
This copy of textbook is granted only for: Chan Myae (shweyoe.ucss@gmail.com)

Network Technologies

Information and Communication Technology

Training Institute, Union of Myanmar

[Cisco Routing & Switching]

Caution: This textbook is intended for use in training courses at Information and Communication Technology Training Institute only.
Unauthorized copy of any part or all of this material is strictly prohibited.

S-AN-A-1.04
Network Technologies ICTTI, Union of Myanmar
1/200

Document History
Date | Version | By | Remarks
4 April 2010 | 1.00 | T. D. Win, K. P. Thant, T. Naing | First version
28 April 2010 | 1.01 | T. D. Win, S. T. D. Win, K. P. Thant, T. Naing | Testing, modifying and adding for training course with Cisco devices
5 July 2010 | 1.02 | S. T. D. Win, K. P. Thant | Modifying and adding sub topics
30 Jan 2011 | 1.03 | K. P. Thant | Redraw some figures; support Cisco 1800 Series, Cisco 2600, Cisco 2800 and Catalyst 2960 Series
1 Aug 2011 | 1.04 | K. P. Thant, T. Naing | Editing some facts and LAB.


Copyright Information
Copyright 2006 ICTTI. All rights reserved.

Cisco and Cisco Systems are registered trademarks of Cisco Systems, Inc. and /or its
affiliates in the U.S. and certain countries.

SUSE, openSUSE, the openSUSE logo, Novell, the Novell logo, the N logo, are
registered trademarks of Novell, Inc. in the United States and other countries. Linux is a
registered trademark of Linus Torvalds.

The example companies, organizations, products, domain names, e-mail address, logos,
people, places, and events depicted herein are fictitious. No association with any real
company, organization product, domain name, e-mail address, logo, person, place, or event
is intended or should be inferred.

All other products and company names are the trademarks, registered trademarks, and
service marks of the respective owners. Throughout this manual, ICTTI and JICA have used
its best efforts to distinguish proprietary trademarks from descriptive names by following the
capitalization styles used by the manufacturer.


Contents at a Glance
1. CISCO Routers and LAN Switches <Day 1> ................................................................ 10
2. Router Basic Configuration <Day 2> ............................................................................ 29
3. IP Routing <Day 3-4-5> ................................................................................................ 62
4. LAN Switching <Day 6> ................................................................................................ 99
5. Virtual LANs <Day 7>.................................................................................................. 124
6. Network Security <Day 8-9> ....................................................................................... 144
7 WAN <Day 10> ........................................................................................................... 182
References ......................................................................................................................... 197
Tables and Figures ............................................................................................................. 198
Indexes ............................................................................................................................... 200


Table of Contents
1. CISCO Routers and LAN Switches <Day 1> ................................................................ 10
1.1. Cisco Router Management .................................................................................... 10
1.1.1. Cisco Router Introduction ............................................................................... 10
1.1.2. The Router Boot Sequence ............................................................................ 11
1.1.3. Managing Configuration Register ................................................................... 12
1.1.4. Cisco Router Series ........................................................................................ 13
1.1.5. Cisco Switching Products ............................................................................... 16
1.1.6. Cisco IOS ........................................................................................................ 17
1.1.7. Cisco IOS Modes ............................................................................................ 18
1.2. Connecting to a Cisco Router ................................................................................ 22
1.3. Console Connection............................................................................................... 22
1.3.1. Linux ............................................................................................................... 22
1.3.2. Windows ......................................................................................................... 23
1.4. Managing Cisco IOS Images ................................................................................. 25
1.4.1. Backing up and Restoring the Cisco IOS ....................................................... 25
1.4.2. Download IOS in ROMmon Mode .................................................................. 26
2. Router Basic Configuration <Day 2> ............................................................................ 29
2.1. Command Line Interface (CLI) .............................................................................. 29
2.1.1. Content Sensitive Help ................................................................................... 29
2.1.2. Command Syntax Check ................................................................................ 30
2.1.3. Command Abbreviation .................................................................................. 30
2.1.4. Hot Keys ......................................................................................................... 30
2.2. Basic Configuration ................................................................................................ 31
2.2.1. Status .............................................................................................................. 31
2.2.2. Hostname ....................................................................................................... 32
2.2.3. Banners........................................................................................................... 32
2.2.4. Clock and NTP................................................................................................ 33
2.2.5. Domain Name Services .................................................................................. 34
2.2.6. Simple Network Management Protocol (SNMP) ............................................ 34
2.3. Login Configuration ................................................................................................ 34
2.3.1. Privileged password ....................................................................................... 34
2.3.2. Virtual Terminal (VTY) .................................................................................... 35


2.3.3. Primary Terminal Line .................................................................................... 35


2.3.4. Auxiliary Line .................................................................................................. 36
2.3.5. Setting up user IDs ......................................................................................... 37
2.3.6. Encrypting Passwords .................................................................................... 37
2.3.7. SSH................................................................................................................. 38
2.4. Router Interfaces ................................................................................................... 39
2.4.1. Bringing Up an Interface ................................................................................. 39
2.4.2. IP Address on an Interface ............................................................................. 40
2.4.3. Serial Interface Commands ............................................................................ 40
2.4.4. Interface State ................................................................................................ 40
2.5. Logging .................................................................................................................. 41
2.5.1. Enabling local router logging .......................................................................... 41
2.5.2. Using a Remote Log Server ........................................................................... 42
2.6. Cisco Discovery Protocol (CDP) ............................................................................ 43
2.6.1. CDP Timers and Holdtime Information........................................................... 43
2.6.2. Neighbor Information ...................................................................................... 43
2.6.3. Gathering Interface Traffic, Port and Interface Information ........................... 47
2.7. Router Management .............................................................................................. 49
2.7.1. Clearing the Configuration and Reloading the Router ................................... 49
2.7.2. Password Removal ......................................................................................... 49
Hands-on-Lab 1 Introduction to Router Commands ..................................................... 52
Hands-on-Lab 2 Router Interface Commands .............................................................. 55
Hands-on-Lab 3 Router Management ........................................................................... 59
3. IP Routing <Day 3-4-5> ................................................................................................ 62
3.1. Introduction to IP Routing ...................................................................................... 62
3.1.1. Configuring the Routers.................................................................................. 62
3.1.2. Verify the configuration ................................................................................... 64
3.2. Basic Routing ......................................................................................................... 65
3.2.1. Configure Static Routing................................................................................. 65
3.2.2. Verify the Static Routing ................................................................................. 65
3.2.3. Configure Default Routing .............................................................................. 65
Hands-on-Lab 4 Static Route 1 ..................................................................................... 67
Hands-on-Lab 5 Static Route 2 ..................................................................................... 69
3.3. RIP ......................................................................................................................... 71
3.3.1. Configure RIP Protocol ................................................................................... 73
3.3.2. Verify the RIP Routing .................................................................................... 73


3.3.3. RIP v2 ............................................................................................................. 77


3.3.4. Verify the RIP v2 Configuration ...................................................................... 77
3.3.5. Holding Down RIP Propagations .................................................................... 77
3.4. EIGRP and OSPF .................................................................................................. 78
3.4.1. Configuring EIGRP Routing............................................................................ 78
3.4.2. Verifying EIGRP Routing ................................................................................ 79
3.4.3. Configuring Single Area OSPF ....................................................................... 80
3.4.4. Verify the Single Area OSPF .......................................................................... 83
3.5 RIP and OSPF with Default Route ........................................................................ 85
3.5.1 RIP and Default Route.................................................................................... 85
3.6 OSPF and Default Route ....................................................................................... 89
Hands-on-Lab 6 RIPv2 .................................................................................................. 90
Hands-on-Lab 7 EIGRP ................................................................................................. 93
Hands-on-Lab 8 OSPF .................................................................................................. 96
4. LAN Switching <Day 6> ................................................................................................ 99
4.1. Layer 2 Switch Operation ...................................................................................... 99
4.2. LAN Switch Configuration and Operation ............................................................ 100
4.2.1. Configuring the Switch IP Address ............................................................... 100
4.2.2. Configuring Switch Interfaces ....................................................................... 101
4.2.3. Securing Unused Switch Interfaces ............................................................. 103
4.2.4. Configuring the Layer 2 Forwarding Path with the MAC Address Table (CAM) ........ 103
4.3. Spanning Tree Protocol (STP)............................................................................. 105
4.3.1. Types of STP ................................................................................................ 106
4.3.2. Spanning Tree Operation ............................................................................. 107
4.3.3. Root Bridge ................................................................................................... 108
4.3.4. Root Ports and Designated Ports ................................................................. 109
4.3.5. PortFast ........................................................................................................ 111
4.3.6. UplinkFast ..................................................................................................... 111
4.3.7. BackboneFast ............................................................................................... 112
4.3.8. Root Guard ................................................................................................... 112
4.3.9. Loop Guard ................................................................................................... 112
4.3.10 BPDU Guard ................................................................................................. 112
4.3.11 BPDU Filtering .............................................................................................. 112
4.3.12 UDLD ............................................................................................................ 113
4.3.13 Spanning Tree Protocol Configuration ......................................................... 113


Hands-on-Lab 9 Switching Lab ................................................................................... 121


5. Virtual LANs <Day 7>.................................................................................................. 124
5.1. Introduction to VLAN ............................................................................................ 124
5.1.1. VLAN Basic ................................................................................................... 125
5.1.2. VLAN Memberships ...................................................................................... 126
5.1.3. VLAN Enabled Switches............................................................................... 127
5.1.4. Why use VLANs?.......................................................................................... 127
5.1.5. Identifying VLANs ......................................................................................... 129
5.2. VLAN Trunking Protocol (VTP) ............................................................................ 131
5.2.1. How VTP Works ........................................................................................... 132
5.2.2. VTP Modes ................................................................................................... 133
4.3.11 VTP Pruning ................................................................................................. 133
5.3. Configuring VLANs .............................................................................................. 135
5.3.1. Inter-VLAN Routing : Router-on-a-Stick ....................................................... 135
5.3.2. VLAN with VTP Domain ............................................................................... 139
6. Network Security <Day 8-9> ....................................................................................... 144
6.1. Securing Switch Access ...................................................................................... 144
6.1.1 Port Security ................................................................................................. 144
6.1.2 DHCP Snooping ........................................................................................... 148
6.2 DHCP ................................................................................................................... 149
6.2.1 DHCP Server ................................................................................................ 149
6.2.2 DHCP Relay Agent ....................................................................................... 150
6.3 Access Control List (ACL).................................................................................... 151
6.3.1 IP Standard Access-Lists ............................................................................. 152
6.3.2 Applying an Access-List to a VTY Line ........................................................ 153
6.3.3 IP Extended Access-Lists ............................................................................. 153
6.3.4 Standard ACL ............................................................................................... 155
6.3.5 Extended ACL............................................................................................... 157
6.3.6 Named ACL .................................................................................................. 159
6.3.7 VTY ACL ....................................................................................................... 159
6.4 NAT ...................................................................................................................... 160
6.4.1 Types of NAT ................................................................................................ 164
6.4.2 NAT Overload or Port Address Translation (PAT) ....................................... 164
6.4.3 Verify and Troubleshoot NAT ....................................................................... 166
6.4.4 Static NAT : Port Forwarding (Destination NAT) .......................................... 166
6.4.5 Dynamic NAT................................................................................................ 167


6.4.6 ICMP Redirect with NAT............................................................................... 168


6.4.7 NAT and VLAN ............................................................................................. 171
6.5 Security ................................................................................................................ 172
6.5.1 Anti-Spoofing ................................................................................................ 172
6.5.2 Disable unused services............................................................................... 173
Hands-on-Lab 10 Configuring Port Security................................................................ 175
Hands-on-Lab 11 DHCP .............................................................................................. 179
Hands-on-Lab 12 DHCP, NAT .................................................................................... 180
7 WAN <Day 10> ........................................................................................................... 182
7.1 Introduction to Wide Area Networks .................................................................... 182
7.2 WAN Connection Types ...................................................................................... 183
7.3 WAN Encapsulation ............................................................................................. 184
7.4 HDLC Encapsulation............................................................................................ 185
7.5 PPP Encapsulation .............................................................................................. 185
7.5.1 Overview of PPP........................................................................................... 186
7.5.2 PPP Session Establishment ......................................................................... 187
7.5.3 PPP Authentication Methods ........................................................................ 188
7.5.4 Configuring PPP ........................................................................................... 189
7.5.5 Verifying PPP................................................................................................ 191
7.5.6 Verifying PPP Authentication........................................................................ 193
7.6 Troubleshooting ................................................................................................... 194
7.6.1 Mismatched WAN Encapsulations ............................................................... 194
7.6.2 Mismatched IP Addresses ............................................................................ 194
References ......................................................................................................................... 197
Bibliography .................................................................................................................... 197
External Links ................................................................................................................. 197
Tables and Figures ............................................................................................................. 198
Figures ............................................................................................................................ 198
Tables ............................................................................................................................. 199
References ...................................................................................................................... 199
Indexes ............................................................................................................................... 200
Keywords ........................................................................................................................ 200


Cisco Routing & Switching 7/9/2012



1. CISCO Routers and LAN Switches <Day 1>


1.1. Cisco Router Management

1.1.1. Cisco Router Introduction


A Cisco router is a special-purpose computer. It has its own operating system, called the
Internetwork Operating System (IOS), as well as files and file systems. This chapter discusses
the basic system administration functions that a router engineer must perform.

Cisco routers use flash memory, rather than disks, for storing information. Flash storage
media is significantly more expensive and slower than disk storage, but the amount of
storage needed to run a router is relatively small compared to the amount needed to run a
general-purpose computer. Flash also has the important benefit that it tends to be more
reliable than disk storage.

Flash storage is similar to Random Access Memory (RAM), but it does not need power to
retain information, so it is called non-volatile RAM (NVRAM). There are other types of
non-volatile solid state storage, such as Erasable Programmable Read Only Memory
(EPROM).

On most Cisco routers, the NVRAM area is somewhere between 16 and 256Kb, depending
on the size and function of the router.

There are two important configuration files on any router. The configuration file that
describes the current running state of the router is called the running-config. The
configuration file that the router uses to boot is called the startup-config. Only the
startup-config is stored in NVRAM. You can synchronize the two configuration files by simply
copying the running-config onto the startup-config file:

Router#copy running-config startup-config

Many engineers still use the older form of this command:

Router#write memory
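A reload replaces the running-config with whatever is in the startup-config, so any hardening applied only to the running-config (an ACL on the VTY lines, an NTP server for accurate log timestamps) silently disappears if nobody issued copy running-config startup-config. The script below compares the two files line by line and reports the statements that would be lost. It is an added example, not code from the textbook or from Cisco; the two configurations are constructed samples, and the noise filter assumes the banner lines IOS prints at the top of show running-config / show startup-config output.

```python
"""Find unsaved changes by comparing running-config with startup-config.
Added example, not from the textbook; sample configurations are constructed."""
import difflib
import re

# Constructed sample: an operator added an NTP server and a VTY access-list
# to the running-config but never copied it to startup-config.
RUNNING_CONFIG = """\
!
version 12.2
hostname Router
!
enable secret 5 $1$placeholder$hashvaluehere
!
ntp server 192.0.2.10
!
access-list 10 permit 192.0.2.0 0.0.0.255
line vty 0 4
 access-class 10 in
 login
!
end
"""

STARTUP_CONFIG = """\
!
version 12.2
hostname Router
!
enable secret 5 $1$placeholder$hashvaluehere
!
line vty 0 4
 login
!
end
"""

# Lines that carry no configuration and legitimately differ between the two
# views (separators, size banners); assumed from the usual IOS output format.
_NOISE = re.compile(
    r"^(!|Current configuration\s*:.*|Using \d+ out of \d+ bytes|Building configuration.*)$"
)


def normalise(config_text: str) -> list:
    """Keep only real configuration statements, with trailing whitespace removed.
    Leading indentation is kept because it marks sub-mode commands."""
    lines = []
    for raw in config_text.splitlines():
        line = raw.rstrip()
        if not line or _NOISE.match(line):
            continue
        lines.append(line)
    return lines


def config_drift(running: str, startup: str) -> dict:
    """Return statements present only in running-config ('unsaved', lost on
    reload) and only in startup-config ('reverts_on_reload', reappear on
    reload). Both lists empty means the two files are synchronised."""
    run_lines = normalise(running)
    start_lines = normalise(startup)
    unsaved, reverts = [], []
    matcher = difflib.SequenceMatcher(None, start_lines, run_lines)
    for tag, i1, i2, j1, j2 in matcher.get_opcodes():
        if tag in ("insert", "replace"):
            unsaved.extend(run_lines[j1:j2])
        if tag in ("delete", "replace"):
            reverts.extend(start_lines[i1:i2])
    return {"unsaved": unsaved, "reverts_on_reload": reverts}


if __name__ == "__main__":
    drift = config_drift(RUNNING_CONFIG, STARTUP_CONFIG)
    for line in drift["unsaved"]:
        print("unsaved change, lost on reload:", line)
    for line in drift["reverts_on_reload"]:
        print("present only in startup-config:", line)
```

Run against real devices by feeding the two command outputs in; a non-empty "unsaved" list is the cue to save, and a non-empty "reverts_on_reload" list means a reload would bring back configuration that someone removed from the running router, which is worth investigating either way.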

Most of the examples throughout this book assume that you have IOS Version 12.

Figure 1 Router components and the show commands that inspect them: RAM holds the running-config, the running program and the packet buffers (show running-config or write terminal, show version or show hardware, show protocols, show memory); Flash memory holds the IOS image (show flash); ROM holds the ROMMON mini-OS; NVRAM holds the startup-config (show startup-config or show configuration); interfaces are inspected with show interface.

Table 1 Router memories

RAM: RAM (DRAM) is used at run time for the executable Cisco IOS software (and its subsystems), routing tables, fast switching cache, running configuration, packets, and so on.
NVRAM: Non-Volatile RAM (NVRAM) is used for writable permanent storage of the startup configuration. It is an EPROM, where the startup configuration is stored in the same Flash device where the boot code is loaded.
Flash: Flash is used for permanent storage of a full Cisco IOS software image in compressed form.
ROM: ROM is used for permanently storing the startup diagnostic code (ROM Monitor) and an emergency OS. The main task for the boot ROM is to perform hardware diagnostics during boot up of the router (Power On Self Test, POST) and to load the Cisco IOS software from Flash into memory. The boot ROM is not erasable; it is socketed, so it can be replaced.

1.1.2. The Router Boot Sequence


When a router boots up, it performs a series of steps, called the boot sequence, to test the
hardware and load the necessary software.
The boot sequence consists of the following steps:
Step 1. To verify the hardware components, the router performs a POST. The POST
stored in and run from ROM checks for the different interfaces on the router.

Step 2. The bootstrap, a program in ROM, looks for and loads the Cisco IOS software from
flash memory; this is the case on all Cisco routers.
Step 3. The IOS software looks for a valid configuration file stored in NVRAM, the
startup-config file.
Step 4. If a startup-config file is in NVRAM, the router copies this file into RAM, where it
becomes the running-config file.

1.1.3. Managing Configuration Register


The default configuration register setting on Cisco routers is 0x2102. You can see the
current value of the configuration register with the show version command. A configuration
register setting of 0x2102 tells the router to load the startup-config from NVRAM during the
boot sequence. The show version command also displays system hardware configuration
information, the software version, and the names of the boot images on the router.
Router#sh version
Cisco Internetwork Operating System Software
IOS (tm) C2600 Software (C2600-C-M), Version 12.2(4)T1, RELEASE SOFTWARE (fc1)
TAC Support: http://www.cisco.com/tac
Copyright (c) 1986-2001 by cisco Systems, Inc.
128K bytes of non-volatile configuration memory.
8192K bytes of processor board System flash (Read/Write)
Configuration register is 0x2142

Before you change the configuration register, make sure you know the current configuration
register value. These are the main reasons you would want to change the configuration
register:
To force the system into the ROM monitor mode
To select a boot source and default boot filename
To enable or disable the Break function
To control broadcast addresses
To set the console terminal baud rate
To load operation software from ROM
To enable booting from a Trivial File Transfer Protocol (TFTP) server

You can change the configuration register by using the config-register command.


Router(config)#config-register 0x2102
Router(config)#^z
Router#sh ver
128K bytes of non-volatile configuration memory.
8192K bytes of processor board System flash (Read/Write)
Configuration register is 0x2142

The show version command displays the current configuration register value and also what
that value will be when the router reboots. Any change to the configuration register won't
take effect until the router is reloaded.

Reload the router and check again:


Router#sh ver
128K bytes of non-volatile configuration memory.
8192K bytes of processor board System flash (Read/Write)
Configuration register is 0x2102
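The value 0x2142 shown above differs from the default 0x2102 in exactly one bit, the one that makes the router ignore the startup-config in NVRAM: a router left at 0x2142 boots with no passwords, no ACLs and no logging, so a fleet audit should pull the register out of show version and flag it. The script below does that and decodes the bits that matter. It is an added example, not code from the textbook or from Cisco. The sample output is constructed from the lines the textbook shows; the "(will be 0x... at next reload)" suffix is the form IOS prints after config-register has been changed but before the reload (not shown on this page), and the bit positions are taken from Cisco's configuration register documentation rather than from this text.

```python
"""Extract and decode the configuration register from `show version` output.
Added example, not from the textbook; sample output is constructed."""
import re
from typing import Optional, Tuple

# Constructed sample, including the pending-value suffix IOS prints between
# a `config-register` change and the reload that applies it.
SHOW_VERSION = """\
Cisco Internetwork Operating System Software
IOS (tm) C2600 Software (C2600-C-M), Version 12.2(4)T1, RELEASE SOFTWARE (fc1)
128K bytes of non-volatile configuration memory.
8192K bytes of processor board System flash (Read/Write)
Configuration register is 0x2142 (will be 0x2102 at next reload)
"""

_REG_RE = re.compile(
    r"Configuration register is 0x([0-9A-Fa-f]{1,4})"
    r"(?:\s*\(will be 0x([0-9A-Fa-f]{1,4}) at next reload\))?"
)

# Bit layout of the 16-bit register, per Cisco documentation.
BOOT_FIELD_MASK = 0x000F           # bits 0-3: 0x0 ROMmon, 0x1 boot-helper image, 0x2-0xF normal IOS boot
IGNORE_NVRAM = 0x0040              # bit 6: ignore the startup-config in NVRAM
BREAK_DISABLED = 0x0100            # bit 8: Break key ignored once IOS is running
BOOT_ROM_ON_NETBOOT_FAIL = 0x2000  # bit 13: fall back to ROM software if network boot fails


def parse_config_register(show_version_text: str) -> Tuple[int, Optional[int]]:
    """Return (current, pending); pending is None when no change awaits a reload."""
    m = _REG_RE.search(show_version_text)
    if not m:
        raise ValueError("no 'Configuration register is' line in output")
    current = int(m.group(1), 16)
    pending = int(m.group(2), 16) if m.group(2) else None
    return current, pending


def decode_config_register(value: int) -> dict:
    """Name the security-relevant fields of a register value."""
    boot = value & BOOT_FIELD_MASK
    if boot == 0x0:
        boot_mode = "rommon"
    elif boot == 0x1:
        boot_mode = "boot-helper"
    else:
        boot_mode = "normal"
    return {
        "boot_mode": boot_mode,
        "ignore_nvram": bool(value & IGNORE_NVRAM),
        "break_disabled": bool(value & BREAK_DISABLED),
        "boot_rom_on_netboot_fail": bool(value & BOOT_ROM_ON_NETBOOT_FAIL),
    }


def audit_config_register(show_version_text: str) -> list:
    """Findings for a defender: the value that will apply at the next boot is
    the one that matters, so a pending value overrides the current one."""
    current, pending = parse_config_register(show_version_text)
    effective = pending if pending is not None else current
    bits = decode_config_register(effective)
    findings = []
    if bits["ignore_nvram"]:
        findings.append(f"0x{effective:04X}: startup-config will be ignored at next boot")
    if not bits["break_disabled"]:
        findings.append(f"0x{effective:04X}: Break is enabled while IOS runs")
    if bits["boot_mode"] != "normal":
        findings.append(f"0x{effective:04X}: boot field 0x{effective & BOOT_FIELD_MASK:X} does not boot IOS normally")
    if pending is not None and pending != current:
        findings.append(f"register change pending: 0x{current:04X} -> 0x{pending:04X} at next reload")
    return findings


if __name__ == "__main__":
    for finding in audit_config_register(SHOW_VERSION):
        print(finding)
```

The audit reports nothing for a router that is already at 0x2102 with no pending change; the sample, which mirrors the sequence on this page, reports only the pending change, while the earlier output with a bare 0x2142 would be flagged for ignoring NVRAM.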

1.1.4. Cisco Router Series

Figure 2 Cisco Router Series and the sites for which they are suited (7200, AS5000, 4000, 3600, 2600, 2500, 1700, 1600, 1000, 800 and 700 series, ranging from central site solutions through branch office and small office solutions to residential telecommuter site solutions)


The Cisco 700 series, designed for telecommuters, is a low-cost, easy-to-manage,
multiprotocol ISDN router. The 700 router has been optimized for interoperability with Cisco
core networks, although these routers can connect to any network that supports the relevant
standards for ISDN and IP/Internetwork Packet Exchange (IPX) routing.

The Cisco 800 series routers are Ciscos lowest-priced routers that are based on Cisco IOS
software. The 800 series ISDN access routers provide big-business networking benefits to
small offices and corporate telecommuters. The Cisco 800 series offers secure,
manageable, high performance solutions for Internet and corporate LAN access.

The Cisco 1000 series router is intended for remote office networking where Cisco IOS
software, higher performance, and WAN options beyond ISDN are important.

The Cisco 1600 series routers are similar to the Cisco 1000 series routers, but they have a
slot that accepts a WAN interface card. These cards are shared with the 1700, 2600, and
3600 series, and will be shared in future modular branch office-type products.

The Cisco 1720 access router delivers optimized security, integration, and flexibility in a
desktop form factor for small- and medium-sized businesses, and for small branch offices
that want to deploy Internet/intranet access or Virtual Private Networks (VPNs). The Cisco
1720 access router features two modular WAN slots that support 1600, 2600, and 3600 data
WAN interface cards; and an autosensing 10/100-Mbps Fast Ethernet LAN port to provide
investment protection and flexibility for growth.

The Cisco 2500 series routers provide a variety of models that are designed for branch
office and remote site environments. These routers are typically fixed configuration, with at
least two of the following interfaces: Ethernet, Token Ring, synchronous serial,
asynchronous serial, ISDN BRI, and a hub.

The Cisco 2600 series features single or dual fixed LAN interfaces. A network module slot
and two WAN interface card slots are available for WAN connections.

The 3600 series multiservice access servers/routers also offer a modular solution for dial-up
and permanent connectivity over asynchronous, synchronous, and ISDN lines. Up to four
network module slots are available for LAN and WAN requirements.


The Cisco 4500 and 4700 series access routers are high-performance modular Central site
routers with support for a wide range of LAN and WAN technologies. The 4500 and 4700
are intended for large regional offices that do not require the density of the 7200 series.
Their modular design allows easy reconfiguration as needs change.

The Cisco AS5000 series is Cisco's line of universal integrated access servers. The AS5000
series is extremely popular because it integrates the functions of standalone CSUs, channel
banks, modems, communication servers, switches, and routers in a single chassis. The
AS5000 series contains synchronous serial, digital ISDN, and asynchronous modem access
server functionality, which are ideal for the mixed-media requirements that are becoming
more prevalent every day.

The Cisco 7200 routers are also very high-performance, modular Central site routers that
support a variety of LAN and WAN technologies. The 7200 is targeted for large regional
offices that require high-density solutions.

Branch routers: Cisco 800, 2800 and 3800 Integrated Services Routers
WAN routers: Cisco 7200 VXR Series and Cisco 7301 Router

The following table highlights some of the features and WAN options for each series of
routers.
Table 2 Remote Access Options for each Series of Router

Router Platform   Remote Access Options
700 series        ISDN BRI, basic telephone service ports
800 series        ISDN BRI, basic telephone service ports, entry-level Cisco IOS software
1000 series       ISDN BRI, serial (1005 router)
1600 series       ISDN BRI, 1 WAN interface card slot
1700 series       2 WAN interface card slots
2500 series       Family of routers that offers various ISDN BRI, serial, and WAN interfaces
2600 series       Various fixed LAN interface configurations, one network module slot, two WAN interface card slots
3600 series       Two and four network module slots on the 3620 and 3640, respectively
4000 series       T1/E1 ISDN PRI
AS5000 series     Access server with multiple T1/E1 ISDN PRI and modem capabilities
7200 series       Supports a wide range of WAN services, with the required high port density necessary for a scalable enterprise WAN

(1) Central Site Router Equipment


Choose the router that supports the WAN protocols that you will use. When selecting a
Central site router, typical Cisco solutions include the following:
Cisco 3600 series
Cisco 4000 series
Cisco AS5x00 series
Cisco 7000 series

(2) Branch Office Router Equipment


Choose the router that supports the WAN protocols and interfaces you will use. For
example, the 1600 series router and the respective WAN interface card is an example of a
branch office router that will support the interfaces required. When selecting a branch office
router, typical Cisco solutions include the following:
Cisco 1600 series
Cisco 1700 series
Cisco 2500 series
Cisco 2600 series

(3) Telecommuter Site Router Equipment


Choose the router that supports the WAN protocols and interfaces that you will use. When
selecting a telecommuter site router, typical Cisco solutions include the following:
Cisco 700 series (760 or 770)
Cisco 800 series
Cisco 1000 series

1.1.5. Cisco Switching Products


Cisco has two major brands of LAN switching products.
Cisco Linksys Switch
Cisco Catalyst Switch

The Cisco Linksys switch brand includes a variety of switches designed for use in the home.
The Cisco Catalyst switch brand includes a large collection of switches, all of which have
been designed with Enterprises (companies, governments, and so on) in mind. The Catalyst
switches have a wide range of sizes, functions, and forwarding rates. Cisco offers a wide
variety of Catalyst switches that fit within each Layer of the Cisco Hierarchical network
model.

Table 3 Access Layer Switches

Model                                                Max. Port Density                          Max. Backplane
Catalyst 2950                                        48 10/100 ports                            13.6 Gbps
Catalyst 3550 (SMI)                                  48 10/100 ports or 12 10/100/1000 ports    24 Gbps
Catalyst 4000/4500 with Supervisor Engine III or IV  240 10/100/1000 ports                      64 Gbps

Table 4 Distribution and Core Layer Switches

Model                  Max. Port Density                          Max. Backplane
Catalyst 3550 (EMI)    48 10/100 ports or 12 10/100/1000 ports    24 Gbps
Catalyst 6500          Over 500 10/100/1000 ports                 256 Gbps

1.1.6. Cisco IOS


(1) Introduction
Cisco IOS Software is network system software that tightly integrates a broad range of
Internet and enterprise network hardware. Cisco IOS Software is the unifying thread that
connects otherwise disparate networks to build a scalable network infrastructure. It enables
network services and Internet applications, serving as an end-to-end solution for global
networking.

Cisco IOS Software is implemented on most Cisco hardware platforms, including switches
and routers. This software enables network services in Cisco products, including carrying
the chosen network protocols and functions, controlling access and prohibiting unauthorized
network use, and adding interfaces and capability as needed for network growth.

(2) Cisco IOS Trains


A Cisco IOS train is a vehicle for delivering releases that evolve from a common code base.
In recent years, with the addition of thousands of new features, hundreds of new
applications, and a wide array of platforms, Cisco IOS Software diversified from one train of
releases to multiple trains supporting different feature sets for different customer needs.

Table 5 Types of Trains

Type      Train Name   Description
mainline  12.3, 12.4   Consolidates releases and fixes defects. Inherits features from the parent T train, and does not add additional features.
T         12.4 T       Introduces new features and fixes defects.
S         12.2 S       Contains features and a command-set for specific ISP equipment. Consolidates 12.1E, 12.2 mainline, and 12.0S, which supports high-end backbone routing, and fixes defects.
E         12.1 E       Targets enterprise core and SP edge, supports advanced QoS, voice, security, and firewall, and fixes defects.
B         12.3 B       Supports broadband features and fixes defects.

(3) Cisco IOS Software Images


A Cisco IOS image is a binary executable file of a feature set for a specific platform. Multiple
images exist for a release, representing supported platform and feature set combinations.

The Cisco IOS Software image name represents the hardware, feature set, format and other
information about the image file. Figure 3 shows the image name of Cisco IOS Software
Release 12.4(22) T with the Enterprise Base feature set for the Cisco 3825 router.

c3825-entbasek9-mz.124-22.T.bin

  c3825       Hardware
  entbasek9   Feature Set
  m           Memory Location
  z           Compression Format
  124         Train Number
  22          Maintenance Release
  T           Train Identifier

Figure 3 Example of a Cisco IOS Software Image Name
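The fields labelled in Figure 3 can be pulled out of any image name mechanically, which is useful when checking an inventory of routers against the release you expect them to run. The parser below is an added example written for this page, not code from the textbook or from Cisco. It handles the name in Figure 3 as well as the names used later in this chapter (c2800nm-ipbase-mz.124-3g.bin, which carries a rebuild letter, and c2600-jk9o3s-mz.123-10.bin, a mainline release with no train identifier). The regular expression is this example's own reading of the naming convention; the "k9" test relies on the Cisco convention that k9 in a feature set denotes a strong-crypto image.

```python
import re

# Image names follow
#   <hardware>-<feature set>-<memory><compression>.<train>-<maintenance>[rebuild][.<train id>].bin
# e.g. c3825-entbasek9-mz.124-22.T.bin (pattern written for this example).
IMAGE_NAME_RE = re.compile(
    r"^(?P<hardware>[a-z0-9]+)-(?P<feature_set>[a-z0-9]+)-"
    r"(?P<memory>[a-z])(?P<compression>[a-z])"
    r"\.(?P<train>\d{3})-(?P<maintenance>\d+)(?P<rebuild>[a-z]*)"
    r"(?:\.(?P<train_id>[A-Z]+\d*))?\.bin$"
)


def parse_ios_image_name(name):
    """Split an IOS image file name into the fields shown in Figure 3."""
    m = IMAGE_NAME_RE.match(name)
    if not m:
        raise ValueError("not a recognisable IOS image name: %r" % name)
    g = m.groupdict()
    major, minor = g["train"][:2], g["train"][2:]   # "124" -> 12.4
    train_id = g["train_id"] or ""
    return {
        "hardware": g["hardware"],
        "feature_set": g["feature_set"],
        "memory_location": g["memory"],
        "compression": g["compression"],
        "train": "%s.%s" % (major, minor),
        "maintenance_release": int(g["maintenance"]),
        "rebuild": g["rebuild"],
        # no train identifier means the mainline train
        "train_identifier": train_id or "mainline",
        # the release as 'show version' prints it, e.g. 12.4(22)T
        "release": "%s.%s(%s%s)%s" % (major, minor, g["maintenance"], g["rebuild"], train_id),
        # 'k9' marks a strong-crypto feature set; expect it wherever SSH or IPsec is used
        "crypto": "k9" in g["feature_set"],
    }


if __name__ == "__main__":
    for name in ("c3825-entbasek9-mz.124-22.T.bin",
                 "c2800nm-ipbase-mz.124-3g.bin",
                 "c2600-jk9o3s-mz.123-10.bin"):
        print(name, "->", parse_ios_image_name(name))
```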

1.1.7. Cisco IOS Modes


The Cisco IOS command-line interface is organized around the idea of modes. You move in
and out of several different modes while configuring a router, and which mode you are in
determines what commands you can use. Each mode has a set of commands available in
that mode, and some of these commands are only available in that mode. In any mode,
typing a question mark will display a list of the commands available in that mode.

Router>?

Table 6 Summary of Command Modes

User EXEC
  Usage: Change terminal settings on a temporary basis, perform basic tests, and list system information.
  How to enter the mode: First level accessed.
  Prompt: Router>
  About this mode: Change terminal settings; perform basic tests; display system information.

Privileged EXEC
  Usage: System administration, set operating parameters.
  How to enter the mode: From user EXEC mode, enter the enable command and the enable password.
  Prompt: Router#
  About this mode: Configure your router operating parameters; perform the verification steps.

Global Config
  Usage: Modify configuration that affects the system as a whole.
  How to enter the mode: From privileged EXEC, enter configure terminal.
  Prompt: Router(config)#
  About this mode: Configure parameters that apply to your router as a whole.

Interface Config
  Usage: Modify the operation of an interface.
  How to enter the mode: From global configuration mode, enter interface type number.
  Prompt: Router(config-if)#
  About this mode: Use this mode to configure parameters for the various LAN and WAN interfaces, such as Ethernet, Serial, ISDN, etc.

Setup
  Usage: Create the initial configuration.
  How to enter the mode: From privileged EXEC mode, enter the command setup.
  Prompt: Prompted dialog

(1) User EXEC Mode:


When you are connected to the router, you are started in user EXEC mode. The user EXEC
commands are a subset of the privileged EXEC commands.

(2) Privileged EXEC Mode:


Privileged commands include the following:
configure: Changes the software configuration.
debug: Displays process and hardware event messages.
setup: Enters configuration information at the prompts.
Enter the command disable to exit from privileged EXEC mode and return to user EXEC
mode.

(3) Configuration Mode


Configuration mode has a set of sub-modes that you use for modifying interface settings,
routing protocol settings, line settings, and so forth. Use caution with configuration mode
because all changes you enter take effect immediately.
To enter global configuration mode, enter the command configure terminal.


[Figure 4 (diagram not reproduced): transitions between command modes]

  User EXEC          Router>              enable -> Privileged EXEC; exit -> logs out
  Privileged EXEC    Router#              configure terminal -> Global Config; exit -> User EXEC
  Global Config      Router(config)#      interface -> Interface Config; exit, end or Ctrl+Z -> Privileged EXEC
  Interface Config   Router(config-if)#   exit -> Global Config; end or Ctrl+Z -> Privileged EXEC

Figure 4 Command Mode Transition

From global configuration mode, you can access specific configuration modes, which
include, but are not limited to, the following:

Interface: Supports commands that configure operations on a per-interface basis
Subinterface: Supports commands that configure multiple virtual interfaces on a
single physical interface
Controller: Supports commands that configure controllers (for example, E1 and T1
controllers)
Line: Supports commands that configure the operation of a terminal line (for
example, the console or the vty ports)
Router: Supports commands that configure an IP routing protocol

If you enter the exit command, the router backs out one level, eventually logging out. In
general, you enter the exit command from one of the specific configuration modes to return
to global configuration mode. Press Ctrl-Z or enter end to leave configuration mode
completely and return to the privileged EXEC mode.

Commands that affect the entire device are called global commands. The hostname and
enable password commands are examples of global commands.

Commands that point to or indicate a process or interface that will be configured are called
major commands. When entered, major commands cause the CLI to enter a specific
configuration mode. Major commands have no effect unless you immediately enter a
subcommand that supplies the configuration entry. Notice that entering a major command
switches from one configuration mode to another.

Table 7 Major Commands and Subcommands

Major command                         Subcommand
RouterX(config)#interface serial 0    RouterX(config-if)#shutdown
RouterX(config)#line console 0        RouterX(config-line)#password cisco
RouterX(config)#router rip            RouterX(config-router)#network 10.0.0.0

1.2. Connecting to a Cisco Router


We can access the Cisco IOS through the console port of a router, from a modem into the
auxiliary (or Aux) port, or even through Telnet. Access to the IOS command line is called an
EXEC session.

We can connect to a Cisco router to configure it, verify its configuration, and check statistics.
There are different ways to connect to a router, but the first is the console port. The
console port is usually an RJ-45 connector located at the back of the router. There is
another port, the auxiliary port, which is similar to the console port. The auxiliary port allows
configuring modem commands so that a modem can be connected to the router. For
example, it lets you dial up a remote router and attach to the auxiliary port if the router is
down and you need to configure it out-of-band (that is, outside the network). We can use
Telnet, in-band, to connect to any active interface on a router, such as an Ethernet or serial
port.

1.3. Console Connection


First, connect a console cable between the PC's COM1 port and the router's console port.
The cable is blue and must be a rollover cable; it is neither a straight-through nor a crossover
cable.

If your PC does not have a COM port, which is common on laptops, you can use a USB-to-serial
converter so that the console cable can be connected.

1.3.1. Linux
From Linux, the minicom command can be used to connect to the Cisco device, so install the
minicom package.

Running minicom with the -s option shows the setup menu for configuring the connection.


# minicom -s

Configure the Serial port setup like below.


A - Serial Device : /dev/ttyS0
B - Lockfile Location : /var/lock

C - Callin Program :

D - Callout Program :

E - Bps/Par/Bits : 9600 8N1


F - Hardware Flow Control : No

G - Software Flow Control : No

Change which setting?

Select Save setup as dfl and then Exit. The terminal will connect to the Cisco device.

To close the terminal session, press Ctrl-A and then Q; you will return to the shell
prompt.

Next time, you just enter this command to connect.


# minicom

1.3.2. Windows
(1) Hyper Terminal
[Hyper Terminal] is the default tool shipped together with Windows. When you open the
[Hyper Terminal], enter the connection name, and click [OK].

Change the COM properties especially at the [Bits per second] textbox to 9600.


(2) PuTTY
To connect to the console with PuTTY, select [Serial].

(3) Tera Term

To connect to the console with Tera Term, select [Serial] and the desired port.


1.4. Managing Cisco IOS Images


Occasionally the router will need to have the IOS upgraded or restored. On a new router, the
IOS should be backed up.

1.4.1. Backing up and Restoring the Cisco IOS


We can back up the Cisco IOS to a TFTP server by using the copy flash tftp command.
This command requires only the source filename and the IP address of the TFTP server.

First, we need to set up a TFTP server. To install one, we can get TFTPD32 from
http://pagesperso-orange.fr/philippe.jounin/tftpd32.html; it can easily start a TFTP
server.
Make sure of solid connectivity to the TFTP server by using the ping command. For example, if
the IP address of the TFTP server is 192.168.0.129, check connectivity like this:
Router#ping 192.168.0.129

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.0.129, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/8 ms

Secondly, we check the source filename of the router by using show flash command.
Router#show flash

Directory of flash:/

2 -rwx 1560 May 13 2010 14:37:44 +06:30 vlan.dat


3 -rwx 1048 Mar 1 1993 11:30:39 +06:30 multiple-fs

4 -rwx 7534 Mar 1 1993 11:30:38 +06:30 config.text

5 drwx 512 Mar 1 1993 06:38:29 +06:30 c2800nm-ipbase-mz.124-3g.bin


547 -rwx 5 Mar 1 1993 11:30:39 +06:30 private-config.text

21710744 bytes total (17950208 bytes free)
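Before a copy tftp flash or a ROMmon tftpdnld, the figures in the show flash listing decide whether the new image will fit, and the listing also tells you which images are already present. The parser below is an added example written for this page, not code from the textbook or from Cisco; the show flash output it reads is a constructed sample in the same layout as the listing above, with file sizes and free space invented for the example. The space check counts only files you have explicitly decided to delete first, since the amount of space the file system reclaims during an overwrite varies by platform.

```python
import re

# Constructed 'show flash' output in the layout a Cisco 2800 prints
# (file sizes and free space invented for this example).
SAMPLE_SHOW_FLASH = """\
Directory of flash:/

    2  -rwx        1560  May 13 2010 14:37:44 +06:30  vlan.dat
    3  -rwx        1048   Mar 1 1993 11:30:39 +06:30  multiple-fs
    4  -rwx        7534   Mar 1 1993 11:30:38 +06:30  config.text
    5  -rwx    21710744   Mar 1 1993 06:38:29 +06:30  c2800nm-ipbase-mz.124-3g.bin
  547  -rwx           5   Mar 1 1993 11:30:39 +06:30  private-config.text

64016384 bytes total (42294528 bytes free)
"""

# index, permissions, size, date/time, name (the date keeps its embedded spaces)
ENTRY_RE = re.compile(r"^\s*(\d+)\s+([-d][rwx-]{3})\s+(\d+)\s+(.+?)\s+(\S+)\s*$")
TOTAL_RE = re.compile(r"^\s*(\d+) bytes total \((\d+) bytes free\)")


def parse_show_flash(text):
    """Return {'files': [...], 'total': bytes, 'free': bytes} from show flash output."""
    files, total, free = [], None, None
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            files.append({"index": int(m.group(1)), "perms": m.group(2),
                          "size": int(m.group(3)), "date": m.group(4),
                          "name": m.group(5)})
            continue
        m = TOTAL_RE.match(line)
        if m:
            total, free = int(m.group(1)), int(m.group(2))
    return {"files": files, "total": total, "free": free}


def ios_images(flash):
    """Names of the IOS images (.bin files) present in flash."""
    return [f["name"] for f in flash["files"] if f["name"].endswith(".bin")]


def fits_in_flash(flash, new_size, deleting=()):
    """Can an image of new_size bytes be copied in? Files named in 'deleting'
    are ones you intend to remove first, so their size counts as available.
    Returns (fits, bytes_short)."""
    free = flash["free"] + sum(f["size"] for f in flash["files"] if f["name"] in deleting)
    return (new_size <= free, max(0, new_size - free))


if __name__ == "__main__":
    flash = parse_show_flash(SAMPLE_SHOW_FLASH)
    print("images:", ios_images(flash))
    print("new 21710744-byte image fits:", fits_in_flash(flash, 21710744))
    print("50 MB image fits after deleting old image:",
          fits_in_flash(flash, 50000000, deleting=ios_images(flash)))
```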

Backing up the Cisco IOS


After confirming that the router can reach the TFTP server, use the copy
flash tftp command to copy the IOS to the TFTP server as shown below:
Router#copy flash tftp

Source filename []?c2800nm-ipbase-mz.124-3g.bin


Address or name of remote host []?192.168.0.129

Destination filename[c2800nm-ipbase-mz.124-3g.bin]? [enter]


!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

!!!!!!!!

21710744 bytes copied in 60.724 secs (357532 bytes/sec)

Router#

Alternatively, the source file and the TFTP destination can be given on one line, which
copies the IOS file from flash to the TFTP server:
#copy flash:c2800nm-ipbase-mz.124-3g.bin tftp://192.168.0.129

Restoring the Cisco Router IOS


When a router's original image file has been damaged, or if you want to upgrade the IOS, you need
to restore the Cisco IOS to flash memory to replace the original file. You can download the
file from a TFTP server to flash memory by using the copy tftp flash command. This
command requires the IP address of the TFTP host and the name of the file you want to
download. Make sure the file you want to place in flash memory is in the default TFTP
directory on your host. If the file is not in the default directory of the TFTP host, this just won't
work.

Router#copy tftp flash

Address or name of remote host []?192.168.0.129

Source filename []?c2800nm-ipbase-mz.124-3g.bin

Destination filename[c2800nm-ipbase-mz.124-3g.bin]? [enter]


%Warning: There is a file already existing with this name

Do you want to over write? [confirm] [enter]


Accessing tftp://192.168.0.129/c2800nm-ipbase-mz.124-3g.bin

Loading c2800nm-ipbase-mz.124-3g.bin from 192.168.0.129 (via

FastEthernet0/0):

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

[OK - 21710744 bytes]

21710744 bytes copied in 82.880 secs (261954 bytes/sec)

Router#

1.4.2. Download IOS in ROMmon Mode


This section explains how to download an IOS image file to a Cisco 2600/2800/3800 Series
router over TFTP using the ROMmon tftpdnld command.


You can view the ROMmon environment variables by using the set command, as shown
here. The IOS file is available on the TFTP server as iosfolder/c2600-jk9o3s-mz.123-10.bin.
You do not need to specify the .bin extension.
rommon 3 > set
PS1=rommon ! >

IP_ADDRESS=172.16.0.123

IP_SUBNET_MASK=255.255.255.0

DEFAULT_GATEWAY=172.16.0.2

TFTP_SERVER=172.18.16.10

TFTP_FILE=iosfolder/c2600-jk9o3s-mz.123-10

You can specify the ROMmon environment variables.


rommon 16 > IP_ADDRESS=192.168.0.250

rommon 17 > IP_SUBNET_MASK=255.255.255.0

rommon 18 > DEFAULT_GATEWAY=192.168.0.1

rommon 19 > TFTP_SERVER=192.168.0.3

rommon 20 > TFTP_FILE=iosfolder/c2600-jk9o3s-mz.123-10

You need to use the sync command to save the ROMmon environment variables to nonvolatile
RAM (NVRAM).

Now you can download.


rommon 21 > tftpdnld

IP_ADDRESS: 192.168.0.250

IP_SUBNET_MASK: 255.255.255.0

DEFAULT_GATEWAY: 192.168.0.1

TFTP_SERVER: 192.168.0.3

TFTP_FILE: iosfolder/c2600-jk9o3s-mz.123-10

Invoke this command for disaster recovery only.

WARNING: all existing data in all partitions on flash will be lost!

Do you wish to continue? y/n: [n]: y

Receiving c2600-jk9o3s-mz.123-10 from 192.168.0.3 !!!!!.!!!!!!!!!!!!!!!!!!!.!!

File reception completed.


Copying file c2600-jk9o3s-mz.123-10 to flash.

Erasing flash at 0x607c0000

program flash location 0x60440000

rommon 22 >


2. Router Basic Configuration <Day 2>

2.1. Command Line Interface (CLI)


Cisco uses the acronym CLI to refer to the terminal user command-line interface to the IOS.
The term CLI implies that the user is typing commands at a terminal, a terminal emulator, or
a Telnet connection. [1]

2.1.1. Context Sensitive Help


Cisco IOS CLI offers context sensitive help. This is a useful tool for a new user because at
any time during an EXEC session, a user can type a question mark (?) to get help. Two
types of context sensitive help are available - word help and command syntax help.

Word help can be used to obtain a list of commands that begin with a particular character
sequence. To use word help, type in the characters in question followed immediately by the
question mark (?). Do not include a space before the question mark. The router will then
display a list of commands that start with the characters that were entered. The following is
an example of word help:

Router#co?

configure connect copy

Command syntax help can be used to obtain a list of command, keyword, or argument
options that are available based on the syntax the user has already entered. To use
command syntax help, enter a question mark (?) in the place of a keyword or argument.
Include a space before the question mark. The router will then display a list of available
command options with <cr> standing for carriage return. The following is an example of
command syntax help:
Router#configure ?

memory Configure from NV memory

network Configure from a TFTP network host

overwrite-network Overwrite NV memory from TFTP network host

terminal Configure from the terminal

<cr>


2.1.2. Command Syntax Check


If a command is entered improperly (e.g. typo or invalid command option), the router will
inform the user and indicate where the error has occurred. A caret symbol (^) will appear
underneath the incorrect command, keyword, or argument. The following example displays
what happens if the keyword "fastethernet" is spelled incorrectly.
Router(config)#interface fastethernat

% Invalid input detected at '^' marker.

2.1.3. Command Abbreviation


Commands and keywords can be abbreviated to the minimum number of characters that
identifies a unique selection. For example, you can abbreviate the "configure" command to
"conf" because "configure" is the only command that begins with "conf". You could not
abbreviate the command to "con" because more than one command could fit these criteria.
The router will issue the following error message if you do not supply enough characters.
Router(config)#i

% Ambiguous command: "i"
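The rule behind the word help in 2.1.1 and the ambiguity error above is a prefix match over the commands valid in the current mode, with one refinement: a word that exactly names a command is never ambiguous, even when longer commands share the prefix. The resolver below is an added example written for this page, not code from the textbook or from Cisco IOS; the two command lists are small constructed subsets (the privileged EXEC list includes the three commands the "co?" example shows), not the full IOS command set.

```python
# Constructed subsets of the IOS command set, enough to reproduce the
# 'co?' and '"i"' examples in this chapter. Not the full command set.
PRIV_EXEC_COMMANDS = ["clear", "clock", "configure", "connect", "copy",
                      "debug", "disable", "enable", "exit", "ping",
                      "reload", "show", "telnet", "write"]
CONFIG_COMMANDS = ["banner", "hostname", "interface", "ip", "ipv6",
                   "line", "router"]


def word_help(prefix, commands):
    """Emulate 'prefix?': every command in this mode that starts with prefix."""
    return sorted(c for c in commands if c.startswith(prefix))


def resolve_abbreviation(word, commands):
    """Apply the abbreviation rule. Returns one of
    ('ok', full_command), ('ambiguous', [candidates]) or ('invalid', None).
    An exact name wins outright, so 'ip' is not ambiguous with 'ipv6'."""
    if word in commands:
        return ("ok", word)
    matches = word_help(word, commands)
    if not matches:
        return ("invalid", None)
    if len(matches) == 1:
        return ("ok", matches[0])
    return ("ambiguous", matches)


def ios_reply(word, commands):
    """The line the CLI would print for the word, or the expanded command."""
    status, value = resolve_abbreviation(word, commands)
    if status == "ambiguous":
        return '%% Ambiguous command: "%s"' % word
    if status == "invalid":
        return "% Invalid input detected at '^' marker."
    return value


if __name__ == "__main__":
    print(word_help("co", PRIV_EXEC_COMMANDS))        # configure connect copy
    print(ios_reply("conf", PRIV_EXEC_COMMANDS))      # configure
    print(ios_reply("i", CONFIG_COMMANDS))            # % Ambiguous command: "i"
```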

2.1.4. Hot Keys


For many editing functions, the IOS CLI editor provides hot keys. The following table lists
some editing shortcuts that are available.
Table 8 Summary of Hot Keys

Key          Description
Delete       Removes one character to the right of the cursor.
Backspace    Removes one character to the left of the cursor.
TAB          Finishes a partial command.
Ctrl-A       Moves the cursor to the beginning of the current line.
Ctrl-R       Redisplays a line.
Ctrl-U       Erases a line.
Ctrl-W       Erases a word.
Ctrl-Z       Ends configuration mode and returns to the EXEC.
Up Arrow     Allows user to scroll forward through former commands.
Down Arrow   Allows user to scroll backward through former commands.

2.2. Basic Configuration


2.2.1. Status
Show system hardware and software status
Router>enable

Router#show version
Cisco Internetwork Operating System Software

IOS (tm) C2600 Software (C2600-IS-M), Version 12.2(19c), RELEASE SOFTWARE (fc2)

Show system memory statistics information


Router#show memory
Head Total(b) Used(b) Free(b) Lowest(b) Largest(b)

Processor 81C319DC 100460068 3738100 96721968 96573512 96583824

I/O 7C00000 4194304 1724720 2469584 2467872 2464444

Show the router's network layer protocols and addresses.


Router#show protocols
Global values:

FastEthernet0/0 is up, line protocol is up


Internet address is 192.168.0.101/24

BRI0/0 is up, line protocol is up

Internet address is 192.168.1.101/24

BRI0/0:1 is down, line protocol is down

BRI0/0:2 is down, line protocol is down

Show the router's running configuration.


Router#show running-config

Building configuration...

Current configuration : 701 bytes

version 12.2
service timestamps debug uptime

service timestamps log uptime

no service password-encryption

Show the router's startup configuration in NVRAM.

Router#show startup-config

Using 701 out of 29688 bytes

version 12.2

service timestamps debug uptime

service timestamps log uptime

no service password-encryption

Show the router's interfaces.

Router#show interfaces

FastEthernet0/0 is up, line protocol is up

Hardware is AmdFE, address is 000f.2411.9440 (bia 000f.2411.9440)

2.2.2. Hostname
You can set the identity of the router with the hostname command. This is only locally
significant, which means that it has no bearing on how the router performs name lookups or
how the router works on the internetwork. To change the router's hostname:
Router>enable

Router#configure terminal

Router(config)#hostname cisco1

cisco1(config)#

2.2.3. Banners
A banner is a little security notice to give to any and all who dare attempt to telnet or dial into
your internetwork. You can create a banner to give anyone who shows up on the router
exactly the information you want them to have.

There are four available banner types: exec process creation banner, incoming terminal line
banner, login banner, and message of the day banner.

Router(config)#banner ?

LINE c banner-text c, where 'c' is a delimiting character

exec Set EXEC process creation banner

incoming Set incoming terminal line banner

login Set login banner

motd Set Message of the Day banner

prompt-timeout Set Message for login authentication timeout

Message of the day (MOTD) is the most extensively used banner. It gives a message to
every person dialing into or connecting to the router via Telnet or an auxiliary port, or even
through a console port as seen here:
Router(config)#banner motd ?

LINE c banner-text c, where 'c' is a delimiting character

Router(config)#banner motd c

Enter TEXT message. End with the character 'c'.

Router(config)#banner motd #
If you are not authorized to be in ICTTI network, then you must disconnect

immediately.

#
Router(config)#^z

Router#exit

Router con0 is now available

Press RETURN to get started.

If you are not authorized to be in ICTTI network, then you must disconnect

immediately.

Router>en

Router#

The preceding MOTD banner essentially tells anyone connecting to the router to get lost if
they're not on the guest list. The part to understand is the delimiting character, which is used
to tell the router when the message is done. You can use any character you want for it, but
you can't use the delimiting character in the message itself.

2.2.4. Clock and NTP


Configure time, timezone and NTP server


Router#configure terminal

Router(config)#clock timezone MMT 6 30

Router(config)#exit

Router#clock set 17:16:00 21 dec 2005

Router#configure terminal

Router(config)#ntp server 192.168.0.1

2.2.5. Domain Name Services


Configure to use DNS to resolve hostnames
Router(config)#ip domain-lookup

Router(config)#ip domain-name foobar.site

Router(config)#ip domain-list foobar.site

Router(config)#ip name-server 192.168.0.1

Router(config)#ip name-server 192.168.0.2

domain-name: Define the default domain name


domain-list: Domain name to complete unqualified host names.

When you mistype a command, the router tries to resolve it as a hostname and waits a while
for the lookup to time out, so you might disable the domain lookup.
Router(config)#no ip domain-lookup

2.2.6. Simple Network Management Protocol (SNMP)


Enable SNMP on the router for monitoring. The traffic can be monitored by Cacti or
other tools.
Router(config)#snmp-server community public RO

Note: SNMP version 1 transmits the community string in clear text, so it can easily be
revealed by a sniffer.

2.3. Login Configuration

2.3.1. Privileged password


To assign the privileged level password, use the enable password command:
Router(config)#enable password test

However, you can see the password by show running-config


Router#show running-config

enable password test


To enable strong, nonreversible encryption of the privileged password, use the enable
secret command.
Router(config)#enable secret testuser

You should never use the same password for the enable password and enable secret
commands. The router warns you against doing this, but will accept it.
Router(config)#enable password test

Router(config)#enable secret test


The enable secret you have chosen is the same as your enable password.

This is not recommended. Re-enter the enable secret.

2.3.2. Virtual Terminal (VTY)


The Virtual Teletype (VTY) lines are used to configure Telnet access to a Cisco router. To
accept a Telnet connection, an enable secret (or enable password) must be configured, and
login must be configured on the VTY lines.
Router#conf t

Router(config)#enable secret cisco1


Router(config)#line vty 0 4

Router(config-line)#password cisco2
Router(config-line)#login

Router(config-line)#exit

The VTY password must be encrypted with the following command.


Router(config)#service password-encryption

Increase the Telnet session timeout so that the connection is not disconnected (0 0 disables the timeout).
Router(config)#line vty 0 4

Router(config-line)#exec-timeout 0 0

2.3.3. Primary Terminal Line


This is the basic connection into every router. To initially set up a router, you need to
connect to the console port and at a minimum enable one interface and set the VTY
password. After one interface is enabled and the VTY lines are configured, an administrator
can then Telnet into the router and do the final configurations from that connection. However,
the console port can be used to enter the complete configuration at any time. This
makes it very important to protect the console port with a password. To configure a console
user-mode password, use the line command from global configuration mode. There is only
one console port on all routers, so the command is
Router#conf t

Router(config)#enable secret cisco1


Router(config)#line console 0

Router(config-line)#password cisco2
Router(config-line)#login

Router(config-line)#exit

The console exec-timeout can be set anywhere from never timing out (0 0) to timing out in
35,791 minutes and 2,147,483 seconds. The default is 10 minutes.
Router(config)#line con 0

Router(config-line)#exec-timeout 0 0

To stop annoying console messages from popping up and disrupting the input when we are
trying to type, logging synchronous is a very cool command. The messages still pop up,
but you are returned to your router prompt with your input intact.
Router(config)#line console 0

Router(config-line)#exec-timeout 0 0

Router(config-line)#logging synchronous

Router(config-line)#

2.3.4. Auxiliary Line


On some routers, aux is called the auxiliary port, and on some it is called the aux port. To
find the complete command-line name on your router, use a question mark with the Line
command as shown:
R0(config)#line ?

< 0-4> First Line Number

aux Auxiliary line

console Primary terminal line

vty Virtual terminal

To configure the auxiliary password, go into global configuration mode and type line aux ?.
R0(config)#line aux 0

R0(config-line)#login

R0(config-line)#password aux

2.3.5. Setting up user IDs


Assign individual (or group) user IDs and passwords to network staff. Use the following set
of configuration commands to enable locally administered user IDs:
Router#configure terminal

Enter configuration commands, one per line. End with CNTL/Z

Router(config)#username user1 password password1

Router(config)#username user2 password password2


Router(config)#aaa new-model

Router(config)#aaa authentication login default local

Enabling locally administered usernames overrides the default VTY password-based
authentication system. When you enable the aaa new-model command, the router
immediately begins to prompt for usernames and passwords.
% telnet Router

Trying 192.168.0.100

Connected to Router.

Escape character is ^].

User Access Verification

Username: user1

Password: password1
Router>

Compare this to how the router behaves by default:


% telnet Router2

Trying 192.168.0.101

Connected to Router.

Escape character is ^].

User Access Verification

Password: password1

Router2>

2.3.6. Encrypting Passwords


You need to encrypt passwords so that they do not appear in plain text in the router
configuration file, such as the enable password and the line passwords for VTY, console, and AUX.
Router(config)#service password-encryption

The following command shows what the enable secret command looks like in the router's
configuration file:
Router#show running-config | include secret

enable secret 5 $1$u76B$IOFVJ7VxfVXYVpGDrFTcI0

2.3.7. SSH
SSH is used instead of Telnet to secure access to the router.
You need the following configuration:
- Hostname
- Domain name
- Asymmetric keys
- Local authentication

These are optional to configure:
- Timeouts
- Retries

Router>

Router>en

Router#conf t

Router(config)#host R1

R1(config)#ip domain-name domain1.site

R1(config)#crypto key generate rsa


The name for the keys will be: R1.domain1.site

Choose the size of the key modulus in the range of 360 to 2048 for your

General Purpose Keys. Choosing a key modulus greater than 512 may take

a few minutes.

How many bits in the modulus [512]: 1024


% Generating 1024 bit RSA keys ...[OK]

R1(config)#ip ssh time-out 15

R1(config)#ip ssh authentication-retries 2

R1(config)#username user1 secret user1password


R1(config)#line vty 0 4


R1(config-line)#transport input ssh

R1(config-line)#login local

R1(config-line)#exit

To log in to the remote router by SSH:


R2# ssh -l user1 192.168.0.1
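To check a running-config for the weaknesses that sections 2.2.6 and 2.3 warn about (a clear-text enable password, no enable secret, no service password-encryption, a default SNMP community, VTY lines that still accept Telnet or never time out), here is an added Python audit script. It is not part of the course material and not a Cisco tool; both sample configurations are constructed, the hashes and the type 7 string are placeholders, and the check names are my own.

```python
"""Audit a Cisco IOS running-config for the login-hardening settings from
sections 2.2.6 and 2.3.  Added example; not part of the course material and
not a Cisco tool.  Both sample configs are constructed."""
import re

# Constructed 'before' config from the commands in the text (type 7 string is a placeholder).
WEAK_CONFIG = """\
hostname R1
enable password test
snmp-server community public RO
username user1 password 7 0123456789ABCDEF
line con 0
 password cisco2
 login
line aux 0
 password aux
 login
line vty 0 4
 password cisco2
 login
 exec-timeout 0 0
 transport input telnet ssh
"""

# Constructed 'after' config: hashed secrets, login local on every line, SSH-only
# VTYs, idle timeouts, non-default SNMP community.  Hashes are placeholders.
HARDENED_CONFIG = """\
hostname R1
service password-encryption
enable secret 5 $1$PLAC$EHOLDERhashxxxxxxxxxxxxxxxx
snmp-server community M0nitor-R0 RO
username user1 secret 5 $1$PLAC$EHOLDERhashxxxxxxxxxxxxxxxx
line con 0
 exec-timeout 10 0
 logging synchronous
 login local
line aux 0
 exec-timeout 10 0
 login local
line vty 0 4
 exec-timeout 10 0
 transport input ssh
 login local
"""

WEAK_COMMUNITIES = {"public", "private"}


def parse_config(config):
    """Split a config into (global commands, {line name: [sub-commands]})."""
    globals_, blocks, current = [], {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" "):          # indented: belongs to the open line block
            if current is not None:
                blocks[current].append(raw.strip())
            continue
        current = None
        if raw.startswith("line "):
            current = raw[5:].strip()
            blocks[current] = []
        else:
            globals_.append(raw.strip())
    return globals_, blocks


def audit_config(config):
    """Return a list of (check_id, message) findings for weak settings."""
    globals_, blocks = parse_config(config)
    aaa_local = "aaa new-model" in globals_   # AAA takes over line authentication
    findings = []
    if not any(g.startswith("enable secret") for g in globals_):
        findings.append(("no-enable-secret", "no 'enable secret': privileged password is not hashed"))
    if any(g.startswith("enable password") for g in globals_):
        findings.append(("enable-password", "'enable password' is clear text or reversible type 7"))
    if "service password-encryption" not in globals_:
        findings.append(("no-password-encryption", "line passwords appear in clear text"))
    for g in globals_:
        m = re.match(r"snmp-server community (\S+)(?: (RO|RW))?", g)
        if m and (m.group(1).lower() in WEAK_COMMUNITIES or m.group(2) == "RW"):
            findings.append(("snmp-community", f"community '{m.group(1)}' is a known default or RW"))
    # Type 7 is reversible obfuscation, not a hash: use 'username ... secret'.
    if any(re.search(r"\b(?:password|secret) 7 ", g) for g in globals_):
        findings.append(("type7-reversible", "type 7 credential found; use 'secret' instead"))
    for name, cmds in blocks.items():
        if not aaa_local and not any(c.startswith("password") or c == "login local" for c in cmds):
            findings.append(("line-unprotected", f"line {name} has no password or local login"))
        if "exec-timeout 0 0" in cmds:
            findings.append(("no-exec-timeout", f"line {name} never times out an idle session"))
        if name.startswith("vty"):
            transport = [c for c in cmds if c.startswith("transport input")]
            if not transport or any("telnet" in t or t.endswith(" all") for t in transport):
                findings.append(("vty-telnet", f"line {name} accepts Telnet; use 'transport input ssh'"))
    return findings


def finding_ids(config):
    """Sorted, de-duplicated check ids: handy for comparing two configs."""
    return sorted({check for check, _ in audit_config(config)})
```

Running audit_config on WEAK_CONFIG lists seven findings; on HARDENED_CONFIG it returns an empty list. The hardened variant relies on login local with hashed username secrets rather than line passwords, because a line password is stored either in clear text or as type 7 even after service password-encryption.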

2.4. Router Interfaces


Type interface ? to see all the interfaces available on the router.
Router(config)#interface ?
Async Async interface

BVI Bridge-Group Virtual Interface

CTunnel CTunnel interface

Dialer Dialer interface

FastEthernet FastEthernet IEEE 802.3

Group-Async Async Group interface

Lex Lex interface

Loopback Loopback interface

MFR Multilink Frame Relay bundle interface

Multilink Multilink-group interface

Null Null interface

Serial Serial

Tunnel Tunnel interface

Vif PGM Multicast Host interface

Virtual-Template Virtual Template interface

Virtual-TokenRing Virtual TokenRing

range interface range command

2.4.1. Bringing Up an Interface


All interfaces are shut down by default. You can turn an interface on with the no shutdown command.
Router(config)#interface fastethernet 0/0

Router(config-if)#no shutdown
00:08:47 %LINK-3-UPDOWN: Interface Fastethernet0/0, changed state to up

00:08:47 %LINEPROTO-5-UPDOWN: Line protocol on Interface Fastethernet0/0, changed state to up


Router(config-if)#exit

Router(config)#exit

Router#show interface Fa0/0


FastEthernet0/0 is up, line protocol is up

2.4.2. IP Address on an Interface


Router(config)#interface fa0/0

Router(config-if)#ip address 192.168.1.80 255.255.255.0

Router(config-if)#no shut

If you want to add a second subnet address to an interface, then you must use,
Router(config-if)#ip address 192.168.2.80 255.255.255.0 secondary

2.4.3. Serial Interface Commands


To configure a serial interface, there are a couple of specifics that need to be discussed.
Typically, when in production, the interface will be attached to a CSU/DSU type of device
that provides clocking for the line. However, if you have a back-to-back configuration used in
a lab environment, for example, one end must provide clocking. This would be the DCE end
of the cable. Cisco routers, by default, are all DTE devices, and you must tell an interface to
provide clocking if it is to act as a DCE device.
DCE-Router#conf t

DCE-Router(config)#int s0/0

DCE-Router(config-if)#clock rate 64000

Next, you need to set the bandwidth for the serial interface. Unlike the clock rate command,
which takes a value in bits per second, the bandwidth command is configured in kilobits.
DCE-Router(config-if)#bandwidth 64

Note that the values of the clock rate and the bandwidth depend on the WAN
connectivity.

2.4.4. Interface State


One of the most important elements of the show interfaces command output is the display of
the line and data-link protocol status.
Router# show interfaces fa0/0
fa0/0 is up, line protocol is up

Hardware is HD64570

Based on the output of the show interfaces command, possible problems can be identified as
follows:

Operational: fa0/0 is up, line protocol is up

Connection problem: fa0/0 is up, line protocol is down
- no keepalives
- mismatch in the encapsulation type

Interface problem: fa0/0 is down, line protocol is down
- a cable might never have been attached
- some other interface problem

Disabled: fa0/0 is administratively down, line protocol is down
- manually disabled by using the shutdown command

2.5. Logging
Many network administrators overlook the importance of router logs. Logging is critical for
fault notification, network monitoring, and security auditing.

2.5.1. Enabling local router logging


This configuration changes the timestamp format and saves the log into memory.
Router(config)#service timestamps debug datetime localtime show-timezone year

Router(config)#service timestamps log datetime localtime show-timezone year

Router(config)#logging buffered 16000 debugging

A good rule is to set your logging buffer to 16KB for smaller routers. Routers with more than
32MB of memory can safely dedicate 32KB, or even 64KB without problem. To be safe,
always check the amount of free memory on your router with the show memory command
before increasing your buffer size.

You can use the show logging command to view this buffer.
Router>show logging

Syslog logging: enabled (1 messages dropped, 2 messages rate-limited,

0 flushes, 0 overruns, xml disabled, filtering disabled)

Console logging: level debugging, 12 messages logged, xml disabled,

filtering disabled
Monitor logging: level debugging, 0 messages logged, xml disabled,

filtering disabled

Buffer logging: level debugging, 12 messages logged, xml disabled,

filtering disabled

Logging Exception size (4096 bytes)

Count and timestamp logging messages: disabled

Trap logging: level informational, 16 message lines logged

Log Buffer (16000 bytes):

Feb 1 2008 08:52:20.100 MMT: %SYS-5-CONFIG_I: Configured from console by console

Feb 1 2008 08:54:18.100 MMT: %SYS-5-CONFIG_I: Configured from console by console

2.5.2. Using a Remote Log Server


Use the following commands to send router log messages to a remote syslog server:
Router#conf t

Router(config)#logging on

Router(config)#logging 192.168.0.2

Router(config)#logging facility local1

Router(config)#logging source-interface FastEthernet 0/0

Forwarding log messages to a remote syslog server has several advantages over just
retaining log messages locally on the router. The primary advantage is that messages sent
to the server are stored to disk. All other forms of router logging are lost when the router
reloads, including vital log messages that occur just before a router crashes due to an error.

Another advantage of using a remote syslog server is storage capacity. A router stores
logging messages in internal system memory, which severely limits the number of log
messages that can be stored.

Finally, being able to view log messages from all of your routers in a single location can be
quite useful. Forwarding all router log messages to a common log file can assist in fault
isolation, problem resolution, and security investigations.

The syslog protocol uses UDP port 514, and messages are forwarded asynchronously
without acknowledgement from the server. In other words, communications between the
router and server flow in a single direction with the server acting as a passive receiver.
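The remote syslog server described above receives each message as a UDP datagram that begins with a PRI field; with logging facility local1 that is facility 17, so a severity 5 message arrives as <141>. The following added Python example (not part of the course material) parses such IOS messages, decodes the PRI, and flags the events a security operator most wants to see: configuration changes (%SYS-5-CONFIG_I, the message shown in section 2.5.1), interface down transitions, and login failures. The sample lines are constructed; the %SEC_LOGIN-4-LOGIN_FAILED message and the rule names are assumptions made here, not something the text shows.

```python
"""Parse and triage IOS syslog messages as a remote server receives them
(section 2.5.2).  Added example; not part of the course material.  Sample
lines are constructed, with PRI values computed for 'logging facility local1'."""
import re

SEVERITY_NAMES = ["emergencies", "alerts", "critical", "errors",
                  "warnings", "notifications", "informational", "debugging"]

# <PRI>, optional sequence number, optional IOS timestamp, %FACILITY-SEV-MNEMONIC: text
IOS_MSG = re.compile(
    r"^<(?P<pri>\d{1,3})>(?:(?P<seq>\d+): )?(?:(?P<ts>[^%]+?): )?"
    r"%(?P<fac>[A-Z0-9_]+)-(?P<sev>[0-7])-(?P<mnem>[A-Z0-9_]+): (?P<text>.*)$")

# Triage rules (assumed here): IOS facility, mnemonic, required substring, rule name.
RULES = [
    ("SYS", "CONFIG_I", "", "config-change"),
    ("LINK", "UPDOWN", "to down", "interface-down"),
    ("SEC_LOGIN", "LOGIN_FAILED", "", "login-failure"),
]

# Constructed sample: 141 = 17*8 + 5, 139 = 17*8 + 3, 140 = 17*8 + 4, 134 = 16*8 + 6.
SAMPLE_LINES = [
    "<141>Feb  1 2008 08:52:20.100 MMT: %SYS-5-CONFIG_I: Configured from console by console",
    "<139>Feb  1 2008 08:53:02.100 MMT: %LINK-3-UPDOWN: Interface FastEthernet0/0, changed state to down",
    "<140>Feb  1 2008 08:53:40.100 MMT: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] "
    "[Source: 192.168.0.55] [localport: 22] [Reason: Login Authentication Failed]",
    "<141>Feb  1 2008 08:54:18.100 MMT: %SYS-5-CONFIG_I: Configured from vty by user1 on vty0 (192.168.0.55)",
    "<134>Feb  1 2008 08:55:00.000 MMT: %SYS-5-CONFIG_I: Configured from console by console",
    "this is not a syslog message",
]


def facility_name(code):
    """Map a numeric syslog facility to its name (local0..local7 are 16..23)."""
    return f"local{code - 16}" if 16 <= code <= 23 else str(code)


def parse_ios_syslog(line):
    """Return a dict of fields for one IOS syslog line, or None if it does not parse."""
    m = IOS_MSG.match(line)
    if not m:
        return None
    pri = int(m.group("pri"))
    sev = int(m.group("sev"))
    return {
        "facility": facility_name(pri // 8),   # syslog facility from the PRI
        "pri_severity": pri % 8,               # syslog severity from the PRI
        "timestamp": m.group("ts"),
        "ios_facility": m.group("fac"),
        "severity": sev,                       # severity inside the IOS mnemonic
        "severity_name": SEVERITY_NAMES[sev],
        "mnemonic": m.group("mnem"),
        "text": m.group("text"),
    }


def triage(lines):
    """Return (alerts, unparsed): alerts is a list of (rule name, parsed message)."""
    alerts, unparsed = [], []
    for line in lines:
        msg = parse_ios_syslog(line)
        if msg is None:
            unparsed.append(line)
            continue
        # IOS derives the PRI severity from the message's own level, so a
        # mismatch means a relay rewrote the PRI or the message is not genuine.
        if msg["pri_severity"] != msg["severity"]:
            alerts.append(("severity-mismatch", msg))
        for fac, mnem, needle, rule in RULES:
            if msg["ios_facility"] == fac and msg["mnemonic"] == mnem and needle in msg["text"]:
                alerts.append((rule, msg))
    return alerts, unparsed


def alert_rules(lines):
    """Just the rule names fired, in order, for a quick overview."""
    return [rule for rule, _ in triage(lines)[0]]
```

Because syslog over UDP is unacknowledged and unauthenticated, the parser keeps the unparsed lines rather than discarding them; a sudden rise in unparsed input or in severity-mismatch alerts is itself worth investigating on the collector.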

2.6. Cisco Discovery Protocol (CDP)


Cisco Discovery Protocol (CDP) is a proprietary protocol designed by Cisco to help
administrators collect information about both locally attached and remote devices.

2.6.1. CDP Timers and Holdtime Information


The CDP timer is how often CDP packets are transmitted out of all active interfaces. The CDP
holdtime is the amount of time that the device will hold packets received from neighbor devices.
To configure the CDP holdtime and timer on a router, use the global commands cdp holdtime
and cdp timer.
Router#sh cdp

Global CDP information:

Sending CDP packets every 60 seconds


Sending a holdtime value of 180 seconds

Sending CDPv2 advertisements is enabled

Router#conf t

Enter configuration commands, one per line. End with CNTL/Z.

Router(config)#cdp ?

advertise-v2 CDP sends version-2 advertisements

holdtime Specify the holdtime (in sec) to be sent in packets

timer Specify the rate at which CDP packets are sent (in sec)

run

Router(config)#cdp hold

Router(config)#cdp holdtime ?

<10-255> Length of time (in sec) that receiver must keep this packet

Router(config)#cdp timer ?

<5-254> Rate at which CDP packets are sent (in sec)

2.6.2. Neighbor Information


The show cdp neighbors command delivers information about directly connected devices.

Figure 5 CDP Neighbor Information: R1 f0/0 (192.168.0.1) is connected to R0 f0/0 (192.168.0.2).

R1#config t

R1(config)#int f0/0

R1(config-if)#ip address 192.168.0.1 255.255.255.0

R1(config-if)#no shut

R1(config-if)#cdp enable

R1(config-if)#exit

R1(config)#cdp holdtime 10

R1(config)#cdp timer 5

R0#config t

R0(config)#int f0/0

R0(config-if)#ip address 192.168.0.2 255.255.255.0

R0(config-if)#no shut

R0(config-if)#cdp enable

R0(config-if)#exit

R0(config)#cdp holdtime 10

R0(config)#cdp timer 5

R1#sh cdp neighbors

Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge

S - Switch, H - Host, I - IGMP, r - Repeater

Device ID Local Intrfce Holdtme Capability Platform Port ID

R0 Fas 0/0 8 R 2621 Fas 0/0

R0#sh cdp neighbors

Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge

S - Switch, H - Host, I - IGMP, r - Repeater

Device ID Local Intrfce Holdtme Capability Platform Port ID

R1 Fas 0/0 7 R 2621 Fas 0/0

Table 9 CDP information

Field: Description
Device ID: The hostname of the device directly connected.
Local Interface: The port or interface on which you are receiving the CDP packet.
Holdtime: The amount of time the router will hold the information before discarding it if no more CDP packets are received.
Capability: The capability of the neighbor, such as the router, switch, or repeater. The capability codes are listed at the top of the command output.
Platform: The type of Cisco device directly connected.
Port ID: The neighbor device's port or interface on which the CDP packets are multicast.

You can check detailed information about each device.


R1#sh cdp neighbors detail

-------------------------

Device ID: R0

Entry address(es):

IP address: 192.168.0.2

Platform: cisco 2621, Capabilities: Router

Interface: FastEthernet0/0, Port ID (outgoing port): FastEthernet0/0

Holdtime : 7 sec

Version :

Cisco Internetwork Operating System Software

IOS (tm) C2600 Software (C2600-C-M), Version 12.2(4)T1, RELEASE SOFTWARE (fc1)

TAC Support: http://www.cisco.com/tac

Copyright (c) 1986-2001 by cisco Systems, Inc.

Compiled Fri 26-Oct-01 00:19 by ccai

advertisement version: 2
Duplex: half

R0#sh cdp neighbors detail

-------------------------

Device ID: R1

Entry address(es):

IP address: 192.168.0.1

Platform: cisco 2621, Capabilities: Router

Interface: FastEthernet0/0, Port ID (outgoing port): FastEthernet0/0

Holdtime : 8 sec

Version :

Cisco Internetwork Operating System Software

IOS (tm) C2600 Software (C2600-C-M), Version 12.2(4)T1, RELEASE SOFTWARE (fc1)

TAC Support: http://www.cisco.com/tac

Copyright (c) 1986-2001 by cisco Systems, Inc.

Compiled Fri 26-Oct-01 00:19 by ccai

advertisement version: 2

Duplex: half

The show cdp entry * protocol and show cdp entry * version commands show the
IP address and IOS version of each directly connected neighbor.

R1#sh cdp entry * protocol

Protocol information for R0 :

IP address: 192.168.0.2

R1#sh cdp entry * version

Version information for R0 :

Cisco Internetwork Operating System Software

IOS (tm) C2600 Software (C2600-C-M), Version 12.2(4)T1, RELEASE SOFTWARE (fc1)

TAC Support: http://www.cisco.com/tac

Copyright (c) 1986-2001 by cisco Systems, Inc.

Compiled Fri 26-Oct-01 00:19 by ccai

R0#sh cdp entry * protocol

Protocol information for R1 :

IP address: 192.168.0.1

R0#sh cdp entry * version

Version information for R1 :

Cisco Internetwork Operating System Software

IOS (tm) C2600 Software (C2600-C-M), Version 12.2(4)T1, RELEASE SOFTWARE (fc1)

TAC Support: http://www.cisco.com/tac

Copyright (c) 1986-2001 by cisco Systems, Inc.

Compiled Fri 26-Oct-01 00:19 by ccai
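The show cdp neighbors detail and show cdp entry output above lists everything a neighbor advertises: hostname, IP address, platform and IOS version. The added Python example below (not from the course material) parses that output into an inventory so the versions in use on the network can be reviewed in one place; the second neighbor in the sample (SW1, a switch) is constructed to show a multi-word capability list. Because CDP advertises this information to whatever is plugged into the port, run it only on interfaces facing devices you manage and turn it off elsewhere with the interface command no cdp enable.

```python
"""Turn 'show cdp neighbors detail' output (section 2.6.2) into a neighbor
inventory.  Added example; not part of the course material.  The sample output
is constructed from the text's R1/R0 lab plus an invented switch, SW1."""
import re

SAMPLE_DETAIL = """\
-------------------------
Device ID: R0
Entry address(es):
  IP address: 192.168.0.2
Platform: cisco 2621,  Capabilities: Router
Interface: FastEthernet0/0,  Port ID (outgoing port): FastEthernet0/0
Holdtime : 7 sec

Version :
Cisco Internetwork Operating System Software
IOS (tm) C2600 Software (C2600-C-M), Version 12.2(4)T1,  RELEASE SOFTWARE (fc1)
TAC Support: http://www.cisco.com/tac
Copyright (c) 1986-2001 by cisco Systems, Inc.
Compiled Fri 26-Oct-01 00:19 by ccai

advertisement version: 2
Duplex: half
-------------------------
Device ID: SW1
Entry address(es):
  IP address: 192.168.0.10
Platform: cisco WS-C2960,  Capabilities: Switch IGMP
Interface: FastEthernet0/1,  Port ID (outgoing port): FastEthernet0/24
Holdtime : 150 sec

Version :
Cisco IOS Software, C2960 Software (C2960-LANBASEK9-M), Version 12.2(55)SE, RELEASE SOFTWARE (fc2)

advertisement version: 2
Duplex: full
"""

# One regex per field of a neighbor block; the IOS version is searched for on
# the software line because its wording differs between IOS generations.
FIELD_PATTERNS = {
    "device_id": re.compile(r"^Device ID: (.+)$"),
    "ip_address": re.compile(r"^\s*IP address: (\S+)$"),
    "platform": re.compile(r"^Platform: (.+?),\s+Capabilities: (.+)$"),
    "interface": re.compile(r"^Interface: (\S+),\s+Port ID \(outgoing port\): (\S+)$"),
    "holdtime": re.compile(r"^Holdtime\s*: (\d+) sec$"),
    "ios_version": re.compile(r"\bVersion (\S+?),"),
    "duplex": re.compile(r"^Duplex: (\S+)$"),
}


def parse_cdp_detail(output):
    """Return one dict per neighbor block in 'show cdp neighbors detail' output."""
    neighbors = []
    for block in re.split(r"^-{5,}\s*$", output, flags=re.MULTILINE):
        if "Device ID:" not in block:
            continue
        n = {"device_id": None, "ip_address": None, "platform": None,
             "capabilities": [], "local_interface": None, "remote_port": None,
             "holdtime": None, "ios_version": None, "duplex": None}
        for line in block.splitlines():
            if (m := FIELD_PATTERNS["device_id"].match(line)):
                n["device_id"] = m.group(1).strip()
            elif (m := FIELD_PATTERNS["ip_address"].match(line)) and n["ip_address"] is None:
                n["ip_address"] = m.group(1)          # keep the first address listed
            elif (m := FIELD_PATTERNS["platform"].match(line)):
                n["platform"] = m.group(1)
                n["capabilities"] = m.group(2).split()
            elif (m := FIELD_PATTERNS["interface"].match(line)):
                n["local_interface"], n["remote_port"] = m.group(1), m.group(2)
            elif (m := FIELD_PATTERNS["holdtime"].match(line)):
                n["holdtime"] = int(m.group(1))
            elif (m := FIELD_PATTERNS["duplex"].match(line)):
                n["duplex"] = m.group(1)
            elif n["ios_version"] is None and "Software" in line:
                if (m := FIELD_PATTERNS["ios_version"].search(line)):
                    n["ios_version"] = m.group(1)
        neighbors.append(n)
    return neighbors


def inventory_by_version(neighbors):
    """Group neighbor hostnames by the IOS version they advertise."""
    by_version = {}
    for n in neighbors:
        by_version.setdefault(n["ios_version"], []).append(n["device_id"])
    return by_version
```

Feeding the captured output of several routers through parse_cdp_detail and inventory_by_version gives a quick view of which software versions are present; the same parse also shows which of your own interfaces (local_interface) are currently sending CDP and should be reviewed.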

2.6.3. Gathering Interface Traffic, Port and Interface Information


The show cdp traffic command displays information about interface traffic, including the
number of CDP packets sent and received and the errors with CDP.

R1#sh cdp traffic

CDP counters :

Total packets output: 289, Input: 286

Hdr syntax: 0, Chksum error: 0, Encaps failed: 0

No memory: 0, Invalid packet: 0, Fragmented: 0

CDP version 1 advertisements output: 0, Input: 0

CDP version 2 advertisements output: 289, Input: 286

R0#sh cdp traffic

CDP counters :

Total packets output: 300, Input: 298

Hdr syntax: 0, Chksum error: 0, Encaps failed: 0

No memory: 0, Invalid packet: 0, Fragmented: 0

CDP version 1 advertisements output: 0, Input: 0

CDP version 2 advertisements output: 300, Input: 298

The show cdp interface command gives you the CDP status on router interfaces or switch
ports.

R1#sh cdp interface

FastEthernet0/0 is up, line protocol is up

Encapsulation ARPA

Sending CDP packets every 5 seconds

Holdtime is 10 seconds

FastEthernet0/1 is administratively down, line protocol is down

Encapsulation ARPA

Sending CDP packets every 5 seconds

Holdtime is 10 seconds

R0#sh cdp interface

FastEthernet0/0 is up, line protocol is up

Encapsulation ARPA

Sending CDP packets every 5 seconds

Holdtime is 10 seconds

FastEthernet0/1 is administratively down, line protocol is down

Encapsulation ARPA

Sending CDP packets every 5 seconds

Holdtime is 10 seconds

R1#sh run

Building configuration...

hostname R1
!

cdp timer 5

cdp holdtime 10

end

R0#sh run

Building configuration...

Current configuration : 470 bytes


!

hostname R0

cdp timer 5

cdp holdtime 10

end

2.7. Router Management

2.7.1. Clearing the Configuration and Reloading the Router


You can delete the current startup configuration files and return the router to its factory
default settings.
Router>enable

Router#erase startup-config

Erasing the nvram filesystem will remove all configuration files!

Continue? [confirm] <enter>


[OK]

Erase of nvram: complete

*12 7 17:53:03.155: %SYS-7-NV_BLOCK_INIT: Initialized the geometry of nvram

Router#reload

System configuration has been modified. Save? [yes/no]: no<enter>

2.7.2. Password Removal


This procedure removes all the configuration on the Cisco 1700, 1800, 2600 and 2800 series,
leaving a router without a password.

First, connect a console cable to the router. In Windows, I prefer to use Tera Term.

Choose [Serial] and the port which is connected to the router.

You need to restart the router and send a break key to the router in order to start in the
ROMmon environment.

Switch the power off and on, and then send a break command. For Tera Term, send it as
shown or just press ALT+B.

If it succeeds, the prompt shows rommon; change the configuration register and then type
reset to reboot the router.
rommon 1>confreg 0x2142

rommon 2>reset

After the reboot, type no to the setup question, change to enable mode, remove the
startup-config, and change the configuration register back to normal.
--- System Configuration Dialog ---

Would you like to enter the initial configuration dialog? [yes/no]:no

Router>enable

Router#erase startup-config
Erasing the nvram filesystem will remove all configuration files! Continue?

[confirm]Enter
Erase of nvram: complete

Router#conf t

Router(config)#config-register 0x2102

Router(config)#^Z

Switch the router off and on. It shows the configuration dialog because there is no
startup-config.

Reference:
http://www.cisco.com/en/US/products/hw/routers/ps259/products_password_recovery09186a0080094675.shtml

Hands-on-Lab 1 Introduction to Router Commands

Router Number (assigned by the Instructor): ________________

1. Connect to your router's Console port. What type of cable did you use?
________________________________________________________________________
________________________________________________________________________
________________________________________________________________________

2. What software program did you use to connect to your router's Console port? What
settings did you use?
________________________________________________________________________
________________________________________________________________________
________________________________________________________________________
________________________________________________________________________
________________________________________________________________________

3. What router mode did you start in?


________________________________________________________________________
________________________________________________________________________
________________________________________________________________________

4. Enter into privileged mode. What command did you use?


________________________________________________________________________
________________________________________________________________________

5. Return into user mode. What command did you use?


________________________________________________________________________
________________________________________________________________________
________________________________________________________________________

6. Log off of your router. What command did you use?


________________________________________________________________________
________________________________________________________________________

7. Log back into your router. Enter into privileged mode, and then enter into global
configuration mode. To enter into global configuration mode, what command do you
use?
________________________________________________________________________
________________________________________________________________________
________________________________________________________________________

8. What command do you use to exit out of global configuration mode?


________________________________________________________________________
________________________________________________________________________
________________________________________________________________________

9. Type a ? at the command prompt. What is displayed?


________________________________________________________________________
________________________________________________________________________
________________________________________________________________________

10. Type c? at the command prompt. What is displayed?


________________________________________________________________________
________________________________________________________________________
________________________________________________________________________

11. Type clock ? at the command prompt. What is displayed?


________________________________________________________________________
________________________________________________________________________
________________________________________________________________________

12. Set the encrypted password for privileged mode to be cisco. What mode did you need
to enter to accomplish this? What command did you use?
________________________________________________________________________
________________________________________________________________________
________________________________________________________________________

________________________________________________________________________

13. Set the password for your console port to be cisco. What mode did you need to enter to
accomplish this? What commands did you use?
________________________________________________________________________
________________________________________________________________________
________________________________________________________________________
________________________________________________________________________
________________________________________________________________________
________________________________________________________________________

14. Set the password for your virtual terminal (telnet) ports to be cisco. What mode did you
need to enter? What commands did you use?
________________________________________________________________________
________________________________________________________________________
________________________________________________________________________
________________________________________________________________________
________________________________________________________________________

15. Set a banner message to appear on your router at login. Type whatever banner you wish
(feel free to be creative). What command did you use?
________________________________________________________________________
________________________________________________________________________
________________________________________________________________________
________________________________________________________________________

Hands-on-Lab 2 Router Interface Commands

Router Number (assigned by the Instructor): ________________

1. Enter interface configuration mode for the first Ethernet interface on your router. What
command did you use?
________________________________________________________________________
________________________________________________________________________
________________________________________________________________________

2. Bring this interface up from being administratively down. What command did you use?
________________________________________________________________________
________________________________________________________________________
________________________________________________________________________

3. Do the same for the first Serial interface on your router. What commands did you use?
________________________________________________________________________
________________________________________________________________________
________________________________________________________________________

4. Configure the correct IP address for your Ethernet interface (supplied by your instructor).
What command(s) did you use?
________________________________________________________________________
________________________________________________________________________
________________________________________________________________________

5. Configure the correct IP address for your Serial interface (supplied by your instructor).
What command(s) did you use?
________________________________________________________________________
________________________________________________________________________
________________________________________________________________________


6. View the current status of your interfaces. What command(s) did you use?
________________________________________________________________________
________________________________________________________________________
________________________________________________________________________

7. What is the status of your Serial and Ethernet interfaces?


________________________________________________________________________
________________________________________________________________________
________________________________________________________________________

8. At this point, your serial interface may show a line protocol status of down. What
additional command must you configure on your Serial interface, to ensure communication
with the serial interface of the directly connected router?
________________________________________________________________________
________________________________________________________________________
________________________________________________________________________

9. Should the above command be configured on the connected serial interfaces of both
routers, or on just one side of the serial cable? If the latter, on what side of the serial cable
should this command be used?
________________________________________________________________________
________________________________________________________________________
________________________________________________________________________

10. Set the hostname for your router. Ensure that your router number is reflected
somewhere in the hostname, but you can be creative. For example: My_Router2.
________________________________________________________________________
________________________________________________________________________
________________________________________________________________________

11. Set a description on both of your interfaces, to document what they are connecting to.
What commands did you use?
________________________________________________________________________
________________________________________________________________________
________________________________________________________________________

12. View the configuration file stored in RAM. What command did you use?
________________________________________________________________________
________________________________________________________________________
________________________________________________________________________

13. View the configuration file stored in NVRAM (25xx series router) or Flash (26xx series
router). What command did you use?
________________________________________________________________________
________________________________________________________________________
________________________________________________________________________

14. What command would you use to erase the startup configuration?
________________________________________________________________________
________________________________________________________________________
________________________________________________________________________

15. If you erase the startup configuration, what will happen the next time the router is
rebooted?
________________________________________________________________________
________________________________________________________________________
________________________________________________________________________

16. Ping your neighbor's router. Did you receive a reply? Can you ping all routers directly
connected to you?
________________________________________________________________________
________________________________________________________________________
________________________________________________________________________
________________________________________________________________________


17. Can you currently ping routers not directly connected to you? Why or why not?
________________________________________________________________________
________________________________________________________________________
________________________________________________________________________
________________________________________________________________________

18. What command will provide you with a brief, summarized view of the status and IP
information on your interfaces?
________________________________________________________________________
________________________________________________________________________
________________________________________________________________________

19. Save your router configuration. What command did you use?
________________________________________________________________________
________________________________________________________________________
________________________________________________________________________


Hands-on-Lab 3 Router Management

Router Number (assigned by the Instructor): ________________

1. What are configuration registers? What do they control on Cisco routers?


________________________________________________________________________
________________________________________________________________________
________________________________________________________________________
________________________________________________________________________
________________________________________________________________________

2. Check the current value of the configuration register on your router, and write it below.
What command did you use?
________________________________________________________________________
________________________________________________________________________
________________________________________________________________________

3. Back up your current IOS to a tftp server. What command did you use?
________________________________________________________________________
________________________________________________________________________
________________________________________________________________________

4. When backing up your IOS, what additional information were you asked to specify?
________________________________________________________________________
________________________________________________________________________
________________________________________________________________________
________________________________________________________________________

5. Copy that same IOS image back to the router. What command did you use?
________________________________________________________________________
________________________________________________________________________
________________________________________________________________________

6. Verify that CDP is enabled on your router. What command did you use? How often does
your router send CDP packets?
________________________________________________________________________

________________________________________________________________________
________________________________________________________________________

7. Check the status of your connected neighbors. What CDP command did you use?
________________________________________________________________________
________________________________________________________________________
________________________________________________________________________

8. Disable CDP. What command did you use?


________________________________________________________________________
________________________________________________________________________
________________________________________________________________________

9. Ensure that anyone logged into your router, via either console or telnet, is automatically
logged off after 5 minutes, 30 seconds of inactivity. What mode did you need to enter to
accomplish this? What commands did you use?
________________________________________________________________________
________________________________________________________________________
________________________________________________________________________
________________________________________________________________________
________________________________________________________________________
________________________________________________________________________

10. Disable name resolution on your router. What command did you use?
________________________________________________________________________
________________________________________________________________________
________________________________________________________________________
________________________________________________________________________

11. Pretend that you forgot your enable password. Perform the password recovery
procedure: Change the enable password to ICTTI, but change only the password
(leave all other configuration intact). What steps did you take to accomplish this?
________________________________________________________________________
________________________________________________________________________
________________________________________________________________________
________________________________________________________________________

________________________________________________________________________
________________________________________________________________________
________________________________________________________________________
________________________________________________________________________
________________________________________________________________________
________________________________________________________________________
________________________________________________________________________
________________________________________________________________________
________________________________________________________________________
________________________________________________________________________
________________________________________________________________________
________________________________________________________________________
________________________________________________________________________


3. IP Routing <Day 3-4-5>

3.1. Introduction to IP Routing


This chapter configures several routers in the lab and then turns on IP routing using static,
default, and dynamic routing protocols. The lab uses Cisco 1800 series, Cisco 2600 series,
and Cisco 2800 series routers.

Figure 6 Lab Network Diagram for IP routing (address space 172.16.0.0/16): Router0 Fa0/0 (.1)
connects over 172.16.1.0/24 to Router1 Fa0/0 (.2); Router1 Fa0/1 (.1) connects over
172.16.2.0/24 to Router2 Fa0/0 (.2); Router0 Fa0/1 (.1) serves LAN 172.16.0.0/24 with pc0
(.10), and Router2 Fa0/1 (.1) serves LAN 172.16.3.0/24 with pc1 (.10).

3.1.1. Configuring the Routers


After the configurations are complete, we will build the routing tables.

Connect to Router0 and set the hostname, passwords, interface descriptions, and the IP
address of each interface.
Router>enable
Router#conf t
Router(config)#hostname Router0
Router0(config)#enable secret testuser
Router0(config)#line console 0
Router0(config-line)#password testuser
Router0(config-line)#login
Router0(config-line)#exit
Router0(config)#line vty 0 4
Router0(config-line)#password testuser
Router0(config-line)#login
Router0(config-line)#exit
Router0(config)#interface fastethernet 0/0
Router0(config-if)#ip address 172.16.1.1 255.255.255.0
Router0(config-if)#description connection to Router1
Router0(config-if)#no shutdown
Router0(config-if)#interface fastethernet 0/1
Router0(config-if)#ip address 172.16.0.1 255.255.255.0
Router0(config-if)#description connection to LAN 0
Router0(config-if)#no shutdown
Router0(config-if)#exit
Router0(config)#exit
Router0#copy running-config startup-config

Connect to Router1
Router>enable
Router#conf t
Router(config)#hostname Router1
Router1(config)#enable secret testuser
Router1(config)#line console 0
Router1(config-line)#password testuser
Router1(config-line)#login
Router1(config-line)#line vty 0 4
Router1(config-line)#password testuser
Router1(config-line)#login
Router1(config-line)#interface fastethernet 0/0
Router1(config-if)#ip address 172.16.1.2 255.255.255.0
Router1(config-if)#description connection to Router0
Router1(config-if)#no shutdown
Router1(config-if)#interface fastethernet 0/1
Router1(config-if)#ip address 172.16.2.1 255.255.255.0
Router1(config-if)#description connection to Router2
Router1(config-if)#no shutdown
Router1(config-if)#exit
Router1(config)#exit
Router1#copy running-config startup-config

Connect to Router2
Router>enable
Router#conf t
Router(config)#hostname Router2
Router2(config)#enable secret testuser
Router2(config)#line console 0
Router2(config-line)#password testuser
Router2(config-line)#login
Router2(config-line)#line vty 0 4
Router2(config-line)#password testuser
Router2(config-line)#login
Router2(config-line)#interface fastethernet 0/0
Router2(config-if)#ip address 172.16.2.2 255.255.255.0
Router2(config-if)#description connection to Router1
Router2(config-if)#no shutdown
Router2(config-if)#interface fastethernet 0/1
Router2(config-if)#ip address 172.16.3.1 255.255.255.0
Router2(config-if)#description connection to LAN 3
Router2(config-if)#no shutdown
Router2(config-if)#exit
Router2(config)#exit
Router2#copy running-config startup-config

3.1.2. Verify the configuration


1. Starting at Router0 and working through to Router2, run the following two commands.
Router0#show running-config
Router0#show ip route

The show running-config output is the complete configuration your router is currently
running. The show ip route command displays the routing table of your router. Notice that
only the directly connected networks appear, which means each router can only forward to
its directly connected networks. To send packets to a network that is not in the routing
table, that network must first be added to the routing table.


3.2. Basic Routing


This lab will build the routing table by hand, which means you will create static routing tables
on each router.

3.2.1. Configure Static Routing


From Router0, use the ip route command to configure static routing. The Router0 router is
connected to networks 172.16.0.0 and 172.16.1.0, and a static route must be configured for
EVERY network that is not directly connected. The next hop gateway is always 172.16.1.2.

From the Router0


Router0(config)#ip route 172.16.2.0 255.255.255.0 172.16.1.2

Router0(config)#ip route 172.16.3.0 255.255.255.0 172.16.1.2

From the Router1


Router1(config)#ip route 172.16.0.0 255.255.255.0 172.16.1.1

Router1(config)#ip route 172.16.3.0 255.255.255.0 172.16.2.2

From the Router2


Router2(config)#ip route 172.16.0.0 255.255.255.0 172.16.2.1

Router2(config)#ip route 172.16.1.0 255.255.255.0 172.16.2.1

3.2.2. Verify the Static Routing


It is important to be able to verify your configuration. From the Router0 to Router2, use the
show ip route command.
Router0#show ip route

Once you verify the routing tables in all routers, use the ping command to verify IP
connectivity between routers, and PCs

3.2.3. Configure Default Routing


Static routing is great in small networks, and is better when you are learning IP routing.
Configuring default routing on a router is not like setting the default gateway on a host.
Remember that a router is the default gateway and you cannot set a default gateway on a
router. However, you can set what is called a gateway of last resort, which means that if a
packet is destined for a network that is not listed in the routing table, the router will forward
the packet to the default route.

You can only configure default routing on a router that is connected to a stub network,
which means that there is not another router on the connected networks. In other words,
there is only one way in and out. Router0 and Router2 are stub routers to the LANs because
they are the only way in and out of the LAN. Router1 cannot use default routing since it is
connected to multiple routers.

To configure default routing, use the ip route command, but instead of a specific network
and subnet mask, use all zeros (0.0.0.0 0.0.0.0), which means all networks and all masks.
You must also have the ip classless command enabled when using default routing. This tells
the router not to drop packets for networks it has no specific route to, but instead to forward
them to the default route address.

Before configuring Router0 and Router2 with default routing, you must remove the static
routes we created previously.
Remove static routes from the Router0 router.
Router0(config)#no ip route 172.16.2.0 255.255.255.0 172.16.1.2

Router0(config)#no ip route 172.16.3.0 255.255.255.0 172.16.1.2

Remove static routes from the Router2 router.


Router2(config)#no ip route 172.16.0.0 255.255.255.0 172.16.2.1

Router2(config)#no ip route 172.16.1.0 255.255.255.0 172.16.2.1

From the Router0, add the default route to router Router1. The default route command will
tell the router to send all packets destined for any network not in the routing table to the
Router1, which will then route the packet.
Router0(config)#ip route 0.0.0.0 0.0.0.0 172.16.1.2

Router0(config)#ip classless

From the Router2


Router2(config)#ip route 0.0.0.0 0.0.0.0 172.16.2.1

Router2(config)#ip classless
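The lookup a router performs against these tables, as an added example that is not code from the ICTTI textbook or from Cisco IOS: a Python model of longest-prefix matching over Router0's routing table, first with the static routes from section 3.2.1 and then with the default route from this section. The `Route` class, the `lookup` and `describe` functions and the sample destinations 172.16.3.10 and 10.1.1.1 are constructed for the example; the prefixes, interfaces and next hops are the lab's own. The `ip_classless` flag models the behaviour described above: without ip classless, a router that already knows subnets of 172.16.0.0 drops a packet for an unknown 172.16.x.0 subnet instead of using the default route, while a destination in a major network it knows nothing about still goes to the default route.

```python
# Added example (not from the ICTTI textbook): a model of the IOS forwarding
# lookup for the three-router lab, covering static routes, the 0.0.0.0/0
# default route and the difference that "ip classless" makes.
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import List, Optional


@dataclass(frozen=True)
class Route:
    prefix: IPv4Network                # destination network and mask
    next_hop: Optional[IPv4Address]    # None for a directly connected network
    interface: str                     # exit interface


def route(prefix: str, interface: str, via: Optional[str] = None) -> Route:
    """Build a Route from the strings used in an `ip route` command."""
    return Route(IPv4Network(prefix), IPv4Address(via) if via else None, interface)


def classful_network(addr: IPv4Address) -> IPv4Network:
    """Major class A (/8), B (/16) or C (/24) network an address belongs to."""
    first = int(addr) >> 24
    bits = 8 if first < 128 else 16 if first < 192 else 24
    return IPv4Network(f"{addr}/{bits}", strict=False)


def lookup(table: List[Route], dst: str, ip_classless: bool = True) -> Optional[Route]:
    """Return the route used to forward to `dst`, or None if the packet is dropped.

    The longest matching prefix wins.  Without `ip classless` the router
    behaves classfully: when it already knows subnets of the destination's
    major network and none of them matches, it drops the packet rather than
    using the default route."""
    dst_ip = IPv4Address(dst)
    matches = [r for r in table if dst_ip in r.prefix]
    if not matches:
        return None
    best = max(matches, key=lambda r: r.prefix.prefixlen)
    if not ip_classless and best.prefix.prefixlen == 0:
        major = classful_network(dst_ip)
        knows_a_subnet = any(r.prefix.prefixlen > 0 and r.prefix.subnet_of(major)
                             for r in table)
        if knows_a_subnet:
            return None
    return best


def describe(table: List[Route], dst: str, ip_classless: bool = True) -> str:
    """Human-readable forwarding decision for one destination."""
    r = lookup(table, dst, ip_classless)
    if r is None:
        return f"{dst}: no route, packet dropped"
    if r.next_hop is None:
        return f"{dst}: directly connected via {r.interface}"
    return f"{dst}: forward to {r.next_hop} via {r.interface} ({r.prefix})"


# Router0 with the two static routes of section 3.2.1 (values from the lab config).
ROUTER0_STATIC = [
    route("172.16.0.0/24", "FastEthernet0/1"),
    route("172.16.1.0/24", "FastEthernet0/0"),
    route("172.16.2.0/24", "FastEthernet0/0", via="172.16.1.2"),
    route("172.16.3.0/24", "FastEthernet0/0", via="172.16.1.2"),
]

# Router0 after section 3.2.3: static routes removed, default route added.
ROUTER0_DEFAULT = [
    route("172.16.0.0/24", "FastEthernet0/1"),
    route("172.16.1.0/24", "FastEthernet0/0"),
    route("0.0.0.0/0", "FastEthernet0/0", via="172.16.1.2"),
]

if __name__ == "__main__":
    # Constructed sample destinations: pc1's LAN and an address outside the lab.
    for dst in ("172.16.0.10", "172.16.3.10", "10.1.1.1"):
        print("static  :", describe(ROUTER0_STATIC, dst))
        print("default :", describe(ROUTER0_DEFAULT, dst))
        print("classful:", describe(ROUTER0_DEFAULT, dst, ip_classless=False))
```

Running the script shows that with the static table 10.1.1.1 is dropped (no static route covers it), that the default route catches both 172.16.3.10 and 10.1.1.1 once ip classless is on, and that with classful behaviour only 10.1.1.1 reaches the default route while 172.16.3.10 is dropped, which is why the lab enables ip classless alongside the 0.0.0.0 0.0.0.0 route.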


Hands-on-Lab 4 Static Route 1

Topology for Hands-on-Lab 4: R0 has LANs 192.168.64.0/24 and 192.168.65.0/24 (PC5, PC6)
and WAN links 10.0.0.0/30 and 10.0.0.4/30 to R1 and R2; the LANs behind R1 and R2 are
192.168.0.0/24, 192.168.1.0/24, 172.24.0.0/16 and 172.25.0.0/16 with PC1 to PC4.

1. Design the topology

Select the Cisco devices from (Cisco 2800 series, 4 Cisco 1800 series, Cisco 2600
series).
Cable the networks according to the topology, taking care to match the documentation
above.
Fill in the address table.
Device Interface IP Address Subnet Mask Default Gateway
R0 F0/0 NA
F0/1 NA
S0/0 NA
S0/1 NA
R1 F0/0 NA
F0/1 NA
S0/0 NA
R2 F0/0 NA
F0/1 NA
S0/0 NA
PC1
PC2
PC3
PC4
PC5
PC6

2. Configure the routers

For the WAN links, assign the first address to R0 and the second address to the other
router.
For the LAN links, assign the first address to the router interface. Make sure to also
configure hostnames.
Assign the .10 address to the PCs. Make sure to include the default gateway.
Use cisco as the line password and class as the secret password.
Use 64000 as the clock rate.
R0 is the DCE for all other WAN links.

3. Configure static and default routing.


Configure R0 with static routes using the local interface.
Configure R1 and R2 with exactly one default route using the local interface.

4. Test connectivity
You should now have end-to-end connectivity. Use ping to test connectivity across the
network.
Troubleshoot until pings are successful.

5. Submit Routers configuration file to Moodle.

S-AN-A-1.04
Network Technologies ICTTI, Union of Myanmar
68/200
This copy of textbook is granted only for: Chan Myae (shweyoe.ucss@gmail.com)

Cisco Routing & Switching 7/9/2012


IP Routing <Day 3-4-5>
Hands-on-Lab 5 Static Route 2

Hands-on-Lab 5 Static Route 2

Device Interface IP Address Subnet Mask


HQ F0/0
F0/1
S0/0
S0/1
S0/2
S0/3
R1 F0/0
F0/1
S0/0
R2 F0/0
F0/1
S0/0
R3 F0/0
F0/1
S0/0
ISP S0/0

S-AN-A-1.04
Network Technologies ICTTI, Union of Myanmar
69/200
This copy of textbook is granted only for: Chan Myae (shweyoe.ucss@gmail.com)

Cisco Routing & Switching 7/9/2012


IP Routing <Day 3-4-5>
Hands-on-Lab 5 Static Route 2

F0/0
SRV

1. Select the device from Cisco 1800 series, Cisco2800 series, and Cisco2600 series.

2. Design the topology

Based on the network requirements shown in the topology, design an appropriate
addressing scheme.
The HQ, R1, R2, and R3 routers each have an address space. Subnet the address
space based on the host requirements.
For each address space, assign subnet zero to the f0/0 LAN and subnet 1 to the f0/1 LAN.
Document the IP addresses and subnet masks.
Assign the first IP address to the router interface, and the second IP address to the PC.
For the WAN links, assign the first IP address to HQ.

3. Configure the routers

Using the addressing scheme, configure the routers with a basic configuration including
addressing and hostname.
Use cisco as the line password and class as the secret password.
Use 64000 as the clock rate.
ISP is the DCE in its WAN link to HQ. HQ is the DCE for all other WAN links.

4. Configure static and default routing.


HQ should have three static routes and one default route.
R1, R2, and R3 should have one default route.
ISP should have seven static routes. This will include the three WAN links between HQ
and the branch routers R1, R2, and R3.

5. Test connectivity
You should now have end-to-end connectivity. Use ping to test connectivity across the
network.
Each router should be able to ping all other router interfaces and the server.
Troubleshoot until pings are successful.

6. Submit routers configuration and routing tables to Moodle.


3.3. RIP
Dynamic routing is the process of routers running routing protocols that find and advertise
networks in the inter-network to other routers. Routing tables are then converged, which
means that all routers in the inter-network have the same routing information.

Routing Information Protocol (RIP) is a true distance-vector routing protocol. RIP sends the
complete routing table out of all active interfaces every 30 seconds. RIP uses only hop count
to determine the best path to a remote network, and it has a maximum allowable hop count of
15 by default, meaning that a hop count of 16 is deemed unreachable. RIP works well in small
networks, but it is inefficient on large networks with slow WAN links or on networks with a
large number of routers installed.

RIP version 1 uses only classful routing, which means that all devices in the network must
use the same subnet mask. This is because RIP version 1 does not send subnet mask
information in its updates. RIP version 2 provides what is called prefix routing and does send
subnet mask information with the route updates. This is called classless routing.

This lab will configure Routing Information Protocol (RIP), one of the first dynamic routing
protocols created. It is easy and works pretty well in small to medium size networks.

To configure RIP routing, first remove the static and default routing configured on the routers.
Then use the router rip command to configure RIP.

From the Router0, delete the default route, and then verify the routing table with the show
ip route command. Only the directly connected networks should be in the routing table.
Router0(config)#no ip route 0.0.0.0 0.0.0.0 172.16.1.2
Router0(config)#exit
Router0#show ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is not set

     172.16.0.0/24 is subnetted, 2 subnets
C       172.16.0.0 is directly connected, FastEthernet0/1
C       172.16.1.0 is directly connected, FastEthernet0/0

From the Router1


Router1(config)#no ip route 172.16.0.0 255.255.255.0 172.16.1.1
Router1(config)#no ip route 172.16.3.0 255.255.255.0 172.16.2.2
Router1(config)#exit
Router1#show ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is not set

     172.16.0.0/24 is subnetted, 3 subnets
C       172.16.1.0 is directly connected, FastEthernet0/0
C       172.16.2.0 is directly connected, FastEthernet0/1

From the Router2


Router2(config)#no ip route 0.0.0.0 0.0.0.0 172.16.2.1
Router2(config)#exit
Router2#show ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is not set

     172.16.0.0/24 is subnetted, 2 subnets
C       172.16.2.0 is directly connected, FastEthernet0/0
C       172.16.3.0 is directly connected, FastEthernet0/1

3.3.1. Configure RIP Protocol


From the Router0, configure RIP routing and tell RIP the network you want to advertise
Router0(config)#router rip

Router0(config-router)#network 172.16.0.0

The important thing to notice here is that the network address is a classful address, which
means you use the classful boundary. For instance, 172.16.0.0 is a class B network address,
and we subnet it with a 24-bit mask (/24). This means the third octet is used for subnets and
the fourth octet holds the host addresses of each subnet. RIP is a classful routing protocol,
which means that you do not type in any subnet addresses, only the class B network
address.

From the Router1


Router1(config)#router rip

Router1(config-router)#network 172.16.0.0

From the Router2


Router2(config)#router rip

Router2(config-router)#network 172.16.0.0

3.3.2. Verify the RIP Routing


From the Router0, use the show ip route command to verify the routing table.
Router0#show ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is not set

     172.16.0.0/24 is subnetted, 5 subnets
C       172.16.0.0 is directly connected, FastEthernet0/1
C       172.16.1.0 is directly connected, FastEthernet0/0
R       172.16.2.0 [120/1] via 172.16.1.2, 00:00:11, FastEthernet0/0
R       172.16.3.0 [120/2] via 172.16.1.2, 00:00:11, FastEthernet0/0

Notice the R, which marks a route learned through RIP. The C marks a directly connected
network; you should see two directly connected networks.

From the Router1,


Router1#show ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is not set

     172.16.0.0/24 is subnetted, 5 subnets
R       172.16.0.0 [120/1] via 172.16.1.1, 00:00:20, FastEthernet0/0
C       172.16.1.0 is directly connected, FastEthernet0/0
C       172.16.2.0 is directly connected, FastEthernet0/1
R       172.16.3.0 [120/1] via 172.16.2.2, 00:00:15, FastEthernet0/1

From the Router2,


Router2#show ip route

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP

D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area

N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2


E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP


i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area

* - candidate default, U - per-user static route, o - ODR

P - periodic downloaded static route

Gateway of last resort is not set

172.16.0.0/24 is subnetted, 5 subnets

R 172.16.0.0 [120/2] via 172.16.2.1, 00:00:19, FastEthernet0/0

R 172.16.1.0 [120/1] via 172.16.2.1, 00:00:19, FastEthernet0/0

C 172.16.2.0 is directly connected, FastEthernet0/0

C 172.16.3.0 is directly connected, FastEthernet0/1

Router2#

From the Router0, use the debug ip rip command to see RIP updates being sent and
received on the router.
Router0#debug ip rip

RIP protocol debugging is on

Router0#RIP: sending v1 update to 255.255.255.255 via FastEthernet0/0

(172.16.1.1)
RIP: build update entries

network 172.16.0.0 metric 1

RIP: sending v1 update to 255.255.255.255 via FastEthernet0/1 (172.16.0.1)


RIP: build update entries

network 172.16.1.0 metric 1

network 172.16.2.0 metric 2

network 172.16.3.0 metric 3

network 172.16.4.0 metric 2

RIP: received v1 update from 172.16.1.2 on FastEthernet0/0


172.16.2.0 in 1 hops

172.16.3.0 in 2 hops

172.16.4.0 in 1 hops

You can see from the updates that Router0 is sending out information about networks
172.16.0.0, 172.16.1.0, 172.16.2.0 and 172.16.3.0. Both the 172.16.0.0 network and the
172.16.1.0 network are advertised with a hop count (metric) of 1, meaning that they are
directly connected to Router0. The 172.16.2.0 network is advertised with a metric of 2, which
means that it is not directly connected: RIP adds one hop to a route before advertising it, so
the [120/1] entry in the routing table goes out as metric 2. Note also that the updates are
version 1 broadcasts to 255.255.255.255 and that the update received from 172.16.1.2 is
accepted as is; RIPv1 carries no authentication, so the router installs whatever a host on the
segment sends to UDP port 520.
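The update format behind the debug output above, as an added example that is not part of the textbook: the code builds the RIPv1 response Router0 sends out FastEthernet0/1 (20-byte entries, no mask, metric 1 for connected networks) and a RIPv2 response carrying a simple-password authentication entry, then decodes both. The route list is copied from the debug lines; the password is a constructed lab value, and nothing is sent on the wire.

```python
"""Build and decode RIP update packets (UDP/520) as printed by `debug ip rip`.

Added example, not code from the textbook. Routes mirror the Router0 debug
output; the password below is a constructed lab value.
"""
import ipaddress
import struct

RIP_PORT = 520          # RIP runs over UDP port 520
CMD_RESPONSE = 2        # command 2 = response (a routing update)
AFI_IP = 2              # address family identifier for IPv4
AFI_AUTH = 0xFFFF       # RIPv2 authentication entry (must be the first entry)
AUTH_SIMPLE = 2         # RIPv2 cleartext password
AUTH_MD5 = 3            # RIPv2 keyed MD5 (what an IOS key-chain configures)
INFINITY = 16           # a hop count of 16 means unreachable

HEADER = struct.Struct("!BBH")          # command, version, must-be-zero
ENTRY = struct.Struct("!HH4s4s4sI")     # afi, route tag, ip, mask, next hop, metric
AUTH_ENTRY = struct.Struct("!HH16s")    # afi=0xFFFF, auth type, 16-byte password


def build_update(version, routes, password=None):
    """routes: list of (prefix, metric). RIPv1 carries no mask and has no
    authentication field at all, so any host on the segment can forge one."""
    if version not in (1, 2):
        raise ValueError("RIP version must be 1 or 2")
    if password is not None and version == 1:
        raise ValueError("RIPv1 has no authentication field")
    pkt = bytearray(HEADER.pack(CMD_RESPONSE, version, 0))
    if password is not None:
        raw = password.encode()
        if len(raw) > 16:
            raise ValueError("simple password is at most 16 bytes")
        pkt += AUTH_ENTRY.pack(AFI_AUTH, AUTH_SIMPLE, raw.ljust(16, b"\0"))
    for prefix, metric in routes:
        if not 1 <= metric <= INFINITY:
            raise ValueError(f"metric {metric} outside 1..{INFINITY}")
        net = ipaddress.IPv4Network(prefix)
        mask = net.netmask.packed if version == 2 else bytes(4)   # v1: mask field is zero
        pkt += ENTRY.pack(AFI_IP, 0, net.network_address.packed, mask, bytes(4), metric)
    return bytes(pkt)


def parse_update(data):
    """Decode a RIP response into {'version', 'auth', 'routes'}.
    auth is None when no authentication entry is present, else the auth type."""
    if len(data) < HEADER.size or (len(data) - HEADER.size) % ENTRY.size:
        raise ValueError("malformed RIP packet length")
    cmd, version, zero = HEADER.unpack_from(data, 0)
    if cmd != CMD_RESPONSE or zero != 0:
        raise ValueError("not a RIP response")
    info = {"version": version, "auth": None, "routes": []}
    for idx in range(HEADER.size, len(data), ENTRY.size):
        afi, tag, ip, mask, nh, metric = ENTRY.unpack_from(data, idx)
        if afi == AFI_AUTH and idx == HEADER.size and version == 2:
            info["auth"] = tag              # the auth type sits in the route-tag field
            continue
        if afi != AFI_IP or not 1 <= metric <= INFINITY:
            raise ValueError("bad route entry")
        addr = ipaddress.IPv4Address(ip)
        if version == 2:
            prefix = str(ipaddress.IPv4Network(
                f"{addr}/{ipaddress.IPv4Address(mask)}", strict=False))
        else:
            prefix = str(addr)              # v1 is classful: the receiver infers the mask
        info["routes"].append({"prefix": prefix, "metric": metric,
                               "next_hop": str(ipaddress.IPv4Address(nh))})
    return info


def describe(info):
    """Render an update the way `debug ip rip` prints 'build update entries'."""
    lines = [f"RIP v{info['version']} update, auth={info['auth']}"]
    lines += [f"  network {r['prefix']} metric {r['metric']}" for r in info["routes"]]
    return lines


if __name__ == "__main__":
    # Router0's FastEthernet0/1 update from the debug output (constructed copy)
    v1 = build_update(1, [("172.16.1.0/24", 1), ("172.16.2.0/24", 2), ("172.16.3.0/24", 3)])
    print("\n".join(describe(parse_update(v1))))
    v2 = build_update(2, [("172.16.2.0/24", 1)], password="lab-secret")  # constructed value
    print("\n".join(describe(parse_update(v2))))
```

The parser treats the authentication entry as data, not as a check: a real receiver configured with a key chain compares it before installing anything, and with no key chain (the empty Key-chain column in show ip protocols later in this section) every entry is installed as received.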

To turn off debugging, use the no debug all command or the undebug all command.
Router0#no debug all

All possible debugging has been turned off

To see the routing protocol timers, use the show ip protocols command
Router0#show ip protocols

Routing Protocol is "rip"

Sending updates every 30 seconds, next due in 10 seconds

Invalid after 180 seconds, hold down 180, flushed after 240

Outgoing update filter list for all interfaces is not set

Incoming update filter list for all interfaces is not set

Redistributing: rip

Default version control: send version 1, receive any version


Interface         Send  Recv  Triggered RIP  Key-chain
FastEthernet0/0   1     2 1
FastEthernet0/1   1     2 1

Automatic network summarization is in effect

Maximum path: 4

Routing for Networks:

172.16.0.0

Passive Interface(s):

Routing Information Sources:

Gateway         Distance      Last Update
172.16.1.2           120      00:00:19

Distance: (default is 120)

Another good command is the show protocols command, which shows you the routed
protocol configuration of each interface.
Router0#show protocols

Global values:

Internet Protocol routing is enabled

FastEthernet0/0 is up, line protocol is up

Internet address is 172.16.1.1/24


FastEthernet0/1 is up, line protocol is up


Internet address is 172.16.0.1/24

3.3.3. RIP v2
This lab will configure RIP v2

From the Router0, configure RIP routing to use version 2.


Router0(config)#router rip

Router0(config-router)#version 2

Router0(config-router)#network 172.16.0.0

From the Router1, configure RIP routing to use version 2.


Router1(config)#router rip

Router1(config-router)#version 2
Router1(config-router)#network 172.16.0.0

From the Router2, configure RIP routing to use version 2.


Router2(config)#router rip

Router2(config-router)#version 2

Router2(config-router)#network 172.16.0.0

3.3.4. Verify the RIP v2 Configuration


The main new features of version 2 are that the subnet mask is carried in each update, which
gives variable length subnet mask (VLSM) and classless inter-domain routing (CIDR) support,
that updates are multicast to 224.0.0.9 instead of broadcast, and that updates can be
authenticated with a key chain.
From the Router0, use the show ip route command to verify the routing table. The routing
tables will look the same as version 1 unless you have VLSM networks configured.
Router0#show ip route

To see the routing protocol timers, use the show ip protocols command. Notice the timers:
RIP updates are sent every 30 seconds by default, and the administrative distance is 120 by
default. Both RIPv1 and RIPv2 use the same timers. Two other lines in this output matter in
practice: "Automatic network summarization is in effect" means RIPv2 still summarizes to the
classful boundary unless you configure no auto-summary, and an empty Key-chain column means
no update authentication is configured, so the router still accepts updates from any host on
the segment.

3.3.5. Holding Down RIP Propagations


There are a few different ways to stop unwanted RIP updates from propagating across your
LANs and WANs, and the easiest one is the passive-interface command. This command
prevents RIP update broadcasts from being sent out a specified interface, yet that same
interface can still receive RIP updates. It therefore hides your routing table from hosts on
that segment but does not stop them from injecting routes; to block inbound updates as well,
filter them with an inbound distribute-list or require RIPv2 authentication.

Router0#config t

Router0(config)#router rip

Router0(config-router)#version 2

Router0(config-router)#network 172.16.0.0

Router0(config-router)#passive-interface fastethernet 0/1

3.4. EIGRP and OSPF

Enhanced Interior Gateway Routing Protocol (EIGRP) is a Cisco proprietary hybrid (advanced
distance vector) routing protocol. It uses properties of both distance vector and link state
protocols and has an administrative distance of 90, so its routes are preferred over RIP routes
(distance 120) and replace them in the routing table. Like IGRP, it uses an Autonomous System
(AS) number to create groups of routers that share routing information. The major differences
between IGRP and EIGRP are that EIGRP maintains three tables (neighbor, topology and routing)
to create a stable routing environment, and that EIGRP only sends updates when something
changes, whereas IGRP broadcasts its routing table every 90 seconds.

Open Shortest Path First (OSPF) is an open standards routing protocol that has been
implemented by a wide variety of network vendors, including Cisco.

3.4.1. Configuring EIGRP Routing


To configure EIGRP, it is basically the same as IGRP except you add the letter E in front of
IGRP. All routers must use the same AS number if you want them to share information.

Configure the Router0 to use EIGRP with an AS of 10.


Router0(config)#router eigrp 10

Router0(config-router)#network 172.16.0.0

Configure the Router1


Router1(config)#router eigrp 10

Router1(config-router)#network 172.16.0.0

Configure the Router2


Router2(config)#router eigrp 10

Router2(config-router)#network 172.16.0.0


The hello-interval can be changed with the following command in interface configuration
mode:
Router(config-if)# ip hello-interval eigrp autonomous-system-number seconds

A rule of thumb is to keep the hold-time at three times the hello-interval. The hold timer can
also be adjusted on a per interface basis:
Router(config-if)# ip hold-time eigrp autonomous-system-number seconds

3.4.2. Verifying EIGRP Routing


Since EIGRP has a better administrative distance than RIP, all the routing tables should
have EIGRP found routes.

From the Router0, use the show ip route command to verify the routing table.
Router0#show ip route

Notice the routes marked D. These are EIGRP routes.

The command show ip route destination-network outputs the total delay, minimum bandwidth,
reliability, minimum MTU and load for a path, together with the composite metric.
Router0# sh ip route 172.16.1.0

Use the show ip protocols command from the Router0 router. Notice that both EIGRP and RIP
are running on the router. Notice also that there are no update timers for EIGRP, which
means it does not send periodic updates.
Router0#show ip protocols

From the Router0, use the show ip eigrp neighbors command to see the EIGRP neighbor
table. This table holds information about the router's directly connected neighbors.
Router0#show ip eigrp neighbors

IP-EIGRP neighbors for process 10

H   Address         Interface   Hold Uptime    SRTT   RTO  Q    Seq
                                (sec)          (ms)        Cnt  Num
0   172.16.1.2      Fa0/0         10 00:03:13    40   500  0    6

From the Router0, use the show ip eigrp topology command to see the EIGRP topology
table. This table shows the entire network as Router0 understands it. For each prefix, FD is
the feasible distance (the best composite metric Router0 has), and the pair in parentheses is
the metric through that neighbor followed by the metric the neighbor itself reported.
Router0#show ip eigrp topology

IP-EIGRP Topology Table for AS 10

Codes: P - Passive, A - Active, U - Update, Q - Query, R - Reply,

r - Reply status

P 172.16.1.0/24, 1 successors, FD is 28160

via Connected, FastEthernet0/0

P 172.16.0.0/24, 1 successors, FD is 28160

via Connected, FastEthernet0/1

P 172.16.2.0/24, 1 successors, FD is 30720

via 172.16.1.2 (30720/28160), FastEthernet0/0

P 172.16.3.0/24, 1 successors, FD is 33280

via 172.16.1.2 (33280/30720), FastEthernet0/0
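Where the numbers in the topology table come from, as an added example that is not part of the textbook: the code computes the classic EIGRP composite metric with the default K values and reproduces Router0's feasible and reported distances (28160, 30720, 33280), checks the feasibility condition, and also shows why the 64 kbps bandwidth setting in Hands-on-Lab 7 stops the backup path from tying with a direct T1. The bandwidth and delay values are IOS interface defaults (FastEthernet 100000 kbit/s and 100 microseconds, serial 1544 kbit/s and 20000 microseconds) and are assumptions about the lab hardware.

```python
"""EIGRP composite metric and feasibility condition.

Added example, not code from the textbook. Assumes IOS default K values
(K1=K3=1, K2=K4=K5=0) and default interface bandwidth/delay.
"""

# (bandwidth in kbit/s, delay in microseconds) per link; IOS defaults (assumed)
FAST_ETHERNET = (100_000, 100)
T1_SERIAL = (1_544, 20_000)
BACKUP_64K = (64, 20_000)      # T1 hardware with `bandwidth 64` configured (Lab 7)


def composite_metric(min_bandwidth_kbps, total_delay_usec):
    """Classic EIGRP metric with default K values. IOS uses integer division
    and counts delay in tens of microseconds; the 256 scaling is why the
    values in `show ip eigrp topology` look large."""
    return 256 * (10_000_000 // min_bandwidth_kbps + total_delay_usec // 10)


def path_metric(links):
    """Metric of a path: the lowest bandwidth along it plus the sum of delays."""
    min_bw = min(bw for bw, _ in links)
    total_delay = sum(delay for _, delay in links)
    return composite_metric(min_bw, total_delay)


def feasible(reported_distance, feasible_distance):
    """Feasibility condition: a neighbour is a loop-free backup (feasible
    successor) only if its reported distance is below our feasible distance."""
    return reported_distance < feasible_distance


def router0_topology():
    """Router0's view of the three-router chain, every hop being FastEthernet.
    Returns (prefix, feasible distance, reported distance from the next hop)."""
    rows = []
    for prefix, hops in (("172.16.1.0/24", 1), ("172.16.0.0/24", 1),
                         ("172.16.2.0/24", 2), ("172.16.3.0/24", 3)):
        fd = path_metric([FAST_ETHERNET] * hops)
        rd = path_metric([FAST_ETHERNET] * (hops - 1)) if hops > 1 else 0
        rows.append((prefix, fd, rd))
    return rows


def lab7_backup_is_unequal():
    """Lab 7: with `bandwidth 64` on the branch-to-branch link, the path via
    the other branch can never tie with the direct T1 to HQ."""
    direct = path_metric([T1_SERIAL])
    via_branch = path_metric([BACKUP_64K, T1_SERIAL])
    return direct, via_branch, via_branch > direct


if __name__ == "__main__":
    for prefix, fd, rd in router0_topology():
        print(f"P {prefix}  FD {fd}  reported {rd}  feasible={feasible(rd, fd)}")
    print("direct T1 / via 64k backup / unequal:", lab7_backup_is_unequal())
```

The reported distance is what the neighbor advertises, so it is the value a forged EIGRP packet would set; the feasibility check is a loop guard, not an authentication, which is why EIGRP also supports MD5 authentication on each interface.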

3.4.3. Configuring Single Area OSPF


The easiest (and least scalable) way to configure OSPF is simply to use a single area, which
requires a minimum of two commands.

The command to activate the OSPF routing process is as follows


Router(config)#router ospf ?

<1-65535>

A value in the range 1-65535 identifies the OSPF Process ID, a number that is local to this
router and groups a series of OSPF configuration commands under a specific running process.
Different OSPF routers do not have to use the same Process ID in order to communicate; it is
purely a local value and its actual number is irrelevant. The only time the Process ID matters
is when you run more than one OSPF process on the same router, for example where two OSPF
domains meet on one router.

This lab will be simple. We will start an OSPF process on each router, and then configure the
interfaces to be in OSPF area 0. Since EIGRP (distance 90) has a better administrative distance
than OSPF (distance 110), we also need to disable the EIGRP routing process on each router,
otherwise the EIGRP routes would stay in the routing table.

Configure the Router0 to start the OSPF process. Remember the number does not matter; it can
even be the same on all routers. First disable EIGRP.
Router0(config)#no router eigrp 10

Router0(config)#router ospf 100

Configure the Router1


Router1(config)#no router eigrp 10

Router1(config)#router ospf 100

Configure the Router2


Router2(config)#no router eigrp 10

Router2(config)#router ospf 100

After starting the OSPF process (and disabling EIGRP on each router), you need to identify
the interfaces on which to activate OSPF communications and the area in which each
resides. This will also configure the networks you will advertise to others. This is achieved
with the following command as an example.
Router0(config-router)#network 10.0.0.0 0.255.255.255 area ?

<0-4294967295> OSPF area ID as a decimal value

A.B.C.D OSPF area ID in IP address format

The first two arguments of the network command are the network number (10.0.0.0) and
wildcard mask (0.255.255.255). The combination of the two numbers identifies the
interfaces that OSPF will operate on and that will also be included in its OSPF Link State
Advertisements (LSA).

A 0 octet in the wildcard mask indicates that the corresponding octet in the network must
match exactly. A 255, on the other hand, indicates that you do not care what the
corresponding octet is in the network number. A network and wildcard mask combination of
1.1.1.1 0.0.0.0 would match 1.1.1.1 only and nothing else. This is useful if you want to
activate OSPF on a specific interface.

If you insist on matching a range of networks, the network and wildcard mask combination of
1.1.0.0 0.0.255.255 would match anything in the range 1.1.0.0-1.1.255.255. It is simpler and
safer to stick to using wildcard masks of 0.0.0.0 and identify each OSPF interface
individually.


The final argument is the area number. It indicates the area to which the interfaces identified
in the network and wildcard mask portion belong. Remember that OSPF routers will only
become neighbors if their interfaces share a network that is configured with the same area
number. The format of the area number is either a decimal value in the range 0-4294967295
or a value in standard dotted-decimal notation. Area 0.0.0.0 is a legitimate area, for instance,
and is identical to area 0. Again, we only support area 0 in this module at this time.

Router    Interface         IP Address
Router0   FastEthernet 0/0  172.16.1.1
Router0   FastEthernet 0/1  172.16.0.1
Router1   FastEthernet 0/0  172.16.1.2
Router1   FastEthernet 0/1  172.16.2.1
Router2   FastEthernet 0/0  172.16.2.2
Router2   FastEthernet 0/1  172.16.3.1

Configure the Router0 to advertise both directly connected networks with OSPF
Router0(config-router)#network 172.16.1.1 0.0.0.0 area 0

Router0(config-router)#network 172.16.0.0 0.0.0.255 area 0

The command: network 172.16.1.1 0.0.0.0 area 0 tells the OSPF process to advertise the
interface 172.16.1.1 into area 0. The wildcard mask of 0.0.0.0 tells the process to match
each octet exactly.

The command: network 172.16.0.0 0.0.0.255 area 0 tells the router OSPF process to look
for any interface in subnet 172.16.0.0 and advertise that in area 0. With a wildcard of
0.0.0.255, this tells the OSPF process to match the first three octets exactly, but the fourth
octet value is irrelevant.

We could have used this command as well: network 172.16.0.1 0.0.0.0 area 0 which is
just another way to advertise the same interface, but is more precise. No difference in
function on the router or OSPF.

Configure the Router1


Router1(config-router)#network 172.16.1.2 0.0.0.0 area 0

Router1(config-router)#network 172.0.0.0 0.255.255.255 area 0

Understand that all we are doing is advertising OSPF networks, and this lab is showing the
many ways to accomplish the same thing.

The command network 172.16.1.2 0.0.0.0 area 0 tells the OSPF process to advertise the
interface 172.16.1.2 into area 0. The wildcard mask of 0.0.0.0 tells the process to match all
four octets exactly.

The command network 172.0.0.0 0.255.255.255 area 0 tells the OSPF process to look for any
interface whose address starts with 172 in the first octet, whatever the other three octets
are, and to place every such interface in area 0. With this second command the first command
is not really needed; it is shown only as an example. Be aware of what such a broad match does
on a real router: every present and future interface in 172.0.0.0/8 will run OSPF and send
hellos, including LAN interfaces where no neighbor is expected, so pair broad network
statements with passive-interface on user-facing ports.
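How the wildcard masks above select interfaces, as an added example that is not part of the textbook: the code applies the match rule (a 0 bit must match exactly, a 1 bit is "don't care") to the interface table in this section, resolves each of the three routers' network statements to the interfaces OSPF will run on, converts contiguous wildcards to the equivalent prefix, and lists the interfaces on which hellos will go toward end hosts. The interface addresses are the page's; the rule that the most specific statement wins when several overlap is an assumption to confirm with show ip ospf interface on the router.

```python
"""Resolve OSPF `network <net> <wildcard> area <n>` statements to interfaces.

Added example, not code from the textbook. Interface addresses are taken
from the section's table; the overlap tie rule (most specific statement
wins) is an assumption.
"""
import ipaddress

INTERFACES = {
    "Router0": {"FastEthernet0/0": "172.16.1.1", "FastEthernet0/1": "172.16.0.1"},
    "Router1": {"FastEthernet0/0": "172.16.1.2", "FastEthernet0/1": "172.16.2.1"},
    "Router2": {"FastEthernet0/0": "172.16.2.2", "FastEthernet0/1": "172.16.3.1"},
}


def _to_int(dotted):
    return int(ipaddress.IPv4Address(dotted))


def wildcard_match(address, network, wildcard):
    """A 0 bit in the wildcard must match exactly; a 1 bit is don't-care."""
    care = ~_to_int(wildcard) & 0xFFFFFFFF
    return _to_int(address) & care == _to_int(network) & care


def wildcard_bits(wildcard):
    """Number of don't-care bits; fewer bits means a more specific statement."""
    return bin(_to_int(wildcard)).count("1")


def wildcard_to_prefix(network, wildcard):
    """A contiguous wildcard is an inverted mask (0.0.0.255 -> /24).
    Returns None for a non-contiguous wildcard such as 0.255.0.255."""
    w = _to_int(wildcard)
    if w & (w + 1):                      # set bits are not a trailing run of ones
        return None
    prefixlen = 32 - w.bit_length()
    return str(ipaddress.IPv4Network((network, prefixlen), strict=False))


def ospf_interfaces(interfaces, statements):
    """statements: list of (network, wildcard, area).
    Returns {interface: area} for the interfaces OSPF would be enabled on."""
    ordered = sorted(statements, key=lambda s: wildcard_bits(s[1]))   # most specific first (assumed)
    result = {}
    for ifname, addr in interfaces.items():
        for network, wildcard, area in ordered:
            if wildcard_match(addr, network, wildcard):
                result[ifname] = area
                break
    return result


def exposed_interfaces(enabled, user_facing):
    """Enabled interfaces that face end hosts: hellos will be sent there and a
    rogue OSPF speaker could form an adjacency, so make them passive."""
    return sorted(set(enabled) & set(user_facing))


if __name__ == "__main__":
    r0 = ospf_interfaces(INTERFACES["Router0"],
                         [("172.16.1.1", "0.0.0.0", 0), ("172.16.0.0", "0.0.0.255", 0)])
    r1 = ospf_interfaces(INTERFACES["Router1"], [("172.0.0.0", "0.255.255.255", 0)])
    print("Router0:", r0, "Router1:", r1)
    print("172.0.0.0 0.255.255.255 is", wildcard_to_prefix("172.0.0.0", "0.255.255.255"))
    # Router0's FastEthernet0/1 is the 172.16.0.0/24 LAN with no other router on it
    print("make passive on Router0:", exposed_interfaces(r0, {"FastEthernet0/1"}))
```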

Configure the Router2 to advertise both directly connected networks with OSPF.
Router2(config-router)#network 172.16.2.2 0.0.0.0 area 0

Router2(config-router)#network 172.16.3.1 0.0.0.0 area 0

3.4.4. Verify the Single Area OSPF


This section describes several ways to verify proper OSPF configuration and operation.
The show ip ospf command is used to display OSPF configuration for one or all OSPF
processes running on the router. Information contained therein includes the Router ID, area
information, SPF statistics, and LSA timer information. Here is a sample output from the
Router0.
Router0#show ip ospf

Routing Process "ospf 100" with ID 172.16.1.1

Supports only single TOS(TOS0) routes

Supports opaque LSA

SPF schedule delay 5 secs, Hold time between two SPFs 10 secs

Minimum LSA interval 5 secs. Minimum LSA arrival 1 secs

LSA group pacing timer 240 secs

Interface flood pacing timer 33 msecs

Retransmission pacing timer 66 msecs

Number of external LSA 0. Checksum Sum 0x000000

Number of opaque AS LSA 0. Checksum Sum 0x000000


Number of DCbitless external and opaque AS LSA 0


Number of DoNotAge external and opaque AS LSA 0

Number of areas in this router is 1. 1 normal 0 stub 0 nssa

External flood list length 0

Area BACKBONE(0)

Number of interfaces in this area is 2

Area has no authentication

SPF algorithm executed 5 times

Area ranges are

Number of LSA 3. Checksum Sum 0x00F725

Number of opaque link LSA 0. Checksum Sum 0x000000

Number of DCbitless LSA 0

Number of indication LSA 0

Number of DoNotAge LSA 0

Flood list length 0

In the output above, "Area has no authentication" means that Router0 will form an adjacency
with any router that sends matching hellos on its segments; OSPF supports per-interface or
per-area authentication (for example area 0 authentication message-digest together with
ip ospf message-digest-key on each interface) to prevent that.

The information displayed by the show ip ospf database command indicates the number of
links and the neighboring Router ID. The output is broken down by area. Here is a sample
output from the Router0.
Router0#show ip ospf database

The show ip ospf interface command displays all interface-related OSPF information. Data
is displayed about OSPF information for all interfaces or for specified interfaces. Information
includes the interface IP address, area assignment, Process ID, Router ID, network type,
cost, priority, DR/BDR (if applicable), timer intervals, and adjacent neighbor information.
Router0#show ip ospf interface

The show ip ospf neighbor command is very useful. It summarizes the pertinent OSPF
information regarding neighbors and the adjacency state. If a DR or BDR exists, that
information is also displayed.
Router0#show ip ospf neighbor

The show ip protocols command is useful whether you are running OSPF, EIGRP, IGRP,
RIP, BGP, ISIS, or any other routing protocol you can configure on your router. It provides
an excellent overview of the actual operation of all currently running protocols
Router0#show ip protocols


Based upon this output, you can determine the OSPF Process ID, OSPF Router ID, type of
OSPF area, networks and areas configured for OSPF, and OSPF Router IDs of neighbors.

3.5 RIP and OSPF with Default Route

3.5.1 RIP and Default Route


To give all the networks in the RIP domain an Internet connection, the default route needs to
reach every router that takes part in the dynamic routing protocol. To do so, a static default
route is configured on R2 and then advertised to R1 dynamically.

Topology (reconstructed from the figure and the configurations below):

R1  s0/0 172.10.1.2   ---- 172.10.1.0/30 ----  s0/1 172.10.1.1 (DCE)   R2
R2  s0/0 192.168.1.2  ---- 192.168.1.0/30 ---  s0/0 192.168.1.1 (DCE)  ISP
R1  f0/0 172.10.0.1     LAN 172.10.0.0/25      PC1 172.10.0.126
R2  f0/0 172.10.0.129   LAN 172.10.0.128/25    PC2 172.10.0.254
ISP f0/0 192.168.0.1    LAN 192.168.0.0/24     SRV 192.168.0.10

(Note that 172.10.0.0/16 is not RFC 1918 private address space; it is used here as a lab
address only.)

(1) Configure without propagating the default route


R1
hostname R1

interface FastEthernet0/0

ip address 172.10.0.1 255.255.255.128

interface Serial0/0

ip address 172.10.1.2 255.255.255.252

router rip

version 2

passive-interface FastEthernet0/0

network 172.10.0.0
!


R2
hostname R2

interface FastEthernet0/0

ip address 172.10.0.129 255.255.255.128

interface Serial0/0

ip address 192.168.1.2 255.255.255.252

interface Serial0/1

ip address 172.10.1.1 255.255.255.252

clockrate 64000

router rip

version 2

passive-interface FastEthernet0/0

passive-interface Serial0/0

network 172.10.0.0

ISP
hostname ISP

interface FastEthernet0/0

ip address 192.168.0.1 255.255.255.0

interface Serial0/0

ip address 192.168.1.1 255.255.255.252

clockrate 64000

ip route 172.10.0.0 255.255.254.0 Serial0/0

Routing table on R1
R1#sh ip route

Gateway of last resort is not set


172.10.0.0/16 is variably subnetted, 3 subnets, 2 masks


R 172.10.0.128/25 [120/1] via 172.10.1.1, 00:00:00, Serial0/0

C 172.10.0.0/25 is directly connected, FastEthernet0/0

C 172.10.1.0/30 is directly connected, Serial0/0

Routing table on R2
R2#sh ip route

Gateway of last resort is not set

172.10.0.0/16 is variably subnetted, 3 subnets, 2 masks

C 172.10.0.128/25 is directly connected, FastEthernet0/0

R 172.10.0.0/25 [120/1] via 172.10.1.2, 00:00:13, Serial0/1

C 172.10.1.0/30 is directly connected, Serial0/1

192.168.1.0/30 is subnetted, 1 subnets

C 192.168.1.0 is directly connected, Serial0/0

PC1 and PC2 cannot ping to SRV


PC1#ping 192.168.0.10

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.0.10, timeout is 2 seconds:

U.U.U

Success rate is 0 percent (0/5)

PC2#ping 192.168.0.10

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.0.10, timeout is 2 seconds:

.U.U.

Success rate is 0 percent (0/5)

(2) Propagate the default route

Configure a static route on R2, and see the routing table.


R2#conf t

Enter configuration commands, one per line. End with CNTL/Z.

R2(config)#ip route 0.0.0.0 0.0.0.0 Serial0/0

R2(config)#^Z

R2#sh ip route


Gateway of last resort is 0.0.0.0 to network 0.0.0.0

172.10.0.0/16 is variably subnetted, 3 subnets, 2 masks

C 172.10.0.128/25 is directly connected, FastEthernet0/0

R 172.10.0.0/25 [120/1] via 172.10.1.2, 00:00:06, Serial0/1

C 172.10.1.0/30 is directly connected, Serial0/1

192.168.1.0/30 is subnetted, 1 subnets

C 192.168.1.0 is directly connected, Serial0/0

S* 0.0.0.0/0 is directly connected, Serial0/0

Now PC2 can ping to SRV.


PC2#ping 192.168.0.10

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.0.10, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 76/87/108 ms

But PC1 still cannot ping to SRV.

R2 needs to propagate the default route to the RIP neighbors.


R2#conf t

R2(config)#router rip

R2(config-router)#default-information originate

After the configuration, wait for the next RIP update (at most 30 seconds); reloading R1 and
R2 is not required.

R1 received the default route.


R1#sh ip route

Gateway of last resort is 172.10.1.1 to network 0.0.0.0


172.10.0.0/16 is variably subnetted, 3 subnets, 2 masks

R 172.10.0.128/25 [120/1] via 172.10.1.1, 00:00:07, Serial0/0

C 172.10.0.0/25 is directly connected, FastEthernet0/0

C 172.10.1.0/30 is directly connected, Serial0/0

R* 0.0.0.0/0 [120/1] via 172.10.1.1, 00:00:07, Serial0/0

Now PC1 also can ping to SRV


PC1#ping 192.168.0.10


Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.0.10, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 76/87/108 ms
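A way to check routing tables like the ones in this section automatically, as an added example that is not part of the textbook: the code parses show ip route lines into structured entries and flags routes that a RIP domain without authentication can pick up from the wrong place, such as a route learned on a user-facing interface or a default route via an unexpected next hop. The first sample is a constructed copy of R1's final table above; the second adds one constructed rogue line (a host on the PC1 LAN advertising the SRV subnet). The trusted next hop and the user-facing interface are lab assumptions.

```python
"""Parse `show ip route` output and flag routes that should not be there.

Added example, not code from the textbook. Sample tables are constructed
copies of R1's output in this section plus one rogue line; the trusted next
hop and the user-facing interface are lab assumptions.
"""
import re

ROUTE_LINE = re.compile(
    r"^(?P<code>[A-Za-z]\*?(?: (?:IA|E1|E2|EX|N1|N2|L1|L2))?)\s+"
    r"(?P<prefix>\d{1,3}(?:\.\d{1,3}){3}(?:/\d{1,2})?)\s+"
    r"(?:\[(?P<ad>\d+)/(?P<metric>\d+)\] via (?P<next_hop>\d{1,3}(?:\.\d{1,3}){3})"
    r"|is directly connected)"
    r"(?:, (?P<age>[\w:]+))?, (?P<interface>\S+)$"
)
# Continuation line for an extra equal-cost path of the previous prefix
ECMP_LINE = re.compile(
    r"^\s+\[(?P<ad>\d+)/(?P<metric>\d+)\] via (?P<next_hop>\d{1,3}(?:\.\d{1,3}){3})"
    r"(?:, (?P<age>[\w:]+))?, (?P<interface>\S+)$"
)
# IOS default administrative distances for the codes this lab uses
DEFAULT_AD = {"S": 1, "S*": 1, "D": 90, "D EX": 170, "O": 110, "O IA": 110,
              "O E1": 110, "O E2": 110, "R": 120, "R*": 120}

# R1's table after R2 started originating the default route (constructed copy)
SAMPLE_R1 = """\
Gateway of last resort is 172.10.1.1 to network 0.0.0.0

     172.10.0.0/16 is variably subnetted, 3 subnets, 2 masks
R       172.10.0.128/25 [120/1] via 172.10.1.1, 00:00:07, Serial0/0
C       172.10.0.0/25 is directly connected, FastEthernet0/0
C       172.10.1.0/30 is directly connected, Serial0/0
R*   0.0.0.0/0 [120/1] via 172.10.1.1, 00:00:07, Serial0/0
"""
# Same table plus a constructed rogue advertisement from a host on the PC1 LAN
SAMPLE_ROGUE = SAMPLE_R1 + \
    "R    192.168.0.0/24 [120/1] via 172.10.0.77, 00:00:03, FastEthernet0/0\n"


def parse_routes(text):
    """Return one dict per path: code, prefix, ad, metric, next_hop, interface."""
    routes = []
    for raw in text.splitlines():
        line = raw.rstrip()
        m = ROUTE_LINE.match(line)
        if m:
            d = m.groupdict()
        else:
            m = ECMP_LINE.match(line)
            if not m or not routes:
                continue                       # headers, summary lines, blanks
            d = {**routes[-1], **m.groupdict()}  # inherit code and prefix
        routes.append({
            "code": d["code"], "prefix": d["prefix"],
            "ad": int(d["ad"]) if d["ad"] else 0,
            "metric": int(d["metric"]) if d["metric"] else 0,
            "next_hop": d["next_hop"], "interface": d["interface"],
        })
    return routes


def audit_routes(routes, trusted_next_hops, user_facing):
    """Flag dynamically learned routes that arrived where none should."""
    findings = []
    for r in routes:
        if r["code"][0] in "CS":               # connected and static are local
            continue
        if r["interface"] in user_facing:
            findings.append(f"{r['prefix']} learned on user-facing {r['interface']} "
                            f"from {r['next_hop']}")
        if r["prefix"] == "0.0.0.0/0" and r["next_hop"] not in trusted_next_hops:
            findings.append(f"default route via untrusted next hop {r['next_hop']}")
        if r["code"] in DEFAULT_AD and r["ad"] != DEFAULT_AD[r["code"]]:
            findings.append(f"{r['prefix']}: {r['code']} route with distance {r['ad']}")
    return findings


if __name__ == "__main__":
    trusted, lan = {"172.10.1.1"}, {"FastEthernet0/0"}   # lab assumptions
    print("clean:", audit_routes(parse_routes(SAMPLE_R1), trusted, lan))
    print("rogue:", audit_routes(parse_routes(SAMPLE_ROGUE), trusted, lan))
```

The rogue line is exactly what passive-interface does not prevent on R1's FastEthernet0/0: the interface no longer sends updates, but it still accepts them, so the more specific 192.168.0.0/24 would win over the default route and pull SRV-bound traffic to the host at 172.10.0.77.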

3.6 OSPF and Default Route


Use the default-information originate statement to propagate the static default route into the
OSPF domain. OSPF only advertises the default when a default route is actually present in the
routing table (here the static route to Serial0/0); add the always keyword to advertise one
unconditionally.
router ospf 1

router-id 1.1.1.1

log-adjacency-changes

network 10.1.1.0 0.0.0.7 area 0

default-information originate
!

ip route 0.0.0.0 0.0.0.0 Serial0/0


Hands-on-Lab 6 RIPv2

Addressing Table
Device  Interface  IP Address       Subnet Mask      Default Gateway
HQ      F0/0                                         NA
        F0/1                                         NA
        S0/0       210.165.201.2    255.255.255.252  NA
        S0/1                                         NA
        S0/2                                         NA
B1      F0/0                                         NA
        F0/1                                         NA
        S0/0                                         NA
B2      F0/0                                         NA
        F0/1                                         NA
        S0/0                                         NA
ISP     F0/0       210.165.202.129  255.255.255.252  NA
        S0/0       210.165.201.1    255.255.255.252  NA
SRV                210.165.202.130  255.255.255.252  210.165.202.129
PC1
PC2
PC3
PC4
PC5
PC6

1. Select the devices (Cisco 1800 series, Cisco2800 series, and Cisco2600 series).

2. Design an addressing scheme


Address the LANs in order starting with LAN1, then LAN2. Use the first address for
the router interface and the last address for the PC.
Address the WANs in order starting with WAN1, then WAN2. HQ is the first usable
address in all WAN links.
Record the network addresses in dotted-decimal/slash format
Document the IP addresses, subnet masks and default gateway addresses.

3. Apply a basic configuration


Using your design, configure the routers with basic configuration, including
addressing and hostnames. Use cisco as the line password (console and telnet) and
class as the enable secret password. These are lab passwords only: Telnet carries them
in cleartext, so outside the lab use SSH and unique credentials.
Using your documentation, configure the PCs with an IP address, subnet mask,
and default gateway.

4. Test connectivity
Before continuing, make sure that each device can ping its directly connected
neighbor.

5. Configure and verify RIPv2 routing


Configure all devices with RIPv2 routing. In your configuration, make sure you include the
following
Disable automatic summarization
Stop routing updates on interfaces that are not connected to RIP neighbors
Set a default route from HQ to ISP

Redistribute default route from HQ


Use verification commands to check your configuration. All routers should be
converged on all the 10.1.0.0/24 and 172.16.1.224/29 subnets.

6. Test connectivity and examine the configuration

Test connectivity again and issue the show ip route command to verify the routing table.

7. Submit the document.


Hands-on-Lab 7 EIGRP

Addressing Table
Device  Interface  IP Address       Subnet Mask      Default Gateway
HQ      F0/0                                         NA
        F0/1                                         NA
        S0/0       210.165.201.2    255.255.255.252  NA
        S0/1                                         NA
        S0/2                                         NA
B1      F0/0                                         NA
        F0/1                                         NA
        S0/0                                         NA
B2      F0/0                                         NA
        F0/1                                         NA
        S0/0                                         NA
ISP     F0/0       210.165.202.129  255.255.255.252  NA
        S0/0       210.165.201.1    255.255.255.252  NA
SRV                210.165.202.130  255.255.255.252  210.165.202.129
PC1
PC2
PC3
PC4
PC5
PC6

1. Design an addressing scheme


For the LANs, use the address space 10.2.32.0/22. Starting with the largest
subnets requirements on B1, assign subnets in order throughout the topology.
LAN1 first, then LAN2.
For the WANs, use the address space 172.30.0.0/27. Assign WAN subnets
according to the following specifications
Subnet 0 to the WAN link between HQ and B1
Subnet 1 to the WAN link between HQ and B2
Subnet 2 to the WAN link between B1 and B2
Record the network addresses in dotted-decimal/slash format
Document the IP addresses, subnet masks and default gateway addresses.
For LANs, assign the first address to the router interface. Assign the last address to
the PC.
For WAN links to HQ, assign the first address to the HQ router.
For WAN links between branch routers, assign the first address to B1.

2. Apply a basic configuration


Using your design, configure the routers with basic configuration, including
addressing and hostnames. Use cisco as the line password (console and telnet).
Use class as the enable secret password.
Using your documentation, configure the PCs with an IP address, subnet mask,
and default gateway.

3. Test connectivity
Before continuing, make sure that each device can ping its directly connected
neighbor.

4. Configure and verify EIGRP routing



Configure all devices with EIGRP routing. In your configuration, make sure you include the
following
Disable automatic summarization
Stop routing updates on interfaces that are not connected to EIGRP neighbors
Use verification commands to check your configuration. All routers should be
converged on all the 10.2.32.0/22, and 172.30.0.0/28 subnets.

5. Fine-tune EIGRP
Adjust the bandwidth values used to calculate metrics. The links between the branch
routers are for backup purposes only. Configure the bandwidth value to 64 kbps on them so
that EIGRP does not equal-cost load balance across the T1 links to HQ and the backup
links to the neighboring branch router.
Change the hello interval on the 64 kbps links to 60 seconds, and the hold timer to
180 seconds (three times the hello interval).

6. Configure Static and Default Routing


Configure redistribution of default route so all routers and PCs can go to ISP. ISP
will need a default route configured.

7. Test connectivity and examine the configuration

Use verification commands such as show ip route, show ip eigrp topology, and
show ip eigrp neighbors.

8. Submit the document with Routers configuration and test result.


Hands-on-Lab 8 OSPF

Addressing Table
Device  Interface  IP Address      Subnet Mask      Default Gateway
R1      F0/0       10.1.1.1        255.255.255.248
        S0/0       211.165.202.2   255.255.255.252
R2      F0/0       10.1.1.2        255.255.255.248
        F0/1
        F1/0
R3      F0/0       10.1.1.3        255.255.255.248
        F0/1
R4      F0/0       10.1.1.4        255.255.255.248
        F0/1
        F1/0
ISP     F0/0       211.165.202.5   255.255.255.252
        S0/0       211.165.202.1   255.255.255.252
SRV                211.165.202.6                    211.165.202.5
PC1
PC2
PC3
PC4
PC5

1. Design an addressing scheme


Use the 172.40.0.0/16 to create an efficient addressing scheme that meets the following
requirements. Start with the largest network and move to the smallest.

Host Name  Interface  Number of Hosts
R2         F0/1       6000
R2         F1/0       800
R3         F0/1       2000
R4         F0/1       3500
R4         F1/0       1000

2. Apply a basic configuration

Using your design, configure the routers with a basic configuration, including
addressing and hostnames. Use cisco as the line password (console and telnet).
Use class as the enable secret password.
Assign the .10 address to the PCs. Make sure to include the default gateway.
Assign a default route to the SRV, and only the two specific static routes to
the ISP.

3. Configure Single-Area OSPF routing
Configure OSPF (Process ID 1) routing on each router.
Verify that all routes were learned.

4. Fine-tuning OSPF
R1 will never participate in a DR/BDR election.
R2 will always become the DR.
R3 and R4 will both have the same priority of 100.
R4 should always become the BDR.
All priorities should be set on f0/0.
Restart R1, R2, R3, and R4 to force the DR/BDR election.

5. Configure Static and Default Routing
On R1, create a default route to the ISP and propagate the route within OSPF
updates.

6. Test connectivity and examine the configuration
Use verification commands such as show ip route, show ip ospf database, and
show ip ospf neighbor.

7. Submit the document with the router configurations and test results.


4. LAN Switching <Day 6>

4.1. Layer 2 Switch Operation


A Layer 2 switch is basically a multiport transparent bridge, where each switch port is its
own Ethernet LAN segment, isolated from the others. Frame forwarding is based completely
on the MAC addresses contained in each frame, such that the switch will not forward a
frame unless it knows the destination's location.

At its most basic level, an Ethernet switch provides isolation from other connected hosts in
several ways:
The collision domain's scope is severely limited. On each switch port, the collision
domain consists of the switch port itself and the devices directly connected to that
port: either a single host or, if a shared-media hub is connected, the set of hosts
connected to the hub.
Host connections can operate in full-duplex mode because there is no contention on
the media. Hosts can talk and listen at the same time.
Bandwidth is no longer shared. Instead, each switch port offers dedicated bandwidth
across a switching fabric to another switch port. (These connections change
dynamically.)
Errors in frames are not propagated. Each frame received on a switch port is
checked for errors. Good frames are regenerated when they are forwarded or
transmitted. This is known as store-and-forward switching: frames are
received, stored for inspection, and then forwarded.
You can limit broadcast traffic to a volume threshold.
Other types of intelligent filtering or forwarding become possible.

Layer 2 switches contain queues where frames are stored after they are received and
before they are sent. When a Layer 2 switch receives a frame on a port, it places that frame
in one of the port's ingress queues. When the switch decides which port that frame should
be sent out of, it places the frame in that port's egress queue. If the destination MAC address
in the frame is not in the MAC address table, the frame is placed in the egress queue of all
ports and is flooded throughout the network. All the decisions are made simultaneously by
independent portions of switching hardware and can be described as follows:
L2 forwarding table
Security ACLs
QoS ACLs

Each port can be configured with multiple ingress or egress queues. Using Quality of
Service (QoS), each queue can be assigned a different priority. Thus, we can give a higher
preference to more critical traffic, such as video conferencing, by placing that traffic in a high
priority queue.

Before a Layer 2 switch can take a frame from one port's ingress queue to another port's
egress queue, it must consult two tables:
Content Addressable Memory (CAM), which is Cisco's term for the MAC address
table. It can also be referred to as the Layer 2 Forwarding Table. By default, idle
CAM table entries are kept for 300 seconds before they are deleted.
Ternary Content Addressable Memory (TCAM), which contains access lists that
can filter frames by MAC address, and QoS access lists to prioritize traffic. In
multi-layer switches, the TCAM also contains access lists to filter frames based on
IP address or TCP/UDP port.

4.2. LAN Switch Configuration and Operation

4.2.1. Configuring the Switch IP Address

To allow Telnet or SSH access to the switch, to allow other IP-based management protocols
such as Simple Network Management Protocol (SNMP) to function as intended, or to allow
access to the switch using graphical tools such as Cisco Device Manager (CDM), the switch
needs an IP address. Switches do not need an IP address to be able to forward Ethernet
frames. You can statically configure a switch with its IP address/mask/gateway, or the switch
can dynamically learn this information using DHCP.

An IOS-based switch configures its IP address and mask on a special virtual interface called
the VLAN 1 interface. This interface plays the same role as an Ethernet interface on a PC. In
effect, a switch's VLAN 1 interface gives the switch an interface into the default VLAN used
on all ports of the switch, namely VLAN 1.

(1) Static IP Address Configuration

Switch#configure terminal
Switch(config)#interface vlan 1
Switch(config-if)#ip address 192.168.1.10 255.255.255.0
Switch(config-if)#no shutdown
Switch(config-if)#exit
Switch(config)#ip default-gateway 192.168.1.1

(2) Dynamic IP Address Configuration with DHCP

Switch#configure terminal
Switch(config)#interface vlan 1
Switch(config-if)#ip address dhcp
Switch(config-if)#no shutdown
Switch(config-if)#exit

4.2.2. Configuring Switch Interfaces

You can configure the individual ports on a switch with various information and settings, as
detailed in the following sections.

(1) Selecting Ports to Configure

To select a single switch port, enter the following command in global configuration mode:

Switch(config)# interface type module/number

The port is identified by its Ethernet type (fastethernet, gigabitethernet, tengigabitethernet,
vlan).

To select several arbitrary ports for a common configuration setting, you can identify them
as a range entered as a list. All port numbers and the commas that separate them must be
separated with spaces. Use the following command in global configuration mode:

Switch(config)# interface range fastethernet 0/3, fastethernet 0/7, fastethernet 0/9
Switch(config)# interface range fastethernet 1/0 - 10


(2) Port Speed


You can assign a specific speed to switch ports through switch-configuration commands.
Fast Ethernet 10/100 ports can be set to speeds of 10, 100, and Auto (the default) for
autonegotiate mode. Gigabit Ethernet GBIC ports always are set to a speed of 1000,
whereas 1000BASE-T ports can be set to speeds of 10, 100, 1000, and Auto (the default).

To specify the port speed on a particular Ethernet port, use the following
interface-configuration command:

Switch(config-if)# speed {10 | 100 | 1000 | auto}

(3) Port Duplex Mode


You also can assign a specific link mode to Ethernet-based switch ports, so that the port
operates in half-duplex, full-duplex, or autonegotiated mode. Autonegotiation is allowed only
on UTP Fast Ethernet and Gigabit Ethernet ports. In this mode, the port participates in a
negotiation by attempting full-duplex operation first and then half-duplex operation if full
duplex is not successful. The autonegotiation process repeats whenever the link status
changes. Be sure to set both ends of a link to the same speed and duplex settings to
eliminate any chance that the two ends will be mismatched.

To set the link mode on a switch port, enter the following command in interface configuration
mode:
Switch(config-if)# duplex {auto | full | half}

For instance, you could use the following commands to configure 10/100/1000
interfaces GigabitEthernet 3/1 for autonegotiation and 3/2 for 100-Mbps full duplex (no
autonegotiation).
Switch(config)# interface gig 3/1
Switch(config-if)# speed auto
Switch(config-if)# duplex auto
Switch(config-if)# interface gig 3/2
Switch(config-if)# speed 100
Switch(config-if)# duplex full


4.2.3. Securing Unused Switch Interfaces

Cisco originally chose the default interface configuration settings on Cisco switches so that
the interfaces would work without any overt configuration. The interfaces automatically
negotiate the speed and duplex, and each interface begins in an enabled (no shutdown)
state, with all interfaces assigned to VLAN 1. Additionally, every interface defaults to
negotiating the use of VLAN features called VLAN trunking and VLAN Trunking Protocol (VTP).

The good intentions of Cisco for plug-and-play operation have an unfortunate side effect in
that the defaults expose switches to some security threats. So, for any currently unused switch
interfaces, Cisco makes some general recommendations to override the default interface
settings to make the unused ports more secure. The recommendations for unused
interfaces are as follows:
Administratively disable the interface using the shutdown interface subcommand.
Prevent VLAN trunking and VTP by making the port a nontrunking interface using
the switchport mode access interface subcommand.
Assign the port to an unused VLAN using the switchport access vlan number
interface subcommand.
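As an added example that is not from the textbook, the following Python script checks a saved running-config against the three recommendations above and prints the subcommands needed on any unused port that misses one. The configuration excerpt, the list of unused ports and the parking VLAN number 999 are constructed for the example.

```python
# Added example (not from the textbook): audit a running-config for unused
# ports that still have the insecure defaults described above.
import re

# Constructed running-config excerpt (not captured from a real switch)
SAMPLE_CONFIG = """\
!
interface FastEthernet0/1
 description user-port
 switchport mode access
 switchport access vlan 10
!
interface FastEthernet0/2
 shutdown
!
interface FastEthernet0/3
 switchport access vlan 999
 switchport mode access
 shutdown
!
interface FastEthernet0/4
!
interface GigabitEthernet0/1
 switchport mode trunk
!
"""

# Constructed: ports the administrator has declared unused, and the otherwise
# empty VLAN they should be parked in
UNUSED_PORTS = ["FastEthernet0/2", "FastEthernet0/3", "FastEthernet0/4"]
PARKING_VLAN = 999


def parse_interfaces(config_text):
    """Return {interface name: [subcommands]} from IOS running-config text."""
    interfaces, current = {}, None
    for line in config_text.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            interfaces[current] = []
        elif current is not None and line.startswith(" "):
            interfaces[current].append(line.strip())
        else:
            current = None          # '!' or a global command ends the stanza
    return interfaces


def audit_unused_ports(config_text, unused, parking_vlan):
    """Return {interface: [problems]} for unused ports missing a recommendation.

    IOS omits default settings from the running-config, so an interface with no
    'switchport access vlan' line is in VLAN 1, and one with no 'switchport mode'
    line is still free to negotiate a trunk.
    """
    interfaces = parse_interfaces(config_text)
    findings = {}
    for name in unused:
        cmds = interfaces.get(name, [])
        problems = []
        if "shutdown" not in cmds:
            problems.append("not administratively shut down")
        if "switchport mode access" not in cmds:
            problems.append("trunk negotiation not disabled (no 'switchport mode access')")
        vlan = 1
        for cmd in cmds:
            m = re.fullmatch(r"switchport access vlan (\d+)", cmd)
            if m:
                vlan = int(m.group(1))
        if vlan != parking_vlan:
            problems.append(f"in VLAN {vlan} instead of parking VLAN {parking_vlan}")
        if problems:
            findings[name] = problems
    return findings


def remediation_commands(findings, parking_vlan):
    """Interface subcommands, per the recommendations above, for each flagged port."""
    lines = []
    for name in sorted(findings):
        lines += [f"interface {name}",
                  " switchport mode access",
                  f" switchport access vlan {parking_vlan}",
                  " shutdown"]
    return lines


if __name__ == "__main__":
    found = audit_unused_ports(SAMPLE_CONFIG, UNUSED_PORTS, PARKING_VLAN)
    for port, problems in found.items():
        print(port, "->", "; ".join(problems))
    print("\n".join(remediation_commands(found, PARKING_VLAN)))
```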

4.2.4. Configuring the Layer 2 Forwarding Path with the MAC Address
Table (CAM)

All Catalyst switch models use a CAM table for Layer 2 switching. As frames arrive on
switch ports, the source MAC addresses are learned and recorded in the CAM table. The
port of arrival and the VLAN both are recorded in the table, along with a time stamp. If a
MAC address learned on one switch port has moved to a different port, the MAC address
and time stamp are recorded for the most recent arrival port. Then, the previous entry is
deleted. If a MAC address is found already present in the table for the correct arrival port,
only its time stamp is updated.

To view the contents of the CAM table, you can use the following form of the show mac
address-table EXEC command:
Switch# show mac address-table dynamic [address mac-address | interface type mod/num | vlan vlan-id]

To view all dynamic MAC entries in the CAM:

Destination Address  Address Type  VLAN  Destination Port
-------------------  ------------  ----  ----------------
0000.001e.2a52       Dynamic       1     FA1/1
0000.001e.345e       Dynamic       1     FA1/1
0000.001e.bb3a       Dynamic       1     FA1/1
0000.001e.eba3       Dynamic       1     FA1/2
0000.001e.face       Dynamic       1     FA1/3
0000.001e.3519       Dynamic       1     FA1/4
0000.001e.2dc1       Dynamic       1     FA1/5
0000.001e.8465       Dynamic       1     FA1/5
0050.8b11.54da       Dynamic       1     FA1/6

To view a specific dynamic address in the CAM:

Switch# show mac address-table dynamic address 0050.8b11.54da
          Mac Address Table
------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       ----        -----
  54    0050.8b11.54da    DYNAMIC     Fa0/6
Total Mac Addresses for this criterion: 1
Switch#

To view the number of MAC addresses per VLAN:

Switch# show mac address-table count

To clear the entire dynamic contents of the CAM:

Switch# clear mac address-table dynamic

To clear a single entry of the CAM:

Switch# clear mac address-table dynamic address 1234.5678.90ab

To change the aging timer for dynamically learned MAC addresses in the CAM from its
default of 300 seconds to 360 seconds:

Switch(config)# mac address-table aging-time 360

To statically add to the CAM a MAC address of 0011.2233.4455, which resides on Port
FA0/0 on VLAN 1:
Switch(config)# mac address-table static 0011.2233.4455 vlan 1 interface fa0/0
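As an added example (not from the textbook), the following Python model implements the CAM behaviour this section describes: source-address learning per VLAN and port, timestamp refresh, replacement of an entry when an address moves port, static entries that learning never overwrites, the 300-second aging default, and flooding of unknown destinations. The MAC addresses, port names and timestamps are constructed.

```python
# Added example (not from the textbook): a minimal CAM-table model with
# learning, port moves, aging and unknown-unicast flooding.

DEFAULT_AGING = 300   # seconds an idle dynamic entry is kept (the page's default)


class CamTable:
    def __init__(self, aging_time=DEFAULT_AGING):
        self.aging_time = aging_time
        self.entries = {}   # (vlan, mac) -> {"port", "seen", "static"}
        self.moves = []     # (mac, vlan, old_port, new_port, time): a useful audit trail

    def learn(self, src_mac, vlan, port, now):
        """Record the source MAC of a frame that arrived on `port` at time `now`."""
        key = (vlan, src_mac.lower())
        entry = self.entries.get(key)
        if entry and entry["static"]:
            return                          # static entries are never relearned
        if entry and entry["port"] != port:
            # Address has moved: the previous entry is replaced by the new port
            self.moves.append((key[1], vlan, entry["port"], port, now))
        # New address, moved address, or same port: the timestamp is refreshed
        self.entries[key] = {"port": port, "seen": now, "static": False}

    def add_static(self, mac, vlan, port):
        """Like 'mac address-table static <mac> vlan <n> interface <port>'."""
        self.entries[(vlan, mac.lower())] = {"port": port, "seen": None, "static": True}

    def age_out(self, now):
        """Delete dynamic entries idle longer than the aging time; return their MACs."""
        expired = [k for k, e in self.entries.items()
                   if not e["static"] and now - e["seen"] > self.aging_time]
        for k in expired:
            del self.entries[k]
        return [k[1] for k in expired]

    def lookup(self, dst_mac, vlan):
        entry = self.entries.get((vlan, dst_mac.lower()))
        return entry["port"] if entry else None

    def egress_ports(self, dst_mac, vlan, in_port, vlan_ports, now):
        """Ports the frame is queued on: the one known port, none if the
        destination sits on the ingress port, or every other port in the VLAN."""
        self.age_out(now)
        port = self.lookup(dst_mac, vlan)
        if port is None:
            return {p for p in vlan_ports if p != in_port}   # unknown: flood
        if port == in_port:
            return set()                                    # same segment: filter
        return {port}

    def show(self):
        """Lines in the spirit of 'show mac address-table'."""
        lines = ["Vlan  Mac Address     Type     Ports"]
        for (vlan, mac), e in sorted(self.entries.items()):
            kind = "STATIC" if e["static"] else "DYNAMIC"
            lines.append(f"{vlan:<5} {mac:<15} {kind:<8} {e['port']}")
        return lines


if __name__ == "__main__":
    cam = CamTable()
    cam.learn("0000.001e.2a52", 1, "Fa1/1", now=0)          # constructed frame
    cam.learn("0000.001e.2a52", 1, "Fa1/2", now=20)         # same host, new port
    print("\n".join(cam.show()))
    print("moves:", cam.moves)
```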

4.3. Spanning Tree Protocol (STP)


STP is a Layer 2 protocol that is used to maintain a loop-free switched network. Without
Spanning Tree Protocol (STP), frames would loop for an indefinite period of time in networks
with physically redundant links. To prevent looping frames, STP blocks some ports from
forwarding frames so that only one active path exists between any pair of LAN segments
(collision domains). The result of STP is both good and bad. Frames do not loop infinitely,
which makes the LAN usable, which is good. However, the network does not actively take
advantage of some of the redundant links, because they are blocked to prevent frames from
looping. Some users' traffic travels a seemingly longer path through the network, because a
shorter physical path is blocked, which is bad. However, the net result is good. If frames
looped indefinitely, the LAN would be unusable. So, STP has some minor unfortunate side
effects compared to the major benefit of letting you build redundant LANs.

Figure 7 - STP Configuration (figure: where each STP feature is applied. Core layer: Root Bridge and
Secondary Root Bridge, BackboneFast. Distribution layer: BackboneFast, Loop Guard. Access layer:
UplinkFast, PortFast, BPDU Guard, Root Guard, Port Security, DHCP Snooping, IP Source Guard,
Dynamic ARP Inspection.)



4.3.1. Types of STP

(1) Spanning Tree Protocol (IEEE 802.1D)

IEEE defines the original, or traditional, STP in the 802.1D IEEE standard. The Spanning
Tree Protocol (STP) provides network link redundancy so that a Layer 2 switched network
can recover from failures in a timely manner without intervention.

(2) Common Spanning Tree (IEEE 802.1Q)

The IEEE 802.1Q standard specifies how VLANs are to be trunked between switches. It
also specifies only a single instance of STP that encompasses all VLANs. This instance is
referred to as the Common Spanning Tree (CST). All CST BPDUs are transmitted over
trunk links using the native VLAN with untagged frames.

(3) Rapid Spanning Tree Protocol (IEEE 802.1w)

The IEEE has improved the 802.1D protocol with the definition of Rapid Spanning Tree
Protocol (RSTP), as defined in standard 802.1w. RSTP can be deployed alongside
traditional 802.1D STP bridges and switches, with RSTP features working in switches that
support it, and STP features working in the switches that support only STP. With all these
similarities, you might be wondering why the IEEE bothered to create RSTP in the first place.
The overriding reason is convergence. STP takes a relatively long time to converge (50
seconds with the default settings). RSTP improves network convergence when topology
changes occur.

The three waiting periods of (by default) 20 seconds for Maximum Age, 15 seconds for
Forward Delay (Listening), and 15 seconds for Forward Delay (Learning) create STP's
relatively slow convergence. RSTP convergence times typically take less than 10 seconds.
In some cases, they can be as low as 1 to 2 seconds.

(4) Per-VLAN Spanning Tree

Cisco has a proprietary version of STP that offers more flexibility than the CST version.
Per-VLAN Spanning Tree (PVST) operates a separate instance of STP for each individual
VLAN. This allows the STP on each VLAN to be configured independently, offering better
performance and tuning for specific conditions.


Because of its proprietary nature, PVST requires the use of Cisco Inter-Switch Link (ISL)
trunking encapsulation between switches. In networks where PVST and CST coexist,
interoperability problems occur. Each requires a different trunking method, so BPDUs are
never exchanged between STP types.

(5) Per-VLAN Spanning Tree Plus

Cisco has a second proprietary version of STP that allows devices to interoperate with both
PVST and CST. Per-VLAN Spanning Tree Plus (PVST+) effectively supports three groups
of STP operating in the same campus network:
Catalyst switches running PVST
Catalyst switches running PVST+
Switches running CST over 802.1Q

To do this, PVST+ acts as a translator between groups of CST switches and groups of
PVST switches.

(6) Rapid Per-VLAN Spanning Tree Protocol

Rapid Per-VLAN Spanning Tree Plus is a Cisco implementation of RSTP based on the 802.1w
standard. You can improve the efficiency of each STP instance by configuring a switch to
begin using RSTP instead. This means that each VLAN will have its own independent
instance of RSTP running on the switch. This mode is known as Rapid PVST+ (RPVST+).

4.3.2. Spanning Tree Operation


STP's job is to find all links in the network and shut down any redundant ones, thereby
preventing network loops from occurring. Firstly, STP will elect a root bridge/switch. Each
and every link between two switches must have one, and only one, designated port: the
port on that link that provides the highest bandwidth to the root. Every port on the root switch
is a designated port. Ports that are neither root ports nor designated ports are placed in the
blocking state, thus breaking the switching loop.

STP uses three criteria to choose whether to put an interface in forwarding state:
STP elects a root bridge. STP puts all interfaces on the root bridge in forwarding
state.
Each non-root bridge considers one of its ports to have the least administrative cost
between itself and the root bridge. STP places this least-root-cost interface, called
that bridge's root port, in forwarding state.
Many bridges can attach to the same Ethernet segment. The bridge with the lowest
administrative cost from itself to the root bridge, as compared with the other bridges
attached to the same segment, is placed in forwarding state. The lowest-cost bridge
on each segment is called the designated bridge, and that bridge's interface,
attached to that segment, is called the designated port.
All other interfaces are placed in blocking state. Table 10 summarizes the reasons
why STP places a port in forwarding or blocking state.

Table 10 STP: Reasons for Forwarding or Blocking

Characterization of Port          STP State   Description
All the root bridge's ports       Forwarding  The root bridge is always the designated bridge on
                                              all connected segments.
Each non-root bridge's root port  Forwarding  The root port is the port receiving the lowest-cost
                                              BPDU from the root.
Each LAN's designated port        Forwarding  The bridge forwarding the lowest-cost BPDU onto
                                              the segment is the designated bridge for that
                                              segment.
All other ports                   Blocking    The port is not used for forwarding frames, nor are
                                              any frames received on these interfaces
                                              considered for forwarding.

4.3.3. Root Bridge


The bridge ID is used to elect the root bridge in the STP domain and to determine the root
port for each of the remaining devices in the STP domain. This ID is 8 bytes long and
includes both the priority and the MAC address of the device. The default priority on all
devices running the IEEE STP version is 32768. If two switches or bridges happen to have
the same priority value, the MAC address becomes the tiebreaker for which one has the
lowest (best) ID. The lower value is the better one when it comes to electing a root bridge.

On a root bridge:
Switch(config)#spanning-tree vlan 1-100 root primary

Or specify the priority as 0 (zero). The priority must be 0-61440, and the default is 32,768.
Switch(config)#spanning-tree vlan 1-100 priority 0

On a secondary root bridge:

Switch(config)#spanning-tree vlan 1-100 root secondary

On the other bridges, set a less preferred (numerically higher) priority, such as 49,152:

Switch(config)#spanning-tree vlan 1-100 priority 49152

4.3.4. Root Ports and Designated Ports


The second step in the STP process is identifying Root Ports, or the port on each switch that
has the lowest path cost to get to the Root Bridge. Each switch has only one Root Port, and
the Root Bridge cannot have a Root Port.

The Root Path Cost for each active port of a switch is determined by the cumulative cost as
a BPDU travels along. As a switch receives a BPDU, the port cost of the receiving port is
added to the root path cost in the BPDU. The port or port path cost is inversely proportional
to the port's bandwidth. If desired, a port's cost can be modified from the default value.

To set a switch port's path cost:

Switch(config-if)# spanning-tree [vlan vlan-id] cost cost-value

For example, a Gigabit Ethernet interface has a default port cost of 4. You can use the
following command to change the cost to 2, but only for VLAN 10:
Switch(config-if)# spanning-tree vlan 10 cost 2

You can see the port cost of an interface by using the following command:
Switch# show spanning-tree interface type mod/num [cost]

As an example, GigabitEthernet 0/1 is configured as a trunk port, carrying VLANs 1, 10, and
20. The following output shows the port cost for each of the VLANs.

Displaying STP Port Cost Values on an Interface:

Switch# show spanning-tree interface gigabitEthernet 0/1
Vlan             Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
VLAN0001         Root FWD 4         128.1    P2p
VLAN0010         Desg FWD 2         128.1    P2p
VLAN0020         Root FWD 4         128.1    P2p

To change an interface's path cost from its default:

Switch(config)# int f0/24
Switch(config-if)# spanning-tree cost 4

Table 11 STP Path Cost

Link Bandwidth   STP Cost
4 Mbps           250
10 Mbps          100
16 Mbps          62
45 Mbps          39
100 Mbps         19
155 Mbps         14
622 Mbps         6
1 Gbps           4
10 Gbps          2

The next criterion in an STP decision is the port ID. The port ID value that a switch uses is
actually a 16-bit quantity: 8 bits for the port priority and 8 bits for the port number. The port
priority is a value from 0 to 255 and defaults to 128 for all ports. Whichever interface has the
lowest Port ID will become the Root Port. Remember that port priority is the last tiebreaker
STP will consider. Lowering this value will ensure a specific interface becomes the Root
Port.

To configure port priority:

Switch(config-if)# spanning-tree [vlan vlan-id] port-priority port-priority

Switch(config)# int fa0/10
Switch(config-if)# spanning-tree port-priority 50

To confirm STP port priority values with the show spanning-tree interface command:
Switch#show spanning-tree interface gigabitEthernet 3/16

Vlan             Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
VLAN0010         Desg FWD 4         64.144   Edge P2p
VLAN0100         Desg FWD 4         64.144   Edge P2p
VLAN0200         Desg FWD 4         128.144  Edge P2p

The third and final step in the STP process is to identify Designated Ports. Each network
segment requires a single Designated Port, which has the lowest path cost leading to the
Root Bridge. This port will not be placed in a blocking state. A port cannot be both a
designated Port and a Root Port. Ports on the Root Bridge are never placed in a blocking
state, and thus become Designated Ports for directly attached segments.
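The following Python script is an added example, not from the textbook, that works the three steps of sections 4.3.2 to 4.3.4 on a small topology: lowest bridge ID wins the root election, each non-root switch picks its root port by root path cost (with sender bridge ID, sender port ID and receiving port ID as tiebreakers, in 802.1D order), and each segment's lowest-cost bridge owns the designated port. Port costs come from Table 11; the switch names and bridge MAC addresses are those of the two-switch example later in this chapter, and the port numbers and the extra triangle topology in the test are constructed.

```python
# Added example (not from the textbook): STP role computation for a small
# topology. Bridge MACs are the ones in the two-switch example of this chapter;
# everything else is constructed.
DEFAULT_COST = {10: 100, 100: 19, 1000: 4, 10000: 2}   # Mbps -> cost (Table 11)
INF = float("inf")


class Switch:
    def __init__(self, name, mac, priority=32768, sys_id_ext=1):
        self.name = name
        # Bridge ID = priority (plus VLAN number as sys-id-ext) and MAC; lower wins
        self.bridge_id = (priority + sys_id_ext, mac.lower())
        self.ports = {}         # number -> {"cost", "priority", "peer", "peer_port"}
        self.root_cost = INF    # cumulative path cost to the root bridge
        self.root_port = None

    def add_port(self, number, mbps, cost=None, priority=128):
        self.ports[number] = {"cost": DEFAULT_COST[mbps] if cost is None else cost,
                              "priority": priority, "peer": None, "peer_port": None}

    def port_id(self, number):
        # Port ID = 8-bit port priority (default 128) followed by the port number
        return (self.ports[number]["priority"], number)


def connect(a, pa, b, pb):
    """Cable port pa of switch a to port pb of switch b."""
    a.ports[pa]["peer"], a.ports[pa]["peer_port"] = b, pb
    b.ports[pb]["peer"], b.ports[pb]["peer_port"] = a, pa


def compute_stp(switches):
    """Return (root bridge name, {switch name: {port: 'Root' | 'Desg' | 'Altn'}})."""
    # Step 1: the lowest bridge ID (priority, then MAC) is the root bridge
    root = min(switches, key=lambda s: s.bridge_id)
    for s in switches:
        s.root_cost, s.root_port = (0, None) if s is root else (INF, None)

    # Step 2: each non-root switch keeps the best BPDU it hears. The receiving
    # port adds its own cost; ties go to the lowest sender bridge ID, then the
    # lowest sender port ID, then the lowest receiving port ID. Repeat until stable.
    changed = True
    while changed:
        changed = False
        for s in switches:
            if s is root:
                continue
            best = None
            for num, p in s.ports.items():
                peer = p["peer"]
                if peer is None or peer.root_cost == INF:
                    continue
                cand = (peer.root_cost + p["cost"], peer.bridge_id,
                        peer.port_id(p["peer_port"]), s.port_id(num))
                if best is None or cand < best[0]:
                    best = (cand, num)
            if best and (best[0][0], best[1]) != (s.root_cost, s.root_port):
                s.root_cost, s.root_port = best[0][0], best[1]
                changed = True

    # Step 3: on every segment the switch advertising the lowest-cost BPDU is the
    # designated bridge (the root always is); remaining ports block (Altn)
    roles = {s.name: {} for s in switches}
    for s in switches:
        for num, p in s.ports.items():
            peer = p["peer"]
            if num == s.root_port:
                roles[s.name][num] = "Root"
            elif peer is None:
                roles[s.name][num] = "Desg"      # no other bridge on this segment
            else:
                mine = (s.root_cost, s.bridge_id, s.port_id(num))
                theirs = (peer.root_cost, peer.bridge_id, peer.port_id(p["peer_port"]))
                roles[s.name][num] = "Desg" if mine < theirs else "Altn"
    return root.name, roles


def two_switch_topology(s1_fa12_cost=None):
    """S1 and S2 cabled Fa0/9-Fa0/9 and Fa0/12-Fa0/12, both 100 Mbps links.
    s1_fa12_cost overrides S1 Fa0/12's cost, as 'spanning-tree cost 2' would."""
    s1 = Switch("S1", "0019.568d.4880")
    s2 = Switch("S2", "0009.43bd.7340")
    for n in (9, 12):
        s1.add_port(n, 100)
        s2.add_port(n, 100)
    if s1_fa12_cost is not None:
        s1.ports[12]["cost"] = s1_fa12_cost
    connect(s1, 9, s2, 9)
    connect(s1, 12, s2, 12)
    return compute_stp([s1, s2])


if __name__ == "__main__":
    for override in (None, 2):      # default costs, then S1 Fa0/12 cost 2
        root, roles = two_switch_topology(override)
        print(f"root={root} S1={roles['S1']} S2={roles['S2']}")
```

With default costs S1 breaks the tie on port ID and Fa0/12 blocks; with cost 2 on Fa0/12 that port becomes the root port and Fa0/9 blocks instead.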

4.3.5. PortFast
PortFast enables fast connectivity to be established on access-layer switch ports to
workstations that are booting up.

Enable PortFast by default:

Switch(config)#spanning-tree portfast default
%Warning: this command enables portfast by default on all interfaces. You
should now disable portfast explicitly on switched ports leading to hubs,
switches and bridges as they may create temporary bridging loops.

Disable PortFast on ports to the uplink, hub, and switch:

Switch(config)#interface range GigabitEthernet 0/1 - 2
Switch(config-if-range)#no spanning-tree portfast

The switchport host macro configures an access port and enables PortFast:

Switch(config)#interface range fastEthernet 0/1 - 24
Switch(config-if-range)#switchport host
switchport mode will be set to access
spanning-tree portfast will be enabled
channel group will be disabled

4.3.6. UplinkFast
UplinkFast enables fast-uplink failover on an access-layer switch when dual uplinks are
connected into the distribution layer.

Configure on the access switch only:

Switch(config)#spanning-tree uplinkfast

4.3.7. BackboneFast
BackboneFast enables fast convergence in the network backbone (core) after a
spanning-tree topology change occurs.

If you enable BackboneFast, you must configure it on all switches.

Switch(config)#spanning-tree backbonefast

4.3.8. Root Guard

Root guard keeps a port from ever becoming a root port: if a superior BPDU arrives on it, the
port is placed in the root-inconsistent (blocking) state until the superior BPDUs stop.

Switch(config)#int range f 0/1 - 24
Switch(config-if-range)#spanning-tree guard root

4.3.9. Loop Guard

Loop guard stops a non-designated port from moving to forwarding when BPDUs stop
arriving on it (for example, over a unidirectional link); the port is placed in the
loop-inconsistent state instead.

Switch(config)#int range g 0/1 - 2
Switch(config-if-range)#spanning-tree guard loop

4.3.10 BPDU Guard


The BPDU guard feature was developed to further protect the integrity of switch ports that
have PortFast enabled. If any BPDU (whether superior to the current root or not) is received
on a port where BPDU guard is enabled, that port immediately is put into the errdisable
state.

To configure BPDU guard as a global default, affecting all switch ports with a single
command,
Switch(config)# spanning-tree portfast bpduguard default

To enable or disable BPDU guard on a per-port basis,


Switch(config-if)# [no] spanning-tree bpduguard enable

4.3.11 BPDU Filtering


In special cases when you need to prevent BPDUs from being sent or processed on one or
more switch ports, you can use BPDU filtering to effectively disable STP on those ports.

To configure BPDU filtering as a global default,


Switch(config)#spanning-tree portfast bpdufilter default

4.3.12 UDLD
A fiber link is really two unidirectional links, one in each direction (uplink and downlink). If
one of them fails, STP cannot detect the problem. UDLD (Unidirectional Link Detection)
must be configured on fiber and SFP ports in order to detect unidirectional link problems.

If it is configured in global configuration mode, it is applied to all the fiber ports; otherwise,
configure it only on a specific interface. It must be enabled at both ends of the fiber.
Switch(config)#udld enable

4.3.13 Spanning Tree Protocol Configuration


Cisco switches use STP by default. You can buy some switches, connect them with
Ethernet cables in a redundant topology, and STP will ensure that no loops exist, and you
never even need to think about changing any of the settings. Still, you might want to change
some of STP's default settings. This section shows a simple example of how to examine STP
parameters and change some common STP parameters.

The following examples were taken from a small network with two switches, as shown in
Figure 10. Two 2950s connect using crossover cables. The cables are plugged into
interfaces 0/9 and 0/12 on both switches.

Figure 8 Two-Switch Network (figure: S1-2950 and S2-2950 connected Fa0/9 to Fa0/9 and
Fa0/12 to Fa0/12)

(1) Basic STP Show commands


Example 1 lists information about the current state of STP in this network, with all default
STP parameters.

S1#sh spanning-tree
VLAN0001
  Spanning tree enabled protocol ieee
  Root ID    Priority    32769
             Address     0009.43bd.7340
             Cost        19
             Port        9 (FastEthernet0/9)
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    32769  (priority 32768 sys-id-ext 1)
             Address     0019.568d.4880
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time 300

Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Fa0/9            Root FWD 19        128.9    P2p
Fa0/12           Altn BLK 19        128.12   P2p

S2#sh spanning-tree
VLAN0001
  Spanning tree enabled protocol rstp
  Root ID    Priority    32769
             Address     0009.43bd.7340
             This bridge is the root
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    32769  (priority 32768 sys-id-ext 1)
             Address     0009.43bd.7340
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time 300

Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Fa0/9            Desg FWD 19        128.9    P2p Peer(STP)
Fa0/12           Desg FWD 19        128.12   P2p Peer(STP)

This example lists the output of the show spanning-tree command on SW1. At the beginning
of the example, the SW1 output lists the root bridge ID, comprised of the priority and MAC
address, first. The bridge ID combines the priority and the MAC address used to identify
each bridge or switch. Next, the output lists SW1-2950's own bridge ID. Notice that the root
bridge ID is different from SW1-2950's bridge ID.

The topology in this example ends up with SW2 as the root bridge, so it forwards on both
interfaces. SW1-2950 receives BPDUs on FastEthernet ports 0/9 and 0/12. From the
topology, you know that the two BPDUs are both from SW2, and both tie in every respect.
However, SW1 must choose one interface to put into forwarding state and one into blocking
state to avoid a loop. You can see in the example that the port cost is 19 on each interface,
the default IEEE port cost for FastEthernet interfaces. So SW1 breaks the tie by using the
lowest internal interface number, which is FastEthernet 0/9. So, in the example, you see
SW1 port 0/9 in forwarding state and 0/12 in blocking state.

(2) Changing STP Port Costs and Bridge Priority

In Example 2, the configuration changes to affect the spanning tree. First, on S1, the port cost is changed on FastEthernet 0/12, which makes S1 transition that port from blocking state to forwarding state and interface FastEthernet 0/9 from forwarding state to blocking state. Next, S1 becomes the root by changing its bridge priority.

S1#debug spanning-tree switch state
Spanning Tree Port state changes debugging is on
S1(config)#int f0/12
S1(config-if)#spanning-tree cost 2
S1(config-if)#
00:36:21: STP: VLAN0001 new root port Fa0/12, cost 2
00:36:21: STP SW: Fa0/12 new listening req for 1 vlans
00:36:21: STP: VLAN0001 Fa0/12 -> listening
00:36:21: STP: VLAN0001 sent Topology Change Notice on Fa0/12
00:36:21: STP SW: Fa0/9 new blocking req for 1 vlans
00:36:21: STP: VLAN0001 Fa0/9 -> blocking
00:36:36: STP SW: Fa0/12 new learning req for 1 vlans
00:36:36: STP: VLAN0001 Fa0/12 -> learning
00:36:51: STP SW: Fa0/12 new forwarding req for 1 vlans
00:36:51: STP: VLAN0001 Fa0/12 -> forwarding

S1#sh spanning-tree

VLAN0001
  Spanning tree enabled protocol ieee
  Root ID    Priority    32769
             Address     0009.43bd.7340
             Cost        2
             Port        12 (FastEthernet0/12)
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    32769  (priority 32768 sys-id-ext 1)
             Address     0019.568d.4880
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  300

Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Fa0/9            Altn BLK 19        128.9    P2p
Fa0/12           Root FWD 2         128.12   P2p

S1(config)#spanning-tree vlan 1 root primary
S1(config)#
00:43:16: setting bridge id (which=1) prio 24577 prio cfg 24576 sysid 1 (on) id 6001.0019.568d.4880
00:43:16: STP: VLAN0001 we are the spanning tree root
00:43:16: STP SW: Fa0/9 new listening req for 1 vlans
00:43:16: STP: VLAN0001 Fa0/9 -> listening
00:43:16: STP: VLAN0001 Topology Change rcvd on Fa0/9
00:43:16: STP: VLAN0001 Topology Change rcvd on Fa0/9
00:43:31: STP SW: Fa0/9 new learning req for 1 vlans
00:43:31: STP: VLAN0001 Fa0/9 -> learning
00:43:46: STP SW: Fa0/9 new forwarding req for 1 vlans
00:43:46: STP: VLAN0001 Fa0/9 -> forwarding

S1#sh spanning-tree

VLAN0001
  Spanning tree enabled protocol ieee
  Root ID    Priority    24577
             Address     0019.568d.4880
             This bridge is the root
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    24577  (priority 24576 sys-id-ext 1)
             Address     0019.568d.4880
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  300

Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Fa0/9            Desg FWD 19        128.9    P2p
Fa0/12           Desg FWD 2         128.12   P2p

S2#sh spanning-tree

VLAN0001
  Spanning tree enabled protocol rstp
  Root ID    Priority    24577
             Address     0019.568d.4880
             Cost        19
             Port        9 (FastEthernet0/9)
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    32769  (priority 32768 sys-id-ext 1)
             Address     0009.43bd.7340
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  300

Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Fa0/9            Root FWD 19        128.9    P2p Peer(STP)
Fa0/12           Altn BLK 19        128.12   P2p Peer(STP)

This example starts with the debug spanning-tree switch state command on S1. This command tells the switch to issue informational messages whenever STP performs any significant work; the messages show up in the example as a result of the configuration commands that follow. Next, the port cost of S1 interface FastEthernet 0/12 is changed using the spanning-tree cost 2 command. (The default cost on a 100-Mbps link is 19.) Immediately following this command, you see the first meaningful debug messages. S1 issues a message, with a time stamp, each time an interface transitions to another state.

Notice that the message stating that FastEthernet 0/12 moves to listening state is followed by a message stating that FastEthernet 0/12 has been placed in learning state, and the time stamp shows that this message was issued 15 seconds after the first one. Similarly, the message stating that FastEthernet 0/12 was placed in forwarding state appears 15 seconds after that. So the debug messages simply reinforce the notion of the Forward Delay timer (15 seconds per state by default). Following the debug messages, the output of the show spanning-tree command lists FastEthernet 0/9 as blocking and FastEthernet 0/12 as forwarding, with the cost to the root bridge now only 2, based on the changed cost of interface FastEthernet 0/12.

The next change occurs when the spanning-tree vlan 1 root primary command is issued on S1. This command is a macro: it sets the bridge priority to 24,576 (or, if the current root already uses 24,576 or less, to 4,096 below that root's priority), which makes S1 the root. The debug line "setting bridge id ... prio 24577 prio cfg 24576 sysid 1" and the message "we are the spanning tree root" confirm this fact, and S2's output now lists the new root ID with Fa0/9 as its root port. Keep in mind that the macro only computes a value once, at the moment it is run: any switch connected later with a still lower priority, or the same priority and a lower MAC address, takes the root role away and reshapes the whole tree. A production design therefore fixes the intended root with a deliberately low priority and protects the ports on which no root should ever be heard, as Step 7 of the lab at the end of this chapter requires.
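The root-port and root-bridge reasoning above can be checked mechanically. The following Python script is an added example; it is not part of the textbook and not a Cisco tool. It parses show spanning-tree output into the root ID, root port and per-port role/state, and compares two snapshots so that a change of root bridge produces an alert, which is how an operator notices an unplanned root takeover rather than the planned one shown here. The two sample outputs embedded in it are S2's displays from this section, before and after the root primary command on S1; the function and variable names are the example's own.

```python
"""Parse Cisco 'show spanning-tree' output and alert on a root-bridge change.

Added example; not part of the textbook and not a Cisco tool.  The two sample
outputs are S2's displays from this section, before and after
'spanning-tree vlan 1 root primary' was issued on S1.
"""
import re
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class StpVlan:
    vlan: str
    protocol: str = ""
    root_priority: int = 0
    root_mac: str = ""
    is_root: bool = False
    root_cost: Optional[int] = None
    root_port: Optional[str] = None
    bridge_priority: int = 0
    bridge_mac: str = ""
    ports: dict = field(default_factory=dict)   # name -> (role, state, cost)


PRIO_RE = re.compile(r"Priority\s+(\d+)")
PORT_RE = re.compile(r"^(\S+)\s+(Root|Desg|Altn|Back)\s+(FWD|BLK|LRN|LIS|LBK)\s+(\d+)\s+\d+\.\d+")


def parse_show_spanning_tree(text):
    """Return {vlan_name: StpVlan} for every VLANxxxx block in the output."""
    vlans, cur, section = {}, None, None
    for raw in text.splitlines():
        s = raw.strip()
        if re.fullmatch(r"VLAN\d{4}", s):
            cur = vlans[s] = StpVlan(s)
        elif cur is None:
            continue
        elif s.startswith("Spanning tree enabled protocol"):
            cur.protocol = s.split()[-1]
        elif s.startswith("Root ID"):        # the lines that follow describe the root
            section, cur.root_priority = "root", int(PRIO_RE.search(s).group(1))
        elif s.startswith("Bridge ID"):      # ... and these describe the switch itself
            section, cur.bridge_priority = "bridge", int(PRIO_RE.search(s).group(1))
        elif s.startswith("Address"):
            setattr(cur, "root_mac" if section == "root" else "bridge_mac", s.split()[1])
        elif s.startswith("This bridge is the root"):
            cur.is_root = True
        elif s.startswith("Cost") and section == "root":
            cur.root_cost = int(s.split()[1])
        elif s.startswith("Port") and section == "root":
            cur.root_port = re.search(r"\((\S+)\)", s).group(1)
        else:
            m = PORT_RE.match(s)
            if m:
                cur.ports[m.group(1)] = (m.group(2), m.group(3), int(m.group(4)))
    return vlans


def blocked_ports(v):
    return sorted(name for name, (_, state, _) in v.ports.items() if state == "BLK")


def root_changes(before, after):
    """One message per VLAN whose root bridge ID differs between two snapshots."""
    msgs = []
    for vlan, new in after.items():
        old = before.get(vlan)
        if old is None or (old.root_priority, old.root_mac) == (new.root_priority, new.root_mac):
            continue
        why = "lower priority" if new.root_priority < old.root_priority else "lower MAC"
        msgs.append(f"{vlan}: root {old.root_priority}/{old.root_mac} -> "
                    f"{new.root_priority}/{new.root_mac} ({why}); root port now "
                    f"{new.root_port}, blocked {blocked_ports(new)}")
    return msgs


# Sample input: S2's two displays from this section (S1 became root in between).
S2_BEFORE = """\
S2#sh spanning-tree
VLAN0001
  Spanning tree enabled protocol rstp
  Root ID    Priority    32769
             Address     0009.43bd.7340
             This bridge is the root
  Bridge ID  Priority    32769  (priority 32768 sys-id-ext 1)
             Address     0009.43bd.7340
Interface        Role Sts Cost      Prio.Nbr Type
Fa0/9            Desg FWD 19        128.9    P2p Peer(STP)
Fa0/12           Desg FWD 19        128.12   P2p Peer(STP)
"""
S2_AFTER = """\
S2#sh spanning-tree
VLAN0001
  Spanning tree enabled protocol rstp
  Root ID    Priority    24577
             Address     0019.568d.4880
             Cost        19
             Port        9 (FastEthernet0/9)
  Bridge ID  Priority    32769  (priority 32768 sys-id-ext 1)
             Address     0009.43bd.7340
Interface        Role Sts Cost      Prio.Nbr Type
Fa0/9            Root FWD 19        128.9    P2p Peer(STP)
Fa0/12           Altn BLK 19        128.12   P2p Peer(STP)
"""

if __name__ == "__main__":
    for line in root_changes(parse_show_spanning_tree(S2_BEFORE), parse_show_spanning_tree(S2_AFTER)):
        print("ALERT", line)
```

Run periodically against show spanning-tree collected from each switch (or fed from a terminal-server log), the alert fires on exactly the event the debug output above shows from the inside: a new root ID, and the root port and blocked ports that the new root implies.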

(3) Example STP Configuration

Figure 9 Three-Switch Network

First, configure Switch1:

Switch1(config)#int vlan 1
Switch1(config-if)#ip address 172.16.0.10 255.255.255.0
Switch1(config-if)#no shutdown

Configure Switch2, then ping Switch1 from Switch2:

Switch2(config)#int vlan 1
Switch2(config-if)#ip add 172.16.0.20 255.255.255.0
Switch2(config-if)#no shutdown

Switch2#ping 172.16.0.10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.0.10, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/5 ms

Configure Switch3:

Switch3(config)#int vlan 1
Switch3(config-if)#ip address 172.16.0.30 255.255.255.0
Switch3(config-if)#no shutdown

Ping Switch1 and Switch2 from Switch3:

Switch3#ping 172.16.0.10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.0.10, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/7/12 ms

Switch3#ping 172.16.0.20
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.0.20, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/9/14 ms

Switch1#sh spanning-tree

VLAN0001
  Spanning tree enabled protocol ieee
  Root ID    Priority    1
             Address     0060.3E3A.DE25
             This bridge is the root
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    1  (priority 0 sys-id-ext 1)
             Address     0060.3E3A.DE25
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  20

Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Fa0/1            Desg FWD 100       128.1    P2p
Fa0/2            Desg FWD 19        128.2    P2p
Fa0/3            Desg FWD 19        128.3    P2p
Fa0/4            Desg FWD 19        128.4    P2p

Switch2#show spanning-tree

VLAN0001
  Spanning tree enabled protocol ieee
  Root ID    Priority    1
             Address     0060.3E3A.DE25
             Cost        19
             Port        1 (FastEthernet0/1)
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    32769  (priority 32768 sys-id-ext 1)
             Address     000C.853E.006E
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  20

Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Fa0/1            Root FWD 19        128.1    P2p
Fa0/2            Altn BLK 19        128.2    P2p

Switch3#show spanning-tree

VLAN0001
  Spanning tree enabled protocol ieee
  Root ID    Priority    1
             Address     0060.3E3A.DE25
             Cost        19
             Port        2 (FastEthernet0/2)
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    32769  (priority 32768 sys-id-ext 1)
             Address     000C.85DA.5AB3
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  20

Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Fa0/1            Altn BLK 100       128.1    P2p
Fa0/2            Root FWD 19        128.2    P2p

Hands-on-Lab 9 Switching Lab

Figure: Hands-on Lab 9 topology as drawn. S1 (ports Fa0/2 and Fa0/4) and S2 (ports Fa0/2 and Fa0/3) form the top of a triangle, with S3 (ports Fa0/4 and Fa0/3 towards the upper switches) below them; PC1 and PC2 attach to S3 on Fa0/10 and Fa0/9.

Switch        Switch  Enable Secret  Enable, VTY and     VLAN 1 IP    Default Gateway  Subnet Mask
Designation   Name    Password       Console Passwords   Address      IP Address
Switch1       S1      ictti          cisco               172.16.1.10  172.16.1.1       255.255.255.0
Switch2       S2      ictti          cisco               172.16.1.11  172.16.1.1       255.255.255.0
Switch3       S3      ictti          cisco               172.16.1.12  172.16.1.1       255.255.255.0
Switch4       S4      ictti          cisco               172.16.1.13  172.16.1.1       255.255.255.0

Objective
Create a basic switch configuration and verify it.
Determine which switch is selected as the root switch with the factory default
settings.
Force the other switch to be selected as the root switch.

Background/Preparation

Cable a network similar to the one in the diagram. The configuration output used in this lab
is produced from a 2950 series switch. Any other switch used may produce different output.
The following steps are to be executed on each switch unless specifically instructed
otherwise.

Step 1 Configure the switches


Configure the hostname, access and command mode passwords, as well as the
management LAN settings. These values are shown in the chart.

Step 2 Configure the hosts attached to the switches


Configure the host to use the same subnet for the address, mask, and default gateway as
on the switch.

Step 3 Verify connectivity and display the show interface VLAN options

Ping between the switches, then use show interface vlan 1 and show version to collect the following.
a. What are the MAC addresses of the switches S1, S2 and S3?
______________________________________________________________________
______________________________________________________________________
______________________________________________________________________
b. Which switch should be the root of the spanning tree for VLAN 1? (All three still use the default priority, so the lowest bridge ID is decided by the lowest MAC address.) __________________
______________________________________________________________________

Step 4 Display the spanning-tree table on each switch


Examine the output and answer the following questions.
a. Which switch is the root switch? _____________________________________________
b. What is the priority of the root switch? ________________________________________
c. What is the bridge id of the root switch? _______________________________________
d. Which ports are forwarding on the root switch? _________________________________
e. Which ports are blocking on the root switch? ___________________________________
f. What is the priority of the non-root switch? _____________________________________
g. What is the bridge id of the non-root switch? ___________________________________
h. Which ports are forwarding on the non-root switch? ______________________________
i. Which ports are blocking on the non-root switch? ________________________________
j. What is the status of the link light on the blocking port? ___________________________


Step 5 Reassign the root bridge


It has been determined that the switch selected as the root bridge, by using default values,
is not the best choice. S2 is preferred as the root switch. It is necessary to force the S2
switch as shown in figure to become the root switch. It is also necessary to force the S1
switch to become the secondary root bridge.

Step 6 Display the switch spanning-tree table after reassigning

Examine the output and answer the following questions.
a. Which switch is the root switch? _____________________________________________
b. What is the priority of the root switch? ________________________________________
c. What is the bridge id of the root switch? _______________________________________
d. Which ports are forwarding on the root switch? _________________________________
e. Which ports are blocking on the root switch? ___________________________________
f. What is the priority of the secondary-root switch? ________________________________
g. What is the bridge id of the secondary-root switch?______________________________
h. Which ports are forwarding on the secondary-root switch? ________________________
i. What is the priority of the non-root switch? _____________________________________
j. What is the bridge id of the non-root switch? ___________________________________
k. Which ports are forwarding on the non-root switch? ______________________________
l. Which ports are blocking on the non-root switch? ________________________________
m. What is the status of the link light on the blocking port? ____________________________

Step 7 Apply STP features in the network

Configure the following conditions.
a. When the new switch S4 is connected to S3 on fa0/4, S4 must never be able to become root: the port facing S4 has to refuse a superior BPDU rather than accept S4 as root.
b. The ports to PC1 and PC2 need faster STP convergence by bypassing the usual listening and learning states (PortFast), eliminating the normal 30 seconds of STP delay.
c. BPDU guard is needed on every user port where PortFast is enabled, so that a port that should face only a host is disabled if it ever receives a BPDU.

Step 8 Verify the running configuration files on each switch


Display the running configuration of the switches that were changed to be the root bridge and the secondary root bridge and that had STP features configured, and confirm that each change appears there.


5. Virtual LANs <Day 7>

5.1. Introduction to VLAN


A flat network topology, as illustrated in Figure 10, is adequate for small networks and is implemented using Layer 2 switching. There is no hierarchy in a flat network design, and because each network device within the topology performs the same job, a flat network design is easy to implement and manage. Because the flat topology is not divided into layers or modules, however, troubleshooting and isolating network faults can be more challenging than in a hierarchical network. In a small network this might not be an issue, as long as the network stays small and manageable. Logically the whole flat network is a single broadcast domain, even though the physical design is not flat: in the figure, Host A sends a broadcast and every port on every switch forwards it.

Figure 10 - Flat Network Structure (Host A's broadcast reaches every port on every switch)

The largest benefit of a Layer 2 switched network, shown in Figure 11, is that an individual collision domain segment is created for each device plugged into a switch port. Broadcasts are not contained by switching, though: the larger the number of users and devices, the more broadcasts and packets each switch must handle.

Figure 11 - Benefit of Switched Network (Host A and Host D each on their own switch port)

One considerable issue in switched networks is security. By default, all users can see all devices in a typical Layer 2 switched internetwork: you cannot stop devices from broadcasting, and you cannot stop users from trying to respond to those broadcasts. Problems of this kind are solved by combining Layer 2 switching with virtual LANs (VLANs).

5.1.1. VLAN Basic


A virtual LAN (VLAN) is a logical broadcast domain: a logical grouping of network users and resources connected to administratively defined ports on a switch.

Figure 12 - Concept of Virtual LANs (two physical LANs, the Software Development department and the Network Technology department, each carrying VLAN1, VLAN2 and VLAN3)

When VLANs are created, you gain the ability to create smaller broadcast domains within a Layer 2 switched internetwork by assigning different ports on the switch to different sub-networks. A VLAN is treated like its own subnet or broadcast domain, meaning that frames broadcast onto the network are only switched between the ports logically grouped within the same VLAN. In other words, a VLAN is a broadcast domain created by one or more switches. The switch creates a VLAN simply by putting some interfaces in one VLAN and some in another. Before VLANs existed, a design that specified two separate broadcast domains needed two switches, one for each broadcast domain.

VLANs are pretty simple in concept and in practice. The following list hits the high points:
A collision domain is a set of network interface cards (NICs) for which a frame sent by
one NIC could result in a collision with a frame sent by any other NIC in the same
collision domain.
A broadcast domain is a set of NICs for which a broadcast frame sent by one NIC is
received by all other NICs in the same broadcast domain.
A VLAN is essentially a broadcast domain.
VLANs are typically created by configuring a switch to place each port in a particular
VLAN.
Layer 2 switches forward frames between devices in the same VLAN; they cannot
forward frames between different VLANs.
A Layer 3 switch, multilayer switch, or router can be used to essentially route packets
between VLANs.
The set of devices in a VLAN typically also is in the same IP subnet; devices in different
VLANs are in different subnets.

Generally, the first consideration for setting up VLANs in your network is planning your
environment. Will the VLANs span multiple switches, or will you only be segmenting one
switch? If you only have one switch to segment, you can just configure the VLANs with no
other considerations. If you need to span multiple switches with VLAN information, you will
need to decide which switches need which VLANs. You will also need to configure trunking
and set up VLAN Trunking Protocol (VTP). Detailed explanations concerned with VTP are
discussed in section 5.2.

5.1.2. VLAN Memberships


The two common approaches to assigning VLAN membership are as follows:
Static VLANs
Dynamic VLANs

Static VLANs are also referred to as port-based VLANs. Static VLAN assignments are created by assigning ports to a VLAN. As a device enters the network, it automatically assumes the VLAN of the port. If the user changes ports and needs access to the same VLAN, the network administrator must manually make a port-to-VLAN assignment for the new connection. For example, say a 12-port FastEthernet switch is split into two VLANs: the first 6 ports are associated with VLAN1 and the last 6 ports with VLAN2. If a machine is moved from port 3 to port 11, it effectively changes VLANs.

Dynamic VLANs are assigned by MAC address. With a VLAN Management Policy Server (VMPS), an administrator can assign switch ports to VLANs dynamically based on information such as the source MAC address of the device connected to the port or the username used to log onto that device. The VMPS database maps MAC addresses to VLANs; as a device enters the network, the switch queries the VMPS for that device's VLAN membership. (FreeNAC is an open-source implementation of a VMPS server.) In the same scenario, the system administrator enters the MAC addresses of all machines that will connect to the switch into the VMPS database and associates each address with a VLAN. This way, if a machine is moved, it retains its original VLAN membership regardless of its port number. Note that the MAC address is the only credential in this scheme and is trivially changed on the host, so a MAC-based dynamic VLAN decides which broadcast domain a device lands in but must not be relied on as authentication.

5.1.3. VLAN Enabled Switches

Not all switches support VLANs. Most enterprise-class switches do, and Cisco Catalyst switches add proprietary protocols to manage them: VLAN Trunking Protocol (VTP) lets Cisco switches advertise VLAN definitions (VLAN numbers and names, not routes) to other VTP-enabled switches, so that a system administrator can manage all VLANs from a central point and have every switch in the domain update its VLAN information. 3Com SuperStack switches also have good VLAN support. Mixing VLAN equipment from several vendors has caused compatibility issues, which is why many organizations standardize on a single vendor's equipment and accept the extra cost; the IEEE 802.1Q tagging method described later in this section is the interoperable choice when mixing is unavoidable.

5.1.4. Why use VLANs?

VLANs offer a number of advantages over traditional LANs. They are:

(1) Performance

In networks where traffic consists of a high percentage of broadcasts and multicasts, VLANs can reduce the need to send such traffic to unnecessary destinations. For example, in a broadcast domain consisting of 10 users, if the broadcast traffic is intended only for 5 of the users, then placing those 5 users on a separate VLAN reduces traffic. Compared to switches, routers require more processing of incoming traffic; as the volume of traffic passing through the routers increases, so does the latency in the routers, which reduces performance. The use of VLANs reduces the number of routers needed, since VLANs create broadcast domains using switches instead of routers.

(2) Formation of Virtual Workgroups

With VLANs it is easier to place members of a workgroup together. Without VLANs, the only way to do this is to physically move all the members of the workgroup closer together. Consider the situation where one user of the workgroup is on the fourth floor of a building and the other workgroup members are on the second floor. Resources such as a printer would be located on the second floor, which is inconvenient for the lone fourth-floor user.

(3) Simplified Administration

Seventy percent of network costs are a result of adds, moves and changes of users in the network. Every time a user is moved in a LAN, re-cabling, new station addressing and reconfiguration of hubs and routers become necessary. Some of these tasks can be simplified with VLANs. If a user is moved within a VLAN, reconfiguration of routers is unnecessary. In addition, depending on the type of VLAN, other administrative work can be reduced or eliminated.

(4) Reduced Cost

VLANs reduce the time it takes to implement moves, additions and changes. Moreover, VLANs can be used to create broadcast domains with switches, which reduces the number of expensive routers needed.

(5) Security

Periodically, sensitive data may be broadcast on a network. In such cases, placing only the users who are allowed to see that data in a VLAN reduces the chance of an outsider receiving it. VLANs can also be used to control broadcast domains, to restrict access by putting a firewall or router access list at the one point where traffic crosses between VLANs, and to help the network manager detect an intrusion. Keep the limits in mind: a VLAN is a broadcast-domain boundary, not an access-control mechanism by itself. Two hosts in the same VLAN see each other's broadcasts and can talk to each other without any filtering, and the separation between VLANs holds only as long as the trunk ports, the port-to-VLAN assignments and the Layer 3 device joining the VLANs are configured correctly.

(6) Flexibility and Scalability

Consider the problems a purely physical LAN runs into:
What if no hub ports are available for a department LAN?
What if no physical space is available for new users?
A new user may then have to be physically located in another department and plugged into that department's hub, and must reach the Sales resources by traversing a router.
The old guideline is "don't span the WAN; keep resources local".
VLANs overcome these problems: the user's port is simply assigned to the department's VLAN, wherever that port happens to be.

5.1.5. Identifying VLANs


(1) VLANs defined by Port Group

Figure 13 - Example of Identifying VLANs by Ports

(2) VLAN Tagging or Frame Tagging

When you want traffic from multiple VLANs to traverse a link that interconnects two switches, that is, when VLANs span multiple switches, you need to configure a VLAN tagging method on the ports at both ends of the link.

A VLAN is a method of creating independent logical networks within a physical network. VLAN tagging is the practice of inserting a VLAN ID into a frame header in order to identify which VLAN the frame belongs to. More specifically, switches use the VLAN ID to determine which port(s) a broadcast frame may be forwarded to. (Inline appliances face the same requirement: vendor documentation for the Blue Coat ProxySG, for instance, describes VLAN tagging support so that the appliance can be deployed in line with switches carrying tagged traffic without losing the VLAN ID.)

Figure 14 shows tagged frames and untagged frames. Frames are handled according to the type of link they are traversing. Tagging is the means of keeping track of users and frames as they travel the switch fabric and the VLANs:
A VLAN ID, assigned by the administrator, is carried in each frame on a trunk.
The VLAN ID is compared with the switch's filtering (forwarding) table to decide where the frame may be forwarded.
The VLAN ID is removed before the frame exits an access link; it stays in the frame on trunk links (with one exception: frames of the 802.1Q native VLAN are sent untagged on the trunk).

Figure 14 - Distinguish between Tagged Frames and Untagged Frames

(3) VLANs and Network Switch Link Types

The link types are differentiated as shown in Figure 15.
Access link
Receives and transmits untagged frames
Default port configuration on switches
Usually used to connect end stations to the network
PCs do not need to change their frame format
Trunk link
Receives and transmits tagged frames
Must be configured explicitly on switches
Usually used in switch-to-switch connections and to servers/routers
Hybrid link
Accepts both tagged and untagged frames
Differentiates frames according to the type field (0x8100 or not)
Trunk links are usually also hybrid links
Used on ports to which both hosts and servers/routers/switches are connected


Figure 15 - Linked Types
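As an added example (not part of the textbook), the following Python code shows what the tag looks like on the wire and what the three link types above do with it: it parses the 0x8100 (and 0x88A8) type field, extracts the priority, DEI and VLAN ID, inserts a tag as a trunk port does on egress, strips it as an access port does, and classifies a frame arriving on a trunk into its VLAN or the native VLAN. The frames are constructed in the code with dummy locally-administered MAC addresses and arbitrary VLAN numbers; all function names are the example's own.

```python
"""Parse, add and strip IEEE 802.1Q tags on raw Ethernet frames.

Added example; not part of the textbook.  The frames are constructed below
with dummy locally administered MAC addresses and arbitrary VLAN numbers.
"""
import struct

TPID_8021Q = 0x8100   # the 0x8100 type field the text refers to
TPID_QINQ = 0x88A8    # service tag used on provider (Q-in-Q) trunks
TPIDS = (TPID_8021Q, TPID_QINQ)


def parse_frame(frame):
    """Return (dst, src, tags, ethertype, payload).

    tags lists (tpid, pcp, dei, vid) from outer to inner; an untagged frame,
    as seen on an access link, yields an empty list.
    """
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src, off, tags = frame[0:6], frame[6:12], 12, []
    while True:
        if len(frame) < off + 2:
            raise ValueError("truncated frame")
        (etype,) = struct.unpack_from("!H", frame, off)
        if etype not in TPIDS:                   # a real type field: no more tags
            return dst, src, tags, etype, frame[off + 2:]
        if len(frame) < off + 4:
            raise ValueError("truncated 802.1Q tag")
        (tci,) = struct.unpack_from("!H", frame, off + 2)
        tags.append((etype, tci >> 13, (tci >> 12) & 1, tci & 0x0FFF))
        off += 4


def push_tag(frame, vid, pcp=0, dei=0, tpid=TPID_8021Q):
    """Trunk-port egress: insert a 4-byte tag between the source MAC and the type field."""
    if not 1 <= vid <= 4094:                     # 0 and 4095 are reserved by 802.1Q
        raise ValueError("VID must be 1..4094")
    tci = (pcp << 13) | (dei << 12) | vid
    return frame[:12] + struct.pack("!HH", tpid, tci) + frame[12:]


def pop_tag(frame):
    """Access-port egress: strip the outermost tag, if there is one."""
    (etype,) = struct.unpack_from("!H", frame, 12)
    return frame[:12] + frame[16:] if etype in TPIDS else frame


def classify_ingress(frame, native_vid):
    """VLAN a trunk port assigns on ingress: the outer VID, or the native VLAN
    for an untagged frame (802.1Q carries the native VLAN untagged)."""
    tags = parse_frame(frame)[2]
    return tags[0][3] if tags else native_vid


def build_frame(dst, src, ethertype, payload):
    return dst + src + struct.pack("!H", ethertype) + payload


# Constructed sample: an IPv4 frame between two dummy hosts, the same frame as
# a trunk carries it in VLAN 10, and that frame with a second (outer) tag.
HOST_A = bytes.fromhex("020000000001")
HOST_B = bytes.fromhex("020000000002")
UNTAGGED = build_frame(HOST_B, HOST_A, 0x0800, bytes(46))
TAGGED_V10 = push_tag(UNTAGGED, vid=10, pcp=3)
DOUBLE = push_tag(TAGGED_V10, vid=1)

if __name__ == "__main__":
    for name, f in (("untagged", UNTAGGED), ("vlan 10", TAGGED_V10), ("double", DOUBLE)):
        print(name, parse_frame(f)[2], "ingress VLAN:", classify_ingress(f, 1))
    print("after native-VLAN strip:", parse_frame(pop_tag(DOUBLE))[2])
```

Note what pop_tag(DOUBLE) leaves behind: the inner VLAN 10 tag is intact. A switch that sends the native VLAN untagged strips only the outer tag, so the next switch on the path honours the inner one. That is the reason the native VLAN of a trunk should be an otherwise unused VLAN rather than one that carries hosts.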

(4) VLAN Identification Methods

VLAN identification is what switches use to keep track of all those frames as they traverse a switch fabric. There are several tagging (VLAN identification) methods, such as Inter-Switch Link (ISL) and IEEE 802.1Q.

Inter-Switch Link (ISL)

ISL is a Cisco-proprietary way of explicitly tagging VLAN information onto an Ethernet frame by encapsulating the whole frame. It was the usual choice between two older Cisco switches; most current Catalyst switches (including the Catalyst 2960 used in this course) support only 802.1Q, so 802.1Q is now the choice even in all-Cisco networks.

IEEE 802.1Q

802.1Q is the industry-standard trunking protocol. It is required when you interconnect switches of different types (for example, a Cisco switch and an Avaya switch) and is the default on current Cisco switches.

LAN Emulation (LANE)

Used for trunking VLANs over ATM links.

IEEE 802.10

An IEEE standard that Cisco used to transport VLAN information inside FDDI frames.

5.2. VLAN Trunking Protocol (VTP)

VLAN Trunking Protocol (VTP) ensures that all switches in a VTP domain know about all VLANs. That has a side effect, however: once every switch carries every VLAN, all unknown unicasts and broadcasts in a VLAN are flooded over every trunk to every switch in the domain, even to switches that have no ports in that VLAN. VTP pruning is the feature used to eliminate (prune) this unnecessary traffic.


By default, all Cisco Catalyst switches are configured as VTP servers. Cisco switches use the proprietary VTP to exchange VLAN configuration information between switches. VTP defines a Layer 2 messaging protocol that allows the switches to exchange VLAN configuration information so that the VLAN configuration stays consistent throughout a network. For instance, if you want to use VLAN 3 and name it accounting, you can configure that information on one switch, and VTP distributes it to the rest of the switches. VTP manages the additions, deletions and name changes of VLANs across multiple switches, minimizing misconfigurations and configuration inconsistencies that can cause problems such as duplicate VLAN names or incorrect VLAN-type settings.

VTP makes VLAN configuration easier. You have not yet seen how to configure VLANs, so to better appreciate VTP consider this example: if a network has ten interconnected switches and parts of VLAN 3 are on all ten, you would have to enter the same configuration command on all ten switches to create the VLAN. With VTP, you create VLAN 3 on one switch and the other nine learn about it dynamically. The VTP process begins with VLAN creation on a switch in VTP server mode. The change is carried in VTP advertisements, Layer 2 multicast frames sent over trunk links only (never over access ports). Both VTP clients and servers hear the advertisements and update their configuration based on them. So VTP allows switched network solutions to scale to large sizes by reducing the manual configuration needed in the network.

5.2.1. How VTP Works

VTP floods advertisements throughout the VTP domain every 5 minutes, or whenever there is a change in VLAN configuration. The VTP advertisement includes a configuration revision number, VLAN names and numbers, and information about which switches have ports assigned to each VLAN. By configuring the details on one (or more) VTP server and propagating the information through advertisements, all switches know the names and numbers of all VLANs. One of the most important components of the VTP advertisement is the configuration revision number. Each time a VTP server modifies its VLAN information, it increments the configuration revision number by 1 and sends out an advertisement carrying the new number. When a switch receives an advertisement for its own domain with a larger configuration revision number, it replaces its VLAN configuration with the advertised one. Figure 16 illustrates how VTP operates in a switched network.

The comparison is made on the revision number alone, which leads to a caveat every practitioner should know: a switch that was previously used in a domain with the same name and still holds a higher revision number will overwrite the VLAN database of every server and client in the domain the moment it is connected over a trunk, deleting VLANs and taking every port assigned to them out of service. Before connecting a reused switch, reset its revision number to 0 by changing its VTP domain name (or by setting it to transparent mode), and set a VTP password on the domain so that advertisements from switches without the password are rejected.


[Figure 16 - VTP Operation: (1) a new VLAN is added on the VTP server; (2) the server's
revision goes from Rev 3 to Rev 4; (3) the server sends a VTP advertisement to each VTP
client; (4) each client compares its Rev 3 with the advertised Rev 4; (5) the clients
synchronize the new VLAN information.]

Figure 16 - VTP Operation

5.2.2. VTP Modes


VTP operates in one of three modes: server mode, client mode, and transparent mode.

Server: In VTP server mode, you can create, modify, and delete VLANs and specify
other configuration parameters, such as the VTP version and VTP pruning, for the entire
VTP domain. VTP servers advertise their VLAN configuration to other switches in the same
VTP domain and synchronize their VLAN configuration with other switches based on
advertisements received over trunk links. Server is the default VTP mode.

Client: VTP clients behave the same way as VTP servers, but you cannot create,
change, or delete VLANs on a VTP client.

Transparent: VTP transparent switches do not participate in VTP. A VTP transparent
switch does not advertise its VLAN configuration and does not synchronize its VLAN
configuration based on received advertisements, but in VTP Version 2 a transparent switch
does forward the VTP advertisements it receives out of its trunk ports.
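The revision-number rule and the three modes described above, modelled as a small Python simulation. This is an added example, not the textbook's configuration; the switch names S1-S4 and the domain names DOMAIN1 and OTHER are made up for the demonstration.

```python
"""Toy model of VTP revision handling (added example, not textbook code).

Switches hold a VLAN table, a configuration revision and a VTP mode. An
advertisement carries the sender's domain, revision and VLAN table, and a
receiving server or client accepts it only when the revision is higher than
its own, as the text above describes; a transparent switch only forwards."""
from dataclasses import dataclass, field


@dataclass
class Advertisement:
    domain: str
    revision: int
    vlans: dict            # vlan id -> name


@dataclass
class Switch:
    name: str
    mode: str              # "server", "client" or "transparent"
    domain: str
    revision: int = 0
    vlans: dict = field(default_factory=lambda: {1: "default"})
    trunks: list = field(default_factory=list)   # directly trunked peers

    def add_vlan(self, vid, name):
        """Local VLAN change. Only a server (advertised) or a transparent
        switch (kept local) may do this; clients are read-only."""
        if self.mode == "client":
            raise PermissionError(f"{self.name}: clients cannot create VLANs")
        self.vlans[vid] = name
        if self.mode == "server":
            self.revision += 1
            self.flood(Advertisement(self.domain, self.revision,
                                     dict(self.vlans)))

    def flood(self, adv, exclude=None):
        for peer in self.trunks:
            if peer is not exclude:
                peer.receive(adv, via=self)

    def receive(self, adv, via):
        if adv.domain != self.domain:
            return                        # other domain: ignore
        if self.mode == "transparent":
            self.flood(adv, exclude=via)  # VTP v2: relay, never synchronize
            return
        if adv.revision > self.revision:
            # Higher revision wins: replace the whole table and relay it.
            self.vlans = dict(adv.vlans)
            self.revision = adv.revision
            self.flood(adv, exclude=via)
        # Equal or lower revision: nothing changes.


def link(a, b):
    a.trunks.append(b)
    b.trunks.append(a)


def demo():
    """S1 (server) - S2 (transparent) - S3 (client) - S4 (client, other domain)."""
    s1 = Switch("S1", "server", "DOMAIN1")
    s2 = Switch("S2", "transparent", "DOMAIN1")
    s3 = Switch("S3", "client", "DOMAIN1")
    s4 = Switch("S4", "client", "OTHER")
    link(s1, s2)
    link(s2, s3)
    link(s3, s4)
    s1.add_vlan(2, "Sales")        # revision 0 -> 1, advertised
    s1.add_vlan(3, "Marketing")    # revision 1 -> 2, advertised
    return s1, s2, s3, s4
```

Running demo() shows the client S3 ending with revision 2 and all three VLANs, the transparent S2 still holding only VLAN 1, and S4 untouched because its domain differs.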

5.2.3. VTP Pruning

VTP pruning is a feature that you use to eliminate, or prune, unnecessary flooded traffic.
It prevents broadcasts and unknown unicasts from flowing to switches that do not have any
ports in that VLAN: a pruning-enabled switch sends such frames only over the trunk links
that actually need them.

We can check the VTP status with the show vtp status command.

s1#show vtp status
VTP Version : 2
Configuration Revision : 1
Maximum VLANs supported locally : 1005
Number of existing VLANs : 8
VTP Operating Mode : Server
VTP Domain Name : DOMAIN1
VTP Pruning Mode : Disabled
VTP V2 Mode : Disabled
VTP Traps Generation : Disabled
MD5 digest : 0x7F 0x37 0x5A 0xA6 0x0A 0xAA 0xA9 0x19
Configuration last modified by 0.0.0.0 at 3-1-93 00:08:24
Local updater ID is 172.16.0.2 on interface Vl1 (lowest numbered VLAN interface found)

Use the following command to enable VTP pruning:

s1(config)#vtp pruning
Pruning switched on
s1(config)#do show vtp status
VTP Version : 2
Configuration Revision : 2
Maximum VLANs supported locally : 1005
Number of existing VLANs : 8
VTP Operating Mode : Server
VTP Domain Name : DOMAIN1
VTP Pruning Mode : Enabled
VTP V2 Mode : Disabled
VTP Traps Generation : Disabled
MD5 digest : 0x09 0x93 0x62 0xEA 0x38 0x07 0x14 0xE1
Configuration last modified by 172.16.0.2 at 3-1-93 01:43:51
Local updater ID is 172.16.0.2 on interface Vl1 (lowest numbered VLAN interface found)


5.3. Configuring VLANs

5.3.1. Inter-VLAN Routing : Router-on-a-Stick

Inter-VLAN communication occurs between broadcast domains via a Layer 3 device. In a
VLAN environment, frames are switched only between ports within the same broadcast
domain. VLANs perform network partitioning and traffic separation at Layer 2. Inter-VLAN
communication cannot occur without a Layer 3 device, such as a router. Use IEEE 802.1Q
to enable trunking on a router subinterface. Figure 19 illustrates a router attached to a core
switch. The configuration between a router and a core switch is sometimes referred to as a
router on a stick.

Figure 17 Router on a Stick

(1) Configuring VLAN on Router

The following router configuration defines the VLANs on router sub-interfaces.


Router0#sh run
hostname Router0
!
interface FastEthernet0/0
 no ip address
!
interface FastEthernet0/0.1
 description native vlan1
 encapsulation dot1Q 1 native
 ip address 192.168.1.1 255.255.255.0
!
interface FastEthernet0/0.2
 description vlan2
 encapsulation dot1Q 2
 ip address 192.168.2.1 255.255.255.0
!
interface FastEthernet0/0.3
 description vlan3
 encapsulation dot1Q 3
 ip address 192.168.3.1 255.255.255.0

(2) Configuring VLAN on Switch


The following switch commands configure static VLANs. By default, all switch ports are
assigned to VLAN 1 and are set to the VLAN type Ethernet. First, the VLAN must be created
on the switch, if it does not already exist. Then, the VLAN must be assigned to specific
switch ports. VLANs are always referenced by a VLAN number, which can range from 1 to
1005. VLANs 1 and 1002 through 1005 are created automatically and are set aside for
special uses. For example, VLAN 1 is the default VLAN for every switch port. VLANs 1002
to 1005 are reserved for legacy functions related to Token Ring and FDDI switching.

To configure VLANs on a Cisco Catalyst switch, use the global configuration vlan command.
See the following example:

Switch# config t
Switch(config)# vlan ?
  WORD      ISL VLAN IDs 1-4094
  internal  internal VLAN
Switch(config)# vlan 2
Switch(config-vlan)# name Software_Development_Department
Switch(config-vlan)# vlan 3
Switch(config-vlan)# name Network_Technology_Department

Verify the VLAN information by using this command:

Switch# sh vlan


1. To configure VLANs on the 2960 series switch, enter VLAN database mode:

2960A#vlan database
2960A(vlan)#

2. To configure VLANs on the 2960 switch, use the vlan # name command.

Switch0(vlan)#vlan 2 name Sales
VLAN 2 added:
    Name: Sales
Switch0(vlan)#vlan 3 name Marketing
VLAN 3 added:
    Name: Marketing
Switch0(vlan)#exit
APPLY completed.
Exiting.
Switch0#exit

3. To assign switch ports to VLANs

Each port on a switch can be configured in a specific VLAN (as an access port) by using the
switchport interface command.

Switch# conf t
Switch(config)# int f0/10
Switch(config-if)# switchport ?
...
Switch(config-if)# switchport mode ?
...
Switch(config-if)# switchport mode access
Switch(config-if)# switchport access vlan 2

You can also configure multiple ports at the same time with the interface range command.
For example, ports 6 to 12 can be made access ports in VLAN 3:

Switch# conf t
Switch(config)# int range f0/6 - 12
Switch(config-if-range)# switchport mode access
Switch(config-if-range)# switchport access vlan 3


4. To configure a trunk port

To configure trunking on a FastEthernet port, use the switchport mode trunk interface
command. The procedure is slightly different on the Cisco 3560 switch. On a Cisco 2960:

Switch# conf t
Switch(config)# int f0/1
Switch(config-if)# switchport mode trunk

To configure the trunk port on a Cisco 3560 multilayer switch, the trunk encapsulation must
be specified before the port can be set to trunk mode:

Switch# conf t
Switch(config)# int f0/1
Switch(config-if)# switchport trunk encapsulation ?
...
Switch(config-if)# switchport trunk encapsulation dot1q
Switch(config-if)# switchport mode trunk

Switch0 configuration

hostname Switch0
!
interface FastEthernet0/1
 description Trunk Link to Router0
 switchport mode trunk
!
interface FastEthernet0/10
 switchport access vlan 2
 switchport mode access
!
interface FastEthernet0/20
 switchport access vlan 3
 switchport mode access
!
interface Vlan1
 ip address 192.168.1.10 255.255.255.0
!
ip default-gateway 192.168.1.1


5.3.2. VLAN with VTP Domain

Figure 18 VTP Domain on Router

(1) Router

Router0#sh run
hostname Router0
!
interface FastEthernet0/0
 no ip address
!
interface FastEthernet0/0.1
 encapsulation dot1Q 1 native
 ip address 172.16.1.1 255.255.255.0
!
interface FastEthernet0/0.2
 encapsulation dot1Q 2
 ip address 172.16.2.1 255.255.255.0
!
interface FastEthernet0/0.3
 encapsulation dot1Q 3
 ip address 172.16.3.1 255.255.255.0


(2) Switch
Connect to the Switch0 switch and set the hostname, interface descriptions, IP address,
subnet mask, and default-gateway information. The IP address of the switch will be
172.16.1.10/24, with a default gateway of 172.16.1.1.

Switch>en
Switch#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)#hostname Switch0
Switch0(config)#enable password test
Switch0(config)#enable secret secret
Switch0(config)#line console 0
Switch0(config-line)#password test
Switch0(config-line)#login
Switch0(config-line)#line vty 0 15
Switch0(config-line)#password test
Switch0(config-line)#login
Switch0(config-line)#exit
Switch0(config)#ip default-gateway 172.16.1.1
Switch0(config)#interface VLAN 1
Switch0(config-if)#ip address 172.16.1.10 255.255.255.0
Switch0(config-if)#no shutdown
Switch0(config-if)#interface GigabitEthernet 1/1
Switch0(config-if)#description Trunk Link to Router0
Switch0(config-if)#switchport mode trunk
Switch0(config-if)#interface GigabitEthernet 1/2
Switch0(config-if)#description Trunk Link to Switch1
Switch0(config-if)#switchport mode trunk
Switch0(config-if)#exit
Switch0(config)#exit
Switch0#ping 172.16.1.1

(3) VTP Configuration

Create a VTP domain named testdomain and leave Switch0 as a VTP server:

Switch0(config)#vtp domain testdomain
Switch0(config)#vtp mode server

Connect to the Switch1 switch and set the hostname, interface descriptions, IP address,
subnet mask, and default-gateway information. The IP address of the switch will be
172.16.1.11/24, with a default gateway of 172.16.1.1.

Switch>en
Switch#conf t
Switch(config)#hostname Switch1
Switch1(config)#enable password test
Switch1(config)#enable secret secret
Switch1(config)#line console 0
Switch1(config-line)#password test
Switch1(config-line)#login
Switch1(config-line)#line vty 0 15
Switch1(config-line)#password test
Switch1(config-line)#login
Switch1(config-line)#exit
Switch1(config)#ip default-gateway 172.16.1.1
Switch1(config)#interface vlan 1
Switch1(config-if)#ip address 172.16.1.11 255.255.255.0
Switch1(config-if)#no shutdown
Switch1(config-if)#interface GigabitEthernet 1/1
Switch1(config-if)#description Trunk Link to Switch0
Switch1(config-if)#switchport mode trunk
Switch1(config-if)#exit
Switch1(config)#exit
Switch1#ping 172.16.1.1

Configure Switch1 to be a member of the VTP domain testdomain, and configure
Switch1 as a VTP client:

Switch1(config)#vtp domain testdomain
Switch1(config)#vtp mode client

Create two VLANs on Switch0 called Sales and Marketing.

Switch0#vlan database
Switch0(vlan)#vlan 2 name Sales
VLAN 2 modified:
    Name: Sales
Switch0(vlan)#vlan 3 name Marketing
VLAN 3 modified:
    Name: Marketing
Switch0(vlan)#exit
APPLY completed.
Exiting.

Note that we created the two VLANs using 2 and 3. VLAN 1 is configured by default on all
switches and cannot be changed or deleted.

Go to Switch1 and type show vlan to verify that the VLAN information was shared by
VTP.

Switch1#show vlan

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/1, Fa0/2, Fa0/3, Fa0/4
                                                Fa0/5, Fa0/6, Fa0/7, Fa0/8
                                                Fa0/9, Fa0/10, Fa0/11, Fa0/12
2    Sales                            active
3    Marketing                        active

You should see three VLANs, 1-3, that were shared via VTP from the 2960A switch.

PC0 and PC2 will be in VLAN 2, Sales, which has a subnet address of 172.16.2.0/24. PC0
will be 172.16.2.10 and PC2 will be 172.16.2.11. The default gateway will be 172.16.2.1,
which is configured on Router0.

Connect to Switch0 and make port f0/10 a member of VLAN 2.

Switch0(config)#interface fastethernet 0/10
Switch0(config-if)#switchport access vlan 2
Switch0(config-if)#switchport mode access

Connect to Switch1 and make port f0/10 a member of VLAN 2.

Switch1(config)#interface fastethernet 0/10
Switch1(config-if)#switchport access vlan 2
Switch1(config-if)#switchport mode access


You can configure PortFast on the access port. This enables a switch port to come up
quickly instead of waiting the typical 50 seconds for spanning tree to go through its cycle.
However, if you turn PortFast on, you must be sure not to create a physical loop in the
switched network, or it will bring your network down: you are telling the switch not to check
for loops on these ports.

Switch1(config-if)#spanning-tree portfast

Configure PC0 with an IP address of 172.16.2.10/24, with a default gateway of 172.16.2.1.

Configure PC2 with an IP address of 172.16.2.11/24, with a default gateway of 172.16.2.1.
Verify that you have set up the VLANs correctly by pinging from PC0 to PC2.

>ping 172.16.2.11

Once you can ping, you know you have configured at least one VLAN correctly.

Configure PC1 and PC3 to be in VLAN 3. From Switch0, configure port F0/20 to be a
member of VLAN 3.

Switch0#config t
Switch0(config)#interface fastethernet 0/20
Switch0(config-if)#switchport access vlan 3
Switch0(config-if)#switchport mode access

Connect to Switch1 and make port F0/20 a member of VLAN 3.

Switch1#config t
Switch1(config)#interface fastethernet 0/20
Switch1(config-if)#switchport access vlan 3
Switch1(config-if)#switchport mode access

Configure PC1 with an IP address of 172.16.3.10/24, with a default gateway of 172.16.3.1.

Configure PC3 with an IP address of 172.16.3.11/24, with a default gateway of 172.16.3.1.
Verify that you can ping PC1 from PC3.

>ping 172.16.3.11


6. Network Security <Day 8-9>

6.1. Securing Switch Access


Traditionally, users have been able to connect a PC to a switched network and gain
immediate access to enterprise resources. As networks grow and as more confidential data
and restricted resources become available, it is important to limit the access that users
receive.

Catalyst switches have a variety of methods that can secure or control user access. Users
can be authenticated as they connect to or through a switch, and can be authorized to
perform certain actions on a switch. User access can be recorded as switch accounting
information. Physical switch port access can also be controlled based on the user's
MAC address or authentication.

In addition, Catalyst switches can detect and prevent certain types of attacks. Several
features can be used to validate information passing through a switch so that spoofed
addresses can't be used to compromise hosts.

6.1.1 Port Security


In some environments, a network must be secured by controlling which stations can gain
access to the network itself. The engineer can use port security to restrict an interface so
that only the expected devices can use it. This reduces exposure to attacks in which
someone connects an unauthorized laptop to a wall socket that is wired to a switch port, since
that port has been configured to use port security.

Where user workstations are stationary, their MAC addresses always can be expected to
connect to the same access-layer switch ports. If stations are mobile, their MAC addresses
can be learned dynamically or added to a list of addresses to expect on a switch port.

Port security has the following properties and restrictions:
Port security supports trunks.
Port security supports IEEE 802.1Q tunnel ports.
Port security does not support Switch Port Analyzer (SPAN) destination ports.
Port security does not support EtherChannel port-channel interfaces.
Port security and 802.1X port-based authentication cannot both be configured on the
same port.

Catalyst switches offer the port security feature to control port access based on MAC
addresses. To configure port security on an access-layer switch port, begin by enabling it
with the following interface-configuration command:

Switch(config)# interface fa0/5
Switch(config-if)# switchport port-security

Next, you must identify a set of allowed MAC addresses so that the port can grant them
access. You can explicitly configure addresses, or they can be learned dynamically from port
traffic. By default, port security allows only one MAC address on an interface. The maximum
number of allowed MAC addresses can be adjusted, up to 1024:

Switch(config-if)# switchport port-security maximum 2

To statically specify the allowed MAC address(es) on a port:

Switch(config-if)# switchport port-security mac-address 0006.1111.5b02
Switch(config-if)# switchport port-security mac-address 0001.332C.5555

Only hosts configured with the above two MAC addresses will be able to send traffic through
this port. If the number of static addresses configured is less than the maximum number of
addresses secured on a port, the remaining addresses are learned dynamically.

MAC addresses that are dynamically learned with port security are referred to as sticky
addresses:

Switch(config-if)# switchport port-security mac-address sticky

Dynamically learned addresses can be aged out after a period of inactivity (measured in
minutes). By default, no aging occurs.

Switch(config-if)# switchport port-security aging time 10

Port security can instruct the switch on how to react if an unauthorized MAC address
attempts to forward traffic through an interface (this is considered a violation). There are
three violation actions a switch can take:

shutdown: Puts the interface into the error-disabled state immediately and sends an
SNMP trap notification.
restrict: Drops packets with unknown source addresses until you remove a sufficient
number of secure MAC addresses to drop below the maximum value, and causes the
SecurityViolation counter to increment.
protect: Drops packets with unknown source addresses until you remove a sufficient
number of secure MAC addresses to drop below the maximum value.

Switch(config-if)# switchport port-security violation {shutdown | restrict | protect}
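The secure address table, the maximum, sticky learning and the three violation actions just listed, modelled in Python. This is an added example, not textbook code; the port names and the MAC addresses used in the demonstration are constructed.

```python
"""Toy model of Catalyst port security on one access port (added example,
not the textbook's own code).

A port has a maximum address count (default 1, adjustable up to 1024),
optional static addresses, sticky learning for the remaining slots and one
of the violation actions described above. frame() returns what the switch
would do with a frame from a given source MAC."""


class PortSecurity:
    def __init__(self, name, maximum=1, static=(), sticky=False,
                 violation="shutdown"):
        assert violation in ("shutdown", "restrict", "protect")
        assert 1 <= maximum <= 1024
        assert len(static) <= maximum, "more static addresses than maximum"
        self.name = name
        self.maximum = maximum
        self.violation = violation
        self.sticky = sticky
        self.secure = {m.lower(): "static" for m in static}  # mac -> kind
        self.violations = 0              # SecurityViolation counter
        self.status = "secure-up"        # or "secure-shutdown" (err-disabled)
        self.log = []                    # constructed syslog-style messages

    def frame(self, src_mac):
        """Return 'forward' or 'drop' for a frame from src_mac."""
        src = src_mac.lower()
        if self.status == "secure-shutdown":
            return "drop"                # an err-disabled port passes nothing
        if src in self.secure:
            return "forward"
        if len(self.secure) < self.maximum:
            # Unknown address, but a slot is free: learn it dynamically.
            self.secure[src] = "sticky" if self.sticky else "dynamic"
            return "forward"
        # Table is full and src is not a secure address: a violation.
        if self.violation == "shutdown":
            self.status = "secure-shutdown"
            self.violations += 1
            self.log.append(f"{self.name}: err-disabled, SNMP trap, src {src}")
        elif self.violation == "restrict":
            self.violations += 1
            self.log.append(f"{self.name}: violation by {src}")
        # "protect": drop silently, no counter, no notification
        return "drop"

    def show(self):
        """Fields in the style of 'show port-security interface'."""
        kinds = list(self.secure.values())
        return {
            "Port Status": self.status,
            "Violation Mode": self.violation,
            "Maximum MAC Addresses": self.maximum,
            "Total MAC Addresses": len(self.secure),
            "Configured MAC Addresses": kinds.count("static"),
            "Sticky MAC Addresses": kinds.count("sticky"),
            "Security Violation Count": self.violations,
        }
```
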

As an example of the protect mode, a switch interface has received the following
configuration commands:

Switch(config)#int f 0/1
Switch(config-if)#switchport mode access
Switch(config-if)#switchport port-security
Switch(config-if)#switchport port-security violation protect

[Figure 19 - Port Security Configuration Example: Server 1 (0200.1111.1111) is attached to
Fa0/1, Server 2 (0200.2222.2222) to Fa0/2, and User1 to Fa0/3.]

Figure 19 - Port Security Configuration Example


Show the status:

Switch# show running-config
!
interface FastEthernet0/1
 switchport mode access
 switchport port-security
 switchport port-security mac-address 0200.1111.1111
!
interface FastEthernet0/2
 switchport mode access
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address sticky

To show the port status, use the show port-security interface command:

Switch#show port-security interface fa0/2
Port Security : Enabled
Port Status : Secure-up
Violation Mode : Shutdown
Aging Time : 0 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 1
Total MAC Addresses : 1
Configured MAC Addresses : 0
Sticky MAC Addresses : 1
Last Source Address : 0200.2222.2222
Security Violation Count : 0

To display a summary of the port-security status, use the show port-security command:

Switch#sh port-security
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                (Count)       (Count)        (Count)
---------------------------------------------------------------------------
      Fa0/1             1            1                  1          Up
      Fa0/2             1            1                  1          Up

To display the port security status:

Switch#show port-security interface fa0/2
Port Security : Enabled
Port Status : Secure-shutdown
Violation Mode : Shutdown
Aging Time : 0 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 1
Total MAC Addresses : 1
Configured MAC Addresses : 0
Sticky MAC Addresses : 1
Last Source Address : 0200.1111.1111
Security Violation Count : 0

6.1.2 DHCP Snooping

When DHCP servers are allocating IP addresses to the clients on the LAN, DHCP snooping
can be configured on LAN switches to harden the security of the LAN, so that only clients
with specific IP/MAC addresses have access to the network.

DHCP snooping is a series of Layer 2 techniques. It works with information from a DHCP
server to:
track the physical location of hosts;
ensure that hosts only use the IP addresses assigned to them;
ensure that only authorized DHCP servers are accessible.

So DHCP snooping ensures IP integrity on a Layer 2 switched domain. With DHCP
snooping, only a whitelist of IP addresses may access the network. The whitelist is
configured at the switch port level, and the DHCP server manages the access control. Only
specific IP addresses with specific MAC addresses on specific ports may access the IP
network. DHCP snooping also stops attackers from adding their own DHCP servers to the
network.

Enabling DHCP snooping globally makes every port untrusted, so that no port may carry
DHCP server replies:

Switch(config)# ip dhcp snooping

Specify the VLANs on which to enable DHCP snooping (here VLANs 1 through 100):

Switch(config)#ip dhcp snooping vlan 1 100

Mark the interfaces that lead to the legitimate DHCP server as trusted, so that server replies
are allowed on them:

Switch(config)#int range g 0/1 - 2
Switch(config-if-range)#ip dhcp snooping trust

Show the status:

Switch#show ip dhcp snooping
Switch DHCP snooping is enabled
DHCP snooping is configured on following VLANs:
none
Insertion of option 82 is enabled
   circuit-id format: vlan-mod-port
    remote-id format: MAC
Option 82 on untrusted port is not allowed
Verification of hwaddr field is enabled
Interface                  Trusted     Rate limit (pps)
------------------------   -------     ----------------
GigabitEthernet0/1         yes         unlimited
GigabitEthernet0/2         yes         unlimited
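The trusted/untrusted port logic, the hwaddr verification shown in the status output, and the resulting binding table, modelled in Python. This is an added example, not the textbook's configuration; the port names, MAC addresses and lease address in the demonstration are constructed.

```python
"""Toy model of DHCP snooping (added example, not the textbook's code).

Once snooping is enabled for a VLAN every port is untrusted until `trust`
is applied, as the configuration above does for Gi0/1-2. On an untrusted
port the switch drops server-side messages (OFFER/ACK/NAK) and frames
whose source MAC does not match the DHCP chaddr ("hwaddr verification" in
the show output). Leases completed through a trusted port fill the binding
table of (VLAN, MAC) -> (IP, client port)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Dhcp:
    kind: str          # DISCOVER, OFFER, REQUEST, ACK, NAK
    chaddr: str        # client hardware address carried in the message
    yiaddr: str = ""   # address offered or assigned (server messages only)


SERVER_MSGS = {"OFFER", "ACK", "NAK"}


class Snooper:
    def __init__(self, vlans):
        self.vlans = set(vlans)         # VLANs with snooping enabled
        self.trusted = set()            # ports with 'ip dhcp snooping trust'
        self.client_port = {}           # (vlan, mac) -> port the client used
        self.bindings = {}              # (vlan, mac) -> (ip, port)
        self.dropped = []               # (vlan, port, reason, message)

    def trust(self, port):
        """Equivalent of 'ip dhcp snooping trust' on an interface."""
        self.trusted.add(port)

    def handle(self, vlan, port, src_mac, msg):
        """Return 'forward' or 'drop' for a DHCP message seen on a port."""
        if vlan not in self.vlans:
            return "forward"            # snooping not enabled on this VLAN
        mac = msg.chaddr.lower()
        if port not in self.trusted:
            if msg.kind in SERVER_MSGS:
                # Only trusted ports may carry DHCP server replies.
                self.dropped.append((vlan, port, "server message on untrusted port", msg))
                return "drop"
            if src_mac.lower() != mac:
                # hwaddr verification: chaddr must equal the frame's source MAC.
                self.dropped.append((vlan, port, "chaddr/src MAC mismatch", msg))
                return "drop"
            self.client_port[(vlan, mac)] = port   # remember where the client is
            return "forward"
        if msg.kind == "ACK":
            # Lease granted by the legitimate server: record the binding.
            self.bindings[(vlan, mac)] = (msg.yiaddr, self.client_port.get((vlan, mac)))
        return "forward"
```
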

6.2 DHCP

6.2.1 DHCP Server


To configure a router as a DHCP server that allocates dynamic IP addresses to client
workstations, use the following set of configuration commands:

Router1#conf t
Router1(config)#ip dhcp excluded-address 192.168.1.1 192.168.1.99
Router1(config)#ip dhcp excluded-address 192.168.1.201 192.168.1.254
Router1(config)#ip dhcp pool LAN-POOL-1
Router1(dhcp-config)#network 192.168.1.0 255.255.255.0
Router1(dhcp-config)#default-router 192.168.1.1
Router1(dhcp-config)#domain-name domain1.site
Router1(dhcp-config)#dns-server 172.25.1.1 172.25.1.3
Router1(dhcp-config)#netbios-name-server 192.168.1.2
Router1(dhcp-config)#netbios-node-type h-node
Router1(dhcp-config)#lease 2 12 30
Router1(dhcp-config)#exit

The lease command takes up to three arguments, lease days hours minutes, with hours and
minutes being optional.

When DHCP is enabled, the router allocates IP addresses from the configured pool and binds
them to device MAC addresses. You can see the address bindings with:

Router1#show ip dhcp binding

6.2.2 DHCP Relay Agent


Normally, a DHCP server can provide IP addresses only when it receives a DHCP request
broadcast, and a broadcast is normally limited to the same network. However, deploying a
DHCP server in each subnet is not cost efficient. With the DHCP Relay Agent configuration,
the DHCP Request broadcast is forwarded to the DHCP server, which can then reply with a
valid IP address to a client on a different network.

[Figure 20 - DHCP Relay Agent: the DHCP server is in VLAN1 (192.168.0.0/24); DHCP clients
in VLAN2 (192.168.1.0/24) and VLAN3 (192.168.2.0/24) broadcast DHCP Requests, which the
relay agent forwards to the DHCP server, and the server's IP replies are relayed back to the
clients.]

Figure 20 - DHCP Relay Agent

The sub-interfaces f0/0.2 and f0/0.3 are configured as a DHCP Relay Agent, and the DHCP
Discover request is forwarded to the DHCP server at 192.168.0.3.

interface FastEthernet0/0.1
 encapsulation dot1Q 1 native
 ip address 192.168.0.1 255.255.255.0
!
interface FastEthernet0/0.2
 encapsulation dot1Q 2
 ip address 192.168.10.1 255.255.255.0
 ip helper-address 192.168.0.3
!
interface FastEthernet0/0.3
 encapsulation dot1Q 3
 ip address 192.168.20.1 255.255.255.0
 ip helper-address 192.168.0.3
!

In the case of a Linux DHCP server, /etc/dhcpd.conf would include the following subnet
lease ranges:

subnet 192.168.0.0 netmask 255.255.255.0 {
    range 192.168.0.100 192.168.0.250;
}
subnet 192.168.10.0 netmask 255.255.255.0 {
    range 192.168.10.100 192.168.10.250;
    option routers 192.168.10.1;
}
subnet 192.168.20.0 netmask 255.255.255.0 {
    range 192.168.20.100 192.168.20.250;
    option routers 192.168.20.1;
}

The same concept can be used at any DHCP server product (i.e. Cisco Router and MS
Windows Server).

6.3 Access Control List (ACL)


Access Control List (ACL) gives network managers a huge amount of control over traffic
flow throughout the network.

With access lists, managers can gather basic statistics on packet flow, and security policies
can be implemented. Sensitive devices can also be protected from unauthorized access.

Access lists can be used to permit or deny packets moving through the router, permit or
deny Telnet (VTY) access to or from a router.

There are two types of access lists:

Standard access lists: These use only the source IP address in an IP packet to filter the
network. This basically permits or denies an entire suite of protocols.
Extended access lists: These check the source and destination IP addresses, the protocol
field in the Network layer header, and the port number in the Transport layer header.

Once you create an access list, you apply it to an interface as either an inbound or an
outbound list:
Inbound access list: Packets are processed through the access list before being routed
to the outbound interface.
Outbound access list: Packets are routed to the outbound interface and then processed
through the access list.

6.3.1 IP Standard Access-Lists


This example will have you block access to network 172.16.40.0 from host 172.16.50.3.

Connect to Router0 and create an access-list:

Router0#conf t
Router0(config)#access-list 10 deny host 172.16.50.3
Router0(config)#access-list 10 permit any

Apply access-list 10 to the serial 0/1 interface of Router0 so that it filters incoming packets:

Router0(config)#interface serial 1/0
Router0(config-if)#ip access-group 10 in

This applies access-list 10 to the serial 0/1 interface of Router0 and filters any incoming
packets.

Type show running-config to see both the access-list and to verify the interface where the
access-list is applied:

Router0#show running-config

Then test it. PC0 and Router0 can't ping PC1. PC1 also can't ping PC0 or Router0. PC1
can ping Router1.

Table 12 Access List Number Range

Access List Number Range   Description
1-99                       IP standard access list
100-199                    IP extended access list
200-299                    Protocol type-code access list
600-699                    AppleTalk access list
700-799                    48-bit MAC address access list
800-899                    IPX standard access list
900-999                    IPX extended access list
1000-1099                  IPX SAP access list
1100-1199                  Extended 48-bit MAC address access list
1200-1299                  IPX summary address access list
1300-1999                  IP standard access list (expanded range)

6.3.2 Applying an Access-List to a VTY Line


You can use a standard IP access list to control access by placing the access list on the
VTY lines.

Router0(config)#access-list 20 deny host 172.16.50.3
Router0(config)#access-list 20 permit any

Apply the access-list directly to the VTY lines and not to an interface.

Router0(config)#line vty 0 4
Router0(config-line)#access-class 20 in

6.3.3 IP Extended Access-Lists


This will create a new, more precise access-list on Router0.

First remove the standard access-lists from Router0:

Router0#conf t
Router0(config)#no access-list 10
Router0(config)#no access-list 20
Router0(config)#interface serial 0/1
Router0(config-if)#no ip access-group 10 in
Router0(config-if)#line vty 0 4
Router0(config-line)#no access-class 20 in

Remove the access-list from the serial 0/1 interface:

Router0(config)#interface serial 1/0
Router0(config-if)#no ip access-group 10 in

Create an access-list on Router0 to block Telnet access into the 172.16.40.0 network, but
still allow pings:

Router0(config)#access-list 110 deny tcp host 172.16.50.3 172.16.40.0 0.0.0.255 eq telnet
Router0(config)#access-list 110 permit ip any any

Apply this access-list to the serial interface 0/1 of Router0 to filter the packets coming into
the router:

Router0(config)#interface serial 1/0
Router0(config-if)#ip access-group 110 in

Verify the configuration with show running-config.

Router0#show running-config

This is a sample ACL configuration:


!
interface FastEthernet0/0
 ip address 202.0.0.14 255.255.255.240
 ip access-group 100 in
 ip access-group 101 out
 no ip redirects
 no ip proxy-arp
 ip accounting access-violations
 no cdp enable

access-list 100 permit icmp any 202.0.0.0 0.0.0.15
access-list 100 permit tcp any 202.0.0.0 0.0.0.15 established
access-list 100 permit tcp any 202.0.0.0 0.0.0.15 gt 1023
access-list 100 permit udp any 202.0.0.0 0.0.0.15 gt 1023
access-list 100 permit tcp any 202.0.0.1 0.0.0.0 eq domain
access-list 100 permit udp any 202.0.0.1 0.0.0.0 eq domain
access-list 100 permit tcp any 202.0.0.2 0.0.0.0 eq domain
access-list 100 permit udp any 202.0.0.2 0.0.0.0 eq domain
access-list 100 permit tcp any 202.0.0.1 0.0.0.0 eq smtp
access-list 100 permit tcp any 202.0.0.1 0.0.0.0 eq pop3
access-list 100 permit tcp any 202.0.0.2 0.0.0.0 eq www
access-list 100 deny tcp any 202.0.0.0 0.0.0.15 eq 2049 log
access-list 100 deny udp any 202.0.0.0 0.0.0.15 eq 2049 log
access-list 100 deny tcp any 202.0.0.0 0.0.0.15 eq 6000 log
access-list 100 deny ip any any log
access-list 101 permit ip 202.0.0.0 0.0.0.15 any
access-list 101 deny ip any any log

no cdp run
snmp-server community public RO

line vty 0 4
 access-class 101 in
 exec-timeout 0 0
 password 7 12345678901234567890
 transport input telnet
 transport output none

6.3.4 Standard ACL


This is an example of a standard ACL.

[Network diagram: R0 F0/1 (.1) -- 192.168.1.0/24 -- F0/0 (.10) R1; R0 F0/0 (.1) -- 192.168.0.0/24 -- switch S0 -- PC1 (.10), PC2 (.11)]

Configuration of a standard ACL on R0:

R0 denies PC1 access to R1.
R0 permits any host access to R1.

This is a sample configuration on R0:

hostname r0

interface FastEthernet0/0
 ip address 192.168.0.1 255.255.255.0

interface FastEthernet0/1
 ip address 192.168.1.1 255.255.255.0
 ip access-group 1 out

access-list 1 deny 192.168.0.10
access-list 1 permit any

R1

hostname r1

interface FastEthernet0/0
 ip address 192.168.1.10 255.255.255.0

ip route 0.0.0.0 0.0.0.0 192.168.1.1

PC1

hostname pc1

interface FastEthernet0/0
 ip address 192.168.0.10 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 192.168.0.1

PC2

hostname pc2

interface FastEthernet0/0
 ip address 192.168.0.11 255.255.255.0

ip route 0.0.0.0 0.0.0.0 192.168.0.1

6.3.5 Extended ACL


This is an example of an extended ACL using the same network as the standard ACL example.

[Network diagram: R0 F0/1 (.1) -- 192.168.1.0/24 -- F0/0 (.10) R1; R0 F0/0 (.1) -- 192.168.0.0/24 -- switch S0 -- PC1 (.10), PC2 (.11)]

Configure an extended ACL on R0:

R0 denies PC1 Telnet access to R1.
R0 permits any host to Telnet to R1.

This is a sample configuration on R0:

hostname r0

interface FastEthernet0/0
 ip address 192.168.0.1 255.255.255.0
 ip access-group 100 in

interface FastEthernet0/1
 ip address 192.168.1.1 255.255.255.0

access-list 100 deny tcp host 192.168.0.10 host 192.168.1.10 eq telnet
access-list 100 permit ip any any

R1 requires a VTY configuration in order to accept Telnet.

service password-encryption
hostname r1
enable secret 5 $1$4hrB$NgcokrRg1/QR9FffAE1Ut.

interface FastEthernet0/0
 ip address 192.168.1.10 255.255.255.0

ip route 0.0.0.0 0.0.0.0 192.168.1.1

line vty 0 4
 exec-timeout 0 0
 password 7 0822455D0A16
 login

From PC1, Telnet access is denied.

pc1>telnet 192.168.1.10
Trying 192.168.1.10 ...
% Destination unreachable; gateway or host down

From PC2, Telnet access is permitted.

pc2>telnet 192.168.1.10
Trying 192.168.1.10 ... Open

User Access Verification

Password:

r1>
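As an added example, not part of the textbook, the following Python model parses the standard and extended access-list lines used in 6.3.4 and 6.3.5 and applies them the way IOS does: top-down, first match decides, implicit deny for anything that matches no entry. The wildcard-mask semantics and the port keywords are those of the sections above; the packet representation (a dict with proto, src, dst, dport, ack) is an assumption of the model.

```python
import ipaddress

PORT_NAMES = {"telnet": 23, "www": 80, "smtp": 25, "pop3": 110, "domain": 53}
ANY = ("0.0.0.0", "255.255.255.255")


def wildcard_match(ip, network, wildcard):
    """IOS wildcard mask: a 0 bit must equal the network bit, a 1 bit is 'don't care'."""
    ip_i = int(ipaddress.IPv4Address(ip))
    net_i = int(ipaddress.IPv4Address(network))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return ip_i & care == net_i & care


def _take_addr(tokens, i):
    """Consume one address spec at tokens[i]: any | host A | A WILDCARD | lone A (standard list)."""
    if tokens[i] == "any":
        return ANY, i + 1
    if tokens[i] == "host":
        return (tokens[i + 1], "0.0.0.0"), i + 2
    if i + 1 < len(tokens) and tokens[i + 1][0].isdigit():
        return (tokens[i], tokens[i + 1]), i + 2
    return (tokens[i], "0.0.0.0"), i + 1


def parse_acl_line(line):
    """Parse 'access-list N {permit|deny} ...'; the number range (Table 12) selects the syntax."""
    t = line.split()
    number, action = int(t[1]), t[2]
    rule = {"action": action, "proto": "ip", "dport": None, "established": False}
    i = 3
    if 1 <= number <= 99 or 1300 <= number <= 1999:   # standard list: source address only
        rule["src"], i = _take_addr(t, i)
        rule["dst"] = ANY
    else:                                              # extended list: protocol, source, destination
        rule["proto"] = t[i]
        rule["src"], i = _take_addr(t, i + 1)
        rule["dst"], i = _take_addr(t, i)
    while i < len(t):                                  # trailing options
        if t[i] in ("eq", "gt", "lt"):
            rule["dport"] = (t[i], PORT_NAMES.get(t[i + 1]) or int(t[i + 1]))
            i += 2
        else:                                          # 'established' matters, 'log' does not
            rule["established"] |= t[i] == "established"
            i += 1
    return rule


def rule_matches(rule, pkt):
    """pkt: dict with proto, src, dst and, for tcp/udp, dport (and ack for reply segments)."""
    if rule["proto"] != "ip" and rule["proto"] != pkt["proto"]:
        return False
    if not (wildcard_match(pkt["src"], *rule["src"]) and wildcard_match(pkt["dst"], *rule["dst"])):
        return False
    if rule["dport"] is not None:
        op, port = rule["dport"]
        dport = pkt.get("dport")
        if dport is None or not {"eq": dport == port, "gt": dport > port, "lt": dport < port}[op]:
            return False
    return not rule["established"] or pkt.get("ack", False)


def evaluate(acl_lines, pkt):
    """Entries are tried top-down and the first match decides; no match means the implicit deny."""
    for rule in map(parse_acl_line, acl_lines):
        if rule_matches(rule, pkt):
            return rule["action"]
    return "deny"


# Lists from 6.3.4 (access-list 1, outbound on R0 F0/1) and 6.3.5 (access-list 100, inbound on R0 F0/0)
ACL_1 = ["access-list 1 deny 192.168.0.10", "access-list 1 permit any"]
ACL_100 = ["access-list 100 deny tcp host 192.168.0.10 host 192.168.1.10 eq telnet",
           "access-list 100 permit ip any any"]
PC1_TELNET = {"proto": "tcp", "src": "192.168.0.10", "dst": "192.168.1.10", "dport": 23}
PC2_TELNET = {"proto": "tcp", "src": "192.168.0.11", "dst": "192.168.1.10", "dport": 23}
PC1_PING = {"proto": "icmp", "src": "192.168.0.10", "dst": "192.168.1.10"}

if __name__ == "__main__":
    print("ACL 100:", evaluate(ACL_100, PC1_TELNET), evaluate(ACL_100, PC2_TELNET), evaluate(ACL_100, PC1_PING))
    print("ACL 1:", evaluate(ACL_1, PC1_PING), evaluate(ACL_1, PC2_TELNET))
    print("deny-only list, PC2:", evaluate(ACL_1[:1], PC2_TELNET))   # implicit deny catches PC2 too
```

The same parser accepts the established, gt and log forms of the sample ACL in 6.3.3, so the reader can check why a reply segment without the ACK flag falls through to the final deny.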

6.3.6 Named ACL


The named ACL feature allows you to identify standard and extended IP ACLs with an
alphanumeric string (name) instead of the current numeric representations.

Named IP ACLs allow you to delete individual entries in a specific ACL. If you are using
Cisco IOS Release 12.3, you can use sequence numbers to insert statements anywhere in
the named ACL. If you are using a software version earlier than Cisco IOS Release 12.3,
you can insert statements only at the bottom of the named ACL.

6.3.7 VTY ACL


This is a VTY ACL exercise using the same network as the standard ACL example.

[Network diagram: R0 F0/1 (.1) -- 192.168.1.0/24 -- F0/0 (.10) R1; R0 F0/0 (.1) -- 192.168.0.0/24 -- switch S0 -- PC1 (.10), PC2 (.11)]

Configure a VTY ACL on R0.

PC1 is the administrator's PC, so R0 accepts VTY connections only from PC1.

6.4 NAT
One of the most important drawbacks to IP version 4 (IPv4) is the limited number of unique
network addresses; the Internet is running out of address space. Two solutions to this
dilemma are Network Address Translation (NAT) and IP version 6 (IPv6).

NAT provides a short-term solution to this problem by translating private IPv4 addresses into
globally unique, routable IPv4 addresses. IPv6 is the long-term solution by increasing the
size of an IP address to 128 bits.

In the Network Address Translation (NAT) configuration below, all of your internal devices use
the same external global address as the router's external interface.

Router#conf t
Router(config)#access-list 15 permit 192.168.0.0 0.0.0.255
Router(config)#ip nat inside source list 15 interface FastEthernet 0/0 overload
Router(config)#interface FastEthernet 0/0
Router(config-if)#ip address 172.16.1.5 255.255.255.252
Router(config-if)#ip nat outside
Router(config-if)#exit
Router(config)#interface FastEthernet 0/1
Router(config-if)#ip address 192.168.0.1 255.255.255.0
Router(config-if)#ip nat inside

This command shows the NAT translation result.


Router#show ip nat translations

Figure 21 and Table 13 show another sample NAT router configuration.

[Figure: LAN (PCs): Network Address 192.168.0.0, Network Mask 255.255.255.0, Default Gateway 192.168.0.21 -- 192.168.0.1 HOST: 2800A (SNMP, NAT, ACL) 202.0.0.14 -- DMZ (Servers): Network Address 202.0.0.0/28, Network Mask 255.255.255.224, Default Gateway 202.0.0.30]

Figure 21 NAT Sample Network


Table 13 NAT Sample Network Information

LAN                      192.168.0.0/24
External Network (DMZ)   202.0.0.0/28
CISCO Router             GigabitEthernet0/0: 192.168.0.1
                         GigabitEthernet0/1: 202.0.0.14
Domain Name              domain1.site
DNS server               202.0.0.1, 202.0.0.2
NTP server               202.0.0.2

This is a complete configuration based on the above network.


2800A#show running-config
Building configuration...

Current configuration : 2083 bytes

version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname 2800A
boot-start-marker
boot-end-marker
logging buffered 64000 debugging
enable secret 5 $1$XU1n$pltI.IGoFdQLPIRw9Qa0V/
enable password test
clock timezone MMT 6 30
no network-clock-participate aim 0
no network-clock-participate aim 1
no aaa new-model
ip subnet-zero
no ip source-route
ip cef
ip ips notify SDEE
ip ips po max-events 100
ip domain list domain1.site
ip domain name domain1.site
ip name-server 202.0.0.1
ip name-server 202.0.0.2
no ftp-server write-enable

interface GigabitEthernet0/0
 description LAN
 ip address 192.168.0.1 255.255.255.0
 ip access-group 100 in
 no ip redirects
 no ip proxy-arp
 ip accounting access-violations
 ip nat inside
 ip virtual-reassembly
 no ip mroute-cache
 duplex auto
 speed auto
 no mop enabled

interface GigabitEthernet0/1
 description WAN
 ip address 202.0.0.14 255.255.255.240
 ip access-group 101 out
 no ip redirects
 no ip proxy-arp
 ip accounting access-violations
 ip nat outside
 ip virtual-reassembly
 no ip mroute-cache
 duplex auto
 speed auto

ip classless
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/1
no ip http server
no ip http secure-server
ip nat inside source list 1 interface GigabitEthernet0/1 overload

logging facility local1
logging source-interface GigabitEthernet0/1

access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 100 permit ip 192.168.0.0 0.0.0.255 any
access-list 100 deny ip any any log
access-list 101 permit ip 202.0.0.0 0.0.0.15 any
access-list 101 deny ip any any log
access-list 102 permit ip 202.0.0.0 0.0.0.15 any
access-list 102 permit ip 192.168.0.0 0.0.0.255 any
access-list 102 deny ip any any log

snmp-server community public RO
snmp-server enable traps tty
no cdp run

control-plane

line con 0
line aux 0
line vty 0 4
 access-class 102 in
 password secret
 login
 transport input telnet
 transport output none

scheduler allocate 20000 1000
ntp server 202.0.0.2
end

6.4.1 Types of NAT


NAT operates on a Cisco router and is designed for IPv4 address simplification and
conservation. NAT enables private IPv4 internetworks that use unregistered IPv4 addresses
to connect to the Internet. Usually, NAT connects two networks and translates the
private (inside local) addresses in the internal network into public addresses (inside global)
before packets are forwarded to another network. As part of this functionality, you can
configure NAT to advertise only one address for the entire network to the outside world.
Advertising only one address effectively hides the internal network from the world, thus
providing additional security.

NAT has many forms and can work in the following ways:

NAT Overload: Maps multiple unregistered IPv4 addresses to a single registered IPv4 address
(many to one) by using different ports. Overloading is also known as port address
translation (PAT).

Static NAT: Maps an unregistered IPv4 address to a registered IPv4 address (one to one).
Static NAT is particularly useful when a device must be accessible from outside the network.

Dynamic NAT: Maps an unregistered IPv4 address to a registered IPv4 address from a group of
registered IPv4 addresses.

6.4.2 NAT Overload or Port Address Translation (PAT)


PAT allows you to translate multiple internal addresses into a single external address,
essentially allowing the internal addresses to share one external address.

This is an exercise in building a NAT router. The cloud is connected to the existing LAN
(192.168.0.0/24). R0's F0/0 is connected to the C0 cloud and is therefore bridged, so F0/0 has
an IP address in the existing LAN. PC1 is in a different network, 192.168.1.1/24.

[Figure: PC1 -- F0/1 R0 F0/0 -- C0 cloud (existing LAN)]

Figure 22 Port Address Translation

This is the R0 router NAT configuration.


R0#show running-config
hostname r0
clock timezone MMT 6 30
ip domain list domain1.site
ip domain name domain1.site
ip name-server 192.168.0.3

interface FastEthernet0/0
 ip address 192.168.0.69 255.255.255.0
 ip nat outside

interface FastEthernet0/1
 ip address 192.168.1.1 255.255.255.0
 ip nat inside

ip nat inside source list 15 interface FastEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 192.168.0.3
access-list 15 permit 192.168.1.0 0.0.0.255

PC1 is able to ping the outside host.

pc1#ping 192.168.0.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.0.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 92/250/877 ms

This shows the translation table on R0:

R0#show ip nat translations
Pro  Inside global        Inside local         Outside local        Outside global
icmp 192.168.0.69:10     192.168.1.100:10     192.168.0.3:10       192.168.0.3:10

6.4.3 Verify and Troubleshoot NAT


To verify the NAT operation:

# show ip nat translations

This command shows the total number of active translations, the NAT configuration parameters,
how many addresses are in the pool, and how many have been allocated:

# show ip nat statistics

To view NAT translations in real time:

# debug ip nat

To clear all dynamic NAT entries from the translation table:

# clear ip nat translation *

6.4.4 Static NAT : Port Forwarding (Destination NAT)


Port forwarding, or destination NAT, allows an outside PC to access servers on the internal
network. The following figure shows the use of discrete address mapping with static NAT
translations.

Figure 23 Static NAT Address Mapping

ip nat inside source static tcp 192.168.1.100 80 210.200.100.201 80 extendable

6.4.5 Dynamic NAT


This is the R0 router with dynamic NAT configuration.

R0#show running-config
hostname R0
clock timezone MMT 6 30
ip domain list domain1.site
ip domain name domain1.site
ip name-server 192.168.0.3

interface FastEthernet0/0
 ip address 192.168.0.69 255.255.255.0
 ip nat outside

interface FastEthernet0/1
 ip address 192.168.1.1 255.255.255.0
 ip nat inside

ip nat pool test 192.168.0.100 192.168.0.120 netmask 255.255.255.0
ip nat inside source list 10 pool test
ip route 0.0.0.0 0.0.0.0 192.168.0.3

access-list 10 permit 192.168.1.0 0.0.0.255

PC1 is able to ping the outside host.

pc1#ping 192.168.0.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.0.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 92/250/877 ms

This shows the translation table on R0:

R0#show ip nat translations
Pro  Inside global        Inside local         Outside local        Outside global
---  192.160.0.100        192.168.1.100        --------             --------
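As an added example (not the textbook's own material), this Python model reproduces the translation-table behaviour of the three NAT forms configured on R0 above: PAT overload on the outside interface (6.4.2), the static port-forwarding entry (6.4.4) and a dynamic pool (6.4.5). The inside list is the access-list 15 / 10 of those configurations; the packet fields, the ICMP id handling and the deliberately tiny two-address pool used to show exhaustion are assumptions of the model.

```python
import ipaddress


def in_inside_list(ip, inside_list):
    """'access-list N permit NETWORK WILDCARD': bits that are 0 in the wildcard must match."""
    ip_i = int(ipaddress.IPv4Address(ip))
    for network, wildcard in inside_list:
        care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
        if ip_i & care == int(ipaddress.IPv4Address(network)) & care:
            return True
    return False


class NatRouter:
    """'ip nat inside source list N {interface X overload | pool P}' plus static entries."""

    def __init__(self, outside_ip, inside_list, pool=None):
        self.outside_ip = outside_ip        # address of the 'ip nat outside' interface
        self.inside_list = inside_list      # [(network, wildcard), ...] from the access-list
        self.pool = None if pool is None else list(pool)   # None -> overload (PAT)
        self.static = {}    # (proto, global_ip, global_port) -> (local_ip, local_port)
        self.table = {}     # (proto, local_ip, local_id) -> (global_ip, global_id, dst_ip, dst_id)
        self.pool_map = {}  # dynamic NAT: local_ip -> pool address held by that host

    def add_static(self, proto, local_ip, local_port, global_ip, global_port):
        """'ip nat inside source static tcp LOCAL LPORT GLOBAL GPORT extendable'."""
        self.static[(proto, global_ip, global_port)] = (local_ip, local_port)

    def _free_id(self, proto, wanted):
        """PAT keeps the inside port or ICMP id when it is free, else picks an unused one."""
        used = {(k[0], v[1]) for k, v in self.table.items()}
        if (proto, wanted) not in used:
            return wanted
        return next(c for c in range(1024, 65536) if (proto, c) not in used)

    def outbound(self, proto, local_ip, local_id, dst_ip, dst_id):
        """Inside -> outside. Returns the (global_ip, global_id) the packet leaves with: the
        original pair when the source is not in the list (no translation), or None when a
        dynamic pool has no free address (packet dropped)."""
        if not in_inside_list(local_ip, self.inside_list):
            return (local_ip, local_id)
        key = (proto, local_ip, local_id)
        if key not in self.table:
            if self.pool is None:            # overload: one outside address, many ids
                self.table[key] = (self.outside_ip, self._free_id(proto, local_id), dst_ip, dst_id)
            else:                            # dynamic: one pool address per inside host
                if local_ip not in self.pool_map:
                    free = [a for a in self.pool if a not in self.pool_map.values()]
                    if not free:
                        return None
                    self.pool_map[local_ip] = free[0]
                self.table[key] = (self.pool_map[local_ip], local_id, dst_ip, dst_id)
        return self.table[key][:2]

    def inbound(self, proto, global_ip, global_id):
        """Outside -> inside: static entries first, then the translation table. Anything
        without an entry is dropped (None), which is what hides the inside network."""
        if (proto, global_ip, global_id) in self.static:
            return self.static[(proto, global_ip, global_id)]
        for (p, local_ip, local_id), (g_ip, g_id, _, _) in self.table.items():
            if (p, g_ip, g_id) == (proto, global_ip, global_id):
                return (local_ip, local_id)
        return None

    def show_ip_nat_translations(self):
        """Rows in the column order of 'show ip nat translations'."""
        return [f"{p:<5}{g_ip}:{g_id}  {l_ip}:{l_id}  {d_ip}:{d_id}  {d_ip}:{d_id}"
                for (p, l_ip, l_id), (g_ip, g_id, d_ip, d_id) in self.table.items()]


if __name__ == "__main__":
    # 6.4.2: F0/0 192.168.0.69 is outside, access-list 15 permits 192.168.1.0/24, overload
    r0 = NatRouter("192.168.0.69", [("192.168.1.0", "0.0.0.255")])
    r0.outbound("icmp", "192.168.1.100", 10, "192.168.0.3", 10)   # PC1 ping keeps id 10
    r0.outbound("icmp", "192.168.1.101", 10, "192.168.0.3", 10)   # id collides -> 1024
    # 6.4.4: the page's port-forwarding command (global address assumed reachable)
    r0.add_static("tcp", "192.168.1.100", 80, "210.200.100.201", 80)
    print("\n".join(r0.show_ip_nat_translations()))
    print(r0.inbound("tcp", "210.200.100.201", 80))   # forwarded to the inside web server
    print(r0.inbound("tcp", "192.168.0.69", 23))      # no entry: dropped
```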

6.4.6 ICMP Redirect with NAT


This exercise shows how ICMP redirect works. The firewall is configured with NAT, so this
topology is similar to a real implementation.

[Figure: PC2 (.10) -- 192.168.20.0/24 -- F0/1 (.1) R1 F0/0 (.2) -- 192.168.10.0/24 (switch S0, PC1 .10) -- F0/1 (.1) FW F0/0 (.69) -- 192.168.0.0/24]

Figure 24 ICMP Redirect Example

The configuration is:

C0 bridges FW to the external network.
FW is configured as NAT.
PC1's default gateway is R1 because PC1 sends more traffic to PC2 than to the external
network (C0).
PC1 should be able to communicate with PC2 and the external network (C0).
PC2 should be able to communicate with PC1 and the external network (C0).

FW configuration. There is a static route to the 192.168.20.0/24 network.

hostname fw

interface FastEthernet0/0
 ip address 192.168.0.69 255.255.255.0
 ip nat outside

interface FastEthernet0/1
 ip address 192.168.10.1 255.255.255.0
 ip nat inside

ip nat inside source list 15 interface FastEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 192.168.0.3
ip route 192.168.20.0 255.255.255.0 192.168.10.2
access-list 15 permit 192.168.10.0 0.0.0.255
access-list 15 permit 192.168.20.0 0.0.0.255

R1 configuration

hostname r1

interface FastEthernet0/0
 ip address 192.168.10.2 255.255.255.0

interface FastEthernet0/1
 ip address 192.168.20.1 255.255.255.0

ip route 0.0.0.0 0.0.0.0 192.168.10.1

PC1 is configured with the following IP address:

ip address : 192.168.10.10
default gateway : 192.168.10.2

PC2 is configured with the following IP address:

ip address : 192.168.20.10
default gateway : 192.168.20.1

This is the routing table at FW:

fw#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 192.168.0.3 to network 0.0.0.0

C    192.168.10.0/24 is directly connected, FastEthernet0/1
S    192.168.20.0/24 [1/0] via 192.168.10.2
C    192.168.0.0/24 is directly connected, FastEthernet0/0
S*   0.0.0.0/0 [1/0] via 192.168.0.3

NAT translation result at FW after pinging from PC1 and PC2 to 192.168.0.3:

fw#show ip nat translations
Pro  Inside global        Inside local         Outside local        Outside global
icmp 192.168.0.69:6      192.168.10.10:6      192.168.0.3:6        192.168.0.3:6
icmp 192.168.0.69:10     192.168.20.10:10     192.168.0.3:10       192.168.0.3:10

Traceroute from PC1 to the external network. The gateway .2 redirects PC1 to .1 with an ICMP
redirect, and PC1 then communicates with the external network through .1.

pc1>traceroute 192.168.0.3
Type escape sequence to abort.
Tracing the route to 192.168.0.3
  1 192.168.10.2 108 msec 76 msec 52 msec
  2 192.168.10.1 153 msec 117 msec 52 msec
  3 192.168.0.3 112 msec 116 msec 128 msec

Traceroute from PC2 to the external network:

pc2#traceroute 192.168.0.3
Type escape sequence to abort.
Tracing the route to 192.168.0.3
  1 192.168.20.1 64 msec 56 msec 76 msec
  2 192.168.10.1 76 msec 108 msec 76 msec
  3 192.168.0.3 100 msec 100 msec 84 msec
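As an added example, not from the textbook: a small Python model of the redirect decision behind the two traceroutes above. It holds the routing tables of R1 and FW as configured in this section and applies the standard rule that a router sends an ICMP redirect when it forwards a packet back out of the interface it arrived on and the better first hop is on the sender's own subnet. The interface labels and the packet fields are assumptions of the model.

```python
import ipaddress


class Router:
    """Routing table of one router built from its 'interface' and 'ip route' lines."""

    def __init__(self, name, interfaces, static_routes):
        # interfaces: {label: "A.B.C.D/len"}; static_routes: [("prefix/len", "next-hop")]
        self.name = name
        self.interfaces = {n: ipaddress.ip_interface(a) for n, a in interfaces.items()}
        self.routes = [(itf.network, None, n) for n, itf in self.interfaces.items()]  # C routes
        for prefix, nh in static_routes:                                               # S routes
            self.routes.append((ipaddress.ip_network(prefix), ipaddress.ip_address(nh),
                                self.connected_interface(nh)))

    def connected_interface(self, ip):
        """Interface whose subnet contains ip (how a static route's next hop is resolved)."""
        ip = ipaddress.ip_address(ip)
        for n, itf in self.interfaces.items():
            if ip in itf.network:
                return n
        raise ValueError(f"{self.name}: {ip} is not on a connected network")

    def lookup(self, dst):
        """Longest-prefix match; the default route (prefix length 0) wins only as a last resort."""
        dst = ipaddress.ip_address(dst)
        return max((r for r in self.routes if dst in r[0]), key=lambda r: r[0].prefixlen)

    def forward(self, in_if, src, dst):
        """Returns (out_if, first_hop, redirect_to); redirect_to is the gateway named in the
        ICMP redirect sent back to src, or None when no redirect is sent."""
        _, next_hop, out_if = self.lookup(dst)
        first_hop = next_hop if next_hop is not None else ipaddress.ip_address(dst)
        subnet = self.interfaces[in_if].network
        redirect = None
        if out_if == in_if and ipaddress.ip_address(src) in subnet and first_hop in subnet:
            redirect = str(first_hop)   # the sender could have reached first_hop directly
        return out_if, str(first_hop), redirect


# R1 and FW as configured in this section
R1 = Router("r1", {"F0/0": "192.168.10.2/24", "F0/1": "192.168.20.1/24"},
            [("0.0.0.0/0", "192.168.10.1")])
FW = Router("fw", {"F0/0": "192.168.0.69/24", "F0/1": "192.168.10.1/24"},
            [("0.0.0.0/0", "192.168.0.3"), ("192.168.20.0/24", "192.168.10.2")])

if __name__ == "__main__":
    # PC1 (gateway .2) to the external host: R1 sends it back out F0/0 and redirects PC1 to .1
    print(R1.forward("F0/0", "192.168.10.10", "192.168.0.3"))
    # PC1 to PC2 leaves through F0/1: no redirect
    print(R1.forward("F0/0", "192.168.10.10", "192.168.20.10"))
    # Had PC1 used FW as its gateway instead, every PC2-bound packet would draw a redirect to .2
    print(FW.forward("F0/1", "192.168.10.10", "192.168.20.10"))
```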

6.4.7 NAT and VLAN


Continuing from the previous configuration, connect R0 to the external LAN with a NAT
configuration.

[Figure: PC1, PC2 -- S0 -- F0/0 R0 F0/1 -- (bridge connection) External LAN; R0 carries the NAT configuration]

Figure 25 VLAN with NAT

The configuration is:

R0 and C0 (external LAN) are bridged.
R0 and S0 are connected by dot1Q trunking.
R0 is configured as NAT.
PC1 and PC2 are in different VLANs and are connected by R0.

The R0 configuration will be:

hostname r0

interface FastEthernet0/0
 no ip address
interface FastEthernet0/0.1
 encapsulation dot1Q 2
 ip address 192.168.1.1 255.255.255.0
 ip nat inside

interface FastEthernet0/0.2
 encapsulation dot1Q 3
 ip address 192.168.2.1 255.255.255.0
 ip nat inside

interface FastEthernet0/1
 ip address 192.168.0.60 255.255.255.0
 ip nat outside

ip nat inside source list 15 interface FastEthernet0/1 overload
ip route 0.0.0.0 0.0.0.0 192.168.0.1
access-list 15 permit 192.168.1.0 0.0.0.255
access-list 15 permit 192.168.2.0 0.0.0.255

6.5 Security

6.5.1 Anti-Spoofing
IP address spoofing is a technique of changing the source IP address in a packet to
impersonate someone else. Figure 26 shows an attacker in the WAN crafting packets whose
source IP address is that of an administrator PC located in the LAN.

[Figure: LAN 192.168.1.0/24 -- F0/1 (.1) router F0/0 (.1) -- WAN 192.168.0.0/24; Administrator PC at .254 on the LAN; an attacker on the WAN spoofs the source IP address 192.168.1.254]

Figure 26 Anti Spoofing by ACL

To protect against spoofing, the following ACLs need to be configured on each interface.

interface FastEthernet0/0
 ip address 192.168.0.1 255.255.255.0
 ip access-group 100 in

interface FastEthernet0/1
 ip address 192.168.1.1 255.255.255.0
 ip access-group 101 in

access-list 100 permit ip 192.168.0.0 0.0.0.255 any
access-list 100 deny ip any any log
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
access-list 101 deny ip any any log
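As an added example, not from the textbook: both anti-spoofing lists above end in deny ip any any log, so every forged packet the router drops leaves a %SEC-6-IPACCESSLOGP (tcp/udp) or %SEC-6-IPACCESSLOGDP (icmp) syslog line naming the list that dropped it. The Python parser below turns those lines into a per-source spoofing report using the list-to-interface mapping of the configuration above (list 100 guards the WAN side, list 101 the LAN side). The log lines are constructed samples in the IOS message format, not captured output.

```python
import ipaddress
import re

# From the configuration above: list 100 is inbound on F0/0 (WAN), list 101 inbound on F0/1 (LAN)
LAN = ipaddress.ip_network("192.168.1.0/24")
WAN_FACING_LIST, LAN_FACING_LIST = 100, 101

# IOS access-list log lines: tcp/udp carry (port) after each address, icmp carries (type/code)
LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOG[A-Z]*: list (?P<list>\d+) denied (?P<proto>\S+) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?:\((?P<sport>\d+)\))? -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?:\((?P<dport>\d+)\))?.*?, (?P<count>\d+) packets?"
)


def parse_line(line):
    """Return the fields of one access-list log line, or None for any other syslog line."""
    m = LOG_RE.search(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["list"], entry["count"] = int(entry["list"]), int(entry["count"])
    return entry


def classify(entry):
    """Decide what a denied packet means, given which list (and so which interface) dropped it."""
    src = ipaddress.ip_address(entry["src"])
    if entry["list"] == WAN_FACING_LIST and src in LAN:
        return "spoofed: inside address arriving from the WAN"
    if entry["list"] == LAN_FACING_LIST and src not in LAN:
        return "spoofed: LAN host using a foreign source address"
    return "denied: not in the permitted range"


def spoof_report(lines):
    """(rows, per_source): one classified row per log line, and packet counts per spoofing source."""
    entries = [e for e in map(parse_line, lines) if e]
    rows = [(e["src"], e["dst"], e["list"], classify(e), e["count"]) for e in entries]
    per_source = {}
    for src, _, _, kind, count in rows:
        if kind.startswith("spoofed"):
            per_source[src] = per_source.get(src, 0) + count
    return rows, per_source


SAMPLE_LOG = [   # constructed sample lines in the IOS access-list logging format
    "*Mar  1 00:12:34.567: %SEC-6-IPACCESSLOGP: list 100 denied tcp 192.168.1.254(40001) -> 192.168.1.1(23), 1 packet",
    "*Mar  1 00:12:35.102: %SEC-6-IPACCESSLOGDP: list 100 denied icmp 192.168.1.254 -> 192.168.1.1 (8/0), 3 packets",
    "*Mar  1 00:13:01.250: %SEC-6-IPACCESSLOGP: list 100 denied udp 10.8.8.8(53) -> 192.168.0.1(33434), 1 packet",
    "*Mar  1 00:14:10.003: %SEC-6-IPACCESSLOGP: list 101 denied tcp 172.16.9.9(5555) -> 192.168.0.50(80), 2 packets",
    "*Mar  1 00:14:11.000: %LINK-3-UPDOWN: Interface FastEthernet0/0, changed state to up",
]

if __name__ == "__main__":
    rows, per_source = spoof_report(SAMPLE_LOG)
    for row in rows:
        print(row)
    print("spoofed packets per source:", per_source)
```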

6.5.2 Disable unused services


Disable unused services for better security.

Small servers:

Router(config)#no service tcp-small-servers
Router(config)#no service udp-small-servers

By default, these services are enabled before IOS 11 and disabled from IOS 12.0 on.

Disable finger and source routing:

Router(config)#no ip finger
Router(config)#no ip source-route

Disable CDP globally if it is not used:

Router(config)#no cdp run

Disable CDP on an interface:

Router(config-if)#no cdp enable

Disable the HTTP server:

Router(config)#no ip http server
Router(config)#no ip http secure-server

Hands-on-Lab 10 Configuring Port Security

[Diagram: PC1 -- Fa0/1 Switch Fa0/4 -- PC2; PC3]

Switch Designation: Switch 1
Switch Name: Switch
Enable Secret Password: ictti
Enable, VTY, and Console Passwords: cisco
VLAN 1 IP Address: 192.168.1.2
Default Gateway IP Address: 192.168.1.1
Subnet Mask: 255.255.255.0

Objective
Create and verify a basic switch configuration.
Configure port security on individual FastEthernet ports.

Background/Preparation

Cable a network similar to the one in the diagram. The configuration output used in this lab
is produced from a 2950 series switch. The following steps are intended to be executed on
each switch unless specifically instructed otherwise.

Note: Go to the erase and reload instructions at the end of this lab. Perform those steps on
all switches in this lab assignment before continuing.

Step 1 Configure the switch


Configure the hostname, access and command mode passwords, as well as the
management LAN settings. These values are shown in the chart. If problems occur while
performing this configuration, refer to the Basic Switch Configuration lab.

Step 2 Configure the hosts attached to the switch


a. Configure the hosts to use the same IP subnet for the address, mask, and default
gateway as on the switch.

b. There is a third host needed for this lab. It needs to be configured with the address
192.168.1.7. The subnet mask is 255.255.255.0 and the default gateway is
192.168.1.1.
Note: Do not connect this PC to the switch yet.

Step 3 Verify connectivity


a. To verify that the hosts and switch are correctly configured, ping the switch IP address
from the hosts.
b. Were the pings successful? -----------------------------------------------------------------------
c. If the answer is no, troubleshoot the hosts and switch configurations.

Step 4 Record the host MAC addresses


a. Determine and record the layer 2 addresses of the PC network interface cards.
If running Windows 98, check by using Start > Run > winipcfg. Click on More info.
If running Windows 2000, check by using Start > Run > cmd > ipconfig /all.
b. PC1 --------------------------------------------------------------------------------------------------------
c. PC2 --------------------------------------------------------------------------------------------------------

Step 5 Determine what MAC addresses that the switch has learned
a. Determine what MAC addresses the switch has learned by using the show
mac-address-table command.
b. How many dynamic addresses are there? -------------------------------------------------------
c. How many total MAC addresses are there? -----------------------------------------------------
d. Do the MAC addresses match the host MAC addresses? -----------------------------------

Step 6 Determine the show MAC table options


a. Enter the following to determine the MAC address table
---------------------------------------------------------------------------------------------------------------
---------------------------------------------------------------------------------------------------------------

Step 7 Setup a static MAC address


Set up the static MAC address recorded for PC1 in Step 4 on interface FastEthernet 0/1
as follows: ---------------------------------------------------------------------------

Step 8 Verify the results


a. Enter the following to verify the MAC address table entries:

b. How many total MAC addresses are there now? ------------------------------------

Step 9 List port security options


a. Determine the options for setting port security on interface FastEthernet 0/4.
----------------------------------------------------------------------------------------------------
b. Allow switchport FastEthernet 0/4 to accept dynamically learned MAC
addresses. ---------------------------------------------------------------------------------------

Step 10 Verify the results


a. Enter the following to verify the MAC address table entries: ----------------------
b. How are the address types listed for the two MAC addresses? -----------------

Step 11 Limit the number of hosts per port


a. On interface FastEthernet 0/4, set the port security maximum MAC count to 1 as
follows: ----------------------------------------------------------------------------------------------------
b. Disconnect the PC attached to FastEthernet 0/4. Connect the PC that has been given
the IP address 192.168.1.7 to the port. This PC has not yet been attached to the switch.
It may be necessary to ping the switch address 192.168.1.2 to generate some traffic.
c. Record any observations. ----------------------------------------------------------------------------

Step 12 Configure the port to shut down if there is a security violation


a. It has been decided that in the event of a security violation the interface should be
shut down. Enter the following to set the port security violation action to shutdown:
b. What other action options are available with port security? ----------------------
c. If necessary, ping the switch address 192.168.1.2 from the PC 192.168.1.7. This PC
is now connected to interface FastEthernet 0/4. This ensures that there is traffic from
the PC to the switch.
d. Record any observations. ------------------------------------------------------------------

Step 13 Show port 0/4 configuration information


a. To see the configuration information for just FastEthernet port 0/4, type show
interface fastethernet 0/4, as follows, at the Privileged EXEC mode prompt:
b. What is the state of this interface?
FastEthernet0/4 is -------------------------------, Line protocol is------------------------------

Step 14 Reactivate the port


a. If a security violation occurs and the port is shut down, use the no shutdown
command to reactivate it.
b. Try reactivating this port a few times by switching between the original port 0/4 host
and the new one. Plug in the original host, type the no shutdown command on the
interface and ping using the DOS window. The ping will have to be repeated
multiple times, or use the ping 192.168.1.2 -n 200 command. This sets the
number of ping packets to 200 instead of 4. Then switch hosts and try again.

Step 15 Exit the switch


Type exit to leave the switch welcome screen. Once the steps are completed, logoff by
typing exit, and turn all the devices off. Then remove and store the cables and adapter.

Hands-on-Lab 11 DHCP

[Diagram: PC1 -- Net 1 (192.168.1.0/24) -- Fa0/0 Router1 Fa0/1 -- Net 2 (192.168.2.0/24) -- Fa0/1 Router2 Fa0/0 -- Net 3 (192.168.3.0/24) -- PC2]

Configure the above network with the above network addressing. Configure Router1 to
provide DHCP to PC1 and Router2 to provide DHCP to PC2. At the end of the lab, PC1 and
PC2 should be able to ping each other.

Hands-on-Lab 12 DHCP, NAT

[Diagram: Inside web server www (.10, 192.168.30.0/24) -- (.1) R1 (NAT) S0/0 (.1) -- 210.0.0.0/30 -- (.2) S0/0 ISP (.1) -- 210.0.1.0/24 -- SRV (.10); R1 S0/1 (.1) -- 10.0.0.0/30 -- (.2) S0/0 R2; R1 S0/2 (.5) -- 10.0.0.4/30 -- (.6) S0/0 R3 (DHCP pools 192.168.10.100-254, 192.168.11.100-254, 192.168.20.100-254); R2 F0/0 -- switch S0 (F1/0-7 VLAN 10: Marketing, F1/8-15 VLAN 11: Sales) -- PC1 (192.168.10.0/24), PC2 (192.168.11.0/24); R3 F0/0 -- PC3 (192.168.20.0/24)]

1. Configure Single-Area OSPF routing

Configure OSPF (Process ID 1) routing on R1, R2, and R3.
Verify that all routes were learned.
On R1, create a default route to the ISP and propagate the route within OSPF updates.
Test connectivity and examine the configuration.
Use verification commands such as show ip route, show ip ospf database, and
show ip ospf neighbor.

2. Configure NAT (PAT)

To define the internal addresses that are translated to a public address in the NAT
process, create a standard ACL.
The ISP has assigned one public address to R1. This address is used by all internal
hosts that access the Internet.
Configure NAT with overload, also called Port Address Translation (PAT), which uses port
numbers to distinguish packets from different hosts that are assigned the same
public IP address.
Configure the interfaces on R1 to apply NAT. Configure each of the interfaces
using the ip nat {inside | outside} command.

3. Configure Static NAT for the inside web server (destination NAT)

Configure port forwarding on R1 so that the inside web server can be reached from outside the network.

4. Configure R2 and create two VLANs

Connect the PCs to switch S0 and assign a VLAN to each port.
Assign an IP address to each VLAN interface; it becomes the default gateway of that VLAN.

5. Configure DHCP

Configure the PCs as DHCP clients.
On R3, create three DHCP pools, for the networks 192.168.10.0/24, 192.168.11.0/24, and 192.168.20.0/24.
On R2, configure a DHCP relay agent so that PC1 and PC2 can acquire IP addresses from R3.

6. Test connectivity and examine the configuration

Use the OSPF verification commands show ip route, show ip ospf database, and show ip ospf neighbor.
Use the NAT verification commands show ip nat translations and show ip nat statistics.
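The translation behaviour that steps 2 and 3 configure on R1 is easier to see on concrete packets. The following Python model is an added example, not part of the lab text and not IOS code: it applies the standard-ACL check, overloads every permitted inside source onto one public address by allocating a distinct port, reverses the mapping for replies, and honours one static port-forward for the inside web server. Addresses are taken from the lab diagram; using R1's ISP-facing address 210.0.0.1 as the overloaded public address, the port numbers and the packets themselves are constructed for the example.

```python
"""Stateful PAT (NAT overload) with one static port-forward, modelled in Python.

Added example: this is not the lab's IOS configuration. It models what
`ip nat inside source list <acl> interface s0/0 overload` plus
`ip nat inside source static tcp 192.168.30.10 80 <public> 80` do to packets.
Addresses come from the Lab 12 diagram; 210.0.0.1 as the public address and
all packets and ports below are constructed for the example.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class PatRouter:
    def __init__(self, inside_nets, public_ip, static_forwards=None, first_port=1024):
        # The standard ACL: only these source networks are translated.
        self.inside_nets = [ipaddress.ip_network(n) for n in inside_nets]
        self.public_ip = public_ip
        # Static destination NAT: public_port -> (inside_ip, inside_port).
        self.static = dict(static_forwards or {})
        self.next_port = first_port
        # Dynamic PAT table, kept in both directions.
        self.out_table = {}   # (inside_ip, inside_port) -> public_port
        self.in_table = {}    # public_port -> (inside_ip, inside_port)

    def _permitted(self, ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.inside_nets)

    def outbound(self, pkt):
        """Inside -> outside. Returns the translated packet, or None when the ACL
        does not match. IOS would forward such a packet with its private source
        address untouched, which is why the ACL must cover every inside network."""
        if not self._permitted(pkt.src_ip):
            return None
        key = (pkt.src_ip, pkt.src_port)
        if key not in self.out_table:
            # Allocate a public port nobody else is using (IOS keeps the original
            # port when it is free; always allocating keeps the uniqueness visible).
            while self.next_port in self.in_table or self.next_port in self.static:
                self.next_port += 1
            self.out_table[key] = self.next_port
            self.in_table[self.next_port] = key
            self.next_port += 1
        return Packet(self.public_ip, self.out_table[key], pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt):
        """Outside -> inside. Only an existing dynamic entry or a static forward
        lets a packet through; anything else has no inside address and is dropped."""
        if pkt.dst_ip != self.public_ip:
            return None
        target = self.in_table.get(pkt.dst_port) or self.static.get(pkt.dst_port)
        if target is None:
            return None
        inside_ip, inside_port = target
        return Packet(pkt.src_ip, pkt.src_port, inside_ip, inside_port)


def demo():
    """PC1 and PC2 reach SRV through one public address; SRV reaches the web server."""
    r1 = PatRouter(
        inside_nets=["192.168.10.0/24", "192.168.11.0/24",
                     "192.168.20.0/24", "192.168.30.0/24"],
        public_ip="210.0.0.1",
        static_forwards={80: ("192.168.30.10", 80)},
    )
    pc1 = r1.outbound(Packet("192.168.10.100", 40000, "210.0.1.10", 80))
    pc2 = r1.outbound(Packet("192.168.11.100", 40000, "210.0.1.10", 80))  # same source port
    reply_to_pc2 = r1.inbound(Packet("210.0.1.10", 80, "210.0.0.1", pc2.src_port))
    to_webserver = r1.inbound(Packet("210.0.1.10", 51000, "210.0.0.1", 80))
    unsolicited = r1.inbound(Packet("210.0.1.10", 51000, "210.0.0.1", 2222))
    not_in_acl = r1.outbound(Packet("10.0.0.2", 40000, "210.0.1.10", 80))
    return pc1, pc2, reply_to_pc2, to_webserver, unsolicited, not_in_acl


if __name__ == "__main__":
    for name, pkt in zip(("pc1", "pc2", "reply", "web", "stray", "acl-miss"), demo()):
        print(f"{name:9s} {pkt}")
```

Two things worth noticing when you run it: PC1 and PC2 both use source port 40000, and the only thing that keeps their return traffic apart is the public port R1 allocated, which is exactly what show ip nat translations lists; and an inbound packet to a port with no entry is dropped, so PAT hides the inside hosts, but it is state, not a security policy, and the static entry for the web server is reachable by anyone on the outside.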


7 WAN <Day 10>

7.1 Introduction to Wide Area Networks


WANs are most often charge-for-service networks that give users access to resources across
a wide geographic area. Some services are Layer 2 connections between your remote locations,
typically provided by a telephone company (telco) over its WAN switches; serial point-to-point
(leased line) and Frame Relay connections are examples.

Major characteristics of WANs:

They connect devices separated by wide geographical areas.
They use the services of carriers.
They use serial connections of various types to access bandwidth over large geographic areas.

A variety of WAN technologies exist. Most of them operate at the lowest two layers of the
OSI model, the physical and data link layers, although some implement the network layer as
well. Higher-layer protocols such as IP are encapsulated when sent across the WAN link.
Figure 27 illustrates the relationship between the common WAN technologies and the OSI model.

Figure 27 Mapping the OSI Model to WAN Protocols


7.2 WAN Connection Types


WAN connections are generally grouped into three types:
Point-to-point technologies
Circuit-switched technologies
Packet-switched technologies

Figure 28 WAN Connection Types

7.2.1.1 Point-to-Point Technologies (Leased Lines)

These are usually referred to as point-to-point or dedicated connections. Point-to-point
links are leased from a service provider and provide guaranteed bandwidth from one location
to another. A leased line is a pre-established WAN communications path that goes from the
CPE (customer premises equipment) through the DCE switch to the CPE of the remote site.
Point-to-point links generally require no call setup, and the connection is always on. They
use synchronous serial lines at speeds up to 45 Mbps. HDLC and PPP encapsulations are
frequently used on leased lines.

7.2.1.2 Circuit switching

When you hear the term circuit switching, think phone call. The big advantage is cost: you
only pay for the time you actually use. No data can transfer before an end-to-end connection
is established. Circuit switching uses dial-up modems or ISDN and is used for low-bandwidth
data transfers. It requires call setup before information can be transferred, and
circuit-switched lines are generally low-speed compared to point-to-point lines.


7.2.1.3 Packet switching

This is a WAN switching method that lets you share bandwidth with other companies to save
money. Bandwidth is therefore not guaranteed but allocated on a best-effort basis. Packet
switching only works well if your data transfers are bursty rather than continuous. Frame
Relay and X.25 are packet-switching technologies with speeds ranging from 56 Kbps up to T3
(45 Mbps).

7.3 WAN Encapsulation

Each WAN connection uses an encapsulation protocol to encapsulate traffic while it crosses
the WAN link. To ensure that the correct encapsulation protocol is used, you configure the
Layer 2 encapsulation type on the interface. A WAN is usually terminated on a Cisco device's
serial interface. Serial interfaces support a wide variety of WAN encapsulation types, which
must be specified manually.

The choice of encapsulation protocol depends on the WAN technology and the communicating
equipment. Typical WAN protocols include the following:

High-Level Data Link Control (HDLC): HDLC is the default encapsulation type on
point-to-point, dedicated links. It is typically used when communicating between two Cisco
devices. It is a bit-oriented synchronous data link layer protocol that specifies a
data-encapsulation method on synchronous serial links using frame characters and checksums.
When communicating with a non-Cisco device, synchronous PPP is the better option.

Point-to-Point Protocol (PPP): PPP provides router-to-router and host-to-network connections
over synchronous and asynchronous circuits. PPP was designed to work with several network
layer protocols, including IP. PPP also has built-in authentication mechanisms, Password
Authentication Protocol (PAP) and Challenge Handshake Authentication Protocol (CHAP).

Asynchronous Transfer Mode (ATM): ATM is the international standard for cell relay, in
which multiple service types (such as voice, video, or data) are conveyed in fixed-length
(53-byte) cells. Fixed-length cells allow processing to occur in hardware, thereby reducing
transit delays. ATM is designed to take advantage of high-speed transmission media such as
E3, Synchronous Optical Network (SONET), and T3.

Frame Relay: a successor to X.25. This protocol is an industry-standard, switched data link
layer protocol that handles multiple virtual circuits (VCs). Frame Relay is streamlined to
eliminate some of the time-consuming processes, such as error correction and flow control,
that X.25 employed to compensate for older, less reliable communication links.

Serial Line Internet Protocol (SLIP): SLIP is a standard protocol for point-to-point serial
connections using a variation of TCP/IP. SLIP is the predecessor of PPP.

X.25/Link Access Procedure, Balanced (LAPB)

7.4 HDLC Encapsulation

High-Level Data Link Control (HDLC) is a WAN encapsulation protocol used on dedicated
point-to-point serial lines. Though HDLC is technically an ISO standard protocol, Cisco's
implementation of HDLC is proprietary and will not interoperate with other vendors' routers.

HDLC is also Cisco's default encapsulation type for serial point-to-point links. HDLC
provides no authentication mechanism.

7.5 PPP Encapsulation


Wide-area networking services are typically leased from a service provider. Some WAN
services operate as Layer 2 connections between your remote locations and are typically
provided by a telephone company (telco) over its WAN switches.

PPP emerged as an encapsulation protocol for transporting IP traffic over point-to-point
(leased line) serial connections. This section describes the operation, configuration, and
verification of PPP. PPP is a common Layer 2 protocol for the WAN.


Figure 29 Point-to-Point Protocol Stack

7.5.1 Overview of PPP

PPP is an international standard encapsulation used for the following types of
connections (physical interfaces):
Asynchronous serial: plain old telephone service (POTS) dial-up
Synchronous serial: ISDN or point-to-point leased lines

PPP has four components:

Physical: a standard for physical serial communication (such as EIA/TIA-232-C, V.35,
ISDN, etc.).
HDLC: for encapsulating packets into frames over serial lines.
LCP: for establishing, maintaining, and terminating point-to-point links.
NCP: allows multiple Layer 3 protocols (such as IP and IPX) to be encapsulated into frames.

Figure 30 Overview of PPP Components


Because it is standardized, PPP supports vendor interoperability. PPP uses its Network
Control Protocol (NCP) component to encapsulate multiple protocols, as shown in Figure 30.
PPP uses another of its major components, the Link Control Protocol (LCP), to negotiate
and set up control options on the WAN data link. PPP supports several features that
standalone HDLC does not:
Authentication
Compression
Multilink
Callback
Error control

7.5.2 PPP Session Establishment

Figure 31 PPP Session Establishment

The three phases of PPP session establishment are described in the following list:

(1) Link Establishment Phase
In this phase, each PPP device sends LCP packets to configure and test the data link.

(2) Authentication Phase (optional)
PPP supports two authentication protocols: PAP and CHAP.

(3) Network Layer Protocol Phase
In this phase, the PPP devices send NCP packets to choose and configure one or more
network layer protocols, such as IP. After each of the chosen network layer protocols is
configured, datagrams from each network layer protocol can be sent over the link.


7.5.3 PPP Authentication Methods

There are two methods of authentication that can be used on PPP links: PAP and CHAP.

PAP is a two-way handshake that provides a simple method for a remote node to establish
its identity. PAP is performed only upon initial link establishment. After the PPP link
establishment phase is complete, the remote node repeatedly sends a username and password
pair to the router until authentication is acknowledged or the connection is terminated.
PAP is not a strong authentication protocol: the password is sent across the link in plain
text, and there is no protection against replay.

CHAP uses a three-way handshake, which occurs at the startup of a link and periodically
thereafter to verify the identity of the remote node. After the PPP link establishment
phase is complete, the local router sends a challenge message to the remote node. The
remote node responds with a value calculated using a one-way hash function, Message Digest
Algorithm 5 (MD5), over the identifier, the password and the challenge message.

The local router checks the response against its own calculation of the expected hash value.
If the values match, the authentication is acknowledged; otherwise the connection is
terminated immediately. Because the challenge changes on every attempt, a captured response
cannot be replayed, and the password itself never crosses the link. Both routers must
nevertheless hold the shared secret in recoverable form, so the configuration that contains
it needs to be protected.

Figure 32 PAP and CHAP Authentication
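The PAP and CHAP exchanges described above, as an added example in Python that is not part of the textbook and not IOS code. The two peers and their username/password entries mirror the CHAP figure later in this section (hostnames R1 and R2 and the secret "cisco" come from the page); the challenge bytes, identifiers and message transcript are constructed here. The CHAP response value is computed as MD5 over identifier, secret and challenge, which is what the routers compute on both ends, and the example also shows why a captured response is useless against a fresh challenge while a captured PAP request is the credential itself.

```python
"""PPP authentication phase modelled: PAP (RFC 1334) beside CHAP (RFC 1994).

Added example, not code from the textbook or from IOS. The peers and their
`username <peer> password cisco` entries mirror the CHAP figure in this section;
hostnames and the secret "cisco" come from the page, everything else is
constructed. CHAP's response value is MD5(identifier || secret || challenge).
"""
import hashlib
import hmac
import os


class Peer:
    def __init__(self, hostname, users):
        self.hostname = hostname
        self.users = dict(users)      # username <peer> password <secret>
        self.pending = {}             # identifier -> challenge we issued
        self.next_id = 0

    # --- PAP: the caller just sends a name and password in the clear ---
    def pap_request(self, password):
        return {"peer_id": self.hostname, "password": password}

    def pap_verify(self, request):
        return self.users.get(request["peer_id"]) == request["password"]

    # --- CHAP: three-way handshake, the secret never leaves either router ---
    @staticmethod
    def chap_value(ident, secret, challenge):
        return hashlib.md5(bytes([ident]) + secret.encode() + challenge).digest()

    def chap_challenge(self):
        self.next_id = (self.next_id + 1) % 256
        challenge = os.urandom(16)          # fresh per attempt: this defeats replay
        self.pending[self.next_id] = challenge
        return self.next_id, challenge, self.hostname

    def chap_response(self, ident, challenge, challenger_name):
        # The secret is looked up under the *challenger's* hostname, which is why
        # the username on each router must equal the other router's hostname.
        secret = self.users.get(challenger_name)
        if secret is None:
            return None
        return ident, self.chap_value(ident, secret, challenge), self.hostname

    def chap_verify(self, ident, value, responder_name):
        challenge = self.pending.pop(ident, None)   # one challenge, one answer
        secret = self.users.get(responder_name)
        if challenge is None or secret is None:
            return False
        expected = self.chap_value(ident, secret, challenge)
        return hmac.compare_digest(expected, value)


def chap_handshake(authenticator, peer):
    """Run Challenge -> Response -> Success/Failure; return (ok, transcript)."""
    ident, challenge, name = authenticator.chap_challenge()
    log = [f"{authenticator.hostname} -> {peer.hostname}: CHALLENGE id={ident} "
           f"name={name} value={challenge.hex()}"]
    resp = peer.chap_response(ident, challenge, name)
    if resp is None:
        log.append(f"{peer.hostname}: no credential for {name}, no response")
        return False, log
    log.append(f"{peer.hostname} -> {authenticator.hostname}: RESPONSE id={ident} "
               f"name={resp[2]} value={resp[1].hex()}")
    ok = authenticator.chap_verify(*resp)
    log.append(f"{authenticator.hostname} -> {peer.hostname}: "
               f"{'SUCCESS' if ok else 'FAILURE'} id={ident}")
    return ok, log


def two_way_chap(r1, r2):
    """Both routers challenge each other, as `ppp authentication chap` on both ends does."""
    ok1, log1 = chap_handshake(r1, r2)
    ok2, log2 = chap_handshake(r2, r1)
    return ok1 and ok2, log1 + log2


if __name__ == "__main__":
    r1 = Peer("R1", {"R2": "cisco"})
    r2 = Peer("R2", {"R1": "cisco"})
    ok, log = two_way_chap(r1, r2)
    print("\n".join(log), "\nlink authenticated:", ok)
    print("PAP on the wire:", r2.pap_request("cisco"))
```

The transcript printed by two_way_chap is the same O CHALLENGE / I RESPONSE / O SUCCESS sequence that debug ppp authentication shows on a router. Note that chap_verify pops the challenge it answers, so even replaying a response with the right identifier fails once a new challenge has been issued; a PAP request, by contrast, is complete on its own and can be replayed by anyone who saw it.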


7.5.4 Configuring PPP

7.5.4.1 Configuring PPP on Cisco Routers


Configuring PPP encapsulation on an interface is straightforward. From the CLI:
Router#config t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#int s0
Router(config-if)#encapsulation ppp
Router(config-if)#^Z
Router#

PPP encapsulation has to be enabled on both interfaces connected to the serial line in
order to work.

7.5.4.2 Configuring PPP Authentication


After you configure your serial interface for PPP encapsulation, you can configure PPP
authentication between routers. First set the hostname of the router, if it is not already
set. Then set the username and password for the remote router that will be connecting to
your router. For example:
Router#config t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#hostname RouterA
RouterA(config)#username RouterB password cisco

The username must be the hostname of the remote router that connects to your router, and it
is case sensitive. The password must be the same on both routers. It is stored as plain text
and is visible in show run; service password-encryption replaces it with a type 7 string,
but that encoding is reversible and only hides the password from a casual glance. The router
needs the cleartext to compute CHAP, so the real protection is restricting who can view or
copy the configuration.
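What service password-encryption actually does to the username line is worth seeing. The following Python is an added example, not IOS code and not from the textbook: it implements the type 7 scheme (each byte XORed with a fixed key string, starting at an offset given by the two leading digits), so the stored value can be turned back into the password on any workstation. The sample configuration fragment and the stored string 0822455D0A16 are constructed for the example.

```python
"""Cisco IOS "type 7" password obfuscation, the output of service password-encryption.

Added example, not Cisco code. Each ciphertext byte is the plaintext byte XORed
with one character of a fixed key string; the first two digits of the stored
value say where in the key to start. Reversing it needs nothing but this table,
which is why a configuration containing "password 7" lines must be handled as
if it held the cleartext. The sample config below is constructed for the example.
"""

_XLAT = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def type7_decode(stored):
    """'0822455D0A16' -> 'cisco'. Raises ValueError on a malformed string."""
    if len(stored) < 4 or len(stored) % 2 or not stored[:2].isdigit():
        raise ValueError("not a type 7 string")
    seed = int(stored[:2])
    body = bytes.fromhex(stored[2:])
    clear = bytes(b ^ _XLAT[(seed + i) % len(_XLAT)] for i, b in enumerate(body))
    return clear.decode()


def type7_encode(plaintext, seed=8):
    """Inverse of type7_decode; IOS picks the seed itself, here it is a parameter."""
    if not 0 <= seed <= 15:
        raise ValueError("seed must be 0..15")
    data = plaintext.encode()
    enc = bytes(b ^ _XLAT[(seed + i) % len(_XLAT)] for i, b in enumerate(data))
    return f"{seed:02d}" + enc.hex().upper()


def recover_usernames(config_text):
    """Pull every `username <name> password 7 <hex>` line out of a config and
    return {name: cleartext}, which is all someone holding show run output needs."""
    found = {}
    for line in config_text.splitlines():
        parts = line.split()
        if len(parts) == 5 and parts[0] == "username" and parts[2:4] == ["password", "7"]:
            found[parts[1]] = type7_decode(parts[4])
    return found


# Constructed running-config fragment, as it would look after
# service password-encryption has been applied to the CHAP username.
SAMPLE_CONFIG = """\
hostname RouterA
service password-encryption
username RouterB password 7 0822455D0A16
"""

if __name__ == "__main__":
    print(recover_usernames(SAMPLE_CONFIG))   # {'RouterB': 'cisco'}
```

Treat any backup, TFTP copy or pasted show run that contains password 7 lines as containing the CHAP secret in the clear, and restrict who may run show running-config rather than relying on the encoding.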

You must have a username and password configured for each remote system you plan to
connect to. The remote routers must also be configured with usernames and passwords.
Now, after youve set the hostname, usernames, and passwords, choose the authentication
type, either CHAP or PAP:


RouterA#config t
Enter configuration commands, one per line. End with CNTL/Z.
RouterA(config)#int s0
RouterA(config-if)#ppp authentication chap pap
RouterA(config-if)#^Z
RouterA#

Example: PPP and CHAP Configuration

Figure 33 shows an example of CHAP configuration on two routers. In this example a two-way
challenge occurs: each router authenticates the other. The hostname of one router must match
the username the other router has configured, and the passwords must match.

R1 (S0/1) ---------- (S0/1) R2

R1:
hostname R1
username R2 password cisco
!
int serial 0/1
 ip address 10.0.1.1 255.255.255.0
 encapsulation ppp
 ppp authentication chap

R2:
hostname R2
username R1 password cisco
!
int serial 0/1
 ip address 10.0.1.2 255.255.255.0
 encapsulation ppp
 ppp authentication chap

Figure 33 Network Topology for PPP and CHAP Configuration


R1
hostname R1
username R2 password cisco
int serial 0/1
 ip address 10.0.1.1 255.255.255.0
 encapsulation ppp
 clockrate 64000
 ppp authentication chap

R2
hostname R2
username R1 password cisco
int serial 0/1
 ip address 10.0.1.2 255.255.255.0
 encapsulation ppp
 ppp authentication chap

7.5.5 Verifying PPP

7.5.5.1 Verifying PPP Encapsulation Configuration


Use the show interface command to verify proper configuration. The following outputs
show that PPP encapsulation has been configured and LCP has established a connection,
as indicated by LCP Open in the command output.

R1#sh int s0/1
Serial0/1 is up, line protocol is up
  Hardware is PowerQUICC Serial
  Internet address is 10.0.1.1/24
  MTU 1500 bytes, BW 1544 Kbit, DLY 20000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation PPP, LCP Open
  Open: CDPCP, IPCP, loopback not set
  Last input 00:00:00, output 00:00:00, output hang never
  Last clearing of "show interface" counters 00:48:47
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: weighted fair
  Output queue: 0/1000/64/0 (size/max total/threshold/drops)
     Conversations  0/2/256 (active/max active/max total)
     Reserved Conversations 0/0 (allocated/max allocated)
     Available Bandwidth 1158 kilobits/sec
  5 minute input rate 0 bits/sec, 2 packets/sec
  5 minute output rate 4000 bits/sec, 10 packets/sec
     917 packets input, 43816 bytes, 0 no buffer
     Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
     1 input errors, 0 CRC, 1 frame, 0 overrun, 0 ignored, 0 abort
     3052 packets output, 143088 bytes, 0 underruns
     0 output errors, 0 collisions, 15 interface resets
     0 output buffer failures, 0 output buffers swapped out
     30 carrier transitions
     DCD=up  DSR=up  DTR=up  RTS=up  CTS=up

R2
R2#sh int s0/1
Serial0/1 is up, line protocol is up
  Hardware is PowerQUICC Serial
  Internet address is 10.0.1.2/24
  MTU 1500 bytes, BW 1544 Kbit, DLY 20000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation PPP, loopback not set
  Keepalive set (10 sec)
  LCP Open
  Open: IPCP, CDPCP
  Last input 00:00:09, output 00:00:09, output hang never
  Last clearing of "show interface" counters 00:05:37
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: weighted fair
  Output queue: 0/1000/64/0 (size/max total/threshold/drops)
     Conversations  0/1/256 (active/max active/max total)
     Reserved Conversations 0/0 (allocated/max allocated)
     Available Bandwidth 1158 kilobits/sec
  5 minute input rate 0 bits/sec, 1 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     55 packets input, 3177 bytes, 0 no buffer
     Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
     57 packets output, 3252 bytes, 0 underruns
     0 output errors, 0 collisions, 2 interface resets
     0 output buffer failures, 0 output buffers swapped out
     1 carrier transitions
     DCD=up  DSR=up  DTR=up  RTS=up  CTS=up


7.5.6 Verifying PPP Authentication

To display the CHAP authentication process as it occurs between two routers, use the
command debug ppp authentication.

If PPP encapsulation and authentication are set up correctly on both routers, and the
usernames and passwords match, debug ppp authentication displays output like the following
(captured on R1; O marks a message sent, I a message received):
R1#debug ppp authentication
*Mar 1 05:51:54.703: %LINK-3-UPDOWN: Interface Serial0/0, changed state to up
*Mar 1 05:51:54.731: Se0/0 PPP: Using default call direction
*Mar 1 05:51:54.731: Se0/0 PPP: Treating connection as a dedicated line
*Mar 1 05:51:54.735: Se0/0 PPP: Authorization required
*Mar 1 05:51:54.743: Se0/0 CHAP: O CHALLENGE id 1 len 23 from "R1"
*Mar 1 05:51:54.747: Se0/0 CHAP: I CHALLENGE id 1 len 23 from "R2"
*Mar 1 05:51:54.747: Se0/0 CHAP: Using hostname from unknown source
*Mar 1 05:51:54.747: Se0/0 CHAP: Using password from AAA
*Mar 1 05:51:54.752: Se0/0 CHAP: O RESPONSE id 1 len 23 from "R1"
*Mar 1 05:51:54.756: Se0/0 CHAP: I RESPONSE id 1 len 23 from "R2"
*Mar 1 05:51:54.756: Se0/0 PPP: Sent CHAP LOGIN Request
*Mar 1 05:51:54.756: Se0/0 PPP: Received LOGIN Response PASS
*Mar 1 05:51:54.760: Se0/0 PPP: Sent LCP AUTHOR Request
*Mar 1 05:51:54.760: Se0/0 PPP: Sent IPCP AUTHOR Request
*Mar 1 05:51:54.760: Se0/0 LCP: Received AAA AUTHOR Response PASS
*Mar 1 05:51:54.764: Se0/0 IPCP: Received AAA AUTHOR Response PASS
*Mar 1 05:51:54.764: Se0/0 CHAP: O SUCCESS id 1 len 4
*Mar 1 05:51:54.764: Se0/0 CHAP: I SUCCESS id 1 len 4
*Mar 1 05:51:54.768: Se0/0 PPP: Sent CDPCP AUTHOR Request
*Mar 1 05:51:54.768: Se0/0 CDPCP: Received AAA AUTHOR Response PASS
*Mar 1 05:51:54.768: Se0/0 PPP: Sent IPCP AUTHOR Request
*Mar 1 05:51:55.765: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0, changed state to up

Both an outgoing and an incoming CHALLENGE appear because both routers are configured with
ppp authentication chap, so each side authenticates the other.


7.6 Troubleshooting

7.6.1 Mismatched WAN Encapsulations

If you have a point-to-point link but the encapsulations are not the same, the link will
never come up. Figure 34 shows one end with PPP and the other with HDLC.

R1 (S0/1) ---------- (S0/1) R2

R1:
hostname R1
username R2 password cisco
!
int serial 0/1
 ip address 10.0.1.1 255.255.255.0
 encapsulation ppp
 ppp authentication chap

R2:
hostname R2
username R1 password cisco
!
int serial 0/1
 ip address 10.0.1.2 255.255.255.0
 encapsulation hdlc
 ppp authentication chap

Figure 34 Mismatched WAN Encapsulations

R2#sh int s0/1
Serial0/1 is up, line protocol is down
  Hardware is PowerQUICC Serial
  Internet address is 10.0.1.2/24
  MTU 1500 bytes, BW 1544 Kbit, DLY 20000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation HDLC, loopback not set

The interface is physically up but the line protocol is down: LCP on R1 keeps sending
configure requests and never receives a response, because R2 is running HDLC and does not
speak LCP. debug ppp negotiation on R1 shows the unanswered requests. To fix the problem,
configure PPP encapsulation on the serial interface of R2.

7.6.2 Mismatched IP Addresses

In Figure 35, the two routers are connected with addresses from different subnets: router R1
has 10.0.1.1/24 and router R2 has 10.2.1.2/24.


R1 (S0/1) ---------- (S0/1) R2

R1:
hostname R1
username R2 password cisco
!
int serial 0/1
 ip address 10.0.1.1 255.255.255.0
 encapsulation ppp
 ppp authentication chap

R2:
hostname R2
username R1 password cisco
!
int serial 0/1
 ip address 10.2.1.2 255.255.255.0
 encapsulation ppp
 ppp authentication chap

Figure 35 Mismatched IP Addresses

R2#sh int s0/1
Serial0/1 is up, line protocol is up
  Hardware is PowerQUICC Serial
  Internet address is 10.2.1.2/24
  MTU 1500 bytes, BW 1544 Kbit, DLY 20000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation PPP, loopback not set
  Keepalive set (10 sec)
  LCP Open
  Open: IPCP, CDPCP

The IP addresses on the two ends are wrong, yet the link looks as if it is working fine.
PPP, like HDLC and Frame Relay, is a Layer 2 WAN encapsulation and does not care about IP
addresses at all. So the link is up, but IP cannot be used across it while it is
misconfigured; the two routers will not be able to ping each other.

To find and fix this problem, use show running-config or show interfaces on each router, or
use show cdp neighbors detail:
R2
R2#sh cdp neighbors detail
-------------------------
Device ID: R1
Entry address(es):
  IP address: 10.0.1.1
Platform: cisco 2611XM,  Capabilities: Router
Interface: Serial0/1,  Port ID (outgoing port): Serial0/1
Holdtime : 129 sec

Version :
Cisco Internetwork Operating System Software
IOS (tm) C2600 Software (C2600-I-M), Version 12.3(6c), RELEASE SOFTWARE (fc1)
Copyright (c) 1986-2004 by cisco Systems, Inc.
Compiled Tue 20-Jul-04 05:25 by kellythw

advertisement version: 2

R1
R1#sh cdp neighbors detail
-------------------------
Device ID: R2
Entry address(es):
  IP address: 10.2.1.2
Platform: cisco 2611XM,  Capabilities: Router
Interface: Serial0/1,  Port ID (outgoing port): Serial0/1
Holdtime : 169 sec

Version :
Cisco Internetwork Operating System Software
IOS (tm) C2600 Software (C2600-I-M), Version 12.2(21b), RELEASE SOFTWARE (fc2)
Copyright (c) 1986-2004 by cisco Systems, Inc.
Compiled Wed 31-Mar-04 16:47 by pwade

advertisement version: 2

You can view and verify the IP address of the directly connected neighbor and then correct
the address on the misconfigured side.


References

Bibliography
Lammle, T. (2006). CCNA Intro: Introduction to Cisco Networking Technologies Study Guide.
Sybex. ISBN 0470068507.

External Links
Cisco Systems, Inc. http://www.cisco.com/
GNS3. http://www.gns3.net/
Packet Tracer. http://www.packettracerdownload.com/
VLAN. http://en.wikipedia.org/wiki/Virtual_LAN
http://www.cisco.com/warp/cpropub/45/tutorial.htm
http://itknowledgeexchange.techtarget.com/itanswers/show-interface-command-output/


Tables and Figures

Figures

Figure 1 Routers component, and show command (p. 11)
Figure 2 Cisco Router Series and the sites for which they are Suited (p. 13)
Figure 3 Example of a Cisco IOS Software Image Name (p. 18)
Figure 4 Command Mode Transition (p. 21)
Figure 5 CDP Neighbor Information (p. 44)
Figure 6 Lab Network Diagram for IP routing (p. 62)
Figure 7 STP Configuration (p. 105)
Figure 8 Two-Switch Network (p. 113)
Figure 9 Three-Switch Network (p. 118)
Figure 10 Flat Network Structure (p. 124)
Figure 11 Benefit of Switched Network (p. 125)
Figure 12 Concept of Virtual LANs (p. 125)
Figure 13 Example of Identifying VLANs by Ports (p. 129)
Figure 14 Distinguish between Tagged Frames and Untagged Frames (p. 130)
Figure 15 Linked Types (p. 131)
Figure 16 VTP Operation (p. 133)
Figure 17 Router on a Stick (p. 135)
Figure 18 VTP Domain on Router (p. 139)
Figure 19 Port Security Configuration Example (p. 146)
Figure 20 DHCP Relay Agent (p. 150)
Figure 21 NAT Sample Network (p. 160)
Figure 22 Port Address Translation (p. 165)
Figure 23 Static NAT Address Mapping (p. 167)
Figure 24 ICMP Redirect Example (p. 168)
Figure 25 VLAN with NAT (p. 171)
Figure 26 Anti Spoofing by ACL (p. 173)
Figure 27 Mapping the OSI Model to WAN Protocols (p. 182)
Figure 28 WAN Connection Types (p. 183)
Figure 29 Point-to-Point Protocol Stack (p. 186)
Figure 30 Overview of PPP Components (p. 186)
Figure 31 PPP Session Establishment (p. 187)
Figure 32 PAP and CHAP Authentication (p. 188)
Figure 33 Network Topology for PPP and CHAP Configuration (p. 190)
Figure 34 Mismatched WAN Encapsulations (p. 194)
Figure 35 Mismatched IP Addresses (p. 195)

Tables

Table 1 Routers memories (p. 11)
Table 2 Remote Access Options for each Series of Router (p. 15)
Table 3 Access Layer Switches (p. 17)
Table 4 Distribution and Core Layer Switches (p. 17)
Table 5 Types of Trains (p. 18)
Table 6 Summary of Command Mode (p. 19)
Table 7 Major Commands and Subcommands (p. 22)
Table 8 Summary of Hot Keys (p. 30)
Table 9 CDP information (p. 45)
Table 10 STP: Reasons for Forwarding or Blocking (p. 108)
Table 11 STP Path Cost (p. 110)
Table 12 Access List Number Range (p. 153)
Table 13 NAT Sample Network Information (p. 161)


Indexes

Keywords

A
ACL, 151
Autonomous System (AS), 78

C
CDP, 43, 49
CLI, 29, 30, 189

D
Dynamic VLANs, 127

E
Enhanced Interior Gateway Routing Protocol (EIGRP), 78
Erasable Programmable Read Only Memory (EPROM), 10

F
flat network topology, 124

I
IOS, 10, 11, 14, 18, 26, 27, 29, 30, 31, 173, 196

L
Link State Advertisements (LSA), 81

N
non-volatile RAM (NVRAM), 10

O
Open Shortest Path First (OSPF), 78

R
Routing Information Protocol (RIP), 71

S
Static VLANs, 126
switched networks, 124

V
variable length subnet masks (VLSM), 77
virtual LAN (VLAN), 125
VLAN membership, 126
VLAN Trunking Protocol (VTP), 131
VTP clients, 133
VTP pruning, 133
VTP server mode, 133
VTP transparent, 133
