BASIC NETWORKING (CISCO) SHORT REFERENCES:
Internetworking
LAN TRAFFIC: BROADCAST STORMS, MULTICASTING, LOW BANDWIDTH.
Routers Break Up Broadcast Domains And Collision Domains.
Switches/Bridges Break Up Collision Domains. They Read Each Frame As It Passes Through, Note The Source Address And The Port It Came In On, And Put That Pair In The Address Table.
Router Functions: Don’t Forward Broadcasts By Default, Packet Switching, Filtering, And Path Selection.
Routers Forward Packets.
Switches Forward Frames.
OSI MODEL:
1. APPLICATION: Provides A User Interface (File, Print, Message, Database...)
Also responsible for checking the availability of the communication partner. HTTP, FTP and TFTP reside in the Application layer.
2. PRESENTATION: Presents data/encryption (Data encryption, compression, translation)
Basically translates data so application layer programs can read them.
3. SESSION: Keeps Different Application Data Separate (Dialog Control)
Setting Up, Managing, And Tearing Down Sessions. It Offers Simplex, Half Duplex, And Full Duplex.
4. TRANSPORT: Reliable Or Unreliable Delivery/ Error Correction (End To End Connection)
Segments and reassembles data into data streams. Provides logical connection. Virtual circuits. Uses Flow control and Ack.
5. NETWORK: logical addressing and finding destination hardware address to dictate as to where to send the packet. (Routing)
Data packets, router update packets, network address. Uses ARP
6. DATA LINK: packets into bytes and bytes into frames/ access to media using MAC address/error detection, not correction. (Framing)
Error notification, network topology, flow control. MAC 802.3: Defines how packets are placed on the media. Physical addressing is defined here. Turns bits into bytes and bytes into frames.
LLC 802.2: Identifies Network Layer Protocols And Encapsulates Them. Tells Data Link Layer What To Do With A Packet Once It’s Received.
7. PHYSICAL: Moves Bits/Voltage, Wire, Speed (Physical Topology)
Sends and receives bits. This layer identifies DCE and DTE.
OPERATE AT ALL 7 LAYERS: NMS, Web And App. Servers, Gateways, Network Hosts.
FLOW CONTROL: Means For The Receiver To Govern The Amount Of Data Sent By The Sender. Windowing, ACK.
Service is connection oriented if VC is setup, sequencing, ack, and flow control.
ETHERNET: A connection media access method that allows hosts on the same network to share the same bandwidth of a link.
CSMA/CD (CARRIER SENSE MULTIPLE ACCESS WITH COLLISION DETECTION): Protocol that helps devices share the bandwidth evenly without two devices transmitting data at the same time.
1. A jam signal tells all stations that a collision occurred.
2. Collision invokes random back-off algorithm.
3. Each device stops transmitting for a short time.
4. All hosts have equal priority to transmit after timer expired.
If A Hub Is Connected To A Switch, It MUST Operate At Half Duplex Mode Because The End Station Must Be Able To Detect Collisions.
HALF DUPLEX IS BASICALLY 10BASET.
Full Duplex uses two wires and is point to point. (Switch to host, switch to switch and host to host with crossover cable). Dedicated switch port is required for full duplex.
CABLES: Category 5 is better quality than Category 3: Cat 5 has more twists per foot of wire and less crosstalk.
802.3
1. 10base2: 10Mbps, up to 30 hosts, 185 meters long. The 10 means 10Mbps, Base means baseband technology, and 2 means up to 200 meters.
2. 10base5
3. 10baseT: UTP Wiring. Unlike 10base2/5, each device must connect to a switch/hub.
802.3u (fast Ethernet)
4. 100baseTX: Two pair wiring
5. 100baseFX: Fiber cabling (Best for not being susceptible to EMI)
802.3Z
6. 1000baseCX: Copper twisted
7. 1000baseSX
8. 1000baseLX
9. 1000baseT: 802.3ab
STRAIGHT THROUGH: Host to host, Router to Switch or hub
CROSSOVER: Switch To Switch, Hub To Hub, Hub To Host, Hub To Switch, Router Direct To Host.
ROLLED: Connect A Host To A Router Console. (Open Hyper Terminal And Set Bit Rate To 9600 And No Flow Control).
DATA ENCAPSULATION:
1. PDU (Protocol Data Unit): the data plus the control information attached to it at each layer of the model.
2. The data is handed down to the Transport layer, which sets up a virtual circuit and breaks the data into smaller segments.
3. Each segment is sequenced.
4. Then handed down to Network layer which adds control header and makes packet.
5. Data link layer gets data from network and puts it on the network medium(cables/wires). It encapsulates each packet into a frame.
6. Then the physical layer encodes the bits into a digital signal. At the receiving end, the devices rebuild the frames, run a CRC and check their answer against the frame’s FCS field.
0-1023 ARE USED FOR WELL-KNOWN PORT NUMBERS.
CISCO THREE LAYERED HIERARCHICAL MODEL:
1. CORE (BACKBONE): Transports large amounts of traffic. If there’s a problem here, every single user can be affected.
2. DISTRIBUTION (ROUTING): Routing, filtering and WAN access. Access lists, security, routing between VLANS..
3. ACCESS LAYER(SWITCHING): controls user and workgroup access to network resources.
INTRO TO TCP/IP
DOD MODEL:
1. Process App. Layer (App. , Presentation, Session)
2. Host To Host (Transport)
3. Internet (Network)
4. Network Access Layer (Data Link, Physical)
PROTOCOLS BASED ON LAYERS:
1. Process/Application: Telnet, FTP, TFTP, SMTP, SNMP,NFS.
2. Host to host: TCP, UDP
3. Internet: ICMP, ARP, RARP, IP.
4. Network Access: Ethernet, Fast Ethernet, Token ring, FDDI.
PROTOCOLS:
1. DHCP (Dynamic Host Configuration Protocol): Assigns IP Addresses to hosts. Can provide IP address, subnet mask, Domain name, Default gateway, DNS, and WINS.
2. BootP: Same as DHCP except the hardware address must be entered manually and it also sends an OS a host can boot from.
3. DNS(53): Resolves hostname to IP address. Works in both TCP and UDP layers.
4. SMTP(25): Protocol used for Emails:
5. SNMP: Watch dog used for network monitoring.
6. FTP(21): Reliable, connection-oriented file transfer protocol.
7. TFTP(69): Unreliable transfer of files.
8. Telnet(23):
9. NFS: Network File system
10. TCP: Connection oriented (FTP, Telnet, DOOM)
11. UDP Connectionless (TFTP, POP3, News)
NETWORK LAYER:
12. ARP: Finds IP Address From A Known Hardware Address.
13. RARP: Resolves MAC Address To IP Address.
14. Proxy ARP: Helps Machines On A Subnet Reach Remote Subnets Without Configuring Routing.
15. ICMP: Used For Ping And Trace Route. Can Provide Hosts With Network Information.
NETWORK ADDRESSING:
1. A: 0xxxxxxx (first bit 0): 0 to 127
2. B: 10xxxxxx (first bits 10): 128 to 191
3. C: 110xxxxx (first bits 110): 192 to 223
1. A: PRIVATE address range 10.0.0.0 - 10.255.255.255 (0-127)
2. B: PRIVATE address range 172.16.0.0 - 172.31.255.255 (128-191)
3. C: PRIVATE address range 192.168.0.0 - 192.168.255.255 (192-223)
LAYER 2 BROADCAST: To All Nodes On A LAN (Don’t Go Past LAN Boundaries) (Hardware Casts)
LAYER 3 BROADCAST: To All Nodes On The Network
UNICAST: To A Single Host
MULTICAST: From A Single Source To Many Devices On Different Networks.
SUBNETTING, VLSM, AND TROUBLESHOOTING TCP/IP
IP SUBNET-ZERO: Allows Use Of The First And Last Subnet In Your Network Design. As Of IOS 12.x
CIDR (CLASSLESS INTER-DOMAIN ROUTING): example is /25
CLASSFUL ROUTING: (RIP and IGRP): A router will assume all the interfaces have the same subnet mask. So same amount of hosts per subnet.
CLASSLESS ROUTING: (RIP v2, EIGRP, OSPF): useful for saving ip address space. Can have different masks for different interfaces.
255.0.0.0 (/8) ... 255.254.0.0 (/15) ... 255.255.0.0 (/16) ... 255.255.248.0 (/21) ... 255.255.255.252 (/30)
/8 - /15: Class A
/16 - /24: Class A, B
/24 - /30: Class A, B, C
Sample Class C subnetting: 255.255.255.240(/28)
SUBNETS: 2^4=16
HOSTS: 2^4-2= 14
VALID SUBNETS: 0, 16,32,48…
Broadcast address: .15 - .31 - .47
VALID HOSTS: 1-14…145-158
Sample Class B subnetting: 255.255.240.0 (/20)
SUBNETS: 2^4= 16
HOSTS= 2^12-2= 4094
0.0, 0.1, 0.2, 0.3…15.1, 15.2, 15.3…15.254, 15.255(broadcast)…16.1…31.254, 31.255(broadcast)
SAMPLE CLASS B: 255.255.255.192 (/26)
SUBNETS: 2^10=1024
HOSTS: 2^6-2=62
VALID SUBNETS: 0, 64, 128, 192, 254
0.0, 0.1 ... 0.62, 0.63 (broadcast), 1.1, 1.2 ... 1.62, 1.63 (broadcast), 255.129, 255.130 ... 255.254, 255.255 (broadcast)
WHAT IS THE SUBNET AND BROADCAST ADDRESS OF 172.16.66.10 255.255.192.0(/18):
SUBNETS ARE: 172.16.64.0 – 172.16.127.254
SAMPLE CLASS A SUBNETTING: 255.255.0.0 (/16)
SUBNETS= 2^8=256 (since it’s class A, we start from 11111111.(11111111).00000000.00000000)
HOSTS= 2^16-2= 65,534
10.0.0.1, 10.0.0.2…10.0.255.254, 10.1.0.1,10.1.0.2…10.1.5.15, 10.1.5.16….10.1.255.254,10.1.255.255(broadcast).
SAMPLE CLASS A subnetting: 255.255.255.192(/26)
SUBNETS: 2^18
HOSTS: 2^6-2
10.0.0.1…10.0.0.62,10.0.0.63(broadcast), 10.0.1.1, 10.0.1.62…10.14.5.60,10.14.5.61..10.255.255.1,10.255.255.2…10.255.255.62,10.255.255.63(broadcast)
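As an added example (not part of the original notes), the class, subnet, broadcast and host calculations in the samples above can be checked with Python's standard ipaddress module. The sample addresses in it are constructed, and the subnet count assumes ip subnet-zero is in effect so that the first and last subnets are counted:

```python
import ipaddress

# Added example, not from the original notes. Standard library only.
# All addresses below are constructed sample inputs.

CLASSFUL_PREFIX = {"A": 8, "B": 16, "C": 24}

PRIVATE_RANGES = [
    ipaddress.ip_network("10.0.0.0/8"),      # class A private block
    ipaddress.ip_network("172.16.0.0/12"),   # class B private block (172.16 - 172.31)
    ipaddress.ip_network("192.168.0.0/16"),  # class C private block
]


def address_class(ip: str) -> str:
    """Classify an IPv4 address by the leading bits of its first octet:
    0xxxxxxx -> A (0-127), 10xxxxxx -> B (128-191), 110xxxxx -> C (192-223)."""
    first = int(ipaddress.ip_address(ip)) >> 24
    if first >> 7 == 0b0:
        return "A"
    if first >> 6 == 0b10:
        return "B"
    if first >> 5 == 0b110:
        return "C"
    return "D/E"  # multicast (1110) or reserved (1111)


def is_private(ip: str) -> bool:
    """True when ip falls inside one of the three private blocks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in block for block in PRIVATE_RANGES)


def subnet_facts(ip: str, mask: str) -> dict:
    """Subnet, broadcast, usable host range and counts for ip with the given mask.
    Counts are computed arithmetically, so a /8 never enumerates 16 million hosts."""
    net = ipaddress.ip_network(f"{ip}/{mask}", strict=False)
    prefix = net.prefixlen
    # 2^(borrowed bits) subnets relative to the classful boundary (ip subnet-zero assumed on)
    borrowed = prefix - CLASSFUL_PREFIX.get(address_class(ip), prefix)
    usable = net.num_addresses - 2 if prefix <= 30 else 0
    return {
        "class": address_class(ip),
        "subnet": str(net.network_address),
        "prefix": prefix,
        "broadcast": str(net.broadcast_address),
        "first_host": str(net.network_address + 1) if usable else None,
        "last_host": str(net.broadcast_address - 1) if usable else None,
        "hosts": usable,
        "subnets": 2 ** borrowed if borrowed >= 0 else None,
    }


def valid_subnets(classful_network: str, new_prefix: int) -> list:
    """(subnet, broadcast) pairs from slicing classful_network at new_prefix,
    e.g. 192.168.1.0/24 at /28 -> (.0, .15), (.16, .31), (.32, .47), ..."""
    base = ipaddress.ip_network(classful_network)
    return [(str(s.network_address), str(s.broadcast_address))
            for s in base.subnets(new_prefix=new_prefix)]


if __name__ == "__main__":
    for ip, mask in [("192.168.1.50", "255.255.255.240"),   # class C /28 sample
                     ("172.16.66.10", "255.255.192.0"),     # class B /18 sample
                     ("10.14.5.60", "255.255.255.192")]:    # class A /26 sample
        print(ip, mask, subnet_facts(ip, mask))
    print(valid_subnets("192.168.1.0/24", 28)[:4])
```

The `strict=False` argument is what lets a host address such as 172.16.66.10 be passed in directly; ipaddress zeroes the host bits to give the subnet address, which is exactly the "what subnet is this host in" question above.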
SUMMARIZATION (ROUTE AGGREGATION): Allows Routing Protocols To Advertise Many Networks As One Address. Purpose Is To Reduce Size Of Routing Tables On Routers. Summarizing A Network From 192.168.16.0 Through 192.168.30.0, We Would Use A Subnet Mask Of 255.255.255.240. 16 Blocks Would Fit Perfectly Into This Summarization
VLSM(VARIABLE LENGTH SUBNET MASK) AND SUMMARIZATION: For This, We Need Block Sizes. For Example, To Summarize A Network That Has One Link With 12 Hosts And Another Link With 14, We Summarize Both Subnets With /28 To Have A Block Size Of 16(-2) For Hosts.
Always Good To Have /30 For Serial Port To Port Connections.
CISCO’S WAY OF TROUBLESHOOTING:
1. Ping 127.0.0.1 (Loop back address) and if fails, you have an IP Stack problem and need to reinstall TCP/IP.
2. Ping the local host's own IP address. If good, then the network card is working.
3. Ping Default gateway or router.
4. Ping remote server.
IOS AND SDM
The First Place We Usually Connect To A Cisco Router Is The Console Port, Using An RJ-45 Connector.
Aux Port Will Also Help Connect To A Modem.
2800 Router Replace 2500 And 2600 And Is ISR.
When Booting Up A Router: It Runs A POST; If The POST Is Successful, It Then Looks For The IOS In Flash Memory. The IOS Then Loads The Startup Config From NVRAM. If There Isn’t One, It Goes To Setup Mode.
Running config is in DRAM
If A Router Doesn’t Find A Startup Config, It Broadcasts For A TFTP Host That Has It, If Not, It Will Go To Setup Mode.
USER EXEC MODE: Limited To Monitoring Commands
PRIVILEGED EXEC MODE: Access To All Other Router Commands.
GLOBAL CONFIG MODE: commands that affect entire system.
A serial interface is usually attached to a CSU/DSU-type device that provides clocking: the CSU/DSU is the DCE and the router is the DTE.
By Default All Routers Are DTE, So Clocking Must Be Provided To Them, Usually By The DCE Side Of The Network. To Make A Router Act As The DCE, You Must Configure Clocking On It. New ISR Routers Come With Clocking Already Configured.
INT S0/0 – CLOCK RATE 64000: To Set Clocking
The Bandwidth Is Important For Routing Protocols That Use It Such As EIGRP and OSPF. (T1=1.544kbps)
BANDWIDTH 1000: Set the bandwidth of a device.
SHOW CONTROLLERS: Show the cable connection type
You Won’t Be Able To Telnet Into A Router That Doesn’t Have a VTY Password Set Unless You Type In The NO LOGIN Command.
TRANSPORT INPUT SSH TELNET: Allows Both Telnet And SSH (Secure Shell, More Secure Than Telnet) To Connect To The Router.
SERVICE PASSWORD-ENCRYPTION: Encrypts The Plain-Text Passwords In The Config (Like Enable Secret Does For The Enable Password). NO SERVICE PASSWORD-ENCRYPTION Turns It Off.
INT FA0/0/0 (FOR ISR ROUTERS): First 0 Is Router, Second 0 Is Slot And Third 0 Is The Port.
If SHOW INT FA0/0 Says “Fa0/0 Is Down”, It’s A Physical (Layer 1) Error; If It Says “Line Protocol Is Down”, It’s A Data Link (Layer 2) Error (The Interface Looks For Keepalives From The Connecting End).
NO SHUT: Brings An Interface Out Of The Shutdown State (Enables It).
INT FA0/0 – IP ADDRESS 172.16.10.2 255.255.255.0
ENABLE/DISABLE: Go to Privileged Exec mode or back.
CONFIG T: Global Configuration mode
CONFIG MEM: Merges Startup-Config Into Running Config To Change The Startup Config
CONFIG NET: Change Router Configuration Stored On TFTP host
CLOCK SET 10:22:45 08 MAY 2011
TERMINAL HISTORY SIZE 25: Change Size Of History Buffer
HOSTNAME Ehsan: Create a hostname
BANNER MOTD # This Is A Test Banner #: Sets The Message-Of-The-Day Banner; The # Is The Delimiter That Starts And Ends The Text. Other Banner Types: Exec, Login, Incoming.
DESCRIPTION this is the Sales VLAN: Create a description for a port
ENABLE SECRET cisco: Creates An Encrypted Enable Password Of cisco.
LINE : Aux (Auxiliary Port) Con (Console Port), Vty (Telnet)
LINE VTY 0 4: Go To The Configuration Of The Vty Lines; The 0 4 Is Lines 0 To 4
LINE CON 0 – PASSWORD cisco – LOGIN (Have To Put It In So It’ll Ask For A Password)
LINE CON 0 - EXEC-TIMEOUT 0 0: Sets The Time Out For Console Exec Sessions
LINE CON 0 - LOGGING SYNCHRONOUS: Stops Annoying Messages From Popping Up In The Middle Of The Commands You’re Typing
DO SHOW…: You can use the DO command at the start to see certain configurations in configuration mode.
SH HISTORY: Show the previous typed lines
SH RUN or SH START
SH INT F0/0 or SH INT S0/0/0
SHOW INTERFACES: Verify Your Int Configuration And IP And Mask. (MTU, bandwidth, reliability).
SH IP INT: shows info regarding layer 3 info of an int.
SH IP INT BRIEF: Quick Overview Of Router Ints. (Administratively Down Means You Need To Type No Shut)
CLEAR COUNTERS: Clear Counters On An Int.
SHOW PROTOCOLS: Shows Status Of Layer 1 And 2 Of Each Int And The IP Addresses Used.
SHOW CONTROLLERS S0/0: displays info about the physical int itself. Also gives type of serial plugged in.
SHOW VER: shows configuration register and IOS version and boot images,
SH FLASH: shows amount of flash memory the IOS is using.
SH PROCESSES: shows a router’s CPU utilization and lists active processes.
IP HOST ROUTER1 10.2.2.2: resolves hostname to IP address
IP DOMAIN-LOOKUP: to lookup name through DNS
IP NAME-SERVER 10.2.2.3: to set IP address of DNS server
IP DOMAIN-NAME premji-schoolofcisconetworking.blogspot.com: Appends Domain Name To Hostname.
Create HTTP And HTTPS Server And Configure SSH And Telnet:
1. IP HTTP SERVER
2. IP HTTP SECURE-SERVER
3. IP HTTP AUTHENTICATION LOCAL
4. USERNAME cisco PRIVILEGE 15 PASSWORD 0 cisco
5. LINE CON 0
6. LOGIN LOCAL
7. LINE VTY 0 1180
8. PRIVILEGE LEVEL 15
9. LOGIN LOCAL
10. TRANSPORT INPUT TELNET SSH
11. ^Z
MANAGING A CISCO INTERNETWORK
BOOTSTRAP (ROM): brings up a router
POST (ROM): checks basic functionality
ROM MONITOR (ROM): used to test and troubleshoot
MINI IOS (RXBOOT OR BOOTLOADER IN ROM): Used To Bring Up An Interface And Load IOS Into Flash Memory.
RAM: used to hold routing tables, ARP cache, Running-config, allows router to function.
ROM: Hold POST, Bootstrap.
FLASH MEMORY: Holds the IOS. Not erased when the router is reloaded.
NVRAM: Holds startup configuration. Not erased when router is reloaded.
CONFIGURATION REGISTER: Controls how the router boots. By default it’s 0x2102, which tells the router to load the IOS from flash and the configuration from NVRAM.
ROUTER BOOT SEQUENCE:
1. Router performs POST to test hardware.
2. Bootstrap looks for and loads IOS from flash.
3. The IOS looks for configuration register in NVRAM.
4. If the startup is present, the router will copy it to RAM and turn it into running config.
CONFIG-REGISTER 0X2102: change configuration register.
0X2142: used to ignore startup from nvram and recover password.
PASSWORD RECOVERY:
1. Boot router and interrupt by performing break.
2. Change conf reg to 0x2142
3. Reload router and enter privileged mode
4. Copy start to run
5. Change password
6. Reset conf register value to original
7. Save the new configuration.
BOOT (SYSTEM, BOOTSTRAP, CONFIG..): used to boot another IOS from another location.
TO BACK UP A CISCO IOS:
1. Make sure you can access network server
2. Make sure server has enough space
3. Verify file naming and path requirements
IF YOU HAVE A LAPTOP CONNECTED DIRECTLY TO A ROUTER:
1. TFTP Software must be running on the laptop
2. The Ethernet connection must be made with a crossover
3. The laptop must be on the same subnet as the router’s Ethernet int.
4. COPY FLASH TFTP must be supplied the IP address of the workstation if copying from router flash
5. If copying “into” flash, you need to verify there’s enough room in flash memory
COPY RUN TFTP
COPY TFTP RUN
CDP (CISCO DISCOVERY PROTOCOL): Helps Admins Collect Info About Local And Remote Devices. You Can Gather Hardware And Protocol Information On Neighboring Devices.
1. SH CDP: shows information about the CDP timer (how often CDP packets are transmitted) and hold time (how long a receiving device keeps a neighbor’s CDP information).
2. SH CDP NEIGHBOR: shows info about directly connected devices. (Device ID, platform, Port ID, Local int, Hold time, capability).
3. SH CDP NEI DETAIL or SH CDP ENTRY *: shows detailed info about connected devices. In addition to sh cdp nei, it shows us the IOS versions too.
4. SH CDP ENTRY * PROTOCOLS: shows protocols of neighbors
5. SH CDP ENTRY * VER: shows ONLY IOS version of directly connected routers.
6. SH CDP TRAFFIC: shows info about CDP traffic and packets sent and received and errors.
7. SH CDP INT: shows CDP info on router interfaces or switch ports. (encapsulation, holdtime, timer)
8. NO CDP RUN: turns off CDP. CDP ENABLE: turns it on.
Remember, you can’t use CDP to gather information about routers or switches that are not DIRECTLY connected to you.
Remember to telnet, you have to set a password on the VTY line or use the NO LOGIN command.
Ctrl+Shift+6, Then X: If You Want To Keep The Connection To The Remote Device But Also Go Back To Your Own Screen.
SH SESSIONS: will show telnet connections from your router to remote devices
SH USERS: all active consoles and VTY ports in use on your router
EXIT: to close telnet session
DISCONNECT 2: Ends A Certain Telnet Session.
IP ROUTING
To Be Able To Route Packets, A Router Needs To Know, At Minimum, The Following:
1. Destination Address
2. Neighbor Routers From Which It Can Learn About Remote Networks
3. Possible Routes To All Remote Networks
4. The Best Route To Each Remote Network
5. How To Maintain And Verify Routing Information
Host A ------> (FA0) Router A ---------- Router B (FA0) ------> Host B
WHEN A HOST A PINGS HOST B:
1. ICMP creates a packet that contains, at minimum, the source IP address (Host A) and the destination IP address (Host B).
2. IP then determines if the destination is local or over the network
3. Then when the default gateway is determined, the hardware address of THE ETHERNET PORT FA0 OF ROUTER A must be known through ARP. (The hardware address of the Switch between the host and router will not be known, only the router). HARDWARE ADDRESSES ONLY STAY ON THE LOCAL LAN.
4. Then the ARP cache of host A is checked to see if it’s in the table. If not, it will send an ARP request.
5. The packet is handed to the data link layer for framing. The frame carries the source and destination MAC addresses, an Ethernet Type field that says whether the payload is IP, IPX and so on, and the FCS.
6. The frame is then handed down to the physical layer to be put on the wire as bits.
7. Every device in the collision domain receives the frame, runs a CRC over it and checks the answer against the FCS field. If the answer doesn’t match, the frame is discarded; if it matches, the destination hardware address is checked to see if it matches too. Then the Ether Type field is checked to find the network layer protocol.
8. The packet is pulled from the frame and the destination IP is checked. If it is not in the routing table, the packet is dropped and a message is sent to Host A saying “Destination network unreachable”.
9. The process then repeats: Router A’s Ethernet 1 interface checks its ARP table for the MAC address of the next device, and the same steps go on until Host B receives the ICMP message.
If A Packet Is Lost On The Way Back You Will See “Request Timed Out”. If The Error Occurred Because Of A Known Issue, Such As The Destination Address Is Not In The Routing Table, Then You Will Get A “Destination Unreachable” Message.
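The frame layout from step 5 and the receive-side checks from step 7, as an added example that is not from the original notes: build an Ethernet II frame with a CRC-32 FCS, then process it the way the notes describe (FCS first, then destination MAC, then EtherType). The MAC addresses and payload are constructed sample values, and the function names are mine:

```python
import struct
import zlib

# Added example, not from the original notes. Frame layout and CRC-32 FCS follow
# IEEE 802.3; the MACs and payload used below are constructed sample values.

ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806
BROADCAST_MAC = bytes.fromhex("ffffffffffff")


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes) -> bytes:
    """Encapsulate a packet: MAC header + payload + 4-byte FCS. The FCS is a CRC-32
    over everything before it, sent least-significant byte first as on the wire."""
    header = dst + src + struct.pack("!H", ethertype)
    body = header + payload
    fcs = struct.pack("<I", zlib.crc32(body) & 0xFFFFFFFF)
    return body + fcs


def receive_frame(frame: bytes, my_mac: bytes):
    """Step 7 of the notes: recompute the CRC and compare it with the FCS, then
    check the destination MAC, then read the EtherType to pick the layer 3 protocol.
    Returns (ethertype, payload), or None when the frame is discarded."""
    if len(frame) < 18:           # 14-byte header + 4-byte FCS minimum
        return None
    body, fcs = frame[:-4], frame[-4:]
    if struct.pack("<I", zlib.crc32(body) & 0xFFFFFFFF) != fcs:
        return None               # damaged in transit: silently discarded
    dst = body[:6]
    if dst != my_mac and dst != BROADCAST_MAC and not dst[0] & 1:
        return None               # unicast to some other station: not for us
    ethertype = struct.unpack("!H", body[12:14])[0]
    return ethertype, body[14:]


def flip_bit(frame: bytes, index: int) -> bytes:
    """Simulate a single-bit error on the wire at byte `index`."""
    damaged = bytearray(frame)
    damaged[index] ^= 0x01
    return bytes(damaged)


if __name__ == "__main__":
    host_a = bytes.fromhex("001122334455")   # constructed MAC for Host A
    router = bytes.fromhex("00aabbccddee")   # constructed MAC for Router A's FA0
    frame = build_frame(router, host_a, ETHERTYPE_IPV4, b"\x45\x00ping")
    print("good frame at router:", receive_frame(frame, router))
    print("same frame at host A:", receive_frame(frame, host_a))
    print("bit-flipped frame:", receive_frame(flip_bit(frame, 15), router))
```

The order of the checks matters for the notes' point: a corrupted frame is dropped before any address is looked at, so a bad FCS never causes a packet to be handed to the wrong upper-layer protocol.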
C:\> arp -a: To see the ARP cache in DOS
NO IP DOMAIN-LOOKUP: the router will not try to resolve names through DNS
Configuring a wireless port:
1. INT DOT11RADIO 0/0/3
2. IP ADDRESS 10.1.1.2 255.255.255.0
3. NO SHUT
4. SSID ADMIN
5. GUEST-MODE
6. AUTHENTICATION OPEN
7. INFRASTRUCTURE-SSID
8. NO SHUT
CONFIGURING DHCP:
1. IP DHCP POOL EHSAN
2. NETWORK 10.1.1.0 255.255.255.0
3. DEFAULT-ROUTER 10.1.1.1
4. EXIT
5. IP DHCP EXCLUDED-ADDRESS 10.1.1.1 (excludes this address from DHCP table)
6. IP DHCP EXCLUDED-ADDRESS 10.1.1.2
A: STATIC ROUTING (DIFFERENT WAYS OF SETTING ONE)
1. IP ROUTE 192.168.2.0 255.255.255.0 192.168.3.1 150 (2.0 is the remote network we want to send data to, 3.1 is the next-hop gateway, and the 150 is the administrative distance, i.e. the priority)
Or…
2. IP ROUTE 192.168.2.0 255.255.255.0 S0/0/0
B: DEFAULT ROUTING: To send packets to a remote destination NOT in the routing table. Should only be used on STUB networks (those with only one exit path out of the network).
1. IP ROUTE 0.0.0.0 0.0.0.0 10.1.11.1
IP CLASSLESS (all cisco routers are classful and they require a subnet mask, so the IP classless command has to be entered. It is on by default with the new 12.4 ISR routers).
2. IP DEFAULT-NETWORK 10.1.11.0
3. IP ROUTE 0.0.0.0 0.0.0.0 S0/0
C: DYNAMIC ROUTING: USE PROTOCOLS TO FIND THE NETWORKS AND UPDATE ROUTING TABLES (RIP, OSPF..)
Administrative distance (AD) is used to rate how much routing info received from neighboring routers is trusted. The lower the AD, the more trustworthy: 0 is fully trusted and 255 means the route is never used. If a router receives two updates for the same network, the first thing it checks is the AD; the route with the lowest AD is placed in the routing table. If both routes have the same AD, the metric (hop count or bandwidth) is used. If both AD and metric are the same, the router will load balance.
CONNECTED ROUTES HAVE 0 AD. STATIC ROUTES HAVE 1 AD. EIGRP (90), RIP v.1 and 2(120) OSPF(110), External EIGRP(170).
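The AD-then-metric selection described above, as an added example that is not from the original notes. The AD table matches the values listed; the candidate routes and next hops are constructed:

```python
from dataclasses import dataclass

# Added example, not from the original notes. ADs are the defaults listed above;
# the candidate routes below are constructed sample data.

ADMIN_DISTANCE = {
    "connected": 0,
    "static": 1,
    "eigrp": 90,
    "ospf": 110,
    "rip": 120,
    "external_eigrp": 170,
}


@dataclass(frozen=True)
class Candidate:
    prefix: str     # destination network, e.g. "10.1.1.0/24"
    source: str     # routing source name, a key of ADMIN_DISTANCE
    metric: int     # the source's own metric (hops for RIP, cost for OSPF, ...)
    next_hop: str


def select_routes(candidates):
    """Return what the routing table would install for ONE prefix:
    lowest AD wins; ties are broken by lowest metric; routes equal on both
    are all kept (equal-cost load balancing). AD 255 is never installed."""
    usable = [c for c in candidates if ADMIN_DISTANCE.get(c.source, 255) < 255]
    if not usable:
        return []
    best_ad = min(ADMIN_DISTANCE[c.source] for c in usable)
    same_ad = [c for c in usable if ADMIN_DISTANCE[c.source] == best_ad]
    best_metric = min(c.metric for c in same_ad)
    return [c for c in same_ad if c.metric == best_metric]


if __name__ == "__main__":
    learned = [
        Candidate("10.1.1.0/24", "rip", 2, "192.168.1.1"),    # fewer hops, but AD 120
        Candidate("10.1.1.0/24", "ospf", 30, "192.168.2.1"),  # AD 110 wins over RIP
        Candidate("10.1.1.0/24", "ospf", 30, "192.168.3.1"),  # equal cost: load balance
        Candidate("10.1.1.0/24", "ospf", 40, "192.168.4.1"),  # higher cost: not installed
    ]
    for route in select_routes(learned):
        print(route)
```

Note that the RIP route loses even though "2 hops" looks better than "cost 30": metrics from different protocols are never compared, which is why AD is checked first.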
ROUTING PROTOCOLS:
1. Distance vector: Finds the path to a remote network by judging distance. It works by hop counts and the route with the least amount of hops is considered the best path. RIP is distance vector.
2. Link state (also called Shortest Path First protocol): The routers each create three separate tables: neighbor, topology of the network, and the routing table. OSPF is link state. Link state protocols send updates containing the state of their links to all other routers on the network.
3. Hybrid: Use both link state and Distance. EIGRP is one.
DISTANCE-VECTOR:
1. Each router sends its complete routing table to its neighbors, which combine it with their own routing tables. This is called routing by rumor.
2. Only hop count is used; if two links have the same hop count to a destination, the bandwidth of the line is not considered. This is called pinhole congestion.
3. When all the routers first start up, they converge: their routes are sent to neighboring routers, which in turn send them on to their next neighbors until all routers have the same information. Convergence with distance-vector protocols is VERY slow.
4. Routing loops can occur because not every router is updated simultaneously. To prevent routing loops:
a. Maximum hop count: A maximum hop count is used. RIP is 15 and EIGRP is 100 by default.
b. Split horizon: Routing info can’t be sent back in the direction they came from.
c. Route poisoning: If a network goes down, one router will initiate route poisoning to that route and make the hop count 16, deeming it unreachable.
d. Hold down timers: Allow time and creates a hold down timer for a downed link (also called flapping if it goes up and down quickly), to come back up before a new route is found.
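A small simulation of the behaviour described in this list, added here and not taken from the original notes: routers exchange whole tables (routing by rumor), with split horizon and route poisoning (hop count 16) as in RIP. Hold-down timers are not modelled, and the three-router chain is a constructed topology. Running it with split horizon off shows the count-to-infinity that these loop-prevention rules exist to stop:

```python
# Added example (not from the original notes): a toy distance-vector exchange in
# the style of RIP. Router names, network names and the chain topology are
# constructed sample values; hold-down timers are deliberately not modelled.

INFINITY = 16  # RIP treats 16 hops as unreachable


class Router:
    def __init__(self, name, networks):
        self.name = name
        self.neighbors = {}  # neighbor name -> Router
        # destination -> (hop count, next hop); directly connected nets have 0 hops
        self.table = {net: (0, None) for net in networks}

    def advertisement(self, to, split_horizon=True):
        """The whole table sent to neighbor `to`, minus (with split horizon) the
        routes that were learned from `to` in the first place."""
        return {dest: hops for dest, (hops, nh) in self.table.items()
                if not (split_horizon and nh == to)}

    def receive(self, sender, adv):
        """Merge a neighbor's table into our own. A route is accepted when it is new,
        shorter, or comes from the neighbor we already use for it (so a worsening or
        poisoned route from the current next hop is believed). True on any change."""
        changed = False
        for dest, hops in adv.items():
            new = min(hops + 1, INFINITY)
            cur_hops, cur_nh = self.table.get(dest, (INFINITY, None))
            if dest not in self.table or new < cur_hops or (cur_nh == sender and new != cur_hops):
                self.table[dest] = (new, sender)
                changed = True
        return changed

    def withdraw(self, network):
        """A directly connected network went down: poison it with hop count 16."""
        self.table[network] = (INFINITY, None)


def link(a, b):
    a.neighbors[b.name] = b
    b.neighbors[a.name] = a


def converge(routers, split_horizon=True, max_rounds=50):
    """Run synchronous update rounds until no table changes; return rounds used."""
    for rnd in range(1, max_rounds + 1):
        # collect every advertisement first, then deliver: all routers update together
        pending = [(r.name, nbr, r.advertisement(nbr.name, split_horizon))
                   for r in routers for nbr in r.neighbors.values()]
        changed = False
        for sender, receiver, adv in pending:
            changed |= receiver.receive(sender, adv)
        if not changed:
            return rnd
    return max_rounds


def build_chain():
    """Constructed topology: A (10.1.0.0) -- B (10.2.0.0) -- C (10.3.0.0)."""
    a, b, c = Router("A", ["10.1.0.0"]), Router("B", ["10.2.0.0"]), Router("C", ["10.3.0.0"])
    link(a, b)
    link(b, c)
    return a, b, c


if __name__ == "__main__":
    for sh in (True, False):
        a, b, c = build_chain()
        print("split horizon", sh, "- initial convergence rounds:", converge([a, b, c], sh))
        c.withdraw("10.3.0.0")
        print("  rounds until 10.3.0.0 is known unreachable:", converge([a, b, c], sh),
              "- A's entry:", a.table["10.3.0.0"])
```

With split horizon on, the poisoned route reaches A in a couple of rounds. With it off, B re-learns the dead network from A, A from B, and the hop count climbs by one per exchange until it hits 16, which is the slow convergence the notes warn about.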
RIP: Classful, broadcasts, no support for VLSM, no authentication, no support for discontiguous networks, distance vector, maximum hop count is 15.
RIP VERSION 2: Classless, supports VLSM, MD5 authentication, supports discontiguous networks, distance vector, maximum hop count is 15.
1. TIMERS:
a. Route update timer: interval between routing updates
b. Route invalid timer: the length of time that must elapse before a route become invalid
c. Hold down timers: Amount of time which routing is suppressed. It starts when it receives a message that a route is unreachable.
d. Route flush timer: time from when a route has become invalid, till when it’s removed from the routing table.
2. CONFIGURING:
ROUTER RIP
VERSION 2
NETWORK 10.0.0.0
(If Needed) PASSIVE-INTERFACE E0: stops that interface from sending RIP updates.
SHOW IP ROUTE: To View IP Routing Tables Created On A Router
SHOW IP PROTOCOLS: Shows The Routing Protocols Configured On Your Router
DEBUG IP RIP: shows routing updates as they are sent and received on a router. Requires the TERMINAL MONITOR command for the output to be seen over a telnet session from another router.
TERMINAL MONITOR: To View Debug Or Other Commands From A Telnetted Router. You Need To Have This Command To View Debugs On A Telnetted Router.
EIGRP AND OSPF
EIGRP:
1. Distance Vector / Link state protocol (hybrid). AD of 90
2. Can only use EIGRP if all the routers are Cisco.
3. Uses Autonomous system to describe the set of routers running the same protocol
4. Synchronizes routing tables between neighbors at startup and then sends specific updates only when topology changes occur.
5. Has a max hop count of 255.
6. Supports IPv6, VLSM/CIDR, summaries and discontiguous networks (a discontiguous network is one that has 172.16.10.0/24 on one network and 172.16.20.0 on another; with auto-summary on, they would both be advertised as the 172.16.0.0 classful network).
7. EIGRP supports different network layer protocols through the use of protocol-dependent modules (PDM). Each PDM maintains a separate table containing routing information that applies to a specific protocol, IP EIGRP and IPv6 EIGRP for example.
8. Stores routing updates in its local topology table.
9. Uses multicast address of 224.0.0.10
10. EIGRP shows up as D (DUAL) in the routing table.
11. Feasible distance: best metric along all paths to a remote network, including the metric to the remote neighbor.
12. Advertised distance: Metric of remote neighbor as reported by neighbor.
13. Neighbor table: When a new neighbor is learned, the address and interface of the neighbor is stored in the RAM.
14. Topology table: Populated by the PDM and acted upon by DUAL. Contains all destinations advertised by neighbors.
15. Feasible successor (backup route): A path whose reported distance is less than the feasible distance.
16. Successor route: The best route to the remote network. Stored in the routing table.
17. Reliable transport protocol (RTP): When EIGRP sends out multicasts, it finds out who its neighbors are. If one neighbor in its table doesn’t respond, it will send unicasts to it up to 16 times; if it still gets no response, it declares that neighbor dead.
18. Diffusing update algorithm (DUAL): EIGRP uses DUAL for selecting and maintaining the best path to a remote network. It constantly keeps the routing tables updated, and if the best route goes down, it simply looks in the topology table for the next best route.
19. Internal EIGRP Route: Regular EIGRP with AD of 90 within the same AS.
20. External EIGRP: AD of 170. Appear in EIGRP table through manual or automatic redistribution and represent networks that originated outside the EIGRP AS.
21. If you simply change older IGRP routes to the same AS as the new ones, they will all sync, except it will be considered an External EIGRP with the AD of 170.
22. Discontiguous networks don’t work on RIP and IGRP or RIPv2 and EIGRP by default but work on OSPF because OSPF does not auto-summarize like EIGRP. This is why we need the NO AUTO-SUMMARY command for EIGRP and RIPv2.
23. EIGRP uses a series of tables to store routing information:
a. Neighborship table: Information about routers with which a neighbor relationship has been formed
b. Topology table: Stores routes advertised for the entire network from each neighbor.
c. Route Table: Routes that are currently used to make routing decisions. Separate copy of each table for each protocol.
24. EIGRP uses Bandwidth and Delay by default to find the best route but all the metrics it uses are:
a. Bandwidth
b. Delay
c. Load
d. Reliability
25. EIGRP can provide equal-cost load balancing of up to 6 links. Actually all routing protocols can:
a. ROUTER EIGRP 10
b. MAXIMUM-PATHS (1-6)
26. Hops can also be changed from 100 to a maximum of 255:
a. MAXIMUM-HOPS 255
27. To configure EIGRP with an AS of 20:
a. ROUTER EIGRP 20
b. NETWORK 172.16.0.0
c. NETWORK 10.0.0.0
d. NO AUTO-SUMMARY
28. AS number are irrelevant as long as all the routers use the SAME AS number.
29. To stop an interface from sending or receiving hello packets, type the following (for RIP the interface won’t send updates but will still receive them). If an interface shows P, that interface is in passive-interface mode:
a. ROUTER EIGRP 20
b. PASSIVE-INTERFACE S0/1
30. As mentioned, EIGRP can load balance between two links (let’s say we have links 10.1.2.0 and 10.1.3.0): type on the first router IP ADDRESS 10.1.2.3 and on the second router IP ADDRESS 10.1.2.4 (yes, I wrote the IPs correctly). Now the links are considered as one.
31. Commands to verify EIGRP:
a. SHOW IP ROUTE: shows entire routing table
b. SH IP ROUTE EIGRP: shows only EIGRP entries in the routing table
c. SH IP EIGRP NEIGH: shows all EIGRP neighbors
d. SH IP EIGRP TOPOLOGY: shows entries in the EIGRP topology table
e. DEBUG EIGRP PACKET: shows hello packets sent and received between adjacent routers.
f. DEBUG IP EIGRP NOTIFICATION: shows EIGRP changes and updates.
Before routers can exchange info, they must become neighbors. Three conditions for that: a Hello or ACK is received, the AS numbers match, and the metrics are identical. To keep the relationship, the routers must continue to receive hello updates from their neighbors. EIGRP routers in different ASs don’t become neighbors. The only time EIGRP advertises its whole routing table is when it discovers a new neighbor: once both routers exchange hello packets and become neighbors, they exchange routing tables, and after that only changes are transferred.
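Successor and feasible-successor selection from items 11 to 18 above, plus what DUAL does when a successor is lost, as an added example that is not from the original notes. Neighbor names and metrics are constructed, and the metrics are treated as already-composite EIGRP metrics rather than being computed from bandwidth and delay:

```python
# Added example, not from the original notes. Neighbor names and metric values are
# constructed; "advertised distance" is the metric the neighbor reports for the
# destination, "link cost" is our metric to reach that neighbor.


def eigrp_paths(reports):
    """reports: list of (neighbor, advertised_distance, link_cost_to_neighbor).
    Feasible distance (FD) = min over neighbors of AD + link cost.
    Successor  = neighbor(s) giving the FD (installed in the routing table).
    Feasible successor = any other neighbor whose advertised distance is < FD,
    which guarantees it is not routing back through us (loop-free backup)."""
    totals = {n: ad + cost for n, ad, cost in reports}
    fd = min(totals.values())
    successors = [n for n, t in totals.items() if t == fd]
    feasible = [n for n, ad, cost in reports if n not in successors and ad < fd]
    return {"feasible_distance": fd, "successors": successors,
            "feasible_successors": feasible}


def on_successor_loss(reports, lost_neighbor):
    """What DUAL does when lost_neighbor goes away: a feasible successor (if any)
    is promoted at once from the topology table with no recomputation; with none,
    the route goes active and DUAL must query the neighbors."""
    current = eigrp_paths(reports)
    if lost_neighbor not in current["successors"]:
        return ("unaffected", current)
    remaining = [r for r in reports if r[0] != lost_neighbor]
    backups = [r for r in remaining if r[0] in current["feasible_successors"]]
    if backups:
        best = min(backups, key=lambda r: r[1] + r[2])  # lowest total metric among backups
        return ("promoted", best[0])
    return ("active_query", None)


if __name__ == "__main__":
    # Constructed topology-table entries for one destination, seen from this router:
    # R2 reports 20, we reach R2 at cost 10 -> total 30 (successor, FD = 30)
    # R3 reports 25, cost 15               -> total 40, 25 < 30 so feasible successor
    # R4 reports 35, cost 5                -> total 40, 35 >= 30 so NOT feasible
    reports = [("R2", 20, 10), ("R3", 25, 15), ("R4", 35, 5)]
    print(eigrp_paths(reports))
    print("lose R2:", on_successor_loss(reports, "R2"))
    print("lose R2 without R3:", on_successor_loss([r for r in reports if r[0] != "R3"], "R2"))
```

R4 is the instructive case: its total metric equals R3's, but because its advertised distance (35) is not below the feasible distance (30) it might be reaching the destination through us, so DUAL will not use it as a backup without querying first.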
OSPF:
1. The routers don’t all have to be Cisco, and it supports IPv6
2. Following reasons to use OSPF
a. Fast convergence
b. Decrease routing overhead
c. Confine network instability in a single area.
3. Hierarchical network.
4. AD of 110, link state
5. Consists of Areas AND autonomous systems
6. Supports VLSM/CIDR
7. Unlimited hop count
8. Multicast address of 224.0.0.5
9. Can only load balance on links of equal cost…unlike EIGRP.
10. Router ID: IP address used to identify the router. Cisco chooses the router ID by taking the highest IP address of the loopback interfaces; if there’s no loopback interface, it takes the highest IP address of any active physical interface.
11. Adjacency: Relationship between two OSPF routers that permits the direct exchange of route updates. OSPF is picky about sharing route updates and only shares updates with neighbors who have formed adjacencies.
12. Hello Protocol: Used by OSPF to provide network discovery and maintain neighbor relationships.
13. Neighbor database: Lists all OSPF neighbors from which hello packets have been received. It includes the RID and state.
14. Topological database: Information for all the Link state advertisement (LSA) that have been received for the area.
15. Link state advertisements (LSA): An OSPF data packet containing link-state and routing information that’s shared among routers.
16. Designated router (DR): The main router elected to ensure that topology tables are synchronized.
17. Backup designated router (BDR): Backup for the DR. It receives all the routing updates from the OSPF adjacent routers but does NOT flood LSA updates.
18. OSPF Areas: each interface on a router can be in a different area. All the routers within the same area, have the same topology table. When configuring OSPF, there HAS to be an area 0 and it’s typically connected to the backbone network.
19. Broadcast (multi-access): An example is Ethernet. Allow multiple devices to connect to (or access) the same network, as well as, provide a broadcast ability in which a single packet is delivered to all nodes on the network.
20. Non-broadcast multi-access (NBMA): Examples are Frame Relay, X.25, and ATM. They allow for multi-access but have no broadcast ability like Ethernet. So NBMA networks require special OSPF configuration to function properly.
21. Point to point: Direct connection of two routers that provides a single communication path. Either Physical or logical. Eliminates the need for DR’s or BDR’s.
22. Point to multipoint: Connections between a single interface on one router and multiple destination routers. They all belong to the same network. As with point to point, no DR or BDR elections are needed.
23. To configure OSPF:
a. ROUTER OSPF 1 (the 1 is just a process ID and is only locally significant)
b. NETWORK 10.0.0.0 0.255.255.255 AREA 0 (255 means all hosts and the 0 means this specific host).
Or, if you want a specific network like 192.168.10.8/30:
a. ROUTER OSPF 5
b. NETWORK 192.168.10.8 0.0.0.3 AREA 0 (/30 is 256-252=4. Since the block size in this network is 4, we use the wildcard of 3.) In wildcard masks a 0 bit means “must match this IP” and 255 means “any value”, so 10.10.2.10 0.255.255.255 means 10.0.0.0 – 10.255.255.255.
Another one, 192.168.10.64/28
a. ROUTER OSPF 1
b. NETWORK 192.168.10.64 0.0.0.15 AREA 0
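Worked example, added here and not part of the original notes: Python that derives the wildcard mask and NETWORK statement for prefixes like the /30 and /28 above, and checks which interface addresses a statement would match (function names are my own).

```python
import ipaddress

# Added example, not from the original notes. Derives the OSPF "network"
# statement (address + wildcard) for a CIDR prefix and tests whether an
# interface address would be matched by that statement.


def wildcard_for_prefix(prefix_len: int) -> str:
    """Wildcard mask is the bitwise inverse of the subnet mask: /30 -> 0.0.0.3, /28 -> 0.0.0.15."""
    if not 0 <= prefix_len <= 32:
        raise ValueError("prefix length must be between 0 and 32")
    subnet_mask = (0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF
    return str(ipaddress.IPv4Address(subnet_mask ^ 0xFFFFFFFF))


def ospf_network_statement(cidr: str, area: int) -> str:
    """Build the 'network <addr> <wildcard> area <n>' line for a prefix such as 192.168.10.8/30."""
    net = ipaddress.ip_network(cidr, strict=False)   # strict=False also accepts a host address
    return f"network {net.network_address} {wildcard_for_prefix(net.prefixlen)} area {area}"


def statement_matches(statement_addr: str, wildcard: str, iface_ip: str) -> bool:
    """Wildcard bit 0 = must match exactly, bit 1 = don't care.
    Forcing every 'don't care' bit to 1 on both sides leaves only the bits that must agree."""
    a = int(ipaddress.IPv4Address(statement_addr))
    w = int(ipaddress.IPv4Address(wildcard))
    i = int(ipaddress.IPv4Address(iface_ip))
    return (a | w) == (i | w)


if __name__ == "__main__":
    for cidr in ("10.0.0.0/8", "192.168.10.8/30", "192.168.10.64/28"):
        print(ospf_network_statement(cidr, 0))
    # 10.10.2.10 0.255.255.255 covers 10.0.0.0 - 10.255.255.255, as the notes say
    print(statement_matches("10.10.2.10", "0.255.255.255", "10.200.1.1"))   # True
    print(statement_matches("192.168.10.8", "0.0.0.3", "192.168.10.12"))     # False: that is the next /30
```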
24. Some OSPF verification commands
a. SH IP OSPF: shows OSPF info for one or all OSPF processes running on the router.
b. SH IP OSPF DATABASE: Shows info about number of routers in the network plus the neighboring RID.
c. SH IP OSPF INTERFACE: Displays all interface related OSPF information.
d. SH IP OSPF NEIGH: Super useful, because it summarizes the OSPF info regarding neighbors and adjacency states.
e. SH IP PROTOCOLS: Provides an overview of the actual operation of all currently running protocols (shows process ID, RID, type of OSPF area, networks and areas configured, and neighbors’ RIDs).
f. DEBUG IP OSPF PACKET: Shows hello packets being received on your router.
g. DEBUG IP OSPF HELLO: Shows hello packets being sent and received on your router. Shows more detail than the previous debug command.
h. DEBUG IP OSPF ADJ: Shows DR and BDR elections on a broadcast and non-broadcast multi-access network.
In an OSPF network, each router is assigned an area, and all the routers in the same area are connected to each other. AS numbers are used in OSPF commands but have no significance. OSPF MUST have an area 0, and all other areas should connect to this area. Routers that connect other areas to the backbone area within an AS are called Area Border Routers (ABRs). At least one interface of an ABR must be in area 0. The routers on the network will establish adjacencies with a Designated Router (DR) and a Backup Designated Router (BDR).
The election is won by the router with the highest priority; the RID is used as a tiebreaker if more than one router has the same priority. Within an area, each router calculates the best (shortest) path to every network in that same area, based on the information in the topology table and an algorithm called Shortest Path First (SPF). OSPF uses “cost”, derived from bandwidth. The equation is 10^8/bandwidth.
Two different routers must have the same cost to the link for OSPF to work. Two routers don’t become neighbors unless they agree on area ID, authentication, and hello and dead intervals. Authentication between routers isn’t required, but you can set it if you need it. The hello interval specifies the number of seconds between hello packets, and the dead interval is the number of seconds that a router’s hello packets can go without being seen before its neighbor declares the OSPF router down. These intervals have to be EXACTLY the same between two neighbors or the routers won’t become neighbors. You can see these timers with the SH IP OSPF INT command. Adjacency is the next step after the neighbor process, and that is where the DR and BDR are elected, through the hello protocol.
Only segments that are broadcast and NBMA networks (such as Ethernet and Frame Relay) will perform DR and BDR elections. Point-to-point links like a serial WAN will not have a DR election. As we know, the RID is determined by the highest IP address on any interface at the moment of OSPF startup. This can be overridden with a loopback interface. All routers default to priority 1, and if we set a router’s priority to 0, that router won’t participate in the DR or BDR election process. Cisco suggests configuring a loopback interface whenever using OSPF; this ensures that an interface is always active for OSPF processes (CONF T, INT LOOPBACK 0, IP ADDRESS 172.16.10.2 255.255.255.255). In order for a router with a newly set higher priority or IP address to become the DR, the router has to be rebooted, or simply RELOAD.
LAYER 2 SWITCHING AND STP
SPANNING TREE PROTOCOL (STP) was created to stop switching loops between switches. Switches look at a frame’s hardware address before they decide to forward, drop, or flood the frame. Unlike hubs, switches provide dedicated bandwidth on each port. Broadcasts and multicasts, along with slow convergence, are the main reasons why layer 2 switches and bridges will never replace routers.
DIFFERENCES BETWEEN BRIDGES AND SWITCHES:
1. Bridges are software based and switches hardware
2. A switch can be viewed as a multi-port bridge
3. There can be only one spanning tree instance per bridge, while switches have many
4. Both bridges and switches forward layer 2 broadcasts but switches have more ports
5. Bridges and switches learn MAC addresses by looking at the source address of each frame
THREE DISTINCT FUNCTIONS OF LAYER 2 SWITCHING ARE:
1. Address learning: Switches learn the source address of a frame received and input it into their MAC database called a forward/filter table.
2. Forward/Filter decisions: When a frame is received on an interface, the switch looks at the destination hardware address and finds the exit interface in the MAC database
3. Loop avoidance: STP is used to prevent network loops.
When a switch receives a frame, it places the source address in its MAC table. If it doesn’t have the destination address, it floods the frame out all ports except the port it was received on. When a device answers this flood, the switch takes the source address from that frame and places that MAC address in its database as well. Now the switch doesn’t need to flood frames with this destination address. Remember though, if a server sends a broadcast on the LAN, the switch will flood the frame out all active ports except the one it came in on, because a switch breaks up collision domains, not broadcast domains.
LOOP AVOIDANCE:
1. Broadcast storms: Switches will flood broadcasts endlessly.
2. A device can receive multiple copies of the same frame, since that frame can arrive from different segments at the same time.
3. The MAC address table may be confused about a device’s location, because the switch can receive the frame from more than one link.
4. Multiple loops, meaning loops can occur within other loops.
The original standard for STP was 802.1D. Now Cisco is moving toward RSTP, which is 802.1w. STP prevents loops by monitoring the network and shutting down any redundant links. With STP running, frames will be forwarded only on the premium STP-picked links.
1. ROOT BRIDGE: The bridge with the best bridge ID. All switches have to elect a root bridge which makes all decisions.
2. BRIDGE PROTOCOL DATA UNIT (BPDU): Used to exchange information. Each switch compares the BPDU that it sends to one neighbor with the one that it receives from another neighbor.
3. BRIDGE ID: Used by switches to keep track of all the switches in the network. Determined by a combination of the bridge priority (32,768 default on all Cisco switches) and the base MAC address. The bridge with the lowest bridge ID becomes the root bridge in the network.
4. NONROOT BRIDGES: All bridges that are not the root bridge. They exchange BPDU’s with all bridges and update the STP topology database.
5. PORT COST: Determines the best path, when multiple links are used between two switches and none of the links is a root port. Determined by bandwidth.
6. DESIGNATED PORT: One that has been determined as having the best (lowest) cost. This will be marked as the forwarding port.
7. NONDESIGNATED PORT: Port with the higher cost. These are put into blocking mode.
8. BLOCKED PORT: In order to prevent loops, will block frames. But it will still listen to frames.
STP OPERATION:
1. First STP elects a root bridge, determined by the lowest priority number of all the bridges. If two switches have the same priority number, then the lower MAC address determines the root bridge. You can lower a bridge’s priority to make sure that it becomes the root bridge.
2. Once all switches agree on who the root bridge is, every non-root switch must select its single root port. This is the port with the highest bandwidth (lowest cumulative cost) to the root. Obviously, every port on the root switch is a designated port. Remember that a bridge can go through many other bridges to get to the root bridge. It’s not always the shortest but the fastest path that is chosen. These are determined by cost:
Speed    | New IEEE Cost | Original IEEE Cost
10 Gbps  | 2             | 1
1 Gbps   | 4             | 1
100 Mbps | 19            | 100
10 Mbps  | 100           | 100
So the path from a port to the root bridge with the lowest cost will be the root port.
ROOT PORT is a single selected port on "a Switch" with least PATH COST to the Root Bridge. The DESIGNATED PORT is the port that has the lowest PATH COST on a particular Local Area Network (LAN) segment.
3. After the dust settles, any port that is not either the root port or designated port, will be placed in the blocking state.
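Worked example, added here and not part of the original notes: Python that runs the two STP steps above on a constructed three-switch topology, electing the root by lowest bridge ID and then picking each switch's root port by lowest cumulative path cost using the new IEEE cost column (switch names, MACs and links are made up).

```python
import heapq

# Added example, not from the original notes. Models the STP operation above:
# elect the root bridge by lowest bridge ID (priority, then MAC), then give every
# other switch the root port that reaches the root with the lowest cumulative
# path cost using the "new IEEE" cost table. Switch names, MACs and links are constructed.

IEEE_PORT_COST = {10_000: 2, 1_000: 4, 100: 19, 10: 100}   # speed in Mbps -> port cost


def bridge_id(priority: int, mac: str) -> tuple:
    """Bridge ID compares priority first, then the base MAC as a 48-bit integer; lower wins."""
    return (priority, int(mac.replace(":", ""), 16))


def elect_root(switches: dict) -> str:
    """switches maps name -> (priority, base MAC). Returns the root bridge name."""
    return min(switches, key=lambda name: bridge_id(*switches[name]))


def root_paths(switches: dict, links: list) -> dict:
    """links are (switch_a, port_a, switch_b, port_b, speed_mbps).

    Returns name -> (root path cost, root port). The root itself is (0, None).
    Ties on cost are broken by the lower upstream bridge ID, as STP does."""
    root = elect_root(switches)
    adjacency = {name: [] for name in switches}
    for sw_a, port_a, sw_b, port_b, speed in links:
        cost = IEEE_PORT_COST[speed]
        # a path from sw_a enters sw_b through sw_b's port_b, and vice versa
        adjacency[sw_a].append((sw_b, port_b, cost))
        adjacency[sw_b].append((sw_a, port_a, cost))

    root_bid = bridge_id(*switches[root])
    best = {root: (0, root_bid, None)}         # name -> (cost, upstream bridge id, root port)
    heap = [(0, root_bid, root)]
    while heap:
        cost, _, node = heapq.heappop(heap)
        if cost > best[node][0]:
            continue                            # stale heap entry
        for neighbour, nbr_port, link_cost in adjacency[node]:
            candidate = (cost + link_cost, bridge_id(*switches[node]), nbr_port)
            if neighbour not in best or candidate[:2] < best[neighbour][:2]:
                best[neighbour] = candidate
                heapq.heappush(heap, (candidate[0], candidate[1], neighbour))
    return {name: (entry[0], entry[2]) for name, entry in best.items()}


# Constructed topology: SW3 has a lowered priority, so it wins the election even
# though its MAC is the highest. SW1's direct 100 Mbps link to the root costs 19,
# but going through SW2 over two gigabit links costs only 4 + 4 = 8, so SW1's
# root port is g0/1, not the directly connected f0/1.
SAMPLE_SWITCHES = {
    "SW1": (32768, "00:00:00:00:00:0a"),
    "SW2": (32768, "00:00:00:00:00:0b"),
    "SW3": (4096, "00:00:00:00:00:0c"),
}
SAMPLE_LINKS = [
    ("SW1", "f0/1", "SW3", "f0/1", 100),
    ("SW1", "g0/1", "SW2", "g0/1", 1_000),
    ("SW2", "g0/2", "SW3", "g0/2", 1_000),
]

if __name__ == "__main__":
    print("root bridge:", elect_root(SAMPLE_SWITCHES))                  # SW3
    for name, (cost, port) in sorted(root_paths(SAMPLE_SWITCHES, SAMPLE_LINKS).items()):
        print(f"{name}: root path cost {cost}, root port {port}")        # SW1: 8 via g0/1
```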
STP PORT STATES:
1. BLOCKING: Won’t forward frames, but it still listens to BPDUs. When a blocked port is determined to be a root or designated port, it first goes to the listening state and checks all BPDUs to make sure it won’t create a loop once it goes to forwarding mode.
2. LISTENING: Listens and prepares to forward frames WITHOUT populating the MAC table.
3. LEARNING: Populates the MAC table but doesn’t forward frames.
4. FORWARDING: Sends and receives all data frames.
5. DISABLED: Virtually non operational.
Convergence occurs when all ports on the bridges and switches have transitioned to either forwarding or blocking mode. No data will be forwarded until convergence is complete, and before convergence can be complete, ALL devices must be updated. Make your core switch the STP root for the fastest convergence. Convergence by default takes 50 seconds. The following were created by Cisco to “fix” the holes and liabilities of the standard 802.1d (RSTP 802.1w has these enabled by default):
1. PORTFAST: If you have a server or other devices connected to your switch that you’re totally sure won’t create a switch loop if STP is disabled, you can use Portfast on these ports. This means the switch won’t take the usual 50 seconds for a port to go into forwarding mode while STP is converging. In other words, it disables STP on that port.
2. UPLINK FAST: Designed to run in a switched environment when you have at least one backup port, one that is in blocking state. Uplink fast allows a switch to find alternate paths to the root bridge before the primary link fails. This means that if a primary link fails, the secondary link comes up more quickly. (Should be enabled on access layer switches or ones with redundant links.)
3. BACKBONE FAST: Unlike Uplink fast that is used to find and fix failures on the local switch, Backbone fast is used for speeding up convergence when a link that’s not directly connected to the switch fails. It can save 20 seconds on the 50 seconds convergence time.
4. RSTP (802.1w): Just turn on RSTP and it will enable all these cisco “fixes” in one tight package.
5. ETHERCHANNEL: Instead of having redundant links and allowing STP to put one in Block mode, we can bundle the links and create a logical aggregation so that our multiple links will appear as one.
a. Port Aggregation Protocol (PAgP): Cisco’s version of Etherchannel.
b. Link Aggregation protocol (LACP): IEEE 802.1ad version of Etherchannel.
6. BPDUGUARD: If you turn on Portfast for a port, turning on BPDUGuard is a great idea. If a switch port that has Portfast enabled receives a BPDU on that port, it will place the port into error disabled state. This stops an admin from accidentally connecting another switch or hub ports into a switch port configured with portfast. In essence, you’re “guarding” a Portfast port from getting BPDUs when a new switch is connected to that port. Only configure on the access layer switches not core.
7. BPDUFILTER: Since a switch port that has Portfast enabled will still receive BPDUs by default, you can use BPDUFilter to completely stop BPDUs from coming to or going from that port. BPDUFilter will immediately take a port out of Portfast if it receives a BPDU and force the port to be a part of the STP topology. Unlike BPDUGuard, which puts the port into the error-disabled state, BPDUFilter keeps the port up, but without Portfast running.
BOOTUP ERRORS FOR A SWITCH:
1. LED turns green: Successful POST.
2. LED turns amber: POST fails. Very bad thing, usually fatal.
3. When connecting switches to each other, the link lights are orange, then green: Indicates normal operation.
4. Led turns green and amber: The port is experiencing problems.
SOME SWITCH CONFIGURATION COMMANDS:
1. PORT SECURITY:
a. INT RANGE F0/1 - 4
b. SWITCHPORT PORT-SECURITY MAXIMUM 1 (allows only one MAC address, i.e. one host, to connect through the port)
c. SWITCHPORT PORT-SECURITY VIOLATION SHUTDOWN (if more than one MAC address is used, the port is shut down)
d. SWITCHPORT PORT-SECURITY MAC-ADDRESS mac-address (to assign individual MAC addresses to a port)
e. SWITCHPORT PORT-SECURITY MAC-ADDRESS STICKY (provides MAC address security without having to type in each MAC address)
2. PORTFAST/UPLINKFAST/BACKBONEFAST:
a. INT RANGE F0/2 – 4
b. SPANNING-TREE PORTFAST
c. SPANNING-TREE UPLINKFAST
d. SPANNING-TREE BACKBONEFAST
3. BPDUGUARD / BPDUFILTER:
a. SPANNING-TREE BPDUGUARD ENABLE
b. SPANNING-TREE BPDUFILTER ENABLE
4. RSTP (802.1W):
a. SPANNING-TREE MODE RAPID-PVST (ports running 802.1d drop 802.1w BPDU’s because they don’t understand them).
5. SETTING THE ROOT BRIDGE:
a. SPANNING-TREE VLAN 1 ROOT PRIMARY (this command does not override a switch with a lower priority, or one with priority 0, which always makes it the root. It only works for you if all your switches have the same priority or higher set.)
6. VERIFYING OUR SWITCH CONFIGURATIONS:
a. SH MAC ADDRESS-TABLE: Shows us the MAC address table
b. SH SPANNING-TREE or SH SPANNING-TREE VLAN 2: Shows who the root bridge is and what our priorities are set to for each VLAN. Cisco switches run Per-VLAN Spanning Tree (PVST), which means each VLAN runs its own instance of STP.
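Worked example, added here and not part of the original notes: a small Python model of the switching behaviour described earlier (learn the source MAC, flood unknown destinations, never send back out the ingress port) with the port-security MAXIMUM / VIOLATION SHUTDOWN rule from the commands above applied per port. Port names and MAC addresses are constructed.

```python
# Added example, not from the original notes. A minimal model of the layer 2
# behaviour described in these notes: learn the source MAC per port, forward known
# destinations out one port, flood unknowns and broadcasts out every other port,
# and enforce "port-security maximum N" with "violation shutdown" (the port is
# put in err-disabled and stops passing frames). MAC addresses are constructed.

BROADCAST = "ff:ff:ff:ff:ff:ff"


class Switch:
    def __init__(self, ports, max_macs=None):
        self.ports = list(ports)
        self.mac_table = {}                     # MAC -> port it was learned on
        self.max_macs = dict(max_macs or {})    # port -> port-security maximum
        self.err_disabled = set()

    def _secured_on(self, port):
        """Distinct MACs currently learned on a port (what port-security counts)."""
        return sum(1 for p in self.mac_table.values() if p == port)

    def receive(self, in_port, src, dst):
        """Process one frame; return the sorted list of egress ports ([] = dropped)."""
        if in_port in self.err_disabled:
            return []
        limit = self.max_macs.get(in_port)
        new_on_port = self.mac_table.get(src) != in_port
        if limit is not None and new_on_port and self._secured_on(in_port) >= limit:
            self.err_disabled.add(in_port)      # violation shutdown: port goes err-disabled
            return []
        self.mac_table[src] = in_port           # address learning
        if dst == BROADCAST or dst not in self.mac_table:
            # flood: every active port except the one the frame arrived on
            return sorted(p for p in self.ports
                          if p != in_port and p not in self.err_disabled)
        out = self.mac_table[dst]
        return [] if out == in_port else [out]   # filter: same segment, don't forward


if __name__ == "__main__":
    # f0/1 is secured to one MAC, like the INT RANGE / MAXIMUM 1 / VIOLATION SHUTDOWN commands
    sw = Switch(["f0/1", "f0/2", "f0/3"], max_macs={"f0/1": 1})
    print(sw.receive("f0/1", "aa:aa:aa:aa:aa:01", "bb:bb:bb:bb:bb:02"))   # unknown dst: flooded
    print(sw.receive("f0/2", "bb:bb:bb:bb:bb:02", "aa:aa:aa:aa:aa:01"))   # known dst: ['f0/1']
    print(sw.receive("f0/1", "cc:cc:cc:cc:cc:03", "bb:bb:bb:bb:bb:02"))   # 2nd MAC on f0/1: []
    print(sorted(sw.err_disabled))                                          # ['f0/1']
```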
VIRTUAL LAN’S (VLANS)
A VLAN is a logical grouping of network users and resources connected to administratively defined ports on a switch. When you create a VLAN on each port, you’re creating its own subnet or broadcast domain. These are some ways VLANS help a network:
1. Network adds, moves, and changes are achieved with ease by just configuring a port into the appropriate VLAN
2. A group of users that need high security can be put in their own VLAN
3. Since logical, VLANS can be considered independent from their physical locations
4. VLANS enhance network security
5. VLANS increase the number of broadcast domains while decreasing their size
Any port on any switch can be assigned a VLAN number. Let’s say a person from Sales wants to be in the Sales VLAN, but there are no more ports on the switch or no room in the Sales department. He can be located in another department, and all we would have to do is put one of the new department’s switch ports into the Sales VLAN. Remember that each host has to have the correct IP address information for the VLAN it’s being put in. For example, if the Sales VLAN IP is 172.16.20.0/24, then it should be put into that network.
Remember that VLAN 1 is always considered the administrative (native) VLAN. When we create a new VLAN, we usually start from VLAN 2. Remember that all ports by default are members of VLAN 1 until you change them. VLANs can only communicate within their own subnet, and each VLAN thinks it’s part of its own network. The only way they can communicate with other VLANs is through a router (inter-VLAN communication).
STATIC VLANs: A VLAN created by an admin who assigns switch ports to each VLAN. This is the most secure, because the VLAN association is always maintained unless you change the port assignment manually.
DYNAMIC VLANs: A node’s VLAN assignment is determined automatically using intelligent software; you can base VLAN assignments on MAC addresses, protocols, or even applications. You can use the VLAN Management Policy Server (VMPS) to set up a database of MAC addresses to be used for the dynamic addressing of your VLANs. VMPS automatically maps MAC addresses to VLANs.
A switch port can belong to only one VLAN if it’s an access port or all VLANs if it’s a trunk port. You can manually set a port to access or trunk port or you can let the Dynamic Trunking Protocol (DTP) operate on a per-port basis to set the switchport mode.
TWO DIFFERENT TYPES OF LINKS IN A SWITCHED ENVIRONMENT:
1. ACCESS PORTS: An access port belongs to and carries the traffic of only one VLAN. The traffic is sent in native format with no VLAN tagging whatsoever. Anything arriving on an access port is simply assumed to belong to the VLAN assigned to the port. So what would happen if an access port receives a tagged packet? It DROPS it. Tagged traffic can only be received and sent on a trunk port. Any device attached to an access link is unaware of VLAN membership. Remember that switches remove any VLAN information from the frame before it’s forwarded out an access-link device. One thing to keep in mind, is that the Voice VLAN can be laid on top of the data VLAN, enabling both types of traffic through the port. But this is still considered an access port.
2. Trunk ports: A trunk link is 100 or 1000Mbps point-to-point link between two switches, a switch and a router, or even between a switch and a server and it carries traffic from multiple VLANS at a time. You can make a single port part of a whole bunch of different VLANs at the same time. You can set a port up to have a server in two separate broadcast domains simultaneously so your users don’t have to cross a layer 3 device to log in and access it. All VLANs send information on a trunked link unless you clear each VLAN by hand. Basically, the Sales department VLAN on one switch, can communicate with the Sales department VLAN on another switch using a Trunk link connecting the switches together.
FRAME TAGGING: There needs to be a way for a switch to keep track of all the users and frames as they travel the switch fabric and VLANs. This is where frame tagging comes into play. Frame tagging assigns a user-defined ID to each frame. People refer to this as the VLAN ID or color. Here’s how it works: each switch that the frame reaches must first identify the VLAN ID from the frame tag. It then finds out what to do with the frame by looking at the information in the filter table. If the frame reaches a switch that has another trunked link, the frame will be forwarded out the trunk-link port. Once the frame reaches an exit that’s determined by the forward/filter table to be an access link matching the frame’s VLAN ID, the switch will remove the VLAN ID so the destination device can receive the frames without being required to understand their VLAN ID. Trunk ports support both tagged and untagged traffic. A trunk has a default port VLAN ID (PVID) for untagged traffic: untagged frames are always placed in the native VLAN, which is VLAN 1 unless changed.
VLAN IDENTIFICATIONS METHODS:
1. INTER-SWITCH LINK (ISL): Made by Cisco, ISL functions at layer 2 by encapsulating a data frame with a new header and CRC. ISL is becoming obsolete.
2. IEEE 802.1q (dot1q): This actually inserts a field into the frame to identify the VLAN. If you’re trunking between a Cisco and another switch type, you have to use 802.1q for the trunk to work. First you designate each port that is going to be a trunk with 802.1q. The port must be specified a VLAN ID like VLAN 3 for example. That VLAN becomes the native VLAN. The ports that populate the trunk create a group with this native VLAN. The native VLAN allows the trunk to carry information that was received without any VLAN identification or frame tagging.
VLAN TRUNKING PROTOCOL (VTP): The basic goal of VTP is to manage all configured VLANs across a switched network to maintain consistency throughout that network. VTP allows you to add, delete, and rename VLANs; that information is then propagated to all other switches in the VTP domain. Some VTP functions:
1. Consistent VLAN configuration across all switches in a network
2. VLAN trunking over mixed networks such as Ethernet, ATM or FDDI
3. Accurate tracking and monitoring of VLANs
4. Dynamic reporting of added VLANs to all switches in the VTP domain
5. Plug and Play VLAN adding.
Before VTP can manage our VLANs, we have to create a VTP server. A switch can be in only one domain at a time, and all servers that need to share VLAN information must use the same domain name. So in order for switches to share information, they HAVE to be in the same VTP domain. If you have all your switches in one VLAN, you just don’t need VTP. Keep in mind that VTP information is sent between switches only via a trunk port. Switches detect a newly added VLAN through the VTP advertisements. Updates carry a configuration revision number that is incremented by 1 on every change. Any time a switch sees a higher revision number, it knows that information is the most current, and it will overwrite its existing database with it. VTP has three modes of operation:
1. SERVER: All catalyst switches by default are servers. You need at least one server in your VTP domain to propagate VLAN information throughout the Domain. Also, important, the switch has to be in server mode to create, add, or delete VLANs in a VTP domain. In this mode, VLAN configurations are saved in NVRAM.
2. CLIENT: Client mode switches receive information from the VTP servers, but they also send and receive updates. The difference is that they can’t create, change, or delete VLANs. VTP information sent from a VTP server isn’t stored in NVRAM, so if the switch is reloaded, the VLAN information is deleted. If you want to make a switch a VTP server, first make it a client to get correct VLAN info, then change to server.
3. VTP TRANSPARENT MODE: In this mode, switches forward VTP information through trunk ports but do not accept information updates. They don’t participate in the VTP domain or share its database. They can create, modify, or delete VLANs because they keep their own database in NVRAM, one they keep to themselves. So this is only locally significant.
VTP PRUNING: VTP pruning lets switches send broadcasts only over the trunk links that need the information, in order to save bandwidth. For example, if Switch A doesn’t have a trunk port configured for VLAN 5, with VTP pruning a VLAN 5 broadcast won’t traverse the trunk link to Switch A. VTP pruning is disabled by default but should be enabled.
Routing between VLANS: If you want your hosts or any other IP based device to communicate between VLANs, you have to have a layer 3 device. For this, you can use a router that has an interface for each VLAN or a router that supports ISL or 802.1q routing. So for example, you can either have a router with 3 interfaces to have 3 VLANs with an access port on each interface, or have a router with one interface (Router on a stick) and use ISL or 802.1q.
DIFFERENT TRUNK MODES:
1. SWITCHPORT MODE ACCESS: Places the port into access mode.
2. SWITCHPORT MODE DYNAMIC AUTO: This link becomes a trunk link if the neighbor interface is set to trunk or desirable mode. This is now default for all Ethernet interfaces on new Cisco switches.
3. SWITCHPORT MODE DYNAMIC DESIRABLE: This makes the interface actively attempt to convert the link to a trunk link. The interface becomes a trunk interface if the neighboring interface is set to trunk, desirable, or auto mode.
4. SWITCHPORT MODE TRUNK: Puts the interface into permanent trunking mode.
5. SWITCHPORT MODE NONEGOTIATE: Prevents the interface from generating DTP frames. Basically the lines don’t negotiate on one becoming a trunk or not.
CONFIGURING VLANS:
1. VLANS:
a. CONF T
b. VLAN 2
c. NAME SALES
2. ASSIGNING SWITCH PORTS TO VLANS:
a. INT FA0/3
b. SWITCHPORT MODE ACCESS
c. SWITCHPORT ACCESS VLAN 3
3. TRUNKING WITH CISCO CATALYST 3560 SWITCH (2960 CAN’T DO LAYER 3 TRUNKING):
a. SWITCHPORT TRUNK ENCAPSULATION DOT1Q
b. SWITCHPORT MODE TRUNK
4. INTER-VLAN ROUTING: On a router interface we have to create subinterfaces for this. The subinterface number is only locally significant, and it is best to set it to the same number as the VLAN.
a. INT F0/0
b. NO IP ADDRESS
c. NO SHUTDOWN
d. INT F0/0.1
e. ENCAPSULATION DOT1Q 1 (the VLAN ID this subinterface handles; matches the subinterface number as recommended above)
f. IP ADDRESS 192.168.1.65 255.255.255.192
g. INT F0/0.2
h. ENCAPSULATION DOT1Q 2
i. IP ADDRESS 192.168.1.129 255.255.255.192 (and so forth..)
ON THE SWITCH:
a. INT F0/1 (connected to the router so we’re making this a trunk link)
b. SWITCHPORT TRUNK ENCAPSULATION DOT1Q
c. SWITCHPORT MODE TRUNK
d. SWITCHPORT TRUNK VLAN 1
e. VLAN 2 Sales
f. VLAN 3 Management
g. INT F0/2
h. SWITCHPORT MODE ACCESS
i. SWITCHPORT ACCESS VLAN 2
j. INT F0/3
k. SWITCHPORT MODE ACCESS
l. SWITCHPORT ACCESS VLAN 3
m. DESCRIPTION this is the Management vlan
And to set an IP on a VLAN: (We only really put an IP address on a VLAN just so we can manage it. Switches are layer 2 devices and don’t need IP addressing to function).
a. INT VLAN 1
b. IP ADDRESS 172.16.10.2 255.255.255.128
c. NO SHUTDOWN (yes we need no shut on the VLAN interface)
5. CONFIGURING VTP:
a. VTP MODE SERVER
b. VTP DOMAIN Ehsan (the VTP clients we create have to be in this domain and have the same password)
c. VTP PASSWORD Password
6. CONFIGURING IP PHONE VOICE TRAFFIC: The voice VLAN feature enables access ports to carry IP voice traffic from an IP phone. When a switch is connected to a Cisco IP phone, the IP phone sends voice traffic with layer 3 IP precedence and layer 2 class of service (CoS) values. Because the sound quality of an IP phone can deteriorate if the data is unevenly sent, the switch supports Quality of Service (QoS) based on IEEE 802.1p CoS. 802.1p provides a mechanism for implementing QoS at the MAC level. The 802.1p field is carried in the 802.1q trunk header. QoS uses classification and scheduling to send network traffic from the switch in an organized, predictable manner. The Cisco phone basically has a three-port switch: one port to connect to the Cisco switch, one to a PC, and one to the actual phone, which is internal. You can also configure an access port with an attached Cisco IP phone to use one VLAN for voice traffic and another VLAN for data traffic from a device attached to the phone, like a PC. You can configure access ports on the switch to send CDP packets that instruct an attached Cisco IP phone to send voice traffic to the switch in any of these ways:
· In the voice VLAN, tagged with a layer 2 CoS priority value
· In the access VLAN …
· In the access VLAN, untagged (no layer 2 CoS priority value)
You can configure layer 2 access ports on the switch to send CDP packets that instruct the attached Cisco IP phone to configure the IP phone access port in either Trusted mode (all traffic received through the access port on the Cisco IP phone passes through the IP phone unchanged) or Untrusted mode (all traffic in IEEE 802.1q or 802.1p frames received through the access port on the IP phone receive a configured layer 2 CoS value) which is the default.
You can enable a voice VLAN feature by typing SWITCHPORT VOICE VLAN. These are the Voice VLAN configuration guidelines:
· Voice VLAN isn’t supported on trunk ports and has to be configured on access ports
· The voice VLAN should be present and active on the switch for the IP phone to correctly communicate on it
· Before you enable the voice VLAN, it’s recommended that you enable QoS on the switch with the MLS QOS global configuration command and set the port trust state to trust by entering MLS QOS TRUST COS.
· You must make sure that CDP is enabled on the switch port connected to the Cisco IP phone to send the configuration. This is on by default
· The Portfast feature is automatically enabled when the voice VLAN is configured, but when you disable the voice VLAN, the Portfast feature isn’t automatically disabled
· To return the port to its default setting, use the NO SWITCHPORT VOICE VLAN command
TO CONFIGURE:
a. CONFIG T
b. MLS QOS
c. INTERFACE F0/1
d. SWITCHPORT PRIORITY EXTEND TRUST
e. MLS QOS TRUST COS
f. SWITCHPORT VOICE VLAN DOT1P
g. SWITCHPORT MODE ACCESS
h. SWITCHPORT ACCESS VLAN 3
i. SWITCHPORT VOICE VLAN 10
First we configured a port connected to an IP phone to use the CoS value for classifying. Second we configured the port to use 802.1p priority tagging for voice traffic. Third we configured it to use the Voice VLAN 10 to carry all voice traffic. And last we configured VLAN 3 to carry PC data.
7. VLAN TROUBLESHOOTING:
a. SH VLAN: Shows our VLANS
b. SH VLAN BRIEF: Shows our VLAN number, name, status and port
c. SH VTP STATUS: Shows the VTP domain, the VTP password, and the switch mode.
SECURITY
Access lists are essentially a list of conditions that categorize packets and filter unwanted packets. You can use them to control which networks will or won’t be advertised by dynamic routing protocols. You can also use access lists to categorize packets for queuing or QoS-type service and for controlling which types of traffic can activate an ISDN link. Access lists are basically packet filters that packets are compared against and acted upon accordingly. Once the list is made, it can be applied to either inbound or outbound traffic on an interface. Applying an access list to an interface causes the router to analyze every packet crossing that interface in the specified direction and take the appropriate action.
Once you create an ACL, it’s not going to do anything until you apply it. They may be in the router, but they’re inactive until you tell the router what to do with them. To use an ACL as a packet filter, you need to apply it to an interface on the router where you want the traffic filtered. And you have to specify which direction of traffic you want the ACL applied to. So you may need different ACL’s for inbound and outbound traffic on a single interface.
· INBOUND ACL: When an ACL is applied to inbound packets on an interface, those packets are processed through the ACL before being routed to the outbound interface.
· OUTBOUND ACL: When an ACL is applied to outbound packets on an interface, those packets are routed to the outbound interface and then processed through the ACL before being queued.
THERE ARE A FEW RULES THAT A PACKET FOLLOWS WHEN BEING COMPARED WITH AN ACCESS LIST:
· It’s always compared with each line of the ACL in sequential order, that is, it’ll start from the first line and go down.
· It’s compared with lines of the ACL only until a match is made. Once a match is found, the packet is acted upon according to that line and NO OTHER COMPARISON WILL TAKE PLACE.
· There is an implicit “deny” at the end of each ACL. This means if the packet doesn’t match any of the conditions on any of the lines of the ACL, it will be dropped.
THESE ARE SOME GUIDELINES THAT SHOULD BE FOLLOWED WHEN YOU’RE CREATING AN ACL:
· You can assign only one ACL per interface per protocol per direction. This means that when you’re creating IP ACLs, you can have only one inbound and one outbound ACL per interface.
· Organize your ACL so that the more specific tests are at the top of the list.
· Any time a new entry is added to the ACL, it will be placed at the bottom of the list. Using a text editor for access lists is highly suggested.
· You cannot remove one line from a numbered ACL. If you try to do this, you will remove the entire list. It’s best to copy the ACL to a text editor before trying to edit the list. The only exception is when using a named ACL.
· Unless your access list ends with a permit any command, all packets that don’t meet the list’s tests will be discarded. Every ACL should have at least one permit statement.
· Apply the ACL to an interface. An interface with no ACL applied to it does not filter traffic.
· ACLs are designed to filter traffic going through the router. They will not filter traffic originating from the router itself.
· Place IP standard ACLs as close to the destination as possible. You cannot put standard ACLs close to the source host or network, because they filter on source address only and nothing from that source would be forwarded anywhere.
· Place extended ACLs as close to the source as possible. Since extended ACLs can filter on very specific addresses and protocols, you don’t want traffic to traverse the entire network only to be denied at the far end. Filtering at the source saves your precious bandwidth.
WILD CARDS: ACLs can also use wildcard masking to specify a host, a network, or a certain range of networks. Wildcards are used with the host or network address to tell the router a range of addresses to filter. To specify a host, the address would look like this: 172.16.30.5 0.0.0.0. Whenever a zero is present, the octet in that position must match exactly. To specify that an octet can be any value, the value 255 is used: 172.30.16.0 0.0.0.255. This tells the router to match the first 3 octets exactly, but the fourth octet can be any value. Let’s say you want to block access to the part of the network in the range 172.16.8.0 to 172.16.15.0. That is a block size of 8, so your network and wildcard would be 172.16.8.0 0.0.7.255. The network and wildcard tell the router to start at 172.16.8.0 and go up a block of eight networks, to 172.16.15.0. Block sizes are powers of two, so if you need to cover, for example, 34 networks, you need a block size of 64. Remember, each block must start on a multiple of its size: you can’t ask for a block size of 8 that starts at 12; you must use 0-7, 8-15, 16-23 and so on. The keyword any is the same as writing 0.0.0.0 255.255.255.255.
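The rules above, worked through in code. This is an added Python example, not part of the original notes and not Cisco IOS: it parses numbered access-list lines in the syntax used on this page (standard lists filter on source only, extended lists on protocol, source, destination and eq port), applies wildcard masks bit by bit, walks the list top-down with first match wins, and falls through to the implicit deny when nothing matches. The Ace and Packet types, the block-size helpers and the 10.0.0.9 source address are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

def _to_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Wildcard bit 0 means 'this bit must match', bit 1 means 'don't care'."""
    care = ~_to_int(wildcard) & 0xFFFFFFFF
    return (_to_int(addr) & care) == (_to_int(base) & care)

def min_block_size(count: int) -> int:
    """Smallest power-of-two block covering `count` consecutive networks (34 -> 64)."""
    return 1 << (count - 1).bit_length()

def block_wildcard(block_size: int, octet: int) -> str:
    """Wildcard for a block of `block_size` values in octet 1-4, with every
    later octet fully wildcarded; block_wildcard(8, 3) -> '0.0.7.255'."""
    if block_size & (block_size - 1):
        raise ValueError("block size must be a power of two")
    parts = [0, 0, 0, 0]
    parts[octet - 1] = block_size - 1
    for j in range(octet, 4):
        parts[j] = 255
    return ".".join(map(str, parts))

@dataclass
class Ace:
    action: str                     # "permit" or "deny"
    protocol: str                   # "ip" matches any IP protocol
    src: str
    src_wc: str
    dst: str
    dst_wc: str
    dst_port: Optional[int] = None  # the "eq <port>" qualifier

@dataclass
class Packet:
    protocol: str
    src: str
    dst: str
    dst_port: Optional[int] = None

def _parse_addr(t: List[str], i: int) -> Tuple[str, str, int]:
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W' starting at t[i]."""
    if t[i].lower() == "any":
        return "0.0.0.0", "255.255.255.255", i + 1
    if t[i].lower() == "host":
        return t[i + 1], "0.0.0.0", i + 2
    return t[i], t[i + 1], i + 2

def parse_ace(line: str) -> Ace:
    """One numbered line; the number decides standard (source only) or extended."""
    t = line.split()
    if t[0].lower() != "access-list":
        raise ValueError(line)
    number, action, i = int(t[1]), t[2].lower(), 3
    if 1 <= number <= 99 or 1300 <= number <= 1999:
        protocol = "ip"
        src, src_wc, i = _parse_addr(t, i)
        dst, dst_wc = "0.0.0.0", "255.255.255.255"
    else:
        protocol = t[i].lower()
        src, src_wc, i = _parse_addr(t, i + 1)
        dst, dst_wc, i = _parse_addr(t, i)
    port = None
    if i < len(t) and t[i].lower() == "eq":
        port = int(t[i + 1])          # a trailing "log" keyword is simply ignored here
    return Ace(action, protocol, src, src_wc, dst, dst_wc, port)

def matches(ace: Ace, pkt: Packet) -> bool:
    if ace.protocol not in ("ip", pkt.protocol):
        return False
    if not wildcard_match(pkt.src, ace.src, ace.src_wc):
        return False
    if not wildcard_match(pkt.dst, ace.dst, ace.dst_wc):
        return False
    return ace.dst_port is None or ace.dst_port == pkt.dst_port

def evaluate(acl: List[Ace], pkt: Packet) -> Tuple[str, Optional[int]]:
    """Top-down; the first matching line decides and nothing after it is read.
    No match at all hits the implicit deny, reported with line None."""
    for line_no, ace in enumerate(acl, start=1):
        if matches(ace, pkt):
            return ace.action, line_no
    return "deny", None

# The page's second extended example: block telnet to two subnets, allow the rest.
ACL_110 = [parse_ace(line) for line in (
    "access-list 110 deny tcp any 172.16.48.0 0.0.0.255 eq 23",
    "access-list 110 deny tcp any 172.16.192.0 0.0.0.255 eq 23",
    "access-list 110 permit ip any any",
)]
# The same list without its final permit: everything else falls to the implicit deny.
ACL_110_NO_PERMIT = ACL_110[:2]
```

Running evaluate(ACL_110_NO_PERMIT, ...) on ordinary web traffic shows the mistake the guidelines warn about: with no permit line, every packet that is not telnet to those two subnets is dropped by the implicit deny, and the line number comes back as None because no configured line was responsible.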
1. STANDARD ACLs: These use only the source IP address in an IP packet as the condition. All decisions are made based on the source IP address. This means that standard ACLs basically permit or deny an entire suite of protocols. They use the ACL numbers 1-99 or 1300-1999. By using these numbers, you’re telling the router to use a standard ACL. To specify a single host, use the host keyword; to specify a range, use a network and wildcard:
a. ACCESS-LIST 10 DENY HOST 172.16.30.2
Or
ACCESS-LIST 10 DENY 172.16.16.0 0.0.3.255
b. ACCESS-LIST 10 PERMIT ANY
c. INT E1
d. IP ACCESS-GROUP 10 OUT (to place an ACL on the outbound of an interface on a router).
ACCESS-CLASS 10 IN (Used for placing it on a VTY line).
2. EXTENDED ACLs: These can evaluate many of the other fields in the layer 3 and layer 4 headers of an IP packet. They can evaluate source and destination IP addresses, the protocol field in the network layer header, and the port number in the transport layer header. This gives extended ACLs the ability to make much more granular decisions when controlling traffic. Extended ACLs let you use source and destination address as well as the protocol and the port number that identifies the upper layer protocol or application. By using an extended ACL you can allow users access to a physical LAN and stop them from accessing specific hosts, or even specific services on those hosts. They use numbers 100-199 or 2000-2699.
a. ACCESS-LIST 110 DENY TCP ANY HOST 172.16.30.2 EQ 23 LOG (blocks telnet, port 23, from any source to the host and logs the matches).
b. ACCESS-LIST 110 PERMIT IP ANY ANY (remember there is an implicit deny at the end, so we need this; an extended entry always names a protocol, here IP).
ANOTHER EXAMPLE:
a. ACCESS-LIST 110 DENY TCP ANY 172.16.48.0 0.0.0.255 EQ 23
b. ACCESS-LIST 110 DENY TCP ANY 172.16.192.0 0.0.0.255 EQ 23
c. ACCESS-LIST 110 PERMIT IP ANY ANY
d. INT ETHERNET 1
e. IP ACCESS-GROUP 110 OUT
***IP ACCESS-GROUP IN or OUT?***
Let’s say:
(192.168.10.20) PC --> (fa0/0) RouterA (fa0/1) <----> (fa0/0) RouterB (fa0/1) <-- Server (172.16.10.10).
WE WANT TO BLOCK PC FROM PINGING SERVER:
a. ACCESS-LIST 110 DENY ICMP HOST 192.168.10.20 172.16.10.10 0.0.0.0
b. ACCESS-LIST 110 PERMIT IP ANY 0.0.0.0 255.255.255.255 (0.0.0.0 255.255.255.255 is just like saying any)
c. INT FA0/0 (this is the fa0/0 interface of RouterA, the one facing the PC)
d. IP ACCESS-GROUP 110 IN
WE WANT TO BLOCK IP ACCESS FROM PC TO SERVER:
a. ACCESS-LIST 110 DENY IP HOST 192.168.10.20 HOST 172.16.10.10 (this list matches on the destination too, so it has to be an extended list with a number from 100-199, not a standard number like 10)
b. ACCESS-LIST 110 PERMIT IP ANY ANY
c. INT FA0/1 (this is on RouterB, the interface facing the server)
d. IP ACCESS-GROUP 110 OUT
3. NAMED ACL’S: NAMED ACL’S ARE EITHER STANDARD OR EXTENDED AND NOT ACTUALLY A NEW TYPE.
a. IP ACCESS-LIST EXTENDED Ehsan
b. Router(config-ext-nacl)#DENY TCP HOST….. (inside a named list the entries are written without the ACCESS-LIST number prefix)
SHOW ACCESS-LISTS: displays the access lists configured on the router, including the match counter for each line, so you can see which lines are being hit.
SHOW IP ACCESS-LISTS Ehsan: displays the contents of all IP access lists named Ehsan.
NAT
There are 3 types of NAT:
STATIC NAT: One to one mapping between local and Global addresses.
a. IP NAT INSIDE SOURCE STATIC 192.168.1.1 170.46.2.2
b. INT E0
c. IP ADDRESS 192.168.1.1 255.255.255.0
d. IP NAT INSIDE
e. INT S0
f. IP ADDRESS 170.46.2.1 255.255.255.0
g. IP NAT OUTSIDE
DYNAMIC NAT: Map an IP address from a pool of IP addresses. You don’t have to statically configure your router to map each inside address to an individual outside address.
a. IP NAT POOL EHSAN 170.16.2.2 170.16.2.7 NETMASK 255.255.255.0 (Creates a pool of addresses that will be handed out to the hosts that require global addresses).
We Could Also Use PREFIX-LENGTH 24 command instead of NETMASK 255.255.255.0. PREFIX-LENGTH 24 means /24.
b. IP NAT INSIDE SOURCE LIST 1 POOL EHSAN (tells the router to translate IP addresses that match access-list 1 to an address found in the IP NAT pool named Ehsan)
c. INT E0
d. IP ADDRESS 192.168.1.1 255.255.255.0
e. IP NAT INSIDE
f. INT S0
g. IP ADDRESS 170.16.2.1 255.255.255.0
h. IP NAT OUTSIDE
i. ACCESS-LIST 1 PERMIT 192.168.1.0 0.0.0.255 (Yes, this access list is used solely to select the addresses for this NAT translation.)
OVERLOADING: This is really a type of dynamic NAT that maps multiple unregistered IP addresses to a single registered IP address (many-to-one) by using different source ports. It is also called PAT (Port Address Translation).
a. IP NAT POOL EHSAN 170.42.2.2 170.42.2.2 PREFIX-LENGTH 30
b. IP NAT INSIDE SOURCE LIST 1 POOL EHSAN OVERLOAD
c. INT E0
d. IP ADDRESS 10.1.1.5 255.255.255.0
e. IP NAT INSIDE
f. INT S0
g. IP ADDRESS 170.42.2.2 255.255.255.252 (a /30, matching the PREFIX-LENGTH 30 of the pool)
h. IP NAT OUTSIDE
i. ACCESS-LIST 1 PERMIT 10.1.1.0 0.0.0.255
NAT TERMS: Addresses after NAT translations are called global addresses. These are usually the public IP addresses. Local addresses are the ones we use before NAT translation, private addresses.
· Inside Local: Name of inside source address before translation. 10.1.1.3
· Inside Global: Name of inside host after translation. 170.168.2.2
· Outside Local: Name of destination host after translation.
· Outside Global: Name of outside destination host before translation.
SHOW IP NAT TRANSLATIONS: Shows basic IP NAT translations.
DEBUG IP NAT: shows and verifies the sending address, the translation, and the destination address on each debug line.
CLEAR IP NAT TRANSLATIONS: clear your NAT entries from the translation table.
SH IP NAT STATISTICS: Shows a summary of NAT configuration and it will count the number of active translation types.
FAST SWITCHING: shown by an * in debug ip nat output; the packet was translated and fast switched to the destination. Fast switching is used by Cisco routers to build a cache of layer 3 routing information that can be consulted at layer 2, so packets are forwarded through the router without parsing the routing table for every packet. As packets are process switched, this information is stored in the cache for later use, which speeds up the routing of later packets.
NAT EXAMPLE: we have a border router that needs to be configured with NAT and allow the use of six public IP addresses to the inside locals, 192.1.2.109 through 192.1.2.114. However, in the inside network we have 62 hosts that use the private address 192.168.10.65 through .126. How would our NAT config be on the border router?
a. IP NAT POOL EHSAN 192.1.2.109 192.1.2.109 NETMASK 255.255.255.248
b. ACCESS-LIST 1 PERMIT 192.168.10.64 0.0.0.63
c. IP NAT INSIDE SOURCE LIST 1 POOL EHSAN OVERLOAD
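To see why the 62 hosts in this example cannot share a handful of addresses without the OVERLOAD keyword, here is an added Python model of the translation table (an example written for these notes, not IOS code). Nat takes the pool range, the inside network that access-list 1 would permit (written as 192.168.10.64/26, the CIDR form of 192.168.10.64 0.0.0.63) and the overload flag; outbound() builds the inside local to inside global mapping and inbound() reverses it for return traffic. Without overload every inside host consumes a whole pool address and, with a two-address pool, the third host finds it empty; with overload one address serves them all and only the translated source port tells the flows apart, so an inbound packet to a port with no table entry has nowhere to go. The host and destination addresses used are constructed.

```python
import ipaddress
from typing import Dict, Optional, Tuple

Flow = Tuple[str, str, int]   # (protocol, address, port)


class Nat:
    """Translate inside-local sources to inside-global addresses, either one
    address per host (dynamic NAT) or many hosts behind one address, told
    apart by port (overload / PAT)."""

    def __init__(self, pool_start: str, pool_end: str, inside_list: str,
                 overload: bool = False) -> None:
        first = int(ipaddress.IPv4Address(pool_start))
        last = int(ipaddress.IPv4Address(pool_end))
        self.pool = [str(ipaddress.IPv4Address(a)) for a in range(first, last + 1)]
        # the page's 'access-list 1 permit 192.168.10.64 0.0.0.63', as a CIDR network
        self.inside_list = ipaddress.ip_network(inside_list)
        self.overload = overload
        self.host_map: Dict[str, str] = {}              # dynamic NAT: local -> global
        self.flows: Dict[Flow, Tuple[str, int]] = {}    # local flow -> (global, port)
        self.reverse: Dict[Flow, Tuple[str, int]] = {}  # global flow -> (local, port)

    def _alloc_overload(self, proto: str, want_port: int) -> Optional[Tuple[str, int]]:
        # Keep the host's own source port when it is free on some pool address...
        for glob in self.pool:
            if (proto, glob, want_port) not in self.reverse:
                return glob, want_port
        # ...otherwise take the next free port; the port alone keeps flows apart.
        for glob in self.pool:
            for port in range(1024, 65536):
                if (proto, glob, port) not in self.reverse:
                    return glob, port
        return None

    def outbound(self, proto: str, src_ip: str, src_port: int) -> Optional[Tuple[str, int]]:
        """Translate an inside->outside packet. None means no translation was
        possible (pool exhausted) and the router drops the packet."""
        if ipaddress.ip_address(src_ip) not in self.inside_list:
            return src_ip, src_port          # list 1 did not match: routed untranslated
        key = (proto, src_ip, src_port)
        if key in self.flows:
            return self.flows[key]           # an existing translation is reused
        if self.overload:
            alloc = self._alloc_overload(proto, src_port)
            if alloc is None:
                return None
        else:
            glob = self.host_map.get(src_ip)
            if glob is None:
                free = [a for a in self.pool if a not in self.host_map.values()]
                if not free:
                    return None              # every pool address is already owned by a host
                glob = self.host_map[src_ip] = free[0]
            alloc = (glob, src_port)         # one-to-one: the port is left untouched
        self.flows[key] = alloc
        self.reverse[(proto, alloc[0], alloc[1])] = (src_ip, src_port)
        return alloc

    def inbound(self, proto: str, dst_ip: str, dst_port: int) -> Optional[Tuple[str, int]]:
        """Reverse an outside->inside packet. Under overload a port with no
        state is unreachable: the table is the only thing that knows the way back."""
        hit = self.reverse.get((proto, dst_ip, dst_port))
        if hit is not None or self.overload:
            return hit
        for local, glob in self.host_map.items():  # dynamic NAT maps the whole address
            if glob == dst_ip:
                return local, dst_port
        return None
```

The SHOW IP NAT TRANSLATIONS output described further down is essentially a dump of the flows table here: inside local and inside global, each with its port when overload is on.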
CISCO’S WIRELESS TECHNOLOGIES
There are four main wireless channels and I will go over some of their basic differences.
· 2.4GHz (802.11b): It has 11 channels and 1, 3, and 6 are the only ones that do not overlap. It has a maximum transfer rate of 11Mbps. Uses CSMA/CA (Carrier Sense Multiple Access with Collision Avoidance) with RTS/CTS (Request to Send, Clear to Send), where for every packet sent an ack must be received.
· 2.4GHz (802.11g): Backwards compatible with 802.11b. It delivers a 54Mbps maximum data rate if you are less than 100ft from the AP. If you have 802.11b running in the same network, everyone connected to the access point is forced down to 802.11b, even if your wireless card supports 802.11g.
· 5GHz (802.11a): Maximum data rate of 54Mbps (only if you are 50ft or less away from the AP) and up to 28 non-overlapping channels.
· 2.4GHz (802.11n): 40MHz wide channels. Uses MIMO, multiple transmitter and receiver antennas, to increase data throughput and range. 802.11n is also backwards compatible. Speeds can be up to 119Mbps! Uses block ack and can pass many packets before an ack is required.
These all have the ability to rate shift while moving, meaning the further you are from the AP, the lower your speed drops: from 54Mbps to 48Mbps, 24Mbps…
Wireless VoIP requirements in a wireless network are: create separate VLANs, one for voice and one for data; provide switches with PoE; determine bandwidth needs; and configure QoS.
WIRELESS TECHNOLOGIES:
· Adhoc: Wireless NICs communicate directly without the need for an AP.
· BASIC SERVICE SET (BSS): An access point provides management of wireless frames so the hosts can communicate. This is kind of like ad hoc, but all the PCs use an AP.
· INFRASTRUCTURE BASIC SERVICE SET (IBSS): Typical wireless network, where all the hosts connect to an AP and the AP to a DS (Distribution System), which could be a device like a switch. The APs do not communicate with each other through the wireless network, only through the DS.
· EXTENDED SERVICE SET (ESS): If all your access points use the same SSID, mobile wireless clients can roam freely within the same network. This is ESS technology and it lets people roam around more easily. All APs must overlap their neighbor’s cell by at least 10 to 20 percent of their signal, and make sure the channels on neighboring APs are set differently.
WIRELESS SECURITY:
· Open access: No security.
· WEP: The AP sends the client a challenge-text packet that the client must encrypt with the correct WEP key and return to the AP; unfortunately, the challenge itself travels in clear text, not encrypted. Keys are either 40 or 128 bits.
· TKIP and the better one, AES: These two are encryption technologies that make sure the traffic is not sent in the clear.
· WPA and WPA2 PSK: Use AES encryption.
o Personal mode: Uses only a pre-shared key for authentication.
o Enterprise mode: Uses EAP (Extensible Authentication Protocol) for authentication. AES is used by PSK to encrypt the pre-shared key.
· LOCAL EAP: Normally uses a RADIUS server to authenticate.
IPv6
Advantages are that it has IPsec built in, mobility from one network to another, faster processing and a lot more IP addresses. An IPv6 address is 128 bits long as opposed to the 32 bits of IPv4. There are more levels of hierarchy inside the address space and a more flexible addressing architecture.
There are 8 groups of numbers instead of 4 and they are separated by colons. In a web browser, you have to type the address in brackets.
IPv6, unlike IPv4 (which uses broadcasts), uses Multicast.
Unicast: Same as IPv4 which sends to one device.
Global Unicast: Your typical publicly routable addresses; they are the same as they are in IPv4.
Link Local Address: These are like private addresses in IPv4 in that they are not meant to be routed. Think of them as a tool to create a private LAN to share resources. Example would be: 169…
Unique Local Address: These are like IPv4 private addresses that can be routable to multiple local networks. Example would be: 10.1.5.1.
Multicast: Same as IPv4, where packets addressed to a multicast address are sent to all the interfaces tuned into that multicast address. Sometimes people call them one-to-many addresses.
Anycast: Like a multicast address, an anycast address identifies multiple interfaces on multiple devices, but there’s a big difference. The anycast packet is delivered to only one device, actually to the closest one it finds, defined in terms of routing distance. These are referred to as “one-to-nearest” addresses.
:: - Equivalent to IPv4’s 0.0.0.0.
0:0:0:0:0:0:0:1 (::1) - The loopback address, same as 127.0.0.1.
0:0:0:0:0:0:192.168.100.1 - How an IPv4 address is written in a mixed IPv6/IPv4 environment.
2000::/3 - Global unicast address range.
FC00::/7 - Unique local.
FE80::/10 - Link local.
FF00::/8 - Multicast range.
2002::/16 - Used with 6to4 tunneling.
2001:0db8::/32 - Reserved for testing, examples and documentation.
An IPv6 address example: 2001:0db8:3c4d:0012:0000:0000:1234:56ab
2001:0db8:3c4d (global prefix) : 0012 (subnet) : 0000:0000:1234:56ab (interface ID).
SHORTENED EXPRESSIONS: You can drop the leading zeros in any individual block, so the earlier IPv6 address becomes 2001:db8:3c4d:12:0:0:1234:56ab. Consecutive blocks of zeros (0000:0000) can also be replaced by ::. Remember, you can collapse only one contiguous run of zero blocks to :: in an IPv6 address. So 2001:0000:0000:0012:0000:0000:1234:56ab becomes 2001::12:0:0:1234:56ab. The reason is that a device reading the address would otherwise have no way to tell how many zero blocks belong in each gap.
AUTOCONFIGURATION: a useful tool because it allows devices on a network to address themselves with a link-local as well as a global unicast address. This happens by first learning the prefix information from the router and then appending the device’s own interface address as the interface ID. The interface ID is derived from each device’s MAC address, and since the MAC address is only 48 bits as opposed to 64, it’s padded with FFFE in the middle. On a side note, let’s say we have one IPv6 address starting with 0060 and another with 0260. Where did the 2 come from? Part of the padding process, called the EUI-64 (Extended Unique Identifier) format, changes a bit to specify whether the address is locally unique or globally unique. The bit that gets changed is the 7th bit. A bit value of 1 is global and 0 is local. To perform autoconfiguration, the host goes through a basic 2 step process:
1. The host needs its prefix information, so it sends out a multicast ICMP RS (router solicitation) message to all the routers.
2. The router answers back with a prefix information via RA (router advertisement).
By the way, this type of autoconfiguration is called stateless autoconfiguration because it doesn’t contact or connect and receive any further information from the other device.
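The shortening rules and the EUI-64 padding above, as an added Python example (not part of the original notes). compress() implements the two rules: drop leading zeros in each block and replace one run of zero blocks with ::, the longest run or the leftmost on a tie. eui64_interface_id() flips the 7th bit of the first octet and inserts FFFE, so the MAC 0060.d673.1987 produces the 0260:d6ff:fe73:1987 interface ID seen in the page's example address, and global_from_prefix() joins a /64 prefix with that ID, which is what the EUI-64 option on the address command does for you. matches_stdlib() cross-checks the hand-written compression against Python's ipaddress module. The MAC address is read back from the interface ID on the page; the rest is constructed.

```python
import ipaddress


def compress(addr: str) -> str:
    """Shorten a full eight-group IPv6 address: drop leading zeros in each group
    and replace the longest run of all-zero groups (leftmost on a tie, and only
    if it is two groups or more) with '::', which may appear once."""
    groups = [int(g, 16) for g in addr.split(":")]
    if len(groups) != 8:
        raise ValueError("expected the full eight-group form")
    best_start, best_len, i = -1, 0, 0
    while i < 8:
        j = i
        while j < 8 and groups[j] == 0:
            j += 1
        if j - i > best_len:
            best_start, best_len = i, j - i
        i = j + 1 if j == i else j
    short = [format(g, "x") for g in groups]    # format() drops the leading zeros
    if best_len < 2:
        return ":".join(short)                  # a single zero group is written as 0
    return ":".join(short[:best_start]) + "::" + ":".join(short[best_start + best_len:])


def eui64_interface_id(mac: str) -> str:
    """Build the 64-bit interface ID from a 48-bit MAC (colon, dash or Cisco
    dotted form): flip the U/L bit (7th bit of the first octet) and insert FFFE
    between the vendor half and the device half."""
    digits = "".join(c for c in mac if c in "0123456789abcdefABCDEF")
    if len(digits) != 12:
        raise ValueError("a MAC address has 12 hex digits")
    octets = bytearray.fromhex(digits)
    octets[0] ^= 0x02                # 00 -> 02: a burned-in MAC becomes 'globally unique'
    eui = bytes(octets[:3]) + b"\xff\xfe" + bytes(octets[3:])
    return ":".join(f"{eui[k]:02x}{eui[k + 1]:02x}" for k in range(0, 8, 2))


def global_from_prefix(prefix: str, mac: str) -> str:
    """What 'ipv6 address <prefix>/64 eui-64' yields: the router's prefix in the
    top 64 bits and the EUI-64 interface ID in the bottom 64."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 addressing needs a /64 prefix")
    top = ":".join(net.network_address.exploded.split(":")[:4])
    return compress(top + ":" + eui64_interface_id(mac))


def matches_stdlib(addr: str) -> bool:
    """Cross-check of compress() against the standard library's RFC 5952 form."""
    return compress(addr) == ipaddress.IPv6Address(addr).compressed
```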
To enable IPv6 which is by default disabled: IPV6 UNICAST-ROUTING. IPv6 isn’t enabled on any interfaces either so we have to go to each and enable it. The easiest way to do it is to just add an IPv6 address to an interface.
Router(config-if)#IPV6 ADDRESS 2001:DB8:3C4D:1:0260:D6FF:FE73:1987/64. Remember, you can use the eui-64 option and instead type: IPV6 ADDRESS 2001:DB8:3C4D:1::/64 EUI-64.
IPv6 uses ICMPv6 in its core for neighbor discovery, RS/RA and other features.
Routing protocols:
1. RIPng: next generation RIP for IPv6; it uses FF02::9 (just like 224.0.0.9):
a. Router(config-if)#IPV6 RIP 1 ENABLE: The 1 is a tag that identifies the RIPng process that’s running.
b. Router(config)#IPV6 ROUTER RIP 1: You enter this if you need to go to router configuration mode and configure something like redistribution.
2. EIGRPv6: FF02::A (same as 224.0.0.10, its IPv4 multicast address).
a. Router(config)#IPV6 ROUTER EIGRP 10
b. Router(config-rtr)#NO SHUT: the routing process must literally be turned on using this command.
c. Router(config-if)#IPV6 EIGRP 10
3. OSPFv3: FF02::5 and FF02::6.
a. Router(config)#IPV6 ROUTER OSPF 10
b. Router(config-rtr)#ROUTER ID 1.1.1.1
We don’t even need to configure OSPF from this prompt if we configure OSPFv3 from the interface. When the interface configuration is completed, the router config process is added automatically:
Router(config-if)#IPV6 OSPF 10 AREA 0.0.0.0
MIGRATING TO IPV6:
1. Dual Stacking: The most common type of migration strategy because it’s easier on us. It allows all devices to communicate using either IP4 or IP6. Dual stacking lets you upgrade your devices and applications on the network one at a time. As more and more hosts and devices on the network are upgraded, more of your communication will happen over IP6.
a. IPV6 UNICAST-ROUTING
b. INT FA 0/0
c. IPV6 ADDRESS 2001:DB8:3C4D:1::/64 EUI-64
d. IP ADDRESS 192.168.55.1 255.255.255.0 (the IPv4 address on the same interface)
2. 6TO4 TUNNELING: Useful for carrying IPv6 packets over a network that’s still running IPv4. All it requires is taking the IPv6 packet traversing the tunnel and sticking an IPv4 header onto the front of it. To do this, we need a couple of dual-stacked routers. Remember, if there’s a NAT translation at the other end, it will break this tunnel encapsulation. To create the tunnel:
a. Router1(config)#INT TUNNEL 0
b. IPV6 ADDRESS 2001:DB8:3C4D:1::/64 EUI-64
c. TUNNEL SOURCE 192.168.30.1
d. TUNNEL DESTINATION 192.168.40.1
e. TUNNEL MODE IPV6IP
AND THE NEXT ROUTER:
a. Router2(config)#INT TUNNEL 0
b. IPV6 ADDRESS 2001:DB8:3C4D:1::/64 EUI-64
c. TUNNEL SOURCE 192.168.40.1
d. TUNNEL DESTINATION 192.168.30.1
e. TUNNEL MODE IPV6IP
3. NAT-PT: Only use this as a last resort because it’s not a great solution. As you know IPv6 doesn’t have any NAT in it. Basically, your IPv6 packets will be translated to IPV4 addresses.
Wide Area Networks.
WAN CONNECTION TYPES:
a. LEASED LINES (DEDICATED): These are usually referred to as a point to point connection. A leased line is a pre-established WAN communication path that goes from the CPE through the DCE switch, then to the CPE of the remote site. It lets the DTE networks communicate at any time. This is an expensive option.
b. CIRCUIT SWITCHING: Think phone call. This technology uses dial up modems or ISDN and is used for low bandwidth data transfer.
c. PACKET SWITCHING: This is a WAN switching method that allows you to share bandwidth with other companies to save money. This is more advantageous if your data transfer types are more burst type and not continuous. Frame relay is a packet switching technology.
DTE (DATA TERMINAL EQUIPMENT): By default, router interfaces are DTE and then connect into DCE.
DCE (DATA COMMUNICATION EQUIPMENT): The idea behind a WAN is to be able to connect two DTE networks through a DCE network. The DCE network includes the CSU/DSU, through the provider’s wiring and switches all the way to the CSU/DSU at the other end. The DCE provides clocking to the DTE connected interface.
DEMARC: DCE’s connect to a demarc and this is the ISP’s last responsibility. Most of the time, the demarc has an RJ-45 jack.
CPE (CUSTOMER PREMISE EQUIPMENT): Our equipment.
Some Of The Known Protocols Used On A Serial Interface Are Frame Relay, HDLC, and PPP. Who Said We’re Only Stuck With Using Serial Interfaces Now Though?
1. Frame relay: (I won’t get into too much detail, as Frame Relay is considered an older technology.) Frame relay is a packet switching technology which is NBMA, meaning it does not send and receive broadcasts such as RIP updates. It uses two bandwidth specifications: access rate, the maximum speed at which the frame relay interface can transmit, and CIR, the rate, in bits per second, at which the frame relay switch agrees to transfer data. When using it on a Cisco router, you have to use it as an encapsulation type. You can’t use PPP or HDLC with frame relay. There are two encapsulations: Cisco, if you’re connecting to another Cisco device, and IETF for connecting to a non-Cisco device.
Virtual Circuits: Frame relay uses a VC between your two DTE devices, making them appear to be connected via a circuit when in reality they’re dumping their data into one shared infrastructure. There are two types of VC:
o Permanent: the telco creates the mapping inside its gear and, as long as you pay the bill, it remains in place.
o Switched: More like a phone call. The VC is established when the data needs to be transmitted, and taken down when complete.
DLCI (DATA LINK CONNECTION IDENTIFIER): Frame relay PVCs (permanent VCs) are identified to DTE devices through DLCIs. A frame relay service provider typically provides the DLCI values, which are used on frame relay interfaces to distinguish between different VCs. Since many VCs can be terminated on one frame relay interface, many DLCIs are associated with it to differentiate between those connections. IARP (Inverse ARP) is used by frame relay to map a known DLCI to an IP address; if you use a non-Cisco device, you have to map IP to DLCI manually. DLCIs are only locally significant.
LMI (LOCAL MANAGEMENT INTERFACE): A signaling standard used between your router and the first frame relay switch it’s connected to. It allows passing information about the operation and status of the VC between the provider’s network and the DTE. It communicates information about keepalives, multicasting, global addressing, and the status of VCs.
2. PPP: Can be used to create point to point links between different vendors’ equipment. It uses a network control protocol field in the data link header to identify the network layer protocol being carried, and allows authentication and multilink connections to be run over asynchronous and synchronous links. This is a data link layer protocol. Since HDLC is the default serial encapsulation on Cisco serial links, why and when would you choose PPP? The basic purpose of PPP is to transport layer 3 packets across a data link layer point to point link, and it’s nonproprietary. So unless you have all Cisco routers, you need PPP on your serial interfaces. Also, PPP encapsulates layer 3 protocols and provides authentication, dynamic addressing, and callback.
a. LCP (LINK CONTROL PROTOCOL): A method for establishing, configuring, maintaining, and terminating the point to point connection.
i. Authentication: This option tells the calling side of the link to send information that can identify the user. The two methods are:
1. PAP (Password Authentication Protocol): The less secure method of the two, passwords are sent in cleartext and PAP is performed only upon the initial link establishment. When the PPP link is first established, the remote node sends the username and password back to the originating target router until authentication is acknowledged.
2. CHAP (Challenge Handshake Authentication Protocol): CHAP is used at the initial startup of a link and at periodic checkups on the link to make sure the router is still communicating with the same host. After PPP finishes its initial link establishment phase, the local router sends a challenge request to the remote device. The remote device sends back a value calculated using a one-way hash function, MD5. The local router checks this hash value to make sure it matches its own. If the values don’t match, the link is immediately terminated.
ii. Compression: PPP compresses and decompresses to increase data throughput.
iii. Error detection.
iv. Multilink: This option makes several separate physical paths to appear to be one logical path at layer 3. For example, two T1’s running multilink PPP would show up as a single 3Mbps path.
v. PPP Call back: PPP can be configured to call back after successful authentication.
b. NCP (Network Control Protocol): Used to allow multiple network layer protocols to be used on and communicate over a point to point connection.
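PAP versus CHAP, as an added Python example of the exchange described above (not part of the original notes and not IOS code). pap_on_wire() shows what the link carries under PAP: the username and password in the clear. The CHAP side models Router_A as the authenticator holding the 'username ROUTER_B password cisco' entry and Router_B as the peer: Router_A sends an identifier and a random challenge, Router_B replies under its hostname with MD5(identifier + secret + challenge), Router_A recomputes the digest and compares. Because every challenge is fresh and used once, a captured response cannot be replayed later, and the secret itself never crosses the link; run_link() repeats the exchange for the periodic re-checks the notes mention. The password cisco and the hostnames come from the page's configuration; the 16-byte challenge length is an assumption of the example.

```python
import hashlib
import hmac
import os
from typing import Dict, Tuple


def pap_on_wire(username: str, password: str) -> bytes:
    """A PAP Authenticate-Request as the link carries it: both fields in the clear."""
    u, p = username.encode(), password.encode()
    return bytes([len(u)]) + u + bytes([len(p)]) + p


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """CHAP with MD5 (RFC 1994): Response = MD5(Identifier || secret || Challenge).
    Only this digest crosses the link, never the secret."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class ChapAuthenticator:
    """The local router: holds the 'username <peer> password <secret>' entries,
    issues challenges and checks the responses, at link-up and periodically."""

    def __init__(self, peers: Dict[str, bytes]) -> None:
        self.peers = peers
        self.identifier = 0
        self.outstanding: Dict[int, bytes] = {}

    def challenge(self) -> Tuple[int, bytes]:
        self.identifier = (self.identifier + 1) & 0xFF
        value = os.urandom(16)                    # fresh and unpredictable every time
        self.outstanding[self.identifier] = value
        return self.identifier, value

    def verify(self, identifier: int, name: str, response: bytes) -> bool:
        challenge = self.outstanding.pop(identifier, None)   # one-shot: a replay finds nothing
        secret = self.peers.get(name)
        if challenge is None or secret is None:
            return False
        expected = chap_response(identifier, secret, challenge)
        return hmac.compare_digest(expected, response)        # constant-time compare


class ChapPeer:
    """The remote router: its hostname is the CHAP name and the password it has
    configured for the authenticator is the shared secret."""

    def __init__(self, hostname: str, secret: bytes) -> None:
        self.hostname, self.secret = hostname, secret

    def respond(self, identifier: int, challenge: bytes) -> Tuple[str, bytes]:
        return self.hostname, chap_response(identifier, self.secret, challenge)


def run_link(auth: ChapAuthenticator, peer: ChapPeer, rounds: int) -> bool:
    """Initial authentication plus (rounds - 1) periodic re-challenges; the link
    is torn down (False) at the first failed check."""
    for _ in range(rounds):
        identifier, challenge = auth.challenge()
        if not auth.verify(identifier, *peer.respond(identifier, challenge)):
            return False
    return True


# Router_A holds 'username ROUTER_B password cisco'; Router_B answers with its
# hostname and the same secret, as in the PPP configuration on this page.
ROUTER_A = ChapAuthenticator({"ROUTER_B": b"cisco"})
ROUTER_B = ChapPeer("ROUTER_B", b"cisco")
```

Note that the peer's name has to match a username entry exactly (case included), which is why the notes insist the usernames and passwords are case sensitive.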
To configure PPP you must have a username and password configured for each remote system you plan to connect to. The remote routers must also be similarly configured with usernames and passwords. The username and password are case sensitive, and the password by default is not encrypted:
a. Router(config)#HOSTNAME ROUTER_A
b. Router_A(config)#USERNAME ROUTER_B PASSWORD cisco
c. Router_A(config)#INT S0
d. Router_A(config-if)#IP ADDRESS 10.1.1.1 255.255.255.0
e. Router_A(config-if)#ENCAPSULATION PPP (Of course, PPP encapsulation has to be enabled on both interfaces connected to the serial line in order to work.)
f. Router_A(config-if)#PPP AUTHENTICATION CHAP PAP (If both authentication methods are listed, only the first is tried during link negotiation and the second is used as a backup.)
g. Router(config)#HOSTNAME ROUTER_B
h. Router_B(config)#USERNAME ROUTER_A PASSWORD cisco
i. Router_B(config)#INT S0
j. Router_B(config-if)#IP ADDRESS 10.1.1.2 255.255.255.0
k. Router_B(config-if)#ENCAPSULATION PPP
l. Router_B(config-if)#PPP AUTHENTICATION CHAP PAP
You can verify the serial line, the encapsulation, LCP being open (meaning it has negotiated the session establishment and all is good!), and NCP with SHOW INT S0/0. Three common issues that can cause a link not to work are mismatched encapsulations on the two ends of the line, no keepalives coming from the remote router, and IP addresses of the link ends on different subnets. You can use the SH CDP NEI command to see the mismatched IP address of your neighbor.
3. HDLC: HDLC Specifies An Encapsulation Method For Data On Synchronous Serial Data Links Using Frame Characters And Checksums. Remember That HDLC Is The Default Encapsulation On Synchronous Serial Interfaces. No Authentication Is Provided By HDLC. Cisco’s HDLC Is Proprietary And Won’t Communicate With Any Other Vendor’s Implementation. Everyone’s HDLC Is Proprietary. So Let’s Say You Need To Connect Your Cisco Router To A Non-Cisco Router: You Would Have To Use An Encapsulation Like PPP.
CONCLUSION:
The Goal Of This Article Is To Give An Easy Way To Understand The “BASIC NETWORKING (CISCO) SHORT REFERENCES”, And We Also Hope This Guide Will Help Every Beginner Who Is Going To Start Cisco Lab Practice Without Any Doubts. Some Topics That You Might Want To Pursue On Your Own That We Did Not Cover In This Article Are Listed Here! Hands-On Experience Is An Invaluable Part Of Preparing For The Lab Exam, So Never Pass Up An Opportunity To Configure Or Troubleshoot A Router (If You Have Access To Lab Facilities, Take Full Advantage Of Them). There Is No Replacement For The Experience You Can Gain From Working In A Lab, Where You Can Configure Whatever You Want To Configure And Introduce Whatever Problems You Want To Introduce, Without Risk Of Disrupting A Production Network. Thank You And Best Of Luck. This Article Was Written By: Mr. Premakumar Thevathasan - CCNA And CCNP (Routing & Switching), MCSE, MCSA, MCSA - MSG, CIW Security Analyst, CompTIA Certified A+, Etc.
WARNING AND DISCLAIMER:
Routers Direct And Control Much Of The Data Flowing Across Computer Networks. This Guide Provides Technical Guidance Intended To Help All Network Students, Network Administrators And Security Officers Improve Their Demonstrated Ability To Achieve Specific Objectives Within Set Timeframes. We Cannot Provide Any Kind Of Advice, Explanation, Opinion, Or Recommendation And This Document Carries No Explicit Or Implied Warranty. Nor Is There Any Guarantee That The Information Contained In This Document Is Accurate. Every Effort Has Been Made To Make All Articles As Complete And As Accurate As Possible, But No Warranty Or Fitness Is Implied. Your Access To The Website Is At Your Own Risk. It Is Offered In The Hope Of Helping Others, But You Use It At Your Own Risk Only. The Author Will Not Be Liable For Any Special, Incidental, Consequential Or Indirect Damages Due To Loss Of Data Or Any Other Reason That Occur As A Result Of Using This Document. The Information Provided Is On An "As Is" Basis. All Use Is Completely At Your Own Risk. Your Access To The Website Is Subject To Our Terms Of Use.