Cisco CCNA Training Curriculum
Course Outsource 2008 - All Rights Reserved.
Copyright 2006 Course Outsource. All Rights Reserved. Copyright 2008 Course Outsource. All Rights Reserved.
Welcome to our version of the:
CCNA
Cisco Certified Network Associate
Welcome to our Cisco CCNA training course. This course will help you
better understand how networking is defined, implemented and supported in
the real world.
More precisely, this course will give you a Cisco-specific network perspective.

Introduction
This is a 5 day hands-on course which covers the following exam objectives.
- CCNA 3.0 (640-802)
Another exam option this course covers:
- ICND1 (640-822)
- ICND2 (641-816)
This course was also written to help you understand the objectives for the
Cisco 640-801 exam; however, the ICND and Intro exams are also covered.
We do not suggest that you take the two-test option, as it is not easier than the
one-test method. Of course, that is up to you, and we are confident this course
will prepare you whichever way you decide to go.
Now, let's start with this course book itself.
Each page of this course book will consist of slides from the instructor's slide
deck and the accompanying information to explain the content of the slide.
Some slides are markers (i.e. chapter headings, outlines, intros, etc.) and
require no additional information. In this case you will see the next
corresponding slide immediately following. For example, look at the next few
pages which outline the class and the exam.

CCNA Exam
- Around 50-60 items
- Around 850 out of 1000 to pass
- The number of questions and percent to pass varies on each exam
- About 90 minutes
- Cannot return to questions
- Simulated, testlets, multiple choice, fill-in-the-blank, and drag-and-drop questions

CCNA Course Outline
Chapter 1: The Cisco Router and Switch Interface
Cisco IOS
Cisco CLI
Administrative Functions
Configuring Interfaces
Introduction to Cisco Catalyst Switches
Chapter 2: Managing a Cisco Internetwork
Copying and saving the IOS and configuration
Troubleshooting Cisco networks
Chapter 3: TCP/IP Addressing and Subnetting
IP Addressing
Class C Subnetting
Chapter 4: IP Routing
Basic IP routing
Static Routing
RIPv1 and RIPv2
EIGRP
OSPF
Chapter 5: Advanced TCP/IP
Class C subnetting review
Class B subnetting
VLSM design and implementation
Discontiguous Networks
Summarization
Chapter 6: Security
Introduction to Security
Standard Access Lists
Extended Access Lists
Named Access Lists
Chapter 7: Network Address Translation
Static NAT
Dynamic NAT Pools
Port Address Translation (PAT)
Chapter 8: Switching
Virtual LANs (VLANs)
Spanning Tree Protocol (STP)
Chapter 9: Wireless LANs
- 802.11
- Basic Service Sets (BSS)
Chapter 10: Introduction to IPv6
- IPv6 Addressing
- Implementing IPv6
Chapter 11: Cisco WAN Support
Basic WAN
HDLC
PPP
Frame Relay

Preface
Course Conventions

Local-Area and Wide-Area Network Symbols Key
[Figure: symbols key for Router, Bridge, Ethernet Switch, ATM Switch, Hub, MAU, Concentrator, Server, Comm Server, CSU/DSU, WAN Cloud, Serial Line, Ethernet]

Syntax Conventions
Router prompts are in BLACK as follows:
R1#
Router commands to be entered by the user are in GREEN as follows:
R1(config)# interface serial 0
R1(config-if)# shutdown

Chapter 1: The Cisco Router and Switch Interface
In this chapter we will discuss the basics and touch on a few advanced
topics with regard to interfaces, configurations, registers and the like. We
will review switch interfaces at the end of the chapter.

Router Power-On/Bootup Sequence
1. Perform Power-On Self Test (POST)
2. Load and run bootstrap code
3. Look in NVRAM for config-register setting
4. Load the Cisco IOS software
5. Find the configuration (if none, run Setup)
6. If found, load the configuration in RAM
When you first bring up a Cisco router, it will run a Power-On Self-Test
(POST), and if that passes, it will then look for and load the Cisco IOS from
Flash memory, if a file is present. In case you don't know, flash memory is
an electronically erasable programmable read-only memory (EEPROM).
The IOS then proceeds to load and then look for a valid
configuration, the startup-config, that's stored by default in nonvolatile
RAM, or NVRAM.
ROM
- Contains microcode for basic functions
- Runs POST
- Loads bootstrap
- Has Mini-IOS
- Provides ROM-Monitor mode

Router Interfaces
Router interfaces can be GigabitEthernet, FastEthernet, Ethernet, Token Ring
and various other LAN physical technologies, like FDDI.
The serial ports can be used for a WAN T1, for example, or PPP or Frame
Relay.
Miscellaneous ports can include BRI for ISDN.
The Console port is a serial connection that allows out-of-band signaling.
The Aux port is a console port that allows modem commands so you can dial
into the router out-of-band if a remote router goes down and you need to
configure it through the console connection.

Cisco IOS Software EXEC
- User Mode
  - Limited examination of switch or router
  - Command prompt on the device: Router>
- Privileged (or enable) Mode
  - Detailed examination of switch or router
  - Enables configuration and debugging
  - Prerequisite for other configuration modes
  - Command prompt on the device: Router#

Logging into the Router
Router con0 is now available
Press RETURN to get started.
Router>              (User mode prompt)
Router> enable
Router#              (Privileged mode prompt)
Router# disable
Router> quit
After the interface status messages appear and you press Enter, the Router>
prompt will appear. This is called User mode and is mostly used to view
statistics.
There are two primary EXEC modes for entering commands on a Cisco router.
These are User and Privileged modes. User mode is used to verify status and
run basic show commands. You can only view and change the configuration
of a Cisco router in Privileged mode, which you get into with the enable
command.

Router Context-Sensitive Help
Router# clok
Translating "CLOK"
% Unknown command or computer name, or unable to find computer address
Router# cl?
clear clock
Router# clock
% Incomplete command.
Router# clock ?
set Set the time and date
Router# clock set 19:56:00 04 8
                              ^
% Invalid input detected at the '^' marker
Note: The command help does not give you help on a command.
You can use the Cisco advanced editing features to help you configure your
router. If you type in a question mark (?) at any prompt, you'll be given the list
of all the commands available from that prompt.
You can press the spacebar to get another page of information, or you can
press Enter to go one command at a time.
Once you have enough characters for a non-ambiguous command, the Tab
key can be pressed to complete the syntax, and then the ? key can be entered
to obtain additional help if needed. If a command is ambiguous, you will need
to enter more characters or ? to determine the specific syntax to use for the
desired command.
The ^ character is used to identify where syntax errors or invalid input were
detected.

Using Enhanced Editing
Automatic scrolling of long lines gives you $ and moves your text ten spaces to the left.
<Ctrl-A>         Move to the beginning of the command line.
<Ctrl-E>         Move to the end of the command line.
<Esc-B>          Move back one word.
<Ctrl-F>         Move forward one character.
<Ctrl-B>         Move back one character.
<Esc-F>          Move forward one word.
<Ctrl-D>         Delete a single character.
Tab              Finishes typing a command for you.
Up/down arrows   Displays previous/next command from the history buffer.
This slide shows the list of the enhanced editing commands available on a
Cisco router.
The most common enhanced editing features used are the up/down arrows. On
some terminal emulators, you may need to do a <Ctrl-P> or a <Ctrl-N> if the
up/down arrows do not function.

Router Command History
Ctrl-P or Up arrow                     Last (previous) command recall
Ctrl-N or Down arrow                   More recent command recall
Router> show history                   Show command buffer contents
Router> terminal history size lines    Set session command buffer size
You can review the router-command history with the commands shown in this
slide. This is very helpful and will save you from re-typing things over and
over and over.

Break Sequences
<CTRL>+z
<CTRL>+c
<CTRL>+<SHIFT>+6 then X
<CTRL>+Break or <CTRL>+<SHIFT>+6 then B during the router boot cycle allows you to access ROM Monitor mode. One purpose is to perform password recovery.
This slide shows some basic break sequences you can use on a Cisco router.
The <Ctrl>+<Shift>+6 then X is used to break out of a command. This is
especially helpful on traceroute where the traceroute is to a network not in the
routing table. By default the command would continue for 30 hops, with each
waiting for the TTL to expire. This can save a lot of time by breaking out of
the command. <Ctrl>+<Shift>+6 then B is very helpful if you are performing
a password recovery and your PC configuration does not have a break key or
if the <Ctrl>+[Break key] is not stopping the cycle of the reboot.

Router Components
[Figure: router components and the show commands that examine them]
Console, Auxiliary, Interfaces
RAM: [Running-Config], routing table, ARP cache, packet buffers
NVRAM: [Startup-Config], [config-register]
Flash: [IOS]
ROM: [POST], [Bootstrap], [Skeleton IOS]
Router# show interfaces
Router# show mem
Router# show ip route
Router# show flash
Router# show startup-config
Router# show running-config
Router# show process cpu
Router# show protocols
Router# show version
Router# show line
show flash: shows all files in flash.
show startup-config: shows the backup configuration stored in NVRAM.
show running-config: shows the configuration the router is using at the
moment.
show interfaces: shows the status of all interfaces. You can type show
interface s0 to see just the statistics of serial 0.
show line: shows you all the available lines that can be configured on a router.
The default lines are aux, console and vty.
show version: covered in the next slide

show version Command
Router# show version
Cisco Internetwork Operating System Software
IOS (tm) 2600 Software (C2600-JS-L), Version 12.0(8),
RELEASE SOFTWARE (fc1)
Copyright (c) 1986-1999 by cisco Systems, Inc.
Compiled Mon 08-Feb-99 18:18 by phanguye
Image text-base: 0x03050C84, data-base: 0x00001000
ROM: System Bootstrap, Version 11.0(10c), SOFTWARE
BOOTFLASH:3000 Bootstrap Software (IGS-BOOT-R),Version 11.0(10c),
RELEASE SOFTWARE(fc1)
R1 uptime is 22 minutes
System restarted by reload
System image file is "flash:c2600-js-l_120-8.bin"
(output cut)
Displays system hardware config info, software version, and the
names and sources of config files and boot images on a router.
The show version command will provide basic configuration for the system
hardware as well as the software version, the names and sources of
configuration files, and the boot images.
The last information given from this command is the value of the
configuration register. In this example, the value is 0x2102, the default
setting. The configuration register setting of 0x2102 tells the router to look in
NVRAM for the boot sequence. By manipulating the configuration register,
you can perform actions such as password recovery, or determine the boot
sequence, or where to boot from.

show version Command (cont.)
cisco 2610 (MPC860) processor (revision 0x202) with 45056K/4096K bytes of memory.
Processor board ID JAB032008NM (3952172322)
M860 processor: part number 0, mask 49
Bridging software.
X.25 software, Version 3.0.0.
SuperLAT software (copyright 1990 by Meridian Technology Corp).
TN3270 Emulation software.
1 Ethernet/IEEE 802.3 interface(s)
1 Serial network interface(s)
2 Serial(sync/async) network interface(s)
32K bytes of non-volatile configuration memory.
16384K bytes of processor board System flash (Read/Write)
Configuration register is 0x2102
Note: The above router has 48 Meg of RAM and 16 Meg of System Flash.
The above router has 48 meg of RAM, 32K of NVRAM and 16 meg of Flash
memory. The IOS size for this router is limited to a maximum size of 16
megs.
The last information given from this command is the value of the
configuration register. In this example, the value is 0x2102, the default
setting. The configuration register setting of 0x2102 tells the router to look in
NVRAM for the boot sequence.

Configuration Register
0x2102 = Load IOS from flash and then the configuration from NVRAM. The router looks in NVRAM for the boot sequence.
0x2100 = Load ROM Monitor mode
0x2101 = Load Mini-IOS from ROM
0x2142 = Load IOS from flash and do not load startup-config
All Cisco routers have a 16-bit software register that's written into NVRAM.
By default, the configuration register is set to load the Cisco IOS from flash
memory and to look for and load the startup-config file from NVRAM.
You can change the configuration register by using the config-register
command.
Router# config t
Router(config)# config-register 0x2102
On newer routers, this can also be carried out from ROMMON mode using the
confreg command.

When this router is rebooted, why does it lose its configuration?
cisco 2610 (MPC860) processor (revision 0x202) with 16384/2084k bytes of memory.
Processor board ID JAB03040BPS (3406519245)
M860 processor: part number 0, mask 49
Bridging software.
X.25 software, Version 3.0.0.
SuperLAT software (copyright 1990 by Meridian Technology Corp).
TN3270 Emulation software.
1 Ethernet/IEEE 802.3 interface(s)
1 Serial network interface(s)
2 Serial(sync/async) network interface(s)
32K bytes of non-volatile configuration memory.
16384K bytes of processor board System flash (Read/Write)
Configuration register is 0x2142
It doesn't lose the configuration, it just never loads the configuration from
NVRAM because the configuration register is set to bypass the startup-config
in NVRAM.
The configuration register should be 0x2102.
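The register values listed above differ in two fields: the low four bits (boot field) and bit 6 (ignore NVRAM). The following added example, which is not part of the original course material, decodes those fields from show version output and flags a register that bypasses the startup-config, as a router left at 0x2142 does. The sample outputs are constructed from the two outputs on these pages, and the "(will be ... at next reload)" suffix is what IOS prints after config-register has been changed but the router has not yet reloaded.

```python
import re

BOOT_FIELD_MASK = 0x000F   # bits 0-3 select what the router boots
IGNORE_NVRAM = 0x0040      # bit 6 set: startup-config is not loaded at boot

REGISTER_RE = re.compile(
    r"Configuration register is (0x[0-9A-Fa-f]+)"
    r"(?: \(will be (0x[0-9A-Fa-f]+) at next reload\))?"
)

# Boot field 0 and 1 are special; values 2 through F mean a normal IOS boot.
BOOT_SOURCES = {0: "ROM Monitor", 1: "Mini-IOS from ROM"}

# Constructed samples: the last lines of the show version outputs above.
SHOW_VERSION_DEFAULT = """\
32K bytes of non-volatile configuration memory.
16384K bytes of processor board System flash (Read/Write)
Configuration register is 0x2102
"""
SHOW_VERSION_BYPASS = SHOW_VERSION_DEFAULT.replace("0x2102", "0x2142")
SHOW_VERSION_PENDING = SHOW_VERSION_DEFAULT.replace(
    "0x2102", "0x2142 (will be 0x2102 at next reload)"
)


def decode_register(value):
    """Decode the two register fields this chapter discusses."""
    boot_field = value & BOOT_FIELD_MASK
    return {
        "boot_source": BOOT_SOURCES.get(boot_field, "IOS from flash"),
        "loads_startup_config": not (value & IGNORE_NVRAM),
    }


def parse_show_version(text):
    """Return (value used at last boot, value for next reload) or None."""
    match = REGISTER_RE.search(text)
    if match is None:
        return None
    booted_with = int(match.group(1), 16)
    next_reload = int(match.group(2), 16) if match.group(2) else booted_with
    return booted_with, next_reload


def audit_register(text):
    """List findings for one router's show version output."""
    parsed = parse_show_version(text)
    if parsed is None:
        return ["no configuration register line found"]
    booted_with, next_reload = parsed
    now, later = decode_register(booted_with), decode_register(next_reload)
    findings = []
    if not later["loads_startup_config"]:
        # Saved passwords and access lists will not be applied after a reload.
        findings.append(f"{next_reload:#06x}: next reload will bypass startup-config")
    elif not now["loads_startup_config"]:
        findings.append(
            f"{booted_with:#06x}: last boot bypassed startup-config; "
            f"register already set to {next_reload:#06x} for next reload"
        )
    if later["boot_source"] != "IOS from flash":
        findings.append(
            f"{next_reload:#06x}: next reload boots {later['boot_source']}"
        )
    return findings


if __name__ == "__main__":
    for name, sample in [("default", SHOW_VERSION_DEFAULT),
                         ("bypass", SHOW_VERSION_BYPASS),
                         ("pending", SHOW_VERSION_PENDING)]:
        print(name, audit_register(sample) or "ok")
```

Run it over saved show version output from each router after any password recovery work to confirm the register was returned to 0x2102.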

Viewing the Configuration
show startup-config: Allows you to display the backup configuration
show running-config: Displays the active configuration
[Figure: NVRAM and RAM, labelled Config and IOS]
You can view the configuration files on a router by typing show running-config
or show startup-config from privileged mode. The main difference is
that the running-config is what is actually active on the router, whereas the
startup-config is what is saved in NVRAM. Performing a copy running-config
startup-config saves the running-config into NVRAM.
A best practice commonly used in various industries is to keep several
versions of the router's configuration on a TFTP server, and to regularly save
the running-config after changes are made and successfully tested. This can
provide an audit trail of when changes were introduced, and can aid in
troubleshooting problems brought on as a result of changes.

Setup Mode
- When you erase the configuration on a router and reboot, you will be in Setup mode
- You can type setup from privileged mode to enter setup mode
- Square brackets indicate default or current settings
- Enable password and Enable secret password are configured during setup mode. The enable secret password cannot be seen as clear text when viewing the configuration
- If both the Enable password and Enable secret passwords are set, the router will utilize the Enable secret password as it is more secure.
Once the IOS is loaded, up and running, a valid configuration will be loaded
from NVRAM.
However, if there isn't a configuration stored in NVRAM, the router will go
into setup mode, a step-by-step process to help you configure the router.
You can also enter setup mode at any time from the command line by typing
the command setup from privileged mode.
The Enable password and Enable secret password are configured during setup
mode. The enable secret password cannot be seen as clear text when viewing
the configuration. For this reason, it should be used wherever possible because
it can protect against someone using router configurations to gain unauthorized
access to the routers. It displays in the router configuration as an MD5 hash,
and in many cases is used as a last resort password if TACACS or RADIUS
fails.

Configuring the Router
Router#configure
Configuring from terminal, memory, or network [terminal]?
- Terminal: Configures information into RAM (changes the running-config)
- Memory: Configures information from NVRAM into running-config
- Network: Configures information from a file stored on a TFTP host into running-config
To configure from a CLI, you can make global changes to the router by typing
configure terminal (or config t for short), which puts you in global
configuration mode and changes what's known as the running-config.
A global command (commands run from global config) is one that is set once
and affects the entire router.
You can type config from the privileged-mode prompt and then just press
<Enter> to take the default of terminal.
You would use the memory or network option to upload a configuration file
from either memory or a TFTP server on the network. In many cases, this is
used to pre-stage changes, migrations, or to facilitate review processes.

Router Modes
User EXEC Mode: Limited to basic monitoring commands
Privileged EXEC Mode: Provides access to all other router commands
Global Configuration Mode: Commands that affect the entire system
Specific Configuration Mode: Commands that affect interfaces/processes only
Setup Mode: Interactive configuration dialog
This slide shows a summary of the various router modes used on a router.

Router Modes Example
User EXEC mode:              Router> enable
Privileged EXEC mode:        Router# configure terminal
Global configuration mode:   Router(config)#
<ctrl>-z (end)
Configuration Mode   Prompt
Interface            Router(config-if)#
Subinterface         Router(config-subif)#
Line                 Router(config-line)#
Router               Router(config-router)#
It's really important that you understand the different prompts you can find
when configuring a router. Knowing these well will help you navigate and
recognize where you are at any time within configuration mode.

Saving Configurations
Copy the current configuration to NVRAM
Router# copy running-config startup-config
Destination filename [startup-config]? <enter>
Building configuration
You can manually save the file from DRAM to NVRAM by using the copy
running-config startup-config command. You can use the shortcut copy run
start also. You can also save to other files on NVRAM or a TFTP server in
addition to the startup config.

Restoring Configurations
Copy the saved configuration to DRAM
Router# copy startup-config running-config
Destination filename [running-config]? <enter>
Building configuration
- Configures information into RAM on a router
- Retrieves a router's configuration file from NVRAM
The copy startup-config running-config command will append the startup-config file
into RAM. This is one way of backing out of changes made that may not have
been successful.

Administrative Functions
Administrative functions help you administer your internetwork.
This includes:
- Hostnames
- Banners
- Interface Descriptions
- Passwords
This next section will teach you how to configure administrative functions on
a router.

Configuring Router Identification
Router Name
Router(config)# hostname R1
R1(config)#
Message of the Day Banner
R1(config)# banner motd #
MIS meeting at 13:00
Everyone that has attended this class
gets a 50% raise.
#
You can set the identity of the router with the hostname command. This is
only locally significant, which means it has no bearing on how the router
performs name lookups, but is used by Cisco MIBs to identify the router. A
good naming standard should be able to provide some functional and
geographical information. Unique naming is an important best practice as it
will aid in troubleshooting and prevent confusion over duplicate names.
A good reason for having a banner is to add a security notice to users remotely
accessing your internetwork.
You can set a banner on a Cisco router so that when either a user logs into the
router or an administrator telnets into the router, the banner will give them the
information you want them to have. As another best practice, the banner can
be used to identify the revision of the standard configuration template used,
and should not contain proprietary or confidential information since it will be
seen by users prior to authentication.

Configuring Interface Description
Interface Description
R1(config)# interface fastethernet 0/1
R1(config-if)# description Finance LAN
R1(config-if)# interface serial 0/0
R1(config-if)# description WAN to Miami
View descriptions with the following commands:
R1# show running-config
R1# show interface
Setting descriptions on an interface is helpful to the administrator and support
staff. This is a helpful command because you can use it to keep track of
circuit numbers, for example. If configurations are stored offline, this
information can be accessed to create circuit databases, or assist in creation of
port maps and network diagrams. Standardizing on the format provides a
consistent format in which to create a script to pull the information together
into a database, spreadsheet or network drawing.

Do the do
For newer routers running 12.3 and above, you can use the do command:
R1(config)# do show run
R1(config-if)# do show interface

Console/Aux Password Configuration
Console and Auxiliary Password
R1(config)# line console 0
R1(config-line)# password todd
R1(config-line)# login
R1(config-line)# line aux 0
R1(config-line)# password lammle
R1(config-line)# login
[Figure: console connection, "No Access!"]
To set the console password, use the line console 0 command.
Same for the aux port.
You need to enable the login command, or the router will not prompt for the
password.
Use caution if line passwords are the same as enable secret. Please keep in
mind that these will be shown in clear text within the router configuration
unless the service password-encryption command is utilized.
Other Console Line Commands
Prevent console session timeout:
R1(config)# line console 0
R1(config-line)# exec-timeout 0 0
Redisplay interrupted console input:
R1(config)# line console 0
R1(config-line)# logging synchronous
(Figure: console connection)
For one, the exec-timeout 0 0 command sets the timeout for the console EXEC
session to zero, which basically means it never times out. That is convenient
in a lab, but it also means an unattended console session stays logged in.
Logging synchronous is a very cool command, and it should be a default
command, but it's not. It basically stops annoying console messages from
popping up and disrupting the input you're trying to type.
Telnet VTY Password
Virtual Terminal Password
R1(config)# line vty 0 4
R1(config-line)# password todd
R1(config-line)# login (or no login)
R1(config-line)#
(Figure: Telnet connection)
NOTE: no VTY password means no Telnet access.
Cisco supports 5 simultaneous Telnet sessions by default (0-4), although your
router may support more.
To set the user-mode password for Telnet access into the router, use the line
vty command. Routers that aren't running the Enterprise edition of the Cisco
IOS default to five VTY lines, 0 through 4.
But if you have the Enterprise edition, you'll have significantly more. The best
way to find out how many lines you have is to use the question mark:
Router(config-line)#line vty 0 ?
<1-4> Last Line Number
<cr>
You can use the no login option so that you can telnet into a router and not
be prompted for a password (not recommended!).
An access-class can be used on the VTY lines to further restrict access.
Note: If the password is not set, and TACACS or RADIUS is not
configured, you will get "Password not set" when attempting to telnet to the
router, and be logged off.
Telnet versus SSH Access
Telnet
• Most common access method
• Insecure
SSH
• Encrypted
• IP domain must be defined
• Key must be generated
!--- The username command creates the username and password for the SSH session
username cisco password 0 cisco
ip domain-name mydomain.com
crypto key generate rsa
ip ssh version 2
line vty 0 4
 login local
 transport input ssh
SSH Server
The SSH Server feature enables an SSH client to make a secure, encrypted connection to a
Cisco router. This connection provides functionality that is similar to that of an inbound
Telnet connection. Before SSH, security was limited to Telnet security. SSH allows strong
encryption to be used with the Cisco IOS software authentication. The SSH server in Cisco
IOS software will work with publicly and commercially available SSH clients.
SSH Integrated Client
The SSH Integrated Client feature is an application running over the SSH protocol to
provide device authentication and encryption. The SSH client enables a Cisco router to
make a secure, encrypted connection to another Cisco router or to any other device running
the SSH server. This connection provides functionality that is similar to that of an outbound
Telnet connection except that the connection is encrypted. With authentication and
encryption, the SSH client allows for secure communication over an insecure network.
The SSH client in the Cisco IOS software works with publicly and commercially available
SSH servers. The SSH client supports the ciphers of Data Encryption Standard (DES),
Triple DES (3DES), and password authentication. User authentication is performed like that
in the Telnet session to the router. The user authentication mechanisms supported for SSH
are RADIUS, TACACS+ and the use of locally stored user names and passwords.
Secure Shell
Here are the minimum commands needed to
configure SSH on your router or switch:
R1# config t
R1(config)# username Todd password Lammle
R1(config)# ip domain-name lammle.com
R1(config)# crypto key generate rsa
R1(config)# line vty 0 4
R1(config-line)# login local
R1(config-line)# transport input ssh
(Optional: transport input ssh telnet)
You must remember the command:
transport input ssh
This enables SSH under the VTY lines.
Verifying SSH
To verify that the SSH server is enabled and
view the version and configuration data for
your SSH connection:
R1# show ip ssh
To verify the status of your SSH server
connections:
R1# show ssh
Enable Passwords
Enable Password
Router(config)# enable password lammle
Enable Secret Password
Router(config)# enable secret fido
(Figure: "No Access!")
The enable secret is encrypted by default and supersedes the enable password if set.
Setting the Enable password prompts you for a password when you enter the
enable command.
The Enable Secret password is encrypted by default and supersedes the
enable password. As a best practice, it is recommended to use the Enable
Secret since it is encrypted within the configuration using an MD5 hash.
Other means of encrypting the password (level 7) can be easily cracked using
shareware programs. This is especially of concern if the configuration files
were accessed. Use of Enable Secret password is therefore recommended.
Encrypting your Passwords
The service password-encryption command encrypts passwords in the plain text
configuration file. It encrypts your enable password and line passwords.
Router# config t
Router(config)# service password-encryption
Router(config)# exit
*Router# show running-config
Router# config t
Router(config)# no service password-encryption
*You need to perform a show run if you configure your passwords before you
enable the encryption service.
Remember that you can see all the passwords except the Enable Secret when
performing a show running-config on a router.
To manually encrypt your passwords, use the service password-encryption
global configuration command.
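The console, VTY, enable and password-encryption settings covered on the preceding slides can be checked offline against a saved configuration. The script below is an added example, not part of the course material; the function names, finding labels and both sample configurations are constructed for illustration, and the hash values are placeholders.

```python
import re

# Constructed sample configs (not from a real device). WEAK_CONFIG repeats the
# settings used on the slides; HARDENED_CONFIG is the corrected counterpart.
WEAK_CONFIG = """\
hostname R1
enable password lammle
username Todd password 0 Lammle
ip domain-name lammle.com
!
line con 0
 exec-timeout 0 0
 password todd
 login
line aux 0
 password lammle
 login
line vty 0 4
 password todd
 no login
 transport input ssh telnet
!
end
"""

HARDENED_CONFIG = """\
hostname R1
service password-encryption
enable secret 5 $1$PLACEHOLDER$hash-placeholder
username Todd secret 5 $1$PLACEHOLDER$hash-placeholder
ip domain-name lammle.com
!
line con 0
 exec-timeout 10 0
 logging synchronous
 login local
line aux 0
 login local
line vty 0 4
 login local
 transport input ssh
!
end
"""

# "password <text>" or "password 0 <text>" is stored in clear text;
# "password 7 <text>" has been through service password-encryption.
CLEARTEXT = re.compile(r"\bpassword (?!7 )(?:0 )?\S+")


def parse_line_blocks(config):
    """Return {"line con 0": [subcommands], ...} for each line stanza."""
    blocks, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("line "):
            current = raw.strip()
            blocks[current] = []
        elif current is not None and raw.startswith(" ") and raw.strip():
            blocks[current].append(raw.strip())
        else:
            current = None
    return blocks


def audit_config(config):
    """Return a sorted list of (finding, location) tuples."""
    findings = set()
    top = [l.rstrip() for l in config.splitlines() if l and not l.startswith(" ")]

    if any(l.startswith("enable password ") for l in top):
        findings.add(("ENABLE_PASSWORD_SET", "global"))
    if not any(l.startswith("enable secret ") for l in top):
        findings.add(("NO_ENABLE_SECRET", "global"))
    if "service password-encryption" not in top:
        findings.add(("NO_PASSWORD_ENCRYPTION", "global"))
    for l in top:
        if CLEARTEXT.search(l):
            findings.add(("CLEARTEXT_PASSWORD", l.split(" password ")[0]))

    for header, cmds in parse_line_blocks(config).items():
        if any(CLEARTEXT.fullmatch(c) for c in cmds):
            findings.add(("CLEARTEXT_PASSWORD", header))
        if "no login" in cmds:
            findings.add(("NO_LOGIN", header))        # no password prompt at all
        elif not any(c.split()[0] == "login" for c in cmds):
            findings.add(("LOGIN_MISSING", header))   # password is never asked for
        if "exec-timeout 0 0" in cmds:
            findings.add(("NEVER_TIMES_OUT", header))
        if header.startswith("line vty"):
            for c in cmds:
                if c.startswith("transport input "):
                    protocols = c.split()[2:]
                    if "telnet" in protocols or "all" in protocols:
                        findings.add(("TELNET_ALLOWED", header))
    return sorted(findings)


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name)
        for finding, where in audit_config(cfg):
            print(f"  {finding:24} {where}")
```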
Draw a line from the left to the answer on the right
Chapter 1 Lab
Hands-on Lab 1.1
Open your lab books and complete hands-on lab 2.3
Chapter 1 Continued
Configuring Router Interfaces
Open your lab books and complete hands-on lab 2.3
Configuring an Interface
Choosing an interface
R1(config)# interface type number
R2(config)# interface type slot/port
Examples of choosing an interface
R1(config)# interface ethernet 0
R2(config)# interface fastethernet 0/1
(Figure: routers R1 and R2 with interface labels e0, fa0, e0/0 and fa0/1)
Interface configuration includes Network layer addresses, media type,
bandwidth, and other administrator commands.
Different routers use different methods to choose the interfaces used on them.
Most of today's routers are modular, so the configuration would be interface
type slot/port.
Adding IP Addresses continued
Interfaces on fixed series routers
R1# config t
R1(config)# interface serial 0
R1(config-if)# ip address 11.1.1.2 255.255.255.0
R1(config-if)# interface e0
R1(config-if)# ip address 11.1.2.2 255.255.255.0
Even though you don't have to use IP on your routers, it's most often what
people use. To configure IP addresses on an interface, use the ip address
command from interface configuration mode.
Note: The command ip address address mask starts the IP processing on the
interface.
Adding IP Addresses continued
Interfaces on modular series routers
R1# config t
R1(config)# interface serial 0/0
R1(config-if)# ip address 11.1.1.2 255.255.255.0
R1(config-if)# int fa0/0
R1(config-if)# ip address 11.1.2.2 255.255.255.0
This slide demonstrates how to configure an IP address on 2600 router
interfaces.
Notice that the ip address syntax is the same for both interfaces (serial and
ethernet), though the commands used to access the interfaces are different.
Don't forget which interface you are programming.
Adding IP Addresses continued
Interfaces on ISR series routers
R1# config t
R1(config)# interface serial 0/0/0
R1(config-if)# ip address 11.1.1.2 255.255.255.0
R1(config-if)# int fa0/0
R1(config-if)# ip address 11.1.2.2 255.255.255.0
This slide demonstrates how to configure an IP address on 2600 router
interfaces.
Notice that the ip address syntax is the same for both interfaces (serial and
ethernet), though the commands used to access the interfaces are different.
Don't forget which interface you are programming.
Adding IP Addresses continued
Secondary Addresses (not advised)
R1# config t
R1(config)# interface Ethernet 0
R1(config-if)# ip address 11.1.1.2 255.255.255.0
R1(config-if)# ip address 11.1.2.2 255.255.255.0 secondary
Note: Different subnets/broadcast domains on same interface (E0)
This slide shows how two hosts on the same LAN would need to go through a
router to communicate because the hosts think they are on different subnets!
If you type another IP address and press Enter on a router interface, it will
replace the existing IP address and mask. This is definitely a most excellent
feature of the Cisco IOS.
However, if you want to add a second subnet address to an interface, you have
to use the secondary keyword.
I really wouldn't recommend having multiple IP addresses on an interface
because it's inefficient.
Serial Interface Clocking
(Figure: DTE routers, CSU/DSUs and the DCE network)
Clocking is typically provided by the DCE network to the routers.
In non-production environments, a DCE network is not always present.
Serial interfaces will usually be attached to a CSU/DSU type of device that
provides clocking for the line.
But if you have a back-to-back configuration (for example, one that's used in a
lab/classroom environment), one end, the data communication equipment
(DCE) end of the cable, must provide clocking.
The type of cable plugged into the serial interface can be verified with the
show controllers command. The clock present is representative of
the cable plugged in (DTE or DCE). If it's DCE, the clock rate command will
be needed in a back-to-back configuration.
Configuring a Serial Interface
R1# config t
R1(config)# interface serial 0
Set clock rate if needed:
R1(config-if)# clock rate 64000
Set interface bandwidth:
R1(config-if)# bandwidth 64
R1(config-if)# exit
R1(config)# exit
(Figure: back-to-back serial link with a DCE end and a DTE end)
• DCE side determined by cable
• Add clocking to DCE side only
Note: show controllers will show the cable connection type.
ISR routers auto-detect cable type and set clock rate to 2,000,000 by default.
By default, Cisco routers are all data terminal equipment (DTE) devices, so
you must tell an interface to provide clocking if you need it to act like a DCE
device. You configure a DCE serial interface with the clock rate command.
The show controllers command displays information about the physical
interface itself. It'll also give you the type of serial cable plugged into a serial
port. Usually, this will only be a DTE cable that plugs into a type of data
service unit (DSU).
R1# show controllers serial 0
Hd unit 0, idb = 0x121c04, driver structure at 0x127078
Buffer size 1524, hd unit 0, v.35 DCE cable
The bandwidth and delay of an interface are used by routing protocols such as
IGRP, EIGRP, and OSPF to calculate the best cost (path) to a remote network.
So if you're using RIP routing, then the bandwidth or delay setting of an
interface is irrelevant, since RIP uses only hop count to determine the best path.
Disabling or Enabling an Interface
Enable an interface
R1# configure terminal
R1(config)# interface serial 0
R1(config-if)# no shutdown
%LINK-3-UPDOWN: Interface Serial0, changed state to up
%LINEPROTO-5-UPDOWN: Line Protocol on Interface Serial0, changed state to up
Disable an interface
R1# configure terminal
R1(config)# interface serial 0
R1(config-if)# shutdown
%LINK-5-CHANGED: Interface Serial0, changed state to administratively down
%LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0, changed state to down
You can turn an interface off with the shutdown interface command, and
turn it on with the no shutdown command. If an interface is shut down, it
will display administratively down when using the show interface
command.
REMEMBER TO DO A NO SHUTDOWN COMMAND WHEN YOU
HAVE CONFIGURED A DEVICE. THIS TRIPS UP MANY STUDENTS
ON THE SIMULATION PORTION OF THE EXAM.
Verifying Your Changes
R1# show interface serial 0
Serial0 is up, line protocol is up
  Hardware is HD64570
  Internet address is 11.1.1.2/24
  MTU 1500 bytes, BW 64 Kbit, DLY 20000 usec, rely 255/255, load 1/255
  Encapsulation HDLC, loopback not set, keepalive set (10 sec)
  Last input 00:00:09, output 00:00:04, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0 (size/max/drops); Total output drops: 0
  Queueing strategy: weighted fair
  Output queue: 0/1000/64/0 (size/max total/threshold/drops)
     Conversations 0/1/256 (active/max active/max total)
     Reserved Conversations 0/0 (allocated/max allocated)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
(output cut)
(Slide callouts: rely 255/255 is labelled "100% Reliable"; load 1/255 is labelled "No Load")
The command show interface reveals to us the hardware address (if a LAN
interface), logical address, and encapsulation method, as well as statistics.
Maximum Transmission Unit (MTU) shows how many bytes of data can be
sent in each encapsulated packet. BW is 1.544kbps by default on serial
interfaces, Delay is 20,000 microseconds.
If the link is 100% reliable, rely 255/255 will be shown. If the link is
basically at no load, load 1/255 will be displayed.
The encapsulation on a serial interface is HDLC by default. The loopback can
be set to test the link and the keepalive is 10 seconds by default. This is a
Data Link layer keepalive that is sent between routers. If the timers are not
exactly the same, the Data Link layer will not come up.
Interpreting Interface Status
R1# show interfaces serial 1
Serial1 is up, line protocol is up
(Slide callouts: the first "up" is Carrier Detect (Physical); the second "up" is Keepalives (Data Link))
Operational ........... Serial1 is up, line protocol is up
Connection problem .... Serial1 is up, line protocol is down
Interface problem ..... Serial1 is down, line protocol is down
Disabled .............. Serial1 is administratively down, line protocol is down
The most important statistic of the show interface command is the output of
the line and data-link protocol status.
If the output reveals that serial 1 is up and the line protocol is up, then the
interface is up and running.
The first "up" listed in this example shows carrier detect from the CSU/DSU.
The second "up" in this example shows keepalives from the remote router.
Another thing to confirm is the state of the signals. This is shown at the
bottom of the output, and on most serial interfaces can also be seen on the
router's serial interface as a series of green lights. Usually when the router
interface is up and normal, all of the signals will show as up.
Show ip interface brief
R1# show ip interface brief
Interface        IP-Address    OK? Method Status                Protocol
FastEthernet0/0  192.168.10.1  YES manual up                    up
FastEthernet0/1  10.1.1.2      YES DHCP   up                    up
Serial0/0/0      172.1.1.12    YES manual up                    up
Serial0/0/1      unassigned    YES unset  administratively down down
This command is used to get a quick view of the status of all interfaces
configured on the router. The status and protocol fields are quick indicators as
to the state of the interface. When you are troubleshooting, if you see the status
as administratively down, you need to perform a no shutdown on the
interface to mark it administratively up.
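The status table from the Interpreting Interface Status slide can be applied mechanically to show ip interface brief output. The script below is an added example, not part of the course material; the function names are hypothetical, BRIEF_OUTPUT is the output shown on the slide, and EXTRA_OUTPUT is constructed to exercise the two states the slide output does not contain.

```python
# Status/Protocol pairs and their meaning, as listed on the
# "Interpreting Interface Status" slide.
DIAGNOSIS = {
    ("up", "up"): "Operational",
    ("up", "down"): "Connection problem",
    ("down", "down"): "Interface problem",
    ("administratively down", "down"): "Disabled",
}

# Output as shown on the "Show ip interface brief" slide.
BRIEF_OUTPUT = """\
Interface        IP-Address    OK? Method Status                Protocol
FastEthernet0/0  192.168.10.1  YES manual up                    up
FastEthernet0/1  10.1.1.2      YES DHCP   up                    up
Serial0/0/0      172.1.1.12    YES manual up                    up
Serial0/0/1      unassigned    YES unset  administratively down down
"""

# Constructed rows (not from the slide) covering the remaining two states.
EXTRA_OUTPUT = """\
Interface        IP-Address    OK? Method Status                Protocol
Serial0/1/0      172.1.2.1     YES manual up                    down
Serial0/1/1      172.1.3.1     YES manual down                  down
"""


def parse_brief(output):
    """Parse 'show ip interface brief' text into a list of dicts."""
    rows = []
    for line in output.splitlines():
        fields = line.split()
        # Skip blank lines, the header row and anything too short to be a row.
        if len(fields) < 6 or fields[0] == "Interface":
            continue
        rows.append({
            "interface": fields[0],
            "ip": fields[1],
            "method": fields[3],
            # Status can be two words ("administratively down"), so take
            # everything between the Method column and the last column.
            "status": " ".join(fields[4:-1]),
            "protocol": fields[-1],
        })
    return rows


def diagnose(rows):
    """Map each interface name to the slide's description of its state."""
    return {
        r["interface"]: DIAGNOSIS.get((r["status"], r["protocol"]), "Unrecognized state")
        for r in rows
    }


def needs_no_shutdown(rows):
    """Interfaces that stay down until 'no shutdown' is entered on them."""
    return [r["interface"] for r in rows if r["status"] == "administratively down"]


if __name__ == "__main__":
    for text in (BRIEF_OUTPUT, EXTRA_OUTPUT):
        parsed = parse_brief(text)
        for name, state in diagnose(parsed).items():
            print(f"{name:16} {state}")
        print("needs no shutdown:", needs_no_shutdown(parsed))
```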
Which issue on the left corresponds to the router output on the right?
Left:
Layer 1 problem
Layer 2 problem
Layer 3 problem
Port operational
Port disabled
Right:
Serial 0/1 is up, line protocol is up
Serial 0/1 is up, line protocol is down
Serial 0/1 is down, line protocol is down
Serial 0/1 is administratively down, line protocol is down
Erasing NVRAM on a Router
Erasing a router configuration
R1(config)# exit
R1# erase startup-config
Erasing the nvram will remove all the files! Continue?
OK
Erase of nvram complete
You can delete the startup-config file by using the erase startup-config
command.
This command is recommended if the router is being re-deployed or
decommissioned and you want to make sure none of the old configuration
elements are present when it either comes back online or is
decommissioned. Once the configuration is erased, the user will be prompted
to enter setup commands as if the router had come from the factory.
The write erase command is another command that performs the same
function.
Draw a line from the left to the answer on the right.
Left:
# configure term
(config-if)# ip address 192.168.3.3/24
(config-if)# ip address 10.8.26.0 255.255.248.0
(config)# ip address 172.16.10.1 255.255.255.0
(config)# interface fa0/0
(config-if)# no shutdown
(config-if)# enable interface
# enable
> enable
Right:
Enter privileged EXEC mode
Enter global config mode
Enter interface config mode
Configure the interface IP address
Enable the interface
Chapter 1 Lab
Hands-on Lab 1.2
Open your lab book and complete hands-on lab 2.4
Introduction to Cisco Catalyst Switches
Chapter 1 Continued
This section will introduce you to Cisco Catalyst IOS Switches and how to set
an IP address on the switch so it can be managed in-band.
When Cisco talks about switching, they really mean layer-2 switching
unless they say otherwise. Layer-2 switching is the process of using the
hardware address of devices on a LAN to segment a network.
Switching will be explained in detail in a later chapter.
Catalyst Switches
If POST completes successfully, the system LED turns green.
If POST fails, the system LED turns amber. This is typically fatal.
The 2950 comes in a bunch of flavors, and runs 10Mbps all the way up to
1Gbps switched ports, with either twisted-pair or fiber. It can be a layer 3
switch, and runs what is known as Catalyst IOS. This operating system is very
similar to Cisco IOS running on a router, and all ports are treated as interfaces.
The 3550 and 3750 switches can provide layer 3 services; the 2950 cannot.
Hubs (Physical)
(Figure: hosts A, B, C and D connected to a hub)
• All devices in the same collision domain
• All devices in the same broadcast domain
• Devices share the same bandwidth
Hubs just connect network segments together.
Switches/Bridges (Layer 2)
• Each segment has its own collision domain
• All segments are in the same broadcast domain
• Dedicated bandwidth when only one host connected to switch port
(Figure: switch ports 1 to 4, connected with a crossover cable and straight-through cables)
Switches/Bridges break up collision domains, but create one large broadcast domain by
default.
Switches Supersede Bridges
• Operate at Layer 2 of the OSI model
• Forward, filter, or flood frames
• Have many ports
• Bridges/Switches learn MAC addresses by examining the source MAC
address of each frame received
(Figure: a switch connecting the Internet and two hubs, Segment 1 and Segment 2)
Layer-2 switching is hardware based, which means it uses the MAC address from the hosts'
NIC cards to filter the network. Unlike bridges that use software to create and manage a
filter table, switches use application-specific integrated circuits (ASICs) to build and
maintain their filter tables. But it's still okay to think of a layer-2 switch as a multiport
bridge because their basic reason for being is the same: to break up collision domains.
Layer-2 switches and bridges are faster than routers because they don't take up time looking
at the Network layer header information. Instead, they look at the frame's hardware
addresses before deciding to either forward the frame or drop it.
Switches create private dedicated domains and don't share bandwidth like a hub would.
LAN Switch Features
• Dedicated Communication Between Devices
• Multiple Simultaneous Conversations
• Full-Duplex Communication
• Media-Rate Adaptation (100 MB, 10 MB)
LAN Switches provide many features including dedicated connections between an end node
and the switch allowing for a much smaller collision domain and the capability to run at full
duplex.
Three Switch Functions
Address learning
Forward/filter decision
Loop avoidance
There are three distinct functions of layer-2 switching: address learning, forward/filter
decisions, and loop avoidance.
Learning Host Locations
• Initial MAC address table is empty
(Figure: hosts A, B, C and D attached to switch ports E0 through E3; host MAC addresses 0260.8c01.1111, 0260.8c01.2222, 0260.8c01.3333 and 0260.8c01.4444; the MAC address table is empty)
When a switch is first powered on, the MAC forward/filter table is empty.
When a device transmits and an interface receives a frame, the switch places the frame's
source address in the MAC forward/filter table, allowing it to remember which interface the
sending device is located on.
The switch then has no choice but to flood the network with this frame because it has no
idea where the destination device is actually located.
How Switches Filter Frames
• Station A sends a frame to station C
• Destination is known, frame is not flooded
MAC address table
E0: 0260.8c01.1111
E2: 0260.8c01.2222
E1: 0260.8c01.3333
E3: 0260.8c01.4444
(Figure: hosts A, B, C and D attached to switch ports E0 through E3; X marks show the ports the frame is not sent out of)
When the switch is powered on, it has nothing in its MAC address forward/filter table.
But when the hosts start communicating, the switch places the source hardware address of
each frame in the table along with the port that the frame's address corresponds to.
Broadcast and Multicast Frames
• Station D sends a broadcast or multicast frame
• Broadcast and multicast frames are flooded to all ports other than
the originating port
MAC address table
E0: 0260.8c01.1111
E2: 0260.8c01.2222
E1: 0260.8c01.3333
E3: 0260.8c01.4444
(Figure: hosts A, B, C and D attached to switch ports E0 through E3)
When a frame arrives at a switch interface, the destination hardware address is compared to
the forward/filter MAC database. If the destination hardware address is known and listed in
the database, the frame is only sent out the correct exit interface. The switch doesn't
transmit the frame out any interface except for the destination interface. This preserves
bandwidth on the other network segments and is called frame filtering.
But if the destination hardware address isn't listed in the MAC database, then the frame is
broadcast out all active interfaces except the interface the frame was received on. If a device
answers the broadcast, the MAC database is updated with the device's location (interface).
If a host or server sends a broadcast on the LAN, the switch will broadcast the frame out all
active ports by default. Remember, the switch only creates smaller collision domains, but
it's still one large broadcast domain by default.
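The learning, filtering and flooding behaviour described on the last three slides, as an added example that is not part of the course material. The class and function names are hypothetical, the port-to-MAC pairs are the ones in the slides' MAC address table, and the "drop" case (destination on the same port the frame arrived on, for instance behind a hub) goes beyond what the slides walk through.

```python
BROADCAST = "ffff.ffff.ffff"


def is_group_address(mac):
    """True for broadcast and multicast MACs (low bit of the first octet set)."""
    first_octet = int(mac.replace(".", "")[:2], 16)
    return (first_octet & 1) == 1


class Layer2Switch:
    def __init__(self, ports):
        self.ports = list(ports)
        self.mac_table = {}          # MAC address -> port it was last seen on

    def receive(self, in_port, src, dst):
        """Process one frame and return (action, list of egress ports)."""
        # Address learning: the SOURCE address tells the switch where the
        # sender lives. A group address is never a valid source, so skip it.
        if not is_group_address(src):
            self.mac_table[src] = in_port

        other_ports = [p for p in self.ports if p != in_port]

        # Broadcast and multicast frames go to every port except the ingress.
        if is_group_address(dst):
            return ("flood", other_ports)

        out_port = self.mac_table.get(dst)
        if out_port is None:
            # Unknown unicast: the switch has no idea where the destination
            # is, so it floods exactly as it would a broadcast.
            return ("flood", other_ports)
        if out_port == in_port:
            # Destination sits on the segment the frame came from; nothing
            # needs to cross the switch (case not shown on the slides).
            return ("drop", [])
        # Known unicast: send out the one correct exit interface only.
        return ("forward", [out_port])


def run_slide_scenario():
    """Replay a short exchange using the addresses from the slides."""
    sw = Layer2Switch(["E0", "E1", "E2", "E3"])
    steps = [
        ("E0", "0260.8c01.1111", "0260.8c01.2222"),  # table empty: flood
        ("E2", "0260.8c01.2222", "0260.8c01.1111"),  # reply: 1111 is known
        ("E0", "0260.8c01.1111", "0260.8c01.2222"),  # now 2222 is known too
        ("E3", "0260.8c01.4444", BROADCAST),         # broadcast: flood
    ]
    results = [sw.receive(*step) for step in steps]
    return results, sw.mac_table


if __name__ == "__main__":
    results, table = run_slide_scenario()
    for action, ports in results:
        print(f"{action:8} -> {ports}")
    for mac, port in sorted(table.items()):
        print(f"{port}: {mac}")
```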
show mac-address-table
S1 needs to forward a frame with an address of 00b0.d056.efa4.
What will the switch do with this frame?
Switch-1# show mac address-table
Dynamic Addresses Count: 3
Secure Addresses (User-defined) Count: 0
Static Addresses (User-defined) Count: 0
System Self Addresses Count: 41
Total Mac Addresses: 50
Non-static Address Table:
Destination Address    Address Type    VLAN    Destination Port
0010.0de0.e289         Dynamic         1       FastEthernet0/1
0010.7b00.1540         Dynamic         2       FastEthernet0/3
0010.7b00.1545         Dynamic         2       FastEthernet0/2
What would the switch do if it received a frame and the source address was
00b0.d056.efa4?
It would place the address in the MAC address table, with the destination port being the
port the frame was received on.
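The learn, forward and flood behavior described on the last three slides can be replayed in a few lines. The following is an added example, not part of the course material: it models a single-VLAN switch with the slide's ports E0-E3 and MAC addresses, and the frame sequence is constructed for illustration.

```python
"""Learn / forward / flood decisions of a layer 2 switch (added example)."""


def is_group_address(mac):
    """True for broadcast and multicast MACs: low bit of the first octet is 1."""
    first_octet = int(mac.replace(".", "")[:2], 16)
    return bool(first_octet & 0x01)


class LearningSwitch:
    def __init__(self, ports):
        self.ports = list(ports)
        self.table = {}  # MAC address -> port where it was last seen as a source

    def _all_but(self, in_port):
        return [p for p in self.ports if p != in_port]

    def receive(self, in_port, src, dst):
        """Handle one frame and return (action, list of egress ports)."""
        if in_port not in self.ports:
            raise ValueError(f"unknown port {in_port!r}")
        # Learning uses the SOURCE address only. A group address is never a
        # legitimate source, so it is not learned.
        if not is_group_address(src):
            self.table[src] = in_port
        # Broadcast and multicast go to every port except the originating one.
        if is_group_address(dst):
            return "flood", self._all_but(in_port)
        out_port = self.table.get(dst)
        if out_port is None:
            # Unknown unicast: the table cannot narrow the exit, so flood.
            return "flood", self._all_but(in_port)
        if out_port == in_port:
            # Destination lives on the segment the frame came from.
            return "drop", []
        # Known unicast: one exit interface only (frame filtering).
        return "forward", [out_port]


def run_demo():
    """Replay a constructed frame sequence using the slide's ports and MACs."""
    sw = LearningSwitch(["E0", "E1", "E2", "E3"])
    frames = [  # (ingress port, source MAC, destination MAC)
        ("E0", "0260.8c01.1111", "0260.8c01.3333"),  # table is still empty
        ("E1", "0260.8c01.3333", "0260.8c01.1111"),  # reply, E0 is now known
        ("E0", "0260.8c01.1111", "0260.8c01.3333"),  # both ends known
        ("E3", "0260.8c01.4444", "ffff.ffff.ffff"),  # broadcast
        ("E0", "0260.8c01.1111", "00b0.d056.efa4"),  # address not in the table
    ]
    results = [sw.receive(*frame) for frame in frames]
    return results, sw.table


if __name__ == "__main__":
    demo_results, demo_table = run_demo()
    for action, ports in demo_results:
        print(f"{action:8s} {ports}")
    print(demo_table)
```

The host on E2 never transmits in this sequence, so its address never enters the table: entries come only from source addresses.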
Connecting Switches together
When connecting a cable into a switch, at first
the link lights are orange, then turn green
indicating normal operation. Why?
Crossover cable
You would use a crossover cable to connect switches together. A crossover
cable has the following pins crossed:
1 to 3
2 to 6
3 to 1
6 to 2
The lights turn orange for 50 seconds because of the Spanning-Tree Protocol
(STP), which is covered later in this course. This behavior does depend on the
type of switches being interconnected, their speed and duplex settings, and
their spanning tree configuration. Care and caution should be exercised when
interconnecting switches, so as not to introduce loops in the network topology, as
well as to limit the broadcast domain and not to substantially oversubscribe the
uplink ports. STP is covered in detail later in the course.
Do switches need an IP Address?
Which type of Ethernet cable is used to
connect the hubs to the switch?
Crossover cable
[Figure: hubs connected to switches]
No, switches do not need an IP address. We would add an IP address to a
switch only for management purposes, and it is configured under the VLAN 1
interface (or the management VLAN interface), NOT on an individual switch
interface. This can also take the form of an sc0 interface in the case of
switches running Catalyst OS.
To connect a hub to a switch, you would use a crossover cable.
Why not a straight-through?
What is the default gateway address for the hosts?
Both the hosts and the switch would use a
default gateway address of 192.168.10.1
E0: 192.168.10.1
192.168.10.2
The default gateway address of the hosts (which allows them to send packets
out of the local network) is always set to a router or layer 3 network address.
The layer 2 switch usually does not perform any routing functions, and would
not be able to route the packet if directed to its IP address.
The switch, when sending packets out of the local network for management
purposes only, needs a default gateway address set to the router as well just
like a host would.
Remember, the IP address and default gateway set on the switch have nothing
to do with a host sending packets out of the local network. Think of the
switch's configuration in the same way as any host that does not route traffic.
The switch simply breaks up collision domains for the local network and the
router is used to connect networks together.
Configuring the Switch IP Address
Switch(config)# interface vlan 1
Switch(config-if)# ip address 192.168.10.2 255.255.255.0
Switch(config-if)# no shutdown
Switch(config-if)# exit
Configures an IP address and subnet mask for the switch
Switch(config)# ip default-gateway 192.168.10.1
Configures the default gateway for the switch
The rest of the commands are similar to a router's IOS,
i.e. copy run start, erase start, show run, passwords, etc.
The IP address is configured differently on the Catalyst switches than it is on
any router: you actually configure it under the VLAN1 interface.
Remember that every port on every switch is a member of VLAN1 by default.
This really confuses a lot of people. You'd think that you would set an IP
address under a switch interface, but no, that's not where it goes!
Remember that you set an IP address for the switch so you can manage the
switch in-band (through the network). You set the ip default-gateway
command so that you can manage the switch from outside the local network.
Remember to also perform a no shut under the VLAN interface.
Testing your understanding
As is true on routers, both the 2950's and 3550's configurations are stored in
NVRAM.
You save the configuration with the copy running-config startup-config
command, and you can erase the contents of NVRAM with the
erase startup-config command.
On a Catalyst OS switch:
Switch (enable)>clear config all
Switch (enable)>reset
show running-config
Switch# sh running-config
Building configuration...
[output cut]
!
interface Vlan1
 ip address 172.16.10.3 255.255.255.0
!
ip default-gateway 172.16.10.2
!
The show running-config command displays the active configuration.
Chapter 1 Lab
Hands-On Lab 1.3 & 1.4
Open your lab books and complete labs 2.5 and 2.6
Chapter 1 Summary
Cisco routers provide a command line interface (CLI)
There are two modes:
-User EXEC
-Privileged EXEC
The enable command is used to enter Privileged EXEC mode from User EXEC mode
Routers contain four types of memory:
-RAM (Random Access Memory)
-ROM (Read Only Memory)
-Flash
-NVRAM (NonVolatile RAM)
Learned CTRL and ESC sequences to manipulate the command line.
Learned the startup sequence of the router.
Chapter 1 Summary (cont.)
Learned how to manipulate / store / restore the router configuration file.
There are several passwords on a Cisco router that control access. Examples are as follows:
-enable
-enable secret
-line VTY # (telnet access)
-console
-auxiliary
Unencrypted passwords can be encrypted in the configuration file so they are not seen as clear text.
Banners can be used to display messages
Default configuration register setting is 0x2102 (0x2142 is used for password recovery)
Advanced IOS Management
Chapter 2
In this chapter, you will learn how to manage Cisco routers on an
internetwork.
The Internetwork Operating System (IOS) and configuration files reside in
different locations in a Cisco device, and it's important to understand where
these files are located and how they work.
You'll also learn about the main components of a router, the router boot
sequence, and the configuration register.
Router as a Computer
Major phases to the router boot-up process:
-Test router hardware
  -Power-On Self Test (POST)
  -Execute bootstrap loader
-Locate & load Cisco IOS software
  -Locate IOS
  -Load IOS
-Locate & load startup configuration file or enter setup mode
  -Bootstrap program looks for configuration file
Router components and their functions:
-CPU - Executes operating system instructions
-Random access memory (RAM) - Contains the running copy of configuration file. Stores routing table. RAM contents lost when power is off
-Read-only memory (ROM) - Holds diagnostic software used when router is powered up. Stores the router's bootstrap program.
-Non-volatile RAM (NVRAM) - Stores startup configuration. This may include IP addresses (Routing protocol, Hostname of router)
-Flash memory - Contains the operating system (Cisco IOS)
-Interfaces - There exist multiple physical interfaces that are used to connect network. Examples of interface types:
  -Ethernet / fast Ethernet interfaces
  -Serial interfaces
  -Management interfaces
Router Boot Cycle
1. Perform power-on self test (POST) from ROM
2. Load and run bootstrap code from ROM
3. Look in NVRAM for config-register setting; default is 0x2102 (tells router where to find IOS and configuration file)
4. Load the Cisco IOS software from flash by default. Use boot system commands to vary
5. Find the startup-config file in NVRAM (if none, broadcast for TFTP host, if fail, go into Setup mode)
6. If configuration file found, copy the file and place in RAM file called running-config
Finding the Cisco IOS Image
Order of search:
1. Checks configuration register
2. Parses configuration for boot system command
3. Defaults to first file in flash memory
4. Attempts to boot from network server
5. Boot helper image
6. ROMMON
[Figure: from the console, show startup-config displays the configuration held in NVRAM and show version displays the configuration register; the IOS image is held in flash]
Loading the Cisco IOS Image from Flash Memory
The flash memory file is loaded into RAM.
[Figure: the IOS image is copied from flash into RAM; show flash, run from the console, lists the files in flash]
show flash command
RouterX#show flash
-#- --length-- -----date/time------ path
1     14951648 Feb 22 2007 21:38:56 +00:00 c2800nm-ipbase-mz.124-5a.bin
2         1823 Dec 14 2006 08:24:54 +00:00 sdmconfig-2811.cfg
3      4734464 Dec 14 2006 08:25:24 +00:00 sdm.tar
4       833024 Dec 14 2006 08:25:38 +00:00 es.tar
5      1052160 Dec 14 2006 08:25:54 +00:00 common.tar
6         1038 Dec 14 2006 08:26:08 +00:00 home.shtml
7       102400 Dec 14 2006 08:26:22 +00:00 home.tar
8       491213 Dec 14 2006 08:26:40 +00:00 128MB.sdf
41836544 bytes available (22179840 bytes used)
Determining the Current Configuration Register Value (show version command)
Cisco IOS Software, 2800 Software (C2800NM-IPBASE-M), Version 12.4(5a), RELEASE SOFTWARE (fc3)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2006 by Cisco Systems, Inc.
Compiled Sat 14-Jan-06 03:19 by alnguyen
ROM: System Bootstrap, Version 12.4(1r) [hqluong 1r], RELEASE SOFTWARE (fc1)
RouterX uptime is 1 week, 5 days, 21 hours, 30 minutes
System returned to ROM by reload at 23:04:40 UTC Tue Mar 13 2007
System image file is "flash:c2800nm-ipbase-mz.124-5a.bin"
Cisco 2811 (revision 53.51) with 251904K/10240K bytes of memory.
Processor board ID FTX1013A1DJ
2 FastEthernet interfaces
2 Serial(sync/async) interfaces
DRAM configuration is 64 bits wide with parity enabled.
239K bytes of non-volatile configuration memory.
62720K bytes of ATA CompactFlash (Read/Write)
Configuration register is 0x2102
Verify the router boot-up process:
-The show version command is used to view information about the router during the bootup process. Information includes:
  -Platform model number
  -Image name & IOS version
  -Bootstrap version stored in ROM
  -Image file name & where it was loaded from
  -Number & type of interfaces
  -Amount of NVRAM
  -Amount of flash
  -Configuration register
Backing up / Restoring the Cisco IOS and Configuration
IOS                 Configuration
copy flash tftp     copy run start
copy tftp flash     copy start run
                    copy run tftp
                    copy tftp run
This slide lists the various commands that can be used to both back up and
restore the IOS and configuration of a device.
Copy IOS to TFTP server
Verify the IOS file name
show version: Displays the IOS file name that the
router is running
show flash: shows all files in flash memory
Verify the host
Can be accessed (ping)
There is space for the file
Location of the file on the server
Directory and naming conventions
Before you upgrade or restore a Cisco IOS, you really should copy the existing
file to a TFTP host as a backup just in case the new image crashes and burns.
You can use any TFTP host to accomplish this. By default, the flash memory
in a router is used to store the Cisco IOS.
But before you back up an IOS image to a network server, you've got to do
these three things:
-Make sure you can access the network server.
-Ensure the network server has adequate space for the code image.
-Verify the file name and path requirement.
On Unix-based TFTP servers it may be necessary to create the file using the
touch command, and change the file security properties by doing a chmod
command.
Copy IOS to TFTP server
Copy the IOS to a TFTP host
Router#copy flash tftp
-IP address of TFTP server
-IOS file name
TFTP server software must be running on the PC
The PC must be on the same subnet as the router's E0 interface
The copy flash tftp command must be supplied the IP address of the PC
RouterX#copy flash tftp:
Source filename []?c2800nm-ipbase-mz.124-5a.bin
Address or name of remote host []? 10.1.1.1
Destination filename [c2800nm-ipbase-mz.124-5a.bin] [enter]
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!<output omitted>
12094416 bytes copied in 98.858 secs (122341 bytes/sec)
RouterX#
To back up the Cisco IOS to a TFTP host, you use the copy flash tftp
command. It's a straightforward command that requires only the source
filename and the IP address of the TFTP host.
The key to success in this backup routine is to make sure that you've got good,
solid connectivity to the TFTP host. Check this by pinging the device from the
router console prompt.
Backing up IOS or Catalyst OS to the TFTP server is a good practice since in
many cases, the IOS will need to be erased to support an upgrade. If problems
are incurred with the upgrade, having the image on a TFTP server will make
restoring the image much easier than having to locate and download it again.
Copy TFTP Flash
Copy the IOS from a TFTP host to a router
(Upgrading an IOS Image from the Network)
Router# copy tftp flash
confirm router non-functionality
source host name
source filename
destination filename
confirm erase flash
What happens if you need to restore the Cisco IOS to flash memory to replace
an original file that has been damaged, or if you want to upgrade the IOS?
No worries: you just download the file from a TFTP host to flash memory by
using the copy tftp flash command. This command requires the IP address
of the TFTP host and the name of the file you want to download.
But before you begin, make sure that the file you want to place in flash
memory is in the default TFTP directory on your host.
When you issue the command, TFTP won't ask you where the file is, so if
the file you want to restore isn't in the default directory of the TFTP host, you
will need to specify the path to the file.
In many cases, files will end in .bin, and some operating systems like
Windows will truncate or hide the file extension. You will still need to specify
this when prompted during the download.
If you don't have enough room in flash memory to store both copies, or if the
flash memory is new and no file has been written to flash memory before, the
router will ask to erase the contents of flash memory before writing the new
file into flash memory. Make sure you have a copy of the image file
somewhere on your TFTP server in case restore becomes necessary.
Cisco IOS copy Command
[Figure: the configuration can be moved between RAM, NVRAM, the terminal and a TFTP server]
-copy running startup: RAM to NVRAM
-copy startup running: NVRAM to RAM (merge)
-copy run tftp: RAM to TFTP server
-copy tftp run: TFTP server to RAM (merge)
-copy start tftp: NVRAM to TFTP server
-copy tftp start: TFTP server to NVRAM
-configure terminal: terminal to RAM (merge)
-erase start: erases the configuration in NVRAM
Cisco IOS copy Command Example
Loading the Configuration
-Load and execute the configuration from NVRAM
-If no configuration is present in NVRAM, enter setup mode
[Figure: IOS loads the configuration from NVRAM into RAM or runs the Setup Utility; from the console, show running-config displays the copy in RAM and show startup-config the copy in NVRAM]
Using the default config register value (0x2102), the router will load the config from
NVRAM at startup.
show and debug Commands
Examples of some show commands:
show ip route
show running-config
show startup-config
show version
show ip interface
show ip interface brief
Examples of some debug commands:
debug ip icmp
debug ip rip
debug ip routing
debug ip ssh
debug ip ospf hello
Considerations When Using debug Commands
-May generate output in a variety of formats that may not identify the problem
-Requires high overhead, possibly disrupting network device operation
-Useful for obtaining information about network traffic and router status
Commands Related to debug
service timestamps debug datetime msec
-Adds a time stamp to a debug or log message
no debug all/undebug all (un all)
-Disables all debug commands
show processes
-Displays the CPU utilization for each process
terminal monitor
-Displays debug output on your current vty session
Backing up the configuration
Copy the configuration to a TFTP host and back
Router# copy running-config tftp
Router# copy tftp running-config
To copy the router's configuration from a router to a TFTP host, you can use
either the copy running-config tftp or the copy startup-config tftp
command.
Either one will back up the router configuration that's currently running in
DRAM, or that's stored in NVRAM.
If you've changed your router's running-config and want to restore the
configuration to the version in startup-config, the easiest way to do this is to
use the copy startup-config running-config command (copy start run for
short).
Note: When you copy or paste a configuration into RAM, the interfaces are
shut down by default. This is especially important if you are configuring the
router for the first time, and will be shipping it out to a location where you will
not have access to it unless the interface is up. To prevent this, insert
no shutdown commands under each interface needed to at least obtain access to
the device.
Fallback
To have the router boot an IOS image from another
source:
Router# config t
Router(config)# boot system flash ios_filename
Router(config)# boot system tftp ios_filename tftp_address
Router(config)# boot system rom
Note: Flash, TFTP server, ROM is the fallback sequence
Cisco routers, by default, load the IOS from Flash memory. However, what
happens if the flash memory fails or the file in flash memory becomes
corrupted?
By default, the Cisco routers will look for a TFTP server to load an IOS from,
and if that fails, the router will load a mini-ios from ROM so that an IOS can
be restored into flash memory.
ROM Monitor Mode
If the IOS in Flash is corrupt or missing and no
network connectivity is available, and the default
fallback procedure fails:
The router will enter ROM monitor mode
System Bootstrap, Version 11.3(2)XA4, RELEASE SOFTWARE
(fc1)
Copyright (c) 1999 by cisco Systems, Inc.
TAC:Home:SW:IOS:Specials for info
C2600 platform with 65536 Kbytes of main memory
rommon 1 >
rommon 2 > confreg 0x2142
You must reset or power cycle for new config to take effect
rommon 3 > i
Remember: when you boot your router and see rommon, this is bad!
Your IOS in flash is missing or corrupt.
In the above example, the router was rebooted and the Ctrl-Break keystroke
was pressed, which took the router into ROM monitor mode.
You would do this to provide password recovery by changing the
configuration register to 0x2142, as shown above.
When you have completed the password recovery, set the configuration
register back to 0x2102 for normal operation.
The default for a router is to look in flash memory for the IOS, and in NVRAM for
the startup-config.
If this fails, the default is to look in flash, then look for a TFTP server on a
network, then run a mini-IOS from ROM.
If all this fails, then the router will load ROM monitor mode.
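A register left at 0x2142 after password recovery makes the router skip its saved startup-config, passwords included, on the next reload, so it is worth checking the last line of show version on every device. The following is an added example, not part of the course material: it decodes the register bits behind 0x2102 and 0x2142 and audits that line. The sample strings with 0x2142 are constructed, and the function names are this example's own.

```python
"""Decode a Cisco configuration register and audit `show version` output."""
import re

BOOT_FIELD_MASK = 0x000F  # bits 0-3: where the router looks for the IOS image
IGNORE_NVRAM = 0x0040     # bit 6: skip the startup-config in NVRAM at boot
BREAK_DISABLED = 0x0100   # bit 8: Break key ignored once the system is running

_CONFREG_RE = re.compile(
    r"Configuration register is (0x[0-9A-Fa-f]+)"
    r"(?: \(will be (0x[0-9A-Fa-f]+) at next reload\))?"
)

# Last lines of the show version output on the slide above.
PAGE_SAMPLE = (
    "62720K bytes of ATA CompactFlash (Read/Write)\n"
    "Configuration register is 0x2102\n"
)
# Constructed samples: a register left in password-recovery state.
LEFT_IN_RECOVERY = "Configuration register is 0x2142\n"
FIX_PENDING = "Configuration register is 0x2142 (will be 0x2102 at next reload)\n"


def decode_confreg(value):
    """Split a 16-bit configuration register into the fields that matter here."""
    boot_field = value & BOOT_FIELD_MASK
    if boot_field == 0:
        boot = "stay in ROM monitor"
    elif boot_field == 1:
        boot = "boot helper image or first image in flash (platform dependent)"
    else:
        boot = "use boot system commands, else the default image in flash"
    return {
        "boot_field": boot_field,
        "boot": boot,
        "ignore_startup_config": bool(value & IGNORE_NVRAM),
        "break_disabled": bool(value & BREAK_DISABLED),
    }


def audit_show_version(text, expected=0x2102):
    """Return a list of findings for the current and the pending register value."""
    match = _CONFREG_RE.search(text)
    if match is None:
        raise ValueError("no 'Configuration register is' line found")
    values = [("current", int(match.group(1), 16))]
    if match.group(2) is not None:
        values.append(("next reload", int(match.group(2), 16)))
    findings = []
    for label, value in values:
        fields = decode_confreg(value)
        reasons = []
        if fields["ignore_startup_config"]:
            reasons.append("bit 6 set, startup-config in NVRAM is ignored at boot")
        if fields["boot_field"] == 0:
            reasons.append("boot field 0, router stays in ROM monitor")
        if not reasons and value != expected:
            reasons.append(f"differs from expected 0x{expected:04x}")
        findings.extend(f"{label} 0x{value:04x}: {reason}" for reason in reasons)
    return findings


if __name__ == "__main__":
    for sample in (PAGE_SAMPLE, LEFT_IN_RECOVERY, FIX_PENDING):
        print(audit_show_version(sample) or "ok")
```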
Auto-Install
To stop a router from attempting to
pull a configuration from another
router or from a network host:
Router(config)# no service config
Router(config)# no boot network
[Figure: an unconfigured router sending ARP on E0 and SLARP on S0]
The auto-install feature is annoying at best. If a router is powered up, has no
configuration and sees Carrier Detect on an interface, it will look for an IP
address by using ARP on a LAN and/or SLARP (serial line ARP) on a serial
interface.
You can disable this feature with the no service config command and the
no boot network command from global configuration mode.
Making Your Router a TFTP Server
To make your router a TFTP server
Router# config t
Router(config)# tftp-server flash: [press tab or ?]
Connect your two routers together with a LAN connection,
then copy the IOS with the copy tftp flash command.
[Figure: two routers connected through their Fa0 interfaces]
Now this is a great feature of a Cisco router! If you do not have a laptop or
other host that can provide TFTP services, you can make a router a TFTP
server with the global configuration command tftp-server flash:.
Making Your Router a DHCP Server
To make your router a DHCP server
Router# config t
Router(config)# ip dhcp pool LAN_A
Router(dhcp-config)# network 192.168.10.0 255.255.255.0
Router(dhcp-config)# default-router 192.168.10.1
Router(dhcp-config)# dns-server 63.10.1.1
Router(dhcp-config)# exit
Router(config)# ip dhcp excluded-address 192.168.10.1
[Figure: a host on the Fa0 segment receives a DHCP address]
This is another great Cisco router feature.
It is important that you understand that the router maps the pool to the interface which has
an IP address in the same subnet as the pool.
In the example above, the fa0 interface must be assigned the IP address 192.168.10.1 or the
pool will not hand out IP addresses to clients.
Cisco Discovery Protocol
Cisco Proprietary
Gathers information about other Cisco
neighbor devices only
Turned on by default on all Cisco routers and
switches
Operates at layer two
Who are your neighbors?
Cisco Discovery Protocol (CDP) is a proprietary protocol designed by Cisco to
help administrators collect information about both locally attached and remote
devices.
By using CDP, you can gather hardware and protocol information about
neighbor devices, regardless of the routed protocols enabled on the interface.
This is very useful information for troubleshooting and documenting your
Cisco-based networks.
Cisco Discovery Protocol
Show commands                Global Config    Interface
show cdp                     cdp holdtime     cdp enable
show cdp neighbors           cdp timer
show cdp neighbors detail    cdp run
show cdp entry *
show cdp interface
show cdp traffic
The show cdp neighbor command (sh cdp nei for short) delivers
information about directly connected devices.
It's important to remember that CDP packets aren't passed through a Cisco
switch, and that you only see what's directly attached. So this means that if
your router is connected to a switch, you won't see any of the devices
hooked to that switch.
Another command that will deliver neighbor information is the show
cdp neighbor detail command (show cdp nei de for short). This command
can be run on both routers and switches, and it displays detailed information
about each device connected to the device you're running the command on.
The show cdp entry * command is the same as show cdp nei detail.
However, on a router or switch, type show cdp entry * ? and you'll see there
are two helpful subcommands you can use.
For externally facing routers, CDP is commonly turned off or disabled for
security reasons.
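One way to check that CDP really is off on external links is to read it out of a saved configuration. The following is an added example, not part of the course material: it works out the effective CDP state per interface from the global cdp run and per-interface cdp enable settings listed above. The sample configuration, the interface names and the choice of which interfaces count as external are constructed assumptions, and the check assumes CDP is on by default on every interface.

```python
"""Report external interfaces that still run CDP in a saved IOS configuration."""

# Constructed sample configuration; names and addresses are made up.
SAMPLE_CONFIG = """\
hostname Edge1
!
interface FastEthernet0/0
 description inside LAN
 ip address 192.168.10.1 255.255.255.0
!
interface Serial0/0
 description link to provider
 ip address 203.0.113.2 255.255.255.252
!
interface Serial0/1
 description second provider link
 ip address 198.51.100.2 255.255.255.252
 no cdp enable
!
interface FastEthernet0/1
 no ip address
 shutdown
!
line vty 0 4
 login
!
end
"""


def parse_config(config_text):
    """Return (cdp_globally_enabled, {interface name: [sub-commands]})."""
    cdp_global = True  # CDP is on by default, so only "no cdp run" is decisive
    interfaces = {}
    current = None
    for raw in config_text.splitlines():
        line = raw.rstrip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None  # "!" or any other global line closes the block
            if line == "no cdp run":
                cdp_global = False
    return cdp_global, interfaces


def cdp_findings(config_text, external):
    """List (interface, reason) for each external interface still sending CDP."""
    cdp_global, interfaces = parse_config(config_text)
    findings = []
    for name in external:
        commands = interfaces.get(name)
        if commands is None:
            findings.append((name, "not present in configuration"))
        elif "shutdown" in commands:
            continue  # administratively down, nothing is advertised
        elif cdp_global and "no cdp enable" not in commands:
            findings.append((name, "CDP enabled"))
    return findings


if __name__ == "__main__":
    # Which interfaces face outside is an assumption of this example.
    print(cdp_findings(SAMPLE_CONFIG, ["Serial0/0", "Serial0/1", "FastEthernet0/1"]))
```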
show cdp neighbors
S1# show cdp neighbor
Device ID    Local Intrfce    Holdtme    Capability    Platform      Port ID
R2           Fas 0/1          170        R S I         Cisco 2811    Fas 0/0
R3           Fas 0/2          178        R             Cisco C804    Eth 0
S2           Fas 0/12         171        S I           WS-C3550-2    Fas 0/2
S2           Fas 0/11         171        S I           WS-C3550-2    Fas 0/1
[Figure: S1 connected to S2 by crossover cable, and to routers R2 and R3]
Who are your neighbors?
Using CDP Example
You can only console into the Vail router and it is not
configured. How can you get the Keystone's IP address so you can
configure Vail with the correct IP address? In addition, HostB needs to
be able to ping the server.
1. You first need to enable the s0/0 interface on the Vail router so you can receive CDP information
Vail>enable
Vail#config t
Vail(config)#int s0/0
Vail(config-if)#no shutdown
2. You need to find the Keystone router's IP address and set the address of the Vail s0/0 to the next address in
the available pool
Vail(config-if)#exit
Vail(config)#exit
Vail#show cdp neighbors detail
3. Once you find the IP address of the Keystone router, configure the Vail interface with the correct IP address:
the next available IP address in the pool.
4. Telnet from the Vail router into the Keystone router and verify the configuration. Enable the F0/0 with a no
shutdown if needed.
5. Finally, open HostB and make sure you can ping the server at 10.1.1.240.
Telnet
From a router prompt:
RouterA# telnet ip_address
Suspending and resuming a telnet session:
RouterB# [ctrl]-[shift]-6 then x
RouterA# show sessions
RouterA# resume <session#>
From a host prompt:
> telnet ip_address
Telnet is a virtual terminal protocol that's part of the TCP/IP protocol suite. It allows you to make
connections to remote devices, gather information, and run programs.
After your routers and switches are configured, you can use the Telnet program to reconfigure
and/or check up on your routers and switches without using a console cable.
You run the Telnet program by typing telnet from any command prompt (DOS or Cisco).
In order to be able to remotely telnet to your router or switch, you have to have the VTY passwords
set. Otherwise, the router or switch will prompt that password is not set, and not permit the remote
login.
If you telnet to a router or switch, you can end the connection by typing exit at any time, but what if
you want to keep your connection to a remote device but still come back to your original router
console?
To do that, you can press the Ctrl+Shift+6 key combination, release it, and then press X.
Another common practice is to telnet and specify a port or socket. This is useful when accessing a
device hanging off of a terminal server, or when testing listener ports or firewall access rules.
Router# telnet 10.10.10.10 80
Open
The "Open" response indicates the port is listening, and access is not blocked by a firewall or ACL.
Another telnet method is to telnet to the host, and specify a source address. This can be useful when
trying to verify routing to a specific subnet or host address on the router. An example would be:
telnet 10.10.10.10 /source-interface Ethernet0/0
Telnet (cont.)
show sessions: displays your open sessions
disconnect: closes current session open by you
show users: shows connection open by a
remote device
clear line: closes a session open by a remote
device
terminal monitor: displays console output to a
telnet session
To see the connections made from your router to a remote device, use the
show sessions command.
You can list all active consoles and VTY ports in use on your router with the
show users command.
You can end Telnet sessions a few different ways; typing exit or disconnect is
probably the easiest and quickest.
The console port always displays console messages. When you access the router or
Catalyst IOS switch through a telnet/VTY session, the terminal monitor command
displays all console output in the telnet session.
Resolving Host Names
Building a Hosts table
Router(config)# ip host hostname ip_address
Router(config)# ip host RouterC 172.16.40.2
Verify the Hosts table
Router# show hosts
The show hosts command shows temporary DNS
entries and permanent IP host entries
DNS Server
Router(config)# ip domain-lookup
Router(config)# ip name-server <ip address> (up to 6)
Router(config)# ip domain-name lammle.com
In order to use a hostname rather than an IP address to connect to a remote
device, the device that you are using to make the connection must be able to
translate the hostname to an IP address.
There are two ways to resolve hostnames to IP addresses: building a host table
on each router or building a Domain Name System (DNS) server, which is
kind of like a dynamic host table.
A host table provides name resolution on the router that it was built upon only.
The command to build a host table on a router is:
ip host name tcp_port_number ip_address
The default is TCP port number 23 but you can create a session using Telnet
with a different TCP port number if you want. You can also assign up to eight
IP addresses to a hostname.
And to see the newly built host table, just use the show hosts command,
which shows the temporary DNS entries and permanent IP host entries.
In lab scenarios, or when you will be performing many commands from
EXEC, you may want to use the no ip domain-lookup command. This is
usually a huge timesaver, especially if you make syntax errors while typing.
Without it turned off, the time it takes to perform the lookup on a bogus
command may seem like an eternity. To turn lookups off, enter the following
command in global configuration mode:
no ip domain-lookup
Basic Testing
Router# ping
Uses ICMP echo request and replies. Can be used
from user mode and privilege mode, but not from
configuration mode. Extended mode provides
multiple protocol ping support.
Router# traceroute (Microsoft uses tracert)
Uses TTL timeouts with ICMP error messages to find
the path a packet takes through an internetwork.
Can be used from user mode and privilege mode,
but not from configuration mode.
You can use the ping and traceroute commands to test connectivity to remote
devices, and both of them can be used with many protocols, not just IP.
Although the router may use ICMP for traceroute, many hosts use the UDP
version. This can return inconsistent results when traversing a firewall and
needs to be kept in mind when obtaining traceroute information from system
administrators.
Show/ping/traceroute
Troubleshooting LAN Connectivity Problems
[Figure: OSI layers (Application, Presentation, Session, Transport, Network, Data Link, Physical) shown beside the test tools: Telnet, FTP, HTTP; ping, trace, show ip route; show interface]
The best network test would be telnet, FTP or even HTTP between two hosts.
If you can use an upper layer application between two hosts, you know they
are working end-to-end.
Remember: tracert and ipconfig are Windows commands, not Cisco
commands!
Note: If you can ping and telnet into a server but cannot access the server via
its network name, you probably have some type of DNS failure.
IP Troubleshooting
You can't telnet to your router. You
think there may be a problem with
your protocol stack.
Which IP address should you ping to
verify your local IP stack?
ping 127.0.0.1
127.0.0.1 is the loopback address
Chapter 2 Lab
Hands-on Lab 2.1
through 2.4
Open your lab books and complete hands-on lab 3.1 through 3.4
Chapter 2 Summary
Learned how to backup / restore router configurations and IOS
images.
Sample commands are as follows:
copy tftp startup (restores configuration from tftp server)
copy startup tftp (saves a copy of the config to a tftp
server)
copy tftp flash (copies an IOS image to the router)
copy flash tftp (copies an IOS image to a tftp server)
Learned about telnet and console connection management.
Learned basic testing tools (ping and traceroute).
Cisco Discovery Protocol (CDP) - Works at layer 2 to discover
other Cisco devices. Works even if no layer 3 addresses are
configured.
WANS
Chapter 11
Cisco IOS can support many different WAN protocols that can help
you extend your LANs to other LANs at remote sites. Connecting company
sites together so information can be exchanged is imperative in today's
economy. However, it would take a truckload of money to put in your own
cable or connections to connect all of your company's remote locations.
Service providers allow you to lease or share connections that they already
have installed, which can save money and time.
It is important to understand the different types of WAN support provided by
Cisco. Although this chapter does not cover every type of Cisco WAN
support, it does cover the HDLC, PPP, Frame Relay, and ISDN protocols.
WAN Terms
[Figure: Provider network, Demarc, CPE, Local Loop, CO, CSU/DSU]
CO = Central Office
CPE = Customer Premises Equipment
WAN: a data communication network covering a broad geographic area,
typically using rented transmission facilities.
Demarc: The boundary between the customer's in-house wiring and the
service provider's wiring. It's the demarcation point, or the end of
responsibility for the service provider.
CPE: Customer Premises Equipment refers to all wiring and equipment on the
customer's side of the Demarc.
Local loop: The wiring running from the Demarc to the CO.
CO: (Central Office) The point where the local loop gains access to the
service provider's high speed trunk lines. This is often referred to as a POP, or
Point of Presence.
Typical WAN Encapsulation Protocols
In order to exchange traffic over a WAN link, the packets must be
encapsulated into a Layer 2 frame. There are a variety of Layer 2
encapsulation types available that can be used, depending on the WAN
connection being used. Some of the types are listed in the figure.
Encapsulation must be configured on the router when configuring the
interface. Some of these encapsulation types will be seen again in the
following chapters.
In an ISDN environment, the Point-to-Point Protocol (PPP) is the B channel's
Layer 2 encapsulation. Link Access Procedure on the D channel (LAPD) is the
encapsulation for the D channel.
Either the proprietary Cisco encapsulation or the Internet Engineering Task
Force (IETF) encapsulation (defined in RFC 1490) is the Layer 2 encapsulation
for Frame Relay.
What is a VPN?
Virtual: Information within a private network is transported
over a public network.
Private: The traffic is encrypted to keep the data confidential.
IPsec acts at the network layer, protecting and authenticating IP packets between
participating IPsec devices (peers), such as other PIX Firewalls, Cisco routers, VPN 3000
Concentrator Series, Cisco Secure VPN Client, and other IPsec-compliant products. IPsec is
a framework of open standards that provides data confidentiality, data integrity, and data
authentication between participating peers at the IP layer. IPsec encompasses a suite of
protocols. It is not bound to any specific encryption or authentication algorithms, key
generation technique, or security association. IPsec supplies the rules while existing
algorithms provide the encryption, authentication, key management, and so on. In this way,
IPsec can allow the use of updated algorithms and key techniques without patching the
IPsec protocol. In this topic, we'll discuss how those open standards provide data
confidentiality, integrity, and authentication.
Benefits of VPN
- Cost
- Security
- Scalability
[Figure: HQ, SOHO, Branch Office and Mobile User; Internet versus Traditional Layer 2 WAN]
The first VPN solution is remote access. Remote access is targeted to mobile users and
home telecommuters. Most people have access to the Internet from their homes, so why not
take advantage of it? In the past, corporations supported remote users via dial-in networks.
This typically necessitated a toll, or 1-800, call to access the corporation. With the advent
of VPNs, a mobile user can make a local call to their ISP to access the corporation via the Internet
wherever they may be. It is an evolution of dial networks. Remote access VPN can support
the needs of telecommuters, mobile users, extranet consumer-to-business, and so on.
Synchronous vs Asynchronous
Synchronous
Precise clocking must be provided between
communicating devices to coordinate
sending/receipt of data signals
Asynchronous
No precise clocking, uses stop and start bits to
indicate presence of data signals
Typical WAN Protocols
[Figure labels: Telephone company, Service provider; Circuit-switched, Dedicated, Packet-switched; PPP, SLIP; PPP, HDLC, SLIP; X.25, Frame Relay, ATM]
Note: Cisco says the typical Layer-two encapsulations are HDLC, PPP
and Frame Relay
Other encapsulations not shown include AppleTalk Remote Access Protocol
(ARAP), CSLIP, or Synchronous Data Link Control (SDLC).
Dedicated:
- Pre-established, permanent path
- Ideal for high volume, steady rate traffic
- Usually expensive
- 56K to 45Mbps (T3) speeds
Circuit Switched:
- Used in dial on demand environments
- Short term, low volume, periodic traffic
- Useful as backup connection
- 28K to 1.544Mbps speeds
Packet Switched:
- Provides long connect times over large distances
- Long term, high volume traffic
- Less expensive than dedicated lines but uses shared bandwidth
- 56K to 45Mbps (T3) speeds
HDLC
High-level Data-Link Control
Cisco default encapsulation for serial links
[Figure: Dedicated Link, HDLC]
The High-Level Data-Link Control protocol (HDLC) is a popular ISO-standard,
bit-oriented Data Link layer protocol. It specifies an encapsulation
method for data on synchronous serial data links using frame characters and
checksums. HDLC is a point-to-point protocol used on leased lines. No
authentication can be used with HDLC.
HDLC is the default encapsulation used by Cisco routers over synchronous
serial links. Let's repeat that: HDLC is the default encapsulation used by
Cisco on synchronous serial links. Cisco's HDLC is proprietary (it won't
communicate with any other vendor's HDLC implementation), but don't give
Cisco grief for it; everyone's HDLC implementation is proprietary.
HDLC Frame Format
Cisco HDLC: Flag | Address | Control | Proprietary | Data | FCS | Flag
Proprietary LLC Header: identifies Network layer protocols
HDLC is the default layer 2 protocol for Cisco router serial interfaces. Cisco's
proprietary enhancement to HDLC incorporates a protocol or type field to
allow multiple protocols to be carried on a single link.
HDLC Command
Router# config t
Router(config)# int s0
Router(config-if)# encapsulation hdlc
Enable hdlc encapsulation if disabled
[Figure: HDLC, S0]
An Overview of PPP
- Non-Proprietary HDLC encapsulation
- PPP uses Network Control Protocol (NCP) in the LLC header to negotiate the Network layer protocols to be used during a connection
- PPP controls the setup of several link options using Link Control Protocol (LCP) at the MAC sub layer
- PPP provides error correction and can encapsulate several routed protocols
PPP (Point-to-Point Protocol) is a data-link protocol that can be used over
either asynchronous serial (dial-up) or synchronous serial (ISDN) media and
that uses the LCP (Link Control Protocol) to build and maintain data-link
connections.
The basic purpose of PPP is to transport layer-3 packets across a Data Link
layer point-to-point link.
- Synchronous Serial
- Asynchronous Serial (analog dialup)
- Dynamic addressing
PPP does not work by default on Token Ring and Ethernet LANs. You must
run PPoE and PPoT (tunneling).
PPP Architecture
OSI layer   PPP stack
3           Upper-layer protocols (IP, IPX, AppleTalk)
2           Network Control Protocol (NCP)         LLC
            Link Control Protocol (LCP)            MAC
            High-Level Data Link Control (HDLC)
1           Physical Layer (such as EIA/TIA-232, V.24, V.35, ISDN)
PPP contains four main components:
EIA/TIA-232-C: A Physical layer international standard for serial communication.
HDLC: A method for encapsulating datagrams over serial links.
LCP: A method of establishing, configuring, maintaining, and terminating the
point-to-point connection.
NCP: A method of establishing and configuring different Network layer protocols.
PPP is designed to allow the simultaneous use of multiple Network layer
protocols. Some examples of protocols here are IPCP (Internet Protocol
Control Protocol) and IPXCP (Internetwork Packet Exchange Control
Protocol).
PPP LCP Options
- Authentication (PAP, CHAP)
- Callback
- Compression (Predictor, Stacker)
- Multilink
[Figure: High-Level Data Link Control (HDLC), Link Control Protocol (LCP)]
Note: PPP can provide error correction at the Data Link Layer
Link Control Protocol offers different PPP encapsulation options, including
the following:
Authentication
This option tells the calling side of the link to send information that can
identify the user. The two methods are PAP and CHAP.
Compression
This is used to increase the throughput of PPP connections by compressing the
data or payload prior to transmission. PPP decompresses the data frame on the
receiving end.
Error detection
PPP uses Quality and Magic Number options to ensure a reliable, loop-free
data link.
Multilink
Starting in IOS version 11.1, multilink is supported on PPP links with Cisco
routers. This option allows several separate physical paths to appear to be one
logical path at layer 3. For example, two T-1s running multilink PPP would
appear as a single 3Mbps path to a layer-3 routing protocol.
PPP Session Establishment
The following are the steps in PPP
session establishment in correct order:
1. Link establishment
2. Network layer protocol configuration
3. Optional authentication phase
When PPP connections are started, the links go through three phases of session
establishment:
Link-establishment phase
LCP packets are sent by each PPP device to configure and test the link. The
LCP packets contain a field called the Configuration Option that allows each
device to see the size of the data, compression, and authentication. If no
Configuration Option field is present, then the default configurations are used.
Authentication phase
If required, either CHAP or PAP can be used to authenticate a link.
Authentication takes place before Network layer protocol information is read.
Network layer protocol phase
PPP uses the Network Control Protocol to allow multiple Network layer
protocols to be encapsulated and sent over a PPP data link.
Network Control Protocol (NCP)
Identifies the Network layer protocol which
allows PPP to encapsulate several routed
protocols
Provides error correction
Each protocol gets its own NCP header:
IPCP, CDPCP, IPXCP
PPP Encapsulation
To enable PPP on your serial interfaces, use
the following command:
Router# config t
Router(config)# interface serial0
Router(config-if)# encapsulation PPP
Configuring PPP encapsulation on an interface is a fairly straightforward
process.
Three Steps to PPP Authentication
Step one: Make sure a hostname is set on all routers
Router(config)# hostname name
Step two: Create a username using the hostnames
of all connected routers. The password must be the
same on all routers
Router(config)# username name password password
After you configure your serial interface to support PPP encapsulation, you
can then configure authentication using PPP between routers.
First set the hostname of the router if it is not already set.
Then set the username and password for the remote router connecting to your
router.
Step Three: Add PPP Authentication to
the interface
Router(config-if)# ppp authentication
{chap | chap pap | pap chap | pap}
PAP
- authenticates only at start of session
- sends password in clear text
CHAP
- authenticates at the start of a session and throughout its duration
- passwords are never sent over the wire, rather an encrypted hash value is exchanged and compared
There are two types of authentication protocols: PAP and CHAP.
PAP provides a simple method for a remote node to establish its identity using
a two-way handshake.
PAP is done only upon initial link establishment.
PAP is not a strong authentication protocol. It provides no encryption. It may
be fine in DDR environments when the password changes each time a user
authenticates.
CHAP is the preferred protocol.
CHAP is done upon initial link establishment and can be repeated any time
after the link has been established.
CHAP transactions occur only when a link is established. The local access
server does not request a password during the rest of the session.
(The local access server can, however, respond to such requests from other
devices during a session.)
CHAP is specified in RFC 1334. It is an additional authentication phase of the
PPP Link Control Protocol.
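What each protocol actually puts on the link, as an added example that is not part of the course material: it builds a PAP Authenticate-Request and a CHAP challenge/response exchange and checks which frames contain the shared password. It assumes the MD5 form of CHAP defined in RFC 1994; the router names and password come from the course's CHAP example, and the class and function names are illustrative.

```python
import hashlib
import hmac
import os
import struct

# Lab values taken from the course's CHAP configuration example.
LOCAL_NAME, PEER_NAME, SECRET = b"p1r1", b"p1r2", b"sameone"


def pap_request(ident: int, peer_id: bytes, password: bytes) -> bytes:
    """PAP Authenticate-Request: the password travels exactly as typed."""
    body = bytes([len(peer_id)]) + peer_id + bytes([len(password)]) + password
    return struct.pack("!BBH", 1, ident, 4 + len(body)) + body


def chap_packet(code: int, ident: int, value: bytes, name: bytes) -> bytes:
    """CHAP Challenge (code 1) or Response (code 2) packet."""
    body = bytes([len(value)]) + value + name
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body


def chap_hash(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """CHAP-MD5 response value: MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


def chap_respond(challenge: bytes, name: bytes, secret: bytes) -> bytes:
    """The peer's answer to a Challenge packet."""
    _, ident, _ = struct.unpack("!BBH", challenge[:4])
    value = challenge[5:5 + challenge[4]]
    return chap_packet(2, ident, chap_hash(ident, secret, value), name)


class ChapAuthenticator:
    """The side that issues challenges (p1r1 in this sketch)."""

    def __init__(self, name: bytes, secrets: dict):
        self.name = name
        self.secrets = secrets      # peer hostname -> shared secret
        self.pending = {}           # identifier -> outstanding challenge
        self.next_id = 0

    def challenge(self) -> bytes:
        ident = self.next_id
        self.next_id = (self.next_id + 1) % 256
        value = os.urandom(16)      # fresh and unpredictable every time
        self.pending[ident] = value
        return chap_packet(1, ident, value, self.name)

    def verify(self, response: bytes) -> bool:
        code, ident, length = struct.unpack("!BBH", response[:4])
        size = response[4]
        value, name = response[5:5 + size], response[5 + size:length]
        issued = self.pending.pop(ident, None)      # each challenge is single use
        secret = self.secrets.get(name)
        if code != 2 or issued is None or secret is None:
            return False
        return hmac.compare_digest(chap_hash(ident, secret, issued), value)


def demo() -> dict:
    auth = ChapAuthenticator(LOCAL_NAME, {PEER_NAME: SECRET})
    wire = []                                   # everything an observer sees

    c1 = auth.challenge()
    r1 = chap_respond(c1, PEER_NAME, SECRET)
    wire += [c1, r1]
    good = auth.verify(r1)

    # Re-challenge later in the session: the old hash no longer fits.
    c2 = auth.challenge()
    replayed = chap_packet(2, c2[1], r1[5:5 + r1[4]], PEER_NAME)
    wire += [c2, replayed]
    replay = auth.verify(replayed)

    c3 = auth.challenge()
    wrong = auth.verify(chap_respond(c3, PEER_NAME, b"otherone"))

    pap = pap_request(1, PEER_NAME, SECRET)
    return {
        "chap_ok": good,
        "replay_ok": replay,
        "wrong_secret_ok": wrong,
        "secret_in_chap_frames": any(SECRET in frame for frame in wire),
        "secret_in_pap_frame": SECRET in pap,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```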
Configuring PPP CHAP Example
[Figure: p1r1 router and p1r2 router; PSTN/ISDN]
! p1r1
hostname p1r1
username p1r2 password sameone
interface serial 0
 ip address 10.0.1.1 255.255.255.0
 encapsulation ppp
 ppp authentication chap
! p1r2
hostname p1r2
username p1r1 password sameone
interface serial 0
 ip address 10.0.1.2 255.255.255.0
 encapsulation ppp
 ppp authentication chap
You cannot have HDLC on one router and PPP on another.
Keep in mind how the hostname is used in this configuration: wherever it is
referenced, the configuration will need to be updated if someone changes the
router's hostname.
Another note is that CHAP uses a level 7 password that can be cracked if
someone accesses the router configuration.
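A check of the three authentication steps across both routers, as an added example that is not part of the course material: it parses the two configurations above and reports a missing or mis-cased peer username, differing passwords, PAP being permitted, and an encapsulation mismatch. The function names and the broken variant are constructed for the illustration, and the parser only understands the handful of commands used on this page.

```python
import re

# The two configurations from the course example.
P1R1 = """\
hostname p1r1
username p1r2 password sameone
interface serial 0
 ip address 10.0.1.1 255.255.255.0
 encapsulation ppp
 ppp authentication chap
"""
P1R2 = """\
hostname p1r2
username p1r1 password sameone
interface serial 0
 ip address 10.0.1.2 255.255.255.0
 encapsulation ppp
 ppp authentication chap
"""
# Constructed counter-example: wrong case in the username, PAP listed first.
BROKEN_P1R2 = """\
hostname p1r2
username P1R1 password sameone
interface serial 0
 ip address 10.0.1.2 255.255.255.0
 encapsulation ppp
 ppp authentication pap chap
"""

USER = re.compile(r"username (\S+) password (?:([07]) )?(\S+)$")


def parse_config(text):
    """Pull out the hostname, username entries and per-interface PPP settings."""
    cfg = {"hostname": None, "users": {}, "interfaces": {}}
    iface = None
    for raw in text.splitlines():
        line = raw.strip()
        words = line.split()
        if not words or line.startswith("!"):
            continue
        user = USER.match(line)
        if words[0] == "hostname" and len(words) == 2:
            cfg["hostname"], iface = words[1], None
        elif user:
            name, enc_type, value = user.groups()
            cfg["users"][name] = (enc_type or "0", value)
            iface = None
        elif words[0] == "interface":
            # Serial links stay on the HDLC default until told otherwise.
            iface = {"encapsulation": "hdlc", "auth": []}
            cfg["interfaces"]["".join(words[1:]).lower()] = iface
        elif iface is not None and words[0] == "encapsulation" and len(words) > 1:
            iface["encapsulation"] = words[1].lower()
        elif iface is not None and words[:2] == ["ppp", "authentication"]:
            iface["auth"] = [w for w in words[2:] if w in ("chap", "pap")]
    return cfg


def check_ppp_link(cfg_a, cfg_b, ifname="serial0"):
    """Return a list of problems with the PPP/CHAP setup between two routers."""
    findings, encaps = [], []
    for local, remote in ((cfg_a, cfg_b), (cfg_b, cfg_a)):
        me, peer = local["hostname"], remote["hostname"]
        iface = local["interfaces"].get(ifname, {"encapsulation": None, "auth": []})
        encaps.append(iface["encapsulation"])
        if iface["encapsulation"] == "ppp" and not iface["auth"]:
            findings.append(f"{me}: PPP enabled without authentication")
        if "pap" in iface["auth"]:
            findings.append(f"{me}: PAP permitted, password crosses the link in clear text")
        # The peer's hostname is looked up as a username, case-sensitively.
        if peer not in local["users"]:
            findings.append(f"{me}: no username entry for peer hostname '{peer}'")
    if encaps[0] != encaps[1]:
        findings.append(f"encapsulation mismatch: {encaps[0]} vs {encaps[1]}")
    entry_a = cfg_a["users"].get(cfg_b["hostname"])
    entry_b = cfg_b["users"].get(cfg_a["hostname"])
    if entry_a and entry_b:
        if "7" in (entry_a[0], entry_b[0]):
            findings.append("type 7 password stored: compare the secrets as entered")
        elif entry_a[1] != entry_b[1]:
            findings.append("shared password differs between the two routers")
    return findings


if __name__ == "__main__":
    print(check_ppp_link(parse_config(P1R1), parse_config(P1R2)))
    for problem in check_ppp_link(parse_config(P1R1), parse_config(BROKEN_P1R2)):
        print(problem)
```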
Chapter 11 Lab
Hands-on Lab 11.1
Open your lab books and complete Lab 11.1
Frame Relay
Chapter 11 Continued
As a CCNA, you need to understand the basics of this technology and be able
to configure it in simple scenarios. Realize that we are only introducing frame
relay here; this technology is much deeper than we will explore in our current
discussion.
Frame Relay Overview
[Figure: CSU/DSU; two links marked "Frame Relay works here"]
Frame Relay uses high-quality digital lines and is packet switched
Frame Relay is used between the customer premises equipment (CPE) device
and the Frame Relay switch. It does NOT affect how packets get routed within
the Frame Relay cloud.
Frame Relay is a purely Layer 2 protocol.
The network providing the Frame Relay service can be either a carrier-
provided public network or a network of privately owned equipment serving a
single enterprise. It is more common to have a publicly provided frame relay
network than to have a single enterprise attempt to manage or maintain their
own frame relay network.
Frame Relay Stack
OSI Reference Model   Frame Relay
Application
Presentation
Session
Transport
Network               IP/IPX/AppleTalk, etc.
Data Link             Frame Relay
Physical              EIA/TIA-232, EIA/TIA-449, V.35, X.21, EIA/TIA-530
The same serial standards that support point-to-point serial connections also
support Frame Relay serial connections.
Frame Relay operates at the data link layer.
Frame Relay supports multiple upper-layer protocols.
Instead of this...
Dedicated/Leased lines
to each location
$$$
We get this...
Frame Relay: statistically multiplexing
multiple logical circuits over
a single physical connection
Frame Relay creates a cost-effective mesh network
One of the big selling points of frame relay is the cost savings it provides by
giving network administrators the capability to oversubscribe or share their
backbone links between several branch offices.
Frame Relay PVC (DLCI)
[Figure: circuits labeled DLCI: 17, DLCI: 16 and DLCI: 18]
DLCI identifies the
circuit from the router
to the FR switch
This figure provides an overview of terminology so that the student is prepared
to understand the Frame Relay operation discussion.
The DLCI is of local significance; therefore, point out that the same DLCI can
be used in multiple places in the network.
The autosensing LMI is in release 11.2 and later.
Frame Relay connections are made using PVCs. The circuits are identified by
the DLCI assigned by the service provider.

DLCIs are locally significant
Figure labels: Router 1, Router 2, Router 3; DLCI 16, DLCI 17, DLCI 99, DLCI 28
DLCI 17 is the layer 2 address used by Router 2 to describe a PVC to Router 3

Frame Relay Mapping
Figure labels: CSU/DSU; PVC, DLCI: 16; 172.16.10.1/24
Note: DLCIs identify the logical circuit between the local router and a Frame Relay switch and are considered locally significant.
This figure illustrates mapping the data-link connection identifier (DLCI) to
the network layer address such as IP.
The DLCI is of local significance, therefore, point out that the same DLCI can
be used in multiple places in the network. Frame Relay connections are made
using PVCs. The circuits are identified by the DLCI assigned by the service
provider.
Static mapping can be configured instead of inverse ARP.

LMI
Local Management Interface
  Signaling standard between the CPE and Frame Relay switch
  Responsible for managing the connection and maintaining status between the devices
  Sends keepalives every 60 seconds to ensure that the PVC does not shut down because of inactivity
  Indicates the status of a VC as one of:
    Active
    Inactive
    Deleted
  Multicasts
LMI is a signaling standard used between your router and the first Frame Relay
switch it is connected to. It allows for passing of information regarding
operation and status of the VC between the provider's network and the DTE
(your router).

LMI Standards
Cisco supports three LMI standards:
  ansi - ANSI T1.617 Annex D
  q933a - ITU-T Q.933 Annex A
  cisco - "The gang of four": Cisco, StrataCom, DEC, Nortel
Cisco supports two Frame Relay encapsulation standards:
  ietf - use when connecting to a non-Cisco device across a Frame Relay network
  cisco - default encapsulation, includes protocol fields in the header
If you're not going to use the auto-sense feature, you'll need to check with
your Frame Relay provider to find out which type to use instead. On Cisco
equipment, the default type is Cisco, but you may need to change to ANSI or
Q.933A if so instructed by your service provider. The three different LMI
types are depicted in the following router output:
  Cisco - LMI defined by the Gang of Four (default).
  ANSI - Annex D defined by ANSI standard T1.617.
  ITU-T (q933a) - Annex A defined by Q.933.
When configuring Frame Relay on Cisco routers, you need to specify it as an
encapsulation on serial interfaces.
When you configure frame relay, you specify an encapsulation of frame relay.
However, unlike HDLC or PPP, with frame relay there are two encapsulation
types: Cisco and IETF (Internet Engineering Task Force).

LMI and Encapsulation
Figure labels: LMI, Encapsulation (Cisco default), LMI
Note: LAPF is used to transport Frame Relay traffic
Local Management Interface (LMI) is a signaling standard used between the
customer premise equipment (CPE) device, and a frame relay switch. It is
responsible for managing and maintaining status between these two devices.

Frame Relay Inverse ARP and LMI Operation
Note: Inverse ARP maps a known DLCI to an IP address
This figure describes the Inverse ARP and LMI process.
The LMI connection is established by the frame-relay lmi-type [ansi | cisco | q933a]
command. The default values established during initial setup are usually sufficient to
maintain connectivity with the Frame Relay network. Altering these values would only be
required in case of intermittent failures. Changing the default values of the LMI should only
be attempted after consulting with your service provider.
These configuration steps are the same, regardless of the network-layer protocols operating
across the network.

Configuring Basic Frame Relay
Figure labels: Cisco Router, 3Com Router; HQ, Branch

interface Serial0
 ip address 10.16.0.1 255.255.255.0
 encapsulation frame-relay ietf
 bandwidth 64
 frame-relay interface-dlci 100

interface Serial0
 ip address 10.16.0.2 255.255.255.0
 encapsulation frame-relay ietf
 bandwidth 64
 frame-relay lmi-type ansi
 frame-relay interface-dlci 200

Configuring a Static Frame Relay Map
Figure labels: HQ, Branch; DLCI=110, IP address=10.16.0.1/24; p1r1; DLCI=100, IP address=10.16.0.2/24

interface Serial1
 ip address 10.16.0.1 255.255.255.0
 encapsulation frame-relay
 bandwidth 64
 frame-relay map ip 10.16.0.2 110 broadcast
 frame-relay interface-dlci 110

Note: Configure static maps if the remote Frame Relay router does NOT support Inverse ARP
We can use the frame-relay map command to configure multiple DLCIs to be
multiplexed over one physical link. Instead of using Inverse ARP, the Frame
Relay map tells the Cisco IOS software how to get from a specific protocol
and address pair to the correct DLCI.
The simplest way to generate a static map is to let the router learn the
information dynamically first. Some users let the router learn the information
dynamically, then enable static maps for easier network administration.
These configuration steps are the same, regardless of the network-layer
protocols operating across the network.
Although static maps are not needed when Inverse ARP is enabled, it is a good
idea to configure them for each connection for easier network administration.
Most modern Frame Relay networks use point-to-point or point-to-multipoint
interfaces, which give network administrators a great deal more control and
flexibility.

Configuring Address Mapping
Figure labels: Central site 10.16.0.1/24; VC to Branch 10.16.0.2/24 (DLCI to Branch=110); VC to Non-Cisco 10.16.0.3/24 (DLCI to Non-Cisco=120)

Central(config)# interface Serial1
Central(config-if)# ip address 10.16.0.1 255.255.255.0
Central(config-if)# encapsulation frame-relay
Central(config-if)# bandwidth 56
Central(config-if)# frame-relay map ip 10.16.0.2 110 broadcast
Central(config-if)# frame-relay map ip 10.16.0.3 120 broadcast ietf
Central(config-if)# frame-relay interface-dlci 110
Central(config-if)# frame-relay interface-dlci 120
Note: The broadcast option allows packets, such as RIP updates,
to be forwarded across the PVC
This figure discusses the static map command option:
You can use the frame-relay map command to configure multiple
DLCIs to be multiplexed over one physical link. Instead of using Inverse
ARP, the Frame Relay map tells the Cisco IOS software how to get from
a specific protocol and address pair to the correct DLCI.
This command is similar to building a static route.
The simplest way to generate a static map is to let the router learn the
information dynamically first. Some users let the router learn the
information dynamically, then enable static maps for easier network
administration.
These configuration steps are the same, regardless of the network-layer
protocols operating across the network.
Although static maps are not needed when Inverse ARP is enabled, it is
a good idea to configure them for each connection for easier network
administration.

Frame Relay Topology
Figure labels: Hub and spoke, Full mesh, Partial mesh
Frame Relay default: nonbroadcast multiaccess (NBMA)
By default, interfaces that support Frame Relay are multipoint connection
types. This type of connection is not a problem when only one PVC is
supported by a single interface; however, it is a problem when multiple PVCs
are supported by a single interface. In this situation, broadcast routing updates
received by the central router cannot be broadcast to the other remote sites.
Broadcast routing updates are issued by distance vector protocols. Link-state
and hybrid protocols use multicast and unicast addresses.
One concern about a Frame Relay network is how to handle broadcast traffic.
Because Frame Relay is not a broadcast network by design, the distribution of
broadcast traffic can only be accomplished by sending the same message to
each virtual connection. This method requires considerable resource allocation
within the router.

Routing Update Problems
Figure labels: PVC #1, PVC #2; B; S0; Routing update
This figure continues the discussion of the need for subinterfaces.
Partial mesh Frame Relay networks must deal with the case of split horizon
not allowing routing updates to be retransmitted on the same interface from
which they were received. Split horizon cannot be disabled for certain
protocols such as AppleTalk.
Split horizon issues are overcome through the use of logical subinterfaces
assigned to the physical interface connecting to the Frame Relay network.
A physical interface can be divided into multiple, logical interfaces. Each
logical interface is individually configured and is named after the physical
interface. A decimal number is included to distinguish it.
The logical port names contain a decimal point and another number, indicating
that these are subinterfaces of interface serial 0 (S0).
Subinterfaces are configured by the same configuration commands used on
physical interfaces.
Frame Relay can simulate a broadcast environment by transmitting the data
on each individual circuit. This simulated broadcast requires significant
buffering and CPU resources in the transmitting router, and can result in lost
user data because of contention for the circuits.

Resolving Split-Horizon Issues
Figure labels: Subnet A, Subnet B; physical interface S0; subinterfaces S0.10, S0.30; other interface labels S1, S0, S0, S0
Although subinterfaces are used, the logical networks are designed as though they are a point-to-point dedicated connection
This figure defines subinterfaces and how they can resolve NBMA issues.
You can have connectivity problems in a Frame Relay network if the
following conditions exist:
You are using an NBMA model.
Your configuration is in a partial mesh.
You are using a distance vector routing protocol.
Split horizon is enabled on the routing protocol.
If the routing protocol is configured with split horizon, routing updates from
one router connected on the multipoint subinterface are not propagated to
other routers connected on this multipoint subinterface. For example, if router
C sends a routing update, this split horizon will keep this update from being
sent back out the subinterface to router D.
To resolve this problem you can do the following:
Use Frame Relay subinterfaces to overcome the split horizon problem.
Use a routing protocol that supports disabling split horizon.
Use this configuration if you want to save IP address space.
You can also use this type of configuration with several fully meshed groups.
Routing updates will be exchanged between the fully meshed routers.

Configuring Subinterfaces
Multipoint
  Subinterfaces act as default NBMA network
  Can save subnets because it uses a single subnet
  Good for full-mesh topology
Point-to-point
  Subinterfaces act as leased line
  Each point-to-point connection requires its own subnet
  Good for star or partial-mesh topologies
Note: At the customer site there is a single electrical interface that appears to be many distinct interfaces to other sites
You can have multiple virtual circuits on a single serial interface and yet treat
each as a separate interface. This is accomplished by creating subinterfaces.
Think of a subinterface as a logical interface defined by the IOS software.
Several subinterfaces will share a single hardware interface, yet for
configuration purposes they operate as if they were separate physical
interfaces.
The encapsulation frame-relay command is assigned to the physical
interface. All other configuration items, such as the network-layer address and
DLCIs, are assigned to the subinterface.
Multipoint may not save you addresses if you are using variable-length subnet
masks (VLSMs). Further, it may not work properly given the broadcast traffic
and split horizon considerations. The point-to-point subinterface option was
created to avoid these issues.
Subinterfaces are also used with Asynchronous Transfer Mode (ATM)
networks and Internetwork Packet Exchange (IPX) LAN environments
where multiple encapsulations exist on the same medium.
This figure continues the discussion of configuring subinterfaces.
The Frame Relay service provider will assign the DLCI numbers. These numbers
range from 16 to 992. This range will vary depending on the LMI used.
Using the frame-relay interface-dlci command with subinterfaces provides greater
flexibility when configuring Frame Relay networks. On multipoint subinterfaces, the
frame-relay interface-dlci command enables Inverse ARP on the subinterface. When
this command is used with point-to-point subinterfaces, all traffic for the
subinterface's subnetwork is sent out this subinterface.
The ability to change a subinterface from point-to-point to multipoint, or vice versa, is
limited by the software architecture. The router must be rebooted for this type of
change to take effect. As an alternative to rebooting the router and creating a
network outage, you can create another subinterface in the software and migrate the
configuration parameters to the new subinterface using the proper point-to-point or
multipoint setting, as required.
Another common migration strategy is to have new services provisioned in parallel
and then simply schedule the migration using the new DLCI numbers. New IP
addressing can be added to bring up and test the new interface prior to putting traffic
on it, which facilitates a smooth transition to the new services.
Another best practice is to match the DLCI number with the subinterface number. This aids
in troubleshooting because there are fewer numbers to memorize to support the
connectivity.

Configuring Subinterfaces Example
Figure: Central connects to three Branch routers over DLCIs 110, 120 and 130. Central S0.2 (DLCI=110) is 10.17.0.1 and Central S0.3 (DLCI=120, DLCI=130) is 10.18.0.1; the Branch S0 interfaces are 10.17.0.2, 10.18.0.2 and 10.18.0.3.

Central(config-if)# interface Serial0
Central(config-if)# no ip address
Central(config-if)# encapsulation frame-relay
Central(config)# interface Serial0.2 point-to-point
Central(config-subif)# ip address 10.17.0.1 255.255.255.0
Central(config-subif)# frame-relay interface-dlci 110
Central(config)# interface Serial0.3 multipoint
Central(config-subif)# ip address 10.18.0.1 255.255.255.0
Central(config-subif)# frame-relay interface-dlci 120
Central(config-subif)# frame-relay interface-dlci 130

Point-to-Point Subinterfaces
Figure labels: routers A, B and C; s0.2 10.17.0.1, DLCI=110, 10.17.0.2; s0.3 10.18.0.1, DLCI=120, 10.18.0.2

interface Serial0
 no ip address
 encapsulation frame-relay
!
interface Serial0.2 point-to-point
 ip address 10.17.0.1 255.255.255.0
 bandwidth 64
 frame-relay interface-dlci 110
!
interface Serial0.3 point-to-point
 ip address 10.18.0.1 255.255.255.0
 bandwidth 64
 frame-relay interface-dlci 120

This figure continues the discussion of configuring subinterfaces.
The Frame Relay service provider will assign the DLCI numbers. These
numbers range from 16 to 992. This range will vary depending on the LMI
used.
Use the frame-relay interface-dlci command on subinterfaces only. Use of
the command on an interface, rather than a subinterface, will prevent the
device from forwarding packets intended for the DLCI. It is also required for
multipoint subinterfaces for which dynamic address resolution is enabled. It is
not used for multipoint subinterfaces configured with the frame-relay map
command for static address mapping.
Using the frame-relay interface-dlci command with subinterfaces provides
greater flexibility when configuring Frame Relay networks.
On multipoint subinterfaces, the frame-relay interface-dlci command enables
Inverse ARP on the subinterface. When this command is used with
point-to-point subinterfaces, all traffic for the subinterface's subnetwork is
sent out this subinterface.
The ability to change a subinterface from point-to-point to multipoint, or vice
versa, is limited by the software architecture. The router must be rebooted for
a change of this type to take effect. An alternative exists to rebooting the
router and creating a network outage. Create another subinterface in the
software and migrate the configuration parameters to the new subinterface
using the proper point-to-point or multipoint setting, as required.

Subinterfaces
To configure subinterfaces on a router using Frame Relay:
1. Remove the IP address from the physical interface
2. Create the virtual interfaces with the interface command (int s0/0.1)
3. Configure each subinterface with its own IP address (own subnet)
You must now specify the subinterface type: point-to-point or point-to-multipoint.
Older IOS releases defaulted to multipoint, but later revisions force you to specify the type.
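The subinterface rules given in this chapter can be checked mechanically. The Python below is an added example, not part of the course material: it lints IOS-style configuration text against those rules (encapsulation on the physical interface, no IP address or interface-dlci on it, subinterface type stated, DLCIs in the 16 to 992 range, subinterface number matching a DLCI). The function name, rule wording and BAD_CONFIG are constructed for this illustration.

```python
import re

PROMPT_RE = re.compile(r"^\S+\(config[^)]*\)#\s*")
IFACE_RE = re.compile(
    r"^interface\s+(\S+?)(?:\.(\d+))?(?:\s+(point-to-point|multipoint))?$", re.I)
DLCI_RE = re.compile(r"^frame-relay interface-dlci (\d+)")

# The Central configuration from the "Configuring Subinterfaces Example" slide.
PAGE_CONFIG = """\
Central(config-if)# interface Serial0
Central(config-if)# no ip address
Central(config-if)# encapsulation frame-relay
Central(config)# interface Serial0.2 point-to-point
Central(config-subif)# ip address 10.17.0.1 255.255.255.0
Central(config-subif)# frame-relay interface-dlci 110
Central(config)# interface Serial0.3 multipoint
Central(config-subif)# ip address 10.18.0.1 255.255.255.0
Central(config-subif)# frame-relay interface-dlci 120
Central(config-subif)# frame-relay interface-dlci 130
"""

# Constructed for this example: it breaks each rule at least once.
BAD_CONFIG = """\
interface Serial0/0
 ip address 10.1.1.1 255.255.255.0
 encapsulation frame-relay
 frame-relay interface-dlci 100
!
interface Serial0/0.110
 ip address 10.1.2.1 255.255.255.0
 frame-relay interface-dlci 110
!
interface Serial0/0.120 point-to-point
 ip address 10.1.3.1 255.255.255.0
 encapsulation frame-relay
 frame-relay interface-dlci 1000
"""


def lint(text):
    """Return (interface, rule) findings for the chapter's subinterface rules."""
    stanzas = []
    for raw in text.splitlines():
        line = PROMPT_RE.sub("", raw.strip())  # accept pasted CLI sessions too
        m = IFACE_RE.match(line)
        if m:
            stanzas.append({"parent": m.group(1), "sub": m.group(2),
                            "kind": m.group(3), "lines": []})
        elif stanzas and line and line != "!":
            stanzas[-1]["lines"].append(line)
    parents = {s["parent"] for s in stanzas if s["sub"]}
    findings = []
    for s in stanzas:
        name = s["parent"] + (f".{s['sub']}" if s["sub"] else "")
        dlcis = [int(d.group(1)) for l in s["lines"] if (d := DLCI_RE.match(l))]
        if s["sub"] is None:
            if dlcis:
                findings.append((name, "interface-dlci on a physical interface"))
            has_ip = any(l.startswith("ip address") for l in s["lines"])
            if has_ip and s["parent"] in parents:
                findings.append((name, "IP address left on the physical interface"))
        else:
            if s["kind"] is None:
                findings.append((name, "subinterface type not specified"))
            if any(l.startswith("encapsulation frame-relay") for l in s["lines"]):
                findings.append((name, "encapsulation set on a subinterface"))
            if dlcis and int(s["sub"]) not in dlcis:
                findings.append((name, "subinterface number does not match a DLCI"))
        findings += [(name, f"DLCI {d} outside 16-992")
                     for d in dlcis if not 16 <= d <= 992]
    return findings


if __name__ == "__main__":
    for label, config in (("page", PAGE_CONFIG), ("constructed", BAD_CONFIG)):
        for iface, rule in lint(config):
            print(f"{label}: {iface}: {rule}")
```

The page's own Central configuration only trips the numbering advisory (S0.2 carries DLCI 110, S0.3 carries 120 and 130), which is a best practice rather than an error.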

Verifying Frame Relay Operation

Router# clear frame-relay-inarp
  Clears dynamically created Frame Relay maps, created by using Inverse ARP
Router# show interfaces type number
  Displays information about Frame Relay DLCIs and the LMI
Router# show frame-relay lmi [type number]
  Displays LMI statistics
Router# show frame-relay map
  Displays the current Frame Relay map entries
Router# show frame-relay pvc [type number [dlci]]
  Displays PVC statistics
Router# show frame-relay traffic
  Displays Frame Relay traffic statistics

Monitoring Frame Relay
There are several commands frequently used to check the status of your
interfaces and PVCs once you have Frame Relay encapsulation set up and
running.

Verifying Frame Relay Operation
There are several commands frequently used to check the status of your interfaces and PVCs:

RouterA> show frame ?
  ip       show frame relay IP statistics
  lmi      show frame relay lmi statistics
  map      Frame-Relay map table
  pvc      show frame relay pvc statistics
  route    show frame relay route
  traffic  Frame-Relay protocol statistics

show interfaces
Displays line, protocol, DLCI, and LMI information

Router# show interfaces s0
Serial0 is up, line protocol is up
Hardware is HD64570
Internet address is 10.140.1.2/24
MTU 1500 bytes, BW 1544 Kbit, DLY 20000 usec, rely 255/255, load 1/255
Encapsulation FRAME-RELAY, loopback not set, keepalive set (10 sec)
LMI enq sent 19, LMI stat recvd 20, LMI upd recvd 0, DTE LMI up
LMI enq recvd 0, LMI stat sent 0, LMI upd sent 0
LMI DLCI 1023 LMI type is CISCO frame relay DTE
FR SVC disabled, LAPF state down
Broadcast queue 0/64, broadcasts sent/dropped 8/0, interface broadcasts 5
Last input 00:00:02, output 00:00:02, output hang never
Last clearing of "show interface" counters never
Queueing strategy: fifo
Output queue 0/40, 0 drops; input queue 0/75, 0 drops
<Output omitted>

We can also use the show interface command to check for LMI traffic. The
show interface command displays information about the encapsulation as
well as layer-2 and layer-3 information.

show frame-relay pvc
Displays PVC traffic statistics
The PVC Status = Active means the FR switch is correctly programmed with the DLCI and is operational

Router# show frame-relay pvc 100
PVC Statistics for interface Serial0 (Frame Relay DTE)
DLCI = 100, DLCI USAGE = LOCAL, PVC STATUS = ACTIVE, INTERFACE = Serial0
input pkts 28 output pkts 10 in bytes 8398
out bytes 1198 dropped pkts 0 in FECN pkts 0
in BECN pkts 0 out FECN pkts 0 out BECN pkts 0
in DE pkts 0 out DE pkts 0
out bcast pkts 10 out bcast bytes 1198
pvc create time 00:03:46, last time pvc status changed 00:03:47

The show frame pvc command will list all configured PVCs and DLCI
numbers. It provides the status of each PVC connection and traffic statistics. It
will also give you the number of BECN and FECN packets received on the
router.

show frame-relay map
Displays the route maps, either static or dynamic

Router# show frame-relay map
Serial0 (up): ip 10.140.1.1 dlci 100(0x64,0x1840), dynamic,
broadcast,, status defined, active

The show frame map command will show you the network layer-to-DLCI
mappings.

Troubleshooting Basic Frame Relay Operations
Displays LMI debug information
Router# debug frame-relay lmi
Frame Relay LMI debugging is on
Displaying all Frame Relay LMI data
Router#
1w2d: Serial0(out): StEnq, myseq 140, yourseen 139, DTE up
1w2d: datagramstart = 0xE008EC, datagramsize = 13
1w2d: FR encap = 0xFCF10309
1w2d: 00 75 01 01 01 03 02 8C 8B
1w2d:
1w2d: Serial0(in): Status, myseq 140
1w2d: RT IE 1, length 1, type 1
1w2d: KA IE 3, length 2, yourseq 140, myseq 140
1w2d: Serial0(out): StEnq, myseq 141, yourseen 140, DTE up
1w2d: datagramstart = 0xE008EC, datagramsize = 13
1w2d: FR encap = 0xFCF10309
1w2d: 00 75 01 01 01 03 02 8D 8C
1w2d:
1w2d: Serial0(in): Status, myseq 142
1w2d: RT IE 1, length 1, type 0
1w2d: KA IE 3, length 2, yourseq 142, myseq 142
1w2d: PVC IE 0x7 , length 0x6 , dlci 100, status 0x2 , bw 0
The debug frame lmi command will show output on the router consoles by
default.
The information from this command will allow you to verify and troubleshoot
the Frame Relay connection by helping you to determine whether the router
and switch are exchanging the correct LMI information.
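The hex dumps in that debug output can be decoded by hand to confirm what the router is sending. The Python below is an added example, not part of the course material: it splits the "FR encap" value into its Q.922 address fields (DLCI, FECN, BECN, DE), walks the LMI information elements, and checks the result against the myseq/yourseen values IOS printed. It assumes the standard two-byte Q.922 address layout; all function names are chosen for this example.

```python
import re

MESSAGE_TYPES = {0x75: "StEnq", 0x7D: "Status"}
REPORT_TYPES = {0x00: "full status", 0x01: "keepalive only"}

# StEnq records copied from the debug frame-relay lmi output on this page.
DEBUG_SAMPLE = """\
1w2d: Serial0(out): StEnq, myseq 140, yourseen 139, DTE up
1w2d: datagramstart = 0xE008EC, datagramsize = 13
1w2d: FR encap = 0xFCF10309
1w2d: 00 75 01 01 01 03 02 8C 8B
1w2d:
1w2d: Serial0(out): StEnq, myseq 141, yourseen 140, DTE up
1w2d: datagramstart = 0xE008EC, datagramsize = 13
1w2d: FR encap = 0xFCF10309
1w2d: 00 75 01 01 01 03 02 8D 8C
"""


def decode_q922_address(word):
    """Split a 16-bit Q.922 address field into the DLCI and its flag bits."""
    hi, lo = (word >> 8) & 0xFF, word & 0xFF
    return {
        "dlci": ((hi >> 2) << 4) | (lo >> 4),  # 6 high bits + 4 low bits
        "cr": (hi >> 1) & 1,
        "fecn": (lo >> 3) & 1,
        "becn": (lo >> 2) & 1,
        "de": (lo >> 1) & 1,
        "ea": lo & 1,  # address-extension bit, 1 on the last address byte
    }


def encode_q922_address(dlci, fecn=0, becn=0, de=0):
    """Build the on-the-wire address for a DLCI, with congestion bits."""
    if not 0 <= dlci <= 1023:
        raise ValueError("a 2-byte address carries a 10-bit DLCI")
    hi = (dlci >> 4) << 2
    lo = ((dlci & 0xF) << 4) | (fecn << 3) | (becn << 2) | (de << 1) | 1
    return (hi << 8) | lo


def decode_lmi(encap, payload):
    """Decode the 4-byte 'FR encap' value and the LMI bytes that follow it."""
    msg = decode_q922_address(encap >> 16)
    control, msg["nlpid"] = (encap >> 8) & 0xFF, encap & 0xFF
    if control != 0x03:
        raise ValueError("expected unnumbered-information control byte 0x03")
    if len(payload) < 2:
        raise ValueError("LMI message too short")
    msg["call_ref"] = payload[0]
    msg["type"] = MESSAGE_TYPES.get(payload[1], hex(payload[1]))
    msg["other_ies"] = []
    i = 2
    while i < len(payload):
        if i + 2 > len(payload):
            raise ValueError("truncated information element header")
        ie_id, ie_len = payload[i], payload[i + 1]
        body = payload[i + 2:i + 2 + ie_len]
        if len(body) != ie_len:
            raise ValueError("information element runs past the end of the frame")
        if ie_id == 0x01 and ie_len == 1:    # "RT IE 1": report type
            msg["report"] = REPORT_TYPES.get(body[0], hex(body[0]))
        elif ie_id == 0x03 and ie_len == 2:  # "KA IE 3": keepalive sequence numbers
            msg["myseq"], msg["yourseen"] = body[0], body[1]
        else:                                # e.g. PVC status IEs, kept undecoded
            msg["other_ies"].append((ie_id, bytes(body)))
        i += 2 + ie_len
    return msg


ENQ_RE = re.compile(r"StEnq, myseq (\d+), yourseen (\d+)")
SIZE_RE = re.compile(r"datagramsize = (\d+)")
ENCAP_RE = re.compile(r"FR encap = 0x([0-9A-Fa-f]{8})$")
HEX_RE = re.compile(r"^[0-9A-Fa-f]{2}( [0-9A-Fa-f]{2})*$")


def check_debug(text):
    """Decode every StEnq hex dump and compare it with what IOS printed beside it."""
    results, printed, size, encap = [], None, None, None
    for line in text.splitlines():
        body = line.split(": ", 1)[-1].strip()
        if m := ENQ_RE.search(body):
            printed = (int(m.group(1)), int(m.group(2)))
        elif m := SIZE_RE.search(body):
            size = int(m.group(1))
        elif m := ENCAP_RE.search(body):
            encap = int(m.group(1), 16)
        elif HEX_RE.match(body) and encap is not None:
            payload = bytes.fromhex(body)
            msg = decode_lmi(encap, payload)
            msg["matches_text"] = printed == (msg.get("myseq"), msg.get("yourseen"))
            msg["size_ok"] = size == 4 + len(payload)  # 4 header bytes + LMI bytes
            results.append(msg)
            printed, size, encap = None, None, None
    return results
```

Both enquiries decode to DLCI 1023, the LMI DLCI reported by show interfaces, and the same address decoder turns the 0x1840 shown by show frame-relay map back into DLCI 100.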

Committed Information Rate
Allows customers to buy a lower amount of bandwidth than what is really needed
It is the rate, in bits per second, at which the Frame Relay switch agrees to transfer data
Committed Burst Size (Bc) allows CIR to be exceeded
The CIR is the rate, in bits per second, at which the Frame Relay switch agrees
to transfer data.
When provisioning a Frame Relay network, the CIR is an important
configuration parameter, and if not provisioned carefully it can result in
discarded packets. Although most Frame Relay circuits are allowed to burst up
to their port speed, any packets that exceed the CIR threshold are marked
discard eligible (DE). During periods of congestion, packets that exceed the
CIR may be dropped. Depending upon the application, this may have a
devastating effect. For this reason, ensure that critical applications are
accounted for so that adequate bandwidth or CIR is available during
peak utilization periods.

Congestion Notification
Discard Eligibility (DE)
Forward-Explicit Congestion Notification (FECN)
Backward-Explicit Congestion Notification (BECN)
DE (Discard Eligibility)
When you burst, that is, transmit packets beyond the CIR of a PVC, those packets above
CIR are eligible to be discarded if congestion is encountered in the provider's network. As
such, they are marked with a DE bit in the Frame Relay header. If the provider's network
is congested, the Frame Relay switch will discard the packets with the DE bit set first. If
your bandwidth is configured with a committed information rate (CIR) of zero, the DE
will always be on.
FECN (Forward Explicit Congestion Notification)
When the Frame Relay network recognizes congestion in the cloud, the switch will set the
Forward-Explicit Congestion Notification (FECN) bit to 1 in a Frame Relay packet
header. This will indicate to the destination DCE that the path just traversed is congested.
BECN (Backward Explicit Congestion Notification)
When the switch detects congestion in the Frame Relay network, it will set the
Backward-Explicit Congestion Notification (BECN) bit in a Frame Relay packet destined for the
source router, letting it know that congestion is being encountered ahead.
Depending on where FECNs and BECNs are seen, this can be a sign of over-subscription
and that it is time to upgrade the port speed or Committed Information Rate (CIR).
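The counters that reveal these conditions are in show frame-relay pvc. The Python below is an added example, not part of the course material: it parses that output and reports, per DLCI, a status other than ACTIVE, received FECN/BECN, drops, and a high share of DE-marked frames. The first sample block is the page's own output; the DLCI 200 block and the 10% DE threshold are constructed for this illustration.

```python
import re

# First block: the show frame-relay pvc 100 output from this page.
# Second block (DLCI 200): constructed for this example.
SAMPLE = """\
PVC Statistics for interface Serial0 (Frame Relay DTE)
DLCI = 100, DLCI USAGE = LOCAL, PVC STATUS = ACTIVE, INTERFACE = Serial0
  input pkts 28            output pkts 10           in bytes 8398
  out bytes 1198           dropped pkts 0           in FECN pkts 0
  in BECN pkts 0           out FECN pkts 0          out BECN pkts 0
  in DE pkts 0             out DE pkts 0
  out bcast pkts 10        out bcast bytes 1198
  pvc create time 00:03:46, last time pvc status changed 00:03:47
DLCI = 200, DLCI USAGE = LOCAL, PVC STATUS = INACTIVE, INTERFACE = Serial0
  input pkts 4000          output pkts 5000         in bytes 912000
  out bytes 1250000        dropped pkts 12          in FECN pkts 40
  in BECN pkts 350         out FECN pkts 0          out BECN pkts 0
  in DE pkts 800           out DE pkts 0
  out bcast pkts 90        out bcast bytes 10800
  pvc create time 2d01h, last time pvc status changed 00:00:41
"""

HEADER_RE = re.compile(
    r"DLCI = (\d+), DLCI USAGE = (\w+), PVC STATUS = (\w+), INTERFACE = (\S+)")
# Counter names always start with one of these words and end at the number.
COUNTER_RE = re.compile(
    r"\b((?:input|output|in|out|dropped) [A-Za-z ]*?)\s+(\d+)(?=\s|$)")


def parse_pvcs(text):
    """Return one dict per PVC with its status and named counters."""
    pvcs = []
    for line in text.splitlines():
        header = HEADER_RE.search(line)
        if header:
            pvcs.append({"dlci": int(header.group(1)), "usage": header.group(2),
                         "status": header.group(3), "interface": header.group(4),
                         "counters": {}})
        elif pvcs:
            for name, value in COUNTER_RE.findall(line.strip()):
                pvcs[-1]["counters"][" ".join(name.split())] = int(value)
    return pvcs


def assess(pvc, de_share_limit=0.10):
    """List the conditions from this chapter that one PVC's counters show.

    de_share_limit is an assumed threshold for this example, not a Cisco value.
    """
    c, findings = pvc["counters"], []
    if pvc["status"] != "ACTIVE":
        findings.append(f"status is {pvc['status']}, not ACTIVE")
    if c.get("in BECN pkts", 0):
        findings.append(f"{c['in BECN pkts']} BECN received: congestion ahead "
                        "of traffic this router sends")
    if c.get("in FECN pkts", 0):
        findings.append(f"{c['in FECN pkts']} FECN received: the path toward "
                        "this router was congested")
    if c.get("dropped pkts", 0):
        findings.append(f"{c['dropped pkts']} packets dropped")
    received = c.get("input pkts", 0)
    if received and c.get("in DE pkts", 0) / received > de_share_limit:
        share = 100 * c["in DE pkts"] / received
        findings.append(f"{share:.0f}% of received frames are marked DE: "
                        "the sender is bursting above CIR")
    return findings


def report(text):
    """Map each DLCI in the output to its list of findings."""
    return {pvc["dlci"]: assess(pvc) for pvc in parse_pvcs(text)}


if __name__ == "__main__":
    for dlci, findings in report(SAMPLE).items():
        print(dlci, findings or "no findings")
```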

Chapter 11 Lab
Hands-on Labs 11.2 and 11.3
Written Lab 11.4
Open your lab book and complete hands-on lab 10.2, 10.3 and written lab 10.4

Chapter 11 Summary
Frame Relay is a packet switching network.
Frame Relay is not a particular interface, but rather an encapsulation type.
Cisco supports three LMI standards:
  ansi - ANSI T1.617 Annex D
  q933a - ITU-T Q.933 Annex A
  cisco - The gang of four: Cisco, StrataCom, DEC, Nortel
Cisco supports two Frame Relay encapsulation standards:
  ietf
  cisco

Chapter 11 Summary (cont.)
There are many WAN connection types:
  Dedicated
  Circuit Switched
  Packet Switched
There are multiple encapsulation methods:
  Point-to-point protocol (PPP)
  High-level Data Link Control (HDLC) - Cisco default encapsulation for serial links; Cisco proprietary
PPP provides for authentication; there are two types:
  Password Authentication Protocol (PAP)
  Challenge Handshake Authentication Protocol (CHAP)
Frame Relay is a packet switching network.
Frame Relay is not a particular interface, but rather an encapsulation
type.

CCNA
Please complete a course survey
Thank you for attending our course
Good luck on your exam!

CCNA Reminder
Around 50-60 items
Around 850 out of 1000 to pass (find out what you need before you start)
The number of questions and the percentage needed to pass vary on each exam
About 90 minutes
Cannot return to questions
Simulated, multiple choice, fill-in-the-blank, and drag-and-drop questions
Hints:
  Relax, you can do this
  Be sure to check your answers before you go on to the next question
  Don't forget to turn on your interfaces on the sim questions
  Don't get hung up on testlets (5 sub-questions in 1); just don't forget to answer all the sub-sections before you go on
  Think positively and remember that when in doubt, hit the ? key; it will be available on certain simulations, so you might as well use it