CCNA ICND1 Study Notes

  • Uploaded by: RohitSingh
  • March 2021
  • PDF




  • Words: 47,222
  • Pages: 187
Cisco Certified Entry Network Technician Interconnecting Cisco Network Devices Part 1 Version 3

Part I - Networking Fundamentals

Chapter 1 - Introduction to TCP/IP Networking

TCP/IP Application Layer - HTTP: HTTP GET Request, HTTP Reply, and One Data-Only Message (Encapsulation):
Step 1: Send GET request
Step 2: Return HTTP header (status code, e.g. 200 OK, 404)
Step 3: Transfer additional data without header

TCP error recovery: Bob's TCP logic requests segment sequence 2.

Concept: Same-layer interaction on different computers
Description: The two computers use a protocol (an agreed-to set of rules) to communicate with the same layer on another computer. The protocol defined by each layer uses a header that is transmitted between the computers to communicate what each computer wants to do. Header information added by a layer of the sending computer is processed by the same layer of the receiving computer.

Concept: Adjacent-layer interaction on the same computer
Description: On a single computer, one layer provides a service to a higher layer. The software or hardware that implements the higher layer requests that the next lower layer perform the needed function.

Same-layer interaction: two computers communicate with the same layer on the other computer using headers; e.g. TCP error recovery (the sending TCP creates sequence numbers, the receiving TCP receives and reacts to the segments).
Adjacent-layer interaction: on a single computer, HTTP (Layer 5) requests error recovery from TCP (Layer 4).

TCP/IP Network Layer - Major protocol: IP. IP provides addressing and routing.

Postal service analogy - Sender: Application/Transport layers. Postal service: L1/2/3 (IP, routers).
- All of Larry's IP addresses begin with 1, Bob's with 2 and Archie's with 3.
- Routers route (forward) IP packets to the correct destination.

IP header: Source address (1.1.1.1), Destination address (2.2.2.2)
Step 1: Larry sends the IP packet to the nearest router on the same LAN.
Step 2: Router R1 compares the destination address to its known IP routes and forwards the packet to Router R2 (IP routing).
Step 3: Router R2 repeats the same process and sends the packet to Bob, who is on the same LAN.

TCP/IP Link Layer:
Step 1: Larry encapsulates the IP packet between an Ethernet header and an Ethernet trailer => Ethernet frame.
Step 2: Larry physically transmits the bits of the Ethernet frame, using electricity flowing over the Ethernet cabling.
Step 3: Router R1 physically receives the electrical signal over a cable, and re-creates the same bits by interpreting the meaning of the electrical signals.
Step 4: Router R1 de-encapsulates the IP packet from the Ethernet frame by removing and discarding the Ethernet header and trailer.
- WAN standards: PPP, Frame Relay

TCP/IP Model and Terminology - Data encapsulation:
Step 1: Create and encapsulate the application data with any required application layer headers, e.g. an HTTP OK message in an HTTP header, followed by part of the contents of a web page.
Step 2: Encapsulate the data supplied by the application layer inside a transport layer header, e.g. TCP/UDP headers for end-user applications.
Step 3: Encapsulate the data supplied by the transport layer inside a network layer (IP) header. IP defines the IP addresses that uniquely identify each computer.
Step 4: Encapsulate the data supplied by the network layer inside a data link layer header and trailer, e.g. Ethernet header and trailer.
Step 5: Transmit the bits. The physical layer encodes a signal onto the medium to transmit the frame.

Segment: headers defined by the transport layer and the encapsulated data
Packet: headers defined by the network layer and the encapsulated data
Frame: headers and trailers defined by the data link layer and the encapsulated data
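The encapsulation steps above, and the de-encapsulation a receiving host performs in reverse, as an added Python example (this is not code from the study notes or from Cisco; every address, port, MAC and payload byte is a constructed sample). It builds a TCP segment (L4PDU), wraps it in an IPv4 packet (L3PDU) with a real header checksum, wraps that in an Ethernet frame (L2PDU) with a CRC-32 FCS trailer, and then shows the receiver discarding a frame whose bits were damaged in transit. The TCP checksum is left at zero to keep the example short.

```python
import struct
import zlib

# Added example (not code from the study notes): build the three PDUs the notes name
# (TCP segment = L4PDU, IP packet = L3PDU, Ethernet frame = L2PDU), then de-encapsulate
# them the way a receiving host does. All addresses and payload bytes are constructed.


def ip_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words (the IPv4 header checksum)."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def tcp_segment(src_port: int, dst_port: int, seq: int, ack: int, data: bytes) -> bytes:
    """Step 2: transport header + application data. 20-byte TCP header, no options,
    flags PSH+ACK, window 65535; the TCP checksum stays zero to keep the example short."""
    offset_and_flags = (5 << 12) | 0x18
    header = struct.pack("!HHIIHHHH", src_port, dst_port, seq, ack,
                         offset_and_flags, 65535, 0, 0)
    return header + data


def ip_packet(src_ip: str, dst_ip: str, segment: bytes) -> bytes:
    """Step 3: IPv4 header (protocol 6 = TCP) with a valid header checksum + segment."""
    src = bytes(int(o) for o in src_ip.split("."))
    dst = bytes(int(o) for o in dst_ip.split("."))
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(segment),
                         0, 0x4000, 64, 6, 0, src, dst)
    header = header[:10] + struct.pack("!H", ip_checksum(header)) + header[12:]
    return header + segment


def ethernet_frame(src_mac: bytes, dst_mac: bytes, packet: bytes) -> bytes:
    """Step 4: Ethernet header (dst, src, Type 0x0800 = IPv4) + packet + FCS trailer.
    The FCS is the CRC-32 used by IEEE 802.3, sent least-significant byte first."""
    header = dst_mac + src_mac + struct.pack("!H", 0x0800)
    fcs = zlib.crc32(header + packet) & 0xFFFFFFFF
    return header + packet + struct.pack("<I", fcs)


def decapsulate(frame: bytes) -> dict:
    """Receiver: verify the FCS, strip the L2 header/trailer, then L3, then L4."""
    body, fcs = frame[:-4], struct.unpack("<I", frame[-4:])[0]
    if zlib.crc32(body) & 0xFFFFFFFF != fcs:
        return {"fcs_ok": False}                 # error detection only: the frame is discarded
    if struct.unpack("!H", body[12:14])[0] != 0x0800:
        return {"fcs_ok": True, "ethertype_ok": False}
    packet = body[14:]                           # drop the 14-byte Ethernet header
    ihl = (packet[0] & 0x0F) * 4
    if ip_checksum(packet[:ihl]) != 0:           # a valid IPv4 header sums to zero
        return {"fcs_ok": True, "ethertype_ok": True, "ip_ok": False}
    segment = packet[ihl:]
    src_port, dst_port, seq = struct.unpack("!HHI", segment[:8])
    data = segment[(segment[12] >> 4) * 4:]      # skip the TCP header (data offset field)
    return {"fcs_ok": True, "ethertype_ok": True, "ip_ok": True,
            "src_ip": ".".join(str(b) for b in packet[12:16]),
            "dst_ip": ".".join(str(b) for b in packet[16:20]),
            "src_port": src_port, "dst_port": dst_port, "seq": seq, "data": data}


def build_example_frame(data: bytes = b"GET / HTTP/1.1\r\n") -> bytes:
    """Constructed sample: 1.1.1.1 (MAC 0000.0C12.3456) sends to 2.2.2.2 (MAC 0000.0C65.4321)."""
    segment = tcp_segment(1030, 80, 1000, 1, data)
    packet = ip_packet("1.1.1.1", "2.2.2.2", segment)
    return ethernet_frame(bytes.fromhex("00000c123456"), bytes.fromhex("00000c654321"), packet)


if __name__ == "__main__":
    frame = build_example_frame()
    print(len(frame), "bytes on the wire:", decapsulate(frame))
    damaged = frame[:30] + bytes([frame[30] ^ 0xFF]) + frame[31:]
    print("after a bit error:", decapsulate(damaged))
```

Running the block prints the 74-byte frame decoded back to its fields, then shows that flipping one byte makes the receiver reject the frame on the FCS check alone: the data link layer detects the error and discards the frame, and recovery (resending the bytes) is left to TCP, exactly the distinction the later Ethernet chapter draws.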

OSI Model - OSI, TCP/IP Original and TCP/IP Updated Model Comparison

OSI (Open Systems Interconnect)   TCP/IP Original   TCP/IP Updated
Application                       Application       Application
Presentation                      Application       Application
Session                           Application       Application
Transport                         Transport         Transport
Network                           Internet          Network
Data Link                         Link              Data Link
Physical                          Link              Physical

OSI Reference Model Layer Descriptions
7 - Application layer. Provides an interface from the application to the network by supplying a protocol with actions meaningful to the application, for example, “get web page object.”
6 - Presentation layer. This layer negotiates data formats, such as ASCII text, or image types like JPEG.
5 - Session layer. This layer provides methods to group multiple bidirectional messages into a workflow for easier management and easier backout of work that happened if the entire workflow fails.
4 - Transport layer. In function, much like TCP/IP’s transport layer. This layer focuses on data delivery between the two endpoint hosts (for example, error recovery).
3 - Network layer. Like the TCP/IP network (Internet) layer, this layer defines logical addressing, routing (forwarding), and the routing protocols used to learn routes.
2 - Data link layer. Like the TCP/IP data link layer, this layer defines the protocols for delivering data over a particular single type of physical network (for example, the Ethernet data link protocols).
1 - Physical layer. This layer defines the physical characteristics of the transmission medium, including connectors, pins, use of pins, electrical currents, encoding, light modulation, and so on.

OSI Reference Model: Device and Protocol Examples

Layer Name | Protocols and Specifications | Devices
Application, presentation, session (Layers 5–7) | Telnet, HTTP, FTP, SMTP, POP3, VoIP, SNMP | Hosts, firewalls
Transport (Layer 4) | TCP, UDP | Hosts, firewalls
Network (Layer 3) | IP | Router
Data link (Layer 2) | Ethernet (IEEE 802.3), HDLC | LAN switch, wireless access point, cable modem, DSL modem
Physical (Layer 1) | RJ-45, Ethernet (IEEE 802.3) | LAN hub, LAN repeater, cables

Benefits of Layered models:

- Less complex: Compared to not using a layered model, network models break the concepts into smaller parts.
- Standard interfaces: The standard interface definitions between each layer allow multiple vendors to create products that fill a particular role, with all the benefits of open competition.
- Easier to learn: Humans can more easily discuss and learn about the many details of a protocol specification.
- Easier to develop: Reduced complexity allows easier program changes and faster product development.
- Multivendor interoperability: Creating products to meet the same networking standards means that computers and networking gear from multiple vendors can work in the same network.
- Modular engineering: One vendor can write software that implements higher layers (for example, a web browser) and another vendor can write software that implements the lower layers (for example, Microsoft’s built-in TCP/IP software in its operating systems).

OSI Encapsulation Terminology - OSI term: Protocol Data Unit (PDU)
- TCP segment = L4PDU
- IP packet = L3PDU
- Ethernet frame = L2PDU
- Encapsulation: the process of putting headers and sometimes trailers around some data.

Chapter 2 - Fundamentals of Ethernet LANs
- A wireless router can replace Router + Switch + Access Point.
- PC >> Switch >> Distribution Switch (SWD) >> Router. Example: PC3 >> SW3 >> SWD >> SW2 >> PC2
- The router connects the LAN to the WAN.
- Ethernet standards come from the IEEE and include the number 802.3 as the beginning part of the standard name.
- UTP (Unshielded Twisted-Pair) cabling saves money compared to optical fiber.
- Informal IEEE standard name notation: SPEED + BASE + (T for UTP or X for fiber)
- Ethernet nodes forward the encapsulated Ethernet frame (Ethernet Header + Data + Ethernet Trailer).

UTP cabling:
- Two wires form one twisted pair inside a single UTP cable.
- Encoding scheme: sender and receiver use the same rules and interpret the electrical changes as either 0s or 1s.
- Twisting the pairs solves electromagnetic interference (EMI) issues (crosstalk between wire pairs in the same cable).
- Components: cable + connectors on each end + matching ports
- 10BASE-T & 100BASE-T require 2 pairs of wires.
- 1000BASE-T requires 4 pairs of wires.
- RJ-45: common connector with 8 physical locations into which the wires in the cable can be inserted (pin positions/pins).
- A Network Interface Card (NIC) has RJ-45 ports.
- Some ports have swappable transceivers/port hardware.
- Small form-factor pluggable plus (SFP+) transceivers run at 10 Gbps.

UTP Cabling Pinouts for 10BASE-T and 100BASE-T
Straight-Through Cable Pinout
- NIC transmitters use the pair connected to pins 1 and 2.
- NIC receivers use the pair of wires at pin positions 3 and 6.
- Pin 1 to Pin 1, Pin 2 to Pin 2, Pin 3 to Pin 3, Pin 6 to Pin 6
- Wire pairs: 1 and 2 | 3 and 6
- Straight-through cables only work when the nodes use opposite pairs for transmitting data.

Crossover Cable
- Needed only when two like devices transmit on the same pins.
- Connect 1 and 2 to 3 and 6, and 3 and 6 to 1 and 2.
- Crossover cable: if the endpoints transmit on the same pin pair. Straight-through cable: if the endpoints transmit on different pin pairs.
- Straight-through cables: PCs to switches (e.g. PC to SW11)
- Crossover cables: switches to switches (e.g. SW12 to SW22)
- Cisco switches have an 'auto-mdix' feature that changes the port's logic to make the link work when the wrong cable type is inserted.

UTP Cabling Pinouts for 1000BASE-T
- Four wire pairs required: (1,2), (3,6), (4,5) and (7,8)
- Both ends can transmit and receive simultaneously on each wire pair.
- Straight-through cables: pin 1 to pin 1, pin 2 to pin 2 ... pin 8 to pin 8
- Crossover cables: (1,2) to (3,6) | (3,6) to (1,2) | (4,5) to (7,8) | (7,8) to (4,5)

Ethernet Data-Link Protocols
- The Ethernet data-link protocol defines the Ethernet frame: an Ethernet header at the front, the encapsulated data in the middle, and an Ethernet trailer at the end.
Ethernet addressing:
- The sending node puts its own address in the source address field.
Media Access Control (MAC) addresses:
- 6-byte (48-bit) binary numbers, written as 12 hexadecimal digits (e.g. 0000.0C12.3456)
- Unicast Ethernet address: a MAC address that represents one interface on the Ethernet LAN
- Multicast Ethernet address
- Broadcast Ethernet address
MAC address assignment:
Step 1: The manufacturer asks the IEEE to assign a unique 3-byte code, called the Organizationally Unique Identifier (OUI).
Step 2: The manufacturer agrees to assign all its NICs a MAC address beginning with the OUI.
Step 3: The manufacturer assigns a unique last 3-byte value.
=> The MAC address of every device in the world is unique (universal MAC address = global MAC address).
Other names for the Ethernet address:
- LAN address
- Ethernet address
- Hardware address
- Burned-In Address (BIA): the permanent MAC address that is encoded into the ROM chip on the NIC
- Physical address
- Universal address: emphasizes the uniqueness of addresses
- MAC address
Group addresses:
- Identify more than one LAN interface card
- Frames can be sent to a set of devices on the LAN, or to all devices on the LAN.
- Broadcast address: frames sent to this address should be delivered to all devices on the Ethernet LAN. It has a value of FFFF.FFFF.FFFF.
- Multicast address: frames sent to a multicast Ethernet address are copied and forwarded to the subset of devices on the LAN that volunteered to receive frames sent to that specific multicast address.

Ethernet Type field
- Specifies the encapsulated protocol: IPv4, IPv6, DECnet, SNA, Novell NetWare
Error detection with FCS
- The only field in the data-link trailer
- The sending and receiving nodes each compute the same complex math formula over the frame and compare the results
- Upon error detection => discard the frame
- Error detection (FCS) != error recovery (TCP)
Full duplex/half duplex - Sending Ethernet frames with switches and hubs
Step 1: PC1 builds and sends the original Ethernet frame, using its own MAC address as the source address and PC2's MAC address as the destination address.
Step 2: Switch SW1 receives and forwards the Ethernet frame out its G0/1 interface (short for Gigabit interface 0/1) to SW2.
Step 3: Switch SW2 receives and forwards the Ethernet frame out its F0/2 interface (short for Fast Ethernet interface 0/2) to PC2.
Step 4: PC2 receives the frame, recognizes the destination MAC address as its own, and processes the frame.
Half duplex: The device must wait to send if it is currently receiving a frame; in other words, it cannot send and receive at the same time.
Full duplex: The device does not have to wait before sending; it can send and receive at the same time.
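The MAC address rules above (unicast/multicast/broadcast, the OUI, the dotted-hex notation) and the Ethernet Type field, as an added Python example; this is not code from the study notes or from Cisco, and the addresses it feeds in are constructed samples. Beyond what the notes state, it uses the two bits of the first byte that the IEEE defines for this purpose: the I/G bit (bit 0) that marks a group address, and the U/L bit (bit 1) that marks a locally administered rather than burned-in address. The last function mirrors the receive rule of step 4 above: a NIC keeps a frame if the destination is its own unicast address, the broadcast address, or a multicast group it has joined.

```python
# Added example (not code from the study notes): parse the MAC address notations the
# notes use, classify unicast/multicast/broadcast, extract the OUI, and decide whether
# a NIC should accept a frame. All sample addresses are constructed.

BROADCAST = bytes([0xFF] * 6)
ETHERTYPES = {0x0800: "IPv4", 0x86DD: "IPv6", 0x0806: "ARP"}  # a few well-known Type values


def parse_mac(text: str) -> bytes:
    """Accept Cisco 0000.0C12.3456, IEEE 00-00-0C-12-34-56 or Unix 00:00:0c:12:34:56."""
    digits = "".join(ch for ch in text if ch not in ".:-")
    if len(digits) != 12:
        raise ValueError("a MAC address needs exactly 12 hex digits: %r" % text)
    return bytes.fromhex(digits)


def cisco_format(mac: bytes) -> str:
    """Render 6 bytes as the dotted-hex form seen in IOS output, e.g. 0000.0C12.3456."""
    h = mac.hex().upper()
    return "%s.%s.%s" % (h[0:4], h[4:8], h[8:12])


def oui(mac: bytes) -> str:
    """First 3 bytes: the IEEE-assigned Organizationally Unique Identifier."""
    return mac[:3].hex().upper()


def address_kind(mac: bytes) -> str:
    """Broadcast is all ones; otherwise the I/G bit (least significant bit of the
    first byte) separates group (multicast) from individual (unicast) addresses."""
    if mac == BROADCAST:
        return "broadcast"
    if mac[0] & 0x01:
        return "multicast"
    return "unicast"


def is_universal(mac: bytes) -> bool:
    """U/L bit (second least significant bit of the first byte) clear = burned-in,
    globally unique address; set = locally administered."""
    return not (mac[0] & 0x02)


def nic_accepts(dst: bytes, my_mac: bytes, joined_groups: set) -> bool:
    """Receive rule: my own unicast address, broadcast, or a multicast group
    this host volunteered to receive."""
    kind = address_kind(dst)
    if kind == "unicast":
        return dst == my_mac
    if kind == "broadcast":
        return True
    return dst in joined_groups


def describe_header(header: bytes) -> dict:
    """Decode the first 14 bytes of a frame: destination, source and Type field."""
    dst, src = header[0:6], header[6:12]
    ethertype = int.from_bytes(header[12:14], "big")
    return {"dst": cisco_format(dst), "dst_kind": address_kind(dst),
            "src": cisco_format(src), "src_oui": oui(src),
            "protocol": ETHERTYPES.get(ethertype, "0x%04X" % ethertype)}


if __name__ == "__main__":
    me = parse_mac("0000.0C12.3456")
    for text in ("0000.0C12.3456", "01:00:5e:00:00:01", "FFFF.FFFF.FFFF"):
        mac = parse_mac(text)
        print(cisco_format(mac), address_kind(mac), "OUI", oui(mac),
              "universal" if is_universal(mac) else "local",
              "accept:", nic_accepts(mac, me, set()))
```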

CSMA/CD
Step 1: A device with a frame to send listens until the Ethernet is not busy.
Step 2: When the Ethernet is not busy, the sender begins sending the frame.
Step 3: The sender listens while sending to discover whether a collision occurs; collisions might be caused by many reasons, including unfortunate timing. If a collision occurs, all currently sending nodes do the following:
A. They send a jamming signal that tells all nodes that a collision happened.
B. They independently choose a random time (16, backoff) to wait before trying again, to avoid unfortunate timing.
C. The next attempt starts again at Step 1.

- Connection to hub requires a Half Duplex setting.

Chapter 3 - Fundamentals of WANs
Leased-Line WANs
- Similar to an Ethernet crossover cable connecting two routers (full duplex)
- Forwards data between two routers
- Routers separate the LAN and the WAN.
- A crooked line in a diagram means 'no need to show any physical details of the line'.
- Leased lines use two pairs of wires, one pair for each direction => full-duplex operation
- Leased lines: companies pay monthly fees to use the line
- Service provider: a company that provides WAN connectivity, including Internet services
- "Serial" = "Sequential"
- CO: Central Office - telcos put equipment in COs
- Each customer site has CPE (Customer Premises Equipment), including the router, serial interface card and CSU/DSU (Channel Service Unit/Data Service Unit).
- Serial interface card: the router's equivalent of an Ethernet NIC; it sends/receives data over the physical link.
- CSU/DSU: a function that is either integrated into the router's serial interface card or sits outside the router as an external device
- Router >> short serial cable >> external CSU/DSU (using an RJ-48 connector, similar to RJ-45)
- Speeds are predefined: slower speeds run at multiples of 64 kbps, faster links at multiples of about 1.5 Mbps

Building a WAN Link in a Lab
- DTE: Data Terminal Equipment cable, male connector, acts like a straight-through cable
- DCE: Data Communications Equipment cable, female connector, acts like a crossover cable
- Clocking: one router tells the other exactly when to send each bit through signalling over the serial cable.
Data-Link Details of Leased Lines
- A leased line provides a Layer 1 service.
- The two most popular data link layer protocols used for leased lines between two routers: High-Level Data Link Control (HDLC) and Point-to-Point Protocol (PPP).
HDLC
- HDLC has less work to do than the Ethernet data-link protocol because of the point-to-point topology.
- HDLC frames can only go to one place: the other end of the link.
- An Address field exists, but the destination is implied.
- The International Organization for Standardization (ISO) created HDLC.
- ISO-standard HDLC does not have a Type field.
- Cisco's proprietary variation of HDLC adds a Type field.
Routing decisions (three hops through the internetwork):
Step 1: PC1's network layer (IP) logic tells it to send the packet to a nearby router (R1).
Step 2: Router R1's network layer logic tells it to forward (route) the packet out the leased line to Router R2 next.
Step 3: Router R2's network layer logic tells it to forward (route) the packet out the LAN link to PC2 next.
Encapsulation at each hop:
Step 1: To send the IP packet to Router R1 next, PC1 encapsulates the IP packet in an Ethernet frame that has the destination MAC address of R1.
Step 2: Router R1 de-encapsulates (removes) the IP packet from the Ethernet frame, encapsulates the packet into an HDLC frame using an HDLC header and trailer, and forwards the HDLC frame to Router R2 next.
Step 3: Router R2 de-encapsulates (removes) the IP packet from the HDLC frame, encapsulates the packet into an Ethernet frame that has the destination MAC address of PC2, and forwards the Ethernet frame to PC2.
HDLC Pros
- Simple for the customer
- Widely available
- High quality
- Private
Cons
- Higher cost
- Typically, longer lead times to get the service installed

Ethernet as a WAN Technology
- New, improved IEEE Ethernet standards: 1000BASE-LX uses single-mode fiber cabling, with support for a 5-km cable length; 1000BASE-ZX supports a 70-km cable length.
- Ethernet is used between the customer site and the SP (Service Provider)'s network
- PoP: Point of Presence
- The SP uses an Ethernet switch instead of a telco switch
- Ethernet emulation = EoMPLS (Ethernet over Multiprotocol Label Switching (MPLS))

EoMPLS provides:
- A point-to-point connection between two customer devices
- Behaviour as if a fiber Ethernet link existed between the two devices
- Forwarding of IP packets from one site to another
- Uses the same Ethernet protocols (802.3) as the Ethernet LAN links at each site
- The link uses the same Ethernet header and trailer.
- Each router discards the old data-link header/trailer and re-encapsulates.
Step 1: To send the IP packet to Router R1 next, PC1 encapsulates the IP packet in an Ethernet frame that has the destination MAC address of R1.
Step 2: Router R1 de-encapsulates (removes) the IP packet from the Ethernet frame and encapsulates the packet into a new Ethernet frame, with a new Ethernet header and trailer. The destination MAC address is R2's G0/0 MAC address, and the source MAC address is R1's G0/1 MAC address. R1 forwards this frame over the EoMPLS service to R2 next.
Step 3: Router R2 de-encapsulates (removes) the IP packet from the Ethernet frame, encapsulates the packet into an Ethernet frame that has the destination MAC address of PC2, and forwards the Ethernet frame to PC2.

Accessing the Internet
- WAN technologies used to gain access to the Internet: Digital Subscriber Line (DSL) and cable.
The Internet as a Large WAN
- Internet = one huge TCP/IP network.
- Internet core: LANs and WANs owned and operated by Internet Service Providers (ISPs).
- ISP networks connect to customers and to each other.
Internet Access (WAN) Links
- Internet access links: some kind of WAN link that uses a cable or uses wireless technology (phones)
- Businesses use leased lines
- Customers use DSL or cable (also used as Internet access for businesses)
- Requires a pair of routers, one on the customer side and one on the ISP side.
Digital Subscriber Line
- Short (miles long but not tens of miles), high-speed link between the telco customer and the ISP
- Uses the same single-pair telephone line used for a typical home phone line.
- Phone line: nearby telco CO <=> home
- Wall plates are often RJ-11 ports (a skinnier cousin of the RJ-45 connector).
- PSTN: Public Switched Telephone Network, provides the infrastructure and services for public telecommunication.
- DSL-capable devices at the home + DSL equipment at the telco's CO are needed for DSL service (3-15)
- DSL modem: sends data to/from the telco via physical and data link layer standards.
- The home-based router also needs to be able to send data to/from the Internet.
- Telephones now require a short extra cable with a filter installed at the wall jack to filter out the higher electrical frequencies of DSL.
- DSLAM: Digital Subscriber Line Access Multiplexer, splits data to the router and voice signals to the voice switch
- DSL supports asymmetric speeds: the transmission speed from the ISP to the home (downstream) is much faster than the transmission toward the ISP (upstream).
- Clicking a web page link sends a small amount of data upstream and a larger amount of data downstream.

Cable Internet
- Uses the existing cable TV (CATV) cable to send data.
- Uses asymmetric speeds.
- Short WAN links from customer to ISP
- The telephone line of DSL is replaced by the coaxial cable of CATV.
- The DSL modem is replaced by a cable modem.
- The CATV company splits data to the router and video from the video dishes (to TVs).
Final Comparison: DSL vs CATV
DSL: lower speeds; cheaper cost; asymmetric speeds; "always on" service
CATV: faster speeds; higher cost; asymmetric speeds; "always on" service
"Always on" service: the customer can communicate with the Internet without first taking some action to start the Internet connection.

Chapter 4 - Fundamentals of IPv4 Addressing and Routing
Role of the TCP/IP network layer
- IP routing: the process of hosts and routers forwarding IP packets (L3PDUs), while relying on the underlying LANs and WANs to forward the bits
- IP addressing: addresses used to identify a packet's source and destination host computer. Addressing rules also organize addresses into groups, which greatly assists the routing process.
- IP routing protocol: a protocol that aids routers by dynamically learning about the IP address groups so that a router knows where to route IP packets so that they go to the right destination host.
- Other utilities: the network layer also relies on other utilities. For TCP/IP, these utilities include DNS, ARP and ping.

Overview of Network Layer Functions
- IP focuses on logical details, rather than physical details (L2).
Network Layer Routing (Forwarding) Logic
- Path selection: routing process in 4-1
- PC1's logic: 168.1.1.1 is not on the same LAN, so send the packet to the default router
- Default router = default gateway
- R1 & R2's logic: compare the destination IP address to the IP routing table entries. Forward over the correct next LAN or WAN link according to the matching entry.
- R3's logic: R3 forwards the packet directly to PC2, which is on the same LAN.
How Network Layer Routing Uses LANs and WANs
- Network layer: the bigger view of the goal
- Data link layer: the specifics
- ARP: dynamically learns the data-link address of an IP host connected to a LAN.
Routing concepts
- The process of forwarding an L3PDU based on the L3 address in the packet
- The process of encapsulating L3 packets in L2 frames for transmission
IP Addressing and How Addressing Helps IP Routing
- IP defines network layer addresses that identify any host or router interface.
- IP grouping: IP network, IP subnet
- Grouped by location and by actual address values
- A router can list one routing table entry for each IP network or subnet, instead of one for every IP address.
- IPv4 header: 20 bytes, carrying the source IP address and destination IP address.

Routing Protocols
- Hosts need to know the IP address of the default router
- Routers need to know routes
- Step 1: R3 sends a routing protocol message to R2, with information about R3's network
- Step 2: R2 sends a routing protocol message to R1, with information about R3's network.

IPv4 Addressing
Rules for IP Addresses
- IP host: any device that has at least one interface with an IP address
- An IP address is a 32-bit number, written in DDN (Dotted-Decimal Notation)
- Each DDN has 4 decimal octets (bytes), separated by periods
- An octet represents an 8-bit number, with a range of 0-255 inclusive
- NICs, wireless NICs and router interfaces have an IP address for each interface
Rules for Grouping IP Addresses
- Left network: network ID of 8.0.0.0
- Serial link between R1 & R2: network ID of 199.1.1.0
- Routers define the IP grouping
Class A, B, and C IP Networks
- Class A: first octet of 1-126
- Class B: first octet of 128-191
- Class C: first octet of 192-223
- Class D: multicast addresses (packets to multiple hosts)
- Class E: defined as reserved for future use
- Class A: more than 16 million hosts per network, 126 networks
- Class B: 65,534 addresses per network, 16,384 networks
- Class C: 254 addresses per network, more than 2 million networks
The Actual Class A, B, and C IP Networks
- Network identifier = network ID
- Network ID: a single DDN value per network
- Class A: the first octet defines the group
- Class B: the first two octets define the group
- Class C: the first three octets define the group
IP Subnetting
- Subnet = subdivided network
- Using a whole classful network for one LAN wastes many IP addresses
- One group of 254 addresses beginning with 150.9.1
- One group of 254 addresses beginning with 150.9.2
- One group of 254 addresses beginning with 150.9.3
- One group of 254 addresses beginning with 150.9.4
- One group of 254 addresses beginning with 150.9.5
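The class rules, the classful network ID and the /24 subnetting of 150.9.0.0 above, as an added Python example (not code from the study notes; the addresses it is run on are constructed samples). It also includes the host-side rule from the routing section, "is the destination in my own group, or do I hand the packet to the default router?", because that decision is the same mask-and-compare operation. One fact the notes leave out is used: first octet 127 is the loopback block, so it falls outside the five classes.

```python
# Added example (not code from the study notes): classify an IPv4 address by its first
# octet, derive the classful network ID, and split a class B network into /24 subnets.
# Addresses used below are constructed samples.


def to_int(ip: str) -> int:
    """Dotted-decimal notation -> 32-bit integer, rejecting anything that is not 4 octets of 0-255."""
    octets = [int(o) for o in ip.split(".")]
    if len(octets) != 4 or any(o < 0 or o > 255 for o in octets):
        raise ValueError("not dotted-decimal notation: %r" % ip)
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]


def to_ddn(value: int) -> str:
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def ip_class(ip: str) -> str:
    """First-octet ranges from the notes: A 1-126, B 128-191, C 192-223, D 224-239 (multicast),
    E 240-255 (reserved). 0 and 127 are not usable network numbers (127 = loopback)."""
    first = to_int(ip) >> 24
    if 1 <= first <= 126:
        return "A"
    if 128 <= first <= 191:
        return "B"
    if 192 <= first <= 223:
        return "C"
    if 224 <= first <= 239:
        return "D"
    if 240 <= first <= 255:
        return "E"
    return "reserved"


CLASSFUL_PREFIX = {"A": 8, "B": 16, "C": 24}   # octets that define the group, in bits


def network_id(ip: str, prefix_len: int = None) -> str:
    """Network ID = the address with all host bits cleared. With no prefix length, the
    classful default applies (A: first octet, B: first two, C: first three)."""
    if prefix_len is None:
        cls = ip_class(ip)
        if cls not in CLASSFUL_PREFIX:
            raise ValueError("class %s addresses do not identify a network" % cls)
        prefix_len = CLASSFUL_PREFIX[cls]
    mask = (0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF
    return to_ddn(to_int(ip) & mask)


def usable_hosts(prefix_len: int) -> int:
    """Addresses in the group minus the network and broadcast addresses."""
    return 2 ** (32 - prefix_len) - 2


def same_group(ip_a: str, ip_b: str, prefix_len: int) -> bool:
    """Host logic: deliver directly if the destination is in my own subnet,
    otherwise send the packet to the default router."""
    return network_id(ip_a, prefix_len) == network_id(ip_b, prefix_len)


def subnets_of(network: str, prefix_len: int, new_prefix: int) -> list:
    """Split e.g. 150.9.0.0/16 into /24 subnets: 150.9.0.0, 150.9.1.0, 150.9.2.0, ..."""
    base = to_int(network_id(network, prefix_len))
    step = 2 ** (32 - new_prefix)
    count = 2 ** (new_prefix - prefix_len)
    return [to_ddn(base + i * step) for i in range(count)]


if __name__ == "__main__":
    for ip in ("8.1.2.3", "150.9.3.77", "199.1.1.2", "224.0.0.9"):
        cls = ip_class(ip)
        net = network_id(ip) if cls in CLASSFUL_PREFIX else "-"
        print(ip, "class", cls, "network", net)
    print(subnets_of("150.9.0.0", 16, 24)[1:6])   # the five groups the notes list
    print(same_group("150.9.3.1", "168.1.1.1", 24))  # False: hand it to the default router
```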

IPv4 Routing
IPv4 Host Routing
- PC1 to PC11: PC1 >> SW >> PC11
- PC1 to PC2: PC1 >> Core Router >> Router B1 >> PC2
Router Forwarding Decisions and the IP Routing Table
A Summary of Router Forwarding Logic
- Router logic at Step 3: in which group (network/subnet) does this packet's destination address reside?
A Detailed Routing Example
- All routers use the Open Shortest Path First (OSPF) routing protocol
Step 1: PC1 places the packet into an Ethernet frame >> sends it to default router R1
Step 2: R1 checks the FCS >> de-encapsulates the Ethernet header and trailer >> compares the destination against its routing table entries >> encapsulates the packet with the next-hop router address in an HDLC frame >> forwards the packet out S0 on the serial link to R2
Step 3: R2 checks the FCS >> de-encapsulates the HDLC header and trailer >> compares the destination against its routing table entries >> encapsulates the packet with the next-hop router address in an Ethernet frame >> forwards the packet out F0/0 on the (EoMPLS) link
Step 4: R3 checks the FCS >> de-encapsulates the Ethernet header and trailer >> compares the destination against its routing table entries >> encapsulates the packet with PC2's MAC address in an Ethernet frame and forwards the frame

IPv4 Routing Protocols
Steps of routing protocols:
Step 1: Each router adds a route to its routing table for each subnet directly connected to it.
Step 2: Each router's routing protocol tells its neighbours about the routes in its routing table, including directly connected routes and routes learned from other routers.
Step 3: After learning a new route from a neighbour, the router's routing protocol adds the route to its own IP routing table, with the next-hop router of that route typically being the neighbour from which it was learned.
Example:
Step A: Subnet 150.150.4.0 is connected to Router R3
Step B: R3 adds a connected route for 150.150.4.0 to its IP routing table
Step C: R3 sends a routing protocol message (routing update) to R2
Step D: R2 adds a route for 150.150.4.0 to its routing table with a next-hop router of R3
Step E: R2 sends a routing update to R1
Step F: R1 adds a route for 150.150.4.0, with Serial0 as the outgoing interface and R2 as the next-hop router.
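The three routing-protocol steps and the R3 >> R2 >> R1 example above, together with the forwarding lookup a router performs for each packet, as an added Python example. It is not code from the study notes and not a real routing protocol (no OSPF messages, no metrics); the interface names and the extra subnets that join the routers are constructed so the topology is complete. Forwarding uses longest-prefix matching, which is what a real IP routing table does when both a subnet route and a wider route contain the destination.

```python
from ipaddress import ip_address, ip_network

# Added example (not code from the study notes): a toy routing table with longest-prefix
# matching, plus steps A-F from the notes (a connected route on R3 advertised hop by hop
# to R2 and then R1). Interface names and link prefixes are constructed.


class Router:
    def __init__(self, name: str):
        self.name = name
        self.routes = {}   # ip_network -> (outgoing interface, next-hop router name or None)

    def add_route(self, prefix: str, iface: str, next_hop=None):
        self.routes[ip_network(prefix)] = (iface, next_hop)

    def add_connected(self, prefix: str, iface: str):
        """Step 1: one route per directly connected subnet, with no next hop."""
        self.add_route(prefix, iface, None)

    def advertise_to(self, neighbor: "Router", neighbor_iface: str):
        """Steps 2-3: tell the neighbour every route we know (connected and learned);
        the neighbour installs the ones it lacks with us as the next hop, reachable
        out of the interface that faces us."""
        for prefix in self.routes:
            if prefix not in neighbor.routes:
                neighbor.routes[prefix] = (neighbor_iface, self.name)

    def lookup(self, dst: str):
        """Forwarding decision: the matching route with the longest prefix wins.
        None means no route at all, so the packet is discarded."""
        dst_ip = ip_address(dst)
        matches = [net for net in self.routes if dst_ip in net]
        if not matches:
            return None
        best = max(matches, key=lambda net: net.prefixlen)
        return self.routes[best]

    def trace(self, dst: str, routers: dict) -> list:
        """Follow next hops from this router until a connected route (or no route) is reached."""
        path = [self.name]
        router = self
        while True:
            route = router.lookup(dst)
            if route is None:
                return path + ["(no route: discard)"]
            iface, next_hop = route
            if next_hop is None:
                return path + ["%s -> %s (connected)" % (iface, dst)]
            path.append("%s -> %s" % (iface, next_hop))
            router = routers[next_hop]


def build_topology() -> dict:
    """R1 --serial-- R2 --Ethernet-- R3 --- 150.150.4.0/24, as in the notes' example.
    Link subnets and interface names other than Serial0 are constructed."""
    r1, r2, r3 = Router("R1"), Router("R2"), Router("R3")
    r1.add_connected("150.150.1.0/24", "F0/0")
    r1.add_connected("150.150.2.0/30", "Serial0")
    r2.add_connected("150.150.2.0/30", "Serial0")
    r2.add_connected("150.150.3.0/24", "F0/0")
    r3.add_connected("150.150.3.0/24", "F0/0")
    r3.add_connected("150.150.4.0/24", "F0/1")   # Steps A-B: 150.150.4.0 is connected to R3
    r3.advertise_to(r2, "F0/0")                  # Steps C-D: R2 learns it with next hop R3
    r2.advertise_to(r1, "Serial0")               # Steps E-F: R1 learns it, Serial0 / next hop R2
    return {"R1": r1, "R2": r2, "R3": r3}


if __name__ == "__main__":
    routers = build_topology()
    print("R1 route to 150.150.4.10:", routers["R1"].lookup("150.150.4.10"))   # ('Serial0', 'R2')
    print(" > ".join(routers["R1"].trace("150.150.4.10", routers)))
```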

Other Network Layer Features
- Domain Name System (DNS)
- Address Resolution Protocol (ARP)
- Packet Internet Groper (ping)
Using Names and the Domain Name System
- TCP/IP defines ways to use hostnames to identify other computers
- Hostname: www.google.com
- IP address: 8.8.8.8
- DNS resolves hostnames to the matching IP address
Step 1: PC11 sends a DNS query for the IP address of Server1 to the DNS server
Step 2: The DNS server sends back a DNS reply with Server1's IP address
Step 3: PC11 sends an IP packet to destination address 10.1.2.3
- The DNS query lists the DNS server's IP address as its destination
- Web browsing follows DNS naming standards
- DNS servers are distributed around the world
The Address Resolution Protocol
- ARP: any host or router on a LAN can dynamically learn the MAC address of another IP host or router on the same LAN.
- ARP request: "If this is your IP address, please reply with your MAC address."
- ARP reply: lists both the original IP address and the matching MAC address.
- R3's ARP reply is a LAN broadcast.
- Hosts keep ARP results in an ARP cache or ARP table.
- The arp -a command shows the ARP cache.
ICMP Echo and the ping Command
- ping command: tests basic network connectivity
- Ping (Packet Internet Groper) uses the Internet Control Message Protocol (ICMP) and sends an ICMP echo request to another IP address.
- The computer with that IP address sends back an ICMP echo reply.
- Goal: to see if the network can deliver a packet from one host to the other and back
- ICMP just tests basic IP connectivity (L1/2/3)

Chapter 5 - Fundamentals of TCP/IP Transport and Applications
TCP/IP Layer 4 Protocols: TCP and UDP
- Most data-link protocols: error detection only - discard frames
- TCP: error handling - retransmission
- TCP: flow control - avoid congestion
- UDP: fewer bytes of overhead - VoIP, video over IP
Transmission Control Protocol
Pros:
- Error recovery
- Flow control (windowing)
- Multiplexing
- Connection establishment/termination
- Ordered data transfer/segmentation
Cons:
- More bandwidth
- More processing cycles
- More bytes of overhead
- Slower speed
- TCP: RFC 793
- Adjacent-layer interaction with the application layer
- TCP segment/L4PDU: the message created by TCP that begins with a TCP header
Multiplexing Using TCP Port Numbers
- Multiplexing: TCP & UDP
- Multiplexing: tells the receiving computer which application to give the received data to
Jessie's running applications:
- UDP-based advertisement application
- TCP-based wire-transfer application
- TCP web server application
- Problem: Jessie does not know which application to give the data to.
- Solution: use of the port number fields in the TCP or UDP headers
Socket:
- IP address
- Transport protocol
- Port number
- Jessie's web server application: (10.1.1.2, TCP, port 80)
- Hannah's possible socket: (10.1.1.1, TCP, 1030)
- Port numbers 0-1023 are reserved for well-known applications
- Port numbers 1024 (to 49151) and up are dynamic port numbers
- Sockets allow multiplexing by creating a unique connection between two computers.
- Servers such as FTP and Telnet listen for connection requests, and clients need to know the well-known port numbers.
- www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.txt
- Many (e.g. 100) applications talking to 1 server: the server uses each application's source port as the destination port of its reply
- WWW (World Wide Web): web browsers accessing the content available on web servers
- DNS (Domain Name System): users can refer to computers by name, and DNS finds the corresponding IP address; client-server model
- SNMP (Simple Network Management Protocol): network device management; Cisco Prime uses SNMP to query network devices (query, compile, store and display information about the network's operation)
- TFTP (Trivial File Transfer Protocol): simple protocol for basic file transfer
- FTP (File Transfer Protocol): many more features than TFTP, the general choice
Connection Establishment and Termination
- Connection establishment: the process of initializing the Sequence and Acknowledgement fields and agreeing on the port numbers used.
- Three-way connection establishment flow = three-way handshake
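The socket table behind the multiplexing described above, as an added Python example (not code from the study notes, and not a real socket API: the hosts, applications and the two constructed ports given to Jessie's non-web applications are made up for illustration). A host keeps one entry per (IP address, transport protocol, port); a server binds a well-known port, a client is handed the next free dynamic port from 1024 upward, and an arriving segment is handed to whichever application owns its destination port. The reply rule at the end is what lets one server keep 100 clients apart.

```python
# Added example (not code from the study notes): the socket table that lets "Jessie"
# hand each arriving segment to the right application, using the port ranges the notes
# give (well-known 0-1023, dynamic 1024 and up). Hosts, apps and ports are constructed.

WELL_KNOWN_MAX = 1023
FIRST_DYNAMIC = 1024


class Host:
    def __init__(self, ip: str):
        self.ip = ip
        self.sockets = {}            # (ip, protocol, port) -> application name
        self.next_dynamic = FIRST_DYNAMIC

    def listen(self, proto: str, port: int, app: str) -> tuple:
        """Server side: bind a port (a well-known one, so clients know where to connect)."""
        key = (self.ip, proto.upper(), port)
        if key in self.sockets:
            raise ValueError("socket already in use by %s: %r" % (self.sockets[key], key))
        self.sockets[key] = app
        return key

    def open_client(self, proto: str, app: str) -> tuple:
        """Client side: take the next free dynamic port (1024 and up)."""
        while (self.ip, proto.upper(), self.next_dynamic) in self.sockets:
            self.next_dynamic += 1
        return self.listen(proto, self.next_dynamic, app)

    def deliver(self, proto: str, dst_port: int):
        """Demultiplex an arriving segment by (my IP, protocol, destination port).
        None means no application is listening there, so the data cannot be delivered."""
        return self.sockets.get((self.ip, proto.upper(), dst_port))


def reply_header(request: dict) -> dict:
    """A server reply swaps the addresses: the client's source port becomes the
    destination port, which is how 100 clients of one server are told apart."""
    return {"src_ip": request["dst_ip"], "dst_ip": request["src_ip"],
            "proto": request["proto"],
            "src_port": request["dst_port"], "dst_port": request["src_port"]}


def is_well_known(port: int) -> bool:
    return 0 <= port <= WELL_KNOWN_MAX


if __name__ == "__main__":
    jessie, hannah = Host("10.1.1.2"), Host("10.1.1.1")
    jessie.listen("TCP", 80, "web server")               # (10.1.1.2, TCP, 80) from the notes
    jessie.listen("TCP", 3001, "wire-transfer app")      # constructed port
    jessie.listen("UDP", 5000, "advertisement app")      # constructed port
    hannah_sock = hannah.open_client("TCP", "browser")   # e.g. (10.1.1.1, TCP, 1024)
    request = {"src_ip": hannah.ip, "dst_ip": jessie.ip, "proto": "TCP",
               "src_port": hannah_sock[2], "dst_port": 80}
    print("Jessie gives the data to:", jessie.deliver(request["proto"], request["dst_port"]))
    print("nothing listens on UDP 80:", jessie.deliver("UDP", 80))
    print("reply goes back to:", reply_header(request))
```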

- Sockets: IP address (source/destination IP address) / TCP (TCP header, protocol field value) is implied.
- SYN: synchronize the sequence numbers
- ACK: acknowledgement of establishment
- FIN: 'finishing' of the connection / termination of the connection
- Four-way handshake for TCP connection termination
- In case of a long reply time, the right PC sends an ACK-FIN to acknowledge that the left PC wants to terminate the connection
- UDP has no connection termination sequence
- TCP: connection-oriented protocol
- UDP: connectionless protocol
Error Recovery and Reliability
- Sequence Number field + Acknowledgement field = reliability
Step 1: Web Browser encapsulates 1000 bytes of data with a TCP header with Sequence number 1000 and sends it to Web Server.
Step 2: Web Browser encapsulates 1000 bytes of data with a TCP header with Sequence number 2000 and sends it to Web Server.
Step 3: Web Browser encapsulates 1000 bytes of data with a TCP header with Sequence number 3000 and sends it to Web Server.
Step 4: Web Server sends a TCP header with ACK value 4000 to Web Browser.
- Web Server's ACK: "I received all data with sequence numbers up through one less than 4000, so I am ready to receive your byte 4000 next"
- TCP: forward acknowledgement, the convention of acknowledging by listing the next expected byte
- TCP uses the SEQ and ACK fields so the receiving host can notice lost data >> ask the sending host to resend >> acknowledge that the re-sent data arrived
Step 1: Web Server receives bytes 1000-1999 and 3000-3999, so it asks for the missing data of bytes 2000-2999 next with an ACK value of 2000.
Step 2: Web Browser sends the missing data with SEQ 2000.
Step 3: Web Server receives bytes 2000-2999, and asks for 4000 next with an ACK value of 4000 (already received data + recently received data).
Flow Control Using Windowing
- Windowing: the receiver tells the sender how much data it can receive right now, which controls the sending rate
- Sliding window or dynamic window: the receiver slides the window size up/down
Step 1: Web server sends the web browser a TCP header with ACK value 1000 and window 3000 (= "send me bytes 1000 and up, 3000 bytes in total, i.e. bytes 1000-3999, before waiting for another ACK").
Step 2: Web browser sends bytes 1000-3999 in segments with SEQ values 1000, 2000 and 3000.
Step 3: Web server acknowledges receiving the data without error with an ACK value of 4000 and grants a new window of 4000.
Step 4: Web browser can now send bytes 4000-7999 if necessary.
User Datagram Protocol
TCP                                          | UDP
- Multiplexing using port numbers            | - Multiplexing using port numbers
- Error recovery                             | - No reliability/error recovery
- Flow control with windowing                | - No windowing
- Reordering of received data                | - No reordering of received data
- Segmentation of large chunks of data       | - No segmentation of large chunks of data
- Connection-oriented                        | - Connectionless
- Slower                                     | - Faster
- More bandwidth/ bigger header (20 bytes)   | - Less bandwidth/ smaller header (8 bytes)
- Applications that choose UDP:
  - VoIP: by the time a retransmission arrived, too much voice delay would already have occurred
  - DNS requests: the user (or resolver) simply retries if a DNS request fails
  - NFS (Network File System): recovery is performed by application layer code
- Less work to do => shorter header

TCP/IP Applications
- The purpose of connecting to the Internet is to use applications (web browsing, text messaging, email etc.)
- Web servers: store information (web pages)
- Web browser: end-user software that connects to a web server and displays web pages
- Web browsers = web clients
Uniform Resource Identifiers
- "Link" and "web address" are informal names; the formal term is Uniform Resource Identifier (URI)
- Uniform Resource Locator (URL) = a URI that locates a resource, e.g. a web address
- Example http://www.certskills.com/blog:
  - Protocol: Hypertext Transfer Protocol (HTTP)
  - Hostname: www.certskills.com
  - Web page: blog
Finding the Web Server Using DNS
- The name inside the URI needs to be resolved to the corresponding IP address.
Step 1: The user enters the URI into the browser's address area.
Step 2: The client sends a DNS request to the DNS server (the client learned the DNS server's IP address through DHCP), with a UDP header and destination port 53.
Step 3: The DNS server sends a reply listing the IP address of the hostname; the destination IP address is the client's source IP address, and the UDP source port is 53.
Step 4: The client begins establishing a TCP connection to the web server. The packet includes a TCP header (since HTTP uses TCP) with destination port 80 and the SYN bit set.
Transferring Files with HTTP
- Step 1: User sends an HTTP GET request to the server, listing the filename
- Step 2: Server sends an HTTP response with a status code of 200 (OK), 404 (Not Found) etc.
- Web pages consist of multiple files called objects
- The first file includes references to other URIs
- All HTTP commands flow over a TCP connection => error recovery is provided
- Plain HTTP and DNS over UDP are neither authenticated nor encrypted; HTTPS (HTTP over TLS, TCP port 443) protects the HTTP exchange
How the Receiving Host Identifies the Correct Receiving Application

- Different applications use different port numbers
- Encapsulation: Data >> HTTP header >> TCP header >> IPv4 header >> Ethernet header (and trailer)
- Ethernet EtherType field: 0x0800 = an IPv4 header follows
- IPv4 Protocol field: 6 = a TCP header follows (17 = UDP header)
- TCP Destination Port Number field: the client's dynamic port (1024 in this example) identifies the one browser connection on the client; the server side used well-known port 80

PART I REVISION
Terms
Chapter 1
- Adjacent-layer Interaction: On a single computer, one layer provides a service to a higher layer. The higher layer requests that the next lower layer perform the needed function. (HTTP & TCP)
- De-encapsulation: Process of discarding headers and/or trailers.
- Encapsulation: Process of prepending/appending headers and/or trailers.
- Frame: A data link layer protocol message and its encapsulated data and header/trailer; L2PDU.
- Networking Model: A networking model defines rules about how each part of the network should work and how the parts should work together so that the entire network functions correctly.
- Packet: A network layer protocol message and its encapsulated data and header; L3PDU.
- Protocol Data Unit (PDU): The bits that include the headers and trailers for a layer, as well as the encapsulated data.
- Same-layer Interaction: The process of two computers communicating with the same layer on the other computer, using that layer's header. (TCP)
- Segment: A transport layer protocol message and its encapsulated data and header; L4PDU.
Chapter 2
- Ethernet: A family of LAN standards that together define the physical and data link layers of wired LAN technology. (IEEE 802.3)
- Institute of Electrical and Electronics Engineers (IEEE): The institute that defines the standards for the cabling, the connectors on each end of the cables, the protocol rules and everything else required to create an Ethernet LAN.
- Wired LAN: LANs that use wires to create physical connections between devices.
- Wireless LAN: LANs that use wireless technology to create connections between devices.
- Ethernet Frame: A message which contains encapsulated data and an Ethernet header/trailer.
- 10BASE-T: Twisted-pair cabling that runs at 10 Mbps (802.3, copper, 100 m)
- 100BASE-T: Twisted-pair cabling that runs at 100 Mbps (802.3u, copper, 100 m)
- 1000BASE-T: Twisted-pair cabling that runs at 1000 Mbps (802.3ab, copper, 100 m)
- Fast Ethernet: Common name for 100BASE-T
- Gigabit Ethernet: Common name for 1000BASE-T or 1000BASE-LX
- Ethernet Link: Any physical cable between two Ethernet nodes.
- RJ-45: The connector on both ends of a UTP cable; it has 8 pin positions.
- Ethernet Port: A port into which an Ethernet connector plugs.
- Network Interface Card (NIC): A computer hardware component that connects a computer to a computer network.
- Straight-through Cable: A cable used when the two nodes send and receive on different pins.
- Crossover Cable: A cable used when the two nodes send and receive on the same pins.
- Ethernet Address: A MAC address.
- MAC (Media Access Control) Address: A 12-digit hexadecimal (48-bit binary) number which is the physical address of a device.
- Unicast Address: An address that represents a single interface on the Ethernet LAN.
- Broadcast Address: Frames sent to this address should be delivered to all devices on the Ethernet LAN; it has the value FFFF.FFFF.FFFF.
- Frame Check Sequence (FCS): A way for nodes to detect errors and discard frames if necessary.
- Full Duplex: The device does not have to wait before sending; it can send and receive at the same time.
- Half Duplex: The device must wait to send if it is currently receiving a frame; in other words, it cannot send and receive at the same time.
Chapter 3
- Leased Line: A full-duplex line that a company pays a service provider a monthly fee to use.
- Wide-area Network (WAN): A network that connects devices that are far apart.
- Telco: Telecommunications company; telephony and data communications provider.
- Serial Interface: A router interface that connects through a serial cable to a CSU/DSU for a leased line.
- High-level Data Link Control (HDLC): A data link protocol that controls the correct delivery of data over a physical link.
- Digital Subscriber Line (DSL): Internet access service that sends data over the existing telephone line alongside voice.
- Cable Internet: Internet access service that sends data over the cable TV (CATV) cabling.
- Ethernet over MPLS (EoMPLS): WAN service that delivers an Ethernet link between sites across the provider's MPLS network.
- CSU/DSU: Channel service unit/data service unit; the device that terminates the leased line and connects to the router's serial interface.
- CPE: Customer premises equipment; equipment (e.g. router, CSU/DSU) located at the customer site.
- DTE: Data terminal equipment; the router end of the serial cable between a router and an external CSU/DSU (straight-through cable, male connector).
- DCE: Data communications equipment; the CSU/DSU end, or the end of a crossover-style serial cable that connects back-to-back to a DTE cable (female connector); the DCE provides clocking.
Chapter 4
- Default Router (Default Gateway): The router that a device sends its frames to when the receiving node is outside the local subnet.
- Routing Table: The table that lists routes, e.g. the next-hop router address for each subnet.
- IP Network: A group of IP addresses with the same value in the network part of the address.
- IP Subnet: A subdivision of an IP network.
- IP Packet: A network layer message: IP header plus encapsulated data.
- Routing Protocol: Protocols that help routers learn routes for all IP networks and subnets.
- Dotted-decimal Notation (DDN): Decimal numbers that are separated by dots, e.g. 192.168.1.1.
- IPv4 Address: A 32-bit address written in DDN that identifies an interface on an IP network.
- Unicast IP Address: The IP address of a single interface.
- Subnetting: The process of dividing an IP network into subnets.
- Hostname: A name that refers to a computer, resolved to an IP address by DNS.
- Domain Name System (DNS): The system (client-server) that resolves hostnames to IP addresses.
- Address Resolution Protocol (ARP): The protocol a host uses to learn the MAC address that corresponds to a known IP address in the same subnet.
- Packet Internet Groper (ping): A command that tests IP connectivity by sending ICMP Echo Requests and expecting Echo Replies.
Chapter 5
- Connection Establishment: The process of initializing the Sequence and Acknowledgement fields and agreeing on port numbers (three-way handshake).
- Error Detection: Noticing that data was lost or corrupted in transit (e.g. via the SEQ/ACK fields or an FCS).
- Error Recovery: Asking the sender to resend lost data and acknowledging the re-sent data (TCP only).
- Flow Control: The receiver telling the sender how much data it can receive right now (windowing).
- Forward Acknowledgement: Acknowledging received data by listing the next expected byte.
- Hypertext Transfer Protocol (HTTP): The protocol web browsers use to request and transfer web pages/objects from web servers; TCP port 80.
- Ordered Data Transfer: The receiver putting segments back into order using sequence numbers.
- Port: A number in the TCP/UDP header that identifies the sending or receiving application (multiplexing).
- Segment: A transport layer protocol message and its encapsulated data and header; L4PDU.
- Sliding Windows: Windowing in which the receiver changes the window size over time.
- Uniform Resource Identifier (URI): The formal term for a web address or link.
- Web Server: Software that stores web pages and sends them to web clients (browsers).

Part II - Implementing Basic Ethernet LANs
Chapter 6 - Using the Command-Line Interface
Accessing the Cisco Catalyst Switch CLI
- CLI: Command-Line Interface; text-based interface in which the user sends commands to the device
Cisco Catalyst Switches
- 2960-X: typical switch in campus LAN designs
- Interface type: Ethernet (Eth)/Fast Ethernet (Fa)/Gigabit Ethernet (Gi) etc.
- Interface number: two numbers (x/y) or three numbers (x/y/z)
Accessing the Cisco CLI
- Internetwork Operating System (IOS)
- Ways of connecting: console, Telnet, Secure Shell (SSH)
- Console: physical port and cable
- Telnet & SSH: over the IP network
Cabling the Console Connection
- Three main components: the physical console port on the switch, the physical serial or USB port on the PC, and a cable that works with those ports
- Three cable combinations:
  - Older connectors on both ends (RJ-45 console port on the switch, DB-9 serial port on the PC)
  - Newer USB connector on the PC, older RJ-45 connector on the switch
  - Newer USB connectors on both the PC and the switch
- Left: RJ-45 console port >> UTP rollover cable (pins 1-8, 2-7, 3-6 etc.) >> D-shell connector (nine pins, a.k.a. DB-9)
- Centre: RJ-45 console port >> UTP rollover cable >> USB converter >> USB cable >> USB port
- Right: USB console port >> USB cable >> USB port
- Terminal emulator software on the PC
- Emulator configuration (8N1): 9600 bps, 8 data bits, no parity, 1 stop bit, no hardware flow control

Accessing the CLI with Telnet and SSH
- Telnet and SSH do not use the console cable or console port; they use the IP network
- Telnet/SSH client = terminal application on the PC; Telnet/SSH server = the device, e.g. the switch
Telnet                                                   | SSH
- Uses IP network connection                             | - Uses IP network connection
- Uses a terminal emulator                               | - Uses a terminal emulator
- All data is sent in clear text; nothing is encrypted   | - Contents of all messages, including passwords, are encrypted
- Uses TCP port 23                                       | - Uses TCP port 22
- Prefer SSH: Telnet exposes usernames and passwords to anyone who can capture traffic on the path
User and Enable (Privileged) Modes
- User EXEC mode: default mode when accessing the CLI
- Enable mode: accessed via the enable command (and the enable password/secret); powerful commands may be executed, e.g. the reload command
- The reload command does not work in user mode, but does in enable mode
- Use the enable command to switch to enable mode
Password Security for CLI Access from the Console
- By default, the switch has no password for the console and no enable password for users connecting via the console
- Physical access to the console = complete control over the switch
- Two places for a password: when the user connects from the console, and when the user moves to enable mode

- show running-config: lists the current configuration in the switch
- enable secret love: defines the enable-mode password as 'love'; enable secret stores a hash of the password, whereas the older enable password command stores it in clear text (or reversibly obfuscated type 7 form) and should not be used
- line console 0: identifies the console; "the next commands apply to the console only"
- login: perform simple password checking at the console
- password faith: defines the console password as 'faith'; line passwords are stored in clear text in the configuration unless service password-encryption is configured, and even then they are only weakly obfuscated, not hashed

CLI Help Features
- command = any command & parm = a command's parameter
- ?: lists the commands or parameters available at this point; the Enter key does not need to be pressed after ?
- command ?: lists the parameters that can follow that command
- Help is available in each configuration submode as well as in global configuration mode
- Commands are stored in the history buffer, ten commands by default

The debug and show Commands
- show: lists the current operational status of almost every feature of Cisco IOS, at one instant in time
- debug: asks IOS to issue live log messages as a feature operates, so the user sees operational details as they happen
- show lists status at one instant; debug lists current, live messages
- debug output costs CPU and can overwhelm a busy device; turn it off with no debug all (undebug all) when finished

Configuring Cisco IOS Software
- User mode: non-disruptive commands; displays some information
- Privileged mode: superset of commands, including disruptive commands
- Configuration mode: changes the configuration
Configuration Submodes and Contexts
- Global configuration mode: initial configuration mode
- Interface configuration mode: entered with the interface command, e.g. interface FastEthernet 0/1
- Subcommands, e.g. interface subcommands
- configure terminal: move from enable mode to global configuration mode
- hostname Fred: configure the switch's name
- line console 0: move from global configuration mode to console line configuration mode
- password hope: set the console password to 'hope'
- interface FastEthernet 0/1: move from console configuration mode to interface configuration mode
- speed 100: set the speed to 100 Mbps for Fa0/1
- exit: move from interface configuration mode back to global configuration mode (end or Ctrl-Z returns to enable mode from any configuration mode)
- Global commands: only one configuration per switch, e.g. hostname
- Configuration subcommands: the configuration can apply to different switch interfaces etc., e.g. speed
Storing Switch Configuration Files
- RAM (Random-Access Memory) or DRAM (Dynamic Random-Access Memory): working storage; holds the running (active) configuration file
- Flash memory: default location of the switch's Cisco IOS image at boot time; storage for other files, e.g. backup copies of configuration files
- ROM (Read-Only Memory): stores the bootstrap (boothelper) program that runs when the switch first powers on and loads Cisco IOS into RAM
- NVRAM (Nonvolatile RAM): stores the initial/startup configuration file used when the switch first powers on or reloads
- Configuration commands are stored in a configuration file
- Configuration mode changes only the running-config file, and a power loss loses those changes => copy the running-config file to NVRAM
Step 1: Running-config & startup-config both have hostname 'hannah' through the hostname hannah command
Step 2: hostname jessie is entered in configuration mode
Step 3: show running-config & show startup-config now show different hostnames
Copying and Erasing Configuration Files
- copy running-config startup-config: overwrites the current startup-config file with the current running-config file
- write erase or erase startup-config or erase nvram:: erases the startup-config file; then use the reload command to empty the running-config as well
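The mode changes and the save/erase commands above, shown as one added example session (this is not from the notes; the prompts show which mode each command runs in, and the hostname Fred and interface Fa0/1 are assumed values):

```cisco
! Added example session, not from the notes. Prompts show the current mode.
! Hostname "Fred" and interface FastEthernet 0/1 are assumed values.
SW1> enable
SW1# configure terminal
SW1(config)# hostname Fred
Fred(config)# line console 0
Fred(config-line)# password hope
Fred(config-line)# login
! A global command such as interface works from any submode.
Fred(config-line)# interface FastEthernet 0/1
Fred(config-if)# speed 100
Fred(config-if)# exit
Fred(config)# end
! So far only the running-config in RAM has changed: the two files differ.
Fred# show running-config | include hostname
Fred# show startup-config | include hostname
! Save to NVRAM so the change survives a reload.
Fred# copy running-config startup-config
! To discard everything and reload with an empty configuration instead:
Fred# write erase
Fred# reload
```

The two show commands are the check worth getting into the habit of: if their hostname lines differ, the device will boot with the old configuration, and the same applies to security settings such as passwords and port security.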

Chapter 7 - Analysing Ethernet LAN Switching
LAN Switching Concepts
- Campus LAN: supports end users; switches sit in wiring closets near the end users
- Data Centre LAN: servers in data centres connect to the LAN
Figure 7-1 Campus LAN and Data Centre LAN, Conceptual Drawing
Overview of Switching Logic
- Switch's main goal: forward frames to the correct destination MAC addresses
- Switch port = switch interface
Forwarding Known Unicast Frames
Step 1: Fred sends a frame with destination address 0200.2222.2222 (Barney)
Step 2: The switch compares the destination MAC address to the MAC address table
Step 3: The matched table entry tells the switch to forward the frame out only port F0/2
Step 4: The switch filters (does not send) the frame on F0/3 and F0/4
- MAC address table = switching table, bridging table, Content-Addressable Memory (CAM) table
Forwarding through two switches:
Step 1: Fred sends a frame with destination address 0200.3333.3333 on F0/1
Step 2: SW1 compares the destination MAC address to its MAC address table
Step 3: The matched table entry tells SW1 to forward the frame out only port G0/1
(The same logic repeats on the next switch)
Step 4: SW2 receives the frame with destination address 0200.3333.3333 from SW1 on G0/2
Step 5: SW2 compares the destination MAC address to its MAC address table
Step 6: The matched table entry tells SW2 to forward the frame out only port F0/3
- Known unicast frames / known unicasts: the destination address is a unicast address, and the destination is known (listed in the table)
Learning MAC Addresses
- The switch adds each unknown source MAC address from incoming frames to the MAC address table, together with the incoming port
Step A1: Fred sends a frame with destination address 0200.2222.2222 and source address 0200.1111.1111
Step A2: The switch adds the unknown source address 0200.1111.1111 to the MAC address table with F0/1 as the outgoing interface
(Step A3: The switch floods the frame out every port except the incoming port, because the destination is still unknown)
Step B1: Barney sends a frame with destination address 0200.1111.1111 and source address 0200.2222.2222
Step B2: The switch adds the unknown source address 0200.2222.2222 to the MAC address table with F0/2 as the outgoing interface
(Step B3: The switch forwards the frame out port F0/1 only, because 0200.1111.1111 is now known)
Flooding Unknown Unicast and Broadcast Frames
- Flooding: the switch forwards the frame out all interfaces except the incoming interface
- Unknown unicast frame or unknown unicast: a frame whose destination address is unknown to the switch
- The switch floods unknown unicasts
- The switch floods LAN broadcast frames (FFFF.FFFF.FFFF)

Avoiding Loops Using Spanning Tree Protocol
- STP: loop prevention
- All switches start with empty MAC address tables
Step 1: Larry sends a frame with the destination address of Bob
Step 2: Larry's switch floods the frame out all interfaces except the incoming interface
Step 3: Archie's and Bob's switches receive the frame and flood it out all interfaces except the incoming interface
Step 4: Without STP, copies of the frame keep circulating in both directions around the loop forever; Bob replying does not stop the copies already in flight, and every further flooded frame (broadcast or unknown unicast) adds to the storm
- STP removes the loop by blocking some ports:
  - Blocking state: the interface can neither forward nor receive data frames
  - Forwarding state: the interface can send and receive data frames
LAN Switching Summary

Verifying and Analysing Ethernet Switching
- A Cisco Catalyst switch from the factory is ready to forward frames with just a power cable and Ethernet cables
- Default settings:
  - All interfaces are enabled
  - All interfaces are assigned to VLAN 1
  - 10/100 and 10/100/1000 interfaces use autonegotiation (the two connected devices agree on speed, duplex mode, flow control and other transmission parameters)
  - MAC learning, forwarding and flooding logic work by default
  - STP is enabled by default
Demonstrating MAC Learning
- show mac address-table: lists all known MAC addresses in the MAC table
- show mac address-table dynamic: lists only dynamically learned MAC addresses
- How to simulate a newly unboxed switch:
  - erase startup-config: erase the startup-config file
  - delete vlan.dat: delete the VLAN configuration
  - reload: reload the switch
- MAC Address + Port columns: the MAC address and its matching port
- Type column: dynamic or static
- VLAN column: when a frame enters via a port in VLAN 1, the switch only forwards or floods that frame out other ports in VLAN 1
Switch Interfaces
- show interfaces status: lists the status of all interfaces
- Cisco Catalyst switches name their ports based on the fastest speed the port supports
- connected state (link up) and notconnect state (no working link on the port)
- show interfaces f0/1 status: lists the status of f0/1
- show interfaces f0/1 counters: lists the number of unicast, multicast and broadcast frames on f0/1

Finding Entries in the MAC Address Table
- show mac address-table dynamic address mac-address: shows one specific, dynamically learned MAC address entry
- show mac address-table dynamic interface interface: shows all dynamically learned MAC address entries for a particular port
- show mac address-table dynamic vlan vlan-id: shows the dynamic MAC address table entries for one VLAN
Managing the MAC Address Table (Aging, Clearing)
- Switches remove entries that have not been used for a defined aging time (default 300 seconds)
- Switches reset an entry's inactivity timer to 0 whenever an incoming frame has that entry's MAC address as its source
- show mac address-table count: shows the number of dynamic and static MAC addresses in the MAC address table
- The MAC address table uses Content-Addressable Memory (CAM)
- If the table is full, to add a new entry the switch times out (removes) the oldest entry
- Security note: a host that sends frames from thousands of spoofed source MAC addresses can fill the table (MAC/CAM flooding); frames for real hosts whose entries can no longer be kept are then flooded out all ports, so the attacker sees traffic that was meant for others. Port security (Chapter 9) limits the source MAC addresses allowed on a port
- clear mac address-table dynamic: removes dynamic entries from the MAC address table
MAC Address Tables with Multiple Switches
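An added example session (not from the notes) that uses the commands above to inspect and manage the table; the MAC address 0200.1111.1111, VLAN 1 and ports Fa0/1 and Fa0/2 are assumed values:

```cisco
! Added example session, not from the notes. MAC, VLAN and ports are assumed.
SW1# show mac address-table dynamic
SW1# show mac address-table count
SW1# show mac address-table aging-time
SW1# configure terminal
! Age idle entries out after 10 minutes instead of the 300-second default.
SW1(config)# mac address-table aging-time 600
! Pin a known host to its port: a static entry is never aged out, and a
! frame with that source MAC arriving on another port does not move it.
SW1(config)# mac address-table static 0200.1111.1111 vlan 1 interface FastEthernet 0/1
SW1(config)# end
SW1# show mac address-table static
! Entries learned on one port only; hundreds of MACs behind a single user
! port that should hold one PC is the signature of MAC flooding.
SW1# show mac address-table dynamic interface FastEthernet 0/2
SW1# show mac address-table count
! Flush learned entries; the switch re-learns them from the next frames.
SW1# clear mac address-table dynamic
```

The per-interface listing is the quickest check during an incident: compare the dynamic count on each access port with the number of devices that should be there.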

Chapter 8 - Configuring Basic Switch Management
- Data plane: the work a switch does to forward frames
- Control plane: configurations and processes that control and change the choices made by the data plane
- Management plane: managing the device itself

Securing the Switch CLI
- Anyone with physical access to the console port has control over the switch
- Protect both user mode and enable mode
- The switch needs an IP address configured before Telnet/SSH can be used
- Login security options:
  - Securing user mode and enable mode with simple passwords
  - Securing user mode access with local usernames
  - Securing user mode access with an external authentication server
  - Securing remote access with Secure Shell (SSH)
Securing User Mode and Privileged Mode with Simple Passwords
- Default settings prevent Telnet and SSH users from reaching user mode (no vty password = no remote login)
- Simple shared password with no username
- Console password for console users; vty password (Telnet/SSH password) for remote users
- Shared passwords: people tell (share with) each new worker the password, so all appropriate staff know the passwords; there is no per-user accountability, and a leaver's access cannot be revoked without changing the password for everyone
- enable secret for the enable command
Step 1: Enter console or vty line configuration mode with line console 0 or line vty 0 15
Step 2: Define a password for the console or vty with password password-value
Step 3: Enable the use of a simple shared password (no username) with login
- Enable password configuration: enable secret password-value in global configuration mode
Securing User Mode Access with Local Usernames and Passwords
- Two options: local usernames/passwords on the switch, or an external authentication server
- Local username/password option for console, Telnet and SSH
Step 1: Define a username and password with username name secret pass-value (username name password pass-value stores the password in clear text; prefer secret)
Step 2: Enter console or vty line configuration mode with line console 0 or line vty 0 15
Step 3: Enable local username/password login with login local
Securing User Mode Access with External Authentication Servers
- Local usernames/passwords must be reconfigured individually on every switch for each change
- AAA server: Authentication, Authorization and Accounting server
Step 1: The Telnet or SSH user enters a username and password at login
Step 2: The switch asks the AAA server whether the username and password are valid
Step 3: The AAA server replies to the switch stating whether the username/password is valid
Step 4: The switch logs the user in if the username/password is allowed
- The switch talks to the AAA server with the RADIUS or TACACS+ protocol; TACACS+ encrypts the whole packet body, whereas RADIUS encrypts only the user password field, so neither should cross an untrusted network without additional protection
Securing Remote Access with Secure Shell
- The vty local login configuration affects both Telnet and SSH
Step 1: Enter global configuration mode and define the hostname with hostname name
Step 2: Define the domain name of the switch with ip domain-name example.com
Step 3: Generate the SSH encryption keys with crypto key generate rsa [modulus modulus-value] (use a modulus of at least 2048 bits)
- FQDN: Fully Qualified Domain Name = hostname + domain name; the RSA key pair is named after it, which is why both must exist before the keys are generated
- transport input all or transport input telnet ssh: support both Telnet and SSH
- transport input none: support neither Telnet nor SSH (Cisco router default)
- transport input telnet: support only Telnet
- transport input ssh: support only SSH (the setting to use)
- ip ssh version 2: support only SSHv2 (the default allows both version 1 and 2; SSHv1 has known protocol weaknesses)
- show ip ssh: lists status information about the SSH server itself
- show ssh: lists information about each SSH client currently connected to the switch
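The three procedures above (shared passwords, local usernames, SSH) combined into one added example (not from the notes): the weak configuration first, then the hardened one that replaces it. The hostname, domain name, username and passwords are assumed values:

```cisco
! Added example, not from the notes. Names and passwords are assumed values.
!
! --- Weak: shared clear-text passwords, Telnet, enable password ---
line vty 0 15
 password cisco
 login
 transport input telnet
enable password cisco
!
! --- Hardened: per-user secrets, SSHv2 only, idle timeout ---
hostname SW1
ip domain-name example.com
! enable secret stores a hash; remove the clear-text enable password above.
no enable password
enable secret StrongEnable#2021
! Obfuscates any remaining line passwords (type 7, reversible, not a hash).
service password-encryption
! Per-user account; "secret" hashes the password in the config.
username admin secret StrongUser#2021
! Hostname and domain name must exist before the RSA key pair is generated.
crypto key generate rsa modulus 2048
ip ssh version 2
line console 0
 login local
 exec-timeout 10 0
line vty 0 15
 login local
 transport input ssh
 exec-timeout 10 0
!
! Verify from enable mode:
!   show ip ssh        (server enabled, version 2.0)
!   show ssh           (current sessions and their users)
!   show running-config | include secret
```

With transport input ssh on the vty lines, a Telnet attempt is refused outright, and login local applies to the console too, so the console shares the per-user accounts rather than a second shared password.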

Enabling IPv4 for Remote Access
- The switch needs an IP address to support overhead management traffic (Telnet, SSH, SNMP: Simple Network Management Protocol)
Host and Switch IP Settings
- PC: CPU; OS running on the CPU; Ethernet NIC; IP address associated with the NIC
- Switch: CPU; OS (IOS) running on the CPU; Switched Virtual Interface (SVI) or VLAN interface, with the IP address associated with that virtual interface rather than with any physical port
- By using VLAN 1 for the IP configuration, the switch can send/receive its own frames on any port in VLAN 1
- VLAN interface up/up state: the VLAN exists and is enabled, and at least one physical port in that VLAN is up
- VLAN interface up/down state: the VLAN is enabled, but no physical port in it is up
- Host logic when sending IP packets:
  - To send IP packets to hosts in the same subnet, send them directly
  - To send IP packets to hosts in a different subnet, send them to the local router, i.e. the default gateway
- Example: the switch uses IP address 192.168.1.200 255.255.255.0 on VLAN 1; to reach host A in another subnet, the switch needs a default-gateway setting pointing to R1 (192.168.1.1, in the same subnet as the switch)
Configuring IPv4 on a Switch
- The switch's IPv4 address and mask are configured on the VLAN interface (ip address address mask as an interface subcommand); the default gateway is a global command (ip default-gateway address)
- [no] shutdown: enables/disables an interface
Configuring a Switch to Learn Its IP Address with DHCP
- DHCP: Dynamic Host Configuration Protocol
- Steps to enable DHCP on the interface:
Step 1: Enter VLAN 1 configuration mode using interface vlan 1 in global configuration mode.
Step 2: Enable the interface with no shutdown
Step 3: Assign an IP address and mask using ip address dhcp

Verifying IPv4 on a Switch
- Ways to check the switch's IPv4 configuration:
  1. show running-config: check the current configuration
  2. show interfaces vlan x: IP address and mask, plus detailed status information about VLAN interface x
  3. show dhcp lease: check the temporarily leased IP address (a DHCP-learned address is not listed in show running-config, so this is where to look)
- up/up state (no shutdown) vs "administratively down" (shutdown)
- When DHCP fails, show interfaces vlan x lists no IP address
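The static and DHCP procedures above together with their verification, as an added example session (not from the notes). The addresses follow the notes' own figure (switch 192.168.1.200/24, R1 192.168.1.1); the hostname is assumed. In production the management SVI normally lives in a dedicated management VLAN rather than VLAN 1, which every port belongs to by default:

```cisco
! Added example session, not from the notes. Hostname is an assumed value;
! addresses are those used in the notes' figure.
SW1# configure terminal
SW1(config)# interface vlan 1
SW1(config-if)# ip address 192.168.1.200 255.255.255.0
SW1(config-if)# no shutdown
SW1(config-if)# exit
! Without a default gateway the switch can reach only its own subnet.
SW1(config)# ip default-gateway 192.168.1.1
SW1(config)# end
!
! Alternative to the static address: lease one from DHCP instead.
! SW1(config)# interface vlan 1
! SW1(config-if)# ip address dhcp
!
! Verify: the SVI must be up/up (an access port in VLAN 1 must be up)
! and carry the expected address.
SW1# show interfaces vlan 1
SW1# show running-config | section interface Vlan1
SW1# show running-config | include default-gateway
! Only meaningful when ip address dhcp is used.
SW1# show dhcp lease
```

If show interfaces vlan 1 reports up/down, the problem is not the IP configuration but that no physical port in VLAN 1 has a working link.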

Miscellaneous Settings Useful in Lab
History Buffer Commands
- show history: displays recently used commands
The logging synchronous, exec-timeout, and no ip domain-lookup Commands
- IOS default: displays unsolicited (not asked for) syslog messages on the console screen at any time (while typing a command, in the middle of show command output etc.)
- no logging console: disables unsolicited syslog messages; global command
- logging console: enables unsolicited syslog messages; global command
- logging synchronous: holds syslog messages until the current command output finishes, so messages do not interrupt typing; console line subcommand
- IOS default: automatic disconnection of console and vty users after 5 minutes of inactivity
- exec-timeout minutes seconds: sets the length of the inactivity timer; 0 0 stands for "never time out"; line subcommand. Disabling the timeout is convenient in a lab but in production leaves unattended logged-in sessions open for anyone who reaches the terminal
- IOS default: a mistyped command => the switch treats it as a hostname, tries DNS name resolution, tries to Telnet to a host by that name, and takes about a minute to return to the prompt
- no ip domain-lookup: disables IOS's attempt to resolve the mistyped hostname into an IP address; global configuration command
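The lab settings above as one added configuration fragment (not from the notes), with the production-safe alternative on the vty lines for contrast; the timeout values are assumed:

```cisco
! Added example, not from the notes. Timeout values are assumed.
no ip domain-lookup
line console 0
 logging synchronous
 ! Lab only: the console session never times out.
 exec-timeout 0 0
line vty 0 15
 logging synchronous
 ! Production: drop idle remote sessions after 10 minutes.
 exec-timeout 10 0
! If console messages still get in the way, silence them entirely:
! no logging console
```

Keep exec-timeout 0 0 out of any configuration that is copied to production switches; the vty lines in particular should always time out.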

Chapter 9 - Configuring Switch Interfaces
Configuring Switch Interfaces
Configuring Speed, Duplex, and Description
- duplex {auto | full | half}: configure the duplex of the interface
- speed {auto | 10 | 100 | 1000}: configure the speed of the interface
- description text: add a text description to the interface
Example show interfaces status output:
- FastEthernet 0/1 (Fa0/1): lists the configured description, the configured speed of 100, the configured duplex of full, and a status of notconnect
- FastEthernet 0/2 (Fa0/2): default configuration; lists speed auto and duplex auto (nothing connected, so autonegotiation has not run), status notconnect
- FastEthernet 0/4 (Fa0/4): default configuration; lists speed a-100 and duplex a-full (the a- prefix marks values chosen by autonegotiation), status connected
Configuring Multiple Interfaces with the interface range Command
- interface range interface-type lowest-interface-id - highest-interface-id (int ran): defines a range for the next set of subcommands if all interfaces are the same type and are numbered consecutively
Administratively Controlling Interface State with shutdown
- shutdown (shut): disable the interface
- no shutdown (no shut): enable the interface
- show interfaces status output: state disabled
- show interfaces output: FastEthernet0/1 is administratively down
- Shut down unused ports so nobody can plug in and join the LAN unnoticed
Removing Configuration with the no Command
- no speed: sets the interface speed to the default = speed auto
- no duplex: sets the interface duplex to the default = duplex auto
- no description: removes the text description (default = no description)
- show running-config and show startup-config do not show default settings
Autonegotiation
- Autonegotiation commands: speed auto and duplex auto (the defaults)
Autonegotiation Under Working Conditions
- Both ends need to use the exact same settings (same speed, same duplex)
- IEEE autonegotiation protocol (802.3u); 10BASE-T and 100BASE-T use the same wiring pinouts, and 1000BASE-T adds two pairs to those pinouts
- PC1: switch top speed 1000 Mbps, PC1 NIC top speed 10 Mbps => autonegotiation result: 10 Mbps, full duplex
- PC2: switch top speed 1000 Mbps, PC2 NIC top speed 100 Mbps => autonegotiation result: 100 Mbps, full duplex
- PC3: switch top speed 1000 Mbps, PC3 NIC top speed 1000 Mbps => autonegotiation result: 1000 Mbps, full duplex
Autonegotiation Results When Only One Node Uses Autonegotiation
- Configuring both speed and duplex on a Cisco switch interface disables autonegotiation
- IEEE rules when autonegotiation fails:
  - Speed: use the slowest supported speed
  - Duplex: if the speed is 10 or 100, use half duplex; otherwise use full duplex
- Cisco switch rules when autonegotiation fails:
  - Speed: sense the speed electrically; if that fails, use the IEEE default of the slowest supported speed
  - Duplex: IEEE defaults: if the speed is 10 or 100, use half duplex; otherwise use full duplex
- PC1 (fixed settings, no autonegotiation): the switch senses 100 Mbps and uses 100 Mbps; since speed = 100 Mbps, the switch uses half duplex
- PC2 (fixed settings): the switch senses 1000 Mbps and uses 1000 Mbps; since speed = 1000 Mbps, the switch uses full duplex
- PC3 (fixed settings): the switch senses 10 Mbps; since speed = 10 Mbps, the switch uses half duplex
- Duplex mismatch: PC1 uses full duplex while the switch uses half duplex. PC1 does not use CSMA/CD (used only for half duplex), so the switch port believes collisions occur on the link even though none physically occur. The link is up, but it performs poorly (rising late-collision and error counters in show interfaces)
Autonegotiation and LAN Hubs
- Hubs do not react to autonegotiation messages
- Devices connected to a hub must use the IEEE rules for default settings (often 10 Mbps half duplex)
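The interface commands of this chapter (speed, duplex, description, interface range, shutdown) in one added configuration example (not from the notes). The port roles and ranges are assumed values; the point about fixing speed and duplex on both ends comes from the autonegotiation rules above:

```cisco
! Added example, not from the notes. Port roles and ranges are assumed.
!
! Server uplink: fix speed and duplex on BOTH ends. Setting both disables
! autonegotiation, so a peer left on "auto" would sense 100 Mbps and fall
! back to half duplex (duplex mismatch).
interface FastEthernet 0/1
 description Server SRV1 - 100/full fixed on both ends
 speed 100
 duplex full
!
! User ports: leave autonegotiation on (the default; "no" restores it).
interface range FastEthernet 0/2 - 20
 description User access port
 no speed
 no duplex
!
! Unused ports: administratively down until someone needs them.
interface range FastEthernet 0/21 - 24
 description Unused - shutdown
 shutdown
!
! Verify from enable mode:
!   show interfaces status                 a-100/a-full = negotiated,
!                                          100/full = fixed, disabled = shut
!   show interfaces FastEthernet 0/1 status
```

A port showing a-half next to a neighbour configured for full duplex is the mismatch case from the text; either put both ends back on auto or fix both explicitly.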

Port Security
- Examines the source MAC address of incoming frames so that only expected devices can use the interface
- MAC addresses can be predefined as allowed
- Sticky secure MAC addresses: port security learns source MAC addresses on each port and stores them in the port security configuration (running-config file)
Configuring Port Security
- Access port: carries a single VLAN
- Trunk port: carries 2 or more VLANs (frames tagged with the VLAN ID using 802.1Q)
- switchport port-security: enables port security with all defaults
- switchport mode {access | trunk}: configures the port as an access or trunk port (port security requires one of these; it is rejected on a port still in the default dynamic mode)
- switchport port-security maximum number: sets the number of allowed source MAC addresses (default 1)
- switchport port-security mac-address mac-address: defines a specific allowed source MAC address
- switchport port-security mac-address sticky: tells the switch to dynamically learn source MAC addresses and add them as port-security commands to the running-config
Example configuration:
- F0/1: access port; port security enabled with default settings; source MAC address 0200.1111.1111 is allowed (and is the only allowed source MAC address, since the default maximum is 1)
- F0/2: access port; port security enabled with default settings; sticky learns source MAC addresses
- F0/3: access port; port security enabled with default settings
- F0/4: trunk port; port security enabled with default settings except the maximum number of source MAC addresses, which is 8
Verifying Port Security
- show port-security interface interface-type interface-number: lists the port security configuration and status for an interface
- Port F0/1 in the example is in secure-shutdown state: a frame from a second source MAC address exceeded the maximum of 1, so a violation occurred, and the default violation action (shutdown) err-disabled the port
- switchport port-security mac-address sticky mac-address: the form IOS adds to the running-config for each sticky-learned MAC address
Port Security Violation Actions
- switchport port-security violation {protect | restrict | shutdown}: defines what the interface does when a violation occurs
  - protect: discards the offending frames; no log message and no violation counter
  - restrict: discards the offending frames, logs a syslog message and increments the violation counter; the port stays up
  - shutdown (default): puts the port into err-disabled state, discarding all traffic
- In shutdown mode, show interfaces status lists the port as err-disabled rather than connected, and show port-security shows a port status of secure-shutdown
- To recover from err-disabled state, someone must manually do shutdown and then no shutdown on the interface (or configure errdisable recovery cause psecure-violation so the switch re-enables it after a timer)
Port Security MAC Addresses as Static and Secure but Not Dynamic
- A switch port configured with port security does not list its MAC addresses as dynamic entries in show mac address-table dynamic
- show mac address-table secure: lists MAC addresses associated with ports that use port security
- show mac address-table static: lists MAC addresses associated with ports that use port security, as well as any other statically defined MAC addresses
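The port security configuration, the three violation actions and the err-disable recovery procedure above, as one added example session (not from the notes). The MAC address 0200.1111.1111, the ports and the recovery interval are assumed values:

```cisco
! Added example session, not from the notes. MACs, ports and timers assumed.
SW1# configure terminal
! Fa0/1: exactly one known host; any second source MAC err-disables the port.
SW1(config)# interface FastEthernet 0/1
SW1(config-if)# switchport mode access
SW1(config-if)# switchport port-security
SW1(config-if)# switchport port-security maximum 1
SW1(config-if)# switchport port-security mac-address 0200.1111.1111
SW1(config-if)# switchport port-security violation shutdown
! Fa0/2: learn up to two MACs and keep them (sticky) in the running-config;
! further MACs are dropped and logged, but the port stays up.
SW1(config-if)# interface FastEthernet 0/2
SW1(config-if)# switchport mode access
SW1(config-if)# switchport port-security
SW1(config-if)# switchport port-security maximum 2
SW1(config-if)# switchport port-security mac-address sticky
SW1(config-if)# switchport port-security violation restrict
SW1(config-if)# exit
! Optional: re-enable err-disabled ports automatically after 5 minutes.
SW1(config)# errdisable recovery cause psecure-violation
SW1(config)# errdisable recovery interval 300
SW1(config)# end
!
! Verify: per-port status, violation counters, the secure MAC entries.
SW1# show port-security
SW1# show port-security interface FastEthernet 0/1
SW1# show mac address-table secure
SW1# show errdisable recovery
!
! Manual recovery after a violation on Fa0/1 (only after finding out which
! device caused it):
SW1# configure terminal
SW1(config)# interface FastEthernet 0/1
SW1(config-if)# shutdown
SW1(config-if)# no shutdown
SW1(config-if)# end
! Sticky addresses live in the running-config only until saved.
SW1# copy running-config startup-config
```

Against the MAC flooding attack described in Chapter 7, the maximum setting is what matters: a port limited to one or two source MAC addresses cannot be used to fill the table.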

Part II Revision
Key Terms You Should Know
Chapter 6
- Command-Line Interface (CLI): Text-based interface in which the user sends commands to the device
- Telnet: Remote CLI access over the IP network using a terminal emulator; TCP port 23; all data sent in clear text
- Secure Shell (SSH): Remote CLI access over the IP network; TCP port 22; contents of all messages, including passwords, encrypted
- Enable mode: Privileged mode reached with the enable command; allows powerful/disruptive commands such as reload and configure terminal
- User mode: Default, non-disruptive mode when first accessing the CLI
- Configuration mode: Mode (reached with configure terminal) in which commands change the running configuration
- Startup-config file: Configuration file stored in NVRAM and loaded when the switch powers on or reloads
- Running-config file: Active configuration held in RAM; changed by configuration mode commands
Chapter 7
- Broadcast frame: Frame sent to FFFF.FFFF.FFFF; the switch floods it out all ports in the VLAN except the incoming one
- Known unicast frame: Frame whose unicast destination MAC address is in the MAC address table; forwarded out that one port only
- Spanning Tree Protocol (STP): Protocol that prevents loops by placing some ports in blocking state
- Unknown unicast frame: Frame whose destination MAC address is not in the MAC address table; flooded
- MAC address table: Table (CAM/switching/bridging table) of MAC addresses and the port on which each was learned
- Forward: Sending a frame out the one port matching the MAC address table entry
- Flood: Sending a frame out all ports except the incoming port
Chapter 8
- Local username: Username/password configured on the switch itself with the username command and used by login local
- AAA: Authentication, Authorization and Accounting
- AAA server: External server (RADIUS or TACACS+) that the switch asks to validate usernames and passwords
- Default gateway: Router address a host or switch sends packets to when the destination is in a different subnet (ip default-gateway on a switch)
- VLAN interface: Switched Virtual Interface (SVI) on which the switch's own IP address is configured
- History buffer: Stores recently used commands (ten by default)
- DNS: Domain Name System; resolves hostnames to IP addresses
- Name resolution: Process of finding the IP address that corresponds to a hostname
- Log message: Syslog message that IOS generates about events; shown on the console by default
Chapter 9
- Port security: Feature that restricts which source MAC addresses may send frames into a port and acts on violations
- Autonegotiation: IEEE 802.3u process by which two connected devices agree on speed and duplex
- 10/100: A port that supports 10 Mbps and 100 Mbps
- 10/100/1000: A port that supports 10, 100 and 1000 Mbps

Part III - Ethernet LANs: Design, VLANs and Troubleshooting

Chapter 10 - Analysing Ethernet LAN Designs Analysing Collision Domains and Broadcast Domains Ethernet Collision Domains 10BASE-T with Hub - Uses cabling star topology - Hub does not look at the frame, but forwards the regenerated electrical signal out all ports except the incoming port - Connected devices must use CSMA/CD to prevent collision Step 1: Larry sends a frame to the hub Step 2: The hub repeats frame to all ports except incoming port (Archie and Bob) Step 1A: Archie sends a frame to Hub 1 Step 1B: Bob sends a frame to Hub 1 at the exact same time as Archie Step 2: The two forwarded frames collide as they get forwarded to Larry at the same time - All devices connected to the hub are in one collision domain

Ethernet Transparent Bridges
- Bridges sat between hubs and divided the network into multiple collision domains
- Bridges separate instances of CSMA/CD so that each collision domain can have one sender at a time, increasing capacity
- A bridge uses CSMA/CD rules
- A bridge separates collision domains; each interface is a separate collision domain
Ethernet Switches and Collision Domains
- Switches are a faster, enhanced version of bridges
- A switch collision domain that uses full duplex has no collisions; CSMA/CD is not needed
- Each interface of a switch is a separate collision domain
- Each LAN interface of a router (not WAN interfaces) is a separate collision domain

The Impact of Collisions on LAN Design

Ethernet Broadcast Domains
- If all switch ports are assigned to VLAN 1, broadcast frames flow to all the connected devices
- Hubs forward broadcast frames (repeated on all non-incoming ports)
- Bridges and switches flood LAN broadcasts
- Routers do not forward Ethernet broadcast frames; they separate a network into separate broadcast domains

Virtual LANs
- LAN: a LAN consists of all devices in the same broadcast domain
- VLANs create multiple broadcast domains; switch forwarding logic does not forward frames from one VLAN to another VLAN
- Routers must forward packets between VLANs using routing logic
- Without VLANs, two disconnected switches are required to create two broadcast domains
- switchport access vlan 2: puts switch interfaces into VLAN 2
The Impact of Broadcast Domains on LAN Design
- Fewer broadcast domains => more interruptions to each CPU to process broadcasts
- More broadcast domains => fewer devices affected by each broadcast

Analysing Campus LAN Topologies
- Campus LAN: a LAN created to support devices in close proximity
- Considerations: cable length, cable speed, cable type, expense, etc.
Two-Tier Campus Design (Collapsed Core)
The Two-Tier Campus Design
- Uplink: a link that leads from a small network to a larger network
- Downlink: a link that leads from a large network to a smaller network
- Access switches: connect directly to end users; send traffic to and from end-user devices and to and from distribution switches
- Distribution switches: provide a path through which the access switches can forward traffic to each other (often 2 per access switch); forward traffic to other parts of the LAN (often 2+ uplinks to distribution switches)
- The two-tier design's solution to two major design needs:
  - Provides a place to connect end-user devices (access layer)
  - Connects the switches with a reasonable number of cables and switch ports by connecting access switches to a few distribution switches

Topology Terminology Seen Within a Two-Tier Design
- Two-tier design:
  - Star topology at the access layer
  - Partial mesh topology at the distribution layer
  - Overall, a hybrid design
- A full mesh requires many links and many switch ports
- Links in a full mesh: N(N - 1) / 2
- Ports in a full mesh: 2N(N - 1) / 2
Three-Tier Campus Design (Core)
- Collapsed core = no core tier
- Instead of a core tier, distribution switches can be cabled together with a full mesh or partial mesh
- A three-tier core design uses fewer switch ports and cables
- N.B.: Core switches often sit in the same room as distribution switches
- The core tier uses a partial mesh
- Three-tier designs are a hybrid design
- Access layer: provides the connection point for end-user devices; does not forward frames between other access switches
- Distribution layer: provides connectivity to the rest of the devices in the LAN for access switches; forwards frames between switches, but does not connect directly to end-user devices
- Core layer: aggregates distribution switches in large campus LANs
Topology Design Terminology
- Star topology: devices connect to a single centralised device
- Partial mesh: a group of nodes that connect with more links than a star topology, but not all nodes have a direct link to each other
- Full mesh: a design that connects all nodes with a link
- Hybrid design: a combination of different topologies in one network

Analysing LAN Physical Standard Choices
- Access switches in locked wiring closets connect to end-user devices via UTP
Ethernet Standards
- Wired LAN standards: IEEE 802.3

Choosing the Right Ethernet Standard for Each Link
- Considerations for the choice of cable:
  - The speed
  - The maximum distance allowed between devices when using that standard/cabling
  - The cost of the cabling and switch hardware
  - The availability of that type of cabling already installed at your facilities
- TIA (Telecommunications Industry Association) cable categories:
  - 10BASE-T: CAT3 or better
  - 100BASE-T: CAT5 or better
  - 1000BASE-T: CAT5e or better

UTP versus optical cabling:
- UTP
  - Pros: cheaper cost
  - Cons: shorter distances, lower speed, more outside interference
- Optical cabling
  - Pros: longer maximum distances, higher speed, less outside interference
  - Cons: higher cost

Wireless LANs Combined with Wired Ethernet
- Describe the impact of infrastructure components in an enterprise network: access points and wireless controllers
Home Office Wireless LANs
- Wireless standards: IEEE 802.11 (Wi-Fi)
- Wireless router features:
  - Ethernet switch: for wired Ethernet connections
  - Wireless Access Point (AP): communicates with wireless devices and forwards frames to/from the wired network
  - Router: routes IP packets to/from LAN/WAN interfaces
- An autonomous wireless AP communicates with wireless devices using 802.11 protocols and radio waves, and converts header formats between 802.11 and 802.3
- An autonomous AP must perform control and management functions, e.g. authentication of new devices, definition of the name of the WLAN (Service Set ID, SSID), etc.
Enterprise Wireless LANs and Wireless LAN Controllers
- Household APs disconnect users who move out of range, and do not connect users to others' secured APs
- Enterprise APs allow users to roam around the building and office campus while staying connected to the Wi-Fi network
- AP coverage: approx. 30 m to 60 m
Step 1: User connects to the wireless AP connected to A1
Step 2: User moves around the building and connects to the wireless AP connected to A3 using the roaming feature
- Autonomous APs stripped of their control and management features => Lightweight APs (LWAPs)
- Control and management features are moved to Wireless LAN Controllers (WLCs)
- Wireless LAN Controller (WLC): controls and manages all AP functions (e.g. roaming, defining WLANs, authentication)
- Lightweight AP (LWAP): forwards data between the wired and wireless LAN; forwards data specifically through the WLC using a protocol such as Control And Provisioning of Wireless Access Points (CAPWAP)
- WLC: centralised control/management functions
- Phone => LWAP1 (=> Switch) => WLC (roaming) (=> Switch) => LWAP4 => Phone

Chapter 11 - Implementing Ethernet Virtual LANs
Virtual LAN Concepts
- LAN: a LAN includes all devices in the same broadcast domain
- VLANs create multiple broadcast domains within a single switch; broadcast frames from one VLAN do not get forwarded to other VLANs
- VLAN Advantages:

Creating Multiswitch VLANs Using Trunking
- VLAN trunking: the use of VLAN tagging, adding a VLAN Identifier (VLAN ID) field to frames sent on the same cable but directed to different VLANs
- Without VLAN trunking: each VLAN needs a separate physical link, and separate ports on each switch
VLAN Tagging Concepts
- Switches treat VLAN trunk links as part of all VLANs
- SW1 adds a VLAN header with VLAN ID 10 to send broadcast frames to SW2, which can then flood them out all ports in VLAN 10
Step 1: PC11 sends an Ethernet broadcast frame to SW1
Step 2: SW1 adds a VLAN header with VLAN ID 10 to the Ethernet header and sends it out G0/1, the only port other than the incoming port that is in VLAN 10
Step 3: SW2 receives the frame, determines that the frame's VLAN ID is 10, and sends it out all ports in VLAN 10 (Fa0/1 and Fa0/2)
The 802.1Q and ISL VLAN Trunking Protocols
- Cisco-supported trunking protocols: IEEE 802.1Q (more popular) and Inter-Switch Link (ISL; the 2960 switch does not use it)
- 802.1Q inserts an extra 4-byte 802.1Q header
- Usable VLAN IDs: 1 - 4094
- All switches can use normal-range VLANs: 1 - 1005
- Some switches can use extended-range VLANs: 1006 - 4094
- Native VLAN: VLAN 1; 802.1Q does not add an 802.1Q header to frames in the native VLAN
- Native VLANs let switches that do not understand 802.1Q headers at least pass traffic in the native VLAN
Forwarding Data Between VLANs
- Layer 2 switch: forwards data based on Layer 2 logic; cannot send frames between VLANs on its own
- Layer 3 switch/multilayer switch: forwards data based on Layer 2 and Layer 3 logic; can send frames between VLANs on its own
Routing Packets Between VLANs with a Router
- Devices in the same VLAN need to be in the same subnet
- Layer 2 switches do not forward L2PDUs to other VLANs
- Layer 3 routers forward L3PDUs to other VLANs
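As an added illustration that is not part of the original notes, the following Python builds the 4-byte 802.1Q header described above, inserts it the way a switch does when sending out a trunk, and applies the native-VLAN exception on both the sending and receiving side. The MAC addresses and payload are constructed for the example.

```python
import struct

TPID_8021Q = 0x8100        # EtherType value that identifies an 802.1Q tag
DEFAULT_NATIVE_VLAN = 1    # Cisco default native VLAN


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes) -> bytes:
    """Untagged Ethernet II frame: DA(6) + SA(6) + Type(2) + payload (FCS omitted)."""
    if len(dst) != 6 or len(src) != 6:
        raise ValueError("MAC addresses must be 6 bytes")
    return dst + src + struct.pack("!H", ethertype) + payload


def tag_for_trunk(frame: bytes, vlan_id: int, native_vlan: int = DEFAULT_NATIVE_VLAN,
                  pcp: int = 0) -> bytes:
    """Sending side of a trunk: insert the 4-byte 802.1Q header between the source MAC
    and the original EtherType. Frames in the native VLAN are sent untagged."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError("usable VLAN IDs are 1 - 4094")
    if vlan_id == native_vlan:
        return frame                          # native VLAN: no 802.1Q header added
    tci = (pcp & 0x7) << 13 | vlan_id         # TCI = PCP(3 bits) | DEI(1 bit, 0) | VID(12 bits)
    tag = struct.pack("!HH", TPID_8021Q, tci)
    return frame[:12] + tag + frame[12:]


def classify_on_trunk(frame: bytes, native_vlan: int = DEFAULT_NATIVE_VLAN):
    """Receiving side of a trunk: return (vlan_id, untagged_frame).
    A frame with no 802.1Q header on a trunk belongs to the native VLAN."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != TPID_8021Q:
        return native_vlan, frame
    tci = struct.unpack("!H", frame[14:16])[0]
    return tci & 0x0FFF, frame[:12] + frame[16:]   # strip the tag, keep the rest


# Constructed sample: PC11's broadcast from Step 1 above, with made-up MAC addresses.
PC11_MAC = bytes.fromhex("020011111111")
BROADCAST_MAC = b"\xff" * 6
SAMPLE_FRAME = build_frame(BROADCAST_MAC, PC11_MAC, 0x0806, b"\x00" * 28)  # ARP-sized payload


def demo():
    """SW1 tags the frame for VLAN 10 on G0/1; SW2 reads the VLAN ID back on its trunk."""
    tagged = tag_for_trunk(SAMPLE_FRAME, 10)
    vlan, original = classify_on_trunk(tagged)
    return vlan, original == SAMPLE_FRAME, len(tagged) - len(SAMPLE_FRAME)


if __name__ == "__main__":
    print(demo())   # (10, True, 4)
```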

- A router can route packets between VLANs via two physical links and two ports: one link and port for each VLAN
- Routers use subnets to separate VLANs
- VLAN trunking used by routers: saves physical links and ports
- Router-on-a-stick design: a single physical link connected to a LAN switch
- X - "Routing packets between VLANs."
- O - "Routing Layer 3 packets between Layer 3 subnets, with those subnets each mapping to a Layer 2 VLAN."
Routing Packets with a Layer 3 Switch
- Problem with a Layer 2 switch plus a router: the router may not be able to route a large number of pps (packets per second)
- Layer 3 switch: does both Layer 2 switching and Layer 3 routing
- Layer 3 switch = Layer 2 switch + Layer 3 router + intermediary cables

VLAN and VLAN Trunking Configuration and Verification
- No configuration needed for VLAN 1
- Configuration required for multiple VLANs
Creating VLANs and Assigning Access VLANs to an Interface
- The switch must have nontrunking interfaces (access interfaces) and/or trunks that support the VLAN
- Example configuration of VLAN 11, VLAN 12, VLAN 13:
Step 1: Create the three VLANs with vlan 11, vlan 12 and vlan 13
Step 2: For each interface, assign it to a VLAN with switchport access vlan 11 (or 12 or 13)
- Default VLAN = VLAN 1
VLAN Configuration Example 1: Full VLAN Configuration
- Configuring VLAN 2:
  - show vlan brief: shows VLAN statuses; in this case, default settings
  - vlan 2: creates a VLAN with VLAN ID 2
  - name Freds-vlan: defines the VLAN name as Freds-vlan
  - interface range fastethernet 0/13 - 0/14: selects interfaces F0/13 and F0/14 as the targets of the next set of subcommands
  - switchport access vlan 2: assigns F0/13 and F0/14 to VLAN 2
  - switchport mode access: configures F0/13 and F0/14 to always be access (nontrunking) ports
  - show vlan id 2: displays information for VLAN 2
VLAN Configuration Example 2: Shorter VLAN Configuration
- switchport access vlan 3 without doing vlan 3 first dynamically creates VLAN 3 with the default name VLAN0003
VLAN Trunking Protocol
- VTP advertises each VLAN configured on one switch to the other switches
- Many enterprises choose not to use VTP
- vtp mode transparent: sets the switch to use VTP transparent mode
- vtp mode off: disables VTP on the switch
- show vtp status: shows the VTP status
- If a switch uses VTP server or client mode:
  - VTP server switches can configure VLANs in the standard range only (1 - 1005)
  - VTP client switches cannot configure VLANs
  - Both servers and clients may learn new VLANs from other switches, and see their VLANs deleted by other switches, because of VTP
  - show running-config does not list any vlan commands
VLAN Trunking Configuration
- Static configuration: switchport mode trunk or switchport mode access (to disable trunking)
- Dynamic configuration:
  - Type of trunking: IEEE 802.1Q, ISL or negotiate
  - Administrative mode: always trunk, always not trunk, or negotiate
- Cisco switches that support both ISL and 802.1Q negotiate which to use via DTP (Dynamic Trunking Protocol)
- If both switches support both protocols, they use ISL; otherwise they use the protocol that both support
- switchport trunk encapsulation {dot1q | isl | negotiate}: statically configures the type or allows DTP to negotiate it
- Administrative mode: the configuration setting for whether trunking should be used
- Operational mode: what is currently happening on the interface
- If both switches are set to dynamic auto, no trunk forms; when one switch is changed to dynamic desirable, trunking negotiation begins and trunking is used

- show interfaces interface-id switchport: lists the settings of the interface
  - "Administrative Mode: dynamic auto": the interface is configured to receive negotiation messages and respond accordingly
  - "Operational Mode: static access": the interface is currently in access mode
  - "Administrative Trunking Encapsulation: dot1q": the interface is configured to use 802.1Q
  - "Operational Trunking Encapsulation: native": the interface does not tag frames; it is in access mode, so no trunking protocol headers are required
- show interfaces trunk: lists all currently operational trunk interfaces
- switchport mode dynamic desirable: tells the switch to negotiate and also to begin the negotiation process
- The interface goes down and back up again to change from one mode to another
  - "Administrative Mode: dynamic desirable": the switch is configured to initiate the negotiation process
  - "Operational Mode: trunk": the switch has negotiated to be in trunk mode
  - "Administrative Trunking Encapsulation: dot1q": the switch is configured to use 802.1Q tagging
  - "Operational Trunking Encapsulation: dot1q": the switch is currently using 802.1Q tagging
- show interfaces trunk now displays G0/1, configured as dynamic desirable
- Disabling trunk negotiation on most ports provides better security
- switchport nonegotiate: disables DTP negotiations
Implementing Interfaces Connected to Phones
- When using IP telephony, the switch's Ethernet port acts as both an access port and a trunk
Data and Voice VLAN Concepts
- Before IP telephony: phones used UTP cabling connected to a voice device (called a voice switch or private branch exchange [PBX]), and PCs connected to a LAN switch in the wiring closet, sometimes alongside the voice switch
- IP telephony: telephones use IP packets to send and receive voice
- IP phones connect to the IP network via an Ethernet cable and a built-in Ethernet port
- Cisco Unified Communications Manager
- Problems of the transition to IP phones:
  - Older non-IP phones used UTP that did not support 100-Mbps or 1000-Mbps Ethernet
  - A single UTP cable from PC to wiring closet => two cables needed, for the PC and the IP phone
  - Installing new cables to every desk was expensive and required more switch ports
- Solution: embedding a small three-port switch in each phone
  - PC => patch cable => IP phone embedded switch => Ethernet UTP cable => Ethernet switch
  - The IP phone switch port acts as an access link for the PC's traffic and as a trunk for the phone's traffic
Data and Voice VLAN Configuration and Verification
- F0/1 - F0/4 data and voice VLAN configuration
- CDP must be enabled on the interface for the voice access port to work with Cisco IP phones; CDP is enabled by default
- The show interfaces switchport command displays the voice VLAN configuration
- switchport mode access: statically configures the administrative mode to always be an access port
- switchport access vlan 10: assigns the port to data VLAN 10
- switchport voice vlan 11: assigns the port to voice VLAN 11
- show interfaces type number switchport: reports "Operational Mode: static access"
- show interfaces type number trunk: lists the status as not-trunking, but VLANs 10 and 11 are allowed on the trunk

Summary: IP Telephony Ports on Switches

Chapter 12 - Troubleshooting Ethernet LANs
- Four technical topics:
  - Analysing switch interfaces and cabling
  - Predicting where switches will forward frames
  - Troubleshooting port security
  - Analysing VLANs and VLAN trunks

Perspectives on Applying Troubleshooting Methodologies
- Troubleshooting methods

Troubleshooting on the Exams
- Exams: (a) fix the problem, or (b) answer a multiple-choice question
- Sim questions: fixing or completing a broken configuration
- Simlet questions: verifying the current operation of the network and answering multiple-choice questions
A Deeper Look at Problem Isolation
- Simlet questions may require 5 - 10 show commands
- The ping 10.1.1.2 command verifies network connectivity
- ping commands test whether the IP network can deliver packets in both directions
- Can PC1 resolve the hostname?
- Routing steps:
  - Step 1: PC1 sends the packet to its default gateway (R1) via the switches in between, because the destination IP address of the web server is in a different subnet
  - Step 2: R1 forwards the packet to next-hop router R2 over the serial link, based on R1's routing table
  - Step 3: R2 forwards the packet to the web server based on R2's routing table (same subnet)
  - Step 4: The web server sends a packet back toward PC1 via its default gateway, R2
  - Step 5: R2 forwards the packet destined for PC1 to R1 according to R2's routing table
  - Step 6: R1 forwards the packet to PC1 based on R1's routing table
- Failure at steps 1, 3, 4 or 6: the root cause relates to Ethernet or Layer 2 issues
- Failure at steps 2 or 5: the root cause relates to routers or Layer 3 issues
- What the engineer needs to determine to isolate root causes:
  - The MAC addresses of PC1 and R1's LAN interface
  - The switch interfaces used on SW1 and SW2
  - The interface status of each switch interface
  - The VLANs that should be used
  - The expected forwarding behaviour of a frame sent by PC1 with R1 as the destination MAC address
Troubleshooting as Covered in This Book
- Examining interface status and statistics: determining whether an interface is working, and potential root causes for a failed switch interface
- Analysing where switches will forward frames: analysing the switch's MAC address table and predicting how a switch will forward a particular frame
- Analysing port security: knowing what behaviour will happen when a violation occurs, and how to know whether it is happening right now
- Analysing VLANs and VLAN trunking: knowing what can go wrong with VLANs and VLAN trunks

Analysing Switch Interface Status and Statistics
- Cisco switches do not use interfaces at all unless the interface is first considered to be in a functional or working state
Interface Status Codes and Reasons for Nonworking States
- Two-code status: show interfaces and show interfaces description list a two-code status (line status and protocol status, i.e. L1 status and L2 status)
- Single-code status: show interfaces status lists the connected state for working interfaces
- Some root causes of cabling problems:
  - EMI from equipment
  - Damaged cable
  - Macrobending of the cable (bending it into too tight a shape)
Interface Speed and Duplex Issues
- A switch/router disables autonegotiation when both speed and duplex are statically configured
- show interfaces status: shows whether duplex was autonegotiated or statically configured
- show interfaces type number: shows the duplex setting in use but does not state whether it was autonegotiated or statically configured
- Duplex mismatch: one interface uses autonegotiation and the other uses static configuration; the speeds end up the same, but the duplex settings end up different
- A duplex mismatch still displays the up/up (connected) state
- The half-duplex device uses CSMA/CD logic and believes a collision has happened when physically it has not
How CSMA/CD responds to a duplex mismatch (half-duplex device: SW1; full-duplex device: SW2):
Step 1: SW1 sends a frame to SW2
Step 2: SW2, able to receive and send simultaneously, sends frames to SW1 while receiving the frame from SW1
Step 3: SW1 receives frames from SW2 while it is sending, and CSMA/CD issues a jam signal
Step 4: SW1 waits a random amount of time before retrying; the process loops, resulting in poor performance
Common Layer 1 Problems on Working Interfaces
- Interface counters: help identify problems even in the up/up state
- CRC (Cyclic Redundancy Check) errors: frames that do not pass FCS error detection => discarded
- Collisions counter: natural collisions when using CSMA/CD
- Duplex mismatch counters:
  - Late collisions: a collision that happens after the switch has sent the first 64 bytes of a frame
  - Runts: frames that arrive with fewer than the minimum number of bytes
  - Input errors: the total count of runts, giants, no buffer, CRC, frame, overrun and ignored counts
  - CRC: not all of the data arrived, so the FCS/CRC check fails
- When the late collision counter increases: duplex mismatch suspected
- When the CRC counter increases and collisions do not: interference on the cables suspected
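Added example, not part of the original notes: a small Python checker that applies the two counter rules above to a pair of show interfaces snapshots taken some time apart, so the symptom is the counter that is incrementing rather than its absolute value. The counter lines are constructed to resemble the IOS layout and the values are invented.

```python
import re
from typing import Dict, List

# Counters from the 'show interfaces' output that the notes tie to Layer 1 problems.
COUNTER_RE = re.compile(
    r"(\d+)\s+(runts|giants|input errors|CRC|collisions|late collision)\b")


def parse_counters(show_interfaces_text: str) -> Dict[str, int]:
    """Pull the Layer 1 counters out of a 'show interfaces' dump into a dict."""
    return {name: int(value) for value, name in COUNTER_RE.findall(show_interfaces_text)}


def diagnose(before: Dict[str, int], after: Dict[str, int]) -> List[str]:
    """Compare two snapshots of the same interface and apply the rules above:
    late collisions rising => duplex mismatch; CRC errors rising while collisions
    do not => cable interference; runts together with CRC => incomplete frames."""
    delta = {k: after.get(k, 0) - before.get(k, 0) for k in after}
    findings = []
    if delta.get("late collision", 0) > 0:
        findings.append("duplex mismatch suspected: late collisions incrementing")
    if (delta.get("CRC", 0) > 0 and delta.get("collisions", 0) == 0
            and delta.get("late collision", 0) == 0):
        findings.append("cable interference suspected: CRC errors incrementing without collisions")
    if delta.get("runts", 0) > 0 and delta.get("CRC", 0) > 0:
        findings.append("runts with CRC errors: frames arriving incomplete")
    if not findings:
        findings.append("no Layer 1 symptom in these counters")
    return findings


# Constructed 'show interfaces' excerpts (layout modelled on IOS, values invented).
SNAPSHOT_T0 = """\
FastEthernet0/1 is up, line protocol is up (connected)
  Half-duplex, 100Mb/s, media type is 10/100BaseTX
     0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 output errors, 0 collisions, 1 interface resets
     0 babbles, 0 late collision, 0 deferred
"""

SNAPSHOT_T1 = """\
FastEthernet0/1 is up, line protocol is up (connected)
  Half-duplex, 100Mb/s, media type is 10/100BaseTX
     0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 output errors, 37 collisions, 1 interface resets
     0 babbles, 12 late collision, 0 deferred
"""

SNAPSHOT_CABLE = """\
FastEthernet0/2 is up, line protocol is up (connected)
  Full-duplex, 100Mb/s, media type is 10/100BaseTX
     4 runts, 0 giants, 0 throttles
     21 input errors, 17 CRC, 0 frame, 0 overrun, 0 ignored
     0 output errors, 0 collisions, 1 interface resets
     0 babbles, 0 late collision, 0 deferred
"""


if __name__ == "__main__":
    print(diagnose(parse_counters(SNAPSHOT_T0), parse_counters(SNAPSHOT_T1)))
    print(diagnose({}, parse_counters(SNAPSHOT_CABLE)))
```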

Predicting Where Switches Will Forward Frames
Predicting the Contents of the MAC Address Table
- Beginning of the formal troubleshooting process: predicting the flow of frames
- show mac address-table dynamic: lists dynamically learned MAC addresses (if port security is disabled on the port)
- Barney 0200.2222.2222 >> In SW1 Fa0/12 >> Out SW1 Gi0/1 >> In SW2 Gi0/2 >> Out SW2 Fa0/13 >> In R1 Gi0/1 0200.5555.5555
Analysing the Forwarding Path

Forwarding-path decision flow (for each received frame):
Step 1: Is the interface in the up/up state?
  - No: the port cannot send/receive frames
  - Yes: continue
Step 2: Is port security configured on the interface?
  - Yes: apply port security logic to filter frames as appropriate
  - No: continue
Step 3: Is the port an access port?
  - Yes: determine the interface's access VLAN
  - No: determine the frame's tagged VLAN
Step 4: Is the frame (A) a known unicast, (B) an unknown unicast, or (C) a broadcast?
  - (A): forward the frame out only the interface in the matched MAC address table entry
  - (B) or (C): flood the frame out all other access ports in the same VLAN and all allowed trunks, except the incoming port

- Example of Barney sending to R1 (default gateway) via SW2
- SW1 Step 1:
  - A: The port does not have port security enabled
  - B: SW1 receives the frame on its Fa0/12 interface, an access port in VLAN 10
- SW1 Step 2:
  - A: SW1 finds a MAC address table entry for 0200.5555.5555 in VLAN 10 with outgoing interface Gi0/1, so SW1 forwards the frame out only Gi0/1 (a trunk, so an 802.1Q header is added)
- SW2 Step 1:
  - A: The port does not have port security enabled
  - B: SW2 receives the frame on its Gi0/2 interface, a trunk, with an 802.1Q header and VLAN ID 10
- SW2 Step 2:
  - A: SW2 finds a MAC address table entry for 0200.5555.5555 in VLAN 10 with outgoing interface Fa0/13, so SW2 forwards the frame out only Fa0/13
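Added example, not from the notes or from Cisco IOS: a Python model of the forwarding-path steps above (interface state, port security filter, VLAN determination, known unicast versus flooding), traced across SW1 and SW2 for the Barney-to-R1 frame and for a broadcast. The switch, port and MAC names follow the notes; the extra ports Fa0/1 (VLAN 20) and Fa0/14 (VLAN 10) are assumptions added to show what flooding does and does not reach.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

BROADCAST = "ffff.ffff.ffff"


@dataclass
class Port:
    name: str
    up: bool = True
    mode: str = "access"                        # "access" or "trunk"
    access_vlan: int = 1
    allowed_vlans: frozenset = frozenset(range(1, 4095))
    native_vlan: int = 1
    secure_macs: Optional[frozenset] = None     # None: port security not configured


@dataclass
class Switch:
    name: str
    ports: Dict[str, Port]
    # MAC address table keyed by (VLAN, MAC) -> outgoing interface
    mac_table: Dict[Tuple[int, str], str] = field(default_factory=dict)

    def forward(self, in_port: str, src: str, dst: str,
                tag: Optional[int]) -> List[Tuple[str, Optional[int]]]:
        """Apply the forwarding-path steps to one frame; return (out port, 802.1Q tag) pairs.
        tag is the VLAN ID carried on the wire, or None for an untagged frame."""
        p = self.ports[in_port]
        if not p.up:                                         # step 1: not up/up
            return []
        if p.secure_macs is not None and src not in p.secure_macs:
            return []                                        # step 2: port security discards
        if p.mode == "access":                               # step 3: which VLAN?
            vlan = p.access_vlan
        else:
            vlan = tag if tag is not None else p.native_vlan
        self.mac_table[(vlan, src)] = in_port                # learn the source MAC
        out = self.mac_table.get((vlan, dst))
        if dst != BROADCAST and out is not None:             # step 4 (A): known unicast
            candidates = [out]
        else:                                                # step 4 (B)/(C): flood
            candidates = list(self.ports)
        result = []
        for name in candidates:
            q = self.ports[name]
            if name == in_port or not q.up:
                continue
            if q.mode == "access" and q.access_vlan == vlan:
                result.append((name, None))
            elif q.mode == "trunk" and vlan in q.allowed_vlans:
                result.append((name, None if vlan == q.native_vlan else vlan))
        return result


# Constructed lab matching the example: Barney on SW1 Fa0/12, R1 on SW2 Fa0/13,
# SW1 Gi0/1 <-> SW2 Gi0/2 is an 802.1Q trunk (native VLAN 1, VLAN 10 tagged).
BARNEY = "0200.2222.2222"
R1 = "0200.5555.5555"
LINKS = {("SW1", "Gi0/1"): ("SW2", "Gi0/2"), ("SW2", "Gi0/2"): ("SW1", "Gi0/1")}


def build_lab() -> Dict[str, Switch]:
    sw1 = Switch("SW1", {
        "Fa0/12": Port("Fa0/12", access_vlan=10),
        "Fa0/1": Port("Fa0/1", access_vlan=20),   # assumed port in another VLAN
        "Gi0/1": Port("Gi0/1", mode="trunk"),
    })
    sw2 = Switch("SW2", {
        "Gi0/2": Port("Gi0/2", mode="trunk"),
        "Fa0/13": Port("Fa0/13", access_vlan=10),
        "Fa0/14": Port("Fa0/14", access_vlan=10),  # assumed second VLAN 10 port
    })
    # As in the notes, both switches have already learned R1's MAC in VLAN 10.
    sw1.mac_table[(10, R1)] = "Gi0/1"
    sw2.mac_table[(10, R1)] = "Fa0/13"
    return {"SW1": sw1, "SW2": sw2}


def trace(switches: Dict[str, Switch], sw: str, in_port: str,
          src: str, dst: str, tag: Optional[int] = None) -> List[str]:
    """Follow a frame switch by switch across the trunk links; return the hops taken."""
    hops, pending = [], [(sw, in_port, tag)]
    while pending:
        sw, port, tag = pending.pop()
        for out_port, out_tag in switches[sw].forward(port, src, dst, tag):
            label = f" (802.1Q VLAN {out_tag})" if out_tag is not None else ""
            hops.append(f"{sw} in {port} -> out {out_port}{label}")
            if (sw, out_port) in LINKS:
                next_sw, next_port = LINKS[(sw, out_port)]
                pending.append((next_sw, next_port, out_tag))
    return hops


if __name__ == "__main__":
    for hop in trace(build_lab(), "SW1", "Fa0/12", BARNEY, R1):
        print(hop)
```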

Analysing Port Security Operations on an Interface
- ACL: Access Control List; examines packets/frames and discards them
- Port security filter features:
  - Limit which specific MAC addresses can send/receive frames on a switch interface (discard if not allowed)
  - Limit the number of MAC addresses using the interface (discard if over the maximum limit)
  - A combination of the two
Step 1: Identify all interfaces on which port security is enabled (show running-config or show port-security)
Step 2: Determine whether a security violation is currently occurring, based on the violation mode
  - A: shutdown: the interface is put into the err-disabled state, with port security port status secure-down
  - B: restrict: the interface remains in the connected state and the port security port status is secure-up, but show port-security interface displays an incrementing violations counter
  - C: protect: the interface remains in the connected state, but show port-security interface does not display an incrementing violations counter
Step 3: Compare the port security configuration to the diagram and to the Last Source Address field in show port-security interface
Troubleshooting Shutdown Mode and Err-disabled Recovery
- Err-disabled: switchport port-security violation shutdown (the default) is configured, a violation has occurred, and no traffic is allowed
- show port-security interface: secure-shutdown = a violation occurred, no traffic, shutdown mode configured
- shutdown and then no shutdown: recovers the interface and resets the violation counter to 0
- Last Source Address helps identify the MAC address that caused the violation
Troubleshooting Restrict and Protect Modes
- Restrict/protect: the interface remains in the up/up state and secure-up state => forwards good traffic, discards offending traffic
- show port-security: reveals practically nothing about discarded traffic
- IOS indications of port security activity: an incrementing violation counter, port security syslog messages
- Common problems: a maximum number of MAC addresses set too low, misconfigured MAC addresses
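Added example, not from the notes: a Python model of the three violation modes and of the fields a troubleshooter compares (port status, Last Source Address, violation count), run through the same scenario for each mode. The MAC addresses and the message text are constructed for the model, not copied from a device.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class SecurePort:
    """Model of one interface with 'switchport port-security' enabled."""
    name: str
    maximum: int = 1                        # switchport port-security maximum
    violation: str = "shutdown"             # protect | restrict | shutdown (IOS default)
    static_macs: frozenset = frozenset()    # switchport port-security mac-address ...
    secure_macs: Dict[str, str] = field(default_factory=dict)  # mac -> "static"/"dynamic"
    violation_count: int = 0
    last_source: Optional[str] = None
    err_disabled: bool = False
    syslog: List[str] = field(default_factory=list)

    def __post_init__(self):
        if self.violation not in ("protect", "restrict", "shutdown"):
            raise ValueError("violation mode must be protect, restrict or shutdown")
        for mac in self.static_macs:
            self.secure_macs[mac] = "static"

    def receive(self, src_mac: str) -> bool:
        """Process a frame's source MAC; return True if forwarded, False if discarded."""
        if self.err_disabled:
            return False                                    # err-disabled: no traffic at all
        self.last_source = src_mac                          # Last Source Address field
        if src_mac in self.secure_macs:
            return True
        if len(self.secure_macs) < self.maximum:
            self.secure_macs[src_mac] = "dynamic"           # learn it as a secure address
            return True
        # Violation: an unknown MAC while the maximum is already reached.
        if self.violation == "protect":
            return False                                    # silently discarded, no counter
        self.violation_count += 1
        # Message text constructed for the model; not a real IOS syslog line.
        self.syslog.append(f"port-security violation by {src_mac} on {self.name}")
        if self.violation == "shutdown":
            self.err_disabled = True
            self.syslog.append(f"{self.name} placed in err-disabled state")
        return False

    def shutdown_then_no_shutdown(self) -> None:
        """Manual recovery from err-disabled; resets the violation counter to 0."""
        self.err_disabled = False
        self.violation_count = 0

    def show_port_security_interface(self) -> Dict[str, object]:
        """The fields a troubleshooter compares, in the spirit of 'show port-security interface'."""
        return {
            "Port Status": "Secure-shutdown" if self.err_disabled else "Secure-up",
            "Violation Mode": self.violation.capitalize(),
            "Maximum MAC Addresses": self.maximum,
            "Total MAC Addresses": len(self.secure_macs),
            "Last Source Address": self.last_source,
            "Security Violation Count": self.violation_count,
        }


# Constructed scenario: one allowed PC, then a second, unexpected MAC on a maximum-1 port.
ALLOWED, ROGUE = "0200.1111.1111", "0200.9999.9999"


def run_scenario(mode: str) -> SecurePort:
    port = SecurePort(f"Fa0/1-{mode}", maximum=1, violation=mode,
                      static_macs=frozenset({ALLOWED}))
    port.receive(ALLOWED)   # expected device: forwarded
    port.receive(ROGUE)     # second MAC over the maximum: violation
    port.receive(ALLOWED)   # does the allowed device still get through?
    return port


if __name__ == "__main__":
    for mode in ("protect", "restrict", "shutdown"):
        print(run_scenario(mode).show_port_security_interface())
```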

Analysing VLANs and VLAN Trunks
- To forward frames in a VLAN:
  - The switch must know about the VLAN
  - The VLAN must be active
  - If using a trunk, the trunk must currently allow that VLAN to pass
Ensuring That the Right Access Interfaces Are in the Right VLANs
- Determine which switch interfaces are access interfaces, determine the assigned access VLAN on each interface, and compare the information to the documentation
- show vlan and show vlan brief do not list operational trunks
- show mac address-table: lists the MAC address table, with each entry including a MAC address, interface and VLAN ID (use it if show vlan and show interfaces switchport are not available)
- switchport access vlan vlan-id: assigns the interface to the correct VLAN if needed
Access VLANs Not Being Defined
- Switches do not forward frames for:
  - (a) VLANs that are not configured
  - (b) VLANs that are configured but disabled (shut down)
- VLAN configuration: the vlan number command, or VTP learning
- VLAN listing: show vlan lists all VLANs known to the switch; on VTP servers and clients, show running-config does not list the VLANs
Access VLANs Being Disabled
- VLAN state values:
  - active: the VLAN is operational and active
  - act/lshut: the VLAN is shut down; the switch will not forward frames in that VLAN
- [no] shutdown (in VLAN configuration mode) or [no] shutdown vlan number: disables/enables the VLAN
Mismatched Trunking Operational States
- Issue 1: both switches use switchport mode dynamic auto; both passively wait for negotiation messages, so no trunk forms
- Issue 2: one switch has an operational state of "trunk" and the other has an operational state of "static access"; the status on each end is up/up or connected, traffic in the native VLAN crosses successfully, but traffic in all other VLANs does not
- switchport mode trunk does not disable DTP negotiations; switchport nonegotiate is required to disable DTP negotiations
- Example: SW1 Gi0/1 is "trunk" with negotiation disabled; SW2 Gi0/2 is dynamic desirable but receives no DTP messages, so it settles on "static access" => all frames received by SW2 Gi0/2 that carry an 802.1Q header are discarded
- Solution: check both operational states using show interfaces trunk and show interfaces switchport and reconfigure if necessary
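Added example, not from the notes: a Python function that derives each end's operational mode from both ends' administrative modes and nonegotiate settings, covering Issue 1, Issue 2 and the SW1/SW2 example above. The rule that a dynamic port rejects nonegotiate is IOS behaviour; everything else follows the DTP outcomes the notes describe.

```python
from typing import Tuple

ADMIN_MODES = ("access", "trunk", "dynamic auto", "dynamic desirable")


def operational_mode(mode: str, nonegotiate: bool,
                     peer_mode: str, peer_nonegotiate: bool) -> str:
    """Operational mode of one end given both ends' administrative modes.
    Static modes ignore DTP; dynamic modes depend on what the peer sends."""
    if mode not in ADMIN_MODES or peer_mode not in ADMIN_MODES:
        raise ValueError("unknown administrative mode")
    if nonegotiate and mode.startswith("dynamic"):
        # IOS rejects 'switchport nonegotiate' on a dynamic-mode interface
        raise ValueError("nonegotiate conflicts with a dynamic administrative mode")
    if mode == "access":
        return "static access"
    if mode == "trunk":
        return "trunk"
    # dynamic auto / dynamic desirable: a trunk forms only if DTP messages arrive
    if peer_nonegotiate or peer_mode == "access":
        return "static access"            # no trunk offer from the peer: stay an access port
    if peer_mode in ("trunk", "dynamic desirable"):
        return "trunk"                    # the peer actively advertises trunking
    # The peer is dynamic auto: only a desirable local end initiates the negotiation
    return "trunk" if mode == "dynamic desirable" else "static access"


def link_state(local: str, peer: str, local_nonegotiate: bool = False,
               peer_nonegotiate: bool = False) -> Tuple[str, str, bool]:
    """Return (local operational mode, peer operational mode, mismatch?).
    A mismatch is the Issue 2 case: one end trunking while the other is access."""
    local_op = operational_mode(local, local_nonegotiate, peer, peer_nonegotiate)
    peer_op = operational_mode(peer, peer_nonegotiate, local, local_nonegotiate)
    return local_op, peer_op, local_op != peer_op


if __name__ == "__main__":
    # Issue 1: both ends dynamic auto, nobody initiates.
    print(link_state("dynamic auto", "dynamic auto"))
    # The SW1/SW2 example: SW1 trunk + nonegotiate, SW2 dynamic desirable.
    print(link_state("trunk", "dynamic desirable", local_nonegotiate=True))
```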

Part III Revision
Vocabulary List
Chapter 10: Autonegotiation, Broadcast domain, Broadcast frame, Collision domain, Flooding, Virtual LAN, Access point, Wireless LAN controller, Star topology, Full mesh, Partial mesh, Hub, Transparent bridge, Collapsed core design, Core design, Access layer, Distribution layer, Core layer
Chapter 11: 802.1Q, Trunk, Trunking administrative mode, Trunking operational mode, VLAN, VTP, VTP transparent mode, Layer 3 switch, Access interface, Trunk interface, Data VLAN, Voice VLAN
Chapter 12: Up and up, Connected, Error disabled, Problem isolation, Root cause, Duplex mismatch, Resolve, Escalate

Part IV - IP Version 4 Addressing and Subnetting
Chapter 13 - Perspectives on IPv4 Subnetting
Introduction to Subnetting
- Subnetting: chopping (subnetting) a large network into smaller pieces and assigning the subnets to different parts of the enterprise internetwork
Subnetting Defined Through a Simple Example
- Class A network, Class B network, Class C network
- Class B network example: everything beginning with 172.16
- Class B subnet example: everything beginning with 172.16.1
Operational View Versus Design View of Subnetting
- Design view: designing how IP addressing and subnetting will work for the enterprise network
- Operational view: taking another's design and interpreting it
Analyse Subnetting and Addressing Needs
- Four basic questions:
  1. Which hosts should be grouped together into a subnet?
  2. How many subnets does this network require?
  3. How many host IP addresses does each subnet require?
  4. Will we use a single subnet size for simplicity, or not?
Rules About Which Hosts Are in Which Subnet
- Every interface using the IP network requires an IP address
- Rules:

- R1 separates Subnet 1 and the point-to-point WAN link
- R2 separates the point-to-point WAN link and Subnet 3
- Routers connect to multiple subnets (LAN/WAN) to forward packets
Determining the Number of Subnets
- The engineer should plan for one subnet for every
- 2 EoMPLS subnets, 1 serial link subnet + at least one subnet (native VLAN) for the LAN at each site
- 12 (central site VLANs) + 3 x 2 (branch VLANs) + 2 (EoMPLS WAN links) + 1 (serial WAN link) = 21 subnets in total
- Subnetting plans need to include a reasonable estimate of growth in the number of subnets
Determining the Number of Hosts per Subnet
- The population at the site, the number of devices, etc. help calculate hosts per subnet
- Hosts in a subnet = host IP addresses + router interface IP address + switch IP address (used to remotely manage the switch)
- The largest branch has 50 hosts/subnet, so all other smaller branches need around 50 hosts
One Size Subnet Fits All - Or Not
- Subnet size/length = the number of usable IP addresses in the subnet
Defining the Size of a Subnet
- The subnet mask defines the size of the subnet
- The subnet mask sets aside host bits to number the different host IP addresses in that subnet
- With H host bits, the subnet contains 2^H unique numeric values
- Subnet size = 2^H - 2 (the numeric values minus the subnet number (lowest) and the subnet broadcast address (highest))
- Subnet number = subnet ID = subnet address
One-Size Subnet Fits All
- The one mask needs to provide enough host IP addresses to support the largest subnet
- Largest subnet: 200 host addresses
- 2^H - 2 = 254 when H = 8, and 254 > 200
- Therefore, 8 host bits are required when using one subnet mask across all subnets
- Advantages:
  - Provides operational simplicity
  - IT staff can get used to working with one mask
- Disadvantages:
  - Wastes IP addresses (solution: private IP networks)
Multiple Subnet Sizes (Variable-Length Subnet Masks)
- Different masks, different numbers of host bits, different numbers of hosts in some subnets
- Largest subnet: 8 host bits (2^8 - 2 = 254)
- Smaller subnets: 6 host bits (2^6 - 2 = 64)
- Point-to-point WAN links: 2 host bits (2^2 - 2 = 2)
- Some addresses are still wasted, as subnet sizes must be powers of 2
This Book: One-Size Subnet Fits All (Mostly)
- Makes the process of learning subnetting easier
- Calculating the number of subnets in the classful network only makes sense when a single mask is used

Make Design Choices
- Know how many subnets are needed => know how many host addresses are in the largest subnet => know that single-size subnet masks are used => ...

Choose a Classful Network
- Public classful IP networks => private IP networks
Public IP Networks
- A company requests a registered public IP network, either a Class A, B, or C network
- The company then has universally unique IP addresses
- No duplicate addresses exist
Growth Exhausts the Public IP Address Space
- IPv4 address exhaustion:
  - IANA, which assigns public IPv4 address blocks to the five RIRs (Regional Internet Registries) around the globe, assigned the last of its IPv4 addresses in 2011
  - ARIN, the RIR for North America, exhausted its supply of IPv4 addresses by 2015
  - Companies had to return unused public IPv4 addresses to ARIN before ARIN could reassign them to new companies
- Possible solutions:
  - Duplicates of private networks can exist, communicate with the Internet, and even communicate with each other
  - NAT translates the IP addresses inside packets, using a small number of public IP addresses to support tens of thousands of private IP addresses
- NAT translates a private IP address to a single public IP address. When it receives a returning packet, it compares the port number to its NAT translation table and forwards the packet to the matching private IP address.
Private IP Networks
- Will never be assigned to an organisation as a public IP network
- Can be used by organisations that will use NAT when sending packets into the Internet
- Can also be used by organisations that never need to send packets into the Internet

Choosing an IP Network During the Design Phase - Private network does not have penalties for wasting IP addresses Choose the Mask Design engineer should know the following - The. number of subnets required - The number of host/subnet required - That a choice was made to use only one mask for all subnets, so that all subnets are the same size (same number of hosts/subnet) - The classful IP network number that will be subnetted Classful IP Networks Before Subnetting

- Private IP address vs public IP address
- The addresses have the same value in the network part
- The addresses have different values in the host part
- Size of unsubnetted Class A, B, or C network:
  - Class A: 2^24 - 2 = 16,777,214
  - Class B: 2^16 - 2 = 65,534
  - Class C: 2^8 - 2 = 254
Borrowing Host Bits to Create Subnet Bits
- Some of the host bits are used as subnet bits (the ratio can be changed)
- Network bits are locked at 8, 16, 24
- Host bits and subnet bits are not locked
Choosing Enough Subnet and Host Bits
- Gathered information to determine the number of subnet/host bits:
  - Number of subnets required
  - Number of hosts/subnet
- Subnet bits: 2^S = no. of subnets
- Host bits: 2^H - 2 = no. of hosts/subnet
- 2^S only applies when a single mask is used for all subnets
Example Design: 172.16.0.0, 200 Subnets, 200 Hosts
- So far:
  - Use a single mask for all subnets
  - Plan for 200 subnets
  - Plan for 200 host IP addresses per subnet
  - Use private Class B network 172.16.0.0
- At least 8 subnet bits for 200 subnets (max. 256)
- At least 8 host bits for 200 hosts/subnet (max. 254)

Masks and Mask Formats
- Number of binary 0s equals the number of host bits, e.g. 11111111.11111111.11111111.00000000 (255.255.255.0)
- Subnet mask cannot have interleaved 0s and 1s
Build a List of All Subnets
- Subnet: group of consecutive IP addresses
- Network 172.16.0.0
- Mask 255.255.255.0 (for all subnets)

Plan the Implementation - Which subnet should be used for each VLAN at site? - For interfaces that require static IP addresses, which addresses should be used in each case?

- What range of IP addresses from inside each subnet should be configured in the DHCP server, to be dynamically leased to hosts for use as their IP address?

Assigning Subnets to Different Locations - Prefix /24: first 24 bits are the same, i.e. 11111111.11111111.11111111.00000000 (255.255.255.0) - Organisation of subnets, specifically geographic organisation allows route summarisation

Choose Static and Dynamic Ranges per Subnet - Static configuration vs DHCP lease - Static IP addresses on lower end, DHCP-assigned IP addresses on higher end of subnet - Subnet ID: .0 - Static: .1 - .100 - DHCP: .101 - .254 - Subnet broadcast: .255

Chapter 14 - Analysing Classful IPv4 Networks
Classful Network Concepts
- With a single IP address, you can find out its:
  - Class (A, B, or C)
  - Default mask
  - Number of network octets/bits
  - Number of host octets/bits
  - Number of host addresses in the network
  - Network ID
  - Network broadcast address
  - First and last usable address in the network
IPv4 Network Classes and Related Facts
- Class A, B, C: Unicast addresses
- Class D: Multicast addresses
- Class E: Reserved for future use

- 128 Class A networks, with 0.0.0.0 and 127.0.0.0 reserved The Number and Size of the Class A, B, and C Networks - Number of networks from each class significantly differs - Size of networks from each class significantly differs

Address Formats - Address structure: network part (prefix) and host part - E.g. 10.0.0.0 has locked first octet and variable last three octets

Default Masks - Default mask = network bits as 1s, host bits as 0s

Number of Hosts per Network - For H host bits, 2^H unique combinations exist - Network ID and network broadcast address are reserved

Deriving the Network ID and Related Numbers - Four key numbers that can be derived from a single IP address: - Network number - First (numerically lowest) usable address - Last (numerically highest) usable address - Network broadcast address - First usable address = network number + 1 - Last usable address = network broadcast address - 1

- Step 1: Find out which class network it is - Step 2: Divide octets into network part and host part - Step 3: Set all host octets to 0 (network ID) - Step 4: Add 1 to fourth octet of network ID (first usable) - Step 5: Set all host octets to 255 (network broadcast) - Step 6: Subtract 1 from fourth octet of network broadcast address (last usable)

Unusual Network IDs and Network Broadcast Addresses - Reservation of 0.0.0.0 and 127.0.0.0 - 128.0.0.0 is still Class B network - 223.255.255.0 is Class C network

Chapter 15 - Analysing Subnet Masks
Subnet Mask Conversion
Three Mask Formats

- Binary subnet mask rules: - Illegal values: 10101010 01010101 11110000 00001111, 00000000 00000000 00000000 11111111 - Legal values: 11111111 00000000 00000000 00000000, 11111111 11111111 11111111 00000000 - DDN values: 255.0.0.0, 255.255.255.0 - Prefix values: /8, /24 - Prefix = prefix mask = CIDR (Classless Interdomain Routing) mask = slash mask Converting Between Binary and Prefix Masks

Converting Between Binary and DDN Masks - For each octet, perform a decimal-to-binary conversion - Do the decimal-binary conversion OR memorise the nine possible decimal values of a mask octet

Converting Between Prefix and DDN Masks - Prefix => binary => DDN

Identifying Subnet Design Choices Using Masks - Subnet: all IPv4 addresses that have the same value in the prefix part of their IPv4 addresses

Masks Divide the Subnet's Addresses into Two Parts - Separation of host part and prefix with subnet mask

Masks and Class Divide Addresses into Three Parts
- Subnet part divides prefix into network part and subnet part
- Subnet 10.1.1.0 with subnet mask 255.255.255.0: 10.1.1 is subnet, .x is host
Classless and Classful Addressing
Calculations Based on the IPv4 Address Format
- Hosts in the subnet: 2^H - 2, where H is the number of host bits
- Subnets in the network: 2^S, where S is the number of subnet bits. Only use this formula if only one mask is used throughout the network

- Address 200.1.1.1, mask 255.255.255.252
  - Prefix = /30
  - Class = Class C
  - Network bits = 24
  - Subnet bits = 30 - 24 = 6
  - Host bits = 32 - 30 = 2
  - Hosts/subnet = 2^2 - 2 = 2
  - Subnets in network = 2^6 = 64
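The mask conversions, the three-part (network/subnet/host) split and the single-mask design rule from the last few sections, worked through in code. This is an added example, not part of the study notes; the function names are this example's own, and it uses only the Python standard library.

```python
# Added example (not from the study notes): subnet mask formats and
# single-mask subnet design. Function names are this example's own.
import ipaddress


def prefix_to_binary(prefix: int) -> str:
    """/18 -> '11111111.11111111.11000000.00000000'."""
    bits = "1" * prefix + "0" * (32 - prefix)
    return ".".join(bits[i:i + 8] for i in range(0, 32, 8))


def prefix_to_ddn(prefix: int) -> str:
    """/30 -> '255.255.255.252' (prefix => binary => DDN)."""
    return str(ipaddress.IPv4Address(int("1" * prefix + "0" * (32 - prefix), 2)))


def ddn_to_prefix(ddn: str) -> int:
    """'255.255.240.0' -> 20. Rejects masks with interleaved 1s and 0s."""
    bits = f"{int(ipaddress.IPv4Address(ddn)):032b}"
    ones = bits.rstrip("0")          # after stripping trailing 0s, only 1s may remain
    if "0" in ones:
        raise ValueError(f"{ddn} is not a valid mask: 1s and 0s are interleaved")
    return len(ones)


def is_valid_mask(ddn: str) -> bool:
    try:
        ddn_to_prefix(ddn)
        return True
    except ValueError:
        return False


def classful_network_bits(address: str) -> int:
    """Locked network bits from the first octet: Class A = 8, B = 16, C = 24."""
    first = int(address.split(".")[0])
    if first < 128:
        return 8
    if first < 192:
        return 16
    if first < 224:
        return 24
    raise ValueError(f"{address} is Class D/E, not a unicast network")


def analyse_mask(address: str, ddn_mask: str) -> dict:
    """Three-part view of one address + mask: network, subnet and host bits,
    plus 2^H - 2 hosts/subnet and 2^S subnets (a single mask is assumed)."""
    prefix = ddn_to_prefix(ddn_mask)
    network_bits = classful_network_bits(address)
    subnet_bits = prefix - network_bits
    host_bits = 32 - prefix
    if subnet_bits < 0:
        raise ValueError("mask is shorter than the classful default mask")
    return {
        "prefix": prefix,
        "network_bits": network_bits,
        "subnet_bits": subnet_bits,
        "host_bits": host_bits,
        "hosts_per_subnet": 2 ** host_bits - 2,
        "subnets": 2 ** subnet_bits,
    }


def design_prefix(network: str, subnets_needed: int, hosts_needed: int) -> int:
    """Prefix length of the single mask that gives at least subnets_needed
    subnets (2^S) while leaving enough host bits for hosts_needed (2^H - 2)."""
    network_bits = classful_network_bits(network)
    subnet_bits = (max(1, subnets_needed) - 1).bit_length()  # smallest S with 2^S >= subnets
    host_bits = (hosts_needed + 1).bit_length()              # smallest H with 2^H - 2 >= hosts
    if network_bits + subnet_bits + host_bits > 32:
        raise ValueError("this classful network cannot satisfy both requirements")
    return network_bits + subnet_bits


if __name__ == "__main__":
    # The notes' design: 172.16.0.0, 200 subnets, 200 hosts/subnet -> /24
    p = design_prefix("172.16.0.0", 200, 200)
    print(p, prefix_to_ddn(p), analyse_mask("172.16.1.1", prefix_to_ddn(p)))
```

For the notes' worked address 200.1.1.1 with mask 255.255.255.252, analyse_mask returns the same figures as the list above (/30, 24 network bits, 6 subnet bits, 2 host bits, 2 hosts per subnet, 64 subnets).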

Chapter 16 - Analysing Existing Subnets
Defining a Subnet
An Example with Network 172.16.0.0 and Four Subnets
- Subnet ID = resident subnet
- Because each subnet uses a single mask, all subnets must be the same size

Subnet ID Concepts - Router advertises subnet ID/mask and stores in IP routing table

Subnet Broadcast Address Range of Usable Addresses - Subnet ID + 1 = First usable - Subnet broadcast - 1 = Last usable

Analysing Existing Subnets: Binary
- With IP address and subnet mask, find:
  - Subnet ID
  - Subnet broadcast address
  - Range of usable addresses
Finding the Subnet ID: Binary
- All numbers in the subnet have the same value in the prefix part of the numbers
- The subnet ID is the lowest numeric value in the subnet, so its host part, in binary, is all 0s
- Binary subnet ID: all host bits changed to 0
- Binary subnet broadcast address: all host bits changed to 1
- Step 1: Convert prefix into binary (/18 => 11111111.11111111.11000000.00000000)

- Step 2: Convert IP address to binary (172.16.150.41 => 10101100 00010000 10010110 00101001) - Step 3: For all prefix bits in the IP address, leave it (10101100 00010000 10010110 00101001) - Step 4: For all host bits in the IP address, set it to 0 (10101100 00010000 10000000 00000000) - Step 5: Convert 8 bits at a time, into DDN form (10101100 00010000 10000000 00000000 => 172.16.128.0)

Finding the Subnet Broadcast Address: Binary
- Set all host bits to 1
- Step 1: Convert prefix into binary (/18 => 11111111.11111111.11000000.00000000)
- Step 2: Convert IP address to binary (172.16.150.41 => 10101100 00010000 10010110 00101001)
- Step 3: For all prefix bits in the IP address, leave it (10101100 00010000 10010110 00101001)
- Step 4: For all host bits in the IP address, set it to 1 (10101100 00010000 10111111 11111111)
- Step 5: Convert 8 bits at a time, into DDN form (10101100 00010000 10111111 11111111 => 172.16.191.255)
Binary Practice Problems

Shortcut for the Binary Process - Subnet ID and subnet broadcast address are equal to the IP address in octets for which the DDN mask is 255 - Subnet ID octet is 0 (and subnet broadcast octet is 255) in octets for which the DDN mask is 0

Brief Note About Boolean Math (optional fact) - How computers calculate subnet ID and subnet broadcast address - Perform a Boolean AND of the IP address and mask. This process converts all host bits to binary 0. - Invert the mask, and then perform a Boolean OR of the IP address and inverted subnet mask. This process converts all host bits to binary 1s. Finding the Range of Addresses - First usable = subnet ID + 1 - Last usable = subnet broadcast address - 1

Analysing Existing Subnets: Decimal Analysis with Easy masks - Easy masks: 255.0.0.0, 255.255.0.0, 255.255.255.0

- Finding subnet ID:
  - Step 1: If the mask octet = 255, copy the decimal IP address octet
  - Step 2: If the mask octet = 0, write a decimal 0
- Finding subnet broadcast address:
  - Step 1: If the mask octet = 255, copy the decimal IP address octet
  - Step 2: If the mask octet = 0, write decimal 255
Predictability in the Interesting Octet
- "Interesting octet" = the mask octet that is neither 0 nor 255
- Subnet ID is only predictable when single-size subnet masks are used
- Mask and the pattern of subnet IDs in the interesting octet:
  - 255.255.128.0: Multiples of 128
  - 255.255.192.0: Multiples of 64
  - 255.255.224.0: Multiples of 32
  - 255.255.240.0: Multiples of 16
  - ...

Finding the Subnet ID: Difficult Masks

Resident Subnet Example 1
- Example for IP address 130.4.102.1, mask 255.255.240.0
- Step 1: If the DDN mask octet = 255, copy the DDN octets (130.4._._)
- Step 2: If the DDN mask octet = 0, turn octet into 0 (130.4._.0)
- Step 3: Find the closest multiple of (256 - mask octet) that does not exceed the IP address octet (256 - 240 = 16, closest multiple not above 102 = 96 => 130.4.96.0)
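The binary (Boolean AND/OR) method and the decimal "interesting octet" shortcut from the sections above, run against the same addresses so the two can be cross-checked. This is an added example, not code from the study notes; the function names are this example's own.

```python
# Added example (not from the study notes): analyse an existing subnet with
# the Boolean AND/OR method and cross-check it against the decimal shortcut
# for a "difficult" mask. Function names are this example's own.
import ipaddress


def mask_to_int(mask: str) -> int:
    """Accepts '/18' or '255.255.192.0' and returns the 32-bit mask value."""
    if mask.startswith("/"):
        return (0xFFFFFFFF << (32 - int(mask[1:]))) & 0xFFFFFFFF
    return int(ipaddress.IPv4Address(mask))


def to_ddn(value: int) -> str:
    return str(ipaddress.IPv4Address(value))


def analyse_subnet(address: str, mask: str) -> dict:
    """Subnet ID = address AND mask (host bits -> 0);
    broadcast = address OR inverted mask (host bits -> 1)."""
    ip = int(ipaddress.IPv4Address(address))
    m = mask_to_int(mask)
    host_bits = 32 - bin(m).count("1")
    if host_bits < 2:
        raise ValueError("/31 and /32 have no separate subnet ID and broadcast")
    subnet_id = ip & m
    broadcast = ip | (~m & 0xFFFFFFFF)
    return {
        "subnet_id": to_ddn(subnet_id),
        "first_usable": to_ddn(subnet_id + 1),
        "last_usable": to_ddn(broadcast - 1),
        "broadcast": to_ddn(broadcast),
        "usable_hosts": 2 ** host_bits - 2,
    }


def decimal_shortcut(address: str, ddn_mask: str) -> tuple:
    """The notes' decimal method: copy octets under a 255 mask octet, write
    0 (subnet ID) or 255 (broadcast) under a 0 mask octet, and in the
    interesting octet round down to a multiple of (256 - mask octet)."""
    subnet, bcast = [], []
    for a, m in zip(map(int, address.split(".")), map(int, ddn_mask.split("."))):
        if m == 255:
            subnet.append(a)
            bcast.append(a)
        elif m == 0:
            subnet.append(0)
            bcast.append(255)
        else:
            block = 256 - m          # subnet size in this octet
            low = a - a % block      # closest multiple not above the address octet
            subnet.append(low)
            bcast.append(low + block - 1)
    return ".".join(map(str, subnet)), ".".join(map(str, bcast))


def shortcut_agrees(address: str, ddn_mask: str) -> bool:
    """True when the decimal shortcut matches the Boolean method."""
    full = analyse_subnet(address, ddn_mask)
    return decimal_shortcut(address, ddn_mask) == (full["subnet_id"], full["broadcast"])


if __name__ == "__main__":
    print(analyse_subnet("172.16.150.41", "/18"))             # the notes' /18 example
    print(decimal_shortcut("130.4.102.1", "255.255.240.0"))   # Resident Subnet Example 1
```

For 130.4.102.1 with mask 255.255.240.0 both methods give subnet ID 130.4.96.0 and broadcast 130.4.111.255, and for 172.16.150.41/18 the AND/OR method returns the 172.16.128.0 and 172.16.191.255 values derived in binary above.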

Practice Analysing Existing Subnets
A Choice: Memorise or Calculate

Part IV Revision
Key Terminology (Terminology: Definition)
Chapter 13: Subnet; Network; Classful IP network; Variable-length subnet masks (VLSM); Network part; Subnet part; Host part; Public IP network; Private IP network; Subnet mask
Chapter 14: Network number; Network ID; Network address; Network broadcast address; Network part; Host part; Default mask
Chapter 15: Binary mask; Decimal mask; Prefix mask; CIDR mask; Classful addressing; Classless addressing
Chapter 16: Resident subnet; Subnet ID; Subnet number; Subnet address; Subnet broadcast address

Part V - Implementing IPv4
Chapter 17 - Operating Cisco Routers
Installing Cisco Routers
- Routers are capable of forwarding packets end to end through a network; main feature of the network layer
- Routers forward packets by connecting to various physical network links, like Ethernet, serial links, and Frame Relay
Installing Enterprise Routers
- At least one LAN switch at each site for end-user support
- Connection to WAN link for provision of remote connectivity
- Routers use UTP cable with straight-through pinout
- Integrated or external CSU/DSU (Channel Service Unit/Data Service Unit)

- Telco leased line with RJ-48 connector connects to router or CSU/DSU
Cisco Integrated Services Routers
- Integrated services routers: routers providing many network services
- ISR = router for WAN/LAN connectivity + LAN switch for local network + VoIP services for IP phones + Wi-Fi access for wireless connectivity + security services
- NIM (Network Interface Module): interface

Physical Installation - Router has on/off switch Installing Internet Access Routers - SOHO "router" connects LAN end-users to high-speed Internet - Requirements: UTP cables, CATV cables, DSL cables, cable modem, DSL modem - Consumer-grade SOHO routers = - Router - Switch - Cable or DSL modem - Wireless access point - Hardware-enabled encryption

Enabling IPv4 Support on Cisco Router Interfaces
Accessing the Router CLI
- Accessing router CLI = accessing switch CLI
- Same commands:
- Different commands:
  - L2: show mac address-table
  - L3: show ip route
Router Interfaces
- Switch: Supports Ethernet LAN interfaces of various speeds (fa0/1, gi0/1)
- Router: Supports serial interfaces, cable TV, DSL, 3G/4G wireless, Ethernet interfaces etc.
- Point-to-point serial link can use: HDLC (default) or PPP
- Referring to interfaces:
  - interface ethernet 0
  - interface fastEthernet 0/1
  - interface gigabitethernet 0/0
  - interface serial 1/0/1
- show ip interface brief: interface, IP address, OK?, method, line & protocol status
- show interfaces [interface-id]: detailed list of statistics of interface

- sh int fa0/0 = show interfaces fastethernet 0/0
- description text: sets description for interface
Interface Status Codes
- up/up required to function

Router Interface IP Addresses - Basic configuration to route - Enable interface with no shutdown (default: shutdown) - Configure IP address and mask (default: no IP address and mask) - Cisco routers attempt to route IP packets for any interfaces that are in an up/up state and that have an IP address/mask assigned - ip address address mask: configures address and mask

- show protocols: lists status and IP address of interfaces

Bandwidth and Clock Rate on Serial Interfaces
- Clocking: CSU/DSU dictates speed for router
- Routers that need an external CSU/DSU can simply use DTE and DCE cables without buying two CSU/DSUs
- If no CSU/DSU is on the link, the router with the DCE cable must supply the clocking function
- clock rate: tells router to provide clocking
- Newer router IOS versions add default clock rate 2000000, which may be too high for some types of back-to-back serial cables (DTE + DCE)
- show controllers interface-id: confirms DCE cable is connected and lists clock rate
- bandwidth: documented speed of the interface, which doesn't have to match actual Layer 1 speed
- OSPF and EIGRP base routing protocol metrics on bandwidth by default
- Default serial bandwidth: 1544 kbps (T1 speed)
- To see clock rate: clock rate interface or show controllers serial type number
- To see bandwidth: show running-config or show interfaces [type number]
- bandwidth 128: sets link bandwidth to 128 kbps
Router Auxiliary Port
- Allows a phone call to the router to issue commands from the CLI
- Aux port >> cable >> analog modem >> phone line << modem << terminal emulator << PC
- line aux 0: aux line configuration mode

Chapter 18 - Configuring IPv4 Addresses and Static Routes
IP Routing
- IP routing: process of forwarding IP packets, which relies on network layer logic on hosts and routers, and data-link and physical details at each link, such as serial links, Ethernet LANs, wireless LANs etc., by using protocols, encapsulation and transmission
IPv4 Routing Process Reference
- LAN host routing logic:
  - Local packet is sent directly to the host, remote packet is sent to the default router/gateway
- Router's routing logic:
  - Paraphrased summary: The router receives a frame, removes the packet from inside the frame, decides where to forward the packet, puts the packet into another frame, and sends the frame
  - Step 1: Router R1 notes that the received Ethernet frame passes the FCS check, and that the destination Ethernet MAC address is R1's MAC address, so R1 processes the frame
  - Step 2: R1 de-encapsulates the IP packet from inside the Ethernet frame's header and trailer
  - Step 3: R1 compares the IP packet's destination IP address to R1's IP routing table
  - Step 4: R1 encapsulates the IP packet inside a new data-link frame, in this case, inside an HDLC header and trailer
  - Step 5: R1 transmits the IP packet, inside the new HDLC frame, out the serial link
An Example of IP Routing
- Address abbreviations: Host A : 172.16.1.9, R1 S0/0/0 : 172.16.4.1 etc.

Host Forwards the IP Packet to the Default Router (Gateway) - Host A's routing logic: - My IP address/mask is 172.16.1.9/24, so my local subnet contains numbers 172.16.1.0 - 172.16.1.255 - The destination address is 172.16.2.9, which is not in my local subnet - Send the packet to my default gateway, which is set to 172.16.1.1 - To send the packet, encapsulate it in an Ethernet frame and make the destination MAC address be R1's G0/0 MAC address (default gateway)

Routing Step 1: Decide Whether to Process the Incoming Frame - 1A: Use FCS field to check frame for errors - If error: discard the frame (no error recovery) - If no errors: Continue

- 1B: Check destination MAC address to decide whether the frame is intended for the router - If it is for the router: Process the frame - If it isn't for the router: Ignore the frame - Switches flood unknown unicast frames, so the router can receive frames that are not intended for it

Routing Step 2: De-encapsulation of the IP Packet - 2: Discard original frame's data-link header and trailer

Routing Step 3: Choosing Where to Forward the Packet - 3: Compare destination IP address to routing table and decide which interface is to be used - Routing entry: subnet ID, subnet mask, next-hop router address, outgoing interface - Router finds match for subnet that destination address is in, and decides to forward it out the matching interface, to the matching next-hop router IP address Routing Step 4: Encapsulating the Packet in a New Frame - HDLC (default) or PPP encapsulation on serial link; does not require resolution of IP address - Ethernet encapsulation on EoMPLS link; requires address resolution with ARP table and ARP learning

Routing Step 5: Transmitting the Frame

Configuring IP Addresses and Connected Routes - Interface routing minimum configurations: up/up status configured, IP address configured - Routes are required after interfaces are configured Connected Routes and the ip address Command - Cisco router automatically adds a route to its routing table for the subnet connected to each interface, assuming that the following two facts are true: - Router figures out subnet ID by subnet calculation with IP address and mask - show ip route: lists statuses of routes - Route code C - connected route, L - local route - Each local route has /32 prefix, defining a host route, a route that matches only the IP address of the local route The ARP Table on a Cisco Router - Used to find destination MAC address for a destination IP address - Age counter will increase when entry is not used and will timeout when it reaches age (default 240 minutes) - Age of -: never time out - clear ip arp [ip-address]: removes all dynamic entries or a single entry - Step 1: R1 looks in its ARP table for an entry for 172.16.1.9

- Step 2: R1 encapsulates the IP packet in an Ethernet frame, adding destination 0200.3333.3333 to the Ethernet header - Step 3: R1 transmits the frame out interface G0/0 Routing Between Subnets on VLANs - Some router needs to have a connected route to each subnet - Three options for connecting a router to each subnet on a VLAN:

- Layer 3 switches route between all 12 VLANs and routers use VLAN trunks to connect to and route between both VLANs Configuring Routing to VLANs Using 802.1Q on Routers - Routing packets to subnets associated with VLANs connected to a router 802.1Q trunk: router-on-a-stick (ROAS) - Subinterfaces: virtual router interfaces, one associated with each VLAN on that trunk - Each subinterface has IP address/mask - Frames tagged with VLAN 10 are treated as if they came in or out of G0/0.10 - Both router and switch need to manually configure trunking (switch: switchport mode trunk)

- subinterface number needs to be unique and can be 1 to over 4 billion - encapsulation [dot1q | isl] vlan-id: defines VLAN whose frames are considered to be coming in and out of the subinterface - How to configure to use native VLAN: - Configuration results of native VLAN 10: - show vlans: lists which router trunk interfaces use which VLANs, which is the native VLAN + packet statistics

Configuring Routing to VLANs Using a Layer 3 Switch - Layer 3 switch needs virtual interface connected to each VLAN internal to the switch - VLAN interface: Switched Virtual Interface (SVI) - Layer 3 switch connects to router via access link and VLANs on each SVI

- Layer 3 switch adds connected IP routes for each VLAN

Configuring Static Routes - All routers add connected routes, and static routes can be configured Static Route Configuration

- ip route: defines destination subnet ID and mask and outgoing interface or next-hop router's IP address
- Static route:
  - destination subnet ID: 172.16.2.0
  - destination subnet mask: 255.255.255.0
  - outgoing interface: S0/0/0 OR
  - next-hop router IP address: 172.16.4.2
- To send packets to subnet 172.16.2.0/24, send them to 172.16.4.2
- To send packets to subnet 172.16.3.0/24, send them out S0/0/1
- show ip route displays outgoing interface as directly connected
- If S0/0/1 fails, router removes static route to 172.16.3.0/24 until interface comes up again
- Network route or subnet route: defines route to an IP network or subnet
Static Host Routes
- ip route with mask of 255.255.255.255 creates static routes for remote hosts
- ip route 10.1.1.0 255.255.255.0 10.2.2.2
- ip route 10.1.1.9 255.255.255.255 10.9.9.9
- Router selects most specific match (longest prefix) of 10.1.1.9/32, and so it is forwarded to next-hop router 10.9.9.9
Static Routes with No Competing Routes
- Checklist for adding route to IP routing table:
  - Are there any competing routes?
  - For ip route with outgoing interface, is the interface in an up/up state?
  - For ip route with next-hop IP address, does the local router have a route to reach that IP address?
- ip route 172.16.2.0 255.255.255.0 172.16.4.2
- If 172.16.4.0/24 is removed, static route to 172.16.2.0/24 is also removed
- permanent keyword configures IOS to ignore these basic checks

Static Routes with Competing Routes
- If there are competing routes, router compares administrative distance (lower is better)
- IOS considers static routes better than OSPF-learned routes
- Static route default administrative distance: 1
- OSPF route default administrative distance: 110
- Floating static routes: float or move into and out of the IP routing table depending on whether the better administrative distance route happens to exist currently; router ignores the static route during times when the better routing protocol route is known
- Static route administrative distance needs to be changed (to a value higher than the OSPF route's) to allow the OSPF route to be used
- show ip route subnet-id: lists administrative distance

Static Default Routes - Default: router discards packet if no route matches packet's destination IP address

- Default route is used if packet does not match any other more specific route
- If there is one slow link to a branch, a routing protocol wastes bandwidth, so a default route is set to the core router
- ip route 0.0.0.0 0.0.0.0 S0/0/1 creates static default route with outgoing interface of S0/0/1
- Candidate default route: a candidate from which the router can choose one to use as its "Gateway of Last Resort"
Troubleshooting Static Routes
- Troubleshooting perspectives:
  - Route is in the routing table but is incorrect
  - Route is not in the routing table
  - Route is in the routing table, and is correct, but the packets do not arrive
Troubleshooting Incorrect Static Routes that Appear in the IP Routing Table
- If the range of addresses in the subnet specified in the command does not include the actual addresses, there is a problem
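The route-selection rules from the static route sections (longest-prefix match between a /24 and a /32 host route, the 0.0.0.0/0 default route as gateway of last resort, competing routes decided by administrative distance, and a floating static route that only appears when the OSPF route is gone) modelled in one small routing table. This is an added example, not code from the study notes; the class, method and variable names are this example's own, and the addresses and ADs are the ones the notes use.

```python
# Added example (not from the study notes): a small model of how IOS decides
# which route wins and which route a packet uses. Class, function and
# variable names are this example's own; the ADs and addresses follow the notes.
import ipaddress
from dataclasses import dataclass

# Default administrative distances quoted in the notes
AD = {"connected": 0, "static": 1, "eigrp": 90, "ospf": 110, "rip": 120, "dhcp": 254}


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    source: str       # "connected", "static", "ospf", ...
    next_hop: str     # next-hop IP address or outgoing interface
    ad: int


class RoutingTable:
    def __init__(self):
        self.candidates = []   # everything learned from any source

    def add(self, network, source, next_hop, ad=None):
        """Record a route; ad overrides the default (e.g. 130 for a floating static)."""
        prefix = ipaddress.IPv4Network(network, strict=False)
        self.candidates.append(Route(prefix, source, next_hop, AD[source] if ad is None else ad))

    def withdraw(self, network, source):
        """Model a route going away (interface down, routing protocol lost it)."""
        prefix = ipaddress.IPv4Network(network, strict=False)
        self.candidates = [r for r in self.candidates
                           if not (r.prefix == prefix and r.source == source)]

    def installed(self):
        """Per prefix, only the lowest-AD routes go into the routing table;
        equal-AD routes stay side by side (equal-cost paths)."""
        by_prefix = {}
        for r in self.candidates:
            by_prefix.setdefault(r.prefix, []).append(r)
        table = []
        for routes in by_prefix.values():
            best = min(r.ad for r in routes)
            table.extend(r for r in routes if r.ad == best)
        return table

    def lookup(self, destination):
        """Longest-prefix match; 0.0.0.0/0 only wins when nothing else matches.
        Returns None when the router would discard the packet."""
        ip = ipaddress.IPv4Address(destination)
        matches = [r for r in self.installed() if ip in r.prefix]
        if not matches:
            return None
        return max(matches, key=lambda r: r.prefix.prefixlen)


def notes_scenario():
    """The host-route, default-route and floating-static cases from the notes."""
    rt = RoutingTable()
    rt.add("172.16.1.0/24", "connected", "G0/0")
    rt.add("10.1.1.0/24", "static", "10.2.2.2")
    rt.add("10.1.1.9/32", "static", "10.9.9.9")              # static host route
    rt.add("0.0.0.0/0", "static", "S0/0/1")                  # gateway of last resort
    rt.add("172.16.2.0/24", "ospf", "172.16.4.2")            # AD 110
    rt.add("172.16.2.0/24", "static", "172.16.5.2", ad=130)  # floating static, stays out
    return rt


if __name__ == "__main__":
    rt = notes_scenario()
    for dest in ("10.1.1.9", "10.1.1.10", "8.8.8.8", "172.16.2.9"):
        print(dest, "->", rt.lookup(dest))
    rt.withdraw("172.16.2.0/24", "ospf")     # OSPF route lost: floating static floats in
    print("172.16.2.9 ->", rt.lookup("172.16.2.9"))
```

The model omits the two installation checks the notes list (outgoing interface up/up, next hop reachable); withdraw() stands in for both, since either failure has the same visible effect of the route leaving the table.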

The Static Route Does Not Appear in the IP Routing Table - ip route may have correct syntax and be added to the running-config and startup-config files but not be placed into the IP routing table because:

The Correct Static Route Appears but Works Poorly - Static route can be perfect, but packets still may not arrive - Root cause may be static route, or something else - If permanent keyword is used when configuring a static route, you need to check if: - for ip route commands with an outgoing interface, the interface is in an up/up state - for ip route commands with a next-hop IP address, the local router has a route to reach that next-hop address

Chapter 19 - Learning IPv4 Routes with RIPv2 RIP and Routing Protocol Concepts - Each routing protocol causes routers to: - Learn routing information about IP subnets from other neighbouring routers - Advertise routing information about IP subnets to other neighbouring routers - If a router learns of more than one route to reach one subnet, choose the best route based on that routing protocol's concept of a metric

- React to changes when the network topology changes, e.g. a link fails, and converge to use a new choice of best route for each destination subnet History of Interior Gateway Protocols - OSPFv2: IPv4 only, OSPFv3: IPv6 only, OSPFv3 with address families: IPv4 + IPv6 Comparing IGPs - EIGRP and OSPFv2 are most popular - Inside one company or organisation: Interior Gateway (Router) Protocol (IGP) - Between companies or ISPs: Exterior Gateway (Router) Protocol (EGP) - RIP uses hop count metric: smallest number of links and routers - Disadvantage of RIP hop count metric: - RIP may use fewer links, but slower links

Distance Vector Basics
The Concept of a Distance and a Vector
- When routers learn a route to a subnet, they learn:
  - Destination subnet
  - Distance (routing protocol metric)
  - Vector (link and next-hop router to use as part of that route)
- E.g. Four-hop route (distance) through R2 (vector) for subnet X (subnet)
- R1 picks the route with the best (lowest) metric
Full Update Messages and Split Horizon
- Periodic routing update: RIP repeats the same update over and over on a timed basis even if no changes occur
- Step 1: R2 interface G0/2 has an IP address and is in an up/up state
- Step 2: R2 adds a connected route for 172.30.22.0/24, off interface G0/2, to R2's routing table
- Step 3: R2 advertises its route for 172.30.22.0/24 to R1, with metric 1 (hop count 1), in a RIP update sent to R1
- Step 4: R1 adds a route for subnet 172.30.22.0/24, listing it as a RIP-learned route with metric 1
- [Route for: subnet; outgoing interface: received interface; next-hop router IP address: sender of update]
Split Horizon
- Split horizon tells a router to omit some routes from an update sent out an interface
- The routes that use interface X as the outgoing interface do not get sent out interface X, i.e. the router does not advertise routes that the receiving router would already know of

Route Poisoning - DV protocols prevent routing loops with route poisoning

- Route poisoning: advertising a failed route with special metric value infinity (16, meaning failed)
- Step 1: R2's G0/2 interface fails
- Step 2: R2 removes its connected route for 172.30.22.0/24 from its routing table
- Step 3: R2 advertises 172.30.22.0 with an infinite metric (16 for RIP)
- Step 4: R1 removes the route from its routing table or marks the route as unusable before removing the route for 172.30.22.0/24
- 16 = infinity, 15 = longest valid route in RIP network
Summarising RIPv2 Features
- RIPv2 features:
  - Supports authentication
  - Supports manual route summarisation
  - Sends update message to 224.0.0.9 multicast address instead of 255.255.255.255 broadcast address (RIPv1)
  - Supports VLSM
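The distance-vector exchange described under "Full Update Messages and Split Horizon" and "Route Poisoning", played out between two routers in code: R2 advertises 172.30.22.0/24 with metric 1, R1 installs it, split horizon keeps R1 from echoing it back out the interface it was learned on, and when R2's G0/2 fails the subnet is advertised with metric 16 so R1 drops it. This is an added example, not code from the study notes; the class and method names are this example's own and the shared link subnet 172.30.12.0/24 and R2's address on it are constructed for the example.

```python
# Added example (not from the study notes): a two-router model of RIP's
# distance-vector behaviour, showing full updates, split horizon and route
# poisoning. Class and method names are this example's own; the 172.30.12.0/24
# link between R1 and R2 is constructed for the example.
INFINITY = 16   # RIP's "failed" metric; 15 is the longest valid route


class RipRouter:
    def __init__(self, name):
        self.name = name
        self.routes = {}       # subnet -> {"metric", "next_hop", "interface"}
        self.poisoned = set()  # failed subnets still being advertised with metric 16

    def connect(self, subnet, interface):
        """Connected route: metric 0, no next hop."""
        self.routes[subnet] = {"metric": 0, "next_hop": None, "interface": interface}
        self.poisoned.discard(subnet)

    def interface_down(self, interface):
        """Losing an interface removes its connected route; the subnet is then
        poisoned so neighbours learn that the route has failed."""
        lost = [s for s, r in self.routes.items()
                if r["interface"] == interface and r["next_hop"] is None]
        for subnet in lost:
            del self.routes[subnet]
            self.poisoned.add(subnet)

    def build_update(self, out_interface):
        """Full periodic update sent out one interface. Split horizon: routes
        whose outgoing interface is out_interface are omitted."""
        update = {}
        for subnet, r in self.routes.items():
            if r["interface"] == out_interface:
                continue                       # split horizon
            metric = r["metric"] + 1           # one more hop for the receiver
            update[subnet] = metric if metric < INFINITY else INFINITY
        for subnet in self.poisoned:
            update[subnet] = INFINITY          # route poisoning
        return update

    def receive_update(self, update, in_interface, sender):
        """Install better routes, refresh routes from the same neighbour, and
        drop a route when the neighbour that supplied it poisons it."""
        for subnet, metric in update.items():
            current = self.routes.get(subnet)
            if metric >= INFINITY:
                if current and current["next_hop"] == sender:
                    del self.routes[subnet]
                continue
            if current is None or metric < current["metric"] or current["next_hop"] == sender:
                self.routes[subnet] = {"metric": metric, "next_hop": sender,
                                       "interface": in_interface}


def notes_scenario():
    """R2 owns 172.30.22.0/24 on G0/2 and shares link 172.30.12.0/24 with R1;
    R2's link address 172.30.12.2 is constructed for the example."""
    r1, r2 = RipRouter("R1"), RipRouter("R2")
    r1.connect("172.30.11.0/24", "G0/0")
    r1.connect("172.30.12.0/24", "G0/1")
    r2.connect("172.30.12.0/24", "G0/1")
    r2.connect("172.30.22.0/24", "G0/2")
    r1.receive_update(r2.build_update("G0/1"), "G0/1", "172.30.12.2")   # Steps 3 and 4
    return r1, r2


if __name__ == "__main__":
    r1, r2 = notes_scenario()
    print("R1 routes:", r1.routes)
    print("R1 update out G0/1 (split horizon):", r1.build_update("G0/1"))
    r2.interface_down("G0/2")
    print("R2 poisoned update:", r2.build_update("G0/1"))
    r1.receive_update(r2.build_update("G0/1"), "G0/1", "172.30.12.2")
    print("R1 routes after poison:", r1.routes)
```

The update R1 sends out G0/1 contains only 172.30.11.0/24: both the link subnet and the route learned from R2 use G0/1 as their outgoing interface, so split horizon withholds them, while the update out G0/0 carries 172.30.22.0/24 with metric 2.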

Core RIPv2 Configuration and Verification Configuring Core RIPv2 Features - RIPv2 configuration process:

Understanding the RIP network Command - Classful network identifies interface to enable RIPv2 - Once enabled:

RIP Configuration Example, with Many IP Networks - network commands for each Class C network each interface is part of - If IOS receives non-classful network number - IOS will not issue an error message - IOS will change configuration to matching classful address (e.g. 10.1.2.3 => 10.0.0.0) RIP Configuration Example, with One IP Network - Since all subnets are in same Class A network 10.0.0.0, RIPv2 only requires one network command:

RIPv2 Verification

Examining RIP Routes in the IP Routing Table

- Routing code R for RIP-learned routes - show ip route rip only lists RIP-learned routes - Each line in the output: - When interface fails etc., router converges to use other, non-best routes Comparing Routing Sources with Administrative Distance - When enterprises use multiple IP routing protocols, router compares administrative distance (AD) and chooses the lowest - For example, RIP and EIGRP metrics can't be compared - EIGRP default AD = 90 - RIP default AD = 120 - Router chooses EIGRP routes over RIP routes

Revealing RIP Configuration with the show ip protocols Command
- version 2: only RIPv2 is allowed
- auto-summary: Automatic summarisation is enabled
- maximum-paths 4: There can be up to 4 routes with the same metric (default)
- network commands: Enables RIP on certain interfaces in certain networks
- "Routing information sources" lists neighbouring routers from which this router has received RIP updates
Examining the Best RIP Routes Using RIP Database
- show ip rip database: Lists prefix/length of each subnet known to local router's RIP process
- It lists:
  - Routes for subnets learned from other RIP routers
  - Routes for connected subnets for which RIP is enabled on interfaces due to RIP network commands
- show ip route: Lists RIP-learned routes; you cannot tell which interfaces are RIP enabled
- show ip protocols: Identifies interfaces on which RIP is enabled; you don't know the RIP-learned routes
- show ip rip database: Lists both learned routes and connected routes

Optional RIPv2 Configuration and Verification Controlling RIP Updates with the passive-interface Command - passive-interface type number: stops all RIPv2 updates from being sent out the interface that is matched by a network command; RIP will still process received updates and advertise about the connected subnet

- passive-interface default: makes all interfaces passive by default - no passive-interface type number: makes interface not be passive

Supporting Multiple Equal-Cost Routes with Maximum Paths
- RIP's default behaviour for equal-cost routes to the same subnet: install up to maximum-paths of those routes and use them all with equal-cost load balancing
- maximum-paths number-of-paths: sets the maximum number of paths allowed (default 4)
- Setting maximum paths to 1 disables the feature
Understanding Autosummarisation and Discontiguous Classful Networks
- Classful routing protocols (RIPv1, IGRP) needed to avoid discontiguous classful networks
- Classless routing protocols (RIPv2, EIGRP, OSPF) avoid the discontiguous classful network problem, or can be configured to avoid it (no auto-summary for RIP)
- Routing protocol with autosummarisation automatically creates a summary route when:
  - That one router connects to subnets of multiple different classful networks
  - That router uses a routing protocol that uses the autosummary feature
- Step 1: R3 has autosummary enabled, with the RIPv2 auto-summary router subcommand
- Step 2: R3 advertises a route for all of Class A network 10.0.0.0 instead of advertising routes for each subnet inside network 10.0.0.0 (since R2 is in another subnet)
- Step 3: R2 learns one route for network 10.0.0.0/8, which represents all of network 10.0.0.0, with R3 as the next-hop router
- Definitions:
  - Contiguous network: A network topology in which subnets of network X are not separated by subnets of any other classful network
  - Discontiguous network: A network topology in which subnets of network X are separated by subnets of some other classful network
- Both R3 and R1 advertise a route for all of network 10.0.0.0, and R2 balances the traffic over both routes
- Two solutions:
  - Keep all classful networks together in a design
  - Disable autosummarisation with no auto-summary
- R1 and R3 have autosummarisation disabled
Verifying Optional RIP Features
- show ip protocols: separates the list of interfaces and passive interfaces
- R1 learned two 1-hop routes to subnet 192.168.6.0/24; show ip route lists two next-hop router IP addresses for one subnet
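Two pieces of the RIP configuration material above in code: the classful matching behind the network command (IOS rewrites 10.1.2.3 to 10.0.0.0, and every interface in that classful network is enabled), and the autosummary rule that collapses subnets to their classful network when advertised out an interface that sits in a different classful network. This is an added example, not code from the study notes; the function names are this example's own and the R3 interface addresses are constructed for the example.

```python
# Added example (not from the study notes): how the RIP network command
# matches interfaces by classful network, and what auto-summary does to the
# subnets advertised out an interface. Function names and the interface
# addresses below are this example's own (constructed).
import ipaddress


def classful_network(address: str) -> ipaddress.IPv4Network:
    """10.1.2.3 -> 10.0.0.0/8, as IOS rewrites a non-classful network command."""
    first = int(address.split(".")[0])
    plen = 8 if first < 128 else 16 if first < 192 else 24 if first < 224 else None
    if plen is None:
        raise ValueError(f"{address} is not in a Class A/B/C network")
    return ipaddress.IPv4Network(f"{address}/{plen}", strict=False)


def rip_enabled_interfaces(interfaces: dict, network_commands: list) -> set:
    """interfaces maps name -> 'address/prefix'. An interface is RIP-enabled
    when its address falls in the classful network of some network command."""
    enabled = {classful_network(n) for n in network_commands}
    return {name for name, addr in interfaces.items()
            if classful_network(addr.split("/")[0]) in enabled}


def advertised_out(interfaces: dict, out_interface: str, auto_summary: bool = True) -> set:
    """Subnets this router advertises out one interface. With auto-summary,
    a subnet whose classful network differs from the outgoing interface's
    own is replaced by that whole classful network. The connected subnet
    of out_interface itself is withheld by split horizon."""
    out_class = classful_network(interfaces[out_interface].split("/")[0])
    result = set()
    for name, addr in interfaces.items():
        if name == out_interface:
            continue
        subnet = ipaddress.IPv4Network(addr, strict=False)
        net = classful_network(addr.split("/")[0])
        result.add(str(net) if auto_summary and net != out_class else str(subnet))
    return result


# Constructed R3 in the spirit of the notes' topology: two subnets of
# network 10.0.0.0 plus a link toward R2 in a different classful network.
R3 = {"G0/1": "10.1.3.1/24", "G0/2": "10.1.4.1/24", "S0/0/0": "192.168.2.3/24"}


if __name__ == "__main__":
    print("network 10.1.2.3 becomes", classful_network("10.1.2.3"))
    print("RIP-enabled by 'network 10.0.0.0':", rip_enabled_interfaces(R3, ["10.0.0.0"]))
    print("out S0/0/0 with auto-summary:", advertised_out(R3, "S0/0/0"))
    print("out S0/0/0 with no auto-summary:", advertised_out(R3, "S0/0/0", auto_summary=False))
```

Out S0/0/0 the two 10.x subnets collapse to a single 10.0.0.0/8 advertisement, which is what R2 learns in Step 3 above; with no auto-summary the individual /24s are sent instead, which is the fix for a discontiguous network 10.0.0.0.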

RIPv2 Default Routes - B01 and B02 use a default route to R1, which uses a default route to ISP1

Learning Default Routes Using Static Routes and RIPv2 - Static default route configuration for router directly connected to true default route

- RIPv2 advertisement of a route to 0.0.0.0/0 teaches remote routers a default route pointing to the router that sent the advertisement
- Step 1: R1 is configured with ip route 0.0.0.0 0.0.0.0 192.0.2.1, i.e. R1's default route is 192.0.2.1
- Step 2: R1 advertises the default route 0.0.0.0 0.0.0.0 (via R1) to B01 and B02
- default-information originate: "If the IPv4 routing table has a default route in it, advertise a default route with RIP, with this local router as the eventual destination of those default routes"
- R1's Gateway of Last Resort is set to next-hop address 192.0.2.1
- B01 sets a default route with next-hop address 10.1.12.1 (R1's IP address)

Learning a Default Route Using DHCP
- DHCP lets hosts learn their IP address, the subnet mask to use, DNS server IP addresses and the IP address of the default gateway
- Step 1: R1 learns its address and default gateway with DHCP
- Step 2: R2 lists next-hop address 192.0.2.1 as Gateway of Last Resort
- ip address dhcp: enables the DHCP client on the interface
- IOS default administrative distance is 254 for DHCP-learned routes
- DHCP-learned routes are shown as static routes

Troubleshooting RIPv2
- show ip route and show ip protocols

Symptoms with Missing and Incorrect network Commands
- Problem: missing network commands, incorrect network commands
- Consequence:
  - The router does not advertise the subnets on those interfaces
  - The router does not exchange routing information with other routers on those interfaces
- If network 192.168.12.0 was missing: "Routing for Networks" lists only the enabled interfaces

Issues Related to Passive Interfaces
- Passive interfaces should not be connected to active interfaces
- R1 receives and processes R2's RIP messages, but does not send updates to R2

Issues Related to auto-summary
- If a router does not connect to subnets of two different classful networks, no auto-summary does not affect its operation

RIP Issues Caused by Other Router Features
- RIP operates only on working interfaces (up/up state)
- RIP requires that all neighbours on a link be in the same subnet; if routers are in different subnets, they ignore each other's RIP updates
- ACLs could filter/discard RIP messages

Summary of RIP Troubleshooting Issues

Chapter 20 - DHCP and IP Networking on Hosts

Implementing and Troubleshooting DHCP
- Any host that uses IPv4 needs four IPv4 settings to work properly:
  - IP address
  - Subnet mask
  - Default routers
  - DNS server IP addresses
- Advantages of DHCP:
  - Centralised configuration and management rather than local configurations
  - User mobility: DHCP configuration at each new location
  - Prevents user-side errors/mistakes

DHCP Concepts
- DHCP client uses the DHCP protocol to:
  - discover a DHCP server
  - request to lease an IPv4 address
- DHCP message types (DORA):

  - Discover: Sent by the DHCP client to find a willing DHCP server
  - Offer: Sent by a DHCP server to offer to lease a specific IP address to that client (and inform the client of its other parameters)
  - Request: Sent by the DHCP client to ask the server to lease the IPv4 address listed in the Offer message
  - Acknowledgement: Sent by the DHCP server to assign the address, and to list the mask, default router and DNS server IP addresses
- For DHCP clients without IPv4 addresses:
  - Discover packet has source address 0.0.0.0 and destination address 255.255.255.255

- Step 1: Host A sends a Discover message with source address 0.0.0.0 and destination address 255.255.255.255 (broadcast)
- Step 2: The DHCP server sends an Offer message with source address 172.16.1.11 and destination address 255.255.255.255 (broadcast)
  - Assumes that the host uses the broadcast flag DHCP option
  - Host A lists its own DHCP client ID in the Discover message, so the broadcast Offer message gets ignored by other devices and only host A processes the packet

Supporting DHCP for Remote Subnets with DHCP Relay
- To support centralised DHCP servers, the DHCP client's messages need to travel between subnets, but broadcast messages will not reach the DHCP server
- ip helper-address server-ip: tells the router to perform the steps below (DHCP Relay)
- Step 1: Host A sends a Discover message with source address 0.0.0.0 and destination address 255.255.255.255 (local broadcast)
- Step 2: R1 forwards the Discover message with source address 172.16.1.1 (incoming interface) and destination address 172.16.2.11 (the DHCP server address configured with ip helper-address)
- Routers need to act as DHCP relay agents to let DHCP clients send and receive packets
- Step 1: The returning Offer message from the DHCP server reverses the source and destination addresses of the relayed Discover message
- Step 2: R1 takes the Offer message and changes the destination address to 255.255.255.255 (local broadcast)

Information Stored at the DHCP Server
- Types of settings the DHCP server needs to know to support DHCP clients:
  - Subnet ID and mask: lets the server know all addresses in the subnet
  - Reserved (excluded) addresses: lets the server know which addresses in the subnet not to lease
  - Default router(s): IP address of the router on that subnet
  - DNS IP address(es): list of DNS server IP addresses
  - Additional parameters: maximum time limit for the lease, allocation mode, TFTP server setting etc.
- DHCP's three allocation modes:
  - Dynamic allocation: DHCP dynamically leases IP addresses
  - Automatic allocation: sets the DHCP lease time to infinite; hands out permanent IP addresses
  - Static allocation: a manually preconfigured IP address is sent to the client by the DHCP server
- TFTP server setting: Cisco IP phones need TFTP to retrieve configuration files when the phone initialises

DHCP Server Configuration on Routers
- DHCP pool: per-subnet settings go into a per-subnet DHCP pool; the ip dhcp excluded-address command sits outside the DHCP pool

- Subnet 172.16.2.0/24 configuration:
  - Reserves 172.16.2.0 to 172.16.2.100
  - Sets the default router's IP address 172.16.2.1
  - Sets the DNS server's IP address 172.16.1.12
  - Sets the lease time to 1 day, 2 hours and 3 minutes
  - Sets the TFTP server IP address of UCM (Unified Communications Manager) as 172.16.2.5
- R1 needs the ip helper-address command to serve as DHCP relay agent to the DHCP server at R2

IOS DHCP Server Verification

- Output does not list the excluded addresses; the addresses begin from the first leasable address
- IPv4 DHCP server = stateful DHCP server, i.e. the DHCP server keeps status information (DHCP client ID, IP address leased to the client) about each DHCP client that leases an address

Troubleshooting DHCP Services

DHCP Relay Agent Configuration Mistakes and Symptoms
- Problem: missing configuration or omission of ip helper-address on DHCP relay agents
- Consequence: the router does not attempt to forward DHCP messages at all, or forwards them to an address that is not the actual DHCP server
- Solution: find the router connected to the host's subnet and correct the ip helper-address subcommands
- Points to remember:
  - The DHCP relay agent feature is only needed on an interface if the DHCP server is on a different subnet
  - In ROAS configurations, subinterfaces require ip helper-address commands
  - show ip interface [type number] command to view ip helper-address settings on an interface
  - Example: ip helper-address 172.16.2.11

IOS DHCP Server Configuration Mistakes and Symptoms
- Factors in a failed DHCP lease process:
  - The packet from the relay agent to the DHCP server uses the relay agent's interface IP address as the source IP address
  - The DHCP server compares the source IP address to its network commands to find the right pool
  - Each network subnet mask implies a range of addresses
  - If the source IP address is not in the range of addresses implied by a network command, the DHCP server does not reply at all
  - Every interface with an ip helper-address command configured should be included in a pool defined at the IOS DHCP server
- Mistakes and symptoms:
  - If the DNS server IP addresses are incorrectly configured or omitted, hosts fail to resolve hostnames to IP addresses

  - If the default gateway IP address is incorrectly configured or omitted, hosts cannot communicate outside the local subnet
  - If the TFTP server IP address is incorrectly configured or omitted, an IP phone fails to correctly load its configuration

IP Connectivity from DHCP Relay Agent to DHCP Server
- IP broadcast packets must flow between the client and the relay agent, and IP unicast packets must flow between the relay agent and the DHCP server

LAN Connectivity Between the DHCP Client and Relay Agent
- When a packet uses 255.255.255.255:
  - the address is called the local broadcast address
  - packets sent to this address are not forwarded as-is by routers
  - broadcast packets are encapsulated in an Ethernet frame with broadcast destination address FFFF.FFFF.FFFF

Summary of DHCP Troubleshooting
- The network may have outages, and DHCP clients that have already leased an address can continue to work without any problem

Detecting Conflicts with Offered Versus Used Addresses
- No protocol can prevent a host from statically configuring and using an IP address from within the range of addresses used by the DHCP server
- Conflict: when a host statically configures an address from within the range of addresses in the DHCP pool
- DHCP solutions:
  - Server side: the DHCP server pings an address before offering a new IP address to a client; if the server receives a response to the ping, some other host must already be using the address => conflict; DHCP does not offer the address
  - Client side: the DHCP client sends a gratuitous (uncalled for) ARP request for the address offered by DHCP; if another host replies, there is a conflict; the client sends a DHCP message back to the server, rejecting the use of the address already in use
- show ip dhcp conflict: lists the method through which the server added each address to the conflict list (gratuitous ARP by client, or ping by server)
- The server avoids offering conflicted addresses until the clear ip dhcp conflict command clears the list

Verifying Host IPv4 Settings

IP Address and Mask Configuration
- Almost every OS has a window that lists many IPv4 settings in one place
- Network commands: ipconfig (Windows) or ifconfig (Linux and Mac OS)

Name Resolution with DNS
- Routers and switches do not need to pay attention to DNS messages, i.e. they take no special action and forward them like any normal frame/packet
- Step 1: 10.1.1.1 sends a DNS request to DNS server 10.3.3.3 to resolve the IP address of Server1
- Step 2: The DNS server sends a DNS reply containing the resolved IP address of Server1 (10.1.2.3) to 10.1.1.1
- Step 3: 10.1.1.1 sends data to Server1, with destination address 10.1.2.3
- All destination IP addresses are known unicast addresses, so no router/switch action is required to support DNS

Default Routers
- Two-part host routing choice:
  - If the packet is destined for a host in the same subnet, the local host sends the packet directly
  - If the packet is destined for a host in a different subnet, the local host sends the packet to the default gateway
- Check settings in the router CLI: show interfaces, show ip interface brief, show protocols, show running-config
- Check VLAN assignments in the switch CLI: show interfaces status, show vlan, show interfaces switchport
- netstat -rn: displays the default gateway IP address as the default route
- Host A needs an ARP entry for Host D (for a local packet) and for R1 (for a remote packet)
- arp -a: shows the host's ARP table
  - Only local IP addresses are listed

IPv4 Address Types
- Unicast, multicast and broadcast addresses

Review of Unicast (Class A, B, and C) IP Addresses
- Unicast IP addresses identify one interface on one device to IP
- Examples:
  - Router with four LAN interfaces and two WAN interfaces = 6 unicast addresses
  - PC with Ethernet NIC and wireless NIC = 2 unicast addresses

IP Broadcast Addresses
- Different types of IPv4 broadcast addresses:

- Step 1: Host 1 sends a broadcast message destined to 10.1.1.255 to its default gateway, R1
- Step 2: R1 forwards the packet to subnet 10.1.1.0/24
- Step 3: R2 encapsulates the packet into a local broadcast frame and floods it out all ports
- Security vulnerability: a ping to a subnet broadcast address causes many hosts to reply

- Cisco default setting of no ip directed-broadcast: disables forwarding of subnet broadcasts onto the connected subnet (Step 3)

IPv4 Multicast Addresses (Class D Addresses)
- Used mainly for applications: e.g. send 1 packet to a subnet, which gets copied 10 times and delivered to all 10 hosts in the subnet
- A host uses its unicast IP address for normal traffic, and a multicast IP address for the multicast application
- A host registers with its local router to receive packets with destination address 226.1.1.1
- Step 1: The server on the left generates and sends a multicast packet
- Step 2: Router R1 replicates the packet to send a copy to both R2 ...
- Step 3: ... and R3. R1 does not replicate and send a copy to R4 because no hosts near R4 are listening for packets sent to 226.1.1.1
- Step 4: R2 forwards the packet out all interfaces since at least one host in each of its branches registered and is listening for packets sent to 226.1.1.1
- Step 5: R3 knows that only one of its LAN interfaces connects to a subnet with hosts listening for packets sent to 226.1.1.1, and forwards a copy of the packet out that one interface only
- Unicast versus multicast IP addresses:

  Unicast IP address                                        | Multicast IP address
  Uses Class A, B, and C addresses                          | Uses Class D addresses
  Identifies a single interface on a single device          | Identifies multiple interfaces across multiple devices
  Can be used as both source and destination IP address     | Can only be used as destination address
  Routers use ARP caches to find the associated MAC address | MAC address is formed by 25-bit prefix (01-00-5E) + last 23 bits of IP address

- Multicast frame forwarding; one of the following:
  - the switch floods the multicast frame as if it were a broadcast
  - the switch uses other Ethernet multicast features that flood the frame only to those devices that registered to receive a copy

Comparing and Contrasting IP Address Types

Part V Revision

Key Terms You Should Know
- Chapter 17: Bandwidth, Clock rate
- Chapter 18: Default gateway/router, ARP table, Routing table, Next-hop router, Outgoing interface, Subinterface, VLAN interface, Layer 3 switch, Connected route, Static route, Default route, Host route, Floating static route, Network route, Administrative distance
- Chapter 19: Distance vector, Exterior gateway protocol (EGP), Interior gateway protocol (IGP), Metric, Routing update, Contiguous network, Discontiguous network, Autosummarisation, Passive interface, IP routing table, Hop count
- Chapter 20: DHCP client, DHCP server, DHCP relay agent, Local broadcast IP address, Subnet broadcast IP address, Network broadcast IP address, Multicast IP address, DNS Request, DNS Reply

Part VI - IPv4 Design and Troubleshooting

Chapter 21 - Subnet Design

Choosing the Mask(s) to Meet Requirements
- Assumed to exist already:
  - number of subnets
  - number of hosts per subnet
  - network number to be subnetted
  - choice of a single mask

Review: Choosing the Minimum Number of Subnet and Host Bits
- At least 2^S subnets and 2^H - 2 hosts/subnet
- Step 1: Determine the number of network bits based on class
- Step 2: Determine the smallest value of S such that 2^S >= required number of subnets
- Step 3: Determine the smallest value of H such that 2^H - 2 >= required number of hosts/subnet

No Masks Meet Requirements
- If the network bits plus the minimum number of subnet bits plus the minimum number of host bits exceed 32, no subnet mask fits into the 32-bit mask => INVALID SUBNET

One Mask Meets Requirements
- If network bits + subnet bits + host bits = exactly 32, there is only one mask that meets the requirements

Multiple Masks Meet Requirements

Finding All the Masks: Concepts
- For network 172.16.0.0:
  - Network bits: 16
  - Subnet bits: 6 (50 subnets)
  - Host bits: 8 (180 hosts/subnet)
- Network and subnet bits on the far left
- Host bits on the far right

Finding All the Masks: Math
- Math to find the range of masks that meet the requirements

Choosing the Best Mask
- Longer prefix mask maximises the number of subnet bits
- Shorter prefix mask maximises the number of host bits
- A mask in the middle provides growth in both subnets and hosts/subnet

The Formal Process
- Summary of the formal process:

Finding All Subnet IDs
- First subnet ID = network ID

First Subnet ID: The Zero Subnet
- First subnet ID = subnet zero or zero subnet = classful network ID
- ip subnet-zero: allows configuration of addresses in the zero subnet
- no ip subnet-zero: prevents configuration of addresses in the zero subnet
- Router rejects use of an address in subnet zero with "bad mask"

Finding the Pattern Using the Magic Number
- Magic number = 256 - decimal value of the interesting octet, e.g. for 172.16.0.0 255.255.128.0 the magic number is 256 - 128 = 128

- Number of subnets in a network = 256 / {256 - (interesting octet)}

A Formal Process with Less Than 8 Subnet Bits

Example 1: Network 172.16.0.0 255.255.240.0
- Magic number = 256 - 240 = 16
- Subnet zero = 172.16.0.0
- Subnet IDs = 172.16.0.0, 172.16.16.0, 172.16.32.0, ... (add 16 to the interesting octet each time)

Finding All Subnets with Exactly 8 Subnet Bits
- Two cases of subnets with exactly 8 subnet bits:
  - Class A network with mask 255.255.0.0 or 255.255.255.0
  - Class B network with mask 255.255.255.0
- Interesting octet is the subnet octet
- Magic number = 256 - 255 = 1, so subnet IDs increase by 1

Finding All Subnets with More Than 8 Subnet Bits
- Process for 9 - 16 subnet bits, and for 17+ subnet bits

Process with 9 - 16 Subnet Bits
- Octet to the left of the interesting octet => just-left octet
- Step 1: Calculate the interesting octet's subnet IDs as usual (create a "subnet block")
- Step 2: Replicate the subnet block for each increasing value of the just-left octet ...
- Step 3: ... until you reach 255, when you go no further

Process with 17 or More Subnet Bits
- At least 2^17 (131,072) subnets
- Only Class A networks can be subnetted in this way
- Subnet blocks within subnet blocks
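The two procedures above, choosing the masks that meet a subnet/host requirement and listing every subnet ID with the magic number (including the just-left-octet replication for 9-16 and 17+ subnet bits), as an added worked example in Python; this is not code from the study notes, and the 172.16.0.0 figures (50 subnets, 180 hosts, mask 255.255.240.0) are the notes' own examples.

```python
"""Subnet-design helpers: candidate masks and subnet-ID enumeration (added example)."""
import itertools

# Network bits implied by the first octet of a classful network.
CLASS_NETWORK_BITS = {"A": 8, "B": 16, "C": 24}


def address_class(network):
    """Return 'A', 'B' or 'C' from the first octet (classful rules)."""
    first = int(network.split(".")[0])
    if first < 128:
        return "A"
    if first < 192:
        return "B"
    if first < 224:
        return "C"
    raise ValueError("not a Class A, B or C network: %s" % network)


def min_subnet_bits(subnets):
    """Smallest S with 2**S >= required subnets (Step 2)."""
    s = 0
    while 2 ** s < subnets:
        s += 1
    return s


def min_host_bits(hosts):
    """Smallest H with 2**H - 2 >= required hosts per subnet (Step 3)."""
    h = 1
    while 2 ** h - 2 < hosts:
        h += 1
    return h


def candidate_masks(network, subnets, hosts):
    """Every prefix length that meets the requirements, shortest first.

    Returns [] when network + subnet + host bits exceed 32 (no mask fits) and a
    single-element list when they sum to exactly 32 (one mask fits).
    """
    n = CLASS_NETWORK_BITS[address_class(network)]
    s = min_subnet_bits(subnets)
    h = min_host_bits(hosts)
    if n + s + h > 32:
        return []
    # /(n+s) spends every spare bit on hosts; /(32-h) spends them on subnets.
    return list(range(n + s, 32 - h + 1))


def mask_octets(prefix):
    """Dotted-decimal mask for /prefix as a list of four ints."""
    mask = (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF
    return [(mask >> shift) & 0xFF for shift in (24, 16, 8, 0)]


def subnet_ids(network, prefix):
    """All subnet IDs of a classful network under /prefix via the magic number.

    The interesting octet is the one holding the last subnet bit; its values step
    by magic = 256 - mask octet. Octets between the network part and the
    interesting octet (the just-left octets) cycle through 0..255, which is the
    subnet-block replication used for 9-16 and 17+ subnet bits.
    """
    n = CLASS_NETWORK_BITS[address_class(network)]
    octets = [int(o) for o in network.split(".")]
    if prefix <= n:
        return [network]                       # no subnetting at all
    interesting = (prefix - 1) // 8
    magic = 256 - mask_octets(prefix)[interesting]
    first_subnet_octet = n // 8                # first octet right of the network part
    spans = [range(256)] * (interesting - first_subnet_octet)
    spans.append(range(0, 256, magic))
    ids = []
    for combo in itertools.product(*spans):
        parts = octets[:first_subnet_octet] + list(combo)
        parts += [0] * (4 - len(parts))
        ids.append(".".join(str(p) for p in parts))
    return ids


if __name__ == "__main__":
    print("masks for 172.16.0.0, 50 subnets x 180 hosts:",
          candidate_masks("172.16.0.0", 50, 180))
    print("172.16.0.0 255.255.240.0 subnet IDs:", subnet_ids("172.16.0.0", 20))
```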

Chapter 22 - Variable-Length Subnet Masks

VLSM Concepts and Configuration
- VLSM: when an internetwork uses more than one mask for different subnets of a single classful network
- Using more than one mask in a single classful network
- If 10.0.0.0 uses 1 mask and 11.0.0.0 uses 1 mask, there is no VLSM
- Fewer wasted IP addresses; fewer IP assignments by authorities in public networks

Classless and Classful Routing Protocols
- To support VLSM, a routing protocol must advertise the mask along with each subnet; classful routing protocols do not

VLSM Configuration and Verification
- No way to disable/enable VLSM support in a classless routing protocol
- VLSM is a side effect of the ip address interface subcommand
- show ip route lists the subnet mask of each listed subnet

Finding VLSM Overlaps

Designing Subnetting Plans with VLSM
- Possible brand-new VLSM design
- VLSM overlapped subnet IDs cannot be used
- Routing problems occur when overlapping subnets are implemented => some hosts cannot communicate outside their subnets
- Look at the entire range of addresses to find VLSM overlaps

An Example of Finding a VLSM Overlap
- Find the address range of all subnet IDs to determine overlaps
- Hosts being unable to ping each other may point to an overlap as the root cause
- Example:

Adding a New Subnet to an Existing VLSM Design
- IP Address Management (IPAM)
- Question: add a new subnet with mask ___ to the design

An Example of Adding a New VLSM Subnet
- Step 1: Select the prefix mask for a subnet with 300 hosts:
  - Minimum 9 host bits (510 hosts/subnet)
  - Prefix mask: /23 (32 total bits - 9 host bits)
- Step 2: List the first five possible /23 subnets:
  - 172.16.0.0 - 172.16.1.255
  - 172.16.2.0 - 172.16.3.255
  - 172.16.4.0 - 172.16.5.255
  - 172.16.6.0 - 172.16.7.255
  - 172.16.8.0 - 172.16.9.255
- Step 3: List the existing subnet address ranges:
  - 172.16.2.0 - 172.16.3.255
  - 172.16.4.0 - 172.16.5.255
  - 172.16.6.0 - 172.16.6.255
  - 172.16.9.0 - 172.16.9.3
  - 172.16.9.4 - 172.16.9.7
- Step 4: Compare the Step 2 and Step 3 lists to find overlaps
- Step 5: Numerically lowest subnet number: 172.16.0.0/23
- The zero subnet should be avoided if:
  - (a) the question implies use of classful routing protocols
  - (b) the routers are configured with the no ip subnet-zero command
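The five-step procedure above, plus the pairwise overlap check from "An Example of Finding a VLSM Overlap", as an added worked example in Python (not code from the study notes). The existing subnets are the Step 3 ranges written as prefixes; the optional zero-subnet skip is the notes' own caveat about classful routing protocols and no ip subnet-zero.

```python
"""Finding VLSM overlaps and adding a new VLSM subnet (added example)."""
from ipaddress import IPv4Network

# Existing design from Step 3, constructed from the listed address ranges.
EXISTING = [IPv4Network(s) for s in (
    "172.16.2.0/23",   # 172.16.2.0 - 172.16.3.255
    "172.16.4.0/23",   # 172.16.4.0 - 172.16.5.255
    "172.16.6.0/24",   # 172.16.6.0 - 172.16.6.255
    "172.16.9.0/30",   # 172.16.9.0 - 172.16.9.3
    "172.16.9.4/30",   # 172.16.9.4 - 172.16.9.7
)]


def _net(value):
    """Accept either an IPv4Network or a 'subnet/prefix' string."""
    return value if isinstance(value, IPv4Network) else IPv4Network(value)


def prefix_for_hosts(hosts):
    """Step 1: smallest H with 2**H - 2 >= hosts, returned as the /prefix length."""
    h = 1
    while 2 ** h - 2 < hosts:
        h += 1
    return 32 - h


def address_range(net):
    """Subnet ID and subnet broadcast address, as in the Step 2 and Step 3 lists."""
    net = _net(net)
    return str(net.network_address), str(net.broadcast_address)


def overlapping(candidate, existing):
    """Step 4: the existing subnets whose address range overlaps the candidate's."""
    candidate = _net(candidate)
    return [str(n) for n in existing if candidate.overlaps(_net(n))]


def find_overlaps(subnets):
    """Pairwise overlap check over a whole design (Finding VLSM Overlaps)."""
    nets = [_net(s) for s in subnets]
    pairs = []
    for i, a in enumerate(nets):
        for b in nets[i + 1:]:
            if a.overlaps(b):
                pairs.append((str(a), str(b)))
    return pairs


def first_free_subnet(network, prefix, existing, allow_zero_subnet=True):
    """Steps 2 and 5: lowest /prefix subnet of `network` that overlaps nothing.

    With allow_zero_subnet=False the zero subnet is skipped, as the notes advise
    when a classful routing protocol or no ip subnet-zero is in play.
    """
    parent = _net(network)
    for candidate in parent.subnets(new_prefix=prefix):
        if not allow_zero_subnet and candidate.network_address == parent.network_address:
            continue
        if not overlapping(candidate, existing):
            return str(candidate)
    return None          # the block is full at this prefix length


if __name__ == "__main__":
    plen = prefix_for_hosts(300)
    print("prefix for 300 hosts: /%d" % plen)
    for cand in list(IPv4Network("172.16.0.0/16").subnets(new_prefix=plen))[:5]:
        print(cand, address_range(cand), "overlaps:", overlapping(cand, EXISTING))
    print("chosen:", first_free_subnet("172.16.0.0/16", plen, EXISTING))
    print("chosen, zero subnet avoided:",
          first_free_subnet("172.16.0.0/16", plen, EXISTING, allow_zero_subnet=False))
```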

Chapter 23 - IPv4 Troubleshooting Tools

Problem Isolation Using the ping Command

Ping Command Basics
- ping tests connectivity by sending a packet to an IP address that says "if it is addressed to you, send a reply back"
- ping uses ICMP echo request and ICMP echo reply messages
- Step 1: Host A issues ping 172.16.2.101 and sends a packet with an ICMP echo request
- Step 2: Host B sends an ICMP echo reply on receipt of the ICMP echo request
- Output fields: packet size | source IP address | ICMP sequence number | time-to-live | time taken

Strategies and Results When Testing with the ping Command
- Customer Support Representative (CSR)
- No single router ping can replicate a user's ping

Testing Longer Routes from Near the Source of the Problem
- Best option: ping from the host; if unavailable, ping from the nearest router
- Default ping settings: five echo messages, 2-second timeout
  - If timeout, a period (.) is listed
  - If success, an exclamation mark (!) is listed
- Common behaviour: the first ping shows one failure to start because some device is missing an ARP table entry
- What the ping tells us about this internetwork:
  - R1 can send ICMP echo request messages to host B
  - R1's 172.16.4.1 interface can send ICMP echo request messages to host B
  - Host B can send ICMP echo reply messages to R1's 172.16.4.1
  - R1 has a route (static or protocol-learned) that matches host B's address (fig. 23-3)
  - Host B has a valid default router setting
  - R2 has a route for 172.16.4.1 (connected route)
  - Data link and physical layer details are working
    - Serial link is working
    - Router LAN/serial interfaces are up/up
  - All Ethernet LAN features are working
    - Switch interfaces are in a connected (up/up) state
    - Port security does not filter frames sent by R2 or host B
    - STP has placed the right ports into forwarding state
  - ACLs did not filter ICMP messages (fig. 23-4)
  - ARP worked on R2 and host B, and they have matching ARP table entries (fig. 23-5)
  - SW2 learned MAC addresses for its MAC address table

Using Extended Ping to Test the Reverse Route
- Standard ping uses the router's outgoing interface as the source interface and cannot test the reverse route to the host's subnet
- Extended ping allows use of the router's LAN IP address from within the host's subnet
- Extended ping: the ping command followed by Enter, with guided options
- ping 172.16.2.101 source 172.16.1.1
- Extended ping tests the same forward route, but the reverse route now has to reach the host's subnet, not the router's outgoing interface in another subnet
- Standard and extended pings cannot test for:
  - ACL: the router looks at packets as they exit or enter an interface, compares header fields, and if matched, either discards the packet or lets it through

- R1 issues ping 172.16.1.51 to test LAN connectivity and confirm:
  - The host with address 172.16.1.51 replied
  - The LAN can pass unicast frames from R1 to host 172.16.1.51 and vice versa
  - The switches learned the MAC addresses of the router and the host, adding those to their MAC address tables
  - Host A and router R1 completed the ARP process and list each other in their respective ARP tables
- Potential root causes in case of failure:

Testing LAN Neighbours with Extended Ping
- Extended ping can test the host's default router setting
- Both standard and extended tests can be useful because:
  - Step 1: R1 sends an ICMP echo request from a source interface not in the host's subnet
  - Step 2: Host A decides to use the default router because the destination address is in another subnet
  - Step 3: Host A sends the ICMP echo reply to R1's interface not in its subnet

Testing WAN Neighbours with Standard Ping
- A standard ping across a serial WAN link confirms an IP packet can be sent over the link and back
- A successful standard ping confirms that:
  - Both routers' serial interfaces are in an up/up state
  - The Layer 1 and 2 features of the link work
  - The routers believe that the neighbouring router's IP address is in the same subnet
  - Inbound ACLs on both routers do not filter the incoming packets
  - The remote router is configured with the expected IP address
- ping does not confirm:
  - routes for subnets on the LANs
  - hosts' ACL issues

Using Ping with Names and with IP Addresses
- ping can use hostnames, which allows testing of the DNS process
- ping B on host A makes it look in its local DNS name cache; if it has not already resolved the name B, it asks the DNS server to resolve the name
- If a ping of the hostname fails but a ping of the IP address works, the problem usually has to do with DNS

Problem Isolation Using the traceroute Command
- Similarity of ping and traceroute:

traceroute Basics
- Identifies the next-hop IP address of each router

How the traceroute Command Works
- traceroute uses the ICMP Time-to-Live Exceeded (TTL Exceeded) message, originally used to notify hosts when a packet is in a routing loop
- The originating device sets the initial TTL value; each forwarding router decreases the TTL by 1, and the packet is discarded if TTL = 0, with the sending host notified by a TTL Exceeded message
- Step 1: Host A issues a traceroute command and sends a packet with TTL = 1 to its (default) router
- Step 2: R1 subtracts 1 from the TTL value, which triggers a TTL Exceeded error
- Step 3: R1 sends a TTL Exceeded message to Host A with the source address of R1's LAN interface
- traceroute sends packets with increasing TTL values to reach the next routers
- Step 1: The traceroute command sends a packet from the second set with TTL = 2
- Step 2: R1 decrements the TTL to 1 and forwards the packet
- Step 3: R2 decrements the TTL to 0 and discards the packet
- Step 4: R2 notifies the sending host of the discarded packet by sending a TTL Exceeded ICMP message with the source address of its incoming interface
- Routers use as source the address of the interface on which the original message was received and discarded

Standard and Extended traceroute
- Extended traceroute lets the user choose the source address
- traceroute with guided parameters:
  - Windows: tracert, pathping
  - Linux/Mac OS X: traceroute
- Host OS traceroute usually creates ICMP echo requests, while Cisco IOS traceroute creates IP packets with a UDP header

Using traceroute to Isolate the Problem to Two Routers
- Where to look next to isolate the problem:

- Successful listing of R2 confirms:
  - R1's forward route to 5.5.5.5
  - R2's reverse route to 1.1.1.1
- Successful listing of R3 confirms:
  - R1's forward route to 5.5.5.5
  - R2's forward route to 5.5.5.5
  - R3's reverse route to 1.1.1.1
  - R2's reverse route to 1.1.1.1
- Failure to list R4 indicates:
  - R3's problem with the forward route to 5.5.5.5, OR
  - R4's problem with the reverse route to 1.1.1.1

Telnet and SSH

Common Reasons to Use the IOS Telnet and SSH Client
- Telnet/SSH from host to router or from router to router
- Telnet/SSH from host to router may fail, but individual links may still work, allowing Telnet/SSH from a router to a router

IOS Telnet and SSH Examples
- R1 using Telnet to connect to R2: telnet 10.1.2.2 => local username authentication => show ip interface brief
- ssh -l username host connects to a router with the SSH client
  - -l: the next parameter is the login username; the username is not required again at local username authentication
- exit or quit logs out from the Telnet/SSH connection
- IOS supports hotkeys for moving between connections

Chapter 24 - Troubleshooting IPv4 Routing

Problems Between the Host and the Default Router

Root Causes Based on a Host's IPv4 Settings
- A host's four key settings can be learnt by static configuration or DHCP

Ensure IPv4 Settings Correctly Match
- ipconfig/ifconfig shows the IPv4 settings
- The DNS server setting should match the actual DNS server IP addresses
- Compare show interfaces G0/0 to ipconfig /all

Mismatched Masks Impact Route to Reach Subnet
- Host A's subnet mask implies an address range of 10.1.1.0 - 10.1.1.255, so a destination address NOT within the range will be sent to 10.1.1.150/25
- R1's subnet mask implies an address range of 10.1.1.128 - 10.1.1.255, and host A is NOT within the connected route to 10.1.1.128/25
- The connected route to 10.1.1.128/25, which does NOT include 10.1.1.9/24, is advertised by OSPF
- Hosts should use the same subnet mask as the default router, and the two devices should be in the same subnet

Typical Root Causes of DNS Problems
- When ping and traceroute with names fail but with IP addresses succeed, there is a problem with the DNS setting
- If the DNS server is statically configured, change the setting
- If the DNS server is learned with DHCP, examine the DHCP server configuration, and if using the IOS DHCP server feature, change the setting with dns-server server-address in DHCP pool configuration mode
- Two packet flows can have IP connectivity issues
- A router must have the ip name-server dns1-address dns2-address... and ip domain-lookup (default) global commands

Wrong Default Router IP Address Setting
- Incorrect default router setting => hosts unable to send packets to a different subnet
- Sending within the LAN works; it does not require a default router

Root Causes Based on the Default Router's Configuration
- The LAN between host and router must work
- The router and its interfaces must work

DHCP Issues
- The router needs to enable DHCP Relay to let DHCP messages cross subnets (ip helper-address DHCP-server-address)
- Step 1: Host A sends a DHCP Discover message to 255.255.255.255 / ff:ff:ff:ff:ff:ff (local subnet broadcast address)
- Step 2: R1, with the ip helper-address 172.16.2.11 command, changes the destination address to the DHCP server address as configured in the ip helper-address command, and the source address to that of the incoming interface
- For ROAS, each subinterface needs to be configured with the ip helper-address command
- To test IP connectivity between the DHCP relay agent and the DHCP server, use extended ping or extended traceroute, with the source address of the incoming interface and the destination address of the DHCP server

Router LAN Interface and LAN Issues
- If the host and default router cannot send packets to each other, the root causes fall into:
  - Problems that cause the router LAN interface to fail
  - Problems with the LAN itself
- The router LAN interface must be in an up/up state to receive/send packets => if not, find the root cause for the router interface not being up
- LAN details, like Ethernet cable pinouts, port security and STP, may cause LAN issues
- speed 1000 command on the router and speed 100 on the switch causes a down/down state

Problems with Routing Packets Between Routers

IP Forwarding by Matching the Most Specific Route
- The following router features can create overlapping subnets:
  - Autosummarisation
  - Manual route summarisation
  - Static routes
  - Incorrectly designed subnetting plans that cause subnets to overlap their address ranges
- If a packet's destination address matches one route, the router uses that one route
- If more than one route matches a packet's destination address:

Using show ip route and Subnet Math to Find the Best Route
- show ip route ospf lists only OSPF-learned routes, but the statistics for numbers of subnets and masks are for all routes
- When an address matches more than one route, the route with the longer prefix length is used
- Example destination IP addresses and their matching routes:

  Address    | Matching routes                                                        | Longest prefix | Route used
  172.16.1.1 | 172.16.1.1/32, 172.16.1.0/24, 172.16.0.0/22, 172.16.0.0/16, 0.0.0.0/0 | /32            | 172.16.1.1/32 (local route)
  172.16.1.2 | 172.16.1.0/24, 172.16.0.0/22, 172.16.0.0/16, 0.0.0.0/0                | /24            | 172.16.1.0/24
  172.16.2.3 | 172.16.0.0/22, 172.16.0.0/16, 0.0.0.0/0                               | /22            | 172.16.0.0/22
  172.16.4.3 | 172.16.0.0/16, 0.0.0.0/0                                              | /16            | 172.16.0.0/16
  172.17.1.1 | 0.0.0.0/0                                                             | /0             | 0.0.0.0/0 (default route)

Using show ip route address to Find the Best Route
- The router lists the route it would use to route a packet sent to the address given as the parameter
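The longest-prefix-match logic above, carried out with the subnet math a router performs (destination AND mask compared with subnet ID AND mask), as an added worked example in Python; this is not code from the study notes, and the routing table is constructed from the five prefixes in the table above, with no next-hop addresses since the notes give none.

```python
"""Longest-prefix match with plain subnet math (added example)."""

# Constructed routing table: the five prefixes from the example above.
ROUTES = [
    "172.16.1.1/32",   # local route (the router's own interface address)
    "172.16.1.0/24",
    "172.16.0.0/22",
    "172.16.0.0/16",
    "0.0.0.0/0",       # default route
]


def to_int(dotted):
    """Dotted-decimal IPv4 address to a 32-bit integer."""
    a, b, c, d = (int(x) for x in dotted.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d


def mask_for(prefixlen):
    """32-bit mask for /prefixlen; /0 yields 0, so a default route matches everything."""
    return (0xFFFFFFFF << (32 - prefixlen)) & 0xFFFFFFFF


def route_matches(dest, route):
    """Subnet math: a route matches when (dest AND mask) == (subnet ID AND mask)."""
    subnet, plen = route.split("/")
    mask = mask_for(int(plen))
    return (to_int(dest) & mask) == (to_int(subnet) & mask)


def matching_routes(dest, routes=ROUTES):
    """Every route whose address range contains dest, in table order."""
    return [r for r in routes if route_matches(dest, r)]


def best_route(dest, routes=ROUTES):
    """Longest-prefix match: of the matching routes, keep the longest /prefix.

    Returns None only when nothing matches, i.e. when the table has no default
    route either; the router would then drop the packet.
    """
    matches = matching_routes(dest, routes)
    if not matches:
        return None
    return max(matches, key=lambda r: int(r.split("/")[1]))


if __name__ == "__main__":
    for dest in ("172.16.1.1", "172.16.1.2", "172.16.2.3", "172.16.4.3", "172.17.1.1"):
        print(dest, "matches", matching_routes(dest), "-> uses", best_route(dest))
```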

show ip route Reference

Routing Problems Caused by Incorrect Addressing Plans
- One router can claim to be connected to a subnet with one address range, while another router claims to be connected to another subnet with an overlapping range

Recognising When VLSM Is Used or Not
- An internetwork is considered to be using VLSM when multiple subnet masks are used for different subnets of a single classful network
- VLSM does not apply when all 10.0.0.0 subnets use /20, all 172.16.0.0 subnets use /24, etc.
- Only classless routing protocols can support VLSM:
  - RIPv2
  - OSPF
  - EIGRP

Overlaps When Not Using VLSM
- Overlap when all subnets use the same mask => exact same subnet ID, exact same address range
- Both R3 and R4 advertise 10.1.1.128/25 with OSPF
- R1 will send to R4, R2 will send to R3
- No IP addressing plan should use the same subnet on two different LANs

Overlaps When Using VLSM
- Overlaps between subnets with different masks (i.e. when using VLSM) cause a partial overlap
- Problems occur for some destinations within the overlapped ranges
- 172.16.5.0/24 (172.16.5.0 - 172.16.5.255) completely overlaps with part of 172.16.4.0/23 (172.16.4.0 - 172.16.5.255)
- ping commands fail, and traceroute commands complete for only certain hosts
- The subnet with overlapping addresses should be changed

Configuring Overlapping VLSM Subnets
- IOS overlap recognition:

- IOS only performs the subnet overlap check for interfaces that are not in a shutdown state
- IOS accepts IP address configurations that overlap with shutdown interfaces
- When no shutdown is issued on the overlapping interface, the interface stays shut down until the overlap condition has been resolved
- Allowing of overlaps on different routers:

Pointers to Related Troubleshooting Topics
Router WAN Interface Status
- For a serial link, both routers must have working serial interfaces in an up/up state before they can send IPv4 packets to each other
- The two routers should have serial IP addresses in the same subnet

Filtering Packets with Access Lists

- A device can monitor packets during the forwarding process, compare those packets to a list of rules, and filter some packets based on those rules => ACLs

Part VI Revision
Key Terms You Should Know (terms and definitions)
- Chapter 21: Zero subnet, Subnet zero, Broadcast subnet
- Chapter 22: Classful routing protocol, Classless routing protocol, Overlapping subnets, Variable-length subnet masks (VLSM)
- Chapter 23: Ping, Traceroute, ICMP echo request, ICMP echo reply, Extended ping, Forward route, Reverse route, DNS
- Chapter 24:

Part VII - IPv4 Services: ACLs and NAT

Chapter 25 - Basic IPv4 Access Control Lists
IPv4 Access Control List Basics
- ACL configuration lists values the router can see in IP, TCP, UDP etc. headers:
  - Source/destination IP address
  - Source/destination TCP/UDP port
- ACL features:
  - Packet filter

  - QoS (Quality of Service): give some packets (e.g. voice) faster service or slower service

ACL Location and Direction
- Inbound ACL: applied before the router makes its forwarding decision
- Outbound ACL: applied after the router makes its forwarding decision and has determined the exit interface
- Locations to filter packets going left to right:
  - R1's inbound F0/0
  - R1's outbound S0/0/0
  - R2's inbound S0/0/1
  - R2's outbound F0/0
- An inbound ACL on R2's F0/0 would NOT filter packets going left to right

Matching Packets
- ACL command logic: "look for these values in the packet header, and if found, discard/allow the packet"
- When the ACL is enabled, R2 examines every inbound IP packet on S0/0/1: packets sent by host A (10.1.1.1) are allowed through, and those sourced by host B (10.1.1.2) are discarded

Taking Action When a Match Occurs
- deny: discard the packet
- permit: allow the packet as if the ACL did not exist
- A router can also use permit in an ACL to select the packets to which NAT applies

Types of IP ACLs
- ACL features:
  - Standard numbered ACLs (1-99)
  - Extended numbered ACLs (100-199)
  - Additional ACL numbers (1300-1999 standard, 2000-2699 extended)
  - Named ACLs
  - Improved editing with sequence numbers

Standard Numbered IPv4 ACLs
- Standard: matches only the source IP address of the packet
- Numbered: identifies ACLs using numbers rather than names
- IPv4: looks at IPv4 packets
- ACLs: Cisco filters

List Logic with IP ACLs
- ACL processing:

- Host A matches all 3 ACL lines, but the first match is for source address 10.1.1.1, which is to permit

- Host B matches the last 2 ACL lines, but the first match is for source address 10.1.1.0 0.0.0.255, which is to deny
- Host C matches only the last ACL line, for source address 10.0.0.0 0.255.255.255, which is to permit
- If a packet does not match any item in the ACL, the packet is discarded (default: implicit deny any)

Matching Logic and Command Syntax
- Standard numbered ACLs: access-list {1-99} {permit | deny} matching-parameters

Matching the Exact IP Address
- To match the exact, entire source IP address, use: access-list ACL-no. {permit | deny} host-address
  - Example: access-list 1 permit 10.1.1.1
- Earlier IOS versions used the host keyword before the address; later IOS versions still accept the command, but remove the keyword
  - Example: access-list 1 permit host 10.1.1.1

Matching a Subset of the Address with Wildcards
- The wildcard mask (WC mask) tells IOS to ignore parts of the address when making comparisons, essentially treating those parts as wildcards, as if they already matched

- 0.0.0.255: the last octet is ignored as a wildcard = 10.1.2.x
- 0.0.255.255: the last two octets are ignored as wildcards = 10.1.x.x
- 0.255.255.255: the last three octets are ignored as wildcards = 10.x.x.x
- Line 1: Match and permit all packets with a source address of exactly 10.1.1.1
- Line 2: Match and deny all packets with a source address whose first three octets are 10.1.1
- Line 3: Match and permit all packets with a source address whose first octet is 10
- IOS sets the parts of the source address that will be ignored to 0, even if nonzero values were configured (e.g. 10.1.2.3 0.255.255.255 => 10.0.0.0 0.255.255.255)

Binary Wildcard Masks
- Binary mask logic:
  - Compare the binary access-list command address and the binary packet header address bit by bit
  - Ignore any bits for which the binary WC mask lists a binary 1
  - If all bits that are checked are equal, it's a match

Finding the Right Wildcard Mask to Match a Subnet
- To match a subnet, use the subnet number as the address parameter and the inverse of the subnet mask as the wildcard mask
- For example, for subnet 172.16.8.0 255.255.252.0:
  - address parameter = 172.16.8.0 (subnet number)
  - wildcard mask = 0.0.3.255 (255.255.255.255 - 255.255.252.0)
  - Completed command: access-list 1 permit 172.16.8.0 0.0.3.255

Matching Any/All Addresses
- any keyword, e.g. access-list 1 permit any
- Can override the default deny any by using permit any

- An explicitly configured deny any lets show ip access-lists list the counter for how many packets are matched by the deny any logic

Implementing Standard IP ACLs
- access-list command, with generic syntax: access-list access-list-number {deny | permit} source [source-wildcard]

Standard Numbered ACL Example 1
- Requirements for this ACL:
  - Enable the ACL inbound on R2's S0/0/1 interface: ip access-group 1 in
  - Permit packets coming from host A: access-list 1 permit 10.1.1.1
  - Deny packets coming from other hosts in host A's subnet: access-list 1 deny 10.1.1.0 0.0.0.255
  - Permit packets coming from any other address in Class A network 10.0.0.0: access-list 1 permit 10.0.0.0 0.255.255.255
  - Deny all other traffic (default): (access-list 1 deny any)
- access-list command: global configuration mode
- ip access-group 1 in: interface configuration mode
- show ip access-lists: lists details about IPv4 ACLs only
- show access-lists: lists details about IPv4 ACLs plus other types of ACLs, e.g. IPv6 ACLs
- show ip interface interface-id: lists details about inbound/outbound ACL configuration (ip access-group)

Standard Numbered ACL Example 2
- Standard numbered ACL requirements:
  - Enable the ACL inbound on R2's F0/0 interface
  - Permit packets from S1 going to hosts in A's subnet
  - Deny packets from S1 going to hosts in C's subnet
  - Permit packets from S2 going to hosts in C's subnet
  - Deny packets from S2 going to hosts in A's subnet
  - Deny all other packets (default)
- The above requirements match on the destination as well as the source, so they would require an extended ACL
- Revised requirements that standard numbered ACLs can meet:
  - Use an outbound ACL on R1's F0/0, permit packets from S1, and deny all other packets:
    ip access-group 2 out
    access-list 2 permit 10.2.2.1
    (access-list 2 deny any)
  - Use an outbound ACL on R1's F0/1, permit packets from S2, and deny all other packets:
    ip access-group 3 out
    access-list 3 permit 10.2.2.2
    (access-list 3 deny any)
- access-list access-list-number remark text: leaves text documentation that stays with the ACL

- A router does not filter packets that it creates itself with an outbound ACL (e.g. ping, traceroute etc.)

Troubleshooting and Verification Tips
- To tell whether the router is matching packets or not, use the log keyword to make IOS issue log messages with occasional statistics about matches of that particular line of the ACL
  - access-list 1 permit 100.0.0.0 0.0.0.255 log
- Troubleshooting an ACL requires thought about both:
  - The interface on which the ACL is enabled, and
  - The direction of packet flow

Practice Applying Standard IP ACLs
Practice Building access-list Commands

Reverse Engineering from ACL to Address Range
- Address range = address in command, up to (address in command + wildcard mask)
- For access-list 1 permit 172.16.200.0 0.0.7.255:
  - address in command = 172.16.200.0
  - wildcard mask = 0.0.7.255
  - Address range = 172.16.200.0 - 172.16.207.255
- IOS could potentially change the command before placing it into the running-config file
  - For example: access-list 21 permit 10.1.1.1 0.0.255.255 => 10.1.0.0, wildcard 0.0.255.255
- show ip access-lists lists the final command
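The standard ACL rules above (bit-by-bit wildcard comparison, first-match logic with the implicit deny, IOS zeroing the ignored address bits, wildcard from subnet mask, and the address range recovered from address plus wildcard) carried through in Python, as an added example that is not part of the notes or of IOS; ACL 1 is the one from Standard Numbered ACL Example 1.

```python
import ipaddress


def to_int(dotted):
    return int(ipaddress.IPv4Address(dotted))


def to_dotted(value):
    return str(ipaddress.IPv4Address(value & 0xFFFFFFFF))


def wildcard_from_mask(subnet_mask):
    """Invert every bit of the subnet mask: 255.255.252.0 -> 0.0.3.255."""
    return to_dotted(0xFFFFFFFF ^ to_int(subnet_mask))


def normalise(address, wildcard):
    """IOS zeroes the address bits the wildcard ignores, so
    10.1.2.3 0.255.255.255 is stored as 10.0.0.0 0.255.255.255."""
    return to_dotted(to_int(address) & ~to_int(wildcard))


def address_range(address, wildcard):
    """Lowest and highest address matched: address up to address + wildcard."""
    low = to_int(normalise(address, wildcard))
    return to_dotted(low), to_dotted(low + to_int(wildcard))


def wildcard_match(packet_src, address, wildcard="0.0.0.0"):
    """Compare bit by bit; a 1 bit in the wildcard means 'ignore this bit'."""
    differing = to_int(packet_src) ^ to_int(address)
    return (differing & ~to_int(wildcard) & 0xFFFFFFFF) == 0


def parse_acl(config_lines):
    """Parse 'access-list N {permit|deny} {any | host A | A [WC]} [log]' commands
    into (action, address, wildcard) tuples, normalised the way IOS stores them."""
    entries = []
    for line in config_lines:
        parts = line.split()
        if len(parts) < 4 or parts[0] != "access-list" or parts[2] not in ("permit", "deny"):
            continue                       # remark lines and unrelated text are skipped
        action, rest = parts[2], parts[3:]
        if rest[0] == "any":
            address, wildcard = "0.0.0.0", "255.255.255.255"
        elif rest[0] == "host":
            address, wildcard = rest[1], "0.0.0.0"
        else:
            address = rest[0]
            wildcard = rest[1] if len(rest) > 1 and rest[1] != "log" else "0.0.0.0"
        entries.append((action, normalise(address, wildcard), wildcard))
    return entries


def evaluate(acl, packet_src):
    """First-match logic: the first matching line decides; a packet that matches
    no line hits the implicit deny any at the end."""
    for action, address, wildcard in acl:
        if wildcard_match(packet_src, address, wildcard):
            return action
    return "deny"


# ACL 1 from Standard Numbered ACL Example 1 (host A = 10.1.1.1, host B = 10.1.1.2,
# host C elsewhere in 10.0.0.0/8); the remark line is constructed for the example.
ACL_1 = parse_acl([
    "access-list 1 remark host A only from its subnet, rest of 10/8 permitted",
    "access-list 1 permit 10.1.1.1",
    "access-list 1 deny 10.1.1.0 0.0.0.255",
    "access-list 1 permit 10.0.0.0 0.255.255.255",
])

if __name__ == "__main__":
    for src in ("10.1.1.1", "10.1.1.2", "10.2.2.2", "192.168.1.1"):
        print(f"{src:12} -> {evaluate(ACL_1, src)}")
    print(wildcard_from_mask("255.255.252.0"), address_range("172.16.200.0", "0.0.7.255"))
```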

Chapter 26 - Advanced IPv4 Access Control Lists
Extended Numbered IP Access Control Lists
- Comparison of standard numbered ACLs and extended numbered ACLs:

Similarities                                                   | Differences
Can be enabled on interfaces for inbound or outbound packets   | Variety of packet header fields that can be used to match a packet
IOS searches the list sequentially                             | Numbers (1-99, 1300-1999 versus 100-199, 2000-2699)
Uses first-match logic                                         |

Matching the Protocol, Source IP and Destination IP
- An extended ACL access-list command requires at least 3 parameters:
  - IP protocol type
  - Source IP address (or address range with wildcard mask)
  - Destination IP address (or address range with wildcard mask)

- The protocol type identifies the type of header (TCP segment, UDP datagram etc.) that follows the IP header
- Protocol parameter keywords:
  - tcp
  - udp
  - icmp
  - eigrp
  - ospf
  - ip (for all IPv4 packets)
- Extended ACL access-list commands MUST use the host keyword to match a single source/destination IP address

- For example, to match access-list 101 deny udp 1.1.1.0 0.0.0.255 any, a packet must have:
  - A UDP header
  - Source IP address 1.1.1.1 - 1.1.1.254
  - Any destination IP address

Matching TCP and UDP Port Numbers
- Extended ACLs can examine parts of the TCP/UDP headers, especially the source/destination ports

- Extended ACLs with the tcp or udp keyword may have source/destination port parameters
- Syntax of an ACL that matches:
  - tcp: packets that include a TCP header
  - 172.16.1.0 0.0.0.255: packets sent from 172.16.1.0/24 (client subnet)
  - 172.16.3.0 0.0.0.255: packets sent to 172.16.3.0/24 (server subnet)
  - eq 21: packets with TCP destination port 21 (FTP server control port)
- EXTRA INFO: the source port of the client is going to be greater than 1023 (gt 1023)

- Reverse flow:
  - Source address: server subnet
  - Source port: 21 (FTP server control port)
  - Destination address: client subnet
  - (Destination port: greater than 1023)
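Extended ACL matching on protocol, addresses and ports, written for the FTP control-port case above and its reverse flow, as an added Python example (not from the notes or from IOS); the port-name table and the combined ACL 101 are constructed for the example, and in a real design the two directions would be applied on different interfaces or directions.

```python
import ipaddress

# A few of the port keywords IOS substitutes for numbers (eq 80 is shown as eq www).
PORT_NAMES = {"www": 80, "ftp": 21, "telnet": 23}


def wc_match(value, address, wildcard):
    """Bitwise compare, ignoring the bits set to 1 in the wildcard mask."""
    differing = int(ipaddress.IPv4Address(value)) ^ int(ipaddress.IPv4Address(address))
    return (differing & ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF) == 0


def parse_addr(tokens, i):
    """Consume 'any' | 'host A' | 'A WC' at tokens[i]; return (address, wildcard, next index)."""
    if tokens[i] == "any":
        return "0.0.0.0", "255.255.255.255", i + 1
    if tokens[i] == "host":
        return tokens[i + 1], "0.0.0.0", i + 2
    return tokens[i], tokens[i + 1], i + 2


def parse_port(tokens, i):
    """Consume an optional 'eq|gt|lt port' at tokens[i]; return ((op, port), next index)."""
    if i < len(tokens) and tokens[i] in ("eq", "gt", "lt"):
        name = tokens[i + 1]
        port = int(name) if name.isdigit() else PORT_NAMES[name]
        return (tokens[i], port), i + 2
    return (None, None), i


def parse_extended(line):
    """Parse 'access-list N action proto SRC [port] DST [port]' into a dict."""
    t = line.split()
    entry = {"action": t[2], "proto": t[3]}
    entry["src"], entry["src_wc"], i = parse_addr(t, 4)
    entry["sport"], i = parse_port(t, i)
    entry["dst"], entry["dst_wc"], i = parse_addr(t, i)
    entry["dport"], i = parse_port(t, i)
    return entry


def port_ok(spec, port):
    op, n = spec
    if op is None:
        return True                 # this line has no port condition
    if port is None:
        return False                # the line checks a port but the packet has none (e.g. ICMP)
    return {"eq": port == n, "gt": port > n, "lt": port < n}[op]


def matches(entry, pkt):
    if entry["proto"] != "ip" and entry["proto"] != pkt["proto"]:
        return False
    return (wc_match(pkt["src"], entry["src"], entry["src_wc"])
            and wc_match(pkt["dst"], entry["dst"], entry["dst_wc"])
            and port_ok(entry["sport"], pkt.get("sport"))
            and port_ok(entry["dport"], pkt.get("dport")))


def evaluate(acl, pkt):
    """First-match logic with the implicit 'deny ip any any' at the end."""
    for entry in acl:
        if matches(entry, pkt):
            return entry["action"]
    return "deny"


def packet(proto, src, dst, sport=None, dport=None):
    """Constructed packet header summary: just the fields an extended ACL can examine."""
    return {"proto": proto, "src": src, "dst": dst, "sport": sport, "dport": dport}


# Constructed ACL 101: the client->server FTP control line from the notes, its
# reverse flow, and the UDP deny line from the earlier example.
ACL_101 = [parse_extended(line) for line in (
    "access-list 101 permit tcp 172.16.1.0 0.0.0.255 172.16.3.0 0.0.0.255 eq 21",
    "access-list 101 permit tcp 172.16.3.0 0.0.0.255 eq 21 172.16.1.0 0.0.0.255 gt 1023",
    "access-list 101 deny udp 1.1.1.0 0.0.0.255 any",
)]

if __name__ == "__main__":
    print(evaluate(ACL_101, packet("tcp", "172.16.1.10", "172.16.3.5", 40000, 21)))   # permit
    print(evaluate(ACL_101, packet("tcp", "172.16.3.5", "172.16.1.10", 21, 40000)))   # permit
    print(evaluate(ACL_101, packet("tcp", "172.16.1.10", "172.16.3.5", 40000, 22)))   # deny
```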

Extended IP ACL Configuration
- Summary of syntax options:
- Like standard ACLs, the location and direction in which to enable the ACL must be chosen:
  - Which interface?
  - Which direction: inbound or outbound?

Extended IP Access Lists: Example 1

- Extended access-list numbers: 100 - 199, 2000 - 2699
- Protocol parameter: IP, TCP/UDP, ICMP/EIGRP etc.
- TCP/UDP port numbers: may be used when checking for TCP/UDP headers
- eq 80, eq www: matching port 80 (HTTP traffic); when eq 80 is configured, the config shows eq www
- Cisco suggests locating extended ACLs as close to the source of the packet as possible (saves bandwidth), so configurations on R2 and R3 could also have worked
- R3 does not match Larry's traffic because Larry's traffic will never enter R3's E0 interface

Named ACLs and ACL Editing
Named IP Access Lists
- Similarities between named and numbered ACLs:
  - Can be used to filter packets etc.
  - Can match the same fields; standard numbered ACL = standard named ACL and extended numbered ACL = extended named ACL
- Differences between named and numbered ACLs:

- ip access-list {standard | extended} name: defines whether the ACL is standard or extended, defines the name, and moves the user to ACL configuration mode
- no command-you-want-to-delete: deletes a single entry from the ACL

Editing ACLs Using Sequence Numbers
- ACL sequence numbers provide the following features for both numbered and named ACLs:
- Configuration of a standard numbered IP ACL, with the new alternative configuration style:
  - Step 1: Numbered ACL 24 is configured within ip access-list standard 24, with three permit commands
  - Step 2: do show ip access-lists 24 shows three permit commands with sequence numbers 10, 20, and 30
  - Step 3: The second permit command is deleted using no 20
  - Step 4: do show ip access-lists 24 confirms that the ACL now has two lines (10, 30)
  - Step 5: A new deny command is added to the beginning of the ACL, with 5 deny 10.1.1.1
  - Step 6: do show ip access-lists 24 confirms that the ACL now has three lines (5, 10, 30)
- EXTRA INFO: do show ... executes a show command from configuration mode

Numbered ACL Configuration Versus Named ACL Configuration
- Numbered ACLs can be configured with either:
  - access-list global commands
  - ACL configuration mode subcommands

- IOS always stores numbered ACLs as global access-list commands, even if they were configured in ACL configuration mode
- Continuing on from the steps above:
  - Step 7: The configuration is listed with do show running-config, which lists old-style global configuration commands
  - Step 8: A new statement is added to the end of the ACL using the access-list 24 permit 10.1.4.0 0.0.0.255 global command
  - Step 9: do show ip access-lists 24 confirms that the old-style command is added to the end of the ACL (sequence number 40)
  - Step 10: do show running-config confirms that both the new- and old-style commands are all listed as the same kind of global commands

ACL Implementation Considerations
- Filtering closer to the source of the packet: less bandwidth taken up in the network (extended ACLs)
- Filtering closer to the destination: less risk of filtering packets that should have been allowed (standard ACLs)
- Place more specific matching parameters early in each list:
  - Example: if 10.1.1.1 comes after 10.1.1.0 0.0.0.255, packets will never match the 10.1.1.1 line
- Cisco recommends that you disable the ACL on its interfaces before you change statements in the list
- If an entire ACL is deleted while the ACL is enabled on an interface, IOS does not filter any packets (as is the case when disabling an ACL on an interface)
- As soon as one statement is added to the enabled ACL, IOS filters packets based on that ACL, and the implicit deny any (deny ip any any) is activated

Troubleshooting with IPv4 ACLs
Analysing ACL Behaviour in a Network
- ping and traceroute might work fine, but other end-user packets may be matched by a deny command
- Steps to analysing an ACL:
  - Step 1, Step 2: Simlet questions

ACL Troubleshooting Commands
- Finding the location and direction of ACLs in enable mode: show running-config
- Finding the location and direction of ACLs in user mode: show ip interface {interface-id}
- Finding the contents of an ACL: show running-config, show access-lists and show ip access-lists
- These commands also list counters for the number of packets that have matched each line in the ACL
- A counter that is not increasing may mean:
  - Packets are not matching that line in that ACL
  - Packets are matching an earlier line in the same ACL
  - Packets are not reaching that router for some reason
- Find the address range for an ACL line: address in command, up to address in command + wildcard mask

Example Issue: Reversed Source/Destination IP Addresses
- Requirements:
  - Allow hosts in subnet 10.3.3.0/25 and subnet 10.1.1.0/24 to communicate
  - Prevent hosts in subnet 10.4.4.0/23 and subnet 10.1.1.0/24 from communicating
  - Allow all other communications between hosts in network 10.0.0.0
  - Prevent all other communications
- The ACL inbound on R2's G0/2 fails to match packets sent from 10.4.4.0/23 when the command lists the source and destination addresses in reverse order
- The same reversal mistake can apply to TCP/UDP source/destination ports

Steps 3D and 3E: Common Syntax Mistakes
- IOS rejects commands that try to match ports without the tcp or udp keyword
- ICMP is a separate keyword: icmp

Example Issue: Inbound ACL Filters Routing Protocol Packets
- A router bypasses outbound ACL logic for packets it generates itself
- An outbound ACL can discard forwarded packets, but not router-generated packets
- R1 would match RIP messages with the implicit deny any
- R1 would never learn routes from R2, but R2 could still learn RIP routes from R1
- RIPv2 uses UDP as a transport; EIGRP and OSPF do not use a transport protocol

- You can include these lines in any inbound ACL to ensure that routing protocol packets are permitted

ACL Interactions with Router-Generated Packets
Local ACLs and a Ping from a Router
- ping generates ICMP echo request messages and may receive ICMP echo reply messages
- ICMP messages from pinging server S1 can be filtered at locations B, C, and D
- EXTRA INFO: if R1 pinged R2, only locations B and D could filter the packets, as R2 sends its own ICMP echo reply with its IP address

Router Self-Ping of a Serial Interface IPv4 Address
- Self-ping of a serial interface:
  - Step 1: The router sends an ICMP echo request out the point-to-point serial link to the other router
  - Step 2: The neighbouring router receives the packet and routes the ICMP echo request back to the original router
- A self-ping tests parts of the point-to-point serial link:
  - The link must work at Layers 1, 2, and 3
  - Both routers have a working (up/up) serial interface, with correct IPv4 addresses configured
  - ACLs B, C, and D must permit the ICMP echo request and reply packets

Router Self-Ping of an Ethernet Interface IPv4 Address

- Self-ping of an Ethernet interface:
  - Tests the status of the local router interface (up/up)
  - Does not test security features on neighbouring devices (port security or ACLs), since the ICMP messages are not physically forwarded out the interface
  - The incoming IP ACL on the local router processes the router self-ping
  - Only the ACL on the incoming interface of the local router will filter the self-ping

Chapter 27 - Network Address Translation
Perspectives on IPv4 Address Scalability
- Long-term solution:
  - IPv6 (theoretically has 10^38 addresses)
- Short-term solutions:
  - NAT: allows private networks to connect to the Internet
  - Private addressing: use of unregistered networks
  - CIDR (Classless Interdomain Routing): assignment of subnets, not entire networks, by ISPs, and the ability to summarise routes

CIDR
- CIDR's main goals according to RFC 4632:
  - Defines a way to assign public IP addresses
  - Allows route aggregation or route summarisation
- Assignment of all addresses that begin with 198 to one ISP lets other ISPs use one route for 198.0.0.0/8 to match all those addresses
- CIDR reduces wasted addresses by assigning subnets (CIDR blocks)

Private Addressing
- If a computer would never connect to the Internet, it can use duplicates of registered IP addresses or private addresses
- RFC 1918 defines a set of networks, called private internets, that will never be assigned to any organisation as a registered network number
- Private addresses cannot be advertised using a routing protocol on the Internet

Network Address Translation Concepts
- NAT allows addresses that are not Internet-ready to communicate across the Internet by representing them with one or more registered addresses
- The NAT router changes the source address of outgoing packets and the destination address of incoming packets
- Source NAT

Static NAT
- IP addresses are statically mapped to each other
- The NAT router configures a one-to-one mapping between the private address and the public address (from 200.1.1.0, as assigned by the ISP)
- Terminology:
  - Inside local addresses: private IP addresses (e.g. 10.1.1.1)
  - Inside global addresses: public IP addresses (e.g. 200.1.1.1)
  - "Inside": the part of the enterprise network that uses private addresses (e.g. 10.1.1.0)
  - "Outside": the Internet side of the NAT function (e.g. 200.1.1.0)
- Source NAT table: lists each inside local address with its matching inside global address
- Destination NAT uses outside global/local addresses

Dynamic NAT
- The one-to-one mapping of inside local address to inside global address happens dynamically:
  - Step 1: Host 10.1.1.1 sends its first packet to 170.1.1.1
  - Step 2: The router uses its NAT matching logic to decide whether the packet should have NAT applied; since it matches, the router adds it to the NAT table
  - Step 3: The NAT router allocates the first available IP address from the pool of valid inside global addresses and adds it to the NAT table to complete the entry
  - Step 4: The NAT router translates the source IP address and forwards the packet
- Dynamic entries time out
- clear ip nat translation *: clears the NAT table
- If the inside global address pool is fully allocated, the packet is discarded
- An address can be reallocated once its entry has timed out

Overloading NAT with Port Address Translation
- Static NAT requires as many public addresses as private addresses
- Dynamic NAT requires fewer public addresses, but only to a small degree
- TCP/UDP use port numbers to identify each connection
- A server does not care whether all connections came from a single host or from multiple hosts
- PAT takes advantage of this, and translates ports as well as addresses
- NAT overload can use more than 65000 port numbers per inside global address to translate addresses and ports

NAT Configuration and Troubleshooting
Static NAT Configuration
- Static NAT configuration steps:
  - Step 1: Use ip nat inside in interface configuration mode to configure interfaces to be in the inside part of the NAT design
  - Step 2: Use ip nat outside in interface configuration mode to configure interfaces to be in the outside part of the NAT design

  - Step 3: Use ip nat inside source static inside-local inside-global in global configuration mode to configure the static mappings
- The inside global addresses can come from the extra addresses in the subnet used to connect the enterprise to the Internet, or from a loopback address
- inside: NAT translates addresses for hosts on the inside part of the network
- source: NAT translates the source IP address of packets coming into its inside interfaces
- static: a static entry is defined
- show ip nat translations: lists the NAT table
- show ip nat statistics: lists statistics on NAT, such as the number of hits, active translations etc.

Dynamic NAT Configuration
- Dynamic NAT needs:
  - An ACL to specify the inside local addresses for which NAT should apply
  - A pool to specify the inside global address range that the inside local addresses should be translated to
- Example dynamic NAT configuration:
  - ip nat pool my-pool 200.1.1.1 200.1.1.10 netmask 255.255.255.240: configures the inside global addresses between, and including, 200.1.1.1 and 200.1.1.10 to be translated to
  - netmask checks that both the lowest and highest addresses are in the same subnet
  - If the netmask doesn't match, IOS rejects the command
  - ip nat inside source list 1 pool fred: create NAT table entries that map between hosts matched by ACL 1, for packets entering any inside interface, allocating an inside global address from the pool called fred

Dynamic NAT Verification
- Before user traffic happens, the NAT table is empty, with show ip nat statistics listing 0 active translations
- The first "misses" counter indicates the number of times a new packet does not find a NAT entry, at which point dynamic NAT reacts and builds an entry
- The second "misses" counter indicates the number of times dynamic NAT tries to allocate a new NAT table entry and finds no available addresses, probably resulting in a discard
- After host 10.1.1.1 telnets to host 170.1.1.1, show ip nat statistics lists:
  - 1 active translation
  - 1 miss (the host tried to find a NAT entry, but couldn't find one)
  - 69 hits (dynamic NAT created the entry, and the host can now be translated)
  - 1 pool member allocated | 50% of the pool currently in use
- A NAT entry can time out, or clear ip nat translation * can remove all entries
- debug ip nat causes the router to issue a message every time a packet has its address translated for NAT

NAT Overload (PAT) Configuration
- Two versions of PAT configuration:
  - PAT is enabled on one interface, and uses one inside global IP address

  - PAT uses a pool of inside global IP addresses
- Difference between NAT overload and one-to-one NAT:
- PAT configuration checklist:
- Example: ip nat inside source list 1 pool fred overload
- Certskills is given 200.1.1.248/30, and PAT is enabled on 200.1.1.249
- 10.1.1.1 creates one Telnet connection, and 10.1.1.2 creates two Telnet connections
- ip nat inside source list 1 interface serial 0/0/0 overload: the only inside global IP address available is the IP address of the NAT router's interface serial 0/0/0
- The overload parameter means that the NAT overload feature is enabled

NAT Troubleshooting
- Most NAT troubleshooting issues relate to getting the configuration correct
- Troubleshooting checklist for the most common source NAT issues:

- Troubleshooting with the two different IP addresses (inside global versus inside local):
  - Step 1: The inside host sends a packet with destination address 170.1.1.1
  - Step 2: The NAT router forwards the packet with the destination address 170.1.1.1 unchanged
  - Step 3: The server sends a packet with the inside global destination address 200.1.1.249
  - Step 4: The NAT router forwards the packet with the inside local destination address 10.1.1.1
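A simplified model of NAT overload (PAT) for the Certskills example above (inside global address 200.1.1.249, one Telnet connection from 10.1.1.1 and two from 10.1.1.2 to 170.1.1.1), as an added Python example that is not part of the notes or of IOS; it shows the four-step address flow in both directions, why two inside hosts using the same source port need different inside global ports, and that an inbound packet with no table entry is dropped. The port-allocation rule and the hit/miss counters are simplifications, not IOS behaviour.

```python
from dataclasses import dataclass, field


@dataclass
class PatRouter:
    inside_global: str = "200.1.1.249"           # the NAT router's serial 0/0/0 address
    table: dict = field(default_factory=dict)    # (proto, local ip, local port) -> global port
    reverse: dict = field(default_factory=dict)  # (proto, global port) -> (local ip, local port)
    hits: int = 0
    misses: int = 0

    def _allocate_port(self, proto, wanted):
        """Keep the original source port when it is free, otherwise take the next free one
        (an assumption of this model; IOS has its own allocation rules)."""
        port = wanted
        while (proto, port) in self.reverse:
            port = port + 1 if port < 65535 else 1024
        return port

    def outbound(self, proto, src, sport, dst, dport):
        """Packet entering an inside interface: rewrite source ip/port (source NAT).
        Returns the translated (src, sport, dst, dport); destination is unchanged."""
        key = (proto, src, sport)
        if key in self.table:
            self.hits += 1
        else:
            self.misses += 1                      # no entry yet: build one (the first "misses" counter)
            gport = self._allocate_port(proto, sport)
            self.table[key] = gport
            self.reverse[(proto, gport)] = (src, sport)
        return self.inside_global, self.table[key], dst, dport

    def inbound(self, proto, src, sport, dst, dport):
        """Packet arriving on the outside interface addressed to the inside global
        address: rewrite the destination back to the inside local ip/port, or drop."""
        entry = self.reverse.get((proto, dport))
        if dst != self.inside_global or entry is None:
            return None                           # unsolicited packet, no entry: discarded
        self.hits += 1
        local_ip, local_port = entry
        return src, sport, local_ip, local_port

    def show_translations(self):
        """Rows in the spirit of show ip nat translations: (proto, inside global, inside local)."""
        return sorted((proto, f"{self.inside_global}:{gport}", f"{ip}:{port}")
                      for (proto, ip, port), gport in self.table.items())


def example_session():
    """10.1.1.1 opens one Telnet connection and 10.1.1.2 opens two, all to 170.1.1.1."""
    router = PatRouter()
    router.outbound("tcp", "10.1.1.1", 1024, "170.1.1.1", 23)
    router.outbound("tcp", "10.1.1.2", 1024, "170.1.1.1", 23)   # same local port as 10.1.1.1
    router.outbound("tcp", "10.1.1.2", 1025, "170.1.1.1", 23)
    return router


if __name__ == "__main__":
    r = example_session()
    for row in r.show_translations():
        print(*row)
    print(r.inbound("tcp", "170.1.1.1", 23, "200.1.1.249", 1025))   # reply to 10.1.1.2:1024
    print(r.inbound("tcp", "170.1.1.1", 23, "200.1.1.249", 5000))   # None: no entry, dropped
```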

Part VII Revision
Key Terms to Remember (terms and definitions)
- Chapter 25: Standard access list, Wildcard mask
- Chapter 26: Extended access list, Named access list
- Chapter 27: CIDR, Inside global, Inside local, NAT overload (PAT), Outside global, Port Address Translation (PAT), Private IP network, Source NAT

Part VIII - IP Version 6

Chapter 28 - Fundamentals of IP Version 6
Introduction to IPv6
- IPv6 serves as the replacement protocol for IPv4
- Around 340 undecillion theoretical addresses
- Different size address field, different addressing rules, different routing protocols, different subnetting rules etc.

The Historical Reasons for IPv6
- ARPANET => research => fixed Internet access with dial, DSL and cable => pervasive mobile Internet
- IANA and the RIRs have exhausted IPv4 addresses, and THE DAY HAS COME WHEN NEW COMPANIES' ONLY OPTION WILL BE IPv6
- The IETF used NAT, CIDR and IPv6 to solve the IPv4 address exhaustion problem

The IPv6 Protocols
- Protocol migrations:
  - OSPFv2 => OSPFv3 (supports advertising both IPv4 and IPv6 routes)
  - ICMP => ICMPv6
  - ARP => NDP (Neighbour Discovery Protocol)
- One specific protocol called IPv6 defines the new 128-bit IPv6 address
- IPv6 addresses are represented as hexadecimal values
- IPv6's simpler 40-bit header

IPv6 Routing

- PC1, with address 2345::1, wants to send a packet to host PC2 in another subnet, so it sends the packet to the default gateway, 2345::2, with the packet encapsulated inside an Ethernet header and trailer
  - Step 1: R1 de-encapsulates the IPv6 packet, discarding the Ethernet header and trailer
  - Step 2: R1 makes a forwarding decision and re-encapsulates the IPv6 packet in an HDLC header and trailer
- IPv6 packets are forwarded using the IPv6 routing table, which lists information about prefixes (subnets), outgoing interface and next-hop router

- Dual stack: migration strategy of running both IPv4 and IPv6 (on a router, by adding additional configuration)

IPv6 Routing Protocols
- Same IGP/EGP conventions as IPv4: an IGP advertises IPv6 routes inside an enterprise

IPv6 Addressing Formats and Conventions
Representing Full (Unabbreviated) IPv6 Addresses
- An address has 128 bits, 32 hex digits, 8 quartets
- Conversion from hexadecimal to binary and vice versa

Abbreviating and Expanding IPv6 Addresses
- Computers and routers use the shortest abbreviation, even if you type all 32 hex digits of the address

Abbreviating IPv6 Addresses
- Two basic rules: remove the leading 0s in each quartet, and replace one run of consecutive all-0 quartets with ::
- For example:
  - Unabbreviated address: FE00:0000:0000:0001:0000:0000:0000:0056
  - Remove the leading 0s: FE00:0:0:1:0:0:0:56
  - Replace one run of consecutive 0 quartets with :: (the longest run gives the shortest abbreviation):
    - Shortest abbreviation: FE00:0:0:1::56
    - Longer, valid abbreviation: FE00::1:0:0:0:56
  - Invalid abbreviations:
    - FE:0:0:1::56 (removes trailing 0s instead of leading 0s)
    - FE00::1::56 (uses :: twice)

Expanding Abbreviated IPv6 Addresses
- Two reverse-logic rules:

Representing the Prefix Length of an Address
- The IPv6 prefix length (IPv4: subnet mask) uses slash notation
- Cisco routers may require configuration with either:
  - No space between the address and prefix length (e.g. 2222:1111:0:1:A:B:C:D/64)
  - A space between the address and prefix length (e.g. 2222:1111:0:1:A:B:C:D /64)
- The prefix length can be from /0 to /128

Calculating the IPv6 Prefix (Subnet ID)
- From an IPv6 address and prefix length you can calculate the IPv6 prefix (IPv4: subnet ID)

Finding the IPv6 Prefix
- Rules to find the IPv6 prefix:
- Rules to find the IPv6 prefix when the prefix length is a multiple of 4:

  1. Identify the number of hex digits in the prefix by dividing the prefix length by 4
  2. Copy the hex digits determined to be in the prefix per the first step
  3. Change the rest of the hex digits to 0
- Example, including abbreviation of the prefix:
  - Address: 34BA:B:B:0:5555:0:6060:707/64
  - Prefix: 34BA:B:B:0:0:0:0:0/64 (34BA:B:B:0::/64)
  - Abbreviation: 34BA:B:B::/64

Working with More-Difficult IPv6 Prefix Lengths
- If the prefix length is a multiple of 16, copy entire quartets
- If the prefix length is a multiple of 4, copy entire hex digits
- If not, work in binary to form the new hex digit
- For example:
  - Address: 210F:A:B:C:CCCC:B0B0:9999:9009/40
  - Prefix: 210F:A:0000:0:0:0:0:0/40
  - Abbreviation: 210F:A::/40
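The two abbreviation rules, their reverse, and the prefix calculation from the two sections above (including a prefix length that is not a multiple of 4, which the notes say must be worked in binary) implemented in Python, as an added example that is not part of the notes; the standard library's ipaddress module is used only to cross-check the result.

```python
import ipaddress


def expand(addr):
    """Reverse the two rules: restore the quartets hidden by :: and the leading 0s."""
    if addr.count("::") > 1:
        raise ValueError(f"{addr}: only one :: is allowed")
    if "::" in addr:
        left, right = addr.split("::")
        lq = left.split(":") if left else []
        rq = right.split(":") if right else []
        quartets = lq + ["0"] * (8 - len(lq) - len(rq)) + rq
    else:
        quartets = addr.split(":")
    if len(quartets) != 8 or any(len(q) == 0 or len(q) > 4 for q in quartets):
        raise ValueError(f"{addr}: an address must have 8 quartets of 1-4 hex digits")
    return ":".join(q.zfill(4).upper() for q in quartets)


def is_valid(addr):
    try:
        expand(addr)
        return True
    except ValueError:
        return False


def abbreviate(addr):
    """Rule 1: drop leading 0s in each quartet. Rule 2: replace the longest run of
    all-0 quartets (first run wins a tie) with ::, which gives the shortest form."""
    quartets = [q.lstrip("0") or "0" for q in expand(addr).split(":")]
    best_start, best_len, i = -1, 0, 0
    while i < 8:
        if quartets[i] != "0":
            i += 1
            continue
        j = i
        while j < 8 and quartets[j] == "0":
            j += 1
        if j - i > best_len:
            best_start, best_len = i, j - i
        i = j
    if best_len < 2:                     # :: only replaces a run of two or more 0 quartets
        return ":".join(quartets)
    left = ":".join(quartets[:best_start])
    right = ":".join(quartets[best_start + best_len:])
    return f"{left}::{right}"


def prefix(addr_with_len):
    """Keep the first prefix-length bits and zero the rest, working in binary so
    that /40 or /50 is handled the same way as /64."""
    addr, plen = addr_with_len.split("/")
    plen = int(plen)
    bits = int(expand(addr).replace(":", ""), 16)
    mask = ((1 << plen) - 1) << (128 - plen)
    kept = f"{bits & mask:032X}"
    full = ":".join(kept[i:i + 4] for i in range(0, 32, 4))
    return f"{abbreviate(full)}/{plen}"


if __name__ == "__main__":
    full = "FE00:0000:0000:0001:0000:0000:0000:0056"
    print(abbreviate(full), "<->", expand("FE00:0:0:1::56"))
    for a in ("34BA:B:B:0:5555:0:6060:707/64", "210F:A:B:C:CCCC:B0B0:9999:9009/40"):
        print(a, "->", prefix(a))
    # cross-check against the standard library's compressed form (which is lowercase)
    assert abbreviate(full).lower() == str(ipaddress.IPv6Address(full))
```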

Chapter 29 - IPv6 Addressing and Subnetting
Global Unicast Addressing Concepts
A Brief Review of Public and Private IPv4 Addresses
Review of Public IPv4 Addressing Concepts
- Three steps in planning to ensure that each unicast address was unique:
  - The company or organisation asked for and received the rights to the exclusive use of a public Class A, B, or C IPv4 network number
  - The classful network was subdivided into smaller subnets
  - Individual IPv4 addresses are allocated to each host interface
- The following each need a separate subnet:

- Even if all devices were in the same VLAN, the serial link, the EoMPLS link and the data branches would each require a different subnet (subnets for the Internet connection are assigned by the ISP)

Review of Private IPv4 Addressing Concepts
- Using NAT/PAT allows one public IPv4 address to support many private addresses

Public and Private IPv6 Addresses
- Global unicast IPv6 addresses = public IPv4 addresses
- Unique local IPv6 addresses = private IPv4 addresses

- Either each company is given a unique IPv6 address block, subnets the block, and only uses unique addresses from that block, OR IPv6 NAT/PAT is used with unique local addresses assigned to hosts
- Summary of global unicast and unique local:
- Site local (begin with FEC, FED, FEE or FEF): originally intended to be used like IPv4 private addresses, and is not removed from the IPv6 standards

The IPv6 Global Routing Prefix
- The reserved block of IPv6 addresses allocated to a company is called a global routing prefix (meaning that Internet routers can have one route that refers to all the addresses inside the block)
- Assignment process: IANA, ICANN => RIRs => ISPs
  - Step 1: IANA gives ARIN prefix 2001::/16
  - Step 2: ARIN gives NA-ISP1 prefix 2001:0DB8::/32
  - Step 3: NA-ISP1 gives Company 1 prefix 2001:0DB8:1111::/48

Address Ranges for Global Unicast Addresses
- The global unicast address range (2000::/3) includes all IPv6 addresses not otherwise allocated for other purposes

IPv6 Subnetting Using Global Unicast Addresses
- Almost everyone uses /64 because the dynamic IPv6 address assignment process works better with it

Deciding Where IPv6 Subnets Are Needed
- A subnet for each:
  - VLAN
  - Point-to-point WAN link:
    - Serial link
    - EoMPLS
  - Data branches

The Mechanics of Subnetting IPv6 Global Unicast Addresses
- IPv4 uses classful rules for network and host bits in unsubnetted IPv4 addresses
- When a classful network is subnetted, subnet bits "borrow" host bits
- Network bits stay locked, but subnet and host bits are flexible
- IPv6 subnetted addresses use:
  - Global routing prefix; as set by IANA, RIR, or ISP
  - Subnet part; as set by the local engineer
  - Interface ID; as set by the local engineer
- IPv6 has no concept of address classes, but the authorities give a locked global routing prefix and prefix length (the prefix length of the global routing prefix is often between /32 and /48, or possibly as long as /56)

- The interface ID doesn't have to be 64 bits long, but there is no reason to avoid it
- The subnet field is typically 128 - interface ID length - global routing prefix length (or 64 - global routing prefix length)
- For 2001:0DB8:1111:0001:0000:0000:0000:0001:
  - The company was assigned prefix 2001:0DB8:1111::/48
  - The company uses a 64-bit interface ID
  - The company has a subnet field of 16 bits, allowing 2^16 (65536) IPv6 subnets
  - Each subnet supports [2^64 - reserved values] hosts

Listing the IPv6 Subnet Identifier
- Routers list the IPv6 prefix ID (subnet ID) with prefix length in their IPv6 routing tables, in this case 2001:DB8:1111:1::/64

List All IPv6 Subnets
- If a single prefix length is used for all subnets, you can write down all the IPv6 prefix IDs
- Rules to find all prefix IDs:

- The global routing prefix followed by different subnet bits, and all 0s for the interface ID
- The IPv6 subnet ID is more formally called the subnet router anycast address; it is reserved and should not be used as an IPv6 address for any host

Assign Subnets to the Internetwork Topology
- Company 1's four subnets for all its data link instances, with global routing prefix 2001:DB8:1111::/48

Assigning Addresses to Hosts in a Subnet
- A host can have a static IPv6 configuration with:
  - IPv6 address
  - IPv6 prefix length
  - Default router IPv6 address
  - DNS server IPv6 addresses
- Hosts can have their configuration dynamically learnt using either:
  - DHCP, or
  - SLAAC (Stateless Address Autoconfiguration)

Unique Local Unicast Addresses
- Begins with hex FD, is not registered with any numbering authority, and can be used by multiple organisations
- Unique local address rules:

Subnetting with Unique Local IPv6 Addresses
- First 8 bits are preset, and the next 40 global routing prefix bits can be random:
  - E.g. FD00:0001:0001::/48 (FD00:1:1::/48)

- Treat entire fourth quartet as a subnet field

The Need for Globally Unique Local Addresses
- Short global routing prefixes are good for testing, but not for real situations
- For a real network, global routing prefixes should be chosen randomly, so that each is globally unique
- Globally unique addresses make merging two enterprise networks much easier, as no two addresses overlap
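As an added example (not code from the notes), Python using the standard ipaddress module to carve subnet IDs out of a global routing prefix as described under List All IPv6 Subnets, size the subnet field, flag the reserved subnet router anycast address, and build a unique local /48 with random global-ID bits as the section above recommends. The prefixes 2001:DB8:1111::/48 and FD00:1:1::/48 are the notes' own values; the function names are my own.

```python
import ipaddress
import secrets
from typing import Iterator, Optional


def subnet_field_bits(global_prefix_len: int, interface_id_bits: int = 64) -> int:
    """Subnet field = 128 - interface ID - global routing prefix (16 for a /48 with 64-bit IIDs)."""
    bits = 128 - interface_id_bits - global_prefix_len
    if bits < 0:
        raise ValueError("prefix and interface ID do not fit in 128 bits")
    return bits


def subnet_count(global_prefix_len: int, interface_id_bits: int = 64) -> int:
    """Number of subnets the subnet field can number: 2**subnet_bits (65536 for /48 -> /64)."""
    return 2 ** subnet_field_bits(global_prefix_len, interface_id_bits)


def ipv6_subnet_ids(global_prefix: str, subnet_prefix_len: int = 64,
                    limit: Optional[int] = None) -> Iterator[ipaddress.IPv6Network]:
    """Yield subnet IDs (prefix IDs): global routing prefix + successive subnet values + all-0 IID."""
    net = ipaddress.IPv6Network(global_prefix, strict=False)
    for n, subnet in enumerate(net.subnets(new_prefix=subnet_prefix_len)):
        if limit is not None and n >= limit:
            break
        yield subnet


def subnet_of(host_with_len: str) -> ipaddress.IPv6Network:
    """The subnet ID a host belongs to, e.g. 2001:DB8:1111:1::1/64 -> 2001:db8:1111:1::/64."""
    return ipaddress.IPv6Interface(host_with_len).network


def is_subnet_router_anycast(host_with_len: str) -> bool:
    """True when the interface ID is all 0s: the reserved subnet router anycast address, not a host."""
    iface = ipaddress.IPv6Interface(host_with_len)
    return iface.ip == iface.network.network_address


def ula_prefix_from_bits(global_id: int) -> ipaddress.IPv6Network:
    """Build a unique local /48: fixed FD byte, then the 40-bit global ID, then 80 zero bits."""
    if not 0 <= global_id < 2 ** 40:
        raise ValueError("global ID must fit in 40 bits")
    value = (0xFD << 120) | (global_id << 80)
    return ipaddress.IPv6Network((value, 48))


def random_ula_prefix() -> ipaddress.IPv6Network:
    """The 'choose it randomly' advice from the notes: global ID from the OS CSPRNG, not hand-picked."""
    return ula_prefix_from_bits(secrets.randbits(40))


if __name__ == "__main__":
    for sid in ipv6_subnet_ids("2001:DB8:1111::/48", 64, limit=4):
        print(sid)                                   # 2001:db8:1111::/64, 2001:db8:1111:1::/64, ...
    print(subnet_count(48), "subnets;", ula_prefix_from_bits(0x10001), random_ula_prefix())
```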

Chapter 30 - Implementing IPv6 Addressing on Routers
Implementing Unicast IPv6 Addresses on Routers
- IPv6 requires a long-term migration strategy, usually a dual-stack strategy
Static Unicast Address Configuration
- Two options when configuring static IPv6 addresses:
  - Configure the full 128-bit address
  - Configure a 64-bit prefix and let the router derive the interface ID
Configuring the Full 128-Bit Address
- ipv6 address address/prefix-length interface subcommand:
  - Address can be either global unicast or unique local
  - Address can be either abbreviated or the full 32-digit hex address
  - Address and prefix length have no space between them

Enabling IPv6 Routing
- ipv6 unicast-routing global command enables IPv6 routing
- Router must both enable IPv6 globally and enable IPv6 on the interface (ipv6 address) to route packets
- If only ipv6 address is configured, the router acts like an IPv6 host and does not route IPv6 packets
Verifying the IPv6 Address Configuration
- show ipv6 interface brief: gives interface IPv6 address info, but not prefix length info
- show ipv6 interface: gives details of IPv6 interface settings
- WARNING: show interfaces tells nothing about IPv6
- show ipv6 interface lists the IPv6 address, prefix length and subnet that the interface is in
- show ipv6 interface brief: lists IPv6 addresses, but not the prefix length or prefixes
- Router adds IPv6 connected routes to the IPv6 routing table for each interface that is up/up

Generating a Unique Interface ID Using Modified EUI-64
- Routers typically use static IPv6 addresses, while user devices use DHCP or SLAAC
- Modified EUI-64 (Extended Unique Identifier) rules for creating interface IDs:

- Step 1: Start with the MAC address => 0013.1234.ABCD
- Step 2: Split the MAC address into halves => 001312 34ABCD
- Step 3: Insert FFFE between the two halves => 001312FFFE34ABCD
- Step 4: Insert a colon every four hex digits => 0013:12FF:FE34:ABCD
- Step 5A: Take the first 2 hex digits => 00
- Step 5B: Convert the first 2 hex digits to binary => 0000 0000
- Step 5C: Invert the 7th bit => 0000 0010
- Step 5D: Convert to hex => 02
- Address: Prefix + 0213:12FF:FE34:ABCD
- Table avoids hex/binary conversions
- Configuring a router interface to use EUI-64 format: ipv6 address address/prefix-length eui-64 interface subcommand
- Serial interfaces DO NOT have associated MAC addresses
  - Router chooses the MAC of the lowest-numbered router interface that does have a MAC

Dynamic Unicast Address Configuration
- Cisco routers support two ways for a router interface to dynamically learn an IPv6 address:
  - Stateful DHCP
  - Stateless Address Autoconfiguration (SLAAC)

Special Addresses Used by Routers
- After configuration of ipv6 unicast-routing and a unicast IPv6 address on an interface, the router:

Link-Local Addresses
- Not used for normal IPv6 packet flows, but by overhead protocols and for routing
Link-Local Address Concepts
- IPv6 protocols that need to send messages inside a single subnet typically use link-local addresses, such as NDP
- Routers use link-local addresses as the next-hop IPv6 addresses in IPv6 routes
- Hosts use the default router's link-local address
- Key facts about link-local addresses:

Creating Link-Local Addresses on Routers

- Link-local addresses start with FE80::/10 (FE8, FE9, FEA, FEB), but the RFC says the next 54 bits should be binary 0, so a link-local address should ALWAYS start with FE80:0000:0000:0000
- Link-local address can be created:
  - With EUI-64 format (Cisco routers)
  - By random (Microsoft OS)
  - With static configuration
- IOS creates a link-local address for any interface that has at least one other unicast address configured with the ipv6 address command (global unicast, unique local)
- Unicast and link-local addresses have the same interface ID if using EUI-64
- IOS chooses the link-local address for an interface based on the following rules:
  - If configured, router uses the value in ipv6 address address link-local
  - If not, IOS calculates the link-local address with EUI-64 rules
Routing IPv6 with Only Link-Local Addresses on an Interface
- ipv6 enable interface subcommand enables IPv6 and the router creates a link-local address
- Two routers on a WAN link do not need global unicast addresses, whereas hosts on each LAN need global unicast addresses
IPv6 Multicast Address
- Multicast address: FF00::/8
Local Scope Multicast Addresses
- FF02::/16 is link-local scope multicast: routers will not forward these packets outside the local subnet
- Organisation-scope multicast (FF08::/16): packets are forwarded throughout the organisation but not out to the Internet
- Most common local-scope IPv6 multicast addresses:
- show ipv6 interface lists multicast addresses used by the interface:

Solicited-Node Multicast Addresses
- Value varies from host to host
- Every interface with unicast addresses has a solicited-node multicast address
- Solicited-node multicast address concepts:
  - Multicast: The address is a multicast address
  - Link-local: The scope is link-local, meaning routers do not forward messages sent to this address
  - Calculated: The address is calculated based on the last six hex digits of the unicast IPv6 address
  - Operation: Each host interface must listen for packets sent to its solicited-node multicast address
  - Overlap: Some hosts might have the same solicited-node multicast address
- Packets sent to a solicited-node multicast address might be processed by one or multiple hosts
- Some protocols want the logic of sending one multicast packet to all hosts using similar unicast IPv6 addresses

- Solicited-node multicast address: RFC-defined FF02::1:FF/104 + last 6 hex digits of the unicast address
- One for the global unicast address, one for the link-local address
Anycast Addresses
- Packets sent to this address are delivered to the nearest device that supports the address
- Two steps of anycast addressing:
  - Step 1: Two routers configure the exact same IPv6 address, designated as an anycast address, to support some service
  - Step 2: Routers route the packet to the nearest of the routers that support the address
- Anycast address is configured and advertised with a /128 prefix so it is a host route
- anycast keyword for anycast address configuration
- show ipv6 interface identifies the address as anycast, but show ipv6 interface brief does not
- Subnet router anycast address sends a packet to any router on a subnet
Miscellaneous IPv6 Addresses
- All IPv6 hosts can use two additional special addresses:
  - :: is used when the host's own IPv6 address is not yet known, or when it wonders whether its own IPv6 address might have problems (e.g. dynamic IPv6 address configuration)
  - ::1 is used as the loopback address to test the host's own protocol stack (down to IPv6 and back up to the application)
IPv6 Addressing Configuration Summary
- Summary of IPv6 address types:
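Added example (not the notes' own code) covering both the modified EUI-64 steps under Generating a Unique Interface ID and the solicited-node derivation above: Python that walks Steps 1 to 5D for the notes' MAC 0013.1234.ABCD, builds the matching global unicast and link-local addresses, and computes the FF02::1:FF/104 solicited-node address for each. Function names and the 2001:db8:1111:1::/64 prefix are my own choices.

```python
import ipaddress
import re

SOLICITED_NODE_BASE = int(ipaddress.IPv6Address("ff02::1:ff00:0"))  # FF02::1:FF/104 from the notes


def eui64_interface_id(mac: str) -> str:
    """Modified EUI-64 interface ID from a 48-bit MAC (Cisco dotted, colon or dash notation)."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac).lower()     # Step 1: keep only the 12 hex digits
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC: {mac!r}")
    eui = digits[:6] + "fffe" + digits[6:]                  # Steps 2-3: split in halves, insert FFFE
    first_octet = int(eui[:2], 16) ^ 0x02                   # Step 5: invert the 7th bit (the U/L bit)
    eui = f"{first_octet:02x}" + eui[2:]
    return ":".join(eui[i:i + 4] for i in range(0, 16, 4))  # Step 4: colon every four hex digits


def address_from_prefix(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Prefix + EUI-64 interface ID, i.e. what 'ipv6 address prefix/64 eui-64' produces."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 interface IDs need a 64-bit prefix")
    iid = int(eui64_interface_id(mac).replace(":", ""), 16)
    return ipaddress.IPv6Address(int(net.network_address) | iid)


def link_local_address(mac: str) -> ipaddress.IPv6Address:
    """FE80:0000:0000:0000 + the same EUI-64 interface ID (the IOS default for link-local)."""
    return address_from_prefix("fe80::/64", mac)


def solicited_node_multicast(unicast: str) -> ipaddress.IPv6Address:
    """FF02::1:FF + the last 24 bits (6 hex digits) of the unicast address."""
    low24 = int(ipaddress.IPv6Address(unicast)) & 0xFFFFFF
    return ipaddress.IPv6Address(SOLICITED_NODE_BASE | low24)


def interface_addresses(prefix: str, mac: str) -> dict:
    """Every address one interface listens on for a given prefix + MAC, as the notes list them."""
    gua = address_from_prefix(prefix, mac)
    lla = link_local_address(mac)
    return {
        "global_unicast": str(gua),
        "link_local": str(lla),
        # With EUI-64 both unicast addresses share the low 24 bits, so they collapse onto one
        # solicited-node group; hosts in other prefixes with the same low 24 bits overlap the same way.
        "solicited_node": sorted({str(solicited_node_multicast(str(a))) for a in (gua, lla)}),
    }


if __name__ == "__main__":
    print(eui64_interface_id("0013.1234.ABCD"))               # 0213:12ff:fe34:abcd
    print(interface_addresses("2001:db8:1111:1::/64", "0013.1234.ABCD"))
```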

Chapter 31 - Implementing IPv6 Addressing on Hosts
The Neighbour Discovery Protocol
- Host IPv6 settings:
  - Interface IPv6 address, DNS servers: typically global unicast or unique local unicast address
  - Default router: typically link-local address
- NDP functions:

Discovering Routers with NDP RS and RA
- ICMPv6 includes all the NDP messages
- Two messages that enable routers to learn addressing and subnet information from any routers in the subnet:

- PC1 learning R1's link-local address:
  - RS uses the all-routers multicast address (FF02::2)
  - RA uses PC1's address or the all-nodes multicast address (FF02::1)
Discovering Addressing Info for SLAAC with NDP RS and RA
- RS/RA: basic query/response protocol (hosts asking, routers supplying info)
- Host can learn the prefix and prefix length from the router's global unicast address
- SLAAC uses prefix/prefix length info from RS/RA
Discovering Neighbour Link Addresses with NDP NS and NA
- NS = IPv4 ARP Request
- NA = IPv4 ARP Reply (lists host MAC address)
- RS/RA are sent to routers, NS/NA are sent to hosts
- NS/NA lets hosts discover the link-layer address of other on-link hosts (hosts on the same data link)
- NS: "What is your link address?" to the target IPv6 unicast address
- Step 1:
  - PC1 looks in its NDP neighbour table, and doesn't find PC2's MAC address
  - PC1 sends an NS to PC2's solicited-node multicast address, asking for PC2's MAC address
- Step 2:
  - PC2 sends back an NA message, listing PC2's MAC address
  - PC1 records PC2's MAC address in PC1's NDP neighbour table
- Commands to view the NDP neighbour table:
  - Windows: interface ipv6 show neighbors
  - Linux: ip -6 neighbour show
  - Mac OS: ndp -an
Discovering Duplicate Addresses Using NDP NS and NA
- IPv6 uses Duplicate Address Detection (DAD) before using a unicast address
- If another host already uses that address, the first host doesn't use the address until the problem is resolved
- DAD uses NDP NS/NA
- Step 1: PC1 must use DAD before using address 2001:DB8:1111:1::11
- Step 2: PC1 sends an NS for target 2001:DB8:1111:1::11
- Step 3: PC2 sends back an NA, listing its own IPv6 address and MAC address
- Step 4: Because PC1 received an NA, PC1 realises a duplicate address exists
- Host uses DAD for each unicast and link-local address, when the address is first used and each time the host's interface comes up
NDP Summary

Dynamic Configuration of Host IPv6 Settings
- DHCPv6 has the disadvantage of requiring a server => SLAAC
Dynamic Configuration Using Stateful DHCP and NDP

- Similarities between stateful DHCPv6 and IPv4 DHCP:
  - Stateful DHCPv6 tracks info about which client has a lease for what IPv6 address
  - Stateless DHCP servers do not track any per-client information
Differences Between DHCPv6 and DHCPv4
- Stateful DHCPv6 does not supply default router information to the client (use NDP for that)
- Stateful DHCPv6 messages:
  - Solicit: Client searching for the IPv6 address of a DHCPv6 server
  - Advertise: Server advertises an address and other configuration settings for the client to possibly use
  - Request: Client asks to lease the address
  - Reply: Server confirms the lease
DHCPv6 Relay Agents
- Client uses the following addresses in the Solicit message:
  - Source of link-local: client uses its own link-local address as source
  - Destination address of "all-DHCP-agents" FF02::1:2: multicast sends to DHCP servers and DHCP relay agents
- Step 1: From: A's link-local address; To: FF02::1:2 (all-DHCP-agents address)
- Step 2: From: R1's OUTGOING interface address (DHCPv4: incoming); To: DHCPv6 server address
- Return DHCPv6 messages follow the reverse process
- ipv6 dhcp relay destination server-address command enables DHCP relay
- show ipv6 interface lists the interface as listening to FF02::1:2
Using Stateless Address Auto Configuration
- Stateful DHCPv6 server requires IT staff management
- SLAAC dynamically learns part of the IPv6 address without a server
Building an IPv6 Address Using SLAAC
- SLAAC IPv6 address choice process:
- Host can use modified EUI-64 or a random interface ID:

Combining SLAAC with NDP and Stateless DHCP
- Host uses three different tools to find its four IPv6 settings:
- DHCPv6 client asks for only DNS server addresses, and NOT a lease of an IPv6 address
- Stateless DHCPv6 server:
  - Needs simple configuration only; a small number of DNS server addresses
  - Needs no per-subnet configuration; no lists, pools, excluded addresses etc.
  - Does not need to track state information about DHCP leases because it does not lease addresses to any clients

Troubleshooting IPv6 Addressing
- Verification of the host's IPv6 settings and ability to send packets (ping and traceroute)
Verifying Host IPv6 Connectivity from Hosts
- Four IPv6 host settings on the GUI:
  - SLAAC gave the host two IPv6 addresses (one with EUI-64, one with a random interface ID)
- ipconfig or ifconfig examines IPv6 settings:
- ping (ping6), traceroute (traceroute6) check host connectivity
  - IPv6 pings to R1 and PC2, IPv4 ping to PC2:
  - traceroute6 from PC1 to PC2:

Verifying Host Connectivity from Nearby Routers
- Standard ping and traceroute commands work on Cisco routers for IPv6
- Extended ping and traceroute require the ipv6 keyword in the Protocol parameter
- Another verification: look at the router's neighbour table (checks host NA/NS response)
  - Router can clear its neighbour table with clear ipv6 neighbor and then ping a host on some connected interface
  - Router sends an NDP NS
  - Host needs to send an NDP NA back
  - If the host MAC address shows in the neighbour table, the host replied with an NDP NA
- Cisco routers watch for (unsolicited) RA messages received from other routers
  - show ipv6 routers lists any other routers in the local subnet
  - R1 does not hear any RA messages from other routers on that LAN subnet
  - R2 and R3 hear RAs from each other in the same LAN subnet
- Host neighbour tables give routers the "R" flag if an RA was received

Chapter 32 - Implementing IPv6 Routing
Connected and Local IPv6 Routes
- A router adds IPv6 routes based on:

Rules for Connected and Local Routes
- If the interface is up/up and ipv6 address is configured, the router adds both a connected and a local route
- Routers DO NOT create IPv6 routes for link-local addresses
- ipv6 address 2000:1:1:1::1/64:
  - Local route for 2000:1:1:1::1/128
  - Connected route for 2000:1:1:1::/64

Example of Connected IPv6 Routes
- Prefixes (subnets) with abbreviated interface IPv6 addresses
- R1 should have three local and connected routes, one of each on each interface
- Each connected route lists:
  - Routing code "C" for connected route
  - Destination IPv6 prefix/prefix length (subnet ID) of "2001:DB8:1111:1::/64"
  - Administrative distance of "0" (connected route default value)
  - Metric of "0" (static route)
  - Outgoing interface of "GigabitEthernet0/0"
  - "Directly connected" route
Examples of Local IPv6 Routes
- Each working interface has a local route + one local route for multicast
- Lists the interface address with prefix length /128 (matches only that address)

Static IPv6 Routes
- ipv6 route + prefix + prefix length + next-hop address OR outgoing interface OR both

Static Routes Using the Outgoing Interface
- Command uses the local outgoing interface:
- Both R1 and R2 need to have routes for each other's subnet for a successful ping:
- Verification: ping, traceroute, show ipv6 route and show ipv6 route static:
- Facts about the static route:
  - Routing code "S"
  - Destination prefix/prefix length
  - AD "1" and metric "0"
  - Outgoing interface
  - "Directly connected"
- show ipv6 route 2001:db8:1111:2::22 lists which route R1 would use:

Static Route Using Next-Hop IPv6 Address
- Global unicast or unique local, OR link-local with interface

Example Static Route with a Global Unicast Next-Hop Address
- Static IPv6 routes with global unicast addresses (2-way):
- Verification with show ipv6 route 2001:db8:1111:2::22:
Example Static Route with a Link-Local Next-Hop Address
- A link-local next-hop address by itself does not tell the local router which outgoing interface to use
- ipv6 route with a global unicast address can deduce the outgoing interface from the connected route
- show ipv6 route lists the route with the next-hop address AND outgoing interface

Static Default Routes
- IPv6 routing logic:
  - With no default route, the router discards the IPv6 packet
  - With a default route, the router forwards the IPv6 packet based on the default route
- Branch routers with one WAN link use default routes:
- ::/0: address is all 0s, prefix length is 0 = matches all IPv6 addresses
- IPv6 default routes (::/0) don't have candidates (*s), and are simply added

Static IPv6 Host Routes
- Host route uses a /128 mask, identifying a single host
- Host route with the host's full address and /128 mask:

Floating Static IPv6 Routes
- Both the primary OSPF-learned link and the backup T1 link reach subnet 2001:DB8:1111:7::/64
- R1 chooses the backup T1 link over the faster primary link because:
  - AD of the OSPF-learned route is 110
  - AD of the static route is 1
  - Lowest AD (static route) gets chosen
- Floating static route: static route with an overridden default AD value
- ipv6 route 3444:4:4:4::/64 3444:2:2:2::2 130: static route does not get learnt because the OSPF-learned route's AD is lower
- show ipv6 route and show ipv6 route 3444:4:4:4::/64 list ADs:
- List of some default IPv6 administrative distance values:

Default Routes with SLAAC on Router Interfaces
- DHCP's default route mechanism => SLAAC's default route mechanism
- Step 1: ipv6 address autoconfig default on the router interface enables SLAAC and dynamic default route learning
- Step 2: R1 sends an NDP RS to ISP1 to find the prefix and default router address
- Step 3: ISP1 sends an NDP RA to R1 with the prefix and default router address
- When R1 receives the NDP RA:
  - Interface address: Builds its own interface IPv6 address using SLAAC and the prefix learned from the RA
  - Local /128 route: Adds a local (/128) route for the address
  - Connected route for prefix: Adds a connected route for the prefix learned from the RA
  - Default route: R1 adds a default route (::/0) with the next-hop address of ISP1's address, as learned in the RA
- Routing codes:
  - "ND": NDP-learned default route
  - "NDp": NDP-learned prefix
Troubleshooting Static IPv6 Routes
- Two cases:
  - Route is in the routing table, but is incorrect
  - Route is not in the routing table, but is correct
Troubleshooting Incorrect Static Routes That Appear in the IPv6 Routing Table
- If the command syntax is correct, the ipv6 route command is placed into running-config, then, if no other problem exists, IOS puts the route into the IP routing table
- Incorrect commands, such as using a local interface address as the next-hop address, are accepted and put into the IPv6 routing table
- Check for mistakes:
  - IOS would accept the command, but the route will not work

- Step 1: Prefix has a typo and doesn't match the actual prefix
- Step 2A: Neighbour link-local address is incorrect
- Step 2B: The outgoing interface is omitted (router rejects the command)
- Step 3: Next-hop router address is incorrect
- Step 4: Outgoing interface is incorrect
- IOS rejects the command if the outgoing interface is omitted and the next-hop address is a link-local address
The Static Route Does Not Appear in the IPv6 Routing Table
- IOS makes checks before adding a route:
- ipv6 route with incorrect next-hop address of R2's LAN interface:
  - Since R1 doesn't have a route to the next-hop address 2001:DB8:9:3::2, IOS does not add the route
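Added example (my own code, not the notes' or IOS's) modelling the routing-table behaviour described from Rules for Connected and Local Routes through the static-route troubleshooting above: connected and local routes from an interface address, longest-prefix lookup (so /128 host routes and ::/0 behave as described), per-prefix AD selection that keeps a floating static route out while the OSPF route exists, and the two checks that reject a link-local next hop without an interface or leave out a route whose next hop is unreachable. The addresses are the notes' 2001:db8:1111 prefix; the Serial0/0/0 link on 2001:db8:1111:4::/64 and the simplification that a next hop must lie on a connected route are my assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Route:
    code: str                                  # C connected, L local, S static, O OSPF, ND NDP default
    prefix: ipaddress.IPv6Network
    ad: int                                    # administrative distance (C/L 0, S 1, O 110, ...)
    metric: int = 0
    next_hop: Optional[ipaddress.IPv6Address] = None
    interface: Optional[str] = None


def connected_and_local(interface: str, addr_with_len: str) -> List[Route]:
    """An up/up interface with 'ipv6 address X/len' yields a C route for the prefix and an L /128 route."""
    iface = ipaddress.IPv6Interface(addr_with_len)
    return [Route("C", iface.network, 0, 0, None, interface),
            Route("L", ipaddress.IPv6Network(f"{iface.ip}/128"), 0, 0, None, interface)]


def learned_route(code: str, prefix: str, ad: int, metric: int = 0,
                  next_hop: Optional[str] = None, interface: Optional[str] = None) -> Route:
    """A route from a routing protocol, built from strings (e.g. an OSPF-learned prefix with AD 110)."""
    return Route(code, ipaddress.IPv6Network(prefix), ad, metric,
                 ipaddress.IPv6Address(next_hop) if next_hop else None, interface)


def routing_table(candidates: List[Route]) -> List[Route]:
    """Per prefix only the lowest-AD (then lowest-metric) source is installed: this is why a floating
    static route (AD 130) stays out of the table while the OSPF route (AD 110) is present."""
    best = {}
    for r in candidates:
        if r.prefix not in best or (r.ad, r.metric) < (best[r.prefix].ad, best[r.prefix].metric):
            best[r.prefix] = r
    return list(best.values())


def lookup(table: List[Route], dest: str) -> Optional[Route]:
    """show ipv6 route <addr>: longest prefix wins, so a /128 host route beats the /64 and ::/0 matches last."""
    d = ipaddress.IPv6Address(dest)
    matches = [r for r in table if d in r.prefix]
    return max(matches, key=lambda r: r.prefix.prefixlen) if matches else None


def static_route(candidates: List[Route], prefix: str, next_hop: Optional[str] = None,
                 interface: Optional[str] = None, ad: int = 1) -> Optional[Route]:
    """Model the checks the notes describe for 'ipv6 route prefix {next-hop | interface | both} [ad]'.
    Returns the candidate Route, or None when IOS rejects the command or will not add the route."""
    net = ipaddress.IPv6Network(prefix)
    nh = ipaddress.IPv6Address(next_hop) if next_hop else None
    if nh is None and interface is None:
        raise ValueError("need a next-hop address, an outgoing interface, or both")
    if nh is not None and nh.is_link_local and interface is None:
        return None                       # rejected: a link-local next hop needs the outgoing interface
    if nh is not None and not nh.is_link_local:
        via = lookup(routing_table(candidates), str(nh))
        if via is None or via.code != "C":
            return None                   # accepted into running-config but not installed (simplified
                                          # here to: the next hop must sit on a connected route)
        interface = interface or via.interface   # outgoing interface deduced from that connected route
    route = Route("S", net, ad, 0, nh, interface)
    candidates.append(route)
    return route


if __name__ == "__main__":
    rib = (connected_and_local("GigabitEthernet0/0", "2001:db8:1111:1::1/64")
           + connected_and_local("Serial0/0/0", "2001:db8:1111:4::1/64"))   # constructed R1 interfaces
    static_route(rib, "2001:db8:1111:2::/64", next_hop="2001:db8:1111:4::2")
    static_route(rib, "::/0", next_hop="2001:db8:1111:4::2")
    for r in routing_table(rib):
        print(r.code, r.prefix, r.ad, r.metric, r.next_hop, r.interface)
```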

Part VIII Revision
Key Terms You Should Know
- Chapter 28: IPv4 address exhaustion, IP version 6 (IPv6), OSPF version 3 (OSPFv3), EIGRP version 6 (EIGRPv6), Prefix, Prefix length, Quartet
- Chapter 29: Global unicast address, Global routing prefix, Unique local address, Subnet ID (prefix ID), Subnet router anycast address
- Chapter 30: Dual stacks, EUI-64, Link-local address, Link-local scope, Solicited-node multicast address, All-nodes multicast address (FF02::1), All-routers multicast address (FF02::2), Anycast address, Subnet-router anycast address (prefix)
- Chapter 31: Neighbor Discovery Protocol (NDP), Router Solicitation (RS), Router Advertisement (RA), Neighbor Solicitation (NS), Neighbor Advertisement (NA), Stateless Address Auto Configuration (SLAAC), Duplicate Address Detection (DAD), Stateful DHCPv6, Stateless DHCPv6, IPv6 neighbor table
- Chapter 32: -


Part IX - Network Device Management
Chapter 33 - Device Management Protocols
System Message Logging (Syslog)
- IOS can send syslog messages to currently-logged-in users or store them
Sending Messages in Real Time to Current Users
- Default: IOS shows log messages to console users for all severity levels of messages (logging console)
- Two-step configuration for Telnet/SSH users:
  - logging monitor: tells IOS to enable sending of log messages to all logged-in users
  - terminal monitor: tells IOS that this terminal session would like to receive log messages
- B receives syslog messages, C does not
Storing Log Messages for Later Review
- Default: IOS sends the message to the console (and terminal sessions) and discards the message
- Option 1 - Storing in RAM:
  - logging buffered: IOS stores copies of log messages in RAM
  - show logging: user can review the old log messages in RAM
- Option 2 - Storing on a syslog server:
  - Device uses UDP to send messages to the syslog server for storage
  - logging host {address | hostname}
  - User can connect to the server (typically with a GUI) and browse log messages

Log Message Format
- Format of a log message, field by field:
  - Timestamp: *Dec 18 17:10:15.079
  - Facility on the router that generated the message: %LINEPROTO
  - Severity level: 5
  - Mnemonic for the message: UPDOWN
  - Description: Line protocol on Interface FastEthernet0/0, changed state to down
- User can toggle on/off the use of timestamps (default: on)
- User can toggle on/off log message sequence numbers (default: not enabled)

Log Message Severity Levels
- IOS severity levels (lower = more severe):
- E.g. an interface failing to the physically down state: severity level 3 message
- When a severity level is set for a service, IOS sends that service messages of that severity level and more severe
- no command disables the service
Configuring and Verifying System Logging
- Both switches and routers use the same configuration:

- show logging confirms the configuration settings:
  - show logging lists severity levels by name, not number
  - Buffered log messages are listed at the end of the command output
- clear logging clears old messages
- logging buffered 4 allows only the %LINK-3-UPDOWN message to be stored in RAM
The debug Command and Log Messages
- debug remains active, even if the user logs out, until a no debug command is issued
- debug monitors RIPv2's 30-second periodic messages
- debug messages do not get stored in RAM or on the syslog server because of logging buffered warning and logging trap 4
- Telnet/SSH users need to issue terminal monitor before they can see messages
- Debug options use router CPU, and the more CLI users that receive debug messages, the more CPU is consumed
  - show process cpu: for monitoring CPU
  - Some installations choose not to include debug-level log messages for console/terminal logging, requiring users to look at the logging buffer or syslog server, to reduce router CPU load
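Added example (my own code, not from the notes) that parses the IOS log format described under Log Message Format into its fields and applies the severity rule from Log Message Severity Levels, so that a threshold of 4 keeps only level 0-4 messages the way logging buffered 4 / logging trap 4 do. The sample lines are constructed to match the format, not captured from a device; the debug line at the end shows that debug output is not in syslog format and is skipped.

```python
import re
from typing import Dict, List, Optional

# IOS severity levels; lower number = more severe. Names as 'show logging' prints them.
SEVERITY_NAMES = {0: "emergencies", 1: "alerts", 2: "critical", 3: "errors",
                  4: "warnings", 5: "notifications", 6: "informational", 7: "debugging"}

# [seq: ] [*timestamp: ] %FACILITY-SEVERITY-MNEMONIC: description
_LOG_RE = re.compile(
    r"^(?:(?P<seq>\d+): )?"
    r"(?:\*?(?P<timestamp>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}(?:\.\d{3})?): )?"
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+): "
    r"(?P<description>.*)$"
)


def parse_ios_log(line: str) -> Optional[Dict[str, object]]:
    """Split one IOS syslog line into its fields; None for lines in another format (e.g. debug output)."""
    m = _LOG_RE.match(line.strip())
    if not m:
        return None
    fields: Dict[str, object] = m.groupdict()
    fields["severity"] = int(m.group("severity"))
    fields["severity_name"] = SEVERITY_NAMES[int(m.group("severity"))]
    fields["seq"] = int(m.group("seq")) if m.group("seq") else None
    return fields


def passes_level(msg: Dict[str, object], configured_level: int) -> bool:
    """'logging buffered N' / 'logging trap N' keep level N and everything more severe (0..N)."""
    return int(msg["severity"]) <= configured_level


def stored_messages(lines: List[str], configured_level: int) -> List[str]:
    """FACILITY-SEV-MNEMONIC of each message a destination configured at configured_level would keep."""
    kept = []
    for line in lines:
        msg = parse_ios_log(line)
        if msg and passes_level(msg, configured_level):
            kept.append(f"{msg['facility']}-{msg['severity']}-{msg['mnemonic']}")
    return kept


# Constructed sample lines in the format the notes describe (not captured from a real device)
SAMPLE_LOG = [
    "*Dec 18 17:10:14.071: %LINK-3-UPDOWN: Interface FastEthernet0/0, changed state to down",
    "*Dec 18 17:10:15.079: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to down",
    "000045: *Dec 18 17:12:01.402: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 192.0.2.9] [localport: 22]",
    "*Dec 18 17:12:30.000: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (192.0.2.5)",
    "RIP: sending v2 update to 224.0.0.9 via FastEthernet0/1 (192.0.2.1)",   # debug output, not syslog format
]

if __name__ == "__main__":
    print(parse_ios_log(SAMPLE_LOG[1]))
    print("kept at level 4:", stored_messages(SAMPLE_LOG, 4))
```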

Network Time Protocol (NTP)
- NTP synchronises devices' time-of-day clocks
- If routers in different time zones are not synchronised, a user at the syslog server may experience problems:
  - Two unsynchronised timestamps cannot be related to each other
- NTP allows all devices to have the same time of day, other than differences in time zone
Setting the Time and Timezone
- NTP works best if you set the device clock to a reasonably close time before enabling the NTP client function

- clock timezone EST -5:
  - EST: can be any meaningful value
  - -5: offset from UTC
- clock summer-time EDT recurring:
  - EDT: can be any meaningful value
  - recurring: tells the router to automatically apply daylight saving
- clock set 20:52:49 21 October 2015:
  - 20:52:49: 24-hour time
  - 21 October 2015: date, month, year (in that order)
- show clock lists the current time
Implementing NTP Clients, Servers, and Client/Server Mode
- A real network would have 1 server and all others being clients
- NTP terms:
- ntp server address | hostname:
  - Tells the router to act as an NTP client, referencing the NTP server's IP address or hostname
  - Tells the router to also act as an NTP server after it has synchronised its time with some reliable source (e.g. an NTP server)
- NTP server must be a trusted clock source:
  - Purpose-built NTP servers are good sources
  - ntp master tells the router to act as an NTP server and trust its internal clock as a good clock source
- Multiple ntp server commands for redundancy:
  - Router compares stratum level (lower = better)
  - ntp master 2 > ntp master 5
- * means R1 peered with 172.16.2.2 with NTP
- show ntp status lists "unsynchronised":
  - Until the client synchronises with at least one server
  - Never, when the device is an NTP server
NTP Using a Loopback Interface for Better Availability
- If one of R4's interfaces fails, clients referencing that address:
  - Would likely still have a route to reach R4 itself
  - Would not be able to send packets to the configured address because it is down
- Loopback interfaces:
  - interface loopback number
  - Interface is not tied to any physical interface
  - Can be assigned an IP address; routing protocols can advertise the subnet; you can ping/traceroute to that address
- Loopback interfaces remain up/up as long as:

- Loopback interface address can be referenced by NTP clients

Analysing Topology Using CDP and LLDP
Examining Information Learned by CDP
- CDP discovers information about neighbouring devices by listening for the advertisements sent by other devices
- CDP discovers:
- CDP's two general roles:
  1. Provide info to devices to support some function
     - Cisco IP phones use CDP to learn the data and voice VLAN IDs on the access switch
  2. Provide info to the network engineers
     - show commands

- show cdp neighbors lists:
  - Device ID (hostname)
  - Local device's interface
  - Holdtime, capability & platform
  - Neighbouring device's interface
- show cdp neighbors detail lists more detail:
  - Full name of the switch model
  - IP address on the neighbouring device
- CDP creates a security exposure, so Cisco recommends CDP be disabled on unnecessary interfaces:
  - Any switchport connected to another switch, a router, or an IP phone should use CDP
Configuring and Verifying CDP Itself
- IOS typically enables CDP globally, and on each interface by default:
  - no cdp enable/cdp enable on interfaces
  - no cdp run/cdp run globally

Implementing Link Layer Discovery Protocol
- CDP: Cisco-proprietary Layer 2 protocol
- LLDP: IEEE-standard (802.1AB) Layer 2 protocol
- CDP and LLDP have similar command syntaxes:
  - show cdp neighbors and show lldp neighbors have "local intf" and "port ID" columns
  - lldp run: enables LLDP globally
  - lldp transmit and lldp receive: enable LLDP on interfaces (configure LLDP to only send, or only receive, messages)

Chapter 34 - Device Security Features

Securing IOS Passwords
- Best way to store passwords => AAA server
- Enable passwords:
  - To enter privileged EXEC mode
  - To connect via Telnet
  - To connect via SSH and Telnet (username & password)
- EXTRA INFO: line vty 0 4 can be used to refer to Telnet only
Encrypting Older IOS Passwords with service password-encryption
- password command stores passwords in clear text in configuration files, backups etc.
- service password-encryption encrypts:
- Configuration/verification:
  - IOS adds encryption/encoding type "7"
  - Passwords encrypted with the service password-encryption command
  - | section password-encryption lists the section on password encryption
- Encoding type "0": clear-text passwords
- no service password-encryption: the password remains encrypted until the password is changed
- service password-encryption is not effective, as the Internet has tools to decrypt it
Encoding the Enable Passwords with Hashes
- Secure replacement: enable password => enable secret
Interactions Between Enable Password and Enable Secret
- Use enable secret instead of enable password
- Rules of both commands:

Making the Enable Secret Truly Secret with a Hash
- enable secret uses MD5 (Message Digest 5) by default
- IOS compares the hashed value of the password entered at login to the enable secret value
- enable secret configuration/verification:
  - Encoding type "5": MD5 hash of the clear-text password
- no enable secret deletes the enable secret password
- Another enable secret command overwrites the old password
- | include enable secret shows output including lines with "enable secret"
Improved Hashes for Cisco's Enable Secret
- MD5 is much easier to crack now (rainbow tables)
- Two newer security hashes for passwords in router IOS images:
  - SHA-256
  - Scrypt

- Configuration of all three algorithm types:
  - Another enable secret command with a different algorithm type replaces any existing enable secret command
  - Encoding type "9": Scrypt | Encoding type "8": SHA-256
Hiding the Passwords for Local Usernames
- username name password pass: stores the password in clear text
- IOS allows:
  - Only one username command for a given username
  - Either a username password OR a username secret command
  - A mix of commands in the same router or switch
- username password is needed when the router needs to know the clear-text password for performing authentication over serial links

Cisco Device Hardening
- Device hardening: making it more difficult for attackers to gain access to the device
Configuring Login Banners
- Banner: text that appears on the screen for the user (at login)
- Banner types:
- Console, Telnet and SSH banner orders:
- banner command default is motd
- banner command uses a 'beginning delimiter character' to start and end a banner, which can be any character

Securing Unused Switch Interfaces
- Cisco recommendations to secure unused ports:
  - Administratively disable the interface using shutdown
  - Prevent VLAN trunking by making the port a nontrunking interface using switchport mode access
  - Assign the port to an unused VLAN using switchport access vlan number (blackhole VLAN)
  - Set the native VLAN to an unused VLAN using switchport trunk native vlan vlan-id
- shutdown removes the security exposure, but the others prevent any immediate problems when no shutdown is configured
Controlling Telnet and SSH Access with ACLs
- IOS can apply an ACL to inbound connections to filter host addresses
- access-class in refers to Telnet and SSH connections into this router
- access-class out filters outbound Telnet and SSH connections connecting out of the local device to another device

- Protecting inbound connections is more important
- Standard VTY ACL for outbound connections looks at the destination IP address (the device to which the telnet or ssh is trying to connect)
Firewalls
Typical Location and Uses of Firewalls
- Firewalls sit in the forwarding path of all packets so that the firewall can protect the whole network
- Firewall performs the packet filtering function with many more options, as well as other security tasks
- Enterprise with Cisco Adaptive Security Appliance (ASA) firewall:
- Firewall's logic to discard/allow a packet:
  - Like ACLs, match the source and destination IP address
  - Like ACLs, identify applications by matching their static well-known TCP/UDP ports
  - Know what additional TCP and UDP ports are used by a particular flow, and filter based on those ports
  - Match the text in the URI of an HTTP request and match patterns to decide whether to allow or deny the download of the web page identified by that URI
  - Keep state information by storing info about each packet, and make decisions about filtering future packets based on the historic state information (stateful inspection/stateful firewall)
- Routers spend as little time as possible processing each packet so that they add little delay, whereas firewalls keep stateful information used for future filtering decisions
- In a DoS attack, the attacker creates a large volume of TCP connections to the server
  - Stateful firewalls can track the number of TCP connections per second, notice that the number of requests is very large from a small number of clients, and start filtering those packets
  - A stateless firewall or router ACL cannot realise that a DoS attack is occurring
Security Zones
- Firewalls pay close attention to which host initiates communications by looking at the initial TCP segments (SYN)
- When users open web browsers, the company doesn't want unauthorised hosts to connect to the payroll server
- Security zones define which hosts can initiate new connections, and the firewall can place multiple interfaces into the same zone to have the same rules applied
- Basic firewall rule in the above security zones: allow hosts from zone inside to initiate connections to hosts in zone outside, for a predefined set of safe well-known ports (e.g. HTTP)
- Firewalls typically disallow all traffic unless a rule specifically allows the packet
- Demilitarised Zone (DMZ): firewall security zone used to place servers that need to be available for use by users in the public Internet
- Firewall needs another rule so that users in zone outside can initiate connections to web servers in the DMZ

- Enterprise can prevent Internet users from attempting to connect to internal devices in zone inside, preventing many types of attacks
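The zone rules and stateful tracking described above, modelled in Python as an added example (this is not code from the notes or from any Cisco product): the zone networks, the allowed port sets, the addresses and the per-second SYN limit are all constructed values chosen for the illustration.

```python
import ipaddress
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed zone map for the topology in the notes: inside hosts, a DMZ
# holding the public web server, and everything else treated as outside.
ZONES = {
    "inside": ipaddress.ip_network("10.1.0.0/16"),
    "dmz": ipaddress.ip_network("192.0.2.0/24"),
}

# Zone-pair rules: which zone may initiate connections to which, and on
# which destination ports (the "predefined set of safe well-known ports").
# Pairs not listed, such as outside -> inside, are denied.
RULES = {
    ("inside", "outside"): {80, 443, 53},
    ("inside", "dmz"): {80, 443, 22},
    ("outside", "dmz"): {80, 443},
}

def zone_of(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "outside"

@dataclass
class StatefulFirewall:
    syn_rate_limit: int = 100                      # new connections per second per source
    flows: set = field(default_factory=set)        # permitted 4-tuples (the state table)
    syn_counts: dict = field(default_factory=lambda: defaultdict(int))
    flagged: set = field(default_factory=set)      # sources that exceeded the SYN rate

    def check(self, pkt: dict) -> str:
        """Return 'permit' or 'deny' for one TCP packet described as a dict with
        keys src, dst, sport, dport, flags (set of TCP flag names) and ts (int seconds)."""
        fwd = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        rev = (pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])
        # Packets of an already-permitted flow pass in both directions; this is
        # what lets the SYN-ACK from outside come back in without an inbound rule.
        if fwd in self.flows or rev in self.flows:
            return "permit"
        # Anything else must be a fresh connection attempt: a bare SYN.
        if pkt["flags"] != {"SYN"}:
            return "deny"
        allowed = RULES.get((zone_of(pkt["src"]), zone_of(pkt["dst"])), set())
        if pkt["dport"] not in allowed:
            return "deny"
        # Count SYNs per source per second so a flood from few clients stands out.
        key = (pkt["src"], pkt["ts"])
        self.syn_counts[key] += 1
        if self.syn_counts[key] > self.syn_rate_limit:
            self.flagged.add(pkt["src"])
        if pkt["src"] in self.flagged:
            return "deny"
        self.flows.add(fwd)
        return "permit"

def run_scenario() -> dict:
    """Walk the firewall through constructed packets covering each rule in the notes."""
    fw = StatefulFirewall(syn_rate_limit=5)

    def tcp(src, dst, sport, dport, flags, ts=0):
        return fw.check(dict(src=src, dst=dst, sport=sport, dport=dport, flags=set(flags), ts=ts))

    out = {}
    # Inside client opens HTTP to an Internet host; the reply is only permitted
    # because the firewall remembers the flow the inside host initiated.
    out["inside_syn"] = tcp("10.1.5.7", "203.0.113.9", 40000, 80, ["SYN"])
    out["return_synack"] = tcp("203.0.113.9", "10.1.5.7", 80, 40000, ["SYN", "ACK"])
    # Internet host tries to open a connection to the payroll server inside.
    out["outside_to_inside"] = tcp("203.0.113.9", "10.1.9.9", 5000, 443, ["SYN"])
    # Internet host to the DMZ web server: permitted on 80, not on 22.
    out["outside_to_dmz_http"] = tcp("203.0.113.9", "192.0.2.10", 5001, 80, ["SYN"])
    out["outside_to_dmz_ssh"] = tcp("203.0.113.9", "192.0.2.10", 5002, 22, ["SYN"])
    # A stray ACK with no known flow is dropped; a stateless ACL that matches
    # "established" traffic by flags alone would have let it through.
    out["stray_ack"] = tcp("198.51.100.3", "192.0.2.10", 6000, 80, ["ACK"], ts=1)
    # One source opens eight connections to the DMZ within the same second.
    verdicts = [tcp("198.51.100.4", "192.0.2.10", 7000 + i, 80, ["SYN"], ts=2) for i in range(8)]
    out["flood_permits"] = verdicts.count("permit")
    out["flood_source_flagged"] = "198.51.100.4" in fw.flagged
    return out
```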

Chapter 35 - Managing IOS Files

Managing Cisco IOS Images and Upgrades
- IOS = a single file that the router loads into RAM to use as its OS

The IOS File System
- File system: storage including directories, structure and filenames, with associated rules
- Cisco routers typically use flash memory (including USB flash)
- For each physical memory device in the router, IOS creates an IFS (IOS file system)
- Disk and usbflash are the physical storage devices in that router
- IFS types:
  - Opaque: logical internal file systems
  - Network: external file systems found on different types of servers
  - Disk: for flash
  - Usbflash: for a USB flash drive
  - NVRAM: a special type of nonvolatile memory, the default location of startup-config
- Use of formal names:
  - more flash0:/wotemp/fred displays the content of file fred in directory /wotemp
- Use of keywords:
  - show running-config refers to file system:running-config
  - show startup-config refers to file nvram:startup-config
  - show flash refers to the default flash IFS (usually flash0:)

Upgrading IOS Images
- The new IOS image can be in a local physical file system or on an external server
- Process to upgrade an IOS image into flash memory:
  - Step 1: Obtain the IOS image from Cisco by downloading it from cisco.com using HTTP or FTP
  - Step 2: Place the IOS image somewhere the router can reach (TFTP/FTP server, USB flash drive)
  - Step 3: Issue the copy command from the router, copying the file into the flash memory that usually remains with the router on a permanent basis (a router usually can't boot from an IOS image on a USB flash drive)

Copying a New IOS Image to a Local IOS File System Using TFTP
- R2 (2901) copying an IOS image from the TFTP server at IP address 2.2.2.1:
- The copy command asks and checks:
  1. What is the IP address or hostname of the TFTP server?
  2. What is the name of the file?
  3. Ask the server to learn the size of the file, and then check the local router's flash to see whether enough space is available for this file in flash memory
  4. Does the server actually have a file by that name?
  5. Do you want the router to erase any old files in flash?
- Press Enter for the default answer => erases flash memory if directed => copies the file => verifies the checksum
- show flash shows the files in the default flash file system (flash0:)
- dir flash0: lists the contents of the same file system, with similar information
- show flash lists bytes used; dir lists total bytes (bytes used + bytes free)

EXTRA INFO: Components of the filename C1900-universalk9-mz.SPA.152-4.M3.bin
- C1900: the hardware this image runs on (Cisco 1900 router)
- universalk9: image designation (universalk9 contains strong encryption, which can only be used in some countries)
- m: memory location where the image runs (m = RAM)
- z: compression format (z = zip)
- SPA: digital signature indicator (the file is digitally signed by Cisco)
- 15: major release (IOS Release 15)
- 2: minor release
- 4: maintenance release (new features)
- M: extended maintenance release
- 3: maintenance rebuild
- .bin: file extension (binary executable file)

Verifying IOS Code Integrity with MD5
- Cisco publishes an MD5 hash value for the entire IOS file
- The verify /md5 command computes the hash of the file in the router's flash and compares it with Cisco's published hash value
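As an added example (not from the notes or from Cisco), the two checks a practitioner makes before copying an image: breaking the filename into the components listed above, and comparing the local file's MD5 with the published value, as verify /md5 does on the router. The filename pattern is an assumption that fits the two image names quoted in these notes, and the demo uses an empty stand-in file rather than a real IOS image.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Assumed pattern for the classic IOS image name the notes break down,
# e.g. C1900-universalk9-mz.SPA.152-4.M3.bin (the SPA part is optional).
IMAGE_NAME_RE = re.compile(
    r"^(?P<platform>[A-Za-z0-9]+)-(?P<feature_set>[a-z0-9]+)-"
    r"(?P<memory>[a-z])(?P<compression>[a-z])\."
    r"(?:(?P<signed>SPA)\.)?"
    r"(?P<major>\d{1,2})(?P<minor>\d)-(?P<maint>\d+)\."
    r"(?P<train>[A-Z]+)(?P<rebuild>\d+)?\.(?P<ext>bin)$"
)
MEMORY_CODES = {"m": "RAM"}          # the code the notes explain
COMPRESSION_CODES = {"z": "zip"}

def parse_image_name(filename: str) -> dict:
    """Break an IOS image filename into the components listed in the notes."""
    m = IMAGE_NAME_RE.match(filename)
    if not m:
        raise ValueError(f"not a recognised IOS image name: {filename}")
    g = m.groupdict()
    return {
        "platform": g["platform"],
        "feature_set": g["feature_set"],
        "strong_crypto": g["feature_set"].endswith("k9"),   # k9 = strong encryption build
        "runs_from": MEMORY_CODES.get(g["memory"], g["memory"]),
        "compression": COMPRESSION_CODES.get(g["compression"], g["compression"]),
        "signed": g["signed"] == "SPA",
        "release": f"{g['major']}.{g['minor']}({g['maint']}){g['train']}{g['rebuild'] or ''}",
        "extension": g["ext"],
    }

def md5_of_file(path) -> str:
    """Hash the file in 1 MiB chunks so a large image never has to fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def verify_image(path, published_md5: str) -> dict:
    """Equivalent of 'verify /md5 flash0:<file> <hash>': hash the local copy and
    compare it with the value Cisco publishes, alongside the parsed name."""
    info = parse_image_name(Path(path).name)
    info["md5"] = md5_of_file(path)
    info["md5_matches"] = info["md5"].lower() == published_md5.strip().lower()
    return info

def demo() -> dict:
    """Constructed demo: write an empty stand-in 'image' to a temporary directory
    and verify it against the MD5 of empty input, then against a wrong hash."""
    with tempfile.TemporaryDirectory() as d:
        path = Path(d) / "C1900-universalk9-mz.SPA.152-4.M3.bin"
        path.write_bytes(b"")
        good = verify_image(path, "d41d8cd98f00b204e9800998ecf8427e")
        bad = verify_image(path, "0" * 32)
    return {"good": good["md5_matches"], "bad": bad["md5_matches"],
            "release": good["release"], "signed": good["signed"]}

if __name__ == "__main__":
    print(parse_image_name("C1900-universalk9-mz.SPA.152-4.M3.bin"))
    print(demo())
```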

Copying Images with FTP
- List of file transfer protocols:
- Copying files with FTP: copy ftp flash
- copy can use a URI for the source/destination; the URI refers to the formal name of the file in the IFS
- copy ftp://wendell:<password>@192.168.1.170/c2900-universalk9-mz.SPA.155-2.T1.bin flash
  - Format: protocol://username:password@FTP-server's-IP-address/filename
  - Source (URI) first, then destination flash (flash0:)
- Configuring the FTP username/password so they do not have to be included in the copy command:
  - ip ftp username name
  - ip ftp password pass
  - => copy ftp://192.168.1.170/...

Copying Images with SCP
- SCP requires the router to be configured as an SCP server and the desktop computer to use an SCP client to transfer files
- SCP uses SSH to:
  - Authenticate the user
  - Encrypt all data transfer
- Configuring the SCP server on a router:
  - ERRATA: username fred privilege-level 15 password barney is WRONG
  - Correct command => username fred privilege 15 password barney
- Privilege level 15: enable mode (highest privilege level)
- Command-line SCP file copy with scp:
  - Source (second parameter) is the filename; destination (third parameter) is the full URI
- The user must reload the router to start using the new IOS copied into a local IOS file system

The Cisco IOS Software Boot Sequence
- A router can have multiple IOS images available, so it picks which image to load into RAM and use
- ROMMON (special-purpose OS) is used for password recovery and can send and receive packets to load a new IOS, but does not route packets
- RXBOOT: very old special-purpose OS
- Four steps when the router first powers on or is reloaded:
  - If either of the first two steps fails, call the Cisco Technical Assistance Centre (TAC)
  - Steps 3 and 4 are configurable:
  - Step 4: Routers almost always load the configuration from NVRAM (startup-config)

The Configuration Register
- Routers use the configuration register to find some settings at boot time, before the router loads IOS and reads the startup-config file (16 bits, 4 hex digits)
- Console speed (default 9600 bps), which IOS to load, etc. can be configured in the configuration register
- config-register sets the configuration register for the next time the router is reloaded
- config-register 0x2100 causes the router to load the ROMMON OS rather than IOS
- The router automatically saves config-register in startup-config
- Default configuration register: 0x2102

How a Router Chooses Which OS to Load
- The router chooses the OS to load based on:
  - The last hex digit in the configuration register (called the boot field)
  - Any boot system commands in startup-config
- Cisco represents hexadecimal values by preceding the hex digits with 0x (e.g. 0xAB)
- Process to choose which OS to load:
  - boot system points to files in flash memory, filenames, or IP addresses of servers, telling the router where to look for an IOS image to load
  - boot system can be configured multiple times, and each command is added to the end of a list
  - The router tries to load IOS images in the order of the configured boot system commands
  - Routers number the files in flash memory and load the IOS file with the lowest number (the first file found in memory)
  - Most routers use step 3B because the default configuration register is 0x2102 and the router has a single IOS file in flash by factory default
  - Routers consider one flash file system to be the default IFS in which to look for IOS images
- boot system commands:
  - After an upgraded IOS is copied into flash, boot system needs to refer to the new file; save the configuration and reload the router to boot the new IOS image

Verifying the IOS Image Using the show version Command
- show version lists the version of the software, the source from which the router found the IOS image, etc.
- show version lists (in order):
  1. IOS version
  2. Uptime (time that has passed since the last reload)
  3. Reason for the last reload of IOS (reload command, power off/on, software failure)
  4. Time of last loading of IOS (if the router's clock is set)
  5. Source from which the router loaded the current IOS
  6. Amount of RAM memory
  7. Number and types of interfaces
  8. Amount of NVRAM memory
  9. Amount of flash memory
  10. Configuration register's current and future setting (if different)

Password Recovery
- If connected to the router console, anyone can reset all the passwords on the router to new values
- Cisco refers to the topic as password recovery, but you actually change the password to a new value

The General Ideas Behind Cisco Password Recovery/Reset
- If the router boots while ignoring the initial configuration (startup-config), the router has no passwords
- Ignore-configuration bit (second bit of the third nibble [hex digit]): if binary 1, the router ignores startup-config the next time the router is loaded (0x2102 => 0x2142)
- ROMMON has the confreg command to set the configuration register
- Press the break key at the console during boot of the router OR remove all flash memory
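An added Python example (not from the notes) that decodes the configuration register fields discussed in the last three sections, applies the boot-field rules to a list of boot system commands and flash files, and audits the last line of show version for the ignore-config bit that password recovery leaves behind. The bit positions are the documented ones for 0x2102 and 0x2142; the flash file order and the ROMMON fallback when nothing is found are assumptions for the model.

```python
import re

# Fields of the 16-bit configuration register covered in the notes.
# 0x2102 (default) has bits 13, 8 and 1 set; 0x2142 additionally sets bit 6.
BOOT_FIELD_MASK = 0x000F            # low hex digit: where to find the OS
IGNORE_CONFIG_BIT = 0x0040          # bit 6: boot while ignoring startup-config
BREAK_DISABLED_BIT = 0x0100         # bit 8: ignore the Break key after boot
BOOT_ROM_IF_NETBOOT_FAILS = 0x2000  # bit 13: fall back to ROM software if a network boot fails

# Last line of show version, e.g.
# "Configuration register is 0x2142 (will be 0x2102 at next reload)"
SHOW_VERSION_RE = re.compile(
    r"Configuration register is (0x[0-9A-Fa-f]{1,4})"
    r"(?: \(will be (0x[0-9A-Fa-f]{1,4}) at next reload\))?"
)

def decode_config_register(value: int) -> dict:
    """Split a configuration register value into the fields the notes describe."""
    if not 0 <= value <= 0xFFFF:
        raise ValueError("configuration register is a 16-bit value")
    return {
        "boot_field": value & BOOT_FIELD_MASK,
        "ignore_startup_config": bool(value & IGNORE_CONFIG_BIT),
        "break_disabled": bool(value & BREAK_DISABLED_BIT),
        "rom_fallback": bool(value & BOOT_ROM_IF_NETBOOT_FAILS),
    }

def boot_plan(config_register: int, boot_system_cmds: list, flash_files: list) -> list:
    """Ordered list of what the router will try, following the boot-field rules in
    the notes: 0 -> ROMMON; 1 -> first file in flash; 2-F -> each boot system
    command in order, then the first file in flash (ROMMON if nothing is found).
    flash_files is assumed to be in the router's own file-number order."""
    boot_field = config_register & BOOT_FIELD_MASK
    if boot_field == 0:
        return ["ROMMON"]
    first_in_flash = [f"flash0:{flash_files[0]}"] if flash_files else []
    if boot_field == 1:
        return first_in_flash or ["ROMMON"]
    from_commands = [cmd.split(None, 2)[2] for cmd in boot_system_cmds
                     if cmd.startswith("boot system ")]
    return (from_commands + first_in_flash) or ["ROMMON"]

def parse_show_version_register(line: str) -> tuple:
    """Return (current value, value at next reload) from the show version line."""
    m = SHOW_VERSION_RE.search(line)
    if not m:
        raise ValueError("no configuration register line found")
    current = int(m.group(1), 16)
    future = int(m.group(2), 16) if m.group(2) else current
    return current, future

def audit_register(line: str) -> list:
    """Findings worth raising from one show version line: the ignore-config bit
    left set (the router boots without its passwords and ACLs), a pending
    change, or a boot field that will leave the router in ROMMON."""
    current, future = parse_show_version_register(line)
    findings = []
    if decode_config_register(current)["ignore_startup_config"]:
        findings.append("ignore-config bit set: startup-config (and its passwords) is being ignored")
    if decode_config_register(future)["ignore_startup_config"]:
        findings.append("ignore-config bit will be set at next reload")
    if future != current:
        findings.append(f"register changes from {current:#06x} to {future:#06x} at next reload")
    if (future & BOOT_FIELD_MASK) == 0:
        findings.append("boot field 0: router will stop in ROMMON at next reload")
    return findings

if __name__ == "__main__":
    print(decode_config_register(0x2142))
    print(boot_plan(0x2102, ["boot system flash0:new.bin"], ["old.bin", "new.bin"]))
    print(audit_register("Configuration register is 0x2142 (will be 0x2102 at next reload)"))
```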

A Specific Password Reset Example
- Sample password recovery/reset on a 2901 router:

- Use copy startup-config running-config to restore the ignored startup-config, and put the configuration register value back to its normal value (usually 0x2102)
- Using copy running-config startup-config instead could result in shut down interfaces, so check the interfaces and no shutdown any that are down

Managing Configuration Files

Copying and Erasing Configuration Files
- Configuration files can be copied with TFTP, FTP or SCP, or to a removable USB flash drive
- A centralised server is better than USB drives when there are thousands of devices

Traditional Configuration Backup and Restore with the copy Command
- When any file is copied into the running-config file in RAM with copy, the file is merged into the old configuration rather than replacing it (with some exceptions)
- E.g. a new ip address command replaces the old value of the address, but access-list commands are added to the existing ACLs, creating a different configuration
- In the example, the commands shown in red are the configuration that was added
- Because of this defect of copying configurations into the running-config file, the restore process avoids using copy into running-config
- Complete process to back up and restore configurations using copy:
  - Instead of copy tftp running-config, use copy tftp startup-config followed by reload, so that the startup-config file is restored and reloading the router replaces the running-config with the startup-config, with no merge defects

Alternatives for Configuration Backup and Restore
- Cisco's two improvements to backup and restore:
  - An archive is defined by when to automatically save the configuration and where to save it
  - configure replace allows the user to copy a configuration archive into the running-config file so that it completely replaces the running-config file
- The ACL and hostname configured after the archive was taken with archive config are removed after configure replace

Erasing Configuration Files
- Three commands to erase the startup-config file in NVRAM:
  - write erase (older)
  - erase startup-config (older)
  - erase nvram: (more recent and recommended)
- To clear out the running-config file, erase the startup-config file, then reload so that the router loads an empty startup-config file into the running-config

Initial Configuration (Setup Mode)
- Two primary methods of giving a router/switch an initial basic configuration:
  - Configuration mode
  - Setup mode
- Two ways of getting into setup mode:
  - If the router boots with no initial configuration, the router asks if the user wants to enter the "initial configuration dialogue", a.k.a. setup mode
  - Use the setup command from privileged EXEC mode
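The merge defect of copying into running-config versus the full replacement of configure replace, shown with an added Python model (not code from the notes or from IOS). The model is a simplification: only a few commands are treated as single-value settings that replace their predecessor, everything else accumulates, and the sample backup and running configurations are constructed for the illustration.

```python
# Single-value commands: a new instance replaces the old one in the same context.
# (Assumed subset; real IOS decides this per command.)
REPLACE_PREFIXES = ("hostname", "ip address", "description", "enable secret",
                    "ip default-gateway")

def parse_config(text: str) -> list:
    """Turn IOS-style config text into (context, command) pairs. Context is ""
    for global commands or the 'interface ...' line for interface subcommands."""
    entries, ctx = [], ""
    for raw in text.strip().splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue
        if line.startswith(" "):
            entries.append((ctx, line.strip()))
        elif line.startswith("interface "):
            ctx = line
        else:
            ctx = ""
            entries.append(("", line))
    return entries

def _key(cmd: str) -> str:
    for prefix in REPLACE_PREFIXES:
        if cmd == prefix or cmd.startswith(prefix + " "):
            return prefix
    return cmd          # additive commands (access-list lines etc.) keyed by full text

def merge_into_running(running: list, incoming: list) -> list:
    """Model of 'copy <file> running-config': each incoming command is applied on
    top of the current configuration, so single-value settings are replaced but
    list-type commands such as access-list lines accumulate."""
    result = list(running)
    for ctx, cmd in incoming:
        key = _key(cmd)
        if key != cmd:
            result = [e for e in result if not (e[0] == ctx and _key(e[1]) == key)]
        if (ctx, cmd) not in result:
            result.append((ctx, cmd))
    return result

def configure_replace(running: list, archived: list) -> list:
    """Model of 'configure replace': the archive becomes the whole running-config."""
    return list(archived)

def render(entries: list) -> str:
    """Render entries back as config text, grouping interface subcommands."""
    contexts = []
    for ctx, _ in entries:
        if ctx not in contexts:
            contexts.append(ctx)
    lines = []
    for ctx in contexts:
        if ctx:
            lines.append(ctx)
        lines.extend((" " if ctx else "") + cmd for c, cmd in entries if c == ctx)
    return "\n".join(lines)

# Constructed sample: the backup taken earlier, and the running-config after
# someone changed the hostname, re-addressed G0/0 and added a 'deny any' line.
BACKUP = """
hostname R1
interface GigabitEthernet0/0
 ip address 10.1.1.1 255.255.255.0
 description LAN
access-list 1 permit 10.1.1.0 0.0.0.255
"""
RUNNING = """
hostname R1-temp
interface GigabitEthernet0/0
 ip address 10.1.1.2 255.255.255.0
 description LAN
access-list 1 deny any
"""

def demo() -> dict:
    backup, running = parse_config(BACKUP), parse_config(RUNNING)
    merged = merge_into_running(running, backup)
    replaced = configure_replace(running, backup)
    return {
        "merged_hostname": next(c for _, c in merged if c.startswith("hostname")),
        "merged_g00_ip": next(c for ctx, c in merged if ctx and c.startswith("ip address")),
        # The restored permit line is appended after the stray 'deny any', so the
        # ACL now denies everything: the merge silently changes its meaning.
        "merged_acl": [c for _, c in merged if c.startswith("access-list 1")],
        "replaced_matches_backup": replaced == backup,
        "merged_matches_backup": merged == backup,
    }

if __name__ == "__main__":
    print(render(merge_into_running(parse_config(RUNNING), parse_config(BACKUP))))
    print(demo())
```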

Chapter 36 - IOS License Management

IOS Packaging
- IOS is a single file that is copied onto the flash memory on the router

IOS Images per Model, Series and per Software Version/Release
- From the 1980s to the late 2000s, Cisco created each IOS image for a particular router model, version and release, and feature set
- Cisco needed different IOS images for different router models or router families because of hardware differences (e.g. different processors, types of interface cards)
- Cisco needed different IOS images for each new version/release of Cisco IOS software:
  - Major revisions to the software => version
  - Smaller changes to IOS => release
- To move to a new release/version, you need a whole new IOS file and must install it
- Routers had different IOS images for each router model/model series and version/release

Original Packaging: One IOS Image per Feature Set Combination
- Feature set: a group of related IOS features (e.g. voice, security [e.g. IPS {Intrusion Prevention System}])
- Cisco created one image for each combination of IOS feature sets
- All images have the same basic IP functions; some have additional features
- If you needed the security feature, you could opt for one of the four images
- More feature sets = higher price

New IOS Packaging: One Universal Image with All Feature Sets
- The universal image has all feature sets, which can be enabled later
- The universal image has all the feature sets a router model supports

IOS Software Activation with Universal Images
- Until the late 2000s, Cisco permitted anyone to download any IOS image for any Cisco router
- The user had to agree to the policy, and there was no mechanism to confirm that the person installing the IOS file had the right to do so
- Customers could obtain new versions without paying for them separately through a Cisco service agreement (SMARTnet)
- In the late 2000s, Cisco introduced a process that verified the rights of the user
- Cisco checks the user's rights by looking at their profile, which lists a company, and checks whether the company has paid for a current service agreement
- The user must use the software activation process to unlock the feature sets in the universal image
- Three major goals for the software activation process:
  - Automatically enables IP Base: the router arrives from Cisco with the IP Base feature set already enabled and activated (no further action required)
  - Enables other feature sets: the network engineer must enable additional feature sets
  - Verifies legal rights: the process checks and confirms that the customer has paid for the right to use that feature set on that router
- IP Base is enabled already, with a license key for that feature already installed on the router
- Feature sets with the most significant set of features => technology packages:

The Future: Cisco ONE Licensing
- Removes the per-device effort to add and remove licenses
- The process just checks that the company has rights to the feature sets
- If you upgrade to a new router model, you still have the rights to use the feature set from before, unlike the current licensing, which is tied to the hardware

Managing Software Activation with Cisco License Manager
- Cisco License Manager (CLM) is used to manage Cisco licenses. The CLM:
  - Communicates with Cisco's Product License Registration Portal over the Internet
  - Takes as input information about feature licenses purchased from any Cisco reseller
  - Communicates with the company's routers/switches to install license keys, enabling features on the correct devices
- CLM tracks the licensing information with an easy-to-use GUI

Manually Activating Software Using Licenses
- You can manually do the process that CLM does for you
- Each router model that supports software licensing has a UDI (Unique Device Identifier)
- UDI = PID (Product ID) + SN (Serial Number)
- show license udi shows the PID, SN and UDI
- PAK (Product Authorisation Key) provides proof that you paid for a license
- The license key file can be acquired by entering the UDI and PAK at the Cisco Product License Registration Portal
- Summary of the first three steps:
  - Step 1: At the Cisco Product License Registration Portal (www.cisco.com/go/license), input the UDI from show license udi
  - Step 2: At the same portal, type in the PAK for the license
  - Step 3: Copy the license key file from the portal
- Copy the license key file to a USB flash drive or to a TFTP, FTP or HTTP server
- Summary of steps (continued):
  - Step 4: Make the file available to the router via USB or some network server
  - Step 5: Issue license install url | filename to install the license key file into the router
  - Step 6: Reload the router to pick up the changes

Example of Manually Activating a License

Showing the Current License Status
- R1 (2901 router) has only the IP Base feature enabled:
- IP Base is enabled permanently, and the Security, UC and Data licenses are listed as Not Activated
- show license lists longer status information than show version and show license feature
- show license feature lists one line of information per feature
- show version lists license information for the main technology feature packages at the end

Adding a Permanent Technology Package License
- Final steps to install the license file on router R1, which has completed Steps 1 through 4:
- Verifying the status of the Data feature set after reload:

Right-to-Use Licenses
- Customers who want to test a router feature before buying can enable most features for a 60-day evaluation period, after which the feature stays enabled, with no time limit
- A right-to-use license does not require a PAK and uses the license boot module command
- Process to add the Security feature to R1 as a right-to-use evaluation license:
- After a reload, the feature set is available
- Output of show license after the right-to-use license:
- "Period left" is set to 60 days and counts down to 0, after which it converts to a lifetime period

Part XI Revision

Key Terms You Should Know
- Chapter 33: Log message, Syslog server, Network Time Protocol (NTP), NTP client, NTP client/server mode, NTP server, NTP synchronisation, CDP, LLDP
- Chapter 34: Telnet, SSH, Local username, Login banner, Message of the day (MOTD), MD5 hash, Device hardening
- Chapter 35: Boot field, Configuration register, IOS image, ROMMON, Startup-config file, Running-config file, Setup mode, IOS, ROM, Flash memory, NVRAM, IOS File System (IFS), Code integrity, Configuration archive, Secure Copy Protocol (SCP)
- Chapter 36: IOS feature set, Universal image, Product Authorisation Key (PAK), Unique Device Identifier (UDI)

Commands List Command Name

Mode/Submode

Command Description

line console 0

Global configuration mode

login

Line (console and vty) configuration mode Line (console and vty) configuration mode

Changes context to console configuratio n mode Tells IOS to prompt for a password.

password pass-value

Sets password for login if login is configured

Command Parameters

password hello

Comma nd Abbrevi ations line con 0

interface type portnumber

Global configuration mode

hostname name

Global configuration mode Configuration mode

exit

end

Configuration mode

Ctrl + Z

Two-key combination/co nfiguration mode Privileged EXEC mode

no debug all undebug all reload copy runningconfig startupconfig copy startupconfig runningconfig show runningconfig 1. write erase 2. erase startupconfig

Privileged EXEC mode Privileged EXEC mode

Privileged EXEC mode

User EXEC mode Privileged EXEC mode

Changes context to interface mode Sets the switch's hostname Moves back to next higher configuratio n mode Exits configuratio n mode and returns to enable mode from any submodes. = end

Disable all currently enabled debugs. Reboot. Saves active config to startupconfig Merges startupconfig with currently active config file in RAM. Lists runningconfig file. Erase the startupconfig file.

interface FastEthernet 0/1

hostname chris

int type portnumber

3. erase nvram: quit

User EXEC mode

show startupconfig enable

User EXEC mode

disable

Privileged EXEC mode

configure terminal

Privileged EXEC mode

show mac addresstable

User EXEC mode

show mac addresstable dynamic

User EXEC mode

show mac addresstable dynamic vlan vlanid show mac addresstable dynamic address MACaddress show mac addresstable dynamic

User EXEC mode

User EXEC mode

User EXEC mode

User EXEC mode

Disconnects user from CLI session. Lists startupconfig file. Moves user to enable mode and if configured, prompts for a password. Moves user from enable mode to user mode. Moves user into configuratio n mode. Shows all MAC table entries of all types Shows all dynamically learned MAC table entries Shows all dynamically learned MAC table entries in that VLAN Shows the dynamically learned MAC table entries with that MAC address Shows all dynamically learned MAC table

show mac address-table dynamic vlan 1

show mac address-table dynamic address 0200.2222.2222

show mac address-table dynamic interface fastEthernet 0/1

interface interface id

show mac addresstable count

User EXEC mode

show mac addresstable aging-time

User EXEC mode

clear mac addresstable dynamic

Privileged EXEC mode

show interfaces status

User EXEC mode

show interfaces interface id

User EXEC mode

show interfaces interface id status

User EXEC mode

show interfaces interface id counters

User EXEC mode

entries associated with that interface Shows the number of entries in the MAC table, and the remaining empty slots Shows the global and per-VLAN aging timeout Empties the MAC table of all dynamic entries Lists basic status and operating information as a single line for each interface Displays a detailed set of messages about the interface Lists status of interface in a single line of output Lists statistics about incoming and outcoming frame on the interfaces

show int status

show interfaces f0/1

show int interfac e id

show interfaces f0/1 status

show int interfac e id status show int interfac e id counter s

show interfaces f0/1 counters

Changes context to vty configuratio n mode for the range of vty lines listed login local Console and vty Tells IOS to configuration prompt for a mode username and password, to be checked against local configuratio n Global Defines username name configuration username secret pass- mode and value password Creates and crypto key Global configuration stores (in generate mode hidden rsa [modulus location in 360..2048] flash memory) keys required by SSH (at least 768-bit required for SSHv2) Vty line Defines transport configuration whether input (telnet | ssh mode Telnet/SSH | all (telnet access is ssh) | none) allowed Global Changes interface configuration context to vlan number mode VLAN interface mode ip address VLAN interface Statistically ip-address mode configures subnetswitch's IP mask address and mask line vty 1st-vty lastvty

Privileged EXEC mode

line vty 0 15

username chris secret cisco

crypto key generate rsa modulus 1024

transport input ssh

interface vlan 1

ip address 192.168.10.1 255.255.255.0

int vlan number

VLAN interface Configures mode switch as DHCP client to discover its IPv4 address, mask & default gateway Configures ip default- Global configuration switch's gateway address mode default gateway IPv4 address (if no DHCP) Global Configures ip nameconfiguration IPv4 server server-ip-1 mode addresses of server-ipDNS servers, 2 ... so any commands will use DNS for name resolution Global Sets enable enable secret pass- configuration mode value mode password Defines history size Line length configuration number of mode commands held in the history buffer Console or vty Tells IOS to logging send syslogs synchrono configuration mode to user at us natural break points between commands [no] Global Disables/ena configuration bles display logging mode of log console messages to console ip address dhcp

ip default-gateway 192.168.1.1

ip name-server 192.168.1.1

enable secret cisco

history size 20

exectimeout minutes [seconds] show runningconfig | begin line vty

Console or vty configuration mode

Sets the inactivity timeout

Privileged EXEC mode

show dhcp lease

Privileged EXEC mode

show crypto key mypubkey rsa

User EXEC mode

Lists runningconfig beginning with the first line that contains the text line vty Lists information the switch acquires as a DHCP client (IP address, subnet mask, default gateway) Lists public and shared key created for SSH using crypto key generate rsa Lists status information for the SSH server Lists status information for current SSH connections into and out of switch Lists the show interfaces vlan 1 interface status, switch's IPv4 address and mask etc. Lists switch's setting for IPv4 default gateway

show ip ssh User EXEC mode

show ssh

User EXEC mode

show interfaces vlan number

User EXEC mode

show ip defaultgateway

Privileged EXEC mode

exec-timeout 3 0

show int vlan number

User EXEC terminal history size mode x

show history

User EXEC mode

interface range type portnumber end-portnumber [no] shutdown

Global configuration mode

speed {10 | 100 | 1000 | auto}

Interface configuration mode Interface configuration mode

duplex {auto | full | half}

Interface configuration mode

description text

Interface configuration mode

no duplex

Interface configuration mode

no speed

Interface configuration mode

Changes terminal length of history size 15 history buffer for the current user of the current login session to switch Lists the commands in the current history buffer The subcommand s that follow apply to all interfaces in the range Disables or enables the interface Manually sets the speed of the interface Manually sets the duplex of the interface Defines any information text that the engineer wants to track for the interface Sets duplex to default settings = duplex auto Sets speed to default settings = speed auto

interface range FastEthernet 0/1 - 24

no shutdown

speed auto

duplex full

description link to R1

no description switchport mode {access | trunk}

Interface configuration mode Interface configuration mode

switchport portsecurity macaddress macaddress

Interface configuration mode

switchport portsecurity macaddress sticky

Interface configuration mode

switchport portsecurity maximum value

Interface configuration mode

switchport portsecurity violation {protect | restrict | shutdown} show runningconfig | interface type number

Interface configuration mode

Privileged EXEC mode

Does not set description text Tells the switch to be an access port or a trunk port Statically adds a specific MAC address as an allowed MAC address on the interface Tells switch to learn MAC addresses on the interface and add them as secure MAC addresses Sets the maximum number of static secure MAC addresses that can be assigned to a single interface Tells switch what to do if inappropriate MAC address tries to access network Displays listed interface and its subcommand s in the

switchport mode access

switchport port-security macaddress 0200.1111.1111

switchport port-security maximum 10

switchport port-security violation protect

show running-config | interface F0/2

runningconfig file Lists MAC addresses defined or learned on ports configured with port security Lists static MAC addresses and learned/defin ed MAC addresses with port security Lists interface's port security configuratio n settings and security operational status Lists port security settings for any interface on which is enabled (1 per line)

show mac addresstable secure [interface type number]

Privileged EXEC mode

show mac addresstable static [interface type number]

Privileged EXEC mode

show portsecurity interface type number

Privileged EXEC mode

show portsecurity

Privileged EXEC mode

switchport access vlan vlan-id

Interface configuration mode

Statically configures the interface into that one VLAN

vlan vlanid

Global configuration mode

name vlanname

VLAN configuration mode

Creates vlan 2 VLAN and puts CLI into VLAN config mode Defines the name my-vlan name of VLAN

show mac address-table secure interface G0/1

show mac address-table static interface F0/4

show port-security interface GigabitEthernet 0/2

switchport access vlan 3

[no] shutdown [no] shutdown vlan vlanid vtp mode {server | client | transparen t | off} switchport mode {access | dynamic {auto | desirable} | trunk} switchport trunk encapsulati on {dot1q | isl | negotiate}

VLAN configuration mode Global configuration mode

Enables or disables VLAN Enables or disables specified VLAN Defines VTP mode

no shutdown

Interface configuration mode

Configures trunking administrativ e mode on interface

switchport mode dynamic desirable

Interface configuration mode

Defines which type of trunking to use, assuming trunking is configured/n egotiated Defines native VLAN for a trunk. port Disables negotiation of VLAN trunking (DTP) Defines voice VLAN on a port; switch uses 802.1Q tagging for frames in this VLAN Defines list of allowed VLANs

switchport trunk encapsulation dot1q

Global configuration mode

switchport trunk native vlan vlan-id switchport nonegotiat e

Interface configuration mode

switchport voice vlan vlan-id

Interface configuration mode

switchport trunk allowed vlan {add | all | except

Interface configuration mode

Interface configuration mode

no shutdown vlan 2

vtp mode transparent

switchport trunk native vlan 1

switchport voice vlan 3

switchport trunk allowed vlan add 3, 4, 5

| remove} vlan-id show interfaces interface-id switchport

Privileged EXEC mode

show interfaces interface-id trunk

Privileged EXEC mode

show vlan [brief | id vlan-id | name vlanname | summary] show vlan [vlan]

Privileged EXEC mode

show vtp status

Privileged EXEC mode

show mac addresstable [dynamic | static] [address hw-addr] [interface interfaceid] [vlan vlan-id] show portsecurity.

Privileged EXEC mode

Privileged EXEC mode

Privileged EXEC mode

Lists information about any interface about administrativ e settings and operational state Lists information about all operational trunks, including list of VLANs that can be forwarded over trunk Lists information about VLAN

show interfaces F0/2 switchport

Displays VLAN information Lists VTP configuratio n and status information

show vlan 2

Displays the MAC address table; static option displays information about restricted or static settings Displays information

show mac address-table dynamic address 0200.1111.1111

show interfaces F0/1 trunk

show vlan id 2

show port-security interface f0/1

[interface interfaceid] [address]

show interfaces description

Privileged EXEC mode

show interfaces [type number] switchport

Privileged EXEC mode

show interfaces [type number] trunk

Privileged EXEC mode

show vlan brief, show vlan

Privileged EXEC mode

show vlan id num

Privileged EXEC mode

about security options configured on an interface Displays one line per interface, with twoitem status and configured description Displays a large variety of configuratio n settings and current operation status e.g. VLAN trunking details, access and voice VLAN and native VLAN Lists information about currently operational trunks and the VLAN supported on those trunks Lists each VLAN and interfaces assigned to that VLAN but does not include operational trunks Lists both access and

show interfaces fastethernet 0/1 switchport

show interfaces f0/2 trunk

show vlan id 10

trunk ports in the VLAN

Route r ip address address mask

Interface configuration mode

clock rate rate-in-bps

Interface configuration mode

bandwidth rate-inkbps

Interface configuration mode

show ip interface brief

EXEC mode

show protocols [type number]

EXEC mode

Sets the router's IPv4 address and mask Sets the speed at which the router supplies a clocking signal (only when router has DCE cable) Sets the speed at which router considers the interface to operate (not the physical speed) Lists IP address, line and protocol status, method with which the address was configured for each interface per line (manual | DHCP) Lists information about interface(s), including IP address, mask, line/protocol status

ip address 192.168.1.0 255.255.255.0

clock rate 2000000

bandwidth 128

show protocols f0/2

show controllers [type number]

EXEC mode

Lists many lines of information per interface

show controllers f0/2

interface type number.subint (Interface configuration mode)
    Creates and enters subinterface configuration mode. Example: interface g0/0.10
encapsulation dot1q vlan-id [native] (Subinterface configuration mode)
    Tells the router to use 802.1Q trunking for a particular VLAN and, with the native keyword, makes that VLAN the native VLAN. Example: encapsulation dot1q 10 native
encapsulation isl vlan-identifier (Subinterface configuration mode)
    Tells the router to use ISL trunking for a particular VLAN. Example: encapsulation isl 10
sdm prefer lanbase-routing (Global configuration mode, Layer 3 switch)
    Enables the switch to support IP routing if configured.
[no] ip routing (Global configuration mode, Layer 3 switch)
    Enables or disables IPv4 routing. Example: no ip routing
ip route prefix mask {ip-address | interface-type interface-number} [distance] [permanent] (Global configuration mode)
    Creates a static route. Example: ip route 192.168.1.0 255.255.255.0 192.168.2.1 130 permanent
show ip route (EXEC mode)
    Lists the router's entire routing table.
show ip route [connected | static | rip] (EXEC mode)
    Lists a subset of the IP routing table. Example: show ip route static
show ip route ip-address (EXEC mode)
    Lists detailed information about the route that the router matches for the listed IP address. Example: show ip route 192.168.2.3
show vlans (EXEC mode)
    Lists VLAN configuration and statistics for VLAN trunks configured on routers.
show arp, show ip arp (EXEC mode)
    Lists the router's IPv4 ARP table.
clear ip arp [ip-address] (Privileged EXEC mode)
    Removes dynamically learned ARP table entries. Example: clear ip arp 192.168.1.2
router rip (Global configuration mode)
    Moves the user into RIP configuration mode.
network network-number (RIP configuration mode)
    Enables RIP on all of that router's interfaces in that classful network. Example: network 192.168.2.0
version 2 (RIP configuration mode)
    Sets the RIP version to 2.
passive-interface default (RIP configuration mode)
    Changes the default setting so that RIP-enabled interfaces are passive.
passive-interface {interface-type interface-number} (RIP configuration mode)
    Tells RIP to no longer advertise RIP updates on the listed interface. Example: passive-interface f0/1
[no] auto-summary (RIP configuration mode)
    Toggles the autosummarisation feature of RIP. Example: no auto-summary
maximum-paths number (RIP configuration mode)
    Sets the number of equal-metric routes for the same subnet that RIP will add to the IP routing table. Example: maximum-paths 2
default-information originate (RIP configuration mode)
    Tells RIP to advertise a default route (0.0.0.0/0) if the local router already has a default route in its routing table.
ip address dhcp (Interface configuration mode)
    Causes the interface to learn its IPv4 address with DHCP, and to dynamically learn a default route that uses the DHCP-announced default gateway as the next-hop IP address in a static route.
show ip route [rip] (EXEC mode)
    Lists the routing table including, or just, the RIP-learned routes. Example: show ip route rip
show ip protocols (EXEC mode)
    Lists information about the RIP configuration, including the IP addresses of neighbouring RIP routers from which the local router has learned routes.
show ip rip database (EXEC mode)
    Lists IP address and interface status.
ip dhcp excluded-address first last (Global configuration mode)
    Reserves a range of addresses that DHCP cannot lease out. Example: ip dhcp excluded-address 192.168.1.1 192.168.1.50
ip dhcp pool pool-name (Global configuration mode)
    Creates a pool, by name, and moves the user to DHCP server pool configuration mode. Example: ip dhcp pool mysubnet
network subnet-id {ddn-mask | /prefix-length} (DHCP server pool configuration mode)
    Defines a network or subnet, causing DHCP to lease out IP addresses in that subnet. Example: network 192.168.1.0 /24
default-router address1 address2... (DHCP server pool configuration mode)
    Defines one or more routers as default routers for clients. Example: default-router 192.168.1.1
dns-server address1 address2... (DHCP server pool configuration mode)
    Defines the list of DNS servers for clients. Example: dns-server 10.0.1.1
lease {days [hours [minutes]] | infinite} (DHCP server pool configuration mode)
    Defines the length of a DHCP lease for clients. Example: lease 1 12 0
ip helper-address ip-address (Interface configuration mode)
    Tells the router to notice local subnet broadcasts that use UDP and change the source/destination IP address (DHCP relay agent). Example: ip helper-address 192.168.2.1
show ip dhcp binding (EXEC mode)
    Lists the IP addresses currently leased by the DHCP server, with client IDs and lease times.
show ip dhcp pool name (EXEC mode)
    Lists the configured range of addresses in the pool, with usage statistics and high/low-water marks (high limit/low limit). Example: show ip dhcp pool mysubnet
show ip dhcp server statistics (EXEC mode)
    Lists statistics about requests served by the DHCP server.
show ip dhcp conflict (EXEC mode)
    Lists IP addresses that the DHCP server found were already in use when it tried to lease that address to a host.
clear ip dhcp conflict (Privileged EXEC mode)
    Removes all entries from the DHCP server's conflict list.
ipconfig (Host)
    Lists IP settings for the NIC.
netstat -rn (Host)
    Lists the host's routing table.
arp -a (Host)
    Lists the host's ARP table.
[no] ip subnet-zero (Global configuration mode)
    Allows/prevents configuration of addresses in the zero subnet. Example: no ip subnet-zero

Chapter 25

access-list access-list-number {deny | permit} source [source-wildcard] [log] (Global configuration mode)
    Defines standard numbered access lists (1-99 or 1300-1999). Example: access-list 1 permit 192.168.1.0 0.0.0.255 log
access-list access-list-number remark text (Global configuration mode)
    Defines a remark that helps you remember what the ACL is supposed to do. Example: access-list 10 remark Filter packets from server S1
ip access-group number {in | out} (Interface configuration mode)
    Enables inbound/outbound access lists on the interface. Example: ip access-group 2 out
show ip interface [type number] (EXEC mode)
    Includes a reference to the access lists enabled on the interface (inbound/outbound). Example: show ip interface f0/1
show access-lists [access-list-number | access-list-name] (EXEC mode)
    Shows details of configured access lists for all protocols. Example: show access-lists 21
show ip access-lists [access-list-number | access-list-name] (EXEC mode)
    Shows IP access lists. Example: show ip access-lists 10

Chapter 26

access-list access-list-number {deny | permit} protocol source source-wildcard destination destination-wildcard [log] (Global configuration mode)
    Global command for extended numbered access-list configurations. Example: access-list 101 permit tcp 192.168.1.0 0.0.0.255 host 192.168.2.20 log
access-list access-list-number {deny | permit} tcp source source-wildcard [operator [port]] destination destination-wildcard [operator [port]] [log] (Global configuration mode)
    Version of the access-list global command with TCP-specific parameters. Example: access-list 101 permit tcp 192.168.1.0 0.0.0.255 lt 1024 10.1.1.0 0.0.0.255 eq www log
access-list access-list-number remark text (Global configuration mode)
    Defines a remark that helps you remember what the ACL is supposed to do. Example: access-list 124 remark filter host A's packets
ip access-group {number | name [in | out]} (Interface configuration mode)
    Interface subcommand to enable access lists either inbound or outbound. Example: ip access-group 2 out
access-class {number | name} [in | out] (Line configuration mode)
    Line subcommand to enable either standard or extended access lists on vty lines. Example: access-class ACL-B in
ip access-list {standard | extended} name (Global configuration mode)
    Global command to configure a named standard or extended ACL and enter ACL configuration mode. Example: ip access-list extended myACL
{deny | permit} source [source-wildcard] [log] (ACL configuration mode)
    ACL mode subcommand to configure the matching details and action for a standard named ACL. Example: deny 10.1.1.0 0.0.0.3
{deny | permit} protocol source source-wildcard destination destination-wildcard [log] (ACL configuration mode)
    ACL mode subcommand to configure the matching details and action for an extended named ACL. Example: deny icmp host 10.0.0.1 172.16.0.0 0.0.255.255
{deny | permit} tcp source source-wildcard [operator [port]] destination destination-wildcard [operator [port]] [log] (ACL configuration mode)
    ACL mode subcommand to configure the matching details and action for a named ACL that matches TCP segments. Example: permit tcp any host 192.168.1.1 eq telnet
remark text (ACL configuration mode)
    ACL mode subcommand to configure a description of a named ACL. Example: remark filter packets from R1
show ip interface [type number] (User EXEC mode)
    Includes a reference to the access lists enabled on the interface. Example: show ip interface f1/1
show access-lists [access-list-number | access-list-name] (EXEC mode)
    Shows details of configured access lists for all protocols. Example: show access-lists ACL-C
show ip access-lists [access-list-number | access-list-name] (EXEC mode)
    Shows IP access lists. Example: show ip access-lists 105

Chapter 27

ip nat {inside | outside} (Interface configuration mode)
    Enables NAT and identifies whether the interface is on the inside or outside of the network. Example: ip nat inside
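The Chapter 25 and 26 rows above describe how standard and extended numbered ACLs match traffic: wildcard masks (a 0 bit means the packet's bit must match), first-match evaluation from the top, port operators such as lt and eq on TCP entries, and the implicit deny any at the end of every list. The following Python model is added here as an example and is not part of the original study notes; it parses the access-list forms shown on this page and evaluates constructed sample packets against them. The PORT_NAMES table, the Packet fields and the sample packets are assumptions of this example.

```python
"""Model of Cisco IOS numbered ACL matching (added example, not from the notes).
Implements wildcard-mask matching, first-match evaluation, port operators on
TCP/UDP entries and the implicit 'deny any'. Only the 'access-list ...' forms
shown on this page are parsed."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Port keywords IOS accepts instead of numbers (subset; assumption of this example)
PORT_NAMES = {"www": 80, "telnet": 23, "ftp": 21, "domain": 53, "smtp": 25}
Addr = Tuple[int, int]                 # (address, wildcard) as 32-bit integers
ANY: Addr = (0, 0xFFFFFFFF)            # 'any' is shorthand for 0.0.0.0 255.255.255.255
PortRule = Optional[Tuple[str, int]]   # (operator, port) or None when unspecified

@dataclass
class ACE:
    """One access control entry."""
    number: int
    action: str        # permit | deny
    protocol: str      # 'ip' for standard ACLs, else tcp | udp | icmp ...
    src: Addr
    sport: PortRule
    dst: Addr
    dport: PortRule
    log: bool

@dataclass
class Packet:
    """Constructed packet header fields used by the example."""
    protocol: str
    src: str
    dst: str
    sport: int = 0
    dport: int = 0

def _ip(text: str) -> int:
    return int(ipaddress.IPv4Address(text))

def _parse_addr(tok: List[str], i: int) -> Tuple[Addr, int]:
    """any | host A | A WILDCARD | A (a bare address means an exact host match)."""
    if tok[i] == "any":
        return ANY, i + 1
    if tok[i] == "host":
        return (_ip(tok[i + 1]), 0), i + 2
    addr = _ip(tok[i])
    if i + 1 < len(tok) and tok[i + 1].count(".") == 3:
        return (addr, _ip(tok[i + 1])), i + 2
    return (addr, 0), i + 1

def _parse_port(tok: List[str], i: int) -> Tuple[PortRule, int]:
    if i < len(tok) and tok[i] in ("eq", "neq", "lt", "gt"):
        value = PORT_NAMES.get(tok[i + 1]) or int(tok[i + 1])
        return (tok[i], value), i + 2
    return None, i

def parse_ace(line: str) -> Optional[ACE]:
    """Parse one 'access-list' line; remarks carry no matching logic."""
    tok = line.split()
    if tok[0] != "access-list" or tok[2] == "remark":
        return None
    number, action = int(tok[1]), tok[2]
    if 1 <= number <= 99 or 1300 <= number <= 1999:      # standard numbered ACL
        src, i = _parse_addr(tok, 3)
        return ACE(number, action, "ip", src, None, ANY, None, "log" in tok[i:])
    protocol = tok[3]                                     # extended numbered ACL
    src, i = _parse_addr(tok, 4)
    sport, i = _parse_port(tok, i)
    dst, i = _parse_addr(tok, i)
    dport, i = _parse_port(tok, i)
    return ACE(number, action, protocol, src, sport, dst, dport, "log" in tok[i:])

def parse_acl(lines: List[str]) -> List[ACE]:
    return [ace for ace in map(parse_ace, lines) if ace is not None]

def _addr_match(pkt_ip: str, rule: Addr) -> bool:
    addr, wildcard = rule
    care = 0xFFFFFFFF ^ wildcard       # bits that are 0 in the wildcard must match
    return (_ip(pkt_ip) ^ addr) & care == 0

def _port_match(port: int, rule: PortRule) -> bool:
    if rule is None:
        return True
    op, value = rule
    return {"eq": port == value, "neq": port != value,
            "lt": port < value, "gt": port > value}[op]

def evaluate(acl: List[ACE], pkt: Packet) -> Tuple[str, Optional[int]]:
    """First-match evaluation: returns (action, index of the matching ACE), or
    ('deny', None) for the implicit deny any that ends every IOS ACL."""
    for idx, ace in enumerate(acl):
        if ace.protocol not in ("ip", pkt.protocol):
            continue
        if (_addr_match(pkt.src, ace.src) and _addr_match(pkt.dst, ace.dst)
                and _port_match(pkt.sport, ace.sport)
                and _port_match(pkt.dport, ace.dport)):
            return ace.action, idx
    return "deny", None

# Constructed sample ACLs, assembled from the example rows of Chapters 25 and 26
ACL_1 = parse_acl(["access-list 1 permit 192.168.1.0 0.0.0.255 log"])
ACL_101 = parse_acl([
    "access-list 101 remark filter host A's packets",
    "access-list 101 permit tcp 192.168.1.0 0.0.0.255 lt 1024 10.1.1.0 0.0.0.255 eq www log",
    "access-list 101 deny tcp 192.168.1.0 0.0.0.255 10.1.1.0 0.0.0.255 eq www",
    "access-list 101 permit ip any any",
])

if __name__ == "__main__":
    for pkt in (Packet("tcp", "192.168.1.5", "10.1.1.9", 500, 80),
                Packet("tcp", "192.168.1.5", "10.1.1.9", 5000, 80),
                Packet("udp", "192.168.1.5", "10.1.1.9", 5000, 53)):
        print(pkt, "->", evaluate(ACL_101, pkt))
    print(evaluate(ACL_1, Packet("ip", "192.168.2.1", "10.0.0.1")))   # implicit deny
```

Because evaluation stops at the first match, the order of the two tcp entries in ACL_101 decides whether a web request from a low source port is permitted or denied; swapping them would make the permit entry unreachable for that traffic, which is the kind of ordering mistake show access-lists (with its per-entry match counters) helps to spot.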

ip nat inside source {list {access-list-number | access-list-name}} {interface type number | pool pool-name} [overload] (Global configuration mode)
    Enables NAT globally, referencing the ACL that defines which source addresses to NAT, and the interface or pool from which to take global addresses. Example: ip nat inside source list 1 pool my-pool overload
ip nat pool name start-ip end-ip {netmask netmask | prefix-length prefix-length} (Global configuration mode)
    Defines a pool of NAT addresses. Example: ip nat pool my-pool 200.1.1.1 200.1.1.10 netmask 255.255.255.240
ip nat inside source static inside-local inside-global (Global configuration mode)
    Lists the inside and outside address (or interface) to be paired and added to the NAT translation table. Example: ip nat inside source static 192.168.1.1 200.1.1.1
show ip nat statistics (EXEC mode)
    Lists counters for packets and NAT table entries, as well as basic configuration information.
show ip nat translations [verbose] (EXEC mode)
    Displays the NAT table. Example: show ip nat translations verbose
clear ip nat translation {* | [inside global-ip local-ip] [outside local-ip global-ip]} (EXEC mode)
    Clears all or some of the dynamic entries in the NAT table, depending on which parameters are used. Example: clear ip nat translation inside 200.1.1.1 192.168.1.1
clear ip nat translation protocol inside global-ip global-port local-ip local-port [outside local-ip global-ip] (EXEC mode)
    Clears some of the dynamic entries in the NAT table, depending on which parameters are used. Example: clear ip nat translation tcp inside 200.1.1.1 1030 10.1.1.1 1024
debug ip nat (EXEC mode)
    Issues a log message describing each packet whose IP address is translated with NAT.

Chapter 30

ipv6 unicast-routing (Global configuration mode)
    Enables IPv6 routing globally on the router.
ipv6 address ipv6-address/prefix-length [eui-64] (Interface configuration mode)
    Manually configures either the entire interface IPv6 address, or a /64 prefix with the router building the EUI-64 format interface ID automatically. Example: ipv6 address 2001:1:1:1::/64 eui-64
ipv6 address ipv6-address/prefix-length [anycast] (Interface configuration mode)
    Manually configures an address to be used as an anycast address. Example: ipv6 address 2001:2:3:4:5:6:7:8ABC/128 anycast
ipv6 enable (Interface configuration mode)
    Enables IPv6 on an interface and generates a link-local address.
ipv6 address dhcp (Interface configuration mode)
    Enables IPv6 on an interface, causes the router to use DHCP client processes to try to lease an IPv6 address, and creates a link-local address for the interface.
show ipv6 route [connected] [local] (EXEC mode)
    Lists IPv6 routes, or just the connected routes, or just the local routes. Example: show ipv6 route connected
show ipv6 interface [type number] (EXEC mode)
    Lists IPv6 settings on an interface, including link-local and other unicast IP addresses (e.g. anycast). Example: show ipv6 interface g0/0
show ipv6 interface brief [type number] (EXEC mode)
    Lists interface status and IPv6 addresses for each interface. Example: show ipv6 interface brief s2/0

Chapter 31

ipv6 dhcp relay destination server-address (Interface configuration mode)
    Enables the IPv6 DHCP relay agent. Example: ipv6 dhcp relay destination 200.1.1.1
ping {hostname | ipv6-address} (EXEC mode)
    Tests IPv6 routes by sending an ICMP packet to the destination host. Example: ping 2000:A:B:C:0:22FF:FE22:2222
traceroute {host-name | ipv6-address} (EXEC mode)
    Tests IPv6 routes by discovering the IP addresses of the routers between this router and the listed destination. Example: traceroute 2001::1:300:33FF:FE33:3333
show ipv6 neighbors (EXEC mode)
    Lists the router's IPv6 neighbour table.
show ipv6 routers (EXEC mode)
    Lists any neighbouring routers that advertised themselves through an NDP RA message.
ipconfig / ifconfig / ifconfig (Host)
    Lists interface settings, including IPv4 and IPv6 addresses. Example: ifconfig [Mac]
ping / ping6 / ping6 (Host)
    Tests IP routes by sending an ICMPv6 packet to the destination host. Example: ping6 2001::A:B:C:D [Mac]
tracert / traceroute6 / traceroute6 (Host)
    Tests IP routes by discovering the IPv6 addresses of the routers between the host and the destination. Example: traceroute6 2001::D:C:B:1 [Mac]
netsh interface ipv6 show neighbors / ndp -an / ip -6 neighbor show (Host)
    Lists a host's IPv6 neighbour table. Example: netsh interface ipv6 show neighbors [Windows]

Chapter 32

ipv6 route prefix/length next-hop-address (Global configuration mode)
    Defines an IPv6 static route to a next-hop router IPv6 address. Example: ipv6 route 2000:db8:1:2::/64 2000:db8:1:2::1
ipv6 route prefix/length outgoing-interface (Global configuration mode)
    Defines an IPv6 static route with the local router's outgoing interface. Example: ipv6 route 2000:db8:1:2::/64 s2/0
ipv6 route prefix/length outgoing-interface next-hop-address (Global configuration mode)
    Defines an IPv6 static route with both the local router's outgoing interface and the next-hop address listed (required when the next hop is a link-local address). Example: ipv6 route 2000:db8:1:2::/64 s2/0 fe80::200:22ff:fe22:0
ipv6 route ::/0 {[next-hop-address] [outgoing-interface]} (Global configuration mode)
    Defines a default IPv6 static route. Example: ipv6 route ::/0 g0/1
ipv6 address autoconfig [default] (Interface configuration mode)
    Tells the router to use SLAAC to find/build its own interface IPv6 address and, with the default keyword, to add a default route with a next hop of the router that responds with the RA message. Example: ipv6 address autoconfig default
show ipv6 route [connected | local | static] (Privileged EXEC mode)
    Lists routes in the routing table. Example: show ipv6 route static
show ipv6 route address (Privileged EXEC mode)
    Displays detailed information about the route this router uses to forward packets to the listed IPv6 address. Example: show ipv6 route 2000:db8:1:2::2

Chapter 33

[no] logging console (Global configuration mode)
    Enables/disables logging to the console device. Example: no logging console
[no] logging monitor (Global configuration mode)
    Enables/disables logging to users connected to the device with SSH or Telnet. Example: no logging monitor
[no] logging buffered (Global configuration mode)
    Enables/disables logging to an internal buffer. Example: no logging buffered
logging [host] ip-address | hostname (Global configuration mode)
    Enables logging to a syslog server. Example: logging host 172.16.1.9
logging console level-name | level-number (Global configuration mode)
    Sets the log message level for console log messages. Example: logging console notification
logging monitor level-name | level-number (Global configuration mode)
    Sets the log message level for log messages sent to SSH and Telnet users. Example: logging monitor 7
logging buffered level-name | level-number (Global configuration mode)
    Sets the log message level for buffered log messages. Example: logging buffered critical
logging trap level-name | level-number (Global configuration mode)
    Sets the log message level for messages sent to syslog servers. Example: logging trap 4
[no] service timestamps (Global configuration mode)
    Enables/disables the use of timestamps in log messages. Example: no service timestamps
[no] service sequence-numbers (Global configuration mode)
    Enables/disables the use of sequence numbers in log messages. Example: no service sequence-numbers
clock timezone name +number (Global configuration mode)
    Names a timezone and defines its +/- offset versus UTC. Example: clock timezone AEST +10
clock summer-time name recurring (Global configuration mode)
    Names a daylight savings time for a timezone and tells IOS to adjust the clock automatically. Example: clock summer-time AEST-daylight-savings recurring
ntp server address | hostname (Global configuration mode)
    Configures the device as an NTP client by referring to the address or name of an NTP server. Example: ntp server 203.15.16.7
ntp master stratum-level (Global configuration mode)
    Configures the device as an NTP server and assigns its local clock stratum level. Example: ntp master 4
ntp source name/number (Global configuration mode)
    Tells NTP to use the listed interface for the source IP address of NTP messages. Example: ntp source g0/2
interface loopback number (Global configuration mode)
    Creates a loopback interface and moves the user into interface configuration mode. Example: interface loopback 0
[no] cdp run (Global configuration mode)
    Enables/disables CDP for the entire switch/router. Example: no cdp run
[no] cdp enable (Interface configuration mode)
    Enables/disables CDP for a particular interface. Example: no cdp enable
[no] lldp run (Global configuration mode)
    Enables/disables LLDP for the entire switch or router. Example: no lldp run
[no] lldp transmit (Interface configuration mode)
    Enables/disables transmission of LLDP messages on the interface. Example: no lldp transmit
[no] lldp receive (Interface configuration mode)
    Enables/disables processing of received LLDP messages on the interface. Example: no lldp receive
show logging (EXEC mode)
    Lists the current logging configuration, and lists the buffered log messages at the end.
terminal [no] monitor (Privileged EXEC mode)
    For a Telnet/SSH session, toggles on/off the receipt of log messages for that one session (logging monitor needs to be configured). Example: terminal no monitor
[no] debug {various} (EXEC mode)
    Enables/disables one of a multitude of debug options. Example: no debug ip nat
show clock (EXEC mode)
    Lists the time of day and date per the local device.
show ntp associations (EXEC mode)
    Shows all NTP clients and servers with which the local device is attempting to synchronise with NTP.
show ntp status (EXEC mode)
    Shows the current NTP client status in detail.
show interfaces loopback number (EXEC mode)
    Shows the current status of the listed loopback interface. Example: show interfaces loopback 2
show cdp | lldp neighbors [type number] (EXEC mode)
    Lists one summary line of information about each neighbour. Example: show cdp neighbors g0/1
show cdp | lldp neighbors detail (EXEC mode)
    Lists one large set of information (~15 lines) for every neighbour. Example: show lldp neighbors detail
show cdp | lldp entry name (EXEC mode)
    Displays detailed information, but only for the named neighbour. Example: show cdp entry SW1
show cdp | lldp (EXEC mode)
    States whether CDP/LLDP is enabled globally, and lists the default update and holdtime timers. Example: show lldp
show cdp | lldp interface [type number] (EXEC mode)
    States whether CDP/LLDP is enabled on each interface, or on a single interface. Example: show cdp interface f0/2
show cdp | lldp traffic (EXEC mode)
    Displays global statistics for the number of CDP/LLDP advertisements sent/received. Example: show lldp traffic

Chapter 34

line console 0 (Configuration mode)
    Changes the context to console configuration mode.
line vty 1st-vty last-vty (Configuration mode)
    Changes the context to vty configuration mode for the range of vty lines listed in the command. Example: line vty 0 15
login (Console line configuration mode and vty line configuration mode)
    Tells IOS to prompt for a password.
password pass-value (Console line configuration mode and vty line configuration mode)
    Lists the password required if the login command is configured. Example: password mypass1
login local (Console line configuration mode and vty line configuration mode)
    Tells IOS to prompt for a username and password, to be compared against locally configured usernames.
username name secret pass-value (Global configuration mode)
    Defines one of possibly multiple usernames and associated passwords, stored as a hashed value. Example: username chris secret pass1234
username name password pass-value (Global configuration mode)
    Defines a username and password, stored in clear text in the configuration by default. Example: username admin password subnet255
crypto key generate rsa [modulus 512 | 768 | 1024] (Global configuration mode)
    Creates and stores (in a hidden location in flash memory) the keys required by SSH. Example: crypto key generate rsa modulus 1024
transport input {telnet | ssh | all | none} (Vty line configuration mode)
    Defines whether Telnet and/or SSH access is allowed into this switch. Example: transport input all
[no] service password-encryption (Global configuration mode)
    Enables/disables encryption of all clear-text passwords in the running-config. Example: no service password-encryption
enable secret pass-value (Global configuration mode)
    Creates the enable password, stored as a hashed value. Example: enable secret thisishashed
enable password pass-value (Global configuration mode)
    Creates the enable password, stored as clear text. Example: enable password thisisnothashed
enable [algorithm-type md5 | sha-256 | scrypt] secret pass-value (Global configuration mode)
    Creates the enable password, stored as a hashed value produced by the listed algorithm type. Example: enable algorithm-type sha-256 secret thisissha256encrypted
no enable secret (Global configuration mode)
    Deletes the enable secret command.
no enable password (Global configuration mode)
    Deletes the enable password command.
banner [motd | exec | login] delimiter banner-text delimiter (Global configuration mode)
    Defines a banner that is displayed at different times when users log in to the switch/router. Example: banner exec # Hosts in subnet 10.1.1.0/24 need to be configured with DHCP #
shutdown (Interface configuration mode)
    Disables the interface.
switchport mode access (Switch interface configuration mode)
    Makes the switch port act as an access port and not as a trunk port.
switchport access vlan number (Switch interface configuration mode)
    Defines the switch port's access VLAN ID. Example: switchport access vlan 99
switchport trunk native vlan number (Switch interface configuration mode)
    Defines the switch port's native VLAN ID used when trunking. Example: switchport trunk native vlan 999
no cdp enable (Interface configuration mode)
    Disables CDP on that interface.
no cdp run (Global configuration mode)
    Disables CDP globally.
access-class number | name in (Vty line configuration mode)
    Enables inbound ACL checks against Telnet/SSH clients connecting to the router. Example: access-class 5 in
show running-config | section vty (Privileged EXEC mode)
    Lists the vty lines and their subcommands from the configuration.
show running-config | section con (Privileged EXEC mode)
    Lists the console line and its subcommands from the configuration.
show running-config | include enable (Privileged EXEC mode)
    Lists all lines in the configuration that contain the word "enable".

Chapter 35

config-register value (Global configuration mode)
    Sets the hexadecimal value of the configuration register. Example: config-register 0x2100
boot system {file-uri | filename} (Global configuration mode)
    Identifies an externally located IOS image using a URI. Example: boot system ftp://user:[email protected]/copy-of-new-ios-image
boot system flash [flash-fs:] [filename] (Global configuration mode)
    Identifies the location of an IOS image in flash memory. Example: boot system flash flash0:upgraded-ios-15-4
boot system {tftp | ftp} filename [ip-address] (Global configuration mode)
    Identifies an external server, protocol, and filename to use to load an IOS image from an external server. Example: boot system ftp ios-v15-4 192.168.1.180
archive (Global configuration mode)
    Moves the user into archive mode.
write-memory (Archive mode)
    Tells the router to archive the configuration each time the configuration is saved to startup-config.
time-period minutes (Archive mode)
    Defines the time between the automatic creation of a new configuration archive. Example: time-period 1440
path uri (Archive mode)
    Defines where to store archived configurations. Example: path ftp://cs:[email protected]/
ip ftp username name (Global configuration mode)
    Defines the username used when referencing the ftp: IFS without supplying a username. Example: ip ftp username cs
ip ftp password pass (Global configuration mode)
    Defines the password used when referencing the ftp: IFS without supplying a password. Example: ip ftp password cisco
username name privilege 15 secret pass (Global configuration mode)
    Defines a username useful for SCP, with a privilege level that enables SCP file transfers. Example: username cs privilege 15 secret cisco

Additional commands:
reload
copy from-location to-location
    Example: copy tftp flash
copy running-config startup-config
copy startup-config running-config
show running-config
write erase
erase startup-config
erase nvram:
setup
show flash
dir filesystem:
    Example: dir usbflash0:
dir filesystem:directory
    Example: dir flash0:archived-config1
verify /md5 filesystem:name [MD5-hash]
    Example: verify /md5 flash0:new-ios-image 84hIHGswiiuri
archive config
configure replace filesystem:name
    Example: configure replace flash0:new-running-config
confreg value (ROMMON OS)
    Defines the configuration register while in the ROMMON OS. Example: confreg 0x2142

Chapter 36

license boot module c2900 technology-package package-name (Global configuration mode)
    Adds a right-to-use license to a router. Example: license boot module c2900 technology-package securityk9
show license (EXEC mode)
    Displays a group of lines for each feature in the currently running IOS image, along with several status variables related to software activation and licensing, and the activation status.
show license feature (EXEC mode)
    Displays one line for each feature in the currently running IOS image, along with several status variables related to software activation and licensing, and the activation status.
show license udi (EXEC mode)
    Displays the UDI of the router.
dir filesystem (EXEC mode)
    Displays the files inside the listed file system. Example: dir usbflash1:
show version (EXEC mode)
    Displays various information about the current IOS version, including the licensing details at the end.
license install url (EXEC mode)
    Installs a license key file into a router. Example: license install usbflash0:FTX1628838P_201302111432454180.lic

Troubleshooting Checklist

Cable Issue:
- Cables may experience EMI from nearby electrical devices
- Cables bent too sharply (macrobending), or pressed with too much force, can be damaged
- Use the appropriate cabling type:
  - Straight-through for connecting different devices (PC to switch)
  - Crossover for connecting same devices (switch to switch)
  - Rollover for connecting a PC to a device's console port
  - Serial cable for connecting point-to-point WAN routers
- Consider:
  - Cable's supported speed
  - Cable's maximum supported distance between two devices
  - Cost and availability of the type of cabling

Interface Issue:
- Use show ip interfaces brief or show interfaces status
- If the interface is administratively down/down:
  - For routers, use no shutdown if the interface has never been configured, or if the shutdown command has been configured
- If the interface is down/down:
  - Switch port-security shutdown mode may be in effect => shutdown and then no shutdown puts the interface back into the secure-up state (p. 257)

Configuration Checklist

SWITCH

Configuring simple password security (171)
  for console
  for vty
  for privileged EXEC mode access
Configuring local username/password security for console/vty
Configuring SSH (178)
  hostname R1
  ip domain-name cisco.com
  crypto key generate rsa modulus 1024
  (ip ssh version 2)
  username cisco secret cisco
  login local
  (transport input ssh)
Configuring IPv4 for a switch (182)
  interface vlan 10
  ip address 192.168.1.2 255.255.255.0
  ip default-gateway 192.168.1.1
  ip name-server 172.16.1.8
Configuring DHCP for a switch (183)
  ip address dhcp
Configuring miscellaneous settings (184)
  exec-timeout 5 0
  logging synchronous
  no ip domain-lookup
Configuring speed, duplex and description (193)
  speed 1000
  duplex auto
  description connected to R1
Configuring port-security (203)
  switchport mode access
  switchport port-security
  switchport port-security maximum 4
  switchport port-security mac-address 0200.0000.2222
  switchport port-security mac-address sticky
  switchport port-security mac-address sticky 0100.0000.1111
  switchport port-security violation restrict
Configuring VLANs (253)
  vlan 10
  name myvlan
  switchport access vlan 10
Configuring VLAN trunking (258)
  switchport mode trunk
Configuring IP phone VLANs (265)
  switchport mode access
  switchport access vlan 10
  switchport voice vlan 20

ROUTER

Installing enterprise routers (388)
Installing Internet access routers (389)
Configuring IPv4 addresses on Cisco routers (395)
  ip address 192.168.1.1 255.255.255.0
Configuring clock rate (397)
  clock rate 2000000
Configuring 802.1Q (417)
  interface g0/0.10
  encapsulation dot1q 10
Configuring native VLANs (419)
  interface g0/0.20
  encapsulation dot1q 20 native
Configuring routing to VLANs using a Layer 3 switch (421)
  sdm prefer lanbase-routing
  ip routing
  interface vlan 15
  ip address 192.168.2.3 255.255.255.128
  no shutdown
Configuring static routes (423)
  ip route 192.168.1.0 255.255.255.0 s2/0
  ip route 192.168.2.0 255.255.255.0 192.168.2.1
Configuring static host routes (424)
  ip route 192.168.2.5 255.255.255.255 f0/0
  ip route 192.168.4.2 255.255.255.255 192.168.2.1
Configuring permanent static routes (425)
  ip route 192.168.1.0 255.255.255.0 192.168.3.1 permanent
Configuring floating static routes (426)
  ip route 10.0.1.0 255.255.255.0 s3/0 114
Configuring static default routes (428)
  ip route 0.0.0.0 0.0.0.0 192.168.1.1
Configuring RIPv2 (444)
  router rip
  version 2
  network 10.0.0.0
Configuring RIPv2 passive-interfaces (457)
  passive-interface s2/0
  passive-interface default
  no passive-interface s3/0
Configuring RIPv2 auto-summary and maximum-paths (458)
  no auto-summary
  maximum-paths 2
Configuring RIPv2 default route advertising (459)
  default-information originate
Configuring router DHCP client (461)
  ip address dhcp
Configuring DHCP relay (475)
  ip helper-address 172.31.200.2
Configuring IOS DHCP server (478)
  ip dhcp excluded-address 192.168.1.1
  ip dhcp pool mypool
  network 192.168.1.0 255.255.255.0
  default-router 192.168.1.1
  dns-server 192.168.2.2
  next-server 192.168.3.2
  domain-name cisco.com
  lease 0 6 0
Configuring zero subnets (514)
  ip subnet-zero
Configuring VLSM (531)
  ip address 192.168.1.1 255.255.255.128
  ip address 192.168.1.128 255.255.255.192
Configuring standard numbered IP ACLs (603)
  access-list 10 permit 10.0.0.0 0.255.255.255 log
  access-list 10 deny any
  ip access-group 10 out
Configuring extended numbered IP ACLs (621)
  access-list 100 deny tcp 10.0.0.0 0.0.255.255 eq 80 192.168.1.0 0.0.0.127 gt 1023 log-input
  ip access-group 100 in
Configuring named IP ACLs (626)
  ip access-list standard test
  5 permit 172.16.1.0 0.0.0.63
Configuring new-style numbered ACLs (627)
  ip access-list extended 120
  no 30
Configuring static NAT (653)
  ip nat inside
  ip nat outside
  ip nat inside source static 192.168.1.2 200.1.1.2
Configuring dynamic NAT (655)
  ip nat inside
  ip nat outside
  access-list 1 permit 192.168.1.0 0.0.0.255
  ip nat pool test1 200.1.1.1 200.1.1.254 netmask 255.255.255.0
  ip nat inside source list 1 pool test1
Configuring NAT overload (PAT) (660)
  ip nat inside
  ip nat outside
  access-list 2 permit 10.0.0.0 0.255.255.255
  ip nat inside source list 2 interface s2/0 overload

IPv6

Configuring static IPv6 unicast addresses (707)
  ipv6 address FD00::1/64
Configuring IPv6 routing (708)
  ipv6 unicast-routing
  ipv6 enable
Configuring static IPv6 unicast addresses with modified EUI-64 (714)
  ipv6 address 2001:2:3:4::/64 eui-64
Configuring dynamic IPv6 unicast addresses (715)
  ipv6 address dhcp
  ipv6 address autoconfig
Configuring IPv6 link-local addresses (718)
  ipv6 enable
  ipv6 address 2001::2/64
  ipv6 address fe80::10 link-local
Configuring IPv6 anycast addresses (722)
  ipv6 address 2001::3/128 anycast
Configuring various IPv6 address types (724)
Configuring DHCPv6 relay agents (738)
Configuring IPv6 static routes:
  with outgoing interface (757)
  with global unicast next-hop address (758)
  with link-local next-hop address (759)
Configuring IPv6 static default routes (761)
  ipv6 route ::/0 2001::11
Configuring IPv6 static host routes (762)
  ipv6 route 2001:db8:1111:4::2/128 s3/0
Config​uring IPv6 floating static routes (763)
  ipv6 route 2001:db8:1:2::/64 g0/1 fe80::0200:00ff:fe00:2222 100
Configuring IPv6 default routes with SLAAC (764)
  ipv6 address autoconfig default

INFRASTRUCTURE MANAGEMENT

Configuring syslog
  for console users (780)
    logging console 5
  for Telnet/SSH users (781)
    logging monitor 3
    terminal monitor
  to store messages in RAM (781)
    logging buffered 2
  to store messages on a syslog server (781)
    logging host 160.1.1.3
    logging trap 7
  timestamps and sequence numbers (782)
    no service timestamps
    service sequence-numbers
  logging message levels (783)
Configuring NTP
  clock (time and timezone) (788)
    clock timezone AEST -10
    clock summer-time SAEST recurring
    clock set 22:08:28 22 January 2019
  client/server (790)
    ntp server 170.1.1.1
    ntp master 5
  with loopback interface (792)
    interface loopback 0
    ntp source loopback 0
Configuring CDP globally and on interfaces (796)
  no cdp run
  no cdp enable
Configuring LLDP globally and on interfaces (799)
  no lldp run
  no lldp transmit
  no lldp receive
Configuring login security (804)
Configuring service password-encryption (805)
  service password-encryption
Configuring password encryption
  with MD5 (807)
    enable secret cisco
  with SHA-256 and scrypt (809)
    enable algorithm-type sha-256 secret cisco
    enable algorithm-type scrypt secret cisco
  for usernames (810)
    username jack secret cisco
Configuring login banners (812)
  banner M Maintenance tonight M
  banner login # Unauthorised access prohibited #
  banner exec ! Welcome !
Configuring security for unused switch interfaces (812)
  shutdown
  switchport mode access
  switchport access vlan 99
  switchport trunk native vlan 99
Configuring inbound/outbound ACLs for Telnet and SSH (813)
  access-list 1 deny 192.168.1.1
  access-list 1 permit any
  access-class 1 out
Upgrading IOS images (824)
Copying images with FTP (828)
  copy ftp://jack:[email protected]/new-ios-image flash
Copying images with SCP (829)
  [SSH is enabled]
  username jack privilege 15 secret cisco
  ip scp server enable
  Client: scp new-ios-file.bin [email protected]:flash0:new-ios-file.bin
Configuring the configuration register (831)
  config-register 0x2101
Configuring the boot system (833)
  boot system tftp new-ios-version.bin 10.1.1.1
Configuring password recovery/reset (837)
  Boot ROMMON
  confreg 0x2142
  reset
Copying files to USB flash (839)
  copy running-config usbflash0:backup-running-config
Backing up and restoring configurations (840)
  copy running-config tftp
  copy tftp startup-config
  reload
Configuring configuration archives (841)
  archive
  path ftp://jack:[email protected]/
  time-period 2880
  write-memory
  archive config
Restoring configuration archives (842)
  config replace ftp://jack:[email protected]/-Oct-24-09-46.165-2
Erasing configuration files (843)
  write erase
  erase startup-config
  erase nvram:
Configuring at setup mode (843)
  setup
Configuring manual license activation (856)
  license install usbflash1:license-key-file.lic
Configuring right-to-use licenses (861)
  license boot module c2900 technology-package securityk9
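The Chapter 34 rows and the login-security items of the checklist above contrast settings that store credentials hashed (enable secret, username ... secret) or restrict remote access (transport input ssh, login local, access-class ... in on the vty lines) with their weaker counterparts (enable password, username ... password, transport input all). The following Python audit is added here as an example and is not part of the original notes: it reads a running-config as text and reports which of those weaker settings it finds. The two configs it checks are constructed for the example from the example commands on this page, and the finding codes are this example's own names, not IOS output.

```python
"""Audit an IOS running-config for the Chapter 34 login-security settings.
Added example, not from the study notes: the checks mirror the rows above
(enable secret vs enable password, username secret vs password, service
password-encryption, transport input, login local and access-class on vty)."""
import re
from typing import Dict, List, Tuple

def parse_config(text: str) -> Tuple[List[str], Dict[str, List[str]]]:
    """Split a running-config into global commands and the subcommands of each
    'line ...' / 'interface ...' block (IOS indents subcommands by one space)."""
    global_cmds: List[str] = []
    blocks: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue                                   # blank or comment line
        if raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())        # subcommand of the open block
            continue
        line = raw.strip()
        if line.startswith(("line ", "interface ")):
            current = line
            blocks[current] = []
        else:
            current = None
            global_cmds.append(line)
    return global_cmds, blocks

def audit(text: str) -> List[str]:
    """Return finding codes (this example's own naming) for weak settings found."""
    cmds, blocks = parse_config(text)
    findings: List[str] = []
    # enable password keeps the password in clear text; enable secret stores a hash
    if any(c.startswith("enable password ") for c in cmds):
        findings.append("ENABLE_PASSWORD_CLEARTEXT")
    if not any(c.startswith(("enable secret ", "enable algorithm-type ")) for c in cmds):
        findings.append("NO_ENABLE_SECRET")
    # username ... password is clear text by default; username ... secret is hashed
    for c in cmds:
        m = re.match(r"username (\S+) (?:privilege \d+ )?password ", c)
        if m:
            findings.append(f"USERNAME_PASSWORD_CLEARTEXT:{m.group(1)}")
    if "service password-encryption" not in cmds:
        findings.append("NO_SERVICE_PASSWORD_ENCRYPTION")
    # vty lines: require SSH-only transport, local login and an inbound access-class
    for name, subs in blocks.items():
        if not name.startswith("line vty"):
            continue
        transports = [s for s in subs if s.startswith("transport input ")]
        # the platform default is not visible in the config, so require an explicit 'ssh'
        if not transports or transports[-1].split()[2:] != ["ssh"]:
            findings.append(f"SSH_ONLY_NOT_ENFORCED:{name}")
        if "login local" not in subs:
            findings.append(f"NO_LOGIN_LOCAL:{name}")
        if not any(s.startswith("access-class ") and s.endswith(" in") for s in subs):
            findings.append(f"NO_ACCESS_CLASS:{name}")
    return findings

# Constructed configs for the example, built from the example commands on this page
WEAK_CONFIG = """\
hostname R1
!
enable password thisisnothashed
username admin password subnet255
no service password-encryption
!
line con 0
 password mypass1
 login
line vty 0 15
 password mypass1
 login
 transport input all
"""

HARDENED_CONFIG = """\
hostname R1
!
ip domain-name cisco.com
enable algorithm-type sha-256 secret thisissha256encrypted
username chris secret pass1234
service password-encryption
access-list 5 permit 192.168.1.0 0.0.0.255
!
line con 0
 login local
line vty 0 15
 login local
 transport input ssh
 access-class 5 in
"""

if __name__ == "__main__":
    print("weak:", audit(WEAK_CONFIG))
    print("hardened:", audit(HARDENED_CONFIG))
```

The audit deliberately treats a vty block with no transport input line as a finding rather than assuming a default, because the default differs between IOS platforms and only an explicit transport input ssh is verifiable from the configuration text alone.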

RFC LIST

Verification checklist
  no interface range
  line aux 0
