CCNA - Cisco Certified Network Associate
Welcome to our Cisco CCNA® training course. This course will help you better understand how networking is defined, implemented and supported in the real world. More precisely, this course will give you a Cisco-specific network perspective.
CCIP, CCIE, CCDA, CCDP, CCENT, CCNP, CCNA, CCVO, VLANDirector, TrafficDirector, CiscoWorks 2000, ONS 15454 Secure PIX Firewall, Secure Virtual Private Networks, Cisco, Cisco Systems, Cisco Systems Logo, Catalyst, EtherChannel, IOS and LightStream are registered trademarks of Cisco Systems, Inc. or its affiliates in the US and certain other countries.
• This is a 5-day hands-on course which covers the following exam objectives.
CCNA 3.0 (640-802)
• Another exam option this course covers:
ICND1 (640-822)
ICND2 (641-816)
This course was also written to help you understand the objectives for the Cisco 640-801 exam; however, the ICND and Intro exams are also covered. We do not suggest that you take the two-test option, as it is not easier than the one-test method. Of course, that is up to you, and we are confident this course will prepare you whichever way you decide to go.
Now, let’s start with this Course book itself….
Each page of this course book will consist of slides from the instructor’s slide-deck and the accompanying information to explain the content of the slide. Some slides are markers (i.e. chapter headings, outlines, intro’s, etc.) and require no additional information. In this case you will see the next corresponding slide immediately following. For example, look at the next few pages which outline the class and the exam.
The Cisco Router and Switch Interface
Chapter 1
In this chapter we will discuss the basics and glance over a few advanced topics with regard to interfaces, configurations, the configuration register and the like. We will review switch interfaces at the end of the chapter.
1. Perform Power-On Self Test (POST)
2. Load and run bootstrap code
3. Look in NVRAM for config-register setting
4. Load the Cisco IOS software
5. Find the configuration (if none, run Setup)
6. If found, load the configuration in RAM
When you first bring up a Cisco router, it will run a Power-On Self-Test (POST), and if that passes, it will then look for and load the Cisco IOS from Flash memory—if a file is present. In case you don’t know, flash memory is an electronically erasable programmable Read-Only Memory (ROM)—an EEPROM. The IOS then proceeds to load and then look for a valid configuration—the startup-config—that’s stored by default in nonvolatile RAM, or NVRAM.
ROM
Contains microcode for basic functions
Runs POST
Loads bootstrap
Has Mini-IOS
Provides ROM-Monitor mode
Router interfaces can be GigabitEthernet, FastEthernet, Ethernet, Token Ring and various other LAN physical technologies, like FDDI.
The serial ports can be used for a WAN T1, for example, or PPP or Frame Relay.
Miscellaneous ports can include BRI for ISDN.
The Console port is a serial connection that allows out-of-band signaling.
The Aux port is a console port that allows modem commands so you can dial into the router out-of-band if a remote router goes down and you need to configure it through the console connection.
After the interface status messages appear and you press Enter, the Router> prompt will appear. This is called User mode and is mostly used to view statistics.
There are two primary EXEC modes for entering commands on a Cisco router. These are User and Privilege modes. User mode is used to verify status, and run basic show commands. You can only view and change the configuration of a Cisco router in Privileged mode, which you get into with the “enable” command.
Router Context-Sensitive Help
Router# clok
Translating "CLOK"
% Unknown command or computer name, or unable to find computer address
Router# cl?
clear  clock
Router# clock
% Incomplete command.
Router# clock ?
  set  Set the time and date
Router# clock set 19:56:00 04 8
                               ^
% Invalid input detected at the '^' marker
Note: The command “help” does not give you help on a command.
You can use the Cisco advanced editing features to help you configure your router. If you type in a question mark (?) at any prompt, you’ll be given the list of all the commands available from that prompt.
You can press the “spacebar” to get another page of information, or you can press “Enter” to go one command at a time.
Once you have enough characters for a non-ambiguous command, the “Tab”key can be pressed to complete the syntax, and then the “?” key can be entered to obtain additional help if needed. If a command is ambiguous, you will need to enter more characters or “?” to determine the specific syntax to use for the desired command.
The “^” character is used to identify where syntax errors or invalid input was detected.
Automatic scrolling of long lines gives you $ and moves your text ten spaces to the left.
Using Enhanced Editing
<Ctrl-A> Move to the beginning of the command line.
<Ctrl-E> Move to the end of the command line.
<Esc-B> Move back one word.
<Ctrl-F> Move forward one character.
<Ctrl-B> Move back one character.
<Esc-F> Move forward one word.
<Ctrl-D> Delete a single character.
<Tab> Finishes typing a command for you.
<Up/Down arrows> Displays previous/next command from the history buffer.
This slide shows the list of the enhanced editing commands available on a Cisco router.
The most common enhanced editing features used are the up/down arrows. On some terminal emulators, you may need to do a <Ctrl-P> or a <Ctrl-N> if the up/down arrows do not function.
Router Command History
Router> terminal history size <lines>    Set session command buffer size
You can review the router-command history with the commands shown in this slide. This is very helpful and will save you from re-typing things over and over and over…..
This slide shows some basic break sequences you can use on a Cisco router.
The <Ctrl>+<Shift>+6 then X is used to break out of a command. This is especially helpful on traceroute where the traceroute is to a network not in the routing table. By default the command would continue for 30 hops, with each waiting for the TTL to expire. This can save a lot of time by breaking out of the command. <Ctrl>+<Shift>+6 then B is very helpful if you are performing a password recovery and your PC configuration does not have a “break” key or if the <Ctrl>+[Break key] is not stopping the cycle of the reboot.
Router# show interfaces
Router# show mem
Router# show ip route
Router# show flash
Router# show startup-config
Router# show running-config
Router# show process cpu
Router# show protocols
Router# show version
Router# show line
show flash: shows all files in flash.
show startup-config: shows the backup configuration stored in NVRAM.
show running-config: shows the configuration the router is using at the moment.
show interfaces: shows the status of all interfaces. You can type show interface s0 to see just the statistics of serial 0.
show line: shows you all the available lines that can be configured on a router. The default lines are aux, console and vty.
show version: covered in the next slide…
Router# show version
Cisco Internetwork Operating System Software
IOS (tm) 2600 Software (C2600-JS-L), Version 12.0(8), RELEASE SOFTWARE (fc1)
Copyright (c) 1986-1999 by cisco Systems, Inc.
Compiled Mon 08-Feb-99 18:18 by phanguye
Image text-base: 0x03050C84, data-base: 0x00001000
ROM: System Bootstrap, Version 11.0(10c), SOFTWARE
BOOTFLASH: 3000 Bootstrap Software (IGS-BOOT-R), Version 11.0(10c), RELEASE SOFTWARE (fc1)
R1 uptime is 22 minutes
System restarted by reload
System image file is "flash:c2600-js-l_120-8.bin"
(output cut)
Displays system hardware config info, software version, and the names and sources of config files and boot images on a router
The “show version” command will provide basic configuration for the system hardware as well as the software version, the names and sources of configuration files, and the boot images. The last information given from this command is the value of the configuration register. In this example, the value is 0x2102—the default setting. The configuration register setting of 0x2102 tells the router to look in NVRAM for the boot sequence. By manipulating the configuration register, you can perform actions such as password recovery, or determine the boot sequence, or where to boot from.
show version Command cont.
…cisco 2610 (MPC860) processor (revision 0x202) with 45056K/4096K bytes of memory.
Processor board ID JAB032008NM (3952172322)
M860 processor: part number 0, mask 49
Bridging software.
X.25 software, Version 3.0.0.
SuperLAT software (copyright 1990 by Meridian Technology Corp).
TN3270 Emulation software.
1 Ethernet/IEEE 802.3 interface(s)
1 Serial network interface(s)
2 Serial(sync/async) network interface(s)
32K bytes of non-volatile configuration memory.
16384K bytes of processor board System flash (Read/Write)
Configuration register is 0x2102
Note: The above router has 48 Meg of RAM and 16 Meg of System Flash
The above router has 48 meg of RAM, 32K of NVRAM and 16 meg of Flash memory. The IOS size for this router is limited to a maximum size of 16 megs. The last information given from this command is the value of the configuration register. In this example, the value is 0x2102—the default setting. The configuration register setting of 0x2102 tells the router to look in NVRAM for the boot sequence.
• 0x2102=load IOS from flash and then the configuration from NVRAM. The router looks in NVRAM for the boot sequence
• 0x2100=Load ROM Monitor Mode
• 0x2101=load Mini-IOS from ROM
• 0x2142=Load IOS from Flash and do not load startup-config
Router#config t
Router(config)#config-register 0x2102
All Cisco routers have a 16-bit software register that’s written into NVRAM. By default, the configuration register is set to load the Cisco IOS from flash memory and to look for and load the startup-config file from NVRAM.You can change the configuration register by using the config-register command.
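The four register values on the slide differ only in a few bits, and the difference between 0x2102 and 0x2142 is the single bit that tells the router to ignore NVRAM. The following Python is an added example, not code from the course book: it decodes a register value into the boot behaviour described above (using Cisco's documented bit layout, where bits 0-3 are the boot field, bit 6 ignores the startup-config, bit 8 disables Break and bit 13 falls back to ROM), and it checks a captured "show version" output for a register that would make the next reload skip the saved configuration. The "show version" fragment at the bottom is constructed.

```python
import re
from typing import Optional

# Added example, not code from the course book: decode a Cisco configuration
# register value into the boot behaviour the chapter describes. The bit
# positions follow Cisco's documented 16-bit register layout.
BOOT_FIELD_MASK = 0x000F      # bits 0-3: boot field
IGNORE_NVRAM_BIT = 0x0040     # bit 6: ignore the startup-config in NVRAM
BREAK_DISABLED_BIT = 0x0100   # bit 8: console Break ignored after boot
ROM_FALLBACK_BIT = 0x2000     # bit 13: fall back to ROM software if netboot fails


def decode_config_register(value: int) -> dict:
    """Return the boot source and option flags encoded in a register value."""
    boot_field = value & BOOT_FIELD_MASK
    if boot_field == 0x0:
        boot = "ROM monitor"
    elif boot_field == 0x1:
        boot = "Mini-IOS from ROM"
    else:
        boot = "IOS from flash"
    return {
        "value": f"0x{value:04X}",
        "boot": boot,
        "ignore_nvram": bool(value & IGNORE_NVRAM_BIT),
        "break_disabled": bool(value & BREAK_DISABLED_BIT),
        "rom_fallback": bool(value & ROM_FALLBACK_BIT),
    }


def explain(value: int) -> str:
    """One-line summary in the wording of the slide."""
    d = decode_config_register(value)
    if d["ignore_nvram"]:
        config = "do not load startup-config from NVRAM"
    else:
        config = "then load the configuration from NVRAM"
    return f"{d['value']}: load {d['boot']}, {config}"


def check_show_version(show_version_output: str) -> Optional[str]:
    """Scan 'show version' text for the register line and warn if the router
    would skip its saved configuration on the next reload (the 0x2142 case)."""
    m = re.search(r"Configuration register is 0x([0-9A-Fa-f]{1,4})", show_version_output)
    if m is None:
        return None
    d = decode_config_register(int(m.group(1), 16))
    if d["ignore_nvram"]:
        return (f"WARNING: register {d['value']} bypasses NVRAM; "
                "run 'config-register 0x2102' before the next reload")
    return None


if __name__ == "__main__":
    for v in (0x2102, 0x2100, 0x2101, 0x2142):
        print(explain(v))
    # Constructed fragment of show version output, not real device output.
    print(check_show_version("...\nConfiguration register is 0x2142\n"))
```

Running check_show_version over the output collected from each router after a password-recovery session is a cheap way to catch a device left at 0x2142, which is exactly the situation the next slide asks about.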
When this router is rebooted, why does it lose its configuration?
…cisco 2610 (MPC860) processor (revision 0x202) with 16384/2084kbytes of memory.
Processor board ID JAB03040BPS (3406519245)
M860 processor: part number 0, mask 49
Bridging software.
X.25 software, Version 3.0.0.
SuperLAT software (copyright 1990 by Meridian Technology Corp).
TN3270 Emulation software.
1 Ethernet/IEEE 802.3 interface(s)
1 Serial network interface(s)
2 Serial(sync/async) network interface(s)
32K bytes of non-volatile configuration memory.
16384K bytes of processor board System flash (Read/Write)
Configuration register is 0x2142
It doesn’t lose the configuration; it just never loads the configuration from NVRAM because the configuration register is set to bypass the startup-config in NVRAM. The configuration register should be 0x2102.
Viewing the Configuration
show startup-config: Allows you to display the backup configuration (Config in NVRAM)
show running-config: Displays the active configuration (IOS and Config in RAM)
You can view the configuration files on a router by typing show running-config or show startup-config from privileged mode. The main difference is that the running-config is what is actually active on the router, where the startup-config is what is saved in NVRAM. By performing a “copy running-config startup-config”, it saves the running-config into NVRAM.
A best practice commonly used in various industries is to keep several versions of the router’s configuration on a TFTP server, and to regularly save the running-config after changes are made and successfully tested. This can provide an audit trail of when changes were introduced, and can aid in troubleshooting problems brought on as a result of changes.
• When you erase the configuration on a router and reboot, you will be in Setup mode
• You can type “setup” from privilege mode to enter setup mode
• Square brackets indicate default or current settings
• Enable password and Enable secret password are configured during setup mode. The enable secret password cannot be seen as clear text when viewing the configuration
• If both the Enable password and Enable secret passwords are set, the router will utilize the Enable secret password as it is more secure.
Once the IOS is loaded, up and running, a valid configuration will be loaded from NVRAM. However, if there isn’t a configuration stored in NVRAM, the router will go into setup mode—a step-by-step process to help you configure the router. You can also enter setup mode at any time from the command line by typing the command setup from privileged mode. The Enable password and Enable secret password are configured during setup mode. The enable secret password cannot be seen as clear text when viewing the configuration. For this reason, it should be used wherever possible because it can protect against someone using router configurations to gain unauthorized access to the routers. It displays in the router configuration as an MD5 hash, and in many cases is used as a last resort password if TACACS or RADIUS fails.
Configuring from terminal, memory, or network [terminal]?
• Terminal: Configures information into RAM (changes the running-config)
• Memory: Configures information from NVRAM into running-config
• Network: Configures information from a file stored on a TFTP host into running-config
To configure from a CLI, you can make global changes to the router by typing configure terminal (or config t for short), which puts you in global configuration mode and changes what’s known as the running-config. A global command (commands run from global config) is one that is set once and affects the entire router. You can type config from the privileged-mode prompt and then just press <Enter> to take the default of terminal.
You would use the memory or network option to upload a configuration file from either memory or a TFTP server on the network. In many cases, this is used to pre-stage changes, migrations, or to facilitate review processes.
It’s really important that you understand the different prompts you can find when configuring a router. Knowing these well will help you navigate and recognize where you are at any time within configuration mode.
You can manually save the file from DRAM to NVRAM by using the copy running-config startup-config command. You can use the shortcut copy run start also. You can also save to other files on NVRAM or a TFTP server in addition to the startup config.
copy startup-config running-config: Retrieves a router’s configuration file from NVRAM and configures the information into RAM on the router
Building configuration…
The copy startup-config running-config will append the startup-config file into RAM. This is one way of backing out of changes made that may not have been successful.
You can set the identity of the router with the “hostname” command. This is only locally significant, which means it has no bearing on how the router performs name lookups, but is used by Cisco MIBs to identify the router. A good naming standard should be able to provide some functional and geographical information. Unique naming is an important best practice as it will aid in troubleshooting and prevent confusion over duplicate names.
A good reason for having a banner is to add a security notice to users remotely accessing your internetwork.
You can set a banner on a Cisco router so that when either a user logs into the router or an administrator telnets into the router, the banner will give them the information you want them to have. As another best practice, the banner can be used to identify the revision of the standard configuration template used, and should not contain proprietary or confidential information since it will be seen by users prior to authentication.
Setting descriptions on an interface is helpful to the administrator and support staff. This is a helpful command because you can use it to keep track of circuit numbers, for example. If configurations are stored offline, this information can be accessed to create circuit databases, or assist in creation of port maps and network diagrams. Standardizing on the format provides a consistent format in which to create a script to pull the information together into a database, spreadsheet or network drawing.
R1(config-line)# line aux 0
R1(config-line)# password lammle
R1(config-line)# login
Console connection: No Access!
To set the console password, use the “line console 0” command. Same for the aux port. You need to enable the “login” command, or the router will not prompt for the password.
Use caution if line passwords are the same as enable secret. Please keep in mind that these will be shown in clear text within the router configuration unless the “service password-encryption” command is utilized.
Other Console Line Commands
R1(config)# line console 0
R1(config-line)# exec-timeout 0 0
Prevent console session timeout
R1(config)# line console 0
R1(config-line)# logging synchronous
Redisplays interrupted console input
(Console connection)
For one, the exec-timeout 0 0 command sets the timeout for the console EXEC session to zero, which basically means to never time out.
Logging synchronous is a very cool command, and it should be a default command, but it’s not. It basically stops annoying console messages from popping up and disrupting the input you’re trying to type.
Virtual Terminal Password
R1(config)# line vty 0 4
R1(config-line)# password todd
R1(config-line)# login (or no login)
R1(config-line)#
Telnet connection
NOTE: no vty password – no telnet access
Cisco supports 5 simultaneous Telnet sessions by default: 0-4 – although your router may support more.
To set the user-mode password for Telnet access into the router, use the “line vty” command. Routers that aren’t running the Enterprise edition of the Cisco IOS default to five VTY lines—0 through 4. But if you have the Enterprise edition, you’ll have significantly more. The best way to find out how many lines you have is to use that question mark:
Router(config-line)#line vty 0 ?
<1-4> Last Line Number
<cr>
You can use the “no login” option so that you can telnet into a router and not be prompted for a password (not recommended!).
An access-class can be used on the VTY lines to further restrict access.
**Note ** If the password is not set, and TACACS or RADIUS is not configured, you will get “Password not set” when attempting to telnet to the router, and be logged off.
Telnet versus SSH Access
• SSH
• Encrypted
• IP domain must be defined
• Key must be generated
!--- The username command creates the username and password for the SSH session
username cisco password 0 cisco
ip domain-name mydomain.com
crypto key generate rsa
ip ssh version 2
line vty 0 4
 login local
 transport input ssh
SSH Server
The SSH Server feature enables an SSH client to make a secure, encrypted connection to a Cisco router. This connection provides functionality that is similar to that of an inbound Telnet connection. Before SSH, security was limited to Telnet security. SSH allows strong encryption to be used with the Cisco IOS software authentication. The SSH server in Cisco IOS software will work with publicly and commercially available SSH clients.
SSH Integrated Client
The SSH Integrated Client feature is an application running over the SSH protocol to provide device authentication and encryption. The SSH client enables a Cisco router to make a secure, encrypted connection to another Cisco router or to any other device running the SSH server. This connection provides functionality that is similar to that of an outbound Telnet connection except that the connection is encrypted. With authentication and encryption, the SSH client allows for secure communication over an insecure network. The SSH client in the Cisco IOS software works with publicly and commercially available SSH servers. The SSH client supports the ciphers of Data Encryption Standard (DES), Triple DES (3DES), and password authentication. User authentication is performed like that in the Telnet session to the router. The user authentication mechanisms supported for SSH are RADIUS, TACACS+ and the use of locally stored user names and passwords.
The enable secret is encrypted by default and supersedes the enable password if set
Setting the Enable password prompts you for a password when you enter the “enable” command.
The “Enable Secret” password is encrypted by default and supersedes the enable password. As a best practice, it is recommended to use the Enable Secret since it is encrypted within the configuration using an MD5 hash. Other means of encrypting the password (level 7) can be easily cracked using shareware programs. This is especially of concern if the configuration files were accessed. Use of Enable Secret password is therefore recommended.
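The recommendations scattered over the last few slides (enable secret rather than enable password, service password-encryption for line passwords, login on every line, SSH rather than Telnet on the VTY lines, and an access-class on the VTY lines) are exactly the kind of thing worth checking automatically across a fleet of saved configurations. The following Python is an added example, not code from the course book or from Cisco: it parses an IOS-style text configuration into global commands and line blocks and reports each deviation from those recommendations. Both sample configurations are constructed; the REPLACE-ME values and the access-list number 10 in the hardened one are placeholders, not values from the course.

```python
import re
from typing import List, Tuple

# Added example, not code from the course book: a small audit of the password
# and line settings this chapter recommends. Both configs are constructed
# samples; REPLACE-ME and access-list 10 are placeholders.
WEAK_CONFIG = """\
hostname R1
no service password-encryption
enable password cisco123
username admin password 0 admin123
line con 0
 password lammle
 login
line aux 0
 password lammle
line vty 0 4
 password todd
 no login
 transport input telnet ssh
"""

HARDENED_CONFIG = """\
hostname R1
service password-encryption
enable secret REPLACE-ME
username admin secret REPLACE-ME
ip domain-name mydomain.com
ip ssh version 2
line con 0
 password REPLACE-ME
 login
line aux 0
 password REPLACE-ME
 login
line vty 0 4
 access-class 10 in
 login local
 transport input ssh
"""

Finding = Tuple[str, str]   # (where, what)


def parse_config(config: str):
    """Split an IOS-style config into global commands and 'line ...' blocks."""
    globals_, line_blocks, current = [], {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" ") and current is not None:
            line_blocks[current].append(raw.strip())   # indented: belongs to current line block
            continue
        cmd = raw.strip()
        if cmd.startswith("line "):
            current = cmd
            line_blocks[current] = []
        else:
            current = None
            globals_.append(cmd)
    return globals_, line_blocks


def audit_config(config: str) -> List[Finding]:
    globals_, line_blocks = parse_config(config)
    findings: List[Finding] = []

    has_secret = any(c.startswith("enable secret") for c in globals_)
    if any(c.startswith("enable password") for c in globals_) and not has_secret:
        findings.append(("global", "enable-password-without-enable-secret"))
    if "service password-encryption" not in globals_:
        findings.append(("global", "line-passwords-stored-in-clear-text"))
    for c in globals_:
        m = re.match(r"username (\S+) password", c)
        if m:
            findings.append(("global", f"username-{m.group(1)}-uses-password-not-secret"))

    for name, cmds in line_blocks.items():
        has_password = any(c.startswith("password") for c in cmds)
        has_login = any(c == "login" or c.startswith("login ") for c in cmds)
        if "no login" in cmds:
            findings.append((name, "no-login-unauthenticated-access"))
        elif has_password and not has_login:
            findings.append((name, "password-set-but-login-missing"))   # router never prompts
        if name.startswith("line vty"):
            transports = [c for c in cmds if c.startswith("transport input")]
            if not transports or any(("telnet" in t or t.endswith(" all")) for t in transports):
                findings.append((name, "telnet-permitted-use-transport-input-ssh"))
            if not any(c.startswith("access-class") for c in cmds):
                findings.append((name, "no-access-class-on-vty"))
    return findings


if __name__ == "__main__":
    for where, what in audit_config(WEAK_CONFIG):
        print(f"{where}: {what}")
    print("hardened config findings:", audit_config(HARDENED_CONFIG))
```

The parser relies on the one-space indentation IOS uses for sub-commands of a line block, so it works on text captured from show running-config or pulled from a TFTP backup; the hardened sample produces no findings, the weak one produces seven.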
Some of the configurations used to configure an interface are Network layer addresses, media type, bandwidth, and other administrator commands. Different routers use different methods to choose the interfaces used on them.
Most of today’s routers are modular; the configuration would be “interface type slot/port”.
Adding IP Addresses continued
R1# config t
R1(config)# interface serial 0
R1(config-if)# ip address 11.1.1.2 255.255.255.0
R1(config-if)# interface e0
R1(config-if)# ip address 11.1.2.2 255.255.255.0
Interfaces on fixed series routers
Even though you don’t have to use IP on your routers, it’s most often what people use. To configure IP addresses on an interface, use the ip address command from interface configuration mode.
Note: The command “ip address address mask” starts the IP processing on the interface
Adding IP Addresses continued
R1# config t
R1(config)# interface serial 0/0
R1(config-if)# ip address 11.1.1.2 255.255.255.0
R1(config-if)# int fa0/0
R1(config-if)# ip address 11.1.2.2 255.255.255.0
Interfaces on modular series routers
This slide demonstrates how to configure an IP address on 2600 router interfaces.
Notice the syntax for both of the different interfaces (serial & ethernet) is the same though the configuration command to access the interfaces are different. Don’t forget which interface you are programming….
Adding IP Addresses continued
R1# config t
R1(config)# interface serial 0/0/0
R1(config-if)# ip address 11.1.1.2 255.255.255.0
R1(config-if)# int fa0/0
R1(config-if)# ip address 11.1.2.2 255.255.255.0
Interfaces on ISR series routers
This slide demonstrates how to configure an IP address on 2600 router interfaces.
Notice the syntax for both of the different interfaces (serial & ethernet) is the same though the configuration command to access the interfaces are different. Don’t forget which interface you are programming….
Adding IP Addresses continued
Secondary Addresses (not advised)
R1# config t
R1(config)# interface Ethernet 0
R1(config-if)# ip address 11.1.1.2 255.255.255.0
R1(config-if)# ip address 11.1.2.2 255.255.255.0 secondary
Note: Different subnets/broadcast domains on same interface (E0)
This slide shows how two hosts on the same LAN would need to go through a router to communicate because the hosts think they are on different subnets!
If you type another IP address and press Enter on a router interface, it will replace the existing IP address and mask. This is definitely a most excellent feature of the Cisco IOS.
However, if you want to add a second subnet address to an interface, you have to use the secondary command.
I really wouldn’t recommend having multiple IP addresses on an interface because it’s inefficient.
Serial Interface Clocking
(Diagram: DTE router, CSU/DSU (DCE), DTE router)
Clocking typically provided by DCE network to routers.
In non-production environments, a DCE network is not always present.
Serial interfaces will usually be attached to a CSU/DSU type of device that provides clocking for the line.
But if you have a back-to-back configuration (for example, one that’s used in a lab/classroom environment), one end, the data communication equipment (DCE) end of the cable, must provide clocking.
The type of cable plugged into the serial interface can be verified by performing ‘show controller’ command. The clock present is representative of the cable plugged in (DTE or DCE). If it’s DCE, the clockrate command will be needed in a back to back configuration.
Configuring a Serial Interface
DCE side determined by cable
Add clocking to DCE side only
Note: show controllers will show the cable connection type
ISR routers auto-detect cable type and set clock rate to 2,000,000 by default
By default, Cisco routers are all data terminal equipment (DTE) devices, so you must tell an interface to provide clocking if you need it to act like a DCE device. You configure a DCE serial interface with the clock rate command.
The show controllers command displays information about the physical interface itself. It’ll also give you the type of serial cable plugged into a serial port. Usually, this will only be a DTE cable that plugs into a type of data service unit (DSU).
R1# show controllers serial 0
Hd unit 0, idb = 0x121c04, driver structure at 0x127078
Buffer size 1524, hd unit 0, v.35 DCE cable
The bandwidth and delay of an interface is used by routing protocols such as IGRP, EIGRP, and OSPF to calculate the best cost (path) to a remote network. So if you’re using RIP routing, then the bandwidth or delay setting of an interface is irrelevant, since RIP uses only hop count to determine that.
Disabling or Enabling an Interface
Enable an interface:
R1# configure terminal
R1(config)# interface serial 0
R1(config-if)# no shutdown
%LINK-3-UPDOWN: Interface Serial0, changed state to up
%LINEPROTO-5-UPDOWN: Line Protocol on Interface Serial0, changed state to up
Disable an interface:
R1# configure terminal
R1(config)# interface serial 0
R1(config-if)# shutdown
%LINK-5-CHANGED: Interface Serial0, changed state to administratively down
%LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0, changed state to down
You can turn an interface off with the interface “shutdown” command, and turn it on with the “no shutdown” command. If an interface is shut down, it will display administratively down when using the “show interface” command.
REMEMBER TO DO A “NO SHUTDOWN” COMMAND WHEN YOU HAVE CONFIGURED A DEVICE….THIS TRIPS UP MANY STUDENTS ON THE SIMULATION PORTION OF THE EXAM.
Verifying Your Changes
The command “show interface” reveals to us the hardware address (if a LAN interface), logical address, and encapsulation method, as well as statistics. Maximum Transmission Unit (MTU) shows how many bytes of data can be sent in each encapsulated packet. BW is 1.544kbps by default on serial interfaces, Delay is 20,000 microseconds. If the link is 100% reliable, the “rely 255/255” will be shown. If the link is basically at no load, the “load 1/255” will be displayed. The encapsulation on a serial interface is HDLC by default. The loopback can be set to test the link and the keepalive is 10 seconds by default. This is a Data Link layer keepalive that is sent between routers. If the timers are not exactly the same, the Data Link layer will not come up.
Interpreting Interface Status
Serial1 is up, line protocol is up
Serial1 is up, line protocol is down
Serial1 is down, line protocol is down
Serial1 is administratively down, line protocol is down
First field (Physical): Carrier Detect
Second field (Data Link): Keepalives
The most important statistic of the show interface command is the output of the line and data-link protocol status. If the output reveals that serial 1 is up and the line protocol is up, then the interface is up and running.
The first listed “up” in this example, shows carrier detect from the CSU/DSU. The second “up” in this example shows keepalives from the remote router.
Another thing to confirm is the state of the signals. This is shown at the bottom of the output, and on most serial interfaces can also be seen on the router’s serial interface as a series of green lights. Usually when the router interface is up and normal, all of the signals will show to be up.
R1# show ip interface brief
Interface        IP-Address     OK? Method Status                Protocol
FastEthernet0/0  192.168.10.1   YES manual up                    up
FastEthernet0/1  10.1.1.2       YES DHCP   up                    up
Serial0/0/0      172.1.1.12     YES manual up                    up
Serial0/0/1      unassigned     YES unset  administratively down down
This command is used to get a quick view of the status of all interfaces configured on the router. The status and protocol fields are quick indicators as to the state of the interface. When you are troubleshooting if you see the status as administratively down, you need to perform a “no shutdown” on the interface to mark it administratively up.
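The two status fields map cleanly onto the layers the previous slides describe: "administratively down" means a missing no shutdown, a first field of "down" means no carrier detect from the CSU/DSU, and "up" with a line protocol of "down" means keepalives are not arriving from the far end. The following Python is an added example, not code from the course book: it parses a captured show ip interface brief table and the status line of show interface, and labels each interface with the layer that needs attention. The sample table is constructed from the slide's output, with Serial0/0/0 deliberately changed to up/down so that case is exercised too.

```python
import re
from typing import Dict, List

# Added example, not code from the course book: interpret the Status and
# Protocol columns the way the chapter explains them. The sample output is
# constructed; Serial0/0/0 is shown up/down on purpose.
SAMPLE_BRIEF = """\
Interface              IP-Address      OK? Method Status                Protocol
FastEthernet0/0        192.168.10.1    YES manual up                    up
FastEthernet0/1        10.1.1.2        YES DHCP   up                    up
Serial0/0/0            172.1.1.12      YES manual up                    down
Serial0/0/1            unassigned      YES unset  administratively down down
"""

BRIEF_RE = re.compile(
    r"^(?P<intf>\S+)\s+(?P<ip>\S+)\s+(?P<ok>YES|NO)\s+(?P<method>\S+)\s+"
    r"(?P<status>administratively down|up|down)\s+(?P<proto>up|down)\s*$"
)
STATUS_LINE_RE = re.compile(
    r"^(?P<intf>\S+) is (?P<status>administratively down|up|down), "
    r"line protocol is (?P<proto>up|down)$"
)


def diagnose(status: str, proto: str) -> str:
    """Map the two fields to the layer that needs attention."""
    if status == "administratively down":
        return "shutdown: issue 'no shutdown' on the interface"
    if status == "down":
        return "physical: no carrier detect from the CSU/DSU (cable, clocking, CSU/DSU)"
    if proto == "down":
        return "data link: no keepalives from the remote router (encapsulation, keepalive timers, far end)"
    return "operational"


def parse_brief(output: str) -> List[Dict[str, str]]:
    """Parse each data row of 'show ip interface brief'; the header is skipped
    because its OK? column does not match YES/NO."""
    rows = []
    for line in output.splitlines():
        m = BRIEF_RE.match(line)
        if m:
            row = m.groupdict()
            row["diagnosis"] = diagnose(row["status"], row["proto"])
            rows.append(row)
    return rows


def parse_status_line(line: str) -> Dict[str, str]:
    """Parse the first line of 'show interface', e.g. 'Serial1 is up, line protocol is down'."""
    m = STATUS_LINE_RE.match(line.strip())
    if m is None:
        raise ValueError(f"not an interface status line: {line!r}")
    row = m.groupdict()
    row["diagnosis"] = diagnose(row["status"], row["proto"])
    return row


def not_operational(output: str) -> List[str]:
    """Names of the interfaces in a brief table that are not up/up."""
    return [r["intf"] for r in parse_brief(output) if r["diagnosis"] != "operational"]


if __name__ == "__main__":
    for r in parse_brief(SAMPLE_BRIEF):
        print(f"{r['intf']:16} {r['status']}/{r['proto']:5} -> {r['diagnosis']}")
    print(parse_status_line("Serial1 is down, line protocol is down")["diagnosis"])
```

Because the regular expressions anchor on the fixed vocabulary of the two columns rather than on column positions, the parser is not sensitive to the varying amounts of padding IOS prints between columns.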
Erasing NVRAM on a Router
R1(config)# exit
R1# erase startup-config
Erasing the nvram will remove all the files! Continue?
OK
Erase of nvram complete
Erasing a router configuration
You can delete the startup-config file by using the “erase startup-config” command.
This command would be recommended if the router was being re-deployed or decommissioned, and you wanted to make sure none of the old configuration elements were present when it either comes back online, or is decommissioned. Once the configuration is erased, the user will be prompted to enter setup commands as if the router had come from the factory.
The “write erase” command is another command that performs the same function.
Introduction to Cisco Catalyst Switches
Chapter 1 Continued
This section will introduce you to Cisco Catalyst IOS Switches and how to set an IP address on the switch so it can be managed in-band.
When Cisco’s talking about switching, they really mean layer-2 switching unless they say otherwise. Layer-2 switching is the process of using the hardware address of devices on a LAN to segment a network.
Switching will be explained in detail in a later chapter.
If POST completes successfully, the system LED turns green. If POST fails, the system LED turns amber. This is typically fatal.
The 2950 comes in a bunch of flavors, and runs 10Mbps all the way up to 1Gbps switched ports, with either twisted-pair or fiber. It can be a layer 3 switch, and runs what is known as Catalyst IOS. This operating system is very similar to Cisco IOS running on a router, and all ports are treated as interfaces.
The 3550 and 3750 switches can provide layer 3 services, the 2950 cannot.
Operate at Layer 2 of the OSI model
Forward, filter, or flood frames
Have many ports
Bridges/Switches learn MAC addresses by examining the source MAC address of each frame received
(Diagram: Hub, Switch, Hub; Segment 1 and Segment 2; Internet)
Layer-2 switching is hardware based, which means it uses the MAC address from the host’s NIC cards to filter the network. Unlike bridges that use software to create and manage a filter table, switches use application-specific integrated circuits (ASICs) to build and maintain their filter tables. But it’s still okay to think of a layer-2 switch as a multiport bridge because their basic reason for being is the same: to break up collision domains. Layer-2 switches and bridges are faster than routers because they don’t take up time looking at the Network layer header information. Instead, they look at the frame’s hardware addresses before deciding to either forward the frame or drop it. Switches create private dedicated domains and don’t share bandwidth like a hub would.
LAN Switches provide many features including dedicated connections between an end node and the switch allowing for a much smaller collision domain and the capability to run at full duplex.
When a switch is first powered on, the MAC forward/filter table is empty. When a device transmits and an interface receives a frame, the switch places the frame’s source address in the MAC forward/filter table, allowing it to remember which interface the sending device is located on. The switch then has no choice but to flood the network with this frame because it has no idea where the destination device is actually located.
When the switch is powered on, it has nothing in its MAC address forward/filter table. But when the hosts start communicating, the switch places the source hardware address of each frame in the table along with the port on which that frame was received.
When a frame arrives at a switch interface, the destination hardware address is compared to the forward/filter MAC database. If the destination hardware address is known and listed in the database, the frame is only sent out the correct exit interface. The switch doesn’t transmit the frame out any interface except for the destination interface. This preserves bandwidth on the other network segments and is called frame filtering. But if the destination hardware address isn’t listed in the MAC database, then the frame is broadcast out all active interfaces except the interface the frame was received on. If a device answers the broadcast, the MAC database is updated with the device’s location (interface).
If a host or server sends a broadcast on the LAN, the switch will broadcast the frame out all active ports by default. Remember, the switch only creates smaller collision domains, but it’s still one large broadcast domain by default.
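The learn / filter / flood behaviour described above, as an added example that is not part of the course book: a small model of a switch’s MAC forward/filter table. Port numbers, MAC addresses and the frame sequence in demo() are constructed for illustration.

```python
# Added example (not from the course book): the MAC forward/filter table
# of a layer-2 switch, modelling the learn / filter / flood behaviour above.
from dataclasses import dataclass, field
from typing import Dict, List

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass
class Frame:
    src: str  # source MAC address
    dst: str  # destination MAC address


@dataclass
class Switch:
    ports: List[int]
    mac_table: Dict[str, int] = field(default_factory=dict)  # empty at power-on

    def receive(self, frame: Frame, in_port: int) -> List[int]:
        """Process one frame and return the list of ports it is sent out of."""
        # 1. Learn: remember which port the source address was seen on
        #    (a host that moves simply overwrites its old entry).
        self.mac_table[frame.src] = in_port
        flood = [p for p in self.ports if p != in_port]  # never back out the ingress port
        # 2. Broadcast: sent out every other active port (one broadcast domain).
        if frame.dst == BROADCAST:
            return flood
        # 3. Unknown unicast: destination not yet learned, so flood it.
        out = self.mac_table.get(frame.dst)
        if out is None:
            return flood
        # 4. Known unicast: filter, i.e. forward only to the learned port;
        #    drop it if that is the very port the frame arrived on.
        return [] if out == in_port else [out]


def demo() -> dict:
    """Constructed scenario: host A on port 1 talks to host B on port 3."""
    sw = Switch(ports=[1, 2, 3, 4])
    a, b = "00:00:00:00:00:0a", "00:00:00:00:00:0b"
    first = sw.receive(Frame(a, b), in_port=1)    # B unknown -> flooded
    reply = sw.receive(Frame(b, a), in_port=3)    # A already learned -> port 1 only
    second = sw.receive(Frame(a, b), in_port=1)   # B learned from its reply -> port 3 only
    bcast = sw.receive(Frame(a, BROADCAST), in_port=1)  # broadcast -> all but port 1
    moved = sw.receive(Frame(b, a), in_port=4)    # B re-learned on port 4
    return {"first": first, "reply": reply, "second": second,
            "broadcast": bcast, "moved": moved, "table": dict(sw.mac_table)}
```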
Connecting Switches together
When connecting a cable into a switch, at first the link lights are orange, then turn green indicating normal operation. Why?
Crossover cable
You would use a crossover cable to connect switches together. A crossover cable has the following pins crossed: 1 to 3, 2 to 6, 3 to 1, 6 to 2.
The lights turn orange for 50 seconds because of the Spanning-Tree Protocol (STP), which is covered in detail later in this course. This behavior depends on the type of switches being interconnected, their speed and duplex settings, and their spanning tree configuration. Care and caution should be exercised when interconnecting switches, so as not to introduce loops in the network topology, to limit the broadcast domain, and not to substantially oversubscribe the uplink ports.
Do switches need an IP Address?
Which type of Ethernet cable is used to connect the hubs to the switch? Crossover cable.
[Figure: three hubs connected to two switches]
No, switches do not need an IP address. We would add an IP address to a switch only for management purposes and it is configured under the VLAN 1 interface, or the management VLAN – NOT on an interface. This can also take the form of an Sc0 interface in the case of switches running Catalyst OS.
To connect a hub to a switch, you would use a crossover cable. Why not a straight-through?
What is the default gateway address for the hosts?
Both the hosts and the switch would use a default gateway address of 192.168.10.1.
[Figure: router interface E0 at 192.168.10.1, switch at 192.168.10.2]
The default gateway address of the hosts (which allows them to send packets out of the local network) is always set to a router or layer 3 network address. The layer 2 switch usually does not perform any routing functions, and would not be able to route the packet if it were directed to its IP address.
The switch, when sending packets out of the local network for management purposes only, needs a default gateway address set to the router as well – just like a host would.
Remember, the IP address and default gateway set on the switch have nothing to do with a host sending packets out of the local network. Think of the switch’s configuration in the same way as any host that does not route traffic. The switch simply breaks up collision domains for the local network and the router is used to connect networks together.
Configuring the Switch IP Address
Switch(config)# interface vlan 1
Switch(config-if)# ip address 192.168.10.2 255.255.255.0
Switch(config-if)# no shutdown
Switch(config-if)# exit
Configures an IP address and subnet mask for the switch
Switch(config)#ip default-gateway 192.168.10.1
Configures the default gateway for the switch
• The rest of the commands are similar to a router’s IOS
• i.e. copy run start, erase start, show run, passwords, etc.
The IP address is configured differently on the Catalyst switches than it is on any router: you actually configure it under the VLAN1 interface. Remember that every port on every switch is a member of VLAN1 by default. This really confuses a lot of people; you’d think that you would set an IP address under a switch interface, but no, that’s not where it goes! Remember that you set an IP address “for” the switch so you can manage the switch in-band (through the network). You set the “ip default-gateway” command so that you can manage the switch from outside the local network. Remember to also perform a “no shut” under the VLAN interface.
As is true on routers, both the 2950’s and 3550’s configurations are stored in NVRAM.
You save the configuration with the “copy running-config startup-config” command, and you can erase the contents of NVRAM with the “erase startup-config” command.
On a Catalyst OS switch:
Switch (enable)>clear config all
Switch (enable)>reset
The proper use and configuration of access lists is a vital part of router configuration because access lists are such versatile networking accessories. Contributing mightily to the efficiency and operation of your network, access lists give network managers a huge amount of control over traffic flow throughout the enterprise. With access lists, managers can gather basic statistics on packet flow and security policies can be implemented. Sensitive devices can also be protected from unauthorized access.
Filtering: Manage IP traffic by filtering packets passing through a router
Classification: Identify traffic for special handling
An access list is a mechanism for identifying particular traffic. One application of an access list is for filtering traffic into or out of a router interface.
Permit or deny packets moving through the router.
Permit or deny vty access to or from the router.
Without ACLs, all packets could be transmitted to all parts of your network.
This figure illustrates common uses for IP access lists. While this chapter focuses on IP access lists, the concept of access lists as mechanisms to control traffic in a network applies to all protocols. An improved security solution is the lock-and-key access feature, which is available only with IP extended access lists. Lock-and-key access allows you to set up dynamic access lists that grant access per user to a specific source/destination host through a user authentication process. You can allow user access through a firewall dynamically, without compromising security restrictions.
• Numbered standard IPv4 lists (1–99) test conditions of all IP packets for source addresses. Expanded range (1300–1999).
• Numbered extended IPv4 lists (100–199) test conditions of source and destination addresses, specific TCP/IP protocols, and destination ports. Expanded range (2000–2699).
• Named ACLs identify IP standard and extended ACLs with an alphanumeric string (name).
With Cisco IOS 12.0, the IP access-list range has been expanded to also include:
<1300-1999> IP standard access list (expanded range)
<2000-2699> IP extended access list (expanded range)
• Permit or deny packets moving through the router
• Permit or deny vty access to or from the router
• Stop basic user data. Without access lists all packets could be transmitted onto all parts of your network
Advanced uses for Access-lists:
• Priority and custom queuing
• Dial-on-Demand Routing (DDR)
• Route table filtering
• Classify network traffic
Access lists can be used to permit or deny packets moving through the router, permit or deny Telnet (VTY) access to or from a router, and create dial-on-demand interesting traffic that triggers dialing to a remote location.
Wildcards are used with access lists to specify an individual host, a network, or a certain range of a network or networks.
To understand a wildcard, you need to understand what a block size is; they’re used to specify a range of addresses. Some of the different block sizes available are 64, 32, 16, 8, and 4.
This slide demonstrates a “basic” standard access-list. Each of the three test statements says the same thing; the slide is showing three different ways to specify a single host.
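Wildcard masks and block sizes, as an added example that is not part of the course book. The helpers below show how a block size becomes a wildcard, which addresses a base/wildcard pair selects, and why “host X”, “X 0.0.0.0” and a bare “X” in a standard list all mean the same thing; the 5.1.1.8 to 5.1.1.11 range from the exam question at the end of this chapter is assumed to be written as 5.1.1.8 0.0.0.3 (block size 4).

```python
# Added example (not from the course book): wildcard masks and block sizes.
# In a wildcard mask a 0 bit means "this bit must match" and a 1 bit means
# "don't care", the inverse of a subnet mask. A block of N addresses
# (N a power of two, aligned on a multiple of N) is selected by wildcard N-1.
import ipaddress
from typing import Tuple


def to_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def to_str(value: int) -> str:
    return str(ipaddress.IPv4Address(value))


def wildcard_for_block(block_size: int) -> str:
    """Wildcard covering `block_size` consecutive addresses:
    4 -> 0.0.0.3, 64 -> 0.0.0.63, 256 -> 0.0.0.255."""
    if block_size <= 0 or block_size & (block_size - 1):
        raise ValueError("block size must be a power of two")
    return to_str(block_size - 1)


def wildcard_from_mask(subnet_mask: str) -> str:
    """Invert a subnet mask: 255.255.255.0 -> 0.0.0.255."""
    return to_str(0xFFFFFFFF ^ to_int(subnet_mask))


def matches(addr: str, base: str, wildcard: str = "0.0.0.0") -> bool:
    """True if `addr` is selected by `base wildcard`. Bits set in the
    wildcard are ignored, so the "don't care" bits of `base` do not matter
    either. The default wildcard 0.0.0.0 is exactly what "host X" and a
    bare "X" in a standard access list mean: all 32 bits must match."""
    a, b, w = to_int(addr), to_int(base), to_int(wildcard)
    return (a & ~w) == (b & ~w)


def covered_range(base: str, wildcard: str) -> Tuple[str, str]:
    """First and last address selected by `base wildcard` (the base is
    normalised by clearing its don't-care bits)."""
    b, w = to_int(base), to_int(wildcard)
    return to_str(b & ~w), to_str((b & ~w) | w)


def block_size_of(wildcard: str) -> int:
    """Number of addresses a wildcard selects: 2 to the power of its 1 bits."""
    return 2 ** bin(to_int(wildcard)).count("1")
```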
Applying Access lists to a VTY Line
[Figure: a Telnet session arriving on the router’s physical port e0 and terminating on the virtual ports vty 0 through 4]
• Set up an IP address filter with a standard access list statement
• Use line configuration mode to filter access with the access-class command
• You should set identical restrictions on all vty lines
When you apply an access list to the VTY lines, you don’t need to specify the Telnet protocol, since access to the VTY implies terminal access.
You also don’t need to specify a destination address, since it really doesn’t matter which interface address the user used as a target for the telnet session.
You really only need to control where the user is coming from—their source IP address. Nice!
Standard versus Extended Access List
Standard:
• Filters based on source.
• Permit or deny entire TCP/IP protocol suite.
• Range is 1–99 and 1300–1999.
Extended:
• Filters based on source and destination.
• Specifies a specific IP protocol and port number.
• Range is 100–199 and 2000–2699.
Standard access lists
These use only the source IP address in an IP packet as the condition test. All decisions are made based on source IP address. This means that standard access lists basically permit or deny an entire suite of protocols. They don’t distinguish between any of the many types of IP traffic such as WWW, telnet, UDP, etc.
Extended access lists
Extended access lists can evaluate many of the other fields in the layer 3 and layer 4 header of an IP packet.
• IP Source Address
• IP Destination Address
• Protocol Field in Network Layer Packet
• Port number in Transport Layer Segment
This slide shows an example of an extended IP access list. It denies FTP (port 21 is FTP control and port 20 is FTP data) from subnet 172.16.4.0 to 172.16.3.0. Since there is an implicit DENY at the end of each access list, this access list as written actually denies all packets, because it contains no permit statement. Note: if access list 101 were applied to an interface, all traffic, whether inbound or outbound (depending on how the ACL was applied), would be denied.
Don’t forget to include the permit statement to permit all other IP traffic. Access list 101 could be applied inbound to interface E1 or outbound to interface E0.
Extended Access List Example
• You want to stop users from the Sales LAN entering the Marketing LAN. What access-list would you create, and to what interface will you apply it?
[Figure: routers LAN_A and LAN_B joined by a serial link, S0 (DCE) to S1, with 192.168.10.1/24 shown; each router has an E0 interface; hosts C, D, E and F; Sales LAN 192.168.11.0 255.255.255.0; Marketing LAN 192.168.12.0 255.255.255.0]
Extended: On the LAN_A router
access-list 110 deny ip 192.168.11.0 0.0.0.255 192.168.12.0 0.0.0.255
access-list 110 permit ip any any
int e0
ip access-group 110 in
OR
Standard: On the LAN_B router
access-list 10 deny 192.168.11.0 0.0.0.255
access-list 10 permit any
int e0
ip access-group 10 out
Access List Configuration Guidelines
• The order of ACL statements is crucial.
• Recommended: Use a text editor on a PC to create the ACL statements, then cut and paste them into the router.
• Top-down processing is important.
• Place the more specific test statements first.
• Statements cannot be rearranged or removed.
• Use the no access-list number command to remove the entire ACL.
• Exception: Named ACLs permit removal of individual statements.
• Implicit deny any will be applied to all packets that do not match any ACL statement unless the ACL ends with an explicit permit any statement.
Guidelines
• Access list numbers indicate which protocol is filtered.
• One access list per interface, per protocol, per direction is allowed.
• The order of access list statements controls testing. Place the most restrictive statements at the top of the list.
• There is an implicit deny any statement as the last access list test. Every list needs at least one permit statement.
• Create access lists before applying them to interfaces.
• Access lists filter traffic going through the router; they do not apply to traffic originating from the router.
Named access lists are just another way to create standard and extended access lists. In medium to large enterprises, management of access lists can become, well, a real hassle over time.
For example, when you need to make a change to an access list, a frequent practice is to copy the access list to a text editor, change the number, edit the list, then paste the new list back into the router.
Named access lists allow you to use names to both create and apply either standard or extended access lists.
There is nothing new or different about these access lists aside from being able to refer to them in a way that makes sense to humans.
However, you do not need to delete the named access-list in order to make changes. This is one of the best benefits of named access-lists.
Named Standard ACL Example
Deny a specific host
RouterX(config)#ip access-list standard troublemaker
RouterX(config-std-nacl)#deny host 172.16.4.13
RouterX(config-std-nacl)#permit 172.16.4.0 0.0.0.255
RouterX(config-std-nacl)#interface e0
RouterX(config-if)#ip access-group troublemaker out
All hosts on subnet 172.16.4.0 are blocked from going out on E0 to subnet 172.16.3.0. The arrow indicates that the access list is applied as an outbound access list.
Named Extended ACL Example
Deny Telnet from a specific subnet
RouterX(config)#ip access-list extended badgroup
RouterX(config-ext-nacl)#deny tcp 172.16.4.0 0.0.0.255 any eq 23
RouterX(config-ext-nacl)#permit ip any any
RouterX(config-ext-nacl)#interface e0
RouterX(config-if)#ip access-group badgroup out
All Telnet requests originating from hosts on subnet 172.16.4.0 are blocked going out on E0 to subnet 172.16.3.0.
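The configuration guidelines above (top-down processing, first match wins, implicit deny any) applied to the two named lists just shown, as an added example that is not part of the course book. The Packet and Entry types and the sample packets are constructed for illustration; the entries of TROUBLEMAKER and BADGROUP are transcribed from the slides.

```python
# Added example (not from the course book): evaluate standard/extended ACLs
# top-down, first match wins, implicit "deny any" at the end of every list.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


def wc_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard match: bits set in the wildcard are 'don't care'."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w) == (b & ~w)


@dataclass
class Packet:
    src: str
    dst: str
    proto: str = "ip"            # "ip", "tcp", "udp" or "icmp"
    dport: Optional[int] = None  # transport-layer destination port


@dataclass
class Entry:
    action: str                       # "permit" or "deny"
    src: str
    src_wc: str = "0.0.0.0"           # standard ACL default: exact host
    dst: str = "0.0.0.0"
    dst_wc: str = "255.255.255.255"   # standard entries ignore the destination
    proto: str = "ip"                 # "ip" matches every IP protocol
    dport: Optional[int] = None       # "eq <port>"; None matches any port

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        return (wc_match(pkt.src, self.src, self.src_wc)
                and wc_match(pkt.dst, self.dst, self.dst_wc))


def evaluate(acl: List[Entry], pkt: Packet) -> Tuple[str, Optional[int]]:
    """Return (decision, index of the matching entry); None = implicit deny."""
    for i, entry in enumerate(acl):
        if entry.matches(pkt):
            return entry.action, i
    return "deny", None


ANY = ("0.0.0.0", "255.255.255.255")   # the keyword "any"

# "ip access-list standard troublemaker" from the slide above:
# deny host 172.16.4.13, then permit the rest of 172.16.4.0/24.
TROUBLEMAKER = [
    Entry("deny", "172.16.4.13"),
    Entry("permit", "172.16.4.0", "0.0.0.255"),
]

# "ip access-list extended badgroup": deny Telnet (tcp/23) from
# 172.16.4.0/24 to any destination, then permit all other IP traffic.
BADGROUP = [
    Entry("deny", "172.16.4.0", "0.0.0.255", *ANY, proto="tcp", dport=23),
    Entry("permit", *ANY, *ANY),
]
```

Reversing the two troublemaker entries makes the broad permit match first, which is the "place the more specific statement first" guideline in action.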
Extended IP access list ENG
10 permit tcp host 10.22.22.1 any eq telnet (25 matches)
20 permit tcp host 10.33.33.1 any eq ftp
30 permit tcp host 10.44.44.1 any eq ftp-data
Displays all access lists
This is the most consolidated method for seeing several access lists. The implicit deny all statement is not displayed unless it is explicitly entered in the access list.
Todd#show ip int e0
Ethernet0 is up, line protocol is up
  Internet address is 10.1.1.11/24
  Broadcast address is 255.255.255.255
  Address determined by setup command
  MTU is 1500 bytes
  Helper address is not set
  Directed broadcast forwarding is disabled
  Outgoing access list is not set
  Inbound access list is 1
  Proxy ARP is enabled
  Security level is default
  Split horizon is enabled
  ICMP redirects are always sent
  ICMP unreachables are always sent
  ICMP mask replies are never sent
  IP fast switching is enabled
<output cut>
Verifying Access Lists
Lists IP interface information. Indicates whether outgoing and/or inbound access lists are set.
Review the output of the “show ip interface” command. The highlighted text shows details about access list settings in the show command output.
Extended IP access list 101
permit tcp host 10.22.22.1 any eq telnet
permit tcp host 10.33.33.1 any eq ftp
permit tcp host 10.44.44.1 any eq ftp-data
Todd# show {protocol} access-list {access-list number}
Todd# show access-lists {access-list number}
show access-list: Displays all access lists and their parameters configured on the router. This command does not show you which interface the list is set on.
show access-list 110: Shows only the parameters for the access list 110. This command does not show you the interface the list is set on.
show ip access-list: Shows only the IP access lists configured on the router.
show ip interface: Shows which interfaces have access lists set.
show running-config: Shows the access lists and which interfaces have access lists set.
• The access control list shown in the figure has been applied to the Ethernet interface of R1 using the ip access-group 101 in command.
• Which telnet sessions will be blocked by this ACL?
The following telnet sessions will be blocked by the ACL: any host with an address between 5.1.1.8 and 5.1.1.11 on R1 will not be able to telnet to network 5.1.3.0.