Copyright © 2003 Boson Software, Inc. All Rights Reserved.
No part of this copyrighted document and/or related copyrighted software may be reproduced, transmitted, translated, distributed, or otherwise copied in any manner or format whatsoever, without the prior written signed permission of Boson Software, Inc.
License
This copyrighted document and/or its related copyrighted software is licensed to the End User for use only in accordance with the Boson End User License Agreement (EULA). This document and its related software are never sold and are only licensed under the terms of the EULA.
Trademarks
BOSON®, BOSON.COM®, BOSON ROUTER SIMULATOR®, QUIZWARE®, BOSON SWITCH SIMULATOR™, BOSON STATION SIMULATOR™, BOSONSOFTWARE™, BOSON NETWORK DESIGNER™, BOSON CERTIFIED LABS™, BOSON TRAINING™, BOSON NETWORK SIMULATOR™, BOSON NETWORK EMULATOR™, BOSON NETSIM™, BOSON CLASS IN A BOX™, BOSON ESWITCH™, BOSON EROUTER™, and BOSON ESTATION™ are Trademarks or Registered Trademarks of Boson Software, Inc. in the United States and certain other countries.
Cisco®, Cisco Systems®, CCNA®, CCDA®, CCNP®, CCDP®, CCIE®, IOS®, and their related logos, are Trademarks or Registered Trademarks of Cisco Systems, Inc. in the United States and certain other countries. All other trademarks, registered trademarks, service marks, and/or certification marks, are the property of their respective owners. Any use of a third party mark does not constitute a challenge to said mark. Trademark, service mark, and/or certification mark acknowledgements will be added to the next product revision upon request.
Disclaimer
Boson Software, its products, courseware, practice tests, study guides, software applications, and/or other materials are not sponsored by, endorsed by or affiliated with Cisco Systems, Inc., or any company mentioned within and/or related to this product.
First Edition
CCNA 640-801 Cram Sheet
This Cram Sheet is based on many years of networking experience with Cisco equipment, many years of authoring experience, and many years of test taking experience with Cisco certifications. Having written Exam Cram books for Que Publishing and The Coriolis Group, I felt that having all the important material condensed into a few dozen pages will greatly help those people who have gone through book-reading and training and are in their final days of CCNA exam preparation.
This Cram Sheet is based on my book with McGraw-Hill, entitled CCNA Cisco Certified Network Associate Study Guide (640-801). It pulls all of the important information from this book and puts it into a condensed and simplified presentation. I’ve broken this Cram Sheet into 18 sections, including the Introduction. The remaining sections correspond to the chapter numbers in my book.
Please note that you can use this Cram Sheet to study for all three CCNA exams: INTRO (640-821), ICND (640-811), and CCNA (640-801). For preparing for INTRO, study the notes for chapters 1-6. For preparing for ICND, study chapters 3 and 5-17. For the CCNA, study all chapters.
Further Preparation
If you want to practice your test-taking skills, I also offer practice exams with QuizWare (http://www.quizware.com), which is an affiliate of Boson Software (http://www.boson.com). Please feel free to download my exams and try them out (you get to look at a dozen questions free without having to activate them). Each exam has over 450 questions, with 20+ simulation questions. I have an exam on INTRO (640-821), ICND (640-811), and two on the CCNA (640-801). If you have any further questions about my book, my practice exams, or this Cram Sheet, please visit my web page at http://www.quizware.com/dealgroup or you can email me at [email protected]. Thanks for your support! And good luck studying!!!
Richard A. Deal
[email protected]
Chapter 1: Networking Technologies
SOHO is a term used to describe users working from a home or small office. A branch office is a small group of users connected in a small area called a LAN. Mobile users constantly change their access point for connections, which can be LAN or WAN. The corporate office is where most users and resources are located. Ethernet has either a physical bus, star, or point-to-point topology, but logically it is represented as a bus. FDDI uses both a physical and logical ring topology. Token Ring uses a physical star topology, but a logical ring topology. ISDN and analog circuit-switched connections are used for temporary or backup connections. Leased lines (dedicated circuits) are used to provide guaranteed bandwidth across short distances. Packet- and cell-switched services are used when you have a single connection to the WAN, but need to connect to multiple destinations. Cell-switched services (ATM and SMDS) provide a high level of QoS, while packet-switched services (Frame Relay and X.25) provide a low level. An intranet is local to one company. An extranet extends an intranet, providing services to known external users and companies. An internet provides connections across a public network for unknown users. VPNs can be used to protect/encrypt traffic for internet/extranet traffic.
Chapter 2: Networking Concepts
The OSI Reference Model (ORM) defines the process of connecting two layers, promotes interoperability between vendors, separates a process into simpler components, and compartmentalizes the design process for vendors, simplifying implementation and troubleshooting. The ORM has seven layers: application, presentation, session, transport, network, data link, and physical. The top layer, application, provides the user interface and includes applications like FTP, web (HTTP), email (SMTP), and telnet. The presentation layer defines how information is presented to the user and includes the following: ASCII, EBCDIC, BMP, GIF, JPEG, WAV, AVI, and MPEG. The session layer sets up and tears down network connections and includes NFS and RPCs. The transport layer can provide a guarantee or no guarantee for delivery of data and includes TCP and UDP from TCP/IP. The network layer, where routers function, defines a logical topology and layer-3 addressing. Protocols at this layer include TCP/IP, IPX, and AppleTalk. The data link layer, where switches, bridges, and NICs operate, defines MAC (hardware) addresses and how devices communicate on a media type. Protocols at this layer include IEEE’s 802.2, 802.3, 802.5, Ethernet II, HDLC, PPP, and Frame Relay. The physical layer, where hubs and repeaters operate, defines the physical properties of connections and communications, which includes wires, like UTP and fiber, and connectors, like RJ-45 and DB-9. Copper cabling is susceptible to EMI (electromagnetic interference) while fiber is not. Narrowband solutions provide connectivity at lower data rates, but these can be increased by using spread spectrum, which spreads a signal across multiple frequencies. Cisco’s Aironet uses spread spectrum. Broadband solutions provide higher data rates, are used by Sprint’s PCS, and can provide national coverage. For international coverage, satellite can be used, but it has high latency and cost.
802.11b, called Wi-Fi, operates at 2.4 GHz at speeds of 11 Mbps. 802.11a operates at 5 GHz at speeds of 54 Mbps. 802.11g operates at 2.4 GHz at speeds of 54 Mbps. 802.11b and 802.11g are interoperable. The first six hexadecimal digits of a MAC address represent the OUI. MAC addresses must be unique within a broadcast domain (VLAN), but can be duplicated across broadcast domains. A unicast is sent to a single device; a broadcast is sent to every device; and a multicast is sent to a group of devices. Ethernet uses CSMA/CD. No one device has priority over another. Before transmitting, the device senses the wire. If two devices transmit simultaneously, a collision occurs. When this happens, they generate a jam signal, wait a random period, and retry transmitting again. IEEE 802.2 uses a SAP or SNAP field to differentiate amongst encapsulated protocols. A SNAP frame sets the SAP fields to 0xAA to indicate a SNAP frame. SNAP is used to extend the number of protocols 802.2 frames can transport. Ethernet II, developed by DEC, Intel, and Xerox (DIX), and IEEE’s 802.3 are not compatible. Ethernet II doesn’t have sublayers while 802.3 has two (LLC and MAC), and Ethernet II has a type field while 802.3 has a length field. Half-duplex (hubs, 10BaseT, 10Base2, and 10Base5) connections are used in a shared medium and allow a device to either send or receive. Half-duplex connections experience collisions. Full-duplex connections require point-to-point connections, where devices can simultaneously send and receive without collisions occurring. Bridges learn, forward and remove loops (using STP). The three types of traffic bridges flood are broadcasts, multicasts, and unknown destinations. Bridges and switches are used to solve bandwidth and collision problems--routers can do this, but they cost more. The network layer defines logical addresses, finds layer-3 paths to destinations, and connects different media types together, like serial and Ethernet. Routers make routing decisions based on the network component of an address. A routing table stores the locations of networks. Routers allow you to build a scalable hierarchical network, contain broadcasts and multicasts, find optimal paths to destinations, switch packets on the same interface, implement QoS, filter and encrypt traffic, and many other things. The transport layer sets up and maintains a session connection between devices, provides for reliable or unreliable delivery of data, implements flow control through ready/not ready signals or windowing, and multiplexes connections. When providing reliable delivery of data, the transport layer goes through a three-way handshake. Source and destination port numbers are used to multiplex connections. Flow control is used to ensure a source doesn’t overrun a destination with too much data. Ready/not ready signals are not efficient for flow control because they cause unnecessary delays and drops of traffic.
Windowing defines a specified amount of data that can be sent, and then the source has to wait for an acknowledgment before sending more data. A PDU is a generic term used to describe information. Data is something the application, presentation, and session layers create. The transport layer encapsulates this in a segment. The network layer encapsulates this in a packet or datagram (IP). The data link layer encapsulates this in a frame. The physical layer converts this to a physical layer signal on the physical medium used. The destination goes through a de-encapsulation process. Cisco uses a 3-layer hierarchical design: core, distribution, and access. The core, using switches, provides a high-speed switching infrastructure and doesn’t perform packet manipulations. The distribution layer, using switches and routers, separates the core and access layers, providing a logical boundary and containing broadcasts. Policies are implemented here. The access layer provides a user’s initial access to the network.
Chapter 3: IP Addressing
IP addressing is a VERY important topic on the INTRO, ICND, and CCNA exams. If you don’t understand IP addressing and subnetting, you will probably fail the exam. TCP, at the transport layer, provides for flow control and reliable connections, and includes applications like FTP (21), telnet (23), SMTP (25), and HTTP (80). A TCP segment includes source and destination port numbers, a sequence number, an acknowledgement number, code bits (control and synchronization functions), a window size, and a checksum, among other things. TCP uses a 3-way handshake (SYN, SYN/ACK, and ACK) when setting up a reliable connection. PAR (positive acknowledgment and retransmission) is used by TCP to recover from lost segments: the same segment is sent repeatedly, with a small delay between segments, until an ACK is received from the destination. ACKs can be sent along with sequence numbers in the same segment. UDP, at the transport layer, doesn’t provide any reliability or flow control, but is more efficient than TCP, and includes applications like DNS (53), TFTP (69), SNMP (161) and RIP (520). IP, at the network layer, uses the TTL field to limit the number of hops a packet can travel. Protocols that use IP include ICMP, IGRP, IPv6, TCP, and UDP, among others. Ping and traceroute use ICMP, and are used to test connectivity between devices. Ping generates an echo and expects an echo reply from the destination. ARP resolves an IP address to a MAC address and RARP, using a layer-2 function, allows a device to acquire a layer-3 address. DHCP allows a device to acquire an IP address, subnet mask, DNS, TFTP, and WINS server addresses, a domain name, and the length of the address lease. When a device needs to send something to another broadcast domain, it uses the real destination layer-3 address in the packet, but the MAC address of the default gateway in the frame. Computers deal with numbers in binary.
A byte has 8 bits, where each bit has a decimal value, shown below:

Bit Position   Decimal Value
8              128
7              64
6              32
5              16
4              8
3              4
2              2
1              1
To convert a binary value into a decimal value, add up the decimal values of the bits that are turned on (set to 1). Hexadecimal values range from 0-9 and A-F and are represented in 4 bits. Use this chart to convert between the three numbering schemes:

Decimal   Binary   Hex
0         0000     0
1         0001     1
2         0010     2
3         0011     3
4         0100     4
5         0101     5
6         0110     6
7         0111     7
8         1000     8
9         1001     9
10        1010     A
11        1011     B
12        1100     C
13        1101     D
14        1110     E
15        1111     F
IP addresses are 32 bits in length and represented in dotted decimal notation. Remember the following table for IP addresses:

Class   Network bytes (bits)   Host bytes (bits)   High-order bits   Addresses
A       1 (8)                  3 (24)              0                 1-126
B       2 (16)                 2 (16)              10                128-191
C       3 (24)                 1 (8)               110               192-223
D                                                  1110              224-239
E                                                  11110             240-254
Networks 0, 127, and 255 are reserved: 0 represents all IP addresses, 127 is the loopback and is used for testing, and 255 is for broadcasts. Class D addresses are used for multicasting and Class E addresses are reserved. Each network has a network (wire) number, a directed broadcast, and host addresses (between the first two values). Each network loses two host addresses (network and broadcast). Knowing the number of host bits N, the total number of host addresses in a network is 2^N - 2, while the total number of addresses in a network is 2^N. Subnet masks define the network and host boundary in IP addresses. A binary 1 indicates a network number and a binary 0 indicates a host component. All the binary 1s and 0s must be contiguous, and the length of the subnet mask is 32 bits. When subnetting, the first and last subnets in a network (subnet 0) may or may not be valid. Remember this important point for the exam. To convert a binary subnet mask into a decimal mask, add up the host bit values, creating a decimal number, and subtract this from 255, which results in the subnet mask value. When developing an IP addressing scheme, use these steps: (1) figure out the network and host requirements; (2) satisfy host and network requirements; (3) figure out the subnet mask; (4) figure out the network addresses; (5) figure out the directed broadcasts for your networks; (6) figure out the host values for your networks. The directed broadcast address is one number less than the next network number. If you are given a specific address and subnet mask, and asked to determine if this is a network, host, or directed broadcast address, follow these steps: (1) Examine the subnet mask and find the interesting octet (boundary between networks and hosts--the non-255 number); (2) Subtract the interesting octet from 256 (this results in the multiple that network numbers increase by in the interesting octet); (3) Write down the network numbers starting at 0; (4) Write down the broadcast addresses for those around the address in question (the broadcast address is one less than the next network number); (5) Write down the host addresses (addresses between the network and broadcast addresses). You can use Boson’s subnet calculator to check your results when practicing your IP addressing (http://www.boson.com/promo/utilities/subnetter/ip_subnetter.htm).
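The subnetting procedure above, worked through in code as an added example (not from the Cram Sheet or Boson's calculator); every address and mask it uses is a constructed sample value:

```python
# Added example, not from the Cram Sheet: the subnetting steps worked through
# in code. All addresses and masks below are constructed sample values.

def octets(dotted):
    """Split a dotted-decimal string into four integers, checking their range."""
    parts = [int(p) for p in dotted.split(".")]
    if len(parts) != 4 or any(p < 0 or p > 255 for p in parts):
        raise ValueError(f"bad dotted-decimal value: {dotted}")
    return parts

def to_int(dotted):
    """Pack four octets into the 32-bit value the address really is."""
    a, b, c, d = octets(dotted)
    return (a << 24) | (b << 16) | (c << 8) | d

def is_valid_mask(mask):
    """A mask is legal only if its binary 1s (network) and 0s (host) are contiguous."""
    host_part = (~to_int(mask)) & 0xFFFFFFFF      # host bits become 1s
    return host_part & (host_part + 1) == 0       # 1s contiguous from the right

def host_bits(mask):
    """N, the number of host bits left by the mask."""
    if not is_valid_mask(mask):
        raise ValueError(f"non-contiguous subnet mask: {mask}")
    return 32 - bin(to_int(mask)).count("1")

def address_count(mask):
    """Total addresses in a network: 2^N."""
    return 2 ** host_bits(mask)

def usable_hosts(mask):
    """Host addresses in a network: 2^N - 2 (network and directed broadcast removed)."""
    return max(address_count(mask) - 2, 0)

def octet_from_host_bits(n):
    """Mask octet for n host bits: add up the host-bit values and subtract from 255."""
    if not 0 <= n <= 8:
        raise ValueError("an octet has 0 to 8 host bits")
    return 255 - sum(2 ** i for i in range(n))

def interesting_octet(mask):
    """Step 1: index (0-3) of the first mask octet that is not 255; None for /32."""
    for i, value in enumerate(octets(mask)):
        if value != 255:
            return i
    return None

def block_size(mask):
    """Step 2: 256 minus the interesting octet gives the network-number increment."""
    return 256 - octets(mask)[interesting_octet(mask)]

def networks_in_octet(mask):
    """Step 3: the network numbers in the interesting octet, starting at 0."""
    return list(range(0, 256, block_size(mask)))

def classify(addr, mask):
    """Steps 4-5: return ('network'|'host'|'directed broadcast', network, broadcast)."""
    if not is_valid_mask(mask):
        raise ValueError(f"non-contiguous subnet mask: {mask}")
    idx = interesting_octet(mask)
    if idx is None:
        raise ValueError("a 255.255.255.255 mask has no network/broadcast range")
    step = block_size(mask)
    a = octets(addr)
    # Network number: the largest multiple of the block size at or below the
    # address in the interesting octet; the octets to its right become 0.
    net = a[:idx] + [(a[idx] // step) * step] + [0] * (3 - idx)
    # Directed broadcast: one less than the next network number; right octets 255.
    bcast = net[:idx] + [net[idx] + step - 1] + [255] * (3 - idx)
    if a == net:
        kind = "network"
    elif a == bcast:
        kind = "directed broadcast"
    else:
        kind = "host"
    return kind, ".".join(map(str, net)), ".".join(map(str, bcast))

if __name__ == "__main__":
    for addr, mask in [("192.168.1.100", "255.255.255.224"),
                       ("172.16.40.0", "255.255.248.0"),
                       ("10.0.0.255", "255.255.255.0")]:
        kind, net, bcast = classify(addr, mask)
        print(f"{addr} {mask}: {kind}; network {net}, broadcast {bcast}, "
              f"{usable_hosts(mask)} usable hosts")
```

Whether subnet 0 and the last subnet are usable is left to the caller, as the text says it depends on the exam and on the router configuration.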
Chapter 4: Preparing Network Connections
Hubs and repeaters connect devices together in the same collision domain. Repeaters repeat a signal and are used to extend the length of a cable. A hub is a repeater. These devices operate at layer-1 in the same collision, or bandwidth, domain. Switches and bridges are used to solve collision and bandwidth problems. Switches dedicate a port to each device (separate collision/bandwidth domain), which is called microsegmentation. Routers connect broadcast domains together and don’t propagate broadcasts by default. Out-of-band (console and aux ports) management doesn’t affect the traffic on the backplane of a device while in-band (telnet, SNMP, web browser) management does. Most Cisco console connections use an RJ-45 rollover cable and an RJ-45-to-DB-9 terminal adapter. With a rollover cable, the pins on the two sides of the cable are reversed. When setting up a console connection, configure the following in your terminal package: speed (9,600 bps), data bits (8), stop bits (1), parity (none), flow control (none). The nomenclature for a switch’s interfaces is type slot_#/port_#. Interface types include ethernet, fastethernet, or gigabit. The slot number is always 0 for the 1900 and 2950 switches. The port number starts at 1 and works its way up. The nomenclature of router interfaces is the same, but more types are included, like atm, asynch, bri, ethernet, fddi, serial, tokenring. However, port numbers always start at 0. Plus, for non-modular routers, omit the slot_# and the “/”--just specify the port_#. When connecting Ethernet devices together, use a crossover cable for DTE-to-DTE and DCE-to-DCE connections and a straight cable for DTE-to-DCE connections. A DTE is a router, PC, or file server and a DCE is a hub or switch. A crossover cable crosses over pins 1-3 and 2-6. For serial connections, Cisco uses a proprietary DB-60 or DB-21 interface connector.
Chapter 5: Basic Switch and Router Configuration
IOS stands for Internetwork Operating System and its advantages include features, connectivity, scalability, reliability, and security. When the Cisco device boots up, it runs POST, finds and loads the IOS, and finds and loads the configuration file. You can access a Cisco device via a console or aux port or the VTY ports via telnet, TFTP, SNMP, or a web browser. The IOS has three different modes: User EXEC, Privilege EXEC, and Configuration. From User EXEC mode, use the enable command to access Privilege EXEC mode. To go back to User EXEC mode, use the disable command. To log out of either mode, use the exit command. Use the configure terminal command to access Configuration mode. Use the hostname command to change the name of the device--this name has local significance only. To enable an interface on any device, use the no shutdown command. To disable an interface, use the shutdown command. If you are in a Subconfiguration mode and enter a Global command, typically the router executes the command as a Global command and takes you back to Global mode. The exit command takes you back one Configuration level. The end command or the CNTRL-Z control sequence exits Configuration mode. The show running-config command displays the IOS device’s currently running configuration in RAM. Any command that examines or manipulates configuration files must be executed from Privilege EXEC mode. You can use the help command or the ? to pull up context-sensitive help, and you can abbreviate commands to their most unique characters. You can use the context-sensitive help when doing the simulation questions on the INTRO, ICND, and CCNA exams. There are four editing features supported by the IOS: symbolic translation, command prompting, syntax checking, and command recall. The router holds the last 10 executed commands in its history buffer.
A takes you to the beginning of a line and E to the end. P takes you to a previous command and N to a more recent one. From the main menu of the 1900, enter K to access the IOS. The enable password level 1|15 command configures the User (1) and Privilege (15) EXEC passwords. To assign an IP address to the 1900, use the ip address command; and to assign the default gateway address, use the ip default-gateway command. The configuration on the 1900 is automatically saved. On the 2950 or router, use the line password command to secure User EXEC access. Routers support five VTYs (0-4). Use the login command to allow login access on your VTYs. The enable password command configures an unencrypted Privilege EXEC password and the enable secret command creates an encrypted one. To assign an IP address to the 2950, use the ip address command under the VLAN interface (interface vlan1); and to assign the default gateway address, use the ip default-gateway command. The 2950 and routers do NOT automatically save their
configurations. To save the configuration on a 2950 or router, use the copy running-config startup-config command. When a router doesn’t contain a configuration file in NVRAM when it boots up, it takes you into the System Configuration Dialog, which can also be reached via the setup Privilege EXEC command. To break out of the script without saving your changes, use C. At the end of the script, answering 0 aborts the script and ignores your input; a 1 takes you back to the beginning of the script and remembers your previous answers; a 2 ends the script, but saves and executes your changes. Anything in []s is a default value. The script takes you through global configurations first, and then interface configurations. You cannot configure everything with this script. On a router, use the banner motd command to create a login banner and the exec-timeout command to set up the idle timeout for management connections. The terminal monitor Privilege EXEC command allows you to view console output on non-console lines. If an interface is “up and up”, the physical and data link layers are operational; “up and down” indicates a data link layer problem; “down and down” indicates a physical layer problem; “administratively down and down” indicates a disabled interface (shutdown command). Use the show interfaces command to verify an interface’s status. If you are copying and pasting a configuration file into a router, and the router interface is disabled with the shutdown command, your pasted configuration file must contain the no shutdown command in order to activate the interface. This is a common problem when copying and pasting a configuration file from an old router to a new router, where the interfaces on the new router are disabled by default. For serial interfaces on routers in a back-to-back connection, use the show controller command to determine the DTE and DCE--the clock rate command configures the physical speed for the connection.
The bandwidth command does not change the speed of the interface: it affects only the metric used by certain routing protocols. On routers, configure IP addresses on interfaces with the ip address command. If you misconfigured an IP address on a router’s interface, use the no ip address command to remove it or the ip address command to overwrite the old one. The show ip interface command displays whether an ACL is applied to an interface. The show version command displays the IOS version, the uptime, the amount of RAM, NVRAM, and flash, the type and number of interfaces, and the configuration register value.
Chapter 6: Managing Your Network Device
On a Cisco device, POST executes hardware tests. The bootstrap program (not the IOS) finds and loads the IOS image. ROMMON contains a mini-operating system (not the IOS) used for debugging and low-level testing of the Cisco device. The Mini-IOS is a stripped down IOS stored in ROM and is used to perform an emergency boot of the router if it can’t find an IOS image--this mode is called RXBOOT mode. All of these components are stored in ROM. The operating system is stored in flash and the configuration file is stored in NVRAM. When booting up, the router runs POST, loads the bootstrap program, loads the IOS, and executes the configuration file. You can use boot system commands to affect where the router should find and load the IOS: flash, a TFTP server, or ROM. If these commands don’t exist in NVRAM, the default bootup process is used. The configuration register is used by the device to determine how it boots up and finds its components. A 0x0 in the fourth digit means the router will boot into ROMMON mode; a 0x1 causes the router to boot into RXBOOT mode (Mini-IOS); a 0x2 causes the router to boot up using the default process. The configuration register value is displayed by the show version command. The default value is 0x2102. If you need to perform the password recovery procedure, break into ROMMON mode by using the sequence when the router begins to boot. Change the configuration register to 0x2142 and boot up the router. Break out of the System Configuration Dialog and enter Privilege EXEC mode. Copy the NVRAM configuration into RAM. Enter Configuration mode, change the passwords, enable the router’s interfaces, and change the configuration register back to 0x2102 (config-register). Exit to Privilege EXEC mode and save the configuration from RAM to NVRAM. Anytime you execute a copy command that copies from RAM to something else, the router uses an overwrite process.
Anytime you copy something into RAM, the router uses a merge process. The show flash and show version commands display the amount of flash in your router. Cisco images use a naming convention that describes the platform image, the feature set, whether the image is compressed or relocatable, and the IOS version and revision numbers. Before loading an IOS image on a TFTP server, check to make sure it is reachable (ping), check its disk space, check to see if the file nomenclature of the IOS is supported, and verify whether the file must exist (empty) first before you can copy to it. The copy flash tftp command backs up the IOS image and the copy tftp flash command upgrades it. The reload command reboots the router. The show interfaces command and CDP test layer-2 connectivity. The ping and traceroute commands test layer-3 connectivity. The telnet command tests layer-7 connectivity. debug commands test layer-2 through layer-7 connectivity. The undebug all or no debug all command disables all debug functions. CDP is enabled on every Cisco device by default. Multicast updates are generated every 60 seconds with a hold-down timer of 180. Neighboring Cisco devices will never forward another neighbor’s messages. CDP is supported on ATM, Ethernet, FDDI, Frame Relay, HDLC, and PPP interfaces. Use the no cdp run command to globally disable CDP and the no cdp enable command to disable CDP on an interface. The show cdp neighbors command displays your directly connected Cisco devices, and adding the detail parameter displays their layer-3 addresses. The simple ping and traceroute commands can be executed from both User and Privilege EXEC modes, but the extended versions can only be executed from Privilege EXEC mode. Ping uses ICMP echo messages to test connectivity. If the destination is reachable, the destination responds back with an echo reply (“!”); otherwise, an intermediate router responds back with either a destination or network unreachable message (“.”, “n”, or “u”). An “a” indicates the ICMP message was filtered. With an extended ping, you can enter the following information: protocol, source and target address, number of tests (5), packet size (100 bytes), timeout (2 seconds), type of service, fragmentation, data pattern, and IP header options. If you are experiencing connection problems, first check internal connectivity by pinging your loopback address (127.0.0.1). If this fails, there is a problem with your TCP/IP protocol stack. Next, ping your PC’s IP address. Fix it with either ipconfig or winipcfg. Next ping your default gateway. If this fails, check your PC’s subnet mask and the configuration of the default gateway (router). The traceroute command lists each router the packet goes through when traveling to the destination, and is used to troubleshoot routing problems. The 1900 does not support telnet.
To suspend a telnet session, use the 6 x control sequence. Pressing on an empty line resumes the last suspended telnet session. To resume a specific suspended telnet session, use the resume command. The show sessions command displays your suspended telnet sessions and the disconnect command disconnects them.
Chapter 7: Bridging and Switching
Bridges perform switching in software and switches in hardware (ASICs). Bridges only support store-and-forward switching while switches can support store-and-forward, cut-through, and fragment-free switching. Store-and-forward pulls in the whole frame, checks the CRC, and then forwards the frame; cut-through reads the first 14 bytes (through the destination MAC) and forwards the frame; fragment-free reads the first 64 bytes and forwards the frame. The 1900 supports all three (defaults to fragment-free), but the 2950 only supports store-and-forward. Bridges support 2-16 ports while switches can support dozens or hundreds. Bridges only support half-duplex while switches support both half- and full-duplex. All ports in a bridge are in the same broadcast domain while switches can break up broadcast domains with VLANs. With bridges, there is only one instance of STP, while switches can support 1 instance per VLAN. Bridges/switches have three main functions: learn, forward, and remove loops. Bridges learn by placing source MAC addresses and their connected ports in a CAM (port address) table. This table is used to intelligently forward frames. Broadcasts, multicasts, and unknown destinations are always flooded. The show mac-address-table command displays the CAM table contents, including the MAC address, port, VLAN, and the method (static or dynamic) by which the entry was learned. The IEEE 802.1D (STP) protocol is used to remove loops. Switches use BPDUs to share topology information, which are generated every 2 seconds. The switch’s ID is composed of a priority and MAC address. The switch with the lowest ID is chosen as the root. A BPDU’s path cost is incremented by the port cost when received on a port. Each switch chooses a root port to reach the root switch.
This is chosen by the lowest accumulated path cost to the root, the connected switch with the lowest switch ID, the port with the lowest priority, or the physically lowest-numbered port, in that order if there are multiple ports or ties. Each segment also uses one port on one switch to reach the root, called the designated port. This is chosen by using the connected switch with the lowest accumulated path cost, the switch with the lowest ID, the port with the lowest priority, or the physically lowest-numbered port. When STP is running, a port can go through four states: blocking (20 seconds), listening (15 seconds), learning (15 seconds), and forwarding, so convergence can take from 30-50 seconds. In all states, BPDUs are processed on the port. In the learning state, the CAM table is built. In the forwarding state, user frames are forwarded through ports.

All ports on Cisco switches are enabled. The 1900's 10BaseT ports are half-duplex; its 100Base ports and the 2950's ports are auto-sensing. CDP and STP are enabled on all ports. No passwords or IP addresses are configured on the switches. The duplex command configures the duplexing and the speed command configures the speed (only on the 2950); use the show interfaces command to verify your interfaces' configuration.
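The root election and root port selection described above, worked through in code. This is an added example, not part of the study guide; the bridge IDs, MAC addresses, port costs and BPDUs are constructed.

```python
"""STP root election and root port selection, following the order the chapter gives.

Added example, not from the study guide. Bridge IDs, MAC addresses, port costs and
the BPDUs used below are constructed.
"""
from dataclasses import dataclass
from typing import Iterable, List, Tuple


@dataclass(frozen=True)
class BridgeId:
    priority: int   # 32768 by default; lowest wins
    mac: str        # constructed MAC, e.g. "00:00:0c:00:00:01"

    def key(self) -> Tuple[int, int]:
        """Compare the priority first, then the MAC address as a number."""
        return (self.priority, int(self.mac.replace(":", ""), 16))


@dataclass(frozen=True)
class Bpdu:
    """A configuration BPDU as received, plus where it arrived locally."""
    root_id: BridgeId
    path_cost: int              # root path cost advertised by the sender
    sender_id: BridgeId
    sender_port_priority: int   # 128 by default
    sender_port_number: int
    local_port: str
    local_port_cost: int        # cost of the link it came in on


def elect_root(bridge_ids: Iterable[BridgeId]) -> BridgeId:
    """The switch with the lowest (priority, MAC) becomes the root."""
    return min(bridge_ids, key=BridgeId.key)


def choose_root_port(bpdus: List[Bpdu]) -> Tuple[str, int]:
    """Return (root port, accumulated cost) using the chapter's tie-break order:
    lowest accumulated path cost, lowest sender switch ID, lowest sender port
    priority, lowest sender port number."""
    root = elect_root(b.root_id for b in bpdus)
    candidates = [b for b in bpdus if b.root_id == root]
    best = min(candidates, key=lambda b: (
        b.path_cost + b.local_port_cost,   # the cost is incremented on receipt
        b.sender_id.key(),
        b.sender_port_priority,
        b.sender_port_number,
    ))
    return best.local_port, best.path_cost + best.local_port_cost
```

Because the election is purely lowest-ID-wins, whichever device announces the lowest priority becomes root; that is why the root switch's priority is set deliberately rather than left at its default.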
The port secure command on the 1900 enables port security--up to 132 addresses can be dynamically learned. To disable port security, reset the addresses to 132 and use the no port secure command. To back up a 1900's configuration to a TFTP server, use copy nvram tftp:. To restore it, use copy tftp: nvram. To delete it, use delete nvram, which sets the switch back to its factory defaults.
Chapter 8: Virtual LANs

A VLAN is a group of devices in the same subnet or broadcast domain, providing location independence. This makes adds, moves, and changes easier and allows you to group users together based on job functions. Routers are used to move packets between broadcast domains. Both the 1900 and 2950 support 64 VLANs. Static VLANs are manually configured and are called port-based VLANs. Dynamic VLANs have the switch, with the assistance of a VMPS server, put a device in the VLAN based on information from the device, like its MAC address, layer-3 address, or the user's user or group name.

An access-link connects a switch to a normal Ethernet NIC where standardized Ethernet frames are transmitted. A trunk allows you to carry traffic for multiple VLANs. Cisco supports four trunking methods: ISL (Cisco-proprietary), IEEE's 802.1Q, ATM's LANE, and 802.10 with FDDI (Cisco-proprietary). ISL adds a 26-byte header and 4-byte trailer to the user's frame--the 1900 only supports ISL. 802.1Q inserts a 4-byte tag into the user's frame and recomputes the FCS--the 2950 only supports this. PVST supports one STP instance per VLAN and works over ISL trunks. CST supports one instance of STP for all VLANs and works on 802.1Q trunks. On the 1900, the show spantree command displays STP information; on the 2950, the show spanning-tree command displays STP information.

Cisco's VTP is used to share VLAN information across trunk connections and ensures a consistent VLAN implementation is maintained across all switches in the same domain. VTP supports three modes: server, client, and transparent. Servers generate VTP multicasts every 5 minutes. Here is a comparison of the three VTP modes:
             Adds, modifies,    Generates      Propagates     Accepts changes   Default
             and deletes VLANs  VTP messages   VTP messages   in VTP messages   mode
Server       Y                  Y              Y              Y                 Y
Client       N                  N              Y              Y                 N
Transparent  Y                  N              Y              N                 N
Clients don't store VLAN information locally--they generate an advertisement request when they boot up and learn this from a server. Servers generate subset and summary advertisements. VTP switches use the highest configuration revision number in server messages to determine who has the most current VLAN information. VTP pruning can be used to dynamically prune inactive VLANs from trunks, but requires switches to be in server mode. By default, switches don't have a domain name configured and default to server mode. No password is configured, and pruning and traps are enabled on the 1900, but disabled on the 2950.

To set up VTP on a 1900, use the following commands: vtp domain, vtp server|client|transparent, vtp pruning enable|disable, vtp password, and vtp trap enable. On the 2950, VTP is set up from Privileged EXEC mode with the vlan database command. Use these commands in this mode to configure VTP: vtp domain, vtp server|client|transparent, vtp pruning, vtp password, abort (don't save), and exit (save).

DTP is a Cisco-proprietary protocol that is used to dynamically form trunks on ports. To form a trunk, one side needs to be set to either on or desirable and the other to on, auto, or desirable. To disable DTP but still set up a trunk, use nonegotiate. The default mode is auto. The 1900 trunk command enables trunking and the show trunk A|B command verifies trunking. The 2950 switchport mode command configures trunking and the show interfaces switchport|trunk command verifies it.

Every Cisco switch comes with 5 pre-configured VLANs: 1 and 1002-1005. All interfaces, by default, belong to VLAN 1--this is also the management VLAN where CDP, DTP, and VTP messages are generated. In order to add, delete, or change VLANs, your switch must be in VTP server or transparent mode. You can change a VLAN name, but changing its number requires deleting it and then adding it with the correct number. If you need to delete a VLAN, first reassign any ports to a different VLAN; otherwise the ports will be placed in VLAN 1. The vlan command creates VLANs (on the 2950 this is done in the VLAN database). On the 1900, use the vlan-membership static command to associate ports to VLANs; on the 2950 use the switchport mode access and switchport access vlan commands. Use the show vlan command to display your VLANs.
Chapter 9: Routing Overview

The three main functions of a router are to learn about neighboring routers, find and choose the best path to destination networks, and keep this information up-to-date. These routes can be configured statically or learned dynamically. A connected route is a network directly connected to a router's interface. A routed protocol is a layer-3 protocol like IP or IPX. A routing protocol determines how to get a routed protocol's traffic to a destination. Routing protocols include RIP, IGRP, OSPF, and EIGRP. Each routed protocol has its own routing table on the router. You should consider the following when choosing a routing protocol: routing metrics, how routing information is shared, convergence of the protocol, overhead, and processing of routing information. An autonomous system is a group of networks under a single administrative control, identified by a unique number.

Administrative distances are used to rank IP routing protocols and are proprietary to Cisco: the lower the number, the more preferred. Here are some default distances: connected (0), static (0 or 1), EIGRP (90), IGRP (100), OSPF (110), and RIP (120). Within a routing protocol, metrics are used to choose the best path. The lower the metric, the better the route. Here are some common metrics used by routing protocols:

Metric        Routing Protocols   Description
Bandwidth     EIGRP, IGRP         Capacity of the links in Kbps
Cost          OSPF                Inverse of the bandwidth
Delay         EIGRP, IGRP         Measurement of time
Hop count     RIP                 Number of routers away
Load          EIGRP, IGRP         Utilization
MTU           EIGRP, IGRP         Frame size
Reliability   EIGRP, IGRP         Least amount of errors or down time
To configure a static route, use the ip route command. You can specify a neighboring router or your router's exit interface as the next hop. A default route has an address of 0.0.0.0/0. Classful protocols only understand class subnets and only support one subnet mask per class address (RIPv1 and IGRP). Classless protocols support more than one subnet mask per class address (RIPv2, EIGRP, OSPF, BGP, and IS-IS). Use the show ip route command to display your IP routing table. Here are some routing protocol codes: R (RIP), I (IGRP), D (EIGRP), and O (OSPF). The routing table lists network numbers, subnet masks, the neighboring router that advertised the route, the interface used to reach the route, and how old the route is. A router-on-a-stick is a router with a trunk interface that routes traffic between VLANs on the trunk. This is done by creating subinterfaces on the router.
Distance vector protocols use the Bellman-Ford algorithm to choose paths. They are easy to set up and troubleshoot and have low overhead for memory and processing cycles: when a route is received on an interface, the router increments the metric, compares this to the routing table, and updates it, if necessary. Distance vector protocols use periodic broadcasts. Link state protocols use the Dijkstra algorithm to choose paths to destinations and create a loop-free topology. Unlike distance vector protocols, they are more CPU- and memory-intensive. They use multicasts to disseminate routing information and only advertise changes. They support route summarization and hierarchical routing. Convergence occurs when all routers understand the current topology of the network, which can be verified by examining their routing tables.

A routing loop is where routers have a misunderstanding of how to reach destinations in a network. Distance vector protocols have problems with routing loops. Counting to infinity is where packets travel around a routing loop forever: hop count limits are used to prevent this. Split horizon prevents a router from advertising a route out the interface from which it was learned. When a network is not reachable, a router assigns an infinite metric to it, poisoning it (poisoned route). A router that receives a poisoned route will generate a poison reverse, breaking the split horizon rule by advertising it out all interfaces, including the source interface. A router uses hold-down timers to keep the poisoned route in the routing table long enough so that all routers can learn about and process the change. The hold-down timer is typically three times the update interval, which slows down convergence.
Chapter 10: Configuring Distance Vector Protocols

To enable routing on your router, you need to perform two things: put IP addresses on your interfaces (and enable them) and configure a routing protocol. The order of these two items is not important. Use the router command to enter an IP routing protocol and the network command to specify a network (interfaces) that will participate in the routing protocol. For classful protocols, I highly recommend that you put in the class address (not the subnetted address) when configuring the network statement on any exam questions--it's a simulator, not a full-functioning router.

RIPv1 is a classful, distance vector protocol and broadcasts routing updates every 30 seconds. It uses hop count as a metric and has a hold-down timer of 180 seconds and a flush period of 240 seconds. RIP can load balance, by default, across 4 equal-cost paths, but this can be increased to 6. RIPv2 is a hybrid protocol: it is classless (supports VLSM and route summarization) and uses triggered updates and multicasts. It is backwards compatible with RIPv1. Use the router rip command to take you into IP RIP's configuration and the network command to specify the interfaces that will participate in RIP. The version command specifies, globally, which version of RIP your router will use. By default, a Cisco RIP router will only generate RIPv1 updates, but will receive either RIPv1 or v2. Use the show ip protocols command to view your RIP configuration. The debug ip rip command displays RIP updates your router generates or receives on an interface.

Cisco's IGRP (Interior Gateway Routing Protocol) is a classful, distance vector protocol and broadcasts updates every 90 seconds, with a hold-down period of 280 seconds and a flush period of 630 seconds. It uses triggered updates to speed up convergence. Its default metrics include bandwidth and delay, but you can also enable reliability, load, and MTU for the metric algorithm.
Unlike RIP, IGRP supports load balancing across unequal-cost paths by using the variance command. When configuring IGRP, you must specify the autonomous system number after entering the router igrp command. Routers in different autonomous systems will not share routing information. The network command specifies the interfaces that will participate in IGRP--use classful network numbers with this command. Use the show ip protocols command to view IGRP's configuration. The debug ip igrp events command displays IGRP routing events, like when an update is received or generated, while the debug ip igrp transactions command displays the actual contents of the routing updates.
Chapter 11: Configuring Advanced Routing Protocols

OSPF (Open Shortest Path First) is an open standard routing protocol that uses a link state algorithm called the SPF (shortest path first) algorithm. Developed by Dijkstra, this algorithm guarantees a loop-free topology. It uses triggered, incremental updates and multicasts to communicate with other OSPF routers. OSPF uses cost as a metric, which is an inverse of the bandwidth of a link. OSPF is classless and supports VLSM and route summarization. It supports a two-layer hierarchy using areas: area 0 is the backbone and other areas are connected to the backbone. OSPF is typically used in large routing environments with mixed-vendor router products. OSPF has more overhead than distance vector protocols: it requires more memory to hold additional information (neighbor and topology/database tables), requires extra CPU processing to run the SPF algorithm, especially when you turn on your routers, requires a careful design to create a hierarchical network, and is difficult to configure and troubleshoot.

Each OSPF router has an ID. The ID is used to differentiate between different OSPF routers. If the router has loopback interface(s), the highest IP address among these interfaces is chosen; otherwise, the highest IP address on an active interface is chosen. If there are no active interfaces on the router, OSPF will not start. It is recommended to create a loopback interface for the OSPF router ID. To create a loopback interface, use the interface loopback command. OSPF routers use Link State Advertisements (LSAs) to communicate with each other. To build and maintain a neighbor relationship, OSPF routers generate hello LSAs every 10 seconds. On broadcast links, OSPF routers share routing information with a DR (designated router) via 224.0.0.6, which disseminates this to everyone else on the segment via 224.0.0.5. The router with the highest priority is chosen as the DR and the second highest as the BDR.
If there is a tie, the router with the highest router ID is chosen. DRs and BDRs are not used on point-to-point links. OSPF routers share connected routes with the DR; each advertisement includes the ID of the advertising router, the type of link-state for the route, the cost of the route, and the sequence number for the advertised route. Distance vector protocols, on the other hand, share almost any route in their routing table (connected or remote) with their neighbors. OSPF routers go through an initialization process to determine if they can become neighbors. If they don't, they won't share routing information. If OSPF routers enter a two-way state, they are neighbors; however, routing information is always disseminated via the DR on multi-access segments. Whenever routing information is shared, an acknowledgement is sent to verify receipt of the update.

To configure OSPF, use the router ospf command and specify the process ID--this is used to differentiate between different OSPF processes running on the same router. The network command is used to specify which interfaces participate in OSPF and has this syntax: network network_# wildcard_mask area area_#. The wildcard mask is an inverted subnet mask and is used to match on all interfaces, a range of interfaces, or one specific interface. The area number specifies which area the interface(s) belong to. Area 0 is the backbone. For serial interfaces, the bandwidth defaults to 1,544 Kbps. Since OSPF uses cost (the inverse of bandwidth) as its metric, you'll want to change this value on serial interfaces that are clocked differently (bandwidth command). The following table shows the default cost values for OSPF interfaces:

Interface       Cost
56 Kbps         1,785
64 Kbps         1,652
T1              64
Ethernet        10
Fast Ethernet   1
To see your router's ID as well as the ID of the DR and BDR, use the show ip ospf interface command. This also displays the hello (10) and dead (40) timer values, the number of neighbors, as well as the number of OSPF adjacencies. To see a list of neighbors, use the show ip ospf neighbor command, which displays the neighbors, their states, their IDs, and the interface they are connected to.

Cisco's EIGRP (Enhanced IGRP) is a hybrid protocol based on IGRP. It uses the same metrics (bandwidth, delay, reliability, load, and MTU), but is more scalable. It uses multicasts (224.0.0.10) and incremental updates to reduce the amount of bandwidth used for routing updates. It is classless and supports VLSM and route summarization. It can route for three routed protocols: IP, IPX, and AppleTalk. EIGRP uses the DUAL algorithm to build a loop-free topology. EIGRP routers generate multicast hellos every 5 seconds on LAN interfaces. They use the hellos to build neighbor relationships and as a keep-alive function. Other message types include update, query, reply, and acknowledgement. Whenever routing information is shared, an acknowledgement is sent to verify receipt of the update.

EIGRP has more overhead than IGRP. It has a neighbor table, which lists the adjacencies that have been built with other routers, and a topology table, which contains a list of all routes and paths to reach these routes (basically a copy of each neighbor's routing table). For each routed protocol EIGRP is routing for, the router maintains a separate set of EIGRP neighbor, topology, and routing tables. In the topology table, a successor route has the best path to reach the destination. DUAL takes the successor routes in the topology table and builds the routing table. A feasible successor is a valid backup path to reach a destination (it has a worse metric than a successor, but is not part of a routing loop). If a successor route fails, DUAL can immediately take a feasible successor backup route and plug it into the routing table, speeding up convergence. The advertised distance of a route is the metric a neighbor advertises for a route. When this route is received on a router's interface, the router increments the metric, resulting in a value called the feasible distance. For a route to be considered a feasible successor, its advertised distance must be less than the current successor route's feasible distance.
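The successor and feasible successor selection described above, as an added example that is not from the study guide. Neighbor names, advertised distances and link costs are constructed, and metrics are plain integers rather than EIGRP's composite metric.

```python
"""EIGRP DUAL: feasible distance, successor and feasible successor selection.

Added example, not from the study guide. Neighbor names, advertised distances and
link costs are constructed; metrics are plain integers rather than the composite
bandwidth/delay metric.
"""
from typing import Dict, List, Tuple

# (neighbor, advertised distance reported by that neighbor, cost of the link to it)
Path = Tuple[str, int, int]


def dual_select(paths: List[Path]) -> Dict:
    """Compute FD = AD + link cost per path, pick the successor (lowest FD), and
    keep as feasible successors only the paths whose AD is strictly below the
    successor's FD (the feasibility condition that rules out loops)."""
    if not paths:
        raise ValueError("no paths to the destination")
    fd = {neighbor: ad + cost for neighbor, ad, cost in paths}
    successor = min(fd, key=fd.get)
    succ_fd = fd[successor]
    feasible = [n for n, ad, _ in paths if n != successor and ad < succ_fd]
    return {"successor": successor, "feasible_distance": succ_fd,
            "feasible_successors": feasible, "feasible_distances": fd}


def on_successor_failure(paths: List[Path], failed: str) -> Tuple[str, str]:
    """If a feasible successor exists, DUAL promotes the best one at once and the
    route stays passive; otherwise the route goes active and neighbors are queried."""
    current = dual_select(paths)
    if failed != current["successor"]:
        return ("passive", current["successor"])     # only a backup path was lost
    backups = [p for p in paths if p[0] in current["feasible_successors"]]
    if not backups:
        return ("active", "")                        # no loop-free backup: query neighbors
    return ("passive", dual_select(backups)["successor"])
```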
Configuring EIGRP is just like configuring IGRP. Use the router eigrp command, along with the autonomous system number. Routers in different AS numbers will not share routing updates; however, an IGRP and an EIGRP router in the same AS will share routes with each other. To specify the interfaces that participate in EIGRP, use the network command--even though EIGRP is classless, configure it as a classful protocol. In other words, enter the classful network number with the network command. When looking at the routing table with the show ip route command, EIGRP routes show up as a "D".
Chapter 12: Advanced IP Addressing

VLSM (Variable Length Subnet Masking) provides two advantages: it provides for more efficient use of your address space and allows you to perform route summarization. VLSM requires a routing protocol to be classless. Basically, VLSM is taking a class network, subnetting it once, and then taking a subnet and subnetting it further. This process can be repeated. In other words, you can have more than one subnet mask for a network number. To perform VLSM, use these steps:
(1) Find the segment with the largest number of devices;
(2) Find the appropriate subnet mask for this segment;
(3) Write down the list of network numbers created by this mask;
(4) For a smaller segment, take one of the subnetted network numbers and apply a different, yet appropriate, mask to it;
(5) Write down your subnetted subnets.
If you need even smaller segments, go back to step 4.

Where VLSM extends the networking bits to the right, route summarization brings them back to the left. Route summarization takes a bunch of contiguous networks (with the high-order bits in common) and advertises the summarized route with a new subnet mask value (that covers the range of subnets). Thus, route summarization reduces the sizes of routing tables and the sizes of routing updates, and contains networking problems within defined boundaries. Classless Interdomain Routing (CIDR), or supernetting, takes VLSM one step further. VLSM can only summarize back to the class network boundary (A, B, or C). CIDR allows you to summarize class network numbers, like multiple Class C networks. If you use hierarchical addressing, you gain the following benefits: more efficient routing, reduced routing table sizes and decreased memory with route summarization, simplified troubleshooting, and less routing traffic.

When setting up route summarization, remember that the routing protocol must carry the subnet mask with the routing entry, routers make routing decisions based on all 32 bits of the destination address, and summarized routes must have the same highest-order matching bits. Classless protocols support discontiguous subnets because their routing updates carry the subnet mask with them. Classful protocols, however, don't support discontiguous subnets: they only advertise network numbers, not subnet masks.
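The VLSM steps and the summarization rule above, carried out with Python's ipaddress module. This is an added example, not from the study guide; the network numbers and host counts are constructed, and summarize() also reports whether the summary covers more address space than the networks you actually hold (the CIDR case included).

```python
"""VLSM allocation and route summarization with Python's ipaddress module.

Added example, not from the study guide. vlsm_plan() carries out the chapter's
steps (largest segment first, then carve smaller subnets from what remains);
summarize() finds the summary route from the common high-order bits. Network
numbers and host counts used with these functions are constructed.
"""
import ipaddress
from typing import Dict, List, Tuple

IPv4Net = ipaddress.IPv4Network


def vlsm_plan(base: str, host_counts: Dict[str, int]) -> List[Tuple[str, IPv4Net]]:
    """Assign one subnet per segment, largest first, sequentially from the base.
    Allocating in decreasing size keeps every block naturally aligned."""
    base_net = ipaddress.ip_network(base)
    cursor = int(base_net.network_address)
    plan = []
    for name, hosts in sorted(host_counts.items(), key=lambda kv: -kv[1]):
        needed = hosts + 2                          # plus network and broadcast addresses
        host_bits = (needed - 1).bit_length()       # smallest n with 2**n >= needed
        subnet = ipaddress.ip_network((cursor, 32 - host_bits))
        if not subnet.subnet_of(base_net):
            raise ValueError(f"address space exhausted at segment {name}")
        plan.append((name, subnet))
        cursor += subnet.num_addresses
    return plan


def summarize(networks: List[str]) -> Tuple[IPv4Net, bool]:
    """Return the summary route and whether it covers exactly the given (disjoint)
    networks; a non-exact summary also advertises address space you do not own."""
    nets = [ipaddress.ip_network(n) for n in networks]
    first = int(nets[0].network_address)
    common = min(n.prefixlen for n in nets)         # cannot exceed the shortest prefix
    for n in nets[1:]:
        diff = first ^ int(n.network_address)
        while common > 0 and (diff >> (32 - common)) != 0:
            common -= 1                             # shorten until no differing bit remains
    summary = ipaddress.ip_network((first, common), strict=False)
    exact = sum(n.num_addresses for n in nets) == summary.num_addresses
    return summary, exact
```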
Chapter 13: IP Access-Lists

Access control lists (ACLs) are used for many purposes, including the filtering of traffic on interfaces. They are basically a group of statements that define policies. Each group of ACL statements is differentiated by assigning it a unique name or number. When an ACL is applied inbound, the ACL is processed before any further processing is performed on inbound traffic. When an ACL is applied outbound, traffic is first routed to the interface and then the ACL is processed to determine if it is allowed or denied. Standard IP ACLs can filter only on the source IP address, while extended IP ACLs can filter on source and destination addresses, IP protocol, and IP protocol information, like ICMP message types and UDP and TCP port numbers. Standard IP ACLs use numbers from 1-99 and 1,300-1,999, while extended IP ACLs use numbers from 100-199 and 2,000-2,699.

When a match occurs against a statement, an ACL can either permit or deny the packet. The order of the statements is important because ACLs are processed top-down, starting with the first statement; once a match is found, no further statements are processed. If the last ACL statement is processed and no match is found, the packet is dropped (this is called the implicit deny statement). Therefore, an ACL should have at least one permit statement to make sense. Because order is important, place the most restrictive statements at the top and the least restrictive statements at the bottom. When an ACL is applied to an interface, the router cannot filter traffic it creates itself. Plus, if you apply an empty ACL to an interface (no ACL entries), all traffic is permitted by default--you need at least one statement in the ACL for the implicit deny to function. Only one ACL, per protocol, can be applied to one direction on an interface: in other words, you can't apply two IP ACLs inbound on the same interface, but you could have one IP ACL applied in and another out.

To activate an IP ACL on an interface, use the ip access-group command and specify either in or out. When setting up ACLs, place standard ACLs as close to the destination devices as possible. When using extended ACLs, place them as close to the source devices as possible. To edit an ACL, perform the following steps:
(1) Execute the show running-config command and copy your ACL statements;
(2) Paste the commands in a text editor and edit them;
(3) Remove the ACL from the interface with the no ip access-group ACL_# in|out command;
(4) Delete the old ACL: no access-list ACL_#;
(5) Copy and paste the text editor ACL back into the router;
(6) Reapply the ACL to the interface with the ip access-group command.

ACL entries use wildcard masks to match against bits in the addresses of packets. A 0 in a wildcard mask bit means the bit must match and a 1 means it doesn't have to match. To create a wildcard mask, take the corresponding subnet mask and invert it. The trick to doing this is subtracting each octet in the subnet mask from 255. For example, 255.255.255.240 would result in a wildcard mask of 0.0.0.15. For instance, to match on all addresses, use 0.0.0.0 255.255.255.255, which is represented as any. To match on a specific address, use a wildcard mask of 0.0.0.0.

To create a standard IP ACL, use this command: access-list 1-99|1300-1999 permit|deny source_IP_address [wildcard_mask] [log]. If you omit the wildcard mask, it defaults to 0.0.0.0 (an exact match). If you want to restrict telnet access to a router, create a standard ACL that lists the IP addresses that are allowed, and then apply this ACL to your router's VTY lines with the access-class in command.

To create an extended IP ACL, use this command: access-list 100-199|2000-2699 permit|deny IP_protocol source_address source_wildcard_mask [protocol_information] destination_address destination_wildcard_mask [protocol_information] [log]. Note that you must specify both the source and destination addresses and wildcard masks. For TCP or UDP, use the tcp or udp protocol parameters. With TCP traffic, using the established parameter allows you to filter on TCP control information, like the ACK and RST bits--basically it allows or denies connections with these set. You can also specify operators (eq, neq, range, lt, gt) and port numbers (or names) for the source and/or destination. To filter on ICMP traffic, specify the icmp protocol. To filter on a specific ICMP message type, specify the type, like these: administratively-prohibited, echo, echo-reply, host-unreachable, net-unreachable, and traceroute.

To create a standard named ACL, use the following configuration:
Router(config)# ip access-list standard ACL_name
Router(config-std-acl)# permit|deny source_IP_address [wildcard_mask]

For an extended named ACL, use the following configuration:
Router(config)# ip access-list extended ACL_name
Router(config-ext-acl)# permit|deny IP_protocol [protocol_information] source_IP_address wildcard_mask destination_IP_address wildcard_mask [protocol_information] [log]
Note that either of the above two configurations takes you into a subconfiguration mode. The show ip interfaces and show running-config commands display whether you have applied an ACL to an interface. To list all your ACLs and statements on a router, use the show access-lists command. To only list IP ACLs, use the show ip access-list command.
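The matching rules of this chapter (wildcard masks, top-down first match, the implicit deny, the empty-ACL case and the established keyword) as an added example that is not from the study guide. The Packet and Entry classes, ACL_101, ACL_10 and the addresses are constructed.

```python
"""IOS-style IP ACL evaluation: wildcard masks, top-down first match, implicit deny.

Added example, not from the study guide. The Packet/Entry classes, ACL_101, ACL_10
and the sample addresses are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


def wildcard_from_mask(subnet_mask: str) -> str:
    """Invert a subnet mask octet by octet (255 - octet), as the chapter describes."""
    return ".".join(str(255 - int(octet)) for octet in subnet_mask.split("."))


def wildcard_match(address: str, reference: str, wildcard: str) -> bool:
    """A 0 bit in the wildcard must match the reference; a 1 bit is don't-care."""
    a, r, w = (int(ipaddress.ip_address(x)) for x in (address, reference, wildcard))
    care = 0xFFFFFFFF ^ w          # the bits the entry actually tests
    return (a & care) == (r & care)


@dataclass
class Packet:
    proto: str                  # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None
    ack_or_rst: bool = False    # TCP control bits the 'established' keyword tests


@dataclass
class Entry:
    """One permit/deny statement. The defaults mean 'any' for both addresses."""
    action: str                         # "permit" or "deny"
    proto: str = "ip"                   # "ip" matches every IP protocol
    src: str = "0.0.0.0"
    src_wild: str = "255.255.255.255"
    dst: str = "0.0.0.0"
    dst_wild: str = "255.255.255.255"
    dport: Optional[int] = None         # 'eq <port>' on the destination
    established: bool = False           # TCP 'established' keyword

    def matches(self, p: Packet) -> bool:
        if self.proto != "ip" and self.proto != p.proto:
            return False
        if not wildcard_match(p.src, self.src, self.src_wild):
            return False
        if not wildcard_match(p.dst, self.dst, self.dst_wild):
            return False
        if self.dport is not None and p.dport != self.dport:
            return False
        if self.established and not (p.proto == "tcp" and p.ack_or_rst):
            return False
        return True


def evaluate(acl: List[Entry], p: Packet) -> str:
    """Top-down, first match wins. An ACL with no entries permits everything;
    otherwise a packet that matches nothing hits the implicit deny."""
    if not acl:
        return "permit"
    for entry in acl:
        if entry.matches(p):
            return entry.action
    return "deny"


# Constructed extended ACL 101, applied inbound on the Internet-facing interface:
#   permit tcp any 10.1.1.0 0.0.0.255 eq 80
#   permit tcp any any established
#   (implicit deny ip any any)
ACL_101 = [
    Entry("permit", "tcp", dst="10.1.1.0", dst_wild=wildcard_from_mask("255.255.255.0"), dport=80),
    Entry("permit", "tcp", established=True),
]

# Constructed standard ACL 10 for the VTY lines (access-class 10 in):
#   permit 10.1.1.0 0.0.0.255
ACL_10 = [Entry("permit", src="10.1.1.0", src_wild="0.0.0.255")]
```

Moving a deny ip any any above the permits in ACL_101 would shadow them completely, which is the first thing to look for when an ACL permits less than intended.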
Chapter 14: Additional IP Features

Private IP addresses are defined in RFC 1918 and include 3 classes of addresses: A (10.0.0.0), B (172.16.0.0-172.31.0.0), and C (192.168.0.0-192.168.255.0). You can only use these addresses in a private network. To access the Internet, these addresses must be translated by a translation device. You might need to use address translation if: your ISP didn't assign you enough public addresses and you had to use private ones; you are using public addresses, change ISPs, and your new ISP won't support your public address space; you merge two companies that are using the same, overlapping, address space; you want to assign the same IP address to multiple machines such that the Internet sees these machines as one logical device.

Address translation has many terms. Local refers to an address used by a device on the inside of your network. Global refers to the address that represents the local device as the packet leaves your network (has been translated). Typically, an inside local IP address is a device with an associated private address and an inside global IP address is a device with an associated public address. With NAT, one IP address is translated to another. With PAT (address overloading), many IP addresses are translated to one IP address, and port numbers are used to differentiate the inside devices. PAT supports up to 4,000 devices using the same address. Port address redirection allows you to redirect traffic sent to a specific address (or port) to a different address (or port)--this is used when your ISP only assigns you a single public IP address, and you need to allow outside access to internal resources. With static translation, you manually configure the translation on the address translation device; with dynamic translation, the address translation device performs the translation automatically.

Address translation advantages include an almost inexhaustible number of addresses at your disposal, the ability to hide your internal network addressing design, tighter control over traffic entering and leaving your network, and the ability to more easily change ISPs or merge with other networks. Address translation disadvantages include difficult troubleshooting, added delay to connections, and lack of support in some applications, like multimedia and NetBIOS. To create a static NAT translation, use this command: ip nat inside|outside source static. To create a dynamic NAT translation, use these commands: ip nat pool and ip nat inside source list. To perform PAT with global addresses, add the overload parameter to the ip nat pool command. To activate address translation, you must specify which interfaces are internal and external with the ip nat inside|outside interface subcommands. To view the entries in your router's address translation table, use the show ip nat translations command. To clear dynamic entries from this table, use the clear ip nat translations command. To see the router actually perform address translation, use the debug ip nat command.
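PAT and port address redirection as described above, as an added example that is not from the study guide. The PatTable class, its port allocation policy and all addresses are constructed; a real router's table also keys on the outside address and protocol.

```python
"""PAT (address overloading) and port address redirection, as the chapter describes.

Added example, not from the study guide. The PatTable class, its port allocation
policy and the addresses used with it are constructed; a real router's table also
tracks the outside address and protocol.
"""
from typing import Dict, List, Optional, Tuple

Endpoint = Tuple[str, int]   # (address, port)


class PatTable:
    def __init__(self, inside_global: str, first_port: int = 1024):
        self.inside_global = inside_global            # the single public address
        self.first_port = first_port
        self.out: Dict[Endpoint, int] = {}            # inside local -> global port
        self.back: Dict[int, Endpoint] = {}           # global port -> inside local
        self.static: Dict[int, Endpoint] = {}         # redirected ports (fixed)

    def redirect(self, global_port: int, inside_local: str, local_port: int) -> None:
        """Static port redirection: traffic to <inside_global>:global_port is
        delivered to inside_local:local_port, the one deliberate inbound opening."""
        self.static[global_port] = (inside_local, local_port)

    def outbound(self, inside_local: str, local_port: int) -> Endpoint:
        """Translate an outgoing flow: reuse an existing entry, otherwise keep the
        local port if it is free and step upward when it collides."""
        key = (inside_local, local_port)
        if key in self.out:
            return (self.inside_global, self.out[key])
        port = max(local_port, self.first_port)
        while port in self.back or port in self.static:
            port += 1
            if port > 65535:
                raise RuntimeError("no free ports left on the global address")
        self.out[key] = port
        self.back[port] = key
        return (self.inside_global, port)

    def inbound(self, global_port: int) -> Optional[Endpoint]:
        """Reverse translation for a packet arriving at the global address. With
        neither a dynamic entry nor a static redirect there is nowhere to send it,
        so the packet is dropped (returned as None)."""
        if global_port in self.static:
            return self.static[global_port]
        return self.back.get(global_port)

    def show_translations(self) -> List[Tuple[str, str]]:
        """Dynamic rows in the spirit of show ip nat translations
        (inside local, inside global)."""
        rows = [(f"{k[0]}:{k[1]}", f"{self.inside_global}:{p}") for k, p in self.out.items()]
        return sorted(rows)
```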
DHCP provides these advantages: it reduces configuration errors, reduces the amount of configuration, and centralizes IP addressing information. A DHCP client goes through four steps when acquiring addressing information: (1) The client generates a DHCPDISCOVER; (2) All servers respond with a DHCPOFFER; (3) The client accepts one of the offers with a DHCPREQUEST; (4) The server acknowledges the lease of the address with a DHCPACK. To enable your router to become a DHCP server, use the service dhcp command. DHCP servers can assign IP addresses, subnet masks, default gateway addresses, DNS, TFTP, and WINS server addresses, and a domain name. To have your router use DHCP to acquire addressing information, use the ip address dhcp interface subcommand.
Chapter 15: WAN Introduction

The most important factor when choosing a WAN service is typically cost. The CPE (Customer Premises Equipment) is your networking equipment, including your router and modem/NT1/CSU/DSU. The demarcation point is the boundary where the carrier's responsibility stops and yours begins. The local loop is the connection from the carrier to the demarcation point. The CO (central office) is the carrier's switch at the local office and the toll network is the infrastructure the carrier uses to support your connection. There are four types of WAN services: leased lines (dedicated), circuit-switched connections (ISDN and analog), packet-switched connections (Frame Relay and X.25), and cell-switched connections (ATM and SMDS). Leased lines are used for short-distance connections where you need guaranteed bandwidth for a constant amount of traffic. Circuit-switched connections are used to back up primary connections, provide access for SOHO users, and provide temporary bandwidth boosts. In the US, analog connections are restricted to 53 Kbps by the FCC. Packet/cell-switched services are used when your router has a single WAN interface, but needs to connect to multiple devices.

HDLC is based on ISO standards and supports synchronous and asynchronous connections. SDLC, developed by IBM, is used in IBM SNA environments. LAPB is used by X.25 and has error detection and correction. LAPF is used by Frame Relay. PPP is an open standard typically used for dialup and dedicated connections. HDLC is the default encapsulation on Cisco synchronous serial interfaces. This is proprietary to Cisco--Cisco added a field to ISO's HDLC header (up and down status); in other words, Cisco's HDLC only works with other Cisco devices. To set the encapsulation to HDLC on a serial interface, execute encapsulation hdlc. To view the encapsulation used on your serial interfaces, use the show interfaces command.
If the two sides are configured with different encapsulations, the interface status will be "up, line protocol down". PPP is an open standard that dynamically configures connections, authenticates remote devices, compresses packet headers, tests the quality of links, performs error detection (and correction), and supports bundling of multiple physical connections into one logical channel. PPP has two components: LCP and NCP. LCP sets up and maintains a PPP connection, including authentication, if configured. NCP negotiates the protocols that will be encapsulated in PPP frames, like IP and CDP, with one control protocol per network protocol (IPCP for IP, CDPCP for CDP). To specify PPP as the frame type on an interface, execute the encapsulation ppp command. Upon a successful LCP and NCP negotiation, the protocols listed in the output of the show interfaces command should show as "Open". To troubleshoot LCP and NCP problems, use the debug ppp negotiation command. PPP supports two authentication protocols: PAP and CHAP. PAP sends the username and password across the connection in clear text, so anyone who can capture the link learns the password. CHAP never sends the password: the authenticator sends a random challenge, and the peer returns an MD5 hash of the message identifier, the shared secret and the challenge. PAP uses a two-way handshake while CHAP uses a three-way handshake (challenge, response, success or failure). Two caveats: CHAP requires both routers to hold the same secret in recoverable form, and a captured challenge/response pair can be tested offline against guessed secrets, so the secret must be long and random. To build a local authentication database, use the username command. To enable authentication, use the ppp authentication pap|chap interface subcommand. If you are experiencing problems with authentication, use the debug ppp authentication command.
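The PAP and CHAP exchanges, worked as an added Python example with both sides' messages; this is not code from the Boson guide or from Cisco IOS. It follows RFC 1334 for PAP and RFC 1994 for CHAP, where the response value is MD5 over the message identifier, the shared secret and the challenge. The router names, the secret and the wordlist in the last function are assumptions for this example; that last function shows why the shared secret must be hard to guess: a captured challenge/response pair can be tested offline without touching the link again.

```python
"""PPP PAP (RFC 1334) and CHAP (RFC 1994) authentication, both sides (added example)."""
import hashlib
import hmac
import os

# Constructed local authentication database (what `username <name> password <secret>`
# builds on the router). Names and secret are assumptions for this example.
USER_DB = {"RouterB": "s3cr3t-link-key"}


def pap_authenticate_request(name, password):
    """PAP peer, step 1 of the two-way handshake: credentials go in the clear."""
    return {"code": "Authenticate-Request", "peer_id": name, "password": password}


def pap_authenticator(db, request):
    """PAP authenticator, step 2: compare and answer Ack or Nak."""
    ok = hmac.compare_digest(db.get(request["peer_id"], ""), request["password"])
    return {"code": "Authenticate-Ack" if ok else "Authenticate-Nak"}


def chap_response_value(identifier, secret, challenge):
    """RFC 1994 section 2.2: MD5(Identifier || secret || Challenge value)."""
    return hashlib.md5(bytes([identifier]) + secret.encode() + challenge).digest()


def chap_challenge(name, identifier, challenge_len=16):
    """CHAP authenticator, step 1: a fresh random challenge plus its own name."""
    return {"code": "Challenge", "id": identifier,
            "value": os.urandom(challenge_len), "name": name}


def chap_response(challenge, name, secret):
    """CHAP peer, step 2: only the hash crosses the link, never the secret."""
    return {"code": "Response", "id": challenge["id"],
            "value": chap_response_value(challenge["id"], secret, challenge["value"]),
            "name": name}


def chap_verify(db, challenge, response):
    """CHAP authenticator, step 3: recompute from its own copy of the secret."""
    secret = db.get(response["name"])
    if secret is None or response["id"] != challenge["id"]:
        return {"code": "Failure"}
    expected = chap_response_value(challenge["id"], secret, challenge["value"])
    ok = hmac.compare_digest(expected, response["value"])
    return {"code": "Success" if ok else "Failure"}


def chap_handshake(db, peer_name, peer_secret, identifier=1):
    """Run the three-way handshake and return the three messages in order."""
    challenge = chap_challenge("RouterA", identifier)
    response = chap_response(challenge, peer_name, peer_secret)
    return [challenge, response, chap_verify(db, challenge, response)]


def chap_dictionary_attack(challenge, response, wordlist):
    """Offline guessing against a captured Challenge/Response pair.

    CHAP keeps the secret off the wire, but a weak secret is still recoverable
    from one capture; this is the reason to use a long random shared secret.
    """
    for guess in wordlist:
        if chap_response_value(challenge["id"], guess, challenge["value"]) == response["value"]:
            return guess
    return None


if __name__ == "__main__":
    for message in chap_handshake(USER_DB, "RouterB", "s3cr3t-link-key"):
        print(message["code"], message)
```

The verifier compares digests with hmac.compare_digest so a wrong guess does not leak timing information, and it ties the Response to the Challenge by identifier so a replayed response for an old challenge fails.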
Chapter 16: Frame Relay
To figure out the number of connections or circuits you need to fully mesh a network of N routers, use this formula: (N * (N - 1)) / 2. Any solution that uses VCs (virtual circuits) is best used when your router has a single interface but needs to connect to multiple destinations. VCs are easier to provision, and their bandwidth can be allotted to match your needs more easily than with channelized (TDM) connections. A PVC is similar to a leased line and should be used when you have constant data being sent. An SVC is similar to a circuit-switched connection and should be used when you have small amounts of periodic data. LMI (Local Management Interface) defines how a Frame Relay DTE (router) and DCE (switch) interact. There are three LMI standards: Cisco (Gang of Four), ITU-T's Q.933 Annex A, and ANSI's T1.617 Annex D. Every 10 seconds, a Cisco router generates an LMI status enquiry, and the switch, if present, responds. Every 6th message, the router asks for a full status update of all the VCs the router is connected to. A DLCI (data link connection identifier) defines the address of a VC. These addresses are locally significant and can be different on different WAN segments; the switches take care of the DLCI translation in this case. Certain DLCI numbers are reserved for management purposes: ANSI's Annex D and ITU-T's Annex A LMI use DLCI 0, and Cisco's LMI uses DLCI 1023. When connecting two Frame Relay DTEs together over a carrier infrastructure that is ATM, FRF.5 Network Interworking is used. However, if one DTE uses Frame Relay and the carrier and the other DTE use ATM, FRF.8 Service Interworking is used for the connection. The access rate is the physical speed of the connection from your router to the carrier. CIR (committed information rate) is the guaranteed average data rate for a VC. Bc (committed burst) is the amount of data the carrier commits to carry on the VC during one measurement interval Tc, where Tc = Bc / CIR; over that short interval the VC can therefore burst above the CIR as long as it stays within Bc.
As long as your traffic stays within these parameters, the carrier will not mark the DE (discard eligible) bit in the frame header; traffic beyond Bc but within Be is forwarded with DE set, lowering its priority so it is dropped first during congestion. Be (excess burst) is the maximum amount of data beyond Bc that the carrier will attempt to service on your VC per interval; if you exceed Bc + Be, the carrier drops your frames. When the total of the CIR values of your VCs on an interface exceeds the access rate, you have an oversubscription situation: you are betting that all VCs will run slower, on average, than their configured CIRs. FECN and BECN (forward and backward explicit congestion notification) are used to indicate congestion on a VC. When traffic traveling toward a destination passes through a congested carrier switch, the switch marks the FECN bit in the header of frames going toward the destination and the BECN bit in frames on the same VC traveling back toward the source. This tells the source that there is congestion on the path to the destination, and allows the source to slow down its traffic rate for the VC. To configure Frame Relay on your serial interface, use the encapsulation frame-relay [cisco|ietf] command. There are two supported encapsulations: Cisco's and IETF's. Cisco's is the default, but use IETF for vendor interoperability. As of IOS 11.2, Cisco routers can autosense the LMI type used by the carrier. You can also hardcode the LMI type with the frame-relay lmi-type cisco|ansi|q933a command. Use either the show frame-relay lmi or show interfaces command to verify your LMI configuration and operation. To see the actual LMI messages sent and received, use the debug frame-relay lmi command. You can resolve layer-3 addresses to DLCI numbers via static configuration or Inverse ARP. With a static definition, you use the frame-relay map command. This command requires you to specify the protocol, the destination layer-3 address, and the local DLCI number to use to reach the destination. By default, broadcasts don't traverse a manually resolved VC unless you add the broadcast parameter. Inverse ARP dynamically determines the layer-3 address the destination is using on a VC. It is automatically enabled and occurs every 60 seconds. When the destination responds, the source examines the DLCI number in the frame to determine which VC to use to reach the destination. Before Inverse ARP can occur, the VC must be in an active state. There are three states for a VC: active, inactive, and deleted. An active VC is operational between both DTE endpoints. An inactive VC is up between the DTE and some part of the carrier's network, but not to the destination DTE. A deleted VC is one the carrier's switch no longer reports in its LMI status messages (for example, a DLCI the switch doesn't know about). To view the statuses of your VCs, use the show frame-relay pvc command. To see both the dynamic and statically configured resolutions for VCs, use the show frame-relay map command. NBMA (Non-Broadcast Multi-Access) is an environment where many devices are connected together but that doesn't support a traditional broadcast environment like Ethernet in a LAN. NBMA occurs in environments that use VCs. To emulate a broadcast environment, devices replicate a broadcast across each VC they are connected to.
This can create a problem if the network is not fully meshed: in this case, not all devices receive the broadcast. With distance vector protocols that use broadcasts to disseminate routing updates, this presents reachability problems because of split horizon. If A is attached to B and C, but B and C don't have a VC between them, then when B generates a routing update only A sees it; A can't forward it to C because of the split horizon rule (an update is never sent back out the interface it arrived on). To overcome this problem, use one of these four solutions: use a fully meshed, instead of a partially meshed, network; use static routes; disable split horizon; or use subinterfaces on the hub router in a hub-and-spoke design. The recommended approach is subinterfaces. When creating a subinterface, use interface serial #.subinterface_# point-to-point|multipoint. Multipoint subinterfaces have the same split horizon problem that partially meshed environments encounter. The main drawback of point-to-point subinterfaces is that each point-to-point connection requires its own network number. When using subinterfaces, only the encapsulation frame-relay and frame-relay lmi-type commands are configured on the physical interface; all other configuration is done on the subinterfaces. If you are using Inverse ARP, specify the DLCI(s) associated with the subinterface by using the frame-relay interface-dlci command; for manual resolution, use the frame-relay map command.
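The traffic-contract terms from this chapter (CIR, Bc, Be, DE marking and oversubscription) and the full-mesh formula, carried through as an added Python example. This is not code from the Boson guide or from any Frame Relay switch; it is a simplified model of per-interval policing, in which Tc = Bc / CIR, bits within Bc pass unmarked, bits in the Be excess are forwarded with DE set, and anything beyond Bc + Be is discarded. The VC parameters and the frame trace are constructed for the example.

```python
"""Frame Relay traffic contract: full-mesh count, CIR/Bc/Be policing, DE marking (added example)."""
from dataclasses import dataclass


def full_mesh_circuits(n):
    """Number of VCs needed to fully mesh n routers: (N * (N - 1)) / 2."""
    return n * (n - 1) // 2


@dataclass(frozen=True)
class VC:
    dlci: int
    cir: int   # committed information rate, bits per second
    bc: int    # committed burst, bits allowed per Tc
    be: int    # excess burst, extra bits per Tc forwarded with DE set

    @property
    def tc(self):
        """Measurement interval in seconds."""
        return self.bc / self.cir


def police(vc, frames):
    """Classify (time_s, bits) frames, given in time order, as 'pass', 'de' or 'drop'.

    A frame that would push the interval past Bc + Be is dropped and does not
    consume any allowance, so a later, smaller frame in the same Tc may still fit.
    """
    verdicts, window_start, used = [], 0.0, 0
    for t, bits in frames:
        if t >= window_start + vc.tc:                  # start a new interval
            elapsed = int((t - window_start) // vc.tc)
            window_start += elapsed * vc.tc
            used = 0
        if used + bits <= vc.bc:
            verdicts.append("pass")
            used += bits
        elif used + bits <= vc.bc + vc.be:
            verdicts.append("de")                     # forwarded, discard eligible
            used += bits
        else:
            verdicts.append("drop")
    return verdicts


def oversubscribed(access_rate, vcs):
    """True when the CIRs on one interface add up to more than its access rate."""
    return sum(vc.cir for vc in vcs) > access_rate


# Constructed trace (assumed values): 64 Kbps CIR with Bc = Be = 8000 bits, so Tc = 125 ms.
SAMPLE_VC = VC(dlci=100, cir=64_000, bc=8_000, be=8_000)
SAMPLE_FRAMES = [
    (0.000, 4_000),   # within Bc
    (0.010, 4_000),   # exactly Bc
    (0.020, 6_000),   # into Be: forwarded with DE set
    (0.030, 4_000),   # would exceed Bc + Be: dropped, allowance untouched
    (0.040, 2_000),   # fits the remaining Be: DE set
    (0.130, 4_000),   # next Tc: allowance resets
]

if __name__ == "__main__":
    print("Tc = %.3f s" % SAMPLE_VC.tc)
    for frame, verdict in zip(SAMPLE_FRAMES, police(SAMPLE_VC, SAMPLE_FRAMES)):
        print(frame, verdict)
```

The oversubscription check is the one the chapter describes: add up the CIRs configured on an interface and compare them with the access rate; anything above it is a bet that the VCs will not all run at their CIR at once.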
Chapter 17: ISDN
ISDN (Integrated Services Digital Network) is a group of standards that define how voice and data connections can be dynamically set up across digital circuits. ISDN is better than analog modem connections because it has a faster setup time (about 1 second), supports multiple services (data, video, and voice), and has guaranteed data rates. A DS0 is the smallest type of channelized connection and is clocked at 64 Kbps. A DS1 comes in two flavors: T1 (24 DS0s, clocked at 1.544 Mbps) and E1 (32 DS0s, clocked at 2.048 Mbps). T1s are common in North America while E1s are popular in Europe and most of the rest of the world. ISDN supports two connections: BRI (Basic Rate Interface) and PRI (Primary Rate Interface). This table compares the two:

Connection   Bearer Channels   Signaling Channels                 Total Bandwidth
BRI          2 (64 Kbps each)  1 (16 Kbps)                        192 Kbps line rate (144 Kbps usable)
PRI (T1)     23                1                                  1.544 Mbps
PRI (E1)     30                1 (timeslot 16; timeslot 0 is framing)  2.048 Mbps
B (bearer) channels are used to transport user information and D (signaling) channels are used to set up and tear down connections. On a PRI each channel is a DS0 (64 Kbps). On a BRI the D channel is 16 Kbps: of the 192 Kbps line rate, 128 Kbps carries the two B channels, 16 Kbps the D channel, and the remaining 48 Kbps is framing, clocking, and synchronization overhead. ITU-T's Q.921 signaling data link layer protocol is used for an ISDN user device and a carrier's ISDN switch to communicate with each other. LAPD is the frame format used by this standard, which is based on HDLC. ITU-T's Q.931 standard defines how ISDN calls are set up and torn down. A TE1 is an ISDN end-user device with a native ISDN interface (BRI or PRI), which connects to an NT1 or NT2. A TE2 has a non-native ISDN interface and needs a TA (Terminal Adapter) to connect to an NT1 or NT2. An NT2 is used to connect multiple ISDN end-user devices together and connects to an NT1. An NT1 connects to the carrier and converts the carrier's 2-wire connection to an ISDN 4-wire connection. The NT1 and NT2 are typically in the same chassis. The LE (Local Exchange) is the carrier's ISDN switch at the local office, which your NT1 connects to. The "R" reference point is the connection between a TE2 and a TA. The "S" reference point is the connection between a TE1 or TA and an NT2. The "T" reference point is the connection between the NT2 and NT1. The "U" reference point is the connection between the NT1 and LE. If a router interface is labeled "U", it has a built-in NT1 and connects directly to the carrier's 2-wire local loop; an interface labeled "S/T" has no built-in NT1 and needs an external one. To configure the ISDN switch type globally or on an interface, use the isdn switch-type command. You need to use the switch type that the carrier's switch is emulating. The interface configuration overrides the global setting. If your carrier is using a National ISDN-1 or Nortel DMS-100 switch, you might have to configure SPIDs for the two B channels in your BRI by using the isdn spid1|spid2 command. If you have a PRI, you must first configure your T1 or E1 controller. To access it, use the controller command, then use the framing, linecode, clock source, pri-group, and no shutdown commands. T1s typically use ESF framing and B8ZS line coding while E1s use CRC4 and HDB3. The pri-group command specifies which channels in the T1 or E1 you can use. All other configuration, like the ISDN switch type and addressing, is done under a logical serial interface: interface serial port_#:23|15. 15 signifies the signaling channel on an E1 and 23 on a T1. To see the data link layer status of the ISDN connection between you and the carrier, use the show isdn status command. For Q.921, if you see MULTIPLE_FRAME_ESTABLISHED, then the data link layer is functioning correctly. DDR (Dial-on-Demand Routing) should be used for backing up a primary WAN connection, short and temporary calls, and situations where traffic is periodic and needs little bandwidth. When using DDR, your router goes through 4 steps to set up a call: (1) the router looks up the destination of an incoming packet in its routing table and determines whether the outgoing interface is the DDR interface; (2) for DDR interfaces, the router checks to make sure that the traffic is interesting; (3) for interesting traffic, the router places a call to the destination if one isn't already established; (4) the router switches the traffic out the DDR interface. To prevent a routing protocol from triggering calls, you typically use static routes (ip route) and dialer-lists. Dialer-lists are used to define interesting traffic (dialer-list command). They are activated on a router's DDR interface with the dialer-group command. For legacy DDR, use the dialer map interface subcommand to define the destination to call.
With this command, you specify the layer-3 protocol and destination address of the remote router, the phone number to call, whether broadcasts are allowed (optional), a remote device name (used with PPP PAP or CHAP; optional), and the speed of the link (optional). DDR connections have a default idle timeout of 120 seconds. The timeout measures only interesting traffic as defined by the dialer-list commands. If no interesting traffic traverses the circuit, it is torn down after the idle timeout is reached. Note that once a circuit is established, both interesting and non-interesting traffic can traverse it, but only interesting traffic keeps it up. A separate fast idle timer (20 seconds by default) is used to prematurely terminate a currently idle B channel so it can be used to place a call to a new destination. You can also have DDR bring up a second channel when bandwidth becomes saturated on the first B channel with the dialer load-threshold command. The threshold is a value from 1 to 255: 1 represents 1%, 128 represents 50%, and 255 represents 100% load. The show dialer command displays all currently active calls (analog and digital) while the show isdn active command only displays active ISDN calls. The debug dialer command displays when traffic triggers or terminates any type of phone