IOS Essentials Version 1.0.2 - November 16, 2015 by Christian Bürli www.macparc.ch/ccna
Table of Contents
1 Basic Switch Configuration ... 6
2 Basic Router Configuration ... 7
3 Verification Commands ... 8
  3.1 Various show Commands ... 8
  3.2 Output Filters ... 8
4 Command History Feature ... 9
5 Switch Management Interface Configuration ... 9
  5.1 Configure Switch Management Interface ... 9
  5.2 Configure Switch Default Gateway ... 9
  5.3 Verify Switch Management Interface Configuration ... 9
  5.4 VLAN Creation and Association to a Switch Port ... 9
6 Configure Switch Ports ... 10
  6.1 Duplex and Speed ... 10
  6.2 Auto-MDIX ... 10
7 Switch & Port Security ... 11
  7.1 Configure SSH for Remote Management ... 11
  7.2 Secure/Disable Unused Ports ... 12
  7.3 DHCP Snooping ... 12
  7.4 Configure Port Security ... 13
  7.5 Configure Violation Mode ... 13
  7.6 Verify Port Security ... 14
  7.7 Configure Network Time Protocol (NTP) ... 14
8 VLANs ... 15
  8.1 Create VLAN(s) ... 15
  8.2 Assigning Ports to VLANs ... 15
  8.3 Remove VLAN Assignment ... 15
  8.4 Deleting VLANs ... 15
  8.5 Display VLAN Information ... 16
  8.6 Display Interface VLAN (or Trunk) Configuration ... 16
9 Trunks ... 17
  9.1 Trunk Configuration ... 17
  9.2 Resetting Trunk ... 17
  9.3 Dynamic Trunk Protocol (DTP) ... 17
10 Troubleshoot VLANs and Trunks ... 19
  10.1 Missing VLAN ... 19
  10.2 Troubleshooting Trunks ... 20
  10.3 Common Problems with Trunks ... 20
  10.4 Security – Protect Ports with PVLAN Edge ... 21
11 Inter-VLAN Routing ... 22
  11.1 Legacy Inter-VLAN Routing ... 22
  11.2 Router-on-a-Stick Inter-VLAN Routing ... 23
  11.3 Multilayer Switch Inter-VLAN Routing ... 24
  11.4 Troubleshoot Inter-VLAN Routing ... 26
12 Static Routing ... 27
  12.1 IPv4 Static Route ... 27
  12.2 IPv4 Default Static Route ... 28
  12.3 IPv4 Summary Static Route ... 28
  12.4 IPv4 Floating Static Route ... 29
  12.5 Troubleshoot IPv4 Static Route Configuration ... 30
  12.6 IPv6 Static Route ... 30
  12.7 IPv6 Default Static Route ... 31
  12.8 IPv6 Summary Static Route ... 31
13 Dynamic Routing ... 32
  13.1 Check for Dynamic Routing Protocols ... 32
  13.2 Enable RIP or RIPv2 (IPv4) ... 33
  13.3 Enable RIPng (IPv6) ... 34
14 Single-Area OSPFv2 (IPv4) ... 35
  14.1 Router ID ... 35
  14.2 Enable OSPF on Interfaces ... 36
  14.3 Propagating a Default Static Route in OSPF ... 38
  14.4 OSPF Cost ... 39
  14.5 Secure OSPF with MD5 Authentication ... 42
  14.6 Verify OSPF ... 43
15 Single-Area OSPFv3 (IPv6) ... 46
  15.1 Differences between OSPFv2 and OSPFv3 ... 46
  15.2 Steps to Configure OSPFv3 ... 46
  15.3 Configure Link-Local Addresses ... 47
  15.4 OSPFv3 Router ID ... 48
  15.5 Enable OSPFv3 on Interfaces ... 49
  15.6 Modify OSPFv3 Hello and Dead Intervals ... 50
  15.7 Propagating a Default Static Route in OSPFv3 ... 51
  15.8 Verify OSPFv3 ... 52
16 Multiarea OSPF ... 54
  16.1 Configure Multiarea OSPFv2 ... 54
  16.2 OSPF Route Summarization ... 55
  16.3 Configure Multiarea OSPFv3 ... 56
  16.4 Verify Multiarea OSPF ... 57
17 EIGRP for IPv4 ... 59
  17.1 Router ID ... 59
  17.2 The network Command ... 60
  17.3 Passive Interfaces ... 61
  17.4 Automatic Summarization ... 62
  17.5 Manual Summarization ... 64
  17.6 Propagating a Default Static Route ... 65
  17.7 Fine-tuning EIGRP Interfaces ... 66
  17.8 MD5 Authentication ... 67
  17.9 Troubleshoot EIGRP ... 69
  17.10 Verify EIGRP for IPv4 ... 70
18 EIGRP for IPv6 ... 73
  18.1 Configure IPv6 Link-local Addresses ... 73
  18.2 Configure EIGRP for IPv6 ... 73
  18.3 Enable EIGRP for IPv6 on Interfaces ... 74
  18.4 Passive Interfaces ... 74
  18.5 Manual Summarization ... 75
  18.6 Propagating a Default Static Route ... 76
  18.7 Fine-tuning EIGRP Interfaces ... 77
  18.8 MD5 Authentication ... 78
  18.9 Troubleshoot EIGRP ... 78
  18.10 Verify EIGRP for IPv6 ... 79
19 Access Control Lists (ACLs) ... 81
  19.1 Numbered and Named ACLs ... 81
  19.2 Wildcard Bit Mask Abbreviations ... 81
  19.3 The Implied "Deny All Traffic" Criteria Statement ... 81
  19.4 Standard ACLs (IPv4) ... 82
  19.5 Extended ACLs (IPv4) ... 87
  19.6 IPv6 ACLs ... 91
  19.7 Verify ACLs ... 93
20 DHCP ... 95
  20.1 Basic DHCPv4 Configuration ... 95
  20.2 Verify DHCPv4 ... 96
  20.3 DHCPv4 Relay ... 97
  20.4 Configure a Router as DHCP Client ... 97
  20.5 Verify DHCPv4 Relay & Services ... 98
  20.6 Debug DHCPv4 ... 98
  20.7 DHCPv6 ... 99
21 NAT for IPv4 ... 105
  21.1 Static NAT ... 105
  21.2 Dynamic NAT ... 107
  21.3 PAT (NAT Overload) ... 109
  21.4 Port Forwarding (Tunneling) ... 111
  21.5 Troubleshoot NAT ... 112
22 Spanning Tree ... 113
  22.1 Default Switch STP Settings ... 113
  22.2 Configure and Verify the Bridge ID (BID)/Priority ... 113
  22.3 Configure and Verify Port Cost ... 114
  22.4 PortFast and BPDU Guard ... 115
  22.5 PVST+ Load Balancing ... 116
  22.6 Rapid PVST+ ... 117
  22.7 Analyzing the STP Topology ... 118
  22.8 STP Status Overview ... 118
  22.9 First Hop Redundancy Protocols (FHRP) ... 119
23 EtherChannel ... 121
  23.1 Link Aggregation Control Protocol (LACP) ... 121
  23.2 Port Aggregation Protocol (PAgP) ... 122
  23.3 Verify EtherChannel ... 123
24 Point-to-Point Connections ... 125
  24.1 Configure HDLC Encapsulation ... 125
  24.2 Verify a Serial Interface ... 125
  24.3 Configure PPP Encapsulation ... 127
  24.4 Verify PPP Configuration/Encapsulation ... 131
25 Frame Relay ... 133
  25.1 Basic Frame Relay Configuration ... 133
  25.2 Configure a Static Frame Relay Map ... 134
  25.3 Configure Point-to-Point Subinterfaces ... 136
  25.4 Local Management Interface (LMI) ... 137
  25.5 Verify Frame Relay ... 138
  25.6 Troubleshoot Frame Relay ... 140
26 PPPoE Client Configuration for DSL ... 141
27 Virtual Private Networks (VPNs) ... 142
  27.1 GRE Tunnel ... 142
28 Monitoring the Network ... 144
  28.1 Syslog ... 144
  28.2 Simple Network Management Protocol (SNMP) ... 148
  28.3 NetFlow ... 150
29 Troubleshooting the Network ... 154
  29.1 Data Collection for Documentation ... 154
  29.2 Gather Symptoms ... 155
  29.3 Troubleshooting IP Connectivity ... 156
30 IOS Images & Licensing ... 163
  30.1 Display the IOS Image ... 163
  30.2 IOS Backup ... 164
  30.3 Select Boot System ... 165
  30.4 IOS Licensing ... 166
IOS Shortcuts ... 172
1 Basic Switch Configuration
Switch> enable
Switch# configure terminal
Switch(config)# hostname S1
S1(config)# no ip domain-lookup
S1(config)# enable secret class
S1(config)# line console 0
S1(config-line)# logging synchronous
S1(config-line)# password cisco
S1(config-line)# login
S1(config-line)# exit
S1(config)# line vty 0 4
S1(config-line)# password cisco
S1(config-line)# login
S1(config-line)# exit
S1(config)# line aux 0
S1(config-line)# password cisco
S1(config-line)# login
S1(config-line)# exit
S1(config)# service password-encryption
S1(config)# banner motd #Authorized Personnel Only!#
S1(config)# interface vlan 1
S1(config-if)# description VLAN 1
S1(config-if)# ip address 172.16.5.2 255.255.255.0
S1(config-if)# no shutdown
S1(config-if)# exit
S1(config)# ip default-gateway 172.16.5.1
S1(config)# end
S1# write
Building configuration…
[OK]
Note: service password-encryption only obfuscates the line passwords (type 7, trivially reversible with a public key stream); enable secret stores a one-way hash. The line password cisco is a lab default. On a production device use username/secret accounts with login local on the console and vty lines and allow only SSH on the vty lines (section 7.1), and put the management SVI on a dedicated VLAN rather than VLAN 1 (section 5).
Restore a switch into its factory default condition with 1 default VLAN Switch# delete flash:vlan.dat Switch# erase startup-config Switch# reload
2 Basic Router Configuration
Router> enable
Router# configure terminal
Router(config)# hostname R1
R1(config)# no ip domain-lookup
R1(config)# enable secret class
R1(config)# line console 0
R1(config-line)# logging synchronous
R1(config-line)# password cisco
R1(config-line)# login
R1(config-line)# exit
R1(config)# line vty 0 4
R1(config-line)# password cisco
R1(config-line)# login
R1(config-line)# exit
R1(config)# line aux 0
R1(config-line)# password cisco
R1(config-line)# login
R1(config-line)# exit
R1(config)# service password-encryption
R1(config)# banner motd #Authorized Personnel Only!#
R1(config)# interface g0/0
R1(config-if)# description Link to LAN 1
R1(config-if)# ip address 172.16.5.1 255.255.255.0
R1(config-if)# no shutdown
R1(config-if)# exit
R1(config)# interface g0/1
R1(config-if)# description Link to LAN 2
R1(config-if)# ip address 192.168.5.1 255.255.255.0
R1(config-if)# no shutdown
R1(config-if)# exit
R1(config)# interface serial 0/0/0
R1(config-if)# description Link to R2
R1(config-if)# ip address 209.10.5.1 255.255.255.0
R1(config-if)# clock rate 128000
R1(config-if)# no shutdown
R1(config-if)# exit
R1(config)# interface loopback 0
R1(config-if)# ip address 10.0.0.1 255.255.255.0
R1(config-if)# end
R1# write
Note: clock rate is only accepted on the DCE end of a back-to-back serial link; the DTE end takes its clock from the DCE.
Resetting Router Configuration Router# erase startup-config Router# reload
3 Verification Commands
3.1 Various show Commands
Display interface status                             S1# show interfaces interface-id
Display current startup configuration                S1# show startup-config
Display current running configuration                S1# show running-config
Display commands configured on a specified interface S1# show running-config interface interface-id
Display information about the flash file system      S1# show flash
Display system hardware and software status          S1# show version
Display history of commands entered                  S1# show history
Display IP information for all interfaces            R1# show ip interface [ brief ]
Display IP information about an interface            R1# show ip interface interface-id
Display contents of the IPv4 routing table (RAM)     R1# show ip route
Display configured routing protocols                 R1# show ip protocols
Display info about learned OSPF neighbors            R1# show ip ospf neighbor
Display info about the enabled routed protocols      R1# show protocols
Display info on directly connected devices (CDP)     R1# show cdp neighbors
Display the MAC address table                        S1# show mac-address-table
                                                     or
                                                     S1# show mac address-table
3.2 Output Filters
To filter the output of a show command, enter a pipe (|) character after the show command, then a filtering parameter and a filtering expression.
Example: S1# show ip interface brief | exclude unassigned
Filtering parameters that can be used after the pipe:
section   Shows the entire section that starts with the filtering expression
include   Includes all output lines that match the filtering expression
exclude   Excludes all output lines that match the filtering expression
begin     Shows all the output lines, starting with the line that matches the filtering expression
4 Command History Feature To recall the most recent command in the history buffer, press Ctrl+P or the Up Arrow key. To return to more recent commands in the history buffer, press Ctrl+N or the Down Arrow key. Show command history buffer: R1# show history By default, command history is enabled and the system captures the last 10 command lines in its history buffer. Command to increase or decrease the size of the buffer (for the current terminal session): R1# terminal history size 100
5 Switch Management Interface Configuration
5.1 Configure Switch Management Interface
S1# configure terminal
S1(config)# interface vlan 99
S1(config-if)# ip address 192.168.1.2 255.255.255.0
S1(config-if)# no shutdown
S1(config-if)# end
S1# copy running-config startup-config
5.2 Configure Switch Default Gateway
S1# configure terminal
S1(config)# ip default-gateway 192.168.1.1
S1(config)# end
S1# copy running-config startup-config
5.3 Verify Switch Management Interface Configuration
S1# show ip interface brief
5.4 VLAN Creation and Association to a Switch Port
The SVI for VLAN 99 will not appear as "up/up" until VLAN 99 is created and there is a device connected to a switch port associated with VLAN 99. To create a VLAN with the vlan_id of 99, and associate it to an interface, use the following commands:
S1# configure terminal
S1(config)# vlan vlan_id
S1(config-vlan)# name vlan_name
S1(config-vlan)# exit
S1(config)# interface interface-id
S1(config-if)# switchport access vlan vlan_id
6 Configure Switch Ports
6.1 Duplex and Speed
S1# configure terminal
S1(config)# interface FastEthernet 0/1
S1(config-if)# duplex full
S1(config-if)# speed 100
S1(config-if)# end
S1# copy running-config startup-config
6.2 Auto-MDIX
S1# configure terminal
S1(config)# interface FastEthernet 0/1
S1(config-if)# duplex auto
S1(config-if)# speed auto
S1(config-if)# mdix auto
S1(config-if)# end
S1# copy running-config startup-config
Verify Auto-MDIX
S1# show controllers ethernet-controller fa 0/1 phy | include Auto-MDIX
7 Switch & Port Security
7.1 Configure SSH for Remote Management
Verify SSH support
S1# show ip ssh
Configure the IP domain
S1# configure terminal
S1(config)# ip domain-name cisco.com
Generate RSA key pairs
S1(config)# crypto key generate rsa
The name for the keys will be S1.cisco.com
…
How many bits in the modulus [512]: 1024
…
(Deleting RSA key pairs)
S1(config)# crypto key zeroize rsa
Configure user authentication
S1(config)# username admin secret ccna
Configure the vty lines
S1(config)# line vty 0 15
S1(config-line)# transport input ssh
S1(config-line)# login local
S1(config-line)# exit
Enable SSH version 2
S1(config)# ip ssh version 2
S1(config)# exit
7.2 Secure/Disable Unused Ports
S1(config-if)# shutdown
Configure a range of ports
S1(config)# interface range FastEthernet0/5 - 24
S1(config-if-range)# shutdown
7.3 DHCP Snooping
Enable DHCP snooping
S1(config)# ip dhcp snooping
Enable DHCP snooping for specific VLANs
S1(config)# ip dhcp snooping vlan 10,20
Define the trusted ports
S1(config)# interface FastEthernet0/1
S1(config-if)# ip dhcp snooping trust
Limit the rate at which bogus DHCP requests can continually be sent through untrusted ports
S1(config)# interface FastEthernet0/2
S1(config-if)# ip dhcp snooping limit rate 5
7.4 Configure Port Security
7.4.1 Static Secure MAC Addresses
S1(config-if)# switchport port-security mac-address mac-address
7.4.2 Dynamic Secure MAC Addresses
S1(config)# interface FastEthernet 0/1
S1(config-if)# switchport mode access
S1(config-if)# switchport port-security
7.4.3 Sticky Secure MAC Addresses
To convert dynamically learned MAC addresses to sticky secure MAC addresses
S1(config)# interface FastEthernet 0/1
S1(config-if)# switchport mode access
S1(config-if)# switchport port-security
S1(config-if)# switchport port-security maximum 50
S1(config-if)# switchport port-security mac-address sticky
Manually defined sticky secure MAC addresses
S1(config-if)# switchport port-security mac-address sticky mac-address
Disable sticky learning
S1(config-if)# no switchport port-security mac-address sticky
7.5 Configure Violation Mode
S1(config-if)# switchport port-security violation {protect | restrict | shutdown}
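Sections 7.1, 7.3 and 7.4 each add a few lines to the running-config, and the usual way those settings drift is that one port or one vty block is missed. The following Python audit is an added example (not code from the original cheat sheet) that parses a running-config and reports the gaps: vty lines that still accept something other than SSH or have no login method, SSH version 2 not enforced, DHCP snooping missing, access ports without port security, and DHCP-snooping trust on a port that is not a trunk. The config text is constructed; treating a vty block with no transport input line as unrestricted is an assumption, since the platform default varies.

```python
"""Audit a Cisco IOS running-config for the switch hardening items in
sections 7.1, 7.3 and 7.4 (SSH on the vty lines, DHCP snooping, port
security). Added example, not from the original cheat sheet."""

# Constructed running-config excerpt (not captured from a real device).
SAMPLE_CONFIG = """\
hostname S1
!
ip domain-name cisco.com
ip ssh version 2
ip dhcp snooping
ip dhcp snooping vlan 10,20
!
interface FastEthernet0/1
 switchport mode access
 switchport port-security
 switchport port-security maximum 2
 switchport port-security mac-address sticky
 switchport port-security violation restrict
!
interface FastEthernet0/2
 switchport mode access
 ip dhcp snooping limit rate 5
!
interface FastEthernet0/24
 switchport mode trunk
 ip dhcp snooping trust
!
line vty 0 4
 transport input ssh
 login local
line vty 5 15
 transport input telnet ssh
 login local
"""


def parse_config(text):
    """Split a running-config into top-level lines and indented blocks.
    Returns (globals, blocks); blocks maps a header such as
    'interface FastEthernet0/1' or 'line vty 0 4' to its indented lines."""
    globals_, blocks, current = [], {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            current = None                      # '!' ends the current block
            continue
        if raw.startswith((" ", "\t")):
            if current is not None:
                blocks[current].append(raw.strip())
            continue
        line = raw.strip()
        if line.startswith(("interface ", "line ")):
            current = line
            blocks.setdefault(current, [])
        else:
            current = None
            globals_.append(line)
    return globals_, blocks


def audit(text):
    """Return a list of findings; an empty list means every check passed."""
    globals_, blocks = parse_config(text)
    findings = []
    if "ip ssh version 2" not in globals_:
        findings.append("global: 'ip ssh version 2' missing, SSHv1 may be negotiated")
    if "ip dhcp snooping" not in globals_:
        findings.append("global: DHCP snooping not enabled")
    elif not any(g.startswith("ip dhcp snooping vlan ") for g in globals_):
        findings.append("global: DHCP snooping enabled but no VLAN listed")
    for header, lines in blocks.items():
        if header.startswith("line vty"):
            # Assumption: a vty block without 'transport input' is unrestricted.
            transport = next((ln for ln in lines if ln.startswith("transport input")),
                             "transport input all")
            if transport.split()[2:] != ["ssh"]:
                findings.append(f"{header}: '{transport}' allows non-SSH access")
            if "login local" not in lines and not any(
                    ln.startswith("login authentication") for ln in lines):
                findings.append(f"{header}: no local or AAA login configured")
        elif header.startswith("interface "):
            if "switchport mode access" in lines and "switchport port-security" not in lines:
                findings.append(f"{header}: access port without port security")
            if "ip dhcp snooping trust" in lines and "switchport mode trunk" not in lines:
                findings.append(f"{header}: DHCP snooping trust on a non-trunk port")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Run against the sample it reports FastEthernet0/2 (access port, no port security) and line vty 5 15 (telnet still allowed); fixing the transport line removes the second finding. The parser only understands the indentation convention of `show running-config`, so feed it that output rather than `show startup-config` if the two differ.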
7.6 Verify Port Security
7.6.1 Verify Port Security Settings
S1# show port-security [interface interface-id]
7.6.2 Verify Sticky MAC (Running Config)
S1# show run | begin FastEthernet 0/5
7.6.3 Verify Secure MAC Addresses
S1# show port-security address
7.7 Configure Network Time Protocol (NTP)
7.7.1 Configuring NTP on a Router
NTP server: R1(config)# ntp master 1
NTP client: R2(config)# ntp server 10.0.0.1
7.7.2 Verify NTP
R2# show ntp associations
R2# show ntp status
8 VLANs
8.1 Create VLAN(s)
S1# configure terminal
S1(config)# vlan vlan-id
S1(config-vlan)# name vlan-name
S1(config-vlan)# end
Good practice, but not necessary (Normal Range VLANs 1–1005 are saved to vlan.dat in flash memory):
S1# copy running-config startup-config
Create a series of VLAN IDs
S1(config)# vlan 100,125,130,140-159
8.2 Assigning Ports to VLANs
S1# configure terminal
S1(config)# interface [range] interface-id
S1(config-if)# switchport mode access
S1(config-if)# switchport access vlan vlan-id
S1(config-if)# end
8.3 Remove VLAN Assignment
S1# configure terminal
S1(config)# interface [range] interface-id
S1(config-if)# no switchport access vlan
S1(config-if)# end
8.4 Deleting VLANs
S1# configure terminal
S1(config)# no vlan vlan-id
S1(config)# end
Deleting the entire vlan.dat file (reset to factory default VLAN configuration)
S1# delete flash:vlan.dat
or
S1# delete vlan.dat
8.5 Display VLAN Information
Display contents of the vlan.dat file
S1# show vlan [brief | id vlan-id | name vlan-name | summary]
8.6 Display Interface VLAN (or Trunk) Configuration
S1# show interfaces [interface-id | vlan vlan-id] switchport
9 Trunks
9.1 Trunk Configuration
S1# configure terminal
S1(config)# interface interface-id
S1(config-if)# switchport mode trunk
S1(config-if)# switchport trunk native vlan vlan-id
S1(config-if)# switchport trunk allowed vlan vlan-list
S1(config-if)# end
9.2 Resetting Trunk
S1# configure terminal
S1(config)# interface interface-id
S1(config-if)# no switchport trunk allowed vlan
S1(config-if)# no switchport trunk native vlan
S1(config-if)# end
Return Port to Access Mode
S1(config-if)# switchport mode access
9.3 Dynamic Trunk Protocol (DTP)
9.3.1 Negotiated Interface Modes
S1(config-if)# switchport mode access
Permanent nontrunking mode, regardless of whether the neighboring interface is a trunk interface; negotiates to convert the link into a nontrunk link.
S1(config-if)# switchport mode dynamic auto
Default switchport mode for all Ethernet interfaces. The interface is able to convert the link to a trunk link if the neighboring interface is set to trunk or desirable mode.
S1(config-if)# switchport mode dynamic desirable
Able to convert the link to a trunk link. The interface becomes a trunk interface if the neighboring interface is set to trunk or desirable mode.
S1(config-if)# switchport mode trunk
Permanent trunking mode, even if the neighboring interface is not a trunk interface; negotiates to convert the neighboring link into a trunk link.
9.3.2 DTP Configuration Matrix
Results of the DTP configuration options on opposite ends of a trunk link
9.3.3 Disable DTP
E.g. to enable trunking from a Cisco switch to a device that does not support DTP
S1(config-if)# switchport nonegotiate
Prevents the interface from generating DTP frames. You can use this command only when the interface switchport mode is access or trunk. You must manually configure the neighboring interface as a trunk interface to establish a trunk link.
9.3.4 Determine the Current DTP Mode
S1# show dtp interface interface-id
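The configuration matrix in 9.3.2 follows from the mode descriptions in 9.3.1 and the nonegotiate rule in 9.3.3, so it can be computed instead of memorised. The following Python example is added here and is not from the original cheat sheet. It treats dynamic auto facing dynamic desirable as a trunk, which is what the dynamic auto description implies (the auto side accepts a desirable peer's request), and it models switchport nonegotiate as the peer sending no DTP frames, so a dynamic port facing a nonegotiate trunk stays an access port. The last helper lists ports that a peer could negotiate into a trunk, which is the review an operator runs before relying on DTP defaults.

```python
"""Outcome of DTP negotiation for the switchport modes in section 9.3,
derived from the mode descriptions in 9.3.1 and the nonegotiate rule in
9.3.3. Added example, not from the original cheat sheet."""

MODES = ("access", "dynamic auto", "dynamic desirable", "trunk")


def _side_trunks(mode, peer_mode, peer_silent):
    """Does this side end up trunking, given the peer's mode and whether
    the peer sends DTP frames at all (peer_silent == switchport nonegotiate)?"""
    if mode == "trunk":
        return True                      # permanent trunking mode
    if mode == "access":
        return False                     # permanent nontrunking mode
    if peer_silent:
        return False                     # no DTP frames arrive, nothing to negotiate with
    if mode == "dynamic desirable":
        # Actively negotiates; succeeds against trunk, desirable and auto peers.
        return peer_mode in ("trunk", "dynamic desirable", "dynamic auto")
    if mode == "dynamic auto":
        # Only answers; becomes a trunk if the peer is trunk or desirable.
        return peer_mode in ("trunk", "dynamic desirable")
    raise ValueError(f"unknown mode: {mode}")


def dtp_result(local, remote, local_nonegotiate=False, remote_nonegotiate=False):
    """Return 'trunk', 'access' or 'mismatch' for the link between two ports.
    'mismatch' means one side trunks and the other does not (limited connectivity)."""
    for mode, noneg in ((local, local_nonegotiate), (remote, remote_nonegotiate)):
        if mode not in MODES:
            raise ValueError(f"unknown mode: {mode}")
        if noneg and mode not in ("access", "trunk"):
            raise ValueError("switchport nonegotiate requires mode access or trunk")
    a = _side_trunks(local, remote, remote_nonegotiate)
    b = _side_trunks(remote, local, local_nonegotiate)
    if a and b:
        return "trunk"
    if not a and not b:
        return "access"
    return "mismatch"


def ports_that_would_trunk(port_modes):
    """Hardening review: ports in a dynamic mode, i.e. ports whose peer can
    negotiate them into a trunk. Input maps port name to its switchport mode."""
    return sorted(p for p, m in port_modes.items() if m.startswith("dynamic"))


if __name__ == "__main__":
    for local in MODES:
        print(local.ljust(18), [dtp_result(local, remote) for remote in MODES])
```

Because the IOS default is dynamic auto, an unconfigured port becomes a trunk as soon as the device on the other side is set to trunk or dynamic desirable; setting user-facing ports to access (and uplinks to trunk with nonegotiate) removes that dependency on the neighbour.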
10 Troubleshoot VLANs and Trunks
10.1 Missing VLAN
Step 1: Use the show vlan command to check whether the port belongs to the expected VLAN. If the port is assigned to the wrong VLAN, use the switchport access vlan command to correct the VLAN membership. Use the show mac address-table command to check which addresses were learned on a particular port of the switch and to which VLAN that port is assigned. Step 2: If the VLAN to which the port is assigned is deleted, the port becomes inactive. Use the show vlan or show interfaces switchport command. Examples:
S1# show mac-address-table interface FastEthernet 0/1
S1# show interfaces FastEthernet 0/1 switchport
10.2 Troubleshooting Trunks
Step 1: Use the show interfaces trunk command to check whether the local and peer native VLANs match. If the native VLAN does not match on both sides, VLAN leaking occurs. Step 2: Use the show interfaces trunk command to check whether a trunk has been established between switches. Statically configure trunk links whenever possible. Cisco Catalyst switch ports use DTP by default and attempt to negotiate a trunk link. Example:
S1# show interfaces FastEthernet 0/1 trunk
10.3 Common Problems with Trunks
10.4 Security – Protect Ports with PVLAN Edge
The PVLAN Edge feature has the following characteristics:
• A protected port does not forward any traffic (unicast, multicast, or broadcast) to any other port that is also a protected port, except for control traffic. Data traffic cannot be forwarded between protected ports at Layer 2.
• Forwarding behavior between a protected port and a nonprotected port proceeds as usual.
• Protected ports must be manually configured.
10.4.1 Configuring the PVLAN Edge Feature
S1(config-if)# switchport protected
10.4.2 Disable Protected Port
S1(config-if)# no switchport protected
10.4.3 Verify the PVLAN Edge Configuration
S1# show interfaces interface-id switchport
11 Inter-VLAN Routing
11.1 Legacy Inter-VLAN Routing
11.1.1 Switch Configuration
S1# configure terminal
S1(config)# vlan 10
S1(config-vlan)# vlan 30
S1(config-vlan)# interface f0/11
S1(config-if)# switchport access vlan 10
S1(config-if)# interface f0/4
S1(config-if)# switchport access vlan 10
S1(config-if)# interface f0/6
S1(config-if)# switchport access vlan 30
S1(config-if)# interface f0/5
S1(config-if)# switchport access vlan 30
S1(config-if)# end
11.1.2 Router Configuration
R1(config)# interface g0/0
R1(config-if)# ip address 172.17.10.1 255.255.255.0
R1(config-if)# no shutdown
R1(config)# interface g0/1
R1(config-if)# ip address 172.17.30.1 255.255.255.0
R1(config-if)# no shutdown
R1(config-if)# end
11.2 Router-on-a-Stick Inter-VLAN Routing
11.2.1 Switch Configuration
S1(config)# vlan 10
S1(config-vlan)# vlan 30
S1(config-vlan)# interface f0/5
S1(config-if)# switchport mode trunk
S1(config-if)# end
11.2.2 Router Configuration
R1(config)# interface g0/0.10
R1(config-subif)# encapsulation dot1q 10
R1(config-subif)# ip address 172.17.10.1 255.255.255.0
R1(config-subif)# interface g0/0.30
R1(config-subif)# encapsulation dot1q 30
R1(config-subif)# ip address 172.17.30.1 255.255.255.0
R1(config-subif)# interface g0/0
R1(config-if)# no shutdown
R1(config-if)# end
Verify Subinterfaces:
R1# show vlan
R1# show ip route
Verify Routing:
PC1> ping 172.17.30.23
PC1> tracert 172.17.30.23
11.3 Multilayer Switch Inter-VLAN Routing
11.3.1 Inter-VLAN Routing with Switch Virtual Interfaces (SVI)
S1(config)# interface vlan 10
S1(config-if)# ip address 172.17.10.1 255.255.255.0
S1(config-if)# no shutdown
S1(config-if)# exit
S1(config)# interface vlan 30
S1(config-if)# ip address 172.17.30.1 255.255.255.0
S1(config-if)# no shutdown
S1(config-if)# exit
S1(config)# ip routing
11.3.2 Inter-VLAN Routing with Routed Ports
S1(config)# interface fastethernet 0/1
S1(config-if)# no switchport
S1(config-if)# ip address 172.17.10.1 255.255.255.0
S1(config-if)# no shutdown
S1(config-if)# exit
S1(config)# interface fastethernet 0/3
S1(config-if)# no switchport
S1(config-if)# ip address 172.17.30.1 255.255.255.0
S1(config-if)# no shutdown
S1(config-if)# exit
S1(config)# ip routing
11.3.3 Static Routing on a Cisco Catalyst 2960 Switch
Check the SDM template setting
S1# show sdm prefer
Enable the routing functionality on the Cisco 2960 Layer 2 switch (full-featured multilayer switches, e.g. the Cisco Catalyst 3560 Series, support the EIGRP, OSPF, and BGP routing protocols)
S1(config)# sdm prefer lanbase-routing
S1(config)# do reload
S1(config)# interface fastethernet 0/6
S1(config-if)# switchport access vlan 2
S1(config-if)# interface vlan 1
S1(config-if)# ip address 192.168.1.1 255.255.255.0
S1(config-if)# interface vlan 2
S1(config-if)# ip address 192.168.2.1 255.255.255.0
S1(config-if)# no shutdown
S1(config-if)# exit
S1(config)# ip routing
Configure default route
S1(config)# ip route 0.0.0.0 0.0.0.0 192.168.1.254
Configure a static route to the remote network 192.168.2.0/24 (VLAN 2) on the router R1
R1(config)# ip route 192.168.2.0 255.255.255.0 g0/1
11.4 Troubleshoot Inter-VLAN Routing
The issues common to legacy inter-VLAN routing and router-on-a-stick inter-VLAN routing are also manifested in the context of Layer 3 switching. To troubleshoot issues, the following items should be checked for accuracy:
VLANs: VLANs must be defined across all the switches. VLANs must be enabled on the trunk ports. Ports must be in the right VLANs.
SVIs: SVIs must have the correct IP address or subnet mask. SVIs must be up. SVIs must match with the VLAN number.
Routing: Routing must be enabled. Each interface or network should be added to the routing protocol.
Hosts: Hosts must have the correct IP address or subnet mask. Hosts must have a default gateway associated with an SVI or routed port.
12 Static Routing
12.1 IPv4 Static Route
A static route can be configured to reach a specific remote network.
R1(config)# ip route network-address subnet-mask {next-hop-ip | exit-intf [ip-address]} [distance] [name name] [permanent] [tag tag]
The distance parameter is used to create a floating static route by setting an administrative distance that is higher than that of a dynamically learned route.
Common Examples:
Next-hop address: R1(config)# ip route 172.16.1.0 255.255.255.0 172.16.2.2
Exit interface: R1(config)# ip route 172.16.1.0 255.255.255.0 serial 0/0/0
Fully specified: R1(config)# ip route 172.16.1.0 255.255.255.0 G0/1 172.16.2.2
Verifying:
R1# ping 192.168.2.2
R1# traceroute 192.168.2.10
R1# show ip route
R1# show ip route static | begin Gateway
R1# show ip route 192.168.2.1
R1# show running-config | section ip route
12.2 IPv4 Default Static Route
A default static route is similar to a default gateway on a host. The default static route specifies the exit point to use when the routing table does not contain a path for the destination network.
R1(config)# ip route 0.0.0.0 0.0.0.0 {next-hop-ip | exit-intf}
Common Examples:
Next-hop address: R1(config)# ip route 0.0.0.0 0.0.0.0 192.168.6.2
Exit interface: R1(config)# ip route 0.0.0.0 0.0.0.0 serial 0/0/0
Fully specified: R1(config)# ip route 0.0.0.0 0.0.0.0 serial 0/0/0 192.168.6.2
Verifying: R1# show ip route static
12.3 IPv4 Summary Static Route
Example: The four static route entries could be reduced to a single 172.20.0.0/14 entry. The four static route entries can be removed and replaced by a summary static route.
R1(config)# no ip route 172.20.0.0 255.255.0.0 serial 0/0/0
R1(config)# no ip route 172.21.0.0 255.255.0.0 serial 0/0/0
R1(config)# no ip route 172.22.0.0 255.255.0.0 serial 0/0/0
R1(config)# no ip route 172.23.0.0 255.255.0.0 serial 0/0/0
R1(config)# ip route 172.20.0.0 255.252.0.0 serial 0/0/0
12.4 IPv4 Floating Static Route Floating static routes are static routes that have an administrative distance greater than the administrative distance of another static route or dynamic routes. They are very useful when providing a backup to a primary link.
By default, static routes have an administrative distance of 1, making them preferable to routes learned from dynamic routing protocols. For example, the administrative distances of some common dynamic routing protocols are:
• EIGRP = 90
• IGRP = 100
• OSPF = 110
• IS-IS = 115
• RIP = 120
The administrative distance of a static route can be increased to make the route less desirable than that of another static route or a route learned through a dynamic routing protocol. In this way, the static route "floats" and is not used when the route with the better administrative distance is active.
Verification shows that the default route to R2 is installed in the routing table. Note that the backup route to R3 is not present in the routing table.
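The verification note above (primary default route to R2 installed, backup to R3 absent) is the result of two selection rules working together: longest prefix match first, then lowest administrative distance, considering only routes whose exit interface is up. The Python example below is added here and is not from the original cheat sheet; the routing entries and router names are constructed to mirror the R2/R3 topology the section describes, and the administrative distances are the ones quoted in the section.

```python
"""Route selection with a floating static route (section 12.4): longest
prefix first, then lowest administrative distance, considering only routes
whose exit interface is up. Added example, not from the original cheat sheet."""
import ipaddress

# Administrative distances quoted in section 12.4 (static = 1 by default).
AD = {"static": 1, "eigrp": 90, "igrp": 100, "ospf": 110, "is-is": 115, "rip": 120}

# Constructed routing entries: a default static route to R2, a floating
# static backup to R3 (distance 5), and one OSPF-learned subnet via R3.
ROUTES = [
    {"prefix": "0.0.0.0/0", "via": "R2", "interface": "s0/0/0", "distance": AD["static"]},
    {"prefix": "0.0.0.0/0", "via": "R3", "interface": "s0/0/1", "distance": 5},
    {"prefix": "192.168.2.0/24", "via": "R3", "interface": "s0/0/1", "distance": AD["ospf"]},
]


def best_route(destination, routes, down_interfaces=()):
    """Return the route entry the router installs for `destination`, or None.
    A static route disappears from the table when its exit interface is down,
    which is what lets the floating route take over."""
    dst = ipaddress.ip_address(destination)
    usable = [r for r in routes
              if r["interface"] not in down_interfaces
              and dst in ipaddress.ip_network(r["prefix"])]
    if not usable:
        return None
    # Longest prefix wins before administrative distance is even compared.
    return min(usable, key=lambda r: (-ipaddress.ip_network(r["prefix"]).prefixlen,
                                      r["distance"]))


def installed_defaults(routes, down_interfaces=()):
    """Which default route(s) would appear in 'show ip route' right now."""
    best = best_route("203.0.113.1", routes, down_interfaces)   # any unlisted destination
    return [] if best is None else [best["via"]]


if __name__ == "__main__":
    print("primary up:  default via", installed_defaults(ROUTES))
    print("primary down: default via", installed_defaults(ROUTES, down_interfaces=("s0/0/0",)))
```

The third entry shows the rule that trips people up: the OSPF route for 192.168.2.0/24 wins over the static default (distance 1) for hosts in that subnet, because prefix length is compared before administrative distance. Note that a static route configured with a next-hop address rather than an exit interface is removed only when that next hop becomes unresolvable, so the failover behaviour differs slightly from the exit-interface case modelled here.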
12.5 Troubleshoot IPv4 Static Route Configuration
Common IOS troubleshooting commands include:
• ping target-ip-address source {ip-address | exit-intf} (extended ping)
• traceroute
• show ip route
• show ip interface brief
• show cdp neighbors [detail]
12.6 IPv6 Static Route
Enable IPv6 Routing: R1(config)# ipv6 unicast-routing
R1(config)# ipv6 route ipv6-prefix/prefix-length {ipv6-address | exit-intf}
Verifying: R1# show ipv6 route
Common Examples:
Next-hop address: R1(config)# ipv6 route 2001:db8:acad:2::/64 2001:db8:acad:4::2
Exit interface: R1(config)# ipv6 route 2001:db8:acad:2::/64 s0/0/0
Fully specified: R1(config)# ipv6 route 2001:db8:acad:2::/64 s0/0/0 fe80::2
Verifying:
R1# ping 192.168.2.2
R1# traceroute 192.168.2.10
R1# show ipv6 route
R1# show ipv6 route static
R1# show ipv6 route 2001:db8:acad:3::
R1# show running-config | section ipv6 route
12.7 IPv6 Default Static Route
Enable IPv6 Routing: R1(config)# ipv6 unicast-routing
R1(config)# ipv6 route ::/0 {ipv6-address | exit-intf}
Common Examples:
Next-hop address: R1(config)# ipv6 route ::/0 2001:db8:acad:4::2
Exit interface: R1(config)# ipv6 route ::/0 serial 0/0/0
Verify: R1# show ipv6 route static
12.8 IPv6 Summary Static Route
Example: The four static route entries could be reduced to a single 2001:db8:acad::/61 entry. The four static route entries can be removed and replaced by a summary static route.
R1(config)# no ipv6 route 2001:db8:acad:1::/64 2001:db8:feed:1::2
R1(config)# no ipv6 route 2001:db8:acad:2::/64 2001:db8:feed:1::2
R1(config)# no ipv6 route 2001:db8:acad:3::/64 2001:db8:feed:1::2
R1(config)# no ipv6 route 2001:db8:acad:4::/64 2001:db8:feed:1::2
R1(config)# ipv6 route 2001:db8:acad::/61 2001:db8:feed:1::2
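Both summary examples (12.3 for IPv4, 12.8 for IPv6) are instances of one calculation: widen the first prefix one bit at a time until it contains all of them. The Python example below is added here and is not from the original cheat sheet; it computes the summary for either address family, prints the IOS lines that replace the specific routes, and also reports the address space the summary covers that the original routes did not. That last check matters in the IPv6 case, where /61 also covers 2001:db8:acad::/64 and 5 to 7, so traffic for those unused subnets now follows the summary instead of being dropped.

```python
"""Compute the summary static route that replaces several contiguous static
routes (sections 12.3 and 12.8) and show which extra address space the
summary pulls in. Added example, not from the original cheat sheet."""
import ipaddress


def summary_route(prefixes):
    """Smallest single prefix that contains every network in `prefixes`
    (IPv4 or IPv6, but not mixed)."""
    nets = [ipaddress.ip_network(p) for p in prefixes]
    if len({n.version for n in nets}) != 1:
        raise ValueError("all prefixes must belong to the same address family")
    summary = nets[0]
    while not all(n.subnet_of(summary) for n in nets):
        summary = summary.supernet()      # widen by one bit until everything fits
    return summary


def uncovered_space(prefixes, summary):
    """Parts of `summary` that none of the original routes covered. Traffic
    for these destinations now follows the summary instead of being dropped."""
    remaining = [summary]
    for net in (ipaddress.ip_network(p) for p in prefixes):
        next_remaining = []
        for chunk in remaining:
            if net.subnet_of(chunk):
                next_remaining.extend(chunk.address_exclude(net))
            elif not chunk.subnet_of(net):
                next_remaining.append(chunk)   # untouched by this route
        remaining = next_remaining
    return sorted(ipaddress.collapse_addresses(remaining))


def _route_cmd(net, next_hop):
    """One IOS static route line in the syntax of the matching address family."""
    if net.version == 4:
        return f"ip route {net.network_address} {net.netmask} {next_hop}"
    return f"ipv6 route {net} {next_hop}"


def ios_commands(prefixes, next_hop):
    """IOS lines that remove the specific routes and add the summary."""
    nets = [ipaddress.ip_network(p) for p in prefixes]
    return [f"no {_route_cmd(n, next_hop)}" for n in nets] + \
           [_route_cmd(summary_route(prefixes), next_hop)]


# The four IPv4 and four IPv6 prefixes from sections 12.3 and 12.8.
V4_ROUTES = ["172.20.0.0/16", "172.21.0.0/16", "172.22.0.0/16", "172.23.0.0/16"]
V6_ROUTES = ["2001:db8:acad:1::/64", "2001:db8:acad:2::/64",
             "2001:db8:acad:3::/64", "2001:db8:acad:4::/64"]

if __name__ == "__main__":
    for prefixes, nh in ((V4_ROUTES, "serial 0/0/0"), (V6_ROUTES, "2001:db8:feed:1::2")):
        summary = summary_route(prefixes)
        print("\n".join(ios_commands(prefixes, nh)))
        print("extra space:", [str(n) for n in uncovered_space(prefixes, summary)])
```

For the IPv4 set the uncovered list is empty because 172.20/16 to 172.23/16 exactly fill the /14; for the IPv6 set it is not, which is the kind of over-summarisation worth confirming before removing the specific routes.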
13 Dynamic Routing
13.1 Check for Dynamic Routing Protocols
Determine which routing protocols are supported by the IOS:
R1(config)# router ?
or, for IPv6: R1(config)# ipv6 router ?
Verify the IPv4 routing protocol settings currently configured:
R1# show ip protocols
or, for IPv6: R1# show ipv6 protocols
13.2 Enable RIP or RIPv2 (IPv4)
R1(config)# router rip
Disable and eliminate RIP R1(config)# no router rip
Configure which locally connected networks should be advertised
R1(config-router)# network network-address
Example:
R1(config)# router rip
R1(config-router)# network 192.168.1.0
R1(config-router)# network 192.168.2.0
Enable RIPv2
R1(config)# router rip
R1(config-router)# version 2
Disable automatic network number summarization
R1(config-router)# no auto-summary
(RIPv2 must be enabled before automatic summarization is disabled.)
Configure passive interfaces (stop routing updates out of specified interfaces)
R1(config-router)# passive-interface intf
Example:
R1(config)# router rip
R1(config-router)# passive-interface serial 0/0/0
Stop routing updates out of all interfaces
R1(config-router)# passive-interface default
Re-enable routing updates out of a specified interface
R1(config-router)# no passive-interface gigabitethernet 0/1
Propagate a default route (configured on the edge router)
R1(config)# ip route 0.0.0.0 0.0.0.0 serial 0/0/0 192.168.6.2
R1(config)# router rip
R1(config-router)# default-information originate
13.3 Enable RIPng (IPv6)
R1(config-if)# ipv6 rip domain-name enable
Example:
R1(config)# ipv6 unicast-routing
R1(config)# interface g0/1
R1(config-if)# ipv6 rip RIP-AS enable
R1(config-if)# no shutdown
R1(config-if)# exit
R1(config)# interface s0/0/1
R1(config-if)# ipv6 rip RIP-AS enable
R1(config-if)# no shutdown
Propagate a default route (configured on the edge router)
R1(config)# ipv6 route 0::/0 2001:db8:feed:1::1
R1(config)# interface s0/0/1
R1(config-if)# ipv6 rip RIP-AS default-information originate
Display (only) the RIP routes from the IPv6 routing table R1# show ipv6 route rip
14 Single-Area OSPFv2 (IPv4) Enter router OSPF configuration mode
R1(config)# router ospf process-id
Example: R3(config)# router ospf 10
The process-id value represents a number between 1 and 65,535 and is selected by the network administrator. The process-id value is locally significant, which means that it does not have to be the same value on the other OSPF routers to establish adjacencies with those neighbors.
14.1 Router ID 14.1.1 Configure & Verify Router ID
R1(config-router)# router-id rid R1# show ip protocols
Example:
R3(config-router)# router-id 3.3.3.3
14.1.2 Modify Router ID Modify router ID by clearing the routing process
R1# clear ip ospf process Reset ALL OSPF processes? [no]: y
Verify (only Router ID section)
R1# show ip protocols | section Router ID
14.1.3 Using a Loopback Interface as the Router ID
R3(config)# interface loopback 0
R3(config-if)# ip address 3.3.3.3 255.255.255.255
R3(config-if)# end
14.2 Enable OSPF on Interfaces 14.2.1 Assigning Interfaces to an OSPF Area
R1(config-router)# network network-address wildcard-mask area area-id
Example:
R1(config-router)# network 172.16.1.0 0.0.0.255 area 0 R1(config-router)# network 10.10.10.0 0.0.0.3 area 0 R1(config-router)# network 10.10.10.4 0.0.0.3 area 0
14.2.2 Assigning Interfaces to an OSPF Area with a Quad Zero
As an alternative, OSPFv2 can be enabled using the interface IPv4 address with a quad 0 wildcard mask.
R1(config-router)# network intf-ip-address 0.0.0.0 area area-id
Example:
R1(config-router)# network 172.16.1.1 0.0.0.0 area 0
R1(config-router)# network 10.10.10.1 0.0.0.0 area 0
R1(config-router)# network 10.10.10.5 0.0.0.0 area 0
The advantage of specifying the interface is that the wildcard mask calculation is not necessary. OSPFv2 uses the interface address and subnet mask to determine the network to advertise.
14.2.3 Change the OSPF Interface Priority
The OSPF DR and BDR election decision is based on the following criteria:
Step 1: The routers in the network elect the router with the highest interface priority as the DR. The router with the second highest interface priority is elected as the BDR. The priority can be configured to be any number between 0 and 255. The higher the priority, the likelier the router will be selected as the DR. If the priority is set to 0, the router is not capable of becoming the DR. The default priority of multiaccess broadcast interfaces is 1. Therefore, unless otherwise configured, all routers have an equal priority value and must rely on another tie-breaking method during the DR/BDR election.
Step 2: If the interface priorities are equal, then the router with the highest router ID is elected the DR. The router with the second highest router ID is the BDR.
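Two pieces of 14.2 are arithmetic that is worth seeing in code: the wildcard mask is the bitwise inverse of the subnet mask, a network statement enables every interface whose address matches it in the bits where the wildcard is 0 (which is why a statement can silently enable more interfaces than intended), and the DR/BDR election of 14.2.3 is a sort by priority, then router ID, with priority 0 excluded. The Python example below is added here and is not from the original cheat sheet; the interface addresses and router IDs are constructed around the addresses used in the examples above.

```python
"""OSPFv2 network statements (wildcard and quad-zero forms), which
interfaces a statement enables, and the DR/BDR election of section 14.2.3.
Added example, not from the original cheat sheet."""
import ipaddress


def wildcard_mask(subnet_mask):
    """Inverse of a dotted subnet mask, e.g. 255.255.255.252 -> 0.0.0.3."""
    m = int(ipaddress.IPv4Address(subnet_mask))
    return str(ipaddress.IPv4Address(m ^ 0xFFFFFFFF))


def network_statements(interface_ip, subnet_mask, area=0):
    """Both forms of the network command for one interface:
    (network-address + wildcard, interface-address + quad zero)."""
    iface = ipaddress.IPv4Interface(f"{interface_ip}/{subnet_mask}")
    net = iface.network
    return (f"network {net.network_address} {wildcard_mask(subnet_mask)} area {area}",
            f"network {interface_ip} 0.0.0.0 area {area}")


def statement_matches(network_address, wildcard, interface_ip):
    """True if the interface address matches the statement: every bit where
    the wildcard is 0 must be identical; bits under a 1 are ignored."""
    n = int(ipaddress.IPv4Address(network_address))
    w = int(ipaddress.IPv4Address(wildcard))
    i = int(ipaddress.IPv4Address(interface_ip))
    fixed = ~w & 0xFFFFFFFF
    return (n & fixed) == (i & fixed)


def enabled_interfaces(statements, interfaces):
    """Map each interface name to the first statement that enables it
    (None if no statement matches). statements: [(network, wildcard), ...]."""
    return {name: next((s for s in statements if statement_matches(s[0], s[1], ip)), None)
            for name, ip in interfaces.items()}


def elect_dr_bdr(routers):
    """DR/BDR election: highest priority wins, ties broken by highest router
    ID; priority 0 makes a router ineligible. routers: [{router_id, priority}]."""
    eligible = [r for r in routers if r["priority"] > 0]
    ranked = sorted(eligible,
                    key=lambda r: (r["priority"], int(ipaddress.IPv4Address(r["router_id"]))),
                    reverse=True)
    dr = ranked[0]["router_id"] if ranked else None
    bdr = ranked[1]["router_id"] if len(ranked) > 1 else None
    return dr, bdr


# Constructed interfaces on R1 and the three statements from section 14.2.1.
INTERFACES = {"G0/0": "172.16.1.1", "S0/0/0": "10.10.10.1",
              "S0/0/1": "10.10.10.5", "Lo0": "192.168.99.1"}
STATEMENTS = [("172.16.1.0", "0.0.0.255"), ("10.10.10.0", "0.0.0.3"), ("10.10.10.4", "0.0.0.3")]

if __name__ == "__main__":
    print(network_statements("10.10.10.5", "255.255.255.252"))
    print(enabled_interfaces(STATEMENTS, INTERFACES))
    print(elect_dr_bdr([{"router_id": "1.1.1.1", "priority": 1},
                        {"router_id": "3.3.3.3", "priority": 1},
                        {"router_id": "2.2.2.2", "priority": 0}]))
```

One caveat the election function does not model: the real election is not pre-emptive, so raising a router's priority after a DR already exists does not displace it until the adjacency is reset (for example with the clear ip ospf process command shown in 14.1.2).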
14.2.4 Modify OSPFv2 Hello and Dead Intervals R1(config-if)# ip ospf hello-interval seconds R1(config-if)# ip ospf dead-interval seconds
Reset to default values (Hello = 10 s; Dead = 40 s):
R1(config-if)# no ip ospf hello-interval R1(config-if)# no ip ospf dead-interval
Verify OSPF intervals:
R1# show ip ospf interface interface R1# show ip ospf interface interface | include Timer
Verify OSPF timer activity:
R1# show ip ospf neighbor
14.2.5 Configure Passive Interfaces
R1(config-router)# passive-interface intf
Example: R1(config-router)# passive-interface GigabitEthernet 0/0
All interfaces can be made passive: R1(config-router)# passive-interface default
Re-enable an interface: R1(config-router)# no passive-interface GigabitEthernet 0/1
14.3 Propagating a Default Static Route in OSPF
To propagate a default route, the edge router (also called the entrance, gateway, or autonomous system boundary router, ASBR) must be configured with:
• A default static route using the ip route 0.0.0.0 0.0.0.0 {ip-address | exit-intf} command.
• The default-information originate router configuration mode command, which instructs the router to be the source of the default route information and propagate the default static route in OSPF updates.
14.4 OSPF Cost
14.4.1 Verify Cost of a Route (Metric)
14.4.2 Adjust Reference Bandwidth
OSPF uses a reference bandwidth of 100 Mb/s (cost = 1) for any links that are equal to or faster than a Fast Ethernet connection. To assist OSPF in making the correct path determination, the reference bandwidth must be changed to a higher value to accommodate networks with links faster than 100 Mb/s.
Gigabit Ethernet: R1(config-router)# auto-cost reference-bandwidth 1000
10 Gigabit Ethernet: R1(config-router)# auto-cost reference-bandwidth 10000
Return to default: R1(config-router)# auto-cost reference-bandwidth 100
OSPF cost if the reference bandwidth is set to Gigabit Ethernet:
14.4.3 Verify Link Cost
14.4.4 Adjust Interface Bandwidth Setting
Use the show interfaces command to view the interface bandwidth setting.
On Cisco routers, the default bandwidth on most serial interfaces is set to 1.544 Mb/s.
Adjust the interface bandwidth:
R1(config)# interface interface-id
R1(config-if)# bandwidth kilobits
Restore to the default value:
R1(config-if)# no bandwidth [kilobits]
14.4.5 Manually Setting the OSPF Cost
As an alternative to setting the default interface bandwidth, the cost can be manually configured on an interface.
R1(config)# interface interface-id
R1(config-if)# ip ospf cost value
Both the bandwidth interface command and the ip ospf cost interface command achieve the same result, which is to provide an accurate value for use by OSPF in determining the best route. An advantage of configuring a cost over setting the interface bandwidth is that the router does not have to calculate the metric when the cost is manually configured. In contrast, when the interface bandwidth is configured, the router must calculate the OSPF cost based on the bandwidth. The ip ospf cost command is useful in multi-vendor environments where non-Cisco routers may use a metric other than bandwidth to calculate the OSPF costs.
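The cost formula behind 14.4.2 to 14.4.5 is reference bandwidth divided by interface bandwidth, truncated to an integer and never below 1, with a manual ip ospf cost overriding the calculation. The Python example below is added here and is not from the original cheat sheet; it uses the 1.544 Mb/s serial default named in 14.4.4 and standard Ethernet rates to show why two Gigabit links and two Fast Ethernet links tie at the default reference bandwidth and separate once the reference is raised to 1000.

```python
"""OSPF interface and path cost from the reference bandwidth (sections
14.4.2 and 14.4.4) and the effect of a manual ip ospf cost (14.4.5).
Added example, not from the original cheat sheet."""

# Interface bandwidths in kbit/s, as 'show interfaces' reports them (BW ...).
BANDWIDTH_KBPS = {
    "serial (T1)": 1544,
    "FastEthernet": 100_000,
    "GigabitEthernet": 1_000_000,
    "TenGigabitEthernet": 10_000_000,
}


def ospf_cost(bandwidth_kbps, reference_mbps=100, manual_cost=None):
    """Cost the router uses for an interface: a manual 'ip ospf cost' wins;
    otherwise cost = reference bandwidth / interface bandwidth, truncated to
    an integer and never below 1 (so every link faster than the reference
    collapses to the same cost)."""
    if manual_cost is not None:
        return manual_cost
    reference_kbps = reference_mbps * 1000
    return max(1, reference_kbps // bandwidth_kbps)


def path_cost(link_bandwidths_kbps, reference_mbps=100):
    """Total OSPF cost of a path: the sum of the outgoing interface costs."""
    return sum(ospf_cost(bw, reference_mbps) for bw in link_bandwidths_kbps)


def cost_table(reference_mbps):
    """Cost of each interface type in BANDWIDTH_KBPS for one reference bandwidth."""
    return {name: ospf_cost(bw, reference_mbps) for name, bw in BANDWIDTH_KBPS.items()}


def preferred_path(paths, reference_mbps=100):
    """Names of the lowest-cost path(s); more than one name means equal-cost
    paths that OSPF would load-share over."""
    costs = {name: path_cost(links, reference_mbps) for name, links in paths.items()}
    best = min(costs.values())
    return sorted(name for name, c in costs.items() if c == best)


# Constructed topology: two hops over Gigabit versus two hops over Fast Ethernet.
PATHS = {"via-gigabit": [1_000_000, 1_000_000], "via-fastethernet": [100_000, 100_000]}

if __name__ == "__main__":
    for ref in (100, 1000, 10000):
        print(f"reference {ref} Mb/s:", cost_table(ref), "preferred:", preferred_path(PATHS, ref))
```

With the default reference bandwidth both paths cost 2 and OSPF load-shares across them, including the slower one; at 1000 the Gigabit path costs 2 and the Fast Ethernet path 20. The reference bandwidth must be changed on every router in the domain, otherwise routers compute different costs for the same links.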
14.5 Secure OSPF with MD5 Authentication
14.5.1 Enable OSPF MD5 Authentication Globally
R1(config-router)# area area-id authentication message-digest
R1(config-if)# ip ospf message-digest-key key md5 password
14.5.2 Enable OSPF MD5 Authentication on a Per-Interface Basis
R1(config-if)# ip ospf message-digest-key key md5 password
R1(config-if)# ip ospf authentication message-digest
14.6 Verify OSPF
14.6.1 Verify OSPF Neighbors
R1# show ip ospf neighbor
FULL state means that the router and its neighbor have identical OSPF LSDBs. On multiaccess networks such as Ethernet, two routers that are adjacent may have their states displayed as 2WAY. The dash indicates that no DR or BDR is required because of the network type. Two routers may not form an OSPF adjacency if:
• The subnet masks do not match, causing the routers to be on separate networks.
• OSPF Hello or Dead Timers do not match.
• OSPF Network Types do not match.
• There is a missing or incorrect OSPF network command.
14.6.2 Verify OSPF Protocol Settings
The show ip protocols command is a quick way to verify vital OSPF configuration information. This includes the OSPF process ID, the router ID, networks the router is advertising, the neighbors the router is receiving updates from, and the default administrative distance (default is 110 for OSPF).
R1# show ip protocols
14.6.3 Verify OSPF Process Information The show ip ospf command displays the OSPF area information and the last time the SPF algorithm was calculated. R1# show ip ospf
14.6.4 Verify OSPF Interface Settings
R1# show ip ospf interface [brief]
R1# show ip ospf interface interface
14.6.5 Verify the OSPF Learned Routes
Display only the OSPF learned routes in the routing table.
R1# show ip route ospf
14.6.6 Verify OSPF MD5 Authentication
R1# show ip ospf interface interface
R1# show ip ospf interface | include Message
15 Single-Area OSPFv3 (IPv6)
15.1 Differences between OSPFv2 and OSPFv3
15.2 Steps to Configure OSPFv3
15.3 Configure Link-Local Addresses
Unless configured manually, Cisco routers create the link-local address using the FE80::/10 prefix and the EUI-64 process. EUI-64 involves using the 48-bit Ethernet MAC address, inserting FFFE in the middle and flipping the seventh bit. For serial interfaces, Cisco uses the MAC address of an Ethernet interface. Configuring the link-local address manually provides the ability to create an address that is recognizable and easier to remember. As well, a router with several interfaces can assign the same link-local address to each IPv6 interface. This is because the link-local address is only required for local communications.
R1(config)# interface GigabitEthernet 0/0
R1(config-if)# ipv6 address FE80::1 link-local
R1(config-if)# exit
R1(config)# interface Serial 0/0/0
R1(config-if)# ipv6 address FE80::1 link-local
R1(config-if)# exit
R1(config)# interface Serial 0/0/1
R1(config-if)# ipv6 address FE80::1 link-local
R1(config-if)# exit
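The EUI-64 process described above is short enough to implement and check by hand. The Python example below is added here and is not from the original cheat sheet: it derives the interface identifier and the resulting fe80:: link-local address from a MAC address, and also performs the reverse mapping, which is the reason operators sometimes prefer a manually configured link-local address such as the FE80::1 above: an EUI-64 address reveals the interface's hardware address to every neighbour on the link. The MAC addresses in the test are constructed.

```python
"""EUI-64 interface identifier and link-local address from a MAC address,
as described in section 15.3, plus the reverse mapping that shows an
EUI-64 address reveals the hardware address. Added example, not from the
original cheat sheet."""
import ipaddress


def _mac_bytes(mac):
    """Accept 00:11:22:33:44:55, 00-11-22-33-44-55 or Cisco's fc99.4775.c3e0."""
    digits = mac.lower().replace(":", "").replace("-", "").replace(".", "")
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac}")
    return bytearray.fromhex(digits)


def eui64_interface_id(mac):
    """64-bit interface ID: split the MAC in the middle, insert FF:FE, and
    flip the universal/local bit (the seventh bit of the first byte)."""
    b = _mac_bytes(mac)
    b[0] ^= 0x02                                   # the "seventh bit" flip
    eui = bytes(b[:3]) + b"\xff\xfe" + bytes(b[3:])
    return ":".join(f"{eui[i]:02x}{eui[i + 1]:02x}" for i in range(0, 8, 2))


def link_local_from_mac(mac):
    """The fe80::/64 address a router derives when no link-local is configured."""
    return str(ipaddress.IPv6Address("fe80::" + eui64_interface_id(mac)))


def mac_from_eui64(address):
    """Recover the MAC from an EUI-64 based address, or None when the
    interface ID was not built from a MAC (no FF:FE in the middle)."""
    iid = ipaddress.IPv6Address(address).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    b = bytearray(iid[:3] + iid[5:])
    b[0] ^= 0x02                                   # undo the bit flip
    return ":".join(f"{x:02x}" for x in b)


if __name__ == "__main__":
    for mac in ("00:11:22:33:44:55", "fc99.4775.c3e0"):   # constructed MACs
        ll = link_local_from_mac(mac)
        print(mac, "->", ll, "->", mac_from_eui64(ll))
```

The bit that is flipped is the universal/local bit of the OUI; IPv6 sets it to 1 for globally unique (manufacturer-assigned) MACs, which is why a typical 00: prefix becomes 02: in the address.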
15.4 OSPFv3 Router ID Enter router OSPFv3 configuration mode
R1(config)# ipv6 router ospf process-id
Example:
R3(config)# ipv6 router ospf 10
15.4.1 Configure & Verify OSPFv3 Router ID
R1(config-rtr)# router-id rid
R1# show ipv6 protocols
Example:
15.4.2 Modify OSPFv3 Router ID
R1(config)# ipv6 router ospf 10
R1(config-rtr)# router-id 1.1.1.1
R1(config-rtr)# end
R1# clear ipv6 ospf process
Reset ALL OSPF processes? [no]: y
R1# show ipv6 protocols
15.5 Enable OSPFv3 on Interfaces OSPFv3 uses a different method to enable an interface for OSPF. Instead of using the network router configuration mode command to specify matching interface addresses, OSPFv3 is configured directly on the interface. R1(config-if)# ipv6 ospf process-id area area-id
15.6 Modify OSPFv3 Hello and Dead Intervals
R1(config-if)# ipv6 ospf hello-interval seconds R1(config-if)# ipv6 ospf dead-interval seconds
Reset to default values (Hello = 10 s; Dead = 40 s):
R1(config-if)# no ipv6 ospf hello-interval R1(config-if)# no ipv6 ospf dead-interval
Verify OSPF intervals:
R1# show ipv6 ospf interface interface
R1# show ipv6 ospf interface interface | include Timer
Verify OSPF timer activity:
R1# show ipv6 ospf neighbor
15.7 Propagating a Default Static Route in OSPFv3
To propagate a default route, the edge router (also called the entrance, gateway, or autonomous system boundary router, ASBR) must be configured with:
• A default static route using the ipv6 route ::/0 {ipv6-address | exit-intf} command.
• The default-information originate router configuration mode command, which instructs the router to be the source of the default route information and propagate the default static route in OSPF updates.
15.8 Verify OSPFv3 15.8.1 Verify OSPFv3 Neighbors
R1# show ipv6 ospf neighbor
15.8.2 Verify OSPFv3 Protocol Settings R1# show ipv6 protocols
15.8.3 Verify OSPF Process Information R1# show ipv6 ospf
15.8.4 Verify OSPFv3 Interface Settings
R1# show ipv6 ospf interface [brief]
R1# show ipv6 ospf interface serial 0/0/1
15.8.5 Verify the IPv6 Routing Table R1# show ipv6 route ospf
16 Multiarea OSPF
16.1 Configure Multiarea OSPFv2
A router simply becomes an Area Border Router (ABR) when it has two network statements in different areas.
16.2 OSPF Route Summarization 16.2.1 Interarea Route Summarization
Interarea route summarization occurs on Area Border Routers (ABRs) and applies to routes from within each area. It does not apply to external routes injected into OSPF via redistribution.
16.2.2 External Route Summarization External route summarization is specific to external routes that are injected into OSPF via route redistribution. Again, it is important to ensure the contiguity of the external address ranges that are being summarized. Generally, only Autonomous System Boundary Routers (ASBRs) summarize external routes. External route summarization is configured on ASBRs using the summary-address address mask router configuration mode command. R2(config-router)# summary-address 172.16.0.0 255.255.224.0
16.3 Configure Multiarea OSPFv3
16.4 Verify Multiarea OSPF
The same verification commands used to verify single-area OSPF can also be used to verify the multiarea OSPF topology:
• show ip ospf neighbor
• show ip ospf
• show ip ospf interface
Commands that verify specific multiarea information include:
• show ip protocols
• show ip ospf interface brief
• show ip route ospf
• show ip ospf database
Note: For the equivalent OSPFv3 command, simply substitute ip with ipv6.
17 EIGRP for IPv4
R1(config)# router eigrp autonomous-system
Example:
R1(config)# router eigrp 1
The autonomous-system argument can be assigned to any 16-bit value between 1 and 65,535. All routers within the EIGRP routing domain must use the same autonomous system number.
Remove the EIGRP routing process:
R1(config)# no router eigrp autonomous-system
17.1 Router ID
17.1.1 Configure & Verify Router ID
R1(config-router)# eigrp router-id ipv4-address
R1# show ip protocols
17.1.2 Using a Loopback Interface as the Router ID
R3(config)# interface loopback 0
R3(config-if)# ip address 3.3.3.3 255.255.255.255
R3(config-if)# end
17.2 The network Command
• Enables any interface on this router that matches the network address in the network router configuration mode command to send and receive EIGRP updates.
• The network of the interfaces is included in EIGRP routing updates.
To configure EIGRP to advertise specific subnets only, use the wildcard-mask option with the network command:
R1(config-router)# network network-address [wildcard-mask]
Some IOS versions also let you enter the subnet mask instead of a wildcard mask. However, if the subnet mask is used, the IOS converts the command to the wildcard-mask format within the configuration.
17.3 Passive Interfaces
There are two primary reasons for enabling the passive-interface command:
• To suppress unnecessary update traffic, such as when an interface is a LAN interface with no other routers connected
• To increase security controls, such as preventing unknown rogue routing devices from receiving EIGRP updates
R1(config)# router eigrp as-number
R1(config-router)# passive-interface interface-type interface-number
To configure all interfaces as passive, use the passive-interface default command. To disable an interface as passive, use the no passive-interface interface-type interface-number command.
17.4 Automatic Summarization
17.4.1 Configure EIGRP Automatic Summarization
R1(config)# router eigrp as-number
R1(config-router)# auto-summary
17.4.2 Verify Auto-Summary
EIGRP for IPv4 automatically includes a Null0 summary route whenever the following conditions exist:
• There is at least one subnet that was learned via EIGRP.
• There are two or more network EIGRP router configuration mode commands.
• Automatic summarization is enabled.
The Null0 interface is a virtual IOS interface that is a route to nowhere, commonly known as "the bit bucket." Packets that match a route with a Null0 exit interface are discarded. The purpose of the Null0 summary route is to prevent routing loops for destinations that are included in the summary, but do not actually exist in the routing table.
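The contiguity requirement in 16.2.2 and the Null0 discard route described above are two sides of the same calculation. The following Python, added here as an illustration and not taken from the cheat sheet, computes the summary prefix for a set of subnets (giving the 172.16.0.0 255.255.224.0 summary used earlier), reports any address space the summary would advertise that no member subnet covers, and then runs a longest-prefix-match lookup over a constructed routing table in which the summary points to Null0. The routing table, interface names and sample destinations are assumptions for the example.

```python
import ipaddress


def summarize(networks):
    """Return the smallest single prefix that covers every network given.

    This is the arithmetic behind an OSPF 'summary-address' or an EIGRP
    'ip summary-address eigrp' statement: keep the leading bits that the first
    and last addresses of the range share, and drop everything after them.
    """
    nets = sorted(ipaddress.ip_network(n) for n in networks)
    first = int(nets[0].network_address)
    last = int(nets[-1].broadcast_address)
    bits = nets[0].max_prefixlen
    prefixlen = bits
    while prefixlen > 0 and (first >> (bits - prefixlen)) != (last >> (bits - prefixlen)):
        prefixlen -= 1
    base = (first >> (bits - prefixlen)) << (bits - prefixlen)
    return ipaddress.ip_network(f"{ipaddress.ip_address(base)}/{prefixlen}")


def uncovered(summary, networks):
    """Address space inside the summary that no member network covers.

    A non-empty result means the range is not contiguous: the summary would
    advertise destinations that do not exist behind the summarizing router.
    """
    remaining = [ipaddress.ip_network(summary)]
    for member in (ipaddress.ip_network(n) for n in networks):
        kept = []
        for block in remaining:
            if member.subnet_of(block):
                kept.extend(block.address_exclude(member))  # carve the member out
            elif not block.subnet_of(member):
                kept.append(block)  # disjoint block: untouched
        remaining = kept
    return sorted(remaining)


def lookup(routes, destination):
    """Longest-prefix match over (prefix, exit) pairs, as the routing table does."""
    dst = ipaddress.ip_address(destination)
    best = None
    for prefix, exit_via in routes:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, exit_via)
    return best[1] if best else None


# Constructed routing table (assumption): the /19 summary is installed toward
# Null0 on the summarizing router, next to the specific subnets it really has.
ROUTES = [
    ("0.0.0.0/0", "Serial0/0/1"),            # default route toward the ISP
    ("172.16.0.0/19", "Null0"),              # summary route, discard interface
    ("172.16.1.0/24", "GigabitEthernet0/0"),
    ("172.16.2.0/24", "GigabitEthernet0/1"),
]

if __name__ == "__main__":
    whole_range = [f"172.16.{i}.0/24" for i in range(32)]
    s = summarize(whole_range)
    print(s, s.netmask)                                     # 172.16.0.0/19 255.255.224.0
    print(uncovered("172.16.0.0/22", ["172.16.1.0/24", "172.16.2.0/24"]))
    # A destination inside the summary but in no real subnet hits Null0 and is
    # discarded instead of bouncing along the default route.
    print(lookup(ROUTES, "172.16.1.10"), lookup(ROUTES, "172.16.9.1"))
```

The lookup of 172.16.9.1 is the loop-prevention case from the text: without the Null0 entry the packet would match only the default route and be sent back upstream, where the summary would send it here again.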
17.5 Manual Summarization
17.5.1 Configure EIGRP Manual Summarization
R1(config)# interface interface-type interface-number
R1(config-if)# ip summary-address eigrp as-number network-address subnet-mask
Note: Summary routes have to be configured on all interfaces that send EIGRP packets.
17.5.2 Verify Manual Summary
17.6 Propagating a Default Static Route 17.6.1 Configure a Default Static Route in EIGRP
17.6.2 Verify Default Static Route in EIGRP
17.7 Fine-tuning EIGRP Interfaces
17.7.1 EIGRP Bandwidth
By default, EIGRP uses only up to 50 percent of an interface's bandwidth for EIGRP information. This prevents the EIGRP process from over-utilizing a link and not allowing enough bandwidth for the routing of normal traffic.
R1(config-if)# ip bandwidth-percent eigrp as-number percent
17.7.2 Hello Intervals and Hold Timers
R1(config-if)# ip hello-interval eigrp as-number seconds
R1(config-if)# ip hold-time eigrp as-number seconds
17.7.3 Load Balancing
Cisco IOS, by default, allows load balancing using up to four equal-cost paths; however, this can be modified: up to 32 equal-cost routes can be kept in the routing table.
R1(config-router)# maximum-paths value
17.8 MD5 Authentication
Step 1: Create a keychain and key
a) In global configuration mode, create the keychain.
b) Specify the key ID which is used to identify an authentication key within a keychain. The range of keys is from 0 to 2,147,483,647. It is recommended that the key number be the same on all routers in the configuration.
c) Specify the key string for the key. The key string is similar to a password. Routers exchanging authentication keys must be configured using the same key string.
Step 2: Configure EIGRP authentication using keychain and key
a) In global configuration mode, specify the interface on which to configure EIGRP message authentication.
b) Enable EIGRP message authentication. The md5 keyword indicates that the MD5 hash is to be used for authentication.
c) Specify the keychain that should be used for authentication. The name-of-chain argument specifies the keychain that was created in Step 1.
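A simplified model of what Steps 1 and 2 set up, written in Python as an added example (it is neither IOS code nor the EIGRP on-wire format): a key chain maps key IDs to key strings, the sender attaches the key ID and an MD5 digest computed over the packet plus the key string, and the receiver recomputes the digest with the key it finds under that ID. The key chain contents and the hello payloads are constructed for the example. It shows why the key ID and the key string must match on both routers: a mismatch on either side fails verification, so no adjacency forms.

```python
import hashlib
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class Key:
    """One 'key N / key-string S' entry of an IOS key chain."""
    key_id: int       # 0 .. 2,147,483,647 on IOS
    key_string: str   # shared secret; must be identical on both neighbours


def key_chain(*keys):
    """Build the lookup a 'key chain NAME' provides: key ID -> key."""
    return {k.key_id: k for k in keys}


def sign(payload, key):
    """Sender side (simplified model of EIGRP MD5 authentication).

    The packet carries the key ID in clear plus an MD5 digest computed over the
    packet contents and the key string. The secret itself never goes on the wire.
    """
    digest = hashlib.md5(payload + key.key_string.encode()).hexdigest()
    return key.key_id, digest


def verify(payload, key_id, digest, chain):
    """Receiver side: find the advertised key ID in the local key chain and
    recompute the digest. An unknown key ID, a different key string or an
    altered payload all fail, so no adjacency forms with that neighbour."""
    key = chain.get(key_id)
    if key is None:
        return False
    expected = hashlib.md5(payload + key.key_string.encode()).hexdigest()
    return hmac.compare_digest(expected, digest)  # constant-time comparison


def adjacency_forms(local_chain, local_key_id, remote_chain, remote_key_id):
    """Both routers must accept each other's hellos for an adjacency to come up."""
    hello_local = b"EIGRP-IPv4 AS1 hello from R1"    # constructed sample packets
    hello_remote = b"EIGRP-IPv4 AS1 hello from R2"
    ok_at_remote = verify(hello_local, *sign(hello_local, local_chain[local_key_id]), remote_chain)
    ok_at_local = verify(hello_remote, *sign(hello_remote, remote_chain[remote_key_id]), local_chain)
    return ok_at_remote and ok_at_local


if __name__ == "__main__":
    r1 = key_chain(Key(1, "EIGRP-secret"))           # constructed sample secrets
    r2_good = key_chain(Key(1, "EIGRP-secret"))
    r2_wrong_string = key_chain(Key(1, "eigrp-secret"))
    r2_wrong_id = key_chain(Key(2, "EIGRP-secret"))
    print(adjacency_forms(r1, 1, r2_good, 1))          # True
    print(adjacency_forms(r1, 1, r2_wrong_string, 1))  # False
    print(adjacency_forms(r1, 1, r2_wrong_id, 2))      # False
```

The failing cases are exactly the ones the verification step below surfaces: the neighbour never reappears in show ip eigrp neighbors until both the key ID and the key string agree.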
Verify EIGRP MD5 authentication:
Adjacencies are only formed when both connecting devices have authentication configured. To verify that the correct EIGRP adjacencies were formed after being configured for authentication, use the show ip eigrp neighbors command on each router.
After EIGRP message authentication is configured on one router, any adjacent neighbors that have not yet been configured for authentication are no longer EIGRP neighbors; the following IOS message appears:
%DUAL-5-NBRCHANGE: EIGRP-IPv4 1: Neighbor 172.16.3.2 (Serial0/0/0) is down: authentication mode changed
When the adjacent interface is configured, the adjacency is re-established and the following IOS message is displayed:
%DUAL-5-NBRCHANGE: EIGRP-IPv4 1: Neighbor 172.16.3.2 (Serial0/0/0) is up: new adjacency
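To spot these messages in a log feed during an authentication rollout, the following Python (an added example, not from the cheat sheet) parses %DUAL-5-NBRCHANGE lines and separates neighbours that went down for authentication and came back from those that are still down or that dropped for an unrelated reason. The log lines are constructed from the two messages above; the timestamps and the third neighbour are assumptions for the example.

```python
import re

# Field layout of the neighbour change message shown on this page.
NBRCHANGE = re.compile(
    r"%DUAL-5-NBRCHANGE: EIGRP-(?P<af>IPv4|IPv6) (?P<asn>\d+): "
    r"Neighbor (?P<neighbor>\S+) \((?P<interface>[^)]+)\) is (?P<state>up|down): (?P<reason>.+)$"
)

# Constructed sample log (assumption); the first two EIGRP lines reproduce the
# messages quoted above, with a 'service timestamps log datetime msec' prefix.
SAMPLE_LOG = [
    "*Nov 16 10:02:13.411: %DUAL-5-NBRCHANGE: EIGRP-IPv4 1: Neighbor 172.16.3.2 (Serial0/0/0) is down: authentication mode changed",
    "*Nov 16 10:02:51.907: %DUAL-5-NBRCHANGE: EIGRP-IPv4 1: Neighbor 172.16.3.2 (Serial0/0/0) is up: new adjacency",
    "*Nov 16 10:05:10.004: %DUAL-5-NBRCHANGE: EIGRP-IPv4 1: Neighbor 192.168.10.2 (GigabitEthernet0/1) is down: holding time expired",
    "*Nov 16 10:05:11.500: %SYS-5-CONFIG_I: Configured from console by console",
]


def parse_nbrchange(line):
    """Return the fields of a %DUAL-5-NBRCHANGE line, or None for any other message."""
    m = NBRCHANGE.search(line)
    if not m:
        return None
    fields = m.groupdict()
    fields["reason"] = fields["reason"].strip()
    return fields


def auth_rollout_report(lines):
    """Replay the log per neighbour and classify the final state.

    recovered:  went down with an authentication reason, later came back up
                (the expected sequence while authentication is being enabled)
    still_down: last event is an authentication-related down (key ID or key
                string mismatch, or the neighbour not configured yet)
    other_down: last event is a down for an unrelated reason, e.g. a timer
    """
    history = {}
    for line in lines:
        ev = parse_nbrchange(line)
        if ev:
            history.setdefault(ev["neighbor"], []).append((ev["state"], ev["reason"]))
    recovered, still_down, other_down = [], [], []
    for nbr, events in history.items():
        state, reason = events[-1]
        auth_drop = any(s == "down" and "auth" in r.lower() for s, r in events)
        if state == "up" and auth_drop:
            recovered.append(nbr)
        elif state == "down" and "auth" in reason.lower():
            still_down.append(nbr)
        elif state == "down":
            other_down.append((nbr, reason))
    return {"recovered": recovered, "still_down": still_down, "other_down": other_down}


if __name__ == "__main__":
    print(parse_nbrchange(SAMPLE_LOG[0]))
    print(auth_rollout_report(SAMPLE_LOG))
```

A neighbour that stays in still_down after every router has been configured is the case to chase with show ip eigrp neighbors and a comparison of the key chains on both ends.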
17.9 Troubleshoot EIGRP
17.10 Verify EIGRP for IPv4
17.10.1 Examine Neighbors
17.10.2 Examine the IPv4 Routing Table
17.10.3 Examine Routing Protocol Processes
Default Administrative Distances:
17.10.4 Examine Topology Table
All links can be displayed using the show ip eigrp topology all-links command.
18 EIGRP for IPv6
18.1 Configure IPv6 Link-local Addresses
Verify link-local addresses:
18.2 Configure EIGRP for IPv6
R1(config)# ipv6 router eigrp autonomous-system
R1(config-rtr)# eigrp router-id ipv4-address
R1(config-rtr)# no shutdown
18.3 Enable EIGRP for IPv6 on Interfaces
R1(config-if)# ipv6 eigrp autonomous-system
18.4 Passive Interfaces
18.5 Manual Summarization
Note: Autosummarization is not available for EIGRP IPv6 networks.
18.5.1 Configure EIGRP Manual Summarization
R1(config-if)# ipv6 summary-address eigrp as-number prefix/prefix-length
18.5.2 Verify Manual Summary
18.6 Propagating a Default Static Route 18.6.1 Configure a Default Static Route in EIGRP
18.6.2 Verify Default Static Route in EIGRP
18.7 Fine-tuning EIGRP Interfaces
18.7.1 EIGRP Bandwidth
By default, EIGRP uses only up to 50 percent of an interface's bandwidth for EIGRP information.
R1(config-if)# ipv6 bandwidth-percent eigrp as-number percent
18.7.2 Hello Intervals and Hold Timers
R1(config-if)# ipv6 hello-interval eigrp as-number seconds
R1(config-if)# ipv6 hold-time eigrp as-number seconds
18.8 MD5 Authentication
The algorithms and the configuration to authenticate EIGRP for IPv6 messages are the same as for EIGRP for IPv4. The only difference is that the interface configuration mode commands use ipv6 instead of ip.
R1(config-if)# ipv6 authentication mode eigrp as-number md5
R1(config-if)# ipv6 authentication key-chain eigrp as-number name-of-chain
Example:
18.9 Troubleshoot EIGRP
The following commands are used with EIGRP for IPv6:
• R1# show ipv6 eigrp neighbors
• R1# show ipv6 route
• R1# show ipv6 protocols
18.10 Verify EIGRP for IPv6
18.10.1 Examine Neighbors
18.10.2 Examine IPv6 Routing Protocol Processes
18.10.3 Examine the IPv6 Routing Table
19 Access Control Lists (ACLs)
19.1 Numbered and Named ACLs
19.2 Wildcard Bit Mask Abbreviations
The host keyword substitutes for the 0.0.0.0 mask. This mask states that all IPv4 address bits must match, so only one host is matched.
Example: Instead of entering 192.168.10.10 0.0.0.0, you can use host 192.168.10.10.
The any option substitutes for the IP address and 255.255.255.255 mask. This mask says to ignore the entire IPv4 address, that is, to accept any address.
Example: Instead of entering 0.0.0.0 255.255.255.255, you can use the keyword any.
19.3 The Implied "Deny All Traffic" Criteria Statement
By default, there is an implied deny at the end of all ACLs for traffic that was not matched to a configured entry. A single-entry ACL with only one deny entry, or an ACL without any entry, has the effect of denying all traffic. At least one permit ACE must be configured in an ACL or all traffic is blocked.
Although all ACLs end with an implicit deny statement, we recommend the use of an explicit deny statement. You can display the count of packets denied by issuing the show access-list command. Because only packets denied by explicit deny statements are counted, you will find out more about who your access list is disallowing if an explicit deny statement exists.
Standard ACL:
R1(config)# access-list 1 deny any
Extended ACL:
R1(config)# access-list 100 deny ip any any
IPv6 ACL:
R1(config-ipv6-acl)# deny ipv6 any any
19.4 Standard ACLs (IPv4)
19.4.1 Configure Standard ACL
R1(config)# access-list access-list-number {deny | permit | remark} source [source-wildcard] [log]
Examples:
R1(config)# access-list 1 remark Permit hosts from the 192.168.10.0 LAN
R1(config)# access-list 1 permit 192.168.10.0 0.0.0.255
R1(config)# access-list 1 deny 192.168.0.0 0.0.255.255
Remove ACL (from router):
R1(config)# no access-list 1
19.4.2 Apply Standard ACL to Interfaces
R1(config-if)# ip access-group {access-list-number | access-list-name} {in | out}
Remove ACL (from interface):
R1(config-if)# no ip access-group 1
19.4.3 Named Standard ACL
R1(config)# ip access-list [standard | extended] name
R1(config-std-nacl)# [deny | permit | remark] {source [source-wildcard]} [log]
R1(config-if)# ip access-group name [in | out]
Example:
19.4.4 Commenting ACLs
R1(config)# access-list access-list_number remark remark
R1(config-std-nacl)# remark remark
Remove remark:
R1(config)# no access-list access-list_number remark remark
R1(config-std-nacl)# no remark remark
19.4.5 Edit Standard Numbered ACL
Edit Numbered ACL using a text editor:
19.4.6 Edit Standard Named ACL
Add a line to a named ACL:
19.4.7 Using a Standard ACL to Secure VTY Access If the Cisco IOS software on your router does not support SSH, you can improve the security of administrative lines by restricting VTY access (define which IP addresses are allowed Telnet access to the router). You can also use this technique with SSH to further improve administrative access security.
19.5 Extended ACLs (IPv4)
19.5.1 Configure Extended ACL
R1(config)# access-list access-list-number {deny | permit | remark} protocol source [source-wildcard] [operator operand] [port port-number or name] destination [destination-wildcard] [operator operand] [port port-number or name] [established]
Examples:
Generating port numbers:
R1(config)# access-list 100 permit tcp any any eq ?
19.5.2 Apply Extended ACL to Interfaces
R1(config-if)# ip access-group { access-list-number | access-list-name } { in | out }
19.5.3 Filter Traffic with Extended ACL
The example shown denies FTP traffic from subnet 192.168.11.0 going to subnet 192.168.10.0, but permits all other traffic. FTP uses TCP ports 20 and 21; therefore the ACL requires both port name keywords ftp and ftp-data to deny FTP. If using port numbers instead of port names, the commands would be written as:
access-list 101 deny tcp 192.168.11.0 0.0.0.255 192.168.10.0 0.0.0.255 eq 20
access-list 101 deny tcp 192.168.11.0 0.0.0.255 192.168.10.0 0.0.0.255 eq 21
To prevent the implied deny any statement at the end of the ACL from blocking all traffic, the permit ip any any statement is added.
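The rules in 19.2 (host/any abbreviations), 19.3 (implicit deny and counters) and this FTP example come together in the following Python, added here as a worked example and not part of the original cheat sheet. It converts a subnet mask to a wildcard mask as IOS does for the network command in 17.2, evaluates an extended ACL top-down with wildcard matching, and keeps per-ACE hit counters alongside a separate counter for the implicit deny that show access-lists never displays. Only the eq operator on the destination port and a handful of port-name keywords are modelled; those simplifications are assumptions of the example.

```python
import ipaddress

# Subset of the IOS port-name keywords (assumption: enough for this example).
PORT_NAMES = {"ftp-data": 20, "ftp": 21, "telnet": 23, "domain": 53, "www": 80}


def wildcard_from_mask(mask):
    """Subnet mask -> wildcard mask (bitwise inverse), the conversion IOS applies
    when a subnet mask is typed where a wildcard mask is expected."""
    return str(ipaddress.ip_address(int(ipaddress.ip_address(mask)) ^ 0xFFFFFFFF))


def wildcard_match(address, target, wildcard):
    """A 0 bit in the wildcard must match exactly; a 1 bit is ignored."""
    care = ~int(ipaddress.ip_address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.ip_address(address)) & care) == (int(ipaddress.ip_address(target)) & care)


def take_address(tokens):
    """Consume one source/destination spec: 'any', 'host A' or 'A WILDCARD'.
    Returns (address, wildcard, remaining tokens)."""
    if tokens[0] == "any":                        # any == 0.0.0.0 255.255.255.255
        return "0.0.0.0", "255.255.255.255", tokens[1:]
    if tokens[0] == "host":                       # host A == A 0.0.0.0
        return tokens[1], "0.0.0.0", tokens[2:]
    return tokens[0], tokens[1], tokens[2:]


def parse_ace(text):
    """Parse an extended ACE such as
    'deny tcp 192.168.11.0 0.0.0.255 192.168.10.0 0.0.0.255 eq ftp'."""
    tokens = text.split()
    action, proto = tokens[0], tokens[1]
    src, src_wc, rest = take_address(tokens[2:])
    dst, dst_wc, rest = take_address(rest)
    dport = None
    if rest and rest[0] == "eq":                  # only 'eq <port>' on the destination is modelled
        dport = PORT_NAMES.get(rest[1]) or int(rest[1])
    return {"text": text, "action": action, "proto": proto,
            "src": (src, src_wc), "dst": (dst, dst_wc), "dport": dport}


class AccessList:
    """Top-down ACE evaluation with the implicit 'deny ip any any' at the end."""

    def __init__(self, aces):
        self.aces = [parse_ace(a) for a in aces]
        self.hits = [0] * len(self.aces)
        self.implicit_denies = 0   # never visible in 'show access-lists'

    def evaluate(self, src, dst, proto, dport=None):
        for i, ace in enumerate(self.aces):
            if ace["proto"] not in ("ip", proto):      # 'ip' matches every protocol
                continue
            if not wildcard_match(src, *ace["src"]) or not wildcard_match(dst, *ace["dst"]):
                continue
            if ace["dport"] is not None and ace["dport"] != dport:
                continue
            self.hits[i] += 1                          # first match wins
            return ace["action"]
        self.implicit_denies += 1
        return "deny"

    def counters(self):
        """What 'show access-lists' would report: explicit ACE matches only."""
        return [(ace["text"], n) for ace, n in zip(self.aces, self.hits)]


# ACL 101 from this section, written with port-name keywords.
ACL_101 = [
    "deny tcp 192.168.11.0 0.0.0.255 192.168.10.0 0.0.0.255 eq ftp",
    "deny tcp 192.168.11.0 0.0.0.255 192.168.10.0 0.0.0.255 eq ftp-data",
    "permit ip any any",
]

if __name__ == "__main__":
    acl = AccessList(ACL_101)
    print(acl.evaluate("192.168.11.5", "192.168.10.3", "tcp", 21))   # deny
    print(acl.evaluate("192.168.11.5", "192.168.10.3", "tcp", 80))   # permit
    print(acl.counters())
    only_deny = AccessList(["deny tcp host 192.168.11.10 any eq telnet"])
    print(only_deny.evaluate("10.0.0.1", "10.0.0.2", "icmp"), only_deny.counters(), only_deny.implicit_denies)
```

The last three lines are the point of 19.3: the ICMP packet is dropped, but the drop shows up nowhere in the counters because no explicit deny matched it.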
19.5.4 Named Extended ACL
R1(config)# ip access-list [standard | extended] name
R1(config-ext-nacl)# [deny | permit | remark] {source [source-wildcard]} [log]
R1(config-if)# ip access-group name [in | out]
Remove ACL from router:
R1(config)# no ip access-list extended name
Remove Named Extended ACL from interface:
R1(config-if)# no ip access-group name
19.5.5 Edit Extended ACL
19.6 IPv6 ACLs
19.6.1 Default IPv6 ACL Statements
IPv6 includes an implicit "Deny All Traffic" statement at the end of each ACL (similar to every IPv4 standard or extended ACL):
deny ipv6 any any
The difference is that IPv6 also includes two other implicit statements by default:
permit icmp any any nd-na
permit icmp any any nd-ns
These two statements allow the router to participate in the IPv6 equivalent of ARP for IPv4. Recall that ARP (Layer 2) is used in IPv4 to resolve Layer 3 addresses to Layer 2 MAC addresses. IPv6 uses ICMP Neighbor Discovery (ND, Layer 3) messages to accomplish the same thing. ND uses Neighbor Solicitation (NS) and Neighbor Advertisement (NA) messages.
19.6.2 Configure IPv6 ACL
Examples:
R1(config)# ipv6 access-list NO-R3-LAN-ACCESS
R1(config-ipv6-acl)# deny ipv6 2001:db8:cafe:30::/64 any
R1(config-ipv6-acl)# permit ipv6 any any
R1(config-ipv6-acl)# end
R1(config)# ipv6 access-list NO-FTP-TO-LAN-11
R1(config-ipv6-acl)# deny tcp any 2001:db8:cafe:11::/64 eq ftp
R1(config-ipv6-acl)# deny tcp any 2001:db8:cafe:11::/64 eq ftp-data
R1(config-ipv6-acl)# permit ipv6 any any
R1(config-ipv6-acl)# exit
R1(config)# interface g0/0
R1(config-if)# ipv6 traffic-filter NO-FTP-TO-LAN-11 in
R1(config-if)# end
19.6.3 Apply IPv6 ACL to Interfaces
R1(config-if)# ipv6 traffic-filter access-list-name { in | out }
19.7 Verify ACLs
R1# show access-lists
Clear counters:
R1# clear access-list counters access-list_number
R1# show ip interface interface
R1# show ipv6 interface interface
R1# show running-config
20 DHCP
20.1 Basic DHCPv4 Configuration Exclude specific address range (for routers, servers, printers, etc.):
R1(config)# ip dhcp excluded-address low-address [high-address]
Configuring a DHCPv4 pool:
R1(config)# ip dhcp pool pool-name
Configuring specific tasks (in DHCPv4 configuration mode):
Example:
Disable / re-enable the DHCPv4 service:
R1(config)# no service dhcp
R1(config)# service dhcp
20.2 Verify DHCPv4
R1# show running-config | section dhcp
R1# show ip dhcp binding
R1# show ip dhcp server statistics
20.3 DHCPv4 Relay
R1(config-if)# ip helper-address dhcp-server-address
By default, the ip helper-address command forwards the following eight UDP services:
• Time (Port 37)
• TACACS (Port 49)
• DNS (Port 53)
• DHCP/BOOTP client (Port 67)
• DHCP/BOOTP server (Port 68)
• TFTP (Port 69)
• NetBIOS name service (Port 137)
• NetBIOS datagram service (Port 138)
20.4 Configure a Router as DHCP Client
R1(config-if)# ip address dhcp
20.5 Verify DHCPv4 Relay & Services
R1# show running-config | section interface interface-id
In the figure, the show running-config | include no service dhcp command verifies that the DHCPv4 service is enabled since there is no match for no service dhcp. If the service had been disabled, the no service dhcp command would be displayed in the output.
20.6 Debug DHCPv4
Verify that the router is receiving DHCPv4 requests from clients. This troubleshooting step involves configuring an ACL for debugging output. The figure shows an extended ACL permitting only packets with UDP destination ports of 67 or 68 (used by DHCPv4 clients and servers). The extended ACL is used with the debug ip packet command to display only DHCPv4 messages. Another useful command for troubleshooting DHCPv4 operation is the debug ip dhcp server events command which reports server events, like address assignments and database updates. It is also used for decoding DHCPv4 receptions and transmissions.
20.7 DHCPv6
DHCPv6 messages from the server to the client use UDP destination port 546. The client sends DHCPv6 messages to the server using UDP destination port 547.
20.7.1 Stateless Address Autoconfiguration (SLAAC)
RA messages are configured on an individual interface of a router. To re-enable an interface for SLAAC that might have been set to another option, the M and O flags need to be reset to their initial values of 0.
R1(config-if)# no ipv6 nd managed-config-flag
R1(config-if)# no ipv6 nd other-config-flag
20.7.2 Stateless DHCPv6 (Router as Server)
R1(config-if)# ipv6 nd other-config-flag
Example:
20.7.3 Stateless DHCPv6 (Router as Client)
R1(config-if)# ipv6 enable
R1(config-if)# ipv6 address autoconfig
20.7.4 Verify Stateless DHCPv6 Server
R1# show ipv6 dhcp pool
R1# show ipv6 interface interface-id
R1# debug ipv6 dhcp detail
20.7.5 Stateful DHCPv6 (Router as Server)
R1(config-if)# ipv6 nd managed-config-flag
Example:
20.7.6 Stateful DHCPv6 (Router as Client)
R1(config-if)# ipv6 enable
R1(config-if)# ipv6 address dhcp
20.7.7 Verify Stateful DHCPv6 Server
R1# show ipv6 dhcp pool
R1# show ipv6 dhcp binding
R1# show ipv6 interface interface-id
20.7.8 DHCPv6 Relay
R1(config-if)# ipv6 dhcp relay destination dhcpv6-server-address
20.7.9 Troubleshoot/Verify DHCPv6
Troubleshooting issues with DHCPv4 and DHCPv6 involves the same tasks:
• Resolve address conflicts
• Verify physical connectivity
• Test connectivity using a static IP address
• Verify switch port configuration
• Test operation on the same subnet or VLAN
R1# show ipv6 dhcp conflict
R1# show ipv6 interface interface
R1# debug ipv6 dhcp detail
21 NAT for IPv4
21.1 Static NAT
21.1.1 Configure Static NAT
21.1.2 Verify Static NAT
21.2 Dynamic NAT
21.2.1 Configure Dynamic NAT
Example:
21.2.2 Verify Dynamic NAT
21.3 PAT (NAT Overload)
21.3.1 Configure PAT with Address Pool
Example:
21.3.2 Configure PAT with Single Address
21.3.3 Verify PAT
21.4 Port Forwarding (Tunneling)
Example:
Similar to static NAT, the show ip nat translations command can be used to verify the port forwarding.
21.5 Troubleshoot NAT
R1# debug ip nat [detailed]
debug ip nat detailed generates more overhead than debug ip nat, but it can provide the detail that may be needed to troubleshoot a NAT issue.
* (asterisk): The asterisk next to NAT indicates that the translation is occurring in the fast-switched path. The first packet in a conversation is always process-switched, which is slower. The remaining packets go through the fast-switched path if a cache entry exists.
22 Spanning Tree
22.1 Default Switch STP Settings
22.2 Configure and Verify the Bridge ID (BID)/Priority
Method 1:
S1(config)# spanning-tree vlan vlan-id root primary
S2(config)# spanning-tree vlan vlan-id root secondary
Method 2:
S3(config)# spanning-tree vlan vlan-id priority value
S1# show spanning-tree
22.3 Configure and Verify Port Cost
Default Port Costs:
Configure Port Cost:
S1(config)# interface interface-id
S1(config-if)# spanning-tree cost value
Reset Port Cost (to Default):
S1(config-if)# no spanning-tree cost
Verify Port Cost:
22.4 PortFast and BPDU Guard
When a switch port is configured with PortFast, that port transitions from blocking to forwarding state immediately, bypassing the usual 802.1D STP transition states (the listening and learning states). You can use PortFast on access ports to allow these devices to connect to the network immediately. PortFast is useful for DHCP. Without PortFast, a PC can send a DHCP request before the port is in forwarding state, denying the host from getting a usable IP address and other information. In a valid PortFast configuration, Bridge Protocol Data Units (BPDU) should never be received, because that would indicate that another switch (or bridge) is connected to the port, potentially causing a spanning tree loop. When BPDU guard is enabled, it puts the port in an error-disabled state on receipt of a BPDU. This will effectively shut down the port.
S1(config)# interface interface-id
S1(config-if)# spanning-tree portfast
S1(config-if)# spanning-tree bpduguard enable
Enable PortFast on all nontrunking interfaces:
S1(config)# spanning-tree portfast default
Enable BPDU guard on all PortFast-enabled ports:
S1(config)# spanning-tree portfast bpduguard default
Verify PortFast and BPDU Guard:
S1# show running-config | begin spanning-tree
22.5 PVST+ Load Balancing
Example:
S3(config)# spanning-tree vlan 20 root primary
S3(config)# spanning-tree vlan 10 root secondary
S1(config)# spanning-tree vlan 10 root primary
S1(config)# spanning-tree vlan 20 root secondary
Alternatively:
S3(config)# spanning-tree vlan 20 priority 4096
S3(config)# spanning-tree vlan 10 priority 8192
S1(config)# spanning-tree vlan 10 priority 4096
S1(config)# spanning-tree vlan 20 priority 8192
Verify:
S1# show running-config | begin spanning-tree
22.6 Rapid PVST+
Example:
Verify:
S1# show running-config | begin spanning-tree
22.7 Analyzing the STP Topology
22.8 STP Status Overview
S1# show spanning-tree
S1# show spanning-tree vlan vlan_id
22.9 First Hop Redundancy Protocols (FHRP)
22.9.1 Hot Standby Router Protocol (HSRP)
R1(config-if)# standby [group-number] priority priority
R1(config-if)# standby [group-number] preempt [delay {minimum | reload | sync} seconds]
R1(config-if)# standby [group-number] ip ip-address [secondary]
Active Router:
R1(config-if)# standby 1 priority 150 (default priority is 100)
R1(config-if)# standby 1 preempt
R1(config-if)# standby 1 ip 192.168.1.254
Standby Router:
R2(config-if)# standby 1 ip 192.168.1.254
Disable HSRP:
R1(config-if)# no standby 1
Verify HSRP:
R1# show standby [all] [brief]
R1# show standby type number [group-number | all] [brief]
22.9.2 Gateway Load Balancing Protocol (GLBP)
R1(config-if)# glbp [group-number] priority priority
R1(config-if)# glbp [group-number] preempt [delay {minimum | reload | sync} seconds]
R1(config-if)# glbp [group-number] ip ip-address [secondary]
Active Router:
R1(config-if)# glbp 1 priority 150 (default priority is 100)
R1(config-if)# glbp 1 preempt
R1(config-if)# glbp 1 ip 192.168.1.254
R1(config-if)# glbp 1 load-balancing round-robin
Standby Router:
R2(config-if)# glbp 1 ip 192.168.1.254
R2(config-if)# glbp 1 load-balancing round-robin
Disable GLBP:
R1(config-if)# no glbp [group-number] ip ip-address [secondary]
Verify GLBP:
R1# show glbp [all] [brief]
23 EtherChannel
23.1 Link Aggregation Control Protocol (LACP)
Step 1: Specify the interfaces that compose the EtherChannel group
S1(config)# interface range interface
Step 2: Create the port channel interface
S1(config-if-range)# channel-group identifier mode active
Example:
23.2 Port Aggregation Protocol (PAgP)
Step 1: Specify the interfaces that compose the EtherChannel group
S1(config)# interface range interface
Step 2: Create the port channel interface
S1(config-if-range)# channel-group identifier mode desirable
Example:
S1(config)# interface range f0/1 - 2
S1(config-if-range)# channel-group 1 mode desirable
Creating a port-channel interface Port-channel 1
S1(config-if-range)# no shut
S2(config)# interface range f0/1 - 2
S2(config-if-range)# channel-group 1 mode auto
Creating a port-channel interface Port-channel 1
S2(config-if-range)# no shut
23.3 Verify EtherChannel
S1# show etherchannel summary
S1# show etherchannel port-channel
S1# show interface port-channel channel-number
S1# show interfaces interface etherchannel
S1# show run | begin interface port channel
24 Point-to-Point Connections
24.1 Configure HDLC Encapsulation
Cisco HDLC (cHDLC) is the default encapsulation method used by Cisco devices on synchronous serial lines. If connecting non-Cisco devices, use synchronous PPP.
24.2 Verify a Serial Interface
24.3 Configure PPP Encapsulation
R1(config)# interface serial 0/0/0
R1(config-if)# encapsulation ppp
24.3.1 PPP Compression
R1(config)# interface serial 0/0/0
R1(config-if)# encapsulation ppp
R1(config-if)# compress [predictor | stac]
24.3.2 Link Quality Monitoring
R1(config)# interface serial 0/0/0
R1(config-if)# encapsulation ppp
R1(config-if)# ppp quality 80
The ppp quality percentage command ensures that the link meets the quality requirement set; otherwise, the link closes down.
Disable LQM:
R1(config-if)# no ppp quality
24.3.3 Multilink PPP
Step 1: Create a multilink bundle.
• The interface multilink number command creates the multilink interface.
• In interface configuration mode, an IP address is assigned to the multilink interface.
• The interface is enabled for multilink PPP.
• The interface is assigned a multilink group number.
Step 2: Assign interfaces to the multilink bundle. Each interface that is part of the multilink group:
• Is enabled for PPP encapsulation.
• Is enabled for multilink PPP.
• Is bound to the multilink bundle using the multilink group number configured in Step 1.
To disable PPP multilink, use the no ppp multilink command.
24.3.4 PPP Authentication To specify the order in which the CHAP or PAP protocols are requested on the interface, use the ppp authentication interface configuration command, as shown in the figure. Use the no form of the command to disable this authentication.
PAP:
CHAP:
24.4 Verify PPP Configuration/Encapsulation
Turn off debug mode:
R1# undebug all
(short: un all or u all)
25 Frame Relay
25.1 Basic Frame Relay Configuration
Step 1: Set the IP address on the interface
Step 2: Configure encapsulation
R1(config-if)# encapsulation frame-relay [cisco | ietf]
The cisco encapsulation type is the default Frame Relay encapsulation enabled on supported interfaces. Use this option if connecting to another Cisco router. Use the ietf encapsulation option if connecting to a non-Cisco router.
Step 3: Set the bandwidth
Step 4: Set the LMI type (optional)
Verify configuration: show interfaces serial
25.2 Configure a Static Frame Relay Map
R1(config-if)# frame-relay map protocol protocol-address dlci [broadcast] [ietf] [cisco]
Use the keyword ietf when connecting to a non-Cisco router.
Verify:
A primary tool of Frame Relay is Inverse Address Resolution Protocol (ARP). Whereas ARP translates Layer 3 IPv4 addresses to Layer 2 MAC addresses, Inverse ARP does the opposite. The corresponding Layer 3 IPv4 addresses must be available before VCs can be used. An example of using static address mapping is a situation in which the router at the other side of the Frame Relay network does not support dynamic Inverse ARP for a specific network protocol. To provide connectivity, a static mapping is required to complete the remote network layer address to local DLCI resolution. Another example is on a hub-and-spoke Frame Relay network. Use static address mapping on the spoke routers to provide spoke-to-spoke reachability. Because the spoke routers do not have direct connectivity with each other, dynamic Inverse ARP would not work between them. Dynamic Inverse ARP relies on the presence of a direct point-to-point connection between two ends. In this case, dynamic Inverse ARP only works between hub and spoke, and the spokes require static mapping to provide reachability to each other.
Verify:
25.3 Configure Point-to-Point Subinterfaces
Subinterfaces address the limitations of Frame Relay networks by providing a way to subdivide a partially meshed Frame Relay network into a number of smaller, fully meshed, or point-to-point, subnetworks. Each subnetwork is assigned its own network number and appears to the protocols as if it were reachable through a separate interface.
Example:
25.4 Local Management Interface (LMI)
Basically, the LMI is a keepalive mechanism that provides status information about Frame Relay connections between the router (DTE) and the Frame Relay switch (DCE). Every 10 seconds or so, the end device polls the network, either requesting a dumb sequenced response or channel status information. If the network does not respond with the requested information, the user device may consider the connection to be down. When the network responds with a FULL STATUS response, it includes status information about DLCIs that are allocated to that line. The end device can use this information to determine whether the logical connections are able to pass data.
Display the LMI type:
Starting with the Cisco IOS software Release 11.2, the default LMI autosense feature detects the LMI type supported by the directly connected Frame Relay switch. Based on the LMI status messages it receives from the Frame Relay switch, the router automatically configures its interface with the supported LMI type acknowledged by the Frame Relay switch. If it is necessary to set the LMI type, use the frame-relay lmi-type [cisco | ansi | q933a] interface configuration command. Configuring the LMI type disables the autosense feature.
25.5 Verify Frame Relay
Use the show frame-relay pvc [interface interface] [dlci] command to view PVC and traffic statistics.
After the statistics are gathered, use the clear counters command to reset the statistics counters.
To clear dynamically created Frame Relay maps that are created using Inverse ARP, use the clear frame-relay inarp command. To confirm whether the frame-relay inverse-arp command resolved a remote IPv4 address to a local DLCI, use the show frame-relay map command to display the current map entries:
When an Inverse ARP request is made, the router updates its map table with three possible PVC connection states:
• ACTIVE - Indicates a successful end-to-end (DTE to DTE) circuit.
• INACTIVE - Indicates a successful connection to the switch (DTE to DCE) without a DTE detected on the other end of the PVC. This can occur due to incorrect configuration on the switch.
• DELETED - Indicates that the DTE is configured for a DLCI that the switch does not recognize as valid for that interface.
25.6 Troubleshoot Frame Relay
Use the debug frame-relay lmi command to determine whether the router and the Frame Relay switch are sending and receiving LMI packets properly.
LMI exchange messages:
• out is an LMI status message sent by the router.
• in is a message received from the Frame Relay switch.
• A full LMI status message is a type 0.
• An LMI exchange is a type 1.
• dlci 102, status 0x2 means that the status of DLCI 102 is active.
The possible values of the status field are as follows:
• 0x0 - The switch has this DLCI programmed, but for some reason it is not usable. The reason could possibly be that the other end of the PVC is down.
• 0x2 - The Frame Relay switch has the DLCI and everything is operational.
• 0x4 - The Frame Relay switch does not have this DLCI programmed for the router, but it was programmed at some point in the past. This could also be caused by the DLCIs being reversed on the router, or by the PVC being deleted by the service provider in the Frame Relay cloud.
26 PPPoE Client Configuration for DSL 1.
To create a PPP tunnel, the configuration uses a dialer interface. A dialer interface is a virtual interface. The PPP configuration is placed on the dialer interface, not the physical interface. The dialer interface is created using the interface dialer number command. The client can configure a static IP address, but will more likely be automatically assigned a public IP address by the ISP.
2.
The PPP CHAP configuration usually defines one-way authentication; therefore, the ISP authenticates the customer. The hostname and password configured on the customer router must match the hostname and password configured on the ISP router. Notice in the figure that the CHAP username and password match the settings on the ISP router.
3.
The physical Ethernet interface that connects to the DSL modem is then enabled with the command pppoe enable that enables PPPoE and links the physical interface to the dialer interface. The dialer interface is linked to the Ethernet interface with the dialer pool and pppoe-client commands, using the same number. The dialer interface number does not have to match the dialer pool number.
4.
The maximum transmission unit (MTU) should be set down to 1492, versus the default of 1500, to accommodate the PPPoE headers.
R1(config)# interface dialer 2 R1(config-if)# encapsulation ppp R1(config-if)# ip address negotiated R1(config-if)# ppp chap hostname Fred R1(config-if)# ppp chap password Barney R1(config-if)# ip mtu 1492 R1(config-if)# dialer pool 1 R1(config-if)# no shutdown R1(config-if)# interface g0/1 R1(config-if)# no ip address R1(config-if)# pppoe enable R1(config-if)# pppoe-client dial-pool-number 1 R1(config-if)# no shutdown R1(config-if)# exit
27 Virtual Private Networks (VPNs)
27.1 GRE Tunnel
GRE is used to create a VPN tunnel between two sites.
27.1.1 Configure GRE Tunnel
Step 1: Create a tunnel interface using the interface tunnel number command.
Step 2: Specify the tunnel source IP address.
Step 3: Specify the tunnel destination IP address.
Step 4: Configure an IP address for the tunnel interface.
Step 5: (Optional) Specify GRE tunnel mode as the tunnel interface mode. GRE tunnel mode is the default tunnel interface mode for Cisco IOS software.
27.1.2 Verify GRE Tunnel
To determine whether the tunnel interface is up or down, use the show ip interface brief command; to verify the state of a GRE tunnel, use the show interface tunnel command.
If OSPF has also been configured to exchange routes over the GRE tunnel, verify that an OSPF adjacency has been established over the tunnel interface using the show ip ospf neighbor command.
28 Monitoring the Network
28.1 Syslog
28.1.1 Service Timestamp
To enhance real-time debugging and management, log messages can be time-stamped and the source address of syslog messages can be set. To display the amount of time since the device last booted on logged events, enter:
R1(config)# service timestamps log uptime
Force each logged event to display the date and time associated with the event (more useful):
R1(config)# service timestamps log datetime
When using the datetime keyword, the clock on the networking device must be set. This can be accomplished in one of two ways:
• Manually, using the clock set command
• Automatically, using the Network Time Protocol (NTP)
A network device can be configured as either an NTP server, thereby allowing other devices to synchronize off of its time, or as an NTP client.
28.1.2 Default Logging
By default, Cisco routers and switches send log messages for all severity levels to the console. On some IOS versions, the device also buffers log messages by default. To enable these two settings, use the following commands:
R1(config)# logging console
R1(config)# logging buffered
The show logging command displays the default logging service settings on a Cisco router:
28.1.3 Syslog Severity Level
28.1.4 Configure Syslog
Step 1: Configure the destination hostname or IP address of the syslog server:
R1(config)# logging 192.168.1.3
Step 2: Control the messages that will be sent to the syslog server with the logging trap level global configuration mode command. For example, to limit the messages to levels 4 and lower (0 to 4), use one of the two equivalent commands:
R1(config)# logging trap 4
R1(config)# logging trap warning
Step 3: Optionally, configure the source interface with the logging source-interface interface-type interface-number global configuration mode command. This specifies that syslog packets contain the IPv4 or IPv6 address of a specific interface, regardless of which interface the packet uses to exit the router. For example, to set the source interface to g0/0, use the following command:
R1(config)# logging source-interface g0/0
A loopback interface is created, then shut down, and then brought back up. The console output reflects these actions. The only messages that appear on the syslog server are those with severity level of 4 or lower (more severe). The messages with severity level of 5 or higher (less severe) appear on the router console output, but do not appear on the syslog server output.
28.1.5 Verify Syslog
Use the show logging command to view any messages that are logged. When the logging buffer is large, it is helpful to use the pipe option (|) with the show logging command. The pipe option allows you to state specifically which messages should be displayed. For example, issuing the show logging | include changed state to up command ensures that only interface notifications stating that the interface has "changed state to up" are displayed. Issuing the show logging | begin June 12 22:35 command displays the contents of the logging buffer that occurred on or after June 12.
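The following is an added example, not part of the original document, that models what 28.1.4 and 28.1.5 describe: IOS messages are tagged %FACILITY-SEVERITY-MNEMONIC, the console receives every level, the syslog server only receives levels up to the configured logging trap value, and a show logging | include filter selects lines by regular expression. The log lines are constructed for the loopback create/shutdown/no shutdown sequence, not captured from a real router.

```python
import re
from dataclasses import dataclass

# Cisco IOS syslog severity levels; lower numbers are more severe.
SEVERITY_NAMES = {0: "emergencies", 1: "alerts", 2: "critical", 3: "errors",
                  4: "warnings", 5: "notifications", 6: "informational", 7: "debugging"}

# Constructed console output for the loopback create / shutdown / no shutdown
# sequence described in 28.1.4 (not captured from a real router).
SAMPLE_LOG = [
    "*Jun 12 22:35:01.123: %LINK-3-UPDOWN: Interface Loopback0, changed state to up",
    "*Jun 12 22:35:01.124: %LINEPROTO-5-UPDOWN: Line protocol on Interface Loopback0, changed state to up",
    "*Jun 12 22:35:20.456: %LINK-5-CHANGED: Interface Loopback0, changed state to administratively down",
    "*Jun 12 22:35:20.457: %LINEPROTO-5-UPDOWN: Line protocol on Interface Loopback0, changed state to down",
    "*Jun 12 22:35:40.789: %LINK-3-UPDOWN: Interface Loopback0, changed state to up",
    "*Jun 12 22:35:40.790: %LINEPROTO-5-UPDOWN: Line protocol on Interface Loopback0, changed state to up",
    "*Jun 12 22:35:45.001: %SYS-5-CONFIG_I: Configured from console by console",
]

# "service timestamps log datetime msec" prefix, then %FACILITY-SEVERITY-MNEMONIC: text
LINE_RE = re.compile(
    r"^\*?(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}(?:\.\d{3})?):\s+"
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+):\s*(?P<text>.*)$")

@dataclass
class SyslogMessage:
    timestamp: str
    facility: str
    severity: int
    mnemonic: str
    text: str

def parse_line(line):
    """Parse one IOS log line; returns None for lines that are not syslog messages."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return SyslogMessage(m["ts"], m["facility"], int(m["severity"]), m["mnemonic"], m["text"])

def trap_level(arg):
    """Resolve the 'logging trap' argument: a number 0-7 or a (possibly abbreviated) keyword."""
    if arg.isdigit() and int(arg) in SEVERITY_NAMES:
        return int(arg)
    matches = [lvl for lvl, name in SEVERITY_NAMES.items() if name.startswith(arg.lower())]
    if len(matches) != 1:
        raise ValueError(f"unknown or ambiguous severity: {arg}")
    return matches[0]

def route_messages(lines, trap):
    """Console receives every level; the syslog server only levels 0..trap (equal or more severe)."""
    limit = trap_level(trap)
    msgs = [m for m in map(parse_line, lines) if m is not None]
    return {"console": msgs, "server": [m for m in msgs if m.severity <= limit]}

def include_filter(lines, pattern):
    """Equivalent of 'show logging | include <pattern>' (pattern is a regular expression)."""
    return [line for line in lines if re.search(pattern, line)]
```

With logging trap warning only the two LINK-3-UPDOWN messages reach the server, while all seven appear on the console.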
28.2 Simple Network Management Protocol (SNMP)
28.2.1 Configure SNMP
Step 1: (Required) Configure the community string and access level (read-only or read-write) with the snmp-server community string ro | rw command.
Step 2: (Optional) Document the location of the device using the snmp-server location text command.
Step 3: (Optional) Document the system contact using the snmp-server contact text command.
Step 4: (Optional) Restrict SNMP access to NMS hosts (SNMP managers) that are permitted by an ACL: define the ACL and then reference it with the snmp-server community string access-list-number-or-name command. This command can be used both to specify a community string and to restrict SNMP access via ACLs. Step 1 and Step 4 can be combined into one step, if desired; the Cisco networking device combines the two commands into one if they are entered separately.
Step 5: (Optional) Specify the recipient of the SNMP trap operations with the snmp-server host host-id [version {1 | 2c | 3 [auth | noauth | priv]}] community-string command. By default, no trap manager is defined.
Step 6: (Optional) Enable traps on an SNMP agent with the snmp-server enable traps notification-types command. If no trap notification types are specified in this command, then all trap types are sent. Repeated use of this command is required if a particular subset of trap types is desired.
By default, SNMP does not have any traps set. Without this command, SNMP managers must poll for all relevant information.
28.2.2 Verify SNMP
To verify the SNMP configuration, use any of the variations of the show snmp privileged EXEC mode command. The most useful command is simply the show snmp command, as it displays the information that is commonly of interest when examining the SNMP configuration.
The show snmp command output does not display information relating to the SNMP community string or, if applicable, the associated ACL. Using the show snmp community command, the SNMP community string and ACL information will be displayed:
28.3 NetFlow
28.3.1 Configure NetFlow
Step 1: Configure NetFlow data capture - NetFlow captures data from ingress (incoming) and egress (outgoing) packets.
Step 2: Configure NetFlow data export - The IP address or hostname of the NetFlow collector must be specified, as well as the UDP port on which the NetFlow collector listens.
Step 3: Verify NetFlow, its operation and statistics - After configuring NetFlow, the exported data can be analyzed on a workstation running an appropriate application. Minimally, one can rely on the output from a number of show commands on the router itself.
A NetFlow flow is unidirectional. This means that one user connection to an application exists as two NetFlow flows, one for each direction. To define the data to be captured for NetFlow in interface configuration mode:
• Capture NetFlow data for monitoring incoming packets on the interface using the ip flow ingress command.
• Capture NetFlow data for monitoring outgoing packets on the interface using the ip flow egress command.
To enable the NetFlow data to be sent to the NetFlow collector, there are several items to configure on the router in global configuration mode:
• NetFlow collector's IP address and UDP port number - Use the ip flow-export destination ip-address udp-port command. Some common UDP ports allocated are 99, 2055, and 9996.
• (Optional) NetFlow version to follow when formatting the NetFlow records sent to the collector - Use the ip flow-export version version command. NetFlow exports data in one of five formats (1, 5, 7, 8, and 9). Version 9 is the most versatile export data format, but it is not backward compatible. Version 1 is the default version; it should be used only when it is the only NetFlow data export format version supported by the NetFlow collector software.
• (Optional) Source interface to use as the source of the packets sent to the collector - Use the ip flow-export source type number command.
28.3.2 Verify NetFlow
To display a summary of the NetFlow accounting statistics, as well as which protocol uses the highest volume of the traffic, and to see between which hosts this traffic flows, use the show ip cache flow command.
The output at the top of the display confirms that the router is collecting data. The first highlighted entry lists a count of 178,617 packets monitored by NetFlow. The end of the output shows statistics about three flows, the highlighted one corresponding to an active HTTPS connection between the NetFlow collector and R1. It also shows the source port (SrcP) and destination port (DstP) in hexadecimal. (Hexadecimal 01BB is equal to decimal 443, the well-known TCP port for HTTPS.) Significant fields in the flow switching cache lines:
Significant fields in the activity by protocol lines:
Significant fields in the NetFlow record lines:
Although the output of the show ip cache flow command confirms that the router is collecting data, to ensure that NetFlow is configured on the correct interfaces in the correct directions, use the show ip flow interface command:
To check the configuration of the export parameters, use the show ip flow export command.
The first highlighted line shows that NetFlow is enabled with Version 5 export format. The last highlighted lines show that 1764 flows have been exported in the form of 532 UDP datagrams to the NetFlow collector at 192.168.1.3 via port 2055.
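The following is an added example, not part of the original document, that decodes flow cache lines in the layout of show ip cache flow (Pr, SrcP and DstP printed in hexadecimal, so 01BB becomes 443) and then rebuilds connections from the unidirectional flows that 28.3.1 describes, by matching each flow with its mirrored 5-tuple. The sample lines are constructed; the interface names, addresses and packet counts are not from a real router.

```python
from dataclasses import dataclass

# Pr column values are IP protocol numbers printed in hex (06 = TCP, 11 = UDP, 01 = ICMP).
PROTOCOL_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}
PORT_NAMES = {23: "telnet", 80: "http", 443: "https"}  # only to annotate decoded records

# Constructed flow cache lines in the layout of show ip cache flow (header plus three flows).
SAMPLE_CACHE = """\
SrcIf         SrcIPaddress    DstIf         DstIPaddress    Pr SrcP DstP  Pkts
Gi0/1         192.168.1.3     Local         192.168.1.1     06 C4B3 01BB     9
Local         192.168.1.1     Gi0/1         192.168.1.3     06 01BB C4B3     7
Gi0/0         10.1.1.10       Gi0/1         192.168.1.3     11 0806 0807     3
"""

@dataclass(frozen=True)
class FlowRecord:
    src_if: str
    src_ip: str
    dst_if: str
    dst_ip: str
    protocol: int
    src_port: int
    dst_port: int
    packets: int
    def key(self):
        return (self.src_ip, self.src_port, self.dst_ip, self.dst_port, self.protocol)
    def reverse_key(self):
        return (self.dst_ip, self.dst_port, self.src_ip, self.src_port, self.protocol)

def parse_flow_line(line):
    """Decode one cache line; Pr, SrcP and DstP are hexadecimal, Pkts is decimal."""
    f = line.split()
    if len(f) != 8 or f[0] == "SrcIf":
        return None  # column header or unrelated output
    try:
        return FlowRecord(f[0], f[1], f[2], f[3], int(f[4], 16), int(f[5], 16), int(f[6], 16), int(f[7]))
    except ValueError:
        return None

def parse_cache(text):
    return [r for r in map(parse_flow_line, text.splitlines()) if r is not None]

def pair_flows(flows):
    """Rebuild connections from unidirectional flows: a flow and the flow with the
    mirrored 5-tuple are the two halves of one connection; an unmatched flow is one-way."""
    by_key = {f.key(): f for f in flows}
    done, conversations = set(), []
    for f in flows:
        if f.key() in done:
            continue
        back = by_key.get(f.reverse_key())
        done.update({f.key(), back.key()} if back is not None else {f.key()})
        conversations.append({
            "client": f.src_ip, "server": f.dst_ip, "server_port": f.dst_port,
            "proto": PROTOCOL_NAMES.get(f.protocol, str(f.protocol)),
            "service": PORT_NAMES.get(f.dst_port, "unknown"),
            "packets_fwd": f.packets, "packets_rev": back.packets if back is not None else 0,
            "bidirectional": back is not None,
        })
    return conversations
```

The first two sample flows are the two halves of one HTTPS connection from the collector to R1; the third (UDP to port 2055) has no mirror and is reported as one-way.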
29 Troubleshooting the Network
29.1 Data Collection for Documentation
When documenting the network, it is often necessary to gather information directly from routers and switches. Obviously useful network documentation commands include ping, traceroute, and telnet as well as the following show commands:
• The show ip interface brief and show ipv6 interface brief commands are used to display the up or down status and IP address of all interfaces on a device.
• The show ip route and show ipv6 route commands are used to display the routing table in a router to learn the directly connected neighbors, more remote devices (through learned routes), and the routing protocols that have been configured.
• The show cdp neighbor detail command is used to obtain detailed information about directly connected Cisco neighbor devices.
The following table lists some of the most common Cisco IOS commands used for data collection:
29.2 Gather Symptoms
29.3 Troubleshooting IP Connectivity
29.3.1 Step 1: Verify the Physical Layer
The most commonly used IOS commands for this purpose are show processes cpu, show memory, and show interfaces.
29.3.2 Step 2: Check for Duplex Mismatches
29.3.3 Step 3: Verify Layer 2 and Layer 3 Addressing on the Local Network
Verify mappings between destination IP addresses and Layer 2 Ethernet addresses on the PC:
Verify the neighbor table on the Cisco IOS router:
A switch forwards a frame only to the port where the destination is connected. To do this, the switch consults its MAC address table. The MAC address table lists the MAC address connected to each port.
Example: Missing default gateway on PC
Example: VLAN mismatch
29.3.4 Step 4: Verify Default Gateway
Missing IPv4 gateway:
R1 has a default route via router R2, but notice the ipconfig command reveals the absence of an IPv6 global unicast address and an IPv6 default gateway.
Using the show ipv6 interface GigabitEthernet 0/0 command, it can be seen that although the interface has an IPv6 address, it is not a member of the All-IPv6-Routers multicast group FF02::2. This means the router is not sending out ICMPv6 RAs on this interface.
29.3.5 Step 5: Verify Correct Path
To verify that the current IPv6 path matches the desired path to reach destinations, use the show ipv6 route command on a router to examine the routing table.
29.3.6 Step 6: Verify the Transport Layer
Two of the most common issues that affect transport layer connectivity are ACL configurations and NAT configurations. A common tool for testing transport layer functionality is the Telnet utility. Successful Telnet connection:
Testing the transport layer over IPv6 using port 80 (HTTP) from a PC:
Successful router Telnet connection over IPv6:
Testing the transport layer over IPv6 using port 80 (HTTP) from a router:
29.3.7 Step 7: Verify ACLs
Use the show ipv6 access-list and show ipv6 interface commands to show the contents of all IPv6 ACLs configured on a router.
29.3.8 Step 8: Verify DNS
When you configure DNS on the device, you can substitute the hostname for the IP address. Use the ip host command to enter a name-to-IPv4 mapping on the switch or router. The ipv6 host command is used for the same mappings using IPv6.
To display the name-to-IP-address mapping information on the Windows-based PC, use the nslookup command.
30 IOS Images & Licensing
30.1 Display the IOS Image
30.1.1 IOS 12.4 Software Image Name
30.1.2 IOS 15.2 Software Image Name
The memory location can include f (flash), m (RAM), r (ROM) or l (relocatable). The compression format can be either z (zip) or x (mzip).
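The following is an added example, not part of the original document, that decodes an IOS image file name into the fields described above (platform, feature set, memory location and compression letters, the SPA marker of a digitally signed image, and the version encoded as major/minor-maintenance with an optional train letter and rebuild number). The 12.4-style file name used for the second check is constructed for illustration; the 15.2 name is the one used in 30.3.

```python
import re

# Meaning of the memory-location and compression letters in the "mz" part of the name.
MEMORY_LOCATIONS = {"f": "flash", "m": "RAM", "r": "ROM", "l": "relocatable"}
COMPRESSION = {"z": "zip", "x": "mzip"}

# platform-featureset-<mem><comp>.[SPA.]<major><minor>-<maint>[.<train><rebuild>].bin
# e.g. c1900-universalk9-mz.SPA.152-4.M3.bin  ->  15.2(4)M3, RAM, zip, signed
IMAGE_RE = re.compile(
    r"^(?P<platform>[a-z0-9]+)-(?P<features>[a-z0-9]+)-"
    r"(?P<mem>[fmrl])(?P<comp>[zx])\."
    r"(?:(?P<signed>SPA)\.)?"                       # SPA marks a digitally signed production image
    r"(?P<major>\d{2})(?P<minor>\d)-(?P<maint>\d+)"  # 152-4 -> 15.2(4), 124-1 -> 12.4(1)
    r"(?:\.(?P<train>[A-Z]+)(?P<rebuild>\d+)?)?\.bin$")

def parse_image_name(name):
    """Split an IOS image file name into its fields; returns None if the name does not fit."""
    m = IMAGE_RE.match(name)
    if not m:
        return None
    version = f"{m['major']}.{m['minor']}({m['maint']})"
    if m["train"]:
        version += m["train"] + (m["rebuild"] or "")
    return {
        "platform": m["platform"],
        "feature_set": m["features"],
        "memory_location": MEMORY_LOCATIONS[m["mem"]],
        "compression": COMPRESSION[m["comp"]],
        "digitally_signed": m["signed"] is not None,
        "version": version,
        "train": m["train"],
    }
```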
30.2 IOS Backup
Step 1: Ensure that there is access to the network TFTP server. Ping the TFTP server to test connectivity.
Step 2: Verify that the TFTP server has sufficient disk space to accommodate the Cisco IOS Software image. Use the show flash0: command on the router to determine the size of the Cisco IOS image file.
Step 3: Copy the image to the TFTP server using the copy source-url destination-url command.
Copy an image from a TFTP server:
30.3 Select Boot System
To upgrade to the copied IOS image after that image is saved on the router's flash memory, configure the router to load the new image during bootup using the boot system command. Save the configuration. Reload the router to boot it with the new image.
• Specify the flash device as the source of the Cisco IOS image:
R1(config)# boot system flash0://c1900-universalk9-mz.SPA.152-4.M3.bin
• Specify the TFTP server as a source of Cisco IOS image:
R1(config)# boot system tftp://c1900-universalk9-mz.SPA.152-4.M3.bin
If there are no boot system commands in the configuration, the router defaults to loading the first valid Cisco IOS image in flash memory and running it. After the router has booted, to verify the new image has loaded, use the show version command.
30.4 IOS Licensing
30.4.1 Install an IOS License
Step 1: Purchase the software package or feature to install.
Step 2: Obtain a license.
Step 3: Install the license. Use the license install stored-location-url privileged EXEC mode command to install a license file. Then reload the router using the privileged EXEC command reload.
30.4.2 License Verification
Use the show license feature command to view the technology package licenses and feature licenses supported on the router.
30.4.3 Activate an Evaluation Right-To-Use License
An evaluation license is good for a 60-day evaluation period. After the 60 days, this license automatically transitions into an Evaluation Right-To-Use (RTU) license. These licenses are available on the honor system and require the customer's acceptance of the EULA.
30.4.4 Backup a License
The license save command is used to copy all licenses in a device and store them in a format required by the specified storage location. The command to back up a copy of the licenses on a device is:
R1# license save file-sys://lic-location
Use the show flash0: command to verify that the licenses have been saved.
Saved licenses are restored by using the license install command.
30.4.5 Uninstall a License
Step 1: Disable the technology package. Disable the active license with the command:
R1(config)# license boot module module-name technology-package package-name disable
Reload the router using the reload command. A reload is required to make the software package inactive.
Step 2: Clear the license. Clear the technology package license from license storage:
R1# license clear feature-name
Then remove the license boot module module-name technology-package package-name disable command that was used to disable the active license:
R1(config)# no license boot module module-name technology-package package-name disable
Some licenses, such as built-in licenses, cannot be cleared. Only licenses that have been added by using the license install command are removed. Evaluation licenses are not removed.
IOS Shortcuts
Down Arrow / Ctrl-N: Scroll forward through previous commands
Up Arrow / Ctrl-P: Scroll backward through previous commands
Tab: Completes the remainder of a partially typed command or keyword
?: Help – lists possible choices, subcommands or missing parameters
Ctrl-A: Moves to the beginning of the line
Ctrl-E: Moves to the end of the line
Ctrl-R: Redisplays a line
Ctrl-Z: Exits configuration mode and returns to privileged EXEC mode
Ctrl-C: Exits configuration mode or aborts the current command
Ctrl-Shift-6: Interrupts an IOS process such as ping or traceroute