James "Professor" Messer

Professor Messer's Cisco CCENT/CCNA 100-105 ICND1 Course Notes

Written by James "Professor" Messer
Copyright © 2017 by Messer Studios, LLC
http://www.ProfessorMesser.com

All rights reserved. No part of this book may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or by any information storage and retrieval system, without written permission from the publisher.

First Edition: March 2017

Trademark Acknowledgements
All product names and trademarks are the property of their respective owners, and are in no way associated or affiliated with Messer Studios, LLC. "Professor Messer" is a registered trademark of Messer Studios LLC. "Cisco" and "IOS" are registered trademarks of Cisco Systems, Inc.

Warning and Disclaimer
This book is designed to provide information about the Cisco CCENT/CCNA 100-105 ICND1 certification exam. However, there may be typographical and/or content errors. Therefore, this book should serve only as a general guide and not as the ultimate source of subject information. The author shall have no liability or responsibility to any person or entity regarding any loss or damage incurred, or alleged to have incurred, directly or indirectly, by the information contained in this book.
Contents

Introduction

0.0 - Overview
    The 100-105 Cisco ICND1 Exam
    Introduction to the Cisco CLI

1.0 - Network Fundamentals
    1.1 - Introduction to Ethernet - The Ethernet Frame
    1.1 - The OSI Model and TCP/IP Model
    1.1 - Encapsulation and decapsulation
    1.2 - Common Port Numbers
    1.2 - TCP Header
    1.2 - UDP Header
    1.2 - TCP Communication
    1.3 - Enterprise Infrastructure Components
    1.4 - Network Architectures
    1.5 - Network Topologies
    1.6 - Network Cabling
    1.7 - Troubleshooting Methodologies
    1.8 - IPv4 Addressing
    1.9 - IPv4 Address Types
    1.10 - Private IPv4 Addressing
    1.11 - IPv6 Addressing
    1.12 - Configuring IPv6 Addressing
    1.12 - Troubleshooting IPv6 Addressing
    1.13 - IPv6 Neighbor Discovery Protocol
    1.13 - IPv6 Addressing with DHCP and SLAAC
    1.14 - IPv6 Address Types

2.0 - LAN Switching Fundamentals
    2.1 - LAN Switching Concepts
    2.3 - Troubleshooting Cable and Interface Issues
    2.4 - Introduction to VLANs
    2.4 - Configuring VLANs
    2.4 - Troubleshooting VLANs
    2.5 - Configuring Interswitch Connectivity
    2.5 - Troubleshooting Interswitch Connectivity
    2.6 - Configuring CDP and LLDP
    2.7 - Configuring Port Security
    2.7 - Troubleshooting Port Security

3.0 - Routing Fundamentals
    3.1 - Introduction to Routing
    3.2 - Understanding Routing Tables
    3.3 - Routing Metrics and Administrative Distances
    3.4 - Router on a Stick and Layer 3 Switches
    3.5 - Static and Dynamic Routing
    3.6 - IPv4 Static Routing
    3.6 - IPv6 Static Routing
    3.6 - Troubleshooting Static Routing
    3.7 - An Overview of RIPv2
    3.7 - Configuring RIPv2
    3.7 - Optional RIPv2 Features
    3.7 - Troubleshooting RIPv2

4.0 - Infrastructure Services
    4.1 - An Overview of DNS
    4.2 - Troubleshooting DNS
    4.3 - An Overview of DHCP
    4.3 - Configuring DHCP
    4.4 - Troubleshooting DHCP
    4.5 - Configuring NTP
    4.6 - An Overview of Access Lists
    4.6 - Configuring Standard Numbered Access Lists
    4.6 - Configuring Extended Numbered Access Lists
    4.6 - Configuring Named Access Lists
    4.6 - Troubleshooting Access Lists
    4.7 - An Overview of Network Address Translation
    4.7 - Configuring Network Address Translation
    4.7 - Troubleshooting Network Address Translation

5.0 - Infrastructure Maintenance
    5.1 - Configuring Syslog
    5.2 - Configuration Management
    5.2 - Discovering Devices with CDP and LLDP
    5.2 - Switch and Router Licensing
    5.2 - Configuring Timezones
    5.2 - Configuring Loopback Interfaces
    5.3 - Initial Device Configuration
    5.4 - Configuring IOS Passwords
    5.4 - Configuring Banners
    5.4 - Device Hardening
    5.5 - Upgrading and Recovering IOS
    5.5 - IOS Password Recovery
    5.5 - IOS File System Management
    5.6 - Troubleshooting with Ping
    5.6 - Troubleshooting with Traceroute
    5.6 - Logging at the Terminal
Introduction

If you're in the Information Technology industry, then you know that Cisco certifications are some of the most accepted (and most difficult) certifications to earn. Cisco certifications range from fundamental networking knowledge to the most advanced networking technologies today. Cisco certification exams test you on the specifics of routers, switches, ports, protocols, and much more. I've created these Course Notes to help you through the details that you need to know for the exam. Best of luck with your studies! - Professor Messer

The Cisco CCENT/CCNA Routing and Switching certification
Earning the Cisco Certified Network Associate Routing and Switching (CCNA R&S) certification requires either the completion of two separate exams (the ICND1 100-105 and ICND2 200-105) or the completion of a single combined exam (the 200-125).

THE INTERCONNECTING CISCO NETWORK DEVICES 1 (ICND1) 100-105 EXAM
These ICND1 100-105 Course Notes focus on the content required to pass the first half of the CCNA R&S. Passing the ICND1 100-105 exam earns you the Cisco Certified Entry Networking Technician (CCENT) certification, so you can earn some credentials as you move towards achieving your CCNA R&S certification. Here's the breakdown of each technology section and the percentage of each topic on the 100-105 exam:

    Section 1.0 - Network Fundamentals          20%
    Section 2.0 - LAN Switching Fundamentals    26%
    Section 3.0 - Routing Fundamentals          25%
    Section 4.0 - Infrastructure Services       15%
    Section 5.0 - Infrastructure Maintenance    14%

How to use this book
Once you're comfortable with all of the sections in the official Cisco 100-105 exam objectives, you can use these notes as a consolidated summary of the most important topics. These Course Notes follow the same format and numbering scheme as the official exam objectives, so it should be easy to cross-reference these notes with all of your other study materials.
© 2017 Messer Studios, LLC
Professor Messer's Cisco CCENT/CCNA 100-105 ICND1 Course Notes - Page iv
http://www.ProfessorMesser.com
The 100-105 Cisco ICNDl Exam
• Exam time: 90 minutes
• 45 to 55 questions
• Scoring range between 300 and 1,000 points
• Passing score is given at the beginning of the exam

100-105 Exam Objectives
• 1.0 - Network Fundamentals (20%)
• 2.0 - LAN Switching Fundamentals (26%)
• 3.0 - Routing Fundamentals (25%)
• 4.0 - Infrastructure Services (15%)
• 5.0 - Infrastructure Maintenance (14%)
Introduction to the Cisco CLI

Command line interface
• Interface to IOS through a CLI
• Output at the top, typing at the bottom of the window
• Results appear as a list of scrollable text

How to connect
• Serial cable to a console interface
  • 9-pin serial connector, RJ45 connector, or USB interface
  • You might need a USB-to-serial adapter
• Telnet, SSH
  • Across the network

Console serial port settings
• Baud rate: the speed of the data (9600 baud)
• Data bits: 8
• Parity: None
• Stop bits: 1
• Flow control: None

EXEC modes
• User EXEC mode
  • Execute commands as a normal user
  • No configuration changes allowed
• Privileged EXEC mode
  • Enable mode
  • Initial login is to user mode; "enable" to enter privileged mode
  • "disable" to leave privileged mode
1.1 - Introduction to Ethernet

The Ethernet Frame

Field            | Bytes   | Description
Preamble         | 7       | Alternating ones and zeros used for synchronization (10101010...)
SFD              | 1       | Start Frame Delimiter; marks the start of the frame
Destination MAC  | 6       | Intended destination device
Source MAC       | 6       | Sending MAC address of the source device
EtherType        | 2       | Identifies the data contained in the payload
Payload          | 46-1500 | Layer 3 and higher
FCS              | 4       | Frame Check Sequence (CRC checksum)

Frame layout: Preamble | SFD | Destination MAC | Source MAC | Type | Payload | FCS
1.7 - Troubleshooting Methodologies

Fault isolation and documentation
• Identify where the problem might be
  • And where it is not
• Limit the scope and save time
  • Random guesses aren't efficient
• Documentation
  • We don't document enough
  • Someone may have done this before
  • Capture your unique local perspective

Resolve or escalate
• The clock is ticking
  • And time is almost always directly relatable to money
• You're looking for the root cause
  • Address the root cause and solve the issue
• What happens if the root cause can't be found?
  • Escalate to the next person/organization in the list
  • Your organization may have an escalation process
  • Balances time with money

Verify and monitor
• Does your proposed fix work?
  • Test and confirm
• Some fixes require ongoing monitoring
  • Intermittent issues
• Confirm the resolution
  • May take minutes, hours, or days
• Don't forget to document
  • It will save you next time
1.8 - IPv4 Addressing

IPv4 address classes

Class               | Leading bits    | Network bits | Host bits   | Number of networks | Hosts per network | Default subnet mask
Class A             | 0x (1-126)      | 8            | 24          | 126                | 16,777,214        | 255.0.0.0
Class B             | 10x (128-191)   | 16           | 16          | 16,384             | 65,534            | 255.255.0.0
Class C             | 110x (192-223)  | 24           | 8           | 2,097,152          | 254               | 255.255.255.0
Class D (multicast) | 1110 (224-239)  | Not defined  | Not defined | Not defined        | Not defined       | Not defined
Class E (reserved)  | 1111 (240-255)  | Not defined  | Not defined | Not defined        | Not defined       | Not defined

Default subnet masks in binary

Class A  255.0.0.0       11111111 00000000 00000000 00000000   Network (8)  | Host (24)
Class B  255.255.0.0     11111111 11111111 00000000 00000000   Network (16) | Host (16)
Class C  255.255.255.0   11111111 11111111 11111111 00000000   Network (24) | Host (8)
The construction of an IPv4 subnet
• Network address
  • The first IP address of a subnet
  • Set all host bits to 0 (0 decimal)
• First usable host address
  • One number higher than the network address
• Network broadcast address
  • The last IP address of a subnet
  • Set all host bits to 1 (255 decimal)
• Last usable host address
  • One number lower than the broadcast address
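As an added example (not from the Course Notes), the classful lookup and the subnet construction above in Python: the class comes from the leading bits of the first octet, and clearing or setting the host bits gives the network and broadcast addresses. The sample hosts 10.10.20.77 and 172.16.5.9 are constructed values.

```python
# Added example, not from the Course Notes. Classify an IPv4 address by its
# leading bits, then build the subnet from a host address and a dotted mask:
# host bits cleared -> network address, host bits set -> broadcast address,
# and the usable range sits between them. Sample addresses are constructed.
from __future__ import annotations


def ip_to_int(dotted: str) -> int:
    """Convert 'a.b.c.d' to a 32-bit integer, rejecting malformed octets."""
    octets = dotted.split(".")
    if len(octets) != 4 or not all(o.isdigit() and 0 <= int(o) <= 255 for o in octets):
        raise ValueError(f"not a dotted-quad IPv4 address: {dotted!r}")
    value = 0
    for octet in octets:
        value = (value << 8) | int(octet)
    return value


def int_to_ip(value: int) -> str:
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def address_class(dotted: str) -> tuple[str, str | None]:
    """Classful lookup from the leading bits of the first octet.

    Returns (class letter, default mask); classes D and E have no default mask.
    """
    first = ip_to_int(dotted) >> 24
    if first >> 7 == 0b0:        # 0xxxxxxx  (1-126; 0 and 127 are special cases)
        return "A", "255.0.0.0"
    if first >> 6 == 0b10:       # 10xxxxxx  (128-191)
        return "B", "255.255.0.0"
    if first >> 5 == 0b110:      # 110xxxxx  (192-223)
        return "C", "255.255.255.0"
    if first >> 4 == 0b1110:     # 1110xxxx  (224-239) multicast
        return "D", None
    return "E", None             # 1111xxxx  (240-255) reserved


def mask_prefix_length(mask: str) -> int:
    """Length of a dotted subnet mask; rejects non-contiguous masks such as 255.0.255.0."""
    m = ip_to_int(mask)
    ones = bin(m).count("1")
    if m != (0xFFFFFFFF << (32 - ones)) & 0xFFFFFFFF:
        raise ValueError(f"non-contiguous subnet mask: {mask}")
    return ones


def subnet_boundaries(address: str, mask: str) -> dict:
    """The four addresses the notes build a subnet from, plus the usable host count."""
    prefix = mask_prefix_length(mask)
    host_bits = 32 - prefix
    m = ip_to_int(mask)
    network = ip_to_int(address) & m              # all host bits -> 0
    broadcast = network | (~m & 0xFFFFFFFF)       # all host bits -> 1
    result = {
        "prefix": prefix,
        "network": int_to_ip(network),
        "broadcast": int_to_ip(broadcast),
        "first_usable": None,
        "last_usable": None,
        "usable_hosts": 0,
    }
    if host_bits >= 2:   # a /31 or /32 has no room for network + broadcast + hosts
        result["first_usable"] = int_to_ip(network + 1)
        result["last_usable"] = int_to_ip(broadcast - 1)
        result["usable_hosts"] = 2 ** host_bits - 2
    return result


if __name__ == "__main__":
    for host, mask in [("10.10.20.77", "255.255.255.0"), ("172.16.5.9", "255.255.255.192")]:
        print(host, address_class(host), subnet_boundaries(host, mask))
```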
1.14 - IPv6 Address Types (continued)

Link local
• Communicate on the local subnet
• Every IPv6 interface gets a local address
• fe80::/10
  • fe80 + 54 zero bits + 64-bit interface ID
  • Effectively becomes fe80::/64
• Routers won't forward these packets
  • Everything stays on the local network
• Used mostly for administrative purposes
  • Routing, Neighbor Discovery Protocol, etc.

Solicited-node multicast address
• Every device creates an IPv6 solicited-node multicast address
• Commonly used in NDP
• Uses FF02::1:FF00:0/104
  • FF02:0000:0000:0000:0000:0001:FFxx:xxxx, where xx:xxxx is the low-order 24 bits of the unicast address
• Local subnet
• Based on the IPv6 unicast address

Multicast
• Communicate to multiple devices simultaneously
  • Without communicating to everyone
• Multicast addresses start with 11111111
  • FF00::/8
• Commonly used for routing protocols
  • Only routers running that protocol will listen

Prefix  | Scope
ff02::  | Link-local: all devices on the local network segment
ff05::  | Site-local: all devices at the same physical location
ff08::  | Organization-local: all devices in the organization, across locations
ff0e::  | Global: IANA assigned

Modified EUI-64
• Use the MAC address to create a static IPv6 address
  • You just need the IPv6 prefix
• Add additional bits to the 48-bit MAC address to create a 64-bit EUI-64 address
  • Flip the 7th bit and add FFFE in the middle
• Easy to configure
  • Takes seconds
  • Always the same IPv6 address

Autoconfiguration
• Stateful autoconfiguration
  • DHCPv6
  • IP address settings are determined by the DHCP server
• Stateless address autoconfiguration (SLAAC)
  • Use NDP to determine the subnet prefix
  • Use the modified EUI-64 to complete the address
  • No server needed
• More: IPv6 Addressing with DHCP and SLAAC
• See more: Configuring IPv6 Addresses

Anycast
• Configure the same IPv6 anycast address on different devices
  • Looks like any other unicast address
• Packets sent to an anycast address are delivered to the closest interface

    Router1(config-if)#ipv6 address 2001:1:1:1::7/128 anycast

• Announce the same route out of multiple data centers
  • Clients use the data center closest to them
  • Anycast DNS
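As an added example (not from the Course Notes), the address derivations in this section in Python: the modified EUI-64 interface ID, the link-local and SLAAC addresses built from it, the solicited-node multicast address, and the multicast scope field behind the ff02/ff05/ff08/ff0e table. The MAC address 00:1a:2b:3c:4d:5e and the prefix 2001:db8:1:1::/64 are constructed values.

```python
# Added example, not from the Course Notes. Derive the IPv6 addresses the
# section describes from a MAC address and a prefix. The MAC 00:1a:2b:3c:4d:5e
# and the prefix 2001:db8:1:1::/64 are constructed sample values.
from __future__ import annotations
import ipaddress


def mac_to_bytes(mac: str) -> bytes:
    """Accept 00:1a:2b:3c:4d:5e, 00-1a-2b-3c-4d-5e, or Cisco 001a.2b3c.4d5e notation."""
    raw = bytes.fromhex(mac.replace(":", "").replace("-", "").replace(".", ""))
    if len(raw) != 6:
        raise ValueError(f"MAC address must be 48 bits: {mac!r}")
    return raw


def modified_eui64(mac: str) -> bytes:
    """48-bit MAC -> 64-bit interface ID: insert FFFE in the middle, flip the 7th bit (U/L bit)."""
    raw = mac_to_bytes(mac)
    iid = bytearray(raw[:3] + b"\xff\xfe" + raw[3:])
    iid[0] ^= 0x02                      # 7th bit of the first octet, counting from the left
    return bytes(iid)


def slaac_address(prefix: str, mac: str) -> str:
    """Combine a /64 prefix with the modified EUI-64 interface ID (what SLAAC produces)."""
    net = ipaddress.IPv6Network(prefix, strict=True)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 interface IDs need a /64 prefix")
    iid = int.from_bytes(modified_eui64(mac), "big")
    return str(ipaddress.IPv6Address(int(net.network_address) | iid))


def link_local_address(mac: str) -> str:
    """fe80::/10 with 54 zero bits, so effectively fe80::/64 + interface ID."""
    return slaac_address("fe80::/64", mac)


SOLICITED_NODE_PREFIX = int(ipaddress.IPv6Address("ff02::1:ff00:0"))


def solicited_node_multicast(unicast: str) -> str:
    """FF02::1:FFxx:xxxx, with xx:xxxx = low-order 24 bits of the unicast address."""
    low24 = int(ipaddress.IPv6Address(unicast)) & 0xFFFFFF
    return str(ipaddress.IPv6Address(SOLICITED_NODE_PREFIX | low24))


MULTICAST_SCOPES = {0x1: "interface-local", 0x2: "link-local", 0x5: "site-local",
                    0x8: "organization-local", 0xE: "global"}


def multicast_scope(address: str) -> str:
    """Read the 4-bit scope field of an ff00::/8 address (second hex digit after ff)."""
    addr = ipaddress.IPv6Address(address)
    if not addr.is_multicast:
        raise ValueError(f"{address} does not start with 11111111 (ff00::/8)")
    scope = (int(addr) >> 112) & 0xF
    return MULTICAST_SCOPES.get(scope, f"unassigned scope {scope:x}")


if __name__ == "__main__":
    mac = "00:1a:2b:3c:4d:5e"
    ll = link_local_address(mac)
    print("link-local     ", ll)
    print("SLAAC global   ", slaac_address("2001:db8:1:1::/64", mac))
    print("solicited-node ", solicited_node_multicast(ll), multicast_scope(solicited_node_multicast(ll)))
```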
2.5 - Configuring Interswitch Connectivity

802.1Q trunking
• Take a normal Ethernet frame
    Preamble | SFD | Destination MAC | Source MAC | Type | Payload | FCS
• Add a VLAN header in the frame
    Preamble | SFD | Destination MAC | Source MAC | VLAN | Type | Payload | FCS
• VLAN IDs - 12 bits long, 4,094 VLANs
  • "Normal range" 1 through 1005, "Extended range" 1006 through 4094
  • 0 and 4095 are reserved VLAN numbers
• Before 802.1Q there was ISL (Inter-Switch Link)
  • ISL is no longer used; everyone now uses the 802.1Q standard

The native VLAN
• This is different than the "default VLAN"
  • The default VLAN is the VLAN assigned to an interface by default
• Each trunk has a native VLAN
  • The native VLAN doesn't add an 802.1Q header
• The native VLAN connects switches without a tag
  • Some devices won't talk 802.1Q
  • Just use the native VLAN!
• Native VLAN should match between switches
  • You'll get a message if the VLAN IDs don't match

Trunk configuration
• Use switchport mode trunk
  • Configures a trunk to use all known VLANs
• Dynamic Trunking Protocol (DTP)
  • Automatically configures trunking parameters
• Define the type of trunk
  • IEEE 802.1Q, ISL, or negotiate
    Switch(config-if)#switchport trunk encapsulation {dot1q | isl | negotiate}
• Define the administrative mode
  • Do not trunk, always trunk, or negotiate a trunk

Switchport modes
• access
  • A non-trunked port
    Switch(config-if)#switchport mode access
• trunk
  • A trunk port
    Switch(config-if)#switchport mode trunk
• dynamic desirable
  • Initiates and responds to trunk negotiation messages
    Switch(config-if)#switchport mode dynamic desirable
• dynamic auto
  • Does not initiate but does respond to trunk negotiation messages
    Switch(config-if)#switchport mode dynamic auto
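As an added example (not from the Course Notes), inserting and stripping the 802.1Q tag described above, with the reserved and extended VLAN ranges enforced and a trunk's native-VLAN handling of untagged frames. The frame contents and the native VLAN 99 are constructed values.

```python
# Added example, not from the Course Notes. Insert and strip the 4-byte 802.1Q
# header between the Source MAC and the Type field, and classify a frame the
# way a trunk port does: tagged frames belong to the VLAN in the tag, untagged
# frames to the native VLAN. Frame bytes and VLAN numbers are constructed.
from __future__ import annotations
import struct

TPID_8021Q = 0x8100           # Tag Protocol Identifier that sits where the Type field was
VLAN_MIN, VLAN_MAX = 1, 4094  # 0 and 4095 are reserved
NORMAL_RANGE_MAX = 1005       # 1006-4094 is the extended range


def vlan_range(vlan_id: int) -> str:
    if vlan_id in (0, 4095):
        return "reserved"
    if VLAN_MIN <= vlan_id <= NORMAL_RANGE_MAX:
        return "normal"
    if NORMAL_RANGE_MAX < vlan_id <= VLAN_MAX:
        return "extended"
    raise ValueError(f"VLAN ID does not fit in 12 bits: {vlan_id}")


def tag_frame(frame: bytes, vlan_id: int, priority: int = 0) -> bytes:
    """Insert the 802.1Q header (TPID + TCI) after the 12 bytes of MAC addresses."""
    if vlan_range(vlan_id) == "reserved":
        raise ValueError(f"VLAN {vlan_id} is reserved and cannot be used in a tag")
    if not 0 <= priority <= 7:
        raise ValueError("priority (PCP) is a 3-bit field")
    tci = (priority << 13) | vlan_id          # PCP(3) | DEI(1)=0 | VLAN ID(12)
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def untag_frame(frame: bytes) -> tuple[int | None, bytes]:
    """Return (vlan_id, untagged frame); vlan_id is None when no 802.1Q tag is present."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    if struct.unpack("!H", frame[12:14])[0] != TPID_8021Q:
        return None, frame
    tci = struct.unpack("!H", frame[14:16])[0]
    return tci & 0x0FFF, frame[:12] + frame[16:]


def vlan_on_trunk(frame: bytes, native_vlan: int) -> int:
    """A trunk port's view: tagged frames carry their VLAN, untagged frames are the native VLAN."""
    vlan_id, _ = untag_frame(frame)
    return native_vlan if vlan_id is None else vlan_id


def build_frame(dst: str, src: str, ethertype: int, payload: bytes) -> bytes:
    """Untagged frame without preamble/SFD/FCS (the NIC adds and checks those)."""
    def mac(text: str) -> bytes:
        return bytes.fromhex(text.replace(":", ""))
    return mac(dst) + mac(src) + struct.pack("!H", ethertype) + payload


if __name__ == "__main__":
    plain = build_frame("ff:ff:ff:ff:ff:ff", "00:1a:2b:3c:4d:5e", 0x0806, b"\x00" * 28)
    tagged = tag_frame(plain, 10)
    print(len(plain), "->", len(tagged), "bytes; VLAN", untag_frame(tagged)[0], vlan_range(10))
    print("untagged frame on a trunk with native VLAN 99 ->", vlan_on_trunk(plain, 99))
```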
2.5 - Troubleshooting Interswitch Connectivity

Troubleshooting VLAN configurations
• Check VLAN assignments on the switch
  • This is one of the most common issues you'll find
• Check VLAN assignments between switches
  • This issue usually appears during initial configuration
• Verify the list of trunked VLANs
  • Create good documentation
• Check the dynamic trunk assignments
  • Another initial config gone wrong

Checking VLAN assignments
• List all VLANs and their associated interfaces
    Switch#show vlan
    Switch#show vlan brief
• List all interfaces associated with a specific VLAN
    Switch#show vlan id <vlan-id>
• View a specific interface VLAN configuration
    Switch#show interfaces <interface> switchport
• View a list of MAC addresses and their VLAN assignments
    Switch#show mac address-table

Dynamic trunking
• Both switches have to be configured with the right trunking mode
  • Don't configure dynamic trunking on one side and static on the other
• Don't configure both sides as dynamic auto
  • You'll end up with an access port with no trunking
  • It's not as "auto" as you might like
3.6 - IPv4 Static Routing

Host and network routes
• Static route next hop can be an IP address or interface
    Router1(config)#ip route 10.10.20.0 255.255.255.0 10.10.50.2
    Router1(config)#ip route 10.10.20.0 255.255.255.0 s0/3/0
• Destination is based on the most specific route
  • A mask of "all ones" is the most specific
• Route to a specific IP address/host
  • Use a mask of 255.255.255.255
    Router1(config)#ip route 10.10.20.3 255.255.255.255 10.10.50.2
    Router1#show ip route static
          10.0.0.0/8 is variably subnetted, 9 subnets, 2 masks
    S        10.10.20.0/24 is directly connected, Serial0/3/0
    S        10.10.20.3/32 [1/0] via 10.10.50.2

Next hop IP address vs. interface
• Static route to next hop IP address
  • Forwarding router needs the L2 address of the next hop IP address
  • ARP for 10.10.50.2, create the L2 frame, and send to the resolved MAC
• Static route to next hop interface
  • Forwarding router assumes the destination IP address is directly connected
  • ARP is sent for the destination IP address through the next hop interface
• Point-to-point connections
  • Use next hop interface or next hop IP address
• Multipoint connections
  • Use next hop IP address
    Router1(config)#ip route 10.10.20.0 255.255.255.0 10.10.50.2
    Router1(config)#ip route 10.10.20.0 255.255.255.0 s0/3/0

Populating a static route
• Static route with next hop interface
  • Interface has to be up/up
• Static route with next hop IP address
  • Must have a route to the IP address
• Without these, a route doesn't appear in the table
  • Never shows up
• Force a route to appear with the permanent keyword
    Router1(config)#ip route 10.10.20.3 255.255.255.255 S0/0/1 permanent
  • The interface or route still has to be available
  • The packets are dropped otherwise

Default routes
• A route when no other route matches
  • The "gateway of last resort"
• A remote site may have only one route
  • Go that way -> rest of the world
• Can dramatically simplify the routing process
• Works in conjunction with all other routing methods
    Router2#show ip route
    Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
           D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
           N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
           E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
           i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
           ia - IS-IS inter area, * - candidate default, U - per-user static route
           o - ODR, P - periodic downloaded static route
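As an added example (not from the Course Notes), a routing-table lookup that applies the most-specific-route rule above and falls back to the gateway of last resort when nothing else matches. The static routes are the ones from this section; the default route's next hop 10.10.50.1 and the sample destinations are constructed.

```python
# Added example, not from the Course Notes. Longest-prefix-match lookup over
# static routes entered in the IOS 'ip route <dest> <mask> <next-hop>' form,
# with 0.0.0.0/0 acting as the gateway of last resort. The default route's
# next hop 10.10.50.1 and the looked-up destinations are constructed values.
from __future__ import annotations
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Route:
    network: ipaddress.IPv4Network
    next_hop: str | None      # next hop IP address, or ...
    interface: str | None     # ... exit interface
    source: str = "S"         # route code as shown by 'show ip route'


class RoutingTable:
    def __init__(self) -> None:
        self.routes: list[Route] = []

    def ip_route(self, destination: str, mask: str, next_hop: str) -> None:
        """Mirror 'ip route <destination> <mask> <next-hop-ip | interface>'."""
        network = ipaddress.IPv4Network(f"{destination}/{mask}", strict=True)
        if next_hop[:1].isdigit():          # dotted address -> next hop IP
            self.routes.append(Route(network, next_hop, None))
        else:                               # anything else is an interface name
            self.routes.append(Route(network, None, next_hop))

    def lookup(self, destination: str) -> Route | None:
        """Longest prefix match; None means no route (the packet would be dropped)."""
        addr = ipaddress.IPv4Address(destination)
        candidates = [r for r in self.routes if addr in r.network]
        if not candidates:
            return None
        return max(candidates, key=lambda r: r.network.prefixlen)

    def gateway_of_last_resort(self) -> Route | None:
        return next((r for r in self.routes if r.network.prefixlen == 0), None)


def describe(route: Route | None) -> str:
    if route is None:
        return "no route: dropped"
    via = route.next_hop if route.next_hop else f"directly connected, {route.interface}"
    return f"{route.network} via {via}"


if __name__ == "__main__":
    rt = RoutingTable()
    rt.ip_route("10.10.20.0", "255.255.255.0", "10.10.50.2")     # network route
    rt.ip_route("10.10.20.3", "255.255.255.255", "10.10.50.2")   # host route (/32 wins)
    rt.ip_route("10.10.30.0", "255.255.255.0", "s0/3/0")         # next hop interface
    for dest in ("10.10.20.3", "10.10.20.50", "8.8.8.8"):
        print(dest, "->", describe(rt.lookup(dest)))
    rt.ip_route("0.0.0.0", "0.0.0.0", "10.10.50.1")              # default route (constructed)
    print("8.8.8.8 ->", describe(rt.lookup("8.8.8.8")))
```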
3.7 - An Overview of RIPv2

Dynamic routing protocols
• Listen for subnet information from other routers
  • Sent from router to router
• Provide subnet information to other routers
  • The other routers want what you know
• Determine the best path based on the gathered information
  • Every routing protocol has its own way of doing this
• When network changes occur, update the available routes
  • Different convergence process for every dynamic routing protocol

IGP (Interior Gateway Protocol)
• Used within a single autonomous system (AS)
  • Not intended to route between ASes
  • That's why there are Exterior Gateway Protocols (EGPs)
• IPv4 dynamic routing
  • OSPFv2 (Open Shortest Path First)
  • RIPv2 (Routing Information Protocol version 2)
  • EIGRP (Enhanced Interior Gateway Routing Protocol)
• IPv6 dynamic routing
  • OSPFv3
  • EIGRP for IPv6
  • RIPng (RIP next generation)

Which routing protocol to use?
• What exactly is a route?
  • Is it based on the state of the link?
  • Is it based on how far away it is?
• How does the protocol determine the best path?
  • Some formula is applied to the criteria to create a metric
  • Rank the routes from best to worst
• Recover after a change to the network
  • Convergence time can vary widely between routing protocols
• Standard or proprietary protocol?
  • OSPF and RIP are standards; basic functions of EIGRP are standard (RFC 7868)

Link state routing protocols
• Information passed between routers is related to the current connectivity
  • If it's up, you can get there.
  • If it's down, you can't.
• Consider the speed of the link
  • Faster is always better, right?
• Very scalable
  • Used most often in large networks
• OSPF, IS-IS
  • Large, scalable routing protocols

Distance-vector routing protocols
• Information passed between routers contains routing tables
  • How many "hops" away is another network?
  • The "deciding vector" is the "distance"
• Good for smaller networks
  • Doesn't always scale well to very large networks
• Usually automatic - very little configuration
• RIP, RIPv2, BGP
    Router1#debug ip rip
4.4 - Troubleshooting DHCP

Confirm your relay agent
• If the DHCP server isn't in your IP subnet, you need an ip helper-address
  • If the DHCP server is local, no relay is required
• Router-on-a-stick
  • Separate subnets
  • Need an ip helper-address on each subinterface
• Use show ip interface
  • Useful when you can't view the configuration

    Router2#show ip interface g0/0
    GigabitEthernet0/0 is up, line protocol is up (connected)
      Internet address is 10.10.30.1/24
      Broadcast address is 255.255.255.255
      Address determined by setup command
      MTU is 1500 bytes
      Helper address is 172.16.1.1
      Directed broadcast forwarding is disabled
      Outgoing access list is not set
      Inbound access list is not set
      Proxy ARP is enabled
      Security level is default
      Split horizon is enabled
      ICMP redirects are always sent

No DHCP addresses assigned
• The DHCP relay agent uses the relay interface IP address as the source IP address
  • The DHCP server compares the network configuration to the relay IP address
  • The subnet mask sets the range
• DHCP relay interface and DHCP pool network range must match
  • Without a match, an IP address is not offered
• If you have connectivity, then make the comparison
  • Check the ip helper-address interface
  • Compare it to the network configuration in the pool

DHCP addresses assigned with bad information
• It's easy to misconfigure a DHCP pool
  • So many configuration options
  • You may not have the right address information
• Incorrect DNS values
  • No name resolution, but IP works
• Incorrect default gateway assigned
  • Communicates to devices on the local subnet only
• TFTP address is incorrectly assigned
  • VoIP phone doesn't download a configuration file

It's always the network
• Centralized DHCP servers rely on a stable/valid network connection
  • You can't get an IP address unless there's a link
• Use ping and traceroute to validate the connection
  • The link between the DHCP relay interface and the ip helper-address

Between the DHCP server and the relay
• DHCP is all about broadcasts
  • 255.255.255.255 "all ones" broadcast
• Routers do not forward DHCP broadcast packets
  • Or any other broadcast packets

DHCP relay troubleshooting
• Confirm the ip helper-address interfaces and IP addresses
  • One wrong interface or address is fatal
• DHCP pool network configuration should match the relay interface IP
  • Check all pools' IP addresses and subnet masks
• Check the network between the DHCP server IP address and the DHCP relay IP address
  • Connectivity is critical
• Make sure the DHCP client is in a VLAN with an ip helper-address
  • Easy to be placed in the wrong VLAN
• Check the local LAN between the DHCP relay agent and the DHCP client
  • Broadcasts are very limiting
  • Basic connectivity is required
4.5 - Configuring NTP

NTP (Network Time Protocol)
• Switches, routers, firewalls, servers, workstations
  • Every device has its own clock
• Synchronizing the clocks becomes critical
  • Log files, authentication information, outage details
• Automatic updates
  • No flashing 12:00 lights
• Flexible control of how clocks are updated
• Very accurate
  • Accuracy is better than 1 millisecond on a local network
4.6 - Configuring Standard Numbered Access Lists

Standard numbered ACLs
• Standard ACL
  • Source IP address is the only criteria
• Standard numbered ACLs use access list numbers between 1-99 or 1300-1999
  • The gap is reserved for other protocols (AppleTalk, DECnet, IPX, etc.)
• Numbered ACL
  • ACLs are referenced by number instead of a name

ACL syntax
    Router(config)#access-list {1-99 | 1300-1999} {permit | deny} {source [source-wildcard] | any}
    Router(config)#access-list 1 deny 10.10.1.77
    Router(config)#access-list 1 permit any

Configuring standard numbered ACLs
• Choose router, interface, and direction
  • Put a standard ACL near the destination IP - prevents inadvertent discards
  • Use the source IP address; make sure to use the correct direction
• Create the ACLs using global configuration commands
  • Top-down matching; default is to deny if nothing else matches
• Add the ACL to the interface
    Router(config-if)#ip access-group 1 in
    Router(config-if)#ip access-group 2 out

Viewing ACL configuration information
• View all ACLs
    Router4#show access-lists
• Interface information shows which ingoing and outgoing ACLs are associated with the interface
    Router4#show ip interface <interface>

• Prevent Sam from accessing Jack's server
  • Pick a location closest to the destination
    Router4(config)#access-list 1 deny <Sam's IP address>
    Router4(config)#access-list 1 permit any
    Router4(config)#interface g0/0
    Router4(config-if)#ip access-group 1 {in | out}
4.6 - Configuring Extended Numbered Access Lists

Extended numbered access lists
• Similar to standard numbered ACLs
  • Top-down, first-match logic; ingress or egress filtering
• Now you'll have many more filtering options
  • Source IP address, destination IP address, protocol

IP header (each row is 4 bytes wide)
    Version | IHL | Type of Service | Total Length
    Identification | Flags | Fragment Offset
    Time to Live | Protocol | Header Checksum
    Source IP Address
    Destination IP Address
    Options and Padding

Extended numbered IPv4 ACL
• Syntax is similar to the standard numbered ACLs
  • Adds additional matching keywords
• Uses number ranges 100-199 and 2000-2699
• protocol - ip, tcp, udp, icmp
    Router(config)#access-list 101 deny icmp any any
• source_ip source_port dest_ip dest_port
    Router(config)#access-list 101 deny tcp 10.10.10.0 0.0.0.255 10.10.20.0 0.0.0.255 eq 80
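As an added example (not from the Course Notes), a top-down first-match evaluator for the standard and extended numbered ACL lines shown above, including wildcard-mask matching and the implicit deny at the end of every list. The ACL lines are the section's own; the packets tested against them are constructed.

```python
# Added example, not from the Course Notes. Evaluate standard and extended
# numbered ACL lines top-down, first match wins, implicit deny at the end.
# Wildcard masks follow IOS semantics: 0 bits must match, 1 bits are ignored.
# The packets (source, destination, protocol, port) are constructed values.
from __future__ import annotations
from dataclasses import dataclass


def ip_to_int(dotted: str) -> int:
    octets = [int(o) for o in dotted.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"bad IPv4 address {dotted!r}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Compare only the bits where the wildcard is 0 (0.0.0.255 checks the first three octets)."""
    care = ~ip_to_int(wildcard) & 0xFFFFFFFF
    return (ip_to_int(addr) & care) == (ip_to_int(base) & care)


@dataclass
class Ace:
    action: str                   # permit | deny
    protocol: str                 # ip | tcp | udp | icmp ('ip' for standard ACLs)
    src: str
    src_wc: str
    dst: str
    dst_wc: str
    dst_port: int | None          # from 'eq <port>'; None matches any port


ANY = ("0.0.0.0", "255.255.255.255")


def _parse_addr(tokens: list[str], i: int) -> tuple[tuple[str, str], int]:
    if tokens[i] == "any":
        return ANY, i + 1
    if tokens[i] == "host":
        return (tokens[i + 1], "0.0.0.0"), i + 2
    if i + 1 < len(tokens) and tokens[i + 1].count(".") == 3:   # explicit wildcard follows
        return (tokens[i], tokens[i + 1]), i + 2
    return (tokens[i], "0.0.0.0"), i + 1                         # bare address = one host


def parse_ace(line: str) -> Ace:
    """Parse 'access-list <n> <permit|deny> ...' in the standard or extended form."""
    t = line.split()
    if t[0] != "access-list":
        raise ValueError(f"not an access-list line: {line!r}")
    number, action = int(t[1]), t[2]
    standard = 1 <= number <= 99 or 1300 <= number <= 1999   # standard = source only
    protocol, i = ("ip", 3) if standard else (t[3], 4)
    (src, src_wc), i = _parse_addr(t, i)
    dst, dst_wc = ANY
    if not standard:
        (dst, dst_wc), i = _parse_addr(t, i)
    port = int(t[i + 1]) if i < len(t) and t[i] == "eq" else None
    return Ace(action, protocol, src, src_wc, dst, dst_wc, port)


def evaluate(acl: list[str], src: str, dst: str, protocol: str = "ip",
             dst_port: int | None = None) -> tuple[str, int | None]:
    """Return (action, 1-based line that matched); ('deny', None) is the implicit deny."""
    for lineno, line in enumerate(acl, start=1):
        ace = parse_ace(line)
        if ace.protocol != "ip" and ace.protocol != protocol:
            continue
        if not wildcard_match(src, ace.src, ace.src_wc):
            continue
        if not wildcard_match(dst, ace.dst, ace.dst_wc):
            continue
        if ace.dst_port is not None and ace.dst_port != dst_port:
            continue
        return ace.action, lineno
    return "deny", None


if __name__ == "__main__":
    standard_acl = ["access-list 1 deny 10.10.1.77", "access-list 1 permit any"]
    extended_acl = ["access-list 101 deny icmp any any",
                    "access-list 101 deny tcp 10.10.10.0 0.0.0.255 10.10.20.0 0.0.0.255 eq 80",
                    "access-list 101 permit ip any any"]
    print(evaluate(standard_acl, "10.10.1.77", "10.10.20.9"))
    print(evaluate(extended_acl, "10.10.10.5", "10.10.20.9", "tcp", 80))
```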
4.7 - Configuring Network Address Translation (continued)

    Router1#show ip nat statistics
    Total translations: 3 (0 static, 3 dynamic, 3 extended)
    Outside interfaces: Serial0/3/0
    Inside interfaces: GigabitEthernet0/0
    Hits: 68  Misses: 35
    Expired translations:
    Dynamic mappings:

Monitoring NAT overload/PAT translations

    Router1#show ip nat translations
    Pro Inside global        Inside local         Outside local        Outside global
    tcp 192.1.1.1:1024       10.10.20.5:1027      104.20.19.63:80      104.20.19.63:80
    tcp 192.1.1.1:1025       10.10.20.7:1027      104.20.19.63:80      104.20.19.63:80
    tcp 192.1.1.1:1027       10.10.20.1:1027      104.20.19.63:80      104.20.19.63:80
4.7 - Troubleshooting Network Address Translation

Troubleshooting best practices
• Check the ip nat inside and ip nat outside interface assignments
• Check the ACL used by dynamic NAT and PAT
• Check the NAT pool
• Check the translations with show ip nat statistics

Static NAT troubleshooting
• Check that each inside local address is mapped to the intended inside global address
    Router1(config)#interface g0/0
    Router1(config-if)#ip nat inside
    Router1(config-if)#interface s0/3/0
    Router1(config-if)#ip nat outside
    Router1(config-if)#exit
    Router1(config)#ip nat inside source static 10.10.20.10 192.1.1.10
    Router1(config)#ip nat inside source static 10.10.20.50 192.1.1.50
    Router1(config)#ip nat inside source static 10.10.20.70 192.1.1.70

Dynamic NAT ACL and pool
• The ACL defines which inside addresses are translated
• Verify the pool addresses and netmask
• Check with show ip nat statistics
    Router1(config)#interface g0/0
    Router1(config-if)#ip nat inside
    Router1(config-if)#interface s0/3/0
    Router1(config-if)#ip nat outside
    Router1(config-if)#exit
    Router1(config)#access-list 1 permit 10.10.20.0 0.0.0.255
    Router1(config)#ip nat pool midway 194.1.1.1 194.1.1.2 netmask 255.255.255.0
    Router1(config)#ip nat inside source list 1 pool midway

NAT overload / PAT troubleshooting
• No pool is needed; the outside interface address is used
• Verify the ACL and the overload keyword
    Router1(config)#interface g0/0
    Router1(config-if)#ip nat inside
    Router1(config-if)#interface s0/3/0
    Router1(config-if)#ip nat outside
    Router1(config-if)#exit
    Router1(config)#access-list 1 permit 10.10.20.0 0.0.0.255
    Router1(config)#ip nat inside source list 1 interface s0/3/0 overload
5.3 - Initial Device Configuration

Booting IOS
• Performs a POST
  • Power On Self Test
  • Basic hardware check
• Boots from ROM
  • Bootstrap program is copied into RAM
• Bootstrap boots an IOS image or ROM Monitor (ROMMON)
  • ROMMON is used for administrative and maintenance purposes
• IOS loads the startup-config file
  • Loaded into RAM as running-config
• No configuration file? No problem.
  • System Configuration Dialog (Setup Mode)
  • Menu-driven configuration on a new device
  • You don't have to use Setup Mode
  • Configure the device through the terminal

Initial device configuration
What you need
• Hostname
• Enable password
  • A less-secure version of the enable secret password
  • Remove it after configuring the device
• Enable secret password
  • Protects privileged EXEC and configuration modes
• Virtual terminal password
  • The password used when accessing the device over the network
• Configure SNMP management (yes or no)
• Physical interface for management
  • Need IP address and subnet mask
5.4 - Configuring IOS Passwords

Authenticating to IOS devices
• Most organizations will use an external AAA server
  • Authentication, Authorization, and Accounting
  • No passwords on the IOS device
• You might want a backup login
  • Just in case
  • Potential security concern
  • Store the passwords securely

User mode and privileged mode passwords
• Console password
  • Protects connections through the console port
• vty password
  • Protects connections through the virtual teletype port (telnet or SSH)
• Enable password
  • Prompts when entering enable mode
• If no passwords are configured, no passwords are required
  • A bad idea

Teletype lines
• Inbound connections are made over TTY lines
  • Many different TTY lines on an IOS device
• CTY - Console interface
• TTY - Asynchronous serial interfaces
• AUX - Auxiliary port
• VTY - Virtual teletype/virtual terminal
• View with show line

Configuring lines
• Console password
    Router1#configure terminal
    Enter configuration commands, one per line.  End with CNTL/Z.
    Router1(config)#line console 0
    Router1(config-line)#password <console-password>
    Router1(config-line)#login
• Telnet/SSH password
    Router1#configure terminal
    Enter configuration commands, one per line.  End with CNTL/Z.
    Router1(config)#line vty 0 4
    Router1(config-line)#password <vty-password>
    Router1(config-line)#login
• Enable/Privileged EXEC mode password
    Router1#configure terminal
    Enter configuration commands, one per line.  End with CNTL/Z.
    Router1(config)#enable secret <enable-secret>
5.6 - Logging at the Terminal (continued)

terminal monitor
• Monitor the logs over SSH sessions

    Router4#terminal monitor
    Router4#
    000078: Mar 7 20:58:18.303: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan2, changed state to down
    000079: Mar 7 20:58:19.327: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/2, changed state to down
    Router4#
    000080: Mar 7 20:58:20.342: %LINK-3-UPDOWN: Interface FastEthernet0/2, changed state to down
    Router4#
    000081: Mar 7 20:58:28.562: %LINK-3-UPDOWN: Interface FastEthernet0/2, changed state to up
    000082: Mar 7 20:58:29.569: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/2, changed state to up
    Router4#
    000083: Mar 7 20:58:56.656: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan2, changed state to up

show logging

    Router4#show logging
    Syslog logging: enabled (0 messages dropped, 0 messages rate-limited, 0 flushes, 0 overruns, xml disabled, filtering disabled)

    No Active Message Discriminator.
    No Inactive Message Discriminator.

        Console logging: level debugging, 83 messages logged, xml disabled, filtering disabled
        Monitor logging: level debugging, 6 messages logged, xml disabled, filtering disabled
            Logging to: vty(6)
        Buffer logging:  level debugging, 83 messages logged, xml disabled, filtering disabled
        Exception Logging: size (4096 bytes)
        Count and timestamp logging messages: disabled
        File logging: disabled
        Persistent logging: disabled

    No active filter modules.

        Trap logging: level informational, 87 message lines logged
            Logging Source-Interface:       VRF Name:

    Log Buffer (4096 bytes):

Severity levels
• Logging levels can be individually configured
  • Each service can have its own verbosity
• Messages are displayed for that level and lower (more severe)
• Console messages: logging console 7
• Monitor messages: logging monitor 6
• Internal buffer messages: logging buffered 4
• Syslog: logging trap 6

Level | Name
0     | Emergency
1     | Alert
2     | Critical
3     | Error
4     | Warning
5     | Notification
6     | Informational
7     | Debugging

Debugging features
• Most IOS processes
  • Many different debug options
• Debug with caution
  • Uses additional resources
  • Make sure you have the overhead
    Router4#show processes
• If you're connecting over SSH, be sure to enable logging
    Router4#terminal monitor
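As an added example (not from the Course Notes), parsing IOS log lines of the form shown above into facility, severity and mnemonic, and working out which destinations would record each message under the levels on this page (logging console 7, monitor 6, buffered 4, trap 6). The sample lines, including the %SYS-5-CONFIG_I one, are constructed to match that format.

```python
# Added example, not from the Course Notes. Parse IOS log lines of the form
# '<seq>: <timestamp>: %FACILITY-SEVERITY-MNEMONIC: text' and decide which
# logging destinations receive each message: a destination configured at
# level N records severity N and lower (more severe). Sample lines are
# constructed in the format of the terminal monitor output above.
from __future__ import annotations
import re

SEVERITY_NAMES = {0: "emergency", 1: "alert", 2: "critical", 3: "error",
                  4: "warning", 5: "notification", 6: "informational", 7: "debugging"}

# The levels from the section: logging console 7, monitor 6, buffered 4, trap 6
LOGGING_LEVELS = {"console": 7, "monitor": 6, "buffered": 4, "trap": 6}

IOS_LOG_RE = re.compile(
    r"^(?:(?P<seq>\d+): )?"                                                   # optional sequence number
    r"(?P<timestamp>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d(?:\.\d{3})?): "    # e.g. Mar 7 20:58:18.303
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+): "
    r"(?P<text>.*)$"
)


def parse_ios_log(line: str) -> dict | None:
    """Return the fields of one IOS log line, or None when the line is not a log message."""
    m = IOS_LOG_RE.match(line.strip())
    if not m:
        return None
    fields = m.groupdict()
    fields["severity"] = int(fields["severity"])
    fields["severity_name"] = SEVERITY_NAMES[fields["severity"]]
    return fields


def destinations_for(severity: int, levels: dict[str, int] = LOGGING_LEVELS) -> list[str]:
    """Destinations whose configured level is at least this message's severity number."""
    return sorted(name for name, level in levels.items() if severity <= level)


def route_messages(lines: list[str], levels: dict[str, int] = LOGGING_LEVELS) -> dict[str, list[str]]:
    """Map each destination to the sequence numbers it would log; prompts and noise are skipped."""
    delivered: dict[str, list[str]] = {name: [] for name in levels}
    for line in lines:
        msg = parse_ios_log(line)
        if msg is None:
            continue
        for dest in destinations_for(msg["severity"], levels):
            delivered[dest].append(msg["seq"] or msg["mnemonic"])
    return delivered


SAMPLE_LINES = [   # constructed sample, in the format of the terminal monitor output above
    "Router4#",
    "000078: Mar 7 20:58:18.303: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan2, changed state to down",
    "000080: Mar 7 20:58:20.342: %LINK-3-UPDOWN: Interface FastEthernet0/2, changed state to down",
    "000081: Mar 7 20:58:28.562: %LINK-3-UPDOWN: Interface FastEthernet0/2, changed state to up",
    "000084: Mar 7 21:02:11.010: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.10.30.7)",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        msg = parse_ios_log(line)
        if msg:
            print(msg["seq"], msg["facility"], msg["severity_name"], "->", destinations_for(msg["severity"]))
    print(route_messages(SAMPLE_LINES))
```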
Thank you for viewing this sample of my ICND1 Course Notes. Good studies! http://www.professormesser.com/icnd1