Table of Contents PART I - Routing

Transcription

1

2 Table of Contents Preface Using the Book Connecting to the Cisco Device For Windows For Linux PART I - Routing Learning the Basics Command Modes Saving Configurations Show Commands for Information Gathering Setting Hostname Configuring an Ethernet Interface Assigning an IP Address Interface Speed and Duplex Subinterfaces Remote Management Enabling Telnet Enabling SSH Annoying IOS Features Asynchronous Logging IP Domain-lookup User Accounts and Banners

3 Creating a Local User Account Service Password-Encryption Setting Enable Secret Creating Login and MOTD Banners Static Routing Next-hop Method Exit Interface Method Assigning IP Default Gateway Show Commands RIP Starting RIP Routing Instance Announcing Networks Optional Tweaks Show Commands Debugging What to Keep in Mind RIP Configuration Sample OSPF Starting OSPF Routing Instance Announcing Networks Optional Tweaks Show Commands Debugging What to Keep in Mind

4 OSPF Configuration Sample EIGRP Starting EIGRP Routing Instance Announcing Networks Optional Tweaks Show Commands Debugging What to Keep in Mind EIGRP Configuration Sample IP Access Control List Creating and Applying a Standard ACL Creating and Applying an Extended ACL Removing Specific Rules in an ACL Show Commands Address Translation (NAT) PAT Static NAT Dynamic NAT Show Commands Debugging Connecting to WAN Configuring a Serial Interface HDLC PPP

5 Frame Relay DHCP Enabling DHCP Service Defining a DHCP Pool Excluding IP Addresses From the Leased Range Show Commands Debugging Managing Configurations and Software Backing Up Configuration Restoring Configuration Upgrading IOS Software Activating IOS Software Resetting Configuration to Factory Defaults PART II Switching It s The Same as on Routers VLAN Creating VLANs Configuring an Access Interface Show Commands VLAN Configuration Sample Assigning a Management IP Address MAC Address Table Clearing MAC Address Entries Static MAC Address

6 Show Commands Port Security Limiting Permitted MAC Address Entries Show Commands IEEE 802.1q Trunk Encapsulation Setting Interface Trunk Encapsulation Method Setting Interface Operation Mode to Trunk Native VLAN (Untagged) Limiting Permitted VLANs IEEE 802.1q Configuration Sample VLAN Trunking Protocol (VTP) VTP Domain Operation Modes VTP Pruning Show Commands VTP Configuration Sample Dynamic Trunking Protocol (DTP) EtherChannel EtherChannel Interface Modes and Protocols Static EtherChannel LACP PAgP Show Commands Debugging

7 EtherChannel Configuration Sample Spanning-Tree Protocol (STP) Enabling and Disabling Spanning-Tree Primary Root Secondary Root Port Priority Portfast Uplinkfast BPDU Guard Spanning-Tree Operation Mode Show Commands Debugging Spanning-Tree Configuration Sample Inter VLAN Routing Configuring Router Subinterfaces Configuring a Switch Uplink Interface Inter VLAN Routing Configuration Sample

8 Preface My primary concern in writing this book has been to get you started with Cisco routers and switches in the fastest time possible. It is a simple and practical foundation, from which you can begin to explore further if you wish to become a network engineer. Actual network management skills can be obtained by troubleshooting or configuring. There s not much you can do with your knowledge of networking concepts if you are not comfortable with the command line interface. What can you expect of this book? 1. Easy to follow configuration instructions. 2. No pages dedicated to theory. 3. Nothing beyond what you must know for the CCNA R&S exam. Using the Book The purpose of this section is to let you know how to read and use the book to your best advantage. 1. It s a reference, not a novel. You ll be given samples of configurations that you need to adjust to meet the needs of your network.

9 2. All commands that need to be typed into the terminal are formatted like this: Router(config)# hostname gateway 3. Below each command is a line explaining what it does: Router(config)# hostname gateway Sets router hostname to "gateway". 4. Notes are used to explain default characteristics of Cisco IOS in a given scenario, or to give you useful hints: Note: Administratively down is the default state of all Ethernet and Serial interfaces on Cisco routers. 5. Quotes under chapter titles are only there for entertainment. Don t take them seriously. 6. This book does not cover theory, and has a heavy focus on configuration. If you ever get stuck with what a term means, just Google it!

10 Connecting to the Cisco Device Most of the Cisco enterprise-class network equipment doesn t ship with a default IP address. The easiest way to apply initial configuration is to connect to your device using the Console port. Depending on the particular device model, it may be located on the front or back side. What will you need? 1. A serial cable. 2. (Windows) Virtual terminal software, such as Putty. 3. (Linux) A program called cu, which you can run inside the Linux terminal. For Windows This sample covers connecting to a Cisco device using Windows 7. Step 1: Install Putty (free software) 1. Download software at 2. Execute installer and follow instructions Step 2: Identify COM port number 1. Go to Device Manager 2. Select "View" from the upper menu, then click on "Show Hidden Devices" 3. Now expand the COM ports section. You will see the list of all active COM ports.

11 Step 3: Connect to your device In my case, the relevant COM port number was 3, and the full port label is "COM3". 1. Open Putty 2. Select Serial as the connection type 3. Enter your COM port number in the Serial line field 4. Click open You re done! Would you like to enter the initial configuration dialog? [yes/no]: no Router> For Linux This sample covers connecting to a Cisco device using Debian-based Linux distributions, such as Ubuntu. Step 1: Install cu (free software) user@linux~# sudo apt-get install cu Downloads and prompts to install cu, a common program. Step 2: Identify TTY number

12 If you are using a serial-to-usb adapter: user@linux~# cd /dev/ ls l grep ttyusb Navigates to the /dev/ directory and lists all teletype terminals (TTY) that have ttyusb included in the name. If you are using an old-fashioned COM port: user@linux~# cd /dev/ ls l grep ttys Navigates to the /dev/ directory and lists all teletype terminals (TTY) that have ttys included in the name. Step 3: Connect to your device In my case, the relevant TTY number was 0, and the full TTY label was ttyusb0. user@linux~# cu /dev/ttyusb0 s 9600 Cu starts emulating a Cisco terminal inside your Linux terminal. The parameter s specifies the line speed; 9600 is supported by most devices, and you really don t need more to apply the initial configuration. You re done! Would you like to enter the initial configuration dialog? [yes/no]: no Router> Note to VirtualBox users:

13 You might be unable to identify your COM/TTY number, because the VirtualBox host has ownership of the serial cable hardware. For instance, serial-to-usb adapters can t be shared by the host and guest systems at the same time. You can give the hardware ownership to the VirtualBox guest from the Devices submenu.

14 Part I Routing

15 Learning the Basics Would you like to enter the initial configuration dialog? [yes/no]: - Where am I? Command Modes Cisco IOS has three main command modes user EXEC, privileged EXEC and global configuration. Each command mode has its own set of commands for specific purposes.you ll start at user EXEC mode. User execution mode Some verification and troubleshooting commands are available. Often used by 1st level helpdesk personnel. You can identify user execution mode by the following prompt: Router> There s not much to do in this command mode for a network administrator, elevate to next

16 command mode by typing in enable command: Router> enable Moves to privileged execution mode. Privileged execution mode All verification and troubleshooting commands are available. Used by network administrators. The greater than prompt changes to hash: Router# If you are looking to verify or troubleshoot something, you ll find all the necessary commands available in this command mode. If you are looking to apply a configuration change, then elevate to the global configuration mode. Router# configure terminal Moves to global configuration mode. Global configuration mode Majority of configuration changes are applied here. Entering this command mode requires user to be in privileged execution mode, there are no shortcuts.

17 You can easily tell if you are in global configuration mode by the following prompt: Router(config)# This concludes the three main command modes of Cisco IOS. Type in exit or end, to move back to privileged execution mode: Router(config)# exit Moves back to privileged EXEC mode. Saving Configurations When you make a configuration change it s only the running-config (contents of DRAM) that gets updated. All configuration changes are lost in case of power outages or system reboots unless changes were also written to startup-config (NVRAM). For saving configurations navigate to privileged execution mode and use one of the commands below: Router# write memory Building configuration... [OK] Or Router# copy running-config startup-config Building configuration...

18 [OK] Both of these commands copy contents of running-config to NVRAM. There s no functional difference. Show Commands for Information Gathering Show commands help you verify configurations and troubleshoot. Some of them are listed below. Router> enable Navigates to privileged execution mode. Router# show interfaces description Lists all interfaces and their descriptions. Router# show interfaces summary Shows counter summary on all interfaces. Router# show ip interface brief Lists all interfaces and IP address information. Router# show interface gigabitethernet 0/1 Shows counter summary and status of the interface specified. Router# show running-config interface gigabitethernet 0/1 Shows configuration of the interface specified. Router# show version Shows brief system hardware information, including IOS version and configuration register

19 value. Router# show cdp neighbors detail Shows detailed information of neighboring devices that have Cisco Discovery Protocol enabled. Setting Hostname Let s take a look at how you can apply your very first configuration change. You can change the router hostname in global configuration mode. Router> enable Navigates to privileged execution mode. Router# configure terminal Navigates to global configuration mode. Router(config)# hostname CupOfTea Sets router hostname to CupOfTea. Terminal prompt will change: CupOfTea(config)# Starting to feel like a network engineer already? Don t forget to save the configuration! CupOfTea(config)# exit Navigates back to privileged execution mode. CupOfTea# write memory

20 Saves changes to NVRAM.

21 Configuring an Ethernet Interface Easy! Just use the no shut command. If the interface still doesn t come up try to reboot the router. Assigning an IP Address Router# show ip interface brief Lists all available interfaces on the router. In this sample we re going to modify configuration of the gigabitethernet 0/0 interface. Router# configure terminal Moves to global configuration mode. Router(config)# interface gigabitethernet 0/0 Moves to interface configuration mode. Router(config-if)# ip address Sets IPv4 address and network mask. Router(config-if)# ipv6 address 2001:0db8:3c4d:0015:0011:0000:abcd:ed1a/64 Sets IPv6 address and network mask. Router(config-if)# no shutdown Enables the interface. Note: Administratively down is the default state of all Ethernet interfaces on Cisco routers.

22 Interface Speed and Duplex According to best practice it s recommended to only change interface speed and duplex settings if you suspect that there might be a problem with auto negotiation. By default all Ethernet interfaces are configured with auto negotiation setting for interface speed and duplex. Router# show interface gigabitethernet 0/0 Shows interface speed and duplex settings. Router# configure terminal Moves to global configuration mode. Router(config)# interface gigabitethernet 0/0 Moves to interface configuration mode. Router(config-if)# speed auto Enables speed auto-negotiation. This is default setting. Router(config-if)# speed 1000 Forces interface into 1000Mbit/s operation mode. Router(config-if)# speed 100 Forces interface into 100Mbit/s operation mode. Router(config-if)# duplex auto Enables duplex auto-negotiation. This is default setting. Router(config-if)# duplex full Forces interface into full duplex operation mode. Router(config-if)# duplex half

23 Forces interface into half duplex operation mode. Subinterfaces One physical interface can be divided into multiple virtual interfaces. Router# show ip interface brief Lists all available interfaces on your router (including subinterfaces). Router# configure terminal Moves to global configuration mode. Router(config)# interface gigabitethernet 0/0.1 Creates subinterface (.1) on gigabitethernet 0/0 and moves to subinterface configuration mode. Router(config-subif)# ip address Assigns IPv4 address and network mask. Router(config-subif)# encapsulation dot1q 1 Assigns subinterface to VLAN1 broadcast domain. Sets VLAN encapsulation method to dot1q. Router(config-subif)# exit Moves back to global configuration mode. Router(config)# interface gigabitethernet 0/0.2 Creates another subinterface (.2) on gigabitethernet 0/0 and moves to subinterface configuration mode. Router(config-subif)# ip address

24 Assigns IPv4 address and network mask. Router(config-subif)# encapsulation dot1q 2 Assigns subinterface to VLAN2 broadcast domain. Sets VLAN encapsulation method to dot1q.

25 Remote Management This chapter teaches you how to enable Telnet and SSH protocols. Enabling Telnet Telnet enables you to remotely manage router. It s unencrypted and not very secure; the reason it s still being used is that not all devices support SSH. Note: Telnet sessions are prohibited by default. Without vty password configured you ll notice a following message, when you attempt to log in to your router, using Telnet: Password required, but none set. Configuring vty password: Router(config)# line vty 0 4 Enters into vty line configuration mode for lines 0-4. Router(config-line)# password cookie Sets password to cookie on vty lines 0,1,2,3 and 4. Router(config-line)# login Enables vty password authentication. Enabling SSH

26 If your device also supports SSH it s recommended that you use it instead of Telnet for remote management. As a first step you must create RSA crypto key pairs. Note: RSA crypto keys are non-exportable on Cisco routers and switches. Router(config)# crypto key generate rsa The name for the keys: MyRSA-Keys How many bits in the modulus: 1024 Generates RSA crypto key pairs. These will be used for SSH encryption. Router(config)# ip ssh version 2 Enables SSH version 2. Router(config)# line vty 0 4 Enters into vty line configuration mode for lines 0-4. Router(config-line)# password cookie Sets password to cookie on vty lines 0,1,2,3 and 4. Router(config-line)# login Enables vty password authentication. Optional: Prohibit Telnet and permit only SSH Router(config)# line vty 0 4

27 Enters into vty line configuration mode for lines 0-4. Router(config-line)# transport input ssh Permits remote management over vty lines 0 4 only via SSH protocol.

28 Asynchronous Logging Annoying IOS Features What? Nothing about Cisco IOS is annoying! Log messages are informative, but by default they come with an annoying flaw. If log event occurs it generates a new line in the command prompt, but doesn t include an ending line break after the message itself. Refer to the examples below. Let s say you re working on something and the command you re trying to execute is write memory. While at the middle of typing a log event occurs. Log event with asynchronous logging: Router# write me %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/0, changed state to upmory - Notice the last 4 letters ( mory ) of your command are now at the end of log event message. Log event without asynchronous logging: Router# write me %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/0, changed state to up Router# write memory

29 - Your input remains on the same line. Configuring synchronous logging: Router(config)# line vty 0 4 Enters into line configuration mode for VTY lines 0-4. Router(config-line)# logging synchronous Forces a line break after log event. Router(config-line)# exit Moves back to global configuration mode. Router(config)# line console 0 Enters into line configuration mode for console line 0. Router(config-line)# logging synchronous Forces a line break after log event. IP Domain-lookup If you make a mistake when typing in commands IOS first tries to resolve input as a hostname. This causes excessive delays and makes you wonder if the router is having performance issues. Router(config)# no ip domain-lookup Disables IP domain-lookup feature.

30 User Accounts and Banners Welcome! This is the primary router: rtr-01. You can log in with password Cisco. Password: Creating a Local User Account Router(config)# username joe privilege 15 secret joe Creates a local user joe with full rights to all command modes. Users secret password is set to joe. Router(config)# username joe privilege 15 password joe Same as above but password is saved to configuration in plain-text, unless passwordencryption feature is globally enabled. Privilege level: Valid values are from 0 to 15. Higher value means more access. Service Password-Encryption Router(config)# service password-encryption Encrypts all system passwords.

31 Password-encryption feature: Globally encrypts all the passwords that would otherwise be added to configuration files in plain-text. Setting Enable Secret Router(config)# enable secret cookie Protects access to privileged exec mode with secret passphrase cookie. Creating Login and MOTD Banners Banners serve informational purpose. You can send out a warning to all unauthorized folks attempting to access your device by configuring a login banner. With a MOTD banner you can share operational information with your colleagues. Router(config)# banner login * This router belongs to company X. Unauthorized use is strictly prohibited. * Sets a login message that is displayed before user authentication. Router(config)# banner motd * Due to service migrations please do not apply any changes from 25.th to 27.th July. * Sets a welcome message that is displayed after successful user authentication. Message separator: You may use any special character as a message separator instead of asterisk (*). Requirement is that the same special character must not be used inside the message itself.

32 Static Routing This chapter teaches you how to create static routes. There are 2 methods for creating a static route next-hop or exit interface. Use the method you prefer. Next-hop Method Router(config)# ip route Specifies that to get to /24 network next-hop to take is Router(config)# ipv6 route 2001:0db8:3c4d::/ :0db8:3c99:1111:2222:3333:4444:aaa1/64 Specifies that to get to 2001:0db8:3c4d::/64 network next-hop to take is 2001:0db8:3c99:1111:2222:3333:4444:aaa1/64 Exit Interface Method Router(config)# ip route gigabitethernet 0/0 Specifies that to get to /24 network packets must be sent out of the gigabitethernet 0/0 interface. Router(config)# ipv6 route 2001:0db8:3c4d::/64 gigabitethernet 0/0 Specifies that to get to 2001:0db8:3c4d::/64 network packets must be sent out of the gigabitethernet 0/0 interface. Assigning IP Default Gateway IP packets with destinations that don t match any of the specified static or dynamically learned routes will be forwarded to default gateway. Destination address of a default route is /0 in IPv4 and ::/0 in IPv6.

33 Router(config)# ip default-gateway Sets IPv4 default gateway to Router(config)# ipv6 route ::/0 2001:0db8:3c99:1111:2222::1/64 Sets IPv6 default gateway to 2001:0db8:3c99:1111:2222::1/64 Show Commands Router# show ip route static Shows all IPv4 static routes. Router# show ip route Shows full IPv4 routing table. Router# show ipv6 static Shows all IPv6 static routes. Router# show ipv6 route Shows full IPv6 routing table.

34 RIP This chapter teaches you how to configure RIP protocol. Starting RIP Routing Instance Router(config)# router rip Starts RIP routing instance and moves to RIP configuration mode. Router(config-router)# version 2 Sets RIP version to 2. Note: Try to avoid using RIPv1 whenever possible. Announcing Networks Router(config)# router rip Starts RIP routing instance and moves to RIP configuration mode. Router(config-router)# version 2 Sets RIP version to 2. Router(config-router)# network Announces network as directly connected. Note: By default all the RIP-announced networks are summarized to their classful boundaries. In this case our network will be seen as a /24 (class C) network. But what if we wanted to announce /25 instead?

35 To announce more specific networks via RIP protocol this auto-summarization process must be stopped. Router(config-router)# no auto-summary Disables auto summarization. Although this command also works in RIPv1 it only has intended effect in RIPv2. Note: With auto-summary feature disabled RIP subnet masks are based on the interface configurations. Router(config)# interface gigabitethernet 0/1 Moves to interface configuration mode. Router(config-if)# ip address Sets IPv4 address and network mask. Router(config-if)# no shutdown Enables the interface. Note: At this point the RIP announcement of /25 network should work as expected. Optional Tweaks Router(router-config)# distance 90 Adjusts administrative distance from 120 (default) to 90. Possible values are from 1 to 255. Router(config-router)# no auto-summary Disables auto summarization to classful boundaries (enabled by default).

36 Router(config-router)# auto-summary Enables auto summarization. Router(config-router)# no ip split-horizon Disables IP split-horizon (enabled by default). Router(config-router)# ip split-horizon Re enables IP split-horizon. Router(config-router)# passive interface gigabitethernet 0/0 Sets interface Gi0/0 into passive state. RIP announcements will not be sent out of this interface anymore. Show Commands Router# show ip rip Shows brief overview of RIP routing processes. Router# show ip route rip Shows all routes learned from RIP protocol. Router# show ip rip neighbors Shows all RIP neighbors and their states. Router# show ip rip database Shows IPv4 RIP database Debugging Router# debug ip rip events Displays all RIP events. Router# debug ip rip database

37 Displays RIP database events. Router# debug ip rip bfd Displays RIP bfd events. Router# undebug all Stops all debugging events. What to Keep in Mind RIP has default administrative distance of 120. RIP is a distance-vector routing protocol. RIP maximum hop count is 15. RIP Configuration Sample Objective

38 Configure RIP routings so that all routers know about all the networks. Step 1: Configure the interfaces #R-one R-one(config)# interface gigabitethernet 0/0 Moves to interface configuration mode. R-one(config-if)# ip address Sets IPv4 address and network mask. R-one(config-if)# no shutdown Enables the interface. #R-two R-two(config)# interface gigabitethernet 0/0 Moves to interface configuration mode. R-two(config-if)# ip address Sets IPv4 address and network mask. R-two(config-if)# no shutdown Enables the interface. R-two(config)# interface gigabitethernet 0/1 Moves to interface configuration mode. R-two(config-if)# ip address

39 Sets IPv4 address and network mask. R-two(config-if)# no shutdown Enables the interface. #R-three R-three(config)# interface gigabitethernet 0/0 Moves to interface configuration mode. R-three(config-if)# ip address Sets IPv4 address and network mask. R-three(config-if)# no shutdown Enables the interface. Step 2: Configure RIP #R-one R-one(config)# router rip Starts RIP routing instance. Moves to RIP configuration mode. R-one(config-router)# version 2 Sets RIP version to 2. R-one(config-router)# no auto-summary Disables auto summarization.

40 R-one(config-router)# network Announces network /30 as directly connected. #R-two R-two(config)# router rip Starts RIP routing instance. Moves to RIP configuration mode. R-two(config-router)# version 2 Sets RIP version to 2. R-two(config-router)# no auto-summary Disables auto summarization. R-two(config-router)# network Announces network /30 as directly connected. R-two(config-router)# network Announces network /30 as directly connected. #R-three R-three(config)# router rip Starts RIP routing instance. Moves to RIP configuration mode. R-three(config-router)# version 2 Sets RIP version to 2. R-three(config-router)# no auto-summary Disables auto summarization.

41 R-three(config-router)# network Announces network /30 as directly connected.

42 OSPF Better than EIGRP, because it s not Cisco proprietary. Starting OSPF Routing Instance Every routing instance of OSPF must be assigned the process ID number. The process ID number is only locally significant and nothing happens if other routers use different process ID numbers. Router(config)# router ospf 1 Starts OSPF routing instance with process ID set to 1. Moves to OSPF configuration mode. Announcing Networks In OSPF the announced network must be associated with an area type. We re just going to stick to area 0, which represents the core or backbone area. Unlike regular subnet mask the network size of announced networks in OSPF must be defined by wildcard mask (reverse bits). Router(config)# router ospf 1 Starts OSPF routing instance with process ID set to 1. Moves to OSPF configuration mode. Router(config-router)# network area 0 Announces network /8 as directly connected in OSPF area 0.

43 Router(config-router)# network area 0 Announces network /16 as directly connected in OSPF area 0. Optional Tweaks Router(router-config)# distance 100 Sets administrative distance to 100. Possible values are from 1 to 255. Router(router-config)# event-log size 100 Sets event log cap to 100. Router(router-config)# neighbor Manually sets as an OSPF neighbor. Router(config-router)# passive interface gigabitethernet 0/0 Prevents OSPF updates to be sent out of Gi0/0 interface. Show Commands Router# show ip ospf Shows brief overview of OSPF routing processes. Router# show ip route ospf Shows all routes learned from OSPF protocol. Router# show ip ospf neighbor Shows all OSPF neighbors and their states. Router# show ip ospf interface gigabitethernet 0/0 Shows ospf information on Gi0/0 interface.

44 Debugging Router# debug ip ospf events Displays all OSPF events. Router# debug ip ospf adj Displays OSPF adjacency and neighbor state changes. Router# debug ip ospf hello Displays all OSPF hello messages. Router# undebug all Stops all debugging events. What to Keep in Mind OSPF default administrative distance is 110. OSPF is a link-state routing protocol that operates within a single AS. OSPF area 0 is also known as the core area. OSPF Configuration Sample

45 Objective Configure OSPF routings so that all routers know about all the networks. Step 1: Configure the interfaces #Router1 Router1(config)# interface gigabitethernet 0/0 Moves to interface configuration mode. Router1(config-if)# ip address Sets IPv4 address and network mask. Router1(config-if)# no shutdown Enables the interface. Router1(config-if)# exit

46 Moves back to global configuration mode. Router1(config)# interface gigabitethernet 0/1 Moves to interface configuration mode. Router1(config-if)# ip address Sets IPv4 address and network mask. Router1(config-if)# no shutdown Enables the interface. #Router2 Router2(config)# interface gigabitethernet 0/0 Moves to interface configuration mode. Router2(config-if)# ip address Sets IPv4 address and network mask. Router2(config-if)# no shutdown Enables the interface. Router2(config-if)# exit Moves back to global configuration mode. Router2(config)# interface gigabitethernet 0/1 Moves to interface configuration mode. Router2(config-if)# ip address Sets IPv4 address and network mask. Router2(config-if)# no shutdown

47 Enables the interface. #Router3 Router3(config)# interface gigabitethernet 0/0 Moves to interface configuration mode. Router3(config-if)# ip address Sets IPv4 address and network mask. Router3(config-if)# no shutdown Enables the interface. Router3(config-if)# exit Moves back to global configuration mode. Router3(config)# interface gigabitethernet 0/1 Moves to interface configuration mode. Router3(config-if)# ip address Sets IPv4 address and network mask. Router3(config-if)# no shutdown Enables the interface. Step 2: Configure OSPF #Router1 Router1(config)# router ospf 1

48 Starts OSPF routing instance with process ID set to 1. Moves to OSPF configuration mode. Router1(config-router)# network area 0 Announces network /30 as directly connected in OSPF area 0. Router1(config-router)# network area 0 Announces network /30 as directly connected in OSPF area 0. #Router2 Router2(config)# router ospf 1 Starts OSPF routing instance with process ID set to 1. Moves to OSPF configuration mode. Router2(config-router)# network area 0 Announces network /30 as directly connected in OSPF area 0. Router2(config-router)# network area 0 Announces network /30 as directly connected in OSPF area 0. #Router3 Router3(config)# router ospf 1 Starts OSPF routing instance with process ID set to 1. Moves to OSPF configuration mode. Router3(config-router)# network area 0 Announces network /30 as directly connected in OSPF area 0. Router3(config-router)# network area 0 Announces network /30 as directly connected in OSPF area 0.

49 EIGRP It s exactly like IGRP, only the letter E is different. Starting EIGRP Routing Instance Routing instances of EIGRP are started within a specified autonomous system. If you only use EIGRP internally you can make up any AS number you want for yourself. Router(config)# router eigrp 100 Starts EIGRP routing instance with the specified autonomous system number of 100. Moves to EIGRP configuration mode. Announcing Networks To announce networks via EIGRP wildcard mask must be used instead of subnet mask. Router(config)# router eigrp 100 Starts EIGRP routing instance with the specified autonomous system number. Moves to EIGRP configuration mode. Router(config-router)# network Announces network /30 as directly connected in AS100. Optional Tweaks Router(config-router)# no auto-summary

50 Disables auto summarization to classful boundaries. By default this setting is already disabled on newer IOS versions. Router(config-router)# auto-summary Enables auto summarization. Router(config-router)# distance 60 Sets administrative distance to 60. Possible values range from 1 to 255. Router(router-config)# neighbor Manually sets as a neighbor. Router(config-router)# passive interface gigabitethernet 0/0 Prevents EIGRP updates to be sent out of Gi0/0 interface. Show Commands Router# show ip eigrp Shows brief overview of EIGRP routing processes. Router# show ip route eigrp Shows all routes learned from EIGRP protocol. Router# show ip eigrp neighbors Shows all EIGRP neighbors and their states. Router# show ip eigrp interface gigabitethernet 0/0 Shows EIGRP information on Gi0/0 interface. Debugging Router# debug ip eigrp notifications

51 Displays all EIGRP events. Router# debug ip eigrp summary Displays EIGRP summary route processing events. Router# undebug all Stops all debugging events. What to Keep in Mind EIGRP default administrative distance is 90. EIGRP is a distance-vector routing protocol. It s Cisco proprietary. EIGRP Configuration Sample

52 Objective Configure EIGRP routings so that all routers know about all the networks. Step 1: Configure the interfaces #R-one R-one(config)# interface gigabitethernet 0/0 Moves to interface configuration mode. R-one(config-if)# ip address Sets IPv4 address and network mask. R-one(config-if)# no shutdown Enables the interface. R-one(config-if)# exit Moves back to global configuration mode. R-one(config)# interface gigabitethernet 0/1 Moves to interface configuration mode. R-one(config-if)# ip address Sets IPv4 address and network mask. R-one(config-if)# no shutdown Enables the interface. #R-two

53 R-two(config)# interface gigabitethernet 0/0 Moves to interface configuration mode. R-two(config-if)# ip address Sets IPv4 address and network mask. R-two(config-if)# no shutdown Enables the interface. R-two(config-if)# exit Moves back to global configuration mode. R-two(config)# interface gigabitethernet 0/1 Moves to interface configuration mode. R-two(config-if)# ip address Sets IPv4 address and network mask. R-two(config-if)# no shutdown Enables the interface. #R-three R-three(config)# interface gigabitethernet 0/0 Moves to interface configuration mode. R-three(config-if)# ip address Sets IPv4 address and network mask. R-three(config-if)# no shutdown

54 Enables the interface. R-three(config-if)# exit Moves back to global configuration mode. R-three(config)# interface gigabitethernet 0/1 Moves to interface configuration mode. R-three(config-if)# ip address Sets IPv4 address and network mask. R-three(config-if)# no shutdown Enables the interface. Step 2: Configure EIGRP #R-one R-one(config)# router eigrp 10 Starts EIGRP routing instance with the specified autonomous system number of 10. Moves to EIGRP configuration mode. R-one (config-router)# network Announces network /30 as directly connected in AS area 10. R-one(config-router)# network Announces network /30 as directly connected in AS10. #R-two

55 R-two(config)# router eigrp 10 Starts EIGRP routing instance with the specified autonomous system number of 10. Moves to EIGRP configuration mode. R-two (config-router)# network Announces network /30 as directly connected in AS10. R-two(config-router)# network Announces network /30 as directly connected in AS10. #R-three R-three(config)# router eigrp 10 Starts EIGRP routing instance with the specified autonomous system number of 10. Moves to EIGRP configuration mode. R-three (config-router)# network Announces network /30 as directly connected in AS10. R-three(config-router)# network Announces network /30 as directly connected in AS10.

56 IP Access Control List Can I use it to prevent my sister from accessing the internet? Creating and Applying a Standard ACL IP standard access list Filtering decisions are made based on source IP only. Numbers 1-99 and are used to define IP standard ACLs. Router(config)# access-list 1 permit Creates access list 1 and adds a rule that permits all packets originating from /24 network. Note: At this point our ACL has no effect because it s not yet applied to any of the interfaces. -- Meanings behind the commands Access-list: defines that we want to create or modify an ACL. 1: access list ID number which also defines that we are working with standard type of ACLs. Permit: packets that match all rule statements will be permitted.

57 : source network address criteria : source network wildcard mask for a /24 network. -- Router(config)# access-list 1 permit Adds another permitting rule to ACL 1 that permits packets originating from /24 network. Note: Packets originating from /24 and /24 will be permitted regardless of service port used. All other packets that don t match this criteria will be dropped, because of implicit deny rule at the end of every ACL. Router(config)# interface gigabitethernet 0/0 Moves to interface configuration mode. Router(config-if)# ip access-group 1 out Applies ACL 1 to Gi0/0 interface. Every packet that goes out of Gi0/0 interface will be investigated. Creating and Applying an Extended ACL IP extended access list Filtering decisions are made based on source IP, destination IP, service port number and IP protocol. Numbers and are used to define IP extended ACLs.

58 Router(config)# access-list 100 permit tcp eq 443 Creates an extended ACL 100, and adds a permitting rule with the following criteria: 1. Source IP is inside /24 network 2. Destination IP is inside /24 network 3. Destination service port is TCP 443 (HTTPS) -- Meanings behind the commands -- Access-list: defines that we want to create or modify an ACL. 100: access list ID number which also defines that we are working with extended type of ACLs. Permit: packets that match rule statements will be permitted. Tcp: protocol criteria : source network address : source network wildcard mask for a /24 network : destination network address : destination network wildcard mask for a /24 network. Eq: destination port number must be equal to. 443: destination port number must be 443.

59 Router(config)# access-list 100 permit tcp host host eq 80 Adds another permitting rule to extended ACL 100. This permitting rule is only for single host addresses. Router(config)# interface gigabitethernet 0/0 Moves to interface configuration mode. Router(config-if)# ip access-group 100 in Applies ACL 100 to Gi0/0 interface. Every packet that comes in from Gi0/0 will be investigated. Removing Specific Rules in an ACL Router(config)# ip access-list standard 1 Moves to ACL1 configuration mode. Router(config-std-nacl)# no 10 Removes first rule from ACL 1. Note: ACL rules/lines are numbered in increments of 10. First rule is nr.10, second nr.20 and so on. Show Commands Router# show access-lists Shows all ACLs, rules and rule numbers. Router# show access-list 1 Shows all ACL 1 information.

60 Address Translation (NAT) NAT usually indicates a firewall in network diagrams. PAT This is the most widely used NAT method. It enables multiple internal hosts to be hidden behind the same external IP address when communication in the public internet. Step 1: Create NAT pool Router(config)# ip nat pool public netmask Creates a NAT pool named public and defines an external IP address used inside the pool. IOS Syntax requires from to specification for the IP addresses even if we only want to use single IP in the whole pool. -- Meanings behind the commands: Ip nat pool: defines that we want to create a NAT pool. Public: name of the NAT pool. This can be anything you prefer : first IP address of the NAT pool : last IP address of the NAT pool. Netmask: keyword to specify a subnet mask.

61 : subnet mask. -- Step 2: Create ACL Router(config)# access-list 1 permit Creates ACL where we define our internal network that we want to use in address translations. Network size is defined by wildcard mask. Step 3: Specify NAT mapping Router(config)# ip nat inside source list 1 pool public overload Creates a NAT rule which says that outbound connections initiated from our internal network /24 will be used in NAT translations. External IP will be taken from pool named public. Overload subcommand Allows NAT to translate multiple inside devices to the single address in the pool. Step 4: Specify internal and external interfaces Router(config)# interface gigabitethernet 0/0 Moves to interface configuration mode. Router(config-if)# ip nat inside

62 Defines that Gi0/0 interface leads to our private network ( /24). Router(config-if)# exit Moves back to global config mode. Router(config)# interface gigabitethernet 0/1 Moves to interface configuration mode. Router(config-if)# ip nat outside Defines that Gi0/1 interface leads to public internet. Static NAT With this method one internal host will permanently get a dedicated external IP. This is widely used to make self-hosted web and mail servers publicly accessible. Step 1: Specify NAT mapping Router(config)# ip nat inside source static Creates a NAT rule which says that outbound connections initiated by will always be hidden behind Step 2: Specify internal and external interfaces Router(config)# interface gigabitethernet 0/0 Moves to interface configuration mode. Router(config-if)# ip nat inside Defines that Gi0/0 interface leads to our private network ( /24).

63 Router(config-if)# exit Moves back to global config mode. Router(config)# interface gigabitethernet 0/1 Moves to interface configuration mode. Router(config-if)# ip nat outside Defines that Gi0/1 interface leads to public internet. Dynamic NAT With this method each internal host will get a temporary external IP from a predefined pool until all the public connections are closed or timed out. For example if you have 8 external IP addresses to use then only 8 internal hosts are able to concurrently browse the public internet. There aren t many business situations where this NAT method would suit the best. In short it s a waste of public IP addresses. Step 1: Create NAT pool Router(config)# ip nat pool public netmask Creates NAT pool named public and defines external IP addresses that will be used to hide outbound connections. IP addresses from to are used to hide outbound connections. Step 2: Create ACL

64 Router(config)# access-list 1 permit Creates ACL where we define our internal network that we want to use in address translations. Network size is defined by wildcard mask. Step 3: Specify NAT mapping Router(config)# ip nat inside source list 1 pool public Creates a NAT rule which says that outbound connections initiated from our internal network /24 will be used in NAT translations. External IP will be taken from pool named public. Step 4: Specify internal and external interfaces Router(config)# interface gigabitethernet 0/0 Moves to interface configuration mode. Router(config-if)# ip nat inside Defines that Gi0/0 interface leads to our private network ( /24). Router(config-if)# exit Moves back to global config mode. Router(config)# interface gigabitethernet 0/1 Moves to interface configuration mode. Router(config-if)# ip nat outside Defines that Gi0/1 interface leads to public internet. Show Commands

65 Router# show ip nat translations Shows all NAT translations. Debugging Router# debug ip nat Real-time display of all translated packets. Router# undebug all Stops all debugging events.

66 Connecting to WAN Easy! I just have to plug a cable into my PC. Configuring a Serial Interface Serial interfaces are typically used to interconnect client and ISP equipment. Router(config)# interface serial 0/0/0 Moves to interface configuration mode. Router(config-if)# ip address Sets IPv4 address and network mask. Router(config-if)# clock rate Sets interface clock rate to 64Kbit/s. Router(config-if)# no shutdown Enables interface. Clock rate If your device is DTE (client-side) you don t need to specify clock rate. Clock rate must be specified on DCE (service provider) equipment. HDLC For serial interface to work you need to specify encapsulation method, either HDLC or PPP. If you don t specify an encapsulation method then HDLC will be used.

67 Router(config)# interface serial 0/0/0 Moves to interface configuration mode. Router(config-if)# encapsulation hdlc Sets encapsulation to HDLC. Encapsulation HDLC encapsulation is already default setting on synchronous serial interfaces and you only need to use this command if you want to return to HDLC from another encapsulation method. Alternative encapsulation method for serial links is PPP. PPP PPP is an alternative to HDLC as an encapsulation method on serial links. You should use it when you are concerned about security. In other cases default HDLC works fine. This protocol has optional authentication capabilities PAP (Password Authentication Protocol) and CHAP (Challenge Handshake Authentication Protocol). #Configuring PPP encapsulation method: Router(config)# interface serial 0/0/0 Moves to interface configuration mode. Router(config-if)# encapsulation ppp Sets encapsulation method to PPP. Optional Tweaks:

68 Router(config-if)# ppp quality 90 Periodically checks PPP link for quality and sets quality threshold to 90%. If link quality goes below 90% link will shut down. This command is useful if you have a backup link available. This percentage threshold can be anything you prefer from 1 to 100. Router(config-if)# compress mppc Enables mppc compression algorithm. This reduces total traffic overhead on your serial link. Alternative compression algorithms for PPP are predictor and stac. #Configuring PAP (Password Authentication): Step 1: Create a dummy user for authentication: RouterOne(config)# username RouterTwo password PAP Creates user RouterTwo with case-sensitive password set to PAP. This is required to verify PAP authentication with peer. Important: It s required that username equals hostname of the peering router and the password must be exactly the same for both dummy users. RouterTwo(config)# username RouterOne password PAP Creates user RouterOne with case-sensitive password set to PAP. Step 2: Configure serial interface for PAP authentication: RouterOne(config)# interface serial 0/0/0 Moves to interface configuration mode.

69 RouterOne(config-if)# ppp authentication pap Enables PAP authentication protocol. RouterOne(config-if)# ppp pap sent-username RouterTwo password PAP Sets user credentials for PAP authentication. RouterTwo(config)# interface serial 0/0/0 Moves to interface configuration mode. RouterTwo(config-if)# ppp authentication pap Enables PAP authentication protocol. RouterTwo(config-if)# ppp pap sent-username RouterOne password PAP Sets user credentials for PAP authentication. Note: Unfortunately PAP does not encrypt user credentials when exchanging authentication details. For security reasons it s recommended to use CHAP protocol instead. #CHAP (Challenge Handshake Authentication): Step 1: Create a dummy user for authentication. RouterOne(config)# username RouterTwo password PAP Creates user RouterTwo with case-sensitive password set to PAP. This is required to verify PAP authentication with peer.

70 RouterTwo(config)# username RouterOne password PAP Creates user RouterOne with case-sensitive password set to PAP. Step 2: Configure serial interface for CHAP authentication: RouterOne(config)# interface serial 0/0/0 Moves to interface configuration mode. RouterOne(config-if)# ppp authentication chap Enables CHAP authentication protocol. RouterTwo(config)# interface serial 0/0/0 Moves to interface configuration mode. RouterTwo(config-if)# ppp authentication chap Enables CHAP authentication protocol. Frame Relay Frame relay is a legacy technology that is mostly replaced by MPLS today. There are no more multipoint frame-relay clouds in modern service provider networks, but it s quite common to see it configured between a service provider and client devices. #Configuring Frame Relay: This example covers setting up PVC 100 and 101 on separate subinterfaces. Both subinterfaces are configured on the same s0/0/0 physical interface.

71 Router(config)# interface serial 0/0/0 Moves to interface configuration mode. Router(config-if)# encapsulation frame-relay ietf Sets frame relay encapsulation type to IETF. This also affects all the subinterfaces. Router(config-if)# frame-relay lmi-type ansi Sets LMI type to ANSI. Router(config-if)# no shutdown Enables interface. Router(config-if)# exit Moves back to global configuration mode. Router(config)# interface serial 0/0/0.100 point-to-point Creates a point-to-point subinterface.100 on s0/0/0 and moves to subinterface configuration mode. Router(config-subif)# ip address Sets IP address and network mask to the subinterface. Router(config-subif)# frame-relay interface-dlci 100 Sets DLCI 100 to the subinterface. #If you need to add another PVC just keep creating new subinterfaces: Router(config)# interface serial 0/0/0.101 point-to-point Creates a point-to-point subinterface.101 on s0/0/0 and moves to subinterface configuration mode.

72 Router(config-subif)# ip address Sets IP address and network mask to the subinterface. Router(config-subif)# frame-relay interface-dlci 101 Sets DLCI 101 to the subinterface. #Show commands: Router# show frame-relay pvc Shows status of all PVCs configured. Router# show frame-relay map Shows DLCI map entries. Router# show frame-relay lmi Shows LMI stats.

73 DHCP This chapter teaches you how to configure your router as a DHCP server. Enabling DHCP Service Router(config)# service dhcp Enables DHCP server and relay services. By default DHCP services are already enabled. To disable DHCP: Router(config)# no service dhcp Disables DHCP server and relay services. Defining a DHCP Pool Router(config)# ip dhcp pool water Creates a DHCP pool named water and moves to DHCP configuration mode. Pool name can be anything you want. Router(dhcp-config)# network Specifies the range of IP addresses to be leased. Router(dhcp-config)# default-router Specifies the default router for the DHCP client. Router(dhcp-config)# dns-server Specifies the DNS server IP address.

74 Router(dhcp-config)# lease Adjusts DHCP lease time to 2 days, 0 hours and 0 minutes. Default setting is 1 day, 0 hours, 0 minutes. Excluding IP Addresses From The Leased Range Router(config)# ip dhcp excluded-address Specifies that IP addresses from to must not be leased via DHCP. Show Commands Router# show ip dhcp binding Shows all DHCP bindings. Router# show ip dhcp conflict Lists all IP conflicts learned by DHCP server. Debugging Router# debug ip dhcp server events Real-time display of all DHCP server events.

75 Managing Configurations and Software I started copying the IOS image about 10 minutes ago. How long will it take? Backing Up Configuration TFTP protocol is used to copy files between a Cisco device and a server. With appropriate software any regular PC is able to act as a TFTP server. Note: TFTP protocol uses UDP port 69. Copying configuration to TFTP server: Router# copy running-config tftp: Address or name of remote host []? Destination filename [Router-config]? running-config_backup Copies running-config to TFTP server and names it runningconfig_backup. Restoring Configuration Router# copy tftp: running-config Address or name of remote host []? Source filename []? running-config_backup Destination filename [running-config]? [ENTER] key Copies a file named running-config_backup from TFTP server to router and loads its contents into running-config.

76 Alternatively you can copy the configuration file to NVRAM so that changes won t become active before system reboot. Router# copy tftp: startup-config same as the above Upgrading IOS Software Step 1: Copy new IOS image from TFTP server to router Router# copy tftp flash: >Address or name of remote host? >source filename? /etc/ios_images/c3800-universalk9-mz bin >Destination filename? c3800-universalk9-mz bin Fetches new IOS image from TFTP server to flash memory. Step 2: Update system boot sector Router(config)# boot system flash: c3800-universalk9-mz bin Instructs system to load from the new software image after next reboot. Step 3: Save configuration and reboot router Router# write memory Saves configuration to startup-config (NVRAM).

77 Router# reload Reboots the system. Step 4 (optional): Delete old software image Router# dir flash: Lists all contents on flash memory. Software images have.bin file extension. Router# delete flash:c3800-lanbase-mz bin Deletes old software image that is no longer needed. Activating IOS Software Below is the standard procedure of IOS software activation. Step 1 of 5: Obtain PAK This is provided to you when you purchase a software image or additional feature set. Check your inbox or delivery notes. Step 2 of 5: Obtain UDI Switch# show license udi Displays UDI values that can be licensed. Step 3 of 5: Generate License

78 Go to: Follow instructions and generate license. PAK and UDI are required for this step. Copy received license file to TFTP server. Step 4 of 5: Install License Switch# license install tftp://srv/ios_licenses/29a.lic Installs license from 29a.lic file located on TFTP server. Step 5 of 5: Reboot the system Switch# reload After next reboot system will load with the new feature set enabled. Resetting Configuration to Factory Defaults Router# erase startup-config Removes statup-config file on NVRAM. Router# reload Reboots router. Do not save changes to NVRAM at this point. If everything is done correctly you will see the prompt indicating the system loaded from default configuration file:

79 Would you like to enter the initial configuration dialog? [yes/no]: I m sure you already know what the right answer to this question is. Resetting a switch configuration to factory defaults requires you to type in one additional command: Switch# delete flash:vlan.dat Removes VLAN database (vlan.dat file) on flash memory.

80 Part II Switching

81 It s The Same as on Routers Didn t find the chapter you were looking for in Part II Switching? Please refer to chapters in Part I Routing. Many aspects about configuring a switch are exactly the same as on routers. VLAN This chapter teaches you how to configure isolated broadcast domains (VLANs). Creating VLANs Switch(config)# vlan 2 Creates VLAN2 broadcast domain and moves to VLAN configuration mode. Switch(config-vlan)# name Network Administrators Sets optional VLAN name. Configuring an Access Interface Switch(config)# interface range gigabitethernet 0/1 Enters into interface configuration mode. Switch(config-if)# switchport mode access Sets interface to access mode. This prevents all trunk negotiations and permits operation of a single VLAN on the interface.

82 Switch(config-if)# switchport access vlan 2 Assigns interface to VLAN2 broadcast domain. Show Commands Switch# show vlan brief Lists all VLANs and the interfaces they are currently active on. Switch# show vlan id 5 Shows information about a particular VLAN. Switch# show running-config interface vlan 5 Shows running-config of a particular virtual VLAN interface. VLAN Configuration Sample Objective Configure VLANs and switch interfaces as in network diagram.

83 Step 1: Create VLANs L2Switch(config)# vlan 5 Creates VLAN5 broadcast domain and moves to VLAN configuration mode. L2Switch(config-vlan)# name Business Management Sets optional VLAN name. L2Switch(config-vlan)# vlan 10 Creates VLAN10 broadcast domain and moves to VLAN configuration mode. L2Switch(config-vlan)# name Network Administrators Sets optional VLAN name. L2Switch(config-vlan)# vlan 15 Creates VLAN15 broadcast domain and moves to VLAN configuration mode. L2Switch(config-vlan)# name Software Developers Sets optional VLAN name. L2Switch(config-vlan)# vlan 20 Creates VLAN20 broadcast domain and moves to VLAN configuration mode. L2Switch(config-vlan)# name Wireless Users Sets optional VLAN name. Step 2: Configure the interfaces Note: We re using the interface range command to concurrently apply identical configurations to multiple interfaces.

84 L2Switch(config)# interface range gigabitethernet 0/1 32 Enters into interface range configuration mode. L2Switch(config-if-range)# switchport mode access Sets interfaces to access mode. L2Switch(config-if-range)# exit Moves back to global configuration mode. #Business management L2Switch(config)# interface range gigabitethernet 0/1 10 Enters into interface range configuration mode. L2Switch(config-if-range)# switchport access vlan 5 Assigns interfaces to VLAN5 broadcast domain. L2Switch(config-if-range)# exit Navigates back to global config mode. #Network administrators L2Switch(config)# interface range gigabitethernet 0/11 20 Enters into interface range configuration mode. L2Switch(config-if-range)# switchport access vlan 10 Assigns interfaces to VLAN10 broadcast domain. L2Switch(config-if-range)# exit

85 Moves back to global configuration mode. #Software developers L2Switch(config)# interface range gigabitethernet 0/21 30 Enters into interface range configuration mode. L2Switch(config-if-range)# switchport access vlan 15 Assigns interfaces to VLAN15 broadcast domain. L2Switch(config-if-range)# exit Moves back to global configuration mode. #Wireless users L2Switch(config)# interface range gigabitethernet 0/31 32 Enters into interface range configuration mode. L2Switch(config-if-range)# switchport access vlan 20 Assigns interfaces to VLAN20 broadcast domain. L2Switch(config-if-range)# exit Moves back to global configuration mode.

86 Assigning a Management IP Address Switches can t have IP addresses because they are layer 2 devices. Assigning a management IP address: Switch(config)# vlan 10 Creates regular VLAN10 broadcast domain and moves to VLAN configuration mode. Switch(config-vlan)# name Dedicated Management VLAN Sets an optional VLAN name. Switch(config-vlan)# exit Moves back to global configuration mode. Switch(config)# interface vlan 10 Creates virtual VLAN interface 10 and moves to VLAN interface configuration mode. Switch(config-if)# description Management interface Sets optional interface description. Switch(config-if)# ip address Sets IPv4 address and network mask. Note: To remotely manage a switch via Telnet or SSH you must also configure the vty lines. Please refer to Remote Management chapter in Part I Routing.

87 MAC Address Table Verifying MAC address entries is usually the first thing administrator does to troubleshoot any potential layer-2 issues. This chapter teaches you a couple of things related to MAC addresses. Clearing MAC Address Entries Switch# clear mac address-table Clears all MAC address entries. Switch# clear mac address-table dynamic Clears MAC address entries that are dynamically learned by switch. Static MAC addresses entered by network administrator will remain in the table. Static MAC Address Switch(config)# mac address-table static aa:bb:aa:bb:aa:bb vlan 10 interface gigabitethernet 0/10 Enters a static MAC address entry to Gi0/10 interface. Switch(config)# no mac address-table static aa:bb:aa:bb:aa:bb vlan 10 interface gigabitethernet 0/10 Removes static MAC address entry from Gi0/10 interface. Show Commands Switch# show mac address-table Shows all MAC address entries. Switch# show mac address-table interface gigabitethernet 0/1

88 Shows MAC address entries on a specific interface. Switch# show mac address-table address aa:bb:cc:00:11:22 Shows an interface that has learned MAC address aa:bb:cc:00:11:22.

89 Port Security Port security features help to secure network from unauthorized access. All of these features are optional and not required. Limiting Permitted MAC Address Entries Switch(config)# interface gigabitethernet 0/10 Enters into interface configuration mode. Switch(config-if)# switchport port-security Enables port security on the interface. Switch(config-if)# switchport port-security maximum 1 Limits allowed MAC address entries to maximum of 1 on the port. Switch(config-if)# switchport port-security mac-address aa:bb:cc:dd:00:11 Sets a static secure MAC address entry into MAC address table. Switch(config-if)# switchport port-security violation protect Configures port to drop frames of unauthorized MAC addresses. Authorized MAC addresses can still send and receive frames. Switch(config-if)# switchport port-security violation shutdown Configures port to err-disable itself if a violation occurs. This also affects frames of authorized MAC address. Show Commands Switch# show port-security Shows all port security information on all interfaces.

90 Switch# show port-security interface gigabitethernet 0/10 Shows port security information on gigabitethernet 0/10 port.

91 IEEE 802.1q Trunk Encapsulation Trunk is the word you can use to describe me on Fridays and Saturdays. I ve tried IEEE 802.1q just once, it burns like hell! Setting Interface Trunk Encapsulation Method Switch(config)# interface gigabitethernet 0/1 Enters to interface configuration mode. Switch(config-if)# switchport trunk encapsulation dot1q Sets trunk encapsulation method to dot1q. Setting Interface Operation Mode to Trunk Switch(config-if)# switchport mode trunk Sets interface operation mode to trunk. Native VLAN (Untagged) By default all VLANs on a trunk link are tagged except for VLAN1. In more complicated network setups it s often required to have another VLAN as untagged. This can be accomplished by setting another VLAN as the native VLAN. Switch(config-if)# switchport trunk native vlan 10 Sets VLAN10 as native VLAN. Frames belonging to VLAN10 broadcast domain will be untagged.

92 Note: Native VLAN must be the same on both ends of the trunk link. In case of native VLAN mismatch the trunk link will fail. Limiting Permitted VLANs All VLANs are permitted on trunk interfaces by default. In production networks it s not the most optimal setting due to security reasons. Switch(config-if)# switchport trunk allowed vlan 10,20 Permits VLANs 10 and 20. All the other VLANs are now prohibited. Restoring a situation where all VLANs are permitted: Switch(config-ig)# switchport trunk allowed vlan all Permits all VLANs on a trunk interface. This is also the default setting. Adding and removing permitted VLANs: Switch(config-if)# switchport trunk allowed vlan add 30 Adds VLAN30 to the list of permitted VLANs. Switch(config-if)# switchport trunk allowed vlan remove 30 Removes VLAN30 from the list of permitted VLANs.

93 IEEE 802.1q Configuration Sample Objective Configure interface Gi0/1 as in network diagram. Restrict permitted VLANs to only those that are required. Also note that the frames of VLAN99 broadcast domain must be untagged. Step 1: Configure interface operation mode and encapsulation method L2Switch(config)# interface gigabitethernet 0/1 Enters to interface configuration mode. L2Switch(config-if)# switchport trunk encapsulation dot1q Sets trunk encapsulation method to dot1q. L2Switch(config-if)# switchport mode trunk Sets interface operation mode to trunk.

94 Step 2: Specify native (untagged) VLAN L2Switch(config-if)# switchport trunk native vlan 99 Sets native VLAN to 99. Step 3: Prohibit unrequired VLANs L2Switch(config-if)# switchport trunk allowed vlan 11,12,13,99 Permits VLANs 11, 12, 13 and 99. All the other VLANs are now prohibited.

95 VLAN Trunking Protocol (VTP) This protocol converts VLANs into trunks. VTP Domain Switch(config)# vtp domain vtp-domain.com Assigns switch to VTP domain named vtp-domain.com. Switch(config)# vtp password coffee Sets VTP domain password to coffee. Note: VTP password is an optional security feature. Operation Modes There are 3 VTP operation modes - server, transparent and client. Below is a brief description regarding the behavior of the switch, assuming all of the switches are configured in the same VTP domain. VTP Server Propagates own VLAN database to neighboring switches. VTP Transparent Shares propagations of VTP server with neighboring switches and updates own VLAN database.

96 VTP Client Updates own VLAN database only. VTP server propagations are not shared with neighboring switches. Switch(config)# vtp mode server Sets VTP operation mode to server. This is also default setting on all Cisco switches. Switch (config)# vtp mode transparent Sets VTP operation mode to transparent. Switch(config)# vtp mode client Sets VTP operation mode to client. Note: There s no command to disable VTP globally. However, if you don t want to use VTP you can set VTP operation mode to transparent on all the switches in your network, and refrain from configuring any VTP domains. VTP Pruning VTP Pruning is an optional performance tweak. VTP pruning reduces bandwidth consumption by restricting flooded traffic only to those trunk links that must be used to reach the destination. Switch(config)# vtp pruning Enables VTP pruning (disabled by default). Note: VTP pruning only needs to be configured on the VTP server switch.

97 Show Commands Switch# show vtp status Shows VTP mode and VTP domain information. Switch# show vtp password Used to verify if VTP administrative domain is protected by a password. VTP Configuration Sample Objective Configure VTP for standard hierarchy core (VTP server), distribution (VTP transparent) and access (VTP client). All interfaces operate in trunk mode with dot1q encapsulation.

98 Step 1: Configure VTP server switch Coral(config)# vtp mode server Sets VTP operation mode to server. Coral(config)# vtp domain vtp-domain.com Assigns switch to VTP domain named vtp-domain.com. Step 2: Configure VTP transparent switch Amber(config)# vtp mode transparent Sets VTP operation mode to transparent. Amber(config)# vtp domain vtp-domain.com Assigns switch to VTP domain named vtp-domain.com. Step 3: Configure VTP client switches Opal(config)# vtp mode client Sets VTP operation mode to client. Opal(config)# vtp domain vtp-domain.com Assigns switch to VTP domain named vtp-domain.com. Jade(config)# vtp mode client Sets VTP mode to client. Jade(config)# vtp domain vtp-domain.com Assigns switch to VTP domain named vtp-domain.com.

99 Dynamic Trunking Protocol (DTP) l usually configure DTP in case I want to increase network complexity for no reason. Configuring DTP: Switch(config)# interface gigabitethernet 0/1 Moves to interface configuration mode. Switch(config-if)# switchport mode dynamic desirable Makes interface attempt to establish a trunk link. Interface generates DTP frames and responds to them if received. Note: Trunk link is established if a neighboring interface is set to desirable, auto or trunk. Switch(config-if)# switchport mode dynamic auto Makes interface able to establish a trunk link. Interface won t generate DTP frames but responds to them if received. Note: Trunk link is established if neighboring a interface is set to desirable or trunk. Switch(config-if)# switchport nonegotiate Prevents interface from participating in DTP negotiations.

100 EtherChannel EtherChannel technology allows grouping of 2-8 physical Ethernet interfaces to create one logical interface for the purpose of providing high-speed interconnect links. EtherChannel Interface Modes and Protocols Mode ON / No Protocol Forces interface into EtherChannel without negotiation. Mode Desirable / PAgP Protocol Initiates EtherChannel negotiation. Mode Auto / PAgP Protocol Does not initiate EtherChannel negotiation, but responds to PAgP frames. Mode Active / LACP Protocol Initiates EtherChannel negotiation. Mode Passive / LACP Protocol Does not initiate EtherChannel negotiation, but responds to LACP frames. Static EtherChannel Switch(config)# interface range gigabitethernet 0/1 2 Moves into interface-range configuration mode. Switch(config-if-range)# channel-group 1 mode on Assigns interfaces into EtherChannel group 1. Forces interfaces into EtherChannel without negotiation.

101 Note: For EtherChannel to be established both ends of the connection must have channelgroup mode set to on. LACP Switch(config)# interface range gigabitethernet 0/1 2 Moves into interface-range configuration mode. Switch(config-if-range)# channel-group 1 mode active Assigns interfaces into EtherChannel group 1. Sets slave interfaces into negotiation initiating state and forces use of LACP protocol. Switch(config-if-range)# channel-group 1 mode passive Assigns interfaces into EtherChannel group 1. Sets slave interfaces into passive negotiation state and forces use of LACP protocol. Note: For EtherChannel to be established at least one end of the connection must have channel-group mode set to active, while the other end must be set to passive or active. PAgP Switch(config)# interface range gigabitethernet 0/1 2 Moves into interface-range configuration mode. Switch(config-if-range)# channel-group 1 mode desirable Assigns interfaces into EtherChannel group 1. Sets slave interfaces into negotiation initiating state and forces use of PAgP protocol. Switch(config-if-range)# channel-group 1 mode auto Assigns interfaces into EtherChannel group 1. Sets slave interfaces into passive negotiation state and forces use of PAgP protocol.

102 Note: For EtherChannel to be established one or both ends of the connection must have channel-group mode set to desirable, while the other end must be set to desirable or auto. Show Commands Switch# show etherchannel summary Shows all EtherChannels and assigned slave interfaces. Switch# show interfaces port-channel 1 Shows EtherChannel1 status and counters. Switch# show running-config interface port-channel 1 Shows configuration of EtherChannel1. Switch# show etherchannel detail Shows detailed information of all EtherChannels. Debugging Switch# debug etherchannel all Real-time display of all EtherChannel events. Switch# debug lacp all Real-time display of all LACP events. Switch# debug pagp all Real-time display of all PAgP events. Switch# undebug all Stops all debugging events.

103 EtherChannel Configuration Sample Objective Configure some 2-port EtherChannels as shown in network diagram. Dynamic EtherChannel negotiations should only be initiated by Distribution switch. All the switch interfaces shown in diagram operate as IEEE 802.1q encapsulated trunks. Step 1: Configure LACP EtherChannel Distribution(config)# interface range gigabitethernet 0/47 48 Moves into interface-range configuration mode. Distribution(config-if-range)# channel-group 1 mode active Assigns interfaces gi0/47 and gi0/48 into EtherChannel group 1. Sets slave interfaces into negotiation initiating state and forces use of LACP protocol.