Lesson 1: Introduction to the Cisco Router Command-Line Interface

Transcription

1 Lesson 1: Introduction to the Cisco Router Command-Line Interface Modes User Mode vs. Privileged Mode User mode is indicated by the > prompt next to the router name. In user mode, you can look at some of the router s settings. In privileged mode (indicated by the # prompt), you can use the different show commands to display all of the router s settings. Router> Router>enable The Enable and Enable Secret Passwords You can set an enable password to control access to privileged mode. This is a very important password because, command at the privileged mode prompt. Router> Router>enable config term Router(config)#enable password boson You can securely encrypt an enable password by using the enable secret command. Router(config)#enable secret cisco The enable secret The password is case-sensitive. A password set with the enable password command is stored as clear text, whereas a password set with the enable secret router with an enable secret password is preferred. The enable secret password always takes precedence if both the enable secret password and the enable password are set. command. To exit con- end command or press the CTRL+Z key combination. config t Router(config)#end 55

2 Accessing Help To view all commands available from a mode, type?; you do not have to press the ENTER key after typing the question mark. This will display a list of all available commands in the current mode. You can also use the question mark after you have started typing a command. For example, if you want to see all commands that can be used with the show command, type show? at the # prompt. show? access-expression List access expression access-lists List access lists backup Backup status cdp CDP information clock Display the system clock cls DLC user information compress Show compression statistics configuration Contents of Non-Volatile memory --More-- The Host Name host name is also visible via Cisco Discovery Protocol (CDP). However, the host name is not used for TCP/IP address resolution. The following code demonstrates how to set the host name of a router or switch. Router> Router>enable conf t Router(config)#hostname Router1 Router1(config)# in the router s command. The following is an example of the type of output you will see when you run the command. Router> Router>enable show running-config Building configuration... Current configuration:! version 12.0! hostname Router! interface Serial0 56

3 no ip address shutdown! interface BRI0 no ip address shutdown! interface Ethernet0 no ip address shutdown! line con 0 line aux 0 line vty 0 4! end in the router s CLI. If you erase erase startup-config Erasing the nvram filesystem will remove all files! Continue? [confirm] [OK] Erase of nvram: complete reload Proceed with reload? [confirm] Lesson 2: Basic Commands Show Commands Show Version The show version show version to obtain critical information, such as the router platform type, the operating system revision, the show version command. 57

4 Router>show version Router1 Operating System Software Router uptime is 2 minutes System returned to ROM by power-on System image file is flash:c2500.bin [output ommitted] 1 Ethernet/IEEE interface(s) 1 Serial(sync/async) network interface(s) 1 ISDN Basic Rate interface(s) 32K bytes of non-volatile configuration memory. 4096K bytes of processor board System flash (Read/Write) Configuration register is 0x2102 Show Protocols show protocols command. The following is an example of the type of output you will see when you issue the show protocols command. Router>show protocols Global values: Internet Protocol routing is enabled BRI0 is administratively down, line protocol is Down Ethernet0 is administratively down, line protocol is Down Serial0 is administratively down, line protocol is Down Show Flash is an example of the type of output you will see when you issue the command. Router>show flash System flash directory: File Length Name/status c2500.bin [ bytes used, available, total] 4096K bytes of processor board System flash (Read/Write) Show History By default, the router s command-line interface (CLI) maintains in memory the last 10 commands you have entered. This default value can be changed. You can use one of two methods to cycle through previous router commands entered since the last power loss. To simultaneously view all of the past commands still in router memory, use the show history command. For single-line retrieval, use either the UP ARROW key or the CTRL+P key combination to see the previous command, and use either the DOWN ARROW key or the CTRL+N key combination to see the next command. Router>show history 58

5 show version show protocols show flash enable show running-config disable show history Show Clock The router keeps its own clock that can be used to synchronize devices. The show clock command displays the clock. show clock *00:38: UTC Mon Mar Show Hosts You can create a list of host names on your router. You can view the entries (if any) by typing show hosts. show hosts Default domain is not set Name/address lookup uses static mappings Host Flags Age Type Address(es) Show Users The show users command displays users who are connected to the router. show users Line User Host(s) Idle Location * 0 con 0 idle 00:00:00 Show Interfaces The show interfaces show interfaces BRI0 is administratively down, line protocol is down Hardware is BRI MTU 1500 bytes, BW 64 Kbit, DLY usec, rely 255/255, load 1/255 Encapsulation HDLC, loopback not set Last input never, output never, output hang never Last clearing of show interface counters never Input queue: 0/75/0 (size/max/drops); Total output drops: 0 Queuing strategy: weighted fair Output queue: 0/1000/64/0 (size/max total/threshold/drops) Conversations 0/0/256 (active/max active/max total) 59

6 Reserved Conversations 0/0 (allocated/max allocated) 5 minute input rate 0 bits/sec, 0 packets/sec 5 minute output rate 0 bits/sec, 0 packets/sec 0 packets input, 0 bytes, 0 no buffer Received 0 broadcasts, 0 runts, 0 giants, 0 throttles 0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort 0 packets output, 0 bytes, 0 underruns 0 output errors, 0 collisions, 5 interface resets 0 output buffer failures, 0 output buffers swapped out 0 carrier transitions --More-- Notice the --More-- indicator. This means that more information pertaining to the last command can be displayed. To view more commands line by line, press the ENTER key. To view more output one screen at a time, press the SPACEBAR. To exit the output and return to the router prompt, press any letter. (It may be helpful to remember to press the E key for exit. ) Ping The ping command allows a user to test basic connectivity. The syntax for the ping command is as follows: ping ip_address The ping receives a reply, it will be noted in the CLI with an exclamation mark (!). If no reply is received, it will be noted with a period (.). The following shows the output of a successful ping of the IP address: ping Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to , timeout is 2 seconds:!!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 32/37/44 ms The following shows the output of a failed ping of the IP address: ping Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to , timeout is 2 seconds:... Success rate is 0 percent (0/5) The ping command is one of the most commonly used test tools. The PING protocol uses Internet Control Message Protocol (ICMP) to communicate with other routers. 60

7 Address Resolution Protocol (ARP) resolution. You can also use the command or the show ip interface command on the local router to view its IP addresses. IP Addressing The following syntax places an IP address on the interface: ip address ip_address subnet_mask Remember that /24 denotes a subnet mask of For your convenience, here is a handy table matching slash notation to the corresponding dotted decimal subnet masks: Slash Dotted Decimal Slash Dotted Decimal Slash Dotted Decimal / / / / / / / / / / / / / / / / / / / / / / / /

8 Router> Router>en conf t Router(config)#hostname Router1 Router1(config)#int e0 Router1(config-if)#ip address Router1(config-if)#no shut Router1(config-if)#int s0 Router1(config-if)#ip address Router1(config-if)#no shut Router1(config-if)#end Router1# You can use sh ip interface brief to view the IP addresses on the interface: Router1#sh ip interface brief Interface IP-Address OK? Method Status Protocol BRI0 unassigned YES manual up up Ethernet YES manual up up Serial YES manual up up Router1# Router> Router>en conf t Router(config)#hostname Router2 Router2(config)#int e0 Router2(config-if)#ip address Router2(config-if)#no shut Router2(config-if)#exit Router2(config)#exit Router2#exit Lesson 4: Router Interfaces Examining the Interfaces Routers can have many types of interfaces, such as Token Ring, FDDI, Ethernet, serial, ISDN, and so on. You will often need to view the status and settings, so you need to know a few important commands. The show interfaces command is one of the more important commands. show interface 62

9 Ethernet0 is administratively down, line protocol is down Hardware is Lance, address is cc4.f445 (bia cc4.f445) MTU 1500 bytes, BW Kbit, DLY 1000 usec, rely 255/255, load 1/255 Encapsulation ARPA, loopback not set, keepalive set (10 sec) [output omitted] This command produces output about each interface. In this case, you can see that Ethernet 0 is administratively down. That means that it has been turned off with the shutdown command. Ethernet 0 is Line protocol is Meaning administratively down up down down down down Indicates that the interface has been turned off with the shutdown command Indicates that the cable is connected, but keepalives are not being received Indicates a cabling problem, that no clock rate is set on the DCE, or that another router interface is shut down up up Indicates that the interface is connected and receiving keepalives You can view particular interfaces with the show interface command; for instance, you can issue the show interface serial 0 command. Alternatively, you can use the show ip interface brief command to quickly display the status of all interfaces. show ip int brief Interface IP-Address OK? Method Status Protocol Ethernet0 unassigned YES not set administratively down down PCbus0 unassigned YES not set administratively down down Serial0 unassigned YES not set up down Examining the Controllers Controllers are the part of the interface that makes the physical connection. The controller of most interest is the kind of cable that is attached to a serial interface. A data terminal equipment (DTE) cable is the cable you should typically use. If the local interface is the DTE side of the connection, the other end of the connection must provide clocking. Data communications equipment (DCE) means that this device must provide the clocking on the wire. The show controllers command will allow you to see if an interface is a DCE or DTE. show controllers serial 0 HD unit 0, idb = 0xA2B58, driver structure at 0xA7020 buffer size 1524 HD unit 0, V.35 DCE cable cpb = 0x42, eda = 0x2140, cda = 0x

10 NETSIM FOR CCNA LAB MANUAL - no shutdown command. conf t Router(config)#interface ethernet 0 Router(config-if)#no shutdown Router(config-if)# %LINEPROTO-5-UPDOWN: Line protocol on Interface Ethernet0, changed state to up %LINK-3-UPDOWN: Interface Ethernet0, changed state to up Router(config-if)#end If your interface is the DCE, you must provide clocking using the clock rate command. config t Router(config)#interface serial 0 Router(config-if)#clock rate Router(config-if)#end It is often helpful to use the description command to add a description of the purpose of the interface. conf t Router(config)#int e0 Router(config-if)#description My Connection to the Engineering Hub Router(config-if)#end You can use any of the following commands to view your changes: show running-config OR show interfaces OR show controllers Lesson 5: CDP - CDP is a Data Link protocol that operates at Layer 2 of the Open Systems Interconnection (OSI) model. This is important to understand because CDP is not routable and can only travel to directly connected devices. 64

11 CDP allows you to view information such as operating system version, protocol information, and much more. This information can be very handy for troubleshooting a variety of problems. CDP Commands The CDP commands are simple. See the following tables. no cdp run turns off CDP for the entire router cdp run turns on CDP for the entire router (default setting) cdp timer 120 cdp enable turns on CDP for the interface (default setting) no cdp enable turns off CDP for the interface Show Commands show cdp interface show cdp neighbor show cdp neighbor detail show cdp displays interface settings displays directly connected neighbors displays detailed information about neighbors displays general information Lesson 6: ARP ARP Commands Show arp The show arp command displays the Address Resolution Protocol (ARP) table, which contains detailed information about interfaces that are learning media access control (MAC) addresses. Looking at the table below, you can see that the router learned the IP address and MAC address of each Ethernet interface. The Age column indicates how long the router has had the information, and the Interface column indicates the interface from which it learned this information. Notice that the age of the address is not indicated because it is the IP address of the Ethernet port that is connected to the router. show arp Protocol Address Age (min) Hardware Addr Type Interface Internet c32.f57d ARPA Ethernet0 Internet e040 ARPA Ethernet0 Clear arp The information stored in the ARP table can become corrupted occasionally, which causes the router to experience packet-delivery problems. When this happens, the ARP table must be cleared and rebuilt. You must access 65

12 privileged mode and issue the clear arp command in order to clear the ARP table. After you have cleared the ARP table, you can view it again using the show arp command. In this example, notice that all entries, with the exception of the directly connected interfaces of the router, have disappeared. show arp Protocol Address Age (min) Hardware Addr Type Interface Internet e040 ARPA Ethernet0 Lesson 7: Routing Protocols RIP Routing Information Protocol (RIP) is a standards-based, distance vector, interior gateway protocol (IGP) that is used by routers to exchange routing information. RIP uses hop count to determine the best path between two locations. Hop count is the number of routers through which a packet must travel in order to reach the destination network. The maximum allowable number of hops a packet can traverse in an IP network where RIP is implemented is 15 hops. In a RIP network, each router broadcasts its entire RIP table to its neighboring routers every 30 seconds. When a router receives a neighbor s RIP table, it uses the information provided to update its own routing table and then sends the updated table to its neighbors. This procedure is repeated by each router and results in a state referred to as network convergence, in which all routers have an identical view of the internetwork topology. Router>en conf t Router(config)#hostname Router1 Router1(config)#int e0 Router1(config-if)#ip address Router1(config-if)#no shut %LINK-3-UPDOWN: Interface Ethernet0, changed state to up Router1(config-if)#exit Router1(config)#int s0 Router1(config-if)#ip address Router1(config-if)#no shut %LINK-3-UPDOWN: Interface Serial0, changed state to up %LINK-3-UPDOWN: Interface Serial0, changed state to down %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0, changed state to down Router1(config-if)#exit Router1(config)# RIP version 1 is classful, which means it does not include the subnet mask in its routing table updates. RIP version 2 is classless and does include the subnet information in its routing table updates. RIP version 1 is used 66

13 in the example above. In order to use RIP version 2, the version 2 command must be entered after the router rip command. To enable RIP as the routing protocol on Router 1, the router rip command must be issued. Notice the new mode the router has entered. Router1(config)#router rip Router1(config-router)# Once RIP is running on Router 1, network statements must be used to tell the router which networks it is connected to. Every router interface that is directly connected to an active network needs a network number. Some - Router 1 s Ethernet 0 interface has an IP address of with a /24 subnet mask, and its serial 0 interface has an IP address of with a /16 subnet mask. Because RIP is classful, only the class portions of the ad- network statement should be used for the Ethernet 0 interface, and the network statement should be used for the serial 0 interface. Router1(config-router)#network Router1(config-router)#network Router1(config-router)# Router>en conf t Router(config)#hostname Router2 Router2(config)#int e0 Router2(config-if)#ip address Router2(config-if)#no shut 00:17:25: %LINK-3-UPDOWN: Interface Ethernet0, changed state to up Router2(config-if)#exit Router2(config)# 67

14 Now, the RIP information must be added. Router2(config)#router rip Router2(config-router)#network Router2(config-router)#exit Router2(config)#exit Router2# NETSIM FOR CCNA LAB MANUAL RIP should now be running on the network between Router 1 and Router 2. Router>en conf t Router(config)#hostname Router4 Router4(config)#int s0 Router4(config-if)#ip address Router4(config-if)#no shut 00:20:35: %LINK-3-UPDOWN: Interface Serial0, changed state to up Router4(config-if)#exit Router4(config)# Now, the RIP information must be added. Router4(config)#router rip Router4(config-router)#network Router4(config-router)#exit Router4(config)#exit Router4# show commands can be used to verify that the routers are receiving RIP routes. The most commonly used command is show ip route, which displays all entries in the routing table. This command should be issued at the privileged mode prompt on Router 4 to display the routes to the directly connected Router 1 and to the other routers on the network. Router4# show ip route Gateway of last resort is not set /16 is subnetted, 1 subnet C is directly connected, Serial 0 R [120/1] via :03:18, Serial 0 In the line R [120/1] via , 00:00:21, Serial0, the R indicates that this is a RIP route. The portion of the output indicates the destination network. The [120/1] portion of the output indicates that 120 is the administrative distance and that 1 hop is required to reach the destination. RIP s default administrative distance is 120; administrative distance is considered the trustworthiness of the route. If two routing protocols have the same route, the router will pick the route with the lower administrative distance. The via portion of the output indicates that is the address of the next hop. The Serial0 portion of the output indicates that this information was learned via the serial 0 interface. The show ip protocols command displays information about the IP routing protocols that are enabled. The following is example output from the show ip protocols command. 68

15 Router4#show ip protocols Routing Protocol is rip Sending updates every 30 seconds, next due in 12 seconds Invalid after 180 seconds, hold down 180, flushed after 240 Outgoing update filter list for all interfaces is Incoming update filter list for all interfaces is Redistributing: rip Default version control: send version 1, receive any version Interface Send Recv Key-chain Routing for Networks: Routing Information Sources: Gateway Distance Last Update :00:09 Distance: (default is 120) Router4# The output indicates that updates are being sent every 30 seconds. RIP is a distance vector routing protocol, so it exchanges its entire routing table every 30 seconds. The network is under the Routing for Networks area, which indicates that the network statement is working. Notice that the administrative distance is 120, which is the default. IGRP Interior Gateway Routing Protocol (IGRP) is a standards-based, distance vector IGP that is used by routers to exchange routing information. IGRP uses a composite metric of bandwidth and delay to determine the best path unit (MTU), reliability, and load for the link. In an IGRP network, each router broadcasts its entire IGRP table to its neighboring routers every 90 seconds. When a router receives a neighbor s IGRP table, it uses the information provided to update its own routing table and then sends the updated table to its neighbors. This procedure is repeated by each router and results in a state referred to as network convergence, in which all routers have an identical view of the internetwork topology. Router>en conf t Router(config)#hostname Router1 Router1(config)#int e0 Router1(config-if)#ip address Router1(config-if)#no shut 00:35:15: %LINK-3-UPDOWN: Interface Ethernet0, changed state to up Router1(config-if)#exit Router1(config)#int s0 69

16 Router1(config-if)#ip address Router1(config-if)#no shut 00:35:16: %LINK-3-UPDOWN: Interface Serial0, changed state to up Router1(config-if)#exit 00:35:16: %LINEPROTO-5-UPDO WN: Line protocol on Interface Ethernet0, changed state to up IGRP is classful, which means it does not include the subnet mask in its routing table updates. To enable IGRP as the routing protocol on Router 1, the router IGRP AS command must be used. The AS param- administration with a common routing policy. The same autonomous system number must be used on every router with which Router 1 s routing table should be shared. In this example, autonomous system number 100 will be used. Notice the new mode the router has entered. Router1(config)#router IGRP 100 Router1(config-router)# Now that IGRP is running on the router, network statements must be used to tell the router which networks it is connected to. Every router interface that is directly connected to an active network needs a network number. Some networks will use the same IP addressing schemes with different subnets, and some will use entirely different addressing schemes. The diagram below shows two different addressing schemes. Router 1 s Ethernet 0 interface has an IP address of with a /24 subnet mask, and its serial 0 interface has an IP address of with a /16 subnet mask. Because IGRP is classful, only the class portions of network statement should be issued for the Ethernet 0 interface, and the network statement should be issued for the serial 0 interface. Router1(config-router)#network Router1(config-router)#network Router1(config-router)# 70

17 Router>en conf t Router(config)#hostname Router2 Router2(config)#int e0 Router2(config-if)#ip address Router2(config-if)#no shut 01:23:17: %LINK-3-UPDOWN: Interface Ethernet0, changed state to up Router2(config-if)#exit 01:23:18: %LINEPROTO-5-UPDOWN: Line protocol on Interface Ethernet0, changed state to up Router2(config)# Router2(config)#router IGRP 100 Router2(config-router)#network Router2(config-router)#exit Router2(config)#exit Router2# IGRP should now be running on the network between Router 1 and Router 2. Router>en conf t Router(config)#hostname Router4 Router4(config)#int s0 Router4(config-if)#ip address Router4(config-if)#no shut 01:23:17: %LINK-3-UPDOWN: Interface Ethernet0, changed state to up 01:23:18: %LINEPROTO-5-UPDOWN: Line protocol on Interface Ethernet0, changed state to up Router4(config-if)#exit Router4(config)# Router4(config)#router IGRP 100 Router4(config-router)#network Router4(config-router)#exit Router4(config)#exit Router4# show commands can be used to verify that the routers are receiving routes. The show ip route command should be issued on Router 4 to display the route to the directly connected Router 1. Router4#show ip route Gateway of last resort is not set 71

18 /16 is subnetted, 1 subnet C is directly connected, Serial 0 I [100/651] via :03:18, Serial 0 In the line I [100/651] via , 00:00:21, Serial0, the I indicates that this is an IGRP route. The portion of the output indicates the destination network. The 100 in the 100/651 notation indicates that 100 is the administrative distance (IGRP s default administrative distance is 100). If two routing protocols with the same route are available, the router will pick the route with the lower administrative distance. The 651 value indicates the calculated metric, which is based on bandwidth delay. The via portion of the output indicates the address of the next hop. The Serial0 portion of the output indicates that this information was learned via the serial 0 interface. The show ip protocols command displays information about the IP routing protocols that are enabled. Router4#show ip protocols Routing Protocol is igrp 100 Sending updates every 90 seconds, next due in 12 seconds Invalid after 270 seconds, hold down 280, flushed after 630 Outgoing update filter list for all interfaces is not set Incoming update filter list for all interfaces is not set Default networks flagged in outgoing updates Default networks accepted from incoming updates IGRP metric weight K1=1, K2=0, K3=1, K4=0, K5=0 IGRP maximum hopcount 100 IGRP maximum metric variance 1 Redistributing: igrp 100 Routing for Networks: Routing Information Sources: Gateway Distance Last Update :00:09 Distance: (default is 100) Router4# The output indicates that updates are being sent every 90 seconds. Because IGRP is a distance vector routing protocol, it exchanges its entire routing table every 90 seconds. The network is under the Routing for Networks area, which indicates that the network statement is working. Notice that the administrative distance is 100, which is the default. OSPF OSPF is a dynamic link-state, hierarchical IGP that is based on open standards. It was designed as a replacement for RIP and was derived from an early version of Intermediate System to Intermediate System (IS-IS). OSPF is a robust protocol whose features include least-cost routing, multipath routing, and load balancing. The shortest path through the network is calculated by using the Dijkstra algorithm. Cisco uses its own implementation of the OSPF standards with additional features that are important for interoperability. 72

19 a few phases of initialization. First, the router uses hello packets to identify its neighbors and develop adjacencies (relationships for exchanging routing updates) with them. The router then starts the ExStart phase, which is the initial database exchange. Next is the Exchange phase in which the Designated Router sends the routing information and receives an acknowledgement (ack) receipt from the new router. During the Loading phase, the which it is an active member of the network. Router>en conf t Router(config)#hostname Router1 Router1(config)#int e0 Router1(config-if)#ip address Router(config-if)#no shut 00:12:33: %LINK-3-UPDOWN: Interface Ethernet0, changed state to up Router(config-if)#exit Router1(config)#int s0 Router1(config-if)#ip address Router1(config-if)#no shut 00:15:30: %LINK-3-UPDOWN: Interface Serial0, changed state to up 00:15:35: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0, changed state to up Router1(config-if)#exit Next, the router ospf 100 command should be issued to enable OSPF as the routing protocol. The 100 param- same for all of the routers within the OSPF area. The networks that are added to the OSPF session make up the area. Notice the new mode that the router enters once the command is issued. Router1(config)#router ospf 100 Router1(config-router)# Once OSPF is running on Router 1, network statements must be used to tell the router which networks it is connected to, as well as to assign it its wildcard mask and OSPF area. Every router interface that is directly connect- diagram below shows two different addressing schemes. 73

20 Router 1 s Ethernet 0 interface has an IP address of with a /24 subnet mask, and its serial 0 interface has an IP address of with a /16 subnet mask. When the network statements are issued, the class portions of the addresses, the wildcard masks, and the area IDs (an integer between 0 and 4,294,967,295) must be provided. Thus, on Router 1, the network area 0 command should be issued on the Ethernet 0 interface, and the network area 0 command should be issued on the serial 0 Router1(config-router)#network area 0 Router1(config-router)#network area 0 Router1(config-router)#exit Router1(config)#exit Router1# Now, the 100 and that the two networks were added to OSPF area 0. Router1#show running-config Router>en conf t Router(config)#hostname Router2 Router2(config)#int e0 Router2(config-if)#ip address Router2(config-if)#no shut Router2(config-if)#exit 00:21:23: %LINK-3-UPDOWN: Interface Ethernet0, changed state to up 00:21:42: %LINEPROTO-5-UPDOWN: Line protocol on Interface Ethernet0, changed state to up Router2(config)# 74

21 Router2(config)#router ospf 100 Router2(config-router)#network area 0 Router2(config-router)#exit Router2(config)#exit Router2# OSPF should now be running on the network between Router 1 and Router 2. Router>en conf t Router(config)#hostname Router4 Router4(config)#int s0 Router4(config-if)#ip address Router4(config-if)#no shut Router4(config-if)#exit Router4(config)#router ospf 100 Router4(config-router)#network area 0 Router4(config-router)#exit Router4(config)#exit Router4# OSPF should now be running on all three routers. The ping command can be used to test connectivity between the routers. From Router 1, Router 4 s serial 0 interface and Router 2 s Ethernet interface should be pinged. Router1#ping Router1#ping Next, Router 1 should be pinged from Router 2 and Router 4. Router2#ping Router4#ping If all pings succeed, the routers are talking to each other in both directions and routing is successful. Now, the show ip ospf interface Router1#show ip ospf interface This is an excellent command for learning all interface information. The output includes the interface IP address, area assignment, process ID, router ID, cost, priority, network type, timer intervals, and adjacent neighbor information. You can also see the Designated Router (DR)/Backup Designated Router (BDR) information when it is applied. Finally, the show ip ospf neighbor command should be issued. Router1#show ip ospf neighbor 75

22 This command displays all of the important information concerning neighbors and the adjacency state. It also Lesson 8: PPP with CHAP Authentication PPP Point-to-Point Protocol (PPP) is a protocol for communicating between two computers using a serial interface, typically a personal computer connected by phone line to a server. For example, your Internet service provider may supply you a PPP connection so that the provider s server can respond to your requests, pass them on to the Internet, and forward the Internet responses back to you. PPP is typically used with the Internet Protocol (IP). PPP is sometimes considered a member of the TCP/IP suite of protocols. PPP operates at the Data Link layer (Layer 2) of the Open Systems Interconnection (OSI) reference model. Essentially, it packages a computer s TCP/ IP packets and forwards them to the server where they can actually be put on the Internet. or satellite transmissions. It uses a variation of High Speed Data Link Control (HDLC) for packet encapsulation. PPP is usually preferred over the earlier de facto standard, Serial Line Internet Protocol (SLIP), because it can handle synchronous as well as asynchronous communication. PPP can share a line with other users, and it includes error detection that SLIP lacks. PPP is preferred over SLIP when possible. CHAP Challenge-Handshake Authentication Protocol (CHAP) provides a more secure procedure for connecting to a system than Password Authentication Protocol (PAP). Here s how CHAP works: After the link is made, the server sends a challenge message to the connection requestor. The requestor responds with a value obtained by using a one-way hash function. The server checks the response by comparing its own calculation of the expected hash value. If the values match, the authentication is acknowledged; otherwise, the connection is usually terminated. At any time, the server can request that a new challenge message be sent by the connected party. Because The following interface command enables PPP: encapsulation ppp PPP must be enabled on both ends of the link. The following interface command must be added in order for authentication to be enabled: ppp authentication chap The routers will now require authentication over the link. They will attempt to log in with their host names as 76

23 router, an entry that matches the remote router s user name and password must be made: username Other_Router password Other_enable_pass (R1)s s0(R2) PPP without CHAP Router 1: hostname R1 interface serial 0 encapsulation PPP no shutdown Router 2: hostname R2 interface serial 0 encapsulation PPP no shutdown PPP with CHAP Default Names and Password Router 1: hostname R1 enable secret toast1 username R2 password cool2 interface serial 0 encapsulation PPP ppp authentication chap no shutdown Router 2: hostname R2 enable secret cool2 username R1 password toast1 interface serial 0 encapsulation PPP ppp authentication chap no shutdown The following is a link where you can read more about PPP/CHAP authentication: 77

24 Lesson 9: Frame Relay NETSIM FOR CCNA LAB MANUAL Frame Relay is a network access protocol similar in principle to X.25. The main difference between Frame Relay forms both error detection and error correction, Frame Relay only performs error detection. X.25 performs data checking and correcting at the network level. Consequently, the network devices on an X.25 network correct the corrupt data or ask for the data to be retransmitted. The cost of such checking and retransmission is network delay. Frame Relay leaves the task of error correction to the protocols used by intelligent devices at each end of the network. These intelligent devices provide end-to-end data integrity. Because Frame Relay relies on the devices and less delay occurs overall. The following command can be used to add a description to an interface to help keep track of permanent virtual circuits (PVCs). An example of a description might be Frame Relay to Boston. description descriptive_string encapsulation frame-relay [cisco ietf] Relay subinterface: frame-relay interface-dlci dlci [broadcast] A DLCI is assigned by the local Frame Relay provider for every PVC connected to the router. DLCI numbers are not exchanged between routers. DLCI numbering at one Frame Relay site is mutually exclusive from DLCI numbering at another site. The broadcast keyword is optional and should only be included if broadcast packets (e.g., IP, RIP, or IPX RIP/SAP updates) need to be forwarded out of the subinterface. In static routing examples, routing updates are not required and the keyword is omitted. type from the Frame Relay provider: frame-relay lmi-type {ansi cisco q933a} LMI is a Frame Relay control protocol sent to the router from the Frame Relay switch at the service provider and is not exchanged between routers. The LMI type at one location does not have to match the LMI type at other locations. Supported LMI Types cisco ansi q933a default ANSI Annex D CCITT Q933a 78

25 protocol address and a Frame Relay DLCI: frame-relay map-ip ip_address dlci [broadcast] Again, the broadcast keyword is optional and should only be included if broadcast packets need to be forwarded out of the subinterface. In static routing examples, routing updates are not required and the keyword is omitted. point connection. interface serial0.subinterface_# [point-to-point multipoint] A subinterface is treated as if it were a separate interface dedicated for a PVC to a remote site. Serial0 indicates that the subinterface belongs to the physical serial 0 interface, and subinterface _# is the unique subinterface ID number. The subinterface ID number can be any unique value between 0 and 4,294,967,295 and does not have to be in any particular order (i.e., it is not necessary to begin with 1 and sequentially progress with 2, 3, and so on). In fact, to reduce confusion, it is good practice to identify a subinterface with the same number as the DLCI used on that subinterface. ip address ip_address subnet_mask Lesson 10: Access Lists of packets within a network based on information provided within the list. Standard IP access lists are very straightforward because the source IP address of a packet is the only criterion used to determine whether the packet should be permitted or denied. Access lists can be used for a variety of reasons, including controlling the propagation and reception of primary implementation, and the main topic of this lesson, is the implementation of the access list as a security mechanism. Implementing Restricted Access You may choose to implement security policies for a variety of reasons, including, but certainly not limited to, the Without the use of access lists, all packets within a network are allowed without restriction to all parts of the network. an outside network such as the Internet. This type of access list is typically placed at the point of connection between the two networks. When an access list is used for interdepartmental isolation, the access list is typically placed at strategic locations within the internal network. 79

26 The Basics of Standard IP Access Lists The basic format of the standard IP access list is as follows: access-list [#] [permit deny] [source_address any] [source_mask] An access list may contain multiple lines, each following the format shown above. The access list may specify multiple source IP addresses to be evaluated. Each line entry of the access list must maintain the same access list fore, the most general statements should be placed at the beginning of the list to avoid extra processing. list based on the access list number that is assigned. The numbering range for standard IP access lists is from 1 through 99. All standard IP access lists must be numbered within this range. After a number in the appropriate range has been assigned to the access list, the list dictates whether the packets to be evaluated will be permitted (allowed to pass) or denied (dropped and not allowed to pass). This is accomplished by using the permit or deny keyword in the access-list command. The keyword instructs the permitted or denied. The standard IP access list allows for a source mask to be applied to the source IP address. Although similar to the subnet mask that is applied to IP addresses, the source mask is somewhat different. When a source mask is used with IP access lists, a bit set to 0 means match exactly, and a bit set to 1 means do not care. For example, if you would like to include all hosts in the Class C network , the source address-source second, and third octets of the address ( ) must match exactly (indicated by 0.0.0, or all zeros, in the (indicated by 255, or all ones, in the source mask for the fourth octet). The use of this source address-source mask combination allows a single line in the access list to include all hosts in the network. Using the keyword any is the same as using a source address-source mask combination of The source mask indicates that you do not care which bits are set in any the router will, by default, use a source mask of and match exactly the address entered. After an access list has been created, the Cisco router will assume that any source IP addresses that are not explicitly permitted in the list will be denied. In other words, at the end of the access list, the router will implic , all other source addresses will be implicitly denied. Creating a Simple Standard IP Access List Now we will discuss creating a standard IP access list using the following format: access-list [#] [permit deny] [source_address any] [source_mask] 80

27 conf t Router(config)#access-list 1 permit host Router(config)#exit permit statement for host address Because the source mask was not speci- deny any statement at the end Applying the Access List to an Interface command for applying a standard IP access list to an interface is as follows: ip access-group [access_list_number] [in out] Access lists can be applied as either outbound or inbound on the router interfaces. When an access list is applied as an inbound list and the router receives an inbound packet, it checks the source address of the packet against the access list. The packet is routed to the destination interface if the source address matches a permit statement in the access list. The packet is discarded if the source address matches a deny statement in the access list. When an access list is applied as an outbound list and the router receives a packet on an interface, the packet is routed to the appropriate outbound interface, and the source address of the packet is then checked against the access list. At this point, the router either permits the packet to exit the interface if its source address matches a permit statement in the access list or discards the packet if its source address matches a deny statement in the access list. The following commands apply access list 1 to interface Ethernet 0 as an inbound access list. Note the in parameter in the ip access-group 1 command. conf t Router(config)#int Ethernet 0 Router(config-if)#ip access-group 1 in Router(config-if)#exit Router(config)#exit The following commands apply access list 1 to interface Ethernet 0 as an outbound access list. Note the out parameter in the ip access-group 1 command. conf t Router(config)#int Ethernet 0 Router(config-if)#ip access-group 1 out Router(config-if)#exit Router(config)#exit 81

28 Creating a More Advanced Standard IP Access List In this exercise, we will create access list 2 to meet the following criteria: Permit all packets originating from network Deny all packets originating from network Deny all packets originating from network , except for packets from a single host of The following commands will accomplish these goals: conf t Router(config)#access-list 2 deny Router(config)#access-list 2 permit host Router(config)#access-list 2 deny Router(config)#access-list 2 permit any Router(config)#exit permit statement for, takes care of this criteria. Review the criteria, and verify that the necessary tasks have been completed: Permit all packets originating from network The last line of the access list,, accomplishes this criterion. It is not necessary to explicitly permit the network in the access list because no other statements in the access list deny this network. Deny all packets originating from network , accomplishes of the fourth octet has been assigned to the subnet and the last seven bits have been reserved for host addressing. Thus, the source mask in the deny statement, , indicates that you do not care Deny all packets originating from network , except for packets from a single host of This has been accomplished with line two,, and line three,, of the access list. Remember that access lists stipulated that packets from network be denied and that packets from host be permitted. If lines two and three had been swapped and the entire network was denied prior to permitting host , packets with a source address of would match the more general criteria of deny

29 The last line of the access list,, accomplishes this by permit- Bringing It All Together In general, the process for creating and implementing standard IP access lists is as follows: Create the access list with a number in the range of 1 through Apply the access list, either inbound or outbound, to the appropriate interface. Items 1 and 2 above have been fairly well covered in this lesson. Lastly, the placement of the access list needs to be discussed. In general, standard IP access lists should be placed nearer to the destination than to the source. However, this is not an absolute rule; certain exceptions exist. Due to the fact that standard IP access lists only operate on the source address, detailed granularity is not always possible. Care must be taken to avoid implementing undesirable policies. If a standard access list is placed near the source, it is possible that access will be impeded to devices other than those intended. For example, if access list 2, which we created in this lesson, were implemented as an inbound access list on the Ethernet interface of a router directly connected to the network, the only host that would be allowed off the local segment would be This access list would most likely be implemented as an outbound access In the diagram below, assume that Workstation C has the IP address and that Workstation D has the IP address. You want to implement a policy for Workstation A that only allows Workstation C access from Ethernet C. You also want to implement a policy that will deny any access from Ethernet D. Access list placement is critical in this situation. If access list 2 from above is implemented as an outbound access list on Ethernet B, which is undesired. The same scenario holds true if the access list is implemented as an inbound access list on Router 1 s serial interface. If you place this access list as an outbound access list on Router 1 s Ethernet A interface, the desired policy is intact without any unwanted policy implementations. 83

30 Access List Cheat Sheet Wildcard masks have a variety of uses in access lists, but typically you will want to do one of the following: Match an entire subnet Match an IP range Match every host and any host Here are some simple examples to accomplish these requirements. All wildcard mask bits are zeros. For a standard access list to permit the host , you could use the following command: access-list 101 permit Because standard access lists assume a mask, you could rewrite the command as follows: access-list 101 permit For an extended access list to permit the same host of , you should use one of the following commands: access-list 101 permit ip any OR access-list 101 permit ip host any 84

31 Match an Entire Subnet The key to matching an entire subnet is to use the following formula for the wildcard mask: Wildcard mask = subnet So, for example, if the current subnet is , the mask would be , as calculated below: In this equation, subtract each octet separately since an IP address is not a whole number. To permit access to the network of with a subnet mask of , you should use the following commands. Using a standard access list: access-list 101 permit Using an extended access list: access-list 101 permit ip any To permit access to the network of with a subnet mask of , you should use the following commands. Using a standard access list: access-list 100 permit Using an extended access list: access-list 100 permit ip any Match an IP Range address from the higher IP address In this case, the wildcard mask for this range is To permit access to this range, you should use the following commands. Using a standard access list: access-list 100 permit Using an extended access list: access-list 100 permit ip any Note that each non-zero value in the mask must be one less than a power of 2 (i.e., 0, 1, 3, 7, 15, 31, 63, 127, 255). Match Every Host and Any Host This is the easiest access list to create. 85

32 Using a standard access list: access-list 1 permit any OR access-list 1 permit Using an extended access list: access-list 1 permit ip any any Lesson 11: Switches Switches, which work at the Data Link layer (Layer 2) of the Open Systems Interconnection (OSI) model, concentrate the point of attachment for workstations, servers, routers, hubs, and other switches. A switch provides a dedicated point-to-point connection between two networking devices; thus, collisions do not occur. Switch Components A switch includes all of the hardware components of a PC, including a CPU, RAM, and an internetwork operating system (IOS). A switch can be managed the same as a router; you can console into its console port, telnet to its IP address, and even change the IOS through the use of TFTP. Switches use some of the same commands that routers use. To check information about the interfaces, you can use the show interfaces command. To display the IP information for the interfaces, use the show ip interfaces show version command. To command. The show mac-address-table command displays the MAC table for the switch. The MAC table is the table that matches all the ports on the switch with the MAC addresses it has learned. Command-Line Interface User Mode vs. Privileged Mode User mode is indicated by the > prompt that follows the switch name. In user mode, you can look at some of the switch s settings, but you cannot change them. In privileged mode, accessed by using the enable command in user mode and indicated by the # prompt, you can use the different show commands to view all settings on the command. Switch> Switch>enable Switch# Accessing Help To view all commands available from this mode, type?. This will display a list of all available commands in the current mode. You can also use the question mark after you have started typing a command. For example if you want to use a show command but you do not remember which one to use, type show? to display all commands that you can use with the show command. r1#show? 86