Cheat Sheet for

Cisco Certified Network Associate Study Guide to Exam 640-507 (2nd Ed.)
I try to avoid repeating myself, so you might have to read the whole booklet to find a definition you need. When I introduce terms, I often show them in bold face type (but, then, I use bold face type for a lot of things). To save space, I use the following conventions:
- I refer to OSI layers as “L2,” “L3,” &c., instead of “data-link” and “network.”
- When I bother to show IOS prompts, I leave off the router names.
- I shorten bandwidth to BW, virtual circuit to VC, configuration file to CF, &c.
- The proper Latin plural of “status” is “stati” but I sometimes say “stats.”
- “Et cetera” (or “etc.,” meaning “and so forth”) can also be written “&c.”
I’ve borrowed from other sources, too, because I want as much of the exam here as possible. I’ve tried to make it all self-evident. This booklet, alone, might be enough to pass the exam (everything on my exam is here) but that wasn’t my goal. Lammle’s $140 book isn’t perfect (his Frame Relay stuff has several errors and omissions, for example, and the CD-ROMs are full of mistakes) but you should still buy it and the network simulator software that comes with it. My exam was 75 minutes & 65 questions. Different exams have different passing scores, so your final score is MEANINGLESS. Buona Fortuna!

Cisco-ly Yours,
R.S.

originally by Todd Lammle, published by Sybex; condensed May 2001 by Robert S. with gratitude to Shankar
“Good artists copy. Great artists steal.” – Pablo Picasso

The best way to study something is to regurgitate it in one’s own words. When I studied CCNA, I wrote this thing. I reduced 700 pages to a fourteen-page booklet so I could carry it around, reviewing everywhere I went. This document is color-coded, with all the IOS commands in violet arial narrow, for example. As I realize the minimal benefits of color when one prints on black and white laser printers, I’ve tried to be sensible about my choices. I still suggest you print it in color, if possible. (Word Viewer wrongly italicizes my commands.) In each chapter, Todd Lammle lists key terms with which you should be familiar before the exam. I haven’t tried to define every term but I have written them in blue, underlined in squiggles, so look at each and ask, “Can I define this?” An easier color code to spot is my grey shading. This indicates stuff Lammle, instructors, and some unreliable friends have told me is not likely to be on the exam. Reading it might help your understanding but don’t sweat memorizing it. Wiggly red lines to either side show text I’ve been strongly warned to study. I’m more careful than Lammle to show correct prompts – I didn’t want to waste space repeating config t and int s0 – so it’s up to you to notice the mode we’re in.

Contents: [Note: Chapters II & VI are paired.]
I – LANs, OSI model, Cisco model (pg 1)
II – switches, Spanning Tree Protocol (pg 5)
III – IP subnetting (pg 6)
IV – router configuration basics (pg 7)
V – IP routing, RIP, IGRP (pg 8)
VI – VLANs, tagging, VLAN Trunk Protocol (pg 5)
VII – boot-up & connectivity tools (pg 9)
VIII – IPX (pg 10)
IX – access lists (pg 11)
X – WANs, HDLC, PPP, Frame Relay, ISDN (pg 12)
Appendix B – the Catalyst 1900 switch (pg 14)

CHAPTER I – INTERNETWORKING and the OPEN SYSTEMS INTERCONNECTION MODEL
or “Please Do Not Throw Sausage Pizza Around.”
(5-7 questions on the OSI model; an unknown number on general networking)

This chart summarizes the ISO Open Systems Interconnection model, laid out in more detail hereafter. A layered model reduces complexity, permits the use of standard interfaces, lets engineers make modular changes, lets different technologies inter-operate, accelerates evolution, and is easier to learn. Although all seven layers could be on the exam, they’re not equally critical: you can answer the basic OSI layer questions by knowing enough to tell them apart. The real reason to study layers 2 and 3, where switches and routers work, and L4, where many big protocols appear, is that these descriptions form the foundation for much of the exam. If you don’t grasp the L2 – L4 details of this chapter well enough to write them out from memory, you’re toast.

The Big Picture, layer by layer. For each layer: mnemonic word, layer name, functional mnemonic, Protocol Data Unit (PDU), what the layer is analogous to, what it’s all about, key concepts, main network operations, what it filters PDUs by, and the devices that work there.

L1 – “Please” – Physical
  PDU: blasts frames into bits
  analogous to: a conveyor belt
  it’s all about: sending and receiving bits
  key concept: physical topology
  main operation: puts bits on the wire
  devices: hubs

L2 – “Do” – Data-Link – “Destination Drop-boxes & Doorsteps”
  PDU: nails packets into frames
  analogous to: a mailman finding a mailbox
  it’s all about: hardware addressing
  key concept: framing
  main operation: frames data for the local network
  filters PDUs using: hardware (physical) addresses
  devices: switches

L3 – “Not” – Network – “Navigates the National Highway Network”
  PDU: wraps segments into packets
  analogous to: a navigator finding a town
  it’s all about: logical (network) addressing
  key concept: routing
  main operation: routes between networks
  filters PDUs using: network addresses
  devices: routers

L4 – “Throw” – Transport – “Truckers & Teamsters”
  PDU: chops data into segments
  analogous to: a loading dock worker boxing a shipment
  it’s all about: packing & shipping
  key concept: end-to-end connections
  main operation: provides flow control
  filters PDUs using: ports / sockets / protocol #s
  devices: gateways

L5 – “Sausage” – Session – “Split-Second Sequencing”
  PDU: data
  analogous to: a dispatcher (or talk show host) sequencing tasks
  it’s all about: timing
  key concept: dialog control
  main operation: opens / closes sessions

L6 – “Pizza” – Presentation – “Pasting Parts & Pieces into Proper Products”
  PDU: data
  analogous to: a newspaper editor compiling documents
  it’s all about: file formats
  main operations: encryption, compression, assorted translation functions

L7 – “Around!” – Application
  PDU: data
  analogous to: a corporate executive issuing instructions
  it’s all about: giving orders
  main operations: application demands transfers; IDs partners; final error resolution

The CISCO 3-LAYER where-you-should-spend-your-money MODEL

CORE LAYER
- speed is critical
- can affect all users
- should be fault-tolerant and reliable
- no filtering, security slowdowns, or inter-VLAN routing
- no workgroup access
- could use FDDI, fast (100Mb) Ethernet, gigabit (1000Mb) Ethernet, or ATM
- when improvements are necessary, upgrade; don’t expand

DISTRIBUTION LAYER
- routing
- inter-VLAN routing
- WAN access
- gatekeeper to the core layer
- determines how best to handle requests
- security, filtering, firewalls
- queuing (print jobs, &c.)
- transitions between routing protocols (including static routing)
- definition of broadcast/multicast domains

ACCESS LAYER
- a.k.a. the “desktop layer”
- more specific security
- segmenting for more collision domains
- connectivity to distribution layer via 100Mbps links
- Dial on Demand Routing (DDR)
- Ethernet switching
- static routing
- connect 10Mbps switches to workstations; 100Mbps switches to servers


THE UPPER LAYERS: COMMAND & CONTROL

L7 Application Layer
* DATA STREAMS (MESSAGES) *
It’s all about GIVING ORDERS: the corporate executive. The highest level of the model. It defines the manner in which applications interact with the network and with the user, including database management, e-mail, and terminal-emulation programs.
KEY CONCEPTS: file, print, message, database, and application services
NETWORK OPERATIONS PERFORMED:
- determining availability of communication partners and network resources
- coordinating partnerships between multiple applications
- ultimate authority over data integrity and error recovery
PROTOCOLS (network applications) FOUND AT THIS LAYER:
- HTTP (TCP port 80) – ‘HyperText Transfer Protocol’ World Wide Web browsing
- FTP (TCP port 21) – ‘File Transfer Protocol’ full-featured file management (a login is required, but nothing is encrypted)
- TFTP (UDP port 69) – ‘Trivial File Transfer Protocol’ stripped-down file transfers (no login at all)
- Telnet (TCP port 23) – terminal emulator program
- SMTP (TCP port 25) – ‘Simple Mail Transfer Protocol’ e-mail sending
- POP3 (TCP port 110) – ‘Post Office Protocol’ e-mail receiving
- DNS (UDP port 53) – ‘Domain Name Service’ English-to-IP translation
- SNMP (UDP port 161) – ‘Simple Network Management Protocol’ (“Are you O.K.?”)
- NNTP (TCP port 119) – ‘Network News Transfer Protocol’ newsgroup post management
- IRC (TCP) – ‘Internet Relay Chat’ keyboard chat program
- EDI – ‘Electronic Data Interchange’ for e-commerce transactions
- WINS – ‘Windows Internet Name Service’
- NetBEUI – file sharing device driver for tiny Microsoft LANs (not routable)
- ConSeal VPN (TCP)

L6 Presentation Layer – “Pasting Parts & Pieces into Proper Products”
* DATA STREAMS *
It’s all about FILE FORMATS: the newspaper editor. Defines the way in which data is formatted, presented, converted, and encoded: what you see on the screen versus the data on the hard disk, and the presentation of data to the programs in binary format.
NETWORK OPERATIONS PERFORMED:
- translation between file formats (MIDI, MPEG, JPEG, TIFF, PICT, ASCII, EBCDIC, &c.)
- encryption
- compression

L5 Session Layer – “Split-Second Sequencing”
* DATA STREAMS *
It’s all about TIMING: the dispatcher / talk show host. Organizes and directs communication sessions, coordinates communications, and maintains the session for as long as it is needed. Handles the interaction between programs (rather than with the user, which is L7’s job).
KEY CONCEPT: dialog control
NETWORK OPERATIONS PERFORMED:
- opening, maintenance, and closure of sessions between devices / applications
- managing simplex, half-duplex, and full-duplex modes
- keeping data separate for different applications
- communications launching, performing security, logging, and administrative functions
PROTOCOLS (for manipulating remote systems) FOUND AT THIS LAYER:
- NFS – ‘Network File System’ sharing between different file systems
- SQL – ‘Structured Query Language’ database sorting
- RPC – ‘Remote Procedure Call’ for running a process on another machine
- X Window – remote UNIX GUI emulator
- ASP – ‘AppleTalk Session Protocol’
- NetBIOS – API giving programs a consistent set of tools to call for network functions

THE MIDDLE LAYERS: SHIPPING & RECEIVING

L4 Transport Layer – “Truckers & Teamsters”
* chops data into SEGMENTS *
It’s all about PACKING & SHIPPING (either reliable TCP/SPX or unreliable UDP/IPX): the loading dock worker, data chopper & reassembler. Asks, “Which port (which pipeline) do we stuff this into?” “Did the packets get where they should?” “What belongs in this pipe?” Defines protocols for structuring messages and supervises the validity of the transmission by performing some error checking.
KEY CONCEPT: end-to-end connection
NETWORK OPERATIONS PERFORMED:
- segmentation and reassembly; creates and reads segments
- flow control (buffering, source-quench messages, and windowing)
- error checking & correction by counting segments & requesting retransmissions
- acknowledging packet receipt during connection-oriented transfers (no acknowledgement of received packets follows a connectionless transfer)
- managing virtual circuits; multiplexing several streams onto one link
- keeping data separate for different applications
DISCRIMINATES BY: application port / socket, by which a segment identifies which upper-layer protocol will use its data (e.g., port 80 = HTTP); this is what simple firewall filtering keys on
PROTOCOLS (delivery control methods) FOUND AT THIS LAYER:
- TCP – ‘Transmission Control Protocol’ reliable delivery boy creating connection-oriented links
- UDP – ‘User Datagram Protocol’ unreliable delivery boy using connectionless transfers
- SPX – ‘Sequenced Packet eXchange’ connection management tools added to IPX for reliable, connection-oriented communication
TECHNOLOGIES: gateways

PORTS: There are 65,535 application ports in both TCP and UDP flavors. (Most applications, however, only use one flavor or the other.) Ports below 1024 are called the “well known” ports and are assigned by the Internet Assigned Numbers Authority (IANA). Of these, the ones from 1 to 254 are used by public applications and the ones from 255 to 1023 are used by proprietary (‘saleable’) applications. Ports 1024 and above are used as needed for addressing by the upper layers or TCP during sessions. Don’t confuse ports with the IP protocol numbers that name the L4 protocol inside a packet: TCP is protocol 6 and UDP is protocol 17. Here are a few ports:
  echo                          7
  FTP data (TCP)               20
  FTP control (TCP)            21
  Telnet (TCP)                 23
  SMTP (TCP)                   25
  DNS (UDP)                    53
  TFTP (UDP)                   69
  finger                       79
  HTTP (TCP)                   80
  POP2 (TCP)                  109
  POP3 (TCP)                  110
  identification (TCP)        113
  NNTP (TCP)                  119
  NTP                         123
  NetBIOS name service (UDP)  137
  NetBIOS datagram (UDP)      138
  NetBIOS session/file share (TCP) 139
  news                        144
  SNMP (UDP)                  161
  SNMP trap (UDP)             162
  NetWare IP                  396
  HTTPS (TCP)                 443
  RIP (UDP)                   520
  Doom (yes, the game)        666
  WINS                       1512
  L2TP (UDP)                 1701
  ICQ (UDP)                  4000
  IRC (TCP)                  6660-6669, specifically 6667 [also 7000 and 4995-4997, for very large chat servers]

L3 Network Layer – “Navigates the National Highway Network”
* wraps segments into PACKETS (data or route update) or DATAGRAMS *
It’s all about LOGICAL ADDRESSING: the long-haul navigator finding a town. “How do we get to that network from here?” Defines protocols for data routing to ensure that the information arrives at the correct destination node and manages communications errors.
KEY CONCEPT: routing
NETWORK OPERATIONS PERFORMED:
- routing / network navigation
- logical / network identification
- packet handling instructions
- breaking up broadcast domains
DISCRIMINATES BY:
- logical (IP, IPX) addresses
- ‘protocol numbers’ in IP packets identifying which L4 protocol the data is for
PROTOCOLS (for routing and navigation) FOUND AT THIS LAYER:
- IP – ‘Internet Protocol’ connectionless network addressing and routing
- IPX – ‘Internetwork Packet eXchange’ NetWare’s alternative to TCP/IP, unreliable delivery boy using connectionless transfers
- ICMP – ‘Internet Control Message Protocol’ error-reporting, supporting:
  - PING – ‘Packet Internetwork Groper’ connectivity detector
  - TraceRoute – traces packet paths using ICMP timeouts
  - delivery of operational messages such as “Destination Unreachable,” “Buffer Full,” and “Maximum Hop Count Reached”
- ARP – ‘Address Resolution Protocol’ (“What’s the MAC address for this IP address?”)
- RARP – ‘Reverse Address Resolution Protocol’ (“I am diskless workstation XXX. What is my IP address?”)
- BootP – ‘Bootstrap Protocol’ (“I am diskless workstation YYY. What is my IP address and what should I do first?”)
- DHCP – ‘Dynamic Host Configuration Protocol’ (“I’m new here. What is ALL my IP information?”)
- RIP – ‘Routing Information Protocol’ routing scheme
- IGRP – ‘Interior Gateway Routing Protocol’ routing scheme for large, heterogeneous networks
- EIGRP – ‘Enhanced Interior Gateway Routing Protocol’ routing scheme
- OSPF – ‘Open Shortest Path First’ routing scheme
- BGP – ‘Border Gateway Protocol’ routing scheme
- IGMP – ‘Internet Group Management Protocol’ membership manager for multicast groups
- RSVP – ‘Resource reSerVation Protocol’ bandwidth reserver
- AppleTalk
TECHNOLOGIES:
- routers (slower, software-based)
- layer 3 switches (faster, ASIC hardware-based)

THE LOWER LAYERS: HARDWARE MANAGEMENT

L2 Data-Link Layer – “Destination Drop-Boxes & Doorsteps”
* nails packets into FRAMES or CELLS *
It’s all about HARDWARE ADDRESSING: the mailman finding a mailbox. “Where, exactly, does it go?” Validates the integrity of the flow of data from one node to another by synchronizing blocks of data and controlling the flow of data.
KEY CONCEPT: framing
NETWORK OPERATIONS PERFORMED:
- framing data for transmission onto the local network segment
- physical / hardware / MAC identification
- error notification (not correction) in frames
- ordered delivery of frames
- optional flow control
- breaking up collision domains
DISCRIMINATES BY: hardware (MAC) addresses
PROTOCOLS (for transmission) FOUND AT THIS LAYER:
- Ethernet frames, and the CSMA/CD rules for sharing the wire (802.3)
- Token Ring frames (802.5)
- IPX frames (four varieties: Ethernet_II, 802.3, 802.2, & SNAP)
- Frame Relay frames (two varieties: Cisco & IETF)
- HDLC – ‘High-level Data Link Control’ (generic or Cisco) error correction
- PPP – ‘Point-to-Point Protocol’ fake Ethernet over modem or serial link
- L2TP – ‘Layer 2 Tunneling Protocol’ frame disguising
- ATM (Asynchronous Transfer Mode) standard for cell-switched WANs
- ISDN “clouds”
- X.25 – enables DTE use over DCE networks, precursor to Frame Relay
- DQDB (Don’t worry, nobody knows what this is.)
- CDP – ‘Cisco Discovery Protocol’ investigation of neighbor devices
- SNAP – ‘SubNetwork Access Protocol’
TECHNOLOGIES:
- bridges (slower, software-based)
- switches (fast, application-specific integrated circuit (ASIC) hardware-based)
- network interface cards (NICs)
SOME FRAME FIELDS of INTEREST:
- FCS – ‘Frame Check Sequence’ field in an Ethernet frame (holds the CRC value)
- CRC (Cyclic Redundancy Check) – error notification (not correction)
- DSAP / SSAP – ‘Destination / Source Service Access Point’ fields in an 802.2 LLC header, naming the upper-layer protocol on each end
The TWO SUBLAYERS and THEIR SPECIFIC JOBS:
- L2a – Logical Link Control (LLC) sublayer handles L2 encapsulation: defines connection-oriented & connectionless operations, optional flow control, control-bit sequencing; defined by 802.2
-  L2b – Media Access Control (MAC) sublayer controls access to the media: line discipline, logical topology, hardware (MAC) addresses; defined by 802.3 & 802.5
Those Wacky IEEE Specifications: It might help to list some big ones…
- 802.1: bridging, STP, VLANs, and QoS
- 802.2: L2 framing, connection management
- 802.3: CSMA/CD & the Ethernets
- 802.5: Token Ring media access

L1 Physical Layer
* blasts frames into BITS *
It’s all about SENDING AND RECEIVING BITS: the conveyor belt. “When, exactly, is this going?” Defines the mechanism for communicating with the transmission medium and interface hardware: voltages, wire speeds (data rates), and connector pin-outs.
KEY CONCEPT: physical topology (baseband or broadband)
NETWORK OPERATIONS PERFORMED: putting bits onto the transmission medium
PROTOCOLS (for bit sequencing) FOUND AT THIS LAYER:
- RS-232, RS-449, and other serial line protocols
- V.32 and other CCITT modem protocols
TECHNOLOGIES:
- passive hubs
- active (amplifying) hubs
- repeaters
- concentrators
- modems
- DSL “modems”
- cable “modems”

The REST of CHAPTER ONE: Big Picture Networking – Of CSMA/CD and ETHERNET LANs

Ethernet is a simple way of letting several computers talk on a network. An Ethernet network is a bit like a meeting hall. It has to be clean and well built so everyone can find and hear everyone else. But people gather in a hall to do business, and Ethernet has nothing to do with the business discussed in this room. It uses a scheme called carrier sense, multiple access with collision detection or CSMA/CD (which I like to pronounce KIZ-muh-cud). That means 1) each node or host (each PC) listens to the wire to see if anyone’s talking, 2) anyone can transmit at any time without waiting for permission, and 3) if two devices transmit simultaneously (a “collision”), they back off for a while, then try again. Works great – until you get a couple hundred chatty machines on the same wire. Their shared collision domain can get only so busy before network traffic bogs down because there’s no time to get a word in. Some other network schemes, like Token Ring, solve this problem with rigidly fascist control over the wire. They make everyone wait his turn, or they pass a ‘you-get-to-talk-now’ card (the “token”) in a ring around the group. Ethernet is a bit more unruly but it’s cheap and popular, so we’re stuck with it. Those rules are in L2 in the OSI model. Also at L2 is the idea that everyone has a seat with his name on it (a hardware address – more later about these).

DUPLEX MODES: A new device on a network checks to see the best speed and duplex mode it can use. If a lonely device using two wires in a cable can only transmit OR receive, it’s working in simplex mode. If it can use those same two wires to talk AND listen but must take turns doing either, it is operating in half-duplex mode. Taking turns this way means only ½ the available BW can be used. A clever device that can talk and listen at the same time through a four-wire cable is using collision-free full-duplex mode. A device using full-duplex must be attached to a switch (not a hub) and have its collision detection and loopback turned off. Wire quality has as much to do with the available modes as does the sophistication of the devices.

ETHERNET MEDIA: Any high-frequency signal can only go so far down a cable before it fades out. Old 10Base5 runs up to 500m (the “5” means 500m) on big ugly coaxial cable nicknamed thicknet. A slimmer coax called thinnet carries 10Base2 up to 185m. Almost nobody uses either one these days. Today’s 10BaseT runs about 100m on 4-wire, category-3-or-better, unshielded twisted-pair (UTP) cable connected with small plastic Registered Jack (RJ)-45 connectors. “Base,” by the way, stands for baseband, meaning “using only one frequency.” Standard Ethernet operates at 10Mbps and is called 10BaseT. Ethernet keeps improving. Now we’ve added FastEthernet at 100Mbps and Gigabit Ethernet at 1000Mbps. One flavor of FastEthernet runs on high-quality category-5 wires where it’s called 100BaseTX, another runs on optical fiber (100BaseFX) and a third on bundles of cruddy category-3 or -4 telephone wire (100BaseT4). 100BaseTX can go 100m, and 100BaseFX can go 412m at ½-duplex or 2km in full-duplex mode.

RJ-45 Pin-to-Pin Wiring Schemes (“Pinouts”) for 10BaseT or 100BaseT Ethernet:
- four-wire straight-through cable, your standard Ethernet cable
  - for connecting dissimilar devices: router to hub/switch, PC to hub/switch
  - each pin connects to its twin: near end 1 2 3 6 / far end 1 2 3 6
- four-wire cross-over cable
  - for connecting similar devices: router to router, PC to PC, hub to switch
  - the pair of pairs swap partners: near end 1 2 3 6 / far end 3 6 1 2
Eight-Wire RJ-45 Pinout for Console (“Rollover”) Cable:
- for connecting a PC to the console port of a router
- ascending sequence segues to a descending sequence: near end 1 2 3 4 5 6 7 8 / far end 8 7 6 5 4 3 2 1

We’ve described the wires or “media” Ethernet uses, like describing the room everyone meets in. Think of this when you study L1 of the OSI seven-layer cake. We’ve also seen how the CSMA/CD rules-of-order apply in this room so people don’t interrupt each other.

The OSI MODEL ENCAPSULATES for YOUR SINS. That OSI model is a way of charting the responsibilities of network components so the people who design or operate them can enjoy some clarity. The model says, “everyone divide your tasks the same way and there will be less confusion.” This quest for simplification also underlies layered architecture: writing complex programs from simpler units assigned to the individual layers. Another result of the seven-layer model is the way jobs are sent between layers. If L4 has chopped some data into segments hoping they’ll be understood by another machine, it wouldn’t make sense for L3 to scribble network addresses like crazy all over those segments; by the time L2 got done adding the specific target’s physical address and L1 transmitted the result, those poor data segments would be a real mess to untangle. The better idea is encapsulation: we leave all segments alone and just encapsulate them in L3 packets. Then the packets are left untouched as they, in turn, are encapsulated in L2 frames. And when at last we blast the frames into bits at L1, we know the patterns of the upper layers are intact in the bit stream. Bits, frames, packets, and segments, the units passed from layer to layer, are called protocol data units (PDUs). AMEN.

ADDRESSING: Flat and Lumpy Schemes
A device’s “hardware” or “physical” or MAC address is a built-in L2 address read by switches. Every device comes from its factory bearing a unique MAC address 48 bits long and written as 12 hexadecimal digits (each digit is 4 bits in size), like 00e0.1e5d.2782. The first six digits are a code for the manufacturer (in bigger words, an Organizationally Unique Identifier) and the last six are unique to the device. Network addresses, such as IP or IPX, are logical (made-up) addresses read by routers. L2 frames are addressed with MAC addresses; L3 packets are addressed with network addresses; L2 and L3 addresses have nothing to do with each other. (Each L3 address only works for one L3 protocol.) Neither switches nor routers change the L3 addresses of passing packets. Whereas switches don’t alter the frames they sort, a router replaces the L2 source and destination addresses of each frame it handles. When one frame type is hidden inside another, this is called tunneling.

So why assign L3 addresses when every device already has a MAC address? Because switches have no trouble finding a few L2 MAC addresses in the small meeting hall of a “flat” network segment, but L2 addressing is “flat” with no address given any particular importance, and that’s as smart as it gets. L3 schemes use hierarchical addressing: packets can then be filtered by network “area codes” and routers can operate efficiently with only L3 knowledge. Routers read the L3 addresses and get the packets to the right network on the Internet. And that’s why each interface on a router must attach to a different network: if two of its connections had the same network name, the router couldn’t choose (“route”) between them. There are several network address schemes, the protocols, although there are good and bad points to each; those tasks are the jobs of networking protocols like IP and IPX. The important ones are found in my notes on each layer (pp 2 & 3).

If I want to send a message to 75 recipients I could direct it several ways. I could send 75 individual messages, one network-wide broadcast, or even one multicast to a group of 75 members. Such are the options with logical addressing. Now we need machines that can use this addressing power to decrease traffic. A switch reads hardware addresses; a router, on the other hand, stores and reads only network addresses, letting devices be gathered into convenient groups.

Some protocols are connectionless (UDP, ARP, and RIP, for example), meaning they send data over any available path, expecting no reply or confirmation of receipt. Slower but far more reliable are connection-oriented protocols like TCP, which establish and reserve a specific virtual circuit with a partner before exchanging data. These expect acknowledgements for their messages or use flow control (buffering, source-quench messages, and windowing, whereby the responses of the receiving device control how much info is transferred before an acknowledgement is required) to ensure they’re heard.

LAN SEGMENTATION: Small Groups are Easier to Control
When we connect a bunch of devices to an Ethernet hub, we’re just attaching all their wires together, so each machine hears everything being said. They are all in the same room, or in net-speak, the same collision domain. The hub and every device connected to it all sense each other’s state transitions (the voltage rises and drops making up digital messages). If you have several hundred PCs linked by a bunch of hubs, you have one huge collision domain. But insert a bridge before each hub and you keep each hub from ever seeing traffic for the others. A bridge learns the L2 addresses of devices it feeds and if it gets a frame not belonging to any of them, it blocks the frame. Bridges are mostly obsolete now because adding a bunch more ports to a bridge gets you an even nicer device: a switch. A switch is just like a bridge with more ports. Each port forwards only frames addressed to the devices attached there, so the switch divides each port into its own collision domain with fewer members. Put a single device on each port if you like. What you’ve done is divide your big collision domain (your meeting hall) into smaller collision domains. This improves both security (by keeping private traffic private) and performance (by reducing collisions).

A different problem is with broadcasts, which use a MAC address of all ones to reach every machine in a network. Switches don’t stop broadcasts and can do nothing to break up broadcast domains. You need a router for that. Routers divide broadcast domains because they direct traffic between different L3 network addresses and don’t (by default) transmit broadcasts. The only non-broadcast traffic leaving any domain is traffic specifically intended for another. Routers can also filter packets by the protocols they use, especially for security reasons. Since separate VLANs must talk through routers, VLANs, too, are said to divide broadcast domains. More on this in a moment.

[The terms WAN, ISDN, CSU/DSU, DTE, DCE, & BRI are in Chapter X.]
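The encapsulation walk above, and the L2 – L4 field notes earlier in this chapter (MAC address, FCS/CRC, IP protocol number, L4 port), are easier to believe once you build the PDUs yourself. The following is an added example written for this booklet, not code from Lammle or Cisco: it wraps a UDP segment in an IPv4 packet, the packet in an Ethernet II frame, turns the frame into a bit string, and then decapsulates it again, verifying the FCS and the IP header checksum as a store-and-forward switch and a router would. The MAC and IP addresses, ports and payload are constructed sample values, and the function names are my own.

```python
"""Encapsulation as the chapter describes it: a UDP segment (L4) is wrapped in an IPv4
packet (L3), the packet in an Ethernet II frame (L2), and the frame is serialised to a
bit string (L1); decapsulation peels the layers off again and checks each one.
Added example, not from the booklet; addresses, ports and payload are constructed."""
import struct
import zlib

ETHERTYPE_IPV4 = 0x0800   # Ethernet "type" field: an IPv4 packet follows the header
IPPROTO_UDP = 17          # IP "protocol number": the segment inside is UDP (TCP = 6)


def mac_to_bytes(mac):
    """Accept Cisco dotted (00e0.1e5d.2782), colon or dash notation."""
    digits = mac.replace(".", "").replace(":", "").replace("-", "")
    if len(digits) != 12:
        raise ValueError("MAC must be 12 hex digits (48 bits): %r" % mac)
    return bytes.fromhex(digits)


def describe_mac(mac):
    """Split a MAC into the OUI (manufacturer) and device halves and decode the two
    flag bits of the first byte: I/G (1 = group/multicast address) and U/L
    (1 = locally administered, i.e. not the burned-in factory address)."""
    raw = mac_to_bytes(mac)
    return {"oui": raw[:3].hex(), "device": raw[3:].hex(),
            "broadcast": raw == b"\xff" * 6,
            "multicast": bool(raw[0] & 0x01),
            "locally_administered": bool(raw[0] & 0x02)}


def ip_checksum(header):
    """RFC 791 one's-complement sum of 16-bit words; re-summing a header that already
    carries its checksum yields 0, which is how a receiver verifies it."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_udp_segment(src_port, dst_port, data):
    # L4: 8-byte header; a zero checksum means "not computed", legal for UDP over IPv4
    return struct.pack("!HHHH", src_port, dst_port, 8 + len(data), 0) + data


def build_ipv4_packet(src_ip, dst_ip, proto, segment, ttl=64):
    # L3: 20-byte header without options; the checksum covers the header only
    src = bytes(int(o) for o in src_ip.split("."))
    dst = bytes(int(o) for o in dst_ip.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(segment), 0x1234, 0,
                      ttl, proto, 0, src, dst)
    hdr = hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]
    return hdr + segment


def build_ethernet_frame(src_mac, dst_mac, ethertype, packet):
    # L2: 14-byte header, payload padded to the 46-byte minimum, 4-byte FCS (CRC-32)
    payload = packet.ljust(46, b"\x00")
    body = mac_to_bytes(dst_mac) + mac_to_bytes(src_mac) + struct.pack("!H", ethertype) + payload
    return body + struct.pack("<I", zlib.crc32(body))


def frame_to_bits(frame):
    # L1: the bit stream (real Ethernet sends each byte LSB first; the bit order is
    # irrelevant to the layering point, so plain MSB-first here)
    return "".join(format(b, "08b") for b in frame)


def decapsulate(bits):
    """Reverse the process, checking each layer the way its receiver would."""
    frame = int(bits, 2).to_bytes(len(bits) // 8, "big")
    body, fcs = frame[:-4], struct.unpack("<I", frame[-4:])[0]
    if zlib.crc32(body) != fcs:                 # a store-and-forward switch drops this too
        raise ValueError("FCS mismatch: frame damaged in transit")
    dst, src = body[:6], body[6:12]
    ethertype = struct.unpack("!H", body[12:14])[0]
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError("not an IPv4 packet: ethertype 0x%04x" % ethertype)
    packet = body[14:]
    _, _, total_len, _, _, ttl, proto, _, sip, dip = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    if ip_checksum(packet[:20]) != 0:
        raise ValueError("IPv4 header checksum mismatch")
    segment = packet[20:total_len]              # L2 padding beyond total_len is not L3 data
    sport, dport, ulen, _ = struct.unpack("!HHHH", segment[:8])
    return {"dst_mac": dst.hex(":"), "src_mac": src.hex(":"), "ethertype": ethertype,
            "src_ip": ".".join(str(o) for o in sip), "dst_ip": ".".join(str(o) for o in dip),
            "ttl": ttl, "proto": proto, "src_port": sport, "dst_port": dport,
            "data": segment[8:ulen]}


def round_trip(data=b"hello"):
    """Walk a payload down the stack and back up; returns what the receiver decoded."""
    segment = build_udp_segment(50000, 53, data)                               # L4, port 53 = DNS
    packet = build_ipv4_packet("10.1.1.5", "10.2.2.9", IPPROTO_UDP, segment)   # L3
    frame = build_ethernet_frame("00e0.1e5d.2782", "0000.0c12.3456",
                                 ETHERTYPE_IPV4, packet)                       # L2
    return decapsulate(frame_to_bits(frame))                                   # L1 and back


if __name__ == "__main__":
    print(describe_mac("00e0.1e5d.2782"))
    print(round_trip())
```

Two things to notice when running it: the five-byte payload comes back as exactly five bytes because the IP total-length field, not the frame length, bounds the L3 data (the rest is L2 padding), and flipping any single bit of the frame makes decapsulate() refuse it at the FCS check before the IP or UDP headers are even looked at, which is the order of checks the switch chapter attributes to store-and-forward mode.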

CHAPTER II – SWITCHES and the SPANNING TREE PROTOCOL (questions on switching and VLANs are counted together; see Chapter VI)
[Note: I’m told most of Cisco’s switches were designed by companies Cisco purchased. For this reason I haven’t much bothered to condense Lammle’s appendix B on switches. The parts of the appendix suggested to me (VLANs and trunking) are on page 14.]

- Switching is ASIC (hardware)-based. It offers low latency and full wire-speed operation in either half- or full-duplex modes.
- A switch is like a bridge with many more ports. It learns the source MAC address of every frame it receives and makes forward-or-filter decisions from that table. Broadcasts (destination all 1s), multicasts (host address = all 1s), and frames for unknown destinations go out all ports.
- This breaks up collision domains by sending only needed frames out each port, BUT it does not break up broadcast domains because broadcasts go out all ports.
- THREE FRAME HANDLING MODES:
  - store-and-forward: the entire frame is checked; rejected if too short (<64B) or too long (>1518B) or if it has a CRC failure
  - cut-through: fastest possible; only the destination header is checked (1st 13 Bytes)
  - FragmentFree (default mode for Catalyst 1900 switches): reads the 1st 64B checking for collision damage before forwarding
- Switches practice loop avoidance to stop broadcast storms, duplicate frames, and confusion in their filter tables caused by multiple paths.
- STP (IEEE 802.1d) is a messy protocol that causes lots of delays and recalculates the entire tree every time the network configuration changes. By default, all data stops for 50 seconds (“convergence time”) while STP re-configures all ports.
- STP elects a root bridge based on its 8-Byte bridge ID (derived from its device priority and its MAC ID). Priorities are compared (32,768 is the default) and the lowest value wins. Otherwise, the lowest MAC address wins.
- Designated ports are chosen by lowest cost path, using links’ accumulated BWs. Lowest cost ports leading back to the root bridge are called “root ports” and become the path for communications with the root.
- Port transitions go as follows:
  1. blocking
  2. listening (exchanging BPDUs and checking for loops) – “forwarding delay”
  3. learning all MAC addresses – a period also called a “forwarding delay”
  4. forwarding
- A L3 “intelligent” switch is faster than a router and can sort by L3 addresses.

CHAPTER VI – VLANs (15-20 questions, including general switching)
Please see page 14.

- We can divide a switch’s ports into subnetworks called virtual LANs (VLANs) organized by location, department, applications, or protocols. A group of connected switches is called a switch fabric. Users grouped by interest are called VLAN organizations.
- Broadcasts are an unpleasant fact of network life, but dividing broadcast domains this way improves security and performance by breaking up flat networks, in which every broadcast is seen by every device.
- Hosts in different VLANs must communicate through a L3 device: a router with an interface for each VLAN, or a route switch module (RSM) installed in the backplane of a 5000-Series switch to support up to 1005 VLANs. This router or other L3 device can provide inter-VLAN security.
- Static (port-based) VLANs are stable and secure, as long as the network doesn’t change much. VLANs can also provide automated control of each port and its resources to simplify computer moves: if all required host MAC addresses are entered into a database, switch software can create dynamic VLANs based on applications, protocols, or other factors, and a host keeps its VLAN even if the device moves around the network. Cisco offers VLAN Management Policy Server (VMPS) software as a MAC-address-to-VLAN mapping database; it permits monitoring, dynamic reporting of added hosts, and plug-and-play VLAN addition. (Caveat: the switch trusts the source MAC in the frame, and a host can send any MAC it likes, so a MAC-to-VLAN database is a convenience, not an authentication.)
- There are two types of links (ports) in a switch fabric:
  - Access link ports are any ports connected to DTE devices (hosts). Each access port is a member of exactly one VLAN, although a host using that port is unaware of this because any VLAN info is stripped from arriving frames before they are delivered. Such hosts must go through L3 devices to communicate outside their VLANs.
  - Trunk link ports connect all (or only several) VLANs from switches to routers, servers, or other switches. A device thus ‘trunked’ can be part of up to 1005 VLANs simultaneously, meaning a trunked server can be reached by many subnets without the need to communicate through a L3 device. If trunking fails, the port falls back to plain membership in VLAN 1. By default, all possible VLANs are present on a trunked link between switches (unless manually removed by an administrator), but trunk links going to routers or servers carry only VLAN 1.
- Tagging assigns each frame a unique, user-defined VLAN ID or ‘color.’ Frames get tagged when they first go down a trunked link. Each switch in turn reads the tag and decides whether to send the frame out on another trunk port or out an access port to a host. Finally, as the frame leaves an access port, the tag is stripped off so the host won’t reject it as deformed.
- Four VLAN trunk ID (tagging) methods are:
  1) ISL (Inter-Switch Link), Cisco’s proprietary method and the only one on the exam. It is an external tagging method in which the original frame is not altered but further encapsulated in a new tagging frame with a 26-Byte header and a 4-Byte FCS field at its end, so an ISL frame can reach 1,548 Bytes (1,518 + 30). Only ISL-aware devices can read these frames; other devices reject Ethernet frames that are not 64 to 1,518 Bytes long. ISL can be used on switch ports, router interfaces, or server NICs.
  2) IEEE 802.1q, an industry-standard tag that adds a 4-Byte field inside the frame itself (max 1,522 Bytes).
  3) LAN Emulation (LANE) couples VLANs over ATM.
  4) 802.10 (FDDI), Cisco’s proprietary tag for FDDI, puts a SAID field in the L2 header.
- Newer Cisco Catalyst switches use a point-to-point protocol designed for 802.1q called Dynamic Trunking Protocol (DTP) to control trunks in ISL or 802.1q.
- A trunked port can carry all VLANs. Cisco calls a FastEthernet interface + ISL routing “a router-on-a-stick”:

  VLAN 1 --+--------+     ISL trunk     +--------+
           | Switch |===================| ROUTER | E0    (one ISL interface for all VLANs)
  VLAN 2 --+--------+                   +--------+

  versus a L3 DEVICE with a separate interface per VLAN (E0 for VLAN 1, E1 for VLAN 2). If the switch in the picture were a L3 switch, it could learn from the router how to pass packets between VLANs to speed their trip (“route once/switch many” or ROSM).

VLAN TRUNK PROTOCOL (which has nothing to do with trunking)
- VLAN Trunk Protocol is a misleading name for Cisco software that can add or delete VLANs, or change VLAN info, throughout a VTP domain. (Maybe that’s where the name comes from: VLAN Trunk-traveling Protocol?) VTP info moves between devices via trunk ports. VTP is unneeded if all your devices share a VLAN. VTP servers sharing VLAN info must use the same domain name.
- The default mode for Catalyst switches is server mode. Only this mode allows a switch to create, add, or delete VLANs and send the changes to the entire fabric; changes made in server mode are advertised domain-wide.
- A switch in client mode receives and acts on VTP info but cannot change it; a client must receive instructions from a server.
- A transparent switch can still add and delete VLANs in its own database, but it only passes advertisements along and does not apply them.
- Each advertisement carries a configuration revision number assigned by the VTP server. When a switch sees an announcement with a higher revision number, it accepts the new info and overwrites its old database. First turn one switch into a VTP server. Before installing a new server, first make it a client so it will be up-to-date; otherwise a switch carrying a stale database with a higher revision number will overwrite every other switch in the domain.
- You can turn on VTP pruning at a server to instruct all switches in a domain to withhold unnecessary broadcasts from disinterested trunk links. Pruning is disabled by default on all switches. VLAN 1 can never be pruned because it is an administrative VLAN; only VLANs 2-1005 can be pruned.
By default.The key method for loop avoidance is Spanning Tree Protocol (STP) using Bridge Protocol Data Unit (BPDU) multicasts exchanged every 2 seconds.CHAPTER II – SWITCHING (15-20 questions.or Gigabit Ethernet.You can add a password to control users’ adding switches to your VTP domain but the same password must be used on every switch throughout the domain.Switches perform address learning by reading frames’ source addresses.When network topology changes. method with greatest “latency” (delay).Root bridge decides ports settings on remaining devices: open (designated) or blocked (non-designated).Switches advertise VTP management info and all known VLANs to their domains every 5 minutes or whenever a change is made to the domain. allows VLANs trunked over mixed media. and changes and cut administrative costs.WHY VLANs? Each VLAN is a small scalable network segment & a separate broadcast domain. “APPENDIX B – The CATALYST 1900 SWITCH” Switc h qqqqqqqqqqq unassigned VLAN 1 VLAN 2 Here. The software looks up each MAC address in a database and connects it accordingly. . An ISL tag is applied ONLY as a frame leaves a trunk port and removed as the frame leaves an access port.Access controls can be established anywhere within the fabric. so their commands vary too widely to be exam-worthy. Before any of its ports can join a VLAN. If tied. function.Administrators create static VLANs by hand. This gives network-wide consistency. unshared database. .VLAN numbers can range from 1 to 1004. .Frame tagging is a L2 means of identifying Ethernet frames by their VLAN membership. This method is required if sending frames from Cisco switches to another maker’s gear. and rename VLANs. many VLANs TAGGING FRAMES for TRIPS DOWN TRUNKS .You can set a switch to transparent mode so it will forward advertisements but not act upon them. or other switches.518 Bytes long. one router interface goes to each VLAN . as opposed to bridges (software). 4) 802. 
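The root bridge and root port election that Chapter II describes, worked through in code. This is an added example, not from the study guide; switch names, MACs and link speeds are constructed, and the port cost (1000 / bandwidth in Mbps, the original 802.1D formula) is an assumption, since real switches use a cost table.

```python
"""Root bridge and root port election as Chapter II describes it: the lowest
8-Byte bridge ID (priority, then MAC) wins, and every other switch keeps the
port with the lowest accumulated cost back to the root. Added example, not
from the study guide; switch names, MACs and link speeds are constructed.
Port cost is assumed to be 1000 / bandwidth in Mbps (the original 802.1D
formula); real switches use a cost table."""
import heapq

DEFAULT_PRIORITY = 32768  # the default priority the text cites


def bridge_id(priority, mac):
    """8-Byte bridge ID: 2-Byte priority followed by the 6-Byte MAC."""
    mac_bytes = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(mac_bytes) != 6 or not 0 <= priority <= 0xFFFF:
        raise ValueError("bad priority or MAC")
    return priority.to_bytes(2, "big") + mac_bytes


def elect_root(bridges):
    """bridges: name -> bridge ID. Byte-wise comparison of the 8-Byte ID
    compares priority first and falls back to the MAC on a tie."""
    return min(bridges, key=bridges.__getitem__)


def link_cost(bandwidth_mbps):
    return max(1, 1000 // bandwidth_mbps)


def root_ports(bridges, links):
    """links: (switch_a, port_a, switch_b, port_b, bandwidth_mbps).
    Returns (root, {switch: (root_port, cost_to_root)}) for non-root switches."""
    root = elect_root(bridges)
    adj = {}
    for a, pa, b, pb, mbps in links:
        cost = link_cost(mbps)
        # From a's side the path arrives at b on b's port pb, and vice versa.
        adj.setdefault(a, []).append((b, pb, cost))
        adj.setdefault(b, []).append((a, pa, cost))
    # Dijkstra from the root. best[s] = (cost, arriving port, sender bridge ID);
    # equal-cost paths are broken by the lower sender bridge ID, as 802.1D does.
    best = {root: (0, None, bridges[root])}
    heap = [(0, bridges[root], root)]
    while heap:
        cost, _, node = heapq.heappop(heap)
        if cost > best[node][0]:
            continue
        for nbr, nbr_port, c in adj.get(node, []):
            cand = (cost + c, bridges[node])
            cur = best.get(nbr)
            if cur is None or cand < (cur[0], cur[2]):
                best[nbr] = (cost + c, nbr_port, bridges[node])
                heapq.heappush(heap, (cost + c, bridges[nbr], nbr))
    return root, {s: (port, cost) for s, (cost, port, _) in best.items() if s != root}


# Constructed sample fabric: SwB has been given a lower priority so it wins
# even though SwC has the lowest MAC.
SAMPLE_BRIDGES = {
    "SwA": bridge_id(DEFAULT_PRIORITY, "00:00:0c:11:11:11"),
    "SwB": bridge_id(4096, "00:00:0c:22:22:22"),
    "SwC": bridge_id(DEFAULT_PRIORITY, "00:00:0c:00:00:01"),
}
SAMPLE_LINKS = [
    ("SwA", "fa0/1", "SwB", "fa0/1", 100),  # 100 Mbps, cost 10
    ("SwA", "fa0/2", "SwC", "fa0/2", 100),  # 100 Mbps, cost 10
    ("SwB", "e0/3", "SwC", "e0/3", 10),     # 10 Mbps, cost 100
]

if __name__ == "__main__":
    root, ports = root_ports(SAMPLE_BRIDGES, SAMPLE_LINKS)
    print("root bridge:", root)
    for sw, (port, cost) in sorted(ports.items()):
        print(f"{sw}: root port {port}, cost {cost}")
```

SwC reaches the root more cheaply through two 100 Mbps hops (cost 20) than over its direct 10 Mbps link (cost 100), so its e0/3 port ends up blocked.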
CHAPTER III – IP (5 questions) [Note: I moved lists of the individual protocols to Chapter I with their associated OSI layers.]

IP ADDRESSING
An IP address is 32 bits divided into four octets (4 Bytes). The first four bits show the class, so you have to pay attention to that to know, for example, that 172.x.x.x is still a class B:

Class | First 4 bits | 1st octet | Network addresses | Host addresses | Notes
A     | 0xxx         | 1-126     | 126               | 16,777,214     | 127 reserved for loopback tests
B     | 10xx         | 128-191   | 16,384            | 65,534         |
C     | 110x         | 192-223   | 2,097,152         | 254            |
D     | 111x         | 224-239   | multicast         | multicast      |
E     | 1111         | 240-255   | reserved          | reserved       |

- Class can only be determined by looking at the first octet!
- Classes A, B, & C use the first, first two, and first three octets, respectively, as their network portion. The normal masks are, for class A: 255.0.0.0, for B: 255.255.0.0, for C: 255.255.255.0, or /8, /16, or /24. (Our network mask of 1s is applied to the IP address to mark its network portion; each octet of 1s, 11111111, is 255 in decimal.)
- Instead of writing out the address and its entire mask, we can use a shorthand such as 172.18.202.202/20 to say we've got a mask 20-ones-long.
- [Also, certain reserved ranges (192.168.0.0, for one) can be private networks if kept off the Internet.]

SUBNETTING
YOU MUST ABSOLUTELY KNOW HOW TO SUBNET QUICKLY FOR THE EXAM.
- Subnetting means masking-off a range of IP addresses into a smaller network segment to reduce its population. This scheme improves performance, facilitates the use of expensive WAN links, allows better management, and gives planet Earth more network addresses to work with so we don't run out as fast.
- You can go on masking right into the next, empty octet to the right and carve out several smaller networks if we mask out ("steal") an additional few bits from the next octet, especially on A or B addresses, using a little more or a little less than full octets. The more network ID bits, the fewer bits remain for any host IDs.
- Each octet you jump to the left represents 256 times the octet to its right. Put another way, each number in the third octet is worth 256, but each of those also represents from 0 to 255 in the last octet.
- We calculate new addresses by applying a "magic number" to the address, comparing it with every multiple of the magic number in the masked octet. The magic number equals 256 minus the mask octet. Each multiple is the first address of a different baby subnet (the next network address). The last address before the next segment is special: it's the address we broadcast to. The range of host addresses is every address between the network and the broadcast addresses. All the dull addresses in between? Those can be assigned to hosts.
- Those of us who can't do math can cope somewhat by memorizing this table:

stolen bits   | 1†       | 2        | 3        | 4        | 5        | 6        | 7‡       | 8‡
mask (binary) | 10000000 | 11000000 | 11100000 | 11110000 | 11111000 | 11111100 | 11111110 | 11111111
mask          | .128     | .192     | .224     | .240     | .248     | .252     | .254     | .255
magic #       | 128      | 64       | 32       | 16       | 8        | 4        | 2        | 1
hosts         | 126      | 62       | 30       | 14       | 6        | 2        | 0‡       | 0‡
networks*     | 0†       | 2        | 6        | 14       | 30       | 62       | 126      | 254

Note the hosts are the magic numbers minus 2 and "networks" is just "hosts" upside-down.
*You can't use first or last multiples.
†.128 (one bit) masks only become valid if you say ip subnet-zero. These let you create only two subnets and still use them both. Don't let anyone tell you, "128 masks are always illegal!"
‡You can't steal either 7 or 8 bits from a class C address. You'd have no hosts!

- Startling lessons learned. You may have to crunch the numbers to find out if a given host address is valid! Some are harder than others. And beware these strange rules:
  - Without the address, the mask cannot tell you how many sub-networks you get!
  - Just because the mask is /25 doesn't mean it's a class C address, and vice-versa!
  - Just because the mask is 255.255.255.0 doesn't mean it's a class C address!
  - Just because an address ends in .0 doesn't mean it's a network address!
  - Just because an address ends in .255 doesn't mean it's a broadcast address!
  - Not all network addresses end in .0!
  - Not all broadcast addresses end in .255!
- You might be asked how many hosts you have or, similarly, to mask just enough bits to leave a range of X hosts. Class C numbers are in the table but counting class A and B hosts can be painful. The simplified formula is (magic number x 256) – 2, but if you're instead counting steps in the second octet (remember that for counting in class A), it's (magic number x 65,536) – 2.
- You can waste less space by subnetting the first and last multiples even further with a variable-length subnet mask. Don't use more than 2 VLSMs on a network. This keeps "classful" routing protocols (RIP or IGRP) from getting confused by masks that aren't /8, /16, or /24.

Let's say a huge corporation died and left us its entire class B network – but we only know one address in it, 172.18.202.202/20. It's a class B, meaning 172.18.0.0 is the network address we route to and 65,534 possible hosts. But we know not to put 65,534 computers in one Ethernet network! (See the above table.) Here is that address in both binary and easy-to-read decimal: 10101100.00010010.11001010.11001010 = 172.18.202.202. The normal class B mask that says where one ends and the other begins is 11111111.11111111.00000000.00000000 = 255.255.0.0, right on the "dot" between the 2nd and 3rd octets. Let's change our mask by stealing four more juicy bits from the third octet: 11111111.11111111.11110000.00000000 = 255.255.240.0, or "240 in the 3rd octet," for short.

Our mask is in the 3rd octet, so just ignore the fourth. Read the table for four stolen bits: our magic number is 16 (256 – 240). As you count up the 3rd octet from "0" to "255," a new segment starts at every multiple of 16. Which multiple are we in? Our 202 lands between the magic-number multiples 172.18.192.0 and 172.18.208.0, so 172.18.192.0 is the network address (the next multiple, 172.18.208.0, is the next network address). The broadcast address for our segment is the address right before 208: 172.18.207.255. Hosts run from 172.18.192.1 to 172.18.207.254, everything in between, just like usual.

Our example segment had 16 values in the 3rd octet, from 192 up to and including 207, but each of those also represents from 0 to 255 in the last octet, so we multiply 16 x 256 to find out how many addresses exist in our range: 4,096. We must subtract two, because we can't use the network or broadcast addresses, to see there are 4,094 possible hosts in our range. The short answer is 4,094.

If 4,096 hosts are still too many, we can subnet further by stealing bits from the next octet. Now we're going to apply the magic number to the fourth octet. Our cheater's table has no row for the 11 bits we're now stealing, so just ignore the third octet and pretend we're only stealing from the fourth. Read the table for three stolen bits (from the fourth octet). The mask is now three bits into the fourth (and final) octet: 255.255.255.224, our new mask. This is normally class C turf, and our magic number is 32 (with 30 addresses left for hosts). Its node (or host) address is 202, which sits between the multiples 192 and 224. So: 172.18.202.192 is the network address, so it's the 1st address; 172.18.202.223 is our broadcast address; and 172.18.202.193 through 172.18.202.222 is the host range. Our 172.18.202.202 is valid and not reserved or illegal. That's your final answer. The end.

Here are some you're glad you don't see every day. They aren't nearly as important as subnetting. Watch how the net address, broadcast address, and valid host address range for our one machine at 172.18.67.10 (or 122.18.67.10) change as another bit is stolen:

address            | mask            | class | magic #            | net address | BC address      | host range                    | next NA
122.18.67.10 /15   | 255.254.0.0     | A     | 2 (in 2nd octet)   | 122.18.0.0  | 122.19.255.255  | 122.18.0.1 – 122.19.255.254   | 122.20.0.0
122.18.67.10 /16   | 255.255.0.0     | A     | 1 (in 2nd octet)   | 122.18.0.0  | 122.18.255.255  | 122.18.0.1 – 122.18.255.254   | 122.19.0.0
122.18.67.10 /17   | 255.255.128.0   | A     | 128 (in 3rd octet) | 122.18.0.0  | 122.18.127.255  | 122.18.0.1 – 122.18.127.254   | 122.18.128.0
172.18.67.10 /23   | 255.255.254.0   | B     | 2 (in 3rd octet)   | 172.18.66.0 | 172.18.67.255   | 172.18.66.1 – 172.18.67.254   | 172.18.68.0
172.18.67.10 /24   | 255.255.255.0   | B     | 1 (in 3rd octet)   | 172.18.67.0 | 172.18.67.255   | 172.18.67.1 – 172.18.67.254   | 172.18.68.0
172.18.67.10 /25   | 255.255.255.128 | B     | 128 (in 4th octet) | 172.18.67.0 | 172.18.67.127   | 172.18.67.1 – 172.18.67.126   | 172.18.67.128
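The "magic number" method above, carried out in code so the worked figures can be checked quickly. This is an added example, not from the study guide; it reuses the text's own addresses and cross-checks the hand method against Python's standard ipaddress module.

```python
"""The Chapter III 'magic number' subnetting method, added here as an example
(not from the study guide). It reproduces the text's worked figures and the
cheater's table, and cross-checks itself against the standard ipaddress module.
Addresses used in the sample run are the text's own."""
import ipaddress

SHIFTS = (24, 16, 8, 0)


def dotted_to_int(addr):
    parts = [int(p) for p in addr.split(".")]
    if len(parts) != 4 or any(not 0 <= p <= 255 for p in parts):
        raise ValueError(f"bad IPv4 address: {addr}")
    return sum(p << s for p, s in zip(parts, SHIFTS))


def int_to_dotted(n):
    return ".".join(str((n >> s) & 0xFF) for s in SHIFTS)


def mask_octets(prefix):
    """/20 -> [255, 255, 240, 0]: prefix ones followed by zeros."""
    if not 0 <= prefix <= 32:
        raise ValueError("prefix must be 0..32")
    bits = (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF
    return [(bits >> s) & 0xFF for s in SHIFTS]


def subnet(addr, prefix):
    """Network, broadcast, host range, next network and the magic number."""
    a = dotted_to_int(addr)
    mask = mask_octets(prefix)
    mask_int = sum(m << s for m, s in zip(mask, SHIFTS))
    block = 1 << (32 - prefix)           # addresses per subnet
    net = a & mask_int                   # the multiple of the magic number we are in
    bc = net | (~mask_int & 0xFFFFFFFF)  # last address before the next multiple
    # The "interesting" octet is the first one that is not 255; the magic number
    # is 256 minus the mask value there. When the mask ends exactly on a dot
    # (.0 in the next octet) the text counts it as magic number 1 in the octet before.
    idx = next((i for i, m in enumerate(mask) if m != 255), 3)
    if mask[idx] == 0 and idx > 0:
        idx, magic = idx - 1, 1
    else:
        magic = 256 - mask[idx]
    hosts = max(block - 2, 0)            # minus network and broadcast
    nxt = net + block
    return {
        "mask": ".".join(map(str, mask)),
        "magic": magic,
        "octet": idx + 1,                # 1-based octet the magic number applies to
        "network": int_to_dotted(net),
        "broadcast": int_to_dotted(bc),
        "first_host": int_to_dotted(net + 1) if hosts else None,
        "last_host": int_to_dotted(bc - 1) if hosts else None,
        "next_network": int_to_dotted(nxt) if nxt <= 0xFFFFFFFF else None,
        "hosts": hosts,
    }


def valid_host(addr, prefix):
    """True unless addr is the subnet's network or broadcast address."""
    s = subnet(addr, prefix)
    return s["hosts"] > 0 and addr not in (s["network"], s["broadcast"])


def cheat_row(stolen_bits):
    """One column of the text's cheater's table for bits stolen from one octet."""
    if not 1 <= stolen_bits <= 8:
        raise ValueError("steal 1..8 bits")
    mask = (0xFF << (8 - stolen_bits)) & 0xFF
    return {
        "mask_bin": format(mask, "08b"),
        "mask": mask,
        "magic": 256 - mask,
        "hosts": max(2 ** (8 - stolen_bits) - 2, 0),
        "networks": 2 ** stolen_bits - 2,   # "hosts upside-down"
    }


def matches_stdlib(addr, prefix):
    """Cross-check the hand method against ipaddress."""
    s = subnet(addr, prefix)
    n = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
    return (s["network"], s["broadcast"]) == (str(n.network_address), str(n.broadcast_address))


if __name__ == "__main__":
    for addr, prefix in (("172.18.202.202", 20), ("172.18.202.202", 27), ("172.18.67.10", 25)):
        print(f"{addr}/{prefix}:", subnet(addr, prefix))
```

valid_host("172.18.67.0", 23) returns True, which is the "just because an address ends in .0" lesson in one call.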

CHAPTER IV – CONFIGURATION BASICS (10-15 questions)

- To configure a router, connect its console port to the serial port of a PC with a "console" cable and a DB9-to-RJ45 adapter. Set HyperTerminal to your COM port at 9600 baud and turn on the router. (You can't Telnet to a virgin router until IP is set up, so for remote configuration use an AUX port & modem.)
- Setup Mode is entered either by typing the setup command or by typing erase startup-config and rebooting. (Boots to setup mode if no start file.) The three Setup Mode options are: 1) Decline the initial config dialog, skip Setup, go to the Command-Line Interface. 2) Basic Management Setup allows enough connectivity for management. 3) Extended Setup, with configuration options for each interface. The setup sequence is: hostname, en secret, en password, VTY password, SNMP, IP, other interfaces [connector, asynch (modem) lines, BRI interface, IP address & mask], and review. CTRL-c terminates setup mode. You then have three final options: CLI, start over, or save & exit.
- In User Exec Mode type > en and a password to go to Privileged Exec Mode, then one of these three options to enter Global Config Mode:
  # config terminal brings up the running-config file in RAM
  # config memory brings up the startup-config file in NVRAM (= copy start run)
  # config network gets a config file from a remote TFTP host (= copy tftp start)
  If you use either of those last two, the machine swaps the file you requested into RAM so you can work on it. This replaces your running CF, so be careful!
- Commands from the (config)# prompt are called "major" or "global." Commands from (config-xxxx)# prompts are called "subcommands."
- From global config mode, you can visit several sub-modes, for example: (config)# interface s0 to work on an interface (with a (config-if)# prompt). (Note the required space between the s and the 0.) (config)# line vty 0 4 to work on a line [the new prompt = (config-line)#]. (config)# router rip to work on a routing protocol [prompt = (config-router)#]. From (config-if)#, type interface s0.1 to make a subinterface [(config-subif)#].
- 2500 Series routers have fixed configurations but 2600, 3600, 4000, and 7000 specify their interfaces with slots and port numbers: interface fastethernet 0/0. On 7000 or 7500-Series routers with "Versatile Interface Processor" (VIP) cards, define an interface by slot / port_adapter / port#, thus: interface ethernet 2/0/0.

IOS Commands to Move Up or Down Between Different Modes/Prompts (NOTE: Chart developed in-part from simulator software, not confirmed with real routers!)

Mode            | Prompt          | down (enter) | up (leave)
IOS             | none            | return       |
user exec       | >               | enable       | exit, quit, logout
privileged exec | #               | config t     | disable, exit, quit, logout
global config   | (config)#       | int e0       | exit, end, ^z
interface       | (config-if)#    | int e0.1     | exit, end, ^z
subinterface    | (config-subif)# |              | exit, end, ^z

- In global config mode, (config)# hostname Chicago labels the router. (The label is case-sensitive.)

MESSAGE of the DAY BANNER
Shown at every console port, aux port, or Telnet entry. (config)# banner motd <dc> Any character can be the delimiting character (DC) but the default is #. Pressing it ends the message, so it cannot be used in the text. To keep multiple banners on separate lines, add an extra blank line before pressing the DC. Other banners are exec, incoming, & login.

PASSWORDS – en secret & en password
- Two passwords are available to enter the Privileged Exec ("enable") Mode. Possibilities are:
  (config)# enable password bozo .sets the plain-text "enable" password
  (config)# enable secret bozo .sets the encrypted enable password; this is the preferred one
  (config)# enable use-tacacs .sets the enable password on several routers using a TACACS server
  The two can't be in effect simultaneously: the "secret" takes precedence.

SETTING the OTHER PASSWORDS (& using OPTIONAL ENCRYPTION)
- Next, set the three "line" passwords, the ones used to connect to the router:
  (config)# line console 0 .port 0 is the only port available
  (config-line)# login
  (config-line)# password bozo .sets the console port password
  also: (config-line)# exec-timeout <min> <sec> .sets session timeout; 0 0 = never
  also: (config-line)# logging synchronous .holds pop-up messages while typing
  (config-line)# line aux 0 .port 0 is the only port available; aux is typically used for modems but can also be used as a console connection
  (config-line)# login
  (config-line)# password bozo .sets the auxiliary port password
  (config-line)# line vty 0 4 .VTY is usually lines 0-to-4, only; more with "Enterprise" IOS
  (config-line)# login
  (config-line)# password bozo .sets the Telnet password. Telnet will not operate until this is set, unless you leave access open with line vty 0 4 then no login.
  (config-line)# exit
- You can encrypt the 4 plain-text passwords so sh running-config won't show 'em:
  (config)# service password-encryption .turns optional encryption on
  (config)# no service password-encryption .turns optional encryption off
  enable secret bozo .this can be included in the encryption process if you desire

COMMAND LINE CURSOR GYMNASTICS and HELP COMMANDS
  CTRL-a .moves to start of line
  CTRL-e .moves to end of line
  CTRL-f or → .moves fwd one character
  CTRL-b or ← .moves back a character
  ESC-f .moves forward one word
  ESC-b .moves back one word
  CTRL-w .erases a word
  CTRL-u .erases a line
  CTRL-p or ↑ .recalls previous command
  CTRL-n or ↓ .steps forward to the next (newer) command in the history buffer
  TAB .completes partial commands
  CTRL-c .breaks off long data displays
  CTRL-z .ends any configuration mode and returns to privileged exec mode
  CTRL-SHIFT-6 .pauses some running processes (e.g. Telnet sessions)
  command ? .(with a space) gives all possible options to follow "command"
  xxxxx? .(no space before the ?) gives all possible completions of the text "xxxxx"
  sh history .shows last 10 (default value) commands
  sh terminal .shows terminal configuration & size of command history buffer
  terminal history size <0-256> .resizes command history buffer
  sh version .shows IOS version, hardware config, CF names and sources, Configuration Register code

SAVING and VIEWING CONFIGURATIONS
- Saving your configuration copies the file "running-config" to NVRAM, overwriting "startup-config." Do this with copy running-config startup-config. View the two files with sh run and sh start. Note: Each file shows the IOS version in use when it was created.
- A CF is an ASCII file and can be edited with any text editing program. You can also copy CFs to TFTP hosts. Use copy run tftp or copy start tftp to make the backup and copy tftp run or copy tftp start to restore the desired file. (You can shorten the file names, if you like.) Erase CFs with erase run and erase start.
- # sh running-config tells interface stati, L3 protocols, applied lists, descriptions, &c.

INTERFACE CONFIGURATION
- (config)# interface serial 0 engages an interface & changes the prompt to (config-if)#. (config-if)# description Sales Department LAN labels the interface.
- Interfaces are shutdown by default. (config-if)# no shutdown turns on an interface; (config-if)# shutdown turns it off. If the interface is administratively off, the remote end will say down and down.
- (config-if)# media-type <100BaseX/MII> sets media type (normally auto-detected); Ethernet ports run full- or half-duplex.
- (config-if)# keepalive 5 sets the keepalive interval in seconds.
- The default bandwidth label on an interface is set to 1544kbps (T1 speed). To set it, type (config-if)# bandwidth 64 where the rate is in kbps. IGRP, EIGRP, OSPF, & other protocols read this label to calculate routes. (RIP ignores it.)

SERIAL INTERFACE SPEED SETTINGS
- Serial interfaces usually attach to a CSU/DSU that provides synch clocking. If two DTE routers are directly attached (as in a lab), the one at the DCE end of the cable must provide clocking. Use (config-if)# clock rate 64000 with the rate in bps.
- # sh controllers s 0 shows info about the physical interface and type of serial cable (DTE or DCE) attached; use as a last resort when clock rates are not set.

IP CONFIGURATION
- (config)# int e0 engages Ethernet interface 0, just like we did above. (config-if)# ip address 172.16.10.2 255.255.255.0 secondary configures IP, rather than replacing an earlier IP set up. (The secondary command adds this info.) (config-if)# no shut turns on service to the interface.
- Telnet (the best tool to verify IP connectivity): telnet <address/hostname>. (The word "telnet" is understood if you just type the address or hostname.)
- Ping an interface using a specific protocol with ping <protocol> <address>.
- Get the address of a neighbor with sh cdp neighbor detail.

INTERFACE DIAGNOSTICS
- sh <ip/ipx> interface shows L3 address, L1/L2 status for all interfaces, plus tells if the interface is administratively down (using shutdown). sh <ip/ipx> interface brief just gives the status check with L1/L2 ups/downs.
- # sh interface e0 as above, plus: shows L2 & L3 addresses, encapsulation methods, Maximum Transmission Unit (1500 Bytes by default), BW label, collision stats, & carrier detect/keepalive status. You can reset the counters for the above command with # clear counters <int#>.
- "Ethernet0 is up, line protocol is up." I always call it the "L1/L2 up/down stats." The first item shows L1 cable or interface problems. The second item shows L2 mismatched keepalives, encapsulations, & Telnet frequency (must be same on both ends).
  up/up = operational
  up/down = connection trouble
  down/down = interface problem
  administratively down/down = disabled
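Since a CF is plain ASCII, the password rules above can be checked mechanically. This is an added example, not from the study guide: it parses two constructed running-configs (the weak one shows the mistakes the chapter warns about, the hardened one uses placeholder type-7 strings) and reports what a reviewer would flag.

```python
"""An audit of the password settings Chapter IV covers, run over constructed
running-configs. Added example, not from the study guide; the configs and the
finding texts are my own. Checks: enable secret vs. enable password, service
password-encryption, 'login' plus a password on every line, and exec-timeout 0 0."""

# Constructed weak config: no enable secret, plain-text line passwords,
# console never times out, vty lines have a password but no 'login'.
WEAK_CONFIG = """\
hostname Chicago
!
enable password bozo
!
interface Ethernet0
 ip address 172.16.10.2 255.255.255.0
!
line con 0
 password bozo
 login
 exec-timeout 0 0
line aux 0
 password bozo
 login
line vty 0 4
 password bozo
!
end
"""

# Constructed hardened config (the hash and type-7 strings are placeholders).
HARDENED_CONFIG = """\
hostname Chicago
service password-encryption
enable secret 5 PLACEHOLDER-MD5-HASH
line con 0
 password 7 PLACEHOLDER
 login
 exec-timeout 5 0
line aux 0
 password 7 PLACEHOLDER
 login
line vty 0 4
 password 7 PLACEHOLDER
 login
 exec-timeout 5 0
end
"""


def parse_config(text):
    """Split a CF into global commands and per-'line' subcommand lists."""
    globals_, lines, current = [], {}, None
    for raw in text.splitlines():
        cmd = raw.rstrip()
        if not cmd or cmd.startswith("!"):
            continue
        if cmd.startswith(" "):              # subcommand of the current section
            if current is not None:
                lines[current].append(cmd.strip())
        else:                                 # major (global) command
            current = None
            if cmd.startswith("line "):
                current = cmd
                lines[current] = []
            else:
                globals_.append(cmd)
    return globals_, lines


def audit_config(text):
    """Return a list of findings; an empty list means nothing was flagged."""
    globals_, lines = parse_config(text)
    findings = []
    has_secret = any(g.startswith("enable secret") for g in globals_)
    has_enable_pw = any(g.startswith("enable password") for g in globals_)
    if has_enable_pw and not has_secret:
        findings.append("enable secret not set: only a plain-text 'enable password' guards privileged mode")
    # 'password 7 ...' is the form sh run shows once service password-encryption is on.
    plain = any(c.startswith("password ") and not c.startswith("password 7 ")
                for cmds in lines.values() for c in cmds)
    if plain and "service password-encryption" not in globals_:
        findings.append("service password-encryption is off: line passwords appear in clear text in sh running-config")
    for name, cmds in lines.items():
        has_login = any(c.startswith("login") for c in cmds)
        has_pw = any(c.startswith("password ") for c in cmds)
        if not has_login:
            findings.append(f"{name}: no 'login', so access is open with no password prompt")
        elif not has_pw:
            findings.append(f"{name}: 'login' without a password; the router will refuse the connection")
        if "exec-timeout 0 0" in cmds:
            findings.append(f"{name}: exec-timeout 0 0 means sessions never time out")
    return findings


if __name__ == "__main__":
    for finding in audit_config(WEAK_CONFIG):
        print("-", finding)
```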

CHAPTER V – IP ROUTING (6-10 questions)

- The ability to route requires a knowledge of a destination address, a learning relationship between neighboring routers, knowledge of potential routes to other networks and the best route to each, and a means to maintain and verify routing tables.
- Basic router set up (see Chapter IV) gives a hostname to the router, applies an IP address (and clock rate, if needed) to each interface, and turns the interfaces on. Each interface on a router must attach to a different network.
- Routers discard packets for unknown networks (if default routing is not enabled).
- There are three types of routing: static, default, and dynamic.

STATIC ROUTING
  pros: no CPU overhead; no network bandwidth; administrator oversight of security
  cons: requires deeper understanding; new routes must be added manually; only workable on small networks
- Syntax: ip route <dest_addr> <dest_mask> <next_hop> <admin_dist> permanent
  next_hop could also be the exit_interface for a point-to-point link (on a WAN).
  admin_distance (AD, 0-255) is a scale of trust in routing information depending on its source.
  permanent keeps unreachable networks from being deleted from the table. (If a network is unreachable, its entry is otherwise automatically dropped from the table.)
- (config)# ip route 172.16.10.0 255.255.255.0 172.16.20.2 .turns on static routing, where 172.16.20.2 is the next hop
  (config)# no ip route 172.16.10.0 255.255.255.0 172.16.20.2 .removes static routes
- Verifying static routes using # sh ip route shows the directly connected networks and any remote networks the router knows and can reach. Directly connected routes have a C beside them; static routes have an S and a note similar to [1/3] that shows [AD / hops to the particular network]. Static routes have an AD of 1, so RIP (AD = 120) would never change a routing table entry for them.
- Some default ADs for various sources are:
  directly connected interface 0
  static or default route 1
  EIGRP 90
  IGRP 100
  OSPF 110
  RIP 120
  external EIGRP 170
  unknown 255 (will never be used)
- If dual routes exist to a network, the best is chosen by AD, then by other metrics.

DEFAULT ROUTING
- Default routing is a variant of static routing used only on stub networks (routers with only one port leading to another router). It replaces multiple static route commands with a single instruction to send all packets for unknown destinations to the same default next hop (another router's interface) or "gateway of last resort." This keeps packets from being discarded due to unrecognized destinations.
- It's similar to a static route entry but with wildcards (vs. network and mask info):
  1st delete static route entries with no ip route 172.16.10.0 255.255.255.0 172.16.20.2
  2nd add the default entry: ip route 0.0.0.0 0.0.0.0 172.16.20.2
- Cisco routers are classful, allowing protocols like RIP and IGRP to expect only /8, /16, or /24 masks on each interface. Typing ip classless, however, changes this; use this command with default routing, even though it will sometimes work without it.
- Verifying default routes with # sh ip route shows similar information as with static routes, except the several S entries have been replaced by one S* entry indicating the default route "candidate."

DYNAMIC ROUTING: RIP & IGRP
- uses routing protocols to automatically update tables (at a cost of bandwidth)
- two types: Interior Gateway Protocols and Exterior Gateway Protocols. IGPs are used within autonomous systems (AS, a set of networks under common administration, sometimes called a domain). EGPs are used between autonomous systems.
- three classes of routing protocols (RIP and IGRP, only, are on the exam):
  1) distance vector (RIP/IGRP) uses hop counts [but see IGRP details, below]
  2) link state (OSPF) uses 3 tables: direct connections, topology, & routing; gets a full view of the network (no rumors) by bandwidth analysis and triggered updates
  3) hybrid (EIGRP) uses bits of both
- Convergence occurs when all routers know the routes to all networks.
- Verifying dynamic routes with # sh ip route shows similar information as with static routes, including info about individual routes.

DISTANCE VECTOR PROTOCOLS
- D/V tracks changes with periodic update broadcasts to all active interfaces, passing complete tables between routers ("routing-by-rumor" vs. investigation).
- Maximum hop counts: RIP permits 15 hops before a packet is discarded.

The INS and OUTS of DISTANCE VECTOR ROUTING (D/V)
- Slow convergence means discrepancies can develop between routing tables and reality, causing routing loops wherein rumor-fed routers endlessly pass around packets convinced their neighbors can reach a deceased link. Some cures:
  - Split horizon rules: routing info can't be sent via the interface it arrived on.
  - Route poisoning: dead routes are explicitly updated as being unreachable (16 hops away) and receiving routers send explicit poison reverse updates as confirmations because, hey, sometimes rumors just aren't good enough.
  - Holddowns: delays that make routers ignore updates to keep them from reinstating a dead route; this improves stability by letting changes settle first. Holddowns are cleared early if a route update arrives with a better metric than the dead route had, or a new update says network status has changed. They reset holddown timers if the timer expires.
  - Triggered updates are immediate, forced (instead of periodic) updates to routing tables made when things change. The router gets a processing task proportional to the number of links in the network (making the router effectively forget about the holddown).

ROUTING INFORMATION PROTOCOL (RIP)
- RIP is a D/V protocol sending a full table every 30 seconds, with a maximum hop count of 15. AD = 120.
- RIP uses only one metric: hop count. If two links have the same hop count but different BW, you get pinhole congestion.
- RIP has a long convergence time; it is good for small networks but inefficient on large ones with slow WAN links or many routers.
- RIP will load balance between up to 6 links of equal cost.
- RIP v1 uses only classful routing, requiring all devices to use the same subnet because it doesn't send subnet info in its updates. RIP v2 does do classless routing but is not on the exam. (Classless routing is set by default in newer IOS releases.)
- RIP uses three timers:
  update timer: sets update frequency (default = 30 seconds)
  invalid timer: sets time with no mention of a route before the route is declared invalid (default = 90 seconds)
  flush timer: sets time after invalid status before the route is removed from the table (default = 240 seconds). The flush delay is used to inform other routers of the dead route's impending removal.
- RIP is configured thus:
  (config)# router rip .enables RIP
  (config-router)# network 172.16.0.0 .sets network to advertise (note: no mask!)
  (config-router)# passive-interface s0 .sets the interface to receive but not send updates, if you wish to limit RIP broadcast traffic
- Verifying RIP with # sh ip route again shows a table of info similar to static, except with an R next to each dynamically acquired RIP table entry.
- Note: If RIP is accidentally left on, it will continue to consume BW and CPU cycles but never change a routing table because of its higher cost (AD = 120).

INTERIOR GATEWAY ROUTING PROTOCOL (IGRP)
- IGRP is a Cisco proprietary D/V protocol designed as an improvement to RIP. AD = 100.
- IGRP has a maximum hop count of 100 by default with a maximum setting of 255.
- IGRP uses a composite metric of BW and delay by default but can also use reliability, load, and/or MTU (maximum transmission unit).
- IGRP uses four timers: update = 90 seconds, invalid = 3 x update, holddown = (3 x update) + 10 seconds, flush = 7 x update.
- IGRP is configured thus:
  (config)# router igrp 10 .enables IGRP in AS number 10; all routers in an autonomous system must be configured with the same AS # (1-65535)
  (config-router)# network 172.16.0.0 .sets network to advertise (note: no mask!)
- IGRP can load balance up to 6 unequal routes using this command to control the balance between the lowest cost and the highest acceptable cost:
  (config-router)# variance <1-128> where the value is the metric variance multiplier
  Other commands to help control traffic distribution are:
  (config-router)# traffic-share balanced meaning, "share over the routes in proportion to their metrics"
  (config-router)# traffic-share min meaning, "share only among routes with the same, lowest cost"
- Verifying IGRP routes with # sh ip route again shows similar tables, now with an I for "IGRP" next to each dynamically acquired table entry and a note similar to [100/160360] which shows the [default IGRP AD / composite metric].

ROUTING TABLE DIAGNOSTICS
- sh ip route shows a table of routes to all directly connected or reachable remote networks, and the gateway of last resort.
- sh ip protocols shows settings: which routing protocol is in use, update frequency, time to next update, max hops, timer settings, networks advertised, gateways found, metric weights, and AD to each; but NO INFO ABOUT INDIVIDUAL ROUTES.
- sh protocols shows if routing is enabled, L1/L2 up/down stats, & L3 addresses.
- sh run shows the configurations you ordered.
- debug ip rip shows routing updates as they come & go.
- debug ip igrp events summarizes IGRP info running on the network.
- debug ip igrp transactions shows detailed contents of requests and responses.
- If you're Telnetting-in, you must type terminal monitor to get these reports.
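Route selection by AD and metric, the [AD/metric] notation, and the classful-versus-ip classless treatment of a miss inside a known major network, as an added example that is not part of the study guide. The prefixes, next hops and metrics are constructed; the AD values are the chapter's.

```python
"""Route selection and lookup as Chapter V describes them, added as an example
(not from the study guide): the lowest AD wins, then the lowest metric; 'sh ip
route'-style rendering with [AD/metric]; and the classful vs. ip classless
treatment of a miss inside a known major network. Prefixes, next hops and
metrics below are constructed."""
import ipaddress

# Default ADs from the text (code letters as sh ip route prints them).
AD = {"C": 0, "S": 1, "S*": 1, "D": 90, "I": 100, "O": 110, "R": 120, "D EX": 170}
DEFAULT = ipaddress.ip_network("0.0.0.0/0")


def classful_network(addr):
    """The class A/B/C major network an address belongs to (None for D/E)."""
    first = int(addr) >> 24
    bits = 8 if first < 128 else 16 if first < 192 else 24 if first < 224 else None
    return None if bits is None else ipaddress.ip_network(f"{addr}/{bits}", strict=False)


class RoutingTable:
    def __init__(self, classless=False):
        self.classless = classless   # True after 'ip classless'
        self.routes = {}             # network -> (ad, metric, code, via)

    def learn(self, code, prefix, metric, via):
        """Offer a candidate route; keep the lowest AD, then the lowest metric."""
        net = ipaddress.ip_network(prefix)
        cand = (AD[code], metric, code, via)
        cur = self.routes.get(net)
        if cur is None or cand[:2] < cur[:2]:
            self.routes[net] = cand

    def show(self):
        """Lines in the style of sh ip route."""
        out = []
        for net, (ad, metric, code, via) in sorted(self.routes.items()):
            if code == "C":
                out.append(f"C    {net} is directly connected, {via}")
            else:
                out.append(f"{code:<4} {net} [{ad}/{metric}] via {via}")
        return out

    def lookup(self, dest):
        """Next hop (or exit interface) for dest, or None when the packet is discarded."""
        d = ipaddress.ip_address(dest)
        specific = [n for n in self.routes if n != DEFAULT and d in n]
        if specific:
            return self.routes[max(specific, key=lambda n: n.prefixlen)][3]
        if DEFAULT not in self.routes:
            return None
        # Classful rule: if any subnet of dest's major network is in the table,
        # a miss inside that network is discarded, not sent to the gateway of
        # last resort. 'ip classless' disables this and uses the default route.
        if not self.classless:
            major = classful_network(d)
            if major and any(n != DEFAULT and n.subnet_of(major) for n in self.routes):
                return None
        return self.routes[DEFAULT][3]


def build_sample(classless=False):
    rt = RoutingTable(classless)
    rt.learn("C", "172.16.20.0/24", 0, "Ethernet0")
    rt.learn("R", "172.16.10.0/24", 3, "172.16.20.2")        # RIP, 3 hops
    rt.learn("I", "172.16.10.0/24", 160360, "172.16.20.2")   # IGRP beats RIP on AD
    rt.learn("S*", "0.0.0.0/0", 0, "172.16.20.2")            # gateway of last resort
    return rt


if __name__ == "__main__":
    rt = build_sample()
    print("\n".join(rt.show()))
    print("172.16.30.5 classful ->", rt.lookup("172.16.30.5"))
    print("172.16.30.5 classless ->", build_sample(True).lookup("172.16.30.5"))
```

172.16.30.0 is an unknown subnet of the known major network 172.16.0.0, so the classful table drops the packet while the ip classless table hands it to the gateway of last resort.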

your interface connected to them. will help router boot if no real IOS is present.. and confirm the copy. . CR = xxx1: boot an IOS image from ROM 0x0002 . the destination filename. then > o/r 0x2142. Press ENTER ENTER to go back to that one. CONFIGURATION REGISTER MATH . on a 2600 Series router. a * marks the user (port) of the current terminal session. copy the startup-config file (it’s still there in NVRAM. press CTRL-SHIFT-6. xxx2=IOS from flash. TFTF can only copy the file to the default directory on the host. what they do. RAM contents with sh memory. You can Telnet into (but not from) a 1900 Series switch but you must first set its enable mode password level 15. sh buffers. . .erased whenever shutdown. functioning software and data.Mini-IOS .POST (power on self-test) .By default. holds the Cisco Internetwork Operating System (IOS). the IOS is stored in flash. Examine the CR with sh version and the stored configuration file with sh startup-config. what series they are. CR = xxx0: ROM monitor mode (no IOS) 0x0001.Using Telnet tests connectivity through the entire IP stack. viewed with # sh version .Type # copy flash tftp. (Note: This displays the same info as the sh flash command. type (config)# tftp server. But if an interface has CDP disabled.View neighbor info with # sh cdp neighbor. interrupt the boot sequence within 30 seconds with a break command (CTRL-BREAK) to get to the rommon 1> prompt (on some routers). This will also show any room available in flash for more file storage. your end will show all the hosts you’re connected to. CPU use with sh processes cpu.RxBOOT diagnostics mode.use that Mini-IOS hiding in ROM . In binary that equals 0010–0001–0000–0010.instructions encoded on EPROM chips.. save CF with copy start run. Some routers protect the flash in read-only mode unless you boot from ROM. Also. type > reload. and sh stacks. 
1 = ignore NVRAM OEM bit enabled keyboard break disabled [function unknown] IP broadcast addresses use all zeros bits 11 & 12 control the console line speed boot the default ROM software if a network boot fails IP broadcast addresses use no network numbers enable dialog messages and ignore NVRAM contents .To reboot the router. If you’re Telnetting out. . any time you simply type a name or address into a router prompt. . Confirm. (It’s really more like ‘sh ports. . and their port or interface connected to you.checks hardware for configuration and errors . . RESTORING / UPGRADING the IOS from a TFTP HOST [Note: This procedure forces a reboot and terminates any Telnet sessions. able to load a real IOS into flash and bring up an interface RAM (a.Telnet is preferable to debug. boot ROM) . on a 2500 Series router. > o to reach the option menu.There’s still no CDP on an interface until it’s enabled using (config-if)# cdp enable.).All the active consoles and ports on your router are shown with # sh users. (config)# cdp run and no cdp run turn it on and off. . [or. otherwise setup mode starts. default = 60) and your CDP holdtime (seconds you’ll hold an incoming CDP packet. . This lets you get to the switch’s Management Console menus or command line.If you add all of these lines to your CF. The file’s name will be similar to c25000-js-l. .The IOS is loaded (from flash. Some CR examples: 2000 .# sh cdp (on either routers or switches) shows your CDP timer (seconds between your transmittals of CDP on all active interfaces. . The ROUTER BOOT SEQUENCE . its VTY password must be set.# sh cdp interface lists all your interfaces’ L1/L2 up/down stats.] . config t then set any passwords desired (enable secret bozo. then reload the router. BACKING UP the IOS to a TFTP HOST . Whew! CISCO DISCOVERY PROTOCOL .’) Again. holds packet buffers.k. . accept a backup of the running-config to the startup-config (if needs be).a. 
Four bits at a time it reads “2 – 1 – 0 – 2.Decline to enter setup mode (asked because there is no startup-config in use).] .Reboot. Clear your table of neighbor data with # clear cdp table. default = 180. Continued on page 14 with “TWO WAYS TO RESOLVE HOST NAMES…” 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 0x0001 0x0002 0x0004 0x0008 0x0010 0x0020 0x0040 0x0080 0x0100 0x0200 0x0400 0x0800 0x1000 0x2000 0x4000 0x8000 bits 0-3 control the bootfield (the source of the IOS): 0x0000. type (config)# cdp timer <seconds> or cdp holdtime <seconds>.You can use Telnet to get CDP info from devices that aren’t your neighbors. so upgrade or use 95/98. . . the router will attempt each one in turn. then reset. SELECTING an IOS for your NEXT BOOT (config)# boot system flash <filename> .Change the CR with (config)# config-register <value>. does a checksum verification. router now has an operating system. 8. (You can ping from a 1900. DRAM) . and reboots. stores the startup-config file transferred to RAM at startup and the configuration register code for boot control. reset the CR with config-register 0x2102. <filename> is optional (config)# boot system tftp <filename> <server_addr> . .Why VTY? Because the old Teletype abbreviation is “TTY. and the running-config file.If a CF exists in NVRAM.] .Put the desired source file in the default TFTP folder on the host. can be erased or overwritten by special software commands). .) .# sh cdp traffic counts the CDP packets you’ve sent and received and their errors. some routers can keep the IOS here.Close a session from the remote end’s prompt with exit.Enter privileged mode with > enable. source filename. [WinNT’s HyperTerminal won’t do breaks.CDP gathers info about the hardware and protocols on directly connected Cisco neighbor devices.Type # copy tftp flash.16 binary bits / 4 hex digits.a.By your intended remote host to ensure you have connectivity.) bit . 
confirm the erasure of the flash (if there’s insufficient room for both the new and old files or if this is a virgin flash). then I for ‘initialize’ or. enter the IP address of the remote host.Turn on bit 6 by typing (config)# config-register 0x2142.ROM monitor . use ‘b’ to continue booting 2100 – force ROM monitor mode with rommon> prompt 2101 – boot IOS from ROM + NVRAM with router(boot)> (for upgrading flash) 2102 – normal boot up (i. by default). even though it wasn’t used) to the running-config file with copy start run. first.To get back your own prompt without disconnecting. and destination filename. .e. The router erases the flash. and cdp timer & holdtime settings. your remaining holdtimes for their last packets.) . flash .provides a user interface in the absence of any valid IOS image .get IOS from flash. the Cisco IOS assumes you want to Telnet there.To set these. encapsulations. This lists the devices’ IDs. with bits 1.Routers run CDP by default. . with IOS from flash + NVRAM) (2102-210F – use the default boot filename specified in NVRAM) 2141 – boot to ROM and skip the CF (for disaster recovery) 2142 – boot the IOS from flash but skip the CF (for password recovery) .# sh sessions lists current Telnet connections and their connection numbers with a * beside the most recently used.0x000F: use the IOS specified in NVRAM [function unknown] [function unknown] 0 = use CF from NVRAM. rommon 1> confreg 0x2142. (Note: Bits that are normally on are shown in bold type.Eject a guest with sh users to see his line number. programs with sh processes.Reload the router with # reload.CHAPTER VII – BOOT-UP & CONNECTIVITY TOOLS (unk # questions) ROUTER MEMORY COMPONENTS ROM (a. before you can Telnet in to a device. then x. NVRAM (non-volatile RAM) . [To make a router a TFTP host for storing flash images. . It’s identical to # sh cdp entry *. xx0x=use the CF in NVRAM. Do the same from your prompt with disconnect <connection_#/connection_name>. 
then clear line <#> to toss him. .instructions to initiate a start-up when the power comes on .Type # sh flash. yours included. which can place extreme traffic loads on a router.) When asked. then reboot RESETTING PASSWORDS by TURNING ON BIT 6 for ACCESS: . including: .] 9 .First. . xx4x=skip the CF. and confirm again.The CR is usually set to 0x2102. it won’t even be mentioned! TELNET or VTY (Virtual TeletYpe) .also holds its memory when shut down.Launch Telnet from any Cisco or DOS prompt by typing telnet and either the address or hostname to connect to. confirm again.The boot sequence is engaged to issue start up instructions. copy the existing operating system to a tftp host. Examine the IOS with sh version or the size & contents of the flash memory with sh flash. .called RxBOOT or bootloader by Cisco. . routing tables.” Does that help? . It uses L2 SNAP multicasts. Examine the CF with sh running-config. the source filename.# sh cdp nei detail adds L3 addresses and IOS versions to the above.bootstrap sequence .bin. xxx1=IOS from ROM.k. & 13 turned on. . It’s your best test.The POST loads from ROM and checks health of the machine. Run this command on the remote end (via Telnet) and you’ll see all its incoming connections. . at the console port. &c.get IOS from a network file (config)# boot system rom . so you need to set that up. enter the host IP address. transfers the data. it is loaded into RAM.” 0 0 1 0 0 0 0 1 0 0 0 0 0 0 1 0 bin dec 0 2 2 1 hex a 1 in this bit EEPROM chip (keeps its memory when the router is off.Simplified: xxx0=ROM monitor mode.112-18.
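To make the configuration-register arithmetic above concrete, here is an added Python helper (mine, not from the booklet or from Cisco) that decodes a register value using the bit meanings this chapter lists, renders it four bits at a time the way the booklet does, and pulls the current value out of the “Configuration register is 0x....” line that sh version prints. Function names and the sample sh version text are constructed for the example; from an audit standpoint, any register with bit 6 (0x0040) set means the router came up with its startup-config skipped, which is the boot the password-recovery steps above rely on.

```python
import re

# Bit layout as listed on this cheat sheet (16-bit register, bit 0 = 0x0001).
BIT_IGNORE_NVRAM = 0x0040          # bit 6: boot while ignoring the startup-config in NVRAM
BIT_OEM = 0x0080                   # bit 7: OEM bit
BIT_BREAK_DISABLED = 0x0100        # bit 8: keyboard break disabled
BIT_IP_BCAST_ALL_ZEROS = 0x0400    # bit 10: IP broadcast addresses use all zeros
BIT_BOOT_ROM_IF_NETBOOT_FAILS = 0x2000  # bit 13
BIT_IP_BCAST_NO_NETWORK = 0x4000   # bit 14: IP broadcasts carry no network number
BIT_DIAG_IGNORE_NVRAM = 0x8000     # bit 15: diagnostic messages and ignore NVRAM


def boot_field(cr):
    """Bits 0-3 (the boot field) say where the IOS comes from."""
    field = cr & 0x000F
    if field == 0x0:
        return "ROM monitor mode (no IOS)"
    if field == 0x1:
        return "boot the IOS image from ROM"
    return "boot using the IOS specified in NVRAM"  # 0x2 through 0xF


def binary_nibbles(cr):
    """Render the register four bits at a time, e.g. 0x2102 -> '0010-0001-0000-0010'."""
    return "-".join(format((cr >> shift) & 0xF, "04b") for shift in (12, 8, 4, 0))


def decode_config_register(cr):
    """Break a register value into the fields this chapter describes."""
    if not 0 <= cr <= 0xFFFF:
        raise ValueError("the configuration register is a 16-bit value")
    return {
        "binary": binary_nibbles(cr),
        "boot": boot_field(cr),
        "ignore_nvram": bool(cr & BIT_IGNORE_NVRAM),
        "break_disabled": bool(cr & BIT_BREAK_DISABLED),
        "console_speed_bits": (cr >> 11) & 0x3,     # bits 11 & 12, raw value
        "boot_rom_if_netboot_fails": bool(cr & BIT_BOOT_ROM_IF_NETBOOT_FAILS),
        "diag_ignore_nvram": bool(cr & BIT_DIAG_IGNORE_NVRAM),
    }


def parse_show_version(text):
    """Return the register printed by 'show version' ('Configuration register is 0x2102')."""
    m = re.search(r"Configuration register is (0x[0-9A-Fa-f]{1,4})", text)
    if not m:
        raise ValueError("no configuration register line found in the output")
    return int(m.group(1), 16)


def config_was_skipped(cr):
    """True when the router ignored its startup-config on boot (bit 6 or bit 15 set)."""
    return bool(cr & (BIT_IGNORE_NVRAM | BIT_DIAG_IGNORE_NVRAM))


# Constructed sample of the relevant 'show version' line, not captured from a real router.
SAMPLE_SHOW_VERSION = "Cisco Internetwork Operating System Software\n...\nConfiguration register is 0x2142\n"

if __name__ == "__main__":
    for value in (0x2102, 0x2142, 0x2101, 0x2100):
        print(hex(value), decode_config_register(value))
    cr = parse_show_version(SAMPLE_SHOW_VERSION)
    print("startup-config skipped on last boot:", config_was_skipped(cr))
```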

3 802. IPX ENCAPSULATION . most common (says Cisco) Ethernet_II arpa the best if using both TCP/IP and IPX Ethernet_SNAP snap Token –Ring sap default for Token Ring Token –Ring_SNAP snap FDDI_SNAP snap default for FDDI FDDI_802.x. OS/2. Here’s an example: 00007C80. you can ping that address three ways: ping <ipx_address> (although that wastes time trying to ping via IP. Unix.IPX addressing is hierarchical.identifies individual connections as virtual circuits. .CHAPTER VIII – IPX (4-5 questions on encap. You can avoid multiple frame types by making subinterfaces.Automatic IPX addressing means workstations require no DHCP or manual configuration.Two parts to IPX setup: enabling IPX routing and enabling IPX on an interface. ping ipx <ipx_address> 10 . and three for FDDI.. For example.Each frame type in use on a network segment constitutes a separate virtual IPX network with its own. servers answer with GNS replies containing pointers to specific servers holding the requested resources.sends everything via broadcasts (very resilient but problematic for big internetworks) SPX.I’ll label it as RIPIPX so as not to confuse it with TCP’s “RIP... but for only a single interface. .3 802.SERVER RELATIONS . . SERVER-SEVER RELATIONS . show ipx servers displays the accumulated SAP table info. the info comes from SAP tables on the servers. . types & how to turn on/off) – Part 1: IPX BASICS – Like IP.operates at the equivalent of L4 Novell RIP.Cisco routers can play this IPX update game. default for Ethernet Ethernet_802.3 802. . this is good because broadcasts don’t normally cross routers (keeps more traffic within individual segments). NT.stands for “Internetwork Packet eXchange” .stands for “Routing Information Protocol” .is a more advanced replacement for RIPIPX and SAP . Token Ring. each with a specific connection ID in the SPX header .. 
with ticks & hops.stands for “NetWare Link Services Protocol” .33E9 network portion node portion total up to 8 hex digits 12 hex digits = 20 hex digits 4 Bytes 6 Bytes = 10 Bytes (1/2 Byte per hex) 32 bits 48 bits = 80 bits (4 bits per hex) .2 802. . this can be a lousy idea because each frame type generates its own. two for Token Ring. say). . the remaining twelve form the node address. . . or FDDI.Clients broadcast GNS (“Get nearest Server”) requests. type CONFIG on that server. therefore communications using it get no acknowledgements .Servers speak to each other 2 ways: with SAP packets for service info and with RIPIPX for routing info. the fields in the four different IPX Ethernet frames look like this: Ethernet_802.Because of Novell changes through the years. added broadcasts. . thus: NetWare name Cisco name notes Ethernet_802.2 sap FDDI_RAW novell-fddi .0000. as in IP.The network portion of an IPX address is used.enables round-robin load sharing over several equalcost paths ipx per-host-load-share .Some examples of the above command: (config)# ipx network 20 (config)# ipx network 20 encapsulation sap secondary . show interface e0 DOES NOT SHOW IPX ADDRESS! show protocols lists 3 things: routed protocols.always sends traffic for a specific host via the same path when load sharing IPX DIAGNOSTICS show ipx route a table of routes to all reachable IPX segments. The first eight hex digits are the network address.. IPX is comprised of a suite of protocols.. however. debug ipx routing activity displays routing updates as they occur debug ipx sap activity displays SAP updates as they occur Once you have the IPX address of a remote router (using show cdp neighbor detail or show cdp entry * or by Telnetting into it). IPX addresses with encapsulation type. (config)# ipx routing . 
An administrator assigns the network number.Because L2 addresses are already included within the logical addresses.approximates L3 (mostly) and L4 functions ..To display frame types and IPX network IDs in use on a NW server. leading zeroes in the network address are usually not shown. show ipx interface e0 Same as above.. . or VMS. .Cisco HDLC remains the default encapsulation method for each serial interface. Pretty smart. This means every IPX address contains both L3 and L2 info.Both are sent in broadcasts at 60-second intervals. Novell’s layered protocols don’t. .adds-on connection oriented functions (akin to TCP) .2 LLC IPX Ethernet_II Ethernet IPX Ethernet_SNAP 802.stands for “Service Advertising Protocol” . IPX ADDRESSING .A warning about the secondary command: Although multiple frame types can be configured on a single segment (to support different generations of Novell. &c In summary.On a serial interface. except on subinterfaces). . is derived automatically by copying the device’s L2 MAC address.stands for “Sequenced Packet eXchange” .Broadcasts include the sender’s own info plus accumulated info about other used to advertise/request network services from NetWare servers NLSP.talks to higher layers via “sockets.provides security.” akin to TCP “ports” . to route packets between networks. as with any L3 a link-state routing protocol NCP. and other IPX settings. first) ping ipx <ipx_address> or. .0. as well.. – Part B: HOW TO DO IPX.3 IPX Ethernet_802.8609. these L2 frames come in four incompatible frame types for Ethernet. or respond on behalf of a remote NW server in a different network.Cisco routers can build their own SAP tables and respond as though they were NW servers. ipx maximum-paths <1-64> . unique IPX network address and its own broadcast traffic.Clients can run connectionless (like UDP). and IP and IPX addresses (with IPX encapsulation type.NetWare machines are either clients OR a distance/vector routing protocol . Period... however. 
rather than just a reconfiguration of the interface. . show ipx interfaces gives a long list: L1/L2 up/down stats. . Novell provides much internetworking capability on its own.The node portion. synchronization. . too. all NW servers become fully enlightened. there is no need for something like ARP to provide L3-to-L2 resolution. for more details.By convention. Eventually. CLIENT. . .uses “ticks” (18ths-of-a-second) and (if there’s a tie) hop counts as metrics . . show ipx traffic shows the number and type of IPX packets transmitted (both RIPIPX and SAP traffic). file access.automatically starts RIPIPX (config)# ipx network <network_ID_#> encapsulation <frame_type> secondary encapsulation <frame type> is optional (see default types in above table) secondary (also optional) indicates this command is an additional configuration with yet another frame type to use. ROUTER-WISE – IPX SETUP . L1/L2 up/down stats.” SAP. . mostly about access lists (chapter IX). instead.stands for “NetWare Core Protocol” . including all known servers and their offerings..2 sap for NW4.Servers almost always run the NetWare OS. follow the OSI model: IPX.2 LLC SNAP IPX See why it’s a problem? Cisco has five different names for the frame types.3 novell-ether used in NW3. DOS.Here we mean taking L3 IPX datagrams and framing them in L2 IPX frames for use on Ethernet. Windows. the default encapsulation remains Cisco proprietary HDLC.

255. Here the block size is eight and because “32” is.shows all lists and the interfaces using them with a zero.Once a packet finds a ‘permit’ or ‘deny’ match.deny traffic from just this host show access-list <id#> .16. because IP. For example: (config-if)# ip access-group 1 in OPERATIONAL RULES .shifts to the Telnet line-specific prompt (config-line)# access-class 1 in . .32. only).applies the specified list to this interface <ip_address> <wildcard> adds flexibility to the above.0. 31. you can opt to consider “blocks” of 4.16.0. Lists are applied specifically to traffic of one direction or the other. – even though they’re legitimate choices – cannot filter on L4 port numbers! <source_address> can appear in the following formats: LIST CONSTRUCTION GUIDELINES host <ip_address> as above .’ any traffic not passed will be discarded.CHAPTER IX – ACCESS LISTS (3 questions) . For example. either by name (telnet) or number (23) <1-99> is the list ID number. & port for any matches 1200 – 1299 IPX Summary Address extended log-input same as “log” also including input interface precedence match packets with given precedence value STANDARD IP LISTS tos match packets with given TOS value (config)# access-list <1-99> <deny/permit> <source_address> <port> application port.30.2 0.Apply standard lists as close to the destination as possible.16. lists cannot be edited in the Cisco IOS but the results of show running-config or show access-list can be copied to a text editor and changed. ICMP.deny traffic from this specific host ip access-group 100 out . protocol. access-list 100 deny tcp any host 255.2 .0 through 172.39.” in the above example) must be always a multiple of the block size. to kill just one test. & UDP in IP lists. as well as limiting access for improved security. SAP & SPX in IPX lists)  IP ‘port’ number (or IPX ‘socket’ number) .16.The tests in a list are always considered sequentially.2 .0 0.255 the numeral 7 means “deny 172. one test at a time.16.SYNTAX NOTE! 
access-list to create. In the wildcard each IP LIST DIAGNOSTICS 0 means “consider the corresponding octet in the IP address. only. <destination_address> can appear in the following formats: .Rather than considering an entire octet with a 0 or ignoring it with a 255.Access lists limit packets to specified segments for improved operation and simplified traffic patterns.30. source/dest. It’s typically TCP or UDP.If no ‘permit’ statement is included.0. They are then applied to an interface. respectively. <ip_address> <wildcard> as above .deny tcp packets from any <source_address> can appear in the following formats: source to host 172.’ Standard lists filter only by  source address or  destination address (IPX. by convention.Telnet lists are applied like other lists. TCP. 7. for example. <ip_address wildcard> as above .Apply extended lists and SAP filters close to the source to reduce network traffic.Lists filter only traffic from other routers.Each additional access-list command adds another test line to the specified list. no packets will pass.IP and IPX lists are either ‘standard’ or ‘extended.16. .deny traffic from any source (In the address.16.0 0. 11 . . ip access-group (or ipx ) to apply! IP LIST WILDCARDS USING “BLOCKS” . 32.” This is the block of eight network addresses from 32-to-39 because the wildcard to consider eight addresses is the number “7” and the starting address given in the corresponding (third) octet is “32.permit remaining ip packets from any source to access-list 1 deny host 172.Place the most specific tests first.same.30.0 .0 show ip access-list .0.16.De-apply a list with no ip access-group 1 in.” and each show access-list . type the whole line (no access-list 1… and remaining parameters). .2.Apart from that method.As you build a list. the smallest possible block. or 63.shows all lists by ID number and their configurations but does 255 means “ignore the corresponding octet. You can’t start a block at a value of 39. 
.Only one list per protocol or per direction may be placed on an interface. but with slightly different commands: (config)# access-list 1 deny 172. each new test is appended to its end.16.16.30. (Duh!) host <ip_address> as above .0. .255 .255 . log any hits host <ip_address> ‘host’ is the default command & may be eliminated: access-list 100 permit ip any any . 8.applies the access list to that Telnet line EXTENDED IP LISTS (config)# access-list <100-199> <deny/permit/dynamic> <protocol> <source_address> <destination_address> <option> <port> <dynamic> signifies a dynamic list of ‘permits’ and ‘denies. . . or 64 addresses within an octet by using the corresponding wildcards 3. not traffic originating in their router. nor can you start a block of 64 addresses with the value “40.16. .” Be as specific as you like: not show the interface to which a list is applied access-list 1 deny 172.shows which interfaces bear which lists show running-config .Slap an access list onto a port with only narrow permissions and you can any as above unwittingly block a lot of traffic.Lists are first created.“Inbound” means from segment to router. Hint: as a quick check.7.30.Each list ends with an implicit “deny everything else” statement.Extended lists can filter by  source address  destination address  L3 ‘protocol’ field (IP. addresses.deny traffic from all hosts in interface to which applied network segment 172. everything is proper.” -The starting address (“32. . in access-list 1 deny 172. a multiple of eight. .OR – any destination access-list 1 deny 172.0. that action is taken and no further testing of that packet occurs. 15.2 . specifically those for ports equal to 23. then delete it with no access-list 1.) any similarly means.” as in Continued on page 14 with “STANDARD IPX LISTS” access-list 1 deny any . 
<port> can be one of:
  eq      equal to the specified port number
  gt      greater than the specified port number
  lt      less than the specified port number
  neq     not equal to the specified port number
  range   within the specified range of port numbers
<option> can appear in the following formats:
  eq / gt / lt / neq / range   as above
  established   allow to pass (usually) if using an already-established connection
  fragments     check fragments
  log           logs list #, source/dest addresses, protocol & port for any matches
  log-input     same as “log” but also including the input interface
  precedence    match packets with the given precedence value
  tos           match packets with the given TOS value
ID NUMBER RANGES FOR ACCESS LISTS
  1 – 99        IP standard
  100 – 199     IP extended
  200 – 299     Protocol Type Code
  300 – 399     DECnet
  400 – 499     XNS standard
  500 – 599     XNS extended
  600 – 699     AppleTalk
  700 – 799     48-bit MAC Address standard
  800 – 899     IPX standard
  900 – 999     IPX extended
  1000 – 1099   IPX SAP
  1100 – 1199   48-bit MAC Address extended
  1200 – 1299   IPX Summary Address
VTY (Telnet) ACCESS CONTROL (config)# access-list <1-99> <deny/permit> <source_address> .creates the access list (config)# line vty 0 4 .
any as above .deny packets from any source hostname <name> specifies one host: access-list 1 deny hostname RouterB . “consider packets from any source.30. whilst “outbound” means from router to segment. but for a specific list.255.The command (config-if)# ip access-group <1-99> <in/out> applies the specified list to this interface.32.30.0.” (But you can permit a block of 64 and then deny little blocks of 4 within it!) in detail access-list 1 deny 0.2 eq 23 log . also does not show the access-list 1 deny 172. 16. an ignored octet can contain any digits but is usually filled show ip interface . this rule means the starting address must be always a multiple of four.shows only ip (standard and extended) lists.’ <protocol> is a protocol sufficiently high up the OSI model to act upon the port number you’ll specify. The sequence matters! . in fact.Unless you end a list ‘permit all others. .IP and IPX lists work similarly. &c.
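As an added example (not from the booklet), the following Python models the standard-list rules of this chapter: wildcard “blocks,” the rule that the starting address must be a multiple of the block size, sequential first-match evaluation, and the implicit deny-everything-else at the end of every list. The sample list and the function names are constructed for this example; the address/wildcard handling follows the bit logic the booklet describes (a 0 bit is compared, a 1 bit is ignored), so a misaligned start such as 172.16.39.0 0.0.7.255 silently covers the aligned block 32–39 rather than what the author intended.

```python
import ipaddress

# Constructed sample standard list in the booklet's syntax (not a real router's config).
SAMPLE_ACL = """
access-list 1 deny host 172.16.30.2
access-list 1 deny 172.16.32.0 0.0.7.255
access-list 1 permit any
""".strip().splitlines()


def _ip(text):
    return int(ipaddress.IPv4Address(text))


def _text(value):
    return str(ipaddress.IPv4Address(value))


def covered_range(address, wildcard):
    """Return (first, last, size, aligned) for an address/wildcard pair.

    Wildcard bits set to 1 are ignored, so they are cleared from the start
    address; 'aligned' is False when the given start had ignored bits set,
    i.e. it was not a multiple of the block size the wildcard implies."""
    a, w = _ip(address), _ip(wildcard)
    first = (a & ~w) & 0xFFFFFFFF
    last = first | w
    return _text(first), _text(last), w + 1, (a & w) == 0


def parse_standard_acl(lines):
    """Parse 'access-list <1-99> <permit|deny> <source>' lines in order.

    Returns tuples (list_id, action, address_int, wildcard_int). 'host x' and a
    bare address both mean wildcard 0.0.0.0; 'any' means 0.0.0.0 255.255.255.255."""
    entries = []
    for line in lines:
        parts = line.split()
        if len(parts) < 4 or parts[0] != "access-list":
            raise ValueError(f"not a standard access-list line: {line!r}")
        list_id, action, src = int(parts[1]), parts[2], parts[3:]
        if not 1 <= list_id <= 99 or action not in ("permit", "deny"):
            raise ValueError(f"bad list id or action: {line!r}")
        if src[0] == "any":
            addr, wild = 0, 0xFFFFFFFF
        elif src[0] == "host":
            addr, wild = _ip(src[1]), 0
        elif len(src) == 1:
            addr, wild = _ip(src[0]), 0
        else:
            addr, wild = _ip(src[0]), _ip(src[1])
        entries.append((list_id, action, addr, wild))
    return entries


def evaluate(entries, source_ip):
    """First-match evaluation against a packet's source address.

    Returns (action, 1-based test number); with no match the implicit
    'deny everything else' applies and the result is ('deny', None)."""
    s = _ip(source_ip)
    for n, (_, action, addr, wild) in enumerate(entries, start=1):
        if ((s ^ addr) & ~wild & 0xFFFFFFFF) == 0:
            return action, n
    return "deny", None


if __name__ == "__main__":
    acl = parse_standard_acl(SAMPLE_ACL)
    for src in ("172.16.30.2", "172.16.35.7", "172.16.40.1"):
        print(src, evaluate(acl, src))
    print(covered_range("172.16.32.0", "0.0.7.255"))   # aligned block of 8 third-octet values
    print(covered_range("172.16.40.0", "0.0.63.255"))  # 40 is not a multiple of 64: misaligned
```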

circuit-switched.connection-oriented . . LLC. can run in full-duplex. .45Mbps. Fun. using equal-sized 53-Byte packets or “cells”.a network layer protocol (L3) phase . late-1980s): .L2 with some L1 functions .uses generic HDLC but uses NCP to identify the L3 protocol it encapsulates . packet-switched (e. either on asynchronous (dial-up) or synchronous (ISDN) links .used over leased-line.Cisco HDLC is the default encapsulation for serial interfaces on Cisco routers. high-speed transfers .NBMA (Non-Broadcast. THEREFORE… . Everyone copied it.turns on PPP for a serial link (config)# hostname Chicago . used to encapsulate L3 contents with no ID . Multi-Access): will not broadcast.offers the lowest bandwidth of the three types . Note: both routers’ passwords must be identical (config-if)# ppp authentication chap . .2 specs on it and many vendors. and LAPM for modems.option to encrypt the password you are setting (config)# username Atlanta password bozo .25 users. not great for alternative to HDLC-NRM for error-prone connections ISDN (Integrated Services Digital Network – 1970s and 1980s): . LAPB for current X. . clear text authentication by the exchange of a password . LCP provides:  PAP or CHAP authentication  ‘Stacker’ or ‘Predictor’ (for Cisco) compression  ‘Quality’ and ‘Magic Number’ error-checking  ‘Multilink’ load splitting .g.56kbps to 2. L2.uses frame characters and checksums . no call & setup needed.allows dynamic bandwidth for occasional burst transfers .the successor to SLIP (Serial Line Internet Protocol) since the late 1980s Frame Relay (a child of X. &c.hooks DTE gear to DCE networks via a Packet Assembler/Disassembler (PAD) .PPP authentication methods: (You can use one. TCP. congestion control. LCP status.PAP (Password Authentication Protocol). . the digital connector CO = central office.comes in many flavors. or bursty traffic .bit-oriented . LAPD for ISDN D-channels. . 
Now HDLC has several variants: there’s NRM for SDLC users and the ITU-T bureaucrats in France made LAP for early X.L2 and a bit of L1 .used mostly over circuit-switched networks.25 or Frame Relay): .asynchronous serial (PPP dial-ups) or synchronous serial (ISDN) .always it so it can identify itself when authenticating (config)# service password-config .originally designed for ISDN.the L3 component of the stack is called PLP (Packet Level Protocol) . BUT… . you don’t share the wire .set authentication method.25. so it has better performance . Byte-Oriented L2 Protocols: . no matter who owns it DSU = data service unit.Each vendor (Cisco included) has a proprietary identification method for an encapsulated L3 protocol.connected only when needed (usually by a call through telco copper circuits) . need whole bytes for control info. ‘Normal Response Mode’ is an ISO-standard.good for infrequent.toll networks are ones using the public switched telephone network (PSTN) TELECOM CONNECTION TERMS DCE (“the mechanisms & links of the network portion”) CPE DTE CSU/ DSU CO POP DEMARC DCE = data communications equipment LOCAL LOOP DTE = data terminal equipment.synchronous serial (a direct.a back-up method to Frame Relay or a T1 leased line.a suite of protocols designed by ITU-T telco bureaucrats.bit-oriented .078kbps A Word about Bit.L1. may use single bits to hold control info. video. HDLC.features PAP or CHAP authentication . or packet-switched networks .ITU-T precursor to Frame Relay. or LAPB .a. as well as all the usual stuff debug ppp authentication .gives PPP info. IPX. DECnet. uses the X.It’s an ISO-standard means of identifying encapsulated L3 info.does not permit authentication . The IEEE built their 802. HDLC History: IBM made SDLC (Synchronous DLC) in the mid-‘70s as part of its System Network Architecture for mainframes. 
so it can be used to connect proprietary formats.CHAPTER X – WANs: When Ethernet Just Doesn’t Cut It (6-10 questions) CONNECTION TYPES leased serial line (a. a three-way handshake.. have their own flavors.k. a router or PC CPE = customer premises equipment. used to identify the L3 contents . &c.25.) . X. the T1 adapter & timing device.for encapsulation it can use PPP.can carry voice plus data.L2 and a bit of L1 . Cisco included. CSU = channel service unit.g. so it has weird terms . max.25. All connected routers are peers. onto all VCs. 100% digital from end-to-end .cheaper alternative to leased lines if you’re not constantly transmitting . SDLC.replaces Ethernet. LAPB.uses LAPB for L2 functions.a link establishment phase .Its L2 portion has three parts: . not both.CHAP (Challenge Handshake Authentication Protocol). which is too new) – HDLC (High-level Data-Link Control – developed from the 1970s. much more secure than PAP CONFIGURING PPP: (config-if)# encapsulation ppp .verifies your authentication setup More… 12 .used on ckt-switched networks like the “plain old telephone system” (POTS) . precisely timed digital link between 2 machines) . &c.Bit-Oriented protocols transmit frames regardless of content.industry-standard .ATM. high-speed traffic . ISDN or POTS/PSTN dial-up): . used to make/break connections. IP.LCP (Link Control Protocol).set the name of remote router and the password it must HDLC variant providing heavy error-checking for DTE-DCE connections .some overhead due to strict time-out and windowing requirements . not great for voice or video .Byte-Oriented protocols mark frame boundaries with specific characters.generic (not proprietary!) HDLC.. huh? X.expensive but the best for constant. audio.connection-oriented via private or switched virtual circuits (PVCs or SVCs) .line remains open into a “cloud” network of switches used by many clients .provides ‘fake Ethernet’ L2 encapsulation for L3 contents over a modem or serial point-to-point link. 
more efficient and trustworthy than Byte-Oriented. the stuff on-site.The generic. is called “cell-switched” circuit-switched (e. either router-to-router or host-to-network . good for branch offices . large authentication phase . now supports IP. AppleTalk.It does not identify the L3 protocol it encapsulates.121 international addressing standard LAPB (Link Access Procedure. like it sounds.supports most every type of upper-layer protocol PPP (Point-to-Point Protocol – late-1980s): .g. the provider’s nearest point-of-presence Demarcation (‘Demarc’) = point (equipment closet) where the CPE and Local Loop meet – SUMMARY of WAN PROTOCOLS (except dial-up but in digital format with immediate connections & higher speeds .mostly L2 with a L1 component . . and L3 . leaves any error checking to higher layers. onward): . 1980s): . video.provides L2 encapsulation & error-checking for point-to-point links on synchronous serial lines. & authentication .25 (1970s): .uses only best-effort delivery. – The DETAILS to KNOW about PARTICULAR PROTOCOLS – PPP .vs. Note: if you then say ppp authentication pap.often uses PPP for encapsulation. usually combined with the.Its L1 portion has one part: the EIA/TIA-232C (“RS-232”) serial link standard . & other LAN frames with Frame Relay frames for transparent transmission across packet-switched networks .25 stack but can stand alone . HDLC (default on BRI interfaces). making different vendor’s HDLCs incompatible. less error checking = less overhead than old X.a good alternative when you’re too far from a CO for DSL signals to reach . ISO version of HDLC is used by PPP (only place you’ll see it). “point-to-point dedicated line”): .NCP (Network Control Protocol). CHAP will be the default with PAP as a back up PPP DIAGNOSTICS: show interface s0 .synchronous serial.excellent for bursty traffic if reliable connections. so routers must copy routing protocols.was developed as part of the X. 
maintaining link integrity.used over packet-switched networks . e. . First the ISO made HDLC to give L2 framing to other networks. Balanced – actually “HDLC-LAPB”.PPP sessions are established in three phases: . simple flow control . generally superceded by bit-oriented protocols.

FRAME RELAY (3 questions)
[Diagram, recoverable labels only: NY (172.16.30.1) uses DLCI 16 for the CHI-NY PVC to CHI (172.16.30.17, which sees it as DLCI 23) and DLCI 17 for the NY-ATL PVC to ATL (172.16.30.18, DLCI 41); the CHI-ATL PVC is DLCI 24 at CHI and 42 at ATL. Each router reaches its CO through a CSU/DSU (the “X”) into the Frame Relay “cloud” of FR switches.]
- DTEs in FR connect via PVCs or SVCs. Every VC is labeled at either end with a Data-Link Connection Identifier or DLCI (“DEL-see”) numbered 16-1007.
- On multipoint interfaces only, IP or IPX addresses at the distant-end must be mapped to DLCIs at your end, either statically or (using Inverse ARP) dynamically. Static maps are more reliable because IARP sometimes makes nonsense mappings to unknown devices. [See the examples below.]
- FR is NBMA, so routers must copy broadcasts onto all virtual circuits, but Split Horizon rules stop routing info (except, since IOS v11, from RIP, IGRP, and EIGRP in the IP suite) and service updates (IPX SAP/GNS) from coming and going via the same interface. Separate ‘full-mesh’ connections between every router might be complex and expensive. Instead, create a subinterface (a common interface trick, not just a FR command) with (config-if)# interface s0.7 <link_type>; subinterfaces can host many VCs, each with its own DLCI and L3 characteristics (IP address, static/IARP mapping, &c.) on one physical interface. The two link types are point-to-point (only 1 VC connects to your interface; each connection needs its own subnet) and multipoint (several VCs connect; all FR interfaces use the same subnet).
- (config-if)# encapsulation frame-relay <type> enables FR on the specified interface or subinterface and sets the encapsulation type used by the provider. The default type is cisco and it’s proprietary; ietf (Internet Engineering Task Force) is an encapsulation based on PPP and is for connections to non-Cisco equipment.
- (config-subif)# frame-relay interface-dlci <16-1007> applies a DLCI to a specific subinterface; required on point-to-point subinterfaces, optional on multipoint.
- A Link (or Local) Management Interface (LMI) tracks and maintains the link from the router to the FR switch. It verifies flow, auto-assigns local or global DLCIs, and reports a circuit status as active, inactive, or deleted. The three LMI types are cisco (the default), ansi, and q933a. LMI type is auto-sensed but you can set it with (config-if)# frame-relay lmi-type <type>.
- CIR (Committed Information Rate): A provider’s guaranteed minimum rate, with faster speeds possible if traffic is light. Low CIRs mean more packets are dispensable, with their DE bits set to ‘on.’
- FR switches can apply three congestion control methods:
  - DE (Discard Eligibility) bit: Less-important packets have the DE bit turned on so they may be dumped if congestion occurs.
  - FECN (Forward Explicit Congestion Notification) bit: Gets turned on as a warning to the destination if a packet encounters congestion along its trip.
  - BECN (Backward Explicit Congestion Notification) bit: Gets turned on in a special packet sent back to the source as a warning.

FRAME RELAY EXAMPLE with STATIC MAPPING on ROUTER “NY”:
(config)# int s0 – go to serial interface zero
(config-if)# encapsulation frame-relay – turn on Frame Relay
(config-if)# int s0.7 multipoint – create a multipoint subinterface
(config-subif)# no inverse-arp – turn off Inverse ARP
(config-subif)# ip address 172.16.30.1 255.255.255.0 – set IP address on subinterface
(config-subif)# frame-relay map ip 172.16.30.17 16 ietf broadcast – map Chicago’s IP address to your DLCI 16; use IETF encapsulation for this VC because Chicago has non-Cisco gear; let broadcasts use this virtual circuit
(config-subif)# frame-relay map ip 172.16.30.18 17 – map Atlanta’s IP to DLCI 17
(config-subif)# frame-relay keepalive <seconds> – set LMI keepalive (default = 10)

To use less-stable, automatic IARP mapping instead, enter only these commands:
(config-if)# int s0.7 multipoint – create a multipoint subinterface
(config-subif)# encapsulation frame-relay ietf – turn on Frame Relay, IETF type
(config-subif)# ip address 172.16.30.1 255.255.255.0 – set subinterface’s IP address

FRAME RELAY DIAGNOSTICS:
# show frame-relay <x> where ‘x’ = ip, lmi, map, pvc, route, or traffic:
  lmi – shows type, errors, and general LMI stats
  map – L3 address-to-DLCI number mappings
  pvc – stats for PVCs (up/down) & DLCIs, including BECN and FECN counts
# show interface s0 – LMI type, LMI stats
# debug frame-relay lmi – LMI traffic details; shows if router and switch are sharing correct LMI info

ISDN (2-3 exam questions, expect definitions)
ISDN protocols starting with E deal with ISDN use over existing phone systems; I deal with concepts, aspects, and services (“Could you be more vague?”); Q deal with switching and signaling.
BRI (Basic Rate Interface): 2B (bearer) + 1D (data) channels, total 128kbps. B = data @ 64kbps; D = control & signaling @ 16kbps.
PRI (Primary Rate Interface): In North America: 23B + 1D channels (a “T1”), total 1.544Mbps. In Europe, Australia, &c: 30B + 1D channels (an “E1”), total 2.048Mbps. B = data @ 64kbps; D = control & signaling @ 64kbps. [Since 1k=1024 and 1M=1024k, I know the above totals don’t add up but try not to worry about it!]
How ISDN connects: Router connects D channel to near-end ISDN switch; switch sets path to distant-end switch via SS7 signaling; distant-end switch connects D channel to remote router; B channel(s) are connected from end to end.
ISDN has an alphabet soup of component labels:
- TE1 (Terminal Equipment, type 1): an ISDN-ready device
- TE2 (Terminal Equipment, type 2): an ISDN-stupid device, no ISDN capability
- TA (Terminal Adapter): often incorrectly called an ISDN ‘modem,’ the wire-converter thingy you must stick in front of a TE2 to get it to play ISDN games.
- NT1 (Network Termination, type 1): handles L1 ISDN specs; part of the carrier network outside North America/Japan but here packaged as a separate box (a type of CSU/DSU) to connect to our primitive ISDN networks
- NT2 (Network Termination, type 2): handles L2 & L3 ISDN specs. Lammle says they are usually provider equipment (like a switch or PBX) and only rarely seen as CPE gear. (So I’m told.) I think he’s clueless about NT2s because other sources show them as in my picture (below) and they say an NT2 is often integrated with an NT1 into a single box.
- LT (Line Termination): a physical connection point into the telco network
- ET (Exchange Termination): the telco’s ISDN switch, the first one in the cloud
Reference points:
- R: between a TE2 and its TA. 2 wires
- S and T: Supposedly, an NT2 connects to CPE gear by an ‘S’ and to an NT1 by a ‘T’. We can say for sure 1) S & T are electrically and functionally equivalent, so their names often get combined (“S/T”), and 2) they must be the same as the 4-wire connections between European NT1s and TE1s/TAs, because that’s where they’re always pictured. Helpful? I didn’t think so.
- U: between DCE (meaning “telecom”) line termination equipment and NT1s (only in North America and other ass-backward zones). 2 wires
- V: between ET and LT. I have no idea how many wires it has.
[Diagram, recoverable labels only. In Europe & Australia: TE1 –S/T– ISDN switch cloud (NT1 stuff inside); TE2 –R– TA –S/T– ISDN switch cloud. In North America/Japan: TE1 (NT1 module inside the TE1) –U– LT … ISDN switch cloud … ET –V–; or TE1 –S– NT2 –T– NT1 –U– LT –V– ET.]
Sybex’s diagrams show no NT2s, so I made my picture from other sources. (Maybe that’s why Lammle didn’t see them.)
ISDN configuration:
- Use (config)# or (config-if)# isdn switch-type <keyword> to configure the correct ISDN switch type, where the keyword tells the manufacturer and switch type. Basic-5ess = an AT&T basic rate and Basic-ni1 = a National ISDN-1 switch.
- BRI interface hookups may require you use isdn spid1 <spid> <local_dial#> and isdn spid2 <spid> <local_dial#> to configure the SPID (Service Protocol ID – like an account number) for each B channel to let your equipment talk to the ISDN switches. The local dial number may or may not be required.
- A full ISDN PRI setup goes: isdn switch-type <keyword>, controller t1 <slot/port>, framing esf, linecode b8zs, pri-group <timeslots/range>.
More… 13
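The static-mapping rules above (DLCIs live in 16-1007, one DLCI per VC, every peer on a multipoint subinterface shares its subnet, and routing updates cross a VC only when its map says broadcast) are exactly the things that go wrong when a map is typed by hand. As an added example, not part of this booklet or of Lammle’s book, here is a small Python checker that reads a subinterface in running-config form and flags those mistakes. The NY_CONFIG text reuses the page’s addresses and DLCIs; BAD_CONFIG is a constructed, deliberately broken variant; the parser and checks are mine.

```python
import ipaddress
import re

# Router NY's multipoint subinterface from the static-mapping example, written out the way it
# would appear in a running-config (the addresses and DLCIs are the page's; this text is constructed).
NY_CONFIG = """
interface Serial0.7 multipoint
 ip address 172.16.30.1 255.255.255.0
 no inverse-arp
 frame-relay map ip 172.16.30.17 16 ietf broadcast
 frame-relay map ip 172.16.30.18 17
"""

# Constructed, deliberately broken variant (hypothetical values) to show what the checks catch.
BAD_CONFIG = """
interface Serial0.8 multipoint
 ip address 172.16.40.1 255.255.255.0
 frame-relay map ip 172.16.30.17 5 broadcast
 frame-relay map ip 172.16.40.18 17 broadcast
 frame-relay map ip 172.16.40.19 17 broadcast
"""


def parse_subinterface(config: str) -> dict:
    """Pull link type, local address/mask and the static DLCI maps out of the config text."""
    sub = {"link_type": None, "local": None, "maps": []}
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"interface \S+ (point-to-point|multipoint)$", line):
            sub["link_type"] = m.group(1)
        elif m := re.match(r"ip address (\S+) (\S+)$", line):
            sub["local"] = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}")
        elif m := re.match(r"frame-relay map ip (\S+) (\d+)(.*)$", line):
            opts = m.group(3).split()
            sub["maps"].append({
                "peer": ipaddress.ip_address(m.group(1)),
                "dlci": int(m.group(2)),
                "broadcast": "broadcast" in opts,
                "encap": "ietf" if "ietf" in opts else "cisco",  # cisco is the default encapsulation
            })
    return sub


def check_maps(sub: dict) -> list:
    """Return a list of findings; an empty list means the map table is consistent with the rules."""
    findings = []
    seen = set()
    for m in sub["maps"]:
        tag = f"DLCI {m['dlci']} -> {m['peer']}"
        if not 16 <= m["dlci"] <= 1007:
            findings.append(f"{tag}: DLCI outside the usable range 16-1007")
        if m["dlci"] in seen:
            findings.append(f"{tag}: DLCI already mapped to another peer")
        seen.add(m["dlci"])
        if sub["link_type"] == "multipoint" and m["peer"] not in sub["local"].network:
            findings.append(f"{tag}: peer is not on the multipoint subnet {sub['local'].network}")
        if not m["broadcast"]:
            findings.append(f"{tag}: no 'broadcast' keyword, so routing updates will not cross this VC")
    if sub["link_type"] == "point-to-point" and len(sub["maps"]) > 1:
        findings.append("point-to-point subinterface carries more than one VC")
    return findings


if __name__ == "__main__":
    for name, cfg in (("NY", NY_CONFIG), ("BAD", BAD_CONFIG)):
        print(f"--- {name} ---")
        for f in check_maps(parse_subinterface(cfg)) or ["no findings"]:
            print(" ", f)
```

Run against NY’s own config it raises one finding: the Atlanta map on DLCI 17 has no broadcast keyword, so RIP/IGRP updates to Atlanta would never leave the router, which is the easy-to-miss half of the “FR is NBMA” point above.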

ISDN & DDR, continued from pg 11
DDR (Dial-on-Demand Routing) for ISDN or DIAL-UP: for low-volume, occasional connections via POTS/PSTN (dial-up or ISDN). Connects when ‘interesting’ packets dictate, breaks when idle time-out ends. All participating routers require full static route knowledge of the network. Default routing can be used on stub networks (only one outlet to other networks).
- First, specify the interesting traffic with a ‘dialer-list’ command:
  (config)# dialer-list 1 protocol ip permit – “List 1 says, ‘all IP traffic is interesting.’” Must be placed on all participating routers!
- You can extend the “interesting” list by pointing it to an access list (the access list may be of any type):
  (config)# access-list 100 permit tcp any any eq smtp – add to access list 100
  (config)# access-list 100 permit tcp any any eq telnet – add to access list 100
  (config)# dialer-list 1 list 100 – “Use access list 100 to define dialer list 1.”
  Note: The access list is created but not applied anywhere. Make sure ping and Telnet are designated “interesting” so the link comes up when you try to use them!
- Next step, configure the dialer:
  (config)# int bri0 – choose the interface
  (config-if)# ip address 172.16.60.1 255.255.255.0 – assign the interface an IP address
  (config-if)# no shut – turn the interface on
  (config-if)# encapsulation ppp
  (config-if)# dialer-group 1 – apply List 1 to the specified interface. (What? You thought you could leave it off?)
  (config-if)# dialer-string 8350661 – set up the number(s) to dial
  – OR –
  (config-if)# dialer map ip 172.16.60.2 name Chicago 8350661 – list each of the number(s) to dial, per next hop. (This method uses the IP address of the next hop router and the hostname of the remote router for authentication, which is more secure.)
- To set the idle disconnect time for calls, (config-if)# dialer idle-timeout <seconds>. The default is 120 seconds.
- To tell the dialer when to bring up the second B channel, (config-if)# dialer load-threshold <1-255> <in/out/either>, where 1-255 is the relative load level and the direction tells which traffic you want used as a trigger. The default is to monitor outbound traffic.
- Last step, set up a static route (so routing protocol traffic won’t keep you connected):
  (config)# ip route 172.16.50.0 255.255.255.0 172.16.60.2 – “get to ’50 via 60.2”
  (config)# ip route 172.16.60.2 255.255.255.255 bri0 – “get to 60.2 via bri0”
ISDN & DDR DIAGNOSTICS:
ping or telnet – test the link (make sure both are “interesting,” above)
show dialer – diagnostic info for all the above dialer commands
show isdn active – shows the number called if a call is in progress
show isdn status – used before dialing to check SPID validity; confirms L1, L2, & L3 are talking to the provider’s switch
show ip route – displays all the known routes
debug isdn q921 – L2 info
debug isdn q931 – L3 info (including call set-up & tear-down) (Remember those “Q” protocols?)
debug dialer – display call set-up/tear-down activity as it happens
isdn disconnect interface bri0 – hang up the specified interface
TURNING OFF DEBUG: undebug ip <specific debug command> or no debug all or undebug all or just un al

CHAPTER IX – ACCESS LISTS, continued from pg 9
STANDARD IPX LISTS:
(config)# access-list <800-899> <deny/permit> <source_ipx_address> <destination_ipx_address>
For example: (config)# access-list 800 permit 20 40 – creates the list
(config-if)# ipx access-group 800 out – applies it to the specified interface
The wildcard “-1” when used in either the source or destination address fields means “any host or network.” (Note the minus sign.)
EXTENDED IPX LISTS:
(config)# access-list <900-999> <deny/permit> <protocol> <source_ipx_address> <source_socket> <destination_ipx_address> <destination_socket>
IPX SAP FILTER LISTS:
(config)# access-list <1000-1999> <deny/permit> <source_ipx_address> <service_type> <SAP_server_name>
<source_ipx_address> can appear in the following formats: <0-FFFFFFFF> network ID only; <N.H.H.H> fully specific source address (both network and host); <N.H.H.H> <N.H.H.H> address plus mask for a specific source address; –1 indicates any network (note hyphens!).
<service_type> can appear in the following formats: <0-FFFF> service code (4 = file server, 7 = print server, 24 = router); 0 indicates all services.
INPUT lists stop specified SAP traffic from updating the router’s SAP table. OUTPUT lists stop specified SAP updates from being sent by the router.
(config)# access-list 1000 permit 9e.6666.7777.8888 4 sappy_serv – creates the list
(config-if)# ipx input-sap-filter 1000 – applies it to the specified interface
IPX LIST DIAGNOSTICS:
show ipx interface – shows IPX address, applied lists, SAP filters for all interfaces
show ipx access-list – shows lists in detail (with all Fs instead of wildcards) (See IP LIST DIAGNOSTICS for show access-list, too.)

CHAPTER VII – BOOT-UP & CONNECTIVITY TOOLS
PINGing and TRACEing: ‘Ping’ requests ICMP echo packets from a target. ‘Trace’ uses TTL (time-to-live) values from each router it meets to send back a list of hops along the way. Both ping & trace work with many protocols. To specify a particular protocol, type ping <protocol> <target>. Same syntax for trace: trace <protocol> <target>.
TWO WAYS TO RESOLVE HOST NAMES to IP ADDRESSES:
HOST TABLES: ip host <name> <tcp_port#> <ip_addresses_1-8>. The default port number for TCP is 23 (so you can skip it) and you can list up to 8 IP addresses:
(config)# ip host Atlanta 172.16.10.…
(config)# ip host Chicago 192.168.…
View your host table with # sh hosts. To remove an entry, type no ip host Atlanta.
DOMAIN NAME SYSTEM (DNS): The IOS assumes you want to use DNS any time you type an unknown command, thinking you might be naming a device you want to Telnet to. It looks for your typed gibberish in its host table and then via DNS. To turn this feature off, use no ip domain-lookup. To set up DNS: Turn it back on with (config)# ip domain-lookup. (config)# ip name-server <address> points to your DNS server (6 servers, max.). (config)# ip domain-name mycompany.com (optional) appends this domain name any time you type the name of a host. This is a good idea because DNS demands FQDNs (Fully Qualified Domain Names) to operate. To view your table, type # sh hosts. Manual entries will say perm; DNS entries will say temp.

APPENDIX B – The CATALYST 1900 SWITCH, related to “switching,” pg 5
Key Terms:
- auto duplex: duplex is set automatically.
- port security: frame restrictions on switch ports.
- set-based: the older CLI for Cisco switches, as opposed to newer IOS-based types.
- dynamic entries: a L2 or L3 address table built dynamically.
1900 switch passwords must be from 4 to 8 characters long (not case-sensitive).
Switch ports are labeled by type slot/port (e.g. ethernet 0/16, or fastethernet 0/26). Small switches have only “slot zero.” Use (config)# int e0/16 to configure port 16.
CREATE YOUR VLANs…
(config)# hostname MySwitch – names the switch
(config)# vlan 2 name sales – creates and names VLAN 2
(config)# vlan 3 name marketing – creates and names VLAN 3
(config)# vlan 4 name tech – creates and names VLAN 4
…Then map them to ports: (Only static mapping is on the exam.) All ports are initially mapped to VLAN 1. By default, only one VLAN is allowed per port:
(config)# int e0/2 – go to Ethernet port 2 (in slot 0)
(config-if)# vlan-membership static 4 – map only one VLAN; repeat for other ports
# sh vlan – gives names, status, port mappings
# sh vlan 2 – as above, plus type, MTU, parent, ring#, bridge#, STP, & other options
# sh vlan-membership – lists each port, its VLAN, and whether static or dynamic
PUTTING MULTIPLE VLANs through ONE PORT by TRUNKING IT: Add ALL the VLANs to a “trunked” port and set how it deals with the device plugged into it: (config-if)# trunk <option> where option is one of the following:
- auto – do trunk mode if the other device is on or desirable
- desirable – negotiate trunk mode if other device is on, desirable, or auto
- nonegotiate – permanent trunk port, don’t negotiate
- off – no trunking
- on – permanent trunk port; try to convert the other device to be on-trunk (negotiate conversion to trunked mode)
Multiple ports can trunk. Each is identified with a letter. Verify trunking with # sh trunk (for all trunking ports) or # sh trunk <letter> (for specific ports).
To selectively remove a VLAN from a trunked port (for security, routing update issues):
(config-if)# no trunk-vlan 5 – repeat for each VLAN to kill
# sh trunk <letter> allowed-vlans – to see remaining VLANs after some are removed
* END * 14
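The dialer-list / access-list 100 pairing above is where DDR links surprise people: whatever the ACL does not permit is not “interesting,” so it neither brings the link up nor resets the idle timer. As an added example (mine, not from the booklet or Lammle), the Python below models IOS extended-ACL matching (wildcard masks, top-down first match, implicit deny at the end) and the two dialer-list forms, then classifies a handful of constructed packets. The config text reuses the page’s commands; the packets and the port-name table are constructed for the example.

```python
import ipaddress

# Constructed running-config excerpt using the DDR commands above.
DDR_CONFIG = """
access-list 100 permit tcp any any eq smtp
access-list 100 permit tcp any any eq telnet
dialer-list 1 list 100
"""

# Port names IOS accepts in place of numbers (only the ones this cheat sheet lists).
WELL_KNOWN_PORTS = {"ftp": 21, "telnet": 23, "smtp": 25, "domain": 53, "www": 80}


def parse_address(tokens: list) -> tuple:
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W' from tokens; return (base, wildcard) ints.
    In a wildcard mask a 0 bit means 'must match', a 1 bit means 'don't care'."""
    tok = tokens.pop(0)
    if tok == "any":
        return 0, 0xFFFFFFFF
    if tok == "host":
        return int(ipaddress.IPv4Address(tokens.pop(0))), 0
    return int(ipaddress.IPv4Address(tok)), int(ipaddress.IPv4Address(tokens.pop(0)))


def parse_config(text: str) -> tuple:
    """Return ({acl_number: [(action, proto, src, dst, dport), ...]}, {dialer_list: spec})."""
    acls, dialer_lists = {}, {}
    for line in text.splitlines():
        t = line.split()
        if not t:
            continue
        if t[0] == "access-list":
            number, action, proto, rest = int(t[1]), t[2], t[3], t[4:]
            src = parse_address(rest)
            dst = parse_address(rest)
            dport = None
            if rest[:1] == ["eq"]:
                dport = WELL_KNOWN_PORTS.get(rest[1]) or int(rest[1])
            acls.setdefault(number, []).append((action, proto, src, dst, dport))
        elif t[0] == "dialer-list" and t[2] == "protocol":
            dialer_lists[int(t[1])] = ("protocol", t[3], t[4])   # e.g. dialer-list 1 protocol ip permit
        elif t[0] == "dialer-list" and t[2] == "list":
            dialer_lists[int(t[1])] = ("acl", int(t[3]))         # e.g. dialer-list 1 list 100
    return acls, dialer_lists


def address_matches(spec: tuple, addr: str) -> bool:
    base, wildcard = spec
    return ((int(ipaddress.IPv4Address(addr)) ^ base) & ~wildcard & 0xFFFFFFFF) == 0


def acl_decision(entries: list, pkt: dict) -> str:
    """Top-down, first match wins; falling off the end of the list is the implicit deny."""
    for action, proto, src, dst, dport in entries:
        if proto != "ip" and proto != pkt["proto"]:
            continue
        if not (address_matches(src, pkt["src"]) and address_matches(dst, pkt["dst"])):
            continue
        if dport is not None and pkt.get("dport") != dport:
            continue
        return action
    return "deny"


def is_interesting(pkt: dict, config: str = DDR_CONFIG, dialer_list: int = 1) -> bool:
    """Would this packet bring the DDR link up (or keep it up)?"""
    acls, dialer_lists = parse_config(config)
    spec = dialer_lists[dialer_list]
    if spec[0] == "protocol":          # 'protocol ip permit': every IP packet is interesting
        return spec[2] == "permit"
    return acl_decision(acls[spec[1]], pkt) == "permit"


# Constructed sample packets crossing the bri0 link of the example above.
SAMPLE_PACKETS = {
    "smtp":   {"proto": "tcp",  "src": "172.16.50.10", "dst": "172.16.60.2", "dport": 25},
    "telnet": {"proto": "tcp",  "src": "172.16.50.10", "dst": "172.16.60.2", "dport": 23},
    "http":   {"proto": "tcp",  "src": "172.16.50.10", "dst": "172.16.60.2", "dport": 80},
    "ping":   {"proto": "icmp", "src": "172.16.50.10", "dst": "172.16.60.2"},
    "rip":    {"proto": "udp",  "src": "172.16.60.1",  "dst": "255.255.255.255", "dport": 520},
}


def classify_all(config: str = DDR_CONFIG) -> dict:
    return {name: is_interesting(pkt, config) for name, pkt in SAMPLE_PACKETS.items()}


if __name__ == "__main__":
    for name, interesting in classify_all().items():
        print(f"{name:7s} interesting: {interesting}")
```

With access list 100 exactly as shown, SMTP and Telnet are interesting and everything else, including the ping you will use to test the link and the routing updates the static routes are there to avoid, is not; switching the config to dialer-list 1 protocol ip permit makes all five interesting.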

SPECIAL BONUS PAGE: 10 things you should immediately dump onto your scratch paper as your exam begins (like, before you forget them).

1. OSI layers, 7 down to 1, with the “All People Seem To Need Data Processing” mnemonic* and each layer’s data unit:
   7 Application   All         Data
   6 Presentation  People      Data
   5 Session       Seem        Data
   4 Transport     To          Segments
   3 Network       Need        Packets
   2 Data-Link     Data        Frames
   1 Physical      Processing  Bits
   (* Or whatever works for you.)
2. The 3 Cisco layers: CORE, DISTRIBUTION, ACCESS.
3. Port numbers: FTP 21, Telnet 23, SMTP 25, DNS 53, HTTP 80.
4. Address classes (first octet): A 1-126, B 128-191, C 192-223.
5. Subnetting table (one octet):
   stolen bits    1     2     3     4     5     6     7     8
   mask         .128  .192  .224  .240  .248  .252  .254  .255
   magic #       128    64    32    16     8     4     2     1
   hosts         126    62    30    14     6     2     0     0
   networks        0     2     6    14    30    62   126   254
6. Administrative distance (AD) by source: connected interface 0, static or default route 1, IGRP 100, RIP 120.
7. Configuration register (default 0x2102). Boot field: 0 = ROM monitor mode (no IOS); 1 = boot an IOS image from ROM; 2 = use the IOS specified in NVRAM (default). Third digit: 0 = use CF (default); 4 = ignore CF.
8. Novell encapsulation names: Ethernet_802.3 = novell-ether (default); Ethernet_802.2 = sap; Ethernet_II = arpa; Ethernet_SNAP = snap.
9. Access list number ranges: 1 – 99 IP standard; 100 – 199 IP extended; 800 – 899 IPX standard.
10. ISDN reference points: TE2 –R– TA –S– NT2 –T– NT1 –U– LT –V– ET (ISDN switch cloud); a TE1 plugs in at S.

FILL-IN-THE-BLANKS PRACTICE SECTION (the same ten, blank):
1. OSI layers 7 6 5 4 3 2 1: _ _ _ _ _ _ _ with data units _ _ _ _ _ _ _
2. 3 Cisco layers: _ _ _
3. Port #: FTP _ Telnet _ SMTP _ DNS _ HTTP _
4. Class A _ B _ C _
5. stolen bits 1 2 3 4 5 6 7 8 / mask _ / magic # _ / hosts _ / networks _
6. AD: connected interface _ static or default route _ IGRP _ RIP _
7. Config register: 0 = _ 1 = _ 2 = _ ; 0 = _ 4 = _
8. Novell _ _ _ _ / Cisco (default) _ _ _ _
9. IP standard _ IP extended _ IPX standard _
10. ISDN: TE2 _ TA _ NT2 _ NT1 _ LT _ ET (ISDN switch cloud)
15
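Row 5 of the scratch-paper table is easier to rebuild than to memorize, and the “magic number” is also the shortcut for the exam’s which-subnet-is-this-host questions. The following is an added worked example (mine, not from the booklet): Python that regenerates the table from the number of stolen bits, locates a host’s subnet, broadcast and valid host range with the magic number, and cross-checks the shortcut against the standard library. The sample addresses in the usage section are constructed.

```python
import ipaddress


def subnet_row(stolen_bits: int) -> dict:
    """One row of the exam table: subnet one octet with n 'stolen' bits.
    hosts/networks follow the classful convention of the time (drop subnet zero and the all-ones subnet)."""
    if not 1 <= stolen_bits <= 8:
        raise ValueError("stolen bits must be 1..8")
    mask_octet = (0xFF << (8 - stolen_bits)) & 0xFF
    return {
        "mask": mask_octet,                            # e.g. 224
        "magic": 256 - mask_octet,                     # block size = subnet increment
        "hosts": max(2 ** (8 - stolen_bits) - 2, 0),   # minus network and broadcast addresses
        "networks": max(2 ** stolen_bits - 2, 0),      # minus subnet zero and all-ones
    }


def subnet_table() -> list:
    return [subnet_row(n) for n in range(1, 9)]


def locate_host(ip: str, mask_octet: int) -> dict:
    """Which subnet is this host in, what is its broadcast, and what are the valid hosts?
    Works on the octet the mask is applied to (the last one for the Class C cases on the exam)."""
    magic = 256 - mask_octet
    octets = list(map(int, ip.split(".")))
    network_last = (octets[3] // magic) * magic     # largest multiple of the magic number <= host
    broadcast_last = network_last + magic - 1
    prefix = ".".join(map(str, octets[:3]))
    usable = magic - 2
    return {
        "network": f"{prefix}.{network_last}",
        "broadcast": f"{prefix}.{broadcast_last}",
        "first_host": f"{prefix}.{network_last + 1}" if usable > 0 else None,
        "last_host": f"{prefix}.{broadcast_last - 1}" if usable > 0 else None,
    }


def address_class(ip: str) -> str:
    first = int(ip.split(".")[0])
    if 1 <= first <= 126:
        return "A"
    if 128 <= first <= 191:
        return "B"
    if 192 <= first <= 223:
        return "C"
    return "other"


def cross_check(ip: str, mask_octet: int) -> bool:
    """Confirm the magic-number shortcut against the ipaddress module's answer."""
    net = ipaddress.ip_network(f"{ip}/255.255.255.{mask_octet}", strict=False)
    mine = locate_host(ip, mask_octet)
    return (str(net.network_address), str(net.broadcast_address)) == (mine["network"], mine["broadcast"])


if __name__ == "__main__":
    print("bits  mask  magic  hosts  networks")
    for bits, row in enumerate(subnet_table(), start=1):
        print(f"{bits:4d}  .{row['mask']:<4d} {row['magic']:5d}  {row['hosts']:5d}  {row['networks']:8d}")
    # Constructed sample question: which subnet holds 192.168.10.33 with mask 255.255.255.224?
    print(locate_host("192.168.10.33", 224), "checks out:", cross_check("192.168.10.33", 224))
```

The table it prints is row 5 above, line for line; for the sample question it answers subnet .32, broadcast .63, hosts .33 through .62.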
