CCNA Lab Manual

1
Cisco DEVICE AND

IOS BASICS
Device connectivity Basics

The series of diagrams below reveal the cable types used for various
device connectivity.
I. Console Connectivity to configure a switch using management host
a. PC serial port to Switch Console port
Catalyst Switch
Rollover cable is being used
Management Console
b. For remote Configuration through Auxiliary interface
Internet cloud
Aux 0
Remote computer
Modem
Modem
3
II. Network Connection
a. To cascade same type of device use Cross-Over cable.
b. For HUB/SWICH to PC/ROUTER straight through cable is used & Crossover cable is used between PC Router & Hub Switch.
Host
Straight Through cable
Switch
Cross Over cable
Cross Over cable

Router
HUB
Setting up the Management Console (windows environment):

First lets setup the Hyperterminal from windows for interfacing with
the Cisco Devices and issue commands. Here we go
Path to trigger the emulation software from your Desktop

Click start Programs Accessories Communications Hyper
Terminal
Well name our Session My_Lab. The next screen requires us to configure
the COM port to which we are going to connect our Cisco Device.
Next, choose the default settings, else communication will be a

problem !
On clicking OK, well see the below screen & we are ready to talk to
our CISCO Switch/Router !
IOS BASICS
Pressing the RETURN key takes us to the USER EXEC mode.
Switch con0 is now available
Press RETURN to get started.
Switch>
The > prompt denotes user exec mode. To move into Privilege mode, we
use the enable command.
Switch>enable
Switch#
Privilege mode is identified with the # symbol. configure terminal
command takes us into the global configuration mode where we can
configure global parameters like hostname etc for the entire device.
Switch#configure terminal
Switch(config)#
To get into any specific interface mode we have use the interface
command with relevant interface number. To configure parameters
specific to interface 1 of module 0, we issue the command as shown
below.
7
Switch(config)#interface fastethernet 0/1
Switch(config-if)#
This is the sequence with which we change modes in the forward
direction. Lets now move backwards now.
Switch(config-if)#exit
Switch(config)#
To go one step backward we have to use the command exit
Switch(config)#exit
Switch#
However, we must use the command disable to move from privilege to
user exec mode. If we use exit, itll log us out (and well again see
the first message
Press RETURN to get started)
Switch#disable
Switch>
To logout, we use the exit command again.
Switch>exit
Press RETURN to get started
NOTE : We can use ^Z to directly move backward 2 steps from interface
mode to privilege mode.
Config-if# ^Z
Switch#
Also note that we can use ? whenever we want to see the various
commands available in a particular mode or want to find out what
commands begin with a certain letter etc. This can be easily observed
in the below case.
Router#?
Exec commands:
access-enable
access-profile
access-template
archive
cd
<output omitted>
Create a temporary Access-List entry

Apply user-profile to interface
Create a temporary Access-List entry
manage archive files
Change current directory
Router#s? (displays all commands beginning with s)

*s=show send setup slip squeeze start-chat systat
8
If we typed a wrong spelling & try to use help the output will display
as Unrecognized command. The same message is displayed even if we try
to use help when no further arguments are possible (or wrong arguments
used). Look at the below examples...
Router#show router ?
% unrecognized command
Router#show ip a
% Ambiguous command:
Router#show ?
access-expression
access-lists
accounting
aliases
arp
<output omitted>
"show ip a"
List access expression
List access lists
Accounting data for active sessions
Display alias commands
ARP table
Another interesting aspect is that we dont have to type the entire

command. We can just type the first few letters of a command (to the
extent that only one command begins with the typed letters) and press
tab the command is completed for us! (Even if we dont complete the
command, itll accept!)
Using tab key
Lets just type sh and use the tab key tab key
Router#sh (tab)
Router#show
There are some shortcut keys thatll help us to work with IOS faster.
Their description & use is given below.
Shortcut keys to access your CLI mode
CTRL-A
CTRL-E
ESC-B
ESC-F
CTRL-B
LEFT ARROW
CTRL-F
RIGHT ARROW
CTRL-P
UP ARROW
CTRL-N
DOWN ARROW
CTRL-D
BACKSPACE
CTRL-R
CTRL-U
Moves the cursor to the beginning of the line

Moves the cursor to the end of the line
Moves the cursor back one word at a time
Moves the cursor forward one word at a time
Moves the cursor back one character at a time
Moves the cursor back one character at a time
Moves the cursor forward one character at a
time
Moves the cursor forward one character at a
time
Recalls the last command
Recalls the last command
Recalls the most previously executed command
Recalls the most previously executed command
Deletes the character the cursor is under
Deletes the character preceding the cursor
Redisplays the current line
Erases the line completely
9
CTRL-W
CTRL-Z
TAB
Erases the word the cursor is under

Takes you from Configuration mode back to
Privilege EXEC mode
Once you enter a few characters and hit the TAB
key, the IOS device completes the word,
assuming that you typed in enough characters to
make the command or parameter unique
When this appears at the beginning of a command
line, it indicates that there are more
characters to the right of the $.
10
Switching Labs
11
General Experiments with Basic Switch Commands
Assume we are on a Switch console and the switchs ready we see the
below message
(press the return key)
Switch> this is our user exec mode
To get into privilege mode use the command enable
Switch>enable
Switch# The prompt has changed from > to #. if you see # after
the hostname you are in Privilege mode
To get back from privilege mode to user exec mode use the command
disable
Switch#disable
Switch>
To get into global configuration mode use the following commands
Switch>enable
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)# This prompt indicates global configuration mode
To get into specific interface mode use the following commands
Switch>enable
Enter configuration commands, one per line.
Switch(config)#interface Fastethernet 0/1
Switch(config-if)#
End with CNTL/Z.
Lets add some description to the interface fastethernet 0/1

indicating that Host1 is connected to this interface. We do this from
the specific interface mode
Switch>enable
Enter configuration commands, one per line.
Switch(config)#interface Fastethernet 0/1
Switch(config-if)#description Host1
End with CNTL/Z.
Check out this description in running configuration using the command

show running configuration
Switch#show running-config
Building configuration...
12
Current configuration : 130 bytes
!
interface FastEthernet0/1
description Host1
no ip address
end
(irrelevant output omitted)
Lets see some more basic show commands. (All show commands work only
in privilege mode)
To view details of interfaces/particular interface use
show interfaces (or) show interfaces <interface type interface id>
e.g.
Switch#show interfaces Fa 0/1
FastEthernet0/1 is down, line protocol is down
Hardware is FastEthernet,address is 000d.ed5b.49c1(bia 000d.ed5b.49c1)
MTU 1500 bytes, BW 10000 Kbit, DLY 1000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ARPA, loopback not set
<output omitted>
We can also observe that its sufficient to use the first few letters
of the keyword Fastethernet once these letters identify the unique
command, the balance letters neednt be typed !
Switch#show interface vlan 1
Vlan1 is administratively down, line protocol is down
Hardware is CPUInterface,address is 000d.ed5b.49c0(bia 000d.ed5b.49c0)
Encapsulation ARPA, loopback not set
<output omitted>
Switch#Show spanning-tree
No spanning tree instances exist.
Following is the command to see the current device configuration which
is in the RAM.
Current configuration : 866 by
version 12.1
!
hostname Switch
!
description Host1
no ip address
<output omitted>
!
no ip address
!
interface Vlan1
no ip address
no ip route-cache
13
shutdown
!
line con 0
line vty 5 15
!
End
Switch#Show startup-config
!
version 12.1
!
hostname Switch
!
!
description Host1
no ip address
!
!
no ip address
!
interface Vlan1
no ip address
no ip route-cache
shutdown
!
line con 0
line vty 5 15
!
end
Another interesting command to view the connectivity status of various
interfaces is show interface status
Switch#show interface status
Port
Fa0/1
Fa0/2
Fa0/3
Fa0/4
Fa0/5
Fa0/6
Fa0/7
Fa0/8
Fa0/9
Fa0/10
Fa0/11
Fa0/12
Name
Host1
Status
connected
notconnect
notconnect
notconnect
notconnect
notconnect
notconnect
notconnect
notconnect
notconnect
notconnect
notconnect
Vlan
1
1
1
1
1
1
1
1
1
1
1
1
Duplex
a-half
auto
auto
auto
auto
auto
auto
auto
auto
auto
auto
auto
Speed
a-10
auto
auto
auto
auto
auto
auto
auto
auto
auto
auto
auto
Type
10/100BaseTX
10/100BaseTX
10/100BaseTX
10/100BaseTX
10/100BaseTX
10/100BaseTX
10/100BaseTX
10/100BaseTX
10/100BaseTX
10/100BaseTX
10/100BaseTX
10/100BaseTX
Now, lets see the content of the mac-address-table of our switch after disconnecting all connected computers (no devices connected to
any interface of the switch) using the show mac-address-table
command
14
Switch#show mac-address-table
Mac Address Table
-----------------------------------------Vlan
Mac Address
Type
Ports
--------------------No entries are seen! Lets connect a host (computer) to port no. 1 and
generate some traffic from it.
As soon as we connect the host to the switch in the port 1 the
following message can be observed on the screen
02:18:06:%LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to up
02:18:07: %LINEPROTO-5-UPDOWN: Line protocol on Interface
FastEthernet0/1, changed state to up
To generate traffic (for the switch to learn from source address of
frame) well ping from the host to some IP address & then execute the
show mac-address-table command again.
Switch2950#sh mac-address-table
Mac Address Table
-----------------------------------------Vlan
Mac Address
Type
Ports
--------------------1
0040.33a0.4bc7
Dynamic
Fa0/1
Total Mac Addresses for this criterion: 1
The above table reveals the mac address of the host connected to
interface fa0/1. It also reveals that this is a dynamically learnt
entry.
If 2 switches are interconnected directly to each other (cascading)
lets see what happens. We shall use this simple diagram for better
understanding.
F0/12
F0/12
Switch A
F0/1
0000.0000.0002
Switch B
F0/2
0000.0000.0001
F0/1
0000.0000.000A
F0/2
0000.0000.000B
15
Now we see Switch As mac address table as below
SwitchA#sh mac-address-table
Mac Address Table
-----------------------------------------Vlan
Mac Address
Type
Ports
--------------------1
0000.0000.0002
Dynamic
Fa0/1
1
0000.0000.0001
Dynamic
Fa0/2
1
0000.0000.000A
Dynamic
Fa0/12
1
0000.0000.000B
Dynamic
Fa0/12
1
0000.0000.00B1
Dynamic
Fa0/12
1
0000.0000.00B2
Dynamic
Fa0/12
We observe that this switch reveals the cascaded switch Bs connected
host mac addresses and switch Bs Base Mac address (0000.0000.00B1) &
switch Bs cascade interface Fa0/12 Mac address (0000.0000.00B2) also.
A similar output would be seen for switch Bs mac table (shown below).
The base Mac Address is common for the entire switch while every
interface of the switch has a unique Mac address of its own also.
SwitchB#sh mac-address-table
Mac Address Table
-----------------------------------------Vlan
Mac Address
Type
Ports
--------------------1
0000.0000.000A
Dynamic
Fa0/1
1
0000.0000.000B
Dynamic
Fa0/2
1
0000.0000.0001
Dynamic
Fa0/12
1
0000.0000.0002
Dynamic
Fa0/12
1
0000.0000.00A1
Dynamic
Fa0/12
1
0000.0000.00A2
Dynamic
Fa0/12
Lets see what show interface status command reveals
SwitchA#show interface status
Port
Name
Status
<output omitted>
Fa0/9
notconnect
Fa0/10
notconnect
Fa0/11
notconnect
Fa0/12
Trunk
SwitchB#show interface status
Port
Name
Status
<output omitted>
Fa0/9
notconnect
Fa0/10
notconnect
Fa0/11
notconnect
Fa0/12
Trunk
Vlan
1
1
1
1
Vlan
1
1
1
1
Duplex
auto
auto
auto
auto
Duplex
auto
auto
auto
auto
Speed Type
auto
auto
auto
auto
10/100BaseTX
10/100BaseTX
10/100BaseTX
10/100BaseTX
Speed Type
auto
auto
auto
auto
10/100BaseTX
10/100BaseTX
10/100BaseTX
10/100BaseTX
It displays the cascade link as TRUNK.

Another interesting command to view various details regarding the
switchs configuration is show version
16
Switch#show version
Cisco Internetwork Operating System Software
IOS (tm) C2950 Software (C2950-I6Q4L2-M), Version 12.1(12c)EA1, RELEASE
SOFTWARE (fc1)
Copyright (c) 1986-2002 by cisco Systems, Inc.
Compiled Sun 24-Nov-02 23:31 by antonino
Image text-base: 0x80010000, data-base: 0x80562000
ROM: Bootstrap program is CALHOUN boot loader
Switch uptime is 4 hours, 33 minutes
System returned to ROM by power-on
System image file is "flash:/c2950-i6q4l2-mz.121-12c.EA1.bin"
cisco WS-C2950-12 (RC32300) processor (revision K0) with 21002K bytes
of memory.
Processor board ID FOC0739W1K0
Last reset from system-reset
Running Standard Image
12 FastEthernet/IEEE 802.3 interface(s)
32K bytes of flash-simulated non-volatile configuration memory.
Base ethernet MAC Address: 00:0D:ED:5B:49:C0
Motherboard assembly number: 73-5782-12
Power supply part number: 34-0965-01
Motherboard serial number: FOC07391MM3
Power supply serial number: PHI073402LD
Model revision number: K0
Motherboard revision number: A0
Model number: WS-C2950-12
System serial number: FOC0739W1K0
Configuration register is 0xF
To save our current configuration from RAM to NVRAM (startup
configuration) we use the command copy running-configuration startupconfiguration (Alternately the write command may also be used)
Switch#copy running-config startup-config
Destination filename [startup-config]?
[OK]
If we want to restart the switch use the following command
Switch#Reload (used to warm boot the switch)
To clear all the contents of the mac table, use the below command (this
will remove only dynamic entries. Static/Permanent entries will not be
removed).
Switch#clear mac-address-table *
To delete the startup configuration, use
Switch#erase startup-config
To change our switch name to Switch2950
17
Switch(config)#hostname Switch2950
Switch2950(config)#
To configure secret (encrypted) password for privilege mode (password
is set as cisco1 in the below example)
Switch2950(config)#enable secret cisco1
After configuring the secret password let see the output in show
running-config command
Switch2950#show run
<output omitted>
hostname Switch2950
!
enable secret 5 $1$z9ZE$mO/4D6DgtZcTrmzmyX3Ys/ (this is how the
encrypted password is seen)
!
<output omitted>
End
To configure enable password for privilege mode
Switch2950(config)#enable password cisco (to configure enable password
for privilege mode)
Switch2950#sh run
<output omitted>
hostname Switch2950
!
enable password cisco (our password is in clear text which is in
readable format)
!
<output omitted>
end
To configure the console password, the following is the sequence.
Switch2950(config)#line console 0
Switch2950(config-line)#login
% Login disabled on line 0, until 'password' is set
Switch2950(config-line)#password cisco
show running-config reveals
!
line con 0
password cisco
login
!
<Out put omitted>
18
If we restart / relogin into the switch, it asks for the password in
the beginning itself
Switch2950 con0 is now available
User Access Verification
Password: (here we have to supply the console 0 password to get into
user exec mode)
Lets observe the whole running-config output
Switch# show running-config
!
version 12.1
no service single-slot-reload-enable
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Switch
!
enable secret 5 $1$z9ZE$mO/4D6DgtZcTrmzmyX3Ys/
enable password cisco
!
ip subnet-zero
!
!
description Host1
no ip address
!
no ip address
!
no ip address
!
no ip address
!
no ip address
!
no ip address
!
no ip address
!
19
no ip address
!
no ip address
!
no ip address
!
no ip address
!
!
interface Vlan1
no ip address
shutdown
!
ip http server
!
!
line con 0
password cisco
login
line vty 0 4
line vty 5 15
!
End
Note: if both secret and enable passwords exist, only secret will be
used to get into privilege mode.
Lets say we have some remote administrators wholl logon into this
switch remotely. (They can do so because Cisco switches run terminal
services). However, setting the vty password is a must for telnet
access & this is how we do it.
Lets start configuring the VTY sessions
Switch2950(config)#line vty 0 15
Switch2950(config-line)#login
20
This reveals that 16 simultaneous telnet sessions are possible! we have
to configure the password to enable all these 16 sessions
Switch2950(config-line)#password cisco
Switch2950(config-line)#
This config alone is not sufficient for telnetting. We need to define
an IP address to the switch and only then telnet is possible. Where do
we configure an IP address in the switch ?
Switch2950>enable
Switch2950#configure terminal
Switch2950(config)#interface vlan 1
Switch2950(config-if)#ip address 1.1.1.1 255.0.0.0 (this is the command
to configure ip address for an interface).
So, we configure the IP address to VLAN1 (well learn more about vlan
later).
Switch2950(config-if)#no shutdown (after assigning the ip address we
have enable the interface using the NO SHUTDOWN command). We will be
able to see the below message.
01:33:27: %LINK-3-UPDOWN: Interface Vlan1, changed state to up
01:33:29: %LINK-3-UPDOWN: Interface Vlan1, Line Protocol changed state
to up
Lets now see how we can control the speed & Duplex operation of the
switch
Switch2950(config)#interface fastethernet 0/1
Switch2950(config-if)#duplex half
Note : Duplex will not be set until speed is set to non-auto value
Switch2950(config-if)#speed 10
Switch2950(config-if)#duplex half
Now check the out put in show interface status command
Switch#show interface status
Port
Fa0/1
Fa0/2
Fa0/3
Fa0/4
Fa0/5
Fa0/6
Fa0/7
Fa0/8
Fa0/9
Fa0/10
Fa0/11
Fa0/12
Name
Host1
Status
connected
notconnect
notconnect
notconnect
notconnect
notconnect
notconnect
notconnect
notconnect
notconnect
notconnect
notconnect
Vlan
1
1
1
1
1
1
1
1
1
1
1
1
Duplex
half
auto
auto
auto
auto
auto
auto
auto
auto
auto
auto
auto
Speed
10
auto
auto
auto
auto
auto
auto
auto
auto
auto
auto
auto
Type
10/100BaseTX
10/100BaseTX
10/100BaseTX
10/100BaseTX
10/100BaseTX
10/100BaseTX
10/100BaseTX
10/100BaseTX
10/100BaseTX
10/100BaseTX
10/100BaseTX
10/100BaseTX
21
Had the switch auto negotiated, the output would have been
Port
Name
Status
Vlan
Duplex Speed
Fa0/1
Host1
connected
1
a-half
a-10
Fa0/2
notconnect
1
auto
auto
Fa0/3
notconnect
1
auto
auto
Fa0/4
notconnect
1
auto
auto
Fa0/5
notconnect
1
auto
auto
Fa0/6
notconnect
1
auto
auto
Fa0/7
notconnect
1
auto
auto
Fa0/8
notconnect
1
auto
auto
Fa0/9
notconnect
1
auto
auto
Fa0/10
notconnect
1
auto
auto
Fa0/11
notconnect
1
auto
auto
Fa0/12
notconnect
1
auto
auto
Type
10/100BaseTX
10/100BaseTX
10/100BaseTX
10/100BaseTX
10/100BaseTX
10/100BaseTX
10/100BaseTX
10/100BaseTX
10/100BaseTX
10/100BaseTX
10/100BaseTX
10/100BaseTX
a-half
a-10 means auto negotiated with connected device to half
duplex & 10 Mbps.
PORT SECURITY : Lets now learn how switch interfaces can be configured
to allow connectivity only for pre-defined hosts (based on their MacAddresses). This is done on a per interface basis.
Before configuring port security for the interfaces, lets see the
output of show port-security command
Switch#show port-security
Secure Port MaxSecureAddr CurrentAddr SecurityViolation Security Action
(Count)
(Count)
(Count)
--------------------------------------------------------------------------------------------------------------------------------------------Total Addresses in System : 0
Max Addresses limit in System : 1024
Now lets configure port security for interface Fa 0/1 only system
with mac id 0000.0000.a111 should be allowed connectivity any other
device connection to this interface should result in the interface
shutting down.
Manual port security
Switch2950(config-if)#switchport mode access
Switch2950(config-if)#switchport port-security
Switch2950(config-if)#switchport port-security mac-address
0000.0000.A111
See the output in show running-config & show port-security
Switch2950#sh run
!
hostname Switch2950
!
!
!
22
switchport mode access
switchport port-security
switchport port-security mac-address 0000.0000.A111
no ip address
duplex half
speed 10
<output omitted>
Switch2950#show port-security
(Count)
(Count)
(Count)
----------------------------------------------------------------------Fa0/1
1
1
0
Shutdown
----------------------------------------------------------------------Total Addresses in System : 0
We can also ask the switch to auto-learn the mac address of the
connected host using the keyword sticky
Switch2950(config-if)#switchport port-security mac-address sticky
After configuring sticky if any traffic comes to the interface
fastethernet 0/2 of the switch will learn the mac-address and secure
it.
Switch2950#show running-config
!
hostname Switch2950
!
!
!
switchport port-security mac-address sticky
no ip address
<output ommitted>
(Count)
(Count)
(Count)
----------------------------------------------------------------------Fa0/1
1
1
0
Shutdown
Fa0/2
1
1
0
Shutdown
23
By default, only one mac-address will be locked to the interface this
can be changed as demonstrated below.
Increasing the maximum count of mac-address secured for the interface
Switch2950(config-if)#switchport port-security maximum
4 <0-132>
Switch2950#sh run
!
hostname Switch2950
!
!
switchport port-security maximum 4
no ip address
<output omitted>
(Count)
(Count)
(Count)
----------------------------------------------------------------------Fa0/1
1
1
0
Shutdown
Fa0/2
1
1
0
Shutdown
Fa0/3
4
0
0
Shutdown
The security action is shutdown by default & we can change this among
one of 3 modes.
Shutdown (default) - if violation happens interface will shutdown
automatically
Protect (dont log) - if violation happens interface wont shutdown,
wont allow for communication, wont log any error
Restrict (do log) - if violation happens interface wont shutdown but
no communication will be allowed & an alert would be sent / SNMP trap
sent.
The configuration may be done as shown below.
Switch2950(config-if)#switchport port-security violation shutdown /
protect / restrict
If we chose protect
24
Switch2950#sh run
!
hostname Switch2950
!
!
switchport port-security violation protect
no ip address
<output omitted>
(Count)
(Count)
(Count)
----------------------------------------------------------------------Fa0/1
1
1
0
Shutdown
Fa0/2
1
1
0
Shutdown
Fa0/3
4
0
0
Shutdown
Fa0/4
1
0
0
Protect
Spanning-tree protocol - L ets n ext d o som e b asic ob servation on S T P

F0/11
F0/11
Switch A
Switch B
1000.0000.000A
0000.0000.000A
With reference to the above diagram, the Root Bridge is Switch B

because it has the lowest mac-address 0000.0000.000A. Switch A will be
the non-root bridge. Lets see the output of show spanning-tree command
now.
SwitchB#show spanning-tree
VLAN0001
Spanning tree enabled protocol ieee
Root ID
Priority
32769
Address
0000.0000.000A
This bridge is the root
Hello Time
2 sec Max Age 20 sec
Bridge ID
Forward Delay 15 sec
Priority
32769 (priority 32768 sys-id-ext 1)
Address
0000.0000.000A
Hello Time
2 sec Max Age 20 sec Forward Delay 15 sec
Aging Time 300
25
Interface
Port ID
Designated
Port ID
Name
Prio.Nbr
Cost Sts
Cost Bridge ID
Prio.Nbr
------------ -------- --------- --- ------ -------------------------Fa0/11
128.1
100 FWD
0 32769 1000.0000.000A 128.1
SwitchA#show spanning-tree
VLAN0001
Spanning tree enabled protocol ieee
Root ID
Priority
32769
Address
0000.0000.000A
This bridge is the root
Hello Time
2 sec Max Age 20 sec
Bridge ID
Forward Delay 15 sec
Priority
32769 (priority 32768 sys-id-ext 1)
Address
1000.0000.000A
Hello Time
2 sec Max Age 20 sec Forward Delay 15 sec
Aging Time 300
Interface
Port ID
Designated
Port ID
Name
Prio.Nbr
Cost Sts
Cost Bridge ID
Prio.Nbr
----------- -------- --------- --- --------- -------------------- ----Fa0/11
128.1
100 FWD
0 32769 0000.0000.000A 128.1
The next major topic we would like to see is VLAN.
The output of show vlan command when no vlans are configured is
Switch2950#show vlan
VLAN Name
Status
Ports
---- ------------------------ --------- ------------------------------1
default
active
Fa0/1, Fa0/2, Fa0/3, Fa0/4
Fa0/5, Fa0/6, Fa0/7, Fa0/8
Fa0/9, Fa0/10, Fa0/11, Fa0/12
1002 fddi-default
active
1003 token-ring-default
active
1004 fddinet-default
active
1005 trnet-default
active
VLAN
---1
1002
1003
1004
1005
Type
----enet
fddi
tr
fdnet
trnet
SAID
-----100001
101002
101003
101004
101005
MTU Parent RingNo BridgeNo Stp BrdgMode Tran1 Tran2

---- ------ ------ -------- --- ------- ----- ----1500 0
0
1500 0
0
1500 srb
0
0
1500 ieee 0
0
1500 ibm 0
0
Remote SPAN VLANs

----------------------------------------------------------------------Primary Secondary Type
Ports
------- --------- ----------------- ----------------------------------We can observe that all the interfaces are associated with the default
VLAN1.
Now lets get on to creating STATIC VLANs & define port associations.
Two possibilities exist. One from the privilege mode (using VLAN
Database) & the second from global config mode.
26
Creating vlan using vlan database method
Switch2950#vlan database
Switch2950(vlan)#vlan 2 name CCNA creating VLAN with id 2 & name CCNA
VLAN 2 added:
Name: CCNA
Switch2950(vlan)#apply to save the configuration
APPLY completed.
Switch2950(vlan)#exit implicit save & exit
APPLY completed.
Exiting....
Using ^Z will not save the config & we will also exit from vlan
database.
After Vlan is created see the output of show vlan command
VLAN Name
Status
Ports
---- -------------------------------- --------- ------------------------------1
default
active
Fa0/1, Fa0/2, Fa0/3, Fa0/4
Fa0/5, Fa0/6, Fa0/7, Fa0/8
Fa0/9, Fa0/10, Fa0/11, Fa0/12
2
CCNA
active
1002 fddi-default
active
active
active
1005 trnet-default
active
<output omitted>
Assigning vlan membership lets make interface fa0/4 a member of Vlan

2
Switch2950(config)#int fastEthernet 0/4
Switch2950(config-if)#switchport access vlan 2
Switch2950(config-if)# ^z
Interface 4 is now assigned to vlan 2
VLAN Name
Status
Ports
---- -------------------------------- --------- ------------------------------1
default
active
Fa0/1, Fa0/2, Fa0/3, Fa0/5
Fa0/6, Fa0/7, Fa0/8, Fa0/9
Fa0/10, Fa0/11, Fa0/12
2
CCNA
active
Fa0/4
1002 fddi-default
active
active
active
1005 trnet-default
active
<output omitted>
You are seeing the output from show run command after assigning the
membership for the interface 4
Switch2950#show run
27
!
!
switchport access vlan 2
no ip address
end
Lets repeat the above using the second method - Creating vlan using
global configuration mode
Switch2950(config)#vlan 3
Switch2950(config-vlan)#name CCNP
Switch2950(config-vlan)#exit
Output of show vlan command after creating vlan 3 in global
configuration mode
Switch2950#sh vlan
VLAN Name
Status
Ports
---- -------------------------------- --------- ------------------------------1
default
active
Fa0/1, Fa0/2, Fa0/3, Fa0/5
Fa0/6, Fa0/7, Fa0/8, Fa0/9
Fa0/10, Fa0/11, Fa0/12
2
CCNA
active
Fa0/4
3
CCNP
active
1002 fddi-default
active
active
active
1005 trnet-default
active
We can see that the outcome is the same wherever we create the VLAN
from.
If we wanted to know the VTP Domain name, version used, VTP switch
mode, we use the command show vtp status
Switch2950#show vtp status
VTP Version
Configuration Revision
Maximum VLANs supported locally
Number of existing VLANs
VTP Operating Mode
VTP Domain Name
VTP Pruning Mode
VTP V2 Mode
VTP Traps Generation
:
:
:
:
:
:
:
:
:
2
1
64
6
Server
Null
Disabled
Disabled
Disabled
Lets change the switch mode to CLIENT.

Switch2950(vlan)#vtp client
Setting device to VTP CLIENT mode.
The same task using global configuration mode Switch2950#configure terminal
28
Switch2950(config)#vtp mode Server / Client / Transparent
VTP Version
VTP Operating Mode
VTP Domain Name
VTP Pruning Mode
VTP V2 Mode
:
:
:
:
:
:
:
:
:
2
1
64
6
Client
Null
Disabled
Disabled
Disabled
Now we are going to change vtp domain name from Null to Cisco using
vlan database method
Switch2950(vlan)#vtp domain Cisco
Changing VTP domain name from Null to Cisco
Switch2950(vlan)#exit
APPLY completed.
Exiting....
Same task using global configuration mode
Switch(config)#vtp domain Cisco
Changing VTP domain name from Null to Cisco
VTP Version
VTP Operating Mode
VTP Domain Name
VTP Pruning Mode
VTP V2 Mode
:
:
:
:
:
:
:
:
:
2
0
64
6
Server
Cisco
Disabled
Disabled
Disabled
29
Lets see how mac address table reflects the vlan configuration in the
below case.
F0/12
F0/12
Switch A
F0/1
0000.0000.0002
Switch B
F0/2
0000.0000.0001
F0/1
0000.0000.000A
F0/2
0000.0000.000B
Vlan 1
Vlan 2
Switch A & Bs mac address table & interface status reveal SwitchA#sh mac-address-table
Mac Address Table
-----------------------------------------Vlan
Mac Address
Type
Ports
--------------------1
0000.0000.0002
Dynamic
Fa0/1
2
0000.0000.0001
Dynamic
Fa0/2
1
0000.0000.000A
Dynamic
Fa0/12
2
0000.0000.000B
Dynamic
Fa0/12
<other entries omitted>
SwitchB#sh mac-address-table
Mac Address Table
-----------------------------------------Vlan
Mac Address
Type
Ports
--------------------1
0000.0000.000A
Dynamic
Fa0/1
2
0000.0000.000B
Dynamic
Fa0/2
1
0000.0000.0001
Dynamic
Fa0/12
1
0000.0000.0002
Dynamic
Fa0/12
<other entries omitted>
30
SwitchA#show interface status
Port
Name
Status
Fa0/1
connected
Fa0/2
connected
Fa0/3
notconnect
Fa0/4
notconnect
Fa0/5
notconnect
Fa0/6
notconnect
Fa0/7
notconnect
Fa0/8
notconnect
Fa0/9
notconnect
Fa0/10
notconnect
Fa0/11
notconnect
Fa0/12
Trunk
Vlan
1
2
1
1
1
1
1
1
1
1
1
1
Duplex
full
full
auto
auto
auto
auto
auto
auto
auto
auto
auto
auto
Speed
100
100
auto
auto
auto
auto
auto
auto
auto
auto
auto
auto
Type
10/100BaseTX
10/100BaseTX
10/100BaseTX
10/100BaseTX
10/100BaseTX
10/100BaseTX
10/100BaseTX
10/100BaseTX
10/100BaseTX
10/100BaseTX
10/100BaseTX
10/100BaseTX
SwitchB#show interface status

Port
Name
Status
Fa0/1
connected
Fa0/2
connected
Fa0/3
notconnect
Fa0/4
notconnect
Fa0/5
notconnect
Fa0/6
notconnect
Fa0/7
notconnect
Fa0/8
notconnect
Fa0/9
notconnect
Fa0/10
notconnect
Fa0/11
notconnect
Fa0/12
Trunk
Vlan
1
2
1
1
1
1
1
1
1
1
1
1
Duplex
full
full
auto
auto
auto
auto
auto
auto
auto
auto
auto
auto
Speed
100
100
auto
auto
auto
auto
auto
auto
auto
auto
auto
auto
Type
10/100BaseTX
10/100BaseTX
10/100BaseTX
10/100BaseTX
10/100BaseTX
10/100BaseTX
10/100BaseTX
10/100BaseTX
10/100BaseTX
10/100BaseTX
10/100BaseTX
10/100BaseTX
To view trunk details we use the commands show interface <interface

id> trunk & show interface <interface id> switchport
SwitchA#show interface fastethernet 0/12 switchport
Name: Fa0/12
Switchport: Enabled
Administrative Mode: dynamic desirable
Operational Mode: dynamic
Administrative Trunking Encapsulation: dot1q
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
We can even configure the mac-address statically. The following command
is used.
SwitchA(config)#mac-address static 0000.0000.AAAA vlan 3 interface
fastEthernet 0/11
Then our mac-address table looks like this
SwitchA#sh mac-address-table
Mac Address Table
-----------------------------------------Vlan
Mac Address
Type
Ports
--------------------1
0000.0000.000A
Dynamic
Fa0/1
2
0000.0000.000B
Dynamic
Fa0/2
3
0000.0000.AAAA
Static
Fa0/11
1
0000.0000.0001
Dynamic
Fa0/12
31
1
0000.0000.0002
Dynamic
Fa0/12
32
Routing
33
Static Routes
There are actually two ways that a router can learn a static route.
First, a router will look at its active interfaces, examine the
addresses configured on the interfaces and determine the corresponding
network numbers, and populate the routing table with this information.
This is commonly called a connected route.
The following example shows the routing table of a Router whose
Ethernet 0 interface has been configured with an IP Address 10.0.0.1 &
Serial 0 with 192.168.1.1. To view the Routing table, use the command
show ip route
Router_1#show ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B
BGP D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter
area N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external
type 2 E1 - OSPF external type 1, E2 - OSPF external type 2, E
EGP i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - ISIS inter area * - candidate default, U - per-user static route,
o ODR P - periodic downloaded static route
Gateway of last resort is not set
C
C
10.0.0.0/8 is directly connected, Ethernet0

192.168.1.0/24 is directly connected, Serial0
Explanation of the Routing Table Entries :

The top portion of the display for this command has a table of codes.
These codes, which describe a type of route that may appear in the
routing table, are shown in the first column at the bottom part of the
display.
C represents that its a directly connected network.
This is followed by Network ID & to which interface that network is
connected.
In 10.0.0.0/8, the /8 represents the subnet mask 255.0.0.0
Note : If we hadnt configured any IP address on the router, there
would be no entries in the routing table it would have been empty.
34
The second way is when we manually configure it. A static route is a

manually configured route on the router. Consider the below network
with IP addresses configured as shown.
192.168.1.1
S0
R1
192.168.1.2
S1
172.16.0.1
S0
172.16.0.2
S1
R2
E0
10.0.0.1
R3
E0
20.0.0.1
E0
30.0.0.1
Static Route Configuration

To configure a static route for IP, use one of these two commands:
Router(config)#ip route <Dest_Net_ID><subnet_mask><next_hop IP_address>
-orRouter(config)#ip route <Dest_Net_ID>< subnet_mask>< interface_to_exit>
The first parameter that you must specify is the destination network
number.
After the subnet mask parameter, you have two ways to specify how to
reach the destination network:
(i)By specifying the next hop neighbors IP address
as this is suitable for all environments)
(safe to use this
or
(ii)The routers specific exit interface to reach a destination
network. (Use this method if it is a point-to-point link only). In this
instance, you must specify the name of the interface on the router,
like serial0.
Here below is the configuration
neighbors IP address.
R1#sh run
version 12.2
of
Router
R1
with
the
next
hop
35
interface Ethernet0
ip address 10.0.0.1 255.0.0.0
!
interface Serial0
ip address 192.168.1.1 255.255.255.0
no fair-queue
clockrate 64000
!
ip route 20.0.0.0 255.0.0.0 192.168.1.2
ip route 30.0.0.0 255.0.0.0 192.168.1.2
ip route 172.16.0.0 255.255.0.0 192.168.1.2
ip http server
!
line con 0
transport input none
line aux 0
!
end
The following shows the routing table of a Router (R1 the leftmost
Router) with Static Routes configured.
R1#sh ip route
S
S
C
C
S
20.0.0.0/8 [1/0] via 192.168.1.2

172.16.0.0/16 [1/0] via 192.168.1.2
30.0.0.0/8 [1/0] via 192.168.1.2
This shows additional entries (configuration discussed next) with S

representing manually configured static routes.
Consider the entry - S
20.0.0.0/8 [1/0] via 192.168.1.2
Two values in [1 / 0] represent the Administrative Distance (AD) &

Metric value respectively (details discussed in separate section).
Suffice to remember that the first value is the AD value and its
default value is 1 for a static route. The next value indicates the
metric & the default value of a statically configured route is always
0.
via 192.168.1.2 represents the gateway address, i.e. the next routers
interface IP address this is the interface through which the data has
to travel from R1 to reach destination Network 20.0.0.0 (which is
connected to router R2).
36
Here below is the configuration of Router R2 with the exit interface
configuration.
R2#sh run
!
interface Ethernet0
ip address 20.0.0.1 255.0.0.0
!
interface Serial0
ip address 172.16.0.1 255.255.0.0
clockrate 64000
!
interface Serial1
ip address 192.168.1.2 255.255.255.0
!
no ip http server
ip classless
ip route 10.0.0.0 255.0.0.0 Serial1
ip route 30.0.0.0 255.0.0.0 172.16.0.2
!
line con 0
line aux 0
line vty 0 4
password cisco
login
!
!
end
The following table shows the routing table of R2
R2#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS
level-2 ia - IS-IS inter area, * - candidate default, U - peruser static route o - ODR, P - periodic downloaded static route
C
C
S
C
S

30.0.0.0/8 [1/0] via 172.16.0.2
In this example, there are three connected routes, and two static
routes. The static route (10.0.0.0) is treated as a directly connected
route, since it was created by specifying the interface to exit the
router SERIAL1.
37
BACKUP ROUTE
While configuring static route, optionally you can change the
administrative distance of a static route. If you omit this value, it
will have one of two defaults, depending on the configuration of the
previous parameter. If you specified the next hop neighbors IP
address, then the administrative distance defaults to 1. If you
specified the interface on the router it should use to reach the
destination, the router treats the route as a connected route and
assigns an administrative distance of 0 to it.
Please note that you can create multiple static routes to the same
destination. For instance, you might have primary and backup paths to
the destination. For the primary path, use the default administrative
distance value. For the backup path, use a number higher than this,
such as 2. Once you have configured a backup path, the router will use
the primary path, and if the interface on the router fails for the
primary path, the router will use the backup route.
The configuration of Router R3 with the interface the router should
exit to reach the destination network with a administrative distance
value of 2 and also with the next hop neighbors IP address pointing to
Router R2.
192.168.1.1
S0
R1
E0
10.0.0.1
192.168.1.2
S1
S0
172.16.0.1
R2
E0
20.0.0.1
R3#sh run
!
version 12.2
!
!
interface Ethernet0
ip address 30.0.0.1 255.0.0.0
duplex auto
speed auto
!
interface Serial0
ip address 172.16.0.2 255.255.0.0
!
interface Serial1
ip address 200.0.0.2 255.255.255.0
S1
200.0.0.1
172.16.0.2
S1
R3
S0
200.0.0.2
E0
30.0.0.1
38
!
ip route 20.0.0.0 255.0.0.0 172.16.0.1
ip route 20.0.0.0 255.0.0.0 Serial0 2
ip http server
!
!
line con 0
logging synchronous
line aux 0
line vty 0 4
password cisco
login
!
end
The following example shows the routing table of R3
R3#sh ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B BGP D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter
S
C
C
C
20.0.0.0/8 [1/0] via 172.16.0.1

Mark here that even though we have configured 20.0.0.0 network with the
outgoing interface Serial0 , it has not been populated in the routing
table because of higher Administrative Distance number.
172.16.0.1
S0
R2
E0
20.0.0.1
172.16.0.2
S1
R3
E0
30.0.0.1
Default Route Configuration

A default route is a special type of static route. Where a static route
specifies a path a router should use to reach a specific destination, a
default route specifies a path the router should use if it doesnt know
39
how to reach the destination. Sometimes this is also referred to as a
gateway of last resort.
Note that if a router does not have any path in its routing table
telling it how to reach a destination, and the router receives a packet
destined for this network, the router will drop the packet. Therefore,
a default route can serve as a catch-all: if there is no specific path
to the destination, the router will use the default route to reach it.
To set up a default route, use the following syntax for a static route:
Router(config)#ip route 0.0.0.0 0.0.0.0 IP_address_of_next_hop_neighbor
-orRouter(config)# ip route 0.0.0.0 0.0.0.0 interface_to_exit
The network number of 0.0.0.0/0 represents all networks, and a mask of
all 0s in the bit position represents all hosts in the specified
network.
The configuration of Router R3 with a default route is shown below.
R3#sh run
interface Ethernet0
ip address 30.0.0.1 255.0.0.0
duplex auto
speed auto
!
interface Serial1
ip address 172.16.0.2 255.255.0.0
!
ip route 0.0.0.0 0.0.0.0 Serial1
line con 0
!
end
The following table shows the routing table of R3
R3#sh ip route
Gateway of last resort is Serial0 to network 0.0.0.0
C
C
S*

0.0.0.0/0 [1/0] via Serial0
40
RIP
We shall have a simple setup to learn how RIP routing is enabled and
also try to find out what happens dynamically when a network change
occurs.
In this exercise, to emulate connected networks, well create virtual
interfaces called loopback interfaces. Well identify and configure
clockrate on DCE interfaces. Well verify our IP configuration using
the show ip interface brief command & finally enable RIP routing
protocol.
1.1.1.1
L0
Router1
11.0.0.1
11
Serial 1
3.3.3.3
L0
11.0.0.2
2
Serial 0
Router3
1. To create a loopback interface use the interface loopback <id>

command. This is very similar to a regular interface command
loopback automatically gets created.
Create a loopback interface in Router1

Router1(config)#int loopback 0
Router1(config-if)#ip address 1.1.1.1 255.0.0.0
Rotuer1(config-if)#exit
Create a loopback interface in Router3
Rotuer3(config)#int loopback 0
Rotuer3(config-if)#ip address 3.3.3.3 255.0.0.0
Rotuer3(config-if)#exit
2. We also need to identify if the WAN serial interface is a DCE or DTE
using show controllers serial 0 command because the DCE provides
clocking.
Router1#sh controller s 1
HD unit 0, idb = 0x29A524, driver structure at 0x2A1AE8
buffer size 1524 HD unit 0, V.35 DTE cable
cpb = 0xE1, eda = 0x4940, cda = 0x4800
RX ring with 16 entries at 0xE14800
00 bd_ptr=0x4800 pak=0x2A5AFC ds=0xE1ECC8 status=00 pak_size=0
01 bd_ptr=0x4814 pak=0x2A584C ds=0xE1E60C status=00 pak_size=0
02 bd_ptr=0x4828 pak=0x2A559C ds=0xE1DF50 status=00 pak_size=0
03 bd_ptr=0x483C pak=0x2A52EC ds=0xE1D894 status=00 pak_size=0
04 bd_ptr=0x4850 pak=0x2A503C ds=0xE1D1D8 status=00 pak_size=0
<output omitted>
Rotuer3#show controllers serial 0
HD unit 0, idb = 0x2A1B80, driver structure at 0x2A9140
41
buffer size 1524 HD unit 0, V.35 DCE cable
cpb = 0xE2, eda = 0x2940, cda = 0x2800
RX ring with 16 entries at 0xE22800
00 bd_ptr=0x2800 pak=0x2AD158 ds=0xE2C60C status=80
01 bd_ptr=0x2814 pak=0x2ACEA8 ds=0xE2BF50 status=80
02 bd_ptr=0x2828 pak=0x2ACBF8 ds=0xE2B894 status=80
03 bd_ptr=0x283C pak=0x2AC948 ds=0xE2B1D8 status=80
04 bd_ptr=0x2850 pak=0x2AC698 ds=0xE2AB1C status=80
pak_size=0
pak_size=0
pak_size=0
pak_size=0
pak_size=0
<output omitted>
The above reveals that Router3s serial interface is the DCE end &
implies that we need to configure the clockrate on Router3s S0
interface using the clock rate <value> command.
Router3(Config-if)#clock rate 64000
We can also view the enabled ROUTED PROTOCOL using show protocols
command.
(This reveals that IP is enabled).
Rotuer3#show protocols
Global values:
Internet Protocol routing is enabled
Ethernet0 is administratively down, line protocol is down
Ethernet1 is administratively down, line protocol is down
Loopback0 is up, line protocol is up
Internet address is 3.3.3.3/8
Serial0 is up, line protocol is up
Serial1 is administratively down, line protocol is down
When no routing protocol is configured, the Routing table displays
directly connected routes only (after configuring serial interface ip
address also).
Router3#show ip route
BGP D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter
area * - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route
C
C
3.0.0.0/8 is directly connected, Loopback0

3. Another useful command (to view various interface status) is the

show ip interface brief.
Router1#show ip interface brief
Interface
IP-Address
OK? Method Status
Protocol
42
Ethernet0
Loopback0
Serial0
Serial1
unassigned
1.1.1.1
unassigned
11.0.0.1
YES
YES
YES
YES
NVRAM
manual
NVRAM
manual
administratively down down

up
up
administratively down down
up
up
The method column tells us whether the interface configuration was

taken from NVRAM (startup-config) or was manually configured by the
administrator. The status & Protocol reveal the link (connected
network) status.
If status shows as up, the link is OK. If it shows as down, the network
is down. If its administratively down, it means that the network has
been manually shut down using the shutdown command. If protocol shows
as down, it means that the line protocol is not properly configured.
Typically either the encapsulation or the clock rate is not configured
properly.
ENABLING RIP PROTOCOL

Lets now enable the RIP Routing Protocol using Router RIP command &
publish directly connected Networks using Network <Network id>
command
Router3(config)#router rip
Router3(config-router)#Network 3.0.0.0
Router3(config-router)#Network 11.0.0.0
Router3(config-router)#end
Router3#
Lets see if the above 3 configurations are reflected in the runningconfig output
Router3#show running-config
!
version 12.2
no service single-slot-reload-enable
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Router3
!
logging rate-limit console 10 except errors
!
ip subnet-zero
no ip finger
!
no ip dhcp-client network-discovery
!
interface Loopback0
ip address 3.3.3.3 255.0.0.0
!
interface Ethernet0
43
no ip address
shutdown
!
interface Ethernet1
no ip address
shutdown
!
interface Serial0
ip address 11.0.0.2 255.0.0.0
clockrate 64000 <DCE interface>
!
interface Serial1
no ip address
shutdown
!
router rip
network 3.0.0.0
network 11.0.0.0
!
ip kerberos source-interface any
ip classless
ip http server
!
line con 0
line aux 0
line vty 0 4
password cisco
login
!
end
similarly in Router1,
Router1(config)#router rip
Router1(config-router)#network 1.0.0.0
Router1(config-router)#end
hostname Router1
!
interface Loopback0
ip address 1.1.1.1 255.0.0.0
!
interface Ethernet0
no ip address
shutdown
!
interface Serial0
no ip address
shutdown
!
interface Serial1
ip address 11.0.0.1 255.0.0.0
44
!
router rip
network 1.0.0.0
network 11.0.0.0
!
end
<output omitted>
We are clearly able to see the configuration changes in the runningconfig of both the routers. If we view Router1's routing table, well
be able to see what routes have been learnt through RIP.
Codes: C - connected, S - static, I - IGRP, R - RIP,
BGP D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external
E1 - OSPF external type 1, E2 - OSPF external type 2, E
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia area* - candidate default, U - per-user static route, o
M - mobile, B
inter area
type 2
- EGP
IS-IS inter
- ODR

C
R
C

3.0.0.0/8 [120/1] via 11.0.0.2, 00:00:05, Serial1
Consider the second entry of the routing table

R represents RIP learnt routes
[120/1] represents AD value of 120 for RIP & hop count of 1 to reach
network 3.0.0.0
via 11.0.0.2 denotes the gateway and also specifies that it is
reachable through router1's Serial 1 interface.
Router3's routing table displays similar entries
Rotuer3#sh ip route
BGP D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter
area * - candidate default, U - per-user static route, o - ODR
R
C
C
1.0.0.0/8 [120/1] via 11.0.0.1, 00:00:00, Serial0

To view more details regarding the configured Routing Protocol (RIP in

our case), let's use the show ip protocols command.
45
This will display routing protocol details along with certain
parameters like timers, default AD value, routed networks, RIP version
etc
Router3#sh ip protocols
Routing Protocol is "rip"
Sending updates every 30 seconds, next due in 2 seconds
Invalid after 180 seconds, hold down 180, flushed after 240
Outgoing update filter list for all interfaces is
Incoming update filter list for all interfaces is
Redistributing: rip
Default version control: send version 1, receive any version
Interface
Send Recv Triggered RIP Key-chain
Loopback0
1
1 2
Serial0
1
1 2
Automatic network summarization is in effect
Routing for Networks:
3.0.0.0
11.0.0.0
Routing Information Sources:
Gateway
Distance
Last Update
11.0.0.1
120
00:00:17
Distance: (default is 120)
Routing Protocol is "rip"
(Displays various timer values)
Redistributing: rip
Default version control: send version 1, receive any version
(Configured RIP Version is 1)
Interface
Send Recv Triggered RIP Key-chain
Loopback0
1
1 2
Serial1
1
1 2
Automatic network summarization is in effect
Routing for Networks: (Displays networks published)
1.0.0.0
11.0.0.0
Gateway
Distance
Last Update
11.0.0.2
120
00:00:16
Distance: (default is 120) (Displays default AD value)
To view what information is exchanged between routers running RIP,
let's debug the RIP's operation using debug ip rip command
Rotuer3#debug ip rip
RIP protocol debugging is on
Rotuer3#
01:05:49: RIP: received v1 update from 11.0.0.1 on Serial0
(V1 represents version 1)
01:05:49:
1.0.0.0 in 1 hops
(This is what is received from router1)
01:05:59: RIP: sending v1 update to 255.255.255.255 via Loopback0 (3.3.3.3)
(Broadcast update sent)
01:05:59: RIP: build update entries
46
01:05:59:
network 1.0.0.0 metric 2 (metric refers to hop count)
01:05:59:
network 11.0.0.0 metric 1
01:05:59: RIP: sending v1 update to 255.255.255.255 via Serial0 (11.0.0.2)
01:05:59:
(30 sec periodic update)
01:06:18:
1.0.0.0 in 1 hops
01:06:27:
01:06:27:
01:06:27:
Rotuer3#undebug all (to switch off all debugging)
Observe that full routing table is not sent as updates in all directions
because of split horizon rule. Lets see how similar the debug output is in
router1
Router1#debug ip rip
Router1#
01:07:50:
3.0.0.0 in 1 hops
01:08:05:
01:08:05:
01:08:05:
01:08:18:
3.0.0.0 in 1 hops
01:08:33:
01:08:33:
01:08:33:
Rotuer1#undebug all
To verify the dynamic nature of the routing protocol, let's emulate a

network going down by shutting down the loopback 0 of router1 & observe
the debug output
1.1.1.1
L0
3.3.3.3
11.0.0.1
Router1
Serial 1
Router1(config-if)#shut
L0
11.0.0.2
Serial 0
Router3
47
Router1(config-if)#
01:21:17: %LINK-5-CHANGED:
administratively down
Interface
Loopback0,
changed
state
to
Router1#debug ip rip
01:21:17: RIP: sending v1 flash update to 255.255.255.255 via Serial1
(11.0.0.1) (this indicates a Triggered Update)
01:21:17: RIP: build flash update entries
01:21:17:
(metric 16 means infinity for RIP route poisoning)
01:21:19:
1.0.0.0 in 16 hops (inaccessible)
(inaccessible implies that Poison-Reverse message is received from Router3)
01:21:22:
Router1(config-if)#^Z
Now this change is also reflected in the routing table a network

thats gone down is immediately removed from the routing table.
Router1#sh ip route
01:21:30: %SYS-5-CONFIG_I: Configured from console by consoleroute
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default, U - per-user static route, o - ODR

R
C
3.0.0.0/8 [120/1] via 11.0.0.2, 00:00:22, Serial1

The above experiment reveals

connectivity information
that
the
routers
exchange
network
(i)
During Startup
(ii) Periodically (once in 30 secs)
(iii) Triggered (whenever network changes occur)
We are also able to observe how split horizon functions to ensure
routing updates are not sent in the direction from where they were
learnt.
Route poisoning & poison reverse were also observed.
48
IGRP
1.1.1.1
L0
Router1
100.0.0.1
11
Serial 1
3.3.3.3
L0
100.0.0.2
2
Serial 0
Router3
In this scenario, lets complete the basic interface configurations,

check the routing table content without configuring the routing
protocol & then proceed with protocol configuration & verification.
A partial running-config output reveals interface configuration
Router1#sh run
<output omitted>
!
interface Loopback0
ip address 1.1.1.1 255.0.0.0
!
interface Serial1
ip address 100.0.0.1 255.0.0.0
<output omitted>
!
End
The routing table reveals that the connected networks are up
Router1#sh ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B BGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS
inter area * - candidate default, U - per-user static route, o
ODR P - periodic downloaded static route
C
C

Lets now configure IGRP routing protocol using

router igrp <AS number> command & publish connected networks using
network <network id> command.
Router1(config)#router igrp 100 (100 is the Autonomous System)
49
(publish directly connected networks)
The running config
configuration too.
on
routers
&
now
display
the
protocol
Router1#sh run
<output omitted>
!
interface Loopback0
ip address 1.1.1.1 255.0.0.0
!
interface Serial1
ip address 100.0.0.1 255.0.0.0
!
router igrp 100
network 1.0.0.0
network 100.0.0.0
!
<output omitted>
!
End
Router3(Config)#router igrp 100 (This AS number must be similar on all
the routers)
Router3(Config-router)# network 3.0.0.0
Router3(Config-router)# network 100.0.0.0
Router3#sh run
!
<output omitted>
!
interface Loopback0
ip address 3.3.3.3 255.0.0.0
!
interface Serial0
ip address 100.0.0.2 255.0.0.0
clockrate 64000
!
router igrp 100
network 3.0.0.0
network 100.0.0.0
!
<output omitted>
!
end
After configuring IGRP lets see if the routing tables of Routers 1 & 3
have information about IGRP learnt routes.
Router1#sh ip route
50
C
C
I

3.0.0.0/8 [100/8976] via 100.0.0.2, 00:00:01, Serial1
Router3#sh ip route
I
C
C
1.0.0.0/8 [100/8976] via 100.0.0.1, 00:01:03, Serial0

The I implies that this is an IGRP learnt route.

100 stands for the AD value &
8976 is the metric (composite BW & Delay)
sh ip protocols command gives us other useful information same as
what we saw for RIP.
Routing Protocol is "igrp 100"
Default networks flagged in outgoing updates
Default networks accepted from incoming updates
IGRP metric weight K1=1, K2=0, K3=1, K4=0, K5=0
IGRP maximum hopcount 100
IGRP maximum metric variance 1
Redistributing: igrp 100
1.0.0.0
100.0.0.0
Gateway
Distance
Last Update
100.0.0.2
100
00:00:09
Routing Protocol is "igrp 100"
51
Default networks flagged in outgoing updates
Default networks accepted from incoming updates
IGRP metric weight K1=1, K2=0, K3=1, K4=0, K5=0
IGRP maximum hopcount 100
IGRP maximum metric variance 1
Redistributing: igrp 100
3.0.0.0
100.0.0.0
Gateway
Distance
Last Update
100.0.0.1
100
00:00:13
Debug ip igrp transactions command give us details reg the metric,
updates etc
Rotuer3#debug ip igrp transactions
IGRP protocol debugging is on
Rotuer3#
00:29:14:IGRP: received update from 100.0.0.1 on Serial0
00:29:14:
network 1.0.0.0, metric 8976 (neighbor 501)
00:29:19:IGRP: sending update to 255.255.255.255 via Loopback0 (3.3.3.3)
00:29:19:
network 1.0.0.0, metric=8976
00:29:19:
00:29:19:IGRP: sending update to 255.255.255.255 via Serial0 (100.0.0.2)
00:29:19:
00:30:32:IGRP: sending update to 255.255.255.255 via Loopback0 (3.3.3.3)
00:30:32:
00:30:32:
00:30:32:IGRP: sending update to 255.255.255.255 via Serial0 (100.0.0.2)
00:30:32:
00:30:38:IGRP: received update from 100.0.0.1 on Serial0
00:30:38:
network 1.0.0.0, metric 8976 (neighbor 501)
Lets simulate a problem of network going down - on Router1. Well

shutdown the loopback 0 interface and this should reflect in router3s
Routing Table will display possibly down message for the hold-down
time period (280 secs).
1.1.1.1
L0
3.3.3.3
100.0.0.1
Router1
Serial 1
Router1(config-if)#shutdown
L0
100.0.0.2
Serial 0
Router3
52
Router1#sh run
!
hostname Router1
!
interface Loopback0
ip address 1.1.1.1 255.0.0.0
Shutdown
Observe the debug output after shutting down the loopback 0 interface
of router1 the metric value for network 1.0.0.0 goes to 4294967295
representing infinity.
Router3#debug ip igrp transactions
IGRP protocol debugging is on
00:47:00: IGRP: received update from 100.0.0.1 on Serial0
00:47:00:
network 1.0.0.0, metric 4294967295 (inaccessible)
00:47:00: IGRP: edition is now 3
00:47:00: IGRP: sending update to 255.255.255.255 via Loopback0 (3.3.3.3)
The routing table now reflects this change as possibly down doesnt
remove the entry immediately waits for hold-down timer to expire and
then decides to remove the entry/reinstate the entry if the network has
come up!
Rotuer3#sh ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default, U - per-user static route, o - ODR

I
C
C
1.0.0.0/8 is possibly down, routing via 100.0.0.1, Serial0

Note : If the entry were to be removed, its not done so immediately

after hold down timer expires. Its removed only after the flush timer
(630 secs) expires.
53
EIGRP
S0
25.0.0.1
1.1.1.1
L0
Router1
50.0.0.1
S1
S0
25.0.0.2
50.0.0.2
S1
3.3.3.3
Router3
L0
BASIC CONFIGURATION
In this case, well consider a slightly different scenario where we
have two paths to a destination. Well be able to understand redundancy
& load balancing also with this case study.
Lets first configure the Routers according to the above diagram &
observe the routing table without configuring the routing protocols.
Router1(config)#
Router1(config)#int loop 0
Router1(config-if)#ip add 1.1.1.1 255.0.0.0
Router1(config-if)#exit
Router1(config)#int s0
Router1(config-if)#no shut
Router1#sh ip route
C
C
C

Similarly Configure Router3 & check out its Routing Table

Router3(config-if)#clock rate 64000
54
Router3#sh ip route
C
C
C

I)EIGRP OPERATION WITH EQUAL COST LOAD BALANCING

ENABLING EIGRP
Now, well enable the routing protocol on both the routers using
Router EIGRP <AS number> command & publish Networks using
Network <Network id> command
Router1(config)#router eigrp 200
Router1(config-router)#net 1.0.0.0
Lets see how this configuration reflects in the running configuration
of Router1 & Router3
Router1#sh run
<output omitted>
interface Serial0
ip address 25.0.0.1 255.0.0.0
!
interface Serial1
ip address 50.0.0.1 255.0.0.0
!
router eigrp 200
network 1.0.0.0
network 25.0.0.0
network 50.0.0.0
auto-summary
(Observe this is automatically added!)
55
no eigrp log-neighbor-changes
!
<output omitted>
End
Router3#sh run
<output omitted>
interface Serial0
ip address 25.0.0.2 255.0.0.0
clockrate 64000
!
interface Serial1
ip address 50.0.0.2 255.0.0.0
clockrate 64000
!
router eigrp 200
network 3.0.0.0
network 25.0.0.0
network 50.0.0.0
auto-summary
(Automatically added indicating Auto-summarisation)
no eigrp log-neighbor-changes)
<output omitted>
End
THE ROUTING TABLE

As there are 2 equally good paths between the routers, 2 routes must be
seen in the routing table of these routers. We can also see D in the
first column of the highlighted entry indicating EIGRP learnt routes.
Router1#sh ip route
C
C
D
C

3.0.0.0/8 [90/2297856] via 25.0.0.2, 00:02:25, Serial0
[90/2297856] via 50.0.0.2, 00:02:25, Serial1
The above indicates two paths to reach network 3.0.0.0 from Router1. A
similar table can be seen in Router3.
Router3#sh ip route
56
D
C
C
C
1.0.0.0/8 [90/2297856] via 25.0.0.1, 00:03:08, Serial0

[90/2297856] via 50.0.0.1, 00:03:08, Serial1
The show ip route eigrp command displays only EIGRP learnt routes.
Router1#sh ip route eigrp
D
3.0.0.0/8 [90/2297856] via 25.0.0.2, 00:04:43, Serial0
[90/2297856] via 25.0.0.2, 00:04:43, Serial0
Router3#sh ip route eigrp
D
1.0.0.0/8 [90/2297856] via 25.0.0.1, 00:03:19, Serial0
[90/2297856] via 50.0.0.1, 00:03:19, Serial1
THE NEIGHBOR TABLE

Lets look at the neighbor table contents next.
We use the sh ip eigrp neighbors command.
In this case, the same neighbor is learnt via 2 paths & hence 2
entries. Had there been only one path between the 2 routers, only one
entry would be seen.
Router1#sh ip eigrp neighbors
IP-EIGRP neighbors for process 200
H
Address
Interface
Hold Uptime
SRTT
(sec)
(ms)
1
50.0.0.2
Se1
14 00:01:47
28
0
25.0.0.2
Se0
14 00:09:34
30
RTO
Q
Cnt
200 0
200 0
Seq Type
Num
6
5
The first column indicates the order of learning Neighbors.

The next column points the connected interface IP of the neighbor.
Third column is this routers interface through which the neighbor is
connected.
A similar table is seen on Router3 as well.
H
Address
Interface
Hold Uptime
SRTT
(sec)
(ms)
1
50.0.0.1
Se1
11 00:03:32
28
0
25.0.0.1
Se0
11 00:11:12 726
RTO
Q
Cnt
200 0
4356 0
Seq Type
Num
6
7
57
THE TOPOLOGY TABLE
Lets now view the topology table entries using the sh ip eigrp
topology command. We should be able to see the successor & feasible
successor apart from Feasible & Advertised Distance values.
Router1#sh ip eigrp topology
IP-EIGRP Topology Table for AS(200)/ID(1.1.1.1)
Codes: P - Passive, A - Active, U - Update, Q - Query, R - Reply,
r - reply Status, s - sia Status
P 1.0.0.0/8, 1 successors, FD is 128256
via Connected, Loopback0
via Summary (128256/0), Null0
via 50.0.0.2 (2297856/128256), Serial1 (Both are equally good)
via 25.0.0.2 (2297856/128256), Serial0 (Hence two successors )
via Connected, Serial0
In the highlighted entry (2297856/128256) 2297856 is the feasible
distance & 128256 is the advertised distance.
If both paths were with different metrics, the one with the best metric
would have been the successor & the other feasible successor. Then it
would display 1 successor & not 2 successors as well see in the next
section.
Pin the first column indicates that its in the passive state.
Lets observe Router3s Topology Table much the same !
via 50.0.0.1 (2297856/128256), Serial1
via 25.0.0.1 (2297856/128256), Serial0
58
II) EIGRP REDUNDANCY BACKUP PATH
S0
25.0.0.1
1.1.1.1
L0
Router1
50.0.0.1
S1
S0
25.0.0.2
50.0.0.2
S1
3.3.3.3
Router3
L0
Well change the bandwidth of both the paths ensuring they have
different metrics.
Router1#conf t
Router1(config-if)#bandwidth 128
Another useful command to view the running config of a specific
interface is sh run interface <type id>
Router1#sh run int s1
!
interface Serial1
bandwidth 128
ip address 50.0.0.2 255.0.0.0
end
Lets change on Router3 also
Router3#conf t
Router3(config-if)#bandwidth 128
Router3#sh run int s1
!
interface Serial1
bandwidth 128
ip address 50.0.0.2 255.0.0.0
clockrate 64000
end
Having changed the metrics, we now have one path which is better than
the other. So well be able to see only the best path in the Routing
table.
Router1#sh ip route
EGP i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-
59
IS inter area * - candidate default, U - per-user static route,
C
C
D
C

3.0.0.0/8 [90/2297856] via 25.0.0.2, 00:01:36, Serial0
If we see the topology table, well be able to see both the best
(successor) & the next best (feasible successor) paths
P 3.0.0.0/8, 1 successors, FD is 2297856 (1 successor is displayed)
via 25.0.0.2 (2297856/128256), Serial0
(Successor)
via 50.0.0.2 (20640000/128256), Serial1 (Feasible Successor)
However, the neighbor table is still the same.
Router1#sh ip eigrp nei
H
Address
Interface
Hold Uptime
SRTT
(sec)
(ms)
0
25.0.0.2
Se0
10 00:00:44
32
1
50.0.0.2
Se1
14 00:25:33
36
RTO
Q Seq Type
Cnt Num
200 0 25
1140 0 24
Lets see the tables of Router3

Router3#sh ip route
D
C
1.0.0.0/8 [90/2297856] via 25.0.0.1, 00:00:40, Serial0

60
C
C


via 25.0.0.1 (2297856/128256), Serial0
via 50.0.0.1 (20640000/128256), Serial1
H
Address
Interface
Hold Uptime
SRTT
(sec)
(ms)
0
25.0.0.1
Se0
13 00:01:56
29
1
50.0.0.1
Se1
10 00:26:51
38
RTO
Q
Cnt
200 0
1140 0
Seq Type
Num
23
22
Back up path
If the best path goes down, the feasible successor immediately gets
installed in the routing table. This is how the feasible successor
works like a backup path.
To simulate this situation, lets bring down Router1s Serial 0.
S0
25.0.0.1
1.1.1.1
L0
Router1
50.0.0.1
S1
S0
25.0.0.2
50.0.0.2
S1
3.3.3.3
Router3
L0
Router1#conf t
Router1(config-if)#shutdown
Router1#sh ip route
EGP i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-
61
IS inter area * - candidate default, U - per-user static route,
C
C
D

3.0.0.0/8 [90/20640000] via 50.0.0.2, 00:00:23, Serial1
The second path (feasible successor) is automatically installed in the

Routing table. Even the neighbor table displays only one entry,
indicating that only this link is up and the other is down.
H
Address
Interface
Hold Uptime
SRTT
(sec)
(ms)
1
50.0.0.2
Se1
10 00:15:46
53
RTO
Q Seq Type
Cnt Num
1140 0 15
Similar changes can be observed on Router3s tables as well.

Router3#sh ip route
D
C
C
1.0.0.0/8 [90/20640000] via 50.0.0.1, 00:01:03, Serial1


H
Address
Interface
Hold Uptime
SRTT
(sec)
(ms)
1
50.0.0.1
Se1
14 00:12:23
45
RTO
Q Seq Type
Cnt Num
1140 0 15
III) UNEQUAL COST LOAD BALANCING

S0
25.0.0.1
1.1.1.1
L0
Router1
50.0.0.1
S1
S0
25.0.0.2
50.0.0.2
S1
3.3.3.3
Router3
L0
If we want to ensure both the paths carry the traffic proportionately

(load balance), its possible for us to instruct IGRP & EIGRP to do
so using the variance <value> command.
62
In the above case, the ratio between the successor metric & the
feasible successor metric is 20640000 /2297856 = 8.98. Round it to 9.
If we choose a variance of 9, it means that all paths within this ratio
(w.r.t successor) would be considered for load balancing (max 6 paths).
Hence well be able to see the second entry in the Routing Table even
though its metric is not the best.
Shall we check it out? To do so, we must configure variance on Router1
& Router3.
Router1(config-router)#variance 10
Router3(config-router)#variance 10
Lets see how it reflects in the routing table.
C
C
D
C

3.0.0.0/8 [90/2297856] via 25.0.0.2, 00:00:01, Serial0
[90/20640000] via 50.0.0.2, 00:00:01, Serial1
D
C
C
C
1.0.0.0/8 [90/2297856] via 25.0.0.1, 00:00:03, Serial0

[90/20640000] via 50.0.0.1, 00:00:03, Serial1
This clearly tells us that traffic is carried proportionately on both

the paths.
63
OSPF
I) OSPF ON POINT-TO-POINT WAN LINK
OSPF offers the widest features & its behavior is different in
different environments. The first case well take up is point to point
WAN and understand OSPF operation. Consider the below diagram.
25.0.0.1
1.1.1.1
L0 Router 1 S0
3.3.3.3
25.0.0.2
Router
3
L0
S0
IP ADDRESS CONFIGURATION
Router1(config)#int serial 0
Router3(config)#int serial0
OSPF CONFIGURATION
To configure the OSPF Routing Protocol, we use router OSPF <process
id> syntax. A point to be noted is that the process id can be different
in different routers this does not refer to the Autonomous System
number like other protocols.
The command to publish Networks is
network <net id><wild card mask><area><area id>
Router1(config)#router ospf 1
Router1(config-router)#network 1.0.0.0 0.255.255.255 area 0
64
VERIFICATION
Lets verify OSPF configuration & operation just like we did with other
protocols.
Router1#sh run
!
hostname Router1
!
!
interface Loopback0
ip address 1.1.1.1 255.0.0.0
!
interface Serial0
ip address 25.0.0.1 255.0.0.0
!
router ospf 1
log-adjacency-changes
network 1.0.0.0 0.255.255.255 area 0
network 25.0.0.0 0.255.255.255 area 0
!
line con 0
line aux 0
line vty 0 4
password cisco
login
!
End
Router1#sh ip route
C
O
C

3.0.0.0/32 is subnetted, 1 subnets
3.3.3.3 [110/65] via 25.0.0.2, 00:04:41, Serial0
Router1#sh ip route ospf

O
3.3.3.3 [110/65] via 25.0.0.2, 00:04:47, Serial0
Router1#sh ip ospf neighbor
Neighbor ID Pri
3.3.3.3
1
State
FULL/
Dead Time
00:00:33
Address
25.0.0.2
Interface
Serial0
65
A new command is sh ip ospf interface. The highlighted part in the

output gives us some important information.
Router1#sh ip ospf interface
Internet Address 25.0.0.1/8, Area 0
Process ID 1, Router ID 1.1.1.1,Network Type POINT_TO_POINT, Cost: 64
Transmit Delay is 1 sec, State POINT_TO_POINT,
Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
Hello due in 00:00:05
Index 2/2, flood queue length 0
Next 0x0(0)/0x0(0)
Last flood scan length is 1, maximum is 1
Last flood scan time is 0 msec, maximum is 0 msec
Neighbor Count is 1, Adjacent neighbor count is 1
Adjacent with neighbor 3.3.3.3
Suppress hello for 0 neighbor(s)
Process ID 1, Router ID 1.1.1.1, Network Type LOOPBACK, Cost: 1
Loopback interface is treated as a stub Host
The database table will give us information about various types of link
state advertisements. In this example, we see only router link states
within a single area area 0
Each router in the area advertises details of links connected to it.
This advertisement is seen only within the area to which the router is
connected.
Link id represents the advertising routers router id ADV Router
also refers to the same info. Link count represents the no. of links
connected to this router within this area.
Router1#sh ip ospf database
OSPF Router with ID (1.1.1.1) (Process ID 1)
Router Link States (Area 0)
Link ID
1.1.1.1
3.3.3.3
ADV Router
1.1.1.1
3.3.3.3
Age
158
159
Seq#
Checksum Link count
0x80000003 0x9BAA
3
0x80000003 0xD163
3
Well be able to make similar observations on Router3 also.

Router3#sh run
!
hostname Router3
!
!
interface Loopback0
ip address 3.3.3.3 255.0.0.0
66
!
interface Serial0
ip address 25.0.0.2 255.0.0.0
clockrate 64000
!
router ospf 3
network 3.0.0.0 0.255.255.255 area 0
network 25.0.0.0 0.255.255.255 area 0
!
line con 0
line aux 0
line vty 0 4
password cisco
login
!
end
Router3#sh ip route
O
C
C

1.1.1.1 [110/65] via 25.0.0.1, 00:05:26, Serial0

O
1.1.1.1 [110/65] via 25.0.0.1, 00:05:29, Serial0
Neighbor ID
1.1.1.1
Pri
1
State
FULL/ -
Dead Time
00:00:39
Address
25.0.0.1
Interface
Serial0
Network type is shown as POINT_TO_POINT for a WAN link

Next 0x0(0)/0x0(0)
67
Link ID
1.1.1.1
3.3.3.3
ADV Router
1.1.1.1
3.3.3.3
Age
362
362
Seq#
Checksum Link count
0x80000003 0x9BAA
3
0x80000003 0xD163
3
II) OSPF IN LAN :
2.2.2.2 L0
Router 2
25.0.0.2 F0/0
1.1.1.1
25.0.0.1
Router
1
L0
E0
25.0.0.3
3.3.3.3
E0 Router 3 L0
Well be able to observe the election of DR & BDR. Well see additional
entries in database table.
CONFIGURATION
Router1(config)#int e0
68
Router2(config)#int f0/0
Router3(config)#int e0
Router1# sh run
!
hostname Router1
!
!
interface Loopback0
ip address 1.1.1.1 255.0.0.0
!
interface Ethernet0
ip address 25.0.0.1 255.0.0.0
!
router ospf 1
network 1.0.0.0 0.255.255.255 area 0
network 25.0.0.0 0.255.255.255 area 0
!
line con 0
line aux 0
line vty 0 4
password cisco
login
!
End
Router1#sh ip route
69
C
O
O
C

2.2.2.2 [110/11] via 25.0.0.2, 00:25:03, Ethernet0
3.3.3.3 [110/11] via 25.0.0.3, 00:25:03, Ethernet0

O
2.2.2.2 [110/11] via 25.0.0.2, 00:25:07, Ethernet0
O
3.3.3.3 [110/11] via 25.0.0.3, 00:25:07, Ethernet0
The neighbor table state tells us the state of each neighbor router
in the lan DR/BDR/DROTHER
Neighbor ID Pri
State
3.3.3.3
1
FULL/DROTHER
2.2.2.2
1
FULL/BDR
Dead Time
00:00:38
00:00:35
Address
25.0.0.3
25.0.0.2
Interface
Ethernet0
Ethernet0
In the below output, observe - Network type is shown as Broadcast.

Ethernet0 is up, line protocol is up
Process ID 1, Router ID 1.1.1.1, Network Type BROADCAST, Cost: 10
Transmit Delay is 1 sec, State DR, Priority 1
Designated Router (ID) 1.1.1.1, Interface address 25.0.0.1
Backup Designated router (ID) 2.2.2.2, Interface address 25.0.0.2
Next 0x0(0)/0x0(0)
Adjacent with neighbor 2.2.2.2 (Backup Designated Router)
An additional entry Net Link State displays the advertisement by
a DR in LAN. There would be as many entries as there are LANs in this
area.
70
Link ID
count
1.1.1.1
2.2.2.2
3.3.3.3
ADV Router
Age
Seq#
Checksum Link
1.1.1.1
2.2.2.2
3.3.3.3
1552
1553
1542
0x80000002 0xFBDB
0x80000003 0xEBB
0x80000002 0x2499
2
2
2
Net Link States (Area 0)

Link ID
25.0.0.1
ADV Router
1.1.1.1
Age
1542
Seq#
Checksum
0x80000002 0x748A
Link Id represents the Ethernet interface address of Router1 & Adv.

Router represents the Router id of Router1.
NOTE : Router id is the highest loopback address. If there is no
loopback defined, then its the highest active interface address.
Similar details can be seen on Router2 & Router3 as below.
Router2#sh ru
!
hostname "Router2"
!
!
interface Loopback0
ip address 2.2.2.2 255.0.0.0
!
ip address 25.0.0.2 255.0.0.0
duplex auto
speed auto
!
router ospf 2
network 2.0.0.0 0.255.255.255 area 0
network 25.0.0.0 0.255.255.255 area 0
!
line con 0
line aux 0
line vty 0 4
password cisco
login
!
end
Router2#sh ip route
71
O
C
O
C

1.1.1.1 [110/11] via 25.0.0.1, 00:27:37, FastEthernet0/0
25.0.0.0/8 is directly connected, FastEthernet0/0

O
O
FastEthernet0/0 is up, line protocol is up
Transmit Delay is 1 sec, State BDR, Priority 1
Next 0x0(0)/0x0(0)
Adjacent with neighbor 1.1.1.1 (Designated Router)
Neighbor ID Pri
State
3.3.3.3
1
FULL/DROTHER
1.1.1.1
1
FULL/DR
Dead Time Address

00:00:37 25.0.0.3
00:00:35 25.0.0.1
Interface
FastEthernet0/0
FastEthernet0/0
Observe that the Router database tables of all the routers within the
same area have the same details under ROUTER LINK STATES.
72
Link ID
count
1.1.1.1
2.2.2.2
3.3.3.3
ADV Router
Age
Seq#
Checksum Link
1.1.1.1
2.2.2.2
3.3.3.3
1705
1705
1695
0x80000002 0x00FBDB 2
0x80000003 0x000EBB 2
0x80000002 0x002499 2

Link ID
25.0.0.1
ADV Router
1.1.1.1
Age
1696
Seq#
Checksum
0x80000002 0x00748A
Router3#sh run
!
hostname Router3
!
!
interface Loopback0
ip address 3.3.3.3 255.0.0.0
!
interface Ethernet0
ip address 25.0.0.3 255.0.0.0
!
router ospf 3
network 3.0.0.0 0.255.255.255 area 0
network 25.0.0.0 0.255.255.255 area 0
!
line con 0
line aux 0
line vty 0 4
password cisco
login
!
end
Router3#sh ip route
O
O
C
C

1.1.1.1 [110/11] via 25.0.0.1, 00:30:16, Ethernet0
2.2.2.2 [110/11] via 25.0.0.2, 00:30:16, Ethernet0
73
O
1.1.1.1 [110/11] via 25.0.0.1, 00:30:21, Ethernet0
O
2.2.2.2 [110/11] via 25.0.0.2, 00:30:21, Ethernet0
Neighbor ID Pri
State
2.2.2.2
1
FULL/BDR
1.1.1.1
1
FULL/DR
Dead Time
00:00:31
00:00:31
Address
25.0.0.2
25.0.0.1
Interface
Ethernet0
Ethernet0

Transmit Delay is 1 sec, State DROTHER, Priority 1
Next 0x0(0)/0x0(0)
Adjacent with neighbor 2.2.2.2 (Backup Designated Router)
Adjacent with neighbor 1.1.1.1 (Designated Router)
Link ID
count
1.1.1.1
2.2.2.2
3.3.3.3
ADV Router
Age
Seq#
Checksum Link
1.1.1.1
2.2.2.2
3.3.3.3
37
1866
1856
0x80000003 0xF9DC
0x80000003 0xEBB
0x80000002 0x2499
2
2
2

Link ID
25.0.0.1
ADV Router
1.1.1.1
Age
38
Seq#
Checksum
0x80000003 0x728B
OSPF MULTI AREA

Well configure 3 routers in a multi-area environment comprising area
0, 1 & 2. The configuration & database table differences can be seen in
the relevant outputs.
74
Area1
Area 0
3.3.3.3 L0
Area 2
25.0.0.1
1.1.1.1
50.0.0.1
25.0.0.2
Router
50.0.0.2 Router 2 2.2.2.2
Router
1
S1
L0
Router 3 S0
S1
L0
1
S0/0
CONFIGURATION :
(Note that the area ids differ in the above syntax)
Router1#sh run
!
hostname Router1
!
!
interface Loopback0
ip address 1.1.1.1 255.0.0.0
!
interface Serial1
ip address 25.0.0.1 255.0.0.0
!
router ospf 1
network 1.0.0.0 0.255.255.255 area 1
network 25.0.0.0 0.255.255.255 area 0
!
line con 0
line aux 0
line vty 0 4
password cisco
login
!
end
Router2#sh run
75
!
hostname "Router2"
!
!
interface Loopback0
ip address 2.2.2.2 255.0.0.0
!
interface Serial0/0
ip address 50.0.0.2 255.0.0.0
no fair-queue
!
router ospf 2
network 2.0.0.0 0.255.255.255 area 2
network 50.0.0.0 0.255.255.255 area 2
!
line con 0
line aux 0
line vty 0 4
password cisco
login
!
end
Router3#sh run
!
!
interface Loopback0
ip address 3.3.3.3 255.0.0.0
!
interface Serial0
ip address 50.0.0.1 255.0.0.0
clockrate 64000
!
interface Serial1
ip address 25.0.0.2 255.0.0.0
clockrate 64000
!
router ospf 3
network 3.0.0.0 0.255.255.255 area 0
network 25.0.0.0 0.255.255.255 area 0
network 50.0.0.0 0.255.255.255 area 2
!
line con 0
line aux 0
line vty 0 4
password cisco
login
!
end
76
ROUTING TABLE :
Router1#sh ip route
C
O IA 50.0.0.0/8 [110/192] via 25.0.0.2, 00:03:44, Serial1
O IA
2.2.2.2 [110/129] via 25.0.0.2, 00:03:44, Serial1
O
3.3.3.3 [110/65] via 25.0.0.2, 00:03:44, Serial1
C
In the above output, O represents OSPF learnt routes within the same
area & O IA represents inter-area learnt OSPF routes.
O IA 50.0.0.0/8
2.0.0.0/32
O IA
2.2.2.2
3.0.0.0/32
O
3.3.3.3
[110/192] via 25.0.0.2, 00:03:51, Serial1

is subnetted, 1 subnets
[110/129] via 25.0.0.2, 00:03:51, Serial1
[110/65] via 25.0.0.2, 00:03:51, Serial1
Router2#sh ip route
O IA
1.1.1.1 [110/129] via 50.0.0.1, 00:06:01, Serial0/0
C
50.0.0.0/8 is directly connected, Serial0/0
C
O IA
3.3.3.3 [110/65] via 50.0.0.1, 00:06:03, Serial0/0
O IA 25.0.0.0/8 [110/192] via 50.0.0.1, 00:06:01, Serial0/0
O IA
1.1.1.1 [110/129] via 50.0.0.1, 00:06:07, Serial0/0
O IA
3.3.3.3 [110/65] via 50.0.0.1, 00:06:09, Serial0/0
77
O IA 25.0.0.0/8 [110/192] via 50.0.0.1, 00:06:07, Serial0/0
Router3#sh ip route
O IA
1.1.1.1 [110/65] via 25.0.0.1, 00:08:15, Serial1
C
O
2.2.2.2 [110/65] via 50.0.0.2, 00:08:25, Serial0
C
C
O IA
O
1.0.0.0/32
1.1.1.1
2.0.0.0/32
2.2.2.2
[110/65] via 25.0.0.1, 00:08:23, Serial1
[110/65] via 50.0.0.2, 00:08:33, Serial0
NEIGHBOR & DATABASE TABLES :

Neighbor ID
3.3.3.3
Pri
State
1
FULL/ -
Dead Time
00:00:33
Address
25.0.0.2
Interface
Serial1
The below database table shows database of all connected areas

Router1 is connected to area 0 & area 1 and hence both are displayed.
Summary Net Link States represent the Link State Advertisements from
other areas.
Link ID
count
1.1.1.1
3.3.3.3
ADV Router
Age
Seq#
Checksum Link
1.1.1.1
3.3.3.3
256
255
0x80000003 0x5EFB
0x80000005 0xD061
Summary Net Link States (Area 0)

Link ID
1.1.1.1
ADV Router
1.1.1.1
Age
1487
Seq#
Checksum
0x80000001 0x47EC
2
3
78
2.2.2.2
50.0.0.0
3.3.3.3
3.3.3.3
256
256
0x80000001 0x5F88
0x80000002 0xA5D7

Link ID
count
1.1.1.1
ADV Router
Age
Seq#
Checksum Link
1.1.1.1
1486
0x80000002 0xD152

Link ID
2.2.2.2
3.3.3.3
25.0.0.0
50.0.0.0
ADV Router
1.1.1.1
1.1.1.1
1.1.1.1
1.1.1.1

Neighbor ID Pri
State
3.3.3.3
1
FULL/ -
Age
252
253
253
253
Seq#
0x80000001
0x80000001
0x80000002
0x80000001
Dead Time
00:00:31
Address
50.0.0.1
Checksum
0x1E91
0x6D7E
0x2876
0x66DF
Interface
Serial0/0

Link ID
count
2.2.2.2
3.3.3.3
ADV Router
Age
Seq#
Checksum Link
2.2.2.2
3.3.3.3
406
400
0x80000003 0x00D036 3
0x80000004 0x009288 2

Link ID
1.1.1.1
3.3.3.3
25.0.0.0
ADV Router
3.3.3.3
3.3.3.3
3.3.3.3
Age
390
1620
390
Seq#
0x80000001
0x80000001
0x80000002
Checksum
0x008D5E
0x00AE75
0x00EBAA

Neighbor ID
1.1.1.1
2.2.2.2
Pri
1
1
State
FULL/
FULL/
Dead Time
00:00:38
00:00:32
Address
25.0.0.1
50.0.0.2
Interface
Serial1
Serial0

Link ID
count
1.1.1.1
3.3.3.3
ADV Router
Age
Seq#
Checksum Link
1.1.1.1
3.3.3.3
532
530
0x80000003 0x5EFB
0x80000005 0xD061
2
3
79
Link ID
1.1.1.1
2.2.2.2
50.0.0.0
ADV Router
1.1.1.1
3.3.3.3
3.3.3.3
Age
1763
531
531
Seq#
0x80000001
0x80000001
0x80000002
Checksum
0x47EC
0x5F88
0xA5D7
Checksum Link

Link ID
count
2.2.2.2
3.3.3.3
ADV Router
Age
Seq#
2.2.2.2
3.3.3.3
538
532
0x80000003 0xD036
0x80000004 0x9288
3
2

Link ID
1.1.1.1
3.3.3.3
25.0.0.0
ADV Router
3.3.3.3
3.3.3.3
3.3.3.3
Age
521
1753
522
Seq#
0x80000001
0x80000001
0x80000002
Checksum
0x8D5E
0xAE75
0xEBAA

Next 0x0(0)/0x0(0)
Serial0/0 is up, line protocol is up
Next 0x0(0)/0x0(0)
80
Process ID 3, Router ID 3.3.3.3,Network Type POINT_TO_POINT, Cost:
Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit
Next 0x0(0)/0x0(0)
Process ID 3, Router ID 3.3.3.3,Network Type POINT_TO_POINT, Cost:
Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit
Next 0x0(0)/0x0(0)
64
5
64
5
81
CDP
Cisco Discovery Protocol (CDP) helps us to gather details regarding
Cisco Devices (All Devices) directly connected to the device on which
we are running the protocol. This is a Cisco Proprietory Protocol.
S0
100.0.0.245
Router1
S0
100.0.0.2
FRSW
To view CDP information

Router1#sh cdp
Global CDP information:
Sending CDP packets every 60 seconds
Sending a holdtime value of 180 seconds
Sending CDPv2 advertisements is enabled
To find out brief details regarding directly connected CISCO Devices,
Router1#sh cdp neighbors
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
S - Switch, H - Host, I - IGMP, r - Repeater
Device ID
FRSW
Local Intrfce
Ser 0
Holdtme
167
Capability
R
Platform
2520
Port ID
Ser 0
For detailed neighbor information,

Router1#sh cdp neighbors detail
------------------------Device ID: FRSW
(neighbors Hostname)
Entry address(es):
IP address: 100.0.0.245 (Interface IP address)
Platform: cisco 2520, Capabilities: Router
(Indicates neighbor is a router)
Interface: Serial0, Port ID (outgoing port): Serial0
Holdtime : 159 sec
Version :
IOS (tm) 2500 Software (C2500-JK8OS-L), Version 12.2(1d), RELEASE
SOFTWARE (fc1)
advertisement version: 2 (CDP version number)
Lets view the same on the other router
FRSW#sh cdp neighbors
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
S - Switch, H - Host, I - IGMP, r - Repeater
82
Device ID
Local Intrfce
Holdtme
Capability
Port ID
Router1
Ser 0
137
R
0
FRSW#sh cdp neighbors detail
------------------------Device ID: Router1
Entry address(es):
IP address: 100.0.0.2
Platform: cisco 2500, Capabilities: Router
Interface: Serial0, Port ID (outgoing port): Serial0
Holdtime : 132 sec
Platform
2500
Ser
Version :
SOFTWARE (fc1)
advertisement version: 2
Router boot sequence

We can make the router boot from different sources by changing the boot
field (last 4 bits) in the 16 bit config register. The various
possibilities are as under.
0x2100 ROMMON - for diagnostic
0x2101 Mini IOS in ROM
0x2102 Boot from first file in Flash (default value)
0x2102 0x210F with Boot System commands defined can make the router
boot from any other file in Flash / tftp server (remote boot).
0x indicates its a hexa value
When we normally boot a router (from flash), we should see the default
config-register value 0x2102 from the show version output.
Router1#sh version
SOFTWARE (fc1)
Compiled Sun 03-Feb-02 22:01 by srani
Image text-base: 0x0307EEE0, data-base: 0x00001000
ROM: System Bootstrap, Version 11.0(10c), SOFTWARE
BOOTFLASH: 3000 Bootstrap Software (IGS-BOOT-R), Version 11.0(10c),
RELEASE SOFTWARE (fc1)
Router1 uptime is 10 minutes
System image file is "flash:c2500-jk8os-l.122-1d.bin"
83
cisco 2500 (68030) processor (revision N) with 14336K/2048K bytes of
memory.
Processor board ID 21580975, with hardware revision 00000000
Bridging software.
X.25 software, Version 3.0.0.
SuperLAT software (copyright 1990 by Meridian Technology Corp).
TN3270 Emulation software.
1 Ethernet/IEEE 802.3 interface(s)
2 Serial network interface(s)
32K bytes of non-volatile configuration memory.
16384K bytes of processor board System flash (Read ONLY)
Configuration register is 0x2102
Router1#
To change the config register value and make it boot from ROM Monitor
mode, the below command is used.
Router1(config)#config-register 0x2100
Router1(config)#^Z
Router1# reload (warm boot)
System configuration has been modified. Save? [yes/no]: hit the key Y
Proceed with reload? [confirm]hit the return key
>
This prompt indicates that the router has booted in ROMMON. This offers
only character based support, not command based support.
I
O
R
H
?
for
for
for
for
for
initialize
config mode
register
help
help
From ROMMON mode, to change the config register value to 0x2101 (to
make it boot from mini IOS), lets use the below syntax
> o/r 0x2101

> I
(to change config register value)

(to initialize - reboot)
The router reboots

Copyright (c) 1986-2002 by cisco Systems, Inc
Router1#(boot)>
This is the mini IOS prompt and this works much like our regular mode.
The major difference is that this mode doesnt support many commands.
84
IOS Backup
E0
10.0.0.100
TFTP SERVER
10.0.0.2
Consider the above scenario. Wed like to take a back up of our IOS
image from the router to the tftp server. The process is very simple as
demonstrated below.
First lets view our IOS file stored in the flash.
Router1#sh version
SOFTWARE (fc1)
Compiled Sun 03-Feb-02 22:01 by srani
Image text-base: 0x0307EEE0, data-base: 0x00001000
ROM: System Bootstrap, Version 11.0(10c), SOFTWARE
BOOTFLASH: 3000 Bootstrap Software (IGS-BOOT-R), Version 11.0(10c),
RELEASE SOFTWARE (fc1)
AccessSrv uptime is 3 minutes
System image file is "flash:/c2500-jk8os-l.122-1d.bin"
cisco 2509 (68030) processor (revision M) with 14336K/2048K bytes of
memory.
Processor board ID 22068840, with hardware revision 00000000
Bridging software.
X.25 software, Version 3.0.0.
SuperLAT software (copyright 1990 by Meridian Technology Corp).
TN3270 Emulation software.
1 Ethernet/IEEE 802.3 interface(s)
2 Serial network interface(s)
8 terminal line(s)
32K bytes of non-volatile configuration memory.
16384K bytes of processor board System flash (Read ONLY)
Configuration register is 0x2102
Backing up is using the command copy flash tftp. Well be able to see
a series of exclamation marks on the console screen indicating that
back up is in progress.
85
Router1#copy flash tftp

Source filename []? c2500-jk8os-l.122-1d.bin
Address or name of remote host []? 10.0.0.2
Destination filename [c2500-jk8os-l.122-1d.bin]?
.!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! <process omitted> 15686
Bytes transferred successfully on Friday Jan 13 14:41:03 2006
On the host running tftp server, well be able to see a series of #
during the backup process.
86
ACCESS CONTROL LIST ACL
A company - Madras Plastic & Co. has 2 offices one located in Chennai
and another in salem. Chennai office is the Head Office and salem a
branch office. They have some ftp and web servers at their Head Office
but restrictions are to be imposed (as listed below) for users from
Salem office. Certain other restrictions on Chennai LAN users are also
to be implemented as below.
1. Salems System Admin does not want to provide access (to his
Network) to the Chennai user 10.0.0.4.
2. Only 172.16.0.2 must be allowed to download from the companys FTP
server
3. 172.16.0.3 must not be allowed access to web server located in head
office.
4. Chennai Network users are not allowed to telnet Salem router.
So we are going to configure some Access-Control-list on these two
routers. This is done in two steps.
(i)Create Access Lists (ACL) in Global Configuration Mode.
(ii)Apply them to Router interfaces specifying direction.
Lets first understand how to create Standard and Extended access list
Standard (In global configuration mode)
Chennai(Config)# access-list < no. > permit / deny < sources network/ip
address> <wild card mask>
Standard access list number range is 1 to 99.

Wild card mask is just the opposite of SubNet Mask
87
Extended (In global configuration mode)
Chennai(Config)# access-list < no.> permit / deny < protocol > <
sources network/ip address > < wild card mask> < destination network/ip
address > <wild card mask> eq < port no./ service name >
extended access list number range is 100 to 199

Specify both source & destination address
Specify protocol
Specify particular application port no. for filtering
Implementation command at specific interface mode

Chennai(Config-if)# ip access-group <access-list no.> <in / out>
Note : default is out
Now well implement the security policy.
Condition 1. 10.0.0.4 should not access salem office network this is
a policy to be defined in Salem router using a standard Access List.
Salem(Config)#access-list 10 deny 10.0.0.4 0.0.0.0
Salem(Config)#access-list 10 permit any
We can configure the same command using the keyword Host to represent
a single computer in which case the Wild Card Mask is not required.
Salem(Config)#access-list 10 deny host 10.0.0.4 Salem(Config)#accesslist 10 permit any
(The permit any command at the last is necessary to override the
implicit deny of ACLs)
As the second step well now apply this ACL as outbound (leaving the
router) on interface Ethernet 0. This is because the traffic has to be
filtered when it enters the Salem LAN and Standard ACLs are applied
closest to the destination Network.
Salem(config-if)#ip access-group 10 out
Lets check show running-config output
Salem# show running-config
!
interface Ethernet0
description connected to Salem Local Area Network
ip address 10.0.0.1 255.0.0.0
ip access-group 10 out
!
<some output omitted>
!
access-list 10 deny 10.0.0.4 0.0.0.0
access-list 10 permit any
88
Our second task is to control access to FTP & Web Servers. Only Host
172.16.0.2 can download from FTP server(port 20)& Host 172.16.0.3
cannot access webserver (WWW port 80).
Chennai(config)#access-list 100 permit tcp host 172.16.0.2
host 10.0.0.2 eq ftp
Chennai(config)#access-list 100 deny tcp any
host 10.0.0.2 eq ftp
Chennai(config)#access-list 100 deny tcp host 172.16.0.3
host 10.0.0.3 eq 80
Chennai(config)#access-list 100 permit ip any any
Observe, we have used ftp in the first case & port no. 80 in the next.
Both forms are acceptable.
This access-list is applied on interface s0 as inbound access-list as
we are trying to control traffic entering the router.
Chennai(Config)#interface s0
Chennai(config-if)#ip access-group 100 in
Lets check running-config
Chennai# show running-config
!
interface Serial0
description connected to public network
ip address 200.0.0.5 255.255.255.252
ip access-group 100 in
!
<some output omitted>
!
Now lets see some ACL show commands
Salem#show ip access-list
Standard IP access list 10
deny
10.0.0.4
permit any
Salem#show ip int Ethernet0 (displays application & direction of ACL )
Broadcast address is 255.255.255.255
Address determined by non-volatile memory
MTU is 1500 bytes
Helper address is not set
Directed broadcast forwarding is disabled
Outgoing access list is 10
Inbound access list is not set
Proxy ARP is enabled
Security level is default
<output omitted>
Chennai#show ip access-list
Extended IP access list 100
deny tcp host 172.16.0.2 host 10.0.0.2 eq telnet
deny tcp host 172.16.0.3 host 10.0.0.3 eq www
89
deny tcp host 172.16.0.4 any
permit ip any any
Chennai#show ip int Serial0
Broadcast address is 255.255.255.255
Address determined by setup command
MTU is 1500 bytes
Helper address is not set
Directed broadcast forwarding is disabled
Outgoing access list is not set
Inbound access list is 100
Proxy ARP is enabled
Security level is default
Split horizon is enabled
<output omitted>
The final task is Chennai network users should not telnet
router:
salem
Salem(config)#access-list 1 deny 10.0.0.0 0.255.255.255

Salem(config)#access-list 1 permit any
where should we apply this ?
Salem(config)#line vty 0 4
Salem(config-line)#access-class <access-list no.> in / out
Yes! for telnet, we deploy the access-list on vty ! We use accessclass and not access-group here.
Command continues
Salem(config-line)#access-class 1 in
Lets see some show commands for this configuration
Salem#show ip access-list
Standard IP access list 1
deny
10.0.0.0, wildcard bits 0.255.255.255
permit any
Salem#show running-config
!
line vty 0 4
access-class 1 in
password cisco
login
Lets try telnetting from the host & see what happens.
90
Observe the message in the above screen !
91
NAT - NETWORK ADDRESS TRANSLATION

s0
e0
10.0.0.1
10.0.0.2
10.0.0.3
10.0.0.4
NAT
200.0.0.1
ISP
10.0.0.5
Gateway for all computers is 10.0.0.1
I) STATIC NAT : In the above scenario, an office uses private

addresses for all its systems & requires to use static NAT (one-one
fixed mapping) to communicate via Internet. The config. is as discussed
below.
The inside & outside Network Interfaces have to be defined for all NAT
implementations. Lets begin with this first. The syntax is simple and
evident from the below config.
Router1(config)#interface ethernet0
Router1(config-if)#ip nat inside
Router1(config-if)#no shutdown
Router1(config)#interface serial 0
Router1(config-if)#ip nat outside
Next lets define the static NAT using the command
ip nat inside source static <inside local address><inside global
address>
and map our private address 10.0.0.2 to public address 200.0.0.10
Router1(config)#ip nat inside source static 10.0.0.2 200.0.0.10
Router1(config)#ip route 0.0.0.0 0.0.0.0 200.0.0.2
- default route defined to reach the ISP.
The above is reflected in the running config too.
!
hostname Router1
92
!
!
interface Ethernet0
ip address 10.0.0.1 255.0.0.0
ip nat inside
!
interface Serial0
ip address 200.0.0.1 255.0.0.0
ip nat outside
!
ip nat inside source static 10.0.0.2 200.0.0.10
ip route 0.0.0.0 0.0.0.0 200.0.0.2
!
line con 0
line aux 0
line vty 0 4
password cisco
login
!
end
To view the NAT table, use the command show ip nat translations
Router1#show ip nat translations
Pro Inside global Inside local
--- 200.0.0.10
10.0.0.2
Outside local
---
Outside global
---
To view inside & outside interfaces, use the command show ip nat
statistics
Router1#show ip nat statistics
Total active translations: 1 (1 static, 0 dynamic; 0 extended)
Outside interfaces:
Serial1
Inside interfaces:
Ethernet0
Hits: 4 Misses: 0
Expired translations: 0
Dynamic mappings:
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile,
B - BGP D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter
area N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type
2 E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
C
S
C

20.0.0.0/8 [1/0] via 200.0.0.2
93
To observe the Static NAT function, well initiate a ping from host
10.0.0.2 to a remote host 20.0.0.10 and use debug ip nat to display
the details.
10.0.0.2 must translate to 200.0.0.10 as per our NAT table.
Router1#debug ip nat
01:54:09: NAT*: s=10.0.0.2->200.0.0.10, d=20.0.0.10 [63104]
ICMP echo request packet
01:54:09: NAT*: s=20.0.0.10, d=200.0.0.10->10.0.0.2 [274]
ICMP echo reply packet
s stands for source IP
-> means translated to
d stands for destination IP
As ping sends echo request 4 times & receives an equal no. of replies,
we see the above repeated 3 more times.
01:54:10:
01:54:10:
01:54:11:
01:54:11:
01:54:12:
01:54:12:
NAT*:
NAT*:
NAT*:
NAT*:
NAT*:
NAT*:
s=10.0.0.2->200.0.0.10, d=20.0.0.10
s=20.0.0.10, d=200.0.0.10->10.0.0.2
s=10.0.0.2->200.0.0.10, d=20.0.0.10
s=20.0.0.10, d=200.0.0.10->10.0.0.2
s=10.0.0.2->200.0.0.10, d=20.0.0.10
s=20.0.0.10, d=200.0.0.10->10.0.0.2
[63107]
[275]
[63111]
[276]
[63114]
[273]
94
II) DYNAMIC NAT : For Dynamic NAT too well use the same scenario.
Lets configure the inside & outside interface first.
Router1(config)#interface ethernet0
Router1(config-if)#ip nat inside
Router1(config)#interface serial 0
Router1(config-if)#ip nat outside
Router1(config)#ip route 0.0.0.0 0.0.0.0 serial 0
Well now configure the pool of Public IPs using the command
ip nat pool <pool name><start IP><end IP>netmask<subnet Mask>
Router1(config)#ip nat pool RJP 200.0.0.1 200.0.0.2 netmask 255.0.0.0
Well now have to define a list of our internal IP address using
accesslist (purely for the purpose of listing the IP addresses & not
for any Security configuration). Well define all 10.0.0.0 network IPs
in our list.
Router1(config)#Access-list 1 permit 10.0.0.0 0.255.255.255
Finally the list has to be mapped to the pool using the command
ip nat inside source list <list name> pool <pool name>
Router1(config)#ip nat inside source list 1 pool RJP
Here we have many internal IP addresses and only 2 valid public IP
addresses for NATing - this means only 2 internal hosts can dynamically
associate with the pool addresses simultaneously and communicate via
internet. Only when released after a timeout (default 24 hrs), the
others may be able to use the same pool IPs.
Router1#sh run
!
hostname Router1
!
!
interface Ethernet0
ip address 10.0.0.1 255.0.0.0
ip nat inside
!
interface Serial0
ip address 200.0.0.1 255.0.0.0
ip nat outside
!
ip nat pool RJP 200.0.0.1 200.0.0.2 netmask 255.0.0.0
ip nat inside source list 1 pool RJP
!
95
!
access-list 1 permit 10.0.0.0 0.255.255.255
!
line con 0
line aux 0
line vty 0 4
password cisco
login
!
End
Router1#sh ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile,
B - BGP D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter
area N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type
2 E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
Gateway of last resort is 0.0.0.0 to network 0.0.0.0
C
S*
C

The NAT table is empty before any traffic flow.

Router1#sh ip nat translations
<The translation table is empty>
Additional config. details are seen in sh ip nat statistics command
Router1#sh ip nat stat
Router1#sh ip nat statistics
Outside interfaces:
Serial0
Inside interfaces:
Ethernet0
Hits: 0 Misses: 0
Dynamic mappings:
-- Inside Source
access-list 1 pool RJP refcount 0
pool RJP: netmask 255.0.0.0
start 200.0.0.1 end 200.0.0.2
type generic, total addresses 2, allocated 0 (0%), misses 0
Lets try initiating ping from 3 internal hosts simultaneously.
IP NAT debugging is on
Router1#
01:31:49: NAT: s=10.0.0.2->200.0.0.1, d=20.0.0.1 [13426]
01:31:49: NAT*: s=20.0.0.1, d=200.0.0.1->10.0.0.2 [13426]
96
01:31:50:
01:31:50:
01:31:51:
01:31:51:
01:31:52:
01:31:52:
NAT*:
NAT*:
NAT*:
NAT*:
NAT*:
NAT*:
s=10.0.0.2->200.0.0.1, d=20.0.0.1
s=20.0.0.1, d=200.0.0.1->10.0.0.2
s=10.0.0.2->200.0.0.1, d=20.0.0.1
s=20.0.0.1, d=200.0.0.1->10.0.0.2
s=10.0.0.2->200.0.0.1, d=20.0.0.1
s=20.0.0.1, d=200.0.0.1->10.0.0.2
[13427]
[13427]
[13432]
[13432]
[13437]
[13437]
01:32:10:
01:32:10:
01:32:11:
01:32:11:
01:32:12:
01:32:12:
01:32:13:
01:32:13:
NAT: s=10.0.0.3->200.0.0.2, d=20.0.0.1 [1473]

NAT*: s=20.0.0.1, d=200.0.0.2->10.0.0.3 [1473]
NAT*: s=10.0.0.3->200.0.0.2, d=20.0.0.1 [1474]
NAT*: s=20.0.0.1, d=200.0.0.2->10.0.0.3 [1474]
NAT*: s=10.0.0.3->200.0.0.2, d=20.0.0.1 [1475]
NAT*: s=20.0.0.1, d=200.0.0.2->10.0.0.3 [1475]
NAT*: s=10.0.0.3->200.0.0.2, d=20.0.0.1 [1476]
NAT*: s=20.0.0.1, d=200.0.0.2->10.0.0.3 [1476]
01:34:42:NAT:translation failed(A),
dropping packet s=10.0.0.4 d=20.0.0.1
01:34:48: NAT: translation failed (A),
The third translation fails as there are no free IPs in the pool as the
first 2 pings have exhausted the available pool IPs.
Router1#sh ip nat
Pro Inside global
--- 200.0.0.1
--- 200.0.0.2
translations
Inside local
10.0.0.2
10.0.0.3
Outside local
-----
Outside global
-----

Outside interfaces:
Serial0
Inside interfaces:
Ethernet0
Hits: 8 Misses: 4
Dynamic mappings:
-- Inside Source
start 200.0.0.1 end 200.0.0.2
Its possible to remove all the dynamic entries in the Nat table using
the command clear ip nat translations *.
97
III) NAT with PAT : This is for simultaneous use of single (or more
than one) Public IP by many internal hosts. Port numbers are used for
this purpose. Consider the same scenario as before - the only
difference in configuration would be the overload keyword used in the
list-pool mapping.
Router1(config)#ip nat pool RJP 200.0.0.1 200.0.0.1 netmask 255.0.0.0
Router1(config)#Access-list 1 permit 10.0.0.0 0.255.255.255
Router1(config)#ip nat inside source list 1 pool RJP overload
Router1#sh run
!
hostname Router1
!
!
interface Ethernet0
ip address 10.0.0.1 255.0.0.0
ip nat inside
!
interface Serial0
ip address 200.0.0.1 255.0.0.0
ip nat outside
!
ip nat pool RJP 200.0.0.1 200.0.0.1 netmask 255.0.0.0
ip nat inside source list 1 pool RJP overload
!
access-list 1 permit 10.0.0.0 0.255.255.255
!
line con 0
line aux 0
line vty 0 4
password cisco
login
!
End
<The table is empty>
Outside interfaces:
Serial0
Inside interfaces:
Ethernet0
Hits: 28 Misses: 4
Dynamic mappings:
-- Inside Source
98
start 200.0.0.1 end 200.0.0.1
Allocated 0 implies unused pool addresses.
Initiating simultaneous ping from multiple hosts results in the below
debug output.
IP NAT debugging is on
Router1#
01:31:49: NAT: s=10.0.0.2->200.0.0.1, d=20.0.0.1 [13426]
01:31:49: NAT*: s=20.0.0.1, d=200.0.0.1->10.0.0.2 [13426]
01:31:50: NAT*: s=10.0.0.2->200.0.0.1, d=20.0.0.1 [13427]
01:31:50: NAT*: s=20.0.0.1, d=200.0.0.1->10.0.0.2 [13427]
01:31:51: NAT*: s=10.0.0.2->200.0.0.1, d=20.0.0.1 [13432]
01:31:51: NAT*: s=20.0.0.1, d=200.0.0.1->10.0.0.2 [13432]
01:31:52: NAT*: s=10.0.0.2->200.0.0.1, d=20.0.0.1 [13437]
01:31:52: NAT*: s=20.0.0.1, d=200.0.0.1->10.0.0.2 [13437]
01:32:10:
01:32:10:
01:32:11:
01:32:11:
01:32:12:
01:32:12:
01:32:13:
01:32:13:
NAT: s=10.0.0.3->200.0.0.1, d=20.0.0.1 [1473]

NAT*: s=20.0.0.1, d=200.0.0.1->10.0.0.3 [1473]
NAT*: s=10.0.0.3->200.0.0.1, d=20.0.0.1 [1474]
NAT*: s=20.0.0.1, d=200.0.0.1->10.0.0.3 [1474]
NAT*: s=10.0.0.3->200.0.0.1, d=20.0.0.1 [1475]
NAT*: s=20.0.0.1, d=200.0.0.1->10.0.0.3 [1475]
NAT*: s=10.0.0.3->200.0.0.1, d=20.0.0.1 [1476]
NAT*: s=20.0.0.1, d=200.0.0.1->10.0.0.3 [1476]
01:32:32:
01:32:32:
01:32:37:
01:32:37:
01:32:38:
01:32:38:
01:32:39:
01:32:39:
NAT: s=10.0.0.4->200.0.0.1, d=20.0.0.1 [1492]

NAT*: s=20.0.0.1, d=200.0.0.1->10.0.0.4 [1492]
NAT*: s=10.0.0.4->200.0.0.1, d=20.0.0.1 [1506]
NAT*: s=20.0.0.1, d=200.0.0.1->10.0.0.4 [1506]
NAT*: s=10.0.0.4->200.0.0.1, d=20.0.0.1 [1511]
NAT*: s=20.0.0.1, d=200.0.0.1->10.0.0.4 [1511]
NAT*: s=10.0.0.4->200.0.0.1, d=20.0.0.1 [1517]
NAT*: s=20.0.0.1, d=200.0.0.1->10.0.0.4 [1517]
01:34:11:
01:34:11:
01:34:16:
01:34:16:
01:34:17:
01:34:17:
01:34:18:
01:34:18:
NAT: s=10.0.0.5->200.0.0.1, d=20.0.0.1 [1553]

NAT*: s=20.0.0.1, d=200.0.0.1->10.0.0.5 [1553]
NAT*: s=10.0.0.5->200.0.0.1, d=20.0.0.1 [1566]
NAT*: s=20.0.0.1, d=200.0.0.1->10.0.0.5 [1566]
NAT*: s=10.0.0.5->200.0.0.1, d=20.0.0.1 [1571]
NAT*: s=20.0.0.1, d=200.0.0.1->10.0.0.5 [1571]
NAT*: s=10.0.0.5->200.0.0.1, d=20.0.0.1 [1577]
NAT*: s=20.0.0.1, d=200.0.0.1->10.0.0.1 [1577]
Lets see the clear difference in the NAT table - the last no. 512,513
etc is the port no. used to identify the internal host that originated
the traffic.
Pro Inside global
Inside local
icmp 200.0.0.1:512
10.0.0.2:512
icmp 200.0.0.1:513
10.0.0.3:513
icmp 200.0.0.1:514
10.0.0.4:514
Outside local
20.0.0.1:512
20.0.0.1:513
20.0.0.1:514
Outside global
20.0.0.1:512
20.0.0.1:513
20.0.0.1:514
99
icmp 200.0.0.1:515
10.0.0.5:515
20.0.0.1:515
20.0.0.1:515

Outside interfaces:
Serial0
Inside interfaces:
Ethernet0
Hits: 56 Misses: 8
Dynamic mappings:
-- Inside Source
start 200.0.0.1 end 200.0.0.1
Allocated 1 implies that the single pool IP has been used.
100
WAN
I) PPP & HDLC on Point to Point Link (Leased Line)
s0
L0
5.5.5.5
R1
R1
200.0.0.1
s0
200.0.0.2
R2
R3
L0
6.6.6.6
The default encapsulation on WAN Serial interface of a CISCO Router is

HDLC. No further configuration is called for in a simple Point-to-Point
Link. This is seen from the output of show interface command as below.
Hardware is HD64570
Encapsulation HDLC, loopback not set
Keepalive set (10 sec)
If we are to connect to a non-Cisco Router or if we want to implement
Authentication at the datalink layer, we need to go in for the
standards based PPP encapsulation.
Router1(config-if)#int s0
Router1(config-if)#encapsulation ppp
Router1(config)#int loopback0
Router1(config-if)#ip route 6.0.0.0 255.0.0.0 200.0.0.2
PPP supports optional Authentication with PAP or CHAP. Well begin with
PAP first.
a. PAP Authentication
First, PAP Authentication has to be enabled in the interface config
mode.
Router1(config-if)#ppp authentication pap
Next is to configure the other routers name as the username and choose
a common password (This alone is a global config command).
Router1(config)#username Router2 password cisco
Router2 is the other routers hostname & cisco is the password
101
An additional command to inform this routers name to the other router

is also to be configured.
Router1(config-if)#ppp pap sent-username Router1 password cisco
Router1#sh int s0
Hardware is HD64570
Encapsulation PPP, loopback not set
LCP Open
Open: IPCP, CDPCP
Similar configuration has to be done with Router2
Verification :
sh run, sh ip route & sh interface commands are used
Router1#sh run
!
hostname Router1
!
!
username Router2 password 0 cisco
!
interface Loopback0
ip address 5.5.5.5 255.0.0.0
!
interface Serial0
ip address 200.0.0.1 255.0.0.0
encapsulation ppp
ppp authentication pap
ppp pap sent-username Router1 password 7 0822455D0A16
!
ip route 6.0.0.0 255.0.0.0 200.0.0.2
!
line con 0
line aux 0
line vty 0 4
password cisco
login
!
End
Router2#sh run
!
102
hostname Router2
!
!
!
interface Loopback0
ip address 6.6.6.6 255.0.0.0
!
interface Serial0
ip address 200.0.0.2 255.0.0.0
clockrate 64000
encapsulation ppp
ppp authentication pap
ppp pap sent-username Router2 password 7 05080F1C2243
!
ip route 5.0.0.0 255.0.0.0 200.0.0.1
!
line con 0
line aux 0
line vty 0 4
password cisco
login
!
end
Router1#sh ip route
type 2 E1 - OSPF external type 1, E2 - OSPF external type 2, E EGP i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - ISIS inter area * - candidate default, U - per-user static route,
C
C
C
S
200.0.0.0/8 is variably subnetted, 2 subnets, 2 masks

6.0.0.0/8 [1/0] via 200.0.0.2
Router2#sh ip route
type 2 E1 - OSPF external type 1, E2 - OSPF external type 2, E EGP i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - ISIS inter area * - candidate default, U - per-user static route,
103
C
C
S
C

5.0.0.0/8 [1/0] via 200.0.0.1
Router2s s0 is currently down. Output of s0 on router 1 displays LCP

closed
Router1#sh int s0
Serial0 is down, line protocol is down
Hardware is HD64570
LCP Closed
LCP closed indicates that the PPP link is not up yet.
Using Debug ppp authentication command we can see the authentication
process. Its a 2-way handshake & bidirectional both routers
authenticating each other.
Router1#debug ppp authentication
PPP authentication debugging is on
Router1#
00:24:50: Se0 PPP: Treating connection as a dedicated line
00:24:50: %LINK-3-UPDOWN: Interface Serial0, changed state to up
00:24:50: Se0 PAP: O AUTH-REQ id 1 len 18 from "Router1"
00:24:50: Se0 PAP: I AUTH-REQ id 2 len 18 from "Router2"
(Authentication request username, password sent)
00:24:50: Se0 PAP: Authenticating peer Router2
00:24:50: Se0 PAP: O AUTH-ACK id 2 len 5
00:24:50: Se0 PAP: I AUTH-ACK id 1 len 5
(Authentication acknowledged if username, password correct)
00:24:51: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0,
changed state to up
Once s0 of Router2 goes up, interface status shows LCP open. Wan link
is now up.
Router1#sh int s0
Hardware is HD64570
LCP Open
104
b. CHAP Authentication
The configuration is exactly like PAP only that sent username is not
required here. The below would show us the difference.
Router1(config-if)#ppp authentication chap
Router2(config-if)#ppp authentication chap
Router1#sh run
!
hostname Router1
!
!
!
interface Loopback0
ip address 5.5.5.5 255.0.0.0
!
interface Serial0
ip address 200.0.0.1 255.0.0.0
encapsulation ppp
ppp authentication chap
<output omitted>
Router2#sh run
!
hostname Router2
!
!
!
105
interface Loopback0
ip address 6.6.6.6 255.0.0.0
!
interface Serial0
ip address 200.0.0.2 255.0.0.0
clockrate 64000
encapsulation ppp
ppp authentication chap
<output omitted>
Router1#sh ip route
C
C
C
S

6.0.0.0/8 [1/0] via 200.0.0.2
Router2#sh ip route
C
C
S
C

5.0.0.0/8 [1/0] via 200.0.0.1
VERIFICATION USING DEBUG COMMAND

Router1#debug ppp authentication
PPP authentication debugging is on
01:13:37: Se0 PPP: Treating connection as a dedicated line
01:13:37: Se0 CHAP: O CHALLENGE id 114 len 28 from "Router1"
01:13:37: Se0 CHAP: I CHALLENGE id 113 len 28 from "Router2"
(A challenge is sent and another received)
01:13:37: Se0 CHAP: O RESPONSE id 113 len 28 from "Router1"
01:13:37: Se0 CHAP: I RESPONSE id 114 len 28 from "Router2"
(Username, password is sent/received only after the challenge)
01:13:37: Se0 CHAP: O SUCCESS id 114 len 4
01:13:37: Se0 CHAP: I SUCCESS id 113 len 4
(If username & password are correct, authentication is successful)
01:13:38: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0,
changed state to up
The link now goes up !
Also note that the 3-way authentication process is bidirectional both
the routers authenticate each other.
106
II) ISDN
L0
1.1.1.1
200.0.0.2
BRI0
R4
R1
R4
ISDN
Cloud
BRI0
200.0.0.1
ISDN no:24731102
R3
R5
R5
L0
2.2.2.2
ISDN no:252912
Consider the above scenario where there are 2 offices of the same
organization connected over a dial-up ISDN. The requirement being the
ISDN connection should automatically come up whenever there is a
traffic flow between the offices. This is referred to as Dial on Demand
routing.
This is a 3 step process
(i)
Configure static route between the offices
(ii) Define Interesting Traffic
(iii) Configure Dialer
Step (i) Static route configuration
Step (ii) Interesting Traffic definition using dialer list
Router4(config)#dialer-list 1 protocol ip permit
Router5(config)#dialer-list 2 protocol ip permit
Note : If we want to selectively allow access for ISDN dial-up, well
then have to define the allowed IP addresses in an access-list and
invoke in a dialer list as shown below.
Config # dialer-list 1 protocol ip list <ACL no.>
e.g. Router4(config)#dialer-list 1 protocol ip list 10
Router4(config)#access-list 10 permit 1.1.1.1 0.0.0.0
Step (iii) Dialer configuration
We need to define the destination IP, number to be dialed & Interesting
traffic list to be used.
Router4(config-if)#dialer-group 1
Router4(config-if)#dialer map ip 200.0.0.2 252912
Router5(config-if)#dialer-group 2
107
Router5(config-if)#dialer map ip 200.0.0.1 24731102
As ISDN service providers use different types of ISDN switches, we need
to specify the appropriate switch type in our router. In our case well
specify basic-net3.
Router4(config)#isdn switch-type basic-net3
Router5(config)#isdn switch-type basic-net3
VERIFICATION
Running config of
routers 4 & 5
Router4#sh run
!
hostname Router4
!
!
isdn switch-type basic-net3
!
interface Loopback0
ip address 1.1.1.1 255.0.0.0
!
!
interface BRI0
ip address 200.0.0.1 255.255.255.0
dialer map ip 200.0.0.2 252912
dialer-group 1
!
ip route 2.0.0.0 255.0.0.0 200.0.0.2
!
dialer-list 1 protocol ip permit
!
line con 0
line aux 0
line vty 0 4
password cisco
login
!
End
Router5#sh run
!
hostname Router5
!
nable password cisco
!
!
interface Loopback0
108
ip address 2.2.2.2 255.0.0.0
!
interface BRI0
ip address 200.0.0.2 255.255.255.0
dialer map ip 200.0.0.2 24731102
dialer-group 2
!
ip route 1.0.0.0 255.0.0.0 200.0.0.1
!
dialer-list 2 protocol ip permit
!
line con 0
line aux 0
line vty 0 4
password cisco
login
!
end
When there is no traffic between the 2 offices, lets find out the ISDN
call status using the below 2 commands.
Router4#sh isdn status
Global ISDN Switchtype = basic-net3
ISDN BRI0 interface
dsl 0, interface ISDN Switchtype = basic-net3
Layer 1 Status:
ACTIVE
Layer 2 Status:
TEI = 64, Ces = 1, SAPI = 0, State = MULTIPLE_FRAME_ESTABLISHED
Layer 3 Status:
0 Active Layer 3 Call(s)
Active dsl 0 CCBs = 0
The Free Channel Mask: 0x80000003
Total Allocated ISDN CCBs = 0
The above would be the typical output if the configuration is correct.
0 Active layer 3 calls mean that ISDN link is not yet up.
Router4#sh isdn active
----------------------------------------------------------------------ISDN ACTIVE CALLS
----------------------------------------------------------------------Call
Calling Called Remote Seconds Seconds Seconds Charges
Type
Number Number Name
Used
Left
Idle
Units/Currency
----------------------------------------------------------------------sh ISDN active output reveals that no ISDN call is in progress.
Router4#sh int bri 0
BRI0 is up, line protocol is up (spoofing)
Hardware is BRI
109
Router4#sh int bri 0:1
BRI0:1 is down, line protocol is down
Hardware is BRI
Look at the difference sh int bri 0 shows the line protocol as up
whereas sh int bri 0:1 shows line protocol is down. This implies that
BRI config is correct. Since there is no traffic, the BRI channel 1 is
still down (Recall each BRI interface has 2 B channels).
Similar outputs can be observed on Router5 as well.
----------------------------------------------------------------------Call
Calling Called Remote Seconds Seconds Seconds Charges
Type
Number
Number Name
Used
Left
Idle
Units/Currency
--------------------------------------------------------------------------------------------------------------------------------------------Router5#sh isdn status
ISDN BRI0 interface
Layer 1 Status:
ACTIVE
Layer 2 Status:
Layer 3 Status:
Hardware is BRI
BRI0:1 is down, line protocol is down
Hardware is BRI
To check our DDR config, well initiate ping from router4s loopback &
checkout if the WAN link comes up automatically.
110
Router4#ping 2.2.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
00:37:39: %LINK-3-UPDOWN: Interface BRI0:1, changed state to up
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 32/33/36 ms
00:37:40: %LINEPROTO-5-UPDOWN: Line protocol on Interface BRI0:1,
changed state to up
Router4#sh isdn status
ISDN BRI0 interface
Layer 1 Status:
ACTIVE
Layer 2 Status:
Layer 3 Status:
CCB:callid=8002, sapi=0, ces=1, B-chan=1, calltype=DATA
Observe the above output shows 1 Active Layer 3 calls now which was not
the case earlier.
sh isdn active gives us details of currently active calls.
----------------------------------------------------------------------Call Calling
Called Remote Seconds Seconds Seconds Charges
Type Number
Number Name
Used
Left
Idle
Units/Currency
----------------------------------------------------------------------Out
252912
14
107
12
0
Hardware is BRI
The BRI channel 1 protocol is also up now.
BRI0:1 is up, line protocol is up
Hardware is BRI
Debug output gives us greater details.
111
Router4#debug dialer
Dial on demand events debugging is on
Router4#ping 2.2.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
00:41:30: BR0 DDR: Dialing cause ip (s=200.0.0.1, d=2.2.2.2)
00:41:30: BR0 DDR: Attempting to dial 252912
00:41:31: %LINK-3-UPDOWN: Interface BRI0:1, changed state to up
00:41:31: BR0:1 DDR: dialer protocol up
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 32/32/32 ms
changed state to up
00:43:32: BR0:1 DDR: idle timeout
00:43:32: BR0:1 DDR: disconnecting call
00:43:32: %ISDN-6-DISCONNECT: Interface BRI0:1 disconnected from
252912 , call lasted 121 seconds
00:43:32: %LINK-3-UPDOWN: Interface BRI0:1, changed state to down
changed state to down
112
III) Frame-Relay
Point-to-Point WAN configuration
L0
1.1.1.1
s0
R1
150.0.0.1
FR
Cloud
150.0.0.2
s0
R2
L0
2.2.2.2
Frame-Relay is typically a PVC and the configurations are fairly

simple. Once encapsulation Frame-relay is configured on the WAN Serial
Interface, it supports both Multipoint & Point-to-Point connections
without any further configuration.
Router1(config-if)#encapsulation frame-relay
Router2(config-if)#int s0/0
As usual, lets view the running config & routing tables of both the
routers.
Router1#sh run
!
hostname Router1
!
!
interface Loopback0
ip address 1.1.1.1 255.0.0.0
!
interface Serial0
ip address 150.0.0.1 255.255.0.0
encapsulation frame-relay
!
router rip
network 1.0.0.0
network 150.0.0.0
line con 0
line aux 0
113
line vty 0 4
password cisco
login
!
End
Router2#sh run
!
hostname "Router2"
!
!
interface Loopback0
ip address 2.2.2.2 255.0.0.0
!
interface Serial0/0
ip address 150.0.0.2 255.255.0.0
no fair-queue
!
route rip
network 2.0.0.0
network 150.0.0.0
!
line con 0
line aux 0
line vty 0 4
password cisco
login
!
End
Router1#sh ip route
C
R
R
C

2.0.0.0/8 [120/1] via 150.0.0.2, 00:00:17, Serial0
3.0.0.0/8 [120/1] via 150.0.0.3, 00:00:08, Serial0
Router2#sh ip route
R
C
R
C
1.0.0.0/8 [120/1] via 150.0.0.1, 00:00:02, Serial0/0

3.0.0.0/8 [120/2] via 150.0.0.1, 00:00:02, Serial0/0
If the frame-Relay link were up, we will be able to see the PVC status
as active & well also be able to view the DLCI number.
Router1#sh frame-relay pvc
PVC Statistics for interface Serial0 (Frame Relay DTE)
114
Local
Switched
Unused
Active
1
0
0
Inactive
0
0
0
Deleted
0
0
0
Static
0
0
0
DLCI = 100,DLCI USAGE = LOCAL,PVC STATUS = ACTIVE,INTERFACE = Serial0

input pkts 41
output pkts 50
in bytes 4032
out bytes 4806
dropped pkts 0
in FECN pkts 0
in BECN pkts 0
out FECN pkts 0
out BECN pkts 0
in DE pkts 0
out DE pkts 0
out bcast pkts 12
out bcast bytes 970
pvc create time 00:40:28, last time pvc status changed 00:37:30
To view the DLCI no. mapping, use the below command
Router1#sh frame-relay map
Serial0 (up): ip 150.0.0.2 dlci 100(0x64,0x1840), dynamic,
broadcast,, status defined, active
The LMI type can be seen as below
Router1#sh frame-relay lmi
LMI Statistics for interface Serial0 (Frame Relay DTE) LMI TYPE = CISCO
Invalid Unnumbered info 0
Invalid Prot Disc 0
Invalid dummy Call Ref 0
Invalid Msg Type 0
Invalid Status Message 0
Invalid Lock Shift 0
Invalid Information ID 0
Invalid Report IE Len 0
Invalid Report Request 0
Invalid Keep IE Len 0
Num Status Enq. Sent 244
Num Status msgs Rcvd 245
Num Update Status Rcvd 0
Num Status Timeouts 0
Lets see Router2s outputs also.
PVC Statistics for interface Serial0/0 (Frame Relay DTE)
Local
Switched
Unused
Active
1
0
0
Inactive
0
0
0
Deleted
0
0
0
Static
0
0
0
DLCI = 200, DLCI USAGE = LOCAL, PVC STATUS = ACTIVE, INTERFACE =

Serial0/0
input pkts 60
output pkts 50
in bytes 5966
out bytes 5158
dropped pkts 0
in pkts dropped 0
out pkts dropped 0
out bytes dropped 0
in FECN pkts 0
in BECN pkts 0
out FECN pkts 0
out BECN pkts 0
in DE pkts 0
out DE pkts 0
out bcast pkts 20
out bcast bytes 2038
Serial0/0 (up): ip 150.0.0.1 dlci 200(0xC8,0x3080), dynamic,
115
Router2#sh frame-relay lmi
LMI Statistics for interface Serial0/0(Frame Relay DTE)LMI TYPE = CISCO
Invalid Unnumbered info 0
Invalid Prot Disc 0
Invalid dummy Call Ref 0
Invalid Msg Type 0
Invalid Status Message 0
Invalid Lock Shift 0
Invalid Information ID 0
Invalid Report IE Len 0
Invalid Report Request 0
Invalid Keep IE Len 0
Num Status Enq. Sent 256
Num Status msgs Rcvd 257
Num Update Status Rcvd 0
Num Status Timeouts 0
NOTE : The show frame-relay PVC command would show inactive entry
if the remote WAN link were down. If the local link were down, it would
have shown as deleted.
116
HUB & SPOKE configuration Diagram
L0
s0
R3
3.3.3.3
150.0.0.2
L0
1.1.1.1
S0.1 150.0.0.1
R1
S0.2 160.0.0.1
FR
Cloud
160.0.0.2
s0
R2
2.2.2.2
L0
Such a configuration would warrant configuring the HUB router with subinterfaces as shown below.
Router1(config)#int serial 0.1
This would be the normal sub-interface creation command.
However, in a Frame-Relay environment, the sub-interface type also has
to be specified during configuration.
Router1(config)#int serial 0
Router1(config)#int s0.1 ?
multipoint
Treat as a multipoint link
point-to-point Treat as a point-to-point link
Lets create 2 point-to-point sub-interfaces
Router1(config)#int s0.1 point-to-point
Router1(config-subif)#ip add 150.0.0.1 255.255.0.0
Router1(config-subif)#exit
Router1(config)#int s0.2 point-to-point
Router1(config-subif)#ip add 160.0.0.1 255.255.0.0
Router1(config-subif)#
Once created, we also need to associate appropriate DLCI to the subinterfaces on the HUB Router.
Router1(config)#int s0.1
Router1(config-subif)#frame-relay interface-dlci 100
Router1(config-fr-dlci)#exit
Router1(config)#int s0.2
Router1(config-subif)#frame-relay interface-dlci 300
Router1(config-fr-dlci)#exit
Router1#sh run
117
!
hostname Router1
!
!
interface Loopback0
ip address 1.1.1.1 255.0.0.0
!
interface Serial0
no ip address
ip split-horizon
!
interface Serial0.1 point-to-point
ip address 150.0.0.1 255.255.0.0
frame-relay interface-dlci 100
!
interface Serial0.2 point-to-point
ip address 160.0.0.1 255.255.0.0
frame-relay interface-dlci 300
!
router rip
network 1.0.0.0
network 150.0.0.0
network 160.0.0.0
!
line con 0
line aux 0
line vty 0 4
password cisco
login
!
end
Router1#sh ip route
C
R
R
C
C

2.0.0.0/8 [120/1] via 150.0.0.2, 00:00:13, Serial0.1
3.0.0.0/8 [120/1] via 160.0.0.2, 00:00:27, Serial0.2
160.0.0.0/16 is directly connected, Serial0.2
150.0.0.0/16 is directly connected, Serial0.1
Well now be able to see 2 active PVCs on the HUB Router.

Local
Switched
Unused
Active
2
0
0
Inactive
0
0
0
Deleted
0
0
0
Static
0
0
0

Serial0.1
118
input pkts 53
output pkts 59
in bytes 4998
out bytes 7384
dropped pkts 0
in FECN pkts 0
in BECN pkts 0
out FECN pkts 0
out BECN pkts 0
in DE pkts 0
out DE pkts 0
out bcast pkts 46
Serial0.2
input pkts 20
output pkts 48
in bytes 1730
out bytes 7118
dropped pkts 0
in FECN pkts 0
in BECN pkts 0
out FECN pkts 0
out BECN pkts 0
in DE pkts 0
out DE pkts 0
out bcast pkts 33
Serial0.2 (up): point-to-point dlci, dlci 300(0x12C,0x48C0), broadcast
status defined, active
Serial0.1 (up): point-to-point dlci, dlci 100(0x64,0x1840), broadcast
status defined, active
Router2#sh run
!
hostname "Router2"
!
!
interface Loopback0
ip address 2.2.2.2 255.0.0.0
!
interface Serial0/0
ip address 150.0.0.2 255.255.0.0
no fair-queue
!
router rip
network 2.0.0.0
network 150.0.0.0
!
<output omitted>
Other Routers display similar details
Router2#sh ip route
R
C
R
R
1.0.0.0/8 [120/1] via 150.0.0.1, 00:00:16, Serial0/0

3.0.0.0/8 [120/2] via 150.0.0.1, 00:00:16, Serial0/0
160.0.0.0/16 [120/1] via 150.0.0.1, 00:00:16, Serial0/0
119
C

PVC Statistics for interface Serial0/0 (Frame Relay DTE)
Local
Switched
Unused
Active
1
0
0
Inactive
0
0
0
Deleted
0
0
0
Static
0
0
0

Serial0/0
input pkts 145
output pkts 125
in bytes 16384
out bytes 12708
dropped pkts 0
in pkts dropped 0
out pkts dropped 0
out bytes dropped 0
in FECN pkts 0
in BECN pkts 0
out FECN pkts 0
out BECN pkts 0
in DE pkts 0
out DE pkts 0
out bcast pkts 84
Serial0/0 (up): ip 150.0.0.1 dlci 200(0xC8,0x3080), dynamic,
Router3#sh run
!
hostname Router3
!
!
interface Loopback0
ip address 3.3.3.3 255.0.0.0
!
interface Serial0
ip address 160.0.0.2 255.0.0.0
!
router rip
network 3.0.0.0
network 160.0.0.0
!
line con 0
line aux 0
line vty 0 4
password cisco
login
!
end
Router3#sh ip route
120
R
R
C
R
C
1.0.0.0/8 [120/1] via 160.0.0.1, 00:00:23, Serial0

2.0.0.0/8 [120/2] via 160.0.0.1, 00:00:23, Serial0
150.0.0.0/16 [120/1] via 160.0.0.1, 00:00:23, Serial0

Local
Switched
Unused
Active
1
0
0
Inactive
0
0
0
Deleted
0
0
0
Static
0
0
0

Serial0
input pkts 141
output pkts 85
in bytes 17588
out bytes 8688
dropped pkts 0
in FECN pkts 0
in BECN pkts 0
out FECN pkts 0
out BECN pkts 0
in DE pkts 0
out DE pkts 0
out bcast pkts 35
Serial0 (up): ip 160.0.0.1 dlci 400(0x190,0x6400), dynamic,

CCNA Lab Manual

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

CCNA Lab Manual

Uploaded by

Copyright:

Available Formats

1

Cisco DEVICE AND

Device connectivity Basics

Rollover cable is being used

b. For remote Configuration through Auxiliary interface

Straight Through cable

Cross Over cable

Setting up the Management Console (windows environment):

Path to trigger the emulation software from your Desktop

Next, choose the default settings, else communication will be a

Create a temporary Access-List entry

Router#s? (displays all commands beginning with s)

Another interesting aspect is that we dont have to type the entire

Moves the cursor to the beginning of the line

Erases the word the cursor is under

End with CNTL/Z.

Lets add some description to the interface fastethernet 0/1

End with CNTL/Z.

Check out this description in running configuration using the command

It displays the cascade link as TRUNK.

Spanning-tree protocol - L ets n ext d o som e b asic ob servation on S T P

With reference to the above diagram, the Root Bridge is Switch B

Forward Delay 15 sec

Forward Delay 15 sec

MTU Parent RingNo BridgeNo Stp BrdgMode Tran1 Tran2

Remote SPAN VLANs

Assigning vlan membership lets make interface fa0/4 a member of Vlan

Lets change the switch mode to CLIENT.

SwitchB#show interface status

To view trunk details we use the commands show interface <interface

Total Mac Addresses for this criterion: 5

10.0.0.0/8 is directly connected, Ethernet0

Explanation of the Routing Table Entries :

The second way is when we manually configure it. A static route is a

Static Route Configuration

(safe to use this

20.0.0.0/8 [1/0] via 192.168.1.2

This shows additional entries (configuration discussed next) with S

20.0.0.0/8 [1/0] via 192.168.1.2

Two values in [1 / 0] represent the Administrative Distance (AD) &

20.0.0.0/8 is directly connected, Ethernet0

20.0.0.0/8 [1/0] via 172.16.0.1

Default Route Configuration

172.16.0.0/16 is directly connected, Serial0

1. To create a loopback interface use the interface loopback <id>

Create a loopback interface in Router1

3.0.0.0/8 is directly connected, Loopback0

3. Another useful command (to view various interface status) is the

OK? Method Status

administratively down down

The method column tells us whether the interface configuration was

ENABLING RIP PROTOCOL

Gateway of last resort is not set

1.0.0.0/8 is directly connected, Loopback0

Consider the second entry of the routing table

1.0.0.0/8 [120/1] via 11.0.0.1, 00:00:00, Serial0

To view more details regarding the configured Routing Protocol (RIP in

To verify the dynamic nature of the routing protocol, let's emulate a

Now this change is also reflected in the routing table a network

Gateway of last resort is not set

3.0.0.0/8 [120/1] via 11.0.0.2, 00:00:22, Serial1

The above experiment reveals

In this scenario, lets complete the basic interface configurations,

1.0.0.0/8 is directly connected, Loopback0