This copy of textbook is granted only for: Chan Myae (shweyoe.ucss@gmail.com)

Network Technologies

Information and Communication Technology

Training Institute, Union of Myanmar

[Cisco Routing & Switching]

Caution: This textbook is intended for use in training courses at
Information and Communication Technology Training Institute only.
Unauthorized copy of any part or all of this material is strictly prohibited.

S-AN-A-1.04
Network Technologies – ICTTI, Union of Myanmar
1/200


Document History

Date | Version | By | Remarks
4 April 2010 | 1.00 | T. D. Win, K. P. Thant, T. Naing | First version
28 April 2010 | 1.01 | T. D. Win, S. T. D. Win, K. P. Thant, T. Naing | Testing, modifying and adding for training course with Cisco devices
5 July 2010 | 1.02 | S. T. D. Win, K. P. Thant | Modifying and adding sub topics
30 Jan 2011 | 1.03 | K. P. Thant | Redraw some figures; support Cisco 1800 Series, Cisco 2600, Cisco 2800 and Catalyst 2960 Series
1 Aug 2011 | 1.04 | K. P. Thant, T. Naing | Editing some facts and LAB.



Copyright Information
Copyright © 2006 ICTTI. All rights reserved.

Cisco® and Cisco® Systems are registered trademarks of Cisco Systems, Inc. and /or its
affiliates in the U.S. and certain countries.

SUSE®, openSUSE®, the openSUSE® logo, Novell®, the Novell® logo, the N® logo, are
registered trademarks of Novell, Inc. in the United States and other countries. Linux is a
registered trademark of Linus Torvalds.

The example companies, organizations, products, domain names, e-mail addresses, logos,
people, places, and events depicted herein are fictitious. No association with any real
company, organization, product, domain name, e-mail address, logo, person, place, or event
is intended or should be inferred.

All other products and company names are the trademarks, registered trademarks, and
service marks of their respective owners. Throughout this manual, ICTTI and JICA have used
their best efforts to distinguish proprietary trademarks from descriptive names by following the
capitalization styles used by the manufacturer.



Contents at a Glance
1. CISCO Routers and LAN Switches <Day 1> ................................................................ 10
2. Router Basic Configuration <Day 2> ............................................................................ 29
3. IP Routing <Day 3-4-5> ................................................................................................ 62
4. LAN Switching <Day 6> ................................................................................................ 99
5. Virtual LANs <Day 7>.................................................................................................. 124
6. Network Security <Day 8-9> ....................................................................................... 144
7. WAN <Day 10> ........................................................................................................... 182
References ......................................................................................................................... 197
Tables and Figures ............................................................................................................. 198
Indexes ............................................................................................................................... 200



Cisco Routing & Switching 7/9/2012

1. CISCO Routers and LAN Switches <Day 1>

1.1. Cisco Router Management

1.1.1. Cisco Router Introduction

A Cisco router is a special-purpose computer. It has its own operating system, which is called the Internetwork Operating System (IOS), as well as files and file systems. The basic system administration functions that a router engineer must perform are discussed in this chapter.

Cisco routers use flash memory, rather than disks, for storing information. Flash storage is similar to Random Access Memory (RAM), but it does not need power to retain information, so it is called non-volatile RAM (NVRAM). There are other types of non-volatile solid state storage, such as Erasable Programmable Read Only Memory (EPROM). Flash storage media is significantly more expensive and slower than disk storage, but the amount of storage needed to run a router is relatively small compared to the amount needed to run a general-purpose computer. Flash also has the important benefit that it tends to be more reliable than disk storage.

There are two important configuration files on any router. There is the configuration file that describes the current running state of the router, which is called the running-config. Then, there is the configuration file that the router uses to boot, which is called the startup-config. Only the startup-config is stored in NVRAM. On most Cisco routers, the NVRAM area is somewhere between 16 and 256Kb, depending on the size and function of the router. You can synchronize the two configuration files by simply copying the running-config onto the startup-config file:

Router#copy running-config startup-config

Many engineers still use the old version of this command:

Router#write memory

Most of the examples throughout this book assume that you have IOS Version 12.
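Because only the startup-config survives a reload, any change made to the running-config and never copied to NVRAM (a tightened VTY line, a new enable secret) silently disappears at the next reboot, and any setting that was removed from the running-config comes back. The script below is an added example, not code from the ICTTI textbook: it compares two captured configuration texts the way an operator would compare `show running-config` with `show startup-config`, ignoring blank and `!` separator lines, and reports which lines are unsaved and which would be restored on reload. Both configuration texts are constructed samples, and the enable secret hash is a placeholder.

```python
"""Report configuration drift between running-config and startup-config.

Added example, not code from the ICTTI textbook. The two captures below are
constructed samples standing in for the output of 'show running-config' and
'show startup-config'; the enable secret hash is a placeholder, not a real hash.
"""
import difflib

# Constructed sample: what the device is running right now
RUNNING_CONFIG = """\
!
hostname Router1
!
enable secret 5 $1$PLACEHOLDER$hashgoeshere
!
interface FastEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 no shutdown
!
line vty 0 4
 login local
 transport input ssh
!
end
"""

# Constructed sample: what is saved in NVRAM and will come back after a reload
STARTUP_CONFIG = """\
!
hostname Router1
!
interface FastEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 no shutdown
!
line vty 0 4
 login
 transport input telnet
!
end
"""


def _normalise(config: str) -> list[str]:
    """Drop blank and '!' separator lines and trailing whitespace so that
    cosmetic differences are not reported as drift. Leading indentation is
    kept because it carries the IOS section structure."""
    return [line.rstrip() for line in config.splitlines()
            if line.strip() and not line.lstrip().startswith("!")]


def config_drift(running: str, startup: str) -> dict:
    """Compare the two configurations line by line.

    Returns a dict with:
      in_sync            True when the normalised texts are identical
      unsaved            lines only in running-config (lost on reload)
      removed_in_running lines only in startup-config (come back on reload)
    """
    start_lines = _normalise(startup)
    run_lines = _normalise(running)
    unsaved, removed = [], []
    matcher = difflib.SequenceMatcher(a=start_lines, b=run_lines, autojunk=False)
    for tag, i1, i2, j1, j2 in matcher.get_opcodes():
        if tag in ("replace", "insert"):
            unsaved.extend(run_lines[j1:j2])
        if tag in ("replace", "delete"):
            removed.extend(start_lines[i1:i2])
    return {"in_sync": not unsaved and not removed,
            "unsaved": unsaved,
            "removed_in_running": removed}


if __name__ == "__main__":
    report = config_drift(RUNNING_CONFIG, STARTUP_CONFIG)
    if report["in_sync"]:
        print("running-config and startup-config are in sync")
    else:
        print("unsaved changes (lost on reload):")
        for line in report["unsaved"]:
            print("  +", line)
        print("saved lines not in running-config (restored on reload):")
        for line in report["removed_in_running"]:
            print("  -", line)
        print("fix: Router#copy running-config startup-config")
```

Run against the two samples, the report lists the new enable secret and the SSH-only VTY settings as unsaved, and the old `login` / `transport input telnet` lines as what a reload would bring back; a `copy running-config startup-config` (or `write memory`) makes the report empty.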

Figure 1 – Router's components, with the show command that displays each of them:
RAM (running configuration file / program buffer): show running-config (write terminal), show version (show hardware), show memory, show protocols
Flash memory (IOS image): show flash
ROM (ROMMON mini-OS): no user-visible file
NVRAM (startup-config): show startup-config (show configuration)
Interfaces: show interface

Table 1 – Router's memories

RAM: RAM (DRAM) is used at run time for the executable Cisco IOS software (and its subsystems), the running configuration, routing tables, the Fast Switching cache, packets, and so on.

Flash: Flash is used for permanent storage of a full Cisco IOS software image in compressed form.

NVRAM: Non-Volatile RAM (NVRAM) is used for writable permanent storage of the startup configuration. On some platforms the startup configuration is stored in the same Flash device where the boot code is loaded.

ROM: ROM is used for permanently storing the startup diagnostic code (ROM Monitor) and an emergency OS. The main task of the boot ROM is to perform hardware diagnostics during boot up of the router (Power On Self Test, POST) and to load the Cisco IOS software from Flash into memory. The boot ROM is not erasable. It is an EPROM; it is socketed, so it can be replaced.

1.1.2. The Router Boot Sequence

When a router boots up, it performs a series of steps, called the boot sequence, to test the hardware and load the necessary software. The boot sequence consists of the following steps:

Step 1. The router performs a POST to verify the hardware components. The POST, stored in and run from ROM, checks for the different interfaces on the router.

Step 2. The bootstrap, which is a program in ROM, looks for and loads the Cisco IOS software from flash memory in all Cisco routers.

Step 3. The IOS software looks for a valid configuration file stored in NVRAM, called the startup-config file.

Step 4. If a startup-config file is in NVRAM, the router copies this file and places it in RAM, where it is called the running-config file.

1.1.3. Managing Configuration Register

The default configuration register setting on Cisco routers is 0x2102. The configuration register setting of 0x2102 tells the router to look in NVRAM for the boot sequence. You can see the current value of the configuration register by using the show version command. This command displays system hardware configuration information, the software version, and the names of the boot images on a router.

Router#sh version
Cisco Internetwork Operating System Software
IOS (tm) C2600 Software (C2600-C-M), Version 12.2(4)T1, RELEASE SOFTWARE (fc1)
TAC Support: http://www.cisco.com/tac
Copyright (c) 1986-2001 by cisco Systems, Inc.
…
128K bytes of non-volatile configuration memory.
8192K bytes of processor board System flash (Read/Write)
Configuration register is 0x2142

These are the main reasons you would want to change the configuration register:
- To force the system into the ROM monitor mode
- To select a boot source and default boot filename
- To enable or disable the Break function
- To control broadcast addresses
- To set the console terminal baud rate
- To load operation software from ROM
- To enable booting from a Trivial File Transfer Protocol (TFTP) server

You can change the configuration register by using the config-register command. Before you change the configuration register, make sure you know the current configuration register value.
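Knowing the current register value matters beyond the change procedure: the value the excerpt above shows, 0x2142, differs from the default 0x2102 in bit 6, which tells the router to ignore the contents of NVRAM, so the saved startup-config (and every password, ACL and line setting in it) is not applied at boot. Checking the register across a fleet is therefore a routine audit item. The script below is an added example, not code from the ICTTI textbook: it pulls the register out of `show version` text, decodes the bit fields that correspond to the textbook's list of reasons for changing it, and reports anything that deviates from the default. The sample output is constructed from the textbook's excerpt, with the `(will be 0x... at next reload)` suffix that IOS prints when a pending change exists added for illustration.

```python
"""Read the configuration register from 'show version' output and decode it.

Added example, not code from the ICTTI textbook. SAMPLE_SHOW_VERSION is
constructed from the textbook's own excerpt; the '(will be 0x.... at next
reload)' suffix is the form IOS appends when a changed value is pending.
"""
import re

# Constructed sample of 'show version' output (header lines taken from the
# textbook's excerpt; the pending-reload suffix added for illustration)
SAMPLE_SHOW_VERSION = """\
Cisco Internetwork Operating System Software
IOS (tm) C2600 Software (C2600-C-M), Version 12.2(4)T1, RELEASE SOFTWARE (fc1)
TAC Support: http://www.cisco.com/tac
Copyright (c) 1986-2001 by cisco Systems, Inc.
128K bytes of non-volatile configuration memory.
8192K bytes of processor board System flash (Read/Write)
Configuration register is 0x2142 (will be 0x2102 at next reload)
"""

DEFAULT_REGISTER = 0x2102

_REGISTER_RE = re.compile(
    r"Configuration register is 0x([0-9A-Fa-f]{1,4})"
    r"(?:\s*\(will be 0x([0-9A-Fa-f]{1,4}) at next reload\))?")


def parse_config_register(show_version: str) -> tuple[int, int]:
    """Return (current, at_next_reload). When no pending value is printed,
    both are the same number."""
    match = _REGISTER_RE.search(show_version)
    if match is None:
        raise ValueError("no 'Configuration register is' line in output")
    current = int(match.group(1), 16)
    pending = int(match.group(2), 16) if match.group(2) else current
    return current, pending


def decode_config_register(value: int) -> dict:
    """Decode the register fields behind the textbook's list of reasons to
    change it:
      bits 0-3  boot field: 0x0 = stop in ROM monitor, 0x1 = boot the ROM or
                boot-helper image (platform dependent), 0x2-0xF = boot from
                flash as directed by 'boot system' commands
      bit 6     0x0040 ignore NVRAM contents (startup-config not loaded)
      bit 8     0x0100 Break key disabled after boot
      bit 13    0x2000 boot default ROM software if network (TFTP) boot fails
    Console-speed and broadcast-address bits are left undecoded here."""
    boot_field = value & 0x000F
    return {
        "boot_field": boot_field,
        "boot_mode": {0: "rommon", 1: "rom-image"}.get(boot_field, "flash"),
        "ignore_nvram": bool(value & 0x0040),
        "break_disabled": bool(value & 0x0100),
        "rom_fallback_on_netboot_fail": bool(value & 0x2000),
    }


def audit_config_register(show_version: str) -> list[str]:
    """Findings for both the current and the next-reload value; an empty
    list means the router is at, and will stay at, the default 0x2102."""
    current, pending = parse_config_register(show_version)
    findings = []
    for label, val in (("current", current), ("next reload", pending)):
        bits = decode_config_register(val)
        if bits["ignore_nvram"]:
            findings.append(f"{label} 0x{val:04x}: NVRAM ignored, saved startup-config "
                            "(and its passwords/ACLs) not applied at boot")
        if bits["boot_mode"] == "rommon":
            findings.append(f"{label} 0x{val:04x}: router stops in ROM monitor")
        if not bits["break_disabled"]:
            findings.append(f"{label} 0x{val:04x}: Break key stays enabled after boot")
        if val != DEFAULT_REGISTER:
            findings.append(f"{label} 0x{val:04x}: differs from default 0x{DEFAULT_REGISTER:04x}")
    return findings


if __name__ == "__main__":
    for finding in audit_config_register(SAMPLE_SHOW_VERSION) or ["register at default"]:
        print(finding)
```

For the sample, the audit reports two findings against the current value 0x2142 (NVRAM ignored, and the value differs from the default) and nothing against the pending 0x2102, which is exactly the state the textbook's `config-register 0x2102` followed by a reload produces.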

Router(config)#config-register 0x2102
Router(config)#^Z
Router#sh ver
…
128K bytes of non-volatile configuration memory.
8192K bytes of processor board System flash (Read/Write)
Configuration register is 0x2142

The show version command displays the current configuration register value and also what that value will be when the router reboots. Any change to the configuration register won't take effect until the router is reloaded. Stop the router and start it again.

Router#sh ver
…
128K bytes of non-volatile configuration memory.
8192K bytes of processor board System flash (Read/Write)
Configuration register is 0x2102

1.1.4. Cisco Router Series

Figure 2 – Cisco Router Series and the sites for which they are suited (7200, AS5000, 4000, 3600, 2600, 2500, 1700, 1600, 1000, 800 and 700 Series, ranging from central site solutions through branch office and small office solutions to residential telecommuter site solutions)

The Cisco 700 series, designed for telecommuters, is a low-cost, easy-to-manage, multiprotocol ISDN router. The 700 router has been optimized for interoperability with Cisco core networks, although these routers can connect to any network that supports the relevant standards for ISDN and IP/Internetwork Packet Exchange (IPX) routing.

The Cisco 800 series routers are Cisco's lowest-priced routers that are based on Cisco IOS software. The 800 series ISDN access routers provide big-business networking benefits to small offices and corporate telecommuters. The Cisco 800 series offers secure, manageable, high performance solutions for Internet and corporate LAN access.

The Cisco 1000 series router is intended for remote office networking where Cisco IOS software and WAN options beyond ISDN are important.

The Cisco 1600 series routers are similar to the Cisco 1000 series routers, but they have a slot that accepts a WAN interface card. These cards are shared with the 1700, 2600, and 3600 series, and will be shared in future modular branch office-type products.

The Cisco 1720 access router delivers optimized security, integration, and flexibility in a desktop form factor for small- and medium-sized businesses, and for small branch offices that want to deploy Internet/intranet access or Virtual Private Networks (VPNs). The Cisco 1720 access router features two modular WAN slots that support 1600, 2600, and 3600 data WAN interface cards, and an autosensing 10/100-Mbps Fast Ethernet LAN port to provide investment protection and flexibility for growth.

The Cisco 2500 series routers provide a variety of models that are designed for branch office and remote site environments. These routers are typically fixed configuration, with at least two of the following interfaces: Ethernet, Token Ring, ISDN BRI, asynchronous serial, synchronous serial, and a hub.

The Cisco 2600 series features single or dual fixed LAN interfaces. A network module slot and two WAN interface card slots are available for WAN connections.

The 3600 series multiservice access servers/routers also offer a modular solution for dial-up and permanent connectivity over asynchronous, synchronous, and ISDN lines. Up to four network module slots are available for LAN and WAN requirements.

The Cisco 4500 and 4700 series access routers are high-performance modular Central site
routers with support for a wide range of LAN and WAN technologies. Their modular design
allows easy reconfiguration as needs change. The 4500 and 4700 are intended for large
regional offices that do not require the density of the 7200 series.

The Cisco 7200 routers are also very high-performance, modular Central site routers that
support a variety of LAN and WAN technologies, which are ideal for the mixed-media
requirements that are becoming more prevalent every day. The 7200 is targeted for large
regional offices that require high-density solutions.

The Cisco AS5000 series is Cisco's line of universal integrated access servers. The AS5000
series contains synchronous serial, digital ISDN, and asynchronous modem access server
functionality. The AS5000 series is extremely popular because it integrates the functions of
standalone CSUs, channel banks, modems, communication servers, switches, and routers in a
single chassis.

Branch Routers – Cisco 800, 2800 and 3800 Integrated Series Routers
WAN Routers – Cisco 7200 VXR Series and Cisco 7301 Router

The following table highlights some of the features and WAN options for each series of
routers.

Table 2 – Remote Access Options for each Series of Router
Router Platform   Remote Access Options
700 series        ISDN BRI, basic telephone service ports
800 series        ISDN BRI, basic telephone service ports, entry-level Cisco IOS software
1000 series       ISDN BRI, serial (1005 router)
1600 series       ISDN BRI, 1 WAN interface card slot
1700 series       2 WAN interface card slots
2500 series       Family of routers that offers various ISDN BRI, serial, and WAN interfaces
2600 series       Various fixed LAN interface configurations, one network module slot, two WAN
                  interface card slots
3600 series       Two and four network module slots on the 3620 and 3640, respectively
4000 series       T1/E1 ISDN PRI
AS5000 series     Access server with multiple T1/E1 ISDN PRI and modem capabilities
7200 series       Supports a wide range of WAN services, with the required high port density
                  necessary for a scalable enterprise WAN

(1) Central Site Router Equipment
Choose the router that supports the WAN protocols that you will use. When selecting a Central
site router, typical Cisco solutions include the following:
 Cisco 3600 series
 Cisco 4000 series
 Cisco AS5x00 series
 Cisco 7000 series

(2) Branch Office Router Equipment
Choose the router that supports the WAN protocols and interfaces you will use. For example,
the 1600 series router and the respective WAN interface card is an example of a branch office
router that will support the interfaces required. When selecting a branch office router,
typical Cisco solutions include the following:
 Cisco 1600 series
 Cisco 1700 series
 Cisco 2500 series
 Cisco 2600 series

(3) Telecommuter Site Router Equipment
Choose the router that supports the WAN protocols and interfaces that you will use. When
selecting a telecommuter site router, typical Cisco solutions include the following:
 Cisco 700 series (760 or 770)
 Cisco 800 series
 Cisco 1000 series

1.1.5. Cisco Switching Products
Cisco has two major brands of LAN switching products:
 Cisco Linksys Switch
 Cisco Catalyst Switch

The Cisco Linksys switch brand includes a variety of switches designed for use in the home.
The Cisco Catalyst switch brand includes a large collection of switches, all of which have
been designed with Enterprises (companies, governments, and so on) in mind. The Catalyst
switches have a wide range of sizes, functions, and forwarding rates. Cisco offers a wide
variety of Catalyst switches that fit within each Layer of the Cisco Hierarchical network
model.

Table 3 – Access Layer Switches
Model                                                 Max. Port Density                             Max. Backplane
Catalyst 2950                                         48 "10/100" ports                             13.6Gbps
Catalyst 3550 (SMI)                                   48 "10/100" ports or 12 "10/100/1000" ports   24Gbps
Catalyst 4000/4500 with Supervisor Engine III or IV   240 "10/100/1000" ports                       64Gbps

Table 4 – Distribution and Core Layer Switches
Model                  Max. Port Density                             Max. Backplane
Catalyst 3550 (EMI)    48 "10/100" ports or 12 "10/100/1000" ports   24Gbps
Catalyst 6500          Over 500 "10/100/1000" ports                  256Gbps

1.1.6. Cisco IOS
(1) Introduction
Cisco IOS Software is network system software that tightly integrates a broad range of
Internet and enterprise network hardware, including switches and routers. It enables network
services and Internet applications, including carrying the chosen network protocols and
functions, controlling access and prohibiting unauthorized network use, and adding interfaces
and capability as needed for network growth. Cisco IOS Software is implemented on most Cisco
hardware platforms. This software enables network services in Cisco products. Cisco IOS
Software is the unifying thread that connects otherwise disparate networks to build a
scalable network infrastructure, serving as an end-to-end solution for global networking.

(2) Cisco IOS Trains
A Cisco IOS train is a vehicle for delivering releases that evolve from a common code base.
In recent years, with the addition of thousands of new features, hundreds of new
applications, and a wide array of platforms, Cisco IOS Software diversified from one train of
releases to multiple trains supporting different feature sets for different customer needs.

Table 5 – Types of Trains
Type       Description                                                                  Train Name
mainline   Consolidates releases and fixes defects, and does not add additional          12.4
           features.
T          Introduces new features and fixes defects.                                   12.4 T
S          Contains features and a command-set for specific ISP equipment, which        12.2 S
           supports high-end backbone routing, and fixes defects. Consolidates 12.1E,
           12.0S, and 12.2 mainline.
E          Targets enterprise core and SP edge, supports advanced QoS, voice,           12.1 E
           security, and firewall.
B          Supports broadband features and fixes defects. Inherits features from the    12.3 B
           parent T train.

(3) Cisco IOS Software Images
A Cisco IOS image is a binary executable file of a feature set for a specific platform.
Multiple images exist for a release, representing supported platform and feature set
combinations. The Cisco IOS Software image name represents the hardware, feature set, format
and other information about the image file. Figure 3 shows the image name of Cisco IOS
Software Release 12.4(22)T with the Enterprise Base feature set for the Cisco 3825 router.

Figure 3 – Example of a Cisco IOS Software Image Name
c3825-entbasek9-mz.124-22.T.bin
  c3825       Hardware
  entbasek9   Feature Set
  m           Memory Location
  z           Compression Format
  124         Train Number
  22          Maintenance Release
  T           Train Identifier

1.1.7. Cisco IOS Modes
The Cisco IOS command-line interface is organized around the idea of modes. You move in and
out of several different modes while configuring a router, and which mode you are in
determines what commands you can use. Each mode has a set of commands available in that
mode, and some of these commands are only available in that mode. In any mode, typing a
question mark will display a list of the commands available in that mode.
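As a worked example of the image-name layout labelled in Figure 3 (added here; not code from
the textbook or from Cisco), the Python parser below splits an image name into those fields
and rebuilds the release string in Cisco's 12.4(22)T notation. It handles the three names
that appear in this chapter: the Figure 3 example, the c2800nm-ipbase-mz.124-3g.bin image
used later for backup and restore, and the c2600-jk9o3s-mz.123-10 image used in the ROMmon
section, which carries no .bin suffix. The meaning of the m and z codes (runs from RAM,
zip-compressed) and the k9 strong-crypto marker are Cisco naming conventions that the page
does not spell out.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Layout of a classic IOS image name, as labelled in Figure 3:
#   <hardware>-<feature set>-<memory><compression>.<train>-<maintenance>[.<identifier>][.bin]
IMAGE_RE = re.compile(
    r"^(?P<hardware>[a-z0-9]+)-(?P<feature_set>[a-z0-9_]+)"
    r"-(?P<memory>[a-z])(?P<compression>[a-z])"
    r"\.(?P<train>\d{3})-(?P<maintenance>\d+[a-z]?)"
    r"(?:\.(?P<identifier>[A-Z][A-Z0-9]*))?(?:\.bin)?$"
)

# Cisco naming conventions for the two single-letter codes (not stated on the page).
MEMORY_LOCATIONS = {"m": "runs from RAM"}
COMPRESSIONS = {"z": "zip-compressed"}


@dataclass
class IosImageName:
    hardware: str
    feature_set: str
    memory_location: str
    compression: str
    train: str                       # e.g. "12.4"
    maintenance: str                 # e.g. "22" or "3g"
    train_identifier: Optional[str]  # e.g. "T"; None for a mainline image

    @property
    def release(self) -> str:
        """Release string in Cisco's 12.4(22)T notation."""
        return f"{self.train}({self.maintenance}){self.train_identifier or ''}"

    @property
    def strong_crypto(self) -> bool:
        """Cisco marks feature sets that include 3DES/AES crypto with 'k9'."""
        return "k9" in self.feature_set

    def describe(self) -> str:
        memory = MEMORY_LOCATIONS.get(self.memory_location, "unknown memory location")
        compression = COMPRESSIONS.get(self.compression, "unknown compression")
        return (f"{self.hardware} {self.release} feature set {self.feature_set} "
                f"({memory}, {compression})")


def parse_ios_image_name(name: str) -> IosImageName:
    """Split a Cisco IOS image file name into its labelled fields."""
    match = IMAGE_RE.match(name)
    if match is None:
        raise ValueError(f"not a Cisco IOS image name: {name!r}")
    digits = match.group("train")            # "124" -> train "12.4"
    return IosImageName(
        hardware=match.group("hardware"),
        feature_set=match.group("feature_set"),
        memory_location=match.group("memory"),
        compression=match.group("compression"),
        train=f"{digits[:2]}.{digits[2:]}",
        maintenance=match.group("maintenance"),
        train_identifier=match.group("identifier"),
    )


if __name__ == "__main__":
    for name in ("c3825-entbasek9-mz.124-22.T.bin",
                 "c2800nm-ipbase-mz.124-3g.bin",
                 "c2600-jk9o3s-mz.123-10"):
        print(name, "->", parse_ios_image_name(name).describe())
```

The parser rejects names that do not follow the layout instead of guessing, so it can be used
to sanity-check a file name before it is entered at a copy or TFTP_FILE prompt.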

Router>?

Table 6 – Summary of Command Mode

User EXEC
  Usage: Change terminal settings on a temporary basis, perform basic tests, and list system
  information
  How to enter the mode: First level accessed.
  Prompt: Router>
  About this mode: Change terminal settings, perform basic tests, and display system
  information

Privileged EXEC
  Usage: System administration, set operating parameters
  How to enter the mode: From user EXEC mode, enter enable password
  Prompt: Router#
  About this mode: Configure your router operating parameters. Perform the command
  verification steps

Global Config
  Usage: Modify configuration that applies to your router as a whole
  How to enter the mode: From privileged EXEC, enter configure terminal
  Prompt: Router(config)#
  About this mode: To configure parameters that affect the system as a whole

Interface Config
  Usage: Modify the operation of an interface
  How to enter the mode: From global mode, enter interface type number
  Prompt: Router(config-if)#
  About this mode: Use this mode to configure parameters for the various LAN and WAN
  interfaces, such as Ethernet, Serial, ISDN, etc.

Setup
  Usage: Create the initial configuration
  How to enter the mode: From privileged EXEC mode, enter command setup
  Prompt: Prompted dialog

(1) User EXEC Mode
When you are connected to the router, you are started in user EXEC mode. The user EXEC
commands are a subset of the privileged EXEC commands.

(2) Privileged EXEC Mode
Privileged commands include the following:
 Configure – Changes the software configuration.
 Debug – Display process and hardware event messages.
 Setup – Enter configuration information at the prompts.
Enter the command disable to exit from the privileged EXEC mode and return to user EXEC mode.

(3) Configuration Mode
Configuration mode has a set of sub-modes that you use for modifying interface settings,
routing protocol settings, line settings, and so forth. Use caution with configuration mode
because all changes you enter take effect immediately. To enter global configuration mode,
enter the command configure terminal.

Figure 4 – Command Mode Transition

  User EXEC          Router>
      | enable                  ^ exit
  Privileged EXEC    Router#
      | configure terminal      ^ exit / Ctrl+z
  Global Config      Router(config)#
      | interface               ^ exit   (Ctrl+z or end returns to privileged EXEC)
  Interface Config   Router(config-if)#

From global configuration mode, you can access specific configuration modes, which
include, but are not limited to, the following:

 Interface: Supports commands that configure operations on a per-interface basis
 Subinterface: Supports commands that configure multiple virtual interfaces on a
single physical interface
 Controller: Supports commands that configure controllers (for example, E1 and T1
controllers)
 Line: Supports commands that configure the operation of a terminal line (for
example, the console or the vty ports)
 Router: Supports commands that configure an IP routing protocol
If you enter the exit command, the router backs out one level, eventually logging out. In
general, you enter the exit command from one of the specific configuration modes to return
to global configuration mode. Press Ctrl-Z or enter end to leave configuration mode
completely and return to the privileged EXEC mode.

Commands that affect the entire device are called global commands. The hostname and
enable password commands are examples of global commands.

Commands that point to or indicate a process or interface that will be configured are called
major commands. When entered, major commands cause the CLI to enter a specific
configuration mode. Major commands have no effect unless you immediately enter a
subcommand that supplies the configuration entry. Notice that entering a major command
switches from one configuration mode to another.

Table 7 – Major Commands and Subcommands
Major command                        Subcommand
RouterX(config)#interface serial 0   RouterX(config-if)#shutdown
RouterX(config)#line console 0       RouterX(config-line)#password cisco
RouterX(config)#router rip           RouterX(config-router)#network 10.0.0.0

1.2. Connecting to a Cisco Router
We can access the Cisco IOS through the console port of a router, from a modem into the
auxiliary (or Aux) port, or even through Telnet. Access to the IOS command line is called an
EXEC session.

We can connect to a Cisco router to configure it, verify its configuration, and check statistics.
There are different ways to connect a router, but the first place is the console port. The
console port is usually an RJ-45 connection located at the back of the router. There is
another port, an auxiliary port which is the same as a console port. The auxiliary port allows
configuring modem commands so that a modem can be connected to the router. For
example, it lets you dial up a remote router and attach to the auxiliary port if the router is
down and you need to configure it out-of-band (that is out of the network). We can use
Telnet, in-band, to connect to any active interface on a router, such as an Ethernet or serial
port.

1.3. Console Connection
First, connect a console cable between the PC's COM1 port and the router's console port.
The cable is blue and must be a rollover cable; it is neither a straight-through nor a
crossover cable.

If your PC does not have a COM port, which is common on laptop PCs, you can use a
USB-to-serial converter so that the console cable can be connected.

1.3.1. Linux
From Linux, the “minicom” command can be used to talk to the Cisco device, so install the
“minicom” package.

Running this command with the “-s” option shows the setup menu used to configure the
connection.


# minicom -s

Configure the Serial port setup like below.
A - Serial Device : /dev/ttyS0
B - Lockfile Location : /var/lock

C - Callin Program :

D - Callout Program :

E - Bps/Par/Bits : 9600 8N1
F - Hardware Flow Control : No

G - Software Flow Control : No

Change which setting?

Select “Save setup as dfl” and then “Exit”. The terminal will connect to the Cisco device.

To close the terminal session, press “Ctrl-A” and then the “q” key, which returns you to the
shell prompt.

Next time, you just enter this command to connect.
# minicom

1.3.2. Windows
(1) Hyper Terminal
[Hyper Terminal] is the default tool shipped together with Windows. When you open the
[Hyper Terminal], enter the connection name, and click [OK].

Change the COM properties especially at the [Bits per second] textbox to 9600.


(2) PuTTY
To connect to the console with PuTTY, select [Serial].

(3) Tera Term
To connect to the console with Tera Term, select [Serial] and the desired port.


1.4. Managing Cisco IOS Images
Occasionally the router will need to have the IOS upgraded or restored. On a new router, the
IOS should be backed up.

1.4.1. Backing up and Restoring the Cisco IOS
We can back up the Cisco IOS to a TFTP server by using the copy flash tftp command. This
command requires only the source filename and the IP address of the TFTP server. To install
a TFTP server, we can get TFTPD32 from
http://pagesperso-orange.fr/philippe.jounin/tftpd32.html. It can easily start a TFTP server.

Firstly, we need to set up the TFTP server. We make sure there is solid connectivity to the
TFTP server by using the ping command. For example, the IP address of the TFTP server is
192.168.0.129; check connectivity like this.

Router#ping 192.168.0.129
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.0.129, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/8 ms

Secondly, we check the source filename of the router by using the show flash command.

Router#show flash
Directory of flash:/
    2  -rwx        1560  May 13 2010 14:37:44 +06:30  vlan.dat
    3  -rwx        1048  Mar 1 1993 11:30:39 +06:30  multiple-fs
    4  -rwx        7534  Mar 1 1993 11:30:38 +06:30  config.text
    5  drwx         512  Mar 1 1993 06:38:29 +06:30  c2800nm-ipbase-mz.124-3g.bin
  547  -rwx           5  Mar 1 1993 11:30:39 +06:30  private-config.text

21710744 bytes total (17950208 bytes free)

 Backing up the Cisco IOS
After we check that the TFTP server and router connection is working, you can use the copy
flash tftp command to copy the IOS to the TFTP server as shown below:

Router#copy flash tftp
Source filename []?c2800nm-ipbase-mz.124-3g.bin
Address or name of remote host []?192.168.0.129
Destination filename [c2800nm-ipbase-mz.124-3g.bin]? [enter]
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
21710744 bytes copied in 60.724 secs (357532 bytes/sec)
Router#

or

Router#copy flash:c2800nm-ipbase-mz.124-3g.bin tftp://192.168.0.129/c2800nm-ipbase-mz.124-3g.bin

This will copy the IOS file on the machine into the TFTP server.

 Restoring the Cisco Router IOS
When a router's original file has been damaged or if you want to upgrade the IOS, you need
to restore the Cisco IOS to flash memory to replace the original file. You can download the
file from a TFTP server to flash memory by using the copy tftp flash command. This command
requires the IP address of the TFTP host and the name of the file you want to download. We
make sure the file you want to place in flash memory is in the default TFTP directory on
your host. If the file is not in the default directory of the TFTP host, this just won't work.

Router#copy tftp flash
Address or name of remote host []?192.168.0.129
Source filename []?c2800nm-ipbase-mz.124-3g.bin
Destination filename [c2800nm-ipbase-mz.124-3g.bin]? [enter]
%Warning: There is a file already existing with this name
Do you want to over write? [confirm] [enter]
Accessing tftp://192.168.0.129/c2800nm-ipbase-mz.124-3g.bin...
Loading c2800nm-ipbase-mz.124-3g.bin from 192.168.0.129 (via FastEthernet0/0): !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
[OK - 21710744 bytes]

21710744 bytes copied in 82.880 secs (261954 bytes/sec)
Router#

1.4.2. Download IOS in ROMmon Mode
This section explains how to download an IOS image file to a Cisco 2600/2800/3800 Series
Router over TFTP using the ROMmon tftpdnld command.

You can view the ROMmon environment variables by using the set command, as shown here.

rommon 3 > set
PS1=rommon ! >
IP_ADDRESS=172.16.18.123
IP_SUBNET_MASK=255.255.255.0
DEFAULT_GATEWAY=172.16.18.2
TFTP_SERVER=172.16.18.10
TFTP_FILE=iosfolder/c2600-jk9o3s-mz.123-10

You can specify the ROMmon environment variables. The IOS file is available at the TFTP
server's iosfolder/c2600-jk9o3s-mz.123-10.bin. You do not need to specify the .bin extension.

rommon 16 > IP_ADDRESS=192.168.0.250
rommon 17 > IP_SUBNET_MASK=255.255.255.0
rommon 18 > DEFAULT_GATEWAY=192.168.0.1
rommon 19 > TFTP_SERVER=192.168.0.3
rommon 20 > TFTP_FILE=iosfolder/c2600-jk9o3s-mz.123-10

You need to use the sync command to save the ROMmon environment variables to nonvolatile
RAM (NVRAM). Now you can download.

rommon 21 > tftpdnld

IP_ADDRESS: 192.168.0.250
IP_SUBNET_MASK: 255.255.255.0
DEFAULT_GATEWAY: 192.168.0.1
TFTP_SERVER: 192.168.0.3
TFTP_FILE: iosfolder/c2600-jk9o3s-mz.123-10

Invoke this command for disaster recovery only.
WARNING: all existing data in all partitions on flash will be lost!
Do you wish to continue? y/n: [n]: y

Receiving c2600-jk9o3s-mz.123-10 from 192.168.0.3 !!!!!.!!!!!!!!!!!!!!!!!!!.!!
File reception completed.
Copying file c2600-jk9o3s-mz.123-10 to flash.
Erasing flash at 0x607c0000
program flash location 0x60440000
rommon 22 >
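Most tftpdnld failures trace back to the variables set above (a mask or gateway that does not
match the server's subnet, or a variable left over from an earlier session) rather than to the
image itself, so it pays to validate them before answering "y" to the flash-erase warning.
The following Python snippet is an added example, not code from the textbook: it collects
the KEY=VALUE assignments from a ROMmon transcript (the rommon 16 to 20 lines above,
embedded here as a constructed sample) and checks that every variable tftpdnld needs is
present and that the gateway and TFTP server are reachable from the configured address and
mask.

```python
import ipaddress
import re
from typing import Dict, List

# Variables the ROMmon tftpdnld command reads.
REQUIRED = ("IP_ADDRESS", "IP_SUBNET_MASK", "DEFAULT_GATEWAY", "TFTP_SERVER", "TFTP_FILE")

# Strips a leading "rommon N > " prompt so typed assignments parse like 'set' output.
PROMPT_RE = re.compile(r"^rommon \d+ > ")

# Constructed sample: the assignments typed in the ROMmon session above.
SESSION = """\
rommon 16 > IP_ADDRESS=192.168.0.250
rommon 17 > IP_SUBNET_MASK=255.255.255.0
rommon 18 > DEFAULT_GATEWAY=192.168.0.1
rommon 19 > TFTP_SERVER=192.168.0.3
rommon 20 > TFTP_FILE= iosfolder/c2600-jk9o3s-mz.123-10
"""


def parse_rommon_env(transcript: str) -> Dict[str, str]:
    """Collect KEY=VALUE pairs from 'set' output or typed assignments; later lines win."""
    env: Dict[str, str] = {}
    for raw in transcript.splitlines():
        line = PROMPT_RE.sub("", raw.strip())
        if "=" not in line:
            continue                       # the 'set' or 'sync' command itself, blank lines
        key, _, value = line.partition("=")
        env[key.strip()] = value.strip()
    return env


def check_tftpdnld_env(env: Dict[str, str]) -> List[str]:
    """Return the problems that would make tftpdnld fail; an empty list means go ahead."""
    problems = [f"{key} is not set" for key in REQUIRED if not env.get(key)]
    if problems:
        return problems
    try:
        iface = ipaddress.IPv4Interface(f"{env['IP_ADDRESS']}/{env['IP_SUBNET_MASK']}")
        gateway = ipaddress.IPv4Address(env["DEFAULT_GATEWAY"])
        server = ipaddress.IPv4Address(env["TFTP_SERVER"])
    except ValueError as exc:
        return [f"invalid address or mask: {exc}"]
    network = iface.network
    if iface.ip in (network.network_address, network.broadcast_address):
        problems.append(f"IP_ADDRESS {iface.ip} is the network or broadcast address of {network}")
    if gateway not in network:
        problems.append(f"DEFAULT_GATEWAY {gateway} is outside {network}")
    if server not in network and gateway not in network:
        problems.append(f"TFTP_SERVER {server} is off-subnet and no reachable gateway is set")
    if server == iface.ip:
        problems.append("TFTP_SERVER must not be the router's own IP_ADDRESS")
    return problems


if __name__ == "__main__":
    env = parse_rommon_env(SESSION)
    print(env)
    print(check_tftpdnld_env(env) or "environment looks consistent; run sync, then tftpdnld")
```

Because later assignments override earlier ones, the same parser can be fed the whole
session, including the initial set output, and will report on the values that are actually
in effect.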

2. Router Basic Configuration <Day 2>
2.1. Command Line Interface (CLI)
Cisco uses the acronym CLI to refer to the terminal user command-line interface to the IOS.
The term CLI implies that the user is typing commands at a terminal, a terminal emulator, or
a Telnet connection. [1]

2.1.1. Context Sensitive Help
Cisco IOS CLI offers context sensitive help. This is a useful tool for a new user because at
any time during an EXEC session, a user can type a question mark (?) to get help. Two types
of context sensitive help are available: word help and command syntax help.

Word help can be used to obtain a list of commands that begin with a particular character
sequence. To use word help, type in the characters in question followed immediately by the
question mark (?). Do not include a space before the question mark. The router will then
display a list of commands that start with the characters that were entered. The following
is an example of word help:

Router#co?
configure  connect  copy

Command syntax help can be used to obtain a list of command, keyword, or argument options
that are available based on the syntax the user has already entered. To use command syntax
help, enter a question mark (?) in the place of a keyword or argument. Include a space
before the question mark. The router will then display a list of available command options
with <cr> standing for carriage return. The following is an example of command syntax help:

Router#configure ?
  memory             Configure from NV memory
  network            Configure from a TFTP network host
  overwrite-network  Overwrite NV memory from TFTP network host
  terminal           Configure from the terminal
  <cr>

2.1.2. Command Abbreviation
Commands and keywords can be abbreviated to the minimum number of characters that identifies
a unique selection. For example, you can abbreviate the "configure" command to "conf" because
"configure" is the only command that begins with "conf". You could not abbreviate the command
to "con" because more than one command could fit these criteria. The router will issue the
following error message if you do not supply enough characters.

Router(config)#i
% Ambiguous command: "i"

2.1.3. Command Syntax Check
If a command is entered improperly (e.g. a typo or an invalid command option), the router
will inform the user and indicate where the error has occurred. A caret symbol (^) will
appear underneath the incorrect command, keyword, or argument. The following example
displays what happens if the keyword "fastethernet" is spelled incorrectly.

Router(config)#interface fastethernat
                                  ^
% Invalid input detected at '^' marker.

2.1.4. Hot Keys
For many editing functions, the IOS CLI editor provides hot keys. The following table lists
some editing shortcuts that are available.

Table 8 – Summary of Hot Keys
Key          Description
Delete       Removes one character to the right of the cursor.
Backspace    Removes one character to the left of the cursor.
TAB          Finishes a partial command.
Ctrl-A       Moves the cursor to the beginning of the current line.
Ctrl-R       Redisplays a line.
Ctrl-U       Erases a line.
Ctrl-W       Erases a word.
Ctrl-Z       Ends configuration mode and returns to the EXEC.
Up Arrow     Allows user to scroll forward through former commands.
Down Arrow   Allows user to scroll backward through former commands.

2.2. Basic Configuration
2.2.1. Status
Show system hardware and software status
Router>enable

Router#show version
Cisco Internetwork Operating System Software

IOS (tm) C2600 Software (C2600-IS-M), Version 12.2(19c), RELEASE SOFTWARE (fc2)

Show system memory statistics information
Router#show memory
Head Total(b) Used(b) Free(b) Lowest(b) Largest(b)

Processor 81C319DC 100460068 3738100 96721968 96573512 96583824

I/O 7C00000 4194304 1724720 2469584 2467872 2464444

Show router’s protocol at network layer and address.
Router#show protocols
Global values:

FastEthernet0/0 is up, line protocol is up
Internet address is 192.168.0.101/24

BRI0/0 is up, line protocol is up

Internet address is 192.168.1.101/24

BRI0/0:1 is down, line protocol is down

BRI0/0:2 is down, line protocol is down

Show router’s running configuration.
Router#show running-config

Building configuration...

Current configuration : 701 bytes

!

version 12.2
service timestamps debug uptime


service timestamps log uptime

no service password-encryption

Show router’s startup configuration at NVRAM
Router #show startup-config

Using 701 out of 29688 bytes

!

version 12.2

service timestamps debug uptime

service timestamps log uptime

no service password-encryption

Show router’s interfaces.
Router #show interfaces

FastEthernet0/0 is up, line protocol is up

Hardware is AmdFE, address is 000f.2411.9440 (bia 000f.2411.9440)

2.2.2. Hostname
You can set the identity of the router with the hostname command. This is only locally
significant, which means that it has no bearing on how the router performs name lookups or
how the router works on the internetwork.

Change router's hostname
Router>enable

Router#configure terminal

Router(config)#hostname cisco1

cisco1(config)#

2.2.3. Banners
A banner is a little security notice shown to any and all who attempt to telnet or dial into
your internetwork. You can create a banner to give anyone who shows up on the router
exactly the information you want them to have.

There are four available banner types: exec process creation banner, incoming terminal line
banner, login banner, and message of the day banner.

Router(config)#banner ?


LINE c banner-text c, where 'c' is a delimiting character

exec Set EXEC process creation banner

incoming Set incoming terminal line banner

login Set login banner

motd Set Message of the Day banner

prompt-timeout Set Message for login authentication timeout

Message of the day (MOTD) is the most extensively used banner. It gives a message to
every person dialing into or connecting to the router via Telnet or an auxiliary port, or even
through a console port as seen here:
Router(config)#banner motd ?

LINE c banner-text c, where 'c' is a delimiting character

Router(config)#banner motd c

Enter TEXT message. End with the character 'c'.

Router(config)#banner motd #
If you are not authorized to be in ICTTI network, then you must disconnect

immediately.

#
Router(config)#^z

Router#exit

Router con0 is now available

Press RETURN to get started.

If you are not authorized to be in ICTTI network, then you must disconnect

immediately.

Router>en

Router#

The preceding MOTD banner essentially tells anyone connecting to the router to get lost if
they’re not on the guest list. The part to understand is the delimiting character which is used
to tell the router when the message is done. You can use any character you want for it, but
you can’t use the delimiting character in the message itself.

2.2.4. Clock and NTP
Configure time, timezone and NTP server


Router#configure terminal

Router(config)#clock timezone MMT 6 30

Router#clock set 17:16:00 21 dec 2005

Router(config)#ntp server 192.168.0.1

2.2.5. Domain Name Services
Configure to use DNS to resolve hostnames
Router(config)#ip domain-lookup

Router(config)#ip domain-name foobar.site

Router(config)#ip domain-list foobar.site

Router(config)#ip name-server 192.168.0.1

Router(config)#ip name-server 192.168.0.2

domain-name: Define the default domain name
domain-list: Domain name to complete unqualified host names.

When you mistype a command, the router will wait a while for the name lookup to time out, so
you might want to disable domain lookup.
Router(config)#no ip domain-lookup

2.2.6. Simple Network Management Protocol (SNMP)
Enable the SNMP protocol on the router for monitoring. The traffic can then be monitored by
Cacti or other tools.
Router(config)#snmp-server community public RO

Note: SNMP version 1 transmits the community string in clear text, which can easily be
revealed by a sniffer.

2.3. Login Configuration

2.3.1. Privileged password
To assign the privileged level password, use the enable password command.
Router(config)#enable password test

However, you can see the password with show running-config.
Router#show running-config

enable password test


To enable strong, nonreversible encryption of the privileged password, use the enable secret
command.

Router(config)#enable secret testuser

You should never use the same password for the enable password and enable secret commands.
The router warns you against doing this, but will accept it.

Router(config)#enable password test
Router(config)#enable secret test
The enable secret you have chosen is the same as your enable password.
This is not recommended. Re-enter the enable secret.

2.3.2. Virtual Terminal (VTY)
The Virtual Teletype (VTY) lines are used to configure Telnet access to a Cisco router. To
initially set up a router, you need to connect to the console port and at a minimum enable
one interface and set the VTY password. After one interface is enabled and the VTY lines are
configured, an administrator can then Telnet into the router and do the final configurations
from that connection. To accept the telnet connection, configure enable secret (or enable
password), and the login must be configured on the VTY.

Router#conf t
Router(config)#enable secret cisco1
Router(config)#line vty 0 4
Router(config-line)#password cisco2
Router(config-line)#login
Router(config-line)#exit

The VTY password must be encrypted by the following command.

Router(config)#service password-encryption

Increase the telnet session timeout, so the connection will not be disconnected.

Router(config)#line vty 0 4
Router(config-line)#exec-timeout 0 0

2.3.3. Primary Terminal Line
This is the basic connection into every router. However,
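The points made in 2.2.6 and 2.3 so far (an enable password that show running-config displays
in the clear, service password-encryption left off, the well-known public SNMP community sent
in clear text by SNMP version 1, and exec-timeout 0 0 sessions that never expire) are all
visible in the text of the running configuration, so they can be checked mechanically. The
Python snippet below is an added example and not code from the textbook: it splits a running
configuration into global commands and line sections and reports those settings. The weak
sample configuration is constructed from the commands shown in this chapter, not captured
from a device; the hardened counterpart is the same configuration with each finding
addressed, using a placeholder community string.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample assembled from the commands shown in sections 2.2.6 and 2.3
# (not a capture from a real device).
WEAK_CONFIG = """\
version 12.2
no service password-encryption
hostname cisco1
enable password test
snmp-server community public RO
line con 0
 exec-timeout 0 0
 logging synchronous
line vty 0 4
 exec-timeout 0 0
 password cisco2
 login
"""

# The same configuration with each finding addressed (community string is a placeholder).
HARDENED_CONFIG = """\
version 12.2
service password-encryption
hostname cisco1
enable secret cisco1
snmp-server community CHANGE-ME-community RO
line con 0
 exec-timeout 10 0
 logging synchronous
line vty 0 4
 exec-timeout 10 0
 password cisco2
 login
"""

DEFAULT_COMMUNITIES = {"public", "private"}


def split_config(config: str) -> Tuple[List[str], Dict[str, List[str]]]:
    """Return (global commands, {line header: [subcommands]})."""
    globals_: List[str] = []
    sections: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" "):            # IOS indents subcommands by one space
            if current is not None:
                sections[current].append(raw.strip())
            continue
        globals_.append(raw.strip())
        current = raw.strip() if raw.startswith("line ") else None
        if current is not None:
            sections[current] = []
    return globals_, sections


def audit_config(config: str) -> List[str]:
    """Report the weak settings discussed in this chapter; empty list means none found."""
    globals_, sections = split_config(config)
    findings: List[str] = []
    has_secret = any(cmd.startswith("enable secret ") for cmd in globals_)
    if any(cmd.startswith("enable password ") for cmd in globals_) and not has_secret:
        findings.append("enable password without enable secret: the privileged password is "
                        "reversible and shown by show running-config")
    if "no service password-encryption" in globals_:
        findings.append("service password-encryption is off: line passwords are stored in "
                        "clear text")
    for cmd in globals_:
        m = re.match(r"snmp-server community (\S+) (RO|RW)$", cmd)
        if m and m.group(1).lower() in DEFAULT_COMMUNITIES:
            findings.append(f"SNMP community '{m.group(1)}' ({m.group(2)}) is a well-known "
                            "default and travels in clear text with SNMP version 1")
    aaa = "aaa new-model" in globals_
    for header, subs in sections.items():
        if "exec-timeout 0 0" in subs:
            findings.append(f"{header}: exec-timeout 0 0 means an idle session never expires")
        if header.startswith("line vty") and not aaa and "login" not in subs:
            findings.append(f"{header}: no login configured on the VTY lines")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit_config(cfg) or ["no findings"])
```

The VTY check is skipped when aaa new-model is present, because that command replaces the
per-line login with the AAA login method.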

The console port can be used to enter the complete configuration at any time. There is only one console port on all routers. This makes it very important to protect the console port with a password, and to protect physical access to it: anyone who can plug into the console can carry out the password-removal procedure in 2.7.2.

To configure a console user-mode password, use the line command from global configuration mode. To find the complete command-line name on your router, use a question mark with the line command, as shown:
R0(config)#line ?
  <0-4>    First Line Number
  aux      Auxiliary line
  console  Primary terminal line
  vty      Virtual terminal

The console line is console 0, so the commands are:
Router#conf t
Router(config)#enable secret cisco1
Router(config)#line console 0
Router(config-line)#password cisco2
Router(config-line)#login
Router(config-line)#exit

The exec-timeout command takes minutes (0-35791) and seconds (0-2147483); 0 0 means the console never times out. The default is 10 minutes.
Router(config)#line con 0
Router(config-line)#exec-timeout 0 0

To stop console messages from popping up and disrupting the input when we are trying to type, use logging synchronous. The messages still appear, but the prompt and whatever you had typed are redisplayed beneath them, so your input is not interrupted.
Router(config)#line console 0
Router(config-line)#exec-timeout 0 0
Router(config-line)#logging synchronous
Router(config-line)#

2.3.4. Auxiliary Line
On some routers this is called the auxiliary port, and on some it is called the aux port. To configure the auxiliary password, go into global configuration mode and type line aux ?.
R0(config)#line aux 0

R0(config-line)#login
R0(config-line)#password aux

2.3.5. Setting up user IDs
Assign individual (or group) user IDs and passwords to network staff. Use the following set of configuration commands to enable locally administered user IDs (define the usernames before aaa new-model, otherwise the console will demand credentials that do not exist yet; and prefer username ... secret over username ... password, because the latter is stored reversibly):
Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z
Router(config)#username user1 password password1
Router(config)#username user2 password password2
Router(config)#aaa new-model
Router(config)#aaa authentication login default local

Enabling locally administered usernames overrides the default VTY password-based authentication. When you enable the aaa new-model command, the router immediately begins to prompt for usernames and passwords (the password is shown here for clarity; the router does not echo it):
% telnet Router
Trying 192.168.0.100… Connected to Router.
Escape character is '^]'.

User Access Verification
Username: user1
Password: password1
Router>

Compare this to how the router behaves by default:
% telnet Router2
Trying 192.168.0.101… Connected to Router.
Escape character is '^]'.

User Access Verification
Password: password1
Router2>

2.3.6. Encrypting Passwords
You need to encrypt passwords so that they do not appear in plain text in the router

configuration file, the way "enable password" did above:
Router(config)#service password-encryption

This command applies Type 7 encoding to the enable password and to the line and username passwords. Type 7 is reversible obfuscation, not encryption: it hides the password from someone looking over your shoulder, but anyone who obtains the configuration file can recover it. The enable secret, by contrast, is stored as a salted MD5 hash (Type 5), which is what the following command shows in the router's configuration file:
Router#show running-config | include secret
enable secret 5 $1$u76B$IOFVJ7VxfVXYVpGDrFTcI0

2.3.7. SSH
SSH is used instead of Telnet to increase the security of access to the router: Telnet sends the username, password and every command in clear text, while SSH encrypts the session. You need the following configuration:
- Hostname
- Domain name
- Asymmetric keys
- Local authentication
These are optional to configure:
- Timeouts
- Retries

On this IOS the RSA modulus tops out at 2048 bits; choose 2048 rather than 1024 where the platform allows it, and add ip ssh version 2 so that the weaker SSHv1 protocol is not offered.
Router>en
Router#conf t
Router(config)#host R1
R1(config)#ip domain-name domain1.site
R1(config)#crypto key generate rsa
The name for the keys will be: R1.domain1.site
Choose the size of the key modulus in the range of 360 to 2048 for your
  General Purpose Keys. Choosing a key modulus greater than 512 may take
  a few minutes.

How many bits in the modulus [512]: 1024
% Generating 1024 bit RSA keys ...[OK]
R1(config)#ip ssh time-out 15
R1(config)#ip ssh authentication-retries 2
R1(config)#username user1 secret user1password
R1(config)#line vty 0 4

R1(config-line)#transport input ssh
R1(config-line)#login local
R1(config-line)#exit

transport input ssh restricts these lines to SSH, so Telnet is no longer accepted on them. To log in to the remote router by SSH:
R2# ssh -l user1 192.168.0.1

2.4. Router Interfaces
Type interface ? to see all the interfaces available on the router.
Router(config)#interface ?
  Async              Async interface
  BVI                Bridge-Group Virtual Interface
  CTunnel            CTunnel interface
  Dialer             Dialer interface
  FastEthernet       FastEthernet IEEE 802.3
  Group-Async        Async Group interface
  Lex                Lex interface
  Loopback           Loopback interface
  MFR                Multilink Frame Relay bundle interface
  Multilink          Multilink-group interface
  Null               Null interface
  Serial             Serial
  Tunnel             Tunnel interface
  Vif                PGM Multicast Host interface
  Virtual-Template   Virtual Template interface
  Virtual-TokenRing  Virtual TokenRing
  range              interface range command

2.4.1. Bringing Up an Interface
All interfaces are shut down by default. You can turn one on with the no shutdown command.
Router(config)#interface fastethernet 0/0
Router(config-if)#no shutdown
00:08:47 %LINK-3-UPDOWN: Interface Fastethernet0/0, changed state to up
00:08:47 %LINEPROTO-5-UPDOWN: Line protocol on Interface Fastethernet0/0, changed state to up
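The login settings from 2.3.1 to 2.3.7 can be checked mechanically. The following Python script is an added example, not code from the textbook: it audits a running-config for the weaknesses described above (no enable secret, a reversible enable password or username password, a line with a password but no login, exec-timeout 0 0, and Telnet on the VTY lines) and, to show what service password-encryption really does, decodes Type 7 strings with the publicly known XOR key. The two sample configurations and the Type 7 blob 0822455D0A16 (which encodes "cisco") are constructed for illustration; only the Type 5 hash is the one shown on the page.

```python
"""Audit a Cisco IOS running-config for the login weaknesses in this section.
Added example, not from the textbook; the configs below are constructed."""
import re

# The fixed XOR key behind "service password-encryption" (Type 7). It has
# been public for decades, which is why Type 7 protects nothing.
_TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv"


def type7_decode(blob: str) -> str:
    """Reverse a Type 7 string: two-digit seed, then hex bytes XORed with the key."""
    seed = int(blob[:2])
    data = bytes.fromhex(blob[2:])
    return bytes(b ^ _TYPE7_KEY[(seed + i) % len(_TYPE7_KEY)]
                 for i, b in enumerate(data)).decode()


def type7_encode(plain: str, seed: int = 8) -> str:
    """What IOS would store for a given seed; shows that decode() is exact."""
    enc = bytes(c ^ _TYPE7_KEY[(seed + i) % len(_TYPE7_KEY)]
                for i, c in enumerate(plain.encode()))
    return f"{seed:02d}{enc.hex().upper()}"


def _line_blocks(lines):
    """Yield (header, body) for every 'line ...' block; '!' or 'end' closes it."""
    header, body = None, []
    for ln in lines:
        if ln.startswith("line "):
            if header:
                yield header, body
            header, body = ln, []
        elif ln in ("!", "end"):
            if header:
                yield header, body
            header, body = None, []
        elif header:
            body.append(ln)
    if header:
        yield header, body


def audit_config(config: str) -> list:
    """Return one finding per weak setting; an empty list means clean."""
    findings = []
    lines = [ln.strip() for ln in config.splitlines()]
    if not any(ln.startswith("enable secret ") for ln in lines):
        findings.append("no 'enable secret': privileged password missing or stored reversibly")
    if "service password-encryption" not in lines:
        findings.append("'service password-encryption' off: line passwords stored in clear text")
    for ln in lines:
        # clear-text or Type 7 enable/username passwords ("... password 0 x" is not handled)
        m = re.match(r"(enable password|username \S+ password)(?: 7)? (\S+)$", ln)
        if m:
            shown = type7_decode(m.group(2)) if " 7 " in ln else m.group(2)
            findings.append(f"'{m.group(1)}' is reversible: recovers '{shown}'")
    for header, body in _line_blocks(lines):
        if any(b.startswith("password") for b in body) and not any(b.startswith("login") for b in body):
            findings.append(f"{header}: password set but no 'login', so it is never asked for")
        if "exec-timeout 0 0" in body:
            findings.append(f"{header}: exec-timeout 0 0, idle sessions never expire")
        if header.startswith("line vty") and any(
                b.startswith("transport input") and ("telnet" in b or b.endswith(" all"))
                for b in body):
            findings.append(f"{header}: Telnet accepted, credentials cross the network in clear text")
    return findings


# Constructed configs. Type 7 blobs survive turning the service off, so a
# config with both is realistic.
WEAK = """\
hostname R1
!
enable password 7 0822455D0A16
!
username admin password 7 0822455D0A16
!
line con 0
 exec-timeout 0 0
 password cisco2
 login
!
line vty 0 4
 password cisco2
 transport input telnet
!
end
"""

HARDENED = """\
hostname R1
service password-encryption
!
enable secret 5 $1$u76B$IOFVJ7VxfVXYVpGDrFTcI0
!
username admin secret 5 $1$u76B$IOFVJ7VxfVXYVpGDrFTcI0
!
line con 0
 exec-timeout 10 0
 login local
!
line vty 0 4
 exec-timeout 10 0
 transport input ssh
 login local
!
end
"""

if __name__ == "__main__":
    for finding in audit_config(WEAK):
        print("WEAK:", finding)
    print("HARDENED:", audit_config(HARDENED) or "no findings")
```

Run it against the output of show running-config saved to a file; the decoded Type 7 values in the findings are the argument for moving every password to enable secret and username ... secret before the file is ever copied off the router.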

Router(config-if)#exit
Router(config)#exit
Router#show interface Fa0/0
FastEthernet0/0 is up, line protocol is up

2.4.2. IP Address on an Interface
Router(config)#interface fa0/0
Router(config-if)#ip address 192.168.2.80 255.255.255.0
Router(config-if)#no shut

If you want to add a second subnet address to an interface, you must use the secondary keyword, for example:
Router(config-if)#ip address 192.168.4.80 255.255.255.0 secondary

2.4.3. Serial Interface Commands
To configure a serial interface, there are a couple of specifics that need to be discussed. Typically, the interface will be attached to a CSU/DSU type of device that provides clocking for the line. However, if you have a back-to-back configuration used in a lab environment, one end must provide clocking. This would be the DCE end of the cable. Cisco routers, by default, are all DTE devices, and you must tell an interface to provide clocking if it is to act as a DCE device.
DCE-Router#conf t
DCE-Router(config)#int s0/0
DCE-Router(config-if)#clock rate 64000

Next, you need the bandwidth for the serial interface. Unlike the clock rate command, which is given in bits per second, the bandwidth command is configured in kilobits per second:
DCE-Router(config-if)#bandwidth 64

Note that in production the values of the clock rate and the bandwidth depend on the WAN connectivity. The bandwidth value does not change the speed of the link; routing protocols use it to calculate metrics, so a wrong value changes routing decisions.

2.4.4. Interface State
One of the most important elements of the show interfaces command output is the display of the line and data-link protocol status.
Router#show interfaces fa0/0
fa0/0 is up, line protocol is up

  Hardware is HD64570
Based on the output of the show interfaces command, possible problems can be diagnosed as follows:
- Operational – fa0/0 is up, line protocol is up
- Connection problem – fa0/0 is up, line protocol is down: no keepalives, or a mismatch in the encapsulation type
- Interface problem – fa0/0 is down, line protocol is down: a cable might never have been attached, or some other interface problem
- Disabled – fa0/0 is administratively down, line protocol is down: manually disabled by using the shutdown command

2.5. Logging
Many network administrators overlook the importance of router logs. Logging is critical for fault notification, network monitoring, and security auditing.

2.5.1. Enabling local router logging
This configuration changes the format of the date stamp and saves the log into memory:
Router(config)#service timestamps debug datetime localtime show-timezone year
Router(config)#service timestamps log datetime localtime show-timezone year
Router(config)#logging buffered 16000 debugging

A good rule is to set your logging buffer to 16KB for smaller routers. Routers with more than 32MB of memory can safely dedicate 32KB, or even 64KB, without problem. To be safe, always check the amount of free memory on your router with the show memory command before increasing your buffer size. You can use the show logging command to view this buffer.
Router>show logging
Syslog logging: enabled (1 messages dropped, 2 messages rate-limited, 0 flushes, 0 overruns, xml disabled, filtering disabled)
    Console logging: level debugging, 12 messages logged, xml disabled, filtering disabled
    Monitor logging: level debugging, 0 messages logged, xml disabled,

filtering disabled
    Buffer logging: level debugging, 12 messages logged, xml disabled, filtering disabled
    Logging Exception size (4096 bytes)
    Count and timestamp logging messages: disabled
    Trap logging: level informational, 16 message lines logged

Log Buffer (16000 bytes):
Feb 1 2008 08:52:20.100 MMT: %SYS-5-CONFIG_I: Configured from console by console
Feb 1 2008 08:54:18.100 MMT: %SYS-5-CONFIG_I: Configured from console by console

2.5.2. Using a Remote Log Server
Use the following commands to send router log messages to a remote syslog server:
Router#conf t
Router(config)#logging on
Router(config)#logging 192.168.0.2
Router(config)#logging facility local1
Router(config)#logging source-interface FastEthernet 0/0

Forwarding log messages to a remote syslog server has several advantages over just retaining log messages locally on the router. The primary advantage is that messages sent to the server are stored on disk, including vital log messages that occur just before a router crashes due to an error. All other forms of router logging are lost when the router reloads. Another advantage of using a remote syslog server is storage capacity. A router stores logging messages in internal system memory, which severely limits the number of log messages that can be stored. Finally, being able to view log messages from all of your routers in a single location can be quite useful. Forwarding all router log messages to a common log file can assist in fault isolation, problem resolution, and security investigations.

The syslog protocol uses UDP port 514, and messages are forwarded asynchronously without acknowledgement from the server. In other words, communications between the router and server flow in a single direction, with the server acting as a passive receiver. Two consequences follow for the security engineer: messages dropped on the way are silently lost, and because UDP carries no authentication, any host that can reach the server can inject messages that look as if they came from a router. Restrict UDP 514 on the server to the routers' source addresses, and enable service sequence-numbers on the router so that gaps in the sequence reveal lost messages.
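As an added example (not part of the textbook), the following Python collector-side code parses the messages a router sends with the configuration above: it decodes the PRI into facility and severity (facility local1 gives 17*8 + severity), splits the Cisco %COMPONENT-SEVERITY-MNEMONIC header, flags messages an analyst should look at first, checks that the PRI severity agrees with the severity in the message (a cheap consistency test for hand-crafted datagrams), and uses the sequence numbers added by service sequence-numbers to detect messages lost in transit. The sample datagrams, the client address 192.168.0.50 and the timestamps are constructed for illustration.

```python
"""Decode and triage Cisco syslog datagrams as a collector on UDP 514 sees them.
Added example, not from the textbook; the sample messages are constructed."""
import re
import socket

SEVERITY = ["emergencies", "alerts", "critical", "errors", "warnings",
            "notifications", "informational", "debugging"]
# RFC 3164 facility codes; 'logging facility local1' on the router selects 17.
FACILITY = {0: "kern", 1: "user", 3: "daemon", 4: "auth",
            **{16 + i: f"local{i}" for i in range(8)}}

# <PRI>, optional sequence number ('service sequence-numbers'), timestamp as
# produced by 'service timestamps log datetime localtime show-timezone year',
# then %COMPONENT-SEVERITY-MNEMONIC: text.
_MSG = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?:(?P<seq>\d+): )?"
    r"(?P<ts>[*.]?[A-Z][a-z]{2} +\d{1,2} \d{4} \d\d:\d\d:\d\d(?:\.\d{1,3})? [A-Z]+): "
    r"%(?P<comp>[A-Z0-9_]+)-(?P<sev>[0-7])-(?P<mnem>[A-Z0-9_]+): (?P<text>.*)$")

# Mnemonics worth a second look even when the severity is low.
WATCHLIST = {"CONFIG_I", "LOGIN_FAILED", "LOGIN_SUCCESS", "UPDOWN", "RESTART"}


def parse(datagram: str) -> dict:
    """Split one datagram into its fields; raise ValueError if it is not Cisco syslog."""
    m = _MSG.match(datagram)
    if not m:
        raise ValueError(f"not a Cisco syslog message: {datagram!r}")
    pri = int(m["pri"])
    sev = int(m["sev"])
    return {
        "facility": FACILITY.get(pri // 8, str(pri // 8)),
        "severity": sev,
        "severity_name": SEVERITY[sev],
        "pri_matches": pri % 8 == sev,   # IOS derives the PRI severity from the message
        "seq": int(m["seq"]) if m["seq"] else None,
        "timestamp": m["ts"],
        "component": m["comp"],
        "mnemonic": m["mnem"],
        "text": m["text"],
    }


def triage(datagrams) -> dict:
    """Parse a batch and pull out what an analyst would look at first."""
    records = [parse(d) for d in datagrams]
    alerts = [r for r in records
              if r["severity"] <= 4 or r["mnemonic"] in WATCHLIST or not r["pri_matches"]]
    seqs = [r["seq"] for r in records if r["seq"] is not None]
    missing = sorted(set(range(min(seqs), max(seqs) + 1)) - set(seqs)) if seqs else []
    return {"records": records, "alerts": alerts, "missing_seq": missing}


def listen(port=514, host="0.0.0.0"):
    """Yield (source address, datagram) from the wire; binding to 514 needs root.
    Not used by the offline sample below."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((host, port))
    while True:
        data, (src, _) = sock.recvfrom(4096)
        yield src, data.decode(errors="replace")


# Constructed sample, as if sent with 'logging facility local1' (PRI = 17*8 + severity).
# Sequence number 14 is deliberately absent to mimic a lost datagram.
SAMPLE = [
    "<141>000012: Feb 1 2008 08:52:20.100 MMT: %SYS-5-CONFIG_I: Configured from console by console",
    "<140>000013: Feb 1 2008 08:53:01.452 MMT: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] "
    "[Source: 192.168.0.50] [localport: 22] [Reason: Login Authentication Failed] at 08:53:01 MMT Fri Feb 1 2008",
    "<142>000015: Feb 1 2008 08:55:40.003 MMT: %SYS-6-LOGOUT: User user1 has exited tty session 1(192.168.0.50)",
    "<139>000016: Feb 1 2008 08:56:02.771 MMT: %LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to down",
]

if __name__ == "__main__":
    result = triage(SAMPLE)
    for r in result["alerts"]:
        print(f"{r['severity_name']:14} {r['component']}-{r['mnemonic']}: {r['text']}")
    print("lost sequence numbers:", result["missing_seq"])
```

The PRI check only catches sloppy forgeries; a message with a consistent PRI and a spoofed source address is indistinguishable from a real one at the collector, which is why the source filtering on the server mentioned above matters more than any parsing.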

2.6. Cisco Discovery Protocol (CDP)
Cisco Discovery Protocol (CDP) is a proprietary protocol designed by Cisco to help administrators collect information about both locally attached and remote devices. Because it advertises the hostname, IP address, platform and IOS version of the router to every station on the segment in clear text, run it only on links towards devices you manage; disable it on interfaces facing users or untrusted networks with no cdp enable, or globally with no cdp run.

2.6.1. CDP Timers and Holdtime Information
The CDP timer is how often CDP packets are transmitted out of all active interfaces. The CDP holdtime is the amount of time that a receiving device keeps the information from a neighbor's packet before discarding it.
Router#sh cdp
Global CDP information:
        Sending CDP packets every 60 seconds
        Sending a holdtime value of 180 seconds
        Sending CDPv2 advertisements is enabled

To configure the CDP holdtime and timer on a router, use the global commands cdp holdtime and cdp timer.
Router#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#cdp ?
  advertise-v2  CDP sends version-2 advertisements
  holdtime      Specify the holdtime (in sec) to be sent in packets
  timer         Specify the rate at which CDP packets are sent (in sec)
  run
Router(config)#cdp holdtime ?
  <10-255>  Length of time (in sec) that receiver must keep this packet
Router(config)#cdp timer ?
  <5-254>  Rate at which CDP packets are sent (in sec)

2.6.2. Neighbor Information
The show cdp neighbors command delivers information about directly connected devices.

Figure 5 – CDP Neighbor Information: R1 f0/0 (192.168.0.1) connected back-to-back to R0 f0/0 (192.168.0.2)

R1#config t
R1(config)#int f0/0
R1(config-if)#ip address 192.168.0.1 255.255.255.0
R1(config-if)#no shut
R1(config-if)#cdp enable
R1(config-if)#exit
R1(config)#cdp holdtime 10
R1(config)#cdp timer 5

R0#config t
R0(config)#int f0/0
R0(config-if)#ip address 192.168.0.2 255.255.255.0
R0(config-if)#no shut
R0(config-if)#cdp enable
R0(config-if)#exit
R0(config)#cdp holdtime 10
R0(config)#cdp timer 5

R1#sh cdp neighbors
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                  S - Switch, H - Host, I - IGMP, r - Repeater

Device ID        Local Intrfce     Holdtme    Capability  Platform  Port ID
R0               Fas 0/0            8          R           2621      Fas 0/0

R0#sh cdp neighbors
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                  S - Switch, H - Host, I - IGMP, r - Repeater

Device ID        Local Intrfce     Holdtme    Capability  Platform  Port ID

R1               Fas 0/0            7          R           2621      Fas 0/0

Table 9 – CDP information
Field            Description
Device ID        The hostname of the device directly connected.
Local Interface  The port or interface on which you are receiving the CDP packet.
Holdtime         The amount of time the router will hold the information before discarding it if no more CDP packets are received.
Capability       The capability of the neighbor, such as router, switch, or repeater. The capability codes are listed at the top of the command output.
Platform         The type of Cisco device directly connected.
Port ID          The neighbor device's port or interface on which the CDP packets are multicast.

You can check detailed information about each device.
R1#sh cdp neighbors detail
-------------------------
Device ID: R0
Entry address(es):
  IP address: 192.168.0.2
Platform: cisco 2621,  Capabilities: Router
Interface: FastEthernet0/0,  Port ID (outgoing port): FastEthernet0/0
Holdtime : 7 sec

Version :
Cisco Internetwork Operating System Software
IOS (tm) C2600 Software (C2600-C-M), Version 12.2(4)T1,  RELEASE SOFTWARE (fc1)
TAC Support: http://www.cisco.com/tac
Copyright (c) 1986-2001 by cisco Systems, Inc.
Compiled Fri 26-Oct-01 00:19 by ccai

advertisement version: 2
Duplex: half

R0#sh cdp neighbors detail
-------------------------
Device ID: R1
Entry address(es):
  IP address: 192.168.0.1
Platform: cisco 2621,  Capabilities: Router
Interface: FastEthernet0/0,  Port ID (outgoing port): FastEthernet0/0
Holdtime : 8 sec

Version :
Cisco Internetwork Operating System Software
IOS (tm) C2600 Software (C2600-C-M), Version 12.2(4)T1,  RELEASE SOFTWARE (fc1)
TAC Support: http://www.cisco.com/tac
Copyright (c) 1986-2001 by cisco Systems, Inc.
Compiled Fri 26-Oct-01 00:19 by ccai

advertisement version: 2
Duplex: half

The show cdp entry * protocol and show cdp entry * version commands show the IP address and IOS version of each directly connected neighbor.
R1#sh cdp entry * protocol
Protocol information for R0 :
  IP address: 192.168.0.2
R1#sh cdp entry * version
Version information for R0 :
  Cisco Internetwork Operating System Software
  IOS (tm) C2600 Software (C2600-C-M), Version 12.2(4)T1,  RELEASE SOFTWARE (fc1)
  TAC Support: http://www.cisco.com/tac
  Copyright (c) 1986-2001 by cisco Systems, Inc.
  Compiled Fri 26-Oct-01 00:19 by ccai

R0#sh cdp entry * protocol
Protocol information for R1 :
  IP address: 192.168.0.1
R0#sh cdp entry * version
Version information for R1 :
  Cisco Internetwork Operating System Software
  IOS (tm) C2600 Software (C2600-C-M), Version 12.2(4)T1,  RELEASE SOFTWARE (fc1)
  TAC Support: http://www.cisco.com/tac
  Copyright (c) 1986-2001 by cisco Systems, Inc.
  Compiled Fri 26-Oct-01 00:19 by ccai

2.6.3. Gathering Interface Traffic, Port and Interface Information
The show cdp traffic command displays information about interface traffic, including the number of CDP packets sent and received and the errors with CDP.
R1#sh cdp traffic
CDP counters :
        Total packets output: 289, Input: 286
        Hdr syntax: 0, Chksum error: 0, Encaps failed: 0
        No memory: 0, Invalid packet: 0, Fragmented: 0
        CDP version 1 advertisements output: 0, Input: 0
        CDP version 2 advertisements output: 289, Input: 286
R0#sh cdp traffic
CDP counters :
        Total packets output: 300, Input: 298
        Hdr syntax: 0, Chksum error: 0, Encaps failed: 0
        No memory: 0, Invalid packet: 0, Fragmented: 0
        CDP version 1 advertisements output: 0, Input: 0
        CDP version 2 advertisements output: 300, Input: 298

The show cdp interface command gives you the CDP status on router interfaces or switch ports.
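To see why CDP should stay off untrusted interfaces, the following Python code is an added example (not from the textbook) that assembles a CDPv2 advertisement as R0 would send it and decodes it the way a packet sniffer on the same segment would. The frame goes to the multicast address 01:00:0c:cc:cc:cc with SNAP protocol ID 0x2000, and the Device ID, Address, Port ID, Capabilities, Software Version and Platform TLVs are exactly the fields that show cdp neighbors detail printed above; the holdtime is the second byte of the CDP header. The source MAC address and the shortened version string are constructed for the example. The checksum routine is the standard RFC 1071 one's-complement sum; Cisco uses a non-standard variant for odd-length payloads, so the builder refuses those rather than guess.

```python
"""Build and decode a CDP advertisement as seen by a sniffer on the segment.
Added example, not from the textbook; MAC address and version string are constructed."""
import struct

CDP_MULTICAST = bytes.fromhex("01000ccccccc")
# LLC (AA AA 03) + Cisco OUI (00 00 0C) + CDP protocol ID (20 00)
SNAP_HEADER = bytes.fromhex("aaaa03" "00000c" "2000")

TLV_ADDRESS, TLV_CAPABILITIES = 2, 4
TEXT_TLVS = {1: "device_id", 3: "port_id", 5: "software", 6: "platform"}
CAPS = {0x01: "Router", 0x02: "Trans Bridge", 0x04: "Source Route Bridge",
        0x08: "Switch", 0x10: "Host", 0x20: "IGMP", 0x40: "Repeater"}


def _checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words (even-length payloads only)."""
    if len(data) % 2:
        raise ValueError("odd-length CDP payload: Cisco's checksum variant is not implemented")
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def _tlv(tlv_type: int, value: bytes) -> bytes:
    """CDP TLV: 2-byte type, 2-byte length including this 4-byte header, value."""
    return struct.pack("!HH", tlv_type, len(value) + 4) + value


def build_cdp(device_id, ipv4, port_id, caps, software, platform, holdtime=180, version=2):
    """Assemble an 802.3/SNAP frame carrying one CDP advertisement."""
    addr = struct.pack("!I", 1)                         # one address follows
    addr += bytes([1, 1, 0xCC]) + struct.pack("!H", 4)  # NLPID, proto len 1, IPv4, addr len 4
    addr += bytes(int(o) for o in ipv4.split("."))
    body = (_tlv(1, device_id.encode()) + _tlv(TLV_ADDRESS, addr)
            + _tlv(3, port_id.encode()) + _tlv(TLV_CAPABILITIES, struct.pack("!I", caps))
            + _tlv(5, software.encode()) + _tlv(6, platform.encode()))
    cksum = _checksum(bytes([version, holdtime, 0, 0]) + body)   # computed with field zeroed
    payload = bytes([version, holdtime]) + struct.pack("!H", cksum) + body
    src_mac = bytes.fromhex("00d0bc123456")             # constructed example MAC
    return CDP_MULTICAST + src_mac + struct.pack("!H", len(SNAP_HEADER) + len(payload)) \
        + SNAP_HEADER + payload


def _parse_addresses(value: bytes) -> list:
    """Address TLV: count, then (proto type, proto len, proto, addr len, addr) per entry."""
    count = struct.unpack("!I", value[:4])[0]
    addrs, p = [], 4
    for _ in range(count):
        plen = value[p + 1]
        proto = value[p + 2:p + 2 + plen]
        alen = struct.unpack("!H", value[p + 2 + plen:p + 4 + plen])[0]
        raw = value[p + 4 + plen:p + 4 + plen + alen]
        p += 4 + plen + alen
        if proto == b"\xcc" and alen == 4:              # NLPID 0xCC = IPv4
            addrs.append(".".join(str(b) for b in raw))
    return addrs


def parse_cdp(frame: bytes) -> dict:
    """Decode a CDP frame into the fields 'show cdp neighbors detail' reports."""
    if frame[:6] != CDP_MULTICAST or frame[14:22] != SNAP_HEADER:
        raise ValueError("not a CDP frame")
    length = struct.unpack("!H", frame[12:14])[0]
    payload = frame[22:14 + length]
    if _checksum(payload) != 0:                          # valid packet sums to all ones
        raise ValueError("CDP checksum mismatch")
    info = {"version": payload[0], "holdtime": payload[1], "addresses": [], "capabilities": []}
    pos = 4
    while pos + 4 <= len(payload):
        tlv_type, ln = struct.unpack("!HH", payload[pos:pos + 4])
        if ln < 4 or pos + ln > len(payload):
            raise ValueError("malformed TLV")
        value = payload[pos + 4:pos + ln]
        pos += ln
        if tlv_type in TEXT_TLVS:
            info[TEXT_TLVS[tlv_type]] = value.decode()
        elif tlv_type == TLV_CAPABILITIES:
            bits = struct.unpack("!I", value)[0]
            info["capabilities"] = [name for bit, name in CAPS.items() if bits & bit]
        elif tlv_type == TLV_ADDRESS:
            info["addresses"] = _parse_addresses(value)
    return info


# What R0 in the lab above would put on the wire every 5 seconds with holdtime 10.
SAMPLE_FRAME = build_cdp("R0", "192.168.0.2", "FastEthernet0/0", 0x01,
                         "IOS (tm) C2600 Software (C2600-C-M), Version 12.2(4)T1",
                         "cisco 2621", holdtime=10)

if __name__ == "__main__":
    for key, val in parse_cdp(SAMPLE_FRAME).items():
        print(f"{key:13} {val}")
```

Everything the parser prints is available to any host on the segment without authentication, which is the information an attacker wants before looking up exploits for a specific platform and IOS release.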

R1#sh cdp interface
FastEthernet0/0 is up, line protocol is up
  Encapsulation ARPA
  Sending CDP packets every 5 seconds
  Holdtime is 10 seconds
FastEthernet0/1 is administratively down, line protocol is down
  Encapsulation ARPA
  Sending CDP packets every 5 seconds
  Holdtime is 10 seconds
R0#sh cdp interface
FastEthernet0/0 is up, line protocol is up
  Encapsulation ARPA
  Sending CDP packets every 5 seconds
  Holdtime is 10 seconds
FastEthernet0/1 is administratively down, line protocol is down
  Encapsulation ARPA
  Sending CDP packets every 5 seconds
  Holdtime is 10 seconds

R1#sh run
Building configuration...

Current configuration : 470 bytes
!
hostname R1
!
…
cdp timer 5
cdp holdtime 10
!
…
!
end

R0#sh run
Building configuration...

Router Management 2. This copy of textbook is granted only for: Chan Myae (shweyoe.155: %SYS-7-NV_BLOCK_INIT: Initialized the geometry of nvram Router#reload System configuration has been modified. In Windows. I prefer to use Tera Term. so make a router without password.1.7. Router>enable Router#erase startup-config Erasing the nvram filesystem will remove all configuration files! Continue? [confirm] <enter> [OK] Erase of nvram: complete *12 7 17:53:03.04 Network Technologies – ICTTI.7. Save? [yes/no]: no<enter> 2.7. Password Removal This procedure removes all the configurations for the Cisco 1700. S-AN-A-1.2. 2600 and 2800.com) Cisco Routing & Switching 7/9/2012 Router Basic Configuration <Day 2> Router Management hostname R0 ! … cdp timer 5 cdp holdtime 10 ! …! end 2. First. 1800. Clearing the Configuration and Reloading the Router You can delete the current startup configuration files and return the router to its factory default settings. Union of Myanmar 49/200 .ucss@gmail. connect a console cable to the router.

Choose [Serial] and the port which is connected to the router. You need to restart the router and send a break key to the router in order to start in the ROMmon environment. Switch the power off and on, and then send a break command while the router is booting. In Tera Term, send it from the Control menu (Send break) or just press ALT+B. If it succeeded, the prompt shows as rommon. Change the configuration register so that the router ignores the startup-config in NVRAM, and then type reset to reboot the router.
rommon 1>confreg 0x2142
rommon 2>reset

After the reboot, the router shows the configuration dialog because the startup-config was bypassed. Type no to the setup question, change to enable mode, remove the startup-config, and then change the configuration register back to normal. Do not skip the last step: with 0x2142 left in place the router ignores its saved configuration on every reboot (show version displays the current register value).
--- System Configuration Dialog ---
Would you like to enter the initial configuration dialog? [yes/no]: no
Router>enable
Router#erase startup-config
Erasing the nvram filesystem will remove all configuration files! Continue? [confirm]Enter
Erase of nvram: complete
Router#conf t
Router(config)#config-register 0x2102
Router(config)#^Z

Switch the router off and on.

Reference: http://www.cisco.com/en/US/products/hw/routers/ps259/products_password_recovery09186a0080094675.shtml

Hands-on-Lab 1 – Introduction to Router Commands
Router Number (assigned by the Instructor): ________________

1. Connect to your router's Console port. What type of cable did you use?
________________________________________________________________________

2. What software program did you use to connect to your router's Console port? What settings did you use?
________________________________________________________________________

3. What router "mode" did you start in?
________________________________________________________________________

4. Enter into privileged mode. What command did you use?
________________________________________________________________________

5. Return into user mode. What command did you use?
________________________________________________________________________

6. Log off of your router. What command did you use?
________________________________________________________________________

7. Log back into your router, enter into privileged mode, and then enter into global configuration mode. To enter into global configuration mode, what command do you use?
________________________________________________________________________

8. What command do you use to exit out of global configuration mode?
________________________________________________________________________

9. Type a "?" at the command prompt. What is displayed?
________________________________________________________________________

10. Type "c?" at the command prompt. What is displayed?
________________________________________________________________________

11. Type "clock ?" at the command prompt. What is displayed?
________________________________________________________________________

12. Set the encrypted password for privileged mode to be "cisco". What mode did you need to enter to accomplish this? What command did you use?
________________________________________________________________________

13. Set the password for your console port to be "cisco". What mode did you need to enter to accomplish this? What commands did you use?
________________________________________________________________________

14. Set the password for your virtual terminal (telnet) ports to be "cisco". What mode did you need to enter? What commands did you use?
________________________________________________________________________

15. Set a banner message to appear on your router at login. Type whatever banner you wish (feel free to be creative). What command did you use?
________________________________________________________________________

Hands-on-Lab 2 – Router Interface Commands
Router Number (assigned by the Instructor): ________________

1. Enter interface configuration mode for the first Ethernet interface on your router. What command did you use?
________________________________________________________________________

2. Do the same for the first Serial interface on your router. What command did you use?
________________________________________________________________________

3. Configure the correct IP address for your Ethernet interface (supplied by your instructor). What commands did you use?
________________________________________________________________________

4. Bring this interface up from being administratively down. What command(s) did you use?
________________________________________________________________________

5. Configure the correct IP address for your Serial interface (supplied by your instructor). What command(s) did you use?
________________________________________________________________________

6. What command(s) did you use?
________________________________________________________________________

7. View the current status of your interfaces. What is the status of your Serial and Ethernet interfaces?
________________________________________________________________________

8. At this point, your serial interface may show a line protocol status of "down". What additional command must you configure on your Serial interface, to ensure communication with the serial interface of the directly connected router?
________________________________________________________________________

9. Should the above command be configured on the connected serial interfaces of both routers, or on just one side of the serial cable? If the latter, on what side of the serial cable should this command be used?
________________________________________________________________________

10. Set the hostname for your router. Ensure that your router number is reflected somewhere in the hostname. For example: My_Router2, but you can be creative. What commands did you use?
________________________________________________________________________

11. Set a "description" on both of your interfaces, to document what they are connecting to. What command(s) did you use?
________________________________________________________________________

12. Ping your neighbor's router. Did you receive a reply? Can you ping all routers directly connected to you?
________________________________________________________________________

13. View the configuration file stored in RAM. What command did you use?
________________________________________________________________________

14. View the configuration file stored in NVRAM (25xx series router) or Flash (26xx series router). What command did you use?
________________________________________________________________________

15. What command would you use to erase the startup configuration?
________________________________________________________________________

16. If you erase the startup configuration, what will happen the next time the router is rebooted?
________________________________________________________________________
________________________________________________________________________ ________________________________________________________________________ ________________________________________________________________________ 12.

17. Can you currently ping routers not directly connected to you? Why or why not?
________________________________________________________________________
________________________________________________________________________
________________________________________________________________________
________________________________________________________________________

18. What command will provide you with a brief, summarized view of the status and IP information on your interfaces?
________________________________________________________________________
________________________________________________________________________
________________________________________________________________________

19. Save your router configuration. What command did you use?
________________________________________________________________________
________________________________________________________________________
________________________________________________________________________

Hands-on-Lab 3 – Router Management

Router Number (assigned by the Instructor): ________________

1. What are configuration registers? What do they control on Cisco routers?
________________________________________________________________________
________________________________________________________________________
________________________________________________________________________
________________________________________________________________________
________________________________________________________________________

2. Check the current value of the configuration register on your router, and write it below. What command did you use?
________________________________________________________________________
________________________________________________________________________
________________________________________________________________________

3. Back up your current IOS to a tftp server. What command did you use?
________________________________________________________________________
________________________________________________________________________
________________________________________________________________________

4. When backing up your IOS, what additional information were you asked to specify?
________________________________________________________________________
________________________________________________________________________
________________________________________________________________________
________________________________________________________________________

5. Copy that same IOS image back to the router. What command did you use?
________________________________________________________________________
________________________________________________________________________
________________________________________________________________________

6. Verify that CDP is enabled on your router. What command did you use? How often does your router send CDP packets?
________________________________________________________________________
________________________________________________________________________
________________________________________________________________________

7. Check the status of your connected neighbors. What CDP command did you use?
________________________________________________________________________
________________________________________________________________________
________________________________________________________________________

8. Disable CDP. What command did you use?
________________________________________________________________________
________________________________________________________________________
________________________________________________________________________

9. Ensure that anyone logged into your router, via either console or telnet, is automatically logged off after 5 minutes, 30 seconds of inactivity. What mode did you need to enter to accomplish this? What commands did you use?
________________________________________________________________________
________________________________________________________________________
________________________________________________________________________
________________________________________________________________________
________________________________________________________________________
________________________________________________________________________

10. Disable name resolution on your router. What command did you use?
________________________________________________________________________
________________________________________________________________________
________________________________________________________________________
________________________________________________________________________

11. Pretend that you forgot your ‘enable’ password. Perform the password recovery procedure: Change the ‘enable’ password to “ICTTI”, but change only the password (leave all other configuration intact). What steps did you take to accomplish this?
________________________________________________________________________
________________________________________________________________________
________________________________________________________________________
________________________________________________________________________
________________________________________________________________________
________________________________________________________________________
________________________________________________________________________
________________________________________________________________________
________________________________________________________________________
________________________________________________________________________
________________________________________________________________________
________________________________________________________________________
________________________________________________________________________
________________________________________________________________________
________________________________________________________________________
________________________________________________________________________
________________________________________________________________________

IP Routing <Day 3-4-5>

3. IP Routing <Day 3-4-5>

3.1. Introduction to IP Routing
This chapter will provide configuration of several routers in the lab and then turn on IP routing using static, default, and dynamic routing protocols. After the configurations are complete, we will build the routing tables. In this lab, we use cisco1800 series, cisco2600 series, and cisco2800 series.

[Figure 6 – Lab Network Diagram for IP routing. Address space 172.16.0.0/16, every link a /24: Router0 Fa0/1 172.16.0.1 (LAN 0, pc0 at 172.16.0.10); Router0 Fa0/0 172.16.1.1 to Router1 Fa0/0 172.16.1.2; Router1 Fa0/1 172.16.2.1 to Router2 Fa0/0 172.16.2.2; Router2 Fa0/1 172.16.3.1 (LAN 3, pc1 at 172.16.3.10).]

3.1.1. Configuring the Routers
Connect to the Router0 and set the hostname, password, interface descriptions, and IP addresses of each interface. Note that enable secret is stored as a hash in the configuration, whereas the console and vty passwords set with password are stored in clear text (service password-encryption only obfuscates them reversibly), so anyone who can read the configuration file can read those passwords.

Router>enable
Router#conf t
Router(config)#hostname Router0
Router0(config)#enable secret testuser
Router0(config)#line console 0
Router0(config-line)#password testuser
Router0(config-line)#login
Router0(config-line)#exit

Router0(config)#line vty 0 4
Router0(config-line)#password testuser
Router0(config-line)#login
Router0(config-line)#exit
Router0(config)#interface fastethernet 0/0
Router0(config-if)#ip address 172.16.1.1 255.255.255.0
Router0(config-if)#description connection to Router1
Router0(config-if)#no shutdown
Router0(config-if)#interface fastethernet 0/1
Router0(config-if)#ip address 172.16.0.1 255.255.255.0
Router0(config-if)#description connection to LAN 0
Router0(config-if)#no shutdown
Router0(config-if)#exit
Router0(config)#exit
Router0#copy running-config startup-config

Connect to the Router1
Router>enable
Router#conf t
Router(config)#hostname Router1
Router1(config)#enable secret testuser
Router1(config)#line console 0
Router1(config-line)#password testuser
Router1(config-line)#login
Router1(config-line)#line vty 0 4
Router1(config-line)#password testuser
Router1(config-line)#login
Router1(config-line)#interface fastethernet 0/0
Router1(config-if)#ip address 172.16.1.2 255.255.255.0
Router1(config-if)#description connection to Router0
Router1(config-if)#no shutdown
Router1(config-if)#interface fastethernet 0/1
Router1(config-if)#ip address 172.16.2.1 255.255.255.0
Router1(config-if)#description connection to Router2
Router1(config-if)#no shutdown
Router1(config-if)#exit

2 255.2. The show ip route command is used to see the routing table on your router. Union of Myanmar 64/200 . Verify the configuration 1.3. run the following two commands. It is important to notice that only the directly connected networks are showing. In order to send packets to another network not in the routing table.0 Router2(config-if)#description connection to LAN 3 Router2(config-if)#no shutdown Router2(config-if)#exit Router2(config)#exit Router2#copy running-config startup-config 3.1.0 Router2(config-if)#description connection to Router1 Router2(config-if)#no shutdown Router2(config-if)#interface fastethernet 0/1 Router2(config-if)#ip address 172. Starting at the Router0 to the Router2. Router0#show running-config Router0#show ip route The running-config shows the complete configuration your router is running.04 Network Technologies – ICTTI. This copy of textbook is granted only for: Chan Myae (shweyoe.255.com) Cisco Routing & Switching 7/9/2012 IP Routing <Day 3-4-5> Introduction to IP Routing Router1(config)#exit Router1#copy running-config startup-config Connect to the Router2 Router>enable Router#conf t Router(config)#hostname Router2 Router2(config)#enable secret testuser Router2(config)#line console 0 Router2(config-line)#password testuser Router2(config-line)#login Router2(config-line)#line vty 0 4 Router2(config-line)#password testuser Router2(config-line)#login Router2(config-line)#interface fastethernet 0/0 Router2(config-if)#ip address 172.255.255.2.16.ucss@gmail.255. It means the routers can only route to the directly connected networks.16. S-AN-A-1. we must configure the routing table with this network.1 255.

255.16. use the ping command to verify IP connectivity between routers.0 255.255.16.255.2.2 From the Router1 Router1(config)#ip route 172.0.16.1 Router2(config)#ip route 172. Verify the Static Routing It is important to be able to verify your configuration. Basic Routing This lab will build the routing table by hand.2. and PCs 3.0 255.2. From the Router0 to Router2.16.0 255.0 172.255.2 Router0(config)#ip route 172.2. Router0#show ip route Once you verify the routing tables in all routers.1.255.0.16.16.16.255.0 255.0 and 172. and a static route must be configured for EVERY network that is not directly connected.3.0 255.0 172.2.1.2. The next hop gateway is always 172.1 3.ucss@gmail. which means you will create static routing tables on each router. and is better when you are learning IP routing.1.1.2.0 172.0 172. Configure Static Routing From Router0. use the ip route command to configure static routing.2 From the Router2 Router2(config)#ip route 172.0 172. Configuring default routing on a router is not like setting the default gateway on a host.255.3.255. From the Router0 Router0(config)#ip route 172. which means that if a packet is destined for a network that is not listed in the routing table. However.3.1.2.com) Cisco Routing & Switching 7/9/2012 IP Routing <Day 3-4-5> Basic Routing 3.0. the router will forward S-AN-A-1.0.255.1.16.1 Router1(config)#ip route 172. Configure Default Routing Static routing is great in small networks.16.255.1. This copy of textbook is granted only for: Chan Myae (shweyoe. you can set what is called a gateway of last resort.255.0 172. Remember that a router is the default gateway and you cannot set a default gateway on a router.04 Network Technologies – ICTTI.16.2.16. 3.16.16.16. The Router0 router is connected to networks 172.0 255.255. Union of Myanmar 65/200 .16. use the show ip route command.2.

the packet to the default route, which will then route the packet. You can only configure default routing on a router that is connected to a stub network, which means that there is not another router on the connected networks; in other words, there is only one way in and out. Router0 and Router2 are stub routers to the LANs because they are the only way in and out of the LAN. Router1 cannot use default routing since it is connected to multiple routers.

To configure default routing, use the ip route command, but instead of the network and subnet mask you use all zeros, which means all networks, all masks. The default route command will tell the router to send all packets destined for any network not in the routing table to Router1. You must also have the ip classless command enabled when using default routing. This tells the router not to drop packets addressed to an unknown subnet of a major network it already has subnets of, but instead to forward them to the default route address. (ip classless is on by default in current IOS releases; if the running configuration contains no ip classless, someone turned it off.)

Before configuring Router0 and Router2 with default routing, you must remove the static routes we created previously.

Remove the static routes from the Router0 router.
Router0(config)#no ip route 172.16.2.0 255.255.255.0 172.16.1.2
Router0(config)#no ip route 172.16.3.0 255.255.255.0 172.16.1.2

Remove the static routes from the Router2 router.
Router2(config)#no ip route 172.16.0.0 255.255.255.0 172.16.2.1
Router2(config)#no ip route 172.16.1.0 255.255.255.0 172.16.2.1

From the Router0, add the default route pointing to router Router1.
Router0(config)#ip route 0.0.0.0 0.0.0.0 172.16.1.2
Router0(config)#ip classless

From the Router2
Router2(config)#ip route 0.0.0.0 0.0.0.0 172.16.2.1
Router2(config)#ip classless
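The following Python is an added example, not code from the textbook: it models Router0's forwarding decision with the three routing tables seen in this section (connected only, connected plus the two static routes, connected plus the gateway of last resort) and shows what the ip classless setting changes. The routes are the ones configured above; the destination addresses used for the lookups are constructed.

```python
"""Forwarding decision with static routes, a default route and the ip classless rule.

Added example, not from the textbook; it models Router0's routing table from this section.
The destination addresses used for the lookups are constructed."""
import ipaddress
from typing import NamedTuple, Optional


class Route(NamedTuple):
    prefix: ipaddress.IPv4Network
    next_hop: Optional[str]      # None = directly connected
    interface: str


def route(cidr, next_hop, interface):
    return Route(ipaddress.ip_network(cidr), next_hop, interface)


# Router0 as configured above: two connected /24s ...
CONNECTED = [route("172.16.0.0/24", None, "FastEthernet0/1"),
             route("172.16.1.0/24", None, "FastEthernet0/0")]
# ... plus either the two static routes of 3.2.1 ...
STATIC = CONNECTED + [route("172.16.2.0/24", "172.16.1.2", "FastEthernet0/0"),
                      route("172.16.3.0/24", "172.16.1.2", "FastEthernet0/0")]
# ... or the single gateway of last resort of 3.2.3.
DEFAULT = CONNECTED + [route("0.0.0.0/0", "172.16.1.2", "FastEthernet0/0")]


def classful_major(addr):
    """Class A/B/C network containing addr (only needed for the classful rule)."""
    first = int(addr) >> 24
    plen = 8 if first < 128 else 16 if first < 192 else 24
    return ipaddress.ip_network(f"{addr}/{plen}", strict=False)


def lookup(table, dst, classless=True):
    """Longest-prefix match. With classless=False (no ip classless) the router behaves
    classfully: if it knows any subnet of the destination's major network, a packet for an
    unknown subnet of that network is dropped instead of being sent to the default route."""
    dst = ipaddress.IPv4Address(dst)
    matches = [r for r in table if dst in r.prefix]
    if not classless:
        major = classful_major(dst)
        if any(r.prefix.prefixlen > 0 and r.prefix.subnet_of(major) for r in table):
            matches = [r for r in matches if r.prefix.prefixlen > 0]
    return max(matches, key=lambda r: r.prefix.prefixlen, default=None)


def forward(table, dst, classless=True):
    """What the router does with a packet for dst, as a short string."""
    r = lookup(table, dst, classless)
    if r is None:
        return "drop: no route and no gateway of last resort"
    if r.next_hop is None:
        return f"deliver on {r.interface} (directly connected)"
    return f"forward to {r.next_hop} via {r.interface}"


if __name__ == "__main__":
    for name, table in ("connected only", CONNECTED), ("static", STATIC), ("default", DEFAULT):
        for dst in ("172.16.0.10", "172.16.3.10", "172.16.9.1", "10.1.1.1"):
            print(f"{name:15} {dst:12} -> {forward(table, dst)}")
    print("no ip classless, 172.16.9.1 ->", forward(DEFAULT, "172.16.9.1", classless=False))
```

Two things worth noticing when you run it: the default route forwards every unknown destination, including 10.1.1.1 and other addresses that exist nowhere in the lab, toward Router1, which (having no default route) drops them; and without ip classless the router drops a packet for 172.16.9.1 even though a default route exists, because it already knows subnets of 172.16.0.0.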

Hands-on-Lab 4 – Static Route 1

[Figure – Lab 4 topology: routers R0, R1 and R2 with PC1 to PC6. R0 reaches R1 and R2 over the WAN links 10.0.0.0/30 and 10.0.0.4/30; the LAN networks (192.168.x.0/24 and 172.x.0.0/16 address blocks) are given in the diagram.]

Device  Interface  IP Address  Subnet Mask  Default Gateway
R0      F0/0                                NA
        F0/1                                NA
        S0/0                                NA
        S0/1                                NA
R1      F0/0                                NA
        F0/1                                NA
        S0/0                                NA
R2      F0/0                                NA
        F0/1                                NA
        S0/0                                NA
PC1
PC2
PC3
PC4
PC5
PC6

1. Design the topology
• Select the Cisco devices from Cisco 2800 series, Cisco 1800 series and Cisco 2600 series.
• Fill in the address table.
• Cable the networks according to the topology, taking care to match the documentation above.

2. Configure the routers
• For the WAN links, assign the first address to R0 and the second address to the other router.
• For the LAN links, assign the first address to the router interface.
• Assign the .10 address to the PCs. Make sure to include the default gateway.
• R0 is the DCE for all WAN links.
• Use 64000 as the clock rate.
• Make sure to also configure hostnames, cisco as the line password and class as the secret password.

3. Configure static and default routing
• Configure R0 with static routes using the local interface.
• Configure R1 and R2 with exactly one default route using the local interface.

4. Test connectivity
• You should now have end-to-end connectivity. Use ping to test connectivity across the network.
• Troubleshoot until pings are successful.

5. Submit the routers’ configuration files to Moodle.

Hands-on-Lab 5 – Static Route 2

Device  Interface  IP Address  Subnet Mask
HQ      F0/0
        F0/1
        S0/0
        S0/1
        S0/2
        S0/3
R1      F0/0
        F0/1
        S0/0
R2      F0/0
        F0/1
        S0/0
R3      F0/0
        F0/1
        S0/0
ISP     S0/0
        F0/0
SRV

1. Design the topology
Based on the network requirements shown in the topology, design an appropriate addressing scheme. Select the devices from Cisco 1800 series, Cisco 2800 series and Cisco 2600 series.

2. Subnet the address space based on the host requirements
• The HQ, R1, R2, and R3 routers each have an address space.
• For each address space, assign subnet zero to the f0/0 LAN and subnet 1 to the f0/1 LAN.
• Assign the first IP address to the router interface, and the second IP address to the PC.
• Document the IP addresses and subnet masks.

3. Configure the routers
Using the addressing scheme, configure the routers with a basic configuration including addressing and hostname.
• For the WAN links, assign the first IP address to HQ. This includes the three WAN links between HQ and the branch routers R1, R2, and R3.
• ISP is the DCE in its WAN link to HQ. HQ is the DCE for all other WAN links.
• Use 64000 as the clock rate.
• Use cisco as the line password and class as the secret password.

4. Configure static and default routing
• HQ should have three static routes and one default route.
• R1, R2, and R3 should each have one default route.
• ISP should have seven static routes.

5. Test connectivity
• You should now have end-to-end connectivity. Use ping to test connectivity across the network.
• Each router should be able to ping all other router interfaces and the Server.
• Troubleshoot until pings are successful.

6. Submit the routers’ configuration and routing tables to Moodle.
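For the subnetting step of this lab, the following Python is an added example (not part of the textbook) that derives a VLSM scheme for one branch's address space and applies the lab's rules: the f0/0 LAN gets the lowest block (subnet zero), f0/1 the next one, the router takes the first usable address and the PC the second, and the WAN link is a /30 on which HQ takes the first address. The address space 192.168.10.0/24 and the host counts in REQUIREMENTS are constructed; the real requirements come from the lab's topology diagram.

```python
"""VLSM addressing for one branch of Hands-on-Lab 5.

Added example, not from the textbook. The address space and host counts below are
constructed; the lab's real numbers come from its topology diagram."""
import ipaddress

# (interface, hosts required). Largest first, so that the f0/0 LAN gets "subnet zero"
# (the lowest block), f0/1 the next one, and the /30 WAN link comes last.
REQUIREMENTS = [("f0/0", 100), ("f0/1", 50), ("s0/0", 2)]


def prefix_for_hosts(hosts):
    """Longest prefix whose usable host count (2^n - 2) still covers `hosts`."""
    for plen in range(30, 0, -1):
        if 2 ** (32 - plen) - 2 >= hosts:
            return plen
    raise ValueError(f"{hosts} hosts do not fit in one IPv4 network")


def allocate(space, requirements):
    """Carve `space` into one subnet per requirement, largest first (classic VLSM), always
    taking the lowest free block that fits. Returns {iface: {subnet, mask, first, second, ...}}."""
    free = [ipaddress.ip_network(space)]
    plan = {}
    for iface, hosts in sorted(requirements, key=lambda r: -r[1]):
        plen = prefix_for_hosts(hosts)
        for blk in sorted(free, key=lambda n: int(n.network_address)):
            if blk.prefixlen > plen:
                continue                          # block is too small for this subnet
            free.remove(blk)
            while blk.prefixlen < plen:           # halve until the block is the right size,
                blk, upper = blk.subnets(prefixlen_diff=1)
                free.append(upper)                # keeping the upper half for later
            usable = list(blk.hosts())
            plan[iface] = {"subnet": blk, "mask": str(blk.netmask),
                           "first": usable[0], "second": usable[1],
                           "usable": len(usable), "broadcast": blk.broadcast_address}
            break
        else:
            raise ValueError(f"no free block for {iface} (/{plen}) in {space}")
    return plan


def overlaps(plan):
    """Sanity check for a hand-made scheme: no two subnets may overlap."""
    nets = [p["subnet"] for p in plan.values()]
    return any(a.overlaps(b) for i, a in enumerate(nets) for b in nets[i + 1:])


def describe(plan):
    """Address-table lines: router (or HQ on a WAN link) gets the first address, PC/branch the second."""
    lines = []
    for iface, p in plan.items():
        if iface.startswith("s"):
            lines.append(f"{iface}: {p['subnet']} mask {p['mask']} HQ {p['first']} branch {p['second']}")
        else:
            lines.append(f"{iface}: {p['subnet']} mask {p['mask']} router {p['first']} PC {p['second']}")
    return lines


if __name__ == "__main__":
    plan = allocate("192.168.10.0/24", REQUIREMENTS)
    assert not overlaps(plan)
    print("\n".join(describe(plan)))
```

Allocating largest-first and always from the lowest free block keeps the scheme contiguous (192.168.10.0/25, 192.168.10.128/26, 192.168.10.192/30 for the constructed numbers) and leaves the remaining /30s free for future links; the overlap check is cheap and catches the typical hand-subnetting mistake before it reaches a router.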

3.3. RIP
Dynamic routing is the process of routers running routing protocols that find and advertise networks in the inter-network to other routers. This lab will configure Routing Information Protocol (RIP), one of the first dynamic routing protocols created. RIP is a true distance-vector routing protocol: it sends the complete routing table out to all active interfaces every 30 seconds, and it uses only hop count to determine the best way to a remote network, with a maximum allowable hop count of 15 by default, meaning that 16 is deemed unreachable. RIP is easy and works pretty well in small to medium size networks, but it is inefficient on large networks with slow WAN links or on networks with a large number of routers installed.

RIP version 1 uses only classful routing, which means that all devices in the network must use the same subnet mask. This is because RIP version 1 doesn’t send updates with subnet mask information. RIP version 2 provides something called prefix routing and does send subnet mask information with the route updates. This is called classless routing.

To configure RIP routing, first remove the static and default routing configured on the routers, so that only the directly connected networks remain in the routing table. Then use the router rip command to configure RIP, and verify the routing table with the show ip route command. Once the routing tables have converged, all routers in the inter-network have the same routing information.

From the Router0, delete the default route.
Router0(config)#no ip route 0.0.0.0 0.0.0.0 172.16.1.2
Router0(config)#exit
Router0#show ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is not set

     172.16.0.0/24 is subnetted, 2 subnets
C       172.16.0.0 is directly connected, FastEthernet0/1
C       172.16.1.0 is directly connected, FastEthernet0/0

From the Router1, delete the static routes.
Router1(config)#no ip route 172.16.0.0 255.255.255.0 172.16.1.1
Router1(config)#no ip route 172.16.3.0 255.255.255.0 172.16.2.2
Router1(config)#exit
Router1#show ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is not set

     172.16.0.0/24 is subnetted, 2 subnets
C       172.16.1.0 is directly connected, FastEthernet0/0
C       172.16.2.0 is directly connected, FastEthernet0/1

From the Router2, delete the default route.
Router2(config)#no ip route 0.0.0.0 0.0.0.0 172.16.2.1
Router2(config)#exit
Router2#show ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route


Gateway of last resort is not set

172.16.0.0/24 is subnetted, 2 subnets

C 172.16.2.0 is directly connected, FastEthernet0/0

C 172.16.3.0 is directly connected, FastEthernet0/1
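To make the version 1 versus version 2 difference described above concrete, here is an added example (not code from the textbook) that builds and decodes RIP response packets in their wire format (RFC 1058 for version 1, RFC 2453 for version 2). A version 1 entry has its subnet mask field sent as zero, so the receiver has to infer a mask from the interface it arrived on; a version 2 entry carries the mask, and may be preceded by an authentication entry. The route list, the receiving-interface addresses and the key string lab-key are constructed for the example.

```python
"""RIP v1/v2 wire format, to show why version 1 cannot carry VLSM information.

Added example, not from the textbook. The routes, the receiving-interface addresses and
the authentication key below are constructed for illustration."""
import struct
import ipaddress

RIP_REQUEST, RIP_RESPONSE = 1, 2
AF_INET, AF_AUTH = 2, 0xFFFF
HEADER = struct.Struct("!BBH")        # command, version, must be zero
ENTRY = struct.Struct("!HH4s4s4sI")   # AFI, route tag, address, subnet mask, next hop, metric


def classful_prefixlen(ip):
    """Class A/B/C boundary: the only mask a v1 receiver can assume for a foreign network."""
    first = int(ip) >> 24
    return 8 if first < 128 else 16 if first < 192 else 24


def build_response(version, routes, password=None):
    """routes: [(cidr, metric)]. In v1 the tag, mask and next-hop fields are sent as zero.
    With a password, a v2 packet starts with a type-2 (simple password) authentication entry."""
    body = b""
    if password is not None:
        if version != 2:
            raise ValueError("authentication exists only in RIPv2")
        key = password.encode().ljust(16, b"\0")     # 16 bytes, sent in clear text
        body += ENTRY.pack(AF_AUTH, 2, key[0:4], key[4:8], key[8:12], int.from_bytes(key[12:16], "big"))
    for cidr, metric in routes:
        net = ipaddress.ip_network(cidr)
        mask = net.netmask.packed if version == 2 else bytes(4)
        body += ENTRY.pack(AF_INET, 0, net.network_address.packed, mask, bytes(4), metric)
    return HEADER.pack(RIP_RESPONSE, version, 0) + body


def infer_v1_prefix(ip, rx_iface):
    """What a classful receiver does with a mask-less v1 entry: inside the receiving interface's
    major network it applies that interface's mask (non-zero host bits mean a host route);
    anywhere else it can only apply the classful mask."""
    iface = ipaddress.ip_interface(rx_iface)
    major = ipaddress.ip_network(f"{iface.ip}/{classful_prefixlen(iface.ip)}", strict=False)
    if ip in major:
        plen = 32 if int(ip) & int(iface.network.hostmask) else iface.network.prefixlen
    else:
        plen = classful_prefixlen(ip)
    return ipaddress.ip_network(f"{ip}/{plen}", strict=False)


def parse(packet, rx_iface):
    """Decode a RIP packet received on interface rx_iface (e.g. "172.16.1.1/24").
    Returns (version, [(prefix, metric)], auth) where auth is (type, key) or None."""
    cmd, version, zero = HEADER.unpack_from(packet)
    if zero != 0 or version not in (1, 2) or cmd not in (RIP_REQUEST, RIP_RESPONSE):
        raise ValueError("malformed RIP header")
    if (len(packet) - HEADER.size) % ENTRY.size:
        raise ValueError("truncated route entry")
    routes, auth = [], None
    for off in range(HEADER.size, len(packet), ENTRY.size):
        afi, tag, addr, mask, nexthop, metric = ENTRY.unpack_from(packet, off)
        if afi == AF_AUTH:
            if version != 2 or off != HEADER.size:
                raise ValueError("authentication entry only allowed first in a v2 packet")
            key = addr + mask + nexthop + metric.to_bytes(4, "big")
            auth = (tag, key.rstrip(b"\0").decode() if tag == 2 else None)
            continue
        if afi != AF_INET or not 1 <= metric <= 16:
            raise ValueError("bad route entry")
        ip = ipaddress.IPv4Address(addr)
        if version == 2 and mask != bytes(4):
            plen = bin(int.from_bytes(mask, "big")).count("1")
            prefix = ipaddress.ip_network(f"{ip}/{plen}", strict=False)
        else:
            prefix = infer_v1_prefix(ip, rx_iface)
        routes.append((str(prefix), metric))
    return version, routes, auth


if __name__ == "__main__":
    v1 = build_response(1, [("172.16.2.0/24", 1), ("172.16.2.128/25", 1)])
    print("v1 seen on 172.16.1.1/24:", parse(v1, "172.16.1.1/24")[1])
    print("v1 seen on 10.1.1.1/24:  ", parse(v1, "10.1.1.1/24")[1])
    v2 = build_response(2, [("172.16.2.128/25", 1)], password="lab-key")
    print("v2:", parse(v2, "10.1.1.1/24"))
```

Running it shows the information loss the text describes: the same v1 entry for 172.16.2.0 decodes as /24 on a 172.16.x.x interface but as 172.16.0.0/16 on a 10.x.x.x interface, and a /25 cannot be expressed in v1 at all, while the v2 entry decodes as /25 everywhere. The type-2 authentication entry also shows why the key chain on the Key-chain column of show ip protocols should use MD5 (type 3) rather than simple password: the simple key crosses the wire in clear text.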

3.3.1. Configure RIP Protocol
From the Router0, configure RIP routing and tell RIP the network you want to advertise
Router0(config)#router rip

Router0(config-router)#network 172.16.0.0

The important thing to notice here is that the network address is a classful address, which
means you use the classful boundary. For instance, we use 172.16.0.0 class B network
address and subnet that network with 24bits of subnetting. This means that third octet is
used for subnets and the fourth octet is the host addresses for each subnet. RIP is a classful
routing protocol, which means that you do not type in any subnet addresses, only the class
B address.

From the Router1
Router1(config)#router rip

Router1(config-router)#network 172.16.0.0

From the Router2
Router2(config)#router rip

Router2(config-router)#network 172.16.0.0

3.3.2. Verify the RIP Routing
From the Router0, use the show ip route command to verify the routing table.
Router0#show ip route

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP

D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area

N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP

i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default, U - per-user static route, o - ODR


P - periodic downloaded static route

Gateway of last resort is not set

172.16.0.0/24 is subnetted, 5 subnets

C 172.16.0.0 is directly connected, FastEthernet0/1

C 172.16.1.0 is directly connected, FastEthernet0/0

R 172.16.2.0 [120/1] via 172.16.1.2, 00:00:11, FastEthernet0/0

R 172.16.3.0 [120/2] via 172.16.1.2, 00:00:11, FastEthernet0/0

Notice the “R”, which marks a route learned through RIP, and the “C”, which marks a directly connected network. You should see two directly connected networks on each router. The numbers in brackets are the administrative distance and the metric: [120/1] is a RIP route (administrative distance 120) one hop away, and 00:00:11 is the time since the route was last refreshed by an update.

From the Router1,
Router1#show ip route

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP

D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area

N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP

i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area

* - candidate default, U - per-user static route, o - ODR

P - periodic downloaded static route

Gateway of last resort is not set

172.16.0.0/24 is subnetted, 5 subnets

R 172.16.0.0 [120/1] via 172.16.1.1, 00:00:20, FastEthernet0/0

C 172.16.1.0 is directly connected, FastEthernet0/0

C 172.16.2.0 is directly connected, FastEthernet0/1

R 172.16.3.0 [120/1] via 172.16.2.2, 00:00:15, FastEthernet0/1

From the Router2,
Router2#show ip route

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP

D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area

N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP


i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area

* - candidate default, U - per-user static route, o - ODR

P - periodic downloaded static route

Gateway of last resort is not set

172.16.0.0/24 is subnetted, 5 subnets

R 172.16.0.0 [120/2] via 172.16.2.1, 00:00:19, FastEthernet0/0

R 172.16.1.0 [120/1] via 172.16.2.1, 00:00:19, FastEthernet0/0

C 172.16.2.0 is directly connected, FastEthernet0/0

C 172.16.3.0 is directly connected, FastEthernet0/1

Router2#

From the Router0, use the debug ip rip command to see RIP updates being sent and
received on the router
Router0#debug ip rip

RIP protocol debugging is on

Router0#
RIP: sending v1 update to 255.255.255.255 via FastEthernet0/0 (172.16.1.1)
RIP: build update entries

network 172.16.0.0 metric 1

RIP: sending v1 update to 255.255.255.255 via FastEthernet0/1 (172.16.0.1)
RIP: build update entries

network 172.16.1.0 metric 1

network 172.16.2.0 metric 2

network 172.16.3.0 metric 3

network 172.16.4.0 metric 2

RIP: received v1 update from 172.16.1.2 on FastEthernet0/0
172.16.2.0 in 1 hops

172.16.3.0 in 2 hops

172.16.4.0 in 1 hops

You can see from the updates that we’re sending out information about networks 172.16.0.0, 172.16.1.0, 172.16.2.0 and 172.16.3.0. Both the 172.16.0.0 network and the 172.16.1.0 network are being advertised with a hop count (metric) of 1, meaning that these networks are directly connected. The 172.16.2.0 network is being advertised with a metric of 2, which means that it is not directly connected. Notice also that each update lists only the routes that were not learned on the interface it is sent out of: 172.16.0.0 is not advertised out FastEthernet0/1, and 172.16.1.0, 172.16.2.0 and 172.16.3.0 are not advertised out FastEthernet0/0. This is split horizon, which RIP uses to avoid advertising a route back to the router it learned it from. Finally, the version 1 updates go to the broadcast address 255.255.255.255 and carry no authentication, so every host on the LAN sees the complete routing table and could send updates of its own.

To turn off debugging, use the no debug all command or the undebug all command.
Router0#no debug all

All possible debugging has been turned off

To see the routing protocol timers, use the show ip protocols command
Router0#show ip protocols

Routing Protocol is "rip"

Sending updates every 30 seconds, next due in 10 seconds

Invalid after 180 seconds, hold down 180, flushed after 240

Outgoing update filter list for all interfaces is not set

Incoming update filter list for all interfaces is not set

Redistributing: rip

Default version control: send version 1, receive any version
Interface          Send  Recv  Triggered RIP  Key-chain
FastEthernet0/0    1     2 1
FastEthernet0/1    1     2 1

Automatic network summarization is in effect

Maximum path: 4

Routing for Networks:

172.16.0.0

Passive Interface(s):

Routing Information Sources:

Gateway Distance Last Update

172.16.1.2 120 00:00:19

Distance: (default is 120)

Another good command is the show protocols command, which shows you the routed
protocol configuration of each interface.
Router0#show protocols

Global values:

Internet Protocol routing is enabled

FastEthernet0/0 is up, line protocol is up

Internet address is 172.16.1.1/24
FastEthernet0/1 is up, line protocol is up


  Internet address is 172.16.0.1/24

3.3.3. RIP v2
This lab will configure RIP v2.
From the Router0, configure RIP routing to use version 2.
Router0(config)#router rip
Router0(config-router)#version 2
Router0(config-router)#network 172.16.0.0
From the Router1, configure RIP routing to use version 2.
Router1(config)#router rip
Router1(config-router)#version 2
Router1(config-router)#network 172.16.0.0
From the Router2, configure RIP routing to use version 2.
Router2(config)#router rip
Router2(config-router)#version 2
Router2(config-router)#network 172.16.0.0

3.3.4. Verify the RIP v2 Configuration
The new feature that is now provided is variable length subnet mask (VLSM) support. Classless Inter-Domain Routing (CIDR) uses VLSM. The routing tables will look the same as version 1 unless you have VLSM networks configured. From the Router0, use the show ip route command to verify the routing table.
Router0#show ip route
To see the routing protocol timers, use the show ip protocols command. Notice the timers: both RIPv1 and RIPv2 use the same timers. RIP updates are sent out every 30 seconds by default, and the administrative distance is 120 by default.

3.3.5. Holding Down RIP Propagations
There are a few different ways to stop unwanted RIP updates from propagating across your LANs and WANs, and the easiest one is through the passive-interface command. This command prevents RIP update broadcasts from being sent out a specified interface, yet that same interface can still receive RIP updates.

Router0#config t
Router0(config)#router rip
Router0(config-router)#version 2
Router0(config-router)#network 172.16.0.0
Router0(config-router)#passive-interface fastethernet 0/1

3.4. EIGRP and OSPF
Enhanced Interior Gateway Routing Protocol (EIGRP) is a Cisco proprietary hybrid routing protocol. It uses the properties of both Distance Vector and Link State and uses an administrative distance of 90. The major difference between IGRP and EIGRP is that EIGRP uses three different tables to create a stable routing environment; additionally, EIGRP only sends updates when needed, whereas IGRP broadcasts routing table entries every 90 seconds. Also, just like IGRP, it uses Autonomous System (AS) numbers to create groups of routers that share routing information. All routers must use the same AS number if you want them to share information.

Open Shortest Path First (OSPF) is an open standards routing protocol that has been implemented by a wide variety of network vendors, including Cisco.

3.4.1. Configuring EIGRP Routing
To configure EIGRP, it is basically the same as IGRP except you add the letter "E" in front of IGRP. Configure the Router0 to use EIGRP with an AS of 10.
Router0(config)#router eigrp 10
Router0(config-router)#network 172.16.0.0
Configure the Router1
Router1(config)#router eigrp 10
Router1(config-router)#network 172.16.0.0
Configure the Router2
Router2(config)#router eigrp 10
Router2(config-router)#network 172.16.0.0

4. This is EIGRP.2. From the Router0. Router0#show ip route Notice the “D” found routers.04 Network Technologies – ICTTI.ucss@gmail. Router0#show ip protocols From the Router0. Router0#show ip eigrp neighbors IP-EIGRP neighbors for process 10 H Address Interface Hold Uptime SRTT RTO Q Seq (sec) (ms) Cnt Num 0 172.16. The hold timer can also be adjusted on a per interface basis: Router(config-if)# ip hold-time eigrp autonomous-system-number seconds 3. use the show ip eigrp neighbors command to see the EIGRP neighbor table. all the routing tables should have EIGRP found routes. reliability. This copy of textbook is granted only for: Chan Myae (shweyoe. Verifying EIGRP Routing Since EIGRP has a better administrative distance than RIP. and load for a path and the composite metric. The command “show ip route destination-network-number” output the total delay.0 Use the show ip protocols command from the Router0 router.2 Fa0/0 10 00:03:13 40 500 0 6 From the Router. Notice also that there is no timer for EIGRP. Notice that EIGRP.1. Union of Myanmar 79/200 . use the show ip route command to verify the routing table.com) Cisco Routing & Switching 7/9/2012 IP Routing <Day 3-4-5> EIGRP and OSPF The hello-interval can be changed with the following command in interface configuration mode: Router(config-if)# ip hello-interval eigrp autonomous-system-number seconds A rule of thumb is to keep the hold-time at three times the hello-interval. Router0# sh ip route 172. This table holds information about the router’s directly connected neighbor. IGRP and RIP are running on the router.16.1. use the show ip eigrp topology command to see the EIGRP topology S-AN-A-1. minimum bandwidth. which means it does not periodically. minimum MTU.

This table shows the entire network as the Router0 understands it.
Router0#show ip eigrp topology
IP-EIGRP Topology Table for AS 10
Codes: P - Passive, A - Active, U - Update, Q - Query, R - Reply, r - Reply status
P 172.16.0.0/24, 1 successors, FD is 28160
         via Connected, FastEthernet0/1
P 172.16.1.0/24, 1 successors, FD is 28160
         via Connected, FastEthernet0/0
P 172.16.2.0/24, 1 successors, FD is 30720
         via 172.16.1.2 (30720/28160), FastEthernet0/0
P 172.16.3.0/24, 1 successors, FD is 33280
         via 172.16.1.2 (33280/30720), FastEthernet0/0

3.4.3. Configuring Single Area OSPF
The easiest (and least scalable) way to configure OSPF is simply to use a single area, which requires a minimum of two commands. This lab will be simple. We will configure OSPF on each router. Since EIGRP has a better administrative distance than OSPF, we also need to disable the EIGRP routing process on each router.
The command to activate the OSPF routing process is as follows:
Router(config)#router ospf ?
  <1-65535>
A value in the range 1-65535 identifies the OSPF Process ID, which is a unique number on this router that groups a series of OSPF configuration commands under a specific running process. It is purely a local value and its number is basically irrelevant. Different OSPF routers do not have to use the same Process ID in order to communicate. The only time an OSPF process number would matter is when you have multiple OSPF Autonomous Systems (AS) connecting together on the same network. Configure the Router0 to start the OSPF process, and then configure the interfaces to be in OSPF area 0. Remember the number does not matter.

The number can even be the same on all routers. This is achieved with the following commands as an example. First disable EIGRP and IGRP.
Router0(config)#no router eigrp 10
Router0(config)#router ospf 100
Configure the Router1
Router1(config)#no router eigrp 10
Router1(config)#router ospf 100
Configure the Router2
Router2(config)#no router eigrp 10
Router2(config)#router ospf 100
After starting the OSPF process (and disabling EIGRP on each router), you need to identify the interfaces on which to activate OSPF communications and the area in which each resides. This will also configure the networks you will advertise to others.
Router0(config-router)#network 10.0.0.0 0.255.255.255 area ?
  <0-4294967295>  OSPF area ID as a decimal value
  A.B.C.D         OSPF area ID in IP address format
The first two arguments of the network command are the network number (10.0.0.0) and wildcard mask (0.255.255.255). The combination of the two numbers identifies the interfaces that OSPF will operate on and that will also be included in its OSPF Link State Advertisements (LSA). A 0 octet in the wildcard mask indicates that the corresponding octet in the network must match exactly. A 255 octet in the wildcard mask, on the other hand, indicates that you do not care what the corresponding octet is in the network number. A network and wildcard mask combination of 1.1.1.1 0.0.0.0 would match 1.1.1.1 only and nothing else. This is useful if you want to activate OSPF on a specific interface. If you insist on matching a range of networks, the network and wildcard mask combination of 1.1.0.0 0.0.255.255 would match anything in the range 1.1.0.0-1.1.255.255. It is simpler and safer to stick to using wildcard masks of 0.0.0.0 and identify each OSPF interface individually.

The final argument is the area number. It indicates the area to which the interfaces identified in the network and wildcard mask portion belong. Remember that OSPF routers will only become neighbors if their interfaces share a network that is configured to the same area number. The format of the area number is either a decimal value from the range 1-4294967295 or a value represented in standard dotted-decimal notation. Area 0.0.0.0, for instance, is a legitimate area, and is identical to area 0; there is no difference in function on the router or in OSPF. Again, we only support area 0 in this module at this time.

Router    Interface         IP Address
Router0   Fastethernet 0/0  172.16.1.1
Router0   Fastethernet 0/1  172.16.0.1
Router1   Fastethernet 0/0  172.16.1.2
Router1   Fastethernet 0/1  172.16.2.1
Router2   Fastethernet 0/0  172.16.2.2
Router2   Fastethernet 0/1  172.16.3.1

Configure the Router0 to advertise both directly connected networks with OSPF.
Router0(config-router)#network 172.16.1.1 0.0.0.0 area 0
Router0(config-router)#network 172.16.0.1 0.0.0.0 area 0
The command: network 172.16.1.1 0.0.0.0 area 0 tells the OSPF process to advertise the interface 172.16.1.1 into area 0. The wildcard mask of 0.0.0.0 tells the process to match each octet exactly, and is more precise. We could have used this command as well: network 172.16.1.0 0.0.0.255 area 0, which is just another way to advertise the same interface. With a wildcard of 0.0.0.255, this tells the OSPF process to match the first three octets exactly, but the fourth octet value is irrelevant.
Configure the Router1
Router1(config-router)#network 172.16.1.0 0.0.0.255 area 0
Router1(config-router)#network 172.16.2.1 0.0.0.0 area 0
The command: network 172.16.1.0 0.0.0.255 area 0 tells the router OSPF process to look for any interface in subnet 172.16.1.0 and advertise that in area 0. Understand that all we are doing is advertising OSPF networks, and this lab is showing the many ways to accomplish the same thing.

The wildcard mask of 0.0.0.0 tells the process to match all four octets exactly. Configure the Router2 to advertise both directly connected networks with OSPF.
Router2(config-router)#network 172.16.2.2 0.0.0.0 area 0
Router2(config-router)#network 172.0.0.0 0.255.255.255 area 0
The command: network 172.16.2.2 0.0.0.0 area 0 tells the OSPF process to advertise the interface 172.16.2.2 into area 0. The command: network 172.0.0.0 0.255.255.255 area 0 tells the OSPF process to look for an interface configured with network 172 in the first octet, but the other three octets can be any value. Once found, place that interface in area 0. The network command 172.0.0.0 0.255.255.255 area 0 will find any interface that has an IP address that starts with 172 and put that in area 0. Understand that with this second command, the first command is really not needed; it is just for some example.

3.4.4. Verify the Single Area OSPF
This section describes several ways to verify proper OSPF configuration and operation. The show ip ospf command is used to display OSPF configuration for one or all OSPF processes running on the router. Information contained therein includes the Router ID, area information, SPF statistics, and LSA timer information. Here is a sample output from the Router0.
Router0#show ip ospf
Routing Process "ospf 100" with ID 172.16.1.1
Supports only single TOS(TOS0) routes
Supports opaque LSA
SPF schedule delay 5 secs, Hold time between two SPFs 10 secs
Minimum LSA interval 5 secs. Minimum LSA arrival 1 secs
LSA group pacing timer 240 secs
Interface flood pacing timer 33 msecs
Retransmission pacing timer 66 msecs
Number of external LSA 0. Checksum Sum 0x000000
Number of opaque AS LSA 0. Checksum Sum 0x000000
Number of DCbitless external and opaque AS LSA 0
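The three forms discussed above (0.0.0.0, 0.0.0.255 and 0.255.255.255 wildcards) all select Router0's FastEthernet0/0, but they differ in what else they pull into area 0. Here is an added Python example, not code from the textbook, that implements the network/wildcard matching rule and applies a list of network statements to an interface table the way the network command does; the interface addresses are the lab's, and the function works for any interface table, not only Router0's.

```python
"""Added example (not from the textbook): how OSPF's
`network <address> <wildcard> area <n>` selects interfaces.
A 0 bit in the wildcard means 'this bit must match', a 1 bit means
'do not care', so only the bits NOT set in the wildcard are compared."""
import ipaddress

def to_int(dotted):
    return int(ipaddress.IPv4Address(dotted))

def wildcard_from_mask(subnet_mask):
    """Inverse of a subnet mask, e.g. 255.255.255.0 -> 0.0.0.255."""
    return str(ipaddress.IPv4Address(~to_int(subnet_mask) & 0xFFFFFFFF))

def wildcard_matches(interface_ip, network, wildcard):
    """True when interface_ip matches `network` under the wildcard mask."""
    care = ~to_int(wildcard) & 0xFFFFFFFF            # bits that must match
    return (to_int(interface_ip) & care) == (to_int(network) & care)

def select_interfaces(interfaces, network_statements):
    """Apply network statements to one router's interface table.
    interfaces: {name: ip}; network_statements: [(network, wildcard, area)].
    Returns {name: area} for every interface some statement covers; the first
    matching statement wins, so order the statements most specific first."""
    selected = {}
    for name, ip in interfaces.items():
        for network, wildcard, area in network_statements:
            if wildcard_matches(ip, network, wildcard):
                selected[name] = area
                break
    return selected

# Router0's interfaces from the lab addressing table (constructed dict)
ROUTER0 = {"FastEthernet0/0": "172.16.1.1", "FastEthernet0/1": "172.16.0.1"}

def router0_variants():
    """The three equivalent ways from the text to put Fa0/0 into area 0,
    showing which other interfaces each of them also catches."""
    return {
        "172.16.1.1 0.0.0.0":        select_interfaces(ROUTER0, [("172.16.1.1", "0.0.0.0", 0)]),
        "172.16.1.0 0.0.0.255":      select_interfaces(ROUTER0, [("172.16.1.0", "0.0.0.255", 0)]),
        "172.0.0.0 0.255.255.255":   select_interfaces(ROUTER0, [("172.0.0.0", "0.255.255.255", 0)]),
    }

if __name__ == "__main__":
    for statement, result in router0_variants().items():
        print(f"network {statement} area 0 -> {result}")
```

The broadest form silently enables OSPF on every 172.x interface, which is why the text recommends the 0.0.0.0 wildcard per interface.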

Number of DoNotAge external and opaque AS LSA 0
Number of areas in this router is 1. 1 normal 0 stub 0 nssa
External flood list length 0
    Area BACKBONE(0)
        Number of interfaces in this area is 2
        Area has no authentication
        SPF algorithm executed 5 times
        Area ranges are
        Number of LSA 3. Checksum Sum 0x00F725
        Number of opaque link LSA 0. Checksum Sum 0x000000
        Number of DCbitless LSA 0
        Number of indication LSA 0
        Number of DoNotAge LSA 0
        Flood list length 0

The information displayed by the show ip ospf database command indicates the number of links and the neighboring Router ID. The output is broken down by area. Here is a sample output from the Router0.
Router0#show ip ospf database
The show ip ospf interface command displays all interface-related OSPF information. Data is displayed about OSPF information for all interfaces or for specified interfaces. Information includes the interface IP address, area assignment, Process ID, Router ID, network type, cost, priority, DR/BDR (if applicable), timer intervals, and adjacent neighbor information.
Router0#show ip ospf interface
The show ip ospf neighbor command is very useful. It summarizes the pertinent OSPF information regarding neighbors and the adjacency state. If a DR or BDR exists, that information is also displayed.
Router0#show ip ospf neighbor
The show ip protocols command is useful whether you are running OSPF, RIP, IGRP, EIGRP, ISIS, BGP, or any other routing protocol you can configure on your router. It provides an excellent overview of the actual operation of all currently running protocols.
Router0#show ip protocols

Based upon this output, you can determine the OSPF Process ID, OSPF Router ID, type of OSPF area, networks and areas configured for OSPF, and OSPF Router IDs of neighbors.

3.5. RIP and OSPF with Default Route
3.5.1. RIP and Default Route
To provide the internet connection to all the networks in the RIP routing network, the default static route needs to be advertised to all other routers that use the dynamic routing protocol. To do so, a static default route is configured on R2 and advertised to R1 dynamically.

[Topology figure: PC1 (.126) on R1 f0/0 (.1), LAN 172.10.1.0/25; R1 s0/0 (.2) to R2 s0/1 (.1, DCE) over 172.10.0.0/30; PC2 (.254) on R2 f0/0 (.129), LAN 172.10.1.128/25; R2 s0/0 (.2) to ISP s0/0 (.1, DCE) over 192.168.10.0/30; SRV (.10) on ISP f0/0 (.1), LAN 192.168.1.0/24]

(1) Configure without propagating the default route
R1
hostname R1
interface FastEthernet0/0
 ip address 172.10.1.1 255.255.255.128
!
interface Serial0/0
 ip address 172.10.0.2 255.255.255.252
!
router rip
 version 2
 passive-interface FastEthernet0/0
 network 172.10.0.0
!

R2
hostname R2
interface FastEthernet0/0
 ip address 172.10.1.129 255.255.255.128
!
interface Serial0/0
 ip address 192.168.10.2 255.255.255.252
!
interface Serial0/1
 ip address 172.10.0.1 255.255.255.252
 clockrate 64000
!
router rip
 version 2
 passive-interface FastEthernet0/0
 passive-interface Serial0/0
 network 172.10.0.0
!
ISP
hostname ISP
interface FastEthernet0/0
 ip address 192.168.1.1 255.255.255.0
!
interface Serial0/0
 ip address 192.168.10.1 255.255.255.252
 clockrate 64000
!
ip route 172.10.0.0 255.255.0.0 Serial0/0

Routing table on R1
R1#sh ip route
…
Gateway of last resort is not set
     172.10.0.0/16 is variably subnetted, 3 subnets, 2 masks

R    172.10.1.128/25 [120/1] via 172.10.0.1, 00:00:13, Serial0/0
C    172.10.1.0/25 is directly connected, FastEthernet0/0
C    172.10.0.0/30 is directly connected, Serial0/0

Routing table on R2
R2#sh ip route
…
Gateway of last resort is not set
     172.10.0.0/16 is variably subnetted, 3 subnets, 2 masks
C    172.10.1.128/25 is directly connected, FastEthernet0/0
R    172.10.1.0/25 [120/1] via 172.10.0.2, 00:00:00, Serial0/1
C    172.10.0.0/30 is directly connected, Serial0/1
     192.168.10.0/30 is subnetted, 1 subnets
C    192.168.10.0 is directly connected, Serial0/0

PC1 and PC2 cannot ping to SRV.
PC1#ping 192.168.1.10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.10, timeout is 2 seconds:
U.U.U
Success rate is 0 percent (0/5)
PC2#ping 192.168.1.10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.10, timeout is 2 seconds:
U.U.U
Success rate is 0 percent (0/5)

(2) Propagate the default route
Configure a static route on R2, and see the routing table.
R2#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R2(config)#ip route 0.0.0.0 0.0.0.0 Serial0/0
R2(config)#^Z
R2#sh ip route
…

Gateway of last resort is 0.0.0.0 to network 0.0.0.0
     172.10.0.0/16 is variably subnetted, 3 subnets, 2 masks
C    172.10.1.128/25 is directly connected, FastEthernet0/0
R    172.10.1.0/25 [120/1] via 172.10.0.2, 00:00:06, Serial0/1
C    172.10.0.0/30 is directly connected, Serial0/1
     192.168.10.0/30 is subnetted, 1 subnets
C    192.168.10.0 is directly connected, Serial0/0
S*   0.0.0.0/0 is directly connected, Serial0/0

Now PC2 can ping to SRV.
PC2#ping 192.168.1.10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.10, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 76/87/108 ms

But PC1 still cannot ping to SRV. R2 needs to propagate the default route to the RIP neighbors.
R2#conf t
R2(config)#router rip
R2(config-router)#default-information originate
After the configuration, recycle R1 and R2 (restart). R1 received the default route.
R1#sh ip route
…
Gateway of last resort is 172.10.0.1 to network 0.0.0.0
     172.10.0.0/16 is variably subnetted, 3 subnets, 2 masks
R    172.10.1.128/25 [120/1] via 172.10.0.1, 00:00:07, Serial0/0
C    172.10.1.0/25 is directly connected, FastEthernet0/0
C    172.10.0.0/30 is directly connected, Serial0/0
R*   0.0.0.0/0 [120/1] via 172.10.0.1, 00:00:07, Serial0/0

Now PC1 also can ping to SRV.
PC1#ping 192.168.1.10

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.10, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 76/87/108 ms

3.6. OSPF and Default Route
Use the "default-information originate" statement to propagate the static route into the OSPF domain.
router ospf 1
 router-id 1.1.1.1
 log-adjacency-changes
 network 10.0.0.0 0.0.0.7 area 0
 default-information originate
!
ip route 0.0.0.0 0.0.0.0 Serial0/0

Hands-on-Lab 6 – RIPv2

Addressing Table
Device  Interface  IP Address       Subnet Mask      Default Gateway
HQ      F0/0                                         NA
        F0/1                                         NA
        S0/0       210.165.201.2    255.255.255.252  NA
        S0/1                                         NA
        S0/2                                         NA
B1      F0/0                                         NA
        F0/1                                         NA
        S0/0                                         NA
B2      F0/0                                         NA
        F0/1                                         NA
        S0/0                                         NA
ISP     F0/0       210.165.202.129  255.255.255.252  NA
        S0/0       210.165.201.1    255.255.255.252  NA
SRV                210.165.202.130  255.255.255.252  210.165.202.129
PC1
PC2
PC3
PC4
PC5
PC6

1. Design an addressing scheme
 Address the LANs in order starting with LAN1, then LAN2. Use the first address for the router interface and the last address for the PC.
 Address the WANs in order starting with WAN1, then WAN2. HQ is the first usable address in all WAN links.
 Record the network addresses in dotted-decimal/slash format.
 Document the IP addresses, subnet masks and default gateway addresses.
2. Apply a basic configuration
 Using your design, configure the routers with basic configuration, including addressing and hostnames. Use class as the enable secret password. Use cisco as the line password (console and telnet). Select the devices (Cisco 1800 series, Cisco 2800 series, and Cisco 2600 series).
 Using your documentation, configure the PCs with an IP address, subnet mask, and default gateway.
3. Test connectivity
 Before continuing, make sure that each device can ping its directly connected neighbor.
4. Configure and verify RIPv2 routing
Configure all devices with RIPv2 routing. In your configuration, make sure you include the following:
 Disable automatic summarization
 Stop routing updates on interfaces that are not connected to RIP neighbors
 Use verification commands to check your configuration. All routers should be converged on all the 10.1.0.0/24 and 172.16.1.224/29 subnets.
5. Configure Static and Default Routing
 Set a default route from HQ to ISP
 Redistribute the default route from HQ
6. Test connectivity and examine the configuration
 Test connectivity and examine the configuration
 Issue the show ip route command to verify the routing table
7. Submit the document.

Hands-on-Lab 7 – EIGRP

Addressing Table
Device  Interface  IP Address       Subnet Mask      Default Gateway
HQ      F0/0                                         NA
        F0/1                                         NA
        S0/0       210.165.201.2    255.255.255.252  NA
        S0/1                                         NA
        S0/2                                         NA
B1      F0/0                                         NA
        F0/1                                         NA
        S0/0                                         NA
B2      F0/0                                         NA
        F0/1                                         NA
        S0/0                                         NA
ISP     F0/0       210.165.202.129  255.255.255.252  NA
        S0/0       210.165.201.1    255.255.255.252  NA
SRV                210.165.202.130  255.255.255.252  210.165.202.129
PC1
PC2
PC3
PC4
PC5
PC6

1. Design an addressing scheme
 For the LANs, use the address space 10.2.32.0/22. Starting with the largest subnet requirements on B1, assign subnets in order throughout the topology, LAN1 first, then LAN2.
 For the WANs, use the address space 172.30.32.0/27. Assign WAN subnets according to the following specifications: Subnet 0 to the WAN link between HQ and B1; Subnet 1 to the WAN link between HQ and B2; Subnet 2 to the WAN link between B1 and B2.
 For LANs, assign the first address to the router interface. Assign the last address to the PC.
 For WAN links to HQ, assign the first address to the HQ router.
 For WAN links between branch routers, assign the first address to B1.
 Record the network addresses in dotted-decimal/slash format.
 Document the IP addresses, subnet masks and default gateway addresses.
2. Apply a basic configuration
 Using your design, configure the routers with basic configuration, including addressing and hostnames. Use class as the enable secret password. Use cisco as the line password (console and telnet).
 Using your documentation, configure the PCs with an IP address, subnet mask, and default gateway.
3. Test connectivity
 Before continuing, make sure that each device can ping its directly connected neighbor.
4. Configure and verify EIGRP routing
Configure all devices with EIGRP routing. In your configuration, make sure you include the following:
 Disable automatic summarization
 Stop routing updates on interfaces that are not connected to EIGRP neighbors
 Use verification commands to check your configuration. All routers should be converged on all the 10.2.32.0/22 and 172.30.32.0/28 subnets.
5. Fine-tune EIGRP
 Adjust bandwidth values used to calculate metrics. The links between the branch routers are for backup purposes only. Configure the bandwidth value to 64 kbps so that EIGRP does not equal-cost load balance across the T1 links to HQ and the backup links to the neighboring branch router.
 Change the hello intervals for the 64 kbps links to 60 seconds, and the hold down timer to 180 seconds.
6. Configure Static and Default Routing
 Configure redistribution of the default route so all routers and PCs can go to ISP. ISP will need a default route configured.
7. Test connectivity and examine the configuration
 Test connectivity and examine the configuration
 Use verification commands such as "show ip route", "show ip eigrp topology", and "show ip eigrp neighbors".
8. Submit the document with the routers' configuration and test result.

Hands-on-Lab 8 – OSPF

Addressing Table
Device  Interface  IP Address      Subnet Mask      Default Gateway
R1      F0/0       10.1.1.1        255.255.255.248
        S0/0       211.165.202.2   255.255.255.252
R2      F0/0       10.1.1.2        255.255.255.248
        F0/1
        F1/0
R3      F0/0       10.1.1.3        255.255.255.248
        F0/1
R4      F0/0       10.1.1.4        255.255.255.248
        F0/1
        F1/0
ISP     F0/0       211.165.202.5   255.255.255.252
        S0/0       211.165.202.1   255.255.255.252
SRV                211.165.202.6   255.255.255.252  211.165.202.5
PC1
PC2
PC3
PC4
PC5

1. Design an addressing scheme
Use the 172.40.0.0/16 to create an efficient addressing scheme that meets the following requirements. Start with the largest network and move to the smallest.
Host Name  Interface  Number of Hosts
R2         F0/1       6000
R2         F1/0       800
R3         F0/1       2000
R4         F0/1       3500
R4         F1/0       1000
 Assign the .10 address to the PCs. Make sure to include the default gateway.
 Assign the default route to the SRV.
2. Apply a basic configuration
 Using your design, configure the routers with basic configuration, including addressing and hostnames. Use class as the enable secret password. Use cisco as the line password (console and telnet).
3. Configure Single-Area OSPF routing
 Configure OSPF (Process ID 1) routing on each router.
 Verify that all routes were learned.
4. Fine-tuning OSPF
 R1 will never participate in a DR/BDR election.
 R2 will always become the DR.
 R3 and R4 will both have the same priority of 100.
 R4 should always become the BDR.
 All priorities should be set on f0/0.
 Restart R1, R2, R3, and R4 to force the DR/BDR election.
5. Configure Static and Default Routing
 On R1, create a default route to ISP and propagate the route within OSPF updates.
 On ISP, configure the only two specific static routes needed to reach the address space.
6. Test connectivity and examine the configuration
 Test connectivity and examine the configuration
 Use verification commands such as "show ip route", "show ip ospf database", and "show ip ospf neighbor".
7. Submit the document with the routers' configuration and test result.
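The addressing design in step 1 of Lab 8 is a VLSM exercise: take the /16, sort the LANs by host count, and carve each one out with the smallest prefix that still fits. Here is an added Python example, not the lab's answer key or textbook code, that performs that allocation for the host table above and is general for any parent block and host-count table; the router-first/PC-at-.10 convention follows the lab text.

```python
"""Added example (not from the textbook): VLSM allocation, largest network
first, as Lab 8 instructs. Requirements are the lab's host table."""
import ipaddress
import math

LAB8_REQUIREMENTS = {      # (router, interface): number of hosts, from the lab
    ("R2", "F0/1"): 6000,
    ("R2", "F1/0"): 800,
    ("R3", "F0/1"): 2000,
    ("R4", "F0/1"): 3500,
    ("R4", "F1/0"): 1000,
}

def prefix_for_hosts(hosts):
    """Smallest prefix length whose usable host count (2^(32-p) - 2) covers hosts."""
    host_bits = max(2, math.ceil(math.log2(hosts + 2)))   # +2 for network/broadcast
    return 32 - host_bits

def allocate_vlsm(parent, requirements):
    """Assign subnets from `parent` to each requirement, largest first.
    Returns [(key, IPv4Network, usable_hosts)] in allocation order and raises
    ValueError if the parent block runs out of space."""
    block = ipaddress.ip_network(parent)
    cursor = int(block.network_address)
    end = int(block.broadcast_address) + 1
    plan = []
    for key, hosts in sorted(requirements.items(), key=lambda kv: -kv[1]):
        prefix = prefix_for_hosts(hosts)
        size = 2 ** (32 - prefix)
        cursor = (cursor + size - 1) // size * size     # align to the subnet size
        if cursor + size > end:
            raise ValueError(f"{parent} exhausted while placing {key} ({hosts} hosts)")
        subnet = ipaddress.ip_network((cursor, prefix))
        plan.append((key, subnet, size - 2))
        cursor += size
    return plan

def host_plan(subnet):
    """Lab convention: router takes the first usable address, the PC takes .10."""
    router = subnet.network_address + 1
    pc = subnet.network_address + 10
    return str(router), str(pc)

if __name__ == "__main__":
    for (router, iface), subnet, usable in allocate_vlsm("172.40.0.0/16", LAB8_REQUIREMENTS):
        gw, pc = host_plan(subnet)
        print(f"{router} {iface}: {subnet} ({usable} usable hosts) router {gw}, PC {pc}")
```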

4. LAN Switching <Day 6>
4.1. Layer 2 Switch Operation
A Layer 2 switch is basically a multiport transparent bridge, where each switch port is its own Ethernet LAN segment, isolated from the others. Frame forwarding is based completely on the MAC addresses contained in each frame, such that the switch will not forward a frame unless it knows the destination's location. At its most basic level, an Ethernet switch provides isolation from other connected hosts in several ways:
 The collision domain's scope is severely limited. On each switch port, the collision domain consists of the switch port itself and the devices directly connected to that port, either a single host or, if a shared-media hub is connected, the set of hosts connected to the hub.
 Host connections can operate in full-duplex mode because there is no contention on the media. Hosts can talk and listen at the same time.
 Bandwidth is no longer shared. Instead, each switch port offers dedicated bandwidth across a switching fabric to another switch port. (These connections change dynamically.)
 Errors in frames are not propagated. Each frame received on a switch port is checked for errors. Good frames are regenerated when they are forwarded or transmitted. This is known as store-and-forward switching technology: packets are received, stored for inspection, and then forwarded.
 You can limit broadcast traffic to a volume threshold.
 Other types of intelligent filtering or forwarding become possible.
Layer 2 switches contain queues where frames are stored after they are received and before they are sent. When a Layer 2 switch receives a frame on a port, it places that frame in one of the port's ingress queues. When the switch decides which port that frame should be sent out of, it places the frame in that port's egress queue. If the destination MAC address in the frame is not in the MAC address table, the frame is placed in the egress queue of all ports and is flooded throughout the network.
All the decisions are made simultaneously by independent portions of switching hardware and can be described as follows:
 L2 forwarding table
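The learn-forward-flood behaviour described above, together with the 300-second idle aging of CAM entries mentioned in the next section, is small enough to model directly. Here is an added Python example, not code from the textbook, of a transparent bridge: it binds each source MAC to its ingress port, forwards known unicast out one port, filters frames whose destination is on the ingress port, floods unknown unicast and broadcast out every other port, and expires idle entries. MAC addresses and the frame sequence are constructed for the example.

```python
"""Added example (not from the textbook): a minimal transparent-bridge model
of Layer 2 switch forwarding with a CAM (MAC address) table and idle aging."""

BROADCAST = "ff:ff:ff:ff:ff:ff"
CAM_AGING_SECONDS = 300     # default idle timeout for CAM entries (from the text)

class Layer2Switch:
    def __init__(self, ports, aging=CAM_AGING_SECONDS):
        self.ports = list(ports)
        self.aging = aging
        self.cam = {}           # mac -> (port, last_seen_seconds)

    def _expire(self, now):
        """Remove entries idle longer than the aging time. Each received frame
        refreshes its source entry, so active hosts are never removed."""
        stale = [mac for mac, (_, seen) in self.cam.items() if now - seen > self.aging]
        for mac in stale:
            del self.cam[mac]

    def receive(self, in_port, src, dst, now):
        """Process one frame arriving on in_port at time `now` (seconds).
        Returns the sorted list of egress ports."""
        if in_port not in self.ports:
            raise ValueError(f"unknown port {in_port}")
        self._expire(now)
        # Learning: bind the source MAC to the ingress port (a host that moved
        # ports is simply rebound to the new one).
        self.cam[src] = (in_port, now)
        entry = self.cam.get(dst)
        if dst != BROADCAST and entry is not None:
            out_port = entry[0]
            # Destination hangs off the same port the frame came from: filter it.
            return [] if out_port == in_port else [out_port]
        # Unknown unicast or broadcast: flood out every port except the ingress port.
        return sorted(p for p in self.ports if p != in_port)

def replay(frames, ports=("Fa0/1", "Fa0/2", "Fa0/3")):
    """Run a constructed frame sequence through one switch; return the decisions."""
    sw = Layer2Switch(ports)
    return [sw.receive(*frame) for frame in frames]

# Constructed sample traffic: (ingress port, source MAC, destination MAC, time)
H1, H2, H3 = "00:11:22:33:44:01", "00:11:22:33:44:02", "00:11:22:33:44:03"
SAMPLE_FRAMES = [
    ("Fa0/1", H1, H2, 0),        # H2 unknown: flooded to Fa0/2 and Fa0/3
    ("Fa0/2", H2, H1, 1),        # H1 already learned: forwarded to Fa0/1 only
    ("Fa0/1", H1, H2, 2),        # H2 now learned: forwarded to Fa0/2 only
    ("Fa0/3", H3, BROADCAST, 3), # broadcast: flooded to Fa0/1 and Fa0/2
    ("Fa0/1", H1, H2, 400),      # all entries idle > 300 s: H2 unknown again
]

if __name__ == "__main__":
    for frame, out in zip(SAMPLE_FRAMES, replay(SAMPLE_FRAMES)):
        print(frame, "->", out or "filtered")
```

The last frame shows the cost of aging: once a quiet host's entry expires, traffic to it is flooded to every port until it speaks again.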

Using Quality of Service (QoS). the TCAM also contains access lists to filter frames based on IP address or TCP/UDP port. it must consult two tables:  Content Addressable Memory (CAM).2.ucss@gmail. we can give a higher preference to more critical traffic. to allow other IP-based management protocols such as Simple Network Management Protocol (SNMP) to function as intended. VLAN 1. by placing that traffic in a high priority queue. You can statically configure a switch with its IP address/mask/gateway or the switch can dynamically learn this information using DHCP.com) Cisco Routing & Switching 7/9/2012 LAN Switching <Day 6> LAN Switch Configuration and Operation  SecurityACLs  QOS ACls Each port can be configured with multiple ingress or egress queues.  Ternary Content Addressable Memory (TCAM). such as video conferencing. the switch needs an IP address. idle CAM table entries are kept for 300 seconds before they are deleted. In effect.2. which is Cisco’s term for the MAC address table. Union of Myanmar 100/200 . Thus. each queue can be assigned a different priority.1. which contains access lists that can filter frames by MAC address. (1) Static IP Address Configuration S-AN-A-1. Switches do not need IP address to be able to forward Ethernet frames. By default.04 Network Technologies – ICTTI. or to allow access to the switch using graphical tools such as Cisco Device Manager (CDM). Before a Layer 2 switch can take a frame from one port’s ingress queue to another port’s egress queue. LAN Switch Configuration and Operation 4. In multi-layer switches. It can also be referred to as the Layer 2 Forwarding Table. and QoS accesslists to prioritize traffic. 4. This copy of textbook is granted only for: Chan Myae (shweyoe. Configuring the Switch IP Address To allow Telnet or SSH access to the switch. a switch’s VLAN 1 interface gives the switch an interface into the default VLAN used on all ports of the switch – namely. 
This interface plays the same role as an Ethernet interface on a PC. An IOS-based switch configures its IP address and mask on special virtual interface called the VLAN 1 interface.

Switch#configure terminal
Switch(config)#interface vlan 1
Switch(config-if)#ip address 192.168.1.10 255.255.255.0
Switch(config-if)#no shutdown
Switch(config-if)#exit
Switch(config)#ip default-gateway 192.168.1.1

(2) Dynamic IP Address Configuration with DHCP
Switch#configure terminal
Switch(config)#interface vlan 1
Switch(config-if)#ip address dhcp
Switch(config-if)#no shutdown
Switch(config-if)#exit

4.2.2. Configuring Switch Interfaces
You can configure the individual ports on a switch with various information and settings, as detailed in the following sections.

(1) Selecting Ports to Configure
To select a single switch port, enter the following command in global configuration mode:
Switch(config)# interface type modular/number
The port is identified by its Ethernet type (fastethernet, gigabitethernet, tengigabitethernet, vlan). To select several arbitrary ports for a common configuration setting, you can identify them as a “range” entered as a list. All port numbers and the commas that separate them must be separated with spaces. Use the following command in global configuration mode:
Switch(config)# interface range fastethernet 0/3 , fastethernet 0/7 , fastethernet 0/9
Switch(config)# interface range fastethernet 1/0 - 10

(2) Port Speed
You can assign a specific speed to switch ports through switch-configuration commands. Fast Ethernet 10/100 ports can be set to speeds of 10, 100, and Auto (the default) for autonegotiate mode, whereas 1000BASE-T ports can be set to speeds of 10, 100, 1000, and Auto (the default). Gigabit Ethernet GBIC ports always are set to a speed of 1000. To specify the port speed on a particular Ethernet port, use the following interface-configuration command:
Switch(config-if)# speed {10 | 100 | 1000 | auto}

(3) Port Duplex Mode
You also can assign a specific link mode to Ethernet-based switch ports. Therefore, the port operates in half-duplex, full-duplex, or autonegotiated mode. In this mode, the port participates in a negotiation by attempting full-duplex operation first and then half-duplex operation if full duplex is not successful. The autonegotiation process repeats whenever the link status changes. Be sure to set both ends of a link to the same speed and duplex settings to eliminate any chance that the two ends will be mismatched. Autonegotiation is allowed only on UTP Fast Ethernet and Gigabit Ethernet ports. To set the link mode on a switch port, enter the following command in interface configuration mode:
Switch(config-if)# duplex {auto | full | half}
For instance, you could use the following commands to configure 10/100/1000 interfaces GigabitEthernet 3/1 for autonegotiation and 3/2 for 100-Mbps full duplex (no autonegotiation):
Switch(config)# interface gig 3/1
Switch(config-if)# speed auto
Switch(config-if)# duplex auto
Switch(config-if)# interface gig 3/2
Switch(config-if)# speed 100
Switch(config-if)# duplex full

4.2.3. Securing Unused Switch Interfaces
Cisco originally chose the default interface configuration settings on Cisco switches so that the interfaces would work without any overt configuration. The interfaces automatically negotiate the speed and duplex, and each interface begins in an enabled (no shutdown) state, with all interfaces assigned to VLAN 1. Additionally, every interface defaults to negotiate to use VLAN features called VLAN trunking and VLAN Trunking Protocol (VTP). The good intentions of Cisco for “plug and play” operation have an unfortunate side effect in that defaults expose switches to some security threats. So, for any currently unused switch interfaces, Cisco makes some general recommendations to override the default interface settings to make the unused ports more secure. The recommendations for unused interfaces are as follows:
 Administratively disable the interface using the shutdown interface subcommand.
 Prevent VLAN trunking and VTP by making the port a nontrunking interface using the switchport mode access interface subcommand.
 Assign the port to an unused VLAN using the switchport access vlan number interface subcommand.

4.2.4. Configuring the Layer 2 Forwarding Path with the MAC Address Table (CAM)
All Catalyst switch models use a CAM table for Layer 2 switching. As frames arrive on switch ports, the source MAC addresses are learned and recorded in the CAM table. The port of arrival and the VLAN both are recorded in the table, along with a time stamp. If a MAC address learned on one switch port has moved to a different port, the MAC address and time stamp are recorded for the most recent arrival port. Then, the previous entry is deleted. If a MAC address is found already present in the table for the correct arrival port, only its time stamp is updated. To view the contents of the CAM table, you can use the following form of the show mac address-table EXEC command:
Switch# show mac address-table dynamic [address mac-address | interface type mod/num | vlan vlan-id]
To view all dynamic MAC entries in the CAM:

Destination Address Address Type VLAN Destination Port
------------------- ------------ ---- --------------------
0000.001e.2dc1 Dynamic 1 FA1/5
0000.001e.bb3a Dynamic 1 FA1/1
0000.001e.345e Dynamic 1 FA1/1
0000.8b11.2a52 Dynamic 1 FA1/1
0000.001e.eba3 Dynamic 1 FA1/2
0000.001e.3519 Dynamic 1 FA1/4
0000.001e.8465 Dynamic 1 FA1/5
0000.001e.face Dynamic 1 FA1/3
0050.8b11.54da Dynamic 1 FA1/6

To view a specific dynamic address in the CAM:
Switch# show mac address-table dynamic address 0050.8b11.54da
Mac Address Table
------------------------------------------
Vlan Mac Address Type Ports
---- ----------- ---- -----
54 0050.8b11.54da DYNAMIC Fa0/6
Total Mac Addresses for this criterion: 1
Switch#

To view the number of MAC addresses per VLAN:
Switch# show mac address-table count

To clear the entire dynamic contents of the CAM:
Switch# clear mac address-table dynamic

To clear a single entry of the CAM:
Switch# clear mac address-table dynamic address 1234.5678.90ab

To change the aging timer for dynamically learned MAC addresses in the CAM from its default of 300 seconds to 360 seconds:
Switch(config)# mac address-table aging-time 360

To statically add to the CAM a MAC address of 0011.2233.4455, which resides on Port FA0/0 on VLAN 1:
Switch(config)# mac address-table static 0011.2233.4455 vlan 1 interface fa0/0

4.3. Spanning Tree Protocol (STP)
STP is a layer 2 protocol that is used to maintain a loop-free switched network. Without Spanning Tree Protocol (STP), frames would loop for an indefinite period of time in networks with physically redundant links. To prevent looping frames, STP blocks some ports from forwarding frames so that only one active path exists between any pair of LAN segments (collision domains). The result of STP is both good and bad. Frames do not loop infinitely, which is good; this makes the LAN usable. However, the network does not actively take advantage of some of the redundant links, because they are blocked to prevent frames from looping. Some users’ traffic travels a seemingly longer path through the network, because a shorter physical path is blocked. However, STP has some minor unfortunate side effects compared to the major benefit of letting you build redundant LANs. If frames looped indefinitely, the LAN would be unusable, which is bad. So, the net result is good.

Figure 7 – STP Configuration (features placed per campus layer: core – Root Bridge, Secondary Root Bridge, BackboneFast; distribution – BackboneFast, Loop Guard; access – UplinkFast, PortFast, BPDU Guard, Root Guard, Port Security, DHCP Snooping, IP Source Guard, Dynamic ARP Inspection)
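Before moving on to STP, the CAM-table behaviour of section 4.2.4 (learning with a time stamp, moving an entry when a MAC appears on another port, refreshing the stamp on the same port, aging idle dynamic entries out after 300 seconds, keeping static entries, and flooding unknown destinations) as an added Python model; this is not code from the textbook, and the MACs, port names and frames are constructed.

```python
"""Added model of the Catalyst CAM table semantics described in section 4.2.4.
Port names, MAC addresses and frames below are constructed sample data."""
from dataclasses import dataclass

DEFAULT_AGING = 300   # seconds: idle dynamic entries are kept this long by default


@dataclass
class Entry:
    port: str
    vlan: int
    stamp: float          # time of the most recent arrival on 'port'
    static: bool = False  # static entries (mac address-table static ...) never age


class CamTable:
    def __init__(self, ports, aging_time=DEFAULT_AGING):
        self.ports = list(ports)          # single-VLAN model: all ports flood together
        self.aging_time = aging_time      # mac address-table aging-time <seconds>
        self.table = {}                   # (vlan, mac) -> Entry

    def add_static(self, mac, vlan, port):
        self.table[(vlan, mac)] = Entry(port, vlan, stamp=0.0, static=True)

    def learn(self, mac, vlan, port, now):
        """Record the source MAC of a frame; returns what happened."""
        key = (vlan, mac)
        entry = self.table.get(key)
        if entry and entry.static:
            return "static"               # a static entry is not relearned
        if entry is None:
            self.table[key] = Entry(port, vlan, now)
            return "learned"
        if entry.port == port:
            entry.stamp = now             # same port: only the time stamp is updated
            return "refreshed"
        self.table[key] = Entry(port, vlan, now)   # moved: newest port wins, old entry gone
        return "moved"

    def age(self, now):
        """Delete dynamic entries idle for longer than aging_time; return their MACs."""
        expired = [k for k, e in self.table.items()
                   if not e.static and now - e.stamp > self.aging_time]
        for k in expired:
            del self.table[k]
        return [mac for _, mac in expired]

    def forward(self, frame, now):
        """Learn the source, then return the egress port list: the one known port,
        or every other port when the destination is unknown or broadcast (flood)."""
        self.learn(frame["src"], frame["vlan"], frame["in_port"], now)
        dst = self.table.get((frame["vlan"], frame["dst"]))
        if dst is None or frame["dst"] == "ffff.ffff.ffff":
            return [p for p in self.ports if p != frame["in_port"]]
        return [dst.port] if dst.port != frame["in_port"] else []


def demo():
    """Constructed traffic on a four-port switch; returns the observable decisions."""
    cam = CamTable(["Fa0/1", "Fa0/2", "Fa0/3", "Fa0/4"])
    cam.add_static("0011.2233.4455", 1, "Fa0/4")
    kept = cam.learn("0011.2233.4455", 1, "Fa0/1", now=0)       # -> "static"
    a = {"src": "0000.001e.2dc1", "dst": "0000.001e.eba3", "vlan": 1, "in_port": "Fa0/1"}
    out1 = cam.forward(a, now=0)                                 # eba3 unknown: flooded
    b = {"src": "0000.001e.eba3", "dst": "0000.001e.2dc1", "vlan": 1, "in_port": "Fa0/2"}
    out2 = cam.forward(b, now=1)                                 # 2dc1 known on Fa0/1
    moved = cam.learn("0000.001e.2dc1", 1, "Fa0/3", now=2)       # host moved to Fa0/3
    aged = cam.age(now=302)                                      # eba3 idle 301 s > 300 s
    return kept, out1, out2, moved, aged, sorted(cam.table)


if __name__ == "__main__":
    print(demo())
```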

4.3.1. Types of STP
The Spanning Tree Protocol (STP) provides network link redundancy so that a Layer 2 switched network can recover from failures without intervention in a timely manner.

(1) Spanning Tree Protocol (IEEE 802.1D)
IEEE defines the original, or traditional STP in the 802.1d IEEE standard. STP takes a relatively long time to converge (50 seconds with the default settings). The three waiting periods of (by default) 20 seconds for Maximum Age, 15 seconds for Forward Delay (Listening), and 15 seconds for Forward Delay (Learning) create STP’s relatively slow convergence.

(2) Common Spanning Tree (IEEE 802.1Q)
The IEEE 802.1Q standard specifies how VLANs are to be trunked between switches. It also specifies only a single instance of STP that encompasses all VLANs. This instance is referred to as the Common Spanning Tree (CST). All CST BPDUs are transmitted over trunk links using the native VLAN with untagged frames.

(3) Rapid Spanning Tree Protocol (IEEE 802.1w)
The IEEE has improved the 802.1d protocol with the definition of Rapid Spanning Tree Protocol (RSTP), as defined in standard 802.1w. RSTP can be deployed alongside traditional 802.1d STP bridges and switches, with RSTP features working in switches that support it, and STP features working in the switches that support only STP. With all these similarities, you might be wondering why the IEEE bothered to create RSTP in the first place. The overriding reason is convergence. RSTP improves network convergence when topology changes occur. RSTP convergence times typically take less than 10 seconds. In some cases, they can be as low as 1 to 2 seconds.

(4) Per-VLAN Spanning Tree
Cisco has a proprietary version of STP that offers more flexibility than the CST version. Per-VLAN Spanning Tree (PVST) operates a separate instance of STP for each individual VLAN. This allows the STP on each VLAN to be configured independently, offering better performance and tuning for specific conditions. Because of its proprietary nature, PVST requires the use of Cisco Inter-Switch Link (ISL) trunking encapsulation between switches. In networks where PVST and CST coexist, interoperability problems occur. Each requires a different trunking method, so BPDUs are never exchanged between STP types.

(5) Per-VLAN Spanning Tree Plus
Cisco has a second proprietary version of STP that allows devices to interoperate with both PVST and CST. Per-VLAN Spanning Tree Plus (PVST+) effectively supports three groups of STP operating in the same campus network:
 Catalyst switches running PVST
 Catalyst switches running PVST+
 Switches running CST over 802.1Q
To do this, PVST+ acts as a translator between groups of CST switches and groups of PVST switches.

(6) Rapid Per-VLAN Spanning Tree Protocol
You can improve the efficiency of each STP instance by configuring a switch to begin using RSTP instead. This mode is known as Rapid PVST+ (RPVST+). This means that each VLAN will have its own independent instance of RSTP running on the switch. Rapid Per-VLAN Spanning Tree Plus is a Cisco implementation of RSTP based on the 802.1w standard.

4.3.2. Spanning Tree Operation
STP’s job is to find all links in the network and shut down any redundant ones, thereby preventing network loops from occurring. Firstly, STP will elect a root bridge/switch. Every port on the root switch is a designated port. Each and every link between two switches must have one, and only one, designated port – the port on that link that provides the highest bandwidth to the root. Both non-root ports and non-designated ports are placed in the blocking state, thus breaking the switching loop.

STP uses three criteria to choose whether to put an interface in forwarding state:
 STP elects a root bridge. STP puts all interfaces on the root bridge in forwarding state.
 Each non-root bridge considers one of its ports to have the least administrative cost between itself and the root bridge. STP places this least-root-cost interface, called

that bridge’s root port, in forwarding state.
 Many bridges can attach to the same Ethernet segment. The bridge with the lowest administrative cost from itself to the root bridge, as compared with the other bridges attached to the same segment, is placed in forwarding state. The lowest-cost bridge on each segment is called the designated bridge, and that bridge’s interface, attached to that segment, is called the designated port.
 All other interfaces are placed in blocking state.

Table 10 summarizes the reasons why STP places a port in forwarding or blocking state.

Table 10 – STP: Reasons for Forwarding or Blocking
Characterization of Port | STP State | Description
All the root bridge’s ports | Forwarding | The root bridge is always the designated bridge on all connected segments.
Each non-root bridge’s root port | Forwarding | The root port is the port receiving the lowest-cost BPDU from the root.
Each LAN’s designated port | Forwarding | The bridge forwarding the lowest-cost BPDU onto the segment is the designated bridge for that segment.
All other ports | Blocking | The port is not used for forwarding frames, nor are any frames received on these interfaces considered for forwarding.

4.3.3. Root Bridge
The bridge ID is used to elect the root bridge in the STP domain and to determine the root port for each of the remaining devices in the STP domain. This ID is 8 bytes long and includes both the priority and the MAC address of the device. The default priority on all devices running the IEEE STP version is 32768. The lower value is the better one when it comes to electing a root bridge. If two switches or bridges happen to have the same priority value, the MAC address becomes the tiebreaker: the one with the lowest (best) ID wins. The priority must be 0-61440, and the default is 32,768.

On a root bridge
Switch(config)#spanning-tree vlan 1-100 root primary
Or specify the priority to 0 (zero).
Switch(config)#spanning-tree vlan 1-100 priority 0

On a secondary root bridge
Switch(config)#spanning-tree vlan 1-100 root secondary
Other bridges, make lower priority as 49,152.
Switch(config)#spanning-tree vlan 1-100 priority 49152

4.3.4. Root Ports and Designated Ports
The second step in the STP process is identifying Root Ports, or the port on each switch that has the lowest path cost to get to the Root Bridge. Each switch has only one Root Port, and the Root Bridge cannot have a Root Port. The Root Path Cost for each active port of a switch is determined by the cumulative cost as a BPDU travels along. As a switch receives a BPDU, the port cost of the receiving port is added to the root path cost in the BPDU. The port or port path cost is inversely proportional to the port’s bandwidth. If desired, a port’s cost can be modified from the default value. To set a switch port’s path cost,
switch (config-if)# spanning-tree [vlan vlan-id] cost cost-value
For example, a Gigabit Ethernet interface has a default port cost of 4. You can use the following command to change the cost to 2, but only for VLAN 10:
Switch(config-if)# spanning-tree vlan 10 cost 2
You can see the port cost of an interface by using the following command:
Switch# show spanning-tree interface type mod/num [cost]
As an example, GigabitEthernet 0/1 is configured as a trunk port, carrying VLANs 1, 10, and 20. Displaying the STP port cost values on the interface shows the port cost for each of the VLANs:
Switch# show spanning-tree interface gigabitEthernet 0/1
Vlan Role Sts Cost Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
VLAN0001 Root FWD 4 128.1 P2p
VLAN0010 Desg FWD 2 128.1 P2p
VLAN0020 Root FWD 4 128.1 P2p

To change an interface’s Path Cost from its defaults:
Switch(config)# int f0/24
Switch(config-if)# spanning-tree cost 4

Table 11 – STP Path Cost

Link Bandwidth STP Cost
4 Mbps 250
10 Mbps 100
16 Mbps 62
45 Mbps 39
100 Mbps 19
155 Mbps 14
622 Mbps 6
1 Gbps 4
10 Gbps 2

The next criterion of an STP decision is the port ID. The port ID value that a switch uses is
actually a 16-bit quantity: 8 bits for the port priority and 8 bits for the port number. The port
priority is a value from 0 to 255 and defaults to 128 for all ports. When the earlier criteria tie,
whichever interface has the lowest Port ID will become the Root Port. Remember that port
priority is the last tiebreaker STP will consider. Lowering this value will ensure a specific
interface becomes the Root Port.

To configure port priority,
switch (config-if)# spanning-tree [vlan vlan-id] port-priority priority

Switch(config)# int fa0/10
Switch(config-if)# spanning-tree port-priority 50

To confirm STP port priority values with the show spanning-tree interface command,
Switch#show spanning-tree interface gigabitEthernet 3/16


Vlan Role Sts Cost Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
VLAN0010 Desg FWD 4 64.144 Edge P2p
VLAN0100 Desg FWD 4 64.144 Edge P2p
VLAN0200 Desg FWD 4 128.144 Edge P2p

The third and final step in the STP process is to identify Designated Ports. Each network
segment requires a single Designated Port, which has the lowest path cost leading to the
Root Bridge. This port will not be placed in a blocking state. A port cannot be both a
designated Port and a Root Port. Ports on the Root Bridge are never placed in a blocking
state, and thus become Designated Ports for directly attached segments.
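The three STP decisions just described (root bridge by lowest bridge ID, root port by lowest root path cost with bridge ID and port ID as tiebreakers, one designated port per segment, everything else blocking) as an added Python model that is not part of the textbook. It replays the two-switch network of Figure 8 with the bridge MACs from the later show spanning-tree output; the port-cost and priority changes mirror the commands used in section 4.3.13.

```python
"""Added model (not from the textbook) of the STP port-role decision.
Topology and MACs are the two 2950s from the page; everything else is constructed."""
from dataclasses import dataclass, field

SYS_ID_EXT = 1   # VLAN 1: the page shows priority 32768 as 32769 and 24576 as 24577


@dataclass(frozen=True, order=True)
class BridgeID:
    priority: int
    mac: str         # dotted hex; string order equals numeric order for equal-length MACs


@dataclass
class Port:
    number: int
    cost: int = 19   # default IEEE cost of a 100-Mbps link (Table 11)
    priority: int = 128

    @property
    def port_id(self):
        return (self.priority, self.number)


@dataclass
class Switch:
    name: str
    mac: str
    priority: int = 32768
    ports: dict = field(default_factory=dict)   # port name -> Port

    @property
    def bid(self):
        return BridgeID(self.priority + SYS_ID_EXT, self.mac)


def root_path_costs(switches, links, root):
    """Cumulative cost to the root: a BPDU arriving on a port has that port's
    cost added, so relax every link until nothing improves (Bellman-Ford)."""
    cost = {name: float("inf") for name in switches}
    cost[root] = 0
    for _ in range(len(switches)):
        for a, pa, b, pb in links:
            cost[b] = min(cost[b], cost[a] + switches[b].ports[pb].cost)
            cost[a] = min(cost[a], cost[b] + switches[a].ports[pa].cost)
    return cost


def stp_roles(switches, links):
    """Return (root name, {switch: {port: 'Root' | 'Desg' | 'Altn'}})."""
    root = min(switches, key=lambda n: switches[n].bid)
    rpc = root_path_costs(switches, links, root)
    roles = {name: {} for name in switches}
    for name, sw in switches.items():
        if name == root:
            continue   # the root bridge has no root port
        candidates = []   # (cost via port, sender BID, sender port ID, own port ID, port)
        for a, pa, b, pb in links:
            for me, mine, nbr, theirs in ((a, pa, b, pb), (b, pb, a, pa)):
                if me == name:
                    candidates.append((rpc[nbr] + sw.ports[mine].cost,
                                       switches[nbr].bid,
                                       switches[nbr].ports[theirs].port_id,
                                       sw.ports[mine].port_id, mine))
        roles[name][min(candidates)[-1]] = "Root"
    for a, pa, b, pb in links:   # designated end: lower (root cost, bridge ID, port ID)
        key_a = (rpc[a], switches[a].bid, switches[a].ports[pa].port_id)
        key_b = (rpc[b], switches[b].bid, switches[b].ports[pb].port_id)
        desg, port = (a, pa) if key_a < key_b else (b, pb)
        roles[desg].setdefault(port, "Desg")
    for name, sw in switches.items():
        for pname in sw.ports:
            roles[name].setdefault(pname, "Altn")   # neither root nor designated: blocks
    return root, roles


def two_switch_network():
    """S1 and S2 joined Fa0/9-Fa0/9 and Fa0/12-Fa0/12 (Figure 8), default priorities."""
    s1 = Switch("S1", "0019.568d.4880", ports={"Fa0/9": Port(9), "Fa0/12": Port(12)})
    s2 = Switch("S2", "0009.43bd.7340", ports={"Fa0/9": Port(9), "Fa0/12": Port(12)})
    links = [("S1", "Fa0/9", "S2", "Fa0/9"), ("S1", "Fa0/12", "S2", "Fa0/12")]
    return {"S1": s1, "S2": s2}, links


def walkthrough():
    """Replay the three states of the page's examples and return each result."""
    switches, links = two_switch_network()
    defaults = stp_roles(switches, links)        # S2 wins on lower MAC; S1 ties -> port 9
    switches["S1"].ports["Fa0/12"].cost = 2      # S1: spanning-tree cost 2 on Fa0/12
    cost_changed = stp_roles(switches, links)    # Fa0/12 becomes S1's root port
    switches["S1"].priority = 24576              # S1: spanning-tree vlan 1 root primary
    new_root = stp_roles(switches, links)        # S1 is the root; S2 blocks Fa0/12
    return defaults, cost_changed, new_root


if __name__ == "__main__":
    for root, roles in walkthrough():
        print(f"root={root} {roles}")
```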

4.3.5. PortFast
PortFast enables fast connectivity to be established on access-layer switch ports to
workstations that are booting up.

Enable PortFast by default:
Switch(config)#spanning-tree portfast default
%Warning: this command enables portfast by default on all interfaces. You should now disable portfast explicitly on switched ports leading to hubs, switches and bridges as they may create temporary bridging loops.

Disable PortFast on ports to the uplink, hub, and switch:
Switch(config)#interface range GigabitEthernet 0/1 - 2
Switch(config-if-range)#no spanning-tree portfast

The switchport host macro sets a port to access mode and enables PortFast (it also disables channel grouping):
Switch(config)#interface range fastEthernet 0/1 - 24
Switch(config-if-range)#switchport host
switchport mode will be set to access
spanning-tree portfast will be enabled
channel group will be disabled

4.3.6. UplinkFast
UplinkFast enables fast-uplink failover on an access-layer switch when dual uplinks are
connected into the distribution layer.

Configure on the access switch only.
Switch(config)#spanning-tree uplinkfast

4.3.7. BackboneFast
BackboneFast enables fast convergence in the network backbone (core) after a
spanning-tree topology change occurs.

If you enable BackboneFast, you must configure it on all switches.
Switch(config)#spanning-tree backbonefast

4.3.8. Root Guard
Switch(config)#int range f 0/1 - 24
Switch(config-if-range)#spanning-tree guard root

4.3.9. Loop Guard
Switch(config)#int range g 0/1 - 2
Switch(config-if-range)#spanning-tree guard loop

4.3.10 BPDU Guard
The BPDU guard feature was developed to further protect the integrity of switch ports that
have PortFast enabled. If any BPDU (whether superior to the current root or not) is received
on a port where BPDU guard is enabled, that port immediately is put into the errdisable
state.

To configure BPDU guard as a global default, affecting all switch ports with a single
command,
Switch(config)# spanning-tree portfast bpduguard default

To enable or disable BPDU guard on a per-port basis,
Switch(config-if)# [no] spanning-tree bpduguard enable

4.3.11 BPDU Filtering
In special cases when you need to prevent BPDUs from being sent or processed on one or
more switch ports, you can use BPDU filtering to effectively disable STP on those ports.


To configure BPDU filtering as a global default,
Switch(config)#spanning-tree portfast bpdufilter default

4.3.12 UDLD
A fiber link normally consists of two unidirectional strands, one for the uplink direction and one
for the downlink direction. If a problem occurs on only one of them, STP cannot detect it. UDLD
(Unidirectional Link Detection) must be configured on fiber and SFP ports in order to detect
unidirectional link problems.

If it is configured in global configuration mode, it is applied on all the fiber ports; otherwise,
configure it only on a specific interface. It must be enabled at both ends of the fiber.
Switch(config)#udld enable

4.3.13 Spanning Tree Protocol Configuration
Cisco switches use STP by default. You can buy some switches, connect them with
Ethernet cables in a redundant topology, and STP will ensure that no loops exist. You
never even have to think about changing any of the settings. However, you might want to
change some of STP’s default settings. This section shows a simple example of how to
examine STP parameters and change some common STP parameters.

The following examples were taken from a small network with two switches, as shown in
Figure 10. Two 2950s connect using crossover cables. The cables are plugged into
interfaces 0/9 and 0/12 on both switches.

Figure 8 – Two-Switch Network (S1-2950 and S2-2950 connected Fa0/9 to Fa0/9 and Fa0/12 to Fa0/12)

(1) Basic STP Show commands
Example 1 lists information about the current state of STP in this network, with all default
STP parameters.


S1#sh spanning-tree
VLAN0001
Spanning tree enabled protocol ieee
Root ID Priority 32769
Address 0009.43bd.7340
Cost 19
Port 9 (FastEthernet0/9)
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Bridge ID Priority 32769 (priority 32768 sys-id-ext 1)
Address 0019.568d.4880
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Aging Time 300
Interface Role Sts Cost Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Fa0/9 Root FWD 19 128.9 P2p
Fa0/12 Altn BLK 19 128.12 P2p

S2#sh spanning-tree
VLAN0001
Spanning tree enabled protocol rstp
Root ID Priority 32769
Address 0009.43bd.7340
This bridge is the root
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Bridge ID Priority 32769 (priority 32768 sys-id-ext 1)
Address 0009.43bd.7340
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Aging Time 300
Interface Role Sts Cost Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Fa0/9 Desg FWD 19 128.9 P2p Peer(STP)
Fa0/12 Desg FWD 19 128.12 P2p Peer(STP)

This example lists the output of the show spanning-tree command on SW1. At the beginning of the example, first, the SW1 output lists the root bridge ID, comprised of the priority and MAC address. The bridge ID combines the priority and the MAC address used to identify each bridge or switch. Next, the output lists SW1-2950’s own bridge ID. Notice that the root bridge ID is different from SW1-2950's bridge ID. The topology in this example ends up with SW2 as the root bridge, so it forwards on both interfaces. SW1-2950 receives BPDUs on FastEthernet ports 0/9 and 0/12. From the topology, you know that the two BPDUs are both from SW2, and both tie in every respect. You can see in the example that the port cost is 19 on each interface, the default IEEE port cost for FastEthernet interfaces. So, SW1 must choose one interface to put into forwarding state and one into blocking state to avoid a loop. SW1 breaks the tie by using the lowest internal interface number, which is FastEthernet 0/9. So, you see SW1 port 0/9 in forwarding state and 0/12 in blocking state.

(2) Changing STP Port Costs and Bridge Priority
In Example 2, the configuration changes to affect the spanning tree. First, the port cost is changed on fastethernet 0/12, which makes SW1-2950 transition that port from blocking state to forwarding state and interface fastethernet 0/9 to blocking state. Next, SW1-2950 becomes the root by changing its bridge priority.

S1#debug spanning-tree switch state
Spanning Tree Port state changes debugging is on
S1(config)#int f0/12
S1(config-if)#spanning-tree cost 2
S1(config-if)#
00:36:21: STP: VLAN0001 new root port Fa0/12, cost 2
00:36:21: STP SW: Fa0/12 new listening req for 1 vlans
00:36:21: STP: VLAN0001 Fa0/12 -> listening
00:36:21: STP: VLAN0001 sent Topology Change Notice on Fa0/12
00:36:21: STP SW: Fa0/9 new blocking req for 1 vlans
00:36:21: STP: VLAN0001 Fa0/9 -> blocking
00:36:36: STP SW: Fa0/12 new learning req for 1 vlans
00:36:36: STP: VLAN0001 Fa0/12 -> learning
00:36:51: STP SW: Fa0/12 new forwarding req for 1 vlans
00:36:51: STP: VLAN0001 Fa0/12 -> forwarding
S1#sh spanning-tree
VLAN0001

Spanning tree enabled protocol ieee
Root ID Priority 32769
Address 0009.43bd.7340
Cost 2
Port 12 (FastEthernet0/12)
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Bridge ID Priority 32769 (priority 32768 sys-id-ext 1)
Address 0019.568d.4880
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Aging Time 300
Interface Role Sts Cost Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Fa0/9 Altn BLK 19 128.9 P2p
Fa0/12 Root FWD 2 128.12 P2p

S1(config)#spanning-tree vlan 1 root primary
S1(config)#
00:43:16: setting bridge id (which=1) prio 24577 prio cfg 24576 sysid 1 (on) id 6001.0019.568d.4880
00:43:16: STP: VLAN0001 we are the spanning tree root
00:43:16: STP SW: Fa0/9 new listening req for 1 vlans
00:43:16: STP: VLAN0001 Fa0/9 -> listening
00:43:16: STP: VLAN0001 Topology Change rcvd on Fa0/9
00:43:16: STP: VLAN0001 Topology Change rcvd on Fa0/9
00:43:31: STP SW: Fa0/9 new learning req for 1 vlans
00:43:31: STP: VLAN0001 Fa0/9 -> learning
00:43:46: STP SW: Fa0/9 new forwarding req for 1 vlans
00:43:46: STP: VLAN0001 Fa0/9 -> forwarding
S1#sh spanning-tree
VLAN0001
Spanning tree enabled protocol ieee
Root ID Priority 24577
Address 0019.568d.4880
This bridge is the root
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Bridge ID Priority 24577 (priority 24576 sys-id-ext 1)
Address 0019.568d.4880
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Aging Time 300
Interface Role Sts Cost Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Fa0/9 Desg FWD 19 128.9 P2p
Fa0/12 Desg FWD 2 128.12 P2p

S2#sh spanning-tree
VLAN0001
Spanning tree enabled protocol rstp
Root ID Priority 24577
Address 0019.568d.4880
Cost 19
Port 9 (FastEthernet0/9)
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Bridge ID Priority 32769 (priority 32768 sys-id-ext 1)
Address 0009.43bd.7340
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Aging Time 300
Interface Role Sts Cost Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Fa0/9 Root FWD 19 128.9 P2p Peer(STP)
Fa0/12 Altn BLK 19 128.12 P2p Peer(STP)

This example starts with the debug spanning-tree command on SW1-2950. This command tells the switch to issue informational messages whenever STP performs any significant work. These messages show up in the example as a result of the commands shown later in the example output. Next, the port cost of the SW1-2950 interface fastethernet 0/12 is changed using the spanning-tree cost 2 command. (The default cost on a 100-Mbps link is 19.) Immediately following this command, you see the first meaningful debug messages.

SW1-2950 issues a message each time an interface transitions to another state, and it includes a time stamp. Notice that the message stating that fastethernet 0/12 moves to listening state is followed by a message stating that fastethernet 0/12 has been placed in learning state, and the time stamp shows that this message was issued 15 seconds after the first one. Similarly, the message stating that fastethernet 0/12 was placed in forwarding state happens 15 seconds after that. So the debug messages simply reinforce the notion of the Forward Delay timer. Following the debug messages, the output of the show spanning-tree command lists fastethernet 0/9 as blocking and fastethernet 0/12 as forwarding, with the cost to the root bridge now only 2, based on the changed cost of interface fastethernet 0/12. The next change occurs when the spanning-tree vlan 1 root primary command is issued on SW1-2950. This command changes the bridge priority to 24,576, which makes SW1-2950 the root. The debug messages that follow confirm this fact.

(3) Example STP Configuration

Figure 9 – Three-Switch Network

Firstly, configure Switch1.

Switch1(config)#int vlan 1
Switch1(config-if)#ip address 172.16.0.10 255.255.0.0
Switch1(config-if)#no shutdown

Configure Switch2 and ping Switch1 from Switch2.

Switch2(config)#int vlan 1
Switch2(config-if)#ip add 172.16.0.20 255.255.0.0

Switch2(config-if)#no shutdown

Switch2#ping 172.16.0.10

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.0.10, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/5 ms

Configure Switch3.

Switch3(config)#int vlan 1
Switch3(config-if)#ip address 172.16.0.30 255.255.0.0
Switch3(config-if)#no shutdown

Ping Switch1 and Switch2 from Switch3.

Switch3#ping 172.16.0.10

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.0.10, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/7/12 ms

Switch3#ping 172.16.0.20

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.0.20, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/9/14 ms

Switch1#sh spanning-tree

VLAN0001
  Spanning tree enabled protocol ieee
  Root ID    Priority    1
             Address     0060.3E3A.DE25
             This bridge is the root
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    1  (priority 0 sys-id-ext 1)
             Address     0060.3E3A.DE25
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time 20

Interface        Role Sts Cost      Prio.Nbr Type

---------------- ---- --- --------- -------- --------------------------------
Fa0/1            Desg FWD 100       128.1    P2p
Fa0/2            Desg FWD 19        128.2    P2p
Fa0/3            Desg FWD 19        128.3    P2p
Fa0/4            Desg FWD 19        128.4    P2p

Switch2#show spanning-tree

VLAN0001
  Spanning tree enabled protocol ieee
  Root ID    Priority    1
             Address     0060.3E3A.DE25
             Cost        19
             Port        1 (FastEthernet0/1)
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    32769  (priority 32768 sys-id-ext 1)
             Address     000C.85DA.006E
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time 20

Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Fa0/1            Root FWD 19        128.1    P2p
Fa0/2            Altn BLK 19        128.2    P2p

Switch3#show spanning-tree

VLAN0001
  Spanning tree enabled protocol ieee
  Root ID    Priority    1
             Address     0060.3E3A.DE25
             Cost        19
             Port        2 (FastEthernet0/2)
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    32769  (priority 32768 sys-id-ext 1)
             Address     000C.853E.5AB3
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time 20

Interface        Role Sts Cost      Prio.Nbr Type

---------------- ---- --- --------- -------- --------------------------------
Fa0/1            Altn BLK 100       128.1    P2p
Fa0/2            Root FWD 19        128.2    P2p

Hands-on-Lab 9 – Switching Lab

Figure: lab topology with switches S1, S2 and S3 (inter-switch links on Fa0/2, Fa0/3 and Fa0/4) and hosts PC1 and PC2 (on Fa0/9 and Fa0/10).

Switch       Switch  Enable Secret  Enable, VTY, and    VLAN 1 IP    Default Gateway  Subnet Mask
Designation  Name    Password       Console Passwords   Address      IP Address
Switch1      S1      ictti          cisco               172.16.1.10  172.16.1.1       255.255.255.0
Switch2      S2      ictti          cisco               172.16.1.11  172.16.1.1       255.255.255.0
Switch3      S3      ictti          cisco               172.16.1.12  172.16.1.1       255.255.255.0
Switch4      S4      ictti          cisco               172.16.1.13  172.16.1.1       255.255.255.0

Objective
• Create a basic switch configuration and verify it.
• Determine which switch is selected as the root switch with the factory default settings.
• Force the other switch to be selected as the root switch.

Background/Preparation

Cable a network similar to the one in the diagram. The configuration output used in this lab is produced from a 2950 series switch. Any other switch used may produce different output. The following steps are to be executed on each switch unless specifically instructed otherwise.

Step 1 Configure the switches
Configure the hostname, access and command mode passwords, as well as the management LAN settings. These values are shown in the chart.

Step 2 Configure the hosts attached to the switches
Configure the host to use the same subnet for the address, mask, and default gateway as on the switch.

Step 3 Verify connectivity and display the show interface VLAN options ___________________
a. What are the MAC addresses of the switches: S1, S2 and S3? ______________________________________________________________________
b. Which switch should be the root of the spanning-tree for VLAN 1? __________________

Step 4 Display the spanning-tree table on each switch
Examine the output and answer the following questions.
a. Which switch is the root switch? _____________________________________________
b. What is the priority of the root switch? ________________________________________
c. What is the bridge id of the root switch? _______________________________________
d. Which ports are forwarding on the root switch? _________________________________
e. Which ports are blocking on the root switch? ___________________________________
f. What is the priority of the non-root switch? _____________________________________
g. What is the bridge id of the non-root switch? ___________________________________
h. Which ports are forwarding on the non-root switch? ______________________________
i. Which ports are blocking on the non-root switch? ________________________________
j. What is the status of the link light on the blocking port? ___________________________

Step 5 Reassign the root bridge
It has been determined that the switch selected as the root bridge, by using default values, is not the best choice. It is necessary to force the “S2” switch as shown in the figure to become the root switch. It is also necessary to force the “S1” switch to become the secondary root bridge.

Step 6 Display the switch spanning-tree table after reassigning
Examine the output and answer the following questions.
a. Which switch is the root switch? _____________________________________________
b. What is the priority of the root switch? ________________________________________
c. What is the bridge id of the root switch? _______________________________________
d. Which ports are forwarding on the root switch? _________________________________
e. Which ports are blocking on the root switch? ___________________________________
f. What is the priority of the secondary-root switch? ________________________________
g. What is the bridge id of the secondary-root switch? ______________________________
h. Which ports are forwarding on the secondary-root switch? ________________________
i. What is the priority of the non-root switch? _____________________________________
j. What is the bridge id of the non-root switch? ___________________________________
k. Which ports are forwarding on the non-root switch? ______________________________
l. Which ports are blocking on the non-root switch? ________________________________
m. What is the status of the link light on the blocking port? ____________________________

Step 7 Applying STP Features in the Network
Configure the following conditions.
a. S2 is preferred as the root switch.
b. When new switch S4 connects to S3 from fa0/4, S4 is never expected to be root.
c. PC1 and PC2 need faster STP convergence, bypassing the typical STP listening and learning states and eliminating the normal 30 seconds of STP delay. BPDU guard is needed on all user ports where PortFast is enabled.

Step 8 Verify the running configuration files on each switch
Specify the running configuration files on the switches that were changed to be the root bridge, secondary root bridge, and configured STP features.
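To connect the show spanning-tree outputs in the worked example and the lab questions above with the election rule itself, here is an added Python model (not the textbook's or Cisco's code) of bridge-ID comparison, the effect of spanning-tree vlan 1 root primary, root-port choice, and the Forward Delay timeline. The bridge names, MACs, priorities and costs are taken from the outputs above; the root primary rule (24576, or 4096 below the current root's priority) is the documented IOS behaviour.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Bridge:
    name: str
    mac: str                 # IOS dotted form, e.g. "0019.568d.4880"
    priority: int = 32768    # configured priority, a multiple of 4096
    vlan: int = 1            # PVST+ sys-id-ext, added to the priority per VLAN

    def bridge_id(self):
        """Comparable bridge ID: (priority + sys-id-ext, MAC as an integer); lowest wins."""
        return (self.priority + self.vlan, int(self.mac.replace(".", ""), 16))

    def bridge_id_hex(self):
        """Bridge ID as the debug line prints it, e.g. 6001.0019.568d.4880."""
        return f"{self.priority + self.vlan:04x}.{self.mac}"

    def priority_line(self):
        """The 'Bridge ID Priority' line of show spanning-tree."""
        return (f"Priority {self.priority + self.vlan} "
                f"(priority {self.priority} sys-id-ext {self.vlan})")


def elect_root(bridges):
    """All bridges converge on the one with the lowest bridge ID."""
    return min(bridges, key=Bridge.bridge_id)


def root_primary(bridge, others):
    """Effect of 'spanning-tree vlan N root primary' on `bridge` (documented IOS rule):
    priority 24576 if that undercuts the current root, otherwise 4096 below the root."""
    root = elect_root(others)
    new_prio = 24576 if root.priority > 24576 else root.priority - 4096
    if new_prio < 0:
        raise ValueError(f"{root.name} already has the lowest possible priority")
    return Bridge(bridge.name, bridge.mac, new_prio, bridge.vlan)


def choose_root_port(candidates):
    """candidates: port -> (root path cost, sender bridge ID, sender port ID (prio, nbr)).
    802.1D tie-break order: lowest cost, then lowest sender bridge ID, then lowest
    sender port ID; the last step is why Fa0/9 (128.9) beats Fa0/12 (128.12) at equal cost."""
    return min(candidates, key=candidates.__getitem__)


def state_timeline(start_hms, forward_delay=15):
    """Listening -> learning -> forwarding, one Forward Delay apart, as in the
    00:43:16 / 00:43:31 / 00:43:46 debug lines above."""
    h, m, s = (int(x) for x in start_hms.split(":"))
    t0 = h * 3600 + m * 60 + s
    fmt = lambda t: f"{t // 3600:02d}:{t % 3600 // 60:02d}:{t % 60:02d}"
    return [(fmt(t0 + i * forward_delay), state)
            for i, state in enumerate(("listening", "learning", "forwarding"))]


if __name__ == "__main__":
    S1 = Bridge("S1", "0019.568d.4880")
    S2 = Bridge("S2", "0009.43bd.7340")
    print("root with defaults:", elect_root([S1, S2]).name)      # S2: same priority, lower MAC
    S1 = root_primary(S1, [S2])
    print("after root primary:", elect_root([S1, S2]).name, S1.bridge_id_hex())
    print(S1.priority_line())
    print(state_timeline("00:43:16"))
```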

5. Virtual LANs <Day 7>

5.1. Introduction to VLAN

A flat network topology, as illustrated in Figure 10, is adequate for small networks and is implemented using Layer 2 switching. There is no hierarchy with a flat network design, and because each network device within the topology is performing the same job, a flat network design can be easy to implement and manage, as long as the network stays small and manageable. The flat network topology is not divided into layers or modules and can make troubleshooting and isolating of network faults a bit more challenging than in a hierarchical network. In a small network, this might not necessarily be an issue. Actually, the larger the number of users and devices, the more broadcasts and packets each switch must handle. See in the figure Host A sending out a broadcast and all ports on all switches forwarding it: it has one broadcast domain.

Figure 10 - Flat Network Structure

Now, by having the largest benefit of the layer 2 switched networks, as shown in Figure 11, individual collision domain segments are created for each device plugged into each port on the switch, but the actual design is not physically flat.

Figure 11 - Benefit of Switched Network

One considerable issue in the switched networks is security. All users can see all devices by default in typical layer 2 switched internetworks. And you cannot stop devices from broadcasting, plus you cannot stop users from trying to respond to broadcasts. So, such kinds of problems can be solved by associating layer 2 switching with virtual LAN (VLAN).

5.1.1. VLAN Basic

A virtual LAN (VLAN) is a network composed of logical broadcast domains, or a logical grouping of network users and resources connected to administratively defined ports on a switch.

Figure 12 - Concept of Virtual LANs (the Software Development Department and the Network Technology Department each form a physical LAN, and VLAN1, VLAN2 and VLAN3 span both)

When VLANs are created, you are given the ability to create smaller broadcast domains within a layer 2 switched internetwork by assigning different ports on the switch to different sub networks. A VLAN is treated like its own subnet or broadcast domain, meaning that frames broadcast onto the network are only switched between the ports logically grouped

within the same VLAN. In other words, a VLAN is a broadcast domain created by one or more switches. VLANs are pretty simple in concept and in practice. The switch creates a VLAN simply by putting some interfaces in one VLAN and some in another. Before VLANs existed, if a design specified two separate broadcast domains, two switches would be used, one for each broadcast domain. The following list hits the high points:

• A collision domain is a set of network interface cards (NICs) for which a frame sent by one NIC could result in a collision with a frame sent by any other NIC in the same collision domain.
• A broadcast domain is a set of NICs for which a broadcast frame sent by one NIC is received by all other NICs in the same broadcast domain.
• A VLAN is essentially a broadcast domain.
• VLANs are typically created by configuring a switch to place each port in a particular VLAN.
• The set of devices in a VLAN typically also is in the same IP subnet; devices in different VLANs are in different subnets.
• Layer 2 switches forward frames between devices in the same VLAN; they cannot forward frames between different VLANs.
• A Layer 3 switch, multilayer switch, or router can be used to essentially route packets between VLANs.

Generally, the first consideration for setting up VLANs in your network is planning your environment. Will the VLANs span multiple switches, or will you only be segmenting one switch? If you only have one switch to segment, you can just configure the VLANs with no other considerations. If you need to span multiple switches with VLAN information, you will need to decide which switches need which VLANs. You will also need to configure trunking and set up VLAN Trunking Protocol (VTP). Detailed explanations concerned with VTP are discussed in section 5.2.

5.1.2. VLAN Memberships

The two common approaches to assigning VLAN membership are as follows:
• Static VLANs
• Dynamic VLANs

Static VLANs are also referred to as port-based VLANs. Static VLAN assignments are

created by assigning ports to a VLAN. As a device enters the network, the device automatically assumes the VLAN of the port. If the user changes ports and needs access to the same VLAN, the network administrator must manually make a port-to-VLAN assignment for the new connection. For example, let us say a 12 port fastethernet switch is split for the creation of 2 VLANs. The first 6 ports are associated with VLAN1 and the last 6 ports are associated with VLAN2. If a machine is moved from port 3 to port 11, it will effectively change VLANs.

Dynamic VLANs are specified by MAC address. Assuming the same scenario, a system administrator will enter MAC addresses for all machines connecting to the switch. These addresses will be stored in a memory chip inside the switch that forms a database of local MAC addresses. Each MAC address can then be associated with a certain VLAN. This way, if a machine is moved, it will retain the original VLAN membership regardless of its port number. With a VLAN Management Policy Server [VMPS], an administrator can assign switch ports to VLANs dynamically based on information such as the source MAC address of the device connected to the port or the username used to log onto that device. As a device enters the network, the device queries a database for VLAN membership. The VMPS database automatically maps MAC addresses to VLANs. See also FreeNAC, which implements a VMPS server.

5.1.3. VLAN Enabled Switches

Not all switches support VLANs. While most expensive switches do, there have been some compatibility issues associated with multi-vendor VLAN devices. However, you won't get "the works" unless you are using a Cisco Catalyst. Cisco has created proprietary protocols to manage VLANs. VLAN Trunking Protocol (VTP) enables Cisco switches to advertise VLAN routes to other VTP enabled switches. It also allows a system administrator to manage all VLANs from a central point and order all switches to update the VLAN information along the entire network. 3com Superstack switches also have great VLAN support. Most organizations using VLANs have figured out it is worth shelling out the extra cash to go with Cisco equipment and get the extra features and functionality.

5.1.4. Why use VLANs?

VLANs offer a number of advantages over traditional LANs. They are:

(1) Performance

In networks where traffic consists of a high percentage of broadcasts and multicasts, VLANs can reduce the need to send such traffic to unnecessary destinations. For example, in a broadcast domain consisting of 10 users, if the broadcast traffic is intended only for 5 of the users, then placing those 5 users on a separate VLAN can reduce traffic. Compared to switches, routers require more processing of incoming traffic. As the volume of traffic passing through the routers increases, so does the latency in the routers, which results in reduced performance. The use of VLANs reduces the number of routers needed, since VLANs create broadcast domains using switches instead of routers.

(2) Formation of Virtual Workgroups

With VLANs it is easier to place members of a workgroup together. Consider the situation where one user of the workgroup is on the fourth floor of a building, and the other workgroup members are on the second floor. Resources such as a printer would be located on the second floor, which would be inconvenient for the lone fourth floor user. Without VLANs, the only way this would be possible is to physically move all the members of the workgroup closer together.

(3) Simplified Administration

Seventy percent of network costs are a result of adds, moves, and changes of users in the network. Every time a user is moved in a LAN, re-cabling, new station addressing, and reconfiguration of hubs and routers becomes necessary. Some of these tasks can be simplified with the use of VLANs. If a user is moved within a VLAN, reconfiguration of routers is unnecessary. In addition, depending on the type of VLAN, other administrative work can be reduced or eliminated.

(4) Reduced Cost

VLANs reduce the time it takes to implement moves, additions and changes. Moreover, VLANs can be used to create broadcast domains which eliminate the need for expensive routers.

(5) Security

Periodically, sensitive data may be broadcast on a network. In such cases, placing only those users who can have access to that data on a VLAN can reduce the chances of an outsider gaining access to the data. VLANs can also be used to control broadcast domains, set up firewalls, restrict access, and inform the network manager of an intrusion.

(6) Flexibility and Scalability

• What if no hub ports are available for a department LAN?
• What if no physical space is available for new users?
    • Physically locate the new user in another department and plug the computer into that department's hub
    • The user must obtain Sales resources by traversing a router
    • "Don't SPAN the WAN": keep resources local
VLANs overcome these problems.

5.1.5. Identifying VLANs

(1) VLANs defined by Port Group

Figure 13 - Example of Identifying VLANs by Ports

(2) VLAN Tagging or Frame Tagging

When you want traffic from multiple VLANs to be able to traverse a link that interconnects two switches, or VLANs span multiple switches, you need to configure a VLAN tagging method on the ports that supply the link. A VLAN is a method of creating independent logical networks within a physical network. VLAN Tagging is the practice of inserting a VLAN ID into a packet header in order to identify which VLAN (Virtual Local Area Network) the packet belongs to. More specifically, switches use the VLAN ID to determine which port(s), or interface(s), to send a broadcast packet to. VLAN Tagging support allows administrators to deploy ProxySG appliances in line with switches that are routing VLAN traffic without the risk of losing VLAN ID information. Figure 14 shows the tagged frames and untagged frames. Frames are handled according to the type of link they are traversing. A means of keeping track of users & frames as they

travel the switch fabric & VLANs:
• User-defined ID assigned to each frame
• VLAN IDs compared to information in the filter table for routing purposes
• VLAN ID is removed before exiting trunked links & access links

Figure 14 - Distinguish between Tagged Frames and Untagged Frames

(3) VLANs and Network Switches – Link Types

The different link types are shown in Figure 15.
• Access link
    • Receives and transmits untagged frames
    • Default port configuration on switches
    • Usually used to connect end-stations to the network
    • PCs do not need to change their frame format
• Trunk link
    • Receives and transmits tagged frames
    • Must be configured explicitly on switches
    • Usually used in switch-to-switch connections and to servers/routers
• Hybrid link
    • Accepts both tagged and untagged frames
    • Differentiates frames according to the "type" field (0x8100 or not)
    • Trunk links are usually also hybrid links
    • Used on ports on which both hosts and servers / routers / switches are connected
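As an added example (not the textbook's code), the following Python functions tag, untag and classify frames by the link types listed above: the 0x8100 type field decides whether a tag is present, a tag is four bytes inserted after the source MAC, and an access link never carries one. The sample frame is constructed here: a broadcast ARP request using S1's MAC from the STP output as source.

```python
import struct

TPID_8021Q = 0x8100   # "type" field value that marks a tagged frame

# Constructed sample frame: broadcast ARP request, source MAC from S1 in the STP output.
SRC_MAC = bytes.fromhex("0019568d4880")
UNTAGGED = bytes.fromhex("ffffffffffff") + SRC_MAC + (0x0806).to_bytes(2, "big") + bytes(28)


def parse_frame(frame):
    """Split an Ethernet frame into fields; vlan is None when no 802.1Q tag is present."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    dst, src = frame[:6], frame[6:12]
    (etype,) = struct.unpack("!H", frame[12:14])
    if etype != TPID_8021Q:
        return {"dst": dst, "src": src, "vlan": None, "pcp": None,
                "ethertype": etype, "payload": frame[14:]}
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q header")
    tci, inner = struct.unpack("!HH", frame[14:18])
    return {"dst": dst, "src": src, "vlan": tci & 0x0FFF, "pcp": tci >> 13,
            "ethertype": inner, "payload": frame[18:]}


def add_tag(frame, vlan, pcp=0):
    """Insert one 802.1Q tag after the source MAC (trunk egress). Refuses a second tag."""
    if not 1 <= vlan <= 4094:
        raise ValueError(f"invalid VLAN ID {vlan}")
    if parse_frame(frame)["vlan"] is not None:
        raise ValueError("frame already carries a tag")
    return frame[:12] + struct.pack("!HH", TPID_8021Q, (pcp << 13) | vlan) + frame[12:]


def strip_tag(frame):
    """Remove the tag before the frame leaves on an access link; hosts never see it."""
    return frame[:12] + frame[16:] if parse_frame(frame)["vlan"] is not None else frame


def ingress_vlan(frame, link_type, port_vlan):
    """VLAN a received frame belongs to, by link type; None means the frame is dropped."""
    tag = parse_frame(frame)["vlan"]
    if link_type == "access":
        return port_vlan if tag is None else None    # tagged frames do not belong here
    if link_type == "trunk":
        return tag                                   # untagged -> None -> dropped
    if link_type == "hybrid":
        return port_vlan if tag is None else tag     # decided by the type field
    raise ValueError(f"unknown link type {link_type}")


def egress_frame(frame, vlan, link_type):
    """Frame as transmitted: untagged on an access link, tagged with `vlan` otherwise."""
    bare = strip_tag(frame)
    return bare if link_type == "access" else add_tag(bare, vlan)


if __name__ == "__main__":
    tagged = add_tag(UNTAGGED, 3)
    print(parse_frame(tagged)["vlan"], ingress_vlan(tagged, "access", 2))   # 3 None
    print(strip_tag(tagged) == UNTAGGED)                                    # True
```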

Figure 15 - Link Types

(4) VLAN Identification Methods

VLAN identification is what switches use to keep track of all those frames as they are traversing a switch fabric. There are a number of tagging methods (or VLAN identification methods) such as Inter-Switch Link (ISL) and 802.1Q.

• Inter-Switch Link (ISL)
  ISL is a way of explicitly tagging VLAN information onto an Ethernet frame. ISL is a Cisco proprietary VLAN tagging method. When interconnecting two Cisco switches, ISL is usually the best choice.
• IEEE 802.1Q
  802.1Q is an industry standard trunking protocol if you need to interconnect switches of different types (for example, a Cisco switch and an Avaya switch).
• IEEE 802.10 (dot10q)
  Cisco proprietary method for transporting VLAN information inside standard FDDI frames.
• LAN Emulation (LANE)
  Used for trunking VLANs over ATM links.

5.2. VLAN Trunking Protocol (VTP)

VLAN Trunking Protocol (VTP) ensures that all switches in the VTP domain are aware of all VLANs. There are occasions, however, when VTP can create unnecessary traffic. All unknown unicasts and broadcasts in a VLAN are flooded over the entire VLAN. All switches in the network receive all broadcasts, even in situations where few users are connected in that VLAN. VTP pruning is a feature used to eliminate (or prune) this unnecessary traffic.

By default, all Cisco Catalyst switches are configured to be VTP servers. VTP defines a Layer 2 messaging protocol that allows the switches to exchange VLAN configuration information so that the VLAN configuration stays consistent throughout a network. VTP manages the additions, deletions, and name changes of VLANs across multiple switches, minimizing misconfigurations and configuration inconsistencies that can cause problems, such as duplicate VLAN names or incorrect VLAN-type settings. So VTP allows switched network solutions to scale to large sizes by reducing the manual configuration needs in the network. VTP makes VLAN configuration easier. However, you have not yet seen how to configure VLANs, so to better appreciate VTP, consider this example: If a network has ten interconnected switches, and parts of VLAN 3 were on all ten switches, you would have to enter the same config command on all ten switches to create the VLAN. With VTP, you can configure that information in one switch, and VTP will distribute that information to the rest of the switches. For instance, if you want to use VLAN 3 and name it “accounting,” you would create VLAN 3 on one switch, and the other nine switches would learn about VLAN 3 dynamically.

5.2.1. How VTP Works

Cisco switches use the proprietary VTP to exchange VLAN configuration information between switches. VTP floods advertisements throughout the VTP domain every 5 minutes, or whenever there is a change in VLAN configuration. The VTP advertisement includes a configuration revision number, VLAN names and numbers, and information about which switches have ports assigned to each VLAN. By configuring the details on one (or more) VTP server and propagating the information through advertisements, all switches know the names and numbers of all VLANs. One of the most important components of the VTP advertisements is the configuration revision number. Each time a VTP server modifies its VLAN information, it increments the configuration revision number by 1. The VTP server then sends out a VTP advertisement that includes the new configuration revision number. When a switch receives a VTP advertisement with a larger configuration revision number, it updates its VLAN configuration. The VTP process begins with VLAN creation on a switch called a VTP server. The changes are distributed as a broadcast throughout the network. Both VTP clients and servers hear the VTP messages and update their configuration based on those messages. Figure 18 illustrates how VTP operates in a switched network.

Figure 16 - VTP Operation: (1) a new VLAN is added on the VTP server; (2) its revision goes from Rev 3 to Rev 4; (3) the server sends a VTP advertisement to each VTP client; (4) each client compares its Rev 3 with the advertised Rev 4; (5) each client synchronises the new VLAN information.

5.2.2. VTP Modes

VTP operates in one of three modes:
• Server mode
• Client mode
• Transparent mode

• Server: In VTP server mode, you can create, modify, and delete VLANs and specify other configuration parameters, such as VTP version and VTP pruning, for the entire VTP domain. VTP servers advertise their VLAN configuration to other switches in the same VTP domain and synchronize their VLAN configuration with other switches based on advertisements received over trunk links. VTP server is the default mode.
• Client: VTP clients behave the same way as VTP servers, but you cannot create, change, or delete VLANs on a VTP client.
• Transparent: VTP transparent switches do not participate in VTP. A VTP transparent switch does not advertise its VLAN configuration and does not synchronize its VLAN configuration based on received advertisements, but transparent switches do forward VTP advertisements that they receive out their trunk ports in VTP Version 2.

5.2.3. VTP Pruning

VTP pruning is a feature that you use in order to eliminate or prune this unnecessary traffic. It also allows switches to prevent broadcasts and unknown unicasts from flowing to switches

that do not have any ports in that VLAN. Pruning-enabled switches send broadcasts only to trunk links that actually must have the information. We can check VTP status with the show vtp status command.

s1#show vtp status
VTP Version                     : 2
Configuration Revision          : 1
Maximum VLANs supported locally : 1005
Number of existing VLANs        : 8
VTP Operating Mode              : Server
VTP Domain Name                 : DOMAIN1
VTP Pruning Mode                : Disabled
VTP V2 Mode                     : Disabled
VTP Traps Generation            : Disabled
MD5 digest                      : 0x7F 0x37 0x5A 0xA6 0x0A 0xAA 0xA9 0x19
Configuration last modified by 0.0.0.0 at 3-1-93 00:08:24
Local updater ID is 172.16.0.2 on interface Vl1 (lowest numbered VLAN interface found)

Use the following command to enable VTP pruning.

s1(config)#vtp pruning
Pruning switched on
s1(config)#do show vtp status
VTP Version                     : 2
Configuration Revision          : 2
Maximum VLANs supported locally : 1005
Number of existing VLANs        : 8
VTP Operating Mode              : Server
VTP Domain Name                 : DOMAIN1
VTP Pruning Mode                : Enabled
VTP V2 Mode                     : Disabled
VTP Traps Generation            : Disabled
MD5 digest                      : 0x09 0x93 0x62 0xEA 0x38 0x07 0x14 0xE1
Configuration last modified by 172.16.0.2 at 3-1-93 01:43:51
Local updater ID is 172.16.0.2 on interface Vl1 (lowest numbered VLAN interface found)
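The revision-number rule and the three VTP modes described above, as an added Python simulation (not the textbook's code): a server increments the revision and advertises, clients and servers sync only on a larger revision from their own domain, and a transparent switch relays without syncing. The switch names and the domain DOMAIN1 are constructed samples.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class VtpAdvertisement:
    domain: str
    revision: int
    vlans: Dict[int, str]


@dataclass
class VtpSwitch:
    name: str
    domain: str
    mode: str = "server"                       # server | client | transparent (server is the default)
    revision: int = 0
    vlans: Dict[int, str] = field(default_factory=lambda: {1: "default"})
    events: List[str] = field(default_factory=list)

    def add_vlan(self, vid: int, name: str) -> Optional[VtpAdvertisement]:
        """Create a VLAN locally. Servers bump the revision and advertise;
        transparent switches keep the change local; clients are refused."""
        if self.mode == "client":
            raise PermissionError(f"{self.name}: VLANs cannot be created on a VTP client")
        self.vlans[vid] = name
        if self.mode == "transparent":
            return None
        self.revision += 1
        return VtpAdvertisement(self.domain, self.revision, dict(self.vlans))

    def receive(self, adv: VtpAdvertisement) -> Optional[VtpAdvertisement]:
        """Handle an advertisement heard on a trunk; return what is relayed onward."""
        if adv.domain != self.domain:
            self.events.append(f"ignored advertisement for domain {adv.domain}")
            return None
        if self.mode == "transparent":
            self.events.append(f"relayed revision {adv.revision} without syncing")
            return adv
        if adv.revision > self.revision:               # the rule from the text
            self.vlans = dict(adv.vlans)
            self.revision = adv.revision
            self.events.append(f"synced to revision {adv.revision}")
        else:
            self.events.append(f"ignored revision {adv.revision} (have {self.revision})")
        return adv


def flood(adv: VtpAdvertisement, path: List[VtpSwitch]) -> None:
    """Deliver an advertisement hop by hop along a chain of trunk-connected switches."""
    for sw in path:
        adv = sw.receive(adv)
        if adv is None:
            break


def build_domain():
    """Constructed sample: one server, a client, a transparent switch, another client."""
    return (VtpSwitch("s1", "DOMAIN1"),
            VtpSwitch("c1", "DOMAIN1", mode="client"),
            VtpSwitch("t1", "DOMAIN1", mode="transparent"),
            VtpSwitch("c2", "DOMAIN1", mode="client"))


if __name__ == "__main__":
    s1, c1, t1, c2 = build_domain()
    flood(s1.add_vlan(3, "accounting"), [c1, t1, c2])
    for sw in (s1, c1, t1, c2):
        print(sw.name, sw.mode, sw.revision, sorted(sw.vlans), sw.events)
```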

5.3. Configuring VLANs

5.3.1. Inter-VLAN Routing: Router-on-a-Stick

VLANs perform network partitioning and traffic separation at Layer 2. In a VLAN environment, frames are switched only between ports within the same broadcast domain. Inter-VLAN communication cannot occur without a Layer 3 device, such as a router. Inter-VLAN communication occurs between broadcast domains via a Layer 3 device. Figure 19 illustrates a router attached to a core switch. The configuration between a router and a core switch is sometimes referred to as a router on a stick.

Figure 17 – Router on a Stick

(1) Configuring VLAN on Router

This is the defining of VLANs on router sub-interfaces. Use IEEE 802.1Q to enable trunking on a router subinterface.

Router0#sh run
hostname Router0
interface FastEthernet0/0
 no ip address
!
interface FastEthernet0/0.1
 description native vlan1
 encapsulation dot1Q 1 native

255. Switch# sh vlan S-AN-A-1.255. See the following example. VLANs always are referenced by a VLAN number.1. all switch ports are assigned to VLAN 1.168. VLANs 1002 to 1005 are reserved for legacy functions related to Token Ring and FDDI switching.255.04 Network Technologies – ICTTI.0 ! (2) Configuring VLAN on Switch The switch commands needed to configure static VLANs. are set to be a VLAN type of Ethernet.255.0 ! interface FastEthernet0/0.1 255.1 255. Union of Myanmar 136/200 .3. use the global config vlan command.3 description vlan3 encapsulation dot1Q 3 ip address 192. the VLAN must be assigned to specific switch ports. the VLAN must be created on the switch.255. This copy of textbook is granted only for: Chan Myae (shweyoe.2.ucss@gmail. VLANs 1 and 1002 through 1005 automatically are created and are set aside for special uses. Swich# config t Switch(config)# vlan ? WORD ISL VLAN IDs 1-4094 internal internal VLAN Switch(config)# vlan 2 Switch(config)# name Software_Development_Department Switch(config)# vlan 3 Switch(config)# name Network_Technology_Department Verify the VLAN information by using this command.2 description vlan2 encapsulation dot1Q 2 ip address 192.0 ! interface FastEthernet0/0. By default. VLAN 1 is the default VLAN for every switch port. Then. First. if it does not already exist.1 255.com) Cisco Routing & Switching 7/9/2012 Virtual LANs <Day 7> Configuring VLANs ip address 192. which can range from 1 to 1005. For example. To configure VLANs on a Cisco Catalyst switch.168.255.168.

1. To configure VLANs on the 2960 series switch, you can also use the vlan # name command in VLAN database mode. (This mode is deprecated on current IOS releases, which accept only the global vlan command shown above; it is kept here because the lab switches accept it.)

2960A#vlan database
2960A(vlan)#vlan 2 name Sales
VLAN 2 added:
    Name: Sales
2960A(vlan)#vlan 3 name Marketing
VLAN 3 added:
    Name: Marketing
2960A(vlan)#exit
APPLY completed.
Exiting....

2. To assign switch ports to VLANs: each port on a switch can be configured in a specific VLAN (access port) by using the interface switchport command.

Switch# conf t
Switch(config)# int f0/10
Switch(config-if)# switchport ?
...
Switch(config-if)# switchport mode ?
...
Switch(config-if)# switchport mode access
Switch(config-if)# switchport access vlan 2

3. You can also configure multiple ports at the same time with the interface range command. For example, ports 6 to 12 can access VLAN 3.

Switch# conf t
Switch(config)# int range f0/6 - 12
Switch(config-if-range)# switchport mode access
Switch(config-if-range)# switchport access vlan 3

4. To configure Trunk port

To configure trunking on a FastEthernet port, use the interface command switchport mode trunk. On Cisco 2960:

Switch# conf t
Switch(config)# int f0/1
Switch(config-if)# switchport mode trunk

It is a little different on the Cisco 3560 multilayer switch, which supports both ISL and 802.1Q trunking: the encapsulation must be chosen before the port can be set to trunk mode. To configure the Trunk port on a Cisco 3560:

Switch# conf t
Switch(config)# int f0/1
Switch(config-if)# switchport trunk encapsulation ?
...
Switch(config-if)# switchport trunk encapsulation dot1q
Switch(config-if)# switchport mode trunk

Ports left in the default dynamic mode negotiate trunking with DTP, so a host that speaks DTP can turn its access port into a trunk and reach every VLAN. Set user ports explicitly to access mode, as below, and add switchport nonegotiate on the trunk ports you do configure.

Switch0 configuration

hostname Switch0
interface FastEthernet0/1
 description Trunk Link to Router0
 switchport mode trunk
!
interface FastEthernet0/10
 switchport access vlan 2
 switchport mode access
!
interface FastEthernet0/20
 switchport access vlan 3
 switchport mode access
!
interface Vlan1
 ip address 192.168.1.10 255.255.255.0
!
ip default-gateway 192.168.1.1

5.4 VLAN with VTP Domain

Figure 18 – VTP Domain on Router

(1) Router

Router0#sh run
hostname Router0
interface FastEthernet0/0
 no ip address
!
interface FastEthernet0/0.1
 encapsulation dot1Q 1 native
 ip address 172.16.1.1 255.255.255.0
!
interface FastEthernet0/0.2
 encapsulation dot1Q 2
 ip address 172.16.2.1 255.255.255.0
!
interface FastEthernet0/0.3
 encapsulation dot1Q 3
 ip address 172.16.3.1 255.255.255.0
!

(2) Switch

Connect to the Switch0 switch and set the hostname, interface descriptions, IP address, subnet mask, and default-gateway information. The IP address of the switch will be 172.16.1.10/24, with a default gateway of 172.16.1.1. The passwords used here are lab values; note that the enable password is kept in clear text in the configuration and is ignored whenever an enable secret is configured, so outside the lab configure only the enable secret.

Switch>en
Switch#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
Switch(config)#hostname Switch0
Switch0(config)#enable password test
Switch0(config)#enable secret secret
Switch0(config)#line console 0
Switch0(config-line)#password test
Switch0(config-line)#login
Switch0(config-line)#line vty 0 15
Switch0(config-line)#password test
Switch0(config-line)#login
Switch0(config-line)#exit
Switch0(config)#ip default-gateway 172.16.1.1
Switch0(config)#interface VLAN 1
Switch0(config-if)#ip address 172.16.1.10 255.255.255.0
Switch0(config-if)#no shutdown
Switch0(config)#interface GigabitEthernet 1/1
Switch0(config-if)#description Trunk Link to Router0
Switch0(config-if)#switchport mode trunk
Switch0(config-if)#interface GigabitEthernet 1/2
Switch0(config-if)#description Trunk Link to Switch1
Switch0(config-if)#switchport mode trunk
Switch0(config-if)#exit
Switch0(config)#exit
Switch0#ping 172.16.1.1

(3) VTP Configuration

Create a VTP domain of testdomain and leave the Switch0 as a VTP server.

Switch0(config)#vtp domain testdomain

Switch0(config)#vtp mode server

A VTP domain with no password accepts VLAN advertisements from any switch that joins it, and the advertisement with the highest configuration revision number wins, so a switch plugged into a trunk with a higher revision (even one configured as a client) can overwrite or erase the VLAN database of the whole domain. Set vtp password on every switch in the domain, and reset the revision number of a switch (for example by changing its domain name and back) before connecting it to the network.

Connect to the Switch1 switch and set the hostname, interface descriptions, IP address, subnet mask, and default-gateway information, and configure the Switch1 as a VTP client. The IP address of the switch will be 172.16.1.11/24, with a default gateway of 172.16.1.1.

Switch>en
Switch#conf t
Switch(config)#hostname Switch1
Switch1(config)#enable password test
Switch1(config)#enable secret secret
Switch1(config)#line console 0
Switch1(config-line)#password test
Switch1(config-line)#login
Switch1(config-line)#line vty 0 15
Switch1(config-line)#password test
Switch1(config-line)#login
Switch1(config-line)#exit
Switch1(config)#ip default-gateway 172.16.1.1
Switch1(config)#interface vlan 1
Switch1(config-if)#ip address 172.16.1.11 255.255.255.0
Switch1(config-if)#no shutdown
Switch1(config)#interface GigabitEthernet 1/1
Switch1(config-if)#description Trunk Link to Switch0
Switch1(config-if)#switchport mode trunk
Switch1(config-if)#exit
Switch1(config)#exit
Switch1#ping 172.16.1.1

Configure the Switch1 to be a member of the VTP domain testdomain.

Switch1(config)#vtp domain testdomain
Switch1(config)#vtp mode client

Create two VLANs on Switch0 called Sales and Marketing.

Switch0#vlan database
Switch0(vlan)#vlan 2 name Sales

VLAN 2 modified:
    Name: Sales
Switch0(vlan)#vlan 3 name Marketing
VLAN 3 modified:
    Name: Marketing
Switch0(vlan)#exit
APPLY completed.
Exiting....

Go to the Switch1 and type in show vlan to verify the VLAN information was shared with VTP.

Switch1#show vlan
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/1, Fa0/2, Fa0/3, Fa0/4
                                                Fa0/5, Fa0/6, Fa0/7, Fa0/8
                                                Fa0/9, Fa0/10, Fa0/11, Fa0/12
2    Sales                            active
3    Marketing                        active

You should see three VLANs, 1-3, that were shared via VTP from Switch0. Note that we created the two VLANs using 2 and 3. VLAN 1 is configured by default on all switches and cannot be changed or deleted.

Connect to the Switch0 and make port f0/10 a member of VLAN 2. PC0 and PC2 will be in VLAN 2, which has a subnet address of 172.16.2.0/24. PC0 will be 172.16.2.10 and PC2 will be 172.16.2.11. The default gateway will be 172.16.2.1, which is configured on the Router0.

Switch0(config)#interface fastethernet 0/10
Switch0(config-if)#switchport access vlan 2
Switch0(config-if)#switchport mode access

Connect to the Switch1 and make port f0/10 a member of VLAN 2.

Switch1(config)#interface fastethernet 0/10
Switch1(config-if)#switchport access vlan 2
Switch1(config-if)#switchport mode access

You can configure portfast on the access port. This enables a switch port to come up quickly and not wait the typical 30 to 50 seconds for spanning tree to go through its listening and learning states. However, if you turn portfast on, the port starts forwarding before spanning tree has had a chance to detect a loop through it, so be sure you do not create a physical loop on the switch network or it will bring your network down. Use portfast only on ports that connect to end stations, never on inter-switch links, and pair it with spanning-tree bpduguard enable so that the port is shut down if a switch (or a host sending BPDUs) is ever plugged in.

Switch1(config-if)#spanning-tree portfast

Configure PC0 with an IP address of 172.16.2.10/24, with a default gateway of 172.16.2.1. Configure PC2 with an IP address of 172.16.2.11/24, with a default gateway of 172.16.2.1.

Verify you have set up the VLANs correctly by pinging from PC0 to PC2.

>ping 172.16.2.11

Once you can ping, you know you have configured at least one VLAN correctly.

Configure PC1 and PC3 to be in VLAN 3. From the Switch0, configure port F0/20 to be a member of VLAN 3.

Switch0#config t
Switch0(config)#interface fastethernet 0/20
Switch0(config-if)#switchport access vlan 3
Switch0(config-if)#switchport mode access

Connect to the Switch1 and make port F0/20 a member of VLAN 3.

Switch1#config t
Switch1(config)#interface fastethernet 0/20
Switch1(config-if)#switchport access vlan 3
Switch1(config-if)#switchport mode access

Configure PC1 with an IP address of 172.16.3.10/24, with a default gateway of 172.16.3.1. Configure PC3 with an IP address of 172.16.3.11/24, with a default gateway of 172.16.3.1.

Verify that you can ping PC3 from PC1.

>ping 172.16.3.11

6. Network Security <Day 8-9>

6.1 Securing Switch Access

Traditionally, users have been able to connect a PC to a switched network and gain immediate access to enterprise resources. As networks grow and as more confidential data and restricted resources become available, it is important to limit the access that users receive. Catalyst switches have a variety of methods that can secure or control user access. Users can be authenticated as they connect to or through a switch, and can be authorized to perform certain actions on a switch. User access can be recorded as switch accounting information. The physical switch port access also can be controlled based on the user's MAC address or authentication. In addition, Catalyst switches can detect and prevent certain types of attacks. Several features can be used to validate information passing through a switch so that spoofed addresses can't be used to compromise hosts.

6.1.1 Port Security

In some environments, a network must be secured by controlling what stations can gain access to the network itself. Where user workstations are stationary, their MAC addresses always can be expected to connect to the same access-layer switch ports. If stations are mobile, their MAC addresses can be learned dynamically or added to a list of addresses to expect on a switch port. The engineer can use port security to restrict that interface so that only the expected devices can use it. This reduces exposure to some types of attacks in which the attacker connects a laptop to the wall socket that connects to a switch port that has been configured to use port security. Note that a MAC address is not a credential: an attacker who learns the expected address can set it on their own interface, so port security raises the bar against casual connections and MAC-flooding attacks but does not replace 802.1X authentication.

Port security has the following restrictions:
- Port security and 802.1X port-based authentication cannot both be configured on the same port.
- Port security does not support Switch Port Analyzer (SPAN) destination ports.
- Port security does not support EtherChannel port-channel interfaces.
- Port security supports (non-negotiating) trunks.
- Port security supports IEEE 802.1Q tunnel ports.
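The behaviour this section describes, a bounded set of expected addresses per port, learned dynamically or configured statically, plus a configurable reaction to an unexpected address, is what the switchport port-security commands on the following pages set up (maximum, mac-address, mac-address sticky and the shutdown, restrict and protect violation actions). The Python below is an added model written for this page; it is not IOS code or course material. The MAC addresses reuse the Figure 19 example that follows and the frame sequences are constructed.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set


@dataclass
class PortSecurity:
    """Model of Catalyst port security on one access port (an added illustration, not IOS code).
    Field names follow the configuration keywords: maximum, violation, sticky."""
    maximum: int = 1                      # switchport port-security maximum N (default 1)
    violation: str = "shutdown"           # switchport port-security violation {shutdown|restrict|protect}
    sticky: bool = False                  # switchport port-security mac-address sticky
    secure_macs: Set[str] = field(default_factory=set)
    running_config: List[str] = field(default_factory=list)   # where sticky addresses get written
    errdisabled: bool = False
    violation_count: int = 0
    last_source: Optional[str] = None
    alerts: List[str] = field(default_factory=list)            # stands in for syslog / SNMP trap

    def add_static(self, mac: str) -> None:
        """switchport port-security mac-address <mac>"""
        if len(self.secure_macs) >= self.maximum:
            raise ValueError("more static addresses than the configured maximum")
        self.secure_macs.add(mac.lower())

    def receive(self, src_mac: str) -> bool:
        """Process one ingress frame; return True if it is forwarded, False if dropped."""
        src = src_mac.lower()
        if self.errdisabled:
            return False                                       # port is down: everything is dropped
        self.last_source = src
        if src in self.secure_macs:
            return True
        if len(self.secure_macs) < self.maximum:               # room left: learn the address
            self.secure_macs.add(src)
            if self.sticky:
                self.running_config.append(f"switchport port-security mac-address sticky {src}")
            return True
        # An unknown address once the maximum is reached is a violation.
        if self.violation == "protect":
            return False                                       # silent drop, nothing recorded
        self.violation_count += 1
        self.alerts.append(f"violation: unexpected source {src}")  # constructed message text
        if self.violation == "shutdown":
            self.errdisabled = True                            # err-disabled until shut/no shut or errdisable recovery
        return False


def compare_modes(frames):
    """Run the same frame sequence through a port in each violation mode."""
    out = {}
    for mode in ("shutdown", "restrict", "protect"):
        port = PortSecurity(maximum=1, violation=mode)
        out[mode] = {"forwarded": [port.receive(m) for m in frames],
                     "violations": port.violation_count, "errdisabled": port.errdisabled}
    return out


def fa0_2_scenario():
    """Fa0/2 from the example below: maximum 1, sticky learning, shutdown on violation.
    Server 2 is learned; a frame carrying Server 1's address then takes the port down."""
    port = PortSecurity(maximum=1, violation="shutdown", sticky=True)
    port.receive("0200.2222.2222")
    port.receive("0200.1111.1111")
    return port


if __name__ == "__main__":
    # Constructed frame sequence: the expected host, an intruder, the expected host again.
    frames = ["0200.2222.2222", "0200.1111.1111", "0200.2222.2222"]
    for mode, result in compare_modes(frames).items():
        print(f"{mode:9s} {result}")
    p = fa0_2_scenario()
    print("Fa0/2 status:", "Secure-shutdown" if p.errdisabled else "Secure-up", p.running_config)
```

The comparison makes the operational trade-off visible: shutdown is the only mode in which the legitimate host is also cut off after a violation, restrict keeps the legitimate host working and leaves an audit trail, and protect keeps the host working but records nothing, which is why protect is the hardest mode to monitor.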

Catalyst switches offer the port security feature to control port access based on MAC addresses. To configure port security on an access-layer switch port, begin by enabling it with the following interface-configuration command (the port must already be a static access or trunk port; the command is rejected on a port left in the default dynamic mode):

Switch(config)# interface fa0/5
Switch(config-if)# switchport port-security

Next, you must identify a set of allowed MAC addresses so that the port can grant them access. You can explicitly configure addresses or they can be learned dynamically from port traffic. By default, Port Security will allow only one MAC on an interface. The maximum number of allowed MACs can be adjusted, up to 1024:

Switch(config-if)# switchport port-security maximum 2

To statically specify the allowed MAC address(es) on a port:

Switch(config-if)# switchport port-security mac-address 0006.5b02.332C
Switch(config-if)# switchport port-security mac-address 0001.1111.5555

Only hosts configured with the above two MAC addresses will be able to send traffic through this port. If the number of static addresses configured is less than the maximum number of addresses secured on a port, the remaining addresses are learned dynamically. With sticky learning enabled, the dynamically learned addresses (Sticky Addresses) are written into the running configuration as if they had been typed in, so they survive a link flap and, once the configuration is saved, a reload:

Switch(config-if)# switchport port-security mac-address sticky

Dynamically learned addresses can be aged out after a period (measured in minutes). By default, no aging occurs, and the default aging type is absolute; to age addresses out on inactivity instead, also set switchport port-security aging type inactivity.

Switch(config-if)# switchport port-security aging time 10

Port Security can instruct the switch on how to react if an unauthorized MAC address attempts to forward traffic through an interface (this is considered a violation). A violation is also counted when an address secured on one port shows up on another secured port in the same VLAN. There are three violation actions a switch can take:

- shutdown: Puts the interface into the error-disabled state immediately and sends an SNMP trap notification. This is the default.

- restrict: Drops packets with unknown source addresses until you remove a sufficient number of secure MAC addresses to drop below the maximum value, and causes the SecurityViolation counter to increment (a syslog message and SNMP trap are generated as well).
- protect: Drops packets with unknown source addresses until you remove a sufficient number of secure MAC addresses to drop below the maximum value. No notification is sent and the counter is not incremented, so a violation in protect mode is invisible unless you look at the port's dropped traffic.

Switch(config-if)# switchport port-security violation {shutdown | restrict | protect}

As an example of the protect mode, a switch interface has received the following configuration commands:

Switch(config)#int f 0/1
Switch(config-if)#switchport mode access
Switch(config-if)#switchport port-security
Switch(config-if)#switchport port-security violation protect

Figure 19 – Port Security Configuration Example (Server 1 with MAC 0200.1111.1111 on Fa0/1, Server 2 with MAC 0200.2222.2222 on Fa0/2, User1 on Fa0/3)

Show the status.

Switch# show running-config
interface FastEthernet 0/1
 switchport mode access
 switchport port-security
 switchport port-security mac-address 0200.1111.1111
interface FastEthernet 0/2
 switchport mode access
 switchport port-security

 switchport port-security maximum 1
 switchport port-security mac-address sticky

To show the port status with the show port-security interface command.

Switch#show port-security interface fa0/2
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 1
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 1
Last Source Address        : 0200.2222.2222
Security Violation Count   : 0

To display a summary of the port-security status with the show port-security command.

Switch#sh port-security
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                (Count)       (Count)          (Count)
---------------------------------------------------------------------------
      Fa0/1             1            1                  1          Up
      Fa0/2             1            1                  1          Up

To display port security status after a violation. Here the port has gone to Secure-shutdown (error-disabled) because a frame sourced from 0200.1111.1111, Server 1's address, arrived on fa0/2, whose only secure address is the sticky 0200.2222.2222.

Switch#show port-security interface fa0/2
Port Security              : Enabled
Port Status                : Secure-shutdown
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 1

Configured MAC Addresses   : 0
Sticky MAC Addresses       : 1
Last Source Address        : 0200.1111.1111
Security Violation Count   : 0

An error-disabled port stays down until an administrator issues shutdown followed by no shutdown on it, or until errdisable recovery cause psecure-violation is configured globally so that the switch re-enables it after the recovery interval.

6.1.2 DHCP Snooping

When DHCP servers are allocating IP addresses to the clients on the LAN, DHCP snooping can be configured on LAN switches to harden the security on the LAN so that only clients with specific IP/MAC addresses have access to the network. With DHCP snooping, only a whitelist of IP addresses may access the network. The whitelist is built at the switch port level from the leases the DHCP server hands out, so the DHCP server effectively manages the access control. DHCP snooping is a series of Layer 2 techniques. It works with information from a DHCP server to:
- Track the physical location of hosts.
- Ensure that hosts only use the IP addresses assigned to them.
- Ensure that only authorized DHCP servers are accessible.

DHCP snooping also stops attackers from adding their own DHCP servers to the network: server messages (DHCPOFFER, DHCPACK, DHCPNAK) received on untrusted ports are dropped. Only specific IP addresses with specific MAC addresses on specific ports may access the IP network. So DHCP snooping ensures IP integrity on a Layer 2 switched domain. Strictly speaking, DHCP snooping by itself only filters DHCP messages and records the binding table (IP address, MAC address, VLAN, port and lease time); enforcing that a host uses only its assigned address is done by IP Source Guard (ip verify source), and Dynamic ARP Inspection validates ARP against the same table.

Enable DHCP snooping globally. Until trusted ports are defined, DHCP server replies arriving on any port are dropped:

Switch(config)# ip dhcp snooping

Specify the VLANs on which to enable DHCP snooping (here VLANs 1 through 100):

Switch(config)#ip dhcp snooping vlan 1 100

Mark the interfaces that lead to the legitimate DHCP server (here the two uplinks) as trusted, so that server messages are accepted on them:

Switch(config)#int range g 0/1 - 2
Switch(config-if-range)#ip dhcp snooping trust

Show the status:

Switch#show ip dhcp snooping
Switch DHCP snooping is enabled
DHCP snooping is configured on following VLANs:

0 255. You can see the address bindings S-AN-A-1.201 192.168.1.1.ucss@gmail.2 DHCP 6. ------.254 Router1(config)#ip dhcp pool LAN-POOL-1 Router1(dhcp-config)#network 192.3 Router1(dhcp-config)#netbios-name-server 192.0 Router1(dhcp-config)#default-router 192.1.1 172. ---------------- GigabitEthernet0/1 yes unlimited GigabitEthernet0/2 yes unlimited 6.1 192.2.168.1.1.25.168. This copy of textbook is granted only for: Chan Myae (shweyoe.1. the router will allocate IP addresses by binding them to device MAC addresses in the configured pool.1.2 Router1(dhcp-config)#netbios-node-type h-node Router1(dhcp-config)#lease 2 12 30 Router1(dhcp-config)#exit The lease command takes up to three options: lease days hours minutes with hours and minutes being optional. Router1#conf t Router1(config)#ip dhcp excluded-address 192.168.site Router1(dhcp-config)#dns-server 172. Union of Myanmar 149/200 .1 DHCP Server To a router to be a DHCP server and allocate dynamic IP addresses to client workstation.1.168.255.1 Router1(dhcp-config)#domain-name domain1.168.168.255.04 Network Technologies – ICTTI. When DHCP is enabled.com) Cisco Routing & Switching 7/9/2012 Network Security <Day 8-9> DHCP none Insertion of option 82 is enabled circuit-id format: vlan-mod-port remote-id format: MAC Option 82 on untrusted port is not allowed Verification of hwaddr field is enabled Interface Trusted Rate limit (pps) -----------------------. Following set of configuration commands allow the router to dynamically allocate IP addresses to client workstations.25.1.99 Router1(config)#ip dhcp excluded-address 192.

However. Union of Myanmar 150/200 . DHCP server can provide IP addresses only when a DHCP request broadcast is received. 168. VLAN1 : 192.1.1 255.3 S-AN-A-1.2.255.0. 168.0.3.10.255.com) Cisco Routing & Switching 7/9/2012 Network Security <Day 8-9> DHCP Router1#show ip dhcp binding 6.0.255.168. and this is normally limited within the same network. the DHCP Request broadcast is forwarded into the DHCP server and it can reply the valid IP address to the client at the different network.168.0. interface FastEthernet0/0.1 encapsulation dot1Q 1 native ip address 192. This copy of textbook is granted only for: Chan Myae (shweyoe.0/24 IP DHCP Client Figure 20 – DHCP Relay Agent The sub-interfaces f0/0.04 Network Technologies – ICTTI.255.0 ip helper-address 192.1 255. By the DHCP Relay Agent configuration. deploying a DHCP server at each subnet is not cost efficient.0/24 DHCP Server DHCP Request IP IP DHCP Client VLAN2 : 192.0/24 DHCP Request DHCP DHCP Request Relay Agent IP DHCP Client DHCP Request VLAN3 : 192.2 DHCP Relay Agent Normally.0 ! interface FastEthernet0/0. 168.168.3 are configured as a DHCP Relay Agent.168.2. and DHCP Discover request is forwarded to the DHCP server of 192.2 and f0/0.2 encapsulation dot1Q 2 ip address 192.ucss@gmail.

!
interface FastEthernet0/0.3
 encapsulation dot1Q 3
 ip address 192.168.3.1 255.255.255.0
 ip helper-address 192.168.10.3
!

Note that ip helper-address relays not only DHCP but every UDP broadcast in the router's default forward-protocol list (TFTP, DNS, time, NetBIOS name and datagram services, TACACS); if only DHCP is wanted, remove the others with no ip forward-protocol udp <port>.

In the case of a Linux DHCP server (ISC dhcpd), /etc/dhcpd.conf (or /etc/dhcp/dhcpd.conf on newer distributions) would include the following subnet lease ranges. The server selects the subnet declaration whose network contains the relay's giaddr, so one declaration per relayed VLAN is needed, plus a (possibly empty) declaration for the server's own 192.168.10.0/24 network, without which dhcpd refuses to start.

subnet 192.168.1.0 netmask 255.255.255.0 {
  range 192.168.1.100 192.168.1.250;
  option routers 192.168.1.1;
}
subnet 192.168.2.0 netmask 255.255.255.0 {
  range 192.168.2.100 192.168.2.250;
  option routers 192.168.2.1;
}
subnet 192.168.3.0 netmask 255.255.255.0 {
  range 192.168.3.100 192.168.3.250;
  option routers 192.168.3.1;
}

The same concept can be used with any DHCP server product (i.e. Cisco Router and MS Windows Server).

6.3 Access Control List (ACL)

Access Control List (ACL) gives network managers a huge amount of control over traffic flow throughout the network. With access lists, managers can gather basic statistics on packet flow and security policies can be implemented. Sensitive devices can also be protected from unauthorized access, for example by permitting or denying Telnet (VTY) access to or from a router. Access lists can be used to permit or deny packets moving through the router. There are two types of access lists used:

- Standard access lists: These use only the source IP address in an IP packet to filter the network. This basically permits or denies an entire suite of protocols.

- Extended access lists: These check for source and destination IP address, the protocol field in the Network layer header, and the port number in the Transport layer header.

Once you create an access list, you apply it to an interface with either an inbound or outbound list:

- Inbound access list: Packets are processed through the access list before being routed to the outbound interface.
- Outbound access list: Packets are routed to the outbound interface and then processed through the access list.

Every access list ends with an implicit deny any, so a list that contains only deny statements blocks all traffic; end with an explicit permit (or an explicit deny ... log, so that the drops are visible) as the examples below do.

6.3.1 IP Standard Access-Lists

This example will have you block access to network 172.16.40.0, where PC0 sits, from host 172.16.50.3 (PC1). Connect to the Router0 and create an access-list.

Router0#conf t
Router0(config)#access-list 10 deny host 172.16.50.3
Router0(config)#access-list 10 permit any

Add the access-list 10 to the serial 1/0 interface of Router0 to filter any incoming packets.

Router0(config)#interface serial 1/0
Router0(config-if)#ip access-group 10 in

This applies the access-list 10 to the serial 1/0 interface of Router0 and filters any incoming packets. Type show running-config to see both the access-list and to verify the interface where the access-list is applied.

Router0#show running-config

And then test it. Router0 can't ping PC1: its echo requests leave, but the replies sourced from 172.16.50.3 are dropped when they arrive on serial 1/0.

PC1 also can't ping PC0 or Router0. PC1 can still ping Router1, because that traffic never reaches Router0's filtered interface.

Table 12 – Access List Number Range

Access List Number Range   Description
1-99                       IP standard access list
100-199                    IP extended access list
200-299                    Protocol type-code access list
600-699                    AppleTalk access list
700-799                    48-bit MAC address access list
800-899                    IPX standard access list
900-999                    IPX extended access list
1000-1099                  IPX SAP access list
1100-1199                  Extended 48-bit MAC address access list
1200-1299                  IPX summary address access list
1300-1999                  IP standard access list (expanded range)
2000-2699                  IP extended access list (expanded range)

6.3.2 Applying an Access-List to a VTY Line

You can use a standard IP access list to control access by placing the access list on the VTY lines.

Router0(config)#access-list 20 deny host 172.16.50.3
Router0(config)#access-list 20 permit any

Apply the access-list directly to the VTY lines and not to an interface. Apply it to every VTY line the platform has (many routers have vty 0 4 only, but switches and newer routers have vty 0 15); lines left without an access-class remain open to everyone.

Router0(config)#line vty 0 4
Router0(config-line)#access-class 20 in

6.3.3 IP Extended Access-Lists

This will create a new access-list that is more precise on the Router0. First remove the standard access-lists on the Router0. Note that no access-list removes every entry of a numbered list at once and, while an interface still references the now-empty list, all traffic is permitted; when you are editing a filter rather than removing it, build the replacement under a new number (or as a named ACL) and then swap the access-group.

Router0#conf t
Router0(config)#no access-list 10
Router0(config)#no access-list 20
Router0(config)#interface serial 1/0
Router0(config-if)#no ip access-group 10 in
Router0(config)#line vty 0 4

Router0(config-line)#no access-class 20 in

Remove the access-list on the serial 1/0 interface (if it was not already removed above).

Router0(config)#interface serial 1/0
Router0(config-if)#no ip access-group 10 in

Create an access-list on the Router0 to block Telnet access from host 172.16.50.3 into the 172.16.40.0 network, but still allow ping.

Router0(config)#access-list 110 deny tcp host 172.16.50.3 172.16.40.0 0.0.0.255 eq telnet
Router0(config)#access-list 110 permit ip any any

Apply this access-list to the serial interface 1/0 of the Router0 to filter the packets coming into the router.

Router0(config)#interface serial 1/0
Router0(config-if)#ip access-group 110 in

Verify the configuration by show running-config.

Router0#show running-config

This is a sample ACL as it might appear in a running configuration, written to protect the servers in 202.0.0.0/28:

!
interface FastEthernet0/0
 ip address 202.0.0.14 255.255.255.240
 ip access-group 100 in
 ip access-group 101 out
 no ip redirects
 no ip proxy-arp
 ip accounting access-violations
 no cdp enable
!
access-list 100 permit icmp any 202.0.0.0 0.0.0.15
access-list 100 permit tcp any 202.0.0.0 0.0.0.15 established
access-list 100 permit tcp any 202.0.0.0 0.0.0.15 gt 1023
access-list 100 permit udp any 202.0.0.0 0.0.0.15 gt 1023
access-list 100 permit udp any 202.0.0.1 0.0.0.0 eq domain

access-list 100 permit udp any 202.0.0.2 0.0.0.0 eq domain
access-list 100 permit tcp any 202.0.0.1 0.0.0.0 eq domain
access-list 100 permit tcp any 202.0.0.2 0.0.0.0 eq domain
access-list 100 permit tcp any 202.0.0.1 0.0.0.0 eq smtp
access-list 100 permit tcp any 202.0.0.1 0.0.0.0 eq pop3
access-list 100 permit tcp any 202.0.0.1 0.0.0.0 eq www
access-list 100 deny tcp any 202.0.0.0 0.0.0.15 eq 2049 log
access-list 100 deny udp any 202.0.0.0 0.0.0.15 eq 2049 log
access-list 100 deny tcp any 202.0.0.0 0.0.0.15 eq 6000 log
access-list 100 deny ip any any log
access-list 101 permit ip 202.0.0.0 0.0.0.15 any
access-list 101 deny ip any any log
no cdp run
snmp-server community public RO
line vty 0 4
 access-class 101 in
 exec-timeout 0 0
 password 7 12345678901234567890
 transport input telnet
 transport output none
!

Some points to notice in this sample, because they are common in real configurations. An ACL is evaluated top down and the first matching line wins, so the deny lines for NFS (port 2049) and X11 (port 6000) never match: a packet to TCP port 2049 has already been permitted by the earlier permit tcp ... gt 1023 line. Those deny lines must be placed above the gt 1023 permits to have any effect, and the gt 1023 permits themselves open every high port (RDP, database listeners, X11) to the whole /28. The established keyword only checks that the ACK or RST flag is set; a stateless router cannot verify that a session exists, so spoofed ACK segments pass. The SNMP community public with no access list lets anyone who can reach the router read its configuration via SNMP, password 7 is a reversible encoding rather than a hash, exec-timeout 0 0 disables the idle timeout, and transport input telnet sends the password in clear text; prefer SSH (transport input ssh) together with an access-class.

6.3.4 Standard ACL

This is an example of Standard ACL.

Figure – network for the ACL examples: PC1 (192.168.0.10) and PC2 (192.168.0.11) are on 192.168.0.0/24 behind R0's F0/0 (192.168.0.1); R0's F0/1 (192.168.1.1) connects over 192.168.1.0/24 to R1's F0/0 (192.168.1.10).

ucss@gmail.0 0.0 192. Union of Myanmar 156/200 .0.255.0 0.255.168.0. This copy of textbook is granted only for: Chan Myae (shweyoe.1.255.10 access-list 1 permit any R1 hostname r1 … interface FastEthernet0/0 ip address 192.10 255.255.1 PC1 hostname pc1 … interface FastEthernet0/0 ip address 192.com) Cisco Routing & Switching 7/9/2012 Network Security <Day 8-9> Access Control List (ACL) Configuration of a Standard ACL on R0  R0 denies PC1 to access R1  R0 permits any host to access R1 This is a sample configuration on R0 hostname r0 … interface FastEthernet0/0 ip address 192.0 … ! interface FastEthernet0/1 ip address 192.168.168.0.0.04 Network Technologies – ICTTI.1.0.1 255.168.0.168.0.1.255.0 … ! ip route 0.0 … ! ip route 0.0.1 S-AN-A-1.168.255.0 192.0.0.0.255.10 255.168.0.255.1 255.0 ip access-group 1 out … ! access-list 1 deny 192.

PC2

hostname pc2
…
interface FastEthernet0/0
 ip address 192.168.0.11 255.255.255.0
 …
!
ip route 0.0.0.0 0.0.0.0 192.168.0.1

6.3.5 Extended ACL

This is an example of "Extended ACL" using the same network as the standard ACL example.

Configure an Extended ACL on R0:
- R0 denies PC1 to telnet to R1
- R0 permits any host to telnet R1

This is a sample configuration on R0. The list is applied inbound on F0/0, the interface facing the PCs, so the unwanted packets are dropped as soon as they enter the router rather than after a routing lookup:

hostname r0
…
!
interface FastEthernet0/0
 ip address 192.168.0.1 255.255.255.0
 ip access-group 100 in
 …

!
interface FastEthernet0/1
 ip address 192.168.1.1 255.255.255.0
 …
!
…
access-list 100 deny tcp host 192.168.0.10 host 192.168.1.10 eq telnet
access-list 100 permit ip any any

R1 requires VTY configuration in order to accept telnet. (Note that password 7 is the reversible encoding applied by service password-encryption, not a hash, and exec-timeout 0 0 disables the idle timeout; both are lab conveniences.)

service password-encryption
!
hostname r1
!
enable secret 5 $1$4hrB$NgcokrRg1/QR9FffAE1Ut.
!
interface FastEthernet0/0
 ip address 192.168.1.10 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 192.168.1.1
!
line vty 0 4
 exec-timeout 0 0
 password 7 0822455D0A16
 login
!

From PC1, the telnet access is denied.

pc1>telnet 192.168.1.10
Trying 192.168.1.10 ...
% Destination unreachable; gateway or host down

From PC2, the telnet access is permitted.

pc2>telnet 192.168.1.10
Trying 192.168.1.10 ... Open

User Access Verification

Password:
r1>

6.3.6 Named ACL

The named ACL feature allows you to identify standard and extended IP ACLs with an alphanumeric string (name) instead of the numeric representations used so far, with ip access-list standard name or ip access-list extended name. Named IP ACLs allow you to delete individual entries in a specific ACL, rather than the whole list as with numbered ACLs. If you are using a software version earlier than Cisco IOS Release 12.3, you can insert statements only at the bottom of the named ACL. If you are using Cisco IOS Release 12.3 or later, you can use sequence numbers to insert statements anywhere in the named ACL.

6.3.7 VTY ACL

This is a practice of "VTY ACL" using the same network as the standard ACL example.

Configure a VTY ACL on R0:
- PC1 is an administrator's PC, so R0 accepts VTY connections only from PC1.
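ACL evaluation on a router is deterministic: top down, first match wins, implicit deny at the end, and the bits set to 1 in a wildcard mask are ignored when comparing addresses. The Python below is an added illustration written for this page; it is not IOS code or course material. It parses the access-list syntax used in this chapter, applies a list to packets, and shows why order matters: in access list 100 of section 6.3.3 the deny lines for NFS port 2049 come after permit tcp any 202.0.0.0 0.0.0.15 gt 1023, so they can never match. The packets used are constructed.

```python
import ipaddress

PORT_NAMES = {"telnet": 23, "smtp": 25, "domain": 53, "www": 80, "pop3": 110}
ANY = (0, 0xFFFFFFFF)          # address 0.0.0.0 with wildcard 255.255.255.255


def _ip(s):
    return int(ipaddress.IPv4Address(s))


def _parse_addr(tokens):
    """Consume one address spec: 'any', 'host A', 'A W' (address plus wildcard) or a bare 'A'."""
    t = tokens.pop(0)
    if t == "any":
        return ANY
    if t == "host":
        return (_ip(tokens.pop(0)), 0)
    wild = _ip(tokens.pop(0)) if tokens and "." in tokens[0] else 0
    return (_ip(t), wild)


def parse_ace(line):
    """Parse one 'access-list N permit|deny ...' line (the subset of IOS syntax used in this chapter)."""
    tok = line.split()
    number, action, rest = int(tok[1]), tok[2], tok[3:]
    ace = {"number": number, "action": action, "proto": "ip", "dst": ANY,
           "port": None, "established": False, "log": False}
    if rest and rest[-1] == "log":
        ace["log"] = True
        rest.pop()
    if number <= 99 or 1300 <= number <= 1999:        # standard list: source address only
        ace["src"] = _parse_addr(rest)
        return ace
    ace["proto"] = rest.pop(0)
    ace["src"] = _parse_addr(rest)
    ace["dst"] = _parse_addr(rest)
    if rest and rest[0] in ("eq", "gt", "lt"):
        op, p = rest.pop(0), rest.pop(0)
        ace["port"] = (op, PORT_NAMES.get(p) or int(p))
    if rest and rest[0] == "established":
        ace["established"] = True
    return ace


def _addr_match(spec, ip):
    addr, wild = spec
    keep = ~wild & 0xFFFFFFFF                          # wildcard 1 bits are "don't care"
    return (_ip(ip) & keep) == (addr & keep)


def _port_match(spec, port):
    op, p = spec
    return {"eq": port == p, "gt": port > p, "lt": port < p}[op]


def evaluate(acl, pkt):
    """Return (action, index of the matching ACE). First match wins; no match is the implicit deny."""
    for i, ace in enumerate(acl):
        if ace["proto"] not in ("ip", pkt["proto"]):
            continue
        if not _addr_match(ace["src"], pkt["src"]) or not _addr_match(ace["dst"], pkt["dst"]):
            continue
        if ace["port"] and not _port_match(ace["port"], pkt.get("dport", 0)):
            continue
        if ace["established"] and not pkt.get("ack", False):
            continue
        return ace["action"], i
    return "deny", None


def shadowed_port_denies(acl):
    """Indices of 'deny ... eq PORT' lines that an earlier line always catches first."""
    hits = []
    for i, ace in enumerate(acl):
        if ace["action"] != "deny" or not ace["port"] or ace["port"][0] != "eq":
            continue
        probe = {"src": str(ipaddress.IPv4Address(ace["src"][0])),
                 "dst": str(ipaddress.IPv4Address(ace["dst"][0])),
                 "proto": ace["proto"], "dport": ace["port"][1]}
        if evaluate(acl, probe)[1] != i:
            hits.append(i)
    return hits


def denies_first(acl):
    """Re-order so explicit port denies precede everything else (demonstrates the fix, not a policy)."""
    denies = [a for a in acl if a["action"] == "deny" and a["port"]]
    return denies + [a for a in acl if a not in denies]


# Access list 100 from the sample configuration in 6.3.3, trimmed to the lines that matter here.
SAMPLE_ACL_100 = [parse_ace(l) for l in """
access-list 100 permit icmp any 202.0.0.0 0.0.0.15
access-list 100 permit tcp any 202.0.0.0 0.0.0.15 established
access-list 100 permit tcp any 202.0.0.0 0.0.0.15 gt 1023
access-list 100 permit udp any 202.0.0.0 0.0.0.15 gt 1023
access-list 100 permit udp any 202.0.0.1 0.0.0.0 eq domain
access-list 100 permit tcp any 202.0.0.1 0.0.0.0 eq smtp
access-list 100 deny tcp any 202.0.0.0 0.0.0.15 eq 2049 log
access-list 100 deny udp any 202.0.0.0 0.0.0.15 eq 2049 log
access-list 100 deny ip any any log
""".strip().splitlines()]

if __name__ == "__main__":
    nfs = {"src": "198.51.100.7", "dst": "202.0.0.5", "proto": "tcp", "dport": 2049}  # constructed packet
    print("NFS to a server:", evaluate(SAMPLE_ACL_100, nfs))              # permitted by 'gt 1023' (index 2)
    print("shadowed deny lines:", shadowed_port_denies(SAMPLE_ACL_100))    # both 2049 denies
    print("after reordering:", evaluate(denies_first(SAMPLE_ACL_100), nfs)[0])
```

The same evaluate function covers the standard lists of 6.3.1 and 6.3.2 (access-list 10 and 20 only look at the source address) and the extended list of 6.3.5. The shadowed_port_denies check is a simple version of what commercial ACL analysers do: probe each deny line with a packet built from its own fields and see whether the line itself is the one that answers.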

6.4 NAT

One of the most important drawbacks to IP version 4 (IPv4) is the limited number of unique network addresses: the Internet is running out of address space. Two solutions to this dilemma are Network Address Translation (NAT) and IP version 6 (IPv6). NAT provides a short-term solution to this problem by translating private IPv4 addresses into globally unique, routable IPv4 addresses. IPv6 is the long-term solution, increasing the size of an IP address to 128 bits.

In the Network Address Translation (NAT) configuration below, all of your internal devices use the same external global address as the router's external interface. The overload keyword makes this Port Address Translation (PAT): each inside connection is distinguished by the source port the router assigns on the shared global address. Access list 15 defines which inside source addresses are translated; anything it does not match is routed untranslated.

Router#conf t
Router(config)#access-list 15 permit 192.168.0.0 0.0.0.255
Router(config)#ip nat inside source list 15 interface FastEthernet 0/0 overload
Router(config)#interface FastEthernet 0/0
Router(config-if)#ip address 172.16.0.5 255.255.255.252
Router(config-if)#ip nat outside
Router(config-if)#exit
Router(config)#interface FastEthernet 0/1
Router(config-if)#ip address 192.168.0.1 255.255.255.0
Router(config-if)#ip nat inside

This command shows the NAT translation result:

Router#show ip nat translations

Figure 21 and Table 13 show another sample of NAT router configuration.

Figure 21 – NAT Sample Network: LAN (network address 192.168.0.0, network mask 255.255.255.0, default gateway 192.168.0.1, PCs); router 2800A; DMZ (network address 202.0.0.0/28, network mask 255.255.255.240, default gateway 202.0.0.14; SNMP, NAT and ACL servers)

Table 13 – NAT Sample Network Information

LAN: 192.168.0.0/24
External Network (DMZ): 202.0.0.0/28
Cisco Router: GigabitEthernet0/0: 192.168.0.1; GigabitEthernet0/1: 202.0.0.14
DNS server: 202.0.0.2
NTP server: 202.0.0.2
Domain Name: domain1.site

This is a complete configuration based on the above network.

2800A#show running-config
Building configuration...

Current configuration : 2083 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname 2800A
!
boot-start-marker
boot-end-marker
!
logging buffered 64000 debugging
enable secret 5 $1$XU1n$pltI.IGoFdQLPIRw9Qa0V/
enable password test
!
clock timezone MMT 6 30
no network-clock-participate aim 0
no network-clock-participate aim 1
no aaa new-model
ip subnet-zero
no ip source-route

!
!
ip cef
!
!
ip ips notify SDEE
ip ips po max-events 100
ip domain list domain1.site
ip domain name domain1.site
ip name-server 202.0.0.1
ip name-server 202.0.0.2
no ftp-server write-enable
!
!
interface GigabitEthernet0/0
 description LAN
 ip address 192.168.0.1 255.255.255.0
 ip access-group 100 in
 no ip redirects
 no ip proxy-arp
 ip accounting access-violations
 ip nat inside
 ip virtual-reassembly
 no ip mroute-cache
 duplex auto
 speed auto
 no mop enabled
!
interface GigabitEthernet0/1
 description WAN
 ip address 202.0.0.14 255.255.255.240
 ip access-group 101 out
 no ip redirects
 no ip proxy-arp
 ip accounting access-violations
 ip nat outside

 ip virtual-reassembly
 no ip mroute-cache
 duplex auto
 speed auto
!
ip classless
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/1
no ip http server
no ip http secure-server
ip nat inside source list 1 interface GigabitEthernet0/1 overload
!
!
logging facility local1
logging source-interface GigabitEthernet0/1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 100 permit ip 192.168.0.0 0.0.0.255 any
access-list 100 deny ip any any log
access-list 101 permit ip 202.0.0.0 0.0.0.15 any
access-list 101 deny ip any any log
access-list 102 permit ip 202.0.0.0 0.0.0.15 any
access-list 102 permit ip 192.168.0.0 0.0.0.255 any
access-list 102 deny ip any any log
snmp-server community public RO
snmp-server enable traps tty
no cdp run
!
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
 access-class 102 in
 password secret

 login
 transport input telnet
 transport output none
!
scheduler allocate 20000 1000
ntp server 202.0.0.2
!
end

Note the order of operations that makes this configuration work: for inside-to-outside traffic IOS applies the inbound ACL (100 on GigabitEthernet0/0), then translates the source address, and only then applies the outbound ACL (101 on GigabitEthernet0/1). That is why ACL 101 permits 202.0.0.0/28 sources rather than 192.168.0.0/24. Several values are lab defaults rather than production settings: the SNMP community "public", the plaintext VTY and enable passwords with no service password-encryption, and Telnet rather than SSH on the VTY lines.

6.4.1 Types of NAT

NAT operates on a Cisco router and is designed for IPv4 address simplification and conservation. NAT enables private IPv4 internetworks that use nonregistered IPv4 addresses to connect to the Internet. NAT connects two networks and translates the private (inside local) addresses in the internal network into public addresses (inside global) before packets are forwarded to another network. As part of this functionality, you can configure NAT to advertise only one address for the entire network to the outside world. Advertising only one address hides the internal addressing from the world; this is a useful side effect, but it is not a substitute for the access lists above, because anything the translation table maps (including static entries) remains reachable from outside.

NAT has many forms and can work in the following ways:
 Static NAT: Maps an unregistered IPv4 address to a registered IPv4 address (one to one). Static NAT is particularly useful when a device must be accessible from outside the network.
 Dynamic NAT: Maps an unregistered IPv4 address to a registered IPv4 address taken from a group of registered IPv4 addresses.
 NAT Overload: Maps multiple unregistered IPv4 addresses to a single registered IPv4 address (many to one) by using different ports. Overloading is also known as Port Address Translation (PAT).

6.4.2 NAT Overload or Port Address Translation (PAT)

PAT allows you to translate multiple internal addresses into a single external address, essentially allowing the internal addresses to share one external address. Usually the shared address is the one configured on the router's external interface, as in the configurations above.
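The three NAT forms listed above can be watched working together in a small simulation. The following Python model is an added example; it is not Cisco code and not part of the textbook. It assumes the addresses used by the R0 practices in this chapter (outside interface 192.168.0.69, inside network 192.168.1.0/24), adds a hypothetical web server 192.168.1.100 behind a static port-forward entry, and simplifies the port allocation that IOS performs when two inside hosts use the same source port.

```python
"""Added example (not Cisco code): a model of NAT overload (PAT) with a static
port-forward entry, in the style of 'show ip nat translations'.  Addresses follow
the R0 practice in this chapter; the web server 192.168.1.100 is hypothetical."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

Endpoint = Tuple[str, str, int]          # (protocol, address, TCP/UDP port or ICMP id)


@dataclass
class NatOverload:
    inside_global: str                   # address of the 'ip nat outside' interface
    inside_acl: List[str]                # networks permitted by the standard ACL
    static: Dict[Endpoint, Endpoint] = field(default_factory=dict)   # global -> local
    fwd: Dict[Endpoint, Endpoint] = field(default_factory=dict)      # local -> global
    rev: Dict[Endpoint, Endpoint] = field(default_factory=dict)      # global -> local

    def _acl_permits(self, addr: str) -> bool:
        return any(ip_address(addr) in ip_network(net) for net in self.inside_acl)

    def _global_port_in_use(self, proto: str, port: int) -> bool:
        key = (proto, self.inside_global, port)
        return key in self.rev or key in self.static

    def add_static(self, proto: str, local_addr: str, local_port: int, global_port: int) -> None:
        """ip nat inside source static <proto> <local> <lport> <global> <gport> extendable"""
        self.static[(proto, self.inside_global, global_port)] = (proto, local_addr, local_port)

    def outbound(self, proto: str, src: str, sport: int) -> Endpoint:
        """Inside -> outside: return the source endpoint as it leaves the outside interface."""
        local = (proto, src, sport)
        if not self._acl_permits(src):
            return local                                  # not matched by the ACL: untranslated
        for glob, loc in self.static.items():
            if loc == local:
                return glob                               # static entry takes precedence
        if local in self.fwd:
            return self.fwd[local]                        # existing translation is reused
        port = sport                                      # IOS keeps the original port when free
        while self._global_port_in_use(proto, port):
            port = port + 1 if port >= 1024 else 1024     # simplification of the IOS port ranges
        glob = (proto, self.inside_global, port)
        self.fwd[local], self.rev[glob] = glob, local
        return glob

    def inbound(self, proto: str, dst: str, dport: int) -> Optional[Endpoint]:
        """Outside -> inside: the inside local endpoint, or None (no entry, packet dropped)."""
        key = (proto, dst, dport)
        return self.static.get(key) or self.rev.get(key)

    def show_translations(self) -> List[Tuple[str, str, str]]:
        """Rows (protocol, inside global, inside local), static entries first."""
        entries = list(self.static.items()) + list(self.rev.items())
        return [(p, f"{g}:{gp}", f"{loc[1]}:{loc[2]}") for (p, g, gp), loc in entries]


def r0_with_port_forward() -> NatOverload:
    """R0 of this chapter's practice plus a hypothetical web server behind a static entry."""
    r0 = NatOverload(inside_global="192.168.0.69", inside_acl=["192.168.1.0/24"])
    r0.add_static("tcp", "192.168.1.100", 80, 80)   # reachable from outside before any inside traffic
    return r0


if __name__ == "__main__":
    r0 = r0_with_port_forward()
    r0.outbound("icmp", "192.168.1.100", 10)   # first host keeps id 10
    r0.outbound("icmp", "192.168.1.101", 10)   # same id already in use: a new global port is chosen
    for row in r0.show_translations():
        print(*row)
```

The two points worth noticing are that a second inside host using the same source port gets a different inside global port (the port is the only thing that distinguishes them on the outside), and that inbound() answers for the static entry before any inside host has sent anything, which is exactly why a port-forwarded server needs its own access list.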

This is a practice of making a NAT router. R0's f0/0 is connected to the cloud C0 and is therefore bridged, so f0/0 has an IP address of the existing LAN. The cloud is connected to the existing LAN (192.168.0.0/24). PC1 is in a different network, 192.168.1.0/24.

Figure 22 – Port Address Translation: PC1 – F0/1 – R0 – F0/0 – existing LAN.

This is the R0 router NAT configuration.

R0#show running-config
…
hostname r0
…
clock timezone MMT 6 30
…
ip domain list domain1.site
ip domain name domain1.site
ip name-server 192.168.0.3
…
interface FastEthernet0/0
 ip address 192.168.0.69 255.255.255.0
 ip nat outside
…
!
interface FastEthernet0/1
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
…
!
ip nat inside source list 15 interface FastEthernet0/0 overload
…
ip route 0.0.0.0 0.0.0.0 192.168.0.3
…
access-list 15 permit 192.168.1.0 0.0.0.255

PC1 is able to ping the outside host.

pc1#ping 192.168.0.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.0.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 92/250/877 ms

This shows the result of the translations on R0.

R0#show ip nat translations
Pro  Inside global       Inside local        Outside local       Outside global
icmp 192.168.0.69:10    192.168.1.100:10    192.168.0.3:10      192.168.0.3:10

6.4.3 Verify and Troubleshoot NAT

To verify the NAT operation:
# show ip nat translations

This command shows the total number of active translations, the NAT configuration parameters, how many addresses are in the pool, and how many have been allocated:
# show ip nat statistics

To view NAT translations in real time:
# debug ip nat

To clear all dynamic NAT entries from the translation table:
# clear ip nat translation *

6.4.4 Static NAT: Port Forwarding (Destination NAT)

Port forwarding, or destination NAT, allows an outside PC to reach servers on the internal network. The following figure shows the use of discrete address mapping with static NAT translations.

Figure 23 – Static NAT Address Mapping

ip nat inside source static tcp 192.168.1.100 80 210.0.0.201 80 extendable

The extendable keyword lets several static entries share the same inside global address on different ports. Such an entry is permanent and answers from outside at any time, whether or not the server has sent anything, so restrict it with an inbound ACL on the outside interface to the port you intend to expose.

6.4.5 Dynamic NAT

This is the R0 router with a dynamic NAT configuration.

R0#show running-config
…
hostname R0
…
clock timezone MMT 6 30
…
ip domain list domain1.site
ip domain name domain1.site
ip name-server 192.168.0.3
…
interface FastEthernet0/0
 ip address 192.168.0.69 255.255.255.0
 ip nat outside
…
!
interface FastEthernet0/1
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
…
!
ip nat pool test 192.168.0.100 192.168.0.120 netmask 255.255.255.0
ip nat inside source list 10 pool test
ip route 0.0.0.0 0.0.0.0 192.168.0.3

access-list 10 permit 192.168.1.0 0.0.0.255

PC1 is able to ping the outside host.

pc1#ping 192.168.0.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.0.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 92/250/877 ms

This shows the result of the translations on R0. Without overload the entry is a one-to-one address mapping taken from the pool, so no protocol or port is shown.

R0#show ip nat translations
Pro  Inside global       Inside local        Outside local       Outside global
---  192.168.0.100       192.168.1.100       ---                 ---

6.4.6 ICMP Redirect with NAT

This is a practice of how ICMP redirect works. The firewall is configured with NAT, so this topology may be similar to a real implementation.
 C0 bridges FW to the external network.
 FW is configured as NAT.
 PC1's default route is R1, because there is more traffic to PC2 than to the external network (C0).
 PC1 should be able to communicate with PC2 and the external network (C0).
 PC2 should be able to communicate with PC1 and the external network (C0).

Figure 24 – ICMP Redirect Example: FW (F0/0 .69 on 192.168.0.0/24, F0/1 .1 on 192.168.10.0/24) and R1 (F0/0 .2 on 192.168.10.0/24, F0/1 .1 on 192.168.20.0/24); PC1 is .10 on 192.168.10.0/24 and PC2 is .10 on 192.168.20.0/24.

The configuration is:

FW configuration:

hostname fw
…
!
interface FastEthernet0/0
 ip address 192.168.0.69 255.255.255.0
 ip nat outside
…
!
interface FastEthernet0/1
 ip address 192.168.10.1 255.255.255.0
 ip nat inside
…
!
ip nat inside source list 15 interface FastEthernet0/0 overload
…
ip route 0.0.0.0 0.0.0.0 192.168.0.3
ip route 192.168.20.0 255.255.255.0 192.168.10.2
…
access-list 15 permit 192.168.10.0 0.0.0.255
access-list 15 permit 192.168.20.0 0.0.0.255

There is a static route to the 192.168.20.0/24 network.

R1 configuration:

hostname r1
…
interface FastEthernet0/0
 ip address 192.168.10.2 255.255.255.0
…
!
interface FastEthernet0/1
 ip address 192.168.20.1 255.255.255.0
…
!
…
ip route 0.0.0.0 0.0.0.0 192.168.10.1

PC1 is configured with the following IP address:
ip address: 192.168.10.10
default gateway: 192.168.10.2

PC2 is configured with the following IP address:
ip address: 192.168.20.10
default gateway: 192.168.20.1

This is the routing table at FW.

fw#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 192.168.0.3 to network 0.0.0.0

C    192.168.10.0/24 is directly connected, FastEthernet0/1
S    192.168.20.0/24 [1/0] via 192.168.10.2
C    192.168.0.0/24 is directly connected, FastEthernet0/0
S*   0.0.0.0/0 [1/0] via 192.168.0.3

NAT translation result at FW after pinging from PC1 and PC2 to 192.168.0.3:

fw#show ip nat translations
Pro  Inside global       Inside local        Outside local       Outside global
icmp 192.168.0.69:6     192.168.20.10:6     192.168.0.3:6       192.168.0.3:6
icmp 192.168.0.69:10    192.168.10.10:10    192.168.0.3:10      192.168.0.3:10

PC1's gateway 192.168.10.2 forwards the first packets back out the same interface toward FW and replies with an ICMP redirect telling PC1 to use 192.168.10.1 directly; PC1 then communicates with the external network through FW. Because a redirect lets a device on the same segment re-point a host's route, hardened router configurations (such as the 2800A configuration earlier in this chapter) stop sending them with no ip redirects, and hosts on untrusted segments should ignore them.

PC1 to the external network by traceroute:

pc1>traceroute 192.168.0.3
Type escape sequence to abort.
Tracing the route to 192.168.0.3

  1 192.168.10.2 108 msec 76 msec 52 msec
  2 192.168.10.1 153 msec 117 msec 52 msec
  3 192.168.0.3 112 msec 116 msec 128 msec

PC2 to the external network by traceroute:

pc2#traceroute 192.168.0.3
Type escape sequence to abort.
Tracing the route to 192.168.0.3

  1 192.168.20.1 64 msec 56 msec 76 msec
  2 192.168.10.1 76 msec 108 msec 76 msec
  3 192.168.0.3 100 msec 100 msec 84 msec

6.4.7 NAT and VLAN

Continuing the previous configuration, connect R0 to the external LAN with a NAT configuration.
 R0 and C0 (external LAN) are bridged.
 R0 and S0 are connected by 802.1Q (dot1Q) trunking.
 R0 is configured as NAT.
 PC1 and PC2 are in different VLANs and are connected by R0.

Figure 25 – VLAN with NAT: PC1 and PC2 – S0 – F0/0 (trunk) – R0 (NAT configuration) – F0/1 – bridge connection to the external LAN.

The R0 configuration will be:

hostname r0
!
interface FastEthernet0/0
 no ip address

!
interface FastEthernet0/0.1
 encapsulation dot1Q 2
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
interface FastEthernet0/0.2
 encapsulation dot1Q 3
 ip address 192.168.2.1 255.255.255.0
 ip nat inside
…
!
interface FastEthernet0/1
 ip address 192.168.0.60 255.255.255.0
 ip nat outside
…
!
ip nat inside source list 15 interface FastEthernet0/1 overload
…
ip route 0.0.0.0 0.0.0.0 192.168.0.1
!
access-list 15 permit 192.168.1.0 0.0.0.255
access-list 15 permit 192.168.2.0 0.0.0.255

6.5 Security

6.5.1 Anti-Spoofing

IP address spoofing is a technique of changing the source IP address in a packet so that it appears to come from someone else. Figure 26 shows an attacker in the WAN crafting packets that carry the source IP address of an administrator's PC located in the LAN.

Figure 26 – Anti Spoofing by ACL: LAN 192.168.0.0/24 (router F0/0 at .1, administrator PC at .254) and WAN 192.168.1.0/24 (router F0/1 at .1); the attacker on the WAN side spoofs the source IP address 192.168.0.254.

To protect against spoofed access, the following ACLs need to be configured, one on each interface, so that each interface accepts only the source addresses that belong to the network behind it:

interface FastEthernet0/0
 ip address 192.168.0.1 255.255.255.0
 ip access-group 100 in
!
interface FastEthernet0/1
 ip address 192.168.1.1 255.255.255.0
 ip access-group 101 in
!
access-list 100 permit ip 192.168.0.0 0.0.0.255 any
access-list 100 deny ip any any log
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
access-list 101 deny ip any any log

A packet arriving on FastEthernet0/1 with source 192.168.0.254 fails ACL 101 and is dropped and logged. ACL 101 can be written this way because the whole WAN here is one known network; on an Internet-facing interface, where legitimate sources cannot be enumerated, the ingress filter is written the other way round: deny packets whose source is one of your own internal networks (and the private ranges), then permit the rest.

6.5.2 Disable unused services

Disable unused services for better security.

Small servers:
Router(config)#no service tcp-small-servers
Router(config)#no service udp-small-servers

These options are enabled by default in IOS releases before 11.3 and disabled by default in IOS 12.0 and later.

Finger and source routing:
Router(config)#no ip finger
Router(config)#no ip source-route

Disable CDP at the global level if it is not used:
Router(config)#no cdp run

Disable CDP on an interface:
Router(config-if)#no cdp enable

Disable the HTTP server:
Router(config)#no ip http server
Router(config)#no ip http secure-server
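To check what the anti-spoofing access lists of 6.5.1 actually do to a given packet, the following Python evaluator walks numbered IOS ACLs the way the router does: first match wins, and an ACL with no match ends in the implicit deny. This is an added example, not from the textbook or Cisco. The configuration string is a constructed copy of the 6.5.1 configuration, and ACL 102 is an extra, constructed Internet-facing variant that denies the router's own internal sources (and the 10.0.0.0/8 private range) and then permits everything else.

```python
"""Added example (not from the textbook or Cisco): evaluate numbered IOS ACLs
against sample packets.  CONFIG is a constructed copy of the 6.5.1 configuration
plus ACL 102, a constructed Internet-facing ingress filter."""
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Dict, List, Optional, Tuple

CONFIG = """\
interface FastEthernet0/0
 ip address 192.168.0.1 255.255.255.0
 ip access-group 100 in
!
interface FastEthernet0/1
 ip address 192.168.1.1 255.255.255.0
 ip access-group 101 in
!
access-list 100 permit ip 192.168.0.0 0.0.0.255 any
access-list 100 deny ip any any log
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
access-list 101 deny ip any any log
access-list 102 deny ip 192.168.0.0 0.0.0.255 any log
access-list 102 deny ip 10.0.0.0 0.255.255.255 any log
access-list 102 permit ip any any
"""

ANY = ("0.0.0.0", "255.255.255.255")     # wildcard 255.255.255.255: compare no bits


@dataclass(frozen=True)
class Ace:
    action: str            # permit | deny
    src: str               # address part of the source spec
    src_wild: str          # wildcard mask: 1 bits are "don't care"
    dst: str
    dst_wild: str
    log: bool


def _spec(tokens: List[str]) -> Tuple[Tuple[str, str], List[str]]:
    """Consume one address spec: 'any', 'host A', or 'A WILDCARD'."""
    if tokens[0] == "any":
        return ANY, tokens[1:]
    if tokens[0] == "host":
        return (tokens[1], "0.0.0.0"), tokens[2:]
    return (tokens[0], tokens[1]), tokens[2:]


def parse_config(text: str) -> Tuple[Dict[str, List[Ace]], Dict[str, Tuple[str, str]]]:
    """Return {acl number: [Ace, ...]} and {interface: (acl number, direction)}."""
    acls: Dict[str, List[Ace]] = {}
    bindings: Dict[str, Tuple[str, str]] = {}
    intf: Optional[str] = None
    for raw in text.splitlines():
        t = raw.split()
        if not t:
            continue
        if t[0] == "interface":
            intf = t[1]
        elif t[:2] == ["ip", "access-group"] and intf:
            bindings[intf] = (t[2], t[3])
        elif t[0] == "access-list" and t[2] != "remark":
            rest = t[4:] if t[3] in ("ip", "tcp", "udp", "icmp") else t[3:]   # extended vs standard
            src, rest = _spec(rest)
            dst, rest = _spec(rest) if rest and rest[0] != "log" else (ANY, rest)  # standard: dst any
            acls.setdefault(t[1], []).append(Ace(t[2], src[0], src[1], dst[0], dst[1], "log" in rest))
    return acls, bindings


def wildcard_match(addr: str, base: str, wild: str) -> bool:
    care = ~int(ip_address(wild)) & 0xFFFFFFFF          # bits the entry actually compares
    return int(ip_address(addr)) & care == int(ip_address(base)) & care


def evaluate(acl: List[Ace], src: str, dst: str) -> Tuple[str, Optional[Ace]]:
    """First matching entry wins; no match means the implicit deny at the end."""
    for ace in acl:
        if wildcard_match(src, ace.src, ace.src_wild) and wildcard_match(dst, ace.dst, ace.dst_wild):
            return ace.action, ace
    return "deny", None


def ingress_decision(config: str, intf: str, src: str, dst: str) -> Tuple[str, bool]:
    """(permit|deny, logged) for a packet arriving on intf with the given addresses."""
    acls, bindings = parse_config(config)
    if intf not in bindings:
        return "permit", False                            # no ACL applied: forwarded
    acl_number, _direction = bindings[intf]
    action, ace = evaluate(acls[acl_number], src, dst)
    return action, bool(ace and ace.log)


if __name__ == "__main__":
    # The spoofed packet of Figure 26: source 192.168.0.254 arriving on the WAN side.
    print(ingress_decision(CONFIG, "FastEthernet0/1", "192.168.0.254", "192.168.0.1"))
```

Running it on the Figure 26 packet gives ("deny", True): the spoofed administrator address is rejected on FastEthernet0/1 and logged, while the same source on FastEthernet0/0 is accepted. Evaluating ACL 102 shows the Internet-facing form: the spoofed source is still denied, an arbitrary public source is permitted.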

Hands-on-Lab 10 – Configuring Port Security

Figure: Switch with PC1 on Fa0/1 and PC2 on Fa0/4; PC3 is not connected yet.

Switch Designation: Switch 1
Switch Name: Switch
Enable Secret Password: ictti
Enable, VTY, and Console Passwords: cisco
VLAN 1 IP Address: 192.168.1.2
Subnet Mask: 255.255.255.0
Default Gateway IP Address: 192.168.1.1

Objective
 Create and verify a basic switch configuration.
 Configure port security on individual FastEthernet ports.

Background/Preparation
Cable a network similar to the one in the diagram. The configuration output used in this lab is produced from a 2950 series switch. The following steps are intended to be executed on each switch unless specifically instructed otherwise.

Note: Go to the erase and reload instructions at the end of this lab. Perform those steps on all switches in this lab assignment before continuing.

Step 1 Configure the switch
Configure the hostname, the access and command mode passwords, and the management LAN settings. These values are shown in the chart. If problems occur while performing this configuration, refer to the Basic Switch Configuration lab.

Step 2 Configure the hosts attached to the switch
a. Configure the hosts to use the same IP subnet for the address, mask, and default gateway as on the switch.

b. There is a third host needed for this lab. It needs to be configured with the address 192.168.1.7. The subnet mask is 255.255.255.0 and the default gateway is 192.168.1.1. Note: Do not connect this PC to the switch yet.

Step 3 Verify connectivity
a. To verify that the hosts and switch are correctly configured, ping the switch IP address from the hosts.
b. Were the pings successful? -----------------------------------------------------------------------
c. If the answer is no, troubleshoot the host and switch configurations.

Step 4 Record the host MAC addresses
a. Determine and record the layer 2 addresses of the PC network interface cards. If running Windows 98, check by using Start > Run > winipcfg and click on More info. If running Windows 2000, check by using Start > Run > cmd > ipconfig /all.
b. PC1 --------------------------------------------------------------------------------------------------------
c. PC2 --------------------------------------------------------------------------------------------------------

Step 5 Determine what MAC addresses the switch has learned
a. Determine what MAC addresses the switch has learned by using the show mac-address-table command.
b. How many dynamic addresses are there? -------------------------------------------------
c. How many total MAC addresses are there? -----------------------------------------------
d. Do the MAC addresses match the host MAC addresses? -----------------------------------

Step 6 Determine the show MAC table options
a. Enter the following to determine the options of the MAC address table command:
---------------------------------------------------------------------------------------------------------------
---------------------------------------------------------------------------------------------------------------

Step 7 Set up a static MAC address
Set up a static MAC address, the one recorded for PC1 in Step 4, on FastEthernet interface 0/1 as follows:
---------------------------------------------------------------------------

Step 8 Verify the results
a. Enter the following to verify the MAC address table entries

at the privileged EXEC mode prompt: ----------------------
b. How many total MAC addresses are there now? ------------------------------------
c. How are the address types listed for the two MAC addresses? -----------------

Step 9 List port security options
a. Determine the options for setting port security on interface FastEthernet 0/4.
---------------------------------------------------------------------------------------------------
b. To allow the switchport FastEthernet 0/4 to accept dynamically learned MAC addresses, enter the port security commands as follows:
---------------------------------------------------------------------------------------------------

Step 10 Verify the results
a. Enter the following to verify the mac-address-table entries: ----------------------
b. Record any observations. ---------------------------------------------------------------------

Step 11 Limit the number of hosts per port
a. On interface FastEthernet 0/4, set the port security maximum MAC count to 1 as follows:
---------------------------------------------------------------------------------------------------
b. Disconnect the PC attached to FastEthernet 0/4. Connect to that port the PC that has been given the IP address 192.168.1.7. This PC has not yet been attached to the switch and is now connected to interface FastEthernet 0/4. It may be necessary to ping the switch address 192.168.1.2 to generate some traffic.
c. Record any observations. ---------------------------------------------------------------------

Step 12 Configure the port to shut down if there is a security violation
a. It has been decided that in the event of a security violation the interface should be shut down. Enter the following to make the port security action shutdown:
---------------------------------------------------------------------------------------------------
b. What other action options are available with port security? ----------------------
c. If necessary, ping the switch address 192.168.1.2 from the PC 192.168.1.7. This ensures that there is traffic from the PC to the switch. Record any observations.
------------------------------------------------------------------

Step 13 Show port 0/4 configuration information
a. To see the configuration information for just FastEthernet port 0/4, type show interface fastethernet 0/4.
b. What is the state of this interface? FastEthernet0/4 is -------------------------------, line protocol is ------------------------------

Step 14 Reactivate the port
a. If a security violation occurs and the port is shut down, use the no shutdown command to reactivate it.
b. Try reactivating this port a few times by switching between the original port 0/4 host and the new one. Plug in the original host, type the no shutdown command on the interface and ping using the DOS window. The ping will have to be repeated multiple times, or use the ping 192.168.1.2 -n 200 command, which sets the number of ping packets to 200 instead of 4. Then switch hosts and try again.

Step 15 Exit the switch
Type exit to leave the switch welcome screen. Once the steps are completed, log off by typing exit, and turn all the devices off. Then remove and store the cables and adapter.
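What the lab asks you to observe in Steps 11 to 14 (a second MAC address on a port with maximum 1, the three violation actions, and recovery with no shutdown) can be reproduced with the following Python model of a secured switch port. This is an added example, not Cisco code and not part of the lab; the MAC addresses are constructed, and the syslog messages are abbreviated forms of what the switch prints.

```python
"""Added example (not Cisco code, not part of the lab): a model of switchport
port-security with 'maximum', the three violation modes and sticky learning.
MAC addresses are constructed; log messages are abbreviated."""
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class SecurePort:
    name: str
    maximum: int = 1                   # switchport port-security maximum <n>
    violation: str = "shutdown"        # switchport port-security violation {shutdown|restrict|protect}
    sticky: bool = False               # switchport port-security mac-address sticky
    secure: List[str] = field(default_factory=list)    # learned or configured secure addresses
    err_disabled: bool = False
    violation_count: int = 0
    syslog: List[str] = field(default_factory=list)

    def frame_in(self, src_mac: str) -> str:
        """Return 'forward' or 'drop' for a frame received on the port."""
        src_mac = src_mac.lower()
        if self.err_disabled:
            return "drop"                                   # port is down, nothing passes
        if src_mac in self.secure:
            return "forward"
        if len(self.secure) < self.maximum:
            self.secure.append(src_mac)                     # dynamically learned secure address
            return "forward"
        return self._violate(src_mac)

    def _violate(self, src_mac: str) -> str:
        if self.violation == "shutdown":
            self.violation_count += 1
            self.err_disabled = True                        # err-disabled: all traffic stops
            self.syslog.append(f"%PM-4-ERR_DISABLE: psecure-violation on {self.name} ({src_mac})")
        elif self.violation == "restrict":
            self.violation_count += 1                       # port stays up, offender dropped, logged
            self.syslog.append(f"%PORT_SECURITY-2-PSECURE_VIOLATION: {src_mac} on {self.name}")
        # 'protect' drops silently: no log and no violation counter for the operator
        return "drop"

    def no_shutdown(self) -> None:
        """Operator recovery: 'shutdown' then 'no shutdown' on the interface."""
        self.err_disabled = False
        if not self.sticky:
            self.secure.clear()          # dynamic secure addresses do not survive a link down

    def show(self) -> Dict[str, object]:
        """The fields of 'show port-security interface' that matter here."""
        return {
            "port_status": "Secure-shutdown" if self.err_disabled else "Secure-up",
            "violation_mode": self.violation,
            "maximum": self.maximum,
            "total_addresses": len(self.secure),
            "security_violation_count": self.violation_count,
        }


def lab_sequence(mode: str = "shutdown") -> SecurePort:
    """Steps 11 and 12 of the lab: PC2 on Fa0/4, then the third PC plugged into the same port."""
    pc2, pc3 = "0000.0c11.2222", "0000.0c33.4444"          # constructed MAC addresses
    fa04 = SecurePort("FastEthernet0/4", maximum=1, violation=mode)
    fa04.frame_in(pc2)                                     # first host is learned
    fa04.frame_in(pc3)                                     # second host violates maximum 1
    return fa04


if __name__ == "__main__":
    port = lab_sequence()
    print(port.show())
    port.no_shutdown()                                     # Step 14: whichever host talks first wins
    print(port.frame_in("0000.0c33.4444"), port.show())
```

The model makes the Step 14 observation explicit: after no shutdown the dynamically learned address is gone, so whichever host sends the first frame becomes the secure address and the other one triggers the violation. With sticky learning the address survives the recovery, which is why sticky plus shutdown is the usual choice for access ports that must stay bound to one known device.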

Hands-on-Lab 11 – DHCP

Figure: PC1 – Fa0/0 Router1 Fa0/1 – Fa0/1 Router2 Fa0/0 – PC2; Net 1 192.168.1.0/24, Net 2 192.168.2.0/24, Net 3 192.168.3.0/24.

Configure the above network with the above network addressing. Configure Router1 to provide DHCP to PC1 and Router2 to provide DHCP to PC2. At the end of the lab, PC1 and PC2 should be able to ping each other.

Hands-on-Lab 12 – DHCP, NAT

Figure: R1 (NAT) connects to the ISP and the Internet (www) and to R2 and R3; R2 has VLAN 10 (Marketing, F1/0-7) and VLAN 11 (Sales, F1/8-15) on the switch S0 with PC1, PC2 and PC3; the inside web server SRV sits behind R3. Addresses shown include 192.168.10.0/24, 192.168.11.0/24 and 192.168.20.0/24, the serial links 10.0.0.0/30 and 10.0.0.4/30, a 210.x/30 link toward the ISP, and DHCP ranges .100 – .254.

1. Configure Single-Area OSPF routing
 Configure OSPF (Process ID 1) routing on R1, R2, and R3.
 Verify that all routes were learned.
 On R1, create a default route to the ISP and propagate the route within OSPF updates.
 Test connectivity and examine the configuration.
 Use verification commands such as "show ip route", "show ip ospf database", and "show ip ospf neighbor".

2. Configure NAT (PAT)
 To define the internal addresses that are translated to a public address in the NAT process, create a standard ACL.
 The ISP has assigned one public address to R1. This address is used by all other internal hosts that access the Internet.
 Configure NAT with overload. NAT overload, also called Port Address Translation (PAT), uses port numbers to distinguish packets from different hosts that are assigned the same public IP address.
 Configure the interfaces on R1 to apply NAT. Configure each of the interfaces participating in NAT using the ip nat {inside | outside} command.

3. Configure Static NAT for an inside web server (Destination NAT)
 Configure port forwarding on R1 to provide web access so that the server can be accessed from outside the network.

4. Test connectivity and examine the configuration
 Use OSPF verification commands such as "show ip route", "show ip ospf database", and "show ip ospf neighbor".
 Use NAT verification commands such as "show ip nat translations" and "show ip nat statistics".

5. Configure R2 and make two VLANs
 Connect the PCs to the switch S0, and configure a VLAN on each port.
 Assign IP addresses on each VLAN interface, which will become the default gateway of each VLAN.

6. Configure DHCP
 Configure the PCs as DHCP clients.
 On R3, configure three DHCP pools for the networks 192.168.10.0/24, 192.168.11.0/24, and 192.168.20.0/24.
 On R2, configure the DHCP relay agent so that PC1 and PC2 can acquire IP addresses from R3.

7 WAN <Day 10>

7.1 Introduction to Wide Area Networks

WANs are most often charge-for-service networks, providing the means for users to access resources across a wide geographic area. Some services are considered Layer 2 connections between your remote locations, typically provided by a telephone company (Telco) over its WAN switches. Some of these technologies include a serial point-to-point (leased line) connection and Frame Relay connections.

Major characteristics of WANs:
 They connect devices that are separated by wide geographical areas.
 They use the services of carriers.
 They use serial connections of various types to access bandwidth over large geographic areas.

A variety of WAN technologies exist. Figure 27 illustrates the relationship between the common WAN technologies and the OSI model: most WAN technologies operate at the lowest two layers of the OSI model, the physical and data link layers, although some implement the network layer as well. Higher-layer protocols such as IP are encapsulated when sent across the WAN link.

Figure 27 – Mapping the OSI Model to WAN Protocols

7.2 WAN Connection Types

WANs are generally grouped into three separate connection types:
 Point-to-Point technologies
 Circuit-switched technologies
 Packet-switched technologies

Figure 28 – WAN Connection Types

7.2.1 Point-to-Point Technologies (Leased Lines)

These are usually referred to as a point-to-point or dedicated connection. Point-to-point technologies are leased from a service provider. A leased line is a pre-established WAN communications path that goes from the CPE (customer premises equipment) through the DCE switch, then over to the CPE of the remote site. Generally, point-to-point links require no call setup, and the connection is usually always on. It uses synchronous serial lines up to 45 Mbps and provides guaranteed bandwidth from one location to another. HDLC and PPP encapsulations are frequently used on leased lines.

7.2.2 Circuit switching

When you hear the term circuit switching, think phone call. It requires call setup to occur before information can be transferred; no data can transfer before an end-to-end connection is established. Circuit switching uses dial-up modems or ISDN and is used for low-bandwidth data transfers. Circuit-switched lines are generally low speed compared to point-to-point lines. The big advantage is cost: you only pay for the time you actually use.

7.2.3 Packet switching

This is a WAN switching method that allows you to share bandwidth with other companies to save money. Packet switching will only work for you if your data transfers are the bursty type, not continuous. Frame Relay and X.25 are packet-switching technologies with speeds that can range from 56 Kbps up to T3 (45 Mbps). Because the bandwidth is shared, it is not guaranteed but is instead allocated on a best-effort basis.

7.3 WAN Encapsulation

Each WAN connection uses an encapsulation protocol to encapsulate traffic while it is crossing the WAN link. The choice of encapsulation protocol depends on the WAN technology and the communicating equipment. A WAN is usually terminated on a Cisco device's serial interface. Serial interfaces support a wide variety of WAN encapsulation types, which must be manually specified. To ensure that the correct encapsulation protocol is used, you need to configure the Layer 2 encapsulation type to use. Typical WAN protocols include the following:

 High-Level Data Link Control (HDLC): HDLC is the default encapsulation type on point-to-point, dedicated links. It is a bit-oriented synchronous data link layer protocol. HDLC specifies a data-encapsulation method on synchronous serial links using frame characters and checksums. It is typically used when communicating between two Cisco devices. If communicating with a non-Cisco device, synchronous PPP is a more viable option.
 Point-to-Point Protocol (PPP): PPP provides router-to-router and host-to-network connections over synchronous and asynchronous circuits. PPP was designed to work with several network layer protocols, including IP. PPP also has built-in security mechanisms, such as Password Authentication Protocol (PAP) and Challenge Handshake Authentication Protocol (CHAP).
 Asynchronous Transfer Mode (ATM): ATM is the international standard for cell relay, in which multiple service types (such as voice, video, or data) are conveyed in fixed-length (53-byte) cells. Fixed-length cells allow processing to occur in hardware, thereby reducing transit delays. ATM is designed to take advantage of high-speed transmission media such as E3, Synchronous Optical Network (SONET), and T3.

 Frame Relay: A successor to X.25. This protocol is an industry-standard, switched data link layer protocol that handles multiple virtual circuits (VCs). Frame Relay is streamlined to eliminate some of the time-consuming processes, such as error correction and flow control, that were employed in X.25 to compensate for older, less reliable communication links.
 X.25/Link Access Procedure, Balanced (LAPB)
 Serial Line Internet Protocol (SLIP): SLIP is a standard protocol for point-to-point serial connections using a variation of TCP/IP. SLIP is the predecessor of PPP.

7.4 HDLC Encapsulation

High-Level Data-link Control (HDLC) is a WAN encapsulation protocol used on dedicated point-to-point serial lines. Though HDLC is technically an ISO standard protocol, Cisco's implementation of HDLC is proprietary and will generally not interoperate with other vendors' routers. HDLC is also Cisco's default encapsulation type for serial point-to-point links. HDLC provides no authentication mechanism.

7.5 PPP Encapsulation

Wide-area networking services are typically leased from a service provider. Some WAN services operate as Layer 2 connections between your remote locations and are typically provided by a telephone company (Telco) over its WAN switches. PPP is a common Layer 2 protocol for the WAN. PPP emerged as an encapsulation protocol for transporting IP traffic over point-to-point (leased line) serial connections. This section describes the operation, configuration, and verification of PPP.

Figure 29 – Point-to-Point Protocol Stack

7.5.1 Overview of PPP

PPP is an international standard encapsulation used for the following types of connections (physical interfaces):
 Asynchronous Serial: plain old telephone service (POTS) dialup
 Synchronous Serial: ISDN or point-to-point leased lines

PPP has four components:
 Physical – standard for physical serial communication (such as EIA/TIA-232-C, V.35, ISDN, etc.)
 HDLC – for encapsulating packets into frames over serial lines
 LCP – for establishing, maintaining, and terminating point-to-point links
 NCP – allows multiple Layer-3 protocols (such as IP and IPX) to be encapsulated into frames

Figure 30 – Overview of PPP Components

Because it is standardized, PPP supports vendor interoperability. PPP uses one of its major components, the Link Control Protocol (LCP), to negotiate and set up control options on the WAN data link. PPP uses its Network Control Protocol (NCP) component to encapsulate multiple network layer protocols, as shown in Figure 30. PPP supports several features that standalone HDLC does not:
 Authentication
 Compression
 Multilink
 Callback
 Error Control

7.5.2 PPP Session Establishment

Figure 31 – PPP Session Establishment

Three phases of a PPP session establishment are described in the following list:

(1) Link Establishment Phase. In this phase, each PPP device sends LCP packets to configure and test the data link. The authentication protocol to be used (PAP or CHAP), if any, is negotiated here as an LCP option.
(2) Authentication Phase (optional). PPP supports two authentication protocols: PAP and CHAP. If authentication fails, the link is torn down before any network layer protocol is configured.
(3) Network Layer Protocol Phase. In this phase, the PPP devices send NCP packets to choose and configure one or more network layer protocols, such as IP. After each of the chosen network layer protocols is configured, datagrams from each network layer protocol can be sent over the link.

7.5.3 PPP Authentication Methods

There are two methods of authentication that can be used with PPP links: PAP and CHAP.

PAP is a two-way handshake that provides a simple method for a remote node to establish its identity. After the PPP link establishment phase is complete, the remote node repeatedly sends a username and password pair to the router until authentication is acknowledged or the connection is terminated. Passwords are sent across the link in plain text, so anyone able to observe the line learns the credentials. PAP is not a strong authentication protocol. PAP is performed only upon initial link establishment.

CHAP, which uses a three-way handshake, occurs at the startup of a link and periodically thereafter to verify the identity of the remote node. After the PPP link establishment phase is complete, the local router sends a challenge message to the remote node. The remote node responds with a value that is calculated using a one-way hash function, typically Message Digest Algorithm 5 (MD5), based on the password and the challenge message. The local router checks the response against its own calculation of the expected hash value. If the values match, the authentication is acknowledged. Otherwise, the connection is terminated immediately. Because the password itself never crosses the link and every challenge is different, a captured response cannot simply be replayed. Two caveats remain: both routers must hold the shared secret in recoverable form, and a captured challenge/response pair can be tested offline against a wordlist, so CHAP secrets should be long and random rather than a dictionary word such as the "cisco" used in the examples that follow.

Figure 32 – PAP and CHAP Authentication
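The following Python program is an added example for this section; it is not part of the textbook and not Cisco's implementation. It models both exchanges described above between two routers named R1 and R2 with the made-up secret "cisco": PAP, where the secret itself is the wire payload, and CHAP per RFC 1994, where the response is MD5 over the identifier, the secret and the challenge, each router looking up the other's hostname in its own username table. It also shows why a CHAP response cannot be replayed and what an eavesdropper can still do with one captured exchange.

```python
"""PAP and CHAP exchanges worked through in code.

Added example, not part of the textbook and not Cisco code. CHAP follows RFC 1994
with MD5: Response = MD5(Identifier || secret || Challenge). The hostnames and the
secret "cisco" are made up to match the figures in the text.
"""
from __future__ import annotations

import hashlib
import hmac
import os


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 section 4.1: MD5 over the one-octet Identifier, the secret and the challenge."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


class Router:
    """One PPP peer. `users` plays the role of the IOS `username <peer> password <secret>` table."""

    def __init__(self, hostname: str, users: dict[str, bytes]):
        self.hostname = hostname
        self.users = users
        self._next_id = 1
        self._outstanding: dict[int, bytes] = {}   # Identifier -> challenge awaiting a response

    # ---- PAP: two-way handshake, the secret itself travels over the link ----
    def pap_request(self, peer_hostname: str) -> bytes:
        """Authenticate-Request as it appears on the wire: our name and the plain secret."""
        return self.hostname.encode() + b":" + self.users[peer_hostname]

    def pap_check(self, request: bytes) -> bool:
        name, _, secret = request.partition(b":")
        return hmac.compare_digest(self.users.get(name.decode(), b""), secret)

    # ---- CHAP: three-way handshake, only a random challenge and a hash travel ----
    def chap_challenge(self) -> tuple[int, bytes, str]:
        """Challenge packet: (Identifier, random Value, our Name); the Name tells the peer which username to use."""
        ident = self._next_id
        self._next_id = (self._next_id % 255) + 1
        challenge = os.urandom(16)
        self._outstanding[ident] = challenge
        return ident, challenge, self.hostname

    def chap_respond(self, ident: int, challenge: bytes, challenger: str) -> tuple[int, bytes, str]:
        """Response packet: hash computed with the secret we hold for `challenger`, plus our own Name."""
        secret = self.users.get(challenger)
        if secret is None:                      # missing `username <challenger>` line: cannot answer
            raise KeyError(f"{self.hostname} has no username entry for {challenger}")
        return ident, chap_response(ident, secret, challenge), self.hostname

    def chap_verify(self, ident: int, response: bytes, claimed_name: str) -> bool:
        """Success/Failure decision. The challenge is consumed, so a replayed response fails."""
        challenge = self._outstanding.pop(ident, None)
        secret = self.users.get(claimed_name)
        if challenge is None or secret is None:
            return False
        return hmac.compare_digest(chap_response(ident, secret, challenge), response)


def two_way_chap(a: Router, b: Router) -> tuple[bool, bool]:
    """Both routers challenge each other, as `ppp authentication chap` on both ends produces."""
    results = []
    for challenger, responder in ((a, b), (b, a)):
        ident, challenge, name = challenger.chap_challenge()
        try:
            results.append(challenger.chap_verify(*responder.chap_respond(ident, challenge, name)))
        except KeyError:
            results.append(False)
    return results[0], results[1]


def offline_guess(ident: int, challenge: bytes, response: bytes, wordlist) -> bytes | None:
    """What an eavesdropper can do with one captured CHAP exchange: test candidate secrets offline."""
    for candidate in wordlist:
        if chap_response(ident, candidate, challenge) == response:
            return candidate
    return None


if __name__ == "__main__":
    r1 = Router("R1", {"R2": b"cisco"})
    r2 = Router("R2", {"R1": b"cisco"})
    print("two-way CHAP:", two_way_chap(r1, r2))
    print("PAP request on the wire:", r1.pap_request("R2"))   # secret visible to anyone tapping the line
    ident, chal, name = r1.chap_challenge()
    _, resp, _ = r2.chap_respond(ident, chal, name)
    print("offline guess from captured exchange:", offline_guess(ident, chal, resp, [b"admin", b"cisco"]))
```

Running it prints (True, True) for the two-way CHAP, the PAP request with the secret in the clear, and "cisco" recovered from the captured challenge/response with a two-word list, which is the reason the secret should not be guessable.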

7.5.4 Configuring PPP

7.5.4.1 Configuring PPP on Cisco Routers

Configuring PPP encapsulation on an interface is really pretty straightforward. To configure it from the CLI, follow these simple router commands:

Router#config t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#int s0
Router(config-if)#encapsulation ppp
Router(config-if)#^Z
Router#

Of course, PPP encapsulation has to be enabled on both interfaces connected to a serial line in order to work.

7.5.4.2 Configuring PPP Authentication

After you configure your serial interface to support PPP encapsulation, you can configure authentication using PPP between routers. First, you need to set the hostname of the router, if it's not already set. Then you set the username and password for the remote router that will be connecting to your router. Here's an example:

Router#config t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#hostname RouterA
RouterA(config)#username RouterB password cisco

When using the hostname command, remember that the username is the hostname of the remote router that's connecting to your router, and it's case sensitive too. Also, the password on both routers must be the same. It's a plain-text password that you can see with a show run command. You can hide it in the configuration with the command service password-encryption, but that applies only the reversible type 7 encoding: it stops a password being read over your shoulder, not by anyone who obtains the configuration file. CHAP needs the secret in recoverable form, so the stronger username ... secret form (an MD5 hash) cannot be used for CHAP peers; protect the configuration itself instead. You must have a username and password configured for each remote system you plan to connect to, and the remote routers must also be configured with usernames and passwords. Now, after you've set the hostname, usernames, and passwords, choose the authentication type, either CHAP or PAP:

RouterA#config t
Enter configuration commands, one per line. End with CNTL/Z.
RouterA(config)#int s0
RouterA(config-if)#ppp authentication chap pap
RouterA(config-if)#^Z
RouterA#

The order matters: with chap pap the router offers CHAP first and falls back to PAP only if the peer refuses CHAP. If you never want a plain-text fallback, configure ppp authentication chap alone.

Example: PPP and CHAP Configuration

Figure 33 shows an example of CHAP configuration on two routers. In this example, a two-way challenge occurs. The hostname on one router must match the username that the other router has configured. The passwords must also match.

Figure 33 – Network Topology for PPP and CHAP Configuration (R1 S0/1 connected to S0/1 R2)

R1
hostname R1
username R2 password cisco
!
int serial 0/1
 ip address 10.1.1.1 255.255.255.0
 encapsulation ppp
 clockrate 64000
 ppp authentication chap

R2
hostname R2
username R1 password cisco
!
int serial 0/1
 ip address 10.1.1.2 255.255.255.0
 encapsulation ppp
 ppp authentication chap

7.5.5 Verifying PPP

7.5.5.1 Verifying PPP Encapsulation Configuration

Use the show interface command to verify proper configuration. The following outputs show that PPP encapsulation has been configured and LCP has established a connection, as indicated by "LCP Open" in the command output.

R1
R1#sh int s0/1
Serial0/1 is up, line protocol is up
  Hardware is PowerQUICC Serial
  Internet address is 10.1.1.1/24
  MTU 1500 bytes, BW 1544 Kbit, DLY 20000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation PPP, loopback not set
  LCP Open
  Open: CDPCP, IPCP
  Last input 00:00:00, output 00:00:00, output hang never
  Last clearing of "show interface" counters 00:48:47
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: weighted fair
  Output queue: 0/1000/64/0 (size/max total/threshold/drops)
     Conversations  0/2/256 (active/max active/max total)
     Reserved Conversations 0/0 (allocated/max allocated)
     Available Bandwidth 1158 kilobits/sec
  5 minute input rate 0 bits/sec, 2 packets/sec
  5 minute output rate 4000 bits/sec, 10 packets/sec
     917 packets input, 43816 bytes, 0 no buffer
     Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
     1 input errors, 0 CRC, 1 frame, 0 overrun, 0 ignored, 0 abort
     3052 packets output, 143088 bytes, 0 underruns
     0 output errors, 0 collisions, 15 interface resets
     0 output buffer failures, 0 output buffers swapped out
     30 carrier transitions
     DCD=up  DSR=up  DTR=up  RTS=up  CTS=up

R2
R2#sh int s0/1
Serial0/1 is up, line protocol is up
  Hardware is PowerQUICC Serial
  Internet address is 10.1.1.2/24
  MTU 1500 bytes, BW 1544 Kbit, DLY 20000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation PPP, loopback not set
  Keepalive set (10 sec)
  LCP Open
  Open: IPCP, CDPCP
  Last input 00:00:09, output 00:00:09, output hang never
  Last clearing of "show interface" counters 00:05:37
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: weighted fair
  Output queue: 0/1000/64/0 (size/max total/threshold/drops)
     Conversations  0/1/256 (active/max active/max total)
     Reserved Conversations 0/0 (allocated/max allocated)
     Available Bandwidth 1158 kilobits/sec
  5 minute input rate 0 bits/sec, 1 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     55 packets input, 3177 bytes, 0 no buffer
     Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
     57 packets output, 3252 bytes, 0 underruns
     0 output errors, 0 collisions, 2 interface resets
     0 output buffer failures, 0 output buffers swapped out
     1 carrier transitions
     DCD=up  DSR=up  DTR=up  RTS=up  CTS=up

7.5.6 Verifying PPP Authentication

To display the CHAP authentication process as it occurs between two routers in the network, just use the command debug ppp authentication. If your PPP encapsulation and authentication are set up correctly on both routers, and your usernames and passwords are all good, then the debug ppp authentication command will display output that looks like this:

R1#debug ppp authentication
*Mar  1 05:51:54.703: %LINK-3-UPDOWN: Interface Serial0/0, changed state to up
*Mar  1 05:51:54.731: Se0/0 PPP: Using default call direction
*Mar  1 05:51:54.731: Se0/0 PPP: Treating connection as a dedicated line
*Mar  1 05:51:54.735: Se0/0 PPP: Authorization required
*Mar  1 05:51:54.743: Se0/0 CHAP: O CHALLENGE id 1 len 23 from "R1"
*Mar  1 05:51:54.747: Se0/0 C
HAP: I CHALLENGE id 1 len 23 from "R2"
*Mar  1 05:51:54.747: Se0/0 CHAP: Using hostname from unknown source
*Mar  1 05:51:54.747: Se0/0 CHAP: Using password from AAA
*Mar  1 05:51:54.752: Se0/0 CHAP: O RESPONSE id 1 len 23 from "R1"
*Mar  1 05:51:54.756: Se0/0 CHAP: I RESPONSE id 1 len 23 from "R2"
*Mar  1 05:51:54.756: Se0/0 PPP: Sent CHAP LOGIN Request
*Mar  1 05:51:54.756: Se0/0 PPP: Received LOGIN Response PASS
*Mar  1 05:51:54.760: Se0/0 PPP: Sent LCP AUTHOR Request
*Mar  1 05:51:54.760: Se0/0 PPP: Sent IPCP AUTHOR Request
*Mar  1 05:51:54.760: Se0/0 LCP: Received AAA AUTHOR Response PASS
*Mar  1 05:51:54.764: Se0/0 IPCP: Received AAA AUTHOR Response PASS
*Mar  1 05:51:54.764: Se0/0 CHAP: O SUCCESS id 1 len 4
*Mar  1 05:51:54.764: Se0/0 CHAP: I SUCCESS id 1 len 4
*Mar  1 05:51:54.765: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0, changed state to up
*Mar  1 05:51:54.768: Se0/0 PPP: Sent CDPCP AUTHOR Request
*Mar  1 05:51:54.768: Se0/0 PPP: Sent IPCP AUTHOR Request
*Mar  1 05:51:55.768: Se0/0 CDPCP: Received AAA AUTHOR Response PASS

Read the output in pairs: R1 sends a CHALLENGE and receives a RESPONSE from "R2", and at the same time receives a CHALLENGE from "R2" and answers it, which is the two-way challenge of Figure 33. "O SUCCESS" is R1 accepting R2; "I SUCCESS" is R2 accepting R1. Only after both does the line protocol come up. With a mismatched username or secret you see a FAILURE message in place of the SUCCESS and the line protocol stays down.

7.6 Troubleshooting

7.6.1 Mismatched WAN Encapsulations

If you have a point-to-point link but the encapsulations aren't the same, the link will never come up. Figure 34 shows one side with PPP and the other with HDLC.

Figure 34 – Mismatched WAN Encapsulations (R1 S0/1 connected to S0/1 R2)

R1
hostname R1
username R2 password cisco
!
int serial 0/1
 ip address 10.1.1.1 255.255.255.0
 encapsulation ppp
 ppp authentication chap

R2
hostname R2
username R1 password cisco
!
int serial 0/1
 ip address 10.1.1.2 255.255.255.0
 encapsulation hdlc
 ppp authentication chap

R2#sh int s0/1
Serial0/1 is up, line protocol is down
  Hardware is PowerQUICC Serial
  Internet address is 10.1.1.2/24
  MTU 1500 bytes, BW 1544 Kbit, DLY 20000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation HDLC, loopback not set

The serial interface is up (the physical line is fine) but the line protocol is down: LCP on R1 keeps sending configure requests and will never receive any responses because router R2 is using the HDLC encapsulation. To fix this problem, configure the PPP encapsulation on the serial interface of router R2.

7.6.2 Mismatched IP Addresses

In Figure 35, the two routers are connected with different subnets: router R1 with 10.1.1.1/24 and router R2 with 10.2.1.2/24. Both sides run PPP with CHAP.

Figure 35 – Mismatched IP Addresses (R1 S0/1 connected to S0/1 R2)

R1
hostname R1
username R2 password cisco
!
int serial 0/1
 ip address 10.1.1.1 255.255.255.0
 encapsulation ppp
 ppp authentication chap

R2
hostname R2
username R1 password cisco
!
int serial 0/1
 ip address 10.2.1.2 255.255.255.0
 encapsulation ppp
 ppp authentication chap

R2#sh int s0/1
Serial0/1 is up, line protocol is up
  Hardware is PowerQUICC Serial
  Internet address is 10.2.1.2/24
  MTU 1500 bytes, BW 1544 Kbit, DLY 20000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation PPP, loopback not set
  Keepalive set (10 sec)
  LCP Open
  Open: IPCP, CDPCP

The IP addresses between the routers are wrong but the link looks like it's working fine. This is because PPP, like HDLC and Frame Relay, is a Layer 2 WAN encapsulation and doesn't care about IP addresses at all. So yes, the link is up, but you can't use IP across this link since it's misconfigured. To find and fix this problem, you can use the show running-config or the show interfaces command on each router, or you can use the show cdp neighbors detail command:

R2
R2#sh cdp neighbors detail
-------------------------
Device ID: R1
Entry address(es):
  IP address: 10.1.1.1
Platform: cisco 2611XM,  Capabilities: Router
Interface: Serial0/1,  Port ID (outgoing port): Serial0/1
Holdtime : 129 sec

Version :
Cisco Internetwork Operating System Software
IOS (tm) C2600 Software (C2600-I-M), Version 12.3(6c), RELEASE SOFTWARE (fc2)
Copyright (c) 1986-2004 by cisco Systems, Inc.
Compiled Wed 31-Mar-04 16:47 by pwade

advertisement version: 2

R1
R1#sh cdp neighbors detail
-------------------------
Device ID: R2
Entry address(es):
  IP address: 10.2.1.2
Platform: cisco 2611XM,  Capabilities: Router
Interface: Serial0/1,  Port ID (outgoing port): Serial0/1
Holdtime : 169 sec

Version :
Cisco Internetwork Operating System Software
IOS (tm) C2600 Software (C2600-I-M), Version 12.2(21b), RELEASE SOFTWARE (fc1)
Copyright (c) 1986-2004 by cisco Systems, Inc.
Compiled Tue 20-Jul-04 05:25 by kellythw

advertisement version: 2

You can view and verify the directly connected neighbor's IP address and then solve your problem. Note what else CDP hands out over the link: platform, interface names and the exact IOS version, which is useful to an attacker choosing an exploit. Keep CDP on links you control and disable it (no cdp enable on the interface) on links toward a provider or any untrusted party.
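The following Python program is an added example for sections 7.5.4 through 7.6; it is not part of the textbook and not an IOS feature. It parses the running-config fragments of two routers and reports, before anyone consoles in, the three failure modes walked through above (a username that does not match the peer's hostname or a differing secret, mismatched WAN encapsulation, addresses in different subnets), flags a PAP fallback and clear-text secrets, and includes small readers for show interfaces and debug ppp authentication output. The configs and outputs in it are constructed to mirror Figures 33 to 35, not captured from real routers; the hostnames and the secret "cisco" are the textbook's.

```python
"""Consistency checks for a two-router PPP/CHAP serial link.

Added example: not part of the textbook and not an IOS feature. Configs and
outputs below are constructed to mirror Figures 33-35 of the text; the
failure message in DEBUG_FAILED is in the shape IOS prints, not a capture.
"""
from __future__ import annotations

import ipaddress
import re

R1_CFG = """\
hostname R1
username R2 password cisco
!
interface Serial0/1
 ip address 10.1.1.1 255.255.255.0
 encapsulation ppp
 clock rate 64000
 ppp authentication chap
"""
R2_CFG = (R1_CFG.replace("hostname R1", "hostname R2").replace("username R2", "username R1")
          .replace("10.1.1.1", "10.1.1.2").replace(" clock rate 64000\n", ""))
R2_CFG_HDLC = R2_CFG.replace("encapsulation ppp", "encapsulation hdlc")   # Figure 34
R2_CFG_WRONG_SUBNET = R2_CFG.replace("10.1.1.2", "10.2.1.2")              # Figure 35

R2_SHOW_HDLC = """\
Serial0/1 is up, line protocol is down
  Internet address is 10.1.1.2/24
  Encapsulation HDLC, loopback not set
"""
DEBUG_FAILED = """\
*Mar  1 05:51:54.743: Se0/0 CHAP: O CHALLENGE id 1 len 23 from "R1"
*Mar  1 05:51:54.764: Se0/0 CHAP: O FAILURE id 1 len 25 msg is "MD/DES compare failed"
"""


def parse_config(text: str) -> dict:
    """Keep only the lines that decide whether a PPP link with CHAP/PAP comes up."""
    cfg = {"hostname": None, "users": {}, "encapsulation": None, "ip": None,
           "auth": [], "cleartext_users": []}
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.fullmatch(r"hostname (\S+)", line):
            cfg["hostname"] = m.group(1)
        elif m := re.fullmatch(r"username (\S+) password (?:(\d+) )?(\S+)", line):
            cfg["users"][m.group(1)] = m.group(3)
            if (m.group(2) or "0") == "0":   # type 0: readable as-is in `show running-config`
                cfg["cleartext_users"].append(m.group(1))
        elif m := re.fullmatch(r"ip address (\S+) (\S+)", line):
            cfg["ip"] = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}")
        elif m := re.fullmatch(r"encapsulation (\S+)", line):
            cfg["encapsulation"] = m.group(1).lower()
        elif m := re.fullmatch(r"ppp authentication (.+)", line):
            cfg["auth"] = m.group(1).lower().split()
    return cfg


def check_peers(a: dict, b: dict) -> list[str]:
    """Reasons the link between two parsed configs would fail or be weak; [] means consistent."""
    findings = []
    if a["encapsulation"] != b["encapsulation"]:
        findings.append(f"encapsulation mismatch: {a['hostname']}={a['encapsulation']} "
                        f"{b['hostname']}={b['encapsulation']}")
    if a["ip"] and b["ip"] and a["ip"].network != b["ip"].network:
        findings.append(f"subnet mismatch: {a['ip']} vs {b['ip']}")
    if a["auth"] or b["auth"]:
        # Each router looks up the OTHER router's hostname in its own table; secrets must match exactly.
        secret_on_a = a["users"].get(b["hostname"])
        secret_on_b = b["users"].get(a["hostname"])
        if secret_on_a is None:
            findings.append(f"{a['hostname']} has no 'username {b['hostname']}' entry")
        if secret_on_b is None:
            findings.append(f"{b['hostname']} has no 'username {a['hostname']}' entry")
        if None not in (secret_on_a, secret_on_b) and secret_on_a != secret_on_b:
            findings.append(f"CHAP/PAP secret differs between {a['hostname']} and {b['hostname']}")
    if "pap" in a["auth"] + b["auth"]:
        findings.append("PAP permitted: the password would cross the link in clear text")
    return findings


def link_state(show_interfaces: str) -> tuple[str | None, bool, bool]:
    """(encapsulation, line protocol up?, 'LCP Open' present?) from `show interfaces` text."""
    enc = re.search(r"Encapsulation (\S+),", show_interfaces)
    proto = re.search(r"line protocol is (\S+)", show_interfaces)
    return (enc.group(1).upper() if enc else None,
            bool(proto) and proto.group(1) == "up",
            "LCP Open" in show_interfaces)


def chap_outcome(debug_text: str) -> dict[str, bool]:
    """From `debug ppp authentication` text: did each side send SUCCESS, was any FAILURE seen?"""
    return {"we_accepted_peer": "CHAP: O SUCCESS" in debug_text,
            "peer_accepted_us": "CHAP: I SUCCESS" in debug_text,
            "failure_seen": bool(re.search(r"CHAP: [IO] FAILURE", debug_text))}


if __name__ == "__main__":
    r1 = parse_config(R1_CFG)
    for label, cfg in (("figure 33", R2_CFG), ("figure 34", R2_CFG_HDLC), ("figure 35", R2_CFG_WRONG_SUBNET)):
        print(label, check_peers(r1, parse_config(cfg)) or "consistent")
    print("clear-text secrets on R1 for:", r1["cleartext_users"])
    print(link_state(R2_SHOW_HDLC), chap_outcome(DEBUG_FAILED))
```

Feed it the output of show running-config from both ends of a link; the Figure 34 pair yields the encapsulation finding, the Figure 35 pair the subnet finding, and a secret that differs only in case is reported as a mismatch, since CHAP compares the secrets byte for byte.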

References

Bibliography
Lammle, T. (2006). CCNA Intro: Introduction to Cisco Networking Technologies Study Guide. Sybex, Inc. ISBN 0470068507.

External Links
Cisco Systems. http://www.cisco.com/
GNS3. http://www.gns3.net/
Packet Tracer. http://www.packettracerdownload.com/
VLAN. http://en.wikipedia.org/wiki/Virtual_LAN
http://www.cisco.com/warp/cpropub/45/tutorial.htm
http://itknowledgeexchange.techtarget.com/itanswers/show-interface-command-output/

Tables and Figures

Figures
Figure 1 – Router's component, 11
Figure 2 – Cisco Router Series and the sites for which they are Suited, 13
Figure 3 – Example of a Cisco IOS Software Image Name, 18
Figure 4 – Command Mode Transition, 21
Figure 5 – CDP Neighbor Information, 44
Figure 6 – Lab Network Diagram for IP routing, 62
Figure 7 – Benefit of Switched Network, 105
Figure 8 – Two-Switch Network, 113
Figure 9 – Three-Switch Network, 118
Figure 10 – STP Configuration, 124
Figure 11 – Port Security Configuration Example, 125
Figure 12 – Flat Network Structure, 125
Figure 13 – Concept of Virtual LANs, 129
Figure 14 – Linked Types, 130
Figure 15 – Example of Identifying VLANs by Ports, 131
Figure 16 – Distinguish between Tagged Frames and Untagged Frames, 133
Figure 17 – Router on a Stick, 135
Figure 18 – VTP Domain on Router, 139
Figure 19 – VTP Operation, 146
Figure 20 – DHCP Relay Agent, 150
Figure 21 – NAT Sample Network, 160
Figure 22 – Port Address Translation, 165
Figure 23 – Static NAT Address Mapping, 167
Figure 24 – ICMP Redirect Example, 168
Figure 25 – VLAN with NAT, 171
Figure 26 – Anti Spoofing by ACL, 173
Figure 27 – Mapping the OSI Model to WAN Protocols, 182
Figure 28 – WAN Connection Types, 183
Figure 29 – Point-to-Point Protocol Stack, 186
Figure 30 – Overview of PPP Components, 186
Figure 31 – PPP Session Establishment, 187
Figure 32 – PAP and CHAP Authentication, 188
Figure 33 – Network Topology for PPP and CHAP Configuration, 190
Figure 34 – Mismatched WAN Encapsulations, 194
Figure 35 – Mismatched IP Addresses, 195

Tables
Table 1 – Router's memories, 11
Table 2 – Remote Access Options for each Series of Router, 15
Table 3 – Access Layer Switches, 17
Table 4 – Distribution and Core Layer Switches, 17
Table 5 – Types of Trains, 18
Table 6 – Summary of Command Mode, 19
Table 7 – Major Commands and Subcommands, 22
Table 8 – Summary of Hot Keys, 30
Table 9 – CDP information, 45
Table 10 – STP: Reasons for Forwarding or Blocking, 108
Table 11 – STP Path Cost, 110
Table 12 – Access List Number Range, 153
Table 13 – NAT Sample Network Information, 161

References
1. http://www.cisco.com/warp/cpropub/45/tutorial.htm
2. http://itknowledgeexchange.techtarget.com/itanswers/show-interface-command-output/

Indexes

Keywords
A: ACL; Autonomous System (AS)
C: CDP; CLI
D: Dynamic VLANs
E: Enhanced Interior Gateway Routing Protocol (EIGRP); Erasable Programmable Read Only Memory (EPROM)
F: flat network topology
I: IOS
L: Link State Advertisements (LSA)
N: non-volatile RAM (NVRAM)
O: Open Shortest Path First (OSPF)
R: Routing Information Protocol (RIP)
S: Static VLANs; switched networks
V: variable length subnet masks (VLSM); virtual LAN (VLAN); VLAN membership; VLAN Trunking Protocol (VTP); VTP clients; VTP pruning; VTP server mode; VTP transparent