CCNAX| Interconnecting Cisco Networking Devices: Accelerated Student Guide Volume 2 Version 3.0 Part Number: 97-3837-03]‘Americas Headquarters ‘Asia Paci Headquarters Europe Headquarters (isco Systems, ne (Ceo Syst (USA) Pte Led Cisco Systane intrnationl BY Sanose, CA Singapore Kreterdam, ‘Ths Netherlands Cisco has more than 200 offices ordvde, Adresses, phone numbers, and fax numbers ae listed onthe Cisco Website at enti comigetmces Cisco andthe Cisco logo are rademars or roger ademas of isco andlor is silts in he US. and other curtis. To aa It of Caco vademarks, go fo fis URL; vnv.cisc.comgoiradsarks. Third-party vademarks tat are error ae the Proper of har rspecave ones. Theuse othe word pare doesnot imply a parinersisretonship betwen Cisco a ay her oomeary. (11108). DISCLAIMER WARRANTY: THS CONTENT IS BEING PROVIDED“AS IS" AND AS SUCH MAY INCLUDE TYPOGRAPHICAL, GRAPHICS, OR FORMATTING ERRORS, CISCO MAKES AND YOU RECEIVE NO WARRANTIES IN CONNECTION WT TH CONTENT PROVIDED HEREUNDER EXPRESS IMPLIED, STATUTORY OR IN ANY OTHER PROVISION OF THIS CONTENT ‘GR.CCMMUNICATION BETWWEEN CISCO AND YOU. CISCO SPECIFICALLY DISCLAIMS ALL IMPUED WARRANTIES, INCLUDING INARRANTIES OF MERCHANTABILITY, NON-INFRINGEMENT AND ETTNESS FOR A PARTICULAR PURPOSE, (GRARISING FROW A COURSE OF DEALING. USAGE OR TRADE PRACTICE. Tic lemirg product may conan ay rlaze content, and whic Cisco Geleves to be accurate, falssubjet ote disclaimer above (©2017 Cisco Systems, ne.Table of Contents Internet Connect ‘Lesson 9: Enabling Intemet Connectivity Z Demarcation Point... - Provider-Assigned IP Addresses. . Public vs. Private IPv4 Addresses Discovery 12: Configure a Provider-Assigned IP Address. - - 4 Introducing NAT... - - - - - 20 ‘Types of Addresses in NAT... - - . - 2 ‘Types of NAT... - - - - . 23 Understanding Static NAT .... - - - . 24 Configuring and Verifying Static NAT - - - . 25 Discovery 13: Configure Static NAT : . : . 28 Understanding Dynamic NAT : - : - 38 Configuring and Verifying Dynamic NAT....... - : - 40 Understanding PAT.. - : - : - 43 Configuring and Verifying PAT. - : - 45 Discovery 14: Configure Dynamic NAT and PAT - : - 48 Troubleshooting NAT... : - : - 55 Discovery 15: Troubleshoot NAT. : - : - 60 Challenge.. Answer Key... Module 3: Summary Challeng ‘Lesson 4: Establish interet Connectivity Challenge. . . Answer Key. Lesson 2: Troubleshoot internet Connectivity. Challenge. . - Answer Key. Module 4: Implementing Scalable Medium-Sized Networks. ‘Lesson 4: Implementing and Troubleshooting VLANs and Trunks - 79 Enterprise Network Design ... . . - - 79 Issues in a Poorly Designed Network - - - - 84. ‘VLAN Introduction... - . - . - 85 Creating a VLAN... - - - - 87 Assigning a Port to a VLAN... - - - - 89 Trunking with 802.10... - - - - 2 Configuring an 802.10 Trunk. - - . - 5 Discovery 16: Configure VLAN and Trunk... - . - 7 Dynamic Trunking Protocol... - - - - 108 ‘VLAN Trunking Protocol... - - - 110 Discovery 17: Troubleshoot VLAN and Trunk Issues... . - 114 ‘VLAN Design Consideration .. - - - - 126 Challenge. - - - - - - 128, Answer Key. - - = - - - 129Lesson 2: Building Redundant Switched Topoloaies: 131 Physical Redundancy in @ LAN... . - 134 Issues in Redundant Topologies... - - 134 Loop Resolution with STP... - - 135 ‘Spanning-Tree Operation... - - 136 ‘Spanning-Tree Operation Example - - 138 ‘Types of Spanning-Tree Protocols - - 142 Comparison of Spanning-Tree Protocols. - - 143 Per VLAN Spanning Tree Plus ... - - 145 PVST+ Extended Bridge ID... 146 Discovery 18: Configure Root Bridge and Analyze STP Topology 148 PortFast and BDU Guard ..... - - 161 Configuring PortFast and BPDU Guard - - 164 Discovery 19: Troubleshoot STP Issues, - - 168 Challenge. - - - - 176 Answer Key. . - 117 Lesson 3: Improving Redundant Switched Topologies with EtherChannel 179 Introducing EtherChannel...... . - 179 EtherChannel Protocols. : - 183 Discovery 20: Configure and Verify EtherChannel . - 187 Challenge. . - - - 204 Answer Key : - 203 Lesson 4- Routing Between VLANS. 205 Purpose of Inter-VLAN Routing... - - 205 Opiions for nter-VLAN Routing .. - - 207 Discovery 21: Configure a Router on a Stick....... - 210 Challenge. . - - - 223 Answer Key 224 Lesson 5: Using a Cisco IOS Network Device as a DHCP Server 208 Need for a DHCP Server. - - 225 Understanding DHCP... - - - 27 Configuring a DHCP Server........ Z 229, Discovery 22: Configure a Cisco Router as a DHCP Server... 231 Understanding DNS... - - 245 Discovery 23: Troubleshoot DHCP Issues - - 246 Challenge. - - - - 254 ‘Answer Key . - 256 Lesson 6: Understanding Laver 3 Redundancy =. 257 Need for Default Gateway Redundancy - . 257 Understanding FHRP ..... - - - 259 Understanding HSRP..... - - 261 Discovery 24: Configure and Verify HSRP - - 263 Discovery 25: Troubleshoot HSRP_ - - 274 Challenge. - . - - 282 ‘Answer Key - : - 283 Lesson 7: Implementing RIPV2_ 285 ‘Overview of Routing Protocols... - 285 Distance Vector and Link-State Routing Protocols . - 288 Understanding RIPV2..... . - - 290Configure RIPV2. - - - 201 ‘Verity RIPv2. - - 293 Discovery 26: Configure and Verity RIPW2 - - 296 Discovery 27: Troubleshoot RIPV2 - 7 308 Challenge - - - 319 Answer Key. - - - 321 Module 5: Introducing IPv6. ‘Lesson 1: Introducing Basic IPv6. 7 7 325 IPv4 Address Exhaustion Workarounds 7 7 325 IPv6 Features. . 7 7 328 IPv6 Addresses. 7 7 330 IPvé Address Scopes and Prefixes - 7 332 IPv6 Address Allocation... 7 7 338 Challenge - - - 340 Answer Key. - - at Lesson 2: Understanding IPv6 Operation _ _ 343 Comparison of IPv4 and IPV6 Headers. 7 7 343 Intemet Control Message Protocol Version 6. - 7 a7 Neighbor Discovery. - - 349 Stateless Address Autoconfiguration - - 352 Discovery 28: Configure Basic IPvé Connectivity - - 355 Challenge - - - 386 Answer Key. - - 367 Lesson 3: Configuring IPv6 Static Routes _ _ 369 Routing for IPv6 - - 360 Configuring IPv6 Static Routes - 7 a7 Discovery 29: Configure IPv6 Static Routes. - 7 374 Challenge - - - 381 Answer Key. - - - 382 Glossaryjevoas:Accaloratad (CCNA (© 2017 Cisco Systems neModule 2: Establishing Internet ConnectivityInteconnactng isco Networking Davies: Accslerated (CCNA) (© 2017 Cisco Systems neLesson 9: Enabling Internet Connectivity Introduction ‘Your boss dedicates you to the project with a customer who wants to comectto the Intemet. The customer is going through the process of obtaining public IP addresses. They are asking about differences between ‘manual IP address assignment and DHCP. Your focus is only to explain to them how DHCP can be used for address assignment by an ISP and whet is needed on the customer side. The customer also wants to know about NAT and PAT im case they experience problems with public IP addressing. You should explain to them static and dynamic NAT configuration examples. Demarcation Point Although fimctions within the service provider network are not usually of conver to customers, there are some tems and concepts that you should be familiar with, ©2017 Gace Systems, ne Teterconn Demarcation PointService providers install a comnection point (usually in the form of an RJ-45 jack) that physically connects 2 circuit to their nearest switching office. This link is known as the dlmareation potnt, and it represents the point at which the responsibility of the service provider is said to end. In other words, the service provider ensures that the lik functions correctiy up to that point. The other end of this Link: comnects to the service provider network. These links are part of what is known asthe local oop or last mile. The local loop may consist of various technologies, including DSL. cable, fiber optics, traditional twisted-pair wiring, and others. ‘The customer side of the demarcation point is the location of the CPE, The tenn CPE is often used quite loosely, but it traditionally refers to equipment that is owned and managed by the customer for commecting ‘to the service provider network. However, many companies lease CPE from their service providers, and this equipment is still considered to be CPE. Before physically connecting to a service provider network, a company needs to determine the type of WAN service or connectivity that it requires. Note The exect demarcation pont is diferent from country to country. The exemple tat is Gascibed is forthe United States. Internet Connectivity ‘There are three common methods of connecting a small office tothe Internet: copper medium, optical cable, | or wireless connection. In wired connections the medium is either copper, which carries electrical signals, or optical fiber, which carries signals in ight. For wireless connections, the medium isthe etmorphere of Earth, and radio ffequencies cary the signals. “F__Inteconnacing isco Networking Davis: Accalerated (CCNA) 2017 Gio Systems, ne Internet Connectivity come scores hora22026 sRVI peteuttgsteway horo2s 00 NetoDevice |characteristio. Value srve Hostname seve srve — l2os.0.212.20026 sRv2 Default gsteway l2oa.0.113.1 swi Hostname swt swi VLAN 1 IP eddress 10:10.1.424 sw JDetaut gateway 10:10. sw lEtrerneto10 description Linscto Ra sw lEthernetort description Lincto PA swe Hostname swe swe VLAN 1 IP address 10:10.2.424 swe Detaut gstoway 10-102, swe Etherneto10 description Link to Re swe lEtnerneto/t description Linseto Po swe Hostname swe swe VLAN 1 IP acéress l2os.0.212.4124 swe Detaut gsteway l2os.0.212.11 swe lEtrerneto10 description Linscto R3 swe lEtherneto!t description insets Sev2 RI Hostname Ri RI Etherneto10 description Lines to swt RI lEtherneto10 IF address 10:10.3.1724 RI lEthernetort description Linseto swe RI lEtherneto IP access 10:10.2.1724 RI lEtrernetora description Linscto Re RI lEthernetO IP address 108.51.100.2:28Device |characteristio lvaiue R2 Hostname ko R2 thereto" description link to swe Ra Ethere010 I aeiass frosc.r1a.1r04 R2 Etnemes012 description into Ret Fa etree I acess je.51.100.128 ‘The PC and SRVs in the virtual lab environment are simulated as routers, o you should use Cisco 10S commands to configure them or make verifications. Global IP Address Networks ‘Adress Block Host starting lost Ending Adcress |Broadeast Address [Subnet Mask laces 19202028 jreaoz lteao2254 je20.2.256 lass-256-255.0 ve8.51.100028 lies sit0o+ | 460 51.100256 08.51 100.265 loss-2se-255.0 2080.11.04 [20s 0112.4 [20s 212.258 l2030.+19.256 lass.26.255.0 Task 1: Configure a Provider-Assigned IP Address Activity Step 1 To provide some insight into the fimetioning of a DHCP eerver, you will configure DHCP server| services on R2, which is acting as the ISP router. On R2, access the global configuration with the configure terminal command. (On R2, enter the following command: Rat cone & Ra(cenfig)? ~ ~ ‘The most commonly used commands are abbreviated in this guided discovery. For example, en is used for enable and eonf tis used for configure terminal. If there is any confusion, you can perform tab completion ofthe commands to see the full commands during the discovery execution. For example, entab> would expand to enable and conf t would expand to configure terminal. Step 2 Define a DHCP adetress pool for the subnet 198.51.100.0°24, specifying the interface (198.51.100.1) of 2 as the default gateway and an address lease length of 7 days. DHCP pools are identified with a name. NetworkingStep 3 Step 4 Step 5 (On R2, enter the following commands: RZ (config)? sp dhep pool Clients By default, the Cisco IOS DHCP server will serve all IP addresses within the eubnet of a defined pool. Limit the assignable addresses fiom 198.51. 100.101 to 198.51.100.254 by excluding the first 100 addresses in the subnet range. Then, leave the configuration mode-on R2. On R2, enter the following commands: RZ (configh? Sp dhep excluded-addres 193-51 .100.2 198-51.100.100 RE config)? end Re Ri is curently configured with a static IP address on Ethemnet0/3. Verify this ict. Access the console of R1 and examine the current IP configuration on Ethemet0)3. Rif ch dp int brie Interface OR? Method Seatus EchernetO/t YES IWRAM up up Eohernes0/2 YES MVEA Sdministracively down YES VIAN Sdninisteatively down YES WEAN administestively dove Routing has not been configured on RU. Verify that only local and connected routes appear in the RL routing table and that there is no default route configured (Oni, enter the following command:Step 6 Step 7 Step & Gateway of last zesort is not 10.0.0.0/ yy sobreteed, of2i is directay connec: A/32 is dizectly connec: 0/24 is variably subnets Reconfigure the interface Ethemet0) to obtain its IP address and default gateway via DHCP. On Ri, enter the following commands: Wait up to 30 seconds. Verify that R1 displays a syslog message indicating that ithas been assigned an IP address via DHCP. ‘Os 20 14:47:21.912: 4DHCP-¢-ADURESS ASSIGN: Interface Verify that the IP address is assigned to the interface Ethemet0/3, On Ri, enter the following command: NetworkingStep 9 Step 10 Rif chow Sp ant biee Interface Ue-Rddeess OK? Methed Searus Eehernee0/2 Echernev0/s 88.52 -100.102 YES DEC we we YES VIAN Saministestively dove YE WVRAM administratively down YES WVRAM administratively down ‘Verify that there is now a default route on Ri, using R2 (198.51.100.1) asthe default route On RI, enter the following command: si, Eeharnat0/0 i, 2 subnets, Verify connectivity from Rl to the publie IP address side of the topology by pi (208.0.113.30). OnR1, enter the following command: Sending §, 100-byte ICMP Echos to 203.0.119.90, timeout Success rate is 0 percent (4/5), round-osip min/arg/max This isthe end ofthe discovery lab.Introducing NAT ‘Small networks are commonly implemented using private IP addressing as defined in RFC 1918. Private addressing gives enterprises considerable dexbility in a network design. This addressing enzbles operationally and administratively convenient addressing schemes and easier growth. However, y route private addresses over the Intemet, and there are not enough public addresses to allow all organizations to provide a private address to al their hosts. Therefore, network administrators need a mechanism to translate private addresses to public addresses (and back) atthe edge of their network. ‘NAT provides this mechanism, Before NAT, a host with a private address could not access the Internet ‘Using NAT, companies can provide some of or all their hosts with private addresses and provide address translation to allow access to the Internet. su cannot, Introducing NAT NAT allows private users to access the Internet by sharing one or more public IP addresses. a as = ‘NAT is like the receptionist in a lange office. Assume that you have lef instructions with the receptionist not to forvard any calls to you unless you request it. Later, yoit call a potential client and leave a message asking the client to call you back. You tell the receptionist that you are expecting a call from this client, and you ask the receptionist to put the call through to you. The client cals the main number to your office, ‘which is the only mumber thatthe client knows. When the caller gives the receptionist your name, the receptionist checks a lookup table that matches your name to your extension. The receptionist Inows that yourequested this call and forwards the caller to your extension, Usually, NAT connects two networks and translates the private (inside local) addresses in the intemal network to public (inside global) addresses before packets are forwarded to another network. You can configure NAT to advertise only one address for the entire network to the outside world, Advertising only one adress effectively hides the internal network, providing additional security as a side benefit. ‘The NAT process of swapping one address for another is separate from the convention that is used to determine what is public and private, and devices must be configured to recognize which IP networks should be translated. This requirement is one ofthe reasons why NAT can also be deployed intemally when there is a clash of private IP addresses—such as, for example, when two companies merge. 17 Cisco yet (isco Networking Davies:‘The benefits of NAT include the following: + NATeliminates the need to readdess all hosts that require extemal access, saving time and money + NAT conserves addresses through application port-level multiplexing. With PAT, multiple intemal hhosts can share a single registered IP address forall external communication. In this type of ‘configuration, relatively few extemal addresses are required to support many internal hosts. This characteristic conserves IPvd addresses. + NAT protects network security. Because private networks do not advertise their addresses or intemal ‘topology, they remain reasonably secure when they gain controlled external access with NAT. ‘The disadvantages of NAT include the following: + Many IP addresses and applications depend on end-to-end fimetionality, with unmodified packets ‘forwarded from the source to the destination. By changing end-to-end addresses, NAT blocks some ‘applications that use IP addressing. For example, some security applications, such as digital signatures, ‘all because the source IP address changes. Applications that use physical addresses instead of ‘qualified domain name do not reach destinations that are translated across the NAT router. Sometimes, ‘you can avoid this problem by implementing static NAT mappings. + Enclto-end IP tracesbilty is also lost. It becomes much more difficult to trace packets that undergo mumerous packet address changes over multiple NAT hops, so troubleshooting is challenging. On the ‘ther hand, hackers who want fo determine the source of a packet find it difficult to trace or obtain the ‘original soures or destination address. + Using NAT also complicates tunneling protocols, such as IPsec, because NAT modifies the values in the headers. This behavior interferes with the integrity checks that IPsec and other tunneling protocols perform. + Services that require the initiation of TCP connections from the outside network, or stateless protocols ‘such as those using UDP, can be disrupted, Unless the NAT router makes a specific effort to support ‘such protocols, incoming packets cat reach their destination. Some protocols can accommodate one ‘instance of NAT between participating hosts (passive mode FTP, for example) but fail when NAT ‘separates both systems from the Internet. + NAT increases switching delays because translation of each IP address within the packet headers takes time. The first packet is process-switched, meaning that it always goes through the slower path. The router must look at each packet to decide whether it needs translation. The router needs to alter the [P| hheader and possibly alter the TCP or UDP header. Remaining packets go through the fast-switched path ‘fa cache entry exists; otherwise, they also are delayed.Types of Addresses in NAT Types of Addresses in NAT ‘These are the most important types of addresses in NAT: Inside local: Host address on the insige network + Inside global: Translated inside local address In NAT terminology, the inside network isthe set of networks that are subject to translation. The outside network refers to all other addresses. Usually, these other addresses are valid addresses that are located on the Intemet Cisco defines these NAT terms: + Inside local address: The TPv4 address that is assigned to a host on the inside netwark. The inside local addvess is likely not an IP address that the network information center or service provider assigns. ‘+ Inside global address: The translated inside local adress. It is typically a public [Pv addlress, + Outside global address: The [Pv address that the host owner assigms to a host on the outside network. ‘The outside global adress is allocated from a globally routable address or network space| + Outside local address: The IPv4 address of an outside host as it appears to the inside network, Not necessarily public, the outside local address is allocated fiom a routable address space on the inside. ‘A good way to remember what is local and what global isto add the word visible. An address that is locally visible normally implies a private IP address, and an address that is globally visible normally implies public IP address. The restis simple, aside means internal to your network, and outsice means extemal to your network. So, for example, an inside global adévess means that the device is physically inside your network and has an address that is visible from the Intemet. It could be a web server, for instance. (conan Cisco SystemsTypes of NAT (Ona Cisco IOS router, NAT canbe divided into three distinct categories, each having aclear usecase Types of NAT Here are the types of NAT: + Statle NAT: One-to-one address mapping + Dynamic NAT: Many-to-many address mapping + PAT: Manytto-one address mapping ‘NAT can work in these way: + Static NAT: Maps a private IPvd address to a public [Pvt address (one to om), Static NAT is ‘particularly usefil when 2 device must be accessible from outside the network. This type of NAT is ‘wed when a company has a server for which it needs 2 static IP address + Dynamic NAT: Maps a private IP address to @ public IP. addres from a group of public [Pvt ‘addresses. This type of NAT is used, for example, when two companies that ae using the same private address space merge. With the use of dynamic NAT readdressing, using the entire address space is avoided or at least postponed] + PAT: PAT maps multiple private [Pv addresses to a single public IP addlress (many to one) by using ‘different ports. PAT is also known as NAT overloading. itis a form of dynamic NAT and is the most ‘common use of NAT. Itis used every day in your place of business or your home. Multiple users of PCs, tablets, and phones are able to access the Intemet, even though only one public IP address is available for that LAN,Understanding Static NAT ‘You can translate your own [Pv addresses into globally unique [Pvt addresses when you are communicating outside your network. Understanding Static NAT zz ‘The figure illustrates a router that is translating a source adress inside a network into a source address outside the network. The following are the steps for translating an inside source address: 1. The user at host 10.1.1.101 wants to open a comnection to Host B (IP address 209.165.202.131) 2. ‘The first packet thatthe router receives on its NAT inside-enabled interface from host 10.1.1.101 causes the router to check its NAT table. ‘The router replaces the inside local source address of host 10.1.1.101 with the translated inside global | address (209.165 201.5) and forwards the packet. 4. Host B receives the packet and responds to host 10.1.1.101, using the inside global [Pv destination address 209,165.201.5 5. When the router receives the packet on its NAT outside-enabled interface with the inside global TP address of 209.165.201.5, the router performs a NAT table lockup using the inside global address as a key. The router then translates the address back to the inside local address of host 10.1.1.101 and forwards the packet to host 10.1.1.101. 6. Host 10.1.1.101 receives the packet and continues the conversation. The router perfomms Steps 2 through 5 for each packet. 24 —_Interconnectng Cisco Networking Davies: Acoeerated (CCNA) 2017 Cisco Systems, neConfiguring and Ve ig Static NAT Configuring Static NAT Remember that static NAT is a one-to-one mapping between an inside address and an outside address. Static ‘NAT allows extemal devices to initiate comections to intemal devices, For instance, you may want to map am inside global adress to a specific inside local address that is assigned to your web server. In the following example, you can see how to configure static NAT. Configuring Static NAT Configuring static NAT translations is 2 simple task. You need to define the addresses to translate and then configure NAT on the appropriate interfaces. Packets that arrive on an inside interface ftom the identified IP address are subject to translation. Packets that arrive on an outside interface that are addressed to the| identified IP address are also subject to translation. The figure shows examples of commands forthe steps. You enter static translations directly into the configuration. Unlike dynamic translations, these translations are always in the NAT table ‘Command Description ‘interface interface | species an interface and enters the interac |senfigursion mode sp address adress subnet_mask [sets the IP across and mask ofthe device sp mat inside lars the interface es connected tothe inside network sp mat outside arcs the interface es-connected tothe Joutsige network(Command. Description ip nat inside source static inside_acizhecs outside adress _|Estabishes static translation between an insi¢e local and inside global eciress Configuring Static NAT (Cont.) Verifying Static NAT Configuration Verifying Static NAT Configuration fo NaF easton = 28 Inteconnactng isco Networking Davies: Accalerated (CCNA)‘Commanct [Description ‘show ip nat translations Displays active NAT transations For more details about the ip nat inside, ip nat pool, show ip nat translations, and related commands, check the Cisco 10S IP Adtérecsing Services Commend Reference at bttp:/hwww.cisco.com/c/en/us/td/decs/ios-xmal/ios/ipaddr/command /ipaddr-cr-book htralDiscovery 13: Configure Static NAT Introduction This discovery lab will guide you through the aspects of connecting a small network to the Intemet. NAT is avery important concept for Intemet connectivity. The private IP addresses that are used on most intemal networks are not routable on the public Intemet. Because they are not routable, the private IP addresses rust be translated to assigned public IP addresses atthe border to the Intemet ‘The lab is prepared with the devices that are represented in the topology diagram. All the devices have their basie configurations in place, ineluding hostnames and IP addresses. Router R1 receives the default route from R2 via DHCP, but NAT has not been implemented. Implementing NAT will be your job during this discovery lab. You will implement a static NAT translation for SRV. Static NAT, which can maintain persistent IP addresses for servers, facilitates inbound comectvity Topology Job Device Information Information Table Device |characteristio WWatue Pet Moshame Pes Pct I sdaross ho10..1024 Pot Detautt gateway toro1.4Device |characteristio. Value sRv Hostname sev sRv — 10:10.220724 sRv Default gsteway 10.102, sRv2 Hostname sRv2 sRv2 Ip sasress l208.0.119.0002¢ srve JDetaut gateway laos.o.212.1 sw Hostname sw sw VLAN 1 IP acéress 10:10.2.424 sw Detaut gsteway 10:10. swt EthernetO10 description Linketo Ra swi lEtherneto!t description Linkcto PC swe Hostname swe swe VLAN 1 IP acéress 10.10.2424 swe Detaut gsteway 10102, swe lEtrerneto10 description Linscto Re swe lEthernetort description Linseto Po swe Hostname swe swe VLAN 1 IP address l203.0.113.4104 swe Detaut gstoway j2oa.0.113.1 swe Etherneto10 description Lins to Ra swe lEtnerneto/t description Linscto sev2 RI Hostname Ra RI lEtrerneto10 description Linseto swvs RI lEtherneto10 IF address 10:10.3.1724 RI EthernetO!t description Lindeto sw2Device |characterstic Wvatue Ri themetot I accross horo.2.108 Ri lEthemeto description lin to Re RA Ethemeto I sderess j108.61.100.228 R2 HHosinome Ro Ra Ethemetovo description insta Swe R2 ethemeto I accross faos.0.113.108 R2 lEthemeto description linet Ret R2 thereto I accross j19851.100.1728 ‘The PC and SRVs in the virtual lab environment are simulated as routers, so you should use Cisco IOS commands to configure them or make verifications. Global IP Address Networks ‘Address Block Host starting |elost Ending Adcress |Broadoast Address [Subnet Mask lrdcress 1202028 jie202 jie2.02264 02.02.266 loss286.285.0 teast.10002 lessitoar | ree.61-100284 /e8.81.100.286 lesszse2s.0 280.1130 fzos 0112.1 f2os 0219.25 l2030.+19.256 lass-256-255.0 Task 1: Configure Static NAT| Activity Step 1 While RI does have access to the public IP address space, systems within the private IP address space of the topology do not. Verify this fact. Access the console of PCI and attempt to ping: ‘SRV2. This process should fail. OnPCA, enter the following command FCLE ping 203.0.113.30 ype escape sequence £0 Suscees exte is 0 peecene (0/5)Step 2 Step 3 Step 4 Step 5 Fora ping operation to be successful, bidirectional connectivity must exist. In this case, the problem is not getting the echo requests ffom PCI to SRV2. Instead, itis a failure in getting the echo replies from SRV? back to PC1. Because NAT has not been configured, SRV? is receiving IP packets fiom the private IP address of PCI (10.10.1.10). Routers on the Intemet are not aware ofthe private IP address space within the networks that comnect to the Intemet. When SRV2 generates an echo reply to 10.10.1.10 and sends that reply to R2 for forwarding, R2 does not have 2 route to use to forward the reply, so the reply is dropped. Configure Bl interfaces for NAT. Ethemet0/0 and Ethemet0/1 are ou the inside, and Ethemet013 is on the outside On RI, enter the following commands: Rit cont Rilconfight ant 20/0 ~ (coatigrit]# ip nat anside Ent 20/4 ip nat anside Sat 20/3 ‘There wil be a significant pause in response to the first interface NAT command because RI vill have to initiate an internal NVI to support NAT. On RI, configure access list number 10 to identify adresses within 10.10.0.0/16 as NAT- eligible On RI, enter the following command: S (sonfig)# meaese-List 10 pemit 10.10.0.0 0.0.259.255 To the Ri configuration, add a NAT statement that enables PAT. Ittranslates the addresses that are permitted by access list 10 using the IP address that is assigned tothe interface Ethemet0/3.| Leave configuration mode when you are done. On RI, enter the following commands (contig)? ap nat inside source list 10 interface ¢0/3 overload (contig) # end Refum to the console of PC! and reattempt the ping operation to SRV2 (205.0.113 30). This time, it should succeed. On PCI, enter the following command: PLE ping 203.0.123.30 Type escape sequence co skort Sending 8, 100-byee IGMP Echo> vo 203.0.219.0, timeout 2 seconds Success rate is 100 percent (5/5), round-eeip min/avg/max = 1/2/2 meStep 6 Inthis step and the next few steps, you will verify the status ofthe translation that is in place Establish a Telnet session ftom PCl to SRV2. Enter the usemame admin with the password Ciscol23 (On PCI, enter the following command Foie tenet Trying 208 113.30 -. Open, Step 7 You are now comected to a vty line of SRV2 from PC1. Using this interface, view the status of the IP sockets on SRV2, noting the foreign IP address that SRV2 sees. (On SRV?2, enter the following command: SRV2> show contrel-plane host open-ports is ineaznes [servers snd established) Fest Foreign Addcoss Listen . 98.52, 100.102: 42868 ‘SRV2 sees 198.51.100.101 as the source IP address of the connection that is coming in from PCI. This address is the IP address on Ethemet0/3 that Rl obtained via DHCP. PAT is in effect Step 8 Leave the connection to SRV2 from PC! running. Access the console of SRV1 and establish a second connection to SRV2 fiom the private IP address space. (On SRV, enter the following commands} SRULE telnet 203.0.113.30 eying 202.0.112.20 --. Open Step 9 Using the connection to SRV2 from SRV1, again review the IP socket status on SRV2. (On SRV?2, enter the following command: (isco Networking Davies:Step 10 Step 11 SRV2> show control-plane host open-ports [servers and established) Tecsl sadeese Poreige Addzess oa 9284-100. r0n-21709 saa 180 84.100. 102:24028, There are now two established Telnet sessions to SRV2. One is from PCI, and the other is from SRVL But, from the perspective of SRV2, both connections are coming from 198.51.100.101 ‘The tivo connections are uniquely identified by their eouree ports. Leaving both connections to SRV2nunning, access the console of R1. Display the translation table on RI. (Oni, enter the following command: Rit chow Sp nat translations Riis also using the inside source port to uniguely identify the two translation sessions. ‘The source ports are dynamically generated so thatthe ports thet are shown inthe example will not match those ports that you see inthe lab environment. But the source ports in the RI translation table should match those inthe open-ports status for SRV2. Using the depicted example, when Ri receives a packet fom 203.0.113.30 with a source port of 23 that is destined for 198.51.100.101 and a destination port of 21299, R1 knows to translate the destination address to 10,101.10 and forward the packet to PC. On the other hand, ifthe destination port of a similar inbound packet is 34023, R1 will translate the destination address to 10.10.2.20 and forward the packet to SRV2. ‘View the naning translation statistics on R1 (Oni, enter the following command:Step 12 Step 13 Step 14 Rit chow sp net statistics [sedens: 2 (0 static, 7 dynamic; 2 extendas) 2y comuered 00:12:47 age Expired crnslavions) 4 i. Dyranie mappings. 0 incasface Echerner0/$ zefcoune 2 formal doors: 0 ‘The show ip nat statisties command display information on the current configuration of NAT (interface afsignment, ACL. specification, and so on), active translation statistics, and historic translation statistics. (One at atime, access the consoles of PC1 and SRV1. Tenminate their Telnet sessions to SRV2. ‘Terminate the PC1 Telnet session to SRV2: t Fog sien 40 209.0.219.20 ky foreign hese] ‘Terminate the SRV Telnet session to SRV2: seien te 209.0.219.90 t aRvt by foreign hese] At this point, you will start to migrate from a DHCP and PAT-based configuration to @ configuration that uses a static IP address and NAT. On R, set the IP address of Ethernet03 to 198.51.100.2/24. On Ri, enter the following command: cont & (configif]€ int 20/3 (config -if]$ ip addeecs 198.54.100.2 255.255.255.0 (sentigaf]¥ exit (config)? From the configuration, use the do command to execute the show ip interface brief command to verify the configuration on Ethernet)/3. (OnRI, enter the following command: 17 Cisco yet (isco Networking Davies:Step 15 Step 16 Step 17 Ri (contig) # do show ip int brief Interface TE-lddeees OK? Methed Searus Eeharnae0/2 YES IVRAM Gministeneively dove down YE WVRAM administratively down YES WVRAM administratively down 0.40.4. YES unset up op Statically configure Ru to use the R2 interface as its default route. (Oni, enter the following command: Ri (confight sp route 0.0.0.0 0.0.0.0 198.51.100.2 Remain in the configuration mode and verify that the default route is now in the routing table, OnR1, enter the following command: 100.1 te netwoxk 0.0.0.0 directly connected, Ethernet0/0 variably subnet? Leave the inside and outside NAT configurations on the R1. interfaces, but remove the PAT configuration statement fiom the running configuration of RL OnR1, enter the following command: Ai (configl# no ip nat inside source List 10 interface Ethernet0/3 overloadStep 18 Step 19 Step 20 Step 21 ‘Add a static NAT configuration entry that translates the SRV1 IP address (10.10.2.20) to 198.51.100.20, then leave configuration mode. (On RI, enter the following command: Ri(configh? sp nat inside cource static 10.10.2.20 198.51.100.20 Rilconfigl? end Re Display the translation table on R1 OnRi, enter the following command: Rit chow ip nat tranlat Fie Inside globe, ‘Static translations continuously remain in the translation table, regardless of their use. Access the console of SRV1 and establish a Telnet session to SRV2. (On SRV, enter the following command: SRULE telnet 2030.15.30 Trying 203.0.113.30 --. Open Usernane: oman Retum to the console of R1 and display the translation table while the session from SRVI to SRV2 is open] On Ri, enter the following command: ep 198-51. 100.20-23 307.20:22028 203.0.112.0:29 x This example shows two entries in the translation table ‘The first entry is an extended entry because it embodies more details than just an IP address that is mapping to an IP address. In this case, it specifies the protocol (TCP) and also the ports in use con bot systems ‘The second entry is a simple entry; it maps one IP address to another ‘The extended entry is due to the use of the static translation for the Telnet session fiom SRV1 to ‘SRV2. It details the characteristics of that session, ‘The simple entry’ is the persistent entry that is associated with the configured static translation (isco Networking Davies: 17 Cisco SystStep 22 Step 23, Step 24 Step 25 ‘The most common use for static NAT translations isto provide a persistent IP address that the systenas inthe public IP address space can use to communicate with specific systems in the private IP address space. Demonstrate this fimction. Access the console of SR'V2 and establish 2 ‘Telnet comection back to SRV. (On SRV2, enter the following command: SED telnet 198.51.100.20 Teying 182.51.100-20 ... Open User Access SEvi> With the two Telnet comections runing, retumn to the console of RI and view the translation table. (Oni, enter the following command: Pre Inside gem: nese Toes] Outside Local ‘There is the one simple entry that is associated with the configured static translation, and two extended entries, each astociated with an active session Access the console of SRV2 and terminate the Telnet session to SRV1 On SRV2, enter the following command: Access the console of SRV1 and terminate the Telnet session to SRV2. (On SRV1, enter the following command: aRva> exit by foreiga hosel This isthe end ofthe discovery lab.Understanding Dynamic NAT While static NAAT provides a permanent mapping between an internal address and a specific public address dynamic NAT muaps private IP addresses to public addresses. These public IP addresses come ffom a NAT pool. Dynamic NAT configuration differs from static NAT, but it also has some similarities, Like static ‘NAT, if requires the configuration to identify each interface as an inside or cutsde interface. However, rather then creating a static mep to a single IP address, a pool of inside global adresses is used. Understanding Dynamic NAT x ‘The figure illustrates a router that i translating a source address thet is inside a network into @ source address that is outside the network. The following are the steps for translating an inside source address: 1. The users at hosts 10.1.1.100 and 10.1.1.101 want to open 2 connection to Host B (TP address 209.165.202.131) 2. ‘The first packet thatthe router receives from host 10.1.1.101 causes the router to check its NAT table. If no static translation entry exists, the router determines thatthe source address 10.1.1.101 must be translated dynamically. The router then selects a legal global address from the dynamic address pool and creates a translation entry (inthis example, 209.165.2015). This type of entry is called a simple entry. For the second host, 10.1.1.100, the router selects a legal global address from the dynamic address pool and ereates a second translation entry (in this example, 209.165.2016). ‘The router replaces the inside local source address of host 10.1.1.101 with the translated inside global address and forwards the packet 4, Host B receives the packet and responds to host 209.165.201.5, using the inside global IPv4 destination address 209,165.201.5. When Host B receives the second packet, itresponds to host 209.165.2016, using the inside global [Pv destination address 209.165.2016. (isco Networking Davies:5. When the router receives the packet with the inside global [Pv address 209.165.2015, the router pperdonms a NAT table lookup using the inside global address as a key. The router then translates the ‘address back to the inside local address of host 10.1.1.101 and forwards the packet to host 10.1.1.101, ‘When the router receives the packet with the inside global [Pv address 209.165.201.6, the router performs a NAT table lookup using the inside global address as a key. The router then translates the ‘address back to the inside local adress of host 10.1.1.100 and forwards the packet to host 10.1.1.100, 6. Hosts 10-1.1.100 and 10.1.1.101 receive the packets and continue the conversation. The router performs Steps 2 tarough 5 for each packetConfiguring and Verifying Dynamic NAT Configuring Dynamic NAT Command Description interface interface |Spenties en interface and enters the interface Jconigurstion mode ip nat pool poo!_name start_ip end ip netmask netmask Defines an iP accrezs pool ip nat inside source list acl number pool pool_name Establishes © dynamic source translation by |specitying the ACL. nd the ederess poo! ip address address submet_mask sets the IF ecerass and mask ip nat inside Marks the interface as connected to the nice netwerc ip nat outside Marks the interface as connected to the outside network access-list ael_mumber permit ip_acdihess netmask [creates an eccess lt that defines the insie local ecrasses thet are eligible to be lrenslated Configuring Dynamic NAT 13.300 Cara a erconnactng Cisco Networking Devices:Note Verifying Dynamic NAT Configurat “The AGL must permit only those addresses that need to be Vanslated, Remember that there is an implct deny any statement atthe end of each ACL. An ACL thats too permissive can lead to unprediciabla resuits. Using permit any can resuitin VAT consuming too much router resources, which can cause network problems. Configuring Dynamic NAT (Cont) IST Sekced'Soestee 20.1 ass 200 20s 240 1 amertace sombimearn 0/9 ‘Commanct ‘show ip nat translations Description! Displays active NAT transationsVerifying Dynamic NAT Configuration 913309 Wea irene ch thon ig met temmalatione For more details about the ip nat inside, ip nat pool, show ip nat translations, and related commends, check the Cisco JOS IP Acdhessing Services Command Reference at Iitp://ww.cisco.com/clen/us'td/docs ios-xml/iosipaddr/command/ipaddr-cr-book ha. Interconnectng Cisco Networking Devios: Accserted (CCNA) 2017 Cisco Systems, neUnderstanding PAT One of the main forms of NAT is PAT, which is also referred to as overload in Cisco TOS configuration. Several inside local addresses can be translated using NAT into just one or a few inside global addresses by using PAT. Most home routers operate in this manner. Your ISP assigns one address to your router, yet several members of your family can simultaneously surf the Intemet Understanding PAT tes Sot sors Top soit sora7z3 zonvesani saree aoe e5an0 19123 With NAT overload, multiple addresses can be mapped to one or a few addresses because a TCP or UDP port number tracks each private address. When a client opens 2 TCP{P session, the NAT router assigns a port number to its source adress. NAT overload ensures that clients use a different TCP or UDP port ‘number for each client session with a server on the Intemet. When a response comes back from the server, the source port mumber (which becomes the destination port mumier on the retum trip) determines the client to which the router routes the packets. It lso validates that the incoming packets were requested, which adds a degree of security to the session| + PAT uses unique source port mumbers on the inside global [Pv address to distinguish between, ‘translations. Because the port umber is encoded in 16 bits, the total number of intemal addresses that ‘NAT can translate into one extemal address is, theoretically, as many as 65,536. + PAT attempts to preserve the original source port. Ifthe source port is already allocated, PAT atterapts 4 find the first available port mumber. It starts from the beginning of the appropriate port group, 0 to SIL, 512 to 1023, or 1024 to 65535, IFPAT does not find an available port from the appropriate port ‘goup and if more than one external [Pv address is configured, PAT moves to the next IP address ‘and tries to allocate the original source port again. PAT continues trying to allocate the original source port unt itrns out of available ports and external [Pv addresses ‘NAT generally translates IP addvesses ouly as 1:1 correspondence between publicly exposed IP addresses and privately held IP addresses. NAT overload modifies the private IP address and potentially the port number of the sender. NAT overload chooses the port mumbers that hosts see on the public network.‘NAT routes incoming packets to their inside destination by referring tothe incoming destination IP address thats given by the host on the public network, With NAT overload, there is generally only one publicly exposed IP address (or avery few). Incoming packets from the public network are routed to their destinations on the private network by referring to a table inthe NAT overioad device that tracks public and private port pars. This mechanism is called connection tracking. ‘The figure illustrates a PAT operation when one inside global address represents multiple inside local addresses. The TCP port mumbers act as differentiators. Both Hosts B and C think that they are talking to a single host a the address 209,165.201.5. They are actually taking to different hosts, andthe port number is the differentiator. In fact, many inside hosts could share the inside global IPv address by using many port numbers. ‘The router performs this process when it overloads inside global addresses: 1. The user at host 10.1.1.100-opens 2 conection to Host B. A second user at host 10.1.1.101 opens a comnection to Hosts B and C. 2. The first packet thatthe router receives from host 10.1.1.100 causes the router to check its NAT table. If no translation entry exists, the router determines that adress 10.1.1.100 must be translated and sets up a translation of the inside local address 10.1.1.100 into am inside global address. If overloading is enabled and another translation is activ, the router reuses the inside global address from that translation and saves enough information to be able to translate back. This type of entry is called an extended entry. ‘The router replaces the inside local source address 10.1.1.100 with the selected inside global address 209.165.2015 and forwards the packet 4. Host B receives the packet and responds to host L0.1.1.100, using the inside global [Pv adress 209.165 .201.5. Host C receives a packet with the same inside global address, even though the packet originated from host 10.1.1.101 5. When the router receives the packet with the inside global TPvd address, the router performs a NAT table lookup. Using the inside global address and port and outside global address and port as a key, the router translates the address back into the correct inside local address, 10.1.1.100, and forwards the packet to host 10.1.1.100. 6. Host 10.1.1.100 receives the packet and continues the conversation. The router performs Steps 2 through 5 for each packet (isco Networking Davies:Configuring and Verifying PAT Configuring PAT ‘Command Description interface interface |specifes an interface and enters the intertoce loons guration mode sp address adress subnet_ mark [sets the IP sdeross and mask ‘ip nat inside lars the interface es connected tothe inside never ‘ip nat outside Marks the interface 9s connected tothe outside network 4p mat inside source list access-lst-mumBer interface interface [Establishes dynamic source translation, ‘overload Jsecitng the Ack access-list ae!_mumber permit ip_addhecs netmask [creates an ACL that defines the inside local ~ s Jeceresses tht are ebgibe tobe tansiated Configuring PAT 11309 a Mpltcieses tet tt aia t95.255,0Configuring PAT (Cont.) Siganientnaenat 0/3 Verifying PAT Configuration ‘Command. Description show ip nat translations Disploys active NAT translations Verifying PAT Configuration tacFor more details about the ip nat inside, ip nat pool, show ip nat translations, and related commands, check the Cisco JOS IP Addressing Services Command Reference at http:/emnw.cisco.com/e/en/us'tdoes/ios-zmos/ipaddr/command /ipadr-cr-book htmDiscovery 14: Configure Dynamic NAT and PAT Introduction Inthis discovery lab, you will implement a dynamie NAT pool that other systems on the intemal network can share for outbound connectivity Topology Job Device Information Device Information Table| Device |characterstic Wvatue Pot Hostname pct Pot IP address ho10.s.r028 Pot Detauttgstowsy fora. SRV Hostname jsrva sRVI > scores hoso22026 sRVI peteuttgsteway horo2s ”Device |characteristio. Value srve Hostname seve srve — l2os.0.212.20026 sRv2 Default gsteway l2oa.0.113.1 swi Hostname swt swi VLAN 1 IP eddress 10:10.1.424 sw JDetaut gateway 10:10. sw lEtrerneto10 description Linscto Ra sw lEthernetort description Lincto PA swe Hostname swe swe VLAN 1 IP address 10:10.2.424 swe Detaut gstoway 10-102, swe Etherneto10 description Link to Re swe lEtnerneto/t description Linseto Po swe Hostname swe swe VLAN 1 IP acéress l2os.0.212.4124 swe Detaut gsteway l2os.0.212.11 swe lEtrerneto10 description Linscto R3 swe lEtherneto!t description insets Sev2 RI Hostname Ri RI Etherneto10 description Lines to swt RI lEtherneto10 IF address 10:10.3.1724 RI lEthernetort description Linseto swe RI lEtherneto IP access 10:10.2.1724 RI lEtrernetora description Linscto Re RI lEthernetO IP address 108.51.100.2:28Device |characteristio lvaiue R2 Hostname ko R2 thereto" description link to swe Ra Ethere010 I aeiass frosc.r1a.1r04 R2 Etnemes012 description into Ret Fa etree I acess je.51.100.128 ‘The PC and SRVs in the virtual lab environment are simulated as routers, o you should use Cisco 10S commands to configure them or make verifications. Global IP Address Networks ‘Adress Block Host starting lost Ending Adcress |Broadeast Address [Subnet Mask laces 19202028 jreaoz lteao2254 je20.2.256 lass-256-255.0 ve8.51.100028 lies sit0o+ | 460 51.100256 08.51 100.265 loss-2se-255.0 2080.11.04 [20s 0112.4 [20s 212.258 l2030.+19.256 lass.26.255.0 Task 1: Configure Dynamic NAT and PAT Activity Step 1 ‘The static NAT configuration is in place. It is now time to explore dynamic NAT translation by | using a pool of IP addresses. First, access the console of PCI and verify that it cannot ping SRV2 (On PCI, enter the following command FCLE ping 203-0.213.30 Sending 5, 100-byre TOP Echos to 202 Salcees rate de 0 percent (0/5) ‘The failure of the ping process is not a failure om the delivery of the echo requests from PCI to ‘SRVD; it is a failure on the retum of the echo replies from SRV2 to PCI. Because there is no. ‘translation that is configured for PC1, SRV2 receives the echo requests that come from 10.10.1.10. When SRV? ties to reply to 10.10.1.10 from within the public IP address space, R2 does not have a route that it can use to get tothe private IP address space. On RI, define a pool of NAT addresses named "NatPoo!” by specifying the address range from 198.51.100.100 to 198.51. 100.149. NetworkingStep 3 Step 4 Step 5 On RI, enter the following command: Rit cont Ri (config)? ip nat pool NatPool 198-51.100 400 198.51.100.449 netmask 255.255.255.0 ‘Verify that access list 10 is still in place, permitting addresses ftom 10.10.0.0/16. (Oni, enter the following command: Ri lconfigh? do show access-list 10 Seandard IP access List 10 110 pexniz 20.20.0.0, widdzard Bice 0.0.255.255 On RI, verify which interfaces are NAT inside and NAT outside. Ri (configl? do show ip nat statistics f) cocurred 00:08:10 ago Dynamic mappings: Normal dears: 0 Gueued Packets: 0 Define a dynamic translation rule that specifies access list 10 as the source and that uses addresses from the pool NetPool, then leave configuration mode| On RI, enter the following commands: (config)? Sp nat inside source list 10 pool HatFool (contig) # end ‘Verify that there is now bidirectional comnectivity between PCI and SRVV2. Access the console of PC! and send a ping to SRV2. On PCI, enter the following command: POLE ping 203.0.123.30 Sending §, 100-nyte TO Echos es 202. 123.20, eémacue 2 seconde: Success rate is 100 percent (5/5), round Access the console of R and view the current translation table,Step 7 Step & OnRI, enter the following command: 382.81.100.100 10-1.10 Ifyou proceeded quickly enough, three translations will be inthe table. ‘The extended translation that is associated with the ICMP session is short-lived and may have timed out. Ifit did, you can resend the ping from PC! and display the translation table again. ‘There is @ simple entry in the table that is associated with the assignment of an address from the pool fo PC! By default, dynamic translations that are assigned from a NAT pool have 2 24-hour inactivity timeout. o, the translation for PCI to 198.541.100.100 will persist as long as it is used atleast once per day ‘The third entry that is translating 10.10.2.20 to 198.51.100.20 is the static entry One at atime, access the consoles of PCI, SWI, and SW2. From PCI, execute a Telnet session to SRV). From SW and SW2, send pings to SRV2. (On PCI, enter the following command: FOLE telnet 203.0.113.30 Taping 209.0.112.30 -_- Open On SW1, enter the following command: Sm1g ping 203-0.213.30 Success rate dz 100 percent (5/5), ranch (On SW2, enter the following command: S828 ping 203-0.213.30 Success rate ds 100 percent (5/5), raunch-erip min/avg/max = 1/20/1008 ms Retum to the console of R1 and view the translation table. (On RI, enter the following command: (isco Networking Davies:Step 9 Step 10 Step 11 Pes Inside giezs) jeide Ieee) Outside Local 100. 100 10 - - ‘The extended ICMP entries that are associated with the ping activity are short-lived. You can always try to resend the ping and redisplay the translation table. ‘SWI (10.10.1.4) and SW2 (10.10.2.4) have been assigned IP addresses from the NAT pool. ‘Again, there is a 24-hour inactivity timeout on these dynamic entries by default Display the translation statistics on RI. On RI, enter the following command: Rif ch ip nat ctatictice ated packet: a"Tnside Source (ai 1] aceesevlist 10 pool MatPool segcount 4 sic, total addresses 50, allocated 3 (6%), misses 0 12, CEE Funsed packets: 0 Kemal doses: 0] eeued Packers ‘The statistics that are displayed in the ab environment will likely differ from the example. But, in any case, statistics include the current status such as the current active translation count, historical statistics such asthe largest number of translations that are seen on RU, and configuration information such as the details of the NAT pools. Retum to the console of PC! and terminate the Telnet session to SRV2. On PCI, enter the following command: sRv2> exit by foreign hazelStep 12 OnRI, enter the following command: Rit cleae ip nat translation * Display the translation table, verifying the removal ofthe dynamic entries. On RI, enter the following command: show ip nat translation ‘The dynamic entries have been removed, but the statically configured entry for SRV1 remains Feel ftee to continue with independent exploration of NAT concepts within the lab environment ‘This isthe end ofthe discovery ib, NetworkingTroubleshooting NAT When you have [Pt comectivty problems ina NAT environment, it is often difficult to detenmine the cause of the problem, NAT is often blamed, whem in reality there is an underlying problem. When you are ‘tying to determine the cause of an IPv-4 connectivity problem, it helps to eliminate NAT as the problem, Troubleshooting NAT sei Lemke Follow these steps to verify that NAT is operating as expected: 1. Verify that translations are occuring: — Use the show ip nat translations command to determine if translations exist in the translation table. — Verify that the translation actually is occurring by using the show ip nat statisties and debug ip nat commands — Use the show access-list command to verify thatthe ACI. that is associated with the NAT] ‘command is permitting all necessary networks. — Use the show ip nat statistics command to verify thatthe router interfaces are appropriately defined as NAT inside or NAT outside. — Ifsome devices have connectivity but others do not, the NAT pool might be out of addresses. 2. Iftranslations are occurring but there is no connectivity, use the show ip route command to verify that ‘there is a return route to the translated address. (Cisco Systems, Ine Intrconnectng isco Networking Devioes: Accelerated (CCNATroubleshooting NAT (Cont.) Are Addresses Being Translated? © Monitor NAT statistics Verify that the NAT ACL is permitting all nesessary networks: Ina simple network environment, itis usefal to monitor NAT statistics with the show ip nat statisties command. The show ip nat statistics command displays information about the total number of active translations, NAT configuration parameters, the number of addresses inthe pool, and the mumbers that have been allocated. However, in amore complex NAT environment, with several translations taking place, this show command may not clearly identify the issue. Itmay be necessary to run debug commands on the router. Note Youcen use the clear ip nat translation * cornmand fo clear all dynamic aderess renslation entries. By dlefauit translation enries ime out after 24 hours. When testing the NAT configuration. itoan be useful fo lear transistors, (isco Networking Davies:Troubleshooting NAT (Cont) To display detailed dynamic data and events, you can use debug ‘commands, * Adebug command can intensively use device resources. Use carefully on production equipment, = After troublesheating, always tun off debug with the no debug all command, Display information about every packet that the router transtated: 1 eg sp mat Note The debug command, espacial the debug all command, shoud be used sparingly These commands cant cisrut router operations, The debug commands are useful when configuring or troubleshooting = network, However, they oan make intensive use of CPU and memory rescurces. is reoammended that you run as {few dabug processes as necessary and csable them immediately when they sre no longer needed. On, production networks, you shouls use the debug commands with caution because thay can affect the performance ofthe devioe ‘The debug ip nat command display’ information about every packet thatthe router translates, which helps you to verify NAT operation. The debug ip mat detailed command generates @ description of each packet that is considered for translation. This command also provides information about certain erors or exception conditions, such 2s the failure to allocate a global address. The debug ip mat detailed command generates, more overhead than the debug ip nat command, but it can provide the detail that you need to troubleshoot the NAT problem. Always remember to tum off debugging when finished. ‘The example shows a sample debug ip nat output. Inthe output, you can see thatthe inside host 10.1.1.100| initiated traffic to the outside host 209.165.202.131 and has been translated to the address 209.165.201.1 For decoding the debug output, note what the following syiubols and values indicate: ‘The asterisk next to "NAT" indicates thet the translation is occurring in the fast-switched path. The frst ppackst in a conversation is always process-switched, which is slower. The remaining packets go through ‘the fast-switched path if cache entry exists Refers to the source IP address. + abedowxyz Indicates that source adiress abcd is translated to wxy-zee Refers to the destination IP adress. + fexxx] ‘The value in brackets is the IP identification mumber. This information may be useful for debugging because it enables comelation with other packet traces ffom protocol analyzers. Finally, you should make sue that the ACL that the NAT command references is permitting all the necessary networks. Notice that ACLs use wildcard masks and not subnet masls. Iftranslations are occurring but there is no connectivity, verify that the remote router has a route to the translated address, Troubleshooting NAT (Cont.) If translations are occurring but a ping to the remote network still fils, the seue might be a missing route] back to the translated address. This problem can arise in NAT between a headquarters and branch office. It is usually not an issue when comnecting to an ISP, because the service provider takes care of routing all the necessary trafic back to the customer. 58 lnteroonneding Cisco Networking Devices: Acca 1d (CONAN 2017 Cisco Systems, neTroubleshooting NAT (Cont.) (©2017 Cisco Systems, ne Intrconnectng isco Networking Devioes: Accelerated (CCNADiscovery 15: Troubleshoot NAT Introduction Job Device Information Device Information Table| Device |characteristio lvaiue Pct Hostname pcr Pet Ip adios ho10.4.2028 Pot Deteuttasteway jor0.4.4 Poe hostname poe Poe lp sderass hora.r2024 Poe eteut goteway foros. SRV Hostname lsrwDevice |characteristio. Value SRV lp aacrass l2os.0.212.20026 SRV Detaut gateway l2os.0.r13.1 Swi Hostname lew Swi [VLAN 1 IF darose ro.10.3.4726 Swi Detaut getensay roto. sw lEtharnet010 description Linscto Ra sw lEthernetot description Lincto PA sw lEtherneto description Linseto Po RI Hostname Ra RI [EthernetO0 description Linke to swt RI lEthernet010 IF eddies ro.t0.3.1128 RI lEtherneto description Link to Re RI lEthernetor IP address 98.51.1022 Re Hostname Re Re lEtherneto description Linseto SRV Re lEtherneto10 IF address J20s.0.213.1104 Re lEthernetora description Linscto Ra Ra lEthernetor IP ederess 08.81.100.1128 ‘The PCs and SRY in the virtual lab environment ae simulated as router, so you should use Cisco 10S commands to configure them or make verifications. Task 1: Troubleshoot NAT Activity Step1 PC! and SRV are mable to ping after a new NAT configuration is put in placecz Step 2 etnovt ‘Swit etnov2 ‘The figure shows that PCI (10.10.1.10) cannot ping SRV (203.0.113.30). Router Ri has a default gateway set to 198.51.100.1. ‘The ping from PCI to SRV will fail FOIE ping 203-0.213.30 ‘Type escape sequence to abort. Sending 5, 100-byre IGMP Echos to 202.0.112.90, taneous is 2 seconde Saicees cate de 0 percent (0/8) ‘Verify the relevant part of the configuration on RL RIP chow xunning-config <.-- outpur emeted o> interface Etheme=0/0 Sp ddeess 10-10.1.1 255.258 .255.0 Sp nav cusside eta iouepes emteed -.> incerface Echeme:/2 description Link ro 52 ip nat inside source dist 20 invertace Stherner0/2 overload setess-List 20 pammie 0.0.0.0 255.285.285.0 Seve SutpUE emitted «=. ‘To troubleshoot the problem, use the show ip nat translations command to see if any translations are curently inthe table. On RI, enter the following command: Rig show ip nat translations Re (isco Networking Davies:Step3 Step 4 Step 5 ‘Translations are not occurring, Next, you must determine whether any translations have ever taken place and identify the interfices between which translation should be occurring. Use the show ip nat statist command. On Ri, enter the following command: RIE chow Sp nat ctatictioe 20 (@ static, 0 dynamic; 0 exvended) Javed packer: Expired transiavions a "Tnside Source | CEE Puneed packer: nec0/ xefeount 0 Appl doore: @ Normal doors: 0 Gueed Packer ‘The NAT counters are at 0, verifying that no translation has occurred. The Ri router interfaces are incorrectly defined as NAT inside and NAT outside. Fix the Ri router configuration, Oni, enter the following command: Rif cont Bo ip nat outride Ep nat aneide ster Eth0/3 bo Sp nat inside Sp nat outside Verify comectivity between PC1 and SRV. The ping from PC! to SRV will fail again FCLE ping 203.0.123.30 Type escape sequence to Success rate is 0 percent (0/5) Verify thatthe access lst is correct. (Oni, enter the following command: RIP chow gecere-Lict Seandard IP access 1i: 10 permit 9.0.0. 20Step 6 Step 7 Pca ‘The access list has the wrong wildcard mask. The wildcard mask is matching on the fourth octet only. You will need to invert the wildcard mask and define the comrect network part of the access ist (On Ri, fix the access list OnRi, enter the following commands: RIE cone & Enter configuration comunds, one per Line. End with GWIE/Z. Rilconfig)? po accece-iist 20 Rilconfig)? access-list 20 pexmst 20.10.1.0 0.0.0.255 After you have corrected the wildcard mask, generate another ping ftom PCL to SRV. The connectivity testis mow a suocess. Verify that translations are occurring and that you have connectivity to the remote network, Etnovt (On PCI, enter the following command FCLE ping 203-0.213.30 Sending §, 100-byte ICMP Echos to 202.0.119.90, timeout is 2 seconde Surcess rate de 100 percent (5/5), rownc-rsip min/arg/max = 1/2/2 me On RI, enter the following command: Rit ch ip nat translations £ 1.100.2:22 26.404.20/12 208.0.129.20:12 202.0.82.20.12 ‘hiss the and ofthe ciccovery lab, (isco Networking Davies:Challenge 1 Which option is the customer side of the demarcation point? A OPE B. CIE C. CRE ‘The following are methods that are used to comnect small offices tothe intemet. Which method would ‘you use if you had an environment filled with EMI and RFT? Which statement is true regarding the show ip nat translations command? A. The show ip nat translations command displays which interfaces are enabled for NAT configuration in the router B. The show ip nat translations command displays the active NAT connections on a router. C. The show ip nat translations command display inside translations only containing the specified ‘elobal-ip and local-ip addresses. Which two options are eliminated with the use of NAT? (Choose two.) A. the need to readdress all hosts thet require external access BL [Paddress conservation C. the revealing of private addresses outside of the network D. performance problems and switching delays Which option is the [Pv address of an outside host as it appears to the inside network? A. inside local address B. inside global address C. outside elobal address D. outside local address What is the difference between static NAT and dynamic NAT? A. Static NAT maps one-to-one, and dynamic NAT maps one-to-many B Static NAT maps one-to-many, and dynamic NAT maps many-to- ©. Static NAT maps one-to-one, and dynamic NAT maps many-to-many. Which translation technology would most likely be used at ome, especially for comecting devices such as tablets, phones, and PC's through the DSL. Intemet connection? AL static NAT B. dynamic NAT c. PATAnswer Key Challenge OUPModule 3: Summary Challenge Introduction ‘This module chellenges you to use the Imowledge and sil thet you have obtained related in the Building a Simple Network and Establishing Internet Comectivity modules(28 —_Interconnectng Cisco Networking Davies: Accelerated (OCNANY (© 2017 Cisco Systems neLesson 1: Establish Internet Connectivity Introduction Inthis lesson, you are required to implement and establish Intemet connectivity Challenge 1. router needs which four options to allow the users inside its network to comnect tothe Tntemet? (Choose four.) A. adefauit route tothe ISP router 2 static route to the ISP router a static NAT statement 2 PAT statement using an ACL ‘the interface that is facing the Internet to be designated as "NAT Outside" ‘the interface that is facing the Internet to be designated as "NAT Inside” an ACL pemmitting the users who need to be connected to the Internet an ACL pemmitting the IP addresses on the Internet thet need to be accessed 2. Ifyou want to allow specific servers on the network to be accessible from the Intemet, which option ‘would youneed"| AL static NAT B. dymamic NAT c. PAT ‘You need to create an ACL that will allow only users from the marketing VLAN to access certain servers om the Internet, If you had to use a numbered ACL, which option would you use? Mommy ow Ad Bo 45 c. 99 D. 199 E1399 4, When implementing static routing to enable Intemet access, which option is the most suitable solution?” A. All devices have a default route to the border router; the border router has a default route to the ISP router. B._All devices have a static route to the border router: the border router has a default route to the ISP_4. When implementing static routing to enable Intemet access, which option isthe most suitable solution?” A. Allldevices have a default route to the border router, the border router has a default route to the ISP router. B. All devices have a static route to the border router; the border router has a default route to the ISP router. All devices have a default route to the border router, the border router has a static route to the ISP router. D. Alldeviees have a static route tothe border router; the border router has a static route to the ISP router. 5. Your company has only one uplink connection to a single ISP. When specifying the next hop in 2 default route to the ISP network, which option can you use? A. only the IP address of the ISP router B only the interface that is comnected to the ISP router C. only the IP address ofthe interface thet is conected to the ISP router D._ either the IP address ofthe ISP router or the interface that is connected to the ISP router 6. Youhave created an ACL named "Public ACL" to deny a set of public IP addresses, and another ACL named "Intemet_ACL" to permit the user network to go out tothe Internet. Your manager has asked you to apply both ACLs on the interface that is facing the user network. How would you do it? A Which two commands ensure the IP addres that will be received by a DHCP client? (Choose tw.) ip dhcp pool name utilization mark high percentage.number network network-number mask] | fprefx-length} domain-name domain dns-server address [address 2. address8} default-router address faddress2.addvess 8] lease {{specifie time] | infinite} anmuam» (isco Networking Davies:Answer Key Challenge ADEG (ConA n2017 Cisco Systems, neLesson 2: Troubleshoot Internet Connectivity Introduction In this lesson, you are required to troubleshoot Internet comnectivity Challenge 1. You are troubleshooting the following ACL, which is supposed to permit 192.168.1231 and 192.168.123.2 but not the rest of the 192.168.123.0/24 subnet. Which option would be 2 solution to ‘making the ACL work? ip accerslict 12 20 permit Host 292.160.223.1 20 peenit host 192.160.323.2 somp ‘Change ACL line 40 to deny any. ‘Change ACL line 30 to permit 192,168.123.0 255.285.258.0,| ‘Change ACL line 30 to permit 192.168.123.0 255.2550. ‘Change ACL line 30 to deny 192.168.123.0 0.0.0.285. 2. Refer to the static route configuration on Router A. Which statement about interface serial0/0/0 is comect? Router§(config)# ip route 172.16.1.0 255.256.285.0 serial0/0/0 A B, ‘The interface serial0/0/0 thet is configured inthe static route configuration is the outbound interface ofthe local router, Router A. ‘The interface serial0/00 thet is configured in the static route configuration is the inbound interface on the remote router that is connected to Router A. “You can use either the outbound interface of the local router Router A or the inbound interface of the remote router that is comnected to Router A. ‘The static route configuration is incorrect; usage of the exit interface is not accepted in IPvs static route configuration. 3. Which command would you issue on a Cisco router if you are looking for a device based on its MAC address?Which command would you issue on a Cisco router if you are locking for a device based om its MAC address? AL traceroute Bo tracert CC. showip arp D. arp-a You have applied the following outbound ACL to the interface that connects your organization to the Intemet. Why is this causing an issue for your users? list 10% deny 10.40.1.1 0.0.0.255 AL It prevents devices on the 10.10.1.0 network from accessing your network. B. It prevents devices on the 10.10.1.0 network from accessing the Internet. C. Itprevents all trafic ffom accessing the Intemet D._ It has no affect on your network ‘You see the following configuration on a router. What would you do to fix the working of the NAT? cnet 0/0 82.162. 1.1 295.255.295.0 inside inside source static 192.162.1.2 interface GigsbitEtheret 0/1 A Interface Gigabitéthemet 0/1 needs to be changed from ip nat inside to ip nat outside. B. Interface GigabitEthemet 0/0 needs to be changed from ip nat outside to ip nat inside. c. ‘The NAT statement needs to be changed so that it uses an ACL to identify the source IP address that will be translated, D, The NAT statement needs tobe changed so that itis ip nat outside source static 192.168.1.2 interface gigabitethernet 0/1 (isco Networking Davies:6. Inspect the following configuration. Which statement is correct? Routexhf Show edp neighbors Capability Codes: R- Router, T ~ TransBridge, 5 ~ Source Route Beddge Router’ a7 Ret peu RouterA# show run interface £0/0 jchernet 0/0 RoutexAf show run interface 0/1 chemnet 0/1 492.168.4.1 255.255.255.0 RouterAf show run invert = 20/0/0 RoutexAf show accessvlise Lise 10 pemiz any A. From the Cisco Discovery Protocol table, itis clear from the "platform information thatthe device with hostname SwitehA is actually a router. B. The connection to Switch is incorrectly appearing on the Ciseo Discovery Protocol neighbor table C. Access list 10 is preventing any connectivity to SwitchA D. The connection to SwitchA is through FO\0. However, its FO/I that is configured with an IP address and not FO‘0) 7. Inspect the following configuration and explain why the interface on the router isnot able to reesive 2 ‘DHCP-assigned IP address from the neighbor router. RouterA# show run invert Echernet 0/0 fe Ethernet 0/0 ‘The interface already has an IP address statically assigned. ‘The interface is probably going to get an IP address from a dynamic routing protocol. ‘The interface has a no ip address command configured. Itneeds the ip address dhep command instead, 1D. The interface is shat down, It needs to be issued with the no shutdown command, PepAnswer Key Challenge D auroorModule 4: Implementing Scalable Medium-Sized Networks Introduction When you understand how a switch and router operate, and how they communicate, you can move on to fanding an expanded network. This module shows how to "virtualize" your LAN using VLANs and how to configure Layer 3 connectivity between these VLANs. Then it describes how to decrease the administrative burden of assigning IP addresses by using DHCP. You wil also learn how to configure and troubleshoot RIPY2.78 Interconnectng isco Networking Davies: Accelerated (CCNA) (© 2017 Cisco Systems neLesson 1: Implementing and Troubleshooting VLANs and Trunks Introduction ‘Your boss sends you to your customer to add 2 VLAN into their network for theirIT department. You need to understand the common issues in a poorly designed local network, such as large broadcast, failure domain, limited security control, and so on. You need to understand the VLAN operation along with rum encapsulation. Before going tothe customer premise, you will need to design VLANs, IP addressing, VLANs for special traffic types, and VLAN secunty practice. You will also explain the configuration steps to the customer IT department and inform them about the role of the DTP and VTP. Enterprise Network De: Each layer—access, distribution, and core—prowides different functionality and capability to the networl Enterprise Network Design hierarchical LAN desian.Ablierarchical LAN design includes the following thrae layers: © Access layer: Provides one ‘endpoints and users with direct ‘access to the network Distribution layer: Aggregates ‘scvess layers and provides ‘connectiviy to services + Core layor: Provides connectivity batwoen distribution layers for large LAN environments Depending on the characteristics of the deployment site, you might need one, two, or all three layers. For example, a site that occupies a single building might only require the access and distribution layers, while a campus of multiple buildings will most likely require all three layers. Access Layer ‘The access layer is where user-controlled devices, user-accessible devices, and other endpoint devices are connected to the network. The access layer provides both wired and wireless connectivity and contains features and services that ensure security and resiliency for the entire network. Access Layer Vie re The access layer provides: * Device connectivity + Resiliency and secuity services * Voice and video support 20 lteroannating Gece Networking Devices Acca 1d (CONAN 2017 Gio Systems, ne + Device connectivity: The access layer provides high-bandwidth device connectivity. To help make the network a transparent part of the day-to-day job of an end user, the access layer must support bursts of high-bandwidth traffic when users perform routine tasks. Common routine tasks include sending large ‘emails or opening a file from an internal web page. Because many types of end-user devices comnect at ‘the access layer—PCs, IP phones, WAPs, and IP video surveillance cameras—the access layer can support many logieal networks, delivering benefits for performance, management, and security.+ Device connectivity: The access layer provides high-bandwidth device connectivity. To help make the network a transparent part of the day-to-day job of an end user, the access layer must support bursts of high-bandwidth traffic when users perform routine tasks. Common routine tasks include sending large ‘emails or opening file from an infernal web page. Because many types of end-user devices comnect at ‘the access layer—PCs, IP phones, WAPs, and IP video surveillance cameras—the access layer can ‘support many logical networks, delivering benefits for performance, management, and securit + Resiliency and security services: The access layer design must ensure thatthe network is available for all users who need it, whenever they need it. As the comection point between the network and client devices, the access layer must help protect the network from human errors and from malicious attacks. ‘This protection includes ensuring that users have access only to authorized services and preventing end- ‘user devices from taking over the role of other devices on the network. When possible, this protection ‘mechanism should also verify that each end-user device is allowed on the network + Advanced technology capabilities: The access layer provides a set of uetivork services that support ‘advanced technologies, such as voice and video. The access layer must provide specialized access for ‘devices using advanced technologies to ensure thet trafic from these devices is not impaired by traffic ‘fom other devices. The access layer must also ensure efficient delivery of traffic that many devices in ‘the networkneed. Distribution Layer ‘The distribution layer supports many important services. Ina network where connectivity needs to traverse the LAN end to end, whether between different access layer devices or from an access layer device to the WAN, the distribution layer facilitates this comectivity Distribution Layer The distribution layer provides: Routing and packet manipulation = Scalability+ Routing and packet manipulation: The distribution layer is the layer that provides policy-based comectivity. In tenus of IP routing, the distribution layer represents a redistribution point between routing domains or the demarcation between the static and dynamic routing protocols. The distribution layer can also be the point at which tasks such as controlled routing decisions and filtering occur. + Scalability: At any site with more than two or three access layer devices, it is impractical to interconnect all access switches. The distribution layer serves as an aggregation point for multiple access layer switches. The distribution layer can lower operating costs by making the network more efficient. Eficiency can be accomplished by requiring less memory, creating fault domains that compartmentalize failures or network changes, and by processing resources for devices elsewhere in the network. The distribution layer also increases network availability by containing failures to smaller domains. Core Layer Ina large LAN environment, you often need to have multiple distribution layer switches. One reason for this is that when access layer switches are located in multiple, geographically dispersed buildings, you can save potentially costly, fiber-optic runs between buildings by locating a distribution layer switch in each of | these buildings. As networks grow beyond thee distribution layers ina single location, you should use a core layer to optimize the design. Core Layer ‘The core layer provides: © 2lshour connectivity + High-speed forwarcing betwoen diferent distribution modules + You should imploment as few policies as possible Another reason to use multiple distribution layer switches is when the mumber of access layer switches Connecting to a single distribution layer exceeds the performance limits ofthe distribution switches. In 2 modular and scalable design, you can colocate distribution layers for the data center, WAN connectivity, or Intemet edge services. In environments where multiple distribution layer switches exist in proximity, and where fiber optics provide the ability for high-banduidth intercomnect, a core layer reduces the network as the example shows, (isco Networking Davies:The core layer ofthe LAN is a critical pat ofa scalable network, and yet itis one of the simplest by design. ‘The distribution layer provides fault domains, andthe core represents 24-hour comnectvity between them, ‘which organizations must have in the modem business environment where comectivity to resources is critical.Issues in a Poorly Designed Network A poorly designed network has increased support costs, reduced service availability, and limited support for new applications and solutions. A less-than-optimal performance directly affects end users and their access to central resources, Issues in a Poorly Designed Network These issues are often found in poorly designed networks: Large broadcast domains Management and support challenges Possible security vulnerabilities Failure domains oS = ea z + Large broadcast domains: Broadcasts exist in every network. Many applications and network operations use broadcasts to fumetion property. Therefore, you cannot eliminate them completely. In the same way that avoiding failure domaine involves clealy defining boundaries, broadcast domains should also have clear boundaries. They should also include an optimal number of devices to minimize the negative effect of broadcasts + Management and support difficulties: A poorly designed network may be disorganized, poorly documented, and lack easily identified traffic flows. These issues can make support, maintenance, and problem resolution time consuming and difficult + Possible security vulnerabilities: A switched network that has been designed with litle attention to security requirements at the access layer can compromise the integrity of the entire network. + Failure domains: One of the reasons to implement an effective network design is to minimize the extent of problems when they occur. When you do not clearly define Layer 2 and Layer 3 boundaries, 2 {lure in one nefwvork area can have a far-reaching effect A poorly designed network always has a negative effect. It becomes 2 support burden and a cost burden for ‘any organization.VLAN Introduction To understand VLANS (or virtual LAN®) its important that you have a solid understanding of LANs. A LAN is a group of devices that share a common broadcast domain. When a device on the LAN sends broadcast messages, all ofthe other devices on the LAN receive them. You can think ofa LAN and 2 broadcast domain 23 being basicaly the same thing. Without VLANs, a switch considers all ofits interfaces tobe in the same broadeast domain. In others words, all connected devices are inthe same LAN. With VLANs, a switch can put some interfaces into one broadcast domain and some into another. The individual broadcast domains that are created by the snitch are called VLANs. VLAN Introduction + AVLAN isa witual LAN, + VLAN = broadcast domain = VLAN = logical network (subnet) + VUANS address these needs: Segmentation ~ Seeusty Network esity LANs improve network performance by separating large broadcast domains into smaller segments. A. VLAN allows a network administrator to create logical groups of network: devices. These devices act like they are in their own independent network, even if they share a common infrastructure with other VLANs. | AVLANis a logical broadcast domain that can span multiple physical LAN segments. Within the switched intemetwork, VLANs provide segmentation and organizational flexibility. You can design a VLAN structure that lets you group stations that are segmented logically by fictions, project teams, and applications without regard to the physical location of the users. VLANs allow you to implement access and security policies to particular groups of users. You can assign each switch port fo only one VLAN, which adds 2 layer of security (ifthe port is operating as an access port). Ports in the same VLAN share broadcasts. Ports in different VLANs do not share broadcasts. Containing broadcasts within a VLAN improves the overall performance of the network: ‘A VLAN can exist ona single switch or span multiple switches. VLANs can include stations in a single building or multiple buildings. VLANs can also connect across WANS. The process of forwarding network traffic ffom one VLAN to auother VLAN using a router is called inter-VLAN routing. VLANs are associated with unique IP subnets on the network. This subnet configuration facilitates the routing process ina multi-VLAN environment. When you use a router to facilitate inter-VLAN routing, you can comnect the router interfaces to separate VLANs. The devices on these VLANs send trafic through the router to reach, other VLANs. Usually, the subnets are chosen according to which VLANs they are associated with. The fleure shows that VLAN duses subnet 10.0.2.0/24, VLAN'S uses 10.0.3.0/24, and VLAN 4 uses 10.0.4.0/24. In this example, the third octet clearly identifies the VLAN that the device belongs to. ® 17 Cisco Systems, Inc Intrconnectng Cisco ring Devices: Aoelaratd (CCNAX)Fach VLAN in a switched network comesponds to an TP network. Therefore, a VLAN design must take into consideration the implementation of a hierarchical, network: addressing scheme. (isco Networking Davies:Creating a VLAN For many Cisco Catalyst switches, you can use the vlan global configuration command to create 2 VLAN and enter the VLAN configuration mode. Use the no form of this command to delete the VLAN. The example shows how to add VLAN J to the VLAN database and how to name it "Sales." Creating a VLAN Create VIAN2 VY Add VLAN 2 and name it "Sales." Fes ‘The following table lists the commands to use when adding a VLAN. ‘Command and Variable Description vlan vlen-id [re ID ofthe VLAN that you want to ede and oanigure. Do not enter leading zeros Jvoucan enter single VID, a series of VIDs that ae separated by commas, ors ange of Vids thet are Separated by hyphens. name vlan-name |Optianal) Spestfes the: VLAN name, which is an ASCII string fram 1 to 22] [characters that must be unique within the administrative domain. Toadd a VLAN to the VLAN database, assign a number and name to the VLAN. VLAN 1 isthe factory default VLAN. Nonmal-range VLANs are identified with a mumber between 1 and 1001. The VLAN rmumbers 1002 throuzh 1005 are reserved for Token Ring and FDDI VLANs. VIDs 1 and 1002 to 1005 are automatically created, and you cannot remove them. ‘The configurations for VIDs 1 to 1005 are written to the vlan dat file (VLAN database). You can display the VLANs by entering the show vlan privileged EXEC command. The vian dat file is stored in lash memory To add an Ethemet VLAN, you must specify at least a VLAN mumber. If you do not enter a mame for the VLAN, the default is to append the VLAN number to the vlan command. For example, VLANO0O4 would be the default name for VLAN 4 if you dant specify a name. For more details about the vian (VLAN configuration mode) command, see the Cisco JOS LAN Switching Command Reference at hitp:/wunn.cisco.com/c/en/ust/docs/ios/lanswitch/command/reference/isw_book htmCreating a VLAN (Cont.) Vety VLAN 2. After you configure the VLAN, validate the parameters for this VLAN. Use the show vlam id vian._mnder or the show vlan name viar-namie command to display information about a particular VLAN, The figure shows an example of using the show vlan command to display the contents ofthe vlan dat file. The "Sales" VLAN, which is VLAN 2, is highlighted in the example. Use the show vlan command to display information on all configured VLANs. The show vlan command displays the switch ports that are assigned to each VLAN, Fox more details about the show vlan command, see the Cisco JOS LAN Switching Command Reference at http: Awww.cisco.com/c/en‘us'td/docs/ios lanswitch/command/reference/Isw_book- html. 28 —_lnteroonnecing Cisco Networking Devices: Acca 1d (CONAN 2017 Cisco Systems, neAssigning a Port to a VLAN ‘When you connect an end system to a switch port, ou should associate it with a VLAN im accordance with the network design. To associate a device with a VLAN, assign the switch port to which the device comects toa single-data VLAN. The switch port, therefore, becomes an access port. Assigning a Port toa VLAN ‘Assign Fastethernet013 to VLAN 2 Y Feo The table lists the commands to use when assizning a port to a VLAN. ‘Command and Variable Description ‘interface interface Enters the intertace conigurstion mode ‘switchport access vian [Seis e norirunking, untagged, single VLAN Layer ?interfacd ‘vlan rumber ‘After creating a VLAN, you can manually assign a port or many ports to this VLAN. & port can belong to only one VLAN ata time Note By defaut al ports are members of VLAN 1Assigning a Port to a VLAN (Cont) Verity that port FastEthernet0/3 was assigned to VLAN 2. Assigning a Port toa VLAN (Cont.) Verity VLAN membership on the FastéthernetO/ interface “ch show Antertace Tasettarnet#/2 evLtetpoct Use the show vlan privileged EXEC command to display the VLAN assignment and membership type for all swatch ports. The show vlan command displays one Iie for each VLAN. The output for each VLAN includes the VLAN name, status, and switch ports. For more details about the show vlan command, see the Cisco JOS LAN Switching Command Reference at http: www.cisco.com/c/en‘us'td/docsios lanswitch command/reference/Isw_book- html. Altematively, use the show interfaces switchport privileged EXEC command to display the VLAN information for a particular interface. The output in the example shows the information about the FastEthemet0/3 interface, where VLAN 2, which is named "Sales,” is assigned. 60 lnteroonnecing Cisco Networking Devices: Acalratedl (CCNAX} 2017 Cisco Systems, neFor more details about the show interfaces switchport command, see the Cisco JOS LAN Switching Command Reference at hitp:/wunn.cisco.com/c/en/ust/docs/ios/lanswitch/command/reference/lsw_book htmTrunking with 802.1Q Rumning many VLANs between switches would require the same number of interconnecting links. Trunking with 802.10 Ifevery port belongs to one VLAN, and you have several VLANs that are configured on switches, interoomnecting these VLANs would require one physical cable per VLAN. When the munber of VLANs increases, so does the number of required interconnecting links. Ports are then used for interswitch, connectivity instead of attaching end devices, Trunking with 802.1@ (Cont.) = Combining many VLANS on the same ports called trunking, + trunk allows the transportation of frames from different VLANS, + Each frame has a tag that specifies the VLAN that belongs to. = The device forwards the frames to the corresponding VLAN based on the {ag information, 2 Interconnectng Cisco Networking Davies: Acoserated (CCNA) 2017 Cisco Systems, neVLAN Tagging For VLANs in networks that have multiple interconnected switches, the switches must use VLAN trunking on the segments between the switches. VLAN trunking causes the switches to use a process called PLAN" togging so thatthe sending switch adds another header tothe frame before sending it over the tumk. This entra VLAN header includes 2 VID (VID field) so that the sending switch can listthe VLAN ID and the receiving switch can identify the VLAN that each frame belongs to. The figure shows the basic idea. VLAN Tagging Trmking allows switches to pass frames from multiple VLANs overa single physical conection. For example, the figure shows Switch I receiving a broadcast frame on the FaQ/1 interface, which is a member of VLAN 1. Ina broadeast, the frame must be forwarded to all ports in VLAN 1. Because there are ports on ‘Switch 2 that are members of the VLAN 1 switch, the frame must be forwarded to Switch 2. Before forwarding the frame, Switch 1 adds a header that identifies the frame 2s belonging to VLAN 1. This header | tells Switch 2 thatthe frame should be forwarded to the VLAN 1 ports, Switch 2 removes the header and then forwards the frame for all ports that are part of VLAN 1. ‘As another example, the device on the Switch 1 Fa0)S interface sends a broadcast. Switeh 1 sends the broadcast out of port Fa0/6 (because this por is in VLAN 2) and out Fa0/23 (because itis a unk, meaning that it supports multiple VLANs). Switch 1 adds a trunking header to the frame, listing a VLAN ID of 2 ‘Switch 2 strips off the trunking header because the frame is part of VLAN 2, so Switch 2 knows to forward the frame out of only ports Fa0/5 and Fa0"6 and not ports Fa0/1 and FaQ2. (Cisco Systems, Ine Intrconnectng Cisco Networking Devioes: Accolerated (CCNA) 0SIEEE 802.1Q ‘The JFEE $02.10 inserts an extra 4-byte VLAN header into the Ethemet header ofthe original frame. As a result, the frame stil has the original source and destination MAC addresses. Also, because the original header has been expanded, 802.10 encapsulation forces a recalculation of the original FCS field in the Ethemet trailer because the FCS is based on the content of the entire frame. The figure shows the 802.1Q header and framing ofthe revised Ethemet header. IEEE 802.10 [[ieentasees TT seonasen Teme [eee [res] [Cot acerees Tsouce assess] = [evtive Tous Tres] Tipe bm OF) Pranyem) | _Featieo | wawocree Tag fields follow: ‘Type or tag protocol identifier is set toa value of 0x8100 in order to identify the frame as an IEEE 802.10-tagged frame. Priority indicates the frame priority level that can be used for the prioritization of traffic If flagis 1, the MAC address isin noncanonical format. If flag is 0, the MAC address is in canonical format ‘VLAN ID uniquely identifies the VLAN to which the frame belongs. Inteconnactng isco Networking Davies: Accslerated (CCNA) 2017 Cisco Systems, neConfiguring an 802.1Q Trunk Configuring an 802.1@ Trunk How do you configure an 802.10 trunk? 1. Enter tho interface configuration mode, 2, Configure the: FaQ/11 interface as @ VLAN trunk, 3. Change the native VLAN from 1 10 99. Configure the interface as a trunk. Fant F006 ‘Command and Variable Description ‘interface interface Enters tne intertve configurstion mod, sswitchport mode trunk sets the interiace type. The trunk keyword species trunking VLAN Layer? fmertace ‘switchport trunk native vlan [Sets the native VLAN forthe truniin the ‘vlan_pumber Q tring mece| ‘The example configures the FastEthemet0/11 port on Switch X as a trunk port. Use the switchport mode interface configuration command to set a Fast Ethernet port to trunk mode, Many Cisco Catalyst awitches support DTP, wich manages automatic trunk negotiation. DTP isa Cisco proprietary protocol. Switches from other vendors do not support DTP. DTP is automatically enabled on a switch port when certain trunking modes are configured on the switch port. DTP manages trunk negotiation only ifthe port on the other switch is configured in a trunk mode that supports DTP. ‘The example shows the configuration of interface FastEthemet)/I1. The switchport trunk mode command sets the FastEthernet0/11 port to the tuk mode, The example shows the reconfiguration of the native VLAN. VLAN99 is configured as the native VLAN. Therefore, the device will send the traffic from VLAN 99 untagged ‘Make sure thatthe other end of the trunk link (Switeh Y) is configured for trunking and with the native VLAN that is changed to 99.Note Fordetais cn all ofthe parameters thet are assccited withthe switchport mode interace command. vist tp: hun: cizo0.comlen/USidoceiicelmelalelescemelll, hem Configuring an 802.1 Trunk (Cont) Verity a trunk on the FastEthernet0/11 interface, To verify a trunk configuration on a switch, use the show interfaces switchport and show interfaces trunk commands. These two commands display the trunk parameters and VLAN information of the port, For more details about the show interfaces switehport and show interfaces trunk commands, see the Cisco 10S interface and Harchware Component Command Reference at bntp:/‘wwvw.cisco.com/en/US/docs/ios xml ios interface/commandlir-s5 hal. Configuring an 802.10 Trunk (Cont.) | 36 —_lnteroonnecing Cisco Networking Devices: Acslrated (CCNAX} 2017 Cisco Systems, neDiscovery 16: Configure VLAN and Trunk Introduction This discovery lab will guide you through several expects of VLAN operations, including the management of VLANs, and using trunks to camry multiple VLANs across a single physical link. The devices are configured as pictured in the topology diagram. Currently, all devices have IP addresses in the 10.10.1.0°24 subnet. Only the defeuit VLAN, VLAN 1, exists initially. You will start by migrating this configuration to one that uses two VLANs. Topology Job Aids| Device Information Device Information Table Deviee \charseterstic Wvalue Pct Hostname pct Pot le adress Ho.t0.1.1074 poz Hostname pce poz > adores jo.10.1.2024 Pca Hostname pcs (Cisco Systems, Ine Intrconnectng isco Networking Devioes: Accolerated (CCNA) 7Device lcharacterstic value Pc2 lr eaerese fora 204 Pos osname roa Poa lr edorase foro aoe sw osiname [ews swt [yuan 1 iF Aaerese horas ae sw meretn0 description unc to swe sw lEternet 10 session lunctoror sw lEteenetit Session linc to Poo swe osname [ewe we [vias Padiress fotos 524 swe Etheenet00 descinton Linc to swt swe Ethernet 0 descrinton ink a Poa swe memati description luncto Pos PCs in the virtual lab environment are simulated as routers, so you should use Cisco IOS commands to configure them or make verifications. Device Information Table (Changes) Device lcharacterstic value pce [vias lp Poe lr eaerese jo102.20%4 Pos jvuars lp Pca lr ediress fo102.404 Task 1: Configure VLAN and Trunk Activity Step 1 Startby demonstrating that there is full connectivity between the devices in VLAN | om the 10.10.1.0/24 subnet. Avcess the console of PCI and pi the IP addresses of the other devices. NetoStep 2 Step 3 Enter the following commands to PCI: POLE ping 10.10.1.20 Sending §, 100-byte ICMP Echo> to 10.10.1.20, timeout is 2 mee 2 “ PCL? ping 10.10.1.30 Type tecape sequence to abort Sending §, 100-nyee TO@ Echos vo 10 2.20, timeour is 2 Success rave is ¢0 percent (4/5 PCL? ping 10.10.1.40 Type escape sequence to = Success mate is 0 percent (4 Pel? ping 10.40.44 sip min/arg/ma Success rate is €0 percent (4/5), PCL? ping 10.20.15 Type escape sequence 20 Sending 5, 100-byte ICMP Echos to Success rate is 100 percent (5/5), round imeout is 2 seconds: Now access the console of PC2 and change ite IP address to 10.10.2.20 on the 10.10.2.024 subnet. ‘The most commonly used commands are abbreviated in this guided discovery. For example, conf tis used for configure terminal. If there is any confusion, You can attempt tab completion to expand the full command syztax. For example, conf tab ¢ tab would expand to configure terminal, Enter the following commands to PC2: Fo2t cont Encer configuration comands, one per line. Fad wich GITL/Z] Fete: 20/0 ip address 10.10.2.20 255.255.255.0 At this point, PC? is still in VLAN 1, so itis inthe same broadcast domain 2s all of the other hosts. But ts IP address is configured fora different IP subnet. PC? will nt attempt ARP resolution for hosts on the 10.10.1.0/24 submet. It must use a gateway to reach the 10.10.1.0°24 subnet; however, this gateway does not even exist. PC? is curently isolated by the IP configuration Access the console of PC4 and reconfigure its IP address to be 10.10.2.40 on the 10.10.2.0/24 subnet. Enter the following commands to the PC4:Step 4 Step 5 Step 6 FCHE cont Enear sonfiguestion comands, ons per line. End with CHTE/2 ECE (config)? ant 0/0 $ ip addvese 10.10.2.40 255.255.2550 3 ena Now both PC2 and PC4 are configured for the 1¢.10.2.0/24 submet, while the rest of the hosts are configured for the 10.10.1.0/24 subnets. They are all inthe same broadcast domain (VLAN 1), but they are isolated by the IP configuration ‘Verify that PC4 can communicate with PC2 because they are both configured for the 10.10.2.0/24 submet. Attempt to ping 10,102.20. The ping should succeed. Enter the following commands to PCA: FC#E ping 10.10.2.20 Type eeeaps sequanes to chert Sending ©, 10G-zyse TOW Echos vo 40.10.2.20, timeout iz 2 seconds: -_ Success rate de $0 percent (4/5), souns-orip nin/arg/maxe = 1/1/2 m2 Access the console of SWI and verify that the only Ethemet VLAN is the default VLAN, VLAN 1 Enter the following corumand to the SW switch: SUE show vlan qouozasog == a) o - - ° a Besides VLAN 1, which is the default Ethemet VLAN, there are four other VLANs that exist by default. VLANs 1002 to 1005 exist to support the legacy Token Ring and FDDI technology rarely used in networks today. Create VLAN 2 and assign "Engineering" ss its mame Enter the following commands to the SW1 switelx (isco Networking Davies:Step7 Step & Step 9 swig cone Enear conftguestion comands, one per line End vith CITL/2 Verify that the VLAN has been created and is active. Enter the following command to the SW! switch: sWifchow vlan brief O/t. Booz, ty Beaa, ‘You can compare the output of the show vlan brief command to the output of the show vlan ccominiand that was used previously. With the brief argument, the characteristics that are only appropriate to Token Ring and FDDI networks (such as parent and ring number) are hidden from the display Although V Look closer atthe status of VLAN? by specifying its ID with the show vlan command. AN is active, no active ports appear to be using VLAN 2. Enter the following command to the SW! switch: sWLe show vlan ia 2 ‘When you show all VLANs, only the access mode ports are displayed. When you show a particular VLAN, the trank ports that carry the VLAN are also displayed. Ethemet0/0 is the trunk port connecting SW1 and SW2. View the switch port status of the Ethemet0/0 interface, Enter the following command to the SWI switch:Step 10 SHE show int 60/0 switehport Mame: 20/0 erative Mede: dymandis/dessrabis onal Mode; S86 eestive Trunking Encapsulation: negseiate jonal Trumting Ent 2 Mode VEN: 4 (defssis) ing Nevive Mode Via: 1 (defauls) Administrative Native VIAN sagging: enabled Mininistrative pe: Raninisteative p Admini seeacive p Raninisteative p ‘The default administrative trunking mode on a switch port is “dynamic desirable,” If this default is maintained, the connection between two switches will automatically become an operational tmunk, ‘The default administrative trunking mode varies between switch models. ‘The SW! default trumking encepsulation method is IS. This characteristic is model-dependent. ISL is an older, Cisco proprietary trunking protocol. [EEE $00.10 is much more commen in networks today, and some switch models no longer support IST. While the trunking status was automatically negotiated between the switches, the best practice is, to explictty configure the trunking status on switch ports. Also itis best practice to assien a| native VLAN to $02.10 trunks that is not used by any endpoint hosts ou the network. Begin this explicit configuration by defining VLAN 256 and assigning it te "NoHosts” name. Enter the following commands to the SWI switch: am cont Enver configuration comands, ig) vlan 256 fe per Line. End with QMTL/Z While it makes no difference tothe switch which IP subnet you implement on which VLAN, for ease of network management, itis common to use the value ofthe third octet ofthe IP network as the VLAN ID. when possible. For example, you would pair VLAN 1 with 10.10.1.024 and pair VLAN 2 with 10.10.2.024 ‘The mumber 256 isnot a valid Pv octet, The X-Y.256 Z addresses are invalid [Pv addresses, Therefore, 256 can be an effective VID to use for a VLAN that intentionally services no hosts and is used for the native VLAN on 802.10 trunks. 17 Cisco yet waxy (isco Networking Davies:Step 11 Step 12 Step 13, Now, explicitly configure Ethemet0i0 as 802.10 trunks using VLAN 256 as the native VLAN. Enter the following commands to the SWI switch: git int etno/o weitchport trank encepzulation dot Beitchport trank native vlan 256 Before changing the native VLAN on SW?2, you will see on the SWI console the %CDP-4- NATIVE_VEAN MISMATCH message every 60 seconds. sPeb 2 12:04:09,712: acDP-S-4METVE, (IOUMTCH: Native VIAN mismatch discovered on EthernetO/0 (256), with S42 Bthernes0/0 (1) ‘You must configure SW2 to be synchronized with the configuration operations that you just performed on SW1. Access the console of SW2, configure VLAN 2 and VLAN 256, and configure Ethemet00 explicitly as the 802.10 trmk with VLAN 256 as the native VLAN, Enter the following commands to the SW switch: 5428 cont t switchport trunk encapsulation dotiq ond Verify the trunk status of Ethernet0/0 on SUW2. Enter the following commands to the SW2 switch:S028 show int 0/0 aeitehport Mana: 00/0 postive Mose: 55% fonal Mode: SSG postive Trunking Encapsulation: SSSI fonal Trunting Eat Mode VERN: 2 (ae Mininistrative p Raninisteative p Admini seeacive p Raninisteative p Both adhinistrtive and operational modes are the 802.1Q trunk. Optionally, you may repeat this verification on SWI. Step 14 VLAN 2isnoweady on both switches, and the trunk link is configured between the two switches. Explicitly define the PC4 switch port as an access port that is assigned to VLAN 2. Enter the following commands to the SW2 switch: S028 cont t Enver configuration comunde, one per Line. End with CNTE/Z felt £)} aeitehport access vlan 2 3 switehport mode ecoess 3 ena Step 15 Verify the status of the Ethemetl/1 switch port configuration Enter the following command to the SW2 switch: NetworkingStep 16 Step 17 S128 show int e1/2 awitchport aprulatien: negotiate Teunking Natave Mode VLaN? 2 (defauls) Administrative ative WAN tagging: enabled Administrative pe: Baministravive p Administrative pe: Lation: daclg Baministravive p normal Vals: none Verify the interface status of the trunk link (Ethemet0/0) and the ports thet are supporting PC3 and PCA. Enter the following command to the SW'2 switch: s42f ah int states a — Dept trend Bye Eo Saint? t SORE SES Eel/O Link to FCS conmected © 2 auto. auto unknown Ewa caecra fe nave snisonn Now PC4 and PC2 are on different VLANs, so although they are configured for the same IP subnet, they should no longer be able to communicate. Verify this status by attempting to ping 10.10.20 from PC4. This ping should fail. Enter the following command to PC4: POE ping 10.10.2.20 Type tecape dequence to -_ Suzcess rate is 0 pessent (0/5)Step 18 Access the SWI console. Configure the PC2 switch port to be an access port that is assigned to VLAN 2. Enter the following commands to the SWI switch: Bad with CNTL/Z Step 19 Verify the switch port status of Ethemet!/1 Enter the following corumand to the SW switch: SLE show int 01/1 awitebport Bane: Bei Admini sersive Mode: SESSiSUaEeess Cyerstionsl Mede: SESRS=aEee== MMininistestive Trunking Encapsulation: negotiate fp facive Mede Vint Voice VAR: none Aininistrative privatecvlan Admini seracdve Raninisteanive Capture Mode Disabled Gepeure VIAN Allowed: ALL Step 20 Verify the interface of the SWI trunk ports and the links to the PCs. Enter the following corumand to the SW switch: Networking Systems, InStep 24 Step 22 SWLE show int status Fore Mame seacus van Duplex Speed Type senneceed 1 wes sues unknown Eci/O Link to PCL connected © 1 =u ato unknown Hip Sek se “sma f auts sats untae FC) and PC are now both configured for the 10.10:2.0/24 subnet and are in the same broadcast domain (VLAN 2), Access the PC4 console and verify that it can once again ping PC2. Enter the following command to PCS: FOE ping 10.20.2.20 = Suscess rate is 100 percent (5/8), round sp min/avg/nan = 1/2/ me At this point, there is no routing configured. PC2 and PC4 are isolated from the other hosts that are in VLAN 1. Demonstrate that PC4 canst ping PCL. Enter the following command to PCS: FCAE ping 10.10.1.10 Type escape sequence to abort = Success rate is 0 percent (0/5) “This is the end of the discowery lab» |Dynamic Trunking Protocol Many Cisco Catalyst switches support DTP, a Cisco proprietary protocol that manages automatic trunk negotiation. Switches from other vendors do not support DTP. Dynamic Trunking Protocol ‘Switchport mode interactions: Manual configuration is recommanced. * Contigure me port as unk or access on both switches The command switehport nonegotiate cisables negotiation DTP is automatically enabled on a switch port when certain ranking modes are configured on the switch port DTP manages trunk: negotiation only if the port on the other switch is configured in a mode that supports DTP, ‘You should configure trunk links statically whenever possible. However, Cisco switch ports can rm DTP, which can automatically negotiate a trunk link. This protocol can determine an operational trunking mode and protocol on a switch port when itis connected to another device that is also capable of dynamic trunk negotiation. | ‘The default DTP mode depends on the Cisco IOS Software version and on the platform. To determine the current DTP mode, issue the show dtp interface command. S82 show dtp intexface FastEthernst0/t DIP infomation for Fastichernet0/1: 08/Tas/Ta: {TROME/DESTRABLE,/TRONE ror/Tar/ma7. s02.19/202-10/202-10 Neighbor addcess oooaneen000 Hells tinar axpization (sec/sesea) + 17/RONNING Access timer expiration (sec/scate) 267/R0NNING ‘You can configure the DTP mode to tum off the protocol or instruct it to negotiate a trunk link only under certain conditions, as described in the table 108 _lnterconnecting Cisco Networking Devices: Acca 1d (CONAN 2017 Cisco Systems, ne‘Commanct Function ‘switchport mode dynamic auto |crestes the trunk based on the DTP request fom the neighboring switch ‘switchport mode dynamic ‘desirable |Communicstes to the neighboring swith via DTP thatthe interface is Jattempling to become a tunk ifthe neighboring sutch interface is able to become 2 unk, ‘switchport mode trunk [automatically enables trunking regarcless ofthe state ofthe neighboring sich Jand regardless of any DTP requests thatthe neighboring switen sends ‘switchport mode access [Trunking not slowed on this port regardless ofthe siste ofthe neighboring Jsutch interface and regerdless of any DTP requests thet the neighboring lswitch sends, ‘switchport nonegotiate Prevents the interface from generating DP ‘eames. This command can be luses only when the interlace switch port mode is access or unk. You must Jmanuslly configure the neighboring interface as a runk interface to establish» frank tine. The switchport nonegotiate interface command specifies that DTP negotiation packets are not sent. The switch does not engage in DTP negotiation on this interface. This command is valid omly when the interface switchport mode is access or trunk (configured by using the switehport mode access or the switchport ‘mode trunk interface configuration commands). This command retums an error if you attempt to execute it in dynamic (auto or desirable) mode. Use the no form of this command to return to the default setting ‘When you configure « port with the switchport nonegotiate command, the port trunks only ifthe other end of the link is specifically set to rm. The switchport nonegotiate command does not form a trunk link ‘with ports in ether dynamic desirable or éynamic auto mode. Note A general best practice i to cet the interface fo trunk and nonagotiate when a trunk inks required. On links where runking is net intended, you should tum off OTP. Ideally, Inks that are nat intend to oe trunks shouldbe set to access mode and placed in en unused VLAN,VLAN Trunking Protocol ‘To minimize misconfiguration and configuration inconsistencies of VLANs in your network, use VTP. VIP isa data link layer (Layer 2) protocol that facilitates the manazement of VLANs across several switches in a network, Using VIP, you do not need to log into each switch to create and name each VLAN manually. Managing ‘VLANs manually on each switeh in your network works well fora few switches, but VIP is a better solution in large networks, Note You still need io assign ports to each VLAN either manually or automatically. VLAN Trunking Protocol VIP seve AVVIP domain consists of one switch or several interconnected switches sharing the same VIP environment. A switch can belong to only ome domain. By default, a Cisco Catalyst switch is in the no-management-domain state until it receives an advertisement for adomain over a trunk link or until you configure a management domain. The configurations that you make toa VIP server are propagated across trunk links to all the connected switches in the network. Note VIP advertisements ccd treaughout the management domain, VTP advertisements are cant avery 6 minutes or wiveneverthereis a change in VLAN configurations ‘The default VTP version that is enabled on a Cisco switch is version 1. However, three different VTP versions exist 1, 2, and 3. You can change the switch to nun VIP version 2 or 3, but these versions are not compatible. You need to configure the same VIP version om every switch in the domain,Note Because version 1 and version 2 do not propagate configuration information for edendechrange VLANs. you must configure evtandac-range VLANs manually VTP Modes VIP operates in one of three modes: server, trausparent, or client. You can complete various tasks depending on the VIP operation mode. ‘VTP Modes + Server Creates, modifies, and deletes VLANS -_ Symehronizes VLAN configuration * Client Cannot eovto, molly, oF dato VLANS = Symchronizes VLAN configuration + Transparent Creates, modifies, and deletes local VLANs only ~ Does not synchronize VLAN configuration ‘The following are the characteristics of the three VIP modes. ‘+ Server: The default VTP mode is server mode, However, VLANs are not propagated over the network| ‘until a management domain name is specified or leamed. When you change (create, modify, or delete) the VLAN configuration on a VIP server, the change is propagated to all switches in the VIP domain. ‘VIP messages are transmitted out all the trunk connections. A'VTP server synchronizes its VLAN ‘database file with other VIP servers and clients, Use the vip mode server Cisco 10S command to ‘configure a switch tobe a VIP server. + Transparent: When you change the VLAN configuration in VTP transparent mode, the change affects ‘only the local switch and does not propagate to oir switches in the WTP domain. VTP transparent ‘mode forwards VIP advertisements that it receives within the domain. A VTP transparent device does not synchronize its database with any other device. Use the vtp mode transparent Cisco IOS ‘command to configure a switch to be transparent, + Client: You cannot change the VLAN configuration when in VIP client mode. However, a VIP client ‘can send any VLANs that are currently listed in its database to other VTP switches. VIP advertisements are forwarded in VTP client mode, A VTP client synchronizes its database with other VIP servers and ‘clients. You can use the vtp mode client Cisco TOS command to configure a switch to be a VTP clientVTP Configuration ‘When cresting VLANs, you must decide whether to use VIP in your network. With VTP, you cam make configuration changes on one or more switches, and those changes are automatically communicated to all other switches in the same VTP domain Default VIP configuration walues depend on the switch model and the software version. The following are the default values for Cisco Catalyst switches: + VIP domain name: Null + VIP pruning: Enabled or disabled (operating system version-specific) + VIP versio Version 1 NoteWhen the VIP pruning option i enabledin a VTP domain. VIP ollent itches recaive VIP update frames ‘only for VLANs that are enabled on esch switch. Thus, VT pruning saves some Dendvicth on trunk ports {and on switches by limiting the number ef VTP update ranemissions. You should always prune the VLAN from suitches where the VLANs are not used ‘The VIP domain name can be specified or learned. By default, the domain name is not set. You can set @ password for the VIP management domain. However, if you do not assign the same password for each switch in the domain, VIP does not function properiy VIP pruning eligibility is one VLAN parameter that the VIP protocol advertises. Enabling or disabling VIP pruning on a VTP server propagates the change throughout the management domain. Use the vtp_ global configuration command to modify the VTP configuration, domain name, interface, and mode: Sestcht configure terminal Erizch (config) vip mode [server | client | transparent] Svitek (eongigt vep domain domsinnnsme | Swivch config)? vip pasword password Seavch (contig? vep prening Use the mo form of this command to remove the filename or to return to the default setings. When the VIP mode is transparent, you can save the VIP configuration in the switch configuration file by entering the copy running-config startup-config privileged EXEC command, ‘The following example demonstrates how to configure VIP and display VIP status. (isco Networking Davies:VTP Configuration ‘Set the switch in the transparent VTP mode and VTP domain name to ICND. Note Inthe output of the show vip status command, "VTP Version capable” dentifes the version of VTP the itch is capable of running, "VTP version running’ indicates whieh VTP version is being used. On switches that are configured in VIP client or VIP server mode, you camact see any configuration related to VLANs or VIP in the runing configuration. To verify VIP configuration, you have to use show ‘vip status and show vtp password commands. To verify configured VLANs, you should use show vlan command. VTP Configuration (Cont.) Vetty the VTP status, Pruning should be disabled 17 Cisco Systems, Inc Intrconnectng Cisco ring Devices Aosslaratad (CCNAX) 119Discovery 17: Troubleshoot VLAN and Trunk Issues Introduction ‘This discovery will guide you through a scenario involving VLAN configuration, Layer 2 comnectvity, and IP comectivity. The topology diagram is intentionally vague and there is no comectivity table. Imagine you are on your first day at a news job as a network engineer. You are not yet familiar with the network of your organization. A member ofthe security team comes to you because the intrusion prevention system has agged malicious traffic from the IP adress 10.10.10.182. You are asked to help in isolating this system and removing it fom the network. This discovery will also guide you through the IP connectivity issue between two hosts. Topology Topology - = Pc2 ~~ = Pca 7 ae = | —= Job Aids ‘There are no job aids available for this lab exercise, because one of the objectives of the lab is to map the connectivity within an unfamiliar network, Note POs inthe vival la environment are simulated as routers, so you Should use Cisco 1S commends to configure them or make verfiosbons. Task 1: Troubleshoot VLAN Issues The following figure shows the flow for troubleshooting VLANs. (conan Cisco SystemsTroubleshoot VLAN Issues. To troubleshoot VLAN issues when you have no comection between PCs that belong tothe same VLAN, follow these high-level steps: 1. Usethe show vlan command to check whether the port belongs to the expected VLAN. Ifthe port is assigned to the wrong VLAN, ue the switchport access vlan command to correct the VLAN ‘membership. Use the show mac address-table command to check which addresses were leamed ona ‘particular port of the switch and to which VLAN that port is assigned. 2. Ifthe VLAN to which the port is assigmed is deleted, the port becomes inactive. Use the show vlan or show interfaces switchport command to verify that the VLAN is present in the VLAN database — Also mote that you can shut the VLAN using shutdown command, so you may need to verify that the VLAN isnot disabled using the show vlan command, (Cisco Systems, Ine Intrconnectng isco Networking Devioes: Accelerated (CCNAMAC Address Table Verification To display the MAC address table, use the show mae address-table command in privileged EXEC mode as shown in the following example. This command displays the MAC address table for the switch. You can define specific views by using the optional keywords and arguments. The example shows MAC addresses that were leamed on the FastEthemet(1 interface. As you can see, MAC address 000c.296a.221¢ was leamed on the interface FastEthemet0/1 in VLAN 10. If this mumber isnot the expected VLAN number, change the port VLAN membership using the switchport access vlan command. SWE show mac addvezs—table interface Ethernet0/t Troubleshooting Missing VLANs Each port on a switch belongs to a VLAN. Ifthe VLAN to which the port belongs is deleted, the port becomes inactive. All ports belonging to the VLAN that was deleted are unable fo communicate with the rest of the network. As shown in the following example, use the command show interfaceinterface switchport to check Whether the portis inactive. Ifthe portis inactive, it will not be fumctional until you create the missing VLAN using the vlan vian_id command or until you assign the port to a valid VLAN. SWLE show intenfaces Ethernet0/1 avitchport Mode VIAN: 10 (ERSEESI=) Trunking Native Mode VIAN: 1 tded: Voice VIAN: none Activity Complete the following steps: Step 1 Your task in this discovery isto find the system using the IP address 10,10.10.182 and to disconnect it from the network. You might assume that VLANs were configured by a logical pattem. Access the console of SW and display the VLAN configuration to show how incomect that ‘assumption is. erconnactng Cisco Networking Devices:Step2 Step 3 Sixeytwe Ee0/2, B0/3 ouput omitted -..> This disorganized set of VLANs demonstrates why it can be beneficial to seta standard. For example, you can have the VLAN ID match the third octet of the IP network running on that VLAN. To determine which VLAN supports the network to which 10.10.10.182 belongs, access the console of R1 and display the brief summary status ofits IP interfaces ‘When the display output pauses with the -More~ prompt, you can use the space bar to display the next page of the output. Rif show Sp interface briet Echernes0/0 YES manual up wp Eohernes0/0.21 wes manual wp uw dove Eohernes0/2 YES WWM adninistracively down down YES WEAN administratively YES WVRAM administratively down ‘The IP adress of Ethemet00.134 is 10.10.10.1, Ifyou configure it with a 24-bit submet mack, it would be on the same subnet as 10.10.10.182. Ifits subinterface ID matches the VLAN ID, the VLAN would be 134. Display the ruming configuration that is associated with this interface to determine if ether ofthese values are true ‘Verify the runing configuration on the RI router:show wun interface Etheret0/0.134 fing confagueseicn Bul interface Echeretd) easpeedation detig 2 26 ‘The mask is indeed 24 bits. This interface is on the same subnet as 10,10.10.182, ‘The VLAN, as set by the encapsulation command, is actually 62, not 134. Step 4 The security team member gave you the IP address. Determine the system MAC address by first pinging it ftom R1 and then finding the entry in the R1 ARP cache, ping 10.10.10.182 Festocol Midress Age fi Taverner HOELOSIDENSE ‘The system that you are locking for has the MAC address aabb.cc00.5300. Note: The MAC address that you will see in your output can be different. Further in the lab, refer to the MAC address determined in your output Step 5 Access the console of SW1 and view its MAC address table to find the port that is connecting to ‘aabb.cc00,5300, or whatever your MAC address is. ‘You must search for the MAC adress that you discovered in the previous step. SULE show mac adders—table paue 1 aabb.cc00 62 aan co00 Daewre 62 asbb.ce00.8400 OMUMIC 0/2 Toral Maz Adieessee for this ariverion: 5 Interface Ethemet0/2 is where the offending system is cormected, Step 6 Since there were few addresses in the MAC address table, it was easy to select the appropriate entry. Ifthere are thousands of entries in the table, you would want to filter down the output. Try displaying the MAC address table using the include filter to only include addresses that have 15300, or Whatever the last 4 digits of your MAC address are, as part oftheir address, 17 Cisco yet (isco Networking Davies:Step 7 Step & Step 9 Step 10 Ina larger environment, you might find thatthe port with the offending MAC address is actually alink to another switch, In this case, you would have to go to that switch and view its MAC address table. It might again be on a link to a third switch. You would have to continue the process until you reached a switch with the address on an end-host port S01 show mac addeess-table | include 5300 Display the interface status summary on SWI to observe the status of Ethemnet0/2. One thing that was sensibly configured in this environment is the description on the switch ports. PCS is the offending system, S41 show interface state ‘Verify that the offending system, PC3, has access to the network, Attempt to ping R1 (10.10.10.19 from PC3, Ping should be successful FOS¢ ping 10.10.10.1 Success ate is ¢0 percent (4/5), round-osip min/arg/max = 1/1/2 me Disable interface Ethemet0'2 on SW1. On SWI, enter the following commands SFIE conf Enter configuration comands, one per Line. End with GVTL/Z ig) interface Ethernet0/2 “Sep 47 07:22:54,292: QLINE-S-CHANGED: Inverface Evhernet0/2, chat Evharnat0/2, changed state co dom yea etave to The offending system is PC3. Access the console of PC3 and verify that it has been isolated from the network. Attempt to ping Rl (1010.10.1) ‘The atterapt should fail,FOE ping 10.20.20.1 ‘Type secape sequence to abort. Sending &) 100-nyee TOM Echos to 10.20.10.1, timeout is 2 seconds: Suscess cate d2 0 percent (0/5) Task 2: Troubleshoot Trunk Issues ‘The figure shows the flow for troubleshooting trunks. Troubleshoot Trunk Issues To troubleshoot trunk issues when the trunk is not established, follow these high-level steps} 1. Use the show interfaces trunk command to check whether the local and peer native VLANs match. IF thenative VLAN does not match on both sides, VLAN leaking occurs 2. Use the show interfaces trunk command to check whether a trunk has been established between switches. You should statically configure trunk links whenever possible. However, Cisco Catalyst switch ports by default rm DTP, wich tries to negotiate @ trunk link. 3. Use the show interface trunk command to check whether the desired VLANs have been allowed on both the sides of the tran link. 20 _lnterconnecng Cisco Networking Devices: Accelerated (CONAN) 2017 Cisco Systems, neVerify Trunk Establishment To display the status of the trunk and native VLAN that is used on a trunk link and to verify trunk establishment, use the show interface trunk command in privileged EXEC mode, The following example shows thet the native VLAN on one side ofthe trunk link was changed to VLAN 2. If one end of the trunk is configured as mative VLAN 1 and the other end is configured as mative VLAN 2, a frame that is sent from VLAN I om one side is received by VLAN 2 on the other. VLAN 1 “leaks” into the VLAN 2 segment. This behavior would never be required, and connectivity issues occur in the network ifa native VLAN mismatch exists. Change the native VLAN to the same VLAN on both sides of the VLAN to avoid this behavior. STLE show interfaces Ethernet 0/3 trunk Pa Ee Meds Native vlan 3 auto 4 not-erunking 2 <¢.cceueput omitted.» Cisco Discovery Protocol notifies you of a native VLAN mismatch on a trunk ink with this message aug 24: 48.714: $COP-E-HATIVE VLAN MISMATCH: Navive VLAN misuas ‘You should statically configure trunk links whenever possible. Cisco Catalyst switch ports by default mun DIP. DIP can determine the operational trunking mode and protocol on a switch port when itis connected to another device that is also capable of dynamic trunk negotiation. Remember that if both ends of a trumke are set to dynamic auto trunk mode, a trunk will not be established. The example shows the status ofthe link as "not-trunking.” Activity Complete the following steps: Step 1 User that is using PC1 is reporting that PCI can reach PC2 (1010.10.20), but cannot reach PC4| (10.10.10.40). Help the user find the issue and resolve it Access PCI and verify IP connectivity to PC2 and PC4 to exclude an IP connectivity issue. FCLE ping 10.10.10.20 Type escape sequence to = rip min/avg/max = 1/1/1 me Success rate is 100 percent (5/3), round Pei? ping 10.10.10.40 Suzcess rate is 0 percent (0/5: ‘You should find that there is an IP connectivity issue between PC1 and PCA. Step 2 Access the SW2 switch and check which VLAN is set on the interface that PC! is connected to. First, you need to use Cisco Discovery Protocol to verify which port PC1 is comected to.Note: With real PCsPGiwould not be seen as the Cisco Discovery Protocol neighbor, s0 you ‘would need to use the same approach that you used in the fist procedure of this discovery, S828 show edp neighbors Capability Codes: R~ Router, T ~ Trans Bridge, 5 ~ Source Rouce Sesdge S = Sviceh, H = Hose, I~ IGMP, © - Rapestar, P- Phone, Do Rencee; ¢ - GVEA, if - Tro-port Mac Relay, oz 133 R Linux Uni Ech 0/0 SE Linwe Uni Eek 0/1 ‘You will find out that PC1 is connected to EthernetO/1 and that itis placed into active VLAN 62. Step 3. Access the SW switch and check which VLAN is set on the interface that PCA is connected to. First, you need to use Cisco Discovery Protocol to verify which port PC is connected to. Note: With real PCs, PO would not be seen as the Cisco Discovery Protocol neighbor, so you ‘would need to use the same approach that you used in the first procedure of this discovery SULE show edp neighbors Capability Codes: R~ Roucer, 7 - Trans Bridge, 5 - Source Rouce Seidge H- Hose, 1 - JGR, r- Repeater, F - Fhone, © - GVEA, M - Sworport Mac Rely Holdene Capabilicy Pacfore Post 1D 370 SE Linwe Uns Beh 0/0 362 Line Uni Beh 0/ ‘You will find out that both PCI and PC4 are in the same VLAN, Step 4 While troubleshooting, you first noticed the following message on the SW console: sep 17 09209221594: SCDP-E-NATIVE_VIAN MISMATCH: Native VLAN mi smcch discovered on Eshernet0/1 (2), wish 3N2 Eshernet0/0 (2) 17 Cisco yet (isco Networking Davies:Step 5 Step 6 Step7 ‘This message indicates that SW1 and SW have different native VLANs configured. (On SWI, check which VLAN is used as native on EthernetO/1 SWE chow interfaces trunk cue. ourpar emitted ..-> (On SW2, check which VLAN is used as native on Ethernet01 S12$ show interfaces trunk cue. ourpar emitted -.-> Change the native VLAN configuration on the SW2 switch. (On SW2, enter the following commands: 528 cont t Enter configuration comands, one per line. End wich GITL/2 seface Ethernet0/0 peitchport Crank native vlan t Messages to the console stopped. ‘Verify if native VLAN was the reason for broken connectivity between PC1 and PC4. Access PC1 and verify IP comectivity to PCA. fit ping 10.10.10.40 Wr ubiloyes 1Oiw Eanes eo 10.10.20.40, edenoue £2 2 seconds| Suzcess rate is 0 percent (0/5: PCI still has no comectivty to PCA, s0 you need to investigate futher. ‘You have determined that PCI and PC4 are both in VLAN 62. Now, you will verify trunk Jink: between SW and SWW2,S028 show interfaces trunk flame allewed on trunk ieee “ ° = VLAN 62 is comectly allowed on the link to SW. SULE chow interfaces trunk le seunking I 1 1 VLAN 62 is missing from the allowed VLANs on the link toward SW2. Step 8 On SWI, verify the interface Etnemet0/1 configuration, Here, you can confirm that VLAN 62 is excluded from the allowed VLAN list] sme show interface Ethernet0/1 Cursent configuration : 172 bytes incerface Ethemet0/1 Geseription Link to SR seirehscr: trunk encapsulation dovig Step 9 Onthe SIV interface Ethemet0/'l, add VLAN 62 into trank, (On SW1, enter the following commands: (isco Networking Davies:Step 10 swig cone Enear configuestion comands, one per line. End vith CWTL/2 ig)? intextace Ethernet0/1 From PCI, verify thatthe IP comectivity isue to the PC‘ is resolved. Ping should be successfil: FCLf ping 10.10.10.40 Success rate is €0 percent (4 round-trip min/a Jia me Note: It may take a while forthe ping to work. This isthe end ofthe discovery lab.VLAN Design Consideration ‘VLANs create boundaries that can isolate nodes or traffic, so you should design a multi-VLAN topology thoughtfully. The general question that you should ask yourselfis the following: "Who is talking to wom, and what are they trying to get done?” Here are some considerations that you need to take into account before implementing VLANS. VLAN Design Considerations + The maximum number of VLANS is switch-dependent, + VLAN 1 isthe factory default Ethernet VLAN, + Ruse-dedicated VLAN is fr the Cisco switch management IP address, ~ Keep management ratfc in a separate VLAN. = Change the native VLAN to something other then VLAN 1 ‘Typically, access layer Cisco switches support up to 64, 256, or 1024 VLANs. The maximum number of VANS is sviteh-dependent. Cisco switches have a factory default configuration in which various default VLANs are preconfigured to support various media and protocol types. The default Ethemet VLAN is VLAN 1. Cisco Discovery Protocol advertisements are sent on VLAN 1. A good security practice isto separate management and user date traffic because you do not want users to be able to establish Telnet sessions to the switch. Ifyou want to communicate with 2 Cisco switch remotely for management purposes, the switch must have | an P address, This IP address must be in the management VLAN, which is VLAN 1 by default. ‘A good security practice isto change the native VLAN to something other than VLAN 1 (for example, ‘VLAN 90) and therefore tag the VLAN 1 traffic.VLAN Design Considerations (Cont.) ‘When configuring a trunk link, consider the folowing: = Make sure that the native VLAN for an 802.10 trunk isthe same on both fends of the trunk link, ‘DTP manages trunk negotiatons between Cisco switches. Make sure that the native VLAN for an JEFE. $02.10 trunks the same on both ends of the trunk link. I the ends are different, spanning-tree loops might result. IF EEE 802.10 trunk configuration is not the same on both ends, Cisco IOS Software will report error messages. Also make sure that native VLAN frames are untagged. DIP helps to automatically negotiate whether the port should be put into the access or trunk mode and ‘which trimking protocol (802.1Q or ISL) should be used. The individual DTP modes are dhramic auto (the port will negotiate the mode automatically; however, it prefers to be an access port) and djnamic desirable (the port will negotiate the mode automatically; however, it prefers to be a trmk port). If you do not want the switch to negotiate, use the switchport nonegotiate command, For details on all of the parameters that are associated with the switchport mode interface command, go to hitp:/ewonw-cisco.com/en/US/docslios‘me/allreleasemeVall_15 html ring Devices: Aoelaratd (CCNAX) 17 Cisco Systems, Inc Intrconnectng CiscoChallenge 1. In which one of these three layers in hierarchical LAN design would you implement routing and packet ‘manipulation? AL Access B. Distribution C. Core 2. A poorly designed network includes (or is associated with) which two ofthe following? (Choose two) A. large broadcast domains BL small broadcast domains C. several security vulnerabilities: D. proper documentation E. ease of management and support VLANs improve network performance by doing which ofthe following: separating large broadcast domains into smaller segments creating large broadcast domains out of smaller segments creating one large virtual suitch out of many physical switches, allowing users to connect over radio frequency 4, How can traffic from one VLAN reach another VLAN ona Layer 2 switch? A. The switch needs 802.10 encapsulation configured B. Theprocess of forwarding network traffic from one VLAN to another VLAN requires inter- ‘VLAN routing. ©. Imorder for one VLAN to reach another VLAN, an additional Ethemet switch between the two VLANs is required. 5. How does 802.10 incorporate VLAN information onto a packet? AL It creates a 4 byte header and a 26-byte tag: B. It creates 2 4-byte header only C. It changes the frame body to mention the VLAN information D._Itreroutes the ftame through the VLAN interface, causing a different source address, 6. Which ofthe following must you ensure when configuring tivo ends of an $02.1Q trunk? A. Thenative VLAN must be tazzed| B. Thenative VLAN must be the same. ©. DTP must be disabled D._ DTP modes om both ends must be the same Which one of the following is correct? A. STPbilocks certain ports to increase efficiency and only allow the ports that are utilized to be "Up B. STP blocks certain ports to ensure that loops do not occur C. STPis disabled by default on Ciseo switches D._Ifthere is problem with connectivity, STP alerts the administrator so that the issue can be rectified. vow erconnactng Cisco Networking Devices:Answer Key Challenge B AC A woo (ConA2017 Cisco Systems, neLesson 2: Building Redundant Switched Topologies Introduction ‘The law firm's cient calls CCS complaining that employees in its international and constitutional law departments are unable to communicate digitally or share resources on the intranet. Bob has already determined thatthe cause of the problem is the failure ofa single switch. The law fim has agreed to let CCS implement and troubleshoot a redundant switched topology and optimize network reliability by implementing PVST+. Bob wants to know if you are ready to go to the law fim to implement and troubleshoot the zedundant switched topology, or if you need some time to prepare. Physical Redundancy in a LAN Loops may occur in the network as part of a design strategy for redundancy. Adding switches to LANs can add the benefit of redundancy. Connecting two switches to the same network segments ensures continuous | operation if there are problems with one of the segments. Redundancy can ensure the constant availability of the network, However, when switches are used for redundancy in a network, loops are a potential problem. When a host on one network sezment transmits data to a host on another network segment, and the two are connected by tho or more switches, each switch receives the data frames, looks up the location of the receiving device, and forwards the frame. Because each switch forwards the frame, each frame is duplicated. As atesult, a loop occurs, and the frame circulates between the two paths without being removed from the network. The MAC addres tables may also be updated with incorrect address information, resulting in inaccurate varding. In the topology that is shown in the figure, suppose that host A sends a frame to host B. Host A resides on network segment A, and host B resides on network segment B. Redundant connections between hosts ‘ensure continuous operation ifa segment fails, For this example, itis assumed that none of the switches have leamed the address of host BPhysical Redundancy in a LAN Switch 1 receives the frame thats destined for host B and floods it out to switches 2 and 3. Switch 2 and switch 3 both receive the frame from host A (via switeh 1) and comectiy lear that host Ais on segment 1 and 2. Each switch forwards the frame to switch 4 Switch 4 receives two copies of the frame from host A, one copy through stitch 2 and one copy through switch 3. Assume that the frame from switch 2 arrives frst. Switch 4 leans that host A resides on segment 3. Because switch 4 does not know where host B is connected, it forwards the frame to all its ports (except the incoming port) and therefore to host B and switch 3. When the frame from stitcl 3 arrives at swatc 4, switch 4 plates its table to indicate that host A resides on segment 4 It then forwards the tame to host B and switch 2 Switches 2 and 3 now change their internal tables to indicate that host A is on segment 3 and 4. 1f the initial fame from host A was a broadcast frame, both switches forward the frames endlessly. They would use all available network bandwidth aad block transmission of other packets on both seements, This situation is 22 Inerconnasing Cisco Networking Devices Aalst (©CNAX) 2017 Cisco Systems, nePhysical Redundancy in a LAN (Cont.) ‘The solution to loops is STP, which manages the physical paths to given network segments. STP provides physical path redundancy while preventing the undesirable effects Of active loops in the network. By default, STP is tured on in Cisco Catalyst switches. STP behaves as follows: + STP forees certain ports into a standby state so that they do not listen to, forward, or flood data frames. ‘The overall effect is that there is only one path to each network segment that is active at any time. + Tfthere is a problem with connectivity to any of the segments within the network, STP re-establishes, ‘comnectivity by automatically activating 2 previously active path, if one exists 17 Cisco Systems, Inc Intrconnectng Cisco ring Devices: Aoelaratd (CCNAX) 3Issues in Redundant Topologies Enterprise voice and data networks are designed with physical component redundancy to eliminate the possibility of any single point of failure causing a loss of fiction for an entire switched network. However, redundant OSI Layer 2 switch topologies require planning and configuration to operate without introducing loops. OSI Layer 2 LAN protocols, such as Ethernet, lack a mechanism for recognizing and eliminating endlessly Jooping frames, as lustrated in the figure. Issues in Redundant Topologies + Aredundant topology eliminates single points of fare * Aredundent switch topology causes broadcast storms, multiple frame ‘copies, and MAC address lable instablly problems. + Aloop-avoldance mechanism is required Inthe absence of a protocol to monitor link forwarding states, a redundant switch topology is vulnerable to the following conditions: + Broadcast storms: Without some loop-avoidance process, each switch floods broadcests endlessly. This situation is commonly called a broadcast storm | + Multiple frame transmission: Multiple copies of unicast frames may be delivered to destination stations. Many protocols expect to receive only a single copy of each transmission. Multiple copies of the same frame can cause unrecoverable errors. + MAC database instability: Instability m the content of the MAC adress table results from the fact that different ports of the switch receive copies of the same frame. Data forwarding can be impaired when the switch consumes the resources that are coping with instability in the MAC address table. Layer 2 LAN protocols, such as Ethernet, do not have a mechanism for recognizing and eliminating endlessly looping frames. Some Layer 3 protocols implement a TTI. mechanism that limits the mumber of times that a Layer 3 networking device can retransmit a packet. Lacking such a mechanism, Layer 2 devices continue to retransmit looping traffic indefinitely A loop-avoidance mechanism solves these problems. STP was developed to address them.Loop Resolution with STP ‘STP provides loop resolution by managing the physical paths to given network segments. STP allows physical path redundancy while preventing the undesirable effects of active loops inthe network. STP is an IEEE committee standard, which is defined as 80.10. Loop Resolution with STP’ + Provides a loop-free redundant natvork topology by placing certain ports into a biocking state. + Published in the IEEE 802.10 spesification. STP behaves as follows: STP uses BPDUs for communication between switches STP forces certain ports into a blocked state so that they do not listen to, forward, or flood data ames “The overall effects that only one path to each network segment is active at any time “there is a problem with comectvity to any of the segments within the network, STP re-establishes | ‘connectivity by automatically activating a previously snactive path, if one exists (changing blocked port +o forwarding state). 17 Cisco Systems, Inc Intrconnectng isco Networking Devioes: Accelerated (CCNASpanning-Tree Operation ‘and its successor protocols provide loop resolution by managing the physical paths to given network segments. STP allows physical path redundancy while preventing the undesirable effects of active loops in ‘the network. STP forces certain ports into a blocking state. These blocking ports do not forward data frames. ‘The overall effect is that only one path to each network segment is active at any time. If there isa problem with connectivity to any of the segments within the network, STP re-establishes connectivity by automatically activating 2 previously inactive path, if one exists Spanning-Tree Operation The spanning-tree algorithm follows these steps: 1 Blcts root be Elects a rot por for each nonoot switch Elects. designated por for each segment Ports transition to forwarding or blocking state Range: 0.65535, neque for every deve Dette 32768 The following are the steps of the spanning-tree algorithen: 1. Elects a root bridge. The root bridge becomes the switch with the lowest BID. You can have only one root bridge per network. The BID is a combination of bridge priority and the MAC address of the| switch. Bridge priority isa mumber between 0 and 65535 in increments of 4096, and the default is 32768. [fone or more bridges have equally lowest bridge priorities, then the bridge with the lowest ‘MAC address wil be elected the root bridge. 2. Elects a root port for each nonroot switch based on the lowest root path cost. The root bridge does not have root ports. Each nonroot switch has one root port. The roct port shows the direction of the best path to the root bridge. 3. Elects a designated port for each segment based on the lowest root path cost. Each link will have one designated port 4. The root ports and designated ports transition to the forwarding state, and the other ports stay in the blocking state ‘STP path cost depends on the speed of the link. The table shows STP link costs. Data rate |sTP cost (a02.10-1998) |STP cost (g02 10-2004) 4 Mbps l2s0 [5.000.000 188 _lnterconnecng Cisco Networking Devices: Acalrated (CONAN) 2017 Cisco Systems, neDatarate STP Cost (202.10-1998) |stP Cost e02-10-2008) toMbes soo [2200.000 toMtes lez 250.000 oO Megs ho [200.000 16tps Is [22.000 2¢tps ls hoo 10.Gope 5 [zoce STP Port Roles PortRole |Description octet [iris port exists on narrac bridges. isthe uth port with the bet path tothe root bilge. Root pods forward trafic toward the rect bridge and the source MAC sdcress ofthe frames received on the rect port that is capsbie of populating the MAC table. Only ene rect ports allowed per bridge Designsted pon [This port exists on roct and nor~oot bridges. For root bridges, all switch ports are designsted ports. For nen-teet bridges, @ designated pert isthe switch por thet will recive and forward frames toward line roctbrige as needed. Only one designated pot is allowed per segment. If muliple switches exist Jon tne same segment a elaction prooess determines the designated suite, and the coresponding lenitch por begins forwarding frames forthe segment. Designated ports are capable of populating the Ac tle Noncesignsted |The nondesignsted port is a snitch port thats not forwercing (blocking) dete frames snd is not port populating he IAC sccress table with the source adsresses of ames that ere seen an that segment Dissbled per [The disabled ports suitch post thet is shut down,Spanning-Tree Operation Example ‘The frst step in the spanning-tre algorithm is the election of a root bridge. Initially, all switches assume that they are the root. They start transmitting BPDUs with the Root ID field containing the same value as the bridge ID field. Thus, each switch essentially claims that tis the root bridge on the network, Spanning-Tree Operation Example ‘Stop 1: Elect a root bridge. * Decision based on lowest 1D. se BAe Se ea oe ‘When the switches start receiving BPDUs from the other switches, each switch compares the root ID in the received BPDUs against the value that it currently has recorded as the root ID. Ifthe received value is lower than the recorded value (which was originally the BID of that switch), the switch replaces the recorded value With the received Value and starts transmitting this value in the Root ID field in its own BPDUs. Eventually, all switches learn and record the BID of the switch that has the lowest BID. The switches all transmit this ID in the Root ID field of their BPDUs. Inthe example, Switch B becomes the root bridge because it has the lowest BID. Switch A and switch B| have the samie prioity, but switch B has a lower MAC value‘Spanning-Tree Operation Example (Cont.) ‘Step 2: Elect a root port for each non-root switch. ‘Decision based on lowest root path cos = necessary tos are broken by upstream BID and port ID values. = When a switch recognizes that it is not the root (because it s receiving BPDUs that have aroot ID value that is lower than its own BID), it marks the port on which its receiving those BPDUs a its root port. A switch could receive BPDUs on multiple ports. In this case, the switch elects the port that has the lowest- ‘cost path to the root as its root port. Iftwo ports have an equal path cost to the root, the switch looks at the BID values in the received BPDUs to make a decision (where the lowest BID is considered best, similar to root bridge election). Ifthe roct path cost and the BID in both BPDUs are the same because both ports are ccomnected to the same upstream Switch, the switch looks at the Port ID field in the BPDUs and selects its root port based om the lowest value in that field By default, the cost that is associated with each port is related to its speed (the higher the interface bandwidth, the lower the cost), but the cost can be manually changed. Switches A, C, and D mark the ports that are directly connected to switch B (which is the oot bridge) as the root port. These directly connected ports on switches A, C, and D have the lowest cost tothe root bridge. | 17 Cisco Systems, Inc Intrconnectng Cisco ring Devices Aosalaatad (CCNA) 100Spanning-Tree Operation Example (Cont.) ‘Stop 3: Elect a designated port for each segment. * Decision is based on the lowest root path cost + Hfnecessary, ties are broken by upstream BID and por I. After electing the root bridge and root ports, the switches determine which switch will become the designated bridge for each Ethemet segment. This proces is similar to the root bridge and root port elections. Each switch that is comected to a segment sends BPDUs out of the port that is connected to that segment, claiming to be the designated bridge for that segment. At this point, t considers its port to be a designated por. When a switch stars receiving BPDUs from other switches on that segment, it compares the received values ofthe root path cost, BID, and port ID fields (in that order) against the values in the BPDUs thet its sending out its ow port. The switch stops transmitting BPDUs on the port and marks it as a nondesignated. port ifthe other switch has lower values Inthe example, all ports on the roct bridge (switch B) are desigmated ports. The ports on switch A that are connecting fo switch C and switch D become designated ports, because they have lower root path costs on. each sezment| 140_lnterconnecng Cisco Networking Devices: Acca 1d (CONAN 2017 Cisco Systems, ne‘Spanning-Tree Operation Example (Cont.) ‘Step 4: The ports transition to the forwarding or blacking state “Root ports and designated ports transition tothe forwarding state, = Other ports stay in the blocking state ea To prevent bridging loops while STP needs to execute its algoritima, all ports start out in the blocking state ‘When STP marks a port as either a root port or a designated port, the algorithm starts to transition this port to the forwarding state (Classic (802.11)-1998) and rapid (802. yy and 802.1D-2004) versions of STP both execute the same algoritam in the decision-making process. However, in the transition of a port from the blocking (or discarding, in rapid spanning-tree terms) to the forwarding state, there isa big difference between those two spamning-tree versions, Classic 802.1D would simply take 30 seconds to transition the port to forwarding, ‘The rapid spanning tre algorithm can leverage additional mechanisms to transition the port to forwarding in less than a second, Although the order of the steps that are liste in the diagrams suggests that STP goes through them ina coordinated, sequential manne, that is not actualy the case. Ifyou look back at the description of each step in the process, you see that each switch is going through these Steps in @ parallel lin, Also, each switch might adapt its selection of root bridge, root ports, and designated ports as it receives new BPDUs. As the| BPDUs are propagated through the network, all switches eventually have a consistent view of the topology of the network. When this stable state is reached, BPDUs are transmitted only by designated ports. ‘There are two loops in the sample topology, meaning that two ports should be im the blocking state to break bot loops. The port on Switch C that is not directly comected to Switch B (root bridge) is blocked, becanse itis anondesignated port. The port on Switch D that is not directly comnected to-Switch B (root bridge) is also blocked, because itis a nondesignated port.Types of Spanning-Tree Protocols ‘The STP is a network protocol that ensures a loop-fiee topology. Several varieties of spanning-tree protocols exist. Types of Spanning-Tree Protocols Spanning-tree standards: + IEEE 802.10: The logacy standard for bridging and STP ST: Assumes one spanning eo instance fr he ene bridged network, regardless ofthe number of VLANS + PVST#: A Cisco enhancement of STP that provides a separate 802.1D spanningstree instance for each VLAN that is configured inthe: network * 602.18 (MSTP): Maps multiple VLANS to the same spanning-ree * 802.1w (RSTP}: improves convergence over 1996 STP by adding roles to ports and enhancing BPDU exchanges + Rapid PVST#: A Cisco enhancement of RSTP using PYST+ + STP EEE 802.1D) provides a loop-free topology in a network with redundant links. ~ CST.assumes one spanning-tree instance forthe entire b WLANs. + PYST+isa Cisco enhancement of STP thet provides a separate 802.1D spanning.tree instance for each ‘VLAN that is configured in the networic| + MSTP, or IEEE 802,15, is an IEEE standard that is inspired by the earlier Cisco proprietary MISTP. ‘implementation, MSTP maps multiple VLANs int the same spanning-tree instance. + RST, or IEEE §02.1v, isan evolution of STP thet provides faster convergence of STP. It redefines port roles and link costs, + Rapid PVST* isa Cisco enhancement of RSTP that uses PVST+. Rapid PVST~ provides a separate instance of 802.1w per VLAN. network, regardless of the mumber of Note When Cisco documentston and tis course refer to implementing RETR; they are refering ta the Cisco RSTP implamentation—Raped PST* 12 lnterconnecting Cisco Networking Devices: Acca 1d (CONAN 2017 Cisco Systems, neComparison of Spanning-Tree Protocols The following are characteristics of various spanning-tree protocols: Comparison of Spanning-Tree Protocols Raps PYST? ioe Verynign Fast (ne or every wan st? eo2.ts ecm oth Fast ne for mute + STP assumes one 802.10 spanning-tree instance forthe entire bridged network, regardless of the number of VLANs. Because only one instance exists, the CPU and memory requirements for this ‘version are lower than forthe other protocols. However, because of only one instance, there is only one root bridge and one tree. Traffic for all VLANs flows over the same patch, which ean lead to suboptimal traffic flows, Because of the limitations of 802.1D, this version is slow to converge. + PYST+is @ Cisco enhancement of STP that provides 2 separate 802.1 spanning-tree instance for each ‘VLAN thatis configured in the network. The separate instance supports PortFast, UplinkFast, BackboneFast, BPDU guard, BPDU filter, root guard, and loop guard. Creating an instance for each | ‘VLAN inereases the CPU and memory requirements but allows for per-VLAN toot bridges. This desiem allows the STP tree to be optimized forthe traffic of each VLAN. Convergence of this version is similar to the convergence of 802.1D. However, convergence is per-VLAN. + RSTP, or IEEE $02.1, is an evolution of STP thet provides faster STP convergence. This version addresses many convergence issues, but because it still provides 2 single instance of STP, it does not address the suboptimal trafic flow issues. To support that faster convergence, the CPU usage and ‘memory requirements ofthis version are slightly higher than the requirements of CST but lower than. those of RSTPY. (Cisco Systems, Ine Intrconnectng Cisco Networking Devioes: Accoleated (CCNA) 14S+ Rapid PVSTS is a Cisco enhancement of RSTP that uses PVST+-. It provides a separate instance of 802.1 per VLAN. This version addresses both the convergence issues and the suboptimal traffic flow issues. However, this version kas the largest CPU and memory requirements, + MSTPis an IEEE standard that i inspired by the earlier Cisco proprietary MISTP implementation. To reduce the number of required STP instances, MSTP maps multiple VLANS that have the same traffic flow requirements into the same spanning-tree instance. The Cisco implementation of MSTP is MST. ‘MST provides up to 16 instances of RSTP (802.1) and combines many VLANs with the same physical and logical topology into 2 common RSTP instance. Fach instance supports PortFast, BPDU guard, BPDU filter, root guard, and loop guard, The CPU and memory requirements of this version are lower than the requirements of Rapid PVST+ but are higher than those of RSTP. Default Spanning- Tree Configurat Default Spanning-Tree Configuration The default spanning tree configuration for Cisco Catalyst switches: + Pyste * Enabled on all ports in VLAN 1 + Siower convergence after topology change than with RST ‘The default spamning-tree mode for Cisco Catalyst switches is PVST+, which is enabled om all ports. PVST+ has much slower convergence after a topology change than the Rapid PVST but requires less control plane CPU and memory resources to compute the shortest path tree upon topology changes. (isco Networking Davies:Per VLAN Spanning Tree Plus ‘The §02.1D standard defines a CST that assumes only one spanning-tree instance for the entire switched network, regardless of the number of VLANs. A network that is running CST has these characteristics: + No load sharing is posible. One uplink must block forall VLAN. + The CPU is spared_Only one instance of spanning tree must be computed. Per VLAN Spanning Tree Plus Forarang Pot to VLAN 1 Forwaring Post AVANT PGRWANZ PYST+ defines a spanning-tree protocol that has several spamning-tree instances running forthe network: (Gne instance of STP per VLAN}. Networks that are runing several spanning-tree instances have these characterstice| + Optinrum load sharing can occur. Ina Cisco PVST+ environment, you can tune the spanning tree parameters so that half the VLANs forward on each uplink trunk. The configuration must define a ‘different root bridge for eacl half of the VLANs. Providing different STP root switches per VLAN ‘creates amore redundant network. * One spanning-tree instance for each VLAN maintained can mean a considerable waste of CPU cycles for all the switches inthe network (in addition to the banciwath that is used for each instance to send its ‘ov BPDUs). This situation would only be problematic if many VLANs are configured. Rapid PVST+is the Cisco proprietary version of RSTP. It creates spanning tree for each VLAN, just like PVST.PVST+ Extended Bridge ID Spanning-tree operation requires thet each switch has @ unique BID. Inthe original $02.1D standard, the BID consisted of the bridge priority and the MAC address of the switch, and a CST represented all VLANs. PVST+ requires that a separate instance of spanning tree that is rn for each VLAN and the BID field must carry (VID information. This fmetionalty is accomplished by reusing a portion of the Priority field as the extended system ID to camy’a VID. PVST+ Extended Bridge ID System ID = VLAN +—— ridge 1D = 8 Bytes ——— Bridge Prionty Bridge ID without the Extended System I MAC Address Extended Bridge ID ‘with System 1D = VLAN Bridge | _ Extend Pronty | System io | MAC Address “Tes "aes ots To accommodate the extended system ID, the original $02.1D 16-bit bridge priority field is split into two fields. The BID includes the following fields + Bridge priority: A 4-bit field that is still used to carry bridge priority. The priority is conveyed in discrete values in increments of 4096 rather than discrete values in increments of 1, because only the | four most significant bits are available ftom the 16.bit field. In other words, in binary, the following applies: pririty 0 = [0000|

You might also like

• The Subtle Art of Not Giving a F*ck: A Counterintuitive Approach to Living a Good Life

  

  From Everand

  The Subtle Art of Not Giving a F*ck: A Counterintuitive Approach to Living a Good Life

  Mark Manson

  Rating: 4 out of 5 stars

  4/5 (5820)
• The Gifts of Imperfection: Let Go of Who You Think You're Supposed to Be and Embrace Who You Are

  

  From Everand

  The Gifts of Imperfection: Let Go of Who You Think You're Supposed to Be and Embrace Who You Are

  Brene Brown

  Rating: 4 out of 5 stars

  4/5 (1093)
• Never Split the Difference: Negotiating As If Your Life Depended On It

  

  From Everand

  Never Split the Difference: Negotiating As If Your Life Depended On It

  Chris Voss

  Rating: 4.5 out of 5 stars

  4.5/5 (845)
• • Magazines
  • Podcasts
  • Sheet music
• Principles: Life and Work

  

  From Everand

  Principles: Life and Work

  Ray Dalio

  Rating: 4 out of 5 stars

  4/5 (609)
• The Glass Castle: A Memoir

  

  From Everand

  The Glass Castle: A Memoir

  Jeannette Walls

  Rating: 4.5 out of 5 stars

  4.5/5 (1717)
• Grit: The Power of Passion and Perseverance

  

  From Everand

  Grit: The Power of Passion and Perseverance

  Angela Duckworth

  Rating: 4 out of 5 stars

  4/5 (590)
• Sing, Unburied, Sing: A Novel

  

  From Everand

  Sing, Unburied, Sing: A Novel

  Jesmyn Ward

  Rating: 4 out of 5 stars

  4/5 (1104)
• Hidden Figures: The American Dream and the Untold Story of the Black Women Mathematicians Who Helped Win the Space Race

  

  From Everand

  Hidden Figures: The American Dream and the Untold Story of the Black Women Mathematicians Who Helped Win the Space Race

  Margot Lee Shetterly

  Rating: 4 out of 5 stars

  4/5 (897)
• Shoe Dog: A Memoir by the Creator of Nike

  

  From Everand

  Shoe Dog: A Memoir by the Creator of Nike

  Phil Knight

  Rating: 4.5 out of 5 stars

  4.5/5 (540)
• The Perks of Being a Wallflower

  

  From Everand

  The Perks of Being a Wallflower

  Stephen Chbosky

  Rating: 4.5 out of 5 stars

  4.5/5 (2104)
• The Hard Thing About Hard Things: Building a Business When There Are No Easy Answers

  

  From Everand

  The Hard Thing About Hard Things: Building a Business When There Are No Easy Answers

  Ben Horowitz

  Rating: 4.5 out of 5 stars

  4.5/5 (348)
• Bad Feminist: Essays

  

  From Everand

  Bad Feminist: Essays

  Roxane Gay

  Rating: 4 out of 5 stars

  4/5 (1018)
• Elon Musk: Tesla, SpaceX, and the Quest for a Fantastic Future

  

  From Everand

  Elon Musk: Tesla, SpaceX, and the Quest for a Fantastic Future

  Ashlee Vance

  Rating: 4.5 out of 5 stars

  4.5/5 (474)
• Her Body and Other Parties: Stories

  

  From Everand

  Her Body and Other Parties: Stories

  Carmen Maria Machado

  Rating: 4 out of 5 stars

  4/5 (822)
• The Outsider: A Novel

  

  From Everand

  The Outsider: A Novel

  Stephen King

  Rating: 4 out of 5 stars

  4/5 (1866)
• The Emperor of All Maladies: A Biography of Cancer

  

  From Everand

  The Emperor of All Maladies: A Biography of Cancer

  Siddhartha Mukherjee

  Rating: 4.5 out of 5 stars

  4.5/5 (271)
• The Sympathizer: A Novel (Pulitzer Prize for Fiction)

  

  From Everand

  The Sympathizer: A Novel (Pulitzer Prize for Fiction)

  Viet Thanh Nguyen

  Rating: 4.5 out of 5 stars

  4.5/5 (122)
• Angela's Ashes: A Memoir

  

  From Everand

  Angela's Ashes: A Memoir

  Frank McCourt

  Rating: 4.5 out of 5 stars

  4.5/5 (441)
• Brooklyn: A Novel

  

  From Everand

  Brooklyn: A Novel

  Colm Tóibín

  Rating: 3.5 out of 5 stars

  3.5/5 (1947)
• The Little Book of Hygge: Danish Secrets to Happy Living

  

  From Everand

  The Little Book of Hygge: Danish Secrets to Happy Living

  Meik Wiking

  Rating: 3.5 out of 5 stars

  3.5/5 (401)
• A Man Called Ove: A Novel

  

  From Everand

  A Man Called Ove: A Novel

  Fredrik Backman

  Rating: 4.5 out of 5 stars

  4.5/5 (4771)
• The World Is Flat 3.0: A Brief History of the Twenty-first Century

  

  From Everand

  The World Is Flat 3.0: A Brief History of the Twenty-first Century

  Thomas L. Friedman

  Rating: 3.5 out of 5 stars

  3.5/5 (2259)
• Steve Jobs

  

  From Everand

  Steve Jobs

  Walter Isaacson

  Rating: 4.5 out of 5 stars

  4.5/5 (808)
• The Yellow House: A Memoir (2019 National Book Award Winner)

  

  From Everand

  The Yellow House: A Memoir (2019 National Book Award Winner)

  Sarah M. Broom

  Rating: 4 out of 5 stars

  4/5 (98)
• Devil in the Grove: Thurgood Marshall, the Groveland Boys, and the Dawn of a New America

  

  From Everand

  Devil in the Grove: Thurgood Marshall, the Groveland Boys, and the Dawn of a New America

  Gilbert King

  Rating: 4.5 out of 5 stars

  4.5/5 (266)
• The Art of Racing in the Rain: A Novel

  

  From Everand

  The Art of Racing in the Rain: A Novel

  Garth Stein

  Rating: 4 out of 5 stars

  4/5 (4208)
• A Tree Grows in Brooklyn

  

  From Everand

  A Tree Grows in Brooklyn

  Betty Smith

  Rating: 4.5 out of 5 stars

  4.5/5 (1929)
• A Heartbreaking Work Of Staggering Genius: A Memoir Based on a True Story

  

  From Everand

  A Heartbreaking Work Of Staggering Genius: A Memoir Based on a True Story

  Dave Eggers

  Rating: 3.5 out of 5 stars

  3.5/5 (231)
• Yes Please

  

  From Everand

  Yes Please

  Amy Poehler

  Rating: 4 out of 5 stars

  4/5 (1903)
• Team of Rivals: The Political Genius of Abraham Lincoln

  

  From Everand

  Team of Rivals: The Political Genius of Abraham Lincoln

  Doris Kearns Goodwin

  Rating: 4.5 out of 5 stars

  4.5/5 (234)
• The Woman in Cabin 10

  

  From Everand

  The Woman in Cabin 10

  Ruth Ware

  Rating: 3.5 out of 5 stars

  3.5/5 (2522)
• Fear: Trump in the White House

  

  From Everand

  Fear: Trump in the White House

  Bob Woodward

  Rating: 3.5 out of 5 stars

  3.5/5 (738)
• Wolf Hall: A Novel

  

  From Everand

  Wolf Hall: A Novel

  Hilary Mantel

  Rating: 4 out of 5 stars

  4/5 (3811)
• John Adams

  

  From Everand

  John Adams

  David McCullough

  Rating: 4.5 out of 5 stars

  4.5/5 (2409)
• On Fire: The (Burning) Case for a Green New Deal

  

  From Everand

  On Fire: The (Burning) Case for a Green New Deal

  Naomi Klein

  Rating: 4 out of 5 stars

  4/5 (74)
• The Light Between Oceans: A Novel

  

  From Everand

  The Light Between Oceans: A Novel

  M.L. Stedman

  Rating: 4.5 out of 5 stars

  4.5/5 (789)
• Manhattan Beach: A Novel

  

  From Everand

  Manhattan Beach: A Novel

  Jennifer Egan

  Rating: 3.5 out of 5 stars

  3.5/5 (792)
• The Constant Gardener: A Novel

  

  From Everand

  The Constant Gardener: A Novel

  John le Carré

  Rating: 3.5 out of 5 stars

  3.5/5 (104)
• The Unwinding: An Inner History of the New America

  

  From Everand

  The Unwinding: An Inner History of the New America

  George Packer

  Rating: 4 out of 5 stars

  4/5 (45)
• CCNAX SG Vol 1

  

  Document396 pages

  CCNAX SG Vol 1

  andrei7radu1159

  No ratings yet
• Rise of ISIS: A Threat We Can't Ignore

  

  From Everand

  Rise of ISIS: A Threat We Can't Ignore

  Jay Sekulow

  Rating: 3.5 out of 5 stars

  3.5/5 (137)
• Little Women

  

  From Everand

  Little Women

  Louisa May Alcott

  Rating: 4 out of 5 stars

  4/5 (104)
• CCNAX SG Vol 4

  

  Document244 pages

  CCNAX SG Vol 4

  andrei7radu1159

  No ratings yet
• CCNAX SG Vol 3

  

  Document392 pages

  CCNAX SG Vol 3

  andrei7radu1159

  No ratings yet
• CCNAX Cag

  

  Document130 pages

  CCNAX Cag

  andrei7radu1159

  No ratings yet
• Vk4105G Series: Gas Controls For Combined Valve and Ignition Modulating System

  

  Document18 pages

  Vk4105G Series: Gas Controls For Combined Valve and Ignition Modulating System

  andrei7radu1159

  No ratings yet
• Catalog Italimex

  

  Document54 pages

  Catalog Italimex

  andrei7radu1159

  No ratings yet