Cisco DEVICE AND IOS BASICS

Device connectivity Basics

The series of diagrams below reveal the cable types used for various device connectivity.

  • I. Console connectivity to configure a switch using a management host

  • a. PC serial port to Switch Console port

(Diagram: Management Console connected to the console port of a Catalyst Switch; a rollover cable is being used)

  • b. For remote configuration through the Auxiliary interface

(Diagram: Remote computer - Modem - Internet cloud - Modem - Aux 0 port of the switch)

  • II. Network Connection

  • a. To cascade devices of the same type, use a cross-over cable.

  • b. For HUB/SWITCH to PC/ROUTER a straight-through cable is used, and a cross-over cable is used between PC and Router, and between Hub and Switch.

(Diagram: Host, Router, Switch and HUB connected with the cross-over and straight-through cables described above)

Setting up the Management Console (Windows environment):

First let's set up HyperTerminal in Windows for interfacing with the Cisco devices and issuing commands. Here we go…

Path to launch the emulation software from your Desktop: click Start > Programs > Accessories > Communications > HyperTerminal.

We'll name our session My_Lab. The next screen requires us to configure the COM port to which we are going to connect our Cisco device.

Next, choose the default settings, else communication will be a problem!

On clicking OK, we'll see the below screen and we are ready to talk to our Cisco Switch/Router!

6
6

IOS BASICS

Pressing the RETURN key takes us to the USER EXEC mode.

Switch con0 is now available

Press RETURN to get started.

Switch>

The “>” prompt denotes user exec mode. To move into Privilege mode, we use the “enable” command.

Switch>enable

Switch#

Privilege mode is identified with the "#" symbol. The "configure terminal" command takes us into the global configuration mode where we can configure global parameters like the hostname etc. for the entire device.

Switch#configure terminal
Switch(config)#

To get into any specific interface mode we have to use the "interface" command with the relevant interface number. To configure parameters specific to interface 1 of module 0, we issue the command as shown below.

Switch(config)#interface fastethernet 0/1
Switch(config-if)#

This is the sequence with which we change modes in the forward direction. Let's now move backwards.

Switch(config-if)#exit

Switch(config)#

To go one step backward we have to use the command “exit”

Switch(config)#exit

Switch#

However, we must use the command "disable" to move from privilege to user exec mode. If we use "exit", it'll log us out (and we'll again see the first message

Switch con0 is now available

Press RETURN to get started)

Switch#disable

Switch>

To logout, we use the “exit” command again.

Switch>exit

Switch con0 is now available

Press RETURN to get started

NOTE: We can use ^Z to directly move backward 2 steps from interface mode to privilege mode.

Switch(config-if)#^Z
Switch#

Also note that we can use "?" whenever we want to see the various commands available in a particular mode, or want to find out what commands begin with a certain letter etc. This can be easily observed in the below case.

Router#?
Exec commands:
  access-enable    Create a temporary Access-List entry
  access-profile   Apply user-profile to interface
  access-template  Create a temporary Access-List entry
  archive          manage archive files
  cd               Change current directory
<output omitted>

Router#s?     (displays all commands beginning with "s")
*s=show  send  setup  slip  squeeze  start-chat  systat

If we type a wrong spelling and try to use help, the output will display "Unrecognized command". The same message is displayed even if we try to use help when no further arguments are possible (or wrong arguments are used). Look at the below examples ...

Router#show router ?
% Unrecognized command

Router#show ip a
% Ambiguous command:  "show ip a"

Router#show ?
  access-expression  List access expression
  access-lists       List access lists
  accounting         Accounting data for active sessions
  aliases            Display alias commands
  arp                ARP table
<output omitted>

Another interesting aspect is that we don't have to type the entire command. We can just type the first few letters of a command (to the extent that only one command begins with the typed letters) and press Tab, and the command is completed for us! (Even if we don't complete the command, it'll accept it!)

Using the Tab key

Let's just type "sh" and press the Tab key:

Router#sh<Tab>
Router#show

There are some shortcut keys that'll help us to work with IOS faster. Their description and use is given below.

Shortcut keys to access your CLI mode

  Key          Function
  -----------  ------------------------------------------------------------------
  CTRL-A       Moves the cursor to the beginning of the line
  CTRL-E       Moves the cursor to the end of the line
  ESC-B        Moves the cursor back one word at a time
  ESC-F        Moves the cursor forward one word at a time
  CTRL-B       Moves the cursor back one character at a time
  LEFT ARROW   Moves the cursor back one character at a time
  CTRL-F       Moves the cursor forward one character at a time
  RIGHT ARROW  Moves the cursor forward one character at a time
  CTRL-P       Recalls the last command
  UP ARROW     Recalls the last command
  CTRL-N       Recalls the most previously executed command
  DOWN ARROW   Recalls the most previously executed command
  CTRL-D       Deletes the character the cursor is under
  BACKSPACE    Deletes the character preceding the cursor
  CTRL-R       Redisplays the current line
  CTRL-U       Erases the line completely
  CTRL-W       Erases the word the cursor is under
  CTRL-Z       Takes you from Configuration mode back to Privilege EXEC mode
  TAB          Once you enter a few characters and hit the TAB key, the IOS device
               completes the word, assuming that you typed in enough characters to
               make the command or parameter unique
  $            When this appears at the beginning of a command line, it indicates
               that there are more characters to the right of the $.

Switching Labs

General Experiments with Basic Switch Commands

Assume we are on a Switch console and the switch's ready; we see the below message

Switch con0 is now available

Press RETURN to get started.

(press the return key)

Switch> this is our user exec mode

To get into privilege mode use the command enable

Switch>enable

Switch#     The prompt has changed from ">" to "#". If you see # after the hostname you are in Privilege mode

To get back from privilege mode to user exec mode use the command disable

Switch#disable

Switch>

To get into global configuration mode use the following commands

Switch>enable
Switch#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Switch(config)#     This prompt indicates global configuration mode

To get into specific interface mode use the following commands

Switch>enable
Switch#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Switch(config)#interface Fastethernet 0/1
Switch(config-if)#

Let's add a description to interface fastethernet 0/1 indicating that Host1 is connected to this interface. We do this from the specific interface mode.

Switch>enable
Switch#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Switch(config)#interface Fastethernet 0/1
Switch(config-if)#description Host1

Check out this description in the running configuration using the command "show running-config"

Switch#show running-config
Building configuration...

Current configuration : 130 bytes
!
interface FastEthernet0/1
 description Host1
 no ip address
end

(irrelevant output omitted)

Let's see some more basic show commands. (All show commands work only in privilege mode)

To view details of all interfaces or of a particular interface use "show interfaces" (or) "show interfaces <interface type> <interface id>", e.g.

Switch#show interfaces Fa 0/1
FastEthernet0/1 is down, line protocol is down
  Hardware is FastEthernet, address is 000d.ed5b.49c1 (bia 000d.ed5b.49c1)
  MTU 1500 bytes, BW 10000 Kbit, DLY 1000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
<output omitted>

We can also observe that it's sufficient to use the first few letters of the keyword Fastethernet: once these letters identify the unique command, the remaining letters needn't be typed!

Switch#show interface vlan 1
Vlan1 is administratively down, line protocol is down
  Hardware is CPU Interface, address is 000d.ed5b.49c0 (bia 000d.ed5b.49c0)
  MTU 1500 bytes, BW 1000000 Kbit, DLY 10 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
<output omitted>

Switch#show spanning-tree
No spanning tree instances exist.

Following is the command to see the current device configuration which is in the RAM.

Switch#show running-config
Building configuration...

Current configuration : 866 bytes
!
version 12.1
!
hostname Switch
!
interface FastEthernet0/1
 description Host1
 no ip address
<output omitted>
!
interface FastEthernet0/12
 no ip address
!
interface Vlan1
 no ip address
 no ip route-cache
 shutdown
!
line con 0
line vty 5 15
!
end

Switch#show startup-config
Building configuration...

Current configuration : 866 bytes
!
version 12.1
!
hostname Switch
!
!
interface FastEthernet0/1
 description Host1
 no ip address
!
!
interface FastEthernet0/12
 no ip address
!
interface Vlan1
 no ip address
 no ip route-cache
 shutdown
!
line con 0
line vty 5 15
!
end

 

Another interesting command to view the connectivity status of various interfaces is "show interface status"

Switch#show interface status

Port      Name       Status       Vlan       Duplex  Speed  Type
Fa0/1     Host1      connected    1          a-half  a-10   10/100BaseTX
Fa0/2                notconnect   1          auto    auto   10/100BaseTX
Fa0/3                notconnect   1          auto    auto   10/100BaseTX
Fa0/4                notconnect   1          auto    auto   10/100BaseTX
Fa0/5                notconnect   1          auto    auto   10/100BaseTX
Fa0/6                notconnect   1          auto    auto   10/100BaseTX
Fa0/7                notconnect   1          auto    auto   10/100BaseTX
Fa0/8                notconnect   1          auto    auto   10/100BaseTX
Fa0/9                notconnect   1          auto    auto   10/100BaseTX
Fa0/10               notconnect   1          auto    auto   10/100BaseTX
Fa0/11               notconnect   1          auto    auto   10/100BaseTX
Fa0/12               notconnect   1          auto    auto   10/100BaseTX

Now, let's see the content of the mac-address-table of our switch after disconnecting all connected computers (no devices connected to any interface of the switch), using the "show mac-address-table" command

Switch#show mac-address-table
          Mac Address Table
------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----

No entries are seen! Let's connect a host (computer) to port no. 1 and generate some traffic from it.

As soon as we connect the host to the switch on port 1 the following message can be observed on the screen

02:18:06: %LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to up
02:18:07: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to up

To generate traffic (for the switch to learn from the source address of the frame) we'll ping from the host to some IP address and then execute the show mac-address-table command again.

Switch2950#sh mac-address-table
          Mac Address Table
------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
   1    0040.33a0.4bc7    Dynamic     Fa0/1
Total Mac Addresses for this criterion: 1

The above table reveals the mac address of the host connected to interface fa0/1. It also reveals that this is a dynamically learnt entry.

If 2 switches are interconnected directly to each other (cascading), let's see what happens. We shall use this simple diagram for better understanding.

  0000.0000.0002 -- F0/1 [ Switch A ] F0/12 ---------- F0/12 [ Switch B ] F0/1 -- 0000.0000.000A
  0000.0000.0001 -- F0/2 [          ]                        [          ] F0/2 -- 0000.0000.000B

Now we see Switch A's mac address table as below

SwitchA#sh mac-address-table
          Mac Address Table
------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
   1    0000.0000.0002    Dynamic     Fa0/1
   1    0000.0000.0001    Dynamic     Fa0/2
   1    0000.0000.000A    Dynamic     Fa0/12
   1    0000.0000.000B    Dynamic     Fa0/12
   1    0000.0000.00B1    Dynamic     Fa0/12
   1    0000.0000.00B2    Dynamic     Fa0/12
Total Mac Addresses for this criterion: 6

We observe that this switch reveals the cascaded switch B's connected host mac addresses, and also switch B's Base Mac address (0000.0000.00B1) and switch B's cascade interface Fa0/12 Mac address (0000.0000.00B2). A similar output would be seen for switch B's mac table (shown below). The base Mac Address is common for the entire switch, while every interface of the switch also has a unique Mac address of its own.
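A small parser for the table above, added here as an example and not part of the lab manual: it reads `show mac-address-table` output, groups the learnt addresses by port, and flags any port that has learnt more than one MAC, which is how the cascade link Fa0/12 stands out. The sample text is constructed from Switch A's table; the function names are this example's own.

```python
"""Group 'show mac-address-table' entries by port and find multi-host ports."""
import re
from collections import defaultdict

# Constructed sample: Switch A's table after Switch B was cascaded on Fa0/12.
SWITCH_A_MAC_TABLE = """\
SwitchA#sh mac-address-table
          Mac Address Table
------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
   1    0000.0000.0002    Dynamic     Fa0/1
   1    0000.0000.0001    Dynamic     Fa0/2
   1    0000.0000.000A    Dynamic     Fa0/12
   1    0000.0000.000B    Dynamic     Fa0/12
   1    0000.0000.00B1    Dynamic     Fa0/12
   1    0000.0000.00B2    Dynamic     Fa0/12
Total Mac Addresses for this criterion: 6
"""

# One table row: VLAN id, dotted-hex MAC, entry type, port name.
# Header, separator and "Total ..." lines do not start with a number, so they are skipped.
_ROW = re.compile(
    r"^\s*(?P<vlan>\d+)\s+"
    r"(?P<mac>[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4})\s+"
    r"(?P<type>\S+)\s+"
    r"(?P<port>\S+)\s*$"
)


def parse_mac_table(text):
    """Return a list of (vlan, mac, type, port) tuples; MACs are lower-cased."""
    entries = []
    for line in text.splitlines():
        m = _ROW.match(line)
        if m:
            entries.append((int(m["vlan"]), m["mac"].lower(), m["type"], m["port"]))
    return entries


def macs_per_port(entries):
    """Group learnt MACs by port: {port: sorted list of MACs}."""
    by_port = defaultdict(list)
    for _vlan, mac, _type, port in entries:
        by_port[port].append(mac)
    return {port: sorted(macs) for port, macs in by_port.items()}


def multi_host_ports(entries, limit=1):
    """Ports that have learnt more MACs than `limit`.

    With the default limit of 1 (the same default port-security uses for
    its maximum) this picks out uplinks to other switches or hubs: in the
    sample, Fa0/12 carries both of Switch B's hosts plus Switch B's own
    base and interface addresses.
    """
    return {p: m for p, m in macs_per_port(entries).items() if len(m) > limit}


if __name__ == "__main__":
    rows = parse_mac_table(SWITCH_A_MAC_TABLE)
    for port, macs in sorted(multi_host_ports(rows).items()):
        print(f"{port}: {len(macs)} MACs learnt -> {', '.join(macs)}")
```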

SwitchB#sh mac-address-table
          Mac Address Table
------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
   1    0000.0000.000A    Dynamic     Fa0/1
   1    0000.0000.000B    Dynamic     Fa0/2
   1    0000.0000.0001    Dynamic     Fa0/12
   1    0000.0000.0002    Dynamic     Fa0/12
   1    0000.0000.00A1    Dynamic     Fa0/12
   1    0000.0000.00A2    Dynamic     Fa0/12
Total Mac Addresses for this criterion: 4

Let's see what the "show interface status" command reveals

SwitchA#show interface status

Port      Name       Status       Vlan       Duplex  Speed  Type
<output omitted>
Fa0/9                notconnect   1          auto    auto   10/100BaseTX
Fa0/10               notconnect   1          auto    auto   10/100BaseTX
Fa0/11               notconnect   1          auto    auto   10/100BaseTX
Fa0/12               Trunk        1          auto    auto   10/100BaseTX

SwitchB#show interface status

Port      Name       Status       Vlan       Duplex  Speed  Type
<output omitted>
Fa0/9                notconnect   1          auto    auto   10/100BaseTX
Fa0/10               notconnect   1          auto    auto   10/100BaseTX
Fa0/11               notconnect   1          auto    auto   10/100BaseTX
Fa0/12               Trunk        1          auto    auto   10/100BaseTX

It displays the cascade link as TRUNK.

Another interesting command to view various details regarding the switch's configuration is "show version"

Switch#show version
Cisco Internetwork Operating System Software
IOS (tm) C2950 Software (C2950-I6Q4L2-M), Version 12.1(12c)EA1, RELEASE SOFTWARE (fc1)
Copyright (c) 1986-2002 by cisco Systems, Inc.
Compiled Sun 24-Nov-02 23:31 by antonino
Image text-base: 0x80010000, data-base: 0x80562000

ROM: Bootstrap program is CALHOUN boot loader

Switch uptime is 4 hours, 33 minutes
System returned to ROM by power-on
System image file is "flash:/c2950-i6q4l2-mz.121-12c.EA1.bin"

cisco WS-C2950-12 (RC32300) processor (revision K0) with 21002K bytes of memory.

Processor board ID FOC0739W1K0

Last reset from system-reset

Running Standard Image

12 FastEthernet/IEEE 802.3 interface(s)

32K bytes of flash-simulated non-volatile configuration memory.

Base ethernet MAC Address: 00:0D:ED:5B:49:C0

Motherboard assembly number: 73-5782-12

Power supply part number: 34-0965-01

Motherboard serial number: FOC07391MM3

Power supply serial number: PHI073402LD

Model revision number: K0

Motherboard revision number: A0

Model number: WS-C2950-12

System serial number: FOC0739W1K0

Configuration register is 0xF

To save our current configuration from RAM to NVRAM (startup configuration) we use the command copy running-config startup-config (alternately the "write" command may also be used)

Switch#copy running-config startup-config
Destination filename [startup-config]?
Building configuration...
[OK]

If we want to restart the switch use the following command

Switch#reload     (used to warm boot the switch)

To clear all the contents of the mac table, use the below command (this will remove only dynamic entries. Static/Permanent entries will not be removed).

Switch#clear mac-address-table *

To delete the startup configuration, use

Switch#erase startup-config

To change our switch name to "Switch2950"

Switch(config)#hostname Switch2950
Switch2950(config)#

To configure a secret (encrypted) password for privilege mode (the password is set as "cisco1" in the below example)

Switch2950(config)#enable secret cisco1

After configuring the secret password let's see the output of the show running-config command

Switch2950#show run
Building configuration...

Current configuration : 939 bytes
<output omitted>
hostname Switch2950
!
enable secret 5 $1$z9ZE$mO/4D6DgtZcTrmzmyX3Ys/     (this is how the encrypted password is seen)
!
<output omitted>
end

To configure an enable password for privilege mode

Switch2950(config)#enable password cisco     (to configure the enable password for privilege mode)

Switch2950#sh run
Building configuration...

Current configuration : 939 bytes
<output omitted>
hostname Switch2950
!
enable password cisco     (our password is in clear text, which is in readable format)
!
<output omitted>
end

To configure the console password, the following is the sequence.

Switch2950(config)#line console 0
Switch2950(config-line)#login
% Login disabled on line 0, until 'password' is set
Switch2950(config-line)#password cisco

show running-config reveals

Switch#show running-config
!
line con 0
 password cisco
 login
!
<output omitted>

If we restart / relogin into the switch, it asks for the password in the beginning itself

Switch2950 con0 is now available

Press RETURN to get started.

User Access Verification

Password:     (here we have to supply the console 0 password to get into user exec mode)

Let's observe the whole running-config output

Switch#show running-config
Building configuration...

Current configuration : 1154 bytes
!
version 12.1
no service single-slot-reload-enable
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Switch
!
enable secret 5 $1$z9ZE$mO/4D6DgtZcTrmzmyX3Ys/
enable password cisco
!
ip subnet-zero
!
!
interface FastEthernet0/1
 description Host1
 no ip address
!
interface FastEthernet0/2
 no ip address
!
interface FastEthernet0/3
 no ip address
!
interface FastEthernet0/4
 no ip address
!
interface FastEthernet0/5
 no ip address
!
interface FastEthernet0/6
 no ip address
!
interface FastEthernet0/7
 no ip address
!
interface FastEthernet0/8
 no ip address
!
interface FastEthernet0/9
 no ip address
!
interface FastEthernet0/10
 no ip address
!
interface FastEthernet0/11
 no ip address
!
interface FastEthernet0/12
!
interface Vlan1
 no ip address
 shutdown
!
ip http server
!
!
line con 0
 password cisco
 login
line vty 0 4
line vty 5 15
!
end

Note: if both secret and enable passwords exist, only the secret will be used to get into privilege mode.

Let's say we have some remote administrators who'll log on to this switch remotely. (They can do so because Cisco switches run terminal services.) However, setting the vty password is a must for telnet access, and this is how we do it.

Let's start configuring the VTY sessions

Switch2950(config)#line vty 0 15
Switch2950(config-line)#login
% Login disabled on line 1, until 'password' is set
% Login disabled on line 2, until 'password' is set
% Login disabled on line 3, until 'password' is set
% Login disabled on line 4, until 'password' is set
% Login disabled on line 5, until 'password' is set
% Login disabled on line 6, until 'password' is set
% Login disabled on line 7, until 'password' is set
% Login disabled on line 8, until 'password' is set
% Login disabled on line 9, until 'password' is set
% Login disabled on line 10, until 'password' is set
% Login disabled on line 11, until 'password' is set
% Login disabled on line 12, until 'password' is set
% Login disabled on line 13, until 'password' is set
% Login disabled on line 14, until 'password' is set
% Login disabled on line 15, until 'password' is set
% Login disabled on line 16, until 'password' is set

This reveals that 16 simultaneous telnet sessions are possible! We have to configure the password to enable all these 16 sessions

Switch2950(config-line)#password cisco
Switch2950(config-line)#
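The password and line settings walked through above (enable secret versus clear-text enable password, `no service password-encryption`, and con/vty lines that need both `login` and `password`) can be checked mechanically. The auditor below is an added example, not part of the lab manual or of any Cisco tool; the config text is constructed from the running-config shown earlier, and the check names and severities are this example's own.

```python
"""Audit an IOS running-config for the weak access settings discussed in this lab."""
import re

# Constructed sample, trimmed to the parts the checks look at.
RUNNING_CONFIG = """\
version 12.1
no service password-encryption
!
hostname Switch
!
enable secret 5 $1$z9ZE$mO/4D6DgtZcTrmzmyX3Ys/
enable password cisco
!
interface Vlan1
 no ip address
 shutdown
!
line con 0
 password cisco
 login
line vty 0 4
line vty 5 15
!
end
"""


def line_blocks(config):
    """Map each 'line ...' header to the indented commands configured under it."""
    blocks, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("line "):
            current = raw.strip()
            blocks[current] = []
        elif current is not None and raw.startswith(" "):
            blocks[current].append(raw.strip())
        else:
            current = None          # any unindented line ends the block
    return blocks


def audit_config(config):
    """Return a list of (severity, message) findings for the config text."""
    findings = []
    lines = [l.rstrip() for l in config.splitlines()]

    # Clear-text storage: line passwords are shown as typed unless encryption is on.
    if "no service password-encryption" in lines:
        findings.append(("medium", "service password-encryption is disabled: "
                                   "line passwords are stored in clear text"))

    # Privilege-mode access: the hashed secret should exist; a plain
    # 'enable password' is readable by anyone who can view the config,
    # even though the secret is the one actually used when both exist.
    if not any(l.startswith("enable secret ") for l in lines):
        findings.append(("high", "no 'enable secret' configured for privilege mode"))
    for l in lines:
        if re.match(r"enable password \S+$", l):
            findings.append(("high", "'enable password' is stored in clear text"))

    # Console and vty lines: 'login' without 'password' is refused by IOS
    # ("% Login disabled ... until 'password' is set"); a password without
    # 'login' is never asked for; neither means no password on the line.
    for header, cmds in line_blocks(config).items():
        has_login = "login" in cmds
        has_password = any(c.startswith("password ") for c in cmds)
        if has_login and not has_password:
            findings.append(("high", f"{header}: 'login' without 'password'; "
                                     "IOS disables login on this line"))
        elif has_password and not has_login:
            findings.append(("high", f"{header}: password set but 'login' missing, "
                                     "so it is never asked for"))
        elif not has_login and not has_password:
            findings.append(("info", f"{header}: no password configured on this line"))
    return findings


if __name__ == "__main__":
    for severity, message in audit_config(RUNNING_CONFIG):
        print(f"[{severity:6}] {message}")
```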

This config alone is not sufficient for telnetting. We need to assign an IP address to the switch, and only then is telnet possible. Where do we configure an IP address in the switch?

Switch2950>enable
Switch2950#configure terminal
Switch2950(config)#interface vlan 1
Switch2950(config-if)#ip address 1.1.1.1 255.0.0.0     (this is the command to configure an ip address for an interface)

So, we configure the IP address on VLAN1 (we'll learn more about vlans later).

Switch2950(config-if)#no shutdown     (after assigning the ip address we have to enable the interface using the NO SHUTDOWN command). We will be able to see the below message.

01:33:27: %LINK-3-UPDOWN: Interface Vlan1, changed state to up
01:33:29: %LINK-3-UPDOWN: Interface Vlan1, Line Protocol changed state to up

Let's now see how we can control the speed and duplex operation of the switch

Switch2950(config)#interface fastethernet 0/1
Switch2950(config-if)#duplex half
Note: Duplex will not be set until speed is set to a non-auto value
Switch2950(config-if)#speed 10
Switch2950(config-if)#duplex half

Now check the output of the show interface status command

Switch#show interface status

Port      Name       Status       Vlan       Duplex  Speed  Type
Fa0/1     Host1      connected    1          half    10     10/100BaseTX
Fa0/2                notconnect   1          auto    auto   10/100BaseTX
Fa0/3                notconnect   1          auto    auto   10/100BaseTX
Fa0/4                notconnect   1          auto    auto   10/100BaseTX
Fa0/5                notconnect   1          auto    auto   10/100BaseTX
Fa0/6                notconnect   1          auto    auto   10/100BaseTX
Fa0/7                notconnect   1          auto    auto   10/100BaseTX
Fa0/8                notconnect   1          auto    auto   10/100BaseTX
Fa0/9                notconnect   1          auto    auto   10/100BaseTX
Fa0/10               notconnect   1          auto    auto   10/100BaseTX
Fa0/11               notconnect   1          auto    auto   10/100BaseTX
Fa0/12               notconnect   1          auto    auto   10/100BaseTX

Had the switch auto negotiated, the output would have been

Port      Name       Status       Vlan       Duplex  Speed  Type
Fa0/1     Host1      connected    1          a-half  a-10   10/100BaseTX
Fa0/2                notconnect   1          auto    auto   10/100BaseTX
Fa0/3                notconnect   1          auto    auto   10/100BaseTX
Fa0/4                notconnect   1          auto    auto   10/100BaseTX
Fa0/5                notconnect   1          auto    auto   10/100BaseTX
Fa0/6                notconnect   1          auto    auto   10/100BaseTX
Fa0/7                notconnect   1          auto    auto   10/100BaseTX
Fa0/8                notconnect   1          auto    auto   10/100BaseTX
Fa0/9                notconnect   1          auto    auto   10/100BaseTX
Fa0/10               notconnect   1          auto    auto   10/100BaseTX
Fa0/11               notconnect   1          auto    auto   10/100BaseTX
Fa0/12               notconnect   1          auto    auto   10/100BaseTX

a-half, a-10 means auto negotiated with the connected device to half duplex and 10 Mbps.

PORT SECURITY: Let's now learn how switch interfaces can be configured to allow connectivity only for pre-defined hosts (based on their Mac-Addresses). This is done on a per interface basis.

Before configuring port security for the interfaces, let's see the output of the "show port-security" command

Switch#show port-security
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                (Count)       (Count)          (Count)
---------------------------------------------------------------------------
---------------------------------------------------------------------------
Total Addresses in System : 0
Max Addresses limit in System : 1024

Now let's configure port security for interface Fa 0/1: only the system with mac id 0000.0000.a111 should be allowed connectivity; any other device connecting to this interface should result in the interface shutting down.

Manual port security

Switch2950(config)#interface fastethernet 0/1
Switch2950(config-if)#switchport mode access
Switch2950(config-if)#switchport port-security
Switch2950(config-if)#switchport port-security mac-address 0000.0000.A111

See the output in show running-config and show port-security

Switch2950#sh run
Building configuration...

Current configuration : 1089 bytes
!
hostname Switch2950
!
enable secret 5 $1$z9ZE$mO/4D6DgtZcTrmzmyX3Ys/
enable password cisco
!
!
interface FastEthernet0/1
 switchport mode access
 switchport port-security
 switchport port-security mac-address 0000.0000.A111
 no ip address
 duplex half
 speed 10
<output omitted>

Switch2950#show port-security
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                (Count)       (Count)          (Count)
---------------------------------------------------------------------------
      Fa0/1              1            1                  0         Shutdown
---------------------------------------------------------------------------
Total Addresses in System : 0
Max Addresses limit in System : 1024

We can also ask the switch to auto-learn the mac address of the connected host using the keyword "sticky"

Switch2950(config)#interface fastethernet 0/2
Switch2950(config-if)#switchport mode access
Switch2950(config-if)#switchport port-security
Switch2950(config-if)#switchport port-security mac-address sticky

After configuring sticky, when any traffic arrives at interface fastethernet 0/2 the switch will learn the mac-address and secure it.

Switch2950#show running-config
Building configuration...

Current configuration : 1089 bytes
!
hostname Switch2950
!
enable secret 5 $1$z9ZE$mO/4D6DgtZcTrmzmyX3Ys/
enable password cisco
!
!
interface FastEthernet0/2
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky
 switchport port-security mac-address 0000.0000.A112
 no ip address
<output omitted>

Switch2950#show port-security
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                (Count)       (Count)          (Count)
---------------------------------------------------------------------------
      Fa0/1              1            1                  0         Shutdown
      Fa0/2              1            1                  0         Shutdown
---------------------------------------------------------------------------
Total Addresses in System : 0
Max Addresses limit in System : 1024

By default, only one mac-address will be locked to the interface; this can be changed as demonstrated below.

Increasing the maximum count of mac-addresses secured for the interface

Switch2950(config)#interface fastethernet 0/3
Switch2950(config-if)#switchport mode access
Switch2950(config-if)#switchport port-security
Switch2950(config-if)#switchport port-security maximum 4     (range <0-132>)

Switch2950#sh run
Building configuration...

Current configuration : 1089 bytes
!
hostname Switch2950
!
enable secret 5 $1$z9ZE$mO/4D6DgtZcTrmzmyX3Ys/
enable password cisco
!
interface FastEthernet0/3
 switchport mode access
 switchport port-security
 switchport port-security maximum 4
 no ip address
<output omitted>

Switch2950#show port-security
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                (Count)       (Count)          (Count)
---------------------------------------------------------------------------
      Fa0/1              1            1                  0         Shutdown
      Fa0/2              1            1                  0         Shutdown
      Fa0/3              4            0                  0         Shutdown
---------------------------------------------------------------------------
Total Addresses in System : 0
Max Addresses limit in System : 1024

The security action is shutdown by default, and we can change it to one of 3 modes.

  Shutdown (default) - if a violation happens the interface will shut down automatically
  Protect (don't log) - if a violation happens the interface won't shut down, won't allow communication, and won't log any error
  Restrict (do log) - if a violation happens the interface won't shut down but no communication will be allowed, and an alert would be sent / SNMP trap sent.

The configuration may be done as shown below.

Switch2950(config)#interface fastethernet 0/4
Switch2950(config-if)#switchport mode access
Switch2950(config-if)#switchport port-security
Switch2950(config-if)#switchport port-security violation {shutdown | protect | restrict}

If we chose protect

24

24 Switch2950#sh run Building configuration ... Current configuration : 1089 bytes ! hostname Switch2950 ! enable

Switch2950#sh run

Building configuration ...

Current configuration : 1089 bytes

!

hostname Switch2950

!

enable secret 5 $1$z9ZE$mO/4D6DgtZcTrmzmyX3Ys/

enable password cisco

!

interface FastEthernet0/4

switchport mode access

switchport port-security

switchport port-security violation protect

switchport port-security mac-address 0000.0000.A131

no ip address

<output omitted>

Switch2950#show port-security

Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
             (Count)        (Count)      (Count)
-----------------------------------------------------------------------
Fa0/1        1              1            0                  Shutdown
Fa0/2        1              1            0                  Shutdown
Fa0/3        4              0            0                  Shutdown
Fa0/4        1              0            0                  Protect
-----------------------------------------------------------------------
Total Addresses in System : 0
Max Addresses limit in System : 1024
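To make the difference between the three violation modes concrete, here is an added simulation (not code from the original notes) of a secure port receiving frames from a second, unexpected host; the MAC addresses and log strings are constructed.

```python
"""Port-security violation modes, simulated in software.

Added example, not from the original notes: models a secure access port
under the three violation modes described above (shutdown, protect,
restrict) so their differences show up on sample traffic. The MAC
addresses and log strings are constructed; nothing talks to a switch.
"""
from dataclasses import dataclass, field

SHUTDOWN, PROTECT, RESTRICT = "shutdown", "protect", "restrict"


@dataclass
class SecurePort:
    name: str
    max_secure: int = 1              # switchport port-security maximum <n>
    violation: str = SHUTDOWN        # switchport port-security violation <mode>
    secure_macs: set = field(default_factory=set)   # learned/static secure MACs
    violations: int = 0              # SecurityViolation (Count) column
    err_disabled: bool = False       # shutdown mode puts the port here
    log: list = field(default_factory=list)

    def receive(self, src_mac: str) -> bool:
        """Return True if a frame from src_mac is forwarded, False if dropped."""
        src_mac = src_mac.lower()
        if self.err_disabled:
            return False                       # port stays down until recovered
        if src_mac in self.secure_macs:
            return True                        # known secure address
        if len(self.secure_macs) < self.max_secure:
            self.secure_macs.add(src_mac)      # still room: learn it
            return True
        # Violation: unknown source while MaxSecureAddr is already reached.
        if self.violation == SHUTDOWN:
            self.err_disabled = True
            self.violations += 1
            self.log.append(f"{self.name}: violation from {src_mac}, port err-disabled")
        elif self.violation == RESTRICT:
            self.violations += 1               # counted and reported (syslog/SNMP trap)
            self.log.append(f"{self.name}: violation from {src_mac}, frame dropped")
        # PROTECT: drop silently, no counter, no log entry.
        return False

    def status_line(self) -> str:
        """One row in the style of `show port-security`."""
        return (f"{self.name:<12}{self.max_secure:<14}{len(self.secure_macs):<12}"
                f"{self.violations:<18}{self.violation.capitalize()}")


def run_scenario(mode: str) -> dict:
    """Frames arrive from host A131, then an unexpected host B222, then A131 again."""
    port = SecurePort("Fa0/4", violation=mode)
    frames = ["0000.0000.A131", "0000.0000.B222", "0000.0000.A131"]
    forwarded = [port.receive(mac) for mac in frames]
    return {"forwarded": forwarded, "violations": port.violations,
            "err_disabled": port.err_disabled, "status": port.status_line()}


if __name__ == "__main__":
    for mode in (SHUTDOWN, PROTECT, RESTRICT):
        print(mode, run_scenario(mode))
```

Note that in shutdown mode the legitimate host loses connectivity too (the third frame is dropped), which is why protect or restrict is sometimes preferred on ports where availability matters more than a hard stop.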

Spanning-tree protocol - Let's next do some basic observation on STP

[Diagram: Switch A (MAC 1000.0000.000A) port F0/11 connected to port F0/11 of Switch B (MAC 0000.0000.000A)]

With reference to the above diagram, the Root Bridge is Switch B

because it has the lowest mac-address 0000.0000.000A. Switch A will be

the non-root bridge. Let’s see the output of show spanning-tree command

now.

SwitchB#show spanning-tree

VLAN0001
  Spanning tree enabled protocol ieee
  Root ID    Priority    32769
             Address     0000.0000.000A
             This bridge is the root
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    32769  (priority 32768 sys-id-ext 1)
             Address     0000.0000.000A
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time 300

Interface        Port ID                  Designated                   Port ID
Name             Prio.Nbr  Cost  Sts      Cost  Bridge ID              Prio.Nbr
---------------- --------  ----  ---  --------  ---------------------  --------
Fa0/11           128.1      100  FWD         0  32769 1000.0000.000A   128.1

SwitchA#show spanning-tree

VLAN0001
  Spanning tree enabled protocol ieee
  Root ID    Priority    32769
             Address     0000.0000.000A
             This bridge is the root
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    32769  (priority 32768 sys-id-ext 1)
             Address     1000.0000.000A
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time 300

Interface        Port ID                  Designated                   Port ID
Name             Prio.Nbr  Cost  Sts      Cost  Bridge ID              Prio.Nbr
---------------- --------  ----  ---  --------  ---------------------  --------
Fa0/11           128.1      100  FWD         0  32769 0000.0000.000A   128.1
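The election shown in the two outputs above can be reproduced from the bridge IDs alone. The following is an added example (not from the original notes) that builds the per-VLAN bridge ID the way the output displays it and elects the root; the switch names and MACs are the ones from the diagram, while the lowered priority in the second election is a constructed configuration change.

```python
"""STP root bridge election from bridge IDs.

Added example, not from the original notes: builds the per-VLAN bridge ID
the way `show spanning-tree` displays it above (priority 32768 + sys-id-ext
= VLAN number, then the MAC address) and elects the root as the notes
describe: lowest priority wins, ties broken by the lowest MAC address.
Switch names and MACs are the ones in the notes; the lowered priority in
the second election is a constructed configuration change.
"""
from dataclasses import dataclass

DEFAULT_PRIORITY = 32768


def mac_to_int(mac: str) -> int:
    """'0000.0000.000A' -> 10, so addresses compare numerically, not as text."""
    return int(mac.replace(".", "").replace(":", ""), 16)


@dataclass(frozen=True)
class Bridge:
    name: str
    mac: str
    priority: int = DEFAULT_PRIORITY      # configurable in steps of 4096

    def __post_init__(self):
        if self.priority % 4096 or not 0 <= self.priority <= 61440:
            raise ValueError("priority must be a multiple of 4096 in 0..61440")

    def bridge_id(self, vlan: int) -> tuple:
        """Per-VLAN bridge ID as (priority + sys-id-ext, MAC)."""
        return (self.priority + vlan, mac_to_int(self.mac))

    def priority_text(self, vlan: int) -> str:
        """Same wording as the Bridge ID Priority line of show spanning-tree."""
        return f"{self.priority + vlan} (priority {self.priority} sys-id-ext {vlan})"


def elect_root(bridges, vlan: int = 1) -> Bridge:
    """Lowest bridge ID wins; tuple ordering compares priority first, MAC second."""
    return min(bridges, key=lambda b: b.bridge_id(vlan))


def election_summary(bridges, vlan: int = 1) -> str:
    root = elect_root(bridges, vlan)
    return f"{root.name} is the root: {root.priority_text(vlan)}, {root.mac}"


SWITCH_A = Bridge("SwitchA", "1000.0000.000A")
SWITCH_B = Bridge("SwitchB", "0000.0000.000A")

if __name__ == "__main__":
    # Default priorities on both switches: the MAC decides, so SwitchB wins.
    print(election_summary([SWITCH_A, SWITCH_B]))
    # Pinning the root with an explicit lower priority overrides the MAC
    # tie-break; without it any switch with a lower MAC would become root.
    pinned_a = Bridge("SwitchA", "1000.0000.000A", priority=24576)
    print(election_summary([pinned_a, SWITCH_B]))
```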

The next major topic we would like to see is VLAN.

The output of the show vlan command when no vlans are configured is

Switch2950#show vlan

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/1, Fa0/2, Fa0/3, Fa0/4
                                                Fa0/5, Fa0/6, Fa0/7, Fa0/8
                                                Fa0/9, Fa0/10, Fa0/11, Fa0/12
1002 fddi-default                     active
1003 token-ring-default               active
1004 fddinet-default                  active
1005 trnet-default                    active

VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Tran1 Tran2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ----- -----
1    enet  100001     1500  -      -      -        -    -        0     0
1002 fddi  101002     1500  -      -      -        -    -        0     0
1003 tr    101003     1500  -      -      -        -    srb      0     0
1004 fdnet 101004     1500  -      -      -        ieee -        0     0
1005 trnet 101005     1500  -      -      -        ibm  -        0     0

Remote SPAN VLANs
-----------------------------------------------------------------------

Primary Secondary Type              Ports
------- --------- ----------------- -----------------------------------

We can observe that all the interfaces are associated with the default

VLAN1.

Now let’s get on to creating STATIC VLANs & define port associations.

Two possibilities exist. One from privileged mode (using VLAN Database) & the second from global config mode.

Creating vlan using the "vlan database" method

Switch2950#vlan database

Switch2950(vlan)#vlan 2 name CCNA        - creating VLAN with id 2 & name CCNA

VLAN 2 added:

Name: CCNA

Switch2950(vlan)#apply                   - to save the configuration

APPLY completed.

Switch2950(vlan)#exit                    - implicit save & exit

APPLY completed.

Exiting ....

Using “^Z” will not save the config & we will also exit from vlan

database.

After the Vlan is created, see the output of the show vlan command

Switch2950#show vlan

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/1, Fa0/2, Fa0/3, Fa0/4
                                                Fa0/5, Fa0/6, Fa0/7, Fa0/8
                                                Fa0/9, Fa0/10, Fa0/11, Fa0/12
2    CCNA                             active
1002 fddi-default                     active
1003 token-ring-default               active
1004 fddinet-default                  active
1005 trnet-default                    active
<output omitted>

Assigning vlan membership - let's make interface fa0/4 a member of Vlan 2

Switch2950(config)#int fastEthernet 0/4

 

Switch2950(config-if)#switchport mode access

Switch2950(config-if)#switchport access vlan 2

Switch2950(config-if)# ^z

 

Interface Fa0/4 is now assigned to vlan 2

 

Switch2950#show vlan

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/1, Fa0/2, Fa0/3, Fa0/5
                                                Fa0/6, Fa0/7, Fa0/8, Fa0/9
                                                Fa0/10, Fa0/11, Fa0/12
2    CCNA                             active    Fa0/4
1002 fddi-default                     active
1003 token-ring-default               active
1004 fddinet-default                  active
1005 trnet-default                    active
<output omitted>

Below is the output of the show run command after assigning the membership for interface Fa0/4

Switch2950#show run

Building configuration ...


!

Current configuration : 98 bytes

!

interface FastEthernet0/4

switchport access vlan 2

switchport mode access

no ip address

end

Let’s repeat the above using the second method - Creating vlan using

global configuration mode

Switch2950#configure terminal

Switch2950(config)#vlan 3

Switch2950(config-vlan)#name CCNP

Switch2950(config-vlan)#exit

Output of show vlan command after creating vlan 3 in global

configuration mode

Switch2950#sh vlan

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/1, Fa0/2, Fa0/3, Fa0/5
                                                Fa0/6, Fa0/7, Fa0/8, Fa0/9
                                                Fa0/10, Fa0/11, Fa0/12
2    CCNA                             active    Fa0/4
3    CCNP                             active
1002 fddi-default                     active
1003 token-ring-default               active
1004 fddinet-default                  active
1005 trnet-default                    active

We can see that the outcome is the same wherever we create the VLAN

from.

If we wanted to know the VTP Domain name, version used, VTP switch

mode, we use the command “show vtp status”

Switch2950#show vtp status

VTP Version                     : 2
Configuration Revision          : 1
Maximum VLANs supported locally : 64
Number of existing VLANs        : 6
VTP Operating Mode              : Server
VTP Domain Name                 : Null
VTP Pruning Mode                : Disabled
VTP V2 Mode                     : Disabled
VTP Traps Generation            : Disabled

Let’s change the switch mode to CLIENT.

Switch2950#vlan database

Switch2950(vlan)#vtp client

Setting device to VTP CLIENT mode.

The same task using global configuration mode -

Switch2950#configure terminal


Switch2950(config)#vtp mode Server / Client / Transparent

Switch2950#show vtp status

VTP Version                     : 2
Configuration Revision          : 1
Maximum VLANs supported locally : 64
Number of existing VLANs        : 6
VTP Operating Mode              : Client
VTP Domain Name                 : Null
VTP Pruning Mode                : Disabled
VTP V2 Mode                     : Disabled
VTP Traps Generation            : Disabled

Now we are going to change the vtp domain name from "Null" to "Cisco" using the vlan database method

Switch2950#vlan database

Switch2950(vlan)#vtp domain Cisco

Changing VTP domain name from Null to Cisco

Switch2950(vlan)#exit

APPLY completed.

Exiting ....

Same task using global configuration mode

Switch2950#configure terminal

Switch(config)#vtp domain Cisco

Changing VTP domain name from Null to Cisco

Switch2950#show vtp status

VTP Version                     : 2
Configuration Revision          : 0
Maximum VLANs supported locally : 64
Number of existing VLANs        : 6
VTP Operating Mode              : Server
VTP Domain Name                 : Cisco
VTP Pruning Mode                : Disabled
VTP V2 Mode                     : Disabled
VTP Traps Generation            : Disabled

Let's see how the mac address table reflects the vlan configuration in the case below.

[Diagram: Switch A and Switch B connected F0/12 to F0/12. Each switch has a host on F0/1 (Vlan 1) and a host on F0/2 (Vlan 2); the host MAC addresses are 0000.0000.0002, 0000.0000.0001, 0000.0000.000A and 0000.0000.000B]

Switch A & B’s mac address table & interface status reveal -

SwitchA#sh mac-address-table

          Mac Address Table
------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       ----        -----
   1    0000.0000.0002    Dynamic     Fa0/1
   2    0000.0000.0001    Dynamic     Fa0/2
   1    0000.0000.000A    Dynamic     Fa0/12
   2    0000.0000.000B    Dynamic     Fa0/12
<other entries omitted>

SwitchB#sh mac-address-table

          Mac Address Table
------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       ----        -----
   1    0000.0000.000A    Dynamic     Fa0/1
   2    0000.0000.000B    Dynamic     Fa0/2
   1    0000.0000.0001    Dynamic     Fa0/12
   1    0000.0000.0002    Dynamic     Fa0/12
<other entries omitted>


SwitchA#show interface status

Port      Name               Status       Vlan       Duplex  Speed Type
Fa0/1                        connected    1            full    100 10/100BaseTX
Fa0/2                        connected    2            full    100 10/100BaseTX
Fa0/3                        notconnect   1            auto   auto 10/100BaseTX
Fa0/4                        notconnect   1            auto   auto 10/100BaseTX
Fa0/5                        notconnect   1            auto   auto 10/100BaseTX
Fa0/6                        notconnect   1            auto   auto 10/100BaseTX
Fa0/7                        notconnect   1            auto   auto 10/100BaseTX
Fa0/8                        notconnect   1            auto   auto 10/100BaseTX
Fa0/9                        notconnect   1            auto   auto 10/100BaseTX
Fa0/10                       notconnect   1            auto   auto 10/100BaseTX
Fa0/11                       notconnect   1            auto   auto 10/100BaseTX
Fa0/12                       Trunk        1            auto   auto 10/100BaseTX

SwitchB#show interface status

Port      Name               Status       Vlan       Duplex  Speed Type
Fa0/1                        connected    1            full    100 10/100BaseTX
Fa0/2                        connected    2            full    100 10/100BaseTX
Fa0/3                        notconnect   1            auto   auto 10/100BaseTX
Fa0/4                        notconnect   1            auto   auto 10/100BaseTX
Fa0/5                        notconnect   1            auto   auto 10/100BaseTX
Fa0/6                        notconnect   1            auto   auto 10/100BaseTX
Fa0/7                        notconnect   1            auto   auto 10/100BaseTX
Fa0/8                        notconnect   1            auto   auto 10/100BaseTX
Fa0/9                        notconnect   1            auto   auto 10/100BaseTX
Fa0/10                       notconnect   1            auto   auto 10/100BaseTX
Fa0/11                       notconnect   1            auto   auto 10/100BaseTX
Fa0/12                       Trunk        1            auto   auto 10/100BaseTX

To view trunk details we use the commands “show interface <interface

id> trunk” & “show interface <interface id> switchport”

SwitchA#show interface fastethernet 0/12 switchport

Name: Fa0/12

Switchport: Enabled

Administrative Mode: dynamic desirable

Operational Mode: dynamic

Administrative Trunking Encapsulation: dot1q

Negotiation of Trunking: On

Access Mode VLAN: 1 (default)

Trunking Native Mode VLAN: 1 (default)

We can even configure a mac-address statically. The following command is used.

SwitchA(config)#mac-address-table static 0000.0000.AAAA vlan 3 interface fastEthernet 0/11

Then our mac-address table looks like this

SwitchA#sh mac-address-table

          Mac Address Table
------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       ----        -----
   1    0000.0000.000A    Dynamic     Fa0/1
   2    0000.0000.000B    Dynamic     Fa0/2
   3    0000.0000.AAAA    Static      Fa0/11
   1    0000.0000.0001    Dynamic     Fa0/12
   1    0000.0000.0002    Dynamic     Fa0/12
Total Mac Addresses for this criterion: 5

Routing

Static Routes

There are actually two ways that a router can learn a static route. First, a router will look at its active interfaces, examine the addresses configured on the interfaces and determine the corresponding network numbers, and populate the routing table with this information. This is commonly called a connected route.

The following example shows the routing table of a Router whose Ethernet 0 interface has been configured with the IP address 10.0.0.1 & Serial 0 with 192.168.1.1. To view the Routing table, use the command "show ip route"

Router_1#show ip route

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is not set

C    10.0.0.0/8 is directly connected, Ethernet0
C    192.168.1.0/24 is directly connected, Serial0

Explanation of the Routing Table Entries :

The top portion of the display for this command has a table of codes.

These codes, which describe a type of route that may appear in the

routing table, are shown in the first column at the bottom part of the

display.

“C” represents that it’s a directly connected network.

This is followed by Network ID & to which interface that network is

connected.

In 10.0.0.0/8, the “/8” represents the subnet mask – 255.0.0.0

Note : If we hadn't configured any IP address on the router, there would be no entries in the routing table; it would have been empty.


The second way is when we manually configure it. A static route is a

manually configured route on the router. Consider the below network

with IP addresses configured as shown.

[Diagram: R1 (E0 10.0.0.1, S0 192.168.1.1) --- (S1 192.168.1.2) R2 (E0 20.0.0.1, S0 172.16.0.1) --- (S0 172.16.0.2) R3 (E0 30.0.0.1)]

Static Route Configuration

To configure a static route for IP, use one of these two commands:

Router(config)#ip route <Dest_Net_ID><subnet_mask><next_hop IP_address>

-or-

Router(config)#ip route <Dest_Net_ID>< subnet_mask>< interface_to_exit>

The first parameter that you must specify is the destination network number.

After the subnet mask parameter, you have two ways to specify how to reach the destination network:

(i) By specifying the next hop neighbor's IP address (safe to use, as this is suitable for all environments), or

(ii) The router's specific exit interface to reach the destination network (use this method only on a point-to-point link). In this instance, you must specify the name of the interface on the router, like serial0.

Here below is the configuration of Router R1 with the next hop neighbor's IP address.

 
 

R1#sh run

Building configuration ...

Current configuration : 908 bytes

version 12.2

(irrelevant output omitted)


interface Ethernet0

ip address 10.0.0.1 255.0.0.0

!

interface Serial0

ip address 192.168.1.1 255.255.255.0

no fair-queue

clockrate 64000

!

ip route 20.0.0.0 255.0.0.0 192.168.1.2

ip route 30.0.0.0 255.0.0.0 192.168.1.2

ip route 172.16.0.0 255.255.0.0 192.168.1.2

ip http server

!

line con 0

transport input none

line aux 0

!

end

The following shows the routing table of a Router (R1 the leftmost

Router) with Static Routes configured.

R1#sh ip route

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is not set

S    20.0.0.0/8 [1/0] via 192.168.1.2
S    172.16.0.0/16 [1/0] via 192.168.1.2
C    10.0.0.0/8 is directly connected, Ethernet0
C    192.168.1.0/24 is directly connected, Serial0
S    30.0.0.0/8 [1/0] via 192.168.1.2

This shows additional entries (configuration discussed next) marked "S", representing manually configured static routes.

Consider the entry - S 20.0.0.0/8 [1/0] via 192.168.1.2

The two values in "[1/0]" represent the Administrative Distance (AD) & the metric respectively (details are discussed in a separate section). Suffice it to remember that the first value is the AD, whose default is "1" for a static route, and the second value is the metric, which is always "0" for a statically configured route.

"via 192.168.1.2" is the gateway address, i.e. the IP address of the next router's interface; this is the interface through which data from R1 travels to reach destination network 20.0.0.0 (which is connected to router R2).


Here below is the configuration of Router R2 with the exit interface

configuration.

R2#sh run

Building configuration ...

Current configuration : 654 bytes

(irrelevant output omitted)

!

interface Ethernet0

ip address 20.0.0.1 255.0.0.0

!

interface Serial0

ip address 172.16.0.1 255.255.0.0

clockrate 64000

!

interface Serial1

ip address 192.168.1.2 255.255.255.0

!

no ip http server

ip classless

ip route 10.0.0.0 255.0.0.0 Serial1

ip route 30.0.0.0 255.0.0.0 172.16.0.2

!

line con 0

line aux 0

line vty 0 4

password cisco

login

!

!

end

The following table shows the routing table of R2

R2#sh ip route

Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

C    20.0.0.0/8 is directly connected, Ethernet0
C    172.16.0.0/16 is directly connected, Serial0
S    10.0.0.0/8 is directly connected, Serial1
C    192.168.1.0/24 is directly connected, Serial1
S    30.0.0.0/8 [1/0] via 172.16.0.2

In this example, there are three connected routes and two static routes. The static route (10.0.0.0) is treated as a directly connected route, since it was created by specifying the interface to exit the router - "SERIAL1".

BACKUP ROUTE

While configuring a static route, you can optionally change its administrative distance. If you omit this value, it will have one of two defaults, depending on the previous parameter. If you specified the next hop neighbor's IP address, the administrative distance defaults to 1. If you specified the interface the router should use to reach the destination, the router treats the route as a connected route and assigns it an administrative distance of 0.

Please note that you can create multiple static routes to the same destination. For instance, you might have primary and backup paths to the destination. For the primary path, use the default administrative distance value. For the backup path, use a higher number, such as 2. Once you have configured a backup path, the router will use the primary path, and if the interface on the router for the primary path fails, the router will use the backup route.

Below is the configuration of Router R3 with both a static route through the exit interface at an administrative distance of 2 and a static route with the next hop neighbor's IP address pointing to Router R2.

[Diagram: R2 (E0 20.0.0.1, S1 192.168.1.2, S0 172.16.0.1) --- (S0 172.16.0.2) R3 (E0 30.0.0.1, S1 200.0.0.2); other labels in the figure: 192.168.1.1, 200.0.0.1, 10.0.0.1, S0, S1, E0]

R3#sh run

Building configuration ...

Current configuration : 725 bytes

!

version 12.2

!

enable password cisco

(irrelevant output omitted)

!

interface Ethernet0

ip address 30.0.0.1 255.0.0.0

duplex auto

speed auto

!

interface Serial0

ip address 172.16.0.2 255.255.0.0

!

interface Serial1

ip address 200.0.0.2 255.255.255.0


!

ip route 20.0.0.0 255.0.0.0 172.16.0.1

ip route 20.0.0.0 255.0.0.0 Serial0 2

ip http server

!

!

line con 0

logging synchronous

line aux 0

line vty 0 4

password cisco

login

!

end

The following example shows the routing table of R3

R3#sh ip route

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is not set

S    20.0.0.0/8 [1/0] via 172.16.0.1
C    172.16.0.0/16 is directly connected, Serial1
C    200.0.0.0/24 is directly connected, Serial0
C    30.0.0.0/8 is directly connected, Ethernet0

Note here that even though we have configured the 20.0.0.0 network with the outgoing interface Serial0, it has not been populated in the routing table because of its higher Administrative Distance.
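The route selection behind R2's table (exit-interface route shown as directly connected) and R3's table (the AD-2 backup left out) can be reproduced with the following added example, which is not code from the original notes. It uses the `ip route` statements from the R2 and R3 configurations above; the map from next-hop IP to interface and the backup route leaving through Serial1 are constructed assumptions for the failover case.

```python
"""Static route installation by administrative distance, simulated.

Added example, not from the original notes. Installs `ip route` lines by
the rules the notes give: a next-hop route gets AD 1 and prints as
"[AD/0] via <hop>"; an exit-interface route is treated as connected
(AD 0) and prints as "directly connected"; a duplicate with a higher AD
stays out until the installed route's interface goes down. Route lines
are R2's and R3's; the hop map and the Serial1 backup are constructed.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class StaticRoute:
    prefix: ipaddress.IPv4Network
    via: str    # next-hop IP address or exit interface name
    ad: int     # administrative distance

    @property
    def uses_interface(self) -> bool:
        return not self.via[0].isdigit()


def parse_ip_route(line: str) -> StaticRoute:
    """Parse 'ip route <net> <mask> <next-hop | interface> [ad]'."""
    parts = line.split()
    if parts[:2] != ["ip", "route"] or len(parts) not in (5, 6):
        raise ValueError(f"not an ip route statement: {line!r}")
    net, mask, via = parts[2], parts[3], parts[4]
    prefix = ipaddress.IPv4Network(f"{net}/{mask}", strict=True)
    default_ad = 0 if not via[0].isdigit() else 1   # interface: connected; hop: 1
    return StaticRoute(prefix, via, int(parts[5]) if len(parts) == 6 else default_ad)


def render(route: StaticRoute) -> str:
    """Print the entry the way show ip route does in the notes."""
    if route.uses_interface:
        return f"S {route.prefix} is directly connected, {route.via}"
    return f"S {route.prefix} [{route.ad}/0] via {route.via}"


def build_table(lines, up_interfaces, hop_interface) -> list:
    """Install the lowest-AD usable route per prefix; hop_interface maps a
    next-hop IP to the interface it sits on (the connected lookup a router does)."""
    best = {}
    for route in map(parse_ip_route, lines):
        iface = route.via if route.uses_interface else hop_interface.get(route.via)
        if iface not in up_interfaces:
            continue                    # unusable: interface down or hop unreachable
        if route.prefix not in best or route.ad < best[route.prefix].ad:
            best[route.prefix] = route
    return [render(r) for r in best.values()]


# Statements from the running configurations shown above.
R2_ROUTES = ["ip route 10.0.0.0 255.0.0.0 Serial1",
             "ip route 30.0.0.0 255.0.0.0 172.16.0.2"]
R3_ROUTES = ["ip route 20.0.0.0 255.0.0.0 172.16.0.1",
             "ip route 20.0.0.0 255.0.0.0 Serial0 2"]
# Constructed variant: the AD-2 backup leaves through a different link.
R3_BACKUP_VIA_S1 = ["ip route 20.0.0.0 255.0.0.0 172.16.0.1",
                    "ip route 20.0.0.0 255.0.0.0 Serial1 2"]
R3_HOPS = {"172.16.0.1": "Serial0"}   # R2's S0 is on R3's Serial0 link

if __name__ == "__main__":
    print(build_table(R2_ROUTES, {"Serial0", "Serial1"}, {"172.16.0.2": "Serial0"}))
    print(build_table(R3_ROUTES, {"Serial0", "Serial1"}, R3_HOPS))  # backup stays out
    print(build_table(R3_BACKUP_VIA_S1, {"Serial1"}, R3_HOPS))      # Serial0 down
```

In R3's own configuration both routes depend on the Serial0 link, so the backup only takes over when it is reached through a different interface, as in the constructed variant.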

[Diagram: R2 (E0 20.0.0.1, S0 172.16.0.1) --- (S1 172.16.0.2) R3 (E0 30.0.0.1)]

Default Route Configuration

A default route is a special type of static route. Where a static route

specifies a path a router should use to reach a specific destination, a

default route specifies a path the router should use if it