
THE MOST IMPORTANT ACTION: SAVE TO STARTUP CONFIGURATION

Figure 7.6 on page 128 is wrong.

Cross-check with textbook: mark the last paragraph on page 220 / first on page 221, and the last line of the second paragraph of page 221.

Intrusion Detection/Protection Systems. Structured Wireless-Aware Network (SWAN).

Cisco recommends that CDP be disabled on all interfaces that do not need it. Interfaces that do need it are those connected to other routers, switches, or IP Phones.

Manually configuring speed or duplex settings on a router or switch disables autonegotiation on that interface. Of all the interface status commands, only show interface status shows how speed and duplex were configured.

Cross-check: when autonegotiation is supported by both devices, the fastest speed and full duplex supported by both is chosen. If autonegotiation is disabled on one device, the device that supports autonegotiation chooses the settings.

Jabber: Ethernet rules are ignored; frame after frame is transmitted without a break.

An incrementing late-collision counter means one of two things: a duplex mismatch, or the interface is connected to a collision domain whose cabling exceeds the Ethernet standard.

Integrated Services Routers: routers with multiple features integrated into one router.

The IOS of a router accepts the clock rate (bps) interface command on an interface that already has a DCE cable installed, or on which no cable is installed. It will not act on the clock rate command if given on a DTE interface (no error message is returned).

The bandwidth interface command tells the router the speed of the link in kilobits/sec, regardless of whether the router is supplying clocking or not; its configuration does not affect the rate at which data is transmitted on the link. EIGRP and OSPF use the bandwidth setting for their metric calculation. Default bandwidth settings when the bandwidth command is not configured: Serial: 1544 kbps; Ethernet: defaults to the current speed of that interface. Manually configuring bandwidth overrides the default.

Console and Aux ports are both configured as DTE.

While in setup mode, some IOS versions prompt the user to say whether he wants AutoSecure. Answering yes disables CDP globally.

Extended ping.

When configuring RIP-2, the IOS actually accepts parameters other than classful parameters, returning no error message. It automatically changes them to their classful equivalents, as reflected in its routing table.

Backup static routes are configured so that static routes are used if the router fails to learn a route. These backups are assigned administrative distances much higher than that of the configured routing protocol.

RIP v2 sends routing updates to 224.0.0.9 (multicast) and v1 sends updates to 255.255.255.255 (broadcast).

Before using the debug command, check CPU utilization using the show process (enable) command. With anything above 30-40%, caution is advised when enabling the command. To allow routers to display timestamps with debug messages, configure the service timestamps global configuration command.

Configuring WANs with the software: configure the clock rate on each DCE interface, else the line protocol status will remain down even if the IP address and no shutdown commands have been configured.

The show ip arp command on a router displays the ARP table associated with that router. The Age heading lists the amount of time since the router last received a packet via that interface, as opposed to an ARP request/reply. A dash indicates that the IP address is associated with that router.

A router determines the subnet number and mask for each connected route based on the IP address configured on each respective interface.

WAN circuits:
CSU/DSU: synchronous circuits. CSU/DSUs at both ends attempt to run at the same speed and adjust their own speeds to match that of the other.
Modems: asynchronous circuits. Modems at both ends attempt to match each other's speed but do not adjust their clock rates to match that of the other.
Disadvantages of modems: their speed offerings are very low even with compression techniques, and simultaneous voice and data traffic is not supported.
An increase in the number of users does not degrade DSL service.

ATM vs. Frame Relay:
ATM supports much higher speeds. It forwards cells of fixed length: 53 bytes long, 48 bytes payload, 5 bytes header. VCI and VPI. Segmentation and reassembly (SAR). Cell switching service.
Frame Relay forwards packets of variable length.

Metropolitan Ethernet: Ethernet as a WAN service. The service provider provides an Ethernet cable (fiber) from its facility to the customer's premises.

Packet switching is a layer 2 service while circuit switching is a layer 1 service.

When configuring a router using SDM (Security Device Manager) or Cisco Device Manager (CDM), the router or switch respectively must first have an IP address configured on its local-facing interface via the CLI.

THE MOST IMPORTANT ACTION: SAVE TO STARTUP CONFIGURATION

The show dhcp server exec command displays the IP address of the DNS server as well as the domain name. This IP address was learned by the router using DHCP client services. A DHCP pool refers to the range of IP addresses that can be assigned using DHCP.

Check the host networking commands in chapter 15.

Additional show commands:
show dhcp binding: displays the IP addresses assigned to the different hosts in the LAN by the DHCP server function.
show ip nat translation: displays the entries in the NAT table.
clear ip nat translation: usually necessary to clear the NAT table before certain hosts with previous routing difficulties can function. Clearing this table, though, may impact certain applications.

Port Address Translation (PAT) is also known as NAT overloading. Static NAT is known as one-to-one NAT and is used to map a single IP address to a single registered IP address. It is often used for servers that need to be accessed via the Internet.

CIDR and VLSM
Variable Length Subnet Mask (VLSM): using more than one subnet mask on a single classful network. For routing protocols to support VLSM, the routing protocol must advertise the subnet number along with its mask. Also, these protocols must include the masks in their updates to support route summarization.

For the exam, the zero subnet should be avoided if (a) the question implies the use of classful routing protocols or (b) the routers are configured with the no ip subnet-zero global configuration command. Otherwise, assume that the zero subnet can be used.

Loopback address 127.0.0.: reserved for the loopback interface of a machine. The loopback interface is the interface on a device that allows for the testing of the IP software without worrying about a broken or corrupt driver.

Route summarization works much better when the network was designed with route summarization in mind.

Default routes are special static routes. They can be configured using two different global configuration commands:
ip route 0.0.0.0 0.0.0.0 <next hop ip>
ip default-network <classful network number>: this command is most useful when the engineer wants to use the default route to reach networks besides the networks used inside that enterprise.
When a router only matches a packet with the default route, that router uses the forwarding details listed in the gateway of last resort line.

Classless routing: when a packet's destination only matches a router's default route, and does not match any other routes, forward the packet using that default route.
Classful routing: when a packet's destination only matches a router's default route, and does not match any other routes, only use the default route if this router does not know any routes in the classful network in which the destination IP address resides.
Toggle between classless and classful routing using the ip classless/classful global config command. What is the default setting?

The response of a router to an incoming packet is as follows:
1. For each received frame, use the data-link trailer frame check sequence (FCS) field to ensure that the frame had no errors; if errors occurred, discard the frame (and do not continue to the next step).
2. Check the frame's destination data-link layer address, and process only if addressed to this router or to a broadcast/multicast address.
3. Discard the incoming frame's old data-link header and trailer, leaving the IP packet.
4. Compare the packet's destination IP address to the routing table, and find the route that matches the destination address. This route identifies the outgoing interface of the router, and possibly the next-hop router.
5. Determine the destination data-link address used for forwarding packets to the next router or destination host (as directed in the routing table).
6. Encapsulate the IP packet inside a new data-link header and trailer, appropriate for the outgoing interface, and forward the frame out that interface.

N/B: check pages 168-9 of ICND2.

When a particular destination IP address has more than one route in a router's routing table, choose the route with the longest prefix mask, i.e. the most specific route.

The show ip route ip-address command lists detailed information about the route that the router matches for the IP address listed in the command. If multiple routes match the IP address, this command lists the best route: the route with the longest prefix.

DNS, ICMP, DHCP, and ARP:
1. If not known yet, the host uses DHCP to learn its IP address, subnet mask, DNS IP addresses, and default gateway IP address. If already known, the host skips this step.
2. If the user references a host name not currently held in the host's name cache, the host makes a DNS request to resolve the name into its corresponding IP address. Otherwise, the host skips this step.
3. If the user issued the ping command, the IP packet contains an ICMP Echo Request; if the user instead used a typical TCP/IP application, it uses protocols appropriate to that application.
4. To build the Ethernet frame, the host uses the ARP cache's entry for the next-hop device: either the default gateway (when sending to a host on another subnet) or the true destination host (when sending to a host on the same subnet). If the ARP cache does not hold that entry, the host uses ARP to learn the information.

Two configuration commands can be used to change the IP MTU size on an interface: the mtu interface subcommand and the ip mtu interface subcommand. The mtu command sets the MTU for all Layer 3 protocols; unless a need exists to vary the setting per Layer 3 protocol, this command is preferred. If a different setting is desired for IP, the ip mtu command sets the value used for IP. If both are configured on an interface, the IP MTU setting takes precedence on that interface. However, if the mtu command is configured after ip mtu is configured, the ip mtu value is reset to the same value as that of the mtu command. Use care when changing these values.

Having multiple subnets on a single medium: secondary IP addressing. The router interface common to these subnets must be configured with that many IP addresses.

The zero subnet (or subnet zero) is the one subnet in each classful network that has all binary 0s in the subnet part of the binary version of the subnet number. In decimal, the zero subnet happens to be the same number as the classful network number. The no ip subnet-zero command on one router does not affect other routers, and it does not prevent a router from learning about a zero subnet through a routing protocol. It simply prevents the router from configuring an interface to be in a zero subnet.

The Cisco ping command uses, by default, the output interface's IP address as the packet's source address, unless otherwise specified in an extended ping.

Route summarization works best if it was initially considered during the planning stage. Manual route summarization: ip summary-address protocol <summary ip and mask>. Use the following steps to find the best summary IP address and mask:
1. List all to-be-summarized subnet numbers in binary.
2. Find the first N bits of the subnet numbers for which every subnet has the same value, moving from left to right. (For our purposes, consider this first part the in-common part.)
3. To find the summary route's subnet number, write down the in-common bits from Step 2 and binary 0s for the remaining bits. Convert back to decimal, 8 bits at a time, when finished.
4. To find the summary route's subnet mask, write down N binary 1s, with N being the number of in-common bits found at Step 2. Complete the subnet mask with all binary 0s. Convert back to decimal, 8 bits at a time, when finished.
5. Check your work by calculating the range of valid IP addresses implied by the new summary route, comparing the range to the summarized subnets. The new summary should encompass all IP addresses in the summarized subnets.
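The summarization steps above, carried out in code (an added example, not from the notes or the textbook). It goes one step beyond the notes by capping N at the shortest input prefix, so a summary can never be more specific than a subnet it is supposed to cover; the sample subnets are constructed.

```python
import ipaddress

def to_binary(subnet):
    """Step 1: write a subnet number as dotted binary, e.g. 10.1.2.0 ->
    00001010.00000001.00000010.00000000"""
    net = ipaddress.ip_network(subnet, strict=True)
    return ".".join(f"{octet:08b}" for octet in net.network_address.packed)

def common_prefix_bits(subnets):
    """Step 2: count the leading bits, moving left to right, on which every
    subnet number has the same value."""
    values = [int(ipaddress.ip_network(s).network_address) for s in subnets]
    n = 0
    while n < 32 and len({(v >> (31 - n)) & 1 for v in values}) == 1:
        n += 1
    return n

def summarize(subnets):
    """Steps 3 and 4: keep the in-common bits and zero the rest to get the
    summary subnet number; the mask is N ones followed by zeros.
    Added caveat (not from the notes): N is capped at the shortest input
    prefix length, otherwise a /8 listed next to a /16 inside it would be
    'summarized' by a route more specific than the /8 itself."""
    nets = [ipaddress.ip_network(s, strict=True) for s in subnets]
    n = min(common_prefix_bits(subnets), min(net.prefixlen for net in nets))
    mask = (0xFFFFFFFF << (32 - n)) & 0xFFFFFFFF
    number = int(nets[0].network_address) & mask
    return str(ipaddress.ip_network((number, n)))

def covers_all(summary, subnets):
    """Step 5: the summary's address range must contain every address of
    every summarized subnet."""
    s = ipaddress.ip_network(summary)
    return all(ipaddress.ip_network(x).subnet_of(s) for x in subnets)

if __name__ == "__main__":
    # Constructed sample: four contiguous /24 subnets of 10.1.0.0
    SAMPLE = ["10.1.0.0/24", "10.1.1.0/24", "10.1.2.0/24", "10.1.3.0/24"]
    for s in SAMPLE:
        print(f"{s:>14}  {to_binary(s)}")
    route = summarize(SAMPLE)
    print("summary:", route, "covers all:", covers_all(route, SAMPLE))
```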

With classful routing protocols, the router uses the mask configured on the receiving interface to process the IP packet, usually the default for that class.

Contiguous network: a classful network in which packets sent between every pair of subnets can pass only through subnets of that same classful network, without having to pass through subnets of any other classful network.
Discontiguous network: a classful network in which packets sent between at least one pair of subnets must pass through subnets of a different classful network.
Autosummarization prevents an internetwork with a discontiguous network from working properly.

The extended ACL checks both the source and destination IP fields as well as the source and destination port fields, while the standard ACL looks at only the source IP field.
Wildcard masks are used to tell the router which part of an IP address to compare with the ACL: 0 = compare, 1 = don't care. In most cases, all hosts in a particular subnet must match.
The number range for a standard IP ACL is 1-99 and 1300-1999.
The default action if the packet does not match any ACL command is to deny the packet.
Enable the ACL on the chosen router interface, in the correct direction, using the ip access-group number {in | out} interface subcommand.
The access-list commands, under which the matching and action logic are defined, are global configuration commands.
The access-list 1 remark command adds a text comment, or remark, to the ACL so that you can track the purpose of the ACL. The remark only shows up in the configuration; it is not listed in show command output.

When considering any exam question that involves TCP or UDP ports, keep the following key points in mind:
The access-list command must use the protocol keyword tcp to be able to match TCP ports and the udp keyword to be able to match UDP ports. The ip keyword does not allow for matching port numbers.
The source port and destination port parameters on the access-list command are positional. In other words, their location in the command determines whether the parameter examines the source or destination port.
Remember that ACLs can match packets sent to a server by comparing the destination port to the well-known port number. However, ACLs need to match the source port for packets sent by the server.
It is useful to memorize the most popular TCP and UDP applications and their well-known ports, as listed in Table 6-5, as shown later in this chapter.

Extended access lists: extended ACLs should be placed as close as possible to the source of the packets to be filtered, because extended ACLs can be configured so that they do not discard packets that should not be discarded, so filtering close to the source of the packets saves some bandwidth. All fields in one access-list command must match a packet for the packet to be considered to match that access-list statement. The extended access-list command uses numbers between 100-199 and 2000-2699, with no number being inherently better than another.
With a named ACL, statements can be deleted line by line, as opposed to the whole access list, which is the case with a numbered ACL.
When deleting an ACL, it is important to disable the ACL on all interfaces first, then delete it, reconfigure it, and enable it on the interface again. Otherwise, during the reconfiguration process, before all the statements have been reconfigured, the ACL will not perform all the checks it should, sometimes causing problems or exposing the network to various attacks.
NOTE: you can use the do command to tell IOS to issue the show ip access-list EXEC command from configuration mode.
The use of the access-class 3 out command, particularly the out keyword, is one of those rare cases in which a standard IP ACL actually looks at the destination IP address and not the source. Try with the simulator.

Cisco makes the following general recommendations in the courses on which the CCNA exams are based:
Create your ACLs using a text editor outside the router, and copy and paste the configurations into the router. (Even with the ability to delete and insert lines into an ACL, creating the commands in an editor will still likely be an easier process.)
Place extended ACLs as close as possible to the source of the packet to discard the packets quickly.
Place standard ACLs as close as possible to the packet's destination, because standard ACLs often discard packets that you do not want discarded when they are placed close to the source.
Place more-specific statements early in the ACL.
Disable an ACL from its interface (using the no ip access-group command) before making changes to the ACL.
If you create all your ACLs in a text editor, it may be useful to begin each file with the no access-list number command, followed by the configuration commands in the ACL. Then, each time you edit the text file to change the ACL, all you have to do is copy/paste the entire file's contents, with the first line deleting the entire existing ACL and the rest of the statements re-creating the new ACL.

Reflexive ACLs, also called IP session filtering, provide a way to prevent a class of security attacks by permitting each allowed TCP or UDP session on an individual basis.
Dynamic ACLs, also called Lock-and-Key Security, solve a different problem that also cannot be easily solved using traditional ACLs, by tying the ACL to a user authentication process. Instead of starting by trying to connect to the server, the users must be told to first telnet to a router. The router asks for a username/password combination. If it is authentic, the router dynamically changes its ACL, permitting traffic from the IP address of the host that just sent the authentication packets. After a period of inactivity, the router removes the dynamic entry in the ACL, closing the potential security hole.
Time-based ACLs.

Traceroute (three packets by default are sent by this command): the packets are IP packets, with a UDP transport layer, and with the TTL set to 1. When the packets arrive at the next router, the router decrements the TTL to 0 in each packet, discards the packet, and sends a Time Exceeded message back to the host that sent the discarded packet. The traceroute command looks at the first router's source IP address in the received Time Exceeded packet. Next, the traceroute command sends another set of three IP packets, this time with TTL = 2. The first router decrements TTL to 1 and forwards the packets, and the second router decrements the TTL to 0 and discards the packets. This second router sends Time Exceeded messages back to the router where the traceroute command was used, and the traceroute command now knows the second router in the route. The traceroute command knows when the test packets arrive at the destination host because the host sends back an ICMP Port Unreachable message. The original packets sent by the IOS traceroute command use a destination UDP port number that is very unlikely to be used on the destination host, so as soon as the TTL is large enough to allow the packet to arrive at the destination host, the host notices that it does not have an application listening at that particular UDP port. So, the destination host returns a Port Unreachable message, which tells the traceroute command that the complete route has been found, and the command can stop.
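The extended ACL matching rules from the notes above (wildcard masks, the tcp/udp keyword requirement, positional source and destination ports, first match wins, implicit deny) modelled as a small evaluator. This is an added example, not IOS code or anything from the textbook; the ACL, hosts and addresses are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

def wildcard_match(packet_ip: str, acl_ip: str, wildcard: str) -> bool:
    """Wildcard-mask semantics: a 0 bit means 'compare this bit', a 1 bit
    means 'don't care'.  0.0.0.0 therefore matches one host, 0.0.0.255 a /24."""
    care = 0xFFFFFFFF ^ int(ipaddress.ip_address(wildcard))
    packet = int(ipaddress.ip_address(packet_ip)) & care
    target = int(ipaddress.ip_address(acl_ip)) & care
    return packet == target

@dataclass
class Entry:
    """One access-list statement.  Port fields are positional: src_port sits
    after the source address in the command, dst_port after the destination."""
    action: str                      # "permit" or "deny"
    protocol: str                    # "ip", "tcp" or "udp"
    src: str
    src_wc: str
    dst: str
    dst_wc: str
    src_port: Optional[int] = None
    dst_port: Optional[int] = None

    def __post_init__(self) -> None:
        # The ip keyword cannot match port numbers; only tcp and udp can.
        if self.protocol == "ip" and (self.src_port is not None or self.dst_port is not None):
            raise ValueError("port matching requires the tcp or udp keyword")

@dataclass
class Packet:
    protocol: str
    src: str
    dst: str
    src_port: Optional[int] = None
    dst_port: Optional[int] = None

def entry_matches(e: Entry, p: Packet) -> bool:
    """Every field of the statement must match for the packet to match it."""
    if e.protocol != "ip" and e.protocol != p.protocol:
        return False
    if not wildcard_match(p.src, e.src, e.src_wc):
        return False
    if not wildcard_match(p.dst, e.dst, e.dst_wc):
        return False
    if e.src_port is not None and p.src_port != e.src_port:
        return False
    if e.dst_port is not None and p.dst_port != e.dst_port:
        return False
    return True

def evaluate(acl: List[Entry], p: Packet) -> str:
    """The first matching statement decides; the implicit deny at the end of
    every ACL drops whatever matched nothing."""
    for e in acl:
        if entry_matches(e, p):
            return e.action
    return "deny"

# Constructed sample ACL (hypothetical addresses): clients in 10.1.1.0/24 may
# reach the web server 10.2.2.2 on port 80, and the server's replies are
# matched on the SOURCE port, as the notes point out.
SAMPLE_ACL = [
    Entry("permit", "tcp", "10.1.1.0", "0.0.0.255", "10.2.2.2", "0.0.0.0", dst_port=80),
    Entry("permit", "tcp", "10.2.2.2", "0.0.0.0", "10.1.1.0", "0.0.0.255", src_port=80),
]

if __name__ == "__main__":
    request = Packet("tcp", "10.1.1.5", "10.2.2.2", 40000, 80)
    reply = Packet("tcp", "10.2.2.2", "10.1.1.5", 80, 40000)
    https = Packet("tcp", "10.1.1.5", "10.2.2.2", 40001, 443)
    for name, pkt in [("request", request), ("reply", reply), ("https", https)]:
        print(f"{name}: {evaluate(SAMPLE_ACL, pkt)}")
```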

Each router chooses its OSPF RID when OSPF is initialized. Initialization happens during the initial load of IOS. So, if OSPF comes up, and later other interfaces come up that happen to have higher IP addresses, the OSPF RID does not change until the OSPF process is restarted. OSPF can be restarted with the clear ip ospf process command as well, but depending on circumstances, IOS still may not change its OSPF RID until the next IOS reload.
A mismatch of the Hello and Dead interval settings can cause two potential neighbors to never become neighbors and never reach the two-way state. To configure the Hello and Dead intervals, you can use the ip ospf hello-interval value and ip ospf dead-interval value interface subcommands. Interestingly, if the Hello interval is configured, IOS automatically reconfigures the interface's dead interval to be 4 times the Hello interval.

Note that IOS processes ACLs before NAT for packets entering an interface, and after translating the addresses for packets exiting an interface.

Cisco recommends several actions for better security beyond simply physically securing the router to prevent access from the switch console. In particular, passwords should be configured, and for remote access, Secure Shell (SSH) should be used instead of Telnet, if possible. The HTTP service should also be disabled, and banners should be configured to warn potential attackers away. Additionally, each switch's syslog messages should be monitored for any messages relating to various types of attacks.

ISL and 802.1Q both support a separate instance of Spanning Tree Protocol (STP) for each VLAN, but with different implementation details, as explained in Chapter 2. For campus LANs with redundant links, using only one instance of STP means that some links sit idle under normal operations, with those links only being used when another link fails. By supporting multiple instances of STP, engineers can tune the STP parameters so that under normal operations, some VLANs' traffic uses one set of links and other VLANs' traffic uses other links, taking advantage of all the links in the network.

To use VTP, an engineer sets some switches to use server mode and the rest to use client mode. Then, VLAN configuration can be added on the servers, with all other servers and clients learning about the changes to the VLAN database. Clients cannot be used to configure VLAN information. Cisco switches cannot disable VTP. The closest option is to use transparent mode, which causes a switch to ignore VTP, other than to forward VTP messages so that any other clients or servers can receive a copy. Switches in transparent mode store VLAN configuration in both the running-config file and the vlan.dat file in flash. The running-config can be saved to the startup-config as well.
VLANs can be created and named in configuration mode or by using a configuration tool called VLAN database mode. The VLAN database mode is not covered for other Cisco exams. Cisco switches also support a dynamic method of assigning devices to VLANs, based on the devices' MAC addresses, using a tool called the VLAN Management Policy Server (VMPS). This tool is seldom if ever used.
In addition to the allowed VLAN list, a switch has three other reasons to prevent a particular VLAN's traffic from crossing a trunk:
A VLAN does not exist, or is not active, in the switch's VLAN database (as seen with the show vlan command).
A VLAN has been automatically pruned by VTP.
A VLAN's STP instance has placed the trunk interface into a state other than the Forwarding state.
A VLAN can be administratively shut down on any switch by using the shutdown vlan vlan-id global configuration command, which also causes the switch to no longer forward frames in that VLAN, even over trunks. So, switches do not forward frames in a nonexistent or shutdown VLAN over any of the switch's trunks.
Cisco recommends that the negotiation of trunking be disabled on all in-use access interfaces, with all trunks being manually configured to trunk.

"Recursive lookup - Method of consulting the routing table to locate the actual physical next hop for a route when the supplied next hop is not directly connected."
An example to understand it. Say we have a router with the following routing table:
S 199.199.199.0/24 [1/0] via 199.199.198.1
C 199.199.198.0/24 is directly connected, s0
Suppose the router receives a packet destined to 199.199.199.12. The router looks at the destination (199.199.199.12) in the IP header. It checks its routing table and finds the following entry:
S 199.199.199.0/24 [1/0] via 199.199.198.1
The router determines that in order to forward this packet to its destination 199.199.199.12, it must find out how to reach the next hop 199.199.198.1. The router again consults the routing table, this time to find the match for 199.199.198.1, and finds the entry "199.199.198.0/24 is directly connected, s0". Now the router will forward the packet, having found how to reach the next hop (199.199.198.1). This is called a recursive lookup.

Review how to discover routing loops in a routing table.

A level 1 route with no children could be a level 1 ultimate route, but would not be considered a parent since it does not have child routes. A level 1 route with no children would not necessarily be an ultimate route, however, since you can set a static route to not have a specific exit interface, only a next-hop IP address.
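The recursive lookup walked through above, implemented over a small model of the routing table; it also exercises the longest-prefix rule and the classless default-route behaviour described earlier in these notes. This is an added example, not from the textbook or IOS: the two routes are the ones in the notes, the default route and the looping static routes are constructed, and the loop detection (a next hop seen twice while resolving) is this example's own way of answering the "discover routing loops" reminder.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

class RoutingTable:
    """Minimal model of an IOS routing table: each route is either directly
    connected (has an exit interface) or points at a next-hop address that
    must itself be looked up (the recursive lookup)."""

    def __init__(self) -> None:
        self.routes: List[Dict] = []

    def add(self, code: str, prefix: str, next_hop: Optional[str] = None,
            interface: Optional[str] = None) -> None:
        self.routes.append({"code": code, "net": ipaddress.ip_network(prefix),
                            "next_hop": next_hop, "interface": interface})

    def best_match(self, dest: str) -> Optional[Dict]:
        """Longest-prefix match: of all routes containing dest (a 0.0.0.0/0
        default route always does), the most specific one wins."""
        d = ipaddress.ip_address(dest)
        candidates = [r for r in self.routes if d in r["net"]]
        if not candidates:
            return None
        return max(candidates, key=lambda r: r["net"].prefixlen)

    def resolve(self, dest: str) -> Tuple[str, Optional[str], Optional[str]]:
        """Return (status, exit_interface, physical_next_hop).  Follows next
        hops until a connected route is reached; a next hop seen twice means
        the static routes point at each other, i.e. a routing loop."""
        current, last_hop, seen = dest, None, set()
        while True:
            route = self.best_match(current)
            if route is None:
                return ("no route", None, None)
            if route["interface"] is not None:
                # Connected: the frame goes to the last next hop found, or to
                # the destination itself when it sits on the connected subnet.
                return ("ok", route["interface"], last_hop or dest)
            if route["next_hop"] in seen:
                return ("loop", None, None)
            seen.add(route["next_hop"])
            current = last_hop = route["next_hop"]

def notes_table() -> RoutingTable:
    """The two-line routing table from the notes."""
    t = RoutingTable()
    t.add("S", "199.199.199.0/24", next_hop="199.199.198.1")
    t.add("C", "199.199.198.0/24", interface="s0")
    return t

if __name__ == "__main__":
    table = notes_table()
    print("199.199.199.12 ->", table.resolve("199.199.199.12"))
    print("8.8.8.8 (no default) ->", table.resolve("8.8.8.8"))
    table.add("S*", "0.0.0.0/0", next_hop="199.199.198.1")   # constructed
    print("8.8.8.8 (classless, default) ->", table.resolve("8.8.8.8"))
```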

ICMP message types 0, 3, 4, 5, 8, 11, and 12 represent echo reply, destination unreachable, source quench, redirect, echo request, time exceeded, and parameter problem respectively.
