
CCNA Command Reference

Chris Bryant, CCIE #12933 - www.thebryantadvantage.com



Overview
Switching
Frame Relay
Direct Serial Connections
Static And Distance Vector Routing
OSPF
EIGRP
ACLs, NAT, And Route Summarization
Passwords And DNS Behavior

All of these sections have "Hot Spots And Gotchas" sections at the end of the individual chapters to read for additional review.

LAN Switching Commands (2950)

Show interface trunk


SW1#show interface trunk

Port      Mode         Encapsulation  Status        Native vlan
Fa0/11    desirable    802.1q         trunking      1
Fa0/12    desirable    802.1q         trunking      1

Port      Vlans allowed on trunk
Fa0/11    1-4094
Fa0/12    1-4094

Port      Vlans allowed and active in management domain
Fa0/11    1
Fa0/12    1

Port      Vlans in spanning tree forwarding state and not pruned
Fa0/11    1
Fa0/12    none

This command displays all ports that are actively trunking, their trunking mode, the encapsulation type, and the native VLAN. It also displays the VLANs that are allowed to have traffic go across the trunk. CCNA candidates should note that this is the command that displays the trunking protocol in use, either 802.1Q (dot1q) or ISL.
Show mac-address-table
SW1#show mac-address-table
          Mac Address Table
------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
All     000f.90e2.25c0    STATIC      CPU
All     0100.0ccc.cccc    STATIC      CPU
All     0100.0ccc.cccd    STATIC      CPU
All     0100.0cdd.dddd    STATIC      CPU
1       000b.be2c.518b    DYNAMIC     Fa0/11
Total Mac Addresses for this criterion: 5

This command does just what it says; it shows you the MAC address table that the switch has built. Note the dashes that connect the three words.
Show spanning-tree vlan (VLAN_NUMBER)
SW2#show spanning-tree vlan 23

VLAN0023
  Spanning tree enabled protocol ieee
  Root ID    Priority    32791
             Address     000b.be2c.5180
             This bridge is the root
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    32791  (priority 32768 sys-id-ext 23)
             Address     000b.be2c.5180
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time 15

Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------
Fa0/3            Desg FWD 100       128.3    Shr
Fa0/11           Desg FWD 19        128.11   P2p
Fa0/12           Desg FWD 19        128.12   P2p

A vital LAN switching command. The output shows whether this device is the root bridge for this particular VLAN ("This bridge is the root"), the hello, max age, and forward delay values for this VLAN, and the status (Sts) of each port. The status will be listening, learning, forwarding, or blocking.
Show vlan brief
SW1#show vlan brief

VLAN Name                             Status    Ports
---- -------------------------------- --------- --------------------------
1    default                          active    Fa0/1, Fa0/3, Fa0/4, Fa0/5
                                                Fa0/6, Fa0/7, Fa0/8, Fa0/9
                                                Fa0/10
23   VLAN0023                         active    Fa0/2
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
1004 fddinet-default                  act/unsup
1005 trnet-default                    act/unsup

Quickly learn what ports are in what VLAN with this command. Note the default VLAN is VLAN 1, which is also the native VLAN.
Show vtp status
SW2#show vtp status
VTP Version                     : 2
Configuration Revision          : 2
Maximum VLANs supported locally : 64
Number of existing VLANs        : 6
VTP Operating Mode              : Server
VTP Domain Name                 : CCNA
VTP Pruning Mode                : Enabled
VTP V2 Mode                     : Disabled
VTP Traps Generation            : Disabled
MD5 digest                      : 0xE2 0xCC 0x1A 0xB8 0x8E 0x80 0x6F 0xF4
Configuration last modified by 0.0.0.0 at 3-1-93 00:52:40
Local updater ID is 0.0.0.0 (no valid interface found)

The main concerns here are that this is the command that shows you the VTP operating mode of this device (server, client, or transparent), the VTP domain name, and whether pruning is enabled.

Spanning-tree vlan (VLAN_NUMBER) root primary


SW1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
SW1(config)#spanning vlan 23 root primary
SW1(config)#^Z
SW1#show spanning vlan 23

VLAN0023
  Spanning tree enabled protocol ieee
  Root ID    Priority    20503
             Address     000f.90e2.25c0
             This bridge is the root
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

This one-line command can make a non-root bridge become the root bridge. In this example, SW1 was configured with the command. Where SW2 was the root bridge in the previous command example, SW1 is now the root bridge. Note the priority change from the default of 32768.
Vtp domain, Vtp password, Vtp pruning

SW1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
SW1(config)#vtp domain CCNA
Changing VTP domain name from NULL to CCNA
SW1(config)#vtp password CISCO
Setting device VLAN database password to CISCO
SW1(config)#vtp pruning
Pruning switched on

Setting the VTP domain name, password, and enabling pruning are done with these three commands. Note that the VTP domain name changed from NULL in this example; this means that there was no previous VTP domain membership, not that the previous VTP domain was actually named NULL.
Frame Relay Commands

Debug frame lmi

R1#debug frame lmi
Frame Relay LMI debugging is on
Displaying all Frame Relay LMI data
R1#
01:26:40: Serial0(out): StEnq, myseq 98, yourseen 97, DTE up
01:26:40: datagramstart = 0xE47328, datagramsize = 13
01:26:40: FR encap = 0xFCF10309
01:26:40: 00 75 01 01 01 03 02 62 61
01:26:40:
01:26:40: Serial0(in): Status, myseq 98
01:26:40: RT IE 1, length 1, type 1
01:26:40: KA IE 3, length 2, yourseq 98, myseq 98
R1#
01:26:50: Serial0(out): StEnq, myseq 99, yourseen 98, DTE up
01:26:50: datagramstart = 0xE476B8, datagramsize = 13
01:26:50: FR encap = 0xFCF10309
01:26:50: 00 75 01 01 01 03 02 63 62
01:26:50:
01:26:50: Serial0(in): Status, myseq 99
01:26:50: RT IE 1, length 1, type 1
01:26:50: KA IE 3, length 2, yourseq 99, myseq 99
R1#undebug all
All possible debugging has been turned off

Used to troubleshoot down Frame Relay connections, this debug shows you whether the DTE is up or down, and also the sequence numbers of the incoming and outgoing LMI. When they're equal or 1 apart, that's good; any larger gap indicates why your Frame Relay is down in the first place: an LMI mismatch.
Encapsulation frame-relay
R1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#interface serial0
R1(config-if)#encapsulation frame-relay

The first step in configuring frame relay is enabling it on the interface. This command changes the encapsulation type to frame relay from the default of HDLC.
Frame map ip <remote_IP> <local_DLCI> <broadcast>
R1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#int s0
R1(config-if)#encapsulation frame-relay
R1(config-if)#frame map ip 172.12.123.2 122 broadcast
R1(config-if)#frame map ip 172.12.123.3 123 broadcast

This command is used to create manual frame maps, the preferred method in production networks. Frame Relay encapsulation must be configured first, as shown. Note that the mapping is from the remote IP address to the local DLCI. Also, since broadcasts are not sent across Frame Relay by default, the broadcast keyword is needed to enable this.
No frame-relay inverse-arp
R1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#interface serial0
R1(config-if)#encapsulation frame-relay
R1(config-if)#no frame-relay inverse-arp

By default, Frame Relay will use Inverse ARP to dynamically create frame maps. Using InARP can lead to incomplete frame map tables, and many production networks turn it off when using Frame Relay. You do so with this command. It's generally done right after enabling Frame Relay encapsulation.
Show frame lmi
R1#show frame lmi

LMI Statistics for interface Serial0 (Frame Relay DTE) LMI TYPE = CISCO
  Invalid Unnumbered info 0             Invalid Prot Disc 0
  Invalid dummy Call Ref 0              Invalid Msg Type 0
  Invalid Status Message 0              Invalid Lock Shift 0
  Invalid Information ID 0              Invalid Report IE Len 0
  Invalid Report Request 0              Invalid Keep IE Len 0
  Num Status Enq. Sent 167              Num Status msgs Rcvd 168
  Num Update Status Rcvd 0              Num Status Timeouts 2

There are many fields here, but the ones to be most concerned about are Num Status Enq. Sent, Num Status msgs Rcvd, and Num Status Timeouts. Here, 167 status enquiries have been sent, and 168 status messages received. These numbers should be no more than one apart, or the line protocol is getting ready to drop. There were two timeouts earlier as well. Bonus command: To set all your router counters back to zero, run the command clear counters.
R1#clear counters
Clear "show interface" counters on all interfaces [confirm]
R1#show frame lmi

LMI Statistics for interface Serial0 (Frame Relay DTE) LMI TYPE = CISCO
  Invalid Unnumbered info 0             Invalid Prot Disc 0
  Invalid dummy Call Ref 0              Invalid Msg Type 0
  Invalid Status Message 0              Invalid Lock Shift 0
  Invalid Information ID 0              Invalid Report IE Len 0
  Invalid Report Request 0              Invalid Keep IE Len 0
  Num Status Enq. Sent 0                Num Status msgs Rcvd 0
  Num Update Status Rcvd 0              Num Status Timeouts 0
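The "equal or one apart" rule for LMI sequence numbers and for the show frame lmi counters, applied mechanically to saved router output. This is an added example, not code from the original reference; the sample lines are constructed to look like the debug frame lmi and show frame lmi output above, and the failure case is invented to show what a mismatch looks like.

```python
import re

# Constructed sample lines, modelled on the debug frame lmi and show frame lmi
# output above; they were not captured from a real router.
DEBUG_OK = """\
01:26:40: Serial0(out): StEnq, myseq 98, yourseen 97, DTE up
01:26:40: Serial0(in): Status, myseq 98
01:26:40: KA IE 3, length 2, yourseq 98, myseq 98
01:26:50: Serial0(out): StEnq, myseq 99, yourseen 98, DTE up
01:26:50: Serial0(in): Status, myseq 99
01:26:50: KA IE 3, length 2, yourseq 99, myseq 99
"""

# Constructed failure case: the far end stopped acknowledging at 98 while our
# sequence kept climbing, and the DTE is reported down.
DEBUG_BAD = """\
01:30:00: Serial0(out): StEnq, myseq 105, yourseen 98, DTE down
01:30:00: KA IE 3, length 2, yourseq 98, myseq 105
"""

SHOW_LMI = """\
LMI Statistics for interface Serial0 (Frame Relay DTE) LMI TYPE = CISCO
  Num Status Enq. Sent 167              Num Status msgs Rcvd 168
  Num Update Status Rcvd 0              Num Status Timeouts 2
"""

STENQ_RE = re.compile(r"(\S+)\(out\): StEnq, myseq (\d+), yourseen (\d+), DTE (\w+)")
KA_RE = re.compile(r"KA IE 3, length 2, yourseq (\d+), myseq (\d+)")
COUNTER_RE = re.compile(
    r"(Num Status Enq\. Sent|Num Status msgs Rcvd|Num Status Timeouts)\s+(\d+)")


def check_lmi_debug(text, max_gap=1):
    """Walk debug frame lmi output and report every status enquiry whose
    sequence numbers drift more than max_gap apart, plus any DTE-down report.
    Returns the number of enquiries seen and a list of problem strings."""
    problems = []
    enquiries = 0
    for line in text.splitlines():
        m = STENQ_RE.search(line)
        if m:
            enquiries += 1
            iface, myseq, yourseen, dte = m.group(1), int(m.group(2)), int(m.group(3)), m.group(4)
            if dte.lower() != "up":
                problems.append(f"{iface}: DTE reported {dte}")
            if abs(myseq - yourseen) > max_gap:
                problems.append(f"{iface}: myseq {myseq} but peer has seen only {yourseen}")
            continue
        m = KA_RE.search(line)
        if m:
            yourseq, myseq = int(m.group(1)), int(m.group(2))
            if abs(yourseq - myseq) > max_gap:
                problems.append(f"keepalive IE: yourseq {yourseq} vs myseq {myseq}")
    return {"enquiries": enquiries, "problems": problems}


def check_lmi_counters(text, max_gap=1):
    """Apply the same one-apart rule to the show frame lmi counters."""
    counters = {name: int(value) for name, value in COUNTER_RE.findall(text)}
    sent = counters.get("Num Status Enq. Sent", 0)
    rcvd = counters.get("Num Status msgs Rcvd", 0)
    timeouts = counters.get("Num Status Timeouts", 0)
    return {"sent": sent, "rcvd": rcvd, "timeouts": timeouts,
            "healthy": abs(sent - rcvd) <= max_gap}


if __name__ == "__main__":
    print(check_lmi_debug(DEBUG_OK))
    print(check_lmi_debug(DEBUG_BAD))
    print(check_lmi_counters(SHOW_LMI))
```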


Show frame map
R1#show frame map
Serial0 (up): ip 172.12.123.2 dlci 122(0x7A,0x1CA0), static,
              broadcast,
              CISCO, status defined, active
Serial0 (up): ip 172.12.123.3 dlci 123(0x7B,0x1CB0), static,
              broadcast,
              CISCO, status defined, active

This command will show you both your dynamically and statically configured frame maps and their status. It will also show whether broadcasts have been enabled for that mapping.
Show frame pvc
R1#show frame pvc

PVC Statistics for interface Serial0 (Frame Relay DTE)

              Active     Inactive      Deleted       Static
  Local          2            0            0            0
  Switched       0            0            0            0
  Unused         0            0            0            0

DLCI = 122, DLCI USAGE = LOCAL, PVC STATUS = ACTIVE, INTERFACE = Serial0

  input pkts 0             output pkts 0            in bytes 0
  out bytes 0              dropped pkts 0           in pkts dropped 0
  out pkts dropped 0                out bytes dropped 0
  in FECN pkts 0           in BECN pkts 0           out FECN pkts 0
  out BECN pkts 0          in DE pkts 0             out DE pkts 0
  out bcast pkts 0         out bcast bytes 0
  pvc create time 01:40:05, last time pvc status changed 00:29:52

This command shows you how many PVCs you have on your router, the DLCIs in use, their status, and the interface they're configured on. It also shows your FECN, BECN, and DE statistics. You must know what these are before taking the CCNA exams. Check the Frame Relay section of my Ultimate CCNA Study Guide for a refresher.
Direct Serial Connection Commands

Clock rate <x>

R3#conf t
R3(config)#int s1
R3(config-if)#ip address 172.12.13.2 255.255.255.252
R3(config-if)#clock rate 56000
R3(config-if)#no shut
01:47:59: %LINK-3-UPDOWN: Interface Serial1, changed state to up
R3(config-if)#^Z
01:48:00: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial1, changed state to up

Here, R3's S1 interface is directly connected to R1's S1 interface. R3's S1 interface is the DCE. When two Cisco routers are directly connected by serial interface, the DCE must supply a clock rate to the DTE. This command is configured at the interface level. Once the clock rate is entered, the line protocol will come up. To see the other values accepted by this command, use IOS Help after the clock rate command.
Show controller serial <x>
R1#show controller serial 1
HD unit 1, idb = 0x1DBFEC, driver structure at 0x1E35D0
buffer size 1524  HD unit 1, V.35 DTE cable

I truncated about 20 lines of hexadecimal information that this command results in, because the key information is in the second line. This command tells you whether you have the DTE or DCE end of the DTE/DCE cable connected to this particular interface.
Debug ppp negotiation

R1#debug ppp negotiation
PPP protocol negotiation debugging is on
R1#ping 172.12.12.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.12.12.2, timeout is 2 seconds:
02:12:01: %LINK-3-UPDOWN: Interface BRI0:1, changed state to up
02:12:01: BR0:1 PPP: Using dialer call direction
02:12:01: BR0:1 PPP: Treating connection as a callout
02:12:01: BR0:1 PPP: Phase is ESTABLISHING, Active Open [0 sess, 0 load]
02:12:01: BR0:1 LCP: O CONFREQ [Closed] id 1 len 14
02:12:01: BR0:1 LCP:    AuthProto PAP (0x0304C023)
02:12:01: BR0:1 LCP:    MagicNumber 0xE0974794 (0x0506E0974794)
02:12:01: BR0:1 LCP: I CONFREQ [REQsent] id 1 len 14
02:12:01: BR0:1 LCP:    AuthProto PAP (0x0304C023)
02:12:01: BR0:1 LCP:    MagicNumber 0xE0973A66 (0x0506E0973A66)
02:12:01: BR0:1 LCP: O CONFACK [REQsent] id 1 len 14
02:12:01: BR0:1 LCP:    AuthProto PAP (0x0304C023)
02:12:01: BR0:1 LCP:    MagicNumber 0xE0973A66 (0x0506E0973A66)
02:12:01: BR0:1 LCP: I CONFACK [ACKsent] id 1 len 14
02:12:01: BR0:1 LCP:    AuthProto PAP (0x0304C023)
02:12:01: BR0:1 LCP:    MagicNumber 0xE0974794 (0x0506E0974794)
02:12:01: BR0:1 LCP: State is Open
02:12:01: BR0:1 PPP: Phase is AUTHENTICATING, by both [0 sess, 0 load]
02:12:01: BR0:1 AUTH: Started process 0 pid 66
02:12:01: BR0:1 PAP: O AUTH-REQ id 1 len 12 from "R1"
02:12:01: BR0:1 PAP: I AUTH-ACK id 1 len 5
02:12:01: BR0:1 PAP: I AUTH-REQ id 1 len 12 from "R2"
02:12:01: BR0:1 PAP: Authenticating peer R2
02:12:01: BR0:1 PAP: O AUTH-ACK id 1 len 5
02:12:01: BR0:1 PPP: Phase is UP [0 sess, 0 load]
02:12:01: BR0:1 IPCP: O CONFREQ [Closed] id 1 len 10
02:12:01: BR0:1 IPCP:    Address 172.12.12.1 (0x0306AC0C0C01)
02:12:01: BR0:1 CDPCP: O CONFREQ [Closed] id 1 len 4
02:12:01: BR0:1 IPCP: I CONFREQ [REQsent] id 1 len 10
02:12:01: BR0:1 IPCP:    Address 172.12.12.2 (0x0306AC0C0C02)
02:12:01: BR0:1 IPCP: O CONFACK [REQsent] id 1 len 10
02:12:01: BR0:1 IPCP:    Address 172.12.12.2 (0x0306AC0C0C02)
02:12:01: BR0:1 CDPCP: I CONFREQ [REQsent] id 1 len 4
02:12:01: BR0:1 CDPCP: O CONFACK [REQsent] id 1 len 4
02:12:01: BR0:1 IPCP: I CONFACK [ACKsent] id 1 len 10
02:12:01: BR0:1 IPCP:    Address 172.12.12.1 (0x0306AC0C0C01)
02:1.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 36/36/36 ms
R1#2:01: BR0:1 IPCP: State is Open
02:12:01: BR0:1 CDPCP: I CONFACK [ACKsent] id 1 len 4
02:12:01: BR0:1 CDPCP: State is Open
02:12:01: BR0 IPCP: Install route to 172.12.12.2
02:12:02: %LINEPROTO-5-UPDOWN: Line protocol on Interface BRI0:1, changed state to up

Speaking from experience, I can tell you that it's easy to make an error when configuring PPP password authentication, either PAP or CHAP. A null space can make the entire process fail. It's kind of hard to spot a null space with the naked eye, but when there's a problem with PPP, this command will point you in the right direction. The output shown is a successful PAP authentication.
Encapsulation ppp, No encapsulation ppp

R2#conf t
R2(config)#interface bri0
R2(config-if)#encapsulation ppp

The default encapsulation type of serial interfaces is HDLC. Before you can enable PAP or CHAP authentication, you must enable PPP encapsulation with this command. To revert to the default HDLC encapsulation, run no encapsulation ppp.

Static and Distance-Vector Commands

Clear ip route *


R2#clear ip route *

This command clears your routing table of all non-static and non-connected routes. In a lab environment, it's very handy; it forces your routers running routing protocols to send and request updates, rather than waiting for the regularly scheduled updates.
Debug ip packet
R2#debug ip packet
IP packet debugging is on
R2#ping 172.12.123.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.12.123.2, timeout is 2 seconds:
06:10:04: IP: s=172.12.12.2 (local), d=172.12.123.2, len 100, unroutable.
06:10:06: IP: s=172.12.12.2 (local), d=172.12.123.2, len 100, unroutable.
06:10:08: IP: s=172.12.12.2 (local), d=172.12.123.2, len 100, unroutable.
06:10:10: IP: s=172.12.12.2 (local), d=172.12.123.2, len 100, unroutable.
06:10:12: IP: s=172.12.12.2 (local), d=172.12.123.2, len 100, unroutable.
Success rate is 0 percent (0/5)

If you have a problem sending a ping, this command will give you a good idea where the problem is. Here, the message indicates that there is no route to the destination.
Debug ip rip
R2#debug ip rip
IP protocol debugging is on
R2#clear ip route *
6:14:53: RIP: received v2 update from 172.23.23.3 on Ethernet0
6:14:53:      1.0.0.0/8 via 0.0.0.0 in 16 hops (inaccessible)
6:14:53:      1.1.1.1/32 via 0.0.0.0 in 2 hops
6:14:53:      172.12.0.0/16 via 0.0.0.0 in 16 hops (inaccessible)
6:14:53:      172.12.12.2/32 via 0.0.0.0 in 2 hops
6:14:53:      172.12.13.0/30 via 0.0.0.0 in 1 hops
6:14:53:      172.12.123.0/24 via 0.0.0.0 in 1 hops
6:14:53:      172.23.0.0/16 via 0.0.0.0 in 16 hops (inaccessible)

Run debug ip rip to troubleshoot routing update problems and RIP authentication problems, and to view the routing update contents. clear ip route * was run to clear the routing table and to force a RIP update. Note that route poisoning is in operation: a route that is unavailable is not just dropped from updates; it is advertised with an unreachable metric (16 hops).
Ip route <destination> <mask> <next-hop IP>
OR
Ip route <destination> <mask> <exit interface>

R2#conf t
R2(config)#ip route 1.1.1.1 255.255.255.255 172.12.123.1

To configure a static route to a given destination IP address, use the ip route command. The destination is followed by a subnet mask, and that can be followed by either the next-hop IP address or the exit interface on the local router.

Ip route 0.0.0.0 0.0.0.0 <next-hop-IP-address>
Ip route 0.0.0.0 0.0.0.0 <exit interface>

R2#conf t
R2(config)#ip route 0.0.0.0 0.0.0.0 172.12.123.1
OR
R2(config)#ip route 0.0.0.0 0.0.0.0 ethernet0

To configure a default static route, use either of these two commands. You could have any number for the first 0.0.0.0, since the second set of zeroes is the subnet mask. This means that any destination will match this route statement.


Maximum-paths <x>
R2#conf t
R2(config)#router rip
R2(config-router)#maximum-paths 5

By default, distance-vector routing protocols perform equal-cost load-balancing over four paths. This default can be set from a minimum of 1 to a maximum of 16 with this command. Note: If you configure maximum-paths 1, you are in effect disabling equal-cost load-balancing.
No auto-summary
R2#conf t
R2(config)#router rip
R2(config-router)#version 2
R2(config-router)#no auto-summary

Both RIP version 2 and EIGRP perform summarization of routes when those routes are advertised across a network border. (For a complete, illustrated explanation of this concept, please check the EIGRP section of my Ultimate CCNA Study Guide.) This default behavior is generally disabled. To do so, run no auto-summary as shown.
Router rip, Version 1, Version 2

R2#conf t
R2(config)#router rip
R2(config-router)#version 1
R2(config-router)#version 2

router rip enables RIP on your router. RIP runs two versions, 1 and 2, and you must know the differences between the two before succeeding on the CCNA exams. By default, RIP sends version 1 updates and accepts version 1 and 2 updates. To change this default to accept and send updates of only one of the two versions, configure version 1 or version 2 under the RIP routing process.
Show ip protocols
R2#show ip protocols
Routing Protocol is "rip"
  Sending updates every 30 seconds, next due in 20 seconds
  Invalid after 180 seconds, hold down 180, flushed after 240
  Outgoing update filter list for all interfaces is not set
  Incoming update filter list for all interfaces is not set
  Redistributing: rip
  Default version control: send version 2, receive version 2
    Interface             Send  Recv  Triggered RIP  Key-chain
    Serial0.123           2     2
  Automatic network summarization is not in effect
  Maximum path: 4
  Routing for Networks:
    172.12.0.0
  Passive Interface(s):
  Routing Information Sources:
    Gateway         Distance      Last Update
    172.12.12.1          120      00:00:24
  Distance: (default is 120)

Show ip route
R2#show ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is 0.0.0.0 to network 0.0.0.0

     1.0.0.0/32 is subnetted, 1 subnets
S       1.1.1.1 [1/0] via 172.12.123.1
     172.12.0.0/16 is variably subnetted, 4 subnets, 3 masks
C       172.12.12.0/30 is directly connected, BRI0
R       172.12.13.0/30 [120/1] via 172.12.12.1, 00:00:10, BRI0
C       172.12.12.1/32 is directly connected, BRI0
R       172.12.123.0/24 [120/1] via 172.12.12.1, 00:00:10, BRI0
     172.23.0.0/27 is subnetted, 1 subnets
C       172.23.23.0 is directly connected, Ethernet0
S*   0.0.0.0/0 is directly connected, Ethernet0
                [1/0] via 172.12.123.1

This command displays the entire routing table. To see only the routes of a given protocol, enter the protocol name at the end of this command, such as show ip route rip:
R2#show ip route rip
     172.12.0.0/16 is variably subnetted, 4 subnets, 3 masks
R       172.12.13.0/30 [120/1] via 172.12.12.1, 00:00:20, BRI0
R       172.12.123.0/24 [120/1] via 172.12.12.1, 00:00:20, BRI0

Exam Tip: Note that the letter indicating EIGRP routes is D. E was already taken by EGP when EIGRP came along.

Variance

R3#conf t
R3(config)#router igrp 1
R3(config-router)#variance 3

Variance is used to configure unequal-cost load-balancing. Variance is simply a multiplier. The metric of the best path is multiplied by the variance; any path with a lower metric than the result will be used for unequal-cost load-balancing. Example: Three paths to a destination exist, with the following metrics:

Path 1: 4000
Path 2: 7500
Path 3: 8100

By default, EIGRP will use only Path 1. A variance value of 2 would result in any path with a metric of less than 8000 being used (4000 x 2), so Path 1 and Path 2 would be used. A variance of 3 would result in all three paths being used for unequal-cost load-balancing.
OSPF Commands

Debug ip ospf adj

R3#debug ip ospf adjacency
09:58:43: %SYS-5-CONFIG_I: Configured from console by console
R3#
09:58:48: OSPF: Rcv DBD from 2.2.2.2 on Ethernet0 seq 0xEEF opt 0x42 flag 0x7 len 32 mtu 1500 state INIT
09:58:48: OSPF: 2 Way Communication to 2.2.2.2 on Ethernet0, state 2WAY
09:58:48: OSPF: Neighbor change Event on interface Ethernet0
09:58:48: OSPF: DR/BDR election on Ethernet0
09:58:48: OSPF: Elect BDR 0.0.0.0
09:58:48: OSPF: Elect DR 172.23.23.3
09:58:48:        DR: 172.23.23.3 (Id)   BDR: none
09:58:48: OSPF: Send DBD to 2.2.2.2 on Ethernet0 seq 0x13F3 opt 0x42 flag 0x7 len 32
09:58:48: OSPF: First DBD and we are not SLAVE
09:58:48: OSPF: Rcv DBD from 2.2.2.2 on Ethernet0 seq 0x13F3 opt 0x42 flag 0x2 len 132 mtu 1500 state EXSTART
09:58:48: OSPF: NBR Negotiation Done. We are the MASTER
09:58:48: OSPF: Send DBD to 2.2.2.2 on Ethernet0 seq 0x13F4 opt 0x42 flag 0x3 len 152
09:58:48: OSPF: Database request to 2.2.2.2
09:58:48: OSPF: sent LS REQ packet to 172.23.23.2, length 60
09:58:48: OSPF: Rcv DBD from 2.2.2.2 on Ethernet0 seq 0x13F4 opt 0x42 flag 0x0 len 32
R3# mtu 1500 state EXCHANGE
09:58:48: OSPF: Send DBD to 2.2.2.2 on Ethernet0 seq 0x13F5 opt 0x42 flag 0x1 len 32
09:58:48: OSPF: Rcv DBD from 2.2.2.2 on Ethernet0 seq 0x13F5 opt 0x42 flag 0x0 len 32 mtu 1500 state EXCHANGE
09:58:48: OSPF: Exchange Done with 2.2.2.2 on Ethernet0
09:58:48: OSPF: Synchronized with 2.2.2.2 on Ethernet0, state FULL
09:58:48: %OSPF-5-ADJCHG: Process 1, Nbr 2.2.2.2 on Ethernet0 from LOADING to FULL, Loading Done
09:58:48: OSPF: Build router LSA for area 23, router ID 172.23.23.3, seq 0x80000002
09:58:48: OSPF: Build network LSA for Ethernet0, router ID 172.23.23.3
09:58:53: OSPF: Neighbor change Event on interface Ethernet0
09:58:53: OSPF: DR/BDR election on Ethernet0
09:58:53: OSPF: Elect BDR 2.2.2.2
09:58:53: OSPF: Elect DR 172.23.23.3
09:58:53:        DR: 172.23.23.3 (Id)   BDR: 2.2.2.2 (Id)

debug ip ospf adj allows you to watch the adjacency formation process, and to spot problems preventing adjacency. In this example, you can see the stages of OSPF adjacency, and see the DR and BDR election at the end.

Ip ospf hello <x>
Ip ospf dead <x>


R1#conf t
R1(config)#int s0
R1(config-if)#ip ospf hello 30
R1(config-if)#ip ospf dead 100

OSPF hello and dead timers have different defaults on different network types; review the OSPF section of The Bryant Advantage Ultimate CCNA Study Guide for a refresher on these. No matter the network type, the default is that the OSPF dead time is four times the hello time. One way to change the dead time is to change the hello time; no matter what you set the hello time to, the dead time will change to four times the new hello value. You can also set the dead time manually, as shown. This is done at the interface level, and the timers must match on both sides of the link. If you change the timers on one side and not the other, the adjacency will drop.
Ip ospf priority 0
R2#conf t
R2(config)#int s0.123
R2(config-subif)#ip ospf priority 0

OSPF hub-and-spoke networks are common, and they require extra configuration on both the hubs and the spokes.

In a hub-and-spoke configuration, the spokes cannot under any circumstances become the Designated Router (DR) or Backup Designated Router (BDR). The only way to guarantee this is to set the spokes' OSPF interface priority to zero, as shown above. Since the OSPF default interface priority is 1, configuring this on all spokes will ensure that the hub becomes the DR and that no BDR will be elected.
Ip ospf network non-broadcast
R3#conf t
R3(config)#int s0.31 point-to-point
R3(config-subif)#ip ospf network non-broadcast

Keep in mind that a major reason for OSPF neighbors not forming an adjacency is a mismatch in the network types. Physical serial interfaces default to non-broadcast, but a point-to-point subinterface will always default to OSPF network type point-to-point. If you have a physical serial interface on one side of a link and a point-to-point subinterface on the other side, the adjacency will not form. You can change the OSPF network type as shown to allow the adjacency to form.

Router-id x.x.x.x
R1#conf t
R1(config)#router ospf 1
R1(config-router)#router-id 11.11.11.11
Reload or use "clear ip ospf process" command, for this to take effect
R1#clear ip ospf process
Reset ALL OSPF processes? [no]: yes
10:22:19: OSPF: Interface Serial0 going Down
10:22:19: OSPF: 1.1.1.1 address 172.12.123.1 on Serial0 is dead, state DOWN
10:22:19: OSPF: Neighbor change Event on interface Serial0

First, what is the default OSPF Router ID (RID)? The rules are a little odd, so let's review them. If a router running OSPF has one or more loopback addresses, the numerically highest loopback address is the OSPF RID, even if that interface is not running OSPF. If a router running OSPF has no loopback addresses, the numerically highest IP address of the physical interfaces is the OSPF RID, even if that interface is not running OSPF. I know it's second nature to think the interface bearing the OSPF RID must be running OSPF, but it's not true.

To change the RID, use the router-id command under the OSPF process as shown. Note that to make this command take effect, the router prompts you to reload or run the clear ip ospf process command. That command is going to restart ALL your OSPF processes. In other words, don't try this at work! Also note that the prompted answer for "Reset ALL OSPF processes?" is no. When the router default for a question is no, the router's trying to tell you you're about to do something fairly drastic. I always take a second look before I answer yes to a question like that.
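The RID selection rules above, written out as a function so that the "numerically highest" detail can be checked. This is an added example, not code from the original reference; the interface tables are constructed, and the OSPF-enabled flag on each interface is there only to show that it does not influence the result.

```python
import ipaddress

# Constructed interface tables (not from the page's routers). Each entry is
# (interface name, IPv4 address, OSPF enabled on that interface?). The OSPF
# flag is carried only to show that it plays no part in RID selection.
WITH_LOOPBACKS = [
    ("Loopback0", "9.9.9.9", False),
    ("Loopback1", "10.0.0.1", False),
    ("Serial0", "172.12.123.1", True),
    ("Ethernet0", "172.23.23.1", True),
]
NO_LOOPBACKS = [
    ("Serial0", "172.12.12.1", True),
    ("Ethernet0", "172.12.123.1", False),
]


def ospf_router_id(interfaces, configured_rid=None):
    """Return (rid, source) following the rules above:
    1. an explicit router-id under the OSPF process wins;
    2. otherwise the numerically highest loopback address;
    3. otherwise the numerically highest physical-interface address.
    Addresses are compared as 32-bit integers via ipaddress, never as
    strings, so 10.0.0.1 correctly outranks 9.9.9.9."""
    if configured_rid:
        return str(ipaddress.IPv4Address(configured_rid)), "router-id command"
    loopbacks = [(ipaddress.IPv4Address(ip), name) for name, ip, _ in interfaces
                 if name.lower().startswith("loopback")]
    physical = [(ipaddress.IPv4Address(ip), name) for name, ip, _ in interfaces
                if not name.lower().startswith("loopback")]
    for pool, label in ((loopbacks, "highest loopback"), (physical, "highest physical")):
        if pool:
            addr, name = max(pool)
            return str(addr), f"{label} ({name})"
    raise ValueError("no IPv4 address available to derive an OSPF router ID")


def rid_would_change(interfaces, new_rid):
    """True when a router-id command would alter the RID, which is when the
    reload / clear ip ospf process warning above applies."""
    return ospf_router_id(interfaces)[0] != str(ipaddress.IPv4Address(new_rid))


if __name__ == "__main__":
    print(ospf_router_id(WITH_LOOPBACKS))
    print(ospf_router_id(NO_LOOPBACKS))
    print(ospf_router_id(NO_LOOPBACKS, configured_rid="11.11.11.11"))
```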
Show ip ospf
R1#show ip ospf
 Routing Process "ospf 1" with ID 11.11.11.11
 Supports only single TOS(TOS0) routes
 Supports opaque LSA
 It is an area border router
 SPF schedule delay 5 secs, Hold time between two SPFs 10 secs
 Minimum LSA interval 5 secs. Minimum LSA arrival 1 secs
 Number of external LSA 0. Checksum Sum 0x000000
 Number of opaque AS LSA 0. Checksum Sum 0x000000
 Number of DCbitless external and opaque AS LSA 0
 Number of DoNotAge external and opaque AS LSA 0
 Number of areas in this router is 3. 3 normal 0 stub 0 nssa
 External flood list length 0
    Area BACKBONE(0)
        Number of interfaces in this area is 1
        Area has no authentication
        SPF algorithm executed 4 times
        Area ranges are
        Number of LSA 13. Checksum Sum 0x10123B
        Number of opaque link LSA 0. Checksum Sum 0x000000
        Number of DCbitless LSA 0
        Number of indication LSA 0
        Number of DoNotAge LSA 0
        Flood list length 0
    Area 1
        Number of interfaces in this area is 1
        Area has no authentication
        SPF algorithm executed 2 times
        Area ranges are
        Number of LSA 6. Checksum Sum 0x02FD14
        Number of opaque link LSA 0. Checksum Sum 0x000000
        Number of DCbitless LSA 0
        Number of indication LSA 0
        Number of DoNotAge LSA 0
        Flood list length 0

There's a lot of output to this command, but the keys for CCNA and CCNP exam success are that you see the OSPF RID here, you see the router type (this is an ABR), and you see the different areas and how many times the SPF algorithm has been executed. The per-area lines also tell you whether area authentication is configured; here, "Area has no authentication" appears for both areas. Since the SPF algorithm (also known as the Dijkstra algorithm) only runs on a network topology change, a constantly advancing counter here indicates a flapping link in the network: one that goes up and down continually, and which will make the SPF algorithm run every time it does so.
Show ip ospf interface <interface name and number>
R1#show ip ospf interface serial0
Serial0 is up, line protocol is up
  Internet Address 172.12.123.1/24, Area 0
  Process ID 1, Router ID 11.11.11.11, Network Type NON_BROADCAST, Cost: 64
  Transmit Delay is 1 sec, State DR, Priority 1
  Designated Router (ID) 11.11.11.11, Interface address 172.12.123.1
  No backup designated router on this network
  Timer intervals configured, Hello 30, Dead 120, Wait 120, Retransmit 5
    Hello due in 00:00:08
  Index 1/1, flood queue length 0
  Next 0x0(0)/0x0(0)
  Last flood scan length is 1, maximum is 6
  Last flood scan time is 4 msec, maximum is 8 msec
  Neighbor Count is 2, Adjacent neighbor count is 2
    Adjacent with neighbor 172.23.23.3
    Adjacent with neighbor 2.2.2.2
  Suppress hello for 0 neighbor(s)

Note that this command shows you the RID, the network type, what the state is (DR, BDR, DROTHER), the RID of the DR and BDR, and what adjacencies this interface has formed.
Show ip ospf neighbor
R1#show ip ospf neighbor

Neighbor ID     Pri   State           Dead Time   Address         Interface
172.23.23.3       0   FULL/DROTHER    00:01:37    172.12.123.3    Serial0
2.2.2.2           0   FULL/DROTHER    00:01:53    172.12.123.2    Serial0
172.23.23.3       1   FULL/  -        00:00:38    172.12.13.2     Serial1

A vital OSPF command. You see the RIDs of the router's OSPF neighbors, the state of the adjacency, the dead time (which in a healthy adjacency will decrement for a while, then increment upon receipt of an OSPF Hello), the IP address of that neighbor, and the local interface on which the adjacency has formed. Note the state DROTHER. This means that the neighbor is neither the DR nor the BDR for that segment. Note also the state FULL/ -. This state is seen when the link is point-to-point. Since a point-to-point link by definition can only have two hosts, there's no need for a DR or BDR. There is no DR or BDR election on a point-to-point link.
EIGRP Commands

Network

R3#conf t
R3(config)#router eigrp 100
R3(config-router)#network 172.12.123.0 0.0.0.255

You enable EIGRP on router interfaces with the network command. Note that the network command in EIGRP can include a wildcard mask, just as OSPF does, but EIGRP does NOT require the wildcard mask. OSPF does.
No ip split-horizon eigrp <AS_NUMBER>
R1#conf t
R1(config)#interface serial0
R1(config-if)#no ip split-horizon eigrp 100

Split horizon is enabled by default on interfaces running EIGRP. (Remember that EIGRP is a hybrid; it has some characteristics of distance-vector protocols and some of link-state protocols. Split horizon is a distance-vector behavior.) Occasionally, you may need to turn split horizon off in a hub-and-spoke network to have full network reachability. You turn split horizon off at the interface level as shown.
Router eigrp <AS_NUMBER>
R2#conf t
R2(config)#router eigrp 100

Enable EIGRP on a router with the router eigrp command. The number defined is the Autonomous System number.
Show ip eigrp neighbors
R1#show ip eigrp neighbors
IP-EIGRP neighbors for process 100
H   Address         Interface   Hold Uptime   SRTT   RTO  Q   Seq
                                (sec)         (ms)       Cnt Num
0   172.12.123.3    Se0           13 00:01:53   52   312  0   5
1   172.12.123.2    Se0          149 00:03:18   51   306  0   2

EIGRP neighbors are shown for each EIGRP process with this single command. Note that you can also see how long each adjacency has been up.
Show ip eigrp topology
R1#show ip eigrp topology
IP-EIGRP Topology Table for AS(100)/ID(1.1.1.1)

Codes: P - Passive, A - Active, U - Update, Q - Query, R - Reply,
       r - reply Status, s - sia Status

P 3.3.3.3/32, 1 successors, FD is 2297856
         via 172.12.123.3 (2297856/128256), Serial0
         via 172.12.123.2 (2323456/409600), Serial0
P 1.1.1.1/32, 1 successors, FD is 128256
         via Connected, Loopback0
P 2.2.2.0/24, 1 successors, FD is 2297856
         via 172.12.123.2 (2297856/128256), Serial0
         via 172.12.123.3 (2323456/409600), Serial0
P 172.23.23.0/27, 2 successors, FD is 2195456
         via 172.12.123.3 (2195456/281600), Serial0
         via 172.12.123.2 (2195456/281600), Serial0
P 172.12.123.0/24, 1 successors, FD is 2169856
         via Connected, Serial0

To configure unequal-cost load-balancing with the variance command, you need to know the metrics of the less-desirable routes. With EIGRP, this is easy if you know where to look. All these routes are kept in the EIGRP Topology Table. The Successor (the best route) is seen here, and this is the route you'll see in the routing table with show ip route. The Feasible Successor (less desirable, but still valid) is seen only in the topology table.

Exam Tip: EIGRP has three tables: the route table, seen with show ip route; the topology table, seen with show ip eigrp topology; and the neighbor table, seen with show ip eigrp neighbors.

Note that the routes in the topology table are seen as Passive, indicated by the letter P. There are no active routes. At first glance, this may not seem good, but this is actually what you want. Routes marked as Passive are not currently being calculated by DUAL (EIGRP's algorithm), and are available to carry data. Routes marked as Active are being calculated by DUAL and cannot currently be used to carry data. In a perfectly working network, routes that go into Active don't stay there very long. If you see one that stays there, the acronym used for that is SIA, Stuck-In-Active.
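Added example (my own Python, not part of the original reference or of Cisco IOS): it parses two entries of the show ip eigrp topology output above, applies DUAL's feasibility condition to tell a successor from a feasible successor, and reports the smallest variance value that would install each feasible successor for unequal-cost load balancing.

```python
import re
# Constructed sample: two entries copied from the topology table shown above.
TOPOLOGY_OUTPUT = """\
P 3.3.3.3/32, 1 successors, FD is 2297856
        via 172.12.123.3 (2297856/128256), Serial0
        via 172.12.123.2 (2323456/409600), Serial0
P 172.23.23.0/27, 2 successors, FD is 2195456
        via 172.12.123.3 (2195456/281600), Serial0
        via 172.12.123.2 (2195456/281600), Serial0
"""

PREFIX_RE = re.compile(r"^(?P<state>[PA]) (?P<prefix>\S+), \d+ successors, FD is (?P<fd>\d+)")
VIA_RE = re.compile(r"^\s+via (?P<nh>\S+) \((?P<fd>\d+)/(?P<rd>\d+)\), (?P<intf>\S+)")

def parse_topology(text):
    """Return {prefix: {'state', 'fd', 'paths': [(next_hop, path_fd, reported_distance, intf)]}}."""
    table, current = {}, None
    for line in text.splitlines():
        m = PREFIX_RE.match(line)
        if m:
            current = table.setdefault(m["prefix"], {"state": m["state"], "fd": int(m["fd"]), "paths": []})
            continue
        m = VIA_RE.match(line)
        if m and current is not None:
            current["paths"].append((m["nh"], int(m["fd"]), int(m["rd"]), m["intf"]))
    return table

def classify(entry, variance=1):
    """Label each path: 'successor' (metric == FD), 'feasible successor' (reported distance < FD,
    DUAL's feasibility condition; installed when metric <= variance * FD), or 'not feasible'."""
    fd, result = entry["fd"], {}
    for nh, path_fd, rd, _ in entry["paths"]:
        if path_fd == fd:
            result[nh] = "successor"
        elif rd < fd:
            result[nh] = "feasible successor (installed)" if path_fd <= variance * fd else "feasible successor"
        else:
            result[nh] = "not feasible"
    return result

def min_variance(entry):
    """Smallest integer variance that installs every feasible successor of this prefix."""
    fd = entry["fd"]
    feasible = [p for _, p, rd, _ in entry["paths"] if p != fd and rd < fd]
    return max((-(-p // fd) for p in feasible), default=1)   # ceiling division

if __name__ == "__main__":
    for prefix, entry in parse_topology(TOPOLOGY_OUTPUT).items():
        print(prefix, classify(entry), "variance needed:", min_variance(entry))
```

For 3.3.3.3/32 the path through 172.12.123.2 passes the feasibility condition (409600 < 2297856) but is only installed once variance is 2.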
Advanced TCP/IP Topics Command Summary

(Access-lists, NAT, Route Summarization)

Standard Access List Format and Application:
R1#conf t
R1(config)#access-list 5 permit 172.1.0.0 0.0.255.255
R1(config)#interface serial0
R1(config-if)#ip access-group 5 in

First, the access list (abbreviated as ACL) is written. Second, the ACL is applied to the interface. A standard ACL is straightforward, but there are a lot of details in that little configuration. Mastery of these details will make you a CCNA and CCNP. Let's take a look at these details.

Remember that every ACL ends with an implicit deny. If traffic is not explicitly permitted, it is implicitly denied. ACLs run from top to bottom; when there is a match, the ACL no longer runs. This makes the order of the ACL's lines vital. Standard ACLs can be numbered 1 to 99 and 1300 to 1399. ACLs always use wildcard masks, just as OSPF and EIGRP do. Standard ACLs consider only the source IP address.
ACLs using host, any, and remark
R1#conf t
R1(config)#access-list 5 permit 172.1.13.1 0.0.0.0

OR
R1#conf t
R1(config)#access-list 5 permit host 172.1.13.1

These two ACLs perform the same task. Traffic matching the single IP address 172.1.13.1 will be permitted, with all other traffic denied by the implicit deny. The word host can be used in place of the wildcard mask 0.0.0.0. Exam Tip: Note that while a wildcard mask of 0.0.0.0 follows the address, the word host precedes it.
R1#conf t
R1(config)#access-list 5 permit any

OR
R1#conf t
R1(config)#access-list 5 permit 172.1.13.1 255.255.255.255

These two ACLs perform the same task. All traffic will match. (You could put any address in for the source IP address as long as the wildcard mask is 255.255.255.255.) The word any can be used in place of the source IP address and wildcard mask 255.255.255.255.
R1#conf t
R1(config)#access-list 5 remark This ACL blocks telnet traffic.

Use the remark command to add comments to your ACL.


Extended Access Lists Configuration and Application
R1#conf t
R1(config)#access-list 105 permit ip 172.50.50.0 0.0.0.255 210.1.1.0 0.0.0.255
R1(config)#interface serial0
R1(config-if)#ip access-group 105 out

Exam Tips: Extended ACLs have numeric ranges of 100 to 199 and 2000 to 2699. Extended ACLs can match against source IP address, destination IP address, protocol type, and well-known port number (for example, port 80 to block web traffic). Extended ACLs run from top to bottom; once a match is found, the ACL stops running. Extended ACLs have an implicit deny at the end. Extended ACLs are applied in the same fashion as standard ACLs. Note the ip keyword that the command begins with, and that the direction of traffic this ACL will be matched against must be specified. Overall, you can have two ACLs applied on an interface: one applied to inbound traffic and the other to outbound traffic. The keywords host and any can be used for the source, destination, or both.

Named ACL Configuration And Application
R1#conf t
R1(config)#ip access-list extended NO_WEB_TRAFFIC
R1(config-ext-nacl)#deny tcp any any eq www
R1(config-ext-nacl)#permit ip any any
R1(config-ext-nacl)#interface ethernet0
R1(config-if)#ip access-group NO_WEB_TRAFFIC in
R1(config-if)#ip access-group NO_WEB_TRAFFIC out

Named ACLs can be either standard or extended, and this is defined when the ACL is created. Here, an ACL blocking WWW traffic is created. The line permit ip any any will permit any traffic, regardless of source or destination, as long as the traffic didn't match the first line.

Named ACLs are applied to interfaces in much the same fashion as numbered ACLs. Note that this ACL was applied to both inbound and outbound traffic, which does require two separate lines; there's no both option.

Limiting Telnet Access With ACLs
R1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#access-list 99 permit host 110.1.1.1
R1(config)#line vty 0 4
R1(config-line)#login
% Login disabled on line 5, until 'password' is set
% Login disabled on line 6, until 'password' is set
% Login disabled on line 7, until 'password' is set
% Login disabled on line 8, until 'password' is set
% Login disabled on line 9, until 'password' is set
R1(config-line)#password cisco
R1(config-line)#access-class 99 in

ACLs can be applied to the VTY lines (used for Telnet) to limit who can telnet in to the router, regardless of whether they know the password or not. First, ACL 99 was written, and the host option is used to permit only the IP address 110.1.1.1. The implicit deny will deny all other source addresses. Login has been allowed and a password of cisco has been set. The ACL is then applied to the VTY lines with the access-class command. Note that this command is different from the command used to apply an ACL to interfaces.

Tip: I entered login first to show you the message you'll get if you enter that command before setting the required Telnet password. As long as you set a password after enabling login, there's no problem. There is no right or wrong order to use the login and password commands.
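Added example (my own Python, not from the original reference or from IOS): a small evaluator for the ACL lines used in this section, standard, extended and named, including the access-class list 99 above. It encodes the rules the text stresses: wildcard-mask matching, host and any, top-to-bottom first-match evaluation, and the implicit deny at the end. Protocol and port handling is a deliberate subset (ip, tcp, udp, icmp, and eq with a port number or one of the names in PORT_NAMES).

```python
import ipaddress

PORT_NAMES = {"www": 80, "telnet": 23}   # name-to-port subset used by the ACLs in this section

def _addr(tokens):
    """Consume one address spec ('any', 'host A.B.C.D', or 'A.B.C.D wildcard');
    return ((address, wildcard) as ints, remaining tokens)."""
    if tokens[0] == "any":
        return (0, 0xFFFFFFFF), tokens[1:]
    if tokens[0] == "host":
        return (int(ipaddress.IPv4Address(tokens[1])), 0), tokens[2:]
    return (int(ipaddress.IPv4Address(tokens[0])), int(ipaddress.IPv4Address(tokens[1]))), tokens[2:]

def _matches(spec, ip):
    """Wildcard semantics: 0 bits must match, 1 bits are 'don't care'."""
    addr, wild = spec
    care = ~wild & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(ip)) & care) == (addr & care)

def parse_acl(lines):
    """Parse numbered lines ('access-list N permit ...') or named-ACL body lines
    ('deny tcp any any eq www'); remarks are skipped and order is preserved."""
    rules = []
    for line in lines:
        t = line.split()
        if t[0] == "access-list":
            t = t[2:]                                  # drop keyword and list number
        if t[0] == "remark":
            continue
        action, t = t[0], t[1:]
        if t[0] in ("ip", "tcp", "udp", "icmp"):       # extended: proto src dst [eq port]
            proto, t = t[0], t[1:]
            src, t = _addr(t)
            dst, t = _addr(t)
            port = (PORT_NAMES.get(t[1]) or int(t[1])) if t[:1] == ["eq"] else None
        else:                                          # standard: source address only
            proto, src, dst, port = None, _addr(t)[0], None, None
        rules.append({"action": action, "proto": proto, "src": src, "dst": dst, "port": port})
    return rules

def evaluate(rules, src, dst=None, proto="ip", dport=None):
    """Top to bottom, first match wins; no match falls through to the implicit deny."""
    for r in rules:
        proto_ok = r["proto"] in (None, "ip") or r["proto"] == proto
        dst_ok = r["dst"] is None or _matches(r["dst"], dst)
        port_ok = r["port"] is None or r["port"] == dport
        if proto_ok and _matches(r["src"], src) and dst_ok and port_ok:
            return r["action"]
    return "deny"
```

Pass a destination address whenever the list contains extended lines; for a standard list (source only) it can be omitted.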
Route Summarization Commands
R1#conf t
R1(config)#interface serial0
R1(config-if)#ip summary-address rip 110.1.0.0 255.252.0.0

R1#conf t
R1(config)#interface serial0
R1(config-if)#ip summary-address eigrp 100 110.1.0.0 255.252.0.0

Route summarization is covered thoroughly in my Ultimate CCNA Study Guide. It's the process of taking several network numbers and summarizing them into one single routing update statement. It must be done carefully. If you're not familiar with the subject, please refer to Section Ten of my CCNA Study Guide, which contains several clearly illustrated examples. The command to send the summarization is a little odd. It does not go under the routing process configuration; it's an interface-level command. Know how to perform this summarization before taking the CCNA exams, and be familiar with the syntax as well.
NAT: Static And Dynamic NAT Pre-Configuration
R1#conf t
R1(config)#interface serial0
R1(config-if)#ip nat outside
R1(config-if)#interface ethernet0
R1(config-if)#ip nat inside

Whether you're configuring static or dynamic NAT, you've got to define your inside and outside interfaces. The inside NAT interface is the one closest to the devices using RFC 1918 addresses; usually, that's going to be an Ethernet interface. The outside NAT interface is the one facing the Internet from the organization's point of view; that's going to be a Serial interface.

Exam Tip: The addresses on the inside segment, represented by RFC 1918 addresses, are referred to as inside local addresses; the address on the outside interface is the inside global address.
Static NAT configuration
R1#conf t
R1(config)#interface serial0
R1(config-if)#ip nat outside
R1(config-if)#interface ethernet0
R1(config-if)#ip nat inside

R1#conf t
R1(config)#ip nat inside source static 10.5.5.5 210.1.1.2
R1(config)#ip nat inside source static 10.5.5.6 210.1.1.3
R1(config)#ip nat inside source static 10.5.5.7 210.1.1.4

Static mappings first name an inside local address, and map that address directly to an inside global address. No other addresses will use NAT (you often hear this referred to as an address or user being "natted" out).
To view the mappings, run show ip nat translations.

R3#show ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
--- 210.1.1.2          10.5.5.5           ---                ---
--- 210.1.1.3          10.5.5.6           ---                ---
--- 210.1.1.4          10.5.5.7           ---                ---

To view the active translations and the number of static and dynamic mappings, run show ip nat statistics.

R3#show ip nat statistics
Total active translations: 3 (3 static, 0 dynamic; 0 extended)
Outside interfaces: Serial0
Inside interfaces: Ethernet0
Hits: 0  Misses: 0
Expired translations: 0

Dynamic NAT Configuration


R1#conf t
R1(config)#interface serial0
R1(config-if)#ip nat outside
R1(config-if)#interface ethernet0
R1(config-if)#ip nat inside

R1#conf t
R1(config)#ip nat inside source list 1 pool NATPOOL
R1(config)#ip nat pool NATPOOL 200.1.1.2 200.1.1.5 netmask 255.255.255.0
R1(config)#access-list 1 permit 10.5.5.0 0.0.0.255

This looks like an intimidating configuration, but by taking it apart piece by piece, you will see it's not really complicated. First, as with static NAT, the inside and outside interfaces had to be defined. Next, the NAT inside addresses are defined by the ip nat inside source command. The next part of that command, list 1, refers to access-list 1. In this example, any inside host with an IP address in the 10.5.5.0 /24 network can use NAT. Finally, the pool of NAT addresses to be used is named: the pool NATPOOL. On the next line, the pool of NAT addresses is defined. The two addresses listed are the first and last addresses in the range to be used. Here, the valid NAT outside addresses are 200.1.1.2, 200.1.1.3, 200.1.1.4, and 200.1.1.5. The subnet mask for these addresses is defined with the netmask keyword.

Exam Tip: Take care not to include the actual IP address of the NAT outside interface in the NAT pool.
PAT (Port Address Translation) Configuration
R3#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R3(config)#interface ethernet0
R3(config-if)#ip nat inside
R3(config-if)#interface serial0
R3(config-if)#ip nat outside
R3(config-if)#ip nat inside source list 1 interface serial0 overload
R3(config)#access-list 1 permit 10.5.5.0 0.0.0.255

PAT uses a single outside IP address to allow multiple NAT sessions. (PAT uses port numbers to keep the conversations separate.) The configuration for PAT is almost the same as it is for dynamic NAT; the difference is that a NAT pool is not created; instead, the outside interface is indicated and the overload keyword is added.
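Added example (my own Python, not from the original reference or from IOS): a minimal model of the translation table that the dynamic NAT and PAT configurations above build. With the four-address pool 200.1.1.2 to 200.1.1.5, a fifth inside host gets no translation; with overload, one interface address serves every permitted host and sessions are told apart by port. The PAT outside address 203.0.113.1 is hypothetical, and port selection is simplified (IOS first tries to keep the original source port).

```python
import ipaddress

def nat_pool(first, last):
    """Expand the two addresses of 'ip nat pool NATPOOL first last' into the usable range."""
    lo, hi = int(ipaddress.IPv4Address(first)), int(ipaddress.IPv4Address(last))
    return [str(ipaddress.IPv4Address(i)) for i in range(lo, hi + 1)]

class DynamicNat:
    """'ip nat inside source list 1 pool NATPOOL': one pool address per inside local host."""
    def __init__(self, pool_addresses, permitted_cidr):
        self.free, self.table = list(pool_addresses), {}
        self.permitted = ipaddress.ip_network(permitted_cidr)   # what access-list 1 permits

    def translate(self, inside_local):
        if ipaddress.IPv4Address(inside_local) not in self.permitted:
            return None                       # not matched by the list: not natted at all
        if inside_local not in self.table:
            if not self.free:
                return None                   # pool exhausted: no inside global available
            self.table[inside_local] = self.free.pop(0)
        return self.table[inside_local]

class Pat:
    """'ip nat inside source list 1 interface serial0 overload': one interface address,
    sessions told apart by the translated port (port choice simplified here)."""
    def __init__(self, interface_address, permitted_cidr, first_port=1024):
        self.addr, self.next_port, self.table = interface_address, first_port, {}
        self.permitted = ipaddress.ip_network(permitted_cidr)

    def translate(self, inside_local, src_port):
        if ipaddress.IPv4Address(inside_local) not in self.permitted:
            return None
        key = (inside_local, src_port)
        if key not in self.table:
            self.table[key] = (self.addr, self.next_port)   # unique port per session
            self.next_port += 1
        return self.table[key]

if __name__ == "__main__":
    nat = DynamicNat(nat_pool("200.1.1.2", "200.1.1.5"), "10.5.5.0/24")
    for host in range(5, 10):                 # five hosts, four pool addresses
        print(f"10.5.5.{host} -> {nat.translate(f'10.5.5.{host}')}")
    pat = Pat("203.0.113.1", "10.5.5.0/24")   # hypothetical serial0 address
    for host, port in [(5, 40000), (6, 40000), (7, 50000)]:
        print(f"10.5.5.{host}:{port} -> {pat.translate(f'10.5.5.{host}', port)}")
```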
Telnet Password Creation
R1#conf t
R1(config)#line vty 0 4
R1(config-line)#login
R1(config-line)#password CCNA

You add the login command and configure a password on the VTY lines to protect Telnet with a password. Telnet connections are required to be password protected. If a user attempts to connect to a router that does not have a VTY password set, the user will receive a message that says "password required, but none set".

Tip: Telnet allows five simultaneous connections, not four. (The lines are 0, 1, 2, 3, and 4; that's five!)

Setting The Enable Password And Enable Secret
R1#conf t
R1(config)#enable password cisco
R1(config)#enable secret ccna

Both the enable password and enable secret protect privileged exec mode, more commonly referred to as enable mode. There are several keys to remember: The enable secret is encrypted in the running-configuration by default, where the enable password is not. If both are configured, the enable secret takes precedence over the enable password. The enable password exists primarily for backwards compatibility.

Password Protecting The Console


R1#configure terminal
R1(config)#line con 0
R1(config-line)#login
% Login disabled on line 0, until 'password' is set
R1(config-line)#password cisco

The first line of defense (after physically securing your network, that is!) is password protecting your router console. To do so, configure login and the password on line con 0.
Encrypting All Passwords In The Running-Config

R1#show config
!
enable secret 5 $1$F0NM$qmLAeyofJm/MxmeawGkEI1
enable password cisco

Notice that the enable password is in clear text. The enable secret is always encrypted.
R1(config)#service password-encryption
R1#show config
Using 1842 out of 32762 bytes
!
enable secret 5 $1$F0NM$qmLAeyofJm/MxmeawGkEI1
enable password 7 070C285F4D06

To encrypt all passwords in the running configuration, run service password-encryption.

Cisco Discovery Protocol

cdp enable
cdp run
no cdp enable
no cdp run

You need to have these four commands down cold. You must know how to enable and disable CDP at the interface level as well as globally. CDP is enabled globally and on all interfaces by default.

Interface-level commands:

R1#conf t
R1(config)#interface serial0
R1(config-if)#no cdp enable
R1(config-if)#cdp enable

Global commands:

R1#conf t
R1(config)#no cdp run
R1(config)#cdp run

R1#show cdp neighbor
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                  S - Switch, H - Host, I - IGMP, r - Repeater

Device ID        Local Intrfce     Holdtme    Capability  Platform  Port ID
R3               Ser 1             159        R           2500      Ser 1

R1#show cdp neighbor detail
-------------------------
Device ID: R3
Entry address(es):
  IP address: 172.12.13.2
Platform: cisco 2500,  Capabilities: Router
Interface: Serial1,  Port ID (outgoing port): Serial1
Holdtime : 154 sec

Version :
Cisco Internetwork Operating System Software
IOS (tm) 2500 Software (C2500-D-L), Version 12.2(13), RELEASE SOFTWARE (fc1)
Copyright (c) 1986-2002 by cisco Systems, Inc.
Compiled Tue 19-Nov-02 20:25 by pwade

advertisement version: 2

Note that while both show the directly connected devices, only the detail command reveals the IP address of the directly connected device.
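Added example (my own Python, not from the original reference or from IOS): an offline check of a saved running-config for the password and VTY settings covered in the sections above: a clear-text or type 7 enable password, a missing enable secret, service password-encryption turned off, a line with login but no password, and VTY lines without an access-class. The sample config is constructed from the fragments shown above; the finding wording is mine.

```python
# Constructed sample, assembled from the fragments shown in this section (not a real device).
WEAK_CONFIG = """\
!
enable secret 5 $1$F0NM$qmLAeyofJm/MxmeawGkEI1
enable password cisco
!
line con 0
 password cisco
 login
line vty 0 4
 password cisco
 login
!
"""

def audit_config(text):
    """Return findings for the enable, console and VTY settings covered in this section."""
    lines = [l.rstrip() for l in text.splitlines()]
    sections, current = {}, None
    for line in lines:                                # group indented commands under 'line ...'
        if line.startswith("line "):
            current = line[5:]
            sections[current] = []
        elif line.startswith(" ") and current is not None:
            sections[current].append(line.strip())
        else:
            current = None
    top = [l for l in lines if not l.startswith(" ")]
    findings = []
    if not any(l.startswith("enable secret ") for l in top):
        findings.append("enable secret not configured; privileged mode relies on enable password")
    for l in top:
        if l.startswith("enable password "):
            kind = "type 7, reversible" if l.split()[2] == "7" else "clear text"
            findings.append(f"enable password present ({kind}); rely on enable secret instead")
    if "service password-encryption" not in top:
        findings.append("service password-encryption is off; line passwords are stored in clear text")
    for name, cmds in sections.items():
        if "login" in cmds and not any(c.startswith("password ") for c in cmds):
            findings.append(f"line {name}: login set without a password; logins will be refused")
        if any(c.startswith("password ") and c.split()[1] != "7" for c in cmds):
            findings.append(f"line {name}: password stored in clear text")
        if name.startswith("vty") and not any(c.startswith("access-class ") for c in cmds):
            findings.append(f"line {name}: no access-class; Telnet is not restricted by source address")
    return findings

if __name__ == "__main__":
    for finding in audit_config(WEAK_CONFIG):
        print("-", finding)
```

Run it against the output of show running-config saved to a file; an empty list means every check in this section passed.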

Copyright 2011 The Bryant Advantage. All Rights Reserved.
