
CCENT Notes v3

1.0 Network Fundamentals


1.1 Compare and Contrast OSI TCP/IP models

OSI layer, functional description, and the TCP/IP layer it maps to:
- Application (TCP/IP: Application): Provides an interface from the application to the
  network by supplying a protocol with actions meaningful to the application (e.g. "get
  web page object")
- Presentation (TCP/IP: Application): Negotiates data formats, such as ASCII text, or image
  types like JPEG
- Session (TCP/IP: Application): Provides methods to group multiple bidirectional messages
  into a workflow for easier management and easier backout of work that happened if the
  entire workflow fails
- Transport (TCP/IP: Transport): Focuses on data delivery between two endpoint hosts (e.g.
  error recovery)
- Network (TCP/IP: Network): Defines logical addressing, routing, and routing protocols used
  to learn routes
- Data Link (TCP/IP: Data Link): Defines the protocols for delivering data over a particular
  single type of physical network (e.g. Ethernet protocols etc.)
- Physical (TCP/IP: Physical): Defines the physical characteristics of the transmission
  medium (e.g. pins, electrical currents etc.)
- Encapsulation terminology for OSI and TCP/IP model:

- Device and protocols examples:

- Same-layer, adjacent-layer interaction (e.g. TCP to HTTP, TCP to TCP etc.)

1.2 Compare and contrast TCP and UDP protocols


TCP:
- Pros:
  - Connection-oriented
  - Multiplexing using port numbers
  - Error recovery with ACK and SEQ
  - Flow control using windowing
  - Connection establishment and termination with SYN, ACK and FIN
  - Ordered data transfer and segmentation with SEQ and windowing
- Cons:
  - Bigger header
  - More bandwidth
  - More processing cycles
  - More overhead bytes
  - Slower speed
UDP:
- Pros:
  - Connectionless
  - Multiplexing using port numbers
  - Smaller header
  - Less bandwidth
  - Less processing cycles
  - Less overhead bytes
  - Faster speed
- Cons:
  - No error recovery
  - No windowing
  - No connection establishment/termination
  - No ordered data transfer

- Multiplexing using port numbers (TCP and UDP):
- Connection establishment and termination (TCP only):
- Error recovery (TCP only):
- Flow control using windowing (TCP only):
  * At the end, the web browser can send bytes 4000-7999
- TCP forward acknowledgment: acknowledging by listing the next expected byte

1.3 Describe the impact of infrastructure components in an enterprise network


1.3.a Firewall
- Firewalls sit in the forwarding path of all packets so that the firewall can protect the
  whole network
- Firewall's logic to discard/allow a packet:
- Like ACLs, match the source and destination IP address
- Like ACLs, identify applications by matching static well-known TCP/UDP ports
- Know what additional TCP/UDP ports are used by a particular flow
- Match the text in the URI of an HTTP request and match patterns to decide
whether to allow or deny the download of the web page identified by that URI
- Keep state information by storing information about each packet, and make
decisions about filtering future packets based on the historic state information
(a.k.a. stateful inspection/stateful firewall) (mitigates DoS attacks)
- Security zones:
- Security zones define which hosts can initiate new connections
- DMZ:
- Firewall security zone used to place servers that need to be available for use by
users in the public Internet
1.3.b Access points
Autonomous wireless APs:
- Communicates with wireless devices with 802.11 and radio waves
- Converts header formats between 802.11 and 802.3
- Performs control and management features e.g. authentication of new devices,
definition of name of WLAN (SSID) etc.
LWAPs:
- Forwards data between wired and wireless LAN; allows roaming
- Forwards data specifically through WLC with protocol e.g. CAPWAP
1.3.c Wireless controllers
- Provides centralised control/management functions and allows roaming

1.4 Compare and contrast collapsed core and three-tier architectures


Collapsed core:
- Instead of core tier, distribution switches can be cabled together with full/partial mesh
- Access layer:
- Connects directly to end users and sends traffic to and from distribution switches
- Often has 2+ uplinks to distribution switches (redundancy)
- Uses star topology
- Distribution layer:
- Provides a path through which the access switches can forward traffic to each other

Three-tier:
- Uses fewer switch ports and cables
- Uses a hybrid design
- Core tier uses partial mesh and aggregates (clusters together) distribution switches

1.5 Compare and contrast network topologies


1.5.a Star
- A design in which one central device connects to several others
1.5.b Mesh
Full mesh:
- For any set of network nodes, a design that connects a link between
each pair of nodes; every node connects to each other
- Requires many links and many switch ports

Partial mesh:
- For any set of network nodes, a design that connects a link between some pairs
of nodes, but not all; some nodes connect to each other
1.5.c Hybrid
- Combination of different topologies in one network

1.6. Select the appropriate cabling type based on implementation requirements


- Ethernet link has RJ-45 connectors and SFP+ for 10 Gbps

- Crossover cable: if the endpoints transmit on the same pin pair
- Straight-through cable: if the endpoints transmit on different pairs
- 1000BASE-T uses (1,2) (3,6) (4,5) (7,8)
- 1000BASE-T straight-through: (1,2) to (1,2) | (3,6) to (3,6) etc.
- 1000BASE-T crossover: (1,2) to (3,6) | (4,5) to (7,8) and vice versa for both

WAN links
- WAN links use serial cables, T1 etc.
- Router connects to CSU/DSU by using RJ-48 connector on a serial cable
- Simulated serial links use V.35 DTE and V.35 DCE cables and router with DCE cable needs
to provide clock rate
- WAN links can use DSL with phone cables or cable Internet with CATV cables
Console line

Terminal settings for console access:


- 9600 bits/second console speed
- No hardware flow control
- 8-bit ASCII
- No parity bits
- 1 stop bit

VTY line
- Telnet: All data sent in clear-text, TCP port 23
- SSH: All data sent encrypted, TCP port 22

1.7. Apply troubleshooting methodologies to resolve problems


1.7.a Perform fault isolation and document
- Process of taking what you know about a possible issue, confirming that there is a
problem, and determining which devices and cables could be part of the problem,
and which are not. The step also works best when the person troubleshooting the
problem documents what they find, typically in a problem tracking system
- Uncovers the root cause of the problem that needs to be fixed
1.7.b Resolve or escalate
- Resolving the problem: finding the root cause of the problem and fixing it
- Escalating the problem: if you cannot find the root cause or fix the root cause
once found, escalate the problem according to the defined escalation process,
with different levels of technical support and management support
1.7.c Verify and monitor resolution
- Verifying: verifying that the fix worked by issuing show commands
- Monitoring: keeping an eye on the fix over a period of time, especially when you
do not know what caused the root problem in the first place
1.8 Configure, verify, and troubleshoot IPv4 addressing and subnetting
IP Addressing:
- ip address addr mask defines the IP address and mask for that interface
- ip address command creates a local route for the interface
- ip address command creates a connected route for the connected subnet

- One subnet for each:


- VLAN
- Point-to-point serial link
- Ethernet emulation WAN link (EoMPLS)
- Organising subnets by geographic location allows route summarisation
Classful network:
- Finding out classful information about a single IP address, worked for 183.2.85.47:
  - Class: Class B (Class A: 1.0.0.0 - 126.0.0.0; Class B: 128.0.0.0 - 191.255.0.0;
    Class C: 192.0.0.0 - 223.255.255.0)
  - Default mask: 255.255.0.0 (/16) (Class A: 255.0.0.0 (/8); Class B: 255.255.0.0 (/16);
    Class C: 255.255.255.0 (/24))
  - Number of network octets/bits: 2 octets, 16 bits (Class A: 1 octet, 8 bits; Class B:
    2 octets, 16 bits; Class C: 3 octets, 24 bits)
  - Number of host octets/bits: 2 octets, 16 bits (Class A: 3 octets, 24 bits; Class B:
    2 octets, 16 bits; Class C: 1 octet, 8 bits)
  - Number of host addresses in the network: 2^16 - 2 = 65534 (2^(host bits) - 2)
  - Network ID: 183.2.0.0 (change all host octets to 0)
  - Network broadcast address: 183.2.255.255 (change all host octets to 255)
  - First usable address in the network: 183.2.0.1 (network ID + 1)
  - Last usable address in the network: 183.2.255.254 (network broadcast address - 1)

Subnet mask:
- Company can use a single mask for every subnet or VLSM
- Binary mask, DDN mask, prefix mask conversion:
- Binary <=> DDN: Convert each binary octet to decimal and vice versa
- DDN <=> prefix: Convert prefix to binary, and then convert back to DDN mask
- Binary <=> prefix: Write P bits of 1s, and 32 - P bits of 0s
- Comprises 32 bits divided into:
  - Network and host bits for an unsubnetted network
  - Prefix (network + subnet) and host bits for subnets
- Prefix bits - classful network bits = subnet bits
- CIDR network bits can be any value and ignore classful rules
Network:
- Network bits depend on the classful network that is being subnetted (A=8, B=16, C=24)
  and stay locked
Subnet:
- No. of subnets in network = 2^S (only works when a single mask is used)
- When using a single mask, S must support the number of subnets required
Host:
- No. of hosts in subnet = 2^H - 2
- Every address between subnet ID and subnet broadcast address
- When using a single mask, H needs to support the largest host/subnet
- Address can be statically assigned or learned using DHCP

Worked example: 172.171.170.169 with mask 255.255.248.0
- Prefix mask: /21 (8+8+5+0). Rule: if the mask octet is 255, add 8; if it is 0, add 0;
  if it is in between, find X in 2^X = 256 - octet and add 8 - X (here 2^3 = 256 - 248,
  so 8 - 3 = 5)
- Class: Class B (Class A: 1.0.0.0 - 126.0.0.0; Class B: 128.0.0.0 - 191.255.0.0;
  Class C: 192.0.0.0 - 223.255.255.0)
- Network bits: 16 bits (Class A: 8 bits; Class B: 16 bits; Class C: 24 bits)
- Subnet bits: 5 bits (prefix bits - network bits: 21 - 16 = 5)
- Host bits: 11 bits (32 - prefix bits: 32 - 21 = 11)
- Hosts/subnet: 2^11 - 2 = 2046 (2^H - 2)
- Subnets in network: 2^5 = 32 (2^S)
- Subnet ID: 172.171.168.0. Rule: if the mask octet = 255, copy the decimal IP address
  octet; if the mask octet = 0, write a decimal 0; if neither, write the closest multiple
  of [256 - mask octet] that is not above the IP address octet
- Subnet broadcast address: 172.171.175.255. Rule: if the mask octet = 255, copy the
  decimal IP address octet; if the mask octet = 0, write a decimal 255; if neither, subnet
  ID octet + [256 - mask octet - 1]
- First usable address: 172.171.168.1 (subnet ID + 0.0.0.1)
- Last usable address: 172.171.175.254 (subnet broadcast address - 0.0.0.1)
Choosing the subnet mask:
- Smallest value of S in 2^S >= required number of subnets
- Smallest value of H in 2^H - 2 >= largest number of hosts in one subnet
- Invalid subnet design: the minimum number of subnet bits and host bits required does
  not fit (N + S + H > 32)
- One mask meets the requirement: if N + S + H = exactly 32
- If multiple masks meet the need:
  - Shortest prefix mask maximises number of hosts/subnet
  - Longest prefix mask maximises number of possible subnets
  - Any range of prefix masks between the two can be used
- First subnet ID is called subnet zero or zero subnet and is equal to the classful
  network ID
- ip subnet-zero (default) allows configuration of addresses in the zero subnet
- no ip subnet-zero prevents configuration of addresses in the zero subnet (router
  rejects use of the address with "Bad mask /P for address X.X.X.X")
- Number of subnets in network = 256 / {256 - interesting octet}
- Finding all subnets with 8 or fewer subnet bits:
  - Add {256 - interesting octet} to the previous subnet number, starting from the zero subnet
  - All subnets with exactly 8 subnet bits have subnet IDs that increase by 1 in the
    interesting octet
- Finding all subnets with more than 8 subnet bits:
- Find all subnet IDs for the interesting octet
- Add 1 to the just-left octet for each time the interesting octet hits the limit
- Stop when you create a block with the just-left octet of 255
- Finding all subnets with 17 or more subnet bits:
- Only Class A network can be subnetted in this way
- Create subnet blocks within subnet blocks to list all subnet IDs
VLSM:
- Using more than one mask in a single classful network
- VLSM creates fewer wasted IP addresses in public networks
- To support VLSM, routing protocol must be classless and send mask in routing updates
- VLSM is a side effect of the ip address command
- To find VLSM overlaps:
- Calculate the subnet ID and subnet broadcast of each subnet (range of addresses)
- List the subnet IDs in numerical order (along with their subnet broadcast addresses)
- Compare each pair of adjacent entries to see whether their range of addresses overlaps
- Adding a new VLSM subnet:
- Pick the subnet mask for the new subnet, based on the design requirements
- Calculate all possible subnet numbers of the classful network using the mask, along
with the subnet broadcast address
- Make a list of existing subnet IDs and matching subnet broadcast addresses
- Compare the existing subnets to the candidate new subnets to rule out overlapping
new subnets
- Choose the new subnet ID from the remaining subnets at Step 4, paying attention to
whether the question asks for the numerically lowest or highest subnet ID
- Zero subnet should be avoided if:
- Question implies use of classful routing protocols
- The routers are configured with the no ip subnet-zero command
- Overlaps when using a single mask:
- Subnets will have exact same subnet ID, exact same address range
- Overlaps when using VLSM:
- Subnets will have parts of their addresses overlapped
- Problems occur for some destinations within the overlapped ranges
- ping commands fail, traceroute commands complete for only certain hosts
- IOS overlap recognition:
- IOS detects the overlap when the ip address command implies an overlap with
another ip address command on the same router
- IOS cannot detect an overlap when an ip address command overlaps with an ip
address command on another router
- IOS does not perform the subnet overlap check for shutdown interfaces
- When no shutdown is issued on an interface whose address overlaps, the interface stays
  shut down until the overlap has been resolved
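As an added example (not part of the original notes), the following Python applies this section's rules: prefix length from a DDN mask, subnet ID, subnet broadcast, mask choice, and the three-step VLSM overlap check, using the notes' own 172.171.170.169/255.255.248.0 and 183.2.85.47 examples. The list of overlapping subnets in the test is constructed.

```python
"""IPv4 subnetting by the rules of section 1.8, plus the three-step VLSM overlap check."""
import ipaddress


def octets(ddn: str) -> list[int]:
    return [int(o) for o in ddn.split(".")]


def mask_to_prefix(mask: str) -> int:
    """DDN mask -> prefix: 255 adds 8, 0 adds 0, an in-between octet adds 8 - X
    where 2^X = 256 - octet (248 -> 2^3 = 8 -> adds 5)."""
    prefix = 0
    for m in octets(mask):
        if m == 255:
            prefix += 8
        elif m != 0:
            block = 256 - m
            x = block.bit_length() - 1
            if 1 << x != block:
                raise ValueError(f"non-contiguous mask octet {m}")
            prefix += 8 - x
    return prefix


def classful_network_bits(ip: str) -> int:
    first = octets(ip)[0]
    if 1 <= first <= 126:
        return 8
    if 128 <= first <= 191:
        return 16
    if 192 <= first <= 223:
        return 24
    raise ValueError(f"{ip} is not a Class A/B/C address")


def subnet_id(ip: str, mask: str) -> str:
    """255: copy the address octet; 0: write 0; otherwise the closest multiple of
    (256 - mask octet) that is not above the address octet."""
    out = []
    for a, m in zip(octets(ip), octets(mask)):
        out.append(a if m == 255 else 0 if m == 0 else (a // (256 - m)) * (256 - m))
    return ".".join(map(str, out))


def subnet_broadcast(ip: str, mask: str) -> str:
    """255: copy; 0: write 255; otherwise subnet ID octet + (256 - mask octet - 1)."""
    out = []
    for s, m in zip(octets(subnet_id(ip, mask)), octets(mask)):
        out.append(s if m == 255 else 255 if m == 0 else s + (256 - m - 1))
    return ".".join(map(str, out))


def analyse(ip: str, mask: str) -> dict:
    """The notes' worked-example table for any address and single mask."""
    prefix, net_bits = mask_to_prefix(mask), classful_network_bits(ip)
    sid, bcast = subnet_id(ip, mask), subnet_broadcast(ip, mask)
    return {
        "prefix": prefix,
        "network_bits": net_bits,
        "subnet_bits": prefix - net_bits,
        "host_bits": 32 - prefix,
        "hosts_per_subnet": 2 ** (32 - prefix) - 2,
        "subnets": 2 ** (prefix - net_bits),
        "subnet_id": sid,
        "broadcast": bcast,
        "first_usable": str(ipaddress.IPv4Address(sid) + 1),
        "last_usable": str(ipaddress.IPv4Address(bcast) - 1),
    }


def choose_prefix_range(network_bits: int, subnets_needed: int, hosts_needed: int):
    """Smallest S with 2^S >= subnets and smallest H with 2^H - 2 >= hosts.
    Returns (shortest prefix, longest prefix), or None when N + S + H > 32."""
    s = (subnets_needed - 1).bit_length()
    h = 2
    while 2 ** h - 2 < hosts_needed:
        h += 1
    if network_bits + s + h > 32:
        return None
    return network_bits + s, 32 - h


def find_overlaps(subnets: list[tuple[str, str]]) -> list[tuple[str, str]]:
    """Step 1: subnet ID and broadcast of each subnet. Step 2: sort by subnet ID.
    Step 3: compare each entry with the widest range seen so far, which also catches
    a small subnet buried inside an earlier, larger one (not just adjacent pairs)."""
    ranges = sorted(
        (int(ipaddress.IPv4Address(subnet_id(ip, m))),
         int(ipaddress.IPv4Address(subnet_broadcast(ip, m))),
         f"{subnet_id(ip, m)}/{mask_to_prefix(m)}")
        for ip, m in subnets
    )
    overlaps, high_end, high_name = [], -1, ""
    for start, end, name in ranges:
        if start <= high_end:
            overlaps.append((high_name, name))
        if end > high_end:
            high_end, high_name = end, name
    return overlaps
```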
Verification:
- show ip interface brief lists IP address
- show interface int-id, show running-config and show protocols lists IP address and mask
- show ip route lists IP address/mask of interface and routes with outgoing
interface/next-hop router address, lists VLSMs
Troubleshooting:
- Failed ping commands:
- VLSM overlaps cause routers to not route packets correctly
- VLSM overlaps cause some hosts to not be able to communicate outside their subnets
- Neighbouring interfaces have IP addresses in different subnets
1.9 Compare and contrast IPv4 address types
1.9.a Unicast
- Unicast IPv4 addresses are assigned to a single interface
- Class A, B, C addresses:
- 1.0.0.0 - 126.0.0.0/8 (last assignable address = 126.255.255.254)
- 128.0.0.0 - 191.255.0.0/16 (last assignable address = 191.255.255.254)
- 192.0.0.0 - 223.255.255.0/24 (last assignable address = 223.255.255.254)
- Public IPv4 addresses:
- Publicly registered and globally unique addresses used to connect to the Internet
- Private IPv4 addresses:
- Reserved and unregistered addresses that save IPv4 addresses
- 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16
1.9.b Broadcast
- Local broadcast address:
- 255.255.255.255
- Used to send a broadcast packet on a local subnet
- Routers will not forward the packet as-is
- Also called a limited broadcast
- Subnet broadcast address:
- Numerically highest number in the subnet
- Can be routed to the router connected to that subnet, and then sent as a data
link broadcast to all hosts in that one subnet
- Also called an all-hosts broadcast and a directed broadcast
- Network broadcast address:
- Numerically highest number in the network
- Used to send one packet to all hosts in that one network
- Also called an all-subnets broadcast
- Security vulnerability: ping to subnet broadcast address causes many hosts to
reply => default: no ip directed-broadcast (disables forwarding of subnet
broadcasts to connected subnet)
- Broadcast addresses can only be used as destination addresses
1.9.c Multicast
- Class D addresses: 224.0.0.0 - 239.0.0.0/8 (last address 239.255.255.255)
- Used for applications where e.g. one packet is sent to the subnet, copied 10 times and
  delivered to all 10 hosts in the subnet
- Host uses its unicast IP address for normal traffic, and a multicast IP address for the
  multicast application
- Host registers with its local router to ask to receive packets with the multicast
  destination address
- Multicast packets are only routed to routers which have listening hosts
- Can only be used as destination address
- MAC address is formed by the 25-bit prefix 01.00.5E + the last 23 bits of the IP address
- There can be more than one matching multicast IP address for a given MAC address
- Switch multicast frame forwarding logic:
- The switch floods the multicast frame as if it was a broadcast OR
- The switch uses other Ethernet multicast features that flood the frame only to
those same devices that registered to receive a copy
1.10 Describe the need for private IPv4 addressing
- Private addresses were used to solve IPv4 address exhaustion
- Short-term solution (with CIDR and NAT, long-term: IPv6)
- RFC 1918
- Private IP addresses must be translated to public IP addresses using NAT to connect to
the Internet
- Private addresses are assigned to hosts inside an organisation that:
- Need to connect to the Internet (via NAT)
- Never need to connect to the Internet
- Private address range:
- 10.0.0.0 - 10.255.255.255 (10.0.0.0/8)
- 172.16.0.0 - 172.31.255.255 (172.16.0.0/12)
- 192.168.0.0 - 192.168.255.255 (192.168.0.0/16)
- Private addresses cannot be advertised using a routing protocol on the Internet
- CIDR's main goals according to RFC 4632:
- 1. Defines a way to assign public IP addresses
- 2. Allows route aggregation or route summarisation
- Reduces wasted addresses by assigning subnets (CIDR blocks)
1.11 Identify the appropriate IPv6 addressing scheme to satisfy addressing requirements in
a LAN/WAN environment
- Migration strategies:
- Dual stack
- 6to4 tunnelling
- 4to6 tunnelling
1.12 Configure, verify and troubleshoot IPv6 addressing
- IPv6 will be the replacement protocol for IPv4
- One specific protocol called IPv6 defines the new 128-bit IPv6 address
- Theoretically around 340 undecillion addresses => solves IPv4 address exhaustion
problem
- Private IPv4 addresses, NAT/PAT and CIDR defer the need for IPv6
Protocol migrations:
- OSPFv2 => OSPFv3 (supports advertising of both IPv4 and IPv6 routes)
- ICMP => ICMPv6 (includes all NDP messages)
- ARP => NDP (Neighbour Discovery Protocol)
- RIPv2 => RIPng (RIP next generation)
- EIGRP => EIGRPv6
- BGP-4 => MP BGP-4 (Multiprotocol BGP version 4)
IPv6 addressing:
- 128 bits, 32 hexadecimal digits, 8 quartets
IPv6 address abbreviation:
1. Inside each quartet of four hex digits, remove the leading 0s in the three positions on
the left
2. Find any string of two or more consecutive quartets of all hex 0s, and replace that set
of quartets with a double colon (::). You can only use :: once in a single address
- Routers and computers use the shortest abbreviation, even if you type all 32 hex digits
IPv6 address expansion:
1. In each quartet, add leading 0s as needed until the quartet has four hex digits
2. If a double colon (::) exists, count the quartets currently shown; replace the :: with
multiple quartets of 0000 so that eight total quartets exist
IPv6 prefix length:
- IPv6 prefix length = IPv4 subnet mask
- Uses slash notation
- Cisco routers may require configuration of either:
- No space between address and prefix length
- Space between address and prefix length
- Can vary from /0 to /128
IPv6 prefix:
- IPv6 prefix = IPv4 subnet ID
- To find IPv6 prefix:
- Copy the first P (prefix length) bits
- Change the rest of the bits to 0
- If prefix length is a multiple of 16, copy entire quartets
- If prefix length is a multiple of 4, copy entire hexadecimal digits
- If prefix length isn't a multiple of 4, work in binary to form new hex digit
- Each of the following need a separate subnet:
- VLAN
- Point-to-point serial link
- Ethernet emulation WAN link (EoMPLS)
- Global routing prefix:
- Reserved block of IPv6 addresses that are allocated to companies
- Internet routers can have one route that refers to all the addresses in the block
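The abbreviation, expansion and prefix rules above, implemented in Python as an added example (not from the original notes). The sample addresses are constructed; the prefix function works on the whole 128-bit value, so it covers the quartet, hex-digit and single-bit cases with one routine.

```python
"""IPv6 address abbreviation, expansion and prefix calculation (section 1.12 rules)."""


def expand(addr: str) -> str:
    """Rule 1: pad each quartet to four hex digits. Rule 2: replace :: with enough
    0000 quartets to make eight."""
    if addr.count("::") > 1:
        raise ValueError(":: may appear only once in an address")
    if "::" in addr:
        left, right = addr.split("::")
        lq = left.split(":") if left else []
        rq = right.split(":") if right else []
        if len(lq) + len(rq) > 7:
            raise ValueError(":: must stand for at least one quartet")
        quartets = lq + ["0"] * (8 - len(lq) - len(rq)) + rq
    else:
        quartets = addr.split(":")
    if len(quartets) != 8 or not all(0 < len(q) <= 4 for q in quartets):
        raise ValueError(f"{addr!r} is not a valid IPv6 address")
    return ":".join(q.zfill(4).upper() for q in quartets)


def abbreviate(addr: str) -> str:
    """Rule 1: drop leading 0s in each quartet. Rule 2: replace the longest run of
    two or more all-zero quartets with :: (the leftmost run on a tie)."""
    quartets = [q.lstrip("0") or "0" for q in expand(addr).split(":")]
    best_start, best_len = -1, 1          # a run must be longer than 1 to qualify
    i = 0
    while i < 8:
        if quartets[i] != "0":
            i += 1
            continue
        j = i
        while j < 8 and quartets[j] == "0":
            j += 1
        if j - i > best_len:
            best_start, best_len = i, j - i
        i = j
    if best_start < 0:
        return ":".join(quartets)
    return ":".join(quartets[:best_start]) + "::" + ":".join(quartets[best_start + best_len:])


def prefix(addr: str, plen: int) -> str:
    """Copy the first plen bits and zero the rest, then write the result in its
    shortest form with the prefix length appended."""
    if not 0 <= plen <= 128:
        raise ValueError("prefix length must be between 0 and 128")
    value = int(expand(addr).replace(":", ""), 16)
    value &= ((1 << plen) - 1) << (128 - plen)       # keep only the top plen bits
    full = f"{value:032X}"
    return abbreviate(":".join(full[i:i + 4] for i in range(0, 32, 4))) + f"/{plen}"
```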
- Host IPv6 settings:
- IPv6 address
- IPv6 prefix length
- Default router IPv6 address
- DNS server IPv6 addresses
- Hosts can have their configuration statically set or dynamically learnt using:
- NDP and Stateful DHCPv6 or
- NDP, Stateless DHCPv6, and SLAAC (Stateless Address Autoconfiguration)
- Miscellaneous IPv6 addresses that all IPv6 hosts can use:
- The unknown (unspecified) IPv6 address, ::, or all 0s
- Used by a host when its own IPv6 address is not yet known, or when it suspects that its
  own IPv6 address might have problems (e.g. during dynamic IPv6 address configuration)
- The loopback IPv6 address, ::1, or 127 binary 0s with a single 1
- Used as a loopback address to test its own protocol stack (down to IPv6 and back up
to application)
Neighbour Discovery Protocol (NDP):
- ICMPv6 includes all the NDP messages
- NDP purposes:
- When using SLAAC, host uses NDP messages to learn the first part of its address, plus
the prefix length
- Hosts learn the IPv6 addresses of the available IPv6 routers in the same subnet
- Duplicate Address Detection (DAD) works with NDP messages
- NDP replaces IPv4's ARP, allowing a host to learn the MAC addresses of other hosts in
the same subnet
- NDP neighbour table:
- Host looks in its NDP neighbour table to find MAC address of target
- NDP Router Solicitation (RS):
- Sent to the "all-IPv6-routers" local-scope multicast address of FF02::2
- Message asks all routers, on the local link only, to identify themselves
- NDP Router Advertisement (RA):
- If solicited, sent to the unicast address of the host that sent the RS, or to the all-
IPv6-hosts link-local scope multicast address of FF02::1
- If unsolicited, sent to the all-IPv6-hosts local-scope multicast address of FF02::1
- Lists many facts, including the link-local IPv6 address of the router, global unicast
IPv6 address of the router (=> prefix that the host is in, prefix length etc.)
- SLAAC uses prefix/prefix length info from NDP RS/RA
- NDP Neighbour Solicitation (NS):
- Sent to the solicited-node multicast address associated with the target address
- Asks a host with a particular IPv6 address to send back an NA with its MAC address
- NDP Neighbour Advertisement (NA):
- If solicited, sent to the unicast address of sender of NS
- If unsolicited, sent to the all-IPv6-hosts local-scope multicast address FF02::1
- Lists the MAC address of the host
- Duplicate Address Detection (DAD):
- IPv6 uses DAD before using unicast address (global unicast, unique local, link-local)
- If another host already uses that address, first host doesn't use the address until
problem is resolved
- DAD sends an NS for its own unicast address:
- If host receives an NA => duplicate address exists
- If host doesn't receive an NA => no duplicate address exists

Dynamic Configuration of Host IPv6 Settings:


- Stateful DHCPv6 similarities with IPv4 DHCP:
- DHCP clients on a LAN send messages that flow only on the local LAN, hoping to find a
DHCP server
- If the DHCP server sits on the same LAN as the client, the client and server can
exchange DHCP messages directly, without needing help from a router
- If the DHCP server sits on another link compared to the client, the client and server
  rely on a router to forward the DHCP messages
- The router that forwards messages from one link to a server in a remote subnet must
be configured as DHCP Relay Agent, with knowledge of the DHCP server's IPv6 address
- Servers have configuration that lists pools of addresses for each subnet from which the
server allocates addresses
- Servers offer a lease of an IP address to a client, from the pool of addresses for the
client's subnet; the lease lasts a set time period (usually days or weeks)
- The server tracks state information, specifically a client identifier (often based on the
MAC address), along with the address that is currently leased to that client
- Stateful DHCPv6 host IPv6 settings configuration:
  - Stateful DHCPv6 supplies: unicast address, DNS servers
  - NDP supplies: prefix length, default router
- Stateful DHCPv6 messages:
- Solicit: client searches for IPv6 address of DHCPv6 server
- Source: client's link-local address
- Destination: all-DHCP-agents link-local scope multicast address FF02::1:2
- Advertise: server advertises an address and other configuration settings for client to
possibly use
- Request: client asks to lease the address
- Reply: server confirms the lease
- ipv6 dhcp relay destination server-ip enables DHCP relay
Configuration:
- ipv6 unicast-routing enables IPv6 routing
- ipv6 address enables IPv6 on an interface
- Router must both enable IPv6 globally and enable IPv6 on the interface to route
packets
- If only ipv6 address is configured, the router acts like an IPv6 host and does not route
IPv6 packets
- ipv6 enable enables IPv6 and router creates a link-local address

- After configuration of ipv6 unicast-routing and a unicast IPv6 address on an interface,
  the router:
- Gives the interface a unicast IPv6 address
- Enables the routing of IPv6 packets in/out that interface
- Defines the IPv6 prefix (subnet) that exists off that interface
- Tells the router to add a connected IPv6 route for that prefix, to the IPv6 routing
table, when that interface is up/up
Verification:
- show ipv6 interface brief:
- Gives interface IPv6 address information, but not prefix length information
- Lists link-local address
- Does not identify anycast addresses
- show ipv6 interface:
- Gives details of IPv6 interface settings
- Lists both address and prefix length and the subnet that interface is in
- Lists link-local address
- Lists joined multicast address(es)
- Identifies anycast addresses as anycast
- show ipv6 neighbor shows neighbour MAC addresses and verifies host connectivity to a
neighbour in the table
- clear ipv6 neighbor clears the IPv6 neighbour table
- Pinging a host with no neighbour table:
- Router sends NDP NS
- Host needs to send NDP NA back
- If host MAC address shows in neighbour table, host replied with NDP NA
- show ipv6 routers lists any other routers in the local subnet
- Cisco routers watch for (unsolicited) RA messages received from other routers
- Does not list MAC addresses
- interface ipv6 show neighbors (Windows) lists NDP neighbour table
- ip -6 neighbor show (Linux) lists NDP neighbour table
- ndp -an (Mac OS) lists NDP neighbour table
- ipconfig /all or ifconfig examines IPv6 settings
- ping (ping6), traceroute (traceroute6) checks host connectivity
- Standard ping and traceroute command work on Cisco routers for IPv6
- Extended ping and traceroute require the ipv6 keyword in the Protocol parameter
1.13 Configure and verify IPv6 Stateless Address Auto Configuration
Configure:
- ipv6 address autoconfig enables SLAAC on an interface
- ipv6 address autoconfig default enables SLAAC and dynamic default route learning
(using NDP RS/RA) on an interface
- When router receives NDP RA:
- It builds its own interface IPv6 address using SLAAC and prefix learned from RA
- It adds a local (/128) route for the address
- It adds a connected route for prefix learned from RA
- It adds a default route (::/0) with next-hop address of the sender of RA, as learned in
the RA
- Routing code "ND" = NDP-learned default route
- Routing code "NDp" = NDP-learned prefix (connected route)
Verification:
- Router: show ipv6 interface shows interface IPv6 settings
- Host: ipconfig /all shows addresses and prefix lengths
1.14 Compare and contrast IPv6 address types
1.14.a Global unicast
- Range: 2000::/3 (all not otherwise reserved)
- Global unicast IPv6 address = public IPv4 address
- Organisation asks for a registered IPv6 address block, as a global routing prefix,
and only that organisation uses the addresses inside that block of addresses; that
is, the addresses that begin with the assigned prefix
- Almost everyone uses /64 because dynamic IPv6 address assignment works better
- IPv6 subnetted addresses:
- Global routing prefix; as set by IANA, RIR, or ISP (often between /32 and /48-/56)
- Subnet part; as set by the local engineer (128 - Interface ID - GRP)
- Interface ID; as set by the local engineer (often 64 bits)
- Rules to find all prefix IDs:
- All subnet IDs begin with the global routing prefix
- Use a different value in the subnet field to identify each different subnet
- All subnet IDs have all 0s in the interface ID
- IPv6 subnet ID is formally called the subnet router anycast address, is reserved,
and should not be used as an IPv6 address for any host
Configuration:
To configure full, 128-bit address:
- ipv6 address address/prefix-length
To configure first 64 bits of the address and use EUI-64 to derive the rest:
- ipv6 address address/prefix-length eui-64
1.14.b Unique local

- Range: FC00::/7 (RFC 4193 requires eighth bit to be set to 1 => FD00::/8 in use)
- Unique local IPv6 address = private IPv4 address
- IPv6 NAT/PAT is used to assign unique local addresses to hosts
- Multiple organisations can use the exact same addresses, and with no
requirement for registering with any numbering authority
- For a real network, global routing prefixes should be chosen at random, so that it
is globally unique, to help the merging of two enterprise networks to become
much easier, as no two addresses overlap
- Unique local address rules:
- Use FD as the first two hex digits
- Choose a unique 40-bit global ID
- Append the global ID to FD to create a 48-bit prefix, used as the prefix for all your
addresses
- Use the next 16 bits as a subnet field
- Note that the structure leaves a convenient 64-bit interface ID field
Configuration:
To configure full, 128-bit address:
- ipv6 address address/prefix-length
To configure first 64 bits of the address and use EUI-64 to derive the rest:
- ipv6 address address/prefix-length eui-64
1.14.c Link local
- Range: FE80::/10 (but the RFC says the next 54 bits should be binary 0, so link-local
  addresses should always start with FE80::/64)
- Purposes of link-local addresses:
- Not used for normal IPv6 packet flows, but by overhead protocols and for routing
- IPv6 protocols such as NDP that need to send messages inside a single subnet
  typically use link-local addresses
- Routers use link-local addresses as the next-hop IPv6 addresses in IPv6 routes
- Hosts use default router's link-local address
- Key facts about link-local addresses:
- Link-local addresses represent a single host (unicast)
- Forwarding scope is the local link only (packets are not forwarded)
- Automatically generated; every IPv6 host interface (and router interface) can
create its own link-local address automatically, solving some initialisation
problems for hosts before they learn a dynamically learned global unicast
address
- Link-local addresses can be created:
- With EUI-64 format (Cisco routers)
- By random (Microsoft OS)
- With static configuration
- IOS creates link-local addresses for any interface that has configured at least one
other unicast address with ipv6 address (global unicast, unique local)
- Unicast and link-local addresses have same interface IDs if using EUI-64
- Two routers on a WAN link do not need global unicast addresses, whereas hosts
on each LAN need global unicast address
Configuration:
- ipv6 address address link-local OR
- IOS calculates link-local address with EUI-64 rules
- ipv6 enable enables IPv6 and router creates a link-local address
1.14.d Multicast
- Range: FF00::/8
- FF02::/16 = link-local scope multicast
- Router will not forward these packets outside the local subnet
- FF08::/16 = organisation-scope multicast
- Packets are forwarded throughout the organisation but not out the Internet
- Key IPv6 local-scope multicast addresses:
  - All-nodes: FF02::1; all interfaces that use IPv6 that are on the link; IPv4
    equivalent: subnet broadcast address
  - All-routers: FF02::2; all IPv6 router interfaces on the link; IPv4 equivalent: -
  - All-OSPF: FF02::5; all OSPF routers; IPv4 equivalent: 224.0.0.5
  - All-OSPF-DR: FF02::6; all OSPF-designated routers; IPv4 equivalent: 224.0.0.6
  - RIPng Routers: FF02::9; all RIPng routers; IPv4 equivalent: 224.0.0.9
  - EIGRPv6 Routers: FF02::A; all routers using EIGRPv6; IPv4 equivalent: 224.0.0.10
  - DHCP Relay Agent: FF02::1:2; all routers acting as a DHCPv6 relay agent; IPv4
    equivalent: -
- Solicited-node multicast address:
    - Range: FF02::1:FF/104
    - FF02::1:FF + last 6 hex digits of unicast address
    - Every interface with unicast addresses has a solicited-node multicast address for
      each unicast address (global unicast, unique local)
    - More than one host can have the same solicited-node multicast address
1.14.e Modified EUI 64
- Rules for creating interface IDs (last 64 bits):
    1. Split the 6-byte (12 hex digit) MAC address in two halves (6 hex digits each)
    2. Insert FFFE in between the two, making the interface ID now have a total of 16
       hex digits (64 bits)
    3. Invert the seventh bit of the interface ID
- Serial interfaces DO NOT have associated MAC addresses
=> Router chooses the MAC address of the lowest-numbered router interface that
does have a MAC address
Configuration:
- ipv6 address address/prefix-length eui-64
- If you mistakenly type the full address and use the eui-64 keyword, IOS accepts
the command and converts the address to the matching prefix before putting the
command into the running-config file
1.14.f Autoconfiguration
- SLAAC IPv6 settings configuration (which mechanism supplies each setting):
Setting            SLAAC   NDP (RS/RA)   Stateless DHCPv6
Unicast address    X
Prefix                     X
Prefix length              X
Default router             X
DNS servers                              X
- SLAAC IPv6 address choice process:
1. Learn the IPv6 prefix used on the link, from any router, using NDP RS/RA
messages
2. Choose its own IPv6 address by making up the interface ID value to follow the
just-learned IPv6 prefix
3. Before using the address, first use DAD to make sure that no other host is
already using the same address
- Stateless DHCPv6 server:
- Needs simple configuration only; small number of DNS server addresses
- Needs no per-subnet configuration; no lists, pools, excluded addresses etc.
- Does not need to track state information about DHCP leases because it does not
lease any addresses to any clients
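Worked example (added to these notes; not code from the original or from Cisco IOS) covering the solicited-node multicast rule in 1.14.d, the modified EUI-64 rules in 1.14.e and the SLAAC address choice in 1.14.f: the interface ID is built from a MAC address, combined with FE80::/64 for the link-local address and with a learned /64 prefix for the global unicast address, and the solicited-node multicast address is derived from the result. The MAC address 0013.7bf8.4c01 and prefix 2001:db8:1:1::/64 are constructed sample values, and the function names are this example's own.

```python
import ipaddress

# Constructed sample values (not taken from the notes): a MAC address in
# Cisco dotted notation and a documentation prefix for the LAN.
SAMPLE_MAC = "0013.7bf8.4c01"
SAMPLE_PREFIX = "2001:db8:1:1::/64"


def mac_to_bytes(mac: str) -> bytes:
    """Accept 0013.7bf8.4c01, 00:13:7b:f8:4c:01 or 00-13-7b-f8-4c-01 notation."""
    digits = "".join(c for c in mac if c in "0123456789abcdefABCDEF")
    if len(digits) != 12:
        raise ValueError(f"MAC address needs 12 hex digits: {mac!r}")
    return bytes.fromhex(digits)


def eui64_interface_id(mac: str) -> bytes:
    """Modified EUI-64 rules from 1.14.e: split the 6-byte MAC into two halves,
    insert FFFE between them, then invert the seventh bit of the first byte."""
    m = mac_to_bytes(mac)
    iid = bytearray(m[:3] + b"\xff\xfe" + m[3:])
    iid[0] ^= 0x02          # seventh bit (the universal/local bit) is flipped
    return bytes(iid)


def address_from_prefix(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """A /64 prefix plus the EUI-64 interface ID: what the eui-64 keyword or
    SLAAC (prefix learned from an RA, interface ID chosen locally) produces."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("an EUI-64 interface ID needs a /64 prefix")
    return ipaddress.IPv6Address(net.network_address.packed[:8] + eui64_interface_id(mac))


def link_local_from_mac(mac: str) -> ipaddress.IPv6Address:
    """Link-local address as IOS builds it: FE80::/64 plus the EUI-64 interface ID,
    so the link-local and global unicast addresses share the same interface ID."""
    return address_from_prefix("fe80::/64", mac)


def solicited_node(addr: str) -> ipaddress.IPv6Address:
    """FF02::1:FF followed by the last 24 bits (6 hex digits) of the unicast address."""
    base = ipaddress.IPv6Address("ff02::1:ff00:0").packed
    last24 = ipaddress.IPv6Address(addr).packed[13:]
    return ipaddress.IPv6Address(base[:13] + last24)


if __name__ == "__main__":
    ll = link_local_from_mac(SAMPLE_MAC)
    gua = address_from_prefix(SAMPLE_PREFIX, SAMPLE_MAC)
    print("interface ID :", eui64_interface_id(SAMPLE_MAC).hex())
    print("link-local   :", ll)
    print("global       :", gua)
    print("solicited    :", solicited_node(str(gua)))
    print("same for both:", solicited_node(str(ll)) == solicited_node(str(gua)))
```

Because the link-local and global addresses share the interface ID, they also share one solicited-node group; two hosts whose unicast addresses end in the same 24 bits (for example 2001:db8::1 and fe80::1) map to the same FF02::1:FF00:1 group, which is the "more than one host" case above.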
1.14.g Anycast
- Packets sent to an anycast address are delivered to the nearest device that supports the address
- Anycast addresses are configured and advertised with a /128 prefix, as a host route
- The subnet router anycast address is reserved for use by routers as a way to send a
  packet to any router on the subnet and has the same value as the subnet ID
Configuration:
- ipv6 address address/128 anycast

2.0 LAN Switching Fundamentals


2.1 Describe and verify switching concepts
2.1.a MAC learning and aging
Learning:
- Switch adds unknown source MAC address from frame to MAC address table as a
dynamic entry
Aging:
- Switches remove entries that have not been used for a defined aging time
(default 300 seconds)
- Switches reset inactivity timer to 0 for entry if incoming frame has source MAC
address of entry
- To add a new table entry, switches time out the oldest table entry if table is full
- show mac address-table aging-time: shows aging time of MAC address
- show mac address-table count: shows amount of dynamic/static MAC addresses
in the MAC address table and space available
- clear mac address-table dynamic: removes dynamic entries from the MAC
address table
2.1.b Frame switching

- Full duplex: node can send and receive at the same time: no collisions
- Half duplex: node can only send or receive at any given time: CSMA/CD with
backoff should be used, but collisions still occur naturally
Switch forwarding logic:
Known unicast:
- Switches compare destination MAC address to MAC address table
- The matched table entry tells the switch to forward the frame out a port
- The switch filters on all other ports
Unknown unicast and broadcast:
- Switches flood unknown unicasts and broadcasts

- show interfaces int-id counters: lists number of unicast, multicast, and broadcast
frames received/sent by the port
- show interfaces status
Switch forwarding path:
- Is interface on up/up state?
- No: port cannot send/receive frames
- show interfaces (line/protocol), show interfaces status (state)
- Is port security configured?
- Yes: apply port security logic to filter frames as appropriate
- show port-security interface, show port-security, show mac address-table
{static | secure}
- Is the port an access port?
- Yes: determine interface's access VLAN
- No: determine the frame's tagged VLAN
- show interfaces switchport (administrative/operational modes), show
interfaces trunk (allowed VLANs)
- Is the frame a (A) known unicast? (B) unknown unicast? (C) broadcast?
- A: forward frame out only matched address table entry
- B,C: flood frame out all other access ports except incoming port in same VLAN
and allowed trunks
- show mac address-table {dynamic}
2.1.c Frame flooding
- Flooding: Forwarding the frame out all interfaces except the incoming interface
- Switches flood unknown unicasts and LAN broadcast frames (FFFF.FFFF.FFFF)
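Worked example (added to these notes; not code from the original or from Cisco IOS) for the learning, aging, forwarding and flooding logic of 2.1.a to 2.1.c: a toy switch that learns source MACs as dynamic entries, ages them out after the 300-second default, forwards known unicasts out the matched port only, and floods unknown unicasts and broadcasts out every other port in the same VLAN. The port names, MAC addresses and the small table size are constructed for the example; trunks, port security and down ports are assumed away.

```python
from dataclasses import dataclass

BROADCAST = "ffff.ffff.ffff"
AGING_TIME = 300   # seconds: the default aging time quoted in 2.1.a


@dataclass
class Frame:
    src: str   # source MAC, Cisco dotted notation
    dst: str   # destination MAC


class Switch:
    """Toy model of the forwarding path in 2.1.b (assumed simplification: access ports
    only, no trunks, no port security, every port up/up)."""

    def __init__(self, ports, max_entries=8):
        self.ports = dict(ports)        # port name -> access VLAN
        self.max_entries = max_entries  # constructed small table size to show eviction
        self.table = {}                 # (vlan, mac) -> {"port": ..., "last_seen": ...}

    def age(self, now):
        """Aging: drop entries whose inactivity timer exceeds the aging time."""
        for key, entry in list(self.table.items()):
            if now - entry["last_seen"] > AGING_TIME:
                del self.table[key]

    def learn(self, vlan, src, in_port, now):
        """Learning: record the source MAC as a dynamic entry (timer reset to 0);
        a full table evicts its oldest entry first."""
        key = (vlan, src)
        if key not in self.table and len(self.table) >= self.max_entries:
            oldest = min(self.table, key=lambda k: self.table[k]["last_seen"])
            del self.table[oldest]
        self.table[key] = {"port": in_port, "last_seen": now}

    def forward(self, frame, in_port, now):
        """Return the ports the frame leaves on (empty list = filtered)."""
        vlan = self.ports[in_port]
        self.age(now)
        self.learn(vlan, frame.src, in_port, now)
        entry = self.table.get((vlan, frame.dst))
        if frame.dst != BROADCAST and entry is not None:
            # Known unicast: forward out the matched port only, filter all others.
            return [] if entry["port"] == in_port else [entry["port"]]
        # Unknown unicast or broadcast: flood out every other port in the same VLAN.
        return [p for p, v in self.ports.items() if v == vlan and p != in_port]

    def show_mac_address_table_dynamic(self):
        """Rows in the order of the show mac address-table dynamic columns."""
        return [(vlan, mac, "DYNAMIC", e["port"])
                for (vlan, mac), e in sorted(self.table.items())]


def demo():
    """Constructed frame sequence; returns the list of egress ports per frame."""
    sw = Switch({"Fa0/1": 1, "Fa0/2": 1, "Fa0/3": 1, "Fa0/4": 2})
    a, b, c = "0200.1111.1111", "0200.2222.2222", "0200.3333.3333"
    return [
        sw.forward(Frame(a, b), "Fa0/1", now=0),          # b unknown: flood VLAN 1
        sw.forward(Frame(b, a), "Fa0/2", now=1),          # a known: Fa0/1 only
        sw.forward(Frame(a, BROADCAST), "Fa0/1", now=2),  # broadcast: flood VLAN 1
        sw.forward(Frame(c, BROADCAST), "Fa0/4", now=3),  # no other VLAN 2 port: nowhere
        sw.forward(Frame(c, b), "Fa0/3", now=400),        # a and b aged out: flood again
    ]


if __name__ == "__main__":
    for ports in demo():
        print(ports)
```

The last frame in demo() shows why aging matters for troubleshooting: once the entries for a and b have been idle longer than the aging time, a frame to b is flooded again even though the switch once knew the port.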
STP:
- STP prevents loops and broadcast storms
- STP states:
- Blocking state: interface can't forward or receive data frames
- Forwarding state: interface can send and receive data frames
- Other states: listening state, learning state, disabled state
- STP is enabled by default
2.1.d MAC address table
- show mac address-table: lists all known MAC addresses in the MAC address table
- show mac address-table dynamic: lists all dynamically learned MAC addresses
    - VLAN: the VLAN in which the switch will forward
    - MAC address
    - Type: dynamic or static
    - Ports: outgoing port

- show mac address-table dynamic address addr: shows a specific dynamic MAC
address entry in the MAC address table
- show mac address-table dynamic interface int-id: shows a dynamically learned
MAC address entries from a particular port in the MAC address table
- show mac address-table dynamic vlan vlan-id: shows dynamic MAC address table
entries for one VLAN

2.2 Interpret Ethernet frame format

2.3 Troubleshoot interface and cable issues (collisions, errors, duplex, speed)
- duplex {auto | full | half}: configures duplex of interface, default is auto
- speed {auto | 10 | 100 | 1000}: configures speed of interface, default is auto
- [no] shutdown: enables/disables interface
- show interfaces status: displays port status, duplex, speed and type
- no duplex | speed: sets interface speed/duplex to default configuration (auto)
- Autonegotiation: both ends use the fastest speed and the best duplex (full) that both ports support
- In case of autonegotiation failure:
- Sense the speed: if speed is 10 or 100, use half duplex; otherwise use full duplex
- If sensing speed fails: use IEEE default of slowest supported speed
- Duplex mismatch will cause 'late collision' errors
- Devices connected to hubs must use IEEE default settings (often 10 Half)
Duplex mismatch:
- show interfaces status shows if duplex was autonegotiated or statically configured
- show interfaces int-id shows the duplex setting in use, but does not state whether it was
  autonegotiated or statically configured
Interface status:
- Duplex mismatch: two devices use different duplexes
- Switch with half duplex and using CSMA/CD will experience collisions
- Administratively down/down (disabled): the shutdown command is configured
- Down/down (notconnect): no cable; bad cable; wrong cable pinouts; speed mismatch;
neighbouring device is powered off, shutdown or err-disabled
- Down/down (err-disabled): port security has disabled the interface
- Up/up (connected): the interface is working
Interface counters:
- Runts: frames that did not meet the minimum frame size requirement (64 bytes)
- Giants: frames that exceed the maximum frame size requirement (1518 bytes)
- Input errors: total of runts/giants/no buffer/CRC/frame/overrun/ignored counts etc.
- CRC: received frames that did not pass the FCS math
- Frame: received frames that have an illegal format (e.g. ending with partial byte)
- Packets output: total number of packets forwarded out interface
- Output errors: total number of packets that switch port tried to transmit, but for which
some problem occurred
- Collisions: counter of all collisions that occur when the interface is transmitting a frame
- Late collisions: the subset of all collisions that happen after the 64th byte of the frame
Collisions:
- Increasing runts, input errors, CRC, frame errors, collisions counter
Duplex mismatch:
- Increasing late collisions counter (and runts, input errors, CRC, collisions)
Cable interference:
- Increasing CRC counter but not increasing collisions counter
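Worked example (added to these notes; not code from the original or from Cisco IOS) that applies the three counter rules above to two snapshots of show interfaces output taken some minutes apart: late collisions increasing points to a duplex mismatch, collisions increasing without late collisions means ordinary half-duplex collisions, and CRC errors increasing while collisions stay flat points to cable interference. The show interfaces extracts are constructed for the example, not real captures, and the function names are this example's own.

```python
import re

# Constructed extracts of show interfaces output for one port taken a few minutes
# apart (not real captures). Only the counter lines the notes discuss are parsed.
SNAPSHOT_T0 = """\
FastEthernet0/1 is up, line protocol is up (connected)
  Half-duplex, 100Mb/s, media type is 10/100BaseTX
     0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 output errors, 0 collisions, 1 interface resets
     0 babbles, 0 late collision, 0 deferred
"""

SNAPSHOT_T1_DUPLEX = """\
FastEthernet0/1 is up, line protocol is up (connected)
  Half-duplex, 100Mb/s, media type is 10/100BaseTX
     37 runts, 0 giants, 0 throttles
     52 input errors, 15 CRC, 0 frame, 0 overrun, 0 ignored
     0 output errors, 41 collisions, 1 interface resets
     0 babbles, 29 late collision, 0 deferred
"""

SNAPSHOT_T1_CABLE = """\
FastEthernet0/1 is up, line protocol is up (connected)
  Half-duplex, 100Mb/s, media type is 10/100BaseTX
     0 runts, 0 giants, 0 throttles
     23 input errors, 23 CRC, 0 frame, 0 overrun, 0 ignored
     0 output errors, 0 collisions, 1 interface resets
     0 babbles, 0 late collision, 0 deferred
"""

# "<number> <counter name>" pairs; "late collision" must be tried before "collisions".
COUNTER_RE = re.compile(r"(\d+) (late collision|collisions|runts|giants|input errors|CRC|frame)\b")


def parse_counters(show_output):
    """Pull the named counters out of show interfaces text into a dict."""
    return {name: int(value) for value, name in COUNTER_RE.findall(show_output)}


def diagnose(before, after):
    """Apply the rules from 2.3 to the counter deltas between two snapshots."""
    delta = {k: after.get(k, 0) - before.get(k, 0) for k in after}
    findings = []
    if delta.get("late collision", 0) > 0:
        findings.append("duplex mismatch suspected: late collisions increasing")
    elif delta.get("collisions", 0) > 0:
        findings.append("collisions occurring: collisions counter increasing without late collisions")
    if delta.get("CRC", 0) > 0 and delta.get("collisions", 0) == 0:
        findings.append("cable interference suspected: CRC errors increasing without collisions")
    return findings


if __name__ == "__main__":
    t0 = parse_counters(SNAPSHOT_T0)
    for label, snap in (("duplex", SNAPSHOT_T1_DUPLEX), ("cable", SNAPSHOT_T1_CABLE)):
        print(label, "->", diagnose(t0, parse_counters(snap)))
```

Working from deltas rather than absolute values matters: a port that logged errors months ago still shows non-zero counters, so only counters that are still climbing indicate a current problem (clear counters on the interface gives the same effect).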
Collision domains:
- All ports in a LAN hub are in a single collision domain
- Each port in a LAN bridge is in a separate collision domain
- Each port in a LAN switch is in a separate collision domain
- Each LAN port in a router is in a separate collision domain (the term collision domain
does not apply to WAN interfaces, which use non-Ethernet protocols, e.g. serial, ATM)
- LAN switches/routers with full duplex on each link would have no collisions at all
Broadcast domains:
- Each VLAN is a broadcast domain created through configuration
- Routers create separate broadcast domains off their separate Ethernet interfaces
2.4 Configure, verify, and troubleshoot VLANs (normal range) spanning multiple switches
2.4.a Access ports (data and voice)
- Normal-range VLANs: 1 - 1005 (legacy/reserved: 1002 - 1005)
- Extended-range VLANs: 1006 - 4094
- Same VLAN = same subnet = same broadcast domain
- VTP servers can configure VLANs in the standard range only
Configure access VLAN:
- Step 1: Configure a new VLAN (can also be configured at step 2B):
A. vlan vlan-id -- creates the VLAN and moves user to VLAN config mode
B. (opt) name vlan-name -- lists a name for the VLAN (default VLANXXXX)
- Step 2: For each access (nontrunking) interface:
A. interface int-id -- move to interface config mode for each desired interface
B. switchport access vlan id-number -- specifies the VLAN number associated
with that interface
C. (opt) switchport mode access -- makes the port always operate in access mode
Configure VTP:
- vtp mode transparent sets switch to use VTP transparent mode
- vtp mode off sets switch to disable VTP
Configure data and voice VLAN:
- CDP must be enabled for voice VLANs
- PC => IP phone embedded switch => Ethernet switch
- Port is not listed in the list of operational trunks in show interfaces trunk
- switchport access vlan vlan-id -- defines the data VLAN
switchport mode access -- makes the port always operate in access mode
switchport voice vlan vlan-id -- sets the voice VLAN ID
Verify:
- show vlan brief lists name, status and ports in VLANs
- show vlan {id vlan-id} lists detailed information about VLANs
- show vtp status shows the VTP status
Troubleshooting VLANs:
- Identify all access interfaces and their assigned access VLANs and reassign into
  the correct VLANs as needed
  (show interfaces switchport; switchport access vlan x)
- Determine whether the VLANs both exist (configured or learned with VTP) and
  are active on each switch. If not, configure and activate the VLANs to resolve
  problems as needed
  (show vlan {brief | id x}; vlan x OR switchport access vlan x; no shutdown vlan x)
- Check the allowed VLAN lists, on the switches on both ends of the trunk, and
  ensure that the lists of allowed VLANs are the same
  (show interfaces trunk)
- Check for incorrect configuration settings that result in one switch operating as
  a trunk, with the neighbouring switch not operating as a trunk
  (show interfaces switchport)
- Disabled VLANs:
- Active: VLAN is operational and active
- Act/lshut: VLAN is shut down, switch will not forward frames in that VLAN
- [no] shutdown vlan x or [no] shutdown in VLAN config mode disables/enables
VLAN
2.4.b Default VLAN
- Default native VLAN is VLAN 1
- All ports are put in VLAN 1 by default

2.5 Configure, verify, and troubleshoot interswitch connectivity


2.5.a Trunk ports
- Switches treat VLAN trunk links as part of all VLANs
- Router-on-a-stick uses a single trunk link from a switch to a router
Configure VLAN trunking:
- switchport mode trunk or switchport mode access (to enable/disable trunking,
provides better security)
- switchport mode dynamic {auto | desirable} either initiates negotiation or
passively waits to receive trunk negotiation
- switchport nonegotiate disables DTP negotiations

- switchport trunk encapsulation {dot1q | isl | negotiate} configures 802.1Q, ISL
  or lets DTP negotiate it (if both switches support both protocols, they use ISL,
  otherwise they use the protocol that both support) (newer switches use 802.1Q by
  default and do not support this command)
Verify:
- show interfaces {int-id} switchport lists administrative/operational modes of
trunking and trunking protocols, voice VLAN status and trunk settings
- show interfaces {int-id} trunk lists all currently operational trunk interfaces
Troubleshooting:
- Mismatched trunking operational states:
- When both switches use switchport mode dynamic auto, both will passively
wait for negotiation messages
    - When one switch uses operational state "trunk" and the other uses operational
      state "static access", both ports show up/up, traffic in the native VLAN will
      cross successfully but traffic in all other VLANs will not, as all received
      frames that have an 802.1Q header are discarded
- Check both operational states using show interfaces trunk and show
interfaces switchport and re-configure if necessary
- switchport mode trunk does not disable DTP negotiations; switchport
nonegotiate is required to disable DTP negotiations

2.5.b 802.1Q
- 802.1Q inserts an extra 4-byte 802.1Q header, with VLAN ID field
- Newer switches use 802.1Q by default
2.5.c Native VLAN
- 802.1Q does not add 802.1Q header to frames in native VLAN
- Default native VLAN is VLAN 1
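Worked example (added to these notes; not code from the original or from Cisco IOS) for the frame format of 2.2 and the tagging rules of 2.5.b and 2.5.c: it builds Ethernet II frames with and without the 4-byte 802.1Q header (TPID 0x8100 followed by a 16-bit TCI holding the 3-bit PCP, 1-bit DEI and 12-bit VLAN ID), parses them back, and models a trunk that leaves native-VLAN frames untagged next to an access port that discards any tagged frame, which reproduces the trunk-to-access mismatch described in 2.5.a. MAC addresses and payload bytes are constructed; the function names are this example's own.

```python
import struct

TPID_8021Q = 0x8100       # EtherType value that announces an 802.1Q tag
ETHERTYPE_IPV4 = 0x0800
NATIVE_VLAN = 1           # default native VLAN (2.5.c)


def mac_to_bytes(mac):
    digits = "".join(c for c in mac if c in "0123456789abcdefABCDEF")
    if len(digits) != 12:
        raise ValueError(f"bad MAC {mac!r}")
    return bytes.fromhex(digits)


def bytes_to_mac(b):
    h = b.hex()
    return f"{h[0:4]}.{h[4:8]}.{h[8:12]}"


def build_frame(dst, src, payload, vlan=None, pcp=0):
    """Ethernet II frame; when vlan is given, insert the 4-byte 802.1Q header
    (TPID 0x8100 + TCI: 3-bit PCP, 1-bit DEI, 12-bit VLAN ID) after the MACs."""
    frame = mac_to_bytes(dst) + mac_to_bytes(src)
    if vlan is not None:
        if not 1 <= vlan <= 4094:
            raise ValueError("VLAN ID must be 1-4094")
        tci = ((pcp & 0x7) << 13) | (vlan & 0x0FFF)
        frame += struct.pack("!HH", TPID_8021Q, tci)
    return frame + struct.pack("!H", ETHERTYPE_IPV4) + payload


def parse_frame(frame):
    """Decode the header; the 802.1Q tag is present only if the EtherType slot is 0x8100."""
    dst, src = bytes_to_mac(frame[0:6]), bytes_to_mac(frame[6:12])
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype == TPID_8021Q:
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        return {"dst": dst, "src": src, "tagged": True, "vlan": tci & 0x0FFF,
                "pcp": tci >> 13, "ethertype": ethertype, "payload": frame[18:]}
    return {"dst": dst, "src": src, "tagged": False, "vlan": None,
            "pcp": None, "ethertype": ethertype, "payload": frame[14:]}


def trunk_send(dst, src, payload, vlan, native=NATIVE_VLAN):
    """Trunk egress: frames in the native VLAN leave untagged, all others tagged."""
    return build_frame(dst, src, payload, vlan=None if vlan == native else vlan)


def trunk_receive(frame, native=NATIVE_VLAN):
    """Trunk ingress: tagged frames belong to the tagged VLAN, untagged to the native VLAN."""
    f = parse_frame(frame)
    return f["vlan"] if f["tagged"] else native


def access_receive(frame, access_vlan):
    """Access ingress: untagged frames join the access VLAN; tagged frames are discarded,
    which is why a trunk-to-access mismatch passes native-VLAN traffic only (2.5.a)."""
    f = parse_frame(frame)
    return None if f["tagged"] else access_vlan


if __name__ == "__main__":
    payload = b"\x45\x00" + bytes(18)   # constructed stand-in for an IPv4 packet
    for vlan in (1, 10):
        wire = trunk_send("0200.2222.2222", "0200.1111.1111", payload, vlan)
        print(f"VLAN {vlan}: {len(wire)} bytes, tagged={parse_frame(wire)['tagged']}, "
              f"trunk sees VLAN {trunk_receive(wire)}, access port sees {access_receive(wire, 1)}")
```

The native-VLAN rule is also why both ends of a trunk must agree on the native VLAN: an untagged frame is placed in whatever native VLAN the receiving side has configured.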
2.6 Configure and verify Layer 2 protocols
2.6.a Cisco Discovery Protocol
- CDP is a Cisco-proprietary protocol
- CDP discovers information about neighbouring devices by listening for the
advertisements sent by other devices
- CDP discovers:
- Device identifier: typically the hostname
- Address list: network and data link addresses
- Port identifier: the interface on the remote router/switch on the other end of the
link that sent the CDP advertisement
- Capabilities list: information on what type of device it is (e.g. router or switch)
- Platform: the model and OS level running on the device
- Cisco IP phones use CDP to learn data and voice VLAN IDs on the access switch
- Any switchport connected to another switch, a router, or to an IP phone should
use CDP
- CDP creates a security exposure, so Cisco recommends CDP being disabled on
unnecessary interfaces
Configuration:
- [no] cdp run enables/disables CDP globally (enabled by default)
- [no] cdp enable enables/disables CDP on an interface (enabled by default)
Verification:
- show cdp neighbors [type number] lists one summary line of information about
each neighbour or just the neighbour found on a specific interface if listed
- Lists device ID
- Lists local interface
- Lists holdtime (amount of time device holds info until discarding, default 180)
- Lists Capability (router or switch)
- Lists platform (short model name of device)
- Lists port ID (neighbouring device interface)
- show cdp neighbors detail lists one large set of information (approx. 15 lines),
one set for every neighbour
- Lists device ID, (full) platform, capabilities, interface, port ID
- Lists IP address
- Lists IOS version
- Lists VLAN information
- show cdp entry name lists the same information as show cdp neighbors detail,
but only for the named neighbour
- show cdp states whether CDP is enabled globally, and lists the default update
and holdtime timers
- show cdp interface [type number] states whether CDP is enabled on each
interface, or a single interface if the interface is listed, and states update and
holdtime timers on those interfaces
- show cdp traffic lists global statistics for the number of CDP advertisements sent
and received
2.6.b LLDP
- IEEE-standard (802.1ab) protocol
- CDP and LLDP have similar command syntax:
    - lldp run enables LLDP globally
- no lldp transmit configures LLDP to only receive
- no lldp receive configures LLDP to only send
- Default: both are enabled
- show lldp neighbors
- show lldp entry name

2.7 Configure, verify, and troubleshoot port security


Verifying Port Security
- show port-security interface int-id: lists configuration settings for port security on an
interface (port status, violation mode, maximum MAC addresses, sticky MAC addresses,
last source address etc.)
- show mac address-table secure: lists MAC addresses associated with ports that use port
  security
- show mac address-table static: lists MAC addresses associated with ports that use port
  security, as well as any other statically defined MAC addresses
Troubleshooting port security:
Common problems:
- Low maximum number of MAC addresses
- Misconfiguration of MAC addresses
- Indications: increasing violation counters, syslog messages, secure-down (for
shutdown)
2.7.a Static
- Predefines any allowed source MAC addresses for the interface
- switchport mode access | trunk
switchport port-security
switchport port-security mac-address mac-address
2.7.b Dynamic
- Switch dynamically learns MAC addresses with sticky learning
- switchport mode access | trunk
switchport port-security
2.7.c Sticky
- Sticky secure MAC address: port security learns MAC address off each port and
stores them in port security configuration (running-config file) as secure
- switchport mode access | trunk
switchport port-security
switchport port-security mac-address sticky
switchport port-security mac-address sticky mac-address -- adds a MAC address
to sticky learned MAC addresses
2.7.d Max MAC addresses
- Override default maximum number of allowed MAC addresses (1)
- switchport mode access | trunk
switchport port-security
switchport port-security maximum number
2.7.e Violation actions
- Override the default action to take upon a security violation (shutdown)
- Port status Secure-shutdown: a violation occurred, no traffic is allowed and violation mode
  shutdown is configured
- Look at last source address to identify the MAC address of error

- switchport mode access | trunk
switchport port-security
switchport port-security violation {protect | restrict | shutdown}
2.7.f Err-disable recovery
- IOS displays err-disabled state instead of no shutdown
- shutdown & no shutdown recovers interface from err-disabled state, resets the
violation counter to 0
- errdisable recovery cause psecure-violation enables automatic recovery from a
port-security violation
- errdisable recovery interval {30 - 86400} configures the amount of time (in seconds)
  after which an err-disabled port is automatically re-enabled
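Worked example (added to these notes; not code from the original or from Cisco IOS) that models one port's port-security state across 2.7.a to 2.7.f: static, dynamic and sticky secure addresses, the maximum, the three violation modes (protect drops silently with no counter increment, restrict drops and increments the counter with a log message, shutdown err-disables the port), the last source address used to identify the offending MAC, and recovery that resets the violation counter. The class name, the constructed log text and the MAC addresses are this example's own.

```python
class PortSecurity:
    """Model of one port's port-security state (2.7.a-2.7.f): constructed for this
    note, not IOS code. Behaviour per violation mode follows the IOS modes:
    protect drops silently, restrict drops and counts/logs, shutdown err-disables."""

    def __init__(self, maximum=1, violation="shutdown", static=(), sticky=False):
        if violation not in ("protect", "restrict", "shutdown"):
            raise ValueError("violation mode must be protect, restrict or shutdown")
        self.maximum = maximum                 # switchport port-security maximum
        self.violation = violation             # switchport port-security violation
        self.sticky = sticky                   # switchport port-security mac-address sticky
        self.secure = {m: "static" for m in static}  # mac -> static | dynamic | sticky
        self.violation_count = 0
        self.err_disabled = False
        self.last_source = None
        self.syslog = []                       # constructed messages, not IOS text

    def receive(self, src_mac):
        """Apply port security to a frame's source MAC; True = forwarded, False = dropped."""
        if self.err_disabled:
            return False                       # err-disabled port passes nothing
        self.last_source = src_mac
        if src_mac in self.secure:
            return True
        if len(self.secure) < self.maximum:
            # Room left: learn the address (sticky entries end up in the running-config).
            self.secure[src_mac] = "sticky" if self.sticky else "dynamic"
            return True
        if self.violation == "protect":        # silent drop: no counter, no log
            return False
        self.violation_count += 1
        self.syslog.append(f"security violation by {src_mac}")
        if self.violation == "shutdown":
            self.err_disabled = True           # port goes to err-disabled (Secure-shutdown)
        return False

    def recover(self):
        """shutdown / no shutdown, or errdisable recovery: port comes back, counter reset."""
        self.err_disabled = False
        self.violation_count = 0

    def port_status(self):
        """The Port Status field of show port-security interface."""
        return "Secure-shutdown" if self.err_disabled else "Secure-up"

    def running_config_lines(self):
        """What sticky learning writes into the running-config."""
        return [f"switchport port-security mac-address sticky {m}"
                for m, kind in self.secure.items() if kind == "sticky"]


if __name__ == "__main__":
    port = PortSecurity(maximum=1, violation="shutdown", sticky=True)
    for mac in ("0200.1111.1111", "0200.1111.1111", "0200.9999.9999", "0200.1111.1111"):
        print(mac, "forwarded" if port.receive(mac) else "dropped", port.port_status())
    print("violations:", port.violation_count, "last source:", port.last_source)
    print("\n".join(port.running_config_lines()))
```

The model shows the troubleshooting point from above: in shutdown mode the legitimate host is cut off too once the port is err-disabled, so last_source (not the secure address list) is what identifies the offending MAC.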

3.0 Routing Fundamentals


3.1 Describe the routing concepts
3.1.a Packet handling along the path through a network
- Switch:
- Switches do NOT rewrite frames since they only look at the Layer 2 details
- Router:

3.1.b Forwarding decision based on route lookup


- Host logic:
- If destination is in the same LAN:
- Find the host's MAC address using ARP table entry, or use ARP messages
- Encapsulate the IP packet in a data-link frame, with destination address of
destination host and send directly to that address
- If destination is not in the same LAN:
- Find the default router's MAC address using ARP table entry, or ARP messages
- Encapsulate the IP packet in a data-link frame, with destination address of the
default gateway and send to the default router
- Router logic:
1A. Use FCS field to check frame for errors:
- If error: discard the frame (no error recovery)
1B. Check destination MAC address to decide whether the frame is intended for
the router:
- If it is not for the router: ignore the frame
2. Discard the original frame's data-link header and trailer
3. Compare destination IP address to routing table and decide which interface is to
be used:
    - Find the longest match for the subnet/network in which the destination IP
      address resides
- If there is no match, send to the gateway of last resort (default route)
- If there is no default route, drop the packet
4. Encapsulate the packet in a new Ethernet (using ARP table or send ARP
messages) or HDLC frame
- Routing update example:
    - R3 adds a connected route to 150.150.4.0
    - R3 sends a routing update to R2
    - R2 adds a route to 150.150.4.0 with next-hop router R3
    - R2 sends a routing update to R1
    - R1 adds a route to 150.150.4.0 with next-hop router R2
Verification:
- show ip route output:
3.1.c Frame rewrite
Router:
- Frame rewrite happens at every Layer 3 device a packet passes through
- Routers discard the original frame after checking the FCS and destination MAC
address and encapsulate it in a new frame according to the outgoing interface:

- Ethernet frame => HDLC frame => Ethernet frame

- Ethernet frame => Ethernet frame => Ethernet frame


Switch:
- Switches do NOT rewrite frames as they don't need to check the packet details

3.2 Interpret the components of routing table


- Routing table entry format: Code Prefix/Network-mask [AD/metric] via Next-hop
3.2.a Prefix
- Prefix is the destination subnet ID of the route
3.2.b Network mask
- Network mask is the subnet mask of the destination subnet of the route
3.2.c Next hop
- Next-hop router's neighbouring interface's IP address
3.2.d Routing protocol code
- Lists abbreviated code for route types:
L Local
C Connected
S Static
R RIP
D EIGRP
O OSPF
* Candidate default
3.2.e Administrative distance
- Administrative distance (AD) prioritises certain types of routes
- Default AD:

Connected 0
Static 1
EIGRP 90
OSPF 110
RIP 120
DHCP-learned default route 254
Unknown 255
3.2.f Metric
- Metric is the priority of a route as defined by a protocol (lower = better)
- RIP uses hop counts based on the number of next-hop routers
- OSPF uses cost based on bandwidth
- EIGRP uses cost based on bandwidth + delay
3.2.g Gateway of last resort
- Gateway of last resort is the default route, used when packets do not match any
other more specific entries in the routing table

3.3 Describe how a routing table is populated by different routing information sources
3.3.a Admin distance
- Routing information source with lower administrative distance = better
- Default administrative distances:
Connected 0
Static 1
EIGRP 90
OSPF 110
RIP 120
DHCP-learned default route 254
Unknown 255
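Worked example (added to these notes; not code from the original or from Cisco IOS) for the route lookup of 3.1.b and the table components and administrative distances of 3.2 and 3.3: candidate routes from several sources are reduced to one entry per prefix/mask by AD (then metric within a protocol), and a destination is matched against the longest prefix, falling back to 0.0.0.0/0 as the gateway of last resort and dropping when nothing matches. The addresses and next hops are a constructed table, equal-cost load balancing is left out, and the function names are this example's own.

```python
import ipaddress
from dataclasses import dataclass

# Default administrative distances from 3.2.e / 3.3.a.
DEFAULT_AD = {"C": 0, "S": 1, "D": 90, "O": 110, "R": 120}


@dataclass(frozen=True)
class Route:
    code: str                        # L/C/S/R/D/O route type code
    prefix: ipaddress.IPv4Network    # prefix + network mask
    next_hop: str                    # next-hop address or outgoing interface
    ad: int                          # administrative distance
    metric: int                      # protocol metric (lower is better)


def route(code, prefix, next_hop, metric=0, ad=None):
    return Route(code, ipaddress.IPv4Network(prefix), next_hop,
                 DEFAULT_AD[code] if ad is None else ad, metric)


def build_table(candidates):
    """Per prefix/mask keep one route: lowest AD wins, metric breaks ties within a
    protocol (equal-cost load balancing is left out of this model)."""
    best = {}
    for r in candidates:
        cur = best.get(r.prefix)
        if cur is None or (r.ad, r.metric) < (cur.ad, cur.metric):
            best[r.prefix] = r
    return list(best.values())


def lookup(table, destination):
    """Longest-prefix match; 0.0.0.0/0 (gateway of last resort) only matches when
    nothing longer does; None means the packet is dropped."""
    dst = ipaddress.IPv4Address(destination)
    matches = [r for r in table if dst in r.prefix]
    if not matches:
        return None
    return max(matches, key=lambda r: r.prefix.prefixlen)


def sample_table(with_default=True):
    """Constructed routing information sources for one router (not from the notes)."""
    candidates = [
        route("C", "10.1.1.0/24", "GigabitEthernet0/0"),
        route("S", "10.1.0.0/16", "10.1.1.2"),
        route("O", "10.1.2.0/24", "10.1.1.3", metric=20),
        route("R", "10.1.2.0/24", "10.1.1.4", metric=2),      # loses: RIP AD 120 > OSPF 110
        route("O", "172.16.0.0/16", "10.1.1.3", metric=30),
        route("O", "172.16.0.0/16", "10.1.1.5", metric=10),   # wins on metric
    ]
    if with_default:
        candidates.append(route("S", "0.0.0.0/0", "10.1.1.1"))
    return build_table(candidates)


def show_ip_route(table):
    """Lines in the Code Prefix/mask [AD/metric] via Next-hop shape from 3.2."""
    return [f"{r.code} {r.prefix} [{r.ad}/{r.metric}] via {r.next_hop}"
            for r in sorted(table, key=lambda r: (r.prefix.network_address, r.prefix.prefixlen))]


if __name__ == "__main__":
    table = sample_table()
    print("\n".join(show_ip_route(table)))
    for dst in ("10.1.2.9", "10.1.7.1", "172.16.5.5", "8.8.8.8"):
        r = lookup(table, dst)
        print(dst, "->", "drop" if r is None else f"{r.next_hop} ({r.prefix})")
```

Note the order of the two decisions: AD and metric decide which route gets into the table for a given prefix/mask, while the lookup for a packet only ever compares prefix length, so the RIP route with the lower hop count never gets a chance to be used once the OSPF route for the same prefix is installed.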
3.4 Configure, verify, and troubleshoot inter-VLAN routing
3.4.a Router on a stick
ROAS:
- interface type number.subint -- creates a unique subinterface for each VLAN
- encapsulation [dot1q | isl] vlan-id -- enables 802.1Q or ISL and associates one
specific VLAN with the subinterface
- To configure interface to use native VLAN, use encapsulation...native instead
- ip address addr mask -- configures IP settings (address and mask)
- Configuring a PHYSICAL interface with ip address command without
encapsulation command is considered to be using the native VLAN
Verify:
- show running-config lists configuration commands
- show ip route lists connected and local routes for each subinterface
- show vlans lists subinterface VLAN ID and native VLAN for that subinterface
Layer 3 Switch:
- sdm prefer lanbase-routing -- enables hardware support for IPv4 routing; switch
must be reloaded after
- ip routing -- enables IPv4 routing on the switch
- interface vlan vlan-id -- creates SVI (VLAN interface) for each VLAN to be routed
- ip address addr mask -- configures IP address and mask on SVI, enabling IPv4 on
that SVI
- no shutdown -- enables the SVI
3.5 Compare and contrast static routing and dynamic routing
- IGP: exchanging routing updates within an autonomous system (AS)
- EGP: exchanging routing updates between autonomous systems (AS)
Distance-vector                                    Link-state
RIPv1, RIPv2, IGRP, EIGRP (hybrid)                 OSPF
Distance: routing protocol metric, e.g. hop count  Link: directly connected link
Vector: link and next-hop router to use as part    State: state of those links
  of that route
Sends periodic updates                             Sends incremental updates (updates only
                                                   when there are changes)
Has larger routing tables                          Converges more quickly and is less prone
                                                   to routing loops
Uses UDP messages                                  Requires more CPU and memory
Sends out its entire routing table

3.6 Configure, verify, and troubleshoot IPv4 and IPv6 static routing
- Checklist for adding route to IP routing table:
- Are there any competing routes?
- For ip route with outgoing interface, is the interface in an up/up state?
- For ip route with next-hop IP address, does the local router have a route to reach that IP
address?
IPv6 routes:
- If interface is up/up and ipv6 address is configured, router adds:
- A connected route for the subnet
- A local route (/128 prefix length) for the router IPv6 address
- Routers do not create routes based on the link-local addresses associated with the
interface, not even local routes
- Routers remove the connected and local routes for an interface if the interface fails, and
they re-add these routes when the interface is again in a working (up/up) state
- IPv6 routing table adds a local route for each interface + one local route for all multicast
addresses (FF00::/8)
Verification:
- show ip route displays routing table
- show ipv6 route displays IPv6 routing table
- show ipv6 route connected displays all IPv6 connected routes
- show ipv6 route static displays all IPv6 static routes
- Lists both interface and link-local address for routes that specify them
- show ipv6 route local displays all IPv6 local routes
- ping and traceroute checks connectivity to the host using that route
- show ipv6 route addr displays the route the router uses to forward to the host address
Troubleshooting:
Route is in the routing table but is incorrect
- Is there a subnetting math error in the subnet ID and mask?
- Is the next-hop IP address correct, and referencing an IP address on a neighbouring
router?
- Is the outgoing interface correct, and referencing an interface on the local router (that
  is, the same router where the static route is configured)?
Route is added to running/startup-config but not in the routing table because:
- Outgoing interface listed in the ip route command is not up/up
- The next-hop router IP address listed in the ip route command is not reachable (no
route that matches the next-hop address)
- A better competing route exists, and that competing route has a better AD
- If command syntax is correct, ip[v6] route command is placed into running-config,
then, if no other problem exists, IOS puts route into IP routing table
Route is in the routing table, and is correct, but the packets do not arrive
- ip route command with permanent keyword with an outgoing interface needs to have
the interface in an up/up state
- ip route command with permanent keyword with a next-hop IP address needs to have
a route to reach that next-hop address
Checking for mistakes in ipv6 route command syntax:
- Does the ipv6 route command reference the correct prefix and prefix length?
- If using a next-hop IPv6 address that is a link-local address:
    - Is the link-local address an address on the correct neighbouring router?
- Does ipv6 route also refer to the correct outgoing interface on the local router?
- If using a next-hop IPv6 address that is a global unicast or unique local address, is the
address the correct unicast address of the neighbouring router?
- If referencing an outgoing interface, does the ipv6 route command reference the
interface on the local router?
- IOS rejects command if outgoing interface is omitted when using link-local next-hop
router address
IOS checklist for adding routes to the IPv6 routing table:
- For ipv6 route that lists an outgoing interface, that interface must be in an up/up state
- For ipv6 route that lists a global unicast or unique local next-hop IP address, the local
router must have a route to reach that next-hop address
- If another IPv6 route exists for that exact same prefix/prefix-length, the static route
must have a better (lower) administrative distance
3.6.a Default route
- Default route is used if packet does not match any other more specific route
IPv4 default route:
- ip route 0.0.0.0 0.0.0.0 {addr | int-id} -- configures a default route
- with permanent keyword: default route stays in the routing table even if
interface goes down
( - ip address dhcp can learn gateway of last resort address)
( - DHCP learned routes are shown as static but have an AD of 254)
IPv6 default route:
- ipv6 route ::/0 {addr | int-id | int-id link-local} -- configures the default route
- IPv6 routing logic:
- With no default route, router discards the IPv6 packet
- With default route, router forwards the IPv6 packet based on the default route
- Branch routers (stub routers) with one WAN link use default routes
- IPv6 default route = ::/0 (matching all addresses)
- IPv6 default routes don't have candidates (*) and are simply added
3.6.b Network route
IPv4 network route:
- ip route prefix mask {addr | int-id} -- configures a static network route
- ip route prefix mask {addr | int-id} permanent -- configures a static network
route that ignores router's basic checks and is put straight into the routing table
IPv6 network route:
- ipv6 route prefix/prefix-length int-id adds an IPv6 route, listing the local outgoing
interface
- ipv6 route prefix/prefix-length addr adds an IPv6 route, listing the global unicast
or unique local address of the next-hop router
- ipv6 route prefix/prefix-length int-id link-local-addr adds an IPv6 route, listing the
outgoing interface and the link-local address of the next-hop router
3.6.c Host route
- Host routes match a single IP address (a single host)
IPv4 host route:
- ip route host-addr 255.255.255.255 {addr | int-id} -- configures a host route
- with permanent keyword: configures a host route that ignores router's basic
checks and is put straight into the routing table, and stays there permanently
even if interface fails
IPv6 host route:
- ipv6 route addr/128 {addr | int-id | int-id link-local} -- defines the host route
3.6.d Floating static
- Floating static routes are static routes with the administrative distance modified
so it "floats" in and out of the routing table
IPv4 floating static route:
- ip route prefix mask {addr | int-id} distance -- overwrites the default
administrative distance (1) and adds a 'floating' static route
- with permanent keyword: adds a permanent floating static route
IPv6 floating static route:
- ipv6 route prefix/prefix-length {addr | int-id | int-id link-local} distance -- defines
a floating static route, with its default AD value overridden
- NDP-learned routes have a default AD of 2
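Worked example (added to these notes; not code from the original or from Cisco IOS) for the IOS checklist in 3.6 and the floating static route of 3.6.d: each ip route command is installed only if its outgoing interface is up/up or its next hop is reachable (the permanent keyword skips those checks) and no competing route for the same prefix/mask has an equal or better AD. The scenario runs a primary static route (AD 1) with a floating static backup (AD 130) and an optional RIP-learned route (AD 120) and shows which one lands in the table as the primary path fails. Interface names, addresses and the function names are constructed for the example; as a simplification, next-hop reachability is checked against connected subnets only.

```python
import ipaddress


def install_static_routes(interfaces, statics, learned=()):
    """Apply the IOS checklist from 3.6 to a set of ip route commands.

    interfaces: name -> (is_up_up, address/prefix or None)
    statics:    dicts with prefix, via (next-hop IP or interface name), optional ad, permanent
    learned:    (prefix, code, ad, via) from routing protocols, competing on AD only
    Returns (routing table keyed by prefix string, list of rejected (prefix, via, reason)).
    """
    table, rejected, connected = {}, [], []
    for name, (up, addr) in interfaces.items():
        if up and addr:                          # connected route for every up/up interface
            net = ipaddress.IPv4Network(addr, strict=False)
            connected.append(net)
            table[str(net)] = {"code": "C", "ad": 0, "via": name}
    for prefix, code, ad, via in learned:
        prefix = str(ipaddress.IPv4Network(prefix))
        if prefix not in table or ad < table[prefix]["ad"]:
            table[prefix] = {"code": code, "ad": ad, "via": via}
    for s in statics:
        prefix = str(ipaddress.IPv4Network(s["prefix"]))
        via, ad = s["via"], s.get("ad", 1)
        if via in interfaces:                    # ip route ... <outgoing interface>
            ok, reason = interfaces[via][0], "outgoing interface is not up/up"
        else:                                    # ip route ... <next-hop address>
            nh = ipaddress.IPv4Address(via)      # simplification: resolve via connected subnets
            ok, reason = any(nh in n for n in connected), "no route to the next-hop address"
        if not ok and not s.get("permanent"):   # permanent skips these basic checks
            rejected.append((prefix, via, reason))
            continue
        cur = table.get(prefix)
        if cur is not None and cur["ad"] <= ad:  # competing route with equal or better AD
            rejected.append((prefix, via, f"competing {cur['code']} route has better AD {cur['ad']}"))
            continue
        table[prefix] = {"code": "S", "ad": ad, "via": via}
    return table, rejected


# Constructed scenario: primary static route via a next hop on Gi0/0, floating
# static backup (AD 130) out the serial link, and sometimes a RIP-learned route.
STATIC_ROUTES = [
    {"prefix": "192.168.1.0/24", "via": "10.0.0.2"},               # default AD 1
    {"prefix": "192.168.1.0/24", "via": "Serial0/1", "ad": 130},   # floating static
]


def scenario(gi0_up, rip_learned):
    interfaces = {"GigabitEthernet0/0": (gi0_up, "10.0.0.1/30"),
                  "Serial0/1": (True, "10.0.1.1/30")}
    learned = [("192.168.1.0/24", "R", 120, "10.0.1.2")] if rip_learned else []
    return install_static_routes(interfaces, STATIC_ROUTES, learned)


if __name__ == "__main__":
    for gi0_up, rip in ((True, False), (False, True), (False, False)):
        table, rejected = scenario(gi0_up, rip)
        print(f"Gi0/0 up={gi0_up} RIP={rip}: 192.168.1.0/24 ->", table["192.168.1.0/24"])
        for r in rejected:
            print("   rejected:", r)
```

The middle scenario is the one the floating AD is chosen for: with the primary next hop gone, the RIP route (AD 120) still beats the floating static (AD 130), and the static only surfaces in the third scenario when no dynamic route exists either.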
3.7 Configure, verify, and troubleshoot RIPv2 for IPv4 (excluding authentication, filtering,
manual summarization, redistribution)
- Split horizon: omits routes that the receiving router would already know of
- Route poisoning: advertises failed routes with metric value 16 (infinity); the receiving
  router removes the route or marks it as unusable (15 is the largest usable hop count)
- Update RIP timer measures how long it has been since the router has last heard about
this route in a periodic RIP update
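Worked example (added to these notes; not code from the original or from Cisco IOS) of the two loop-prevention rules above on a three-router chain: each router advertises its routes with metric + 1 (16 = unreachable), split horizon omits routes that point out the interface the update is sent on, and a failed route is poisoned with metric 16. The model also sends poisoned routes back out the interface they were learned on (poison reverse), which goes a step beyond what the notes describe; timers, holddown and equal-cost paths are left out. Router names, interfaces and subnets are constructed.

```python
INFINITY = 16   # RIP metric meaning "unreachable"; 15 is the largest usable hop count


class RipRouter:
    """Constructed model of RIPv2 route exchange for the notes above, not IOS code.
    Assumed simplifications: no timers, no holddown, one route per prefix."""

    def __init__(self, name, connected):
        self.name = name
        # prefix -> {"metric": hops, "iface": interface the route points out of, "poisoned": bool}
        self.table = {p: {"metric": 0, "iface": i, "poisoned": False} for p, i in connected.items()}

    def build_update(self, out_iface):
        """Routes advertised out one interface: poisoned routes go everywhere with
        metric 16 (route poisoning, and poison reverse on the learning interface);
        split horizon omits the other routes that point out this same interface."""
        update = {}
        for prefix, r in self.table.items():
            if r["poisoned"]:
                update[prefix] = INFINITY
            elif r["iface"] != out_iface:
                update[prefix] = min(r["metric"] + 1, INFINITY)
        return update

    def process_update(self, in_iface, update):
        """Install new routes, refresh routes from the current next hop (including a
        poison), and replace a route only with a better metric."""
        for prefix, metric in update.items():
            cur = self.table.get(prefix)
            if cur is None:
                if metric < INFINITY:
                    self.table[prefix] = {"metric": metric, "iface": in_iface, "poisoned": False}
            elif cur["iface"] == in_iface and cur["metric"] > 0:
                cur["metric"] = metric
                cur["poisoned"] = metric >= INFINITY
            elif metric < cur["metric"]:
                self.table[prefix] = {"metric": metric, "iface": in_iface, "poisoned": False}

    def fail_route(self, prefix):
        """A connected link goes down: keep the route but poison it."""
        self.table[prefix]["metric"] = INFINITY
        self.table[prefix]["poisoned"] = True


def exchange(a, a_iface, b, b_iface):
    """One periodic update in each direction across a link."""
    b.process_update(b_iface, a.build_update(a_iface))
    a.process_update(a_iface, b.build_update(b_iface))


def build_chain():
    """R1 -- R2 -- R3 with constructed addressing; run enough updates to converge."""
    r1 = RipRouter("R1", {"10.1.1.0/24": "Gi0/0", "10.1.12.0/30": "Se0/0"})
    r2 = RipRouter("R2", {"10.1.12.0/30": "Se0/0", "10.1.23.0/30": "Se0/1"})
    r3 = RipRouter("R3", {"10.1.23.0/30": "Se0/0", "10.1.3.0/24": "Gi0/0"})
    for _ in range(3):
        exchange(r1, "Se0/0", r2, "Se0/0")
        exchange(r2, "Se0/1", r3, "Se0/0")
    return r1, r2, r3


if __name__ == "__main__":
    r1, r2, r3 = build_chain()
    print("R3 table:", r3.table)
    print("R2 -> R1 update (split horizon):", r2.build_update("Se0/0"))
    r1.fail_route("10.1.1.0/24")
    exchange(r1, "Se0/0", r2, "Se0/0")
    print("R2 after poison:", r2.table["10.1.1.0/24"], "advertises", r2.build_update("Se0/1"))
```

Without split horizon, R2 would advertise 10.1.1.0/24 back to R1 with metric 2 after R1's link fails, and R1 could install it, counting upwards until 16; the omission in build_update is what prevents that.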

Configuration:
- router rip -- moves user into RIP configuration mode
- version 2 -- tells router to use RIPv2 exclusively
- network net-number -- enables RIP to (a) send routing updates out the interface, (b) listen
  for and process incoming updates on the interface, and (c) advertise the subnet connected
  to the interface
- [no] auto-summary -- enables/disables automatic summarisation (default: enabled)
(should not be enabled for discontiguous networks)
- maximum-paths number -- allows up to number routes with the same metric for equal-cost
  load balancing (default: 4) (setting the value to 1 disables the feature)
- [no] passive-interface int-id -- stops all RIPv2 updates from being sent out the interface
but RIP still processes received updates and advertises about the connected subnet
- passive-interface default -- makes all interfaces passive by default
- default-information originate -- if the IPv4 routing table has a default route in it,
advertise a default route with RIP, with this local router as the eventual destination of
those default routes
- distance dist -- sets a custom administrative distance for RIP routes
Verification:
- show ip route [rip] -- lists all IPv4 routes, or RIP-learned routes only but you cannot tell
which interfaces have RIP enabled
- show ip protocols -- lists information about RIP configuration and identifies interfaces
on which RIP is enabled but doesn't show RIP-learned routes
- show ip rip database -- lists prefix/length of all best routes known to RIP on this router,
including routes learned from neighbours and connected routes for RIP-enabled
interfaces; lists both learned routes and connected routes
- show running-config -- lists RIP configurations
Troubleshooting:
- Router does not advertise about subnets and does not exchange routing information
with other routers on those interfaces
=> Missing network command
- One router receives RIP updates but the other does not, and therefore doesn't learn
routes
=> Passive interface connected to active interface
- Half of packets not arriving at correct destination host
=> auto-summary in a discontiguous network
- RIP only operates on working interfaces (up/up state)
- RIP requires that all neighbours on a link be in the same subnet; if routers are in
different subnets, routers ignore RIP update
- ACLs could filter and discard RIP messages
4.0 Infrastructure Services
4.1 Describe DNS lookup operation

- Host sends a DNS query to the IP address of the DNS server(s) (learnt by DHCP or static),
containing the hostname that needs to be resolved
- DNS server/s send a DNS reply, containing the IP address of the hostname
- Host sends an IP packet (with SYN bit) for the resolved IP address according to the first
DNS reply it got
- Routers and switches forward the DNS messages like any normal frame/packet
- All destination IP addresses are known unicast addresses, so router/switch action is not
required to support DNS
4.2 Troubleshoot client connectivity issues involving DNS
- ping can use hostnames, which allows testing of DNS process:
- If ping of hostname fails but the ping of the IP address works, the problem
usually is to do with DNS
- A user host has an incorrect setting for the DNS server IP address(es) or
=> Change host setting if it is statically configured
=> Change DHCP server configuration (dns-server) if using DHCP
- An IP connectivity problem between the user's host and the correct DNS server
- DNS client and DNS server must have IP connectivity
- Host DNS setting should match the IP addresses of actual DNS servers
- Router must have ip name-server dns-ip1 2... and ip domain-lookup (default)
4.3 Configure and verify DHCP on a router (excluding static reservations)
- Discover: Sent by DHCP client to find a willing DHCP server (0.0.0.0 => 255.255.255.255)
- Offer: Sent by DHCP server to offer to lease to that client a specific IP address etc. (DHCP
server => 255.255.255.255)
- Request: Sent by the DHCP client to ask the server to lease the IPv4 address listed in Offer
(0.0.0.0 => 255.255.255.255)
- Acknowledgement: Sent by DHCP server to assign the address, mask, default router and
DNS server IP addresses (DHCP server => 255.255.255.255)
4.3.a Server
- DHCP server stores stateful information to give to clients
- Allocation modes:
- Dynamic allocation: DHCP dynamically leases IP addresses
- Automatic allocation: hands out permanent IP addresses with infinite lease time
- Static allocation: manually preconfigured IP address is sent to client by server
- ip dhcp excluded-address first [last] -- lists addresses that should not be leased
- ip dhcp pool name -- creates a DHCP pool for a subnet
- network subnet-ID {mask | prefix-length} -- defines the subnet for this pool
- default-router address1 2... -- defines default router IP addresses in that subnet
- dns-server address1 2... -- defines list of DNS server IP addresses used by hosts in
this subnet
- lease days hours mins -- defines the length of lease, in days, hours, and minutes
- domain-name name -- defines the DNS domain name
- next-server ip-address -- defines the TFTP server IP address used by any hosts
(e.g. IP phones that need a TFTP server)
Verification:
- show ip dhcp binding lists state information about each IP address currently
leased to a client
- show ip dhcp pool [poolname] lists the configured range of IP addresses, plus
statistics for the number of currently leased addresses and the high-water mark
for leases from each pool
- show ip dhcp server statistics lists DHCP server statistics
4.3.b Relay
- DHCP relay agents change the packet's source IP address to router's incoming
interface IP address and destination IP address to DHCP server's address
- DHCP relay agent must be configured in order for DHCP messages to reach outside
the local subnet
- ip helper-address server-ip -- needs to be configured on the LAN interface to
enable DHCP relay to the DHCP server
Verification:
- show ip interface int-id shows ip helper-address settings on interface
4.3.c Client
- ipconfig /all or ifconfig or GUI windows list DHCP status and IPv4 settings
- netstat -rn displays the host routing table, with default router IP address as
default route
(- arp -a shows host's ARP table)
(- show arp shows router's ARP table)
4.3.d TFTP, DNS, and gateway options
- next-server ip-address -- defines the IP address of TFTP server
- IP phones need the TFTP server address to load configurations
- dns-server address1 2... -- defines IP address of DNS servers
- Hosts need the DNS server to resolve hostnames into IP addresses
- default-router address1 2... -- defines IP address of default router in that subnet
- Hosts need the default router to send packets outside the local subnet
- Routers can learn default routes (gateway of last resort) with DHCP
- Verification:
- show interfaces and show protocols lists IP address and mask of the interface
- show ip interface brief lists IP address of interface
- show running-config
- show interfaces status lists VLAN assignments for each interface
- show vlan lists VLAN configurations
- show interfaces switchport lists VLAN trunking status

4.4 Troubleshoot client- and router-based DHCP connectivity issues
- Router does not forward DHCP messages at all, or they are not sent to the server
=> Missing configuration or omission of ip helper-address on DHCP relay agents
- In ROAS configurations, subinterfaces require ip helper-address commands
- ip helper-address command must be configured on the LAN interface
- DHCP server doesn't reply at all
=> Source IP address is not in the range of addresses implied by network command
- Hosts are failing to resolve hostnames to IP addresses
=> DNS server IP addresses are incorrectly configured or omitted
- ping hostname can determine this issue
- Hosts cannot communicate outside the local subnet
=> Default router IP address is incorrectly configured or omitted
- ping to address outside the local subnet can determine this issue
- IP phone is failing to correctly load its configuration
=> TFTP server IP address is incorrectly configured or omitted
- DHCP relay agent and DHCP server should have IP connectivity
- DHCP client and the DHCP relay agent should have LAN connectivity
- DHCP conflicts:
- DHCP server pings an address before offering a new IP address to a client:
- If DHCP server receives a response to the ping, some other host must already be using
the address => conflict
- DHCP server does not offer the address, and it is removed from the leasable addresses
- DHCP client sends a gratuitous ARP request for the address offered by DHCP:
- If another host replies, there is a conflict
- Client sends a DHCP message back to the server, rejecting the use of offered address
- show ip dhcp conflict lists conflicted IP address, method in which it was added to the
conflict list (gratuitous ARP by client or ping by server)
- Server avoids offering conflicted address until clear ip dhcp conflict clears the list
- Default router checklist:
- Host link to LAN and default router link to LAN must be in the same VLAN (subnet)
- Host and default router IP addresses must be in the same subnet
- The host default router setting must refer to same IP address configured on the router
- The LAN switches must not discard the frame because of port security
- If using a centralised DHCP server, at least one router on each remote subnet that has
DHCP clients must act as DHCP relay agent, and have a correctly configured
ip helper-address addr subcommand on the LAN interface
- Troubleshoot for any IP connectivity issues between the DHCP relay agent and the DHCP
server, using the relay agent interface IP address and the server IP address as the source
and destination of the packets
- Whether using a local DHCP server or centralised server, troubleshoot for any LAN issues
between the DHCP client and the DHCP relay agent
- Troubleshoot incorrect server configuration
- For ROAS, each subinterface needs to be configured with ip helper-address
- Testing connectivity between DHCP relay agent and the DHCP server, use extended ping
or traceroute, with source address of incoming interface and destination address of the
DHCP server
4.5 Configure and verify NTP operating in client/server mode
- NTP synchronises device's time-of-day clocks
- Setting the date/time with clock commands:
- clock timezone name UTC sets the timezone of the clock
- name can be any meaningful value (e.g. AEST)
- UTC is the +/- UTC value (e.g. +10)
- clock summer-time name recurring configures daylight savings
- name can be any meaningful value (e.g. EDT)
- recurring tells router to automatically apply daylight saving
- clock set h:m:s date month year sets the 24-hour clock and date
- Configuring NTP clients/servers:
- ntp server addr | hostname
- Tells router to act as an NTP client, referencing the NTP server's IP address or hostname
- Tells router to also act as an NTP server after that router has synchronised its time with
some reliable source (e.g. NTP server)
- ntp master stratum
- Tells router to act as NTP server and trust its internal clock as a good clock source
- Stratum level is a measure of how trustworthy a server is (lower = better)
- ntp source loopback number
- NTP clients can reference a loopback interface address in order to still be able to send
packets to loopback interface when physical interface is down
Verification:
- show clock lists current time
- show ntp associations lists server address, reference clock, etc.
- show ntp status lists if clock is synchronised (never for servers), stratum level, reference
address, reference time etc.
- show ntp status lists "unsynchronised" until client synchronises with at least one server
4.6 Configure, verify, and troubleshoot IPv4 standard numbered and named access list
for routed interfaces
- Inbound ACL: before router makes its forwarding decision
- Outbound ACL: after router makes its forwarding decision and determined exit interface
- ACL command logic: look for these values in the packet header, and if found,
discard/allow the packet
- deny: discard packet
- permit: allow packet as if ACL did not exist (used for NAT)
- Types of IP ACLs:
- Standard numbered ACLs (1-99)
- Matching source IP
- Looks at IPv4 header
- Extended numbered ACLs (100-199)
- Matching source & destination IP, source & destination port etc.
- Looks at IP, TCP, UDP etc. header
- Additional ACL numbers (1300-1999 standard, 2000-2699 extended)
- Named ACLs
- ACL uses first-match logic. Once a packet matches one line in the ACL, the router takes
the action listed in that line of the ACL, and stops looking further in the ACL
- If packet doesn't match any items in ACL, packet is discarded (default: deny any)
- Place more specific statements early in the ACL
- Disable an ACL from its interface (using no ip access-group) before making changes to
the ACL
- If an entire ACL is deleted (no access-list) while ACL is enabled on interface, IOS does not
filter any packets (as is the case with disabling an ACL on interface)
- As soon as one statement is added to enabled ACL, IOS filters packets based on that ACL,
and the implicit deny any (deny ip any any) is activated
Configure:
Standard numbered ACLs:
- access-list {1-99} {permit | deny} source-ip [wildcard-mask] [log]
- To match exact, entire source host IP address, use access-list ACL-no. {permit | deny}
host-address
- access-list 1 permit host 10.1.1.1 is accepted, but IOS removes keyword
- Wildcard mask:
- Decimal 0: router must compare this octet as normal
- Decimal 255: router ignores this octet, considering it to already match
- IOS will specify a source address to be 0 for parts that will be ignored, even if nonzero
values were configured (e.g. 10.1.2.3 0.255.255.255 => 10.0.0.0 0.255.255.255)
- To match a subnet:
- Use subnet number as the source value in the access-list command
- Use wildcard mask found by subtracting subnet mask from 255.255.255.255
- Matching any/all addresses: permit any, deny any
- permit any overrides default deny any
- access-list ACL-no. remark text leaves text documentation that stays with ACL
- Router does not filter packets that the router itself creates with an outbound ACL
- IOS could change commands before placing command into running-config file
- Standard numbered ACL configuration:
- Step 1: Plan location (router and interface) and direction (in or out) on that interface
- Standard ACLs should be placed near to the destination so that they do not
unintentionally discard packets that should not be discarded
- Because standard ACLs can only match a packet's source IP address, identify the
source IP address of packets as they go in the direction that the ACL is examining
- Step 2: Configure one or more access-list commands to create the ACL:
- The list is searched sequentially, using first-match logic
- The default action, if a packet does not match any of the access-list commands, is to
deny (discard) the packet
- Step 3: Enable the ACL on the chosen router interface, in the correct direction, using
ip access-group number {in | out}
Extended numbered ACLs:
- ACL number range 100 - 199, 2000 - 2699
- Extended ACLs can compare:
- Protocol type
- Source IP address (or address range with wildcard mask)
- Source port (or range of ports)
- Destination IP address (or address range with wildcard mask)
- Destination port (or range of ports)
- TOS byte (for QoS)
- Extended ACL access-list commands MUST use host keyword for source/destination IPs
- Extended ACL port keyword (eq _ (equal to), lt _ (less than), ne _ (not equal to), gt _
(greater than), range _ _ (range from x to y))
- Source port of client is going to be greater than 1023 (dynamically assignable ports)

- access-list ACL-no. {deny | permit} protocol source-ip source-wildcard dest-ip
dest-wildcard [log | log-input]
- log-input lists more detailed information (e.g. ingress interface, MAC address) in log
- access-list ACL-no. {deny | permit} {tcp | udp} source-ip source-wildcard [operator
port] dest-ip dest-wildcard [operator port] [established] [log]
- established matches all packets except the first packet in the three-way handshake,
which has the ACK bit turned off
- Place extended ACLs as close as possible to the source of the packets that will be
filtered, to save some bandwidth
- If eq 80 is configured, the configuration shows eq www

- To ensure routing protocol packets would be permitted, you can include:
- permit udp any any eq 520
- permit ospf any any
- permit eigrp any any
Named ACLs and ACL Editing:
- Named ACLs use names instead of numbers to identify the ACL
- Named ACLs use ACL subcommands, not global commands, to define action and
matching parameters
- Named ACLs use ACL editing features that allow the CLI user to delete individual lines
from the ACL and insert new lines
- ip access-list {standard | extended} {name | number} to enter ACL configuration mode
- Subcommands can omit access-list ACL-no. parameters
- no command command deletes a single line from the ACL
- no sequence-number deletes a single line from the ACL
- sequence-number command adds a line to the ACL with a sequence number
- IOS adds sequence numbers to commands as you configure them automatically
Verification:
- show ip access-lists lists details about IPv4 ACLs only
- show access-lists lists details about IPv4 ACLs plus other types of ACLs
- IP access list name/number
- Sequence number
- Permit or deny command
- Remark
- show running-config lists the ACL configuration commands
- IOS always stores numbered ACLs as global access-list commands, even if it was
configured in ACL configuration mode
- show ip interface int-id lists details about inbound/outbound ACL configurations
- access-list 1 permit 10.0.0.0 0.0.0.255 log makes IOS issue log messages with
triggered statistics about matches of that particular line of ACL (log-input lists more
detailed log messages)

- ping S1 from R1 => filter on ACL B, C, D
- ping R2 from R1 => filter on ACL B, D
- Router self-ping of a serial interface:
- Router sends ICMP echo request out the point-to-point serial link to other router
- Neighbouring router receives and ROUTES the packet to the original router
- ACL B, C, D can filter
- Self-ping tests parts of point-to-point serial link:
- The link must work at Layers 1, 2, and 3
- Both routers have a working (up/up) serial interface, with correct IPv4 addresses
- ACLs B, C, and D must permit the ICMP echo request and reply packets
- Router self-ping of an Ethernet interface:
- ICMP messages are examined down and up the protocol stack
- Self-ping of an Ethernet interface:
- Tests status of local router interface (up/up)
- Does not test security features on neighbouring devices (port security or ACL), since
ICMP messages are not physically forwarded out the interface
- Inbound IP ACL on local router processes router self-ping
Troubleshooting:
- Check interface on which the ACL is enabled and direction of packet flow
- ping and traceroute might work fine (matching ICMP) but other end-user packets may
be matched with a deny command
- Steps on analysing ACLs:
- Step 1: Determine on which interfaces ACLs are enabled, and in which direction
- show running-config, show ip interfaces
- Step 2: Find the configuration of each ACL
- show access-lists, show ip access-lists, show running-config
- Step 3: Analyse the ACLs to predict which packets should match the ACL
A. Misordered ACLs: Look for misordered ACL statements. IOS uses first-match logic
when searching an ACL
B. Reversed source/destination addresses: Make sure the source IP address field could
match packets with that source IP address, rather than the destination and vice versa
C. Reversed source/destination ports: Ensure that ACL statements match the correct
source/destination port depending on whether the server sent or will receive the
packet
D. Syntax: Extended ACL commands must use the tcp and udp keywords if the
command needs to check the port numbers
E. Syntax: Note that ICMP packets do not use UDP or TCP (matches icmp keyword)
F. Explicit deny any: Instead of using implicit deny any at the end, use an explicit
configuration command to make the counters increment when that action is taken
G. Dangerous inbound ACLs: Inbound ACLs, especially with deny all logic at the end
may discard incoming overhead protocols, like routing protocol messages
H. Standard ACL location: Standard ACLs enabled close to the source of matched
addresses can discard packets that should be allowed through
- show commands can list counters for number of packets that have matched each line
in the ACL
- Not increasing counter may mean:
- Packets are not matching that line in that ACL
- Packets are matching an earlier line in the same ACL
- Packets are not reaching that router for some reason
- Outbound ACL can discard forwarded packets, but not generated packets
- Inbound ACL can discard routing protocol updates
- Local router would never learn routes from neighbouring router
- Neighbouring router could still learn routes from local router
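An added example (not from these notes) that models the standard/extended ACL behaviour described above in Python: wildcard masks derived from a subnet mask, IOS zeroing the ignored bits of the configured address, first-match logic with the implicit deny, and the per-line match counters used in troubleshooting step A (misordered statements). All addresses and ACL lines are constructed.

```python
# Added example: a small model of IOS standard/extended ACL matching.
# Addresses, ACL lines and packets below are constructed for illustration.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


def to_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def wildcard_from_mask(mask: str) -> str:
    """Wildcard mask = 255.255.255.255 minus the subnet mask, octet by octet."""
    return ".".join(str(255 - int(octet)) for octet in mask.split("."))


def normalise(addr: str, wildcard: str) -> str:
    """IOS zeroes the address bits the wildcard ignores before storing the line
    (10.1.2.3 0.255.255.255 is stored as 10.0.0.0 0.255.255.255)."""
    return str(ipaddress.IPv4Address(to_int(addr) & ~to_int(wildcard) & 0xFFFFFFFF))


def wildcard_match(addr: str, ref: str, wildcard: str) -> bool:
    """A wildcard bit of 0 means 'must match'; a bit of 1 means 'ignore'."""
    keep = ~to_int(wildcard) & 0xFFFFFFFF
    return (to_int(addr) & keep) == (to_int(ref) & keep)


@dataclass
class AclEntry:
    action: str                       # "permit" or "deny"
    src: str = "0.0.0.0"
    src_wc: str = "255.255.255.255"   # the defaults are equivalent to 'any'
    protocol: str = "ip"              # standard lines: "ip"; extended may be tcp/udp/icmp
    dst: str = "0.0.0.0"
    dst_wc: str = "255.255.255.255"
    dst_port: Optional[int] = None    # only the extended 'eq port' operator, for brevity
    matches: int = 0                  # the per-line counter that show access-lists displays

    def __post_init__(self):
        self.src = normalise(self.src, self.src_wc)   # mimic what IOS stores
        self.dst = normalise(self.dst, self.dst_wc)


def host(action: str, addr: str) -> AclEntry:
    """'permit host A' is the same as 'permit A 0.0.0.0'."""
    return AclEntry(action, addr, "0.0.0.0")


@dataclass
class Packet:
    src: str
    dst: str
    protocol: str = "ip"
    dst_port: Optional[int] = None


def entry_matches(entry: AclEntry, pkt: Packet) -> bool:
    if entry.protocol != "ip" and entry.protocol != pkt.protocol:
        return False                  # items D/E: tcp/udp/icmp keyword must match the packet
    if not wildcard_match(pkt.src, entry.src, entry.src_wc):
        return False
    if not wildcard_match(pkt.dst, entry.dst, entry.dst_wc):
        return False
    if entry.dst_port is not None and entry.dst_port != pkt.dst_port:
        return False
    return True


def evaluate(acl: List[AclEntry], pkt: Packet) -> str:
    """First-match logic: the first matching line decides and its counter increments;
    a packet matching no line hits the implicit 'deny any' at the end."""
    for entry in acl:
        if entry_matches(entry, pkt):
            entry.matches += 1
            return entry.action
    return "deny"


def misordered_demo() -> dict:
    """Item A: a deny for one host placed after a permit for its whole subnet never
    matches, which shows up as a counter that never increments."""
    subnet_wc = wildcard_from_mask("255.255.255.0")          # "0.0.0.255"
    misordered = [AclEntry("permit", "10.1.1.0", subnet_wc), host("deny", "10.1.1.1")]
    corrected = [host("deny", "10.1.1.1"), AclEntry("permit", "10.1.1.0", subnet_wc)]
    pkt = Packet(src="10.1.1.1", dst="192.0.2.10")
    return {
        "misordered": evaluate(misordered, pkt),
        "misordered_deny_counter": misordered[1].matches,
        "corrected": evaluate(corrected, pkt),
        "other_host": evaluate(corrected, Packet("10.1.1.2", "192.0.2.10")),
        "outside_subnet": evaluate(corrected, Packet("10.1.2.2", "192.0.2.10")),
    }


if __name__ == "__main__":
    print(misordered_demo())
```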
4.7 Configure, verify, and troubleshoot inside source NAT
- Terminology:
- Inside local addresses: Addresses used by host before NAT (private)
- Inside global addresses: Addresses used by host after NAT (public)
- Outside local addresses: Addresses used by destination before NAT
- Outside global addresses: Addresses used by destination after NAT
Verification:
- show ip nat translations lists NAT table
- show ip nat statistics lists statistics on NAT, such as number of hits and misses, active
translations etc.
- First "misses" indicates number of times a new packet does not find a NAT entry, at
which point, dynamic NAT reacts and builds an entry
- Second "misses" indicates number of times dynamic NAT tries to allocate a new NAT
table entry and finds no available addresses, probably resulting in a discard
- debug ip nat issues a message every time a packet has its address translated for NAT
- show running-config: Lists NAT configuration commands
Troubleshooting:
- Reversed inside and outside: Ensure that ip nat inside and ip nat outside are
configured, at the correct router interfaces
- Static NAT: Check ip nat inside source static command to ensure it lists the inside local
address first, and the inside global IP address second
- Dynamic NAT (ACL): Ensure that the ACL configured matches the inside host's packets,
with the inside local address (before NAT)
- Dynamic NAT (pool): Ensure the pool has enough IP addresses
- A large or growing value in the second "misses" counter in the show ip nat statistics
command can indicate this problem
- Compare configured pool to the list of addresses in the NAT translation table (show ip
nat translations)
- If the pool is small, the problem may be that the configuration intended to use PAT, and
is missing the overload keyword
- PAT: PAT configuration is identical to a dynamic NAT configuration with the overload
keyword
- Without overload keyword, dynamic NAT works, but pool is consumed quickly
- ACL:
- Inbound ACL => IOS processes ACLs before NAT
- Outbound ACL => IOS processes ACLs after NAT translation
- User traffic required: NAT does not create translations until some user traffic enters the
NAT router on an inside interface, otherwise, NAT does nothing
- IPv4 routing: Routing must work for destination IP address used in the packets

4.7.a Static
- IP addresses are statically one-to-one mapped to each other
- Configuration:
- Step 1: Use ip nat inside to configure interfaces to be in inside part of NAT design
- Step 2: Use ip nat outside to configure interfaces to be in the outside part of the
NAT design
- Step 3: Use ip nat inside source static inside-local inside-global to configure the
static mappings
4.7.b Pool
- One-to-one mapping inside local address to inside global address happens
dynamically
- Router creates NAT table entry after user traffic occurs
- NAT table lists inside local and inside global addresses
- clear ip nat translation *: clears entire NAT table
- If inside global address pool is all allocated, packet is discarded
- Address can be reallocated if timed out
Configuration:
- Step 1: Use ip nat inside to configure interfaces to be in inside part of NAT design
- Step 2: Use ip nat outside to configure interfaces to be in the outside part of the
NAT design
- Step 3: Configure an ACL that matches the packets entering inside interfaces for
which NAT should be performed
- Step 4: Use ip nat pool name first-addr last-addr netmask subnet-mask to
configure the pool of public registered IP addresses
- ip nat pool configures address ranges for first-addr to last-addr inclusive
- netmask checks if both lowest and highest addresses are in the same subnet
- If netmask doesn't match, IOS rejects the command
- Step 5: Use ip nat inside source list ACL-no. pool poolname to enable dynamic
NAT by referring to the configured ACL and pool
Verification:
- Before user traffic happens, NAT table is empty, with show ip nat statistics listing
0 active translations
- After user traffic happens, show ip nat statistics lists:
- 1 active translation (1 dynamic)
- 1 miss (host tried to find NAT entry, but couldn't find one)
- 69 hits (dynamic NAT created entry, and host can now be translated)
- 1 pool member allocated, 50% of the pool are currently in use
4.7.c PAT
- PAT translates ports and addresses
- PAT can support more than 65,000 translations per inside global address, distinguishing
them by port number
Configuration:
- PAT is enabled on one interface, and uses one inside global IP address OR
- PAT uses a pool of inside global IP addresses
- PAT configuration = dynamic NAT configuration plus the overload keyword
- Step 1: Use ip nat inside to configure interfaces to be in inside part of NAT design
- Step 2: Use ip nat outside to configure interfaces to be in the outside part of the
NAT design
- Step 3: Configure an ACL that matches the packets entering inside interfaces for
which NAT should be performed
- (Step 3.5: Use ip nat pool name first-addr last-addr netmask subnet-mask to
configure the pool of public registered IP addresses)
- Step 4: Configure the ip nat inside source list ACL-no. {interface int-id | pool
poolname} overload
Verification:
- show ip nat statistics lists total active translations of X, with "X dynamic; X extended"
- First packet of host is a "miss", and then PAT creates a NAT table entry
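An added example (not from these notes) that models the dynamic NAT and PAT translation table in Python, tracking the hits counter and the two "misses" counters described under show ip nat statistics, to show why a two-address pool without the overload keyword is consumed quickly. The pool, inside subnet ACL and hosts are constructed; PAT port selection is simplified.

```python
# Added example: a model of the dynamic NAT / PAT translation table and its counters.
# Pool addresses, the inside subnet and the hosts are constructed for illustration.
import ipaddress
from typing import Dict, List, Optional, Tuple


class NatRouter:
    def __init__(self, pool: List[str], overload: bool = False,
                 inside_net: Tuple[str, str] = ("10.1.1.0", "0.0.0.255")):
        self.pool = list(pool)            # ip nat pool: the inside global addresses
        self.overload = overload          # True = PAT (the overload keyword)
        self.inside_net = inside_net      # the ACL line: subnet and wildcard mask
        self.table: Dict[Tuple[str, Optional[int]], Tuple[str, Optional[int]]] = {}
        self.hits = 0                     # packet found an existing entry
        self.misses_new = 0               # first "misses": no entry yet, NAT builds one
        self.misses_no_addr = 0           # second "misses": pool exhausted, packet discarded

    def _acl_permits(self, ip: str) -> bool:
        keep = ~int(ipaddress.IPv4Address(self.inside_net[1])) & 0xFFFFFFFF
        return (int(ipaddress.IPv4Address(ip)) & keep) == \
               (int(ipaddress.IPv4Address(self.inside_net[0])) & keep)

    def _free_port(self, glob: str, wanted: int) -> int:
        """Keep the client's own source port when it is still free on that inside
        global address, otherwise pick another one (simplified port selection)."""
        used = {p for g, p in self.table.values() if g == glob}
        if wanted not in used:
            return wanted
        port = 1024
        while port in used:
            port += 1
        return port

    def translate(self, src_ip: str, src_port: int):
        """Return (status, inside_global, port); status is 'no-nat' (ACL did not match,
        packet routed untranslated), 'hit', 'new' or 'discard'."""
        if not self._acl_permits(src_ip):
            return ("no-nat", src_ip, src_port)
        key = (src_ip, src_port) if self.overload else (src_ip, None)
        if key in self.table:
            self.hits += 1
            glob, port = self.table[key]
            return ("hit", glob, port if self.overload else src_port)
        self.misses_new += 1
        if self.overload:
            glob = self.pool[0]                    # PAT reuses one address, varying the port
            port = self._free_port(glob, src_port)
            self.table[key] = (glob, port)
            return ("new", glob, port)
        allocated = {g for g, _ in self.table.values()}
        free = [g for g in self.pool if g not in allocated]
        if not free:
            self.misses_no_addr += 1               # pool has no free inside global address
            return ("discard", None, None)
        self.table[key] = (free[0], None)          # one-to-one: the port is not translated
        return ("new", free[0], src_port)

    def pool_in_use_percent(self) -> int:
        allocated = {g for g, _ in self.table.values()}
        return 100 * len(allocated) // len(self.pool)


def compare(overload: bool) -> dict:
    """Three inside hosts, a repeat packet, and one host the ACL does not match,
    against a two-address pool, with and without overload."""
    nat = NatRouter(["200.1.1.1", "200.1.1.2"], overload=overload)
    results = [nat.translate("10.1.1.1", 1030), nat.translate("10.1.1.2", 1030),
               nat.translate("10.1.1.3", 1030), nat.translate("10.1.1.1", 1030),
               nat.translate("192.168.5.5", 1030)]
    return {"results": results, "hits": nat.hits, "misses_new": nat.misses_new,
            "misses_no_addr": nat.misses_no_addr, "entries": len(nat.table),
            "pool_in_use_percent": nat.pool_in_use_percent()}


if __name__ == "__main__":
    for mode in (False, True):
        print("PAT (overload)" if mode else "dynamic NAT", compare(mode))
```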

5.0 Infrastructure Maintenance
5.1 Configure and verify device-monitoring using syslog
- Default: IOS shows log messages to console users for all severity levels of messages and
discards the messages
(logging console 7)
- logging console enables sending of log messages to console users (default)
- logging monitor tells IOS to enable sending of log messages to all logged-in terminal (vty) users
- terminal monitor tells IOS that this terminal session would like to receive log messages
- Both logging monitor and terminal monitor must be configured to receive log messages
- Storing log messages in RAM:
- logging buffered tells IOS to store copies of log messages in RAM
- show logging shows the old log messages in RAM to the user
- Storing log messages in a syslog server:
- logging host {addr | hostname} identifies the syslog server
- Devices use UDP to send messages to syslog server for storage
- User can connect to server (typically with GUI) and browse log messages
- Syslog message format:

- Timestamp: *Dec 18 17:10:15.079
- Facility on router that generated message: %LINE-PROTO
- Severity level: 5
- Mnemonic for message: UPDOWN
- Description: Line protocol on Interface FastEthernet0/0, changed state to down
- no service timestamps disables use of timestamps (default: on)
- service sequence-numbers allows use of log message sequence number (default: off)
- Log message severity levels: (severity table not reproduced here)
NOTE: Errata: Emergency should be 0, Alert should be 1
- The no form of each service command disables that service
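An added example (not from these notes) that parses IOS-style syslog lines into the fields listed above (sequence number, timestamp, facility, severity, mnemonic, description) and applies a logging threshold the way logging console <level> does. The sample lines are constructed; the severity names are the standard IOS levels, numbered as the errata states.

```python
# Added example: parse IOS syslog lines and filter them by severity level.
# The sample log lines are constructed; the severity table is the standard IOS one.
import re
from typing import Dict, List, Optional

# 0 = most severe. 'logging console 7' keeps everything; 'logging console 4' keeps 0-4.
SEVERITY = {0: "emergencies", 1: "alerts", 2: "critical", 3: "errors",
            4: "warnings", 5: "notifications", 6: "informational", 7: "debugging"}

# [seq:] [timestamp:] %FACILITY-SEVERITY-MNEMONIC: description
# seq comes from 'service sequence-numbers', the timestamp from 'service timestamps'.
LINE_RE = re.compile(
    r"^(?:(?P<seq>\d+):\s+)?"
    r"(?:(?P<ts>[*.]?[A-Za-z]{3}\s+\d{1,2}(?:\s+\d{4})?\s+\d{2}:\d{2}:\d{2}(?:\.\d{3})?"
    r"(?:\s+[A-Za-z]{3,4})?):\s+)?"
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+):\s*"
    r"(?P<description>.*)$")


def parse_syslog(line: str) -> Optional[Dict[str, object]]:
    """Return the fields of one log line, or None for a line that is not a syslog message."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec: Dict[str, object] = m.groupdict()
    rec["severity"] = int(m.group("severity"))
    rec["severity_name"] = SEVERITY[rec["severity"]]
    # A leading '*' on the timestamp means the router clock was not authoritative
    # (not synchronised via NTP), so the time is unreliable for correlation.
    rec["clock_authoritative"] = not (m.group("ts") or "").startswith("*")
    return rec


def filter_by_level(lines: List[str], level: int) -> List[Dict[str, object]]:
    """Keep messages whose severity number is <= level, as the logging commands do."""
    kept = []
    for line in lines:
        rec = parse_syslog(line)
        if rec is not None and rec["severity"] <= level:
            kept.append(rec)
    return kept


# Constructed sample lines in the format described above.
SAMPLE_LOG = [
    "*Dec 18 17:10:15.079: %LINEPROTO-5-UPDOWN: Line protocol on Interface "
    "FastEthernet0/0, changed state to down",
    "000045: *Dec 18 17:10:16.201: %SYS-5-CONFIG_I: Configured from console by console",
    "Dec 18 17:10:17.000: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] "
    "[Source: 10.1.1.50] [localport: 22] [Reason: Login Authentication Failed]",
    "Dec 18 17:10:18.500: %SYS-7-USERLOG_DEBUG: Message from tty0(user id: admin): test",
    "Router#show clock",                       # CLI echo, not a log message
]


if __name__ == "__main__":
    for rec in filter_by_level(SAMPLE_LOG, 5):
        print(rec["severity"], rec["facility"], rec["mnemonic"], "-", rec["description"])
```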
- Debugging and log messages:
- debug remains active, even if user is logged out, until no debug command is issued
- no debug param disables debugging of particular service
- Debug options use router CPU => more CLI users = more CPU
Verification:
- show logging:
- Displays logging services (e.g. console, monitor)
- Displays severity level of logging services
- Lists log buffer at the end
- clear logging clears old syslog messages
- show processes cpu is used for monitoring the CPU
5.2 Configure and verify device management
5.2.a Backup and restore device configuration
- copy running-config usbflash1:temp-copy-of-config saves the running-config file
to the USB flash drive with filename temp-copy-of-config
- If any file is copied into the running-config file in RAM with copy, the file is added
to the old configuration, not replacing it (with some exceptions)
=> ip address new command will replace the old value of address but
=> access-list commands will be added to existing ACLs, creating a defect
- In order to avoid this defect, use e.g. copy tftp startup-config and then reload
- Archives:
- archive to enter archive configuration mode
- path URI lists place to save the archive to
- time-period seconds configures the amount of time between automatic archives
- write-memory tells the router to save the archive every time running-config is
saved
- archive config writes an archive of the current configuration
- configure replace URI allows user to copy a configuration archive into the
running-config file so that it completely replaces the running-config file
- Erasing configuration files:
- write erase and erase startup-config (older)
- erase nvram: (more recent and recommended)
- To clear out the running-config file, erase the startup-config file, then reload
Verification:
- dir fs: displays content of the IFS
- show archive displays list of archives and archive filenames
5.2.b Using Cisco Discovery Protocol and LLDP for device discovery
5.2.c Licensing
Traditional IOS images:
- Cisco created each IOS image for a particular router model, version and release,
and feature set
- To move to a new release/version, you need a whole new IOS file installed
- Cisco created one image for each combination of IOS feature sets
- All images have the same IP base feature set
- Images can have different combinations of different feature sets (e.g. security,
data, voice)
- Cisco permitted anyone to download any IOS image for any Cisco router
Universal IOS images:
- Universal image has all feature sets a router model supports which can be
enabled later
- Has a new software activation process:
- Router arrives from Cisco with IP base feature set already enabled and activated
(no further action required)
- Network engineer must enable additional feature sets
- Process checks and confirms that the customer has paid for the right to use that
feature set on that router
- Feature sets with most significant set of features => technology packages
- Future: Cisco ONE licensing
Software activation:
- Cisco License Manager (CLM) automatically manages Cisco licenses
1. Find the UDI (Unique Device Identifier)
- UDI = PID (Product ID) + SN (Serial Number)
- show license udi
2. Find the PAK (Product Authorisation Key)
- PAK acts as the receipt and proof that you paid for the license
3. Obtain the license key file
- Input UDI and PAK into Cisco Product License Registration Portal
4. Place the license key file where a router can reach it
- Copy the license key file into a network server or to a USB drive
5. Install the license key file into the router
- Issue license install url | filename to install the license key file
6. Reload (reload) the router to pick up the changes
Right-to-use licenses:
- Right-to-use licenses can enable most features for a 60-day evaluation period,
after which the feature stays enabled, with no time limit
- license boot module model technology-package name adds a feature to the
router as a right-to-use license
Verification:
- show license lists long status information on feature sets, such as period left,
license type etc.
- show license feature lists one-line information per feature
- show version lists brief technology package information at the end with UDI
- show license udi lists the PID, SN and the UDI of the router
5.2.d Logging
- Refer to 5.1
5.2.e Timezone
- Refer to 4.5
5.2.f Loopback
- interface loopback number
- Interface is not tied to any physical interface
- Can be assigned an IP address, routing protocols can advertise about the subnet,
you can ping/traceroute to that address
- Loopback interfaces remain up/up as long as:
- The router remains up
- You do not issue a shutdown command on that loopback interface
- Usage of loopback interfaces for NTP at 4.5
Verification:
- show interfaces loopback number
5.3 Configure and verify initial device configuration
- Switches don't need initial configuration, only Ethernet/power cables
Router:
Cabling:
- Connect any LAN cables with RJ-45 or SFP to the LAN ports
- If using an external CSU/DSU: connect the router's serial interface to the CSU/DSU and
the CSU/DSU to the line with RJ-48 from the telco
- If using an internal CSU/DSU: connect the router's serial interface to the line with RJ-48
from the telco
- Connect the router's console port to a PC using a rollover cable with RJ-45 or USB cable
to configure the router
- Connect a power cable from a power outlet to the power port on the router
- Power on the router using the on/off switch
CLI configuration:
- no shutdown to enable interfaces
- ip address addr mask to configure the IP address and mask for the interface
- If using DTE/DCE cables: clock rate command on the DCE interface to provide clocking
Initial router configuration using setup mode:
- If router boots with no initial configuration, router asks if the user wants to enter the
"initial configuration dialogue" a.k.a. setup mode
- Use setup command from privileged EXEC mode
Verification:
- show running-config lists clock rate, bandwidth, IP address, mask etc.
- show ip interface brief lists interface status, IP address etc.
- show protocols lists interface status, IP address, mask etc.
- show controllers int-id lists connected cable, clock rate etc.
- show interfaces int-id lists detailed statistics of interface including IP address, mask,
interface status, bandwidth, encapsulation and description
- Administratively down/down: interface has shutdown command
- Down/down: L1 - no/wrong cable, opposite interface is shutdown or powered off etc.
- Up/down: L2 - HDLC vs PPP on serial link
- Up/up: L1 and L2 of this interface are functioning
5.4 Configure, verify, and troubleshoot basic device hardening
- Securing unused switch interfaces:
- Administratively disable the interface using shutdown
- Prevent VLAN trunking by making the port a nontrunking interface using switchport
mode access
- Assign the port to an unused VLAN using switchport access vlan vlan-id (blackhole VLAN)
- Set the native VLAN to an unused VLAN using switchport trunk native vlan vlan-id
5.4.a Local authentication
Local username:
SW(config)# username name secret pass-value
SW(config-line)# login local
- External AAA server with RADIUS or TACACS+ may be used for external
authentication
5.4.b Secure Password
- password command stores passwords in clear-text in configuration files etc.
- service password-encryption encrypts:
- password pass (console or vty)
- username name password pass (username authentication)
- enable password pass (enable mode)
- no service password-encryption:
- Password remains encrypted until it is changed
- enable secret encrypts password with MD5 (default) and overrides enable
password if both are configured
- If neither enable secret nor enable password is configured, Telnet/SSH users are
rejected with no option to supply an enable password
- When user types in the enable password, IOS hashes the clear-text password as
typed by the user and compares it to the hashed configured password
- enable algorithm-type sha-256 secret password encrypts the enable password
with SHA-256
- enable algorithm-type scrypt secret password encrypts the enable password with
Scrypt
- Encrypting passwords for local usernames:
- username name password pass stores password in clear-text
- IOS allows only one username command for a given username (either username
password or username secret command)
- username password is needed when router needs to know the clear-text
password for performing authentication over serial links
Verification:
- show running-config lists:
- "password 0 XXXXX" for clear-text passwords
- "password 7 XXXXX" for service password-encryption encrypted passwords
- "password 5 XXXXX" for secret commands using MD5
- "password 8 XXXXX" for passwords encrypted with SHA-256
- "password 9 XXXXX" for passwords encrypted with Scrypt
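Added example (not part of these notes): a small Python audit that reads a running-config and classifies each password/secret line by the type numbers listed above, flagging type 0 and type 7 entries as the ones a hardening review must replace with secret (type 8/9) commands. The sample config and its hash/type-7 strings are constructed placeholders.

```python
import re

# Storage types as they appear in "show running-config" (type numbers from the notes);
# the ratings are this example's own hardening judgement.
PASSWORD_TYPES = {
    "0": ("clear-text", "weak"),
    "7": ("service password-encryption, reversible", "weak"),
    "5": ("MD5 secret", "legacy"),
    "8": ("SHA-256 secret", "ok"),
    "9": ("scrypt secret", "ok"),
}

# Matches "enable secret 9 ...", "username admin privilege 15 password 7 ...",
# and a bare " password cisco" under a line (no type number = clear-text).
_PW_RE = re.compile(
    r"^\s*(?P<prefix>enable|username\s+\S+(?:\s+privilege\s+\d+)?|)\s*"
    r"(?P<kw>password|secret)\s+(?:(?P<type>[05789])\s+)?(?P<value>\S+)\s*$"
)

# Constructed sample config; hash and type-7 values are placeholders, not real strings.
SAMPLE_CONFIG = """\
hostname R1
enable secret 9 $9$CONSTRUCTED/PLACEHOLDER
username admin privilege 15 password 7 0123456789AB
username ops secret 8 $8$CONSTRUCTED/PLACEHOLDER
line con 0
 password cisco
 login
line vty 0 15
 password 7 0123456789AB
 login local
 transport input ssh
"""


def audit_passwords(running_config: str) -> list:
    """Classify every password/secret line in a running-config by storage type."""
    findings = []
    for lineno, line in enumerate(running_config.splitlines(), 1):
        m = _PW_RE.match(line)
        if not m:
            continue
        ptype = m.group("type") or "0"  # no type number means clear-text
        storage, rating = PASSWORD_TYPES[ptype]
        findings.append({"line": lineno, "command": line.strip(),
                         "type": ptype, "storage": storage, "rating": rating})
    return findings


def weak_passwords(running_config: str) -> list:
    """Entries to fix: reconfigure with secret (type 8 or 9) instead of password."""
    return [f for f in audit_passwords(running_config) if f["rating"] == "weak"]


if __name__ == "__main__":
    for f in audit_passwords(SAMPLE_CONFIG):
        print(f"line {f['line']:>2}: type {f['type']} ({f['storage']}) -> {f['rating']}")
```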
5.4.c Access to device
5.4.c (i) Source address
- IOS can apply ACL to inbound connections to filter host addresses:
- access-class ACL-no. in refers to Telnet and SSH connections into this router
- IOS can apply ACL to outbound Telnet/SSH connections:
- access-class ACL-no. out filters outbound Telnet/SSH connections, connecting
out of the local device to another device
- Standard VTY ACL for outbound connections looks at the destination IP address
5.4.c (ii) Telnet/SSH
SSH:
SW(config)# hostname name -- set the hostname
SW(config)# ip domain-name example.com -- set the FQDN with hostname
SW(config)# crypto key generate rsa modulus mod-value -- enables SSH
SW(config)# ip ssh version 2 -- Optionally set the SSH version to 2 only
SW(config)# line vty 0 15
SW(config-line)# transport input {all | ssh} -- Enables SSH on VTY line
SSH/Telnet:
SW(config)# username name password pass-value -- Define the
username/password
SW(config)# line vty 0 15
SW(config-line)# login local -- Enable local username authentication
Client connection:
- telnet dest-ip connects to destination via Telnet
- ssh -l username dest-ip connects to destination via SSH using a username
- exit or quit logs out from Telnet/SSH connection
Verifying SSH on switch:
- show ssh lists info about each SSH client currently connected into switch
- show ip ssh lists status information about SSH server

Configuring IPv4 on a Switch:
SW(config)# interface vlan vlan-id -- Enters interface VLAN X config mode
SW(config-if)# ip address ip-address mask -- Assign IP address and mask
SW(config-if)# no shutdown -- Enables the VLAN X interface
SW(config)# ip default-gateway ip-address -- Configures default gateway (global
config mode, not interface mode)
SW(config)# ip name-server ip-address1 ... -- Optionally configures the switch
to use DNS to resolve names to IP addresses (global config mode)
Configuring switch to learn IP address with DHCP:
SW(config)# interface vlan vlan-id
SW(config-if)# ip address dhcp -- Enables DHCP on interface
Verifying IPv4 on switch:
- show running-config: checks current configuration
- show interfaces vlan x: lists IP address and mask and detailed status info
about VLAN x
- show dhcp lease: checks temporarily leased IP address
5.4.d Login banner
- Banner types and sequence:

- banner command:
- banner command default is motd (configures MOTD banner)
- The first character after the banner keyword is the delimiter; it marks the start
and end of the banner text and can be any character
- banner login command configures the Login banner
- banner exec command configures the Exec banner
5.5 Perform device maintenance
5.5.a Cisco IOS upgrades and recovery (SCP, FTP, TFTP, and MD5 verify)
- Steps to upgrade an IOS image into flash memory:
1. Obtain the IOS image from Cisco by downloading the image from cisco.com
2. Place the IOS image someplace that the router can reach (e.g. TFTP/FTP servers, USB)
3. Issue copy command from router, copying the file into the flash memory
- TFTP:
- Not encrypted; router acts as a client
- copy tftp flash copies file from TFTP server to flash memory:
- Router asks for address or name of TFTP server,
- Source filename, and
- Destination filename
- FTP:
- Not encrypted; router acts as a client
- copy ftp://username:password@server-ip/filename flash
- To not include username and password in copy command:
- ip ftp username name
- ip ftp password pass
- SCP:
- Encrypted; router acts as the SCP server
- SSH must be enabled
- username name privilege 15 password pass gives the SSH user direct access to
privileged mode (highest privilege level)
- ip scp server enable enables the SCP server
- SCP client command:
- scp filename username@router-ip:fs:filename
- User must reload the router to start using the new IOS copied into a local IFS
Verification:
- show flash shows files in the flash memory - check for IOS image
- dir flash0: shows contents in flash0:, with similar information as show flash
- verify /md5 ios-image hash checks for code integrity within the IOS image
- hash parameter is copy-pasted hash value for IOS image as published by Cisco
Components of a filename:
C1900-universalk9-mz.SPA.152-4.M3.bin
- C1900: The hardware this image runs on (e.g. router model)
- universalk9: States that this image is a universal IOS image, and contains strong
encryption which can only be used in some countries
- m: Where the image runs (e.g. RAM)
- z: Compression format (e.g. zip)
- SPA: Digital signature indicator - file is signed by Cisco
- 15: Major release
- 2: Minor release
- 4: Maintenance release
- M: Extended maintenance release
- 3: Maintenance rebuild
- .bin: Binary executable file
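Added example (not from these notes or Cisco): Python that splits an IOS image filename into the fields listed above and performs the same integrity check as verify /md5, comparing the image's MD5 digest with the hash published by Cisco. The image bytes and "published" hash are constructed here so the example runs offline; the parser assumes a single-digit minor release as in 152-4.

```python
import hashlib
import hmac

# Constructed stand-in for an IOS image; a real image is tens of megabytes.
SAMPLE_IMAGE = b"constructed placeholder bytes, not a real IOS image\n"
# Normally copy-pasted from cisco.com; computed here only to keep the example self-contained.
PUBLISHED_MD5 = hashlib.md5(SAMPLE_IMAGE).hexdigest()


def parse_ios_image_name(name: str) -> dict:
    """Split a name such as C1900-universalk9-mz.SPA.152-4.M3.bin into its fields.

    Assumes the layout shown in the notes (single-digit minor release)."""
    head, signature, release, train, extension = name.split(".")
    platform, feature_set, run_compress = head.split("-")
    version, maintenance = release.split("-")
    return {
        "platform": platform,                  # hardware the image runs on
        "feature_set": feature_set,            # e.g. universalk9 = universal, strong crypto
        "runs_from": run_compress[0],          # m = runs from RAM
        "compression": run_compress[1],        # z = zip
        "signed": signature == "SPA",          # digitally signed by Cisco
        "major": int(version[:-1]),
        "minor": int(version[-1]),
        "maintenance": int(maintenance),
        "train": train[0],                     # M = extended maintenance
        "rebuild": int(train[1:]),
        "extension": extension,
    }


def verify_md5(image: bytes, published_hash: str) -> bool:
    """Same check as IOS 'verify /md5 image hash': digest must equal Cisco's value."""
    digest = hashlib.md5(image).hexdigest()
    return hmac.compare_digest(digest.lower(), published_hash.strip().lower())


if __name__ == "__main__":
    info = parse_ios_image_name("C1900-universalk9-mz.SPA.152-4.M3.bin")
    print(f"{info['platform']} IOS {info['major']}.{info['minor']}"
          f"({info['maintenance']}){info['train']}{info['rebuild']} signed={info['signed']}")
    print("intact image verifies:", verify_md5(SAMPLE_IMAGE, PUBLISHED_MD5))
    print("tampered image verifies:", verify_md5(SAMPLE_IMAGE + b"x", PUBLISHED_MD5))
```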

5.5.b Password recovery and configuration register
Boot sequence:
- Configuration register finds some settings at boot time before router loads IOS and
reads the startup-config file
- Sets console speed (default 9600bps), which IOS to load etc.
- config-register 0xXXXX sets the configuration register for the next time the router is
reloaded and is automatically saved into the startup-config
- Default configuration register is 0x2102
- If boot field = 0, use the ROMMON OS
- If boot field = 1, load the first IOS file found in flash memory
- If boot field = 2-F:
A. Try each boot system command in the startup-config file, in order, until one works
B. If none of boot system work, load the first IOS file found in flash memory
- If all other attempts fail, load ROMMON, from which you can perform further steps to
recover by copying a new IOS image into flash
- boot system points to files in flash memory, filenames, IP addresses of servers, telling
the router where to look for an IOS image to load
- boot system can be configured multiple times, and each is added to end of a list
- Router tries to load IOS images in the order of the configured boot system commands
- boot system flash: the first file from system flash memory is loaded
- boot system flash filename: IOS with the name filename is loaded from system flash
memory
- boot system tftp filename server-ip: IOS with the name filename is loaded from the
TFTP server at address server-ip
- boot system needs to point to the new IOS file if upgraded
Password Recovery:
- The ignore-startup-config bit is the second bit of the third nibble
- If this bit is binary 1, the router ignores startup-config the next time the router is
loaded
1. Boot ROMMON, either by pressing the break key at console during boot of router, or
by removing all flash memory
2. Set the configuration register to ignore the startup-config with e.g. confreg 0x2142
3. Boot the router with an IOS. Router boots with no configuration and no password is set
4. Do copy startup-config running-config to make the router do its normal job
5. Change the forgotten password and save to startup-config
6. Change the configuration register back to its original value with e.g. config-register 0x2102
Verification:
- show version lists (in order):
1. IOS version
2. Uptime (time elapsed since last reload)
3. Reason for last reload of IOS (reload, power off/on, software failure)
4. Time of last reloading of IOS (if router's clock is set)
5. Source from which router loaded the current IOS
6. Amount of RAM memory
7. Number and types of interfaces
8. Amount of NVRAM memory
9. Amount of flash memory
10. Configuration register's current and future setting (if different)
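Added example (not from these notes): Python that decodes a configuration register value into its boot field and ignore-startup-config bit, and checks the last line of show version so that a router left at 0x2142 after a password recovery is noticed. The show version line is constructed; the bit positions follow the 0x2102/0x2142 values used in the notes.

```python
import re

BOOT_FIELD = 0x000F             # low nibble: what to boot
IGNORE_STARTUP_CONFIG = 0x0040  # the bit that 0x2142 sets and 0x2102 clears


def decode_config_register(reg: int) -> dict:
    """Explain the boot field and the ignore-startup-config bit of a register value."""
    boot = reg & BOOT_FIELD
    if boot == 0:
        action = "stay in ROMMON"
    elif boot == 1:
        action = "load first IOS file found in flash"
    else:
        action = "try each boot system command, then first IOS file in flash"
    return {
        "register": f"0x{reg:04X}",
        "boot_field": boot,
        "boot_action": action,
        "ignores_startup_config": bool(reg & IGNORE_STARTUP_CONFIG),
    }


# Last line of "show version"; the "(will be ...)" part appears only when
# config-register was changed and the router has not reloaded yet.
_SHOW_VERSION_RE = re.compile(
    r"Configuration register is (0x[0-9A-Fa-f]{4})"
    r"(?: \(will be (0x[0-9A-Fa-f]{4}) at next reload\))?"
)


def check_show_version(output: str) -> list:
    """Warn if the current or next-reload register would skip startup-config."""
    m = _SHOW_VERSION_RE.search(output)
    if not m:
        return ["no 'Configuration register is' line found"]
    current = int(m.group(1), 16)
    future = int(m.group(2), 16) if m.group(2) else current
    warnings = []
    for label, reg in (("current", current), ("next reload", future)):
        info = decode_config_register(reg)
        if info["ignores_startup_config"]:
            warnings.append(f"{label} register {info['register']} ignores "
                            "startup-config; set config-register 0x2102 after recovery")
    return warnings


if __name__ == "__main__":
    # Constructed show version tail: recovery done, register reset, reload still pending.
    tail = "Configuration register is 0x2142 (will be 0x2102 at next reload)"
    print(decode_config_register(0x2142))
    print(check_show_version(tail))
```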
5.5.c File system management
- File system: storage including directories, structure, filenames, with associated rules
- For each physical memory device in the router, IOS creates an IFS (IOS File System)
- running-config = system:running-config
- startup-config = nvram:startup-config
- flash = default flash IFS (usually flash0:)
Verification:
- show file systems lists size, available space, type, flag and directories of file systems
- more fs:/dir/filename displays content of file /filename in directory /dir in file system fs:
5.6 Use Cisco IOS tools to troubleshoot and resolve problems
5.6.a Ping traceroute with extended option
Ping:
- ping commands test whether the IP network can deliver packets in both
directions
- ping tests connectivity by sending ICMP echo request to an IP address and "if it is
addressed to you, send an ICMP echo reply back"
- Default ping settings: five echo messages, 2-second timeout
- If timeout, a period (.) is listed
- If success, an exclamation mark (!) is listed
- Common behaviour: the first ping attempt fails because some devices are still
missing an ARP table entry for the destination

- What ping tells us of this internetwork:
- R1 can send ICMP echo request messages to host B
- R1's 172.16.4.1 interface can send ICMP echo request messages to host B
- Host B can send ICMP echo reply messages to R1's 172.16.4.1
- R1 has a route (static or dynamic) that matches host B's address

- Host B has a valid default router setting
- R2 has a route for 172.16.4.1 (connected route)
- Data link and physical layer details are working
- Serial link is working
- Router LAN/serial interfaces are up/up
- All Ethernet LAN features are working
- Switch interfaces are in a connected (up/up) state
- Port security does not filter frames sent by R2 or host B
- STP has placed right ports into forwarding state
- ACLs did not filter ICMP messages

- ARP worked on R2 and host B and they have matching ARP table entries
- SW2 learned MAC addresses for its MAC address table
- Extended ping allows use of router's LAN interface as source IP address
- ping with guided options or ping dest-ip source source-ip

- Standard and extended pings cannot test for:
- ACLs that discard packets based on host A's IP address, while that same ACL
permits packets matched on the router's IP address
- LAN switch port security that filters A's frames (based on A's MAC address)
- IP routes on routers that happen to match host A's address, with different
routes matching R1's address
- Problems with host A's default router setting

- R1 issues ping 172.16.1.51 to test LAN connectivity to confirm:
- The host with address 172.16.1.51 replied
- The LAN can pass unicast frames from R1 to host 172.16.1.51 and vice versa
- The switches learned the MAC addresses of the router and the host, adding
those to the MAC address tables
- Host A and R1 completed the ARP process and list each other in their
respective ARP tables
- Potential root causes in case of failure:
- IP addressing problem:
- Host A could be statically configured with the wrong IP address
- DHCP problems:
- Host A could be using a different IP address than 172.16.1.51
- The DHCP configuration could be wrong
- The routers may be missing the DHCP relay configuration and so host A never
got its IPv4 address lease etc.
- VLAN trunking problems:
- Router could be configured for 802.1Q trunking, when the switch is not
- LAN problems (e.g. port security)
- Extended ping to LAN host:
- If standard ping of a local LAN host works...
- But an extended ping of the same LAN host fails...
- The problem likely relates somehow to the host's default router setting

- Standard ping across a serial WAN link to test WAN neighbours confirms:
- Both routers' serial interfaces are in an up/up state
- The Layer 1 and Layer 2 features of the link work
- The routers believe that the neighbouring router's IP address is in the same
subnet
- Inbound ACLs on both routers and R2's outbound ACL do not filter the
incoming packets
- The remote router is configured with the expected IP address
- ping does not confirm:
- Routes for subnets on LANs
- Host's ACL issues
- ping can use hostnames, which allows testing of DNS process:
- If ping of hostname fails but the ping of the IP address works, the problem
usually is to do with DNS
Traceroute:
- traceroute uses ICMP Time-to-Live Exceeded (TTL Exceeded) message
- Router sets initial TTL value, each forwarding router decreases TTL by 1 and
packet is discarded if TTL = 0 and sending host is notified with TTL Exceeded
- Extended traceroute lets user choose source address
- Windows: tracert, pathping; Linux/Mac OS X: traceroute
- Cisco IOS traceroute creates IP packets with a UDP header
- Where to look next to isolate problem:
- Connect to CLI of the last router listed, to look at forward route issues
- Connect to CLI of the next router that should have been listed, to look for
reverse route issues
- Failure of listing of R4 confirms:
- R3's problem with forward route to 5.5.5.5 OR
- R4's problem with reverse route to 1.1.1.1
Troubleshooting:

- Host's four key IPv4 settings must correctly match:
- ipconfig /all or ifconfig shows the host's IPv4 settings and MAC address
- DNS server setting should match the addresses of actual DNS servers
- Default router setting should match router's LAN interface ip address command
- Incorrect default router setting => hosts unable to send packets to different
subnet
- Sending within LAN works because it does not require a default router
- Standard ping from router to host works, extended ping does not
- Subnet mask setting should be the same for the default router and the host
- Mismatched subnet mask causes router to not include host in connected route
- Host and router should have the same range of IP addresses
- Compare ipconfig /all with show interfaces int-id
- If host and default router can't send packets to each other:
- There may be problems that cause the router LAN interface to fail
- There may be problems with the LAN itself e.g. Ethernet cable pinouts, port
security, STP
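Added example (not from these notes): Python that compares a host's ipconfig /all values with the router's LAN interface settings and reports the mismatches described above (wrong default router, differing subnet mask, host outside the router's connected subnet, DNS servers that are not the real ones). Host A's address 172.16.1.51 comes from the notes; the router address 172.16.1.1 and the DNS addresses are assumed values.

```python
import ipaddress


def check_host_ipv4(host_ip, host_mask, host_gateway, router_ip, router_mask,
                    host_dns=(), actual_dns=()):
    """Compare the host's four key IPv4 settings with the router's LAN interface.

    Returns a list of problem descriptions; an empty list means the settings agree."""
    problems = []
    host = ipaddress.ip_interface(f"{host_ip}/{host_mask}")
    router = ipaddress.ip_interface(f"{router_ip}/{router_mask}")
    gateway = ipaddress.ip_address(host_gateway)

    # Default router must be the router's LAN interface ip address
    if gateway != router.ip:
        problems.append(f"default router {gateway} does not match router LAN "
                        f"interface {router.ip}")
    # Mismatched mask: router's connected route will not include the host
    if host.network.netmask != router.network.netmask:
        problems.append(f"subnet mask {host.network.netmask} differs from router's "
                        f"{router.network.netmask}")
    # Host and router must agree on the range of addresses in the subnet
    if host.ip not in router.network:
        problems.append(f"host {host.ip} is outside the router's connected subnet "
                        f"{router.network}")
    if gateway not in host.network:
        problems.append(f"default router {gateway} is not in the host's own subnet "
                        f"{host.network}")
    # DNS setting should list the addresses of the actual DNS servers
    wrong_dns = [d for d in host_dns if d not in actual_dns]
    if actual_dns and wrong_dns:
        problems.append(f"DNS server(s) {', '.join(wrong_dns)} are not the actual DNS servers")
    return problems


if __name__ == "__main__":
    # Assumed router LAN interface 172.16.1.1/24 and DNS server 172.16.9.10
    good = check_host_ipv4("172.16.1.51", "255.255.255.0", "172.16.1.1",
                           "172.16.1.1", "255.255.255.0",
                           host_dns=("172.16.9.10",), actual_dns=("172.16.9.10",))
    bad = check_host_ipv4("172.16.1.51", "255.255.0.0", "172.16.1.254",
                          "172.16.1.1", "255.255.255.0")
    print("host A ok:", good == [])
    for p in bad:
        print("problem:", p)
```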

5.6.b Terminal monitor
5.6.c Log events
