- Error recovery (TCP only):
- Flow control using windowing (TCP only):
Three-tier:
- Uses less switch ports and cables
- Uses a hybrid design
- Core tier uses partial mesh and aggregates (clusters together) distribution switches
Partial mesh:
- For any set of network nodes, a design that connects a link between some pairs
of nodes, but not all; some nodes connect to each other
1.5.c Hybrid
- Combination of different topologies in one network
WAN links
- WAN links use serial cables, T1 etc.
- Router connects to CSU/DSU by using RJ-48 connector on a serial cable
- Simulated serial links use V.35 DTE and V.35 DCE cables and router with DCE cable needs
to provide clock rate
- WAN links can use DSL with phone cables or cable Internet with CATV cables
Console line
VTY line
- Telnet: All data sent in clear-text, TCP port 23
- SSH: All data sent encrypted, TCP port 22
Subnet mask:
- Company can use a single mask for every subnet or VLSM
- Binary mask, DDN mask, prefix mask conversion:
- Binary <=> DDN: Convert each binary octet to decimal and vice versa
- DDN <=> prefix: Convert prefix to binary, and then convert back to DDN mask
- Binary <=> prefix: Write P bits of 1s, and 32 - P bits of 0s
- Comprises of 32 bits divided into:
- Network and host bits for unsubnetted network
- Prefix (network + subnet) and host bits for subnets
- Prefix bits - classful network bits = subnet bits
- CIDR network bits can be any value and ignores classful rules
Network:
- Network bits depend on the classful network that is being subnetted (A=8, B=16, C=24)
and stay locked
Subnet:
- No. of subnets in network = 2^S (only works when a single mask is used)
- When using a single mask, S must support the number of subnets required
Host:
- No. of hosts in subnet = 2^H - 2
- Every address between subnet ID and subnet broadcast address
- When using a single mask, H needs to support the largest host/subnet
- Address can be statically assigned or learned using DHCP
Worked example: 172.171.170.169 with mask 255.255.248.0
- Prefix mask: /21
  Rule: if the mask octet is 255, add 8; if it is 0, add 0; if it is in between, find X in
  2^X = 256 - octet and add 8 - X
  Here: 2^3 = 256 - 248, so 8 - 3 = 5, and 8 + 8 + 5 + 0 = 21
- Class: Class B
  Class A: 1.0.0.0 - 126.0.0.0; Class B: 128.0.0.0 - 191.255.0.0; Class C: 192.0.0.0 - 223.255.255.0
- Network bits: 16 bits (Class A: 8 bits, Class B: 16 bits, Class C: 24 bits)
- Subnet bits: 5 bits (prefix bits - network bits: 21 - 16 = 5)
- Host bits: 11 bits (32 - prefix bits: 32 - 21 = 11)
- Hosts/subnet: 2^11 - 2 = 2046 (2^H - 2)
- Subnets in network: 2^5 = 32 (2^S)
- Subnet ID: 172.171.168.0
  If the mask octet = 255, copy the decimal IP address octet; if the mask octet = 0, write a
  decimal 0; if neither, write the closest multiple of [256 - mask octet] that does not exceed
  the IP address octet
- Subnet broadcast address: 172.171.175.255
  If the mask octet = 255, copy the decimal IP address octet; if the mask octet = 0, write a
  decimal 255; if neither, subnet ID octet + [256 - mask octet - 1]
- First usable address: 172.171.168.1 (subnet ID + 0.0.0.1)
- Last usable address: 172.171.175.254 (subnet broadcast address - 0.0.0.1)
Choosing the subnet mask:
- Smallest value of S in 2^S >= required number of subnets
- Smallest value of H in 2^H - 2 >= largest number of hosts in one subnet
- Invalid subnet: minimum number of subnet bits and host bits required does not fit
- One mask meets requirement: if N + S + H = exactly 32
- If multiple masks meet the need:
- Shortest prefix mask maximises number of hosts/subnet
- Longest prefix mask maximises number of possible subnets
- Any range of prefix masks between the two can be used
- First subnet ID is called subnet zero or zero subnet and is equal to classful network ID
- ip subnet-zero (default) allows configuration of addresses in the zero subnet
- no ip subnet-zero prevents configuration of addresses in the zero subnet (router
rejects use of address with "Bad mask /P for address X.X.X.X"
- Number of subnets in network = 256 / {256 - interesting octet}
- Finding all subnets with 8 or less subnet bits:
- Add {256 - interesting octet} to previous subnet number or zero subnet
- All subnets with exactly 8 subnet bits have increasing subnet IDs by 1
- Finding all subnets with more than 8 subnet bits:
- Find all subnet IDs for the interesting octet
- Add 1 to the just-left octet for each time the interesting octet hits the limit
- Stop when you create a block with the just-left octet of 255
- Finding all subnets with 17 or more subnet bits:
- Only Class A network can be subnetted in this way
- Create subnet blocks within subnet blocks to list all subnet IDs
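The subnet maths above (mask conversion, the octet-by-octet "magic number" method, choosing a mask, and listing all subnet IDs from the zero subnet) as an added Python example; this is not code from the notes, and the addresses used in it are constructed.

```python
"""Subnet maths done the way these notes describe it: octet by octet with the "magic
number" (256 - mask octet). Added example, not from the notes; addresses are constructed."""
from typing import Dict, List

OCTET_SHIFTS = (24, 16, 8, 0)


def prefix_to_ddn(prefix: int) -> str:
    """Write P one-bits and 32 - P zero-bits, then read them back as four decimal octets."""
    bits = (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF
    return ".".join(str((bits >> shift) & 0xFF) for shift in OCTET_SHIFTS)


def ddn_to_prefix(mask: str) -> int:
    """255 adds 8, 0 adds 0, anything else adds 8 - X where 2^X = 256 - octet."""
    length = 0
    for octet in map(int, mask.split(".")):
        if octet == 255:
            length += 8
        elif octet != 0:
            magic = 256 - octet
            length += 8 - (magic.bit_length() - 1)
    if prefix_to_ddn(length) != mask:      # rejects non-contiguous masks such as 255.255.255.250
        raise ValueError(f"{mask} is not a valid subnet mask")
    return length


def classful_network_bits(address: str) -> int:
    """Network bits are locked by the class of the first octet (A=8, B=16, C=24)."""
    first = int(address.split(".")[0])
    if 1 <= first <= 126:
        return 8
    if 128 <= first <= 191:
        return 16
    if 192 <= first <= 223:
        return 24
    raise ValueError(f"{address} is not in a class A, B or C network")


def analyse(address: str, mask: str) -> Dict[str, object]:
    """Bit counts, subnet ID, broadcast and usable range (assumes a /30 or shorter mask)."""
    prefix = ddn_to_prefix(mask)
    net_bits = classful_network_bits(address)
    subnet_id, broadcast = [], []
    for ip_octet, mask_octet in zip(map(int, address.split(".")), map(int, mask.split("."))):
        if mask_octet == 255:              # copy the address octet
            subnet_id.append(ip_octet)
            broadcast.append(ip_octet)
        elif mask_octet == 0:              # 0 for the subnet ID, 255 for the broadcast
            subnet_id.append(0)
            broadcast.append(255)
        else:                              # closest multiple of the magic number not above the octet
            magic = 256 - mask_octet
            base = ip_octet - ip_octet % magic
            subnet_id.append(base)
            broadcast.append(base + magic - 1)

    def dotted(octets: List[int]) -> str:
        return ".".join(map(str, octets))

    return {
        "prefix": prefix,
        "network_bits": net_bits,
        "subnet_bits": prefix - net_bits,
        "host_bits": 32 - prefix,
        "subnets": 2 ** (prefix - net_bits),         # 2^S, valid only when a single mask is used
        "hosts_per_subnet": 2 ** (32 - prefix) - 2,  # 2^H - 2
        "subnet_id": dotted(subnet_id),
        "broadcast": dotted(broadcast),
        "first_usable": dotted(subnet_id[:3] + [subnet_id[3] + 1]),
        "last_usable": dotted(broadcast[:3] + [broadcast[3] - 1]),
    }


def choose_masks(net_bits: int, subnets_needed: int, hosts_needed: int) -> List[int]:
    """Every prefix length with 2^S >= subnets and 2^H - 2 >= hosts, shortest (most hosts)
    first and longest (most subnets) last; an empty list means the requirement does not fit."""
    s = 0
    while 2 ** s < subnets_needed:
        s += 1
    h = 0
    while 2 ** h - 2 < hosts_needed:
        h += 1
    if net_bits + s + h > 32:
        return []
    return list(range(net_bits + s, 32 - h + 1))


def list_subnets(network: str, prefix: int) -> List[str]:
    """All subnet IDs, starting with the zero subnet (equal to the classful network ID).
    Adding the block size as an integer carries into the octet to the left on its own, so
    this also covers the more-than-8-subnet-bits cases the notes walk through by hand."""
    net_bits = classful_network_bits(network)
    base = sum(int(o) << shift for o, shift in zip(network.split("."), OCTET_SHIFTS))
    block = 1 << (32 - prefix)             # 256 - interesting octet, scaled to 32 bits
    return [".".join(str(((base + k * block) >> shift) & 0xFF) for shift in OCTET_SHIFTS)
            for k in range(1 << (prefix - net_bits))]
```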
VLSM:
- Using more than one mask in a single classful network
- VLSM creates less wasted IP addresses in public networks
- To support VLSM, routing protocol must be classless and send mask in routing updates
- Range: FC00::/7 (RFC 4193 requires eighth bit to be set to 1 => FD00::/8 in use)
- Unique local IPv6 address = private IPv4 address
- IPv6 NAT/PAT is used to assign unique local addresses to hosts
- Multiple organisations can use the exact same addresses, and with no
requirement for registering with any numbering authority
- For a real network, global routing prefixes should be chosen at random, so that it
is globally unique, to help the merging of two enterprise networks to become
much easier, as no two addresses overlap
- Unique local address rules:
- Use FD as the first two hex digits
- Choose a unique 40-bit global ID
- Append the global ID to FD to create a 48-bit prefix, used as the prefix for all your
addresses
- Use the next 16 bits as a subnet field
- Note that the structure leaves a convenient 64-bit interface ID field
Configuration:
To configure full, 128-bit address:
- ipv6 address address/prefix-length
To configure first 64 bits of the address and use EUI-64 to derive the rest:
- ipv6 address address/prefix-length eui-64
1.14.c Link local
- Range: FE80::/10 (but the RFC says the next 54 bits should be binary 0, so link-local
addresses should always start with FE80::/64)
- Purposes of link-local addresses:
- Not used for normal IPv6 packet flows, but by overhead protocols and for routing
- IPv6 protocols such as NDP that need to send messages inside a single subnet
typically use link-local addresses
- Routers use link-local addresses as the next-hop IPv6 addresses in IPv6 routes
- Hosts use default router's link-local address
- Key facts about link-local addresses:
- Link-local addresses represent a single host (unicast)
- Forwarding scope is the local link only (packets are not forwarded)
- Automatically generated; every IPv6 host interface (and router interface) can
create its own link-local address automatically, solving some initialisation
problems for hosts before they learn a dynamically learned global unicast
address
- Link-local addresses can be created:
- With EUI-64 format (Cisco routers)
- By random (Microsoft OS)
- With static configuration
- IOS creates link-local addresses for any interface that has configured at least one
other unicast address with ipv6 address (global unicast, unique local)
- Unicast and link-local addresses have same interface IDs if using EUI-64
- Two routers on a WAN link do not need global unicast addresses, whereas hosts
on each LAN need global unicast address
Configuration:
- ipv6 address address link-local OR
- IOS calculates link-local address with EUI-64 rules
- ipv6 enable enables IPv6 and router creates a link-local address
1.14.d Multicast
- Range: FF00::/8
- FF02::/16 = link-local scope multicast
- Router will not forward these packets outside the local subnet
- FF08::/16 = organisation-scope multicast
- Packets are forwarded throughout the organisation but not out the Internet
- Key IPv6 local-scope multicast addresses:
Short name         Multicast address   Meaning                                             IPv4 equivalent
All-nodes          FF02::1             All interfaces that use IPv6 that are on the link   Subnet broadcast address
All-routers        FF02::2             All IPv6 router interfaces on the link              -
All-OSPF           FF02::5             All OSPF routers                                    224.0.0.5
All-OSPF-DR        FF02::6             All OSPF-designated routers                         224.0.0.6
RIPng Routers      FF02::9             All RIPng routers                                   224.0.0.9
EIGRPv6 Routers    FF02::A             All routers using EIGRPv6                           224.0.0.10
DHCP Relay Agent   FF02::1:2           All routers acting as a DHCPv6 relay agent          -
- Solicited-node multicast address:
- Range: FF02::1:FF/104
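The address construction rules from the unique local, link-local and solicited-node sections above (FD + 40-bit global ID + 16-bit subnet, EUI-64 interface IDs, FE80::/64, FF02::1:FF/104) as one added Python example; this is not code from the notes or from IOS, and the MAC address and global ID it uses are constructed.

```python
"""Deriving the IPv6 addresses these notes describe from one MAC address: the EUI-64
interface ID, the FE80::/64 link-local address, a unique local address built from FD + a
40-bit global ID + 16-bit subnet, and the solicited-node multicast address. Added example,
not from the notes; the MAC and global ID used below are constructed."""
import ipaddress
import secrets


def mac_to_bytes(mac: str) -> bytes:
    """Accept Cisco dotted (0013.1234.5678), colon or dash notation."""
    digits = "".join(c for c in mac if c not in ".:-")
    if len(digits) != 12:
        raise ValueError(f"bad MAC address: {mac}")
    return bytes.fromhex(digits)


def eui64_interface_id(mac: str) -> int:
    """Split the MAC in half, insert FFFE in the middle, flip the U/L bit (bit 7 of byte 0)."""
    m = bytearray(mac_to_bytes(mac))
    m[0] ^= 0x02
    return int.from_bytes(bytes(m[:3]) + b"\xff\xfe" + bytes(m[3:]), "big")


def link_local_address(mac: str) -> str:
    """FE80::/64 plus the EUI-64 interface ID, as IOS derives it for an interface."""
    base = int(ipaddress.IPv6Address("fe80::"))
    return ipaddress.IPv6Address(base | eui64_interface_id(mac)).compressed


def unique_local_prefix(global_id: int, subnet: int) -> str:
    """FD + 40-bit global ID gives the /48; the next 16 bits are the subnet field, giving a /64."""
    if not 0 <= global_id < 1 << 40 or not 0 <= subnet < 1 << 16:
        raise ValueError("global ID must fit in 40 bits and subnet in 16 bits")
    prefix = (0xFD << 120) | (global_id << 80) | (subnet << 64)
    return ipaddress.IPv6Network((prefix, 64)).compressed


def unique_local_address(global_id: int, subnet: int, mac: str) -> str:
    """Full 128-bit unique local address for a host, with an EUI-64 interface ID."""
    net = ipaddress.IPv6Network(unique_local_prefix(global_id, subnet))
    return ipaddress.IPv6Address(int(net.network_address) | eui64_interface_id(mac)).compressed


def random_global_id() -> int:
    """RFC 4193 wants the global ID chosen at random so merged networks do not overlap."""
    return secrets.randbits(40)


def solicited_node_multicast(address: str) -> str:
    """FF02::1:FF00:0/104 plus the low 24 bits of the unicast address."""
    low24 = int(ipaddress.IPv6Address(address)) & 0xFFFFFF
    base = int(ipaddress.IPv6Address("ff02::1:ff00:0"))
    return ipaddress.IPv6Address(base | low24).compressed
```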
- Full duplex: node can send and receive at the same time: no collisions
- Half duplex: node can only send or receive at any given time: CSMA/CD with
backoff should be used, but collisions still occur naturally
Switch forwarding logic:
Known unicast:
- Switches compare destination MAC address to MAC address table
- The matched table entry tells the switch to forward the frame out a port
- The switch filters on all other ports
Unknown unicast and broadcast:
- Switches flood unknown unicasts and broadcasts
- show interfaces int-id counters: lists number of unicast, multicast, and broadcast
frames received/sent by the port
- show interfaces status
Switch forwarding path:
- Is interface on up/up state?
- No: port cannot send/receive frames
- show interfaces (line/protocol), show interfaces status (state)
- Is port security configured?
- Yes: apply port security logic to filter frames as appropriate
- show port-security interface, show port-security, show mac address-table
{static | secure}
- Is the port an access port?
- Yes: determine interface's access VLAN
- No: determine the frame's tagged VLAN
- show interfaces switchport (administrative/operational modes), show
interfaces trunk (allowed VLANs)
- Is the frame a (A) known unicast? (B) unknown unicast? (C) broadcast?
- A: forward frame out only matched address table entry
- B,C: flood frame out all other access ports except incoming port in same VLAN
and allowed trunks
- show mac address-table {dynamic}
2.1.c Frame flooding
- Flooding: Forwarding the frame out all interfaces except the incoming interface
- Switches flood unknown unicasts and LAN broadcast frames (FFFF.FFFF.FFFF)
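The forwarding path and flooding rules above as an added Python model (not code from the notes or from any switch): interface state, a port-security maximum, access VLAN versus trunk tag, MAC learning per VLAN, then known-unicast forwarding or flooding within the VLAN. Port names, VLAN numbers and MAC addresses are constructed.

```python
"""A small model of the switch forwarding path in these notes: interface state, port
security, access VLAN vs trunk tag, then forward a known unicast out one port or flood an
unknown unicast/broadcast within the VLAN, learning source MACs as frames arrive. Added
example, not from the notes; port names, VLANs and MAC addresses are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

BROADCAST = "ffff.ffff.ffff"


@dataclass
class Port:
    name: str
    up: bool = True
    access_vlan: Optional[int] = None                     # set for an access port
    allowed_vlans: Set[int] = field(default_factory=set)  # trunk: VLANs allowed on the trunk
    max_secure: Optional[int] = None                      # port-security maximum; None = not configured
    secure_macs: Set[str] = field(default_factory=set)
    err_disabled: bool = False

    @property
    def is_trunk(self) -> bool:
        return self.access_vlan is None


class Switch:
    def __init__(self, ports: List[Port]):
        self.ports = {p.name: p for p in ports}
        self.mac_table: Dict[Tuple[int, str], str] = {}   # (VLAN, MAC) -> port name

    def receive(self, in_port: str, src: str, dst: str, tag: Optional[int] = None) -> List[str]:
        """Return the ports the frame is forwarded out of; [] means it was filtered or dropped."""
        port = self.ports[in_port]
        # Is the interface up/up (and not err-disabled)?
        if not port.up or port.err_disabled:
            return []
        # Is port security configured? A source MAC beyond the maximum err-disables the
        # port (the default shutdown violation mode).
        if port.max_secure is not None:
            port.secure_macs.add(src)
            if len(port.secure_macs) > port.max_secure:
                port.err_disabled = True
                return []
        # Access port: use its access VLAN. Trunk: use the frame's tag, if allowed.
        if port.is_trunk:
            if tag is None or tag not in port.allowed_vlans:
                return []
            vlan = tag
        else:
            vlan = port.access_vlan
        # Learn the source MAC in this VLAN (what show mac address-table dynamic lists).
        self.mac_table[(vlan, src)] = in_port
        # Known unicast: forward out the one matching port only (filter on the rest).
        known = self.mac_table.get((vlan, dst))
        if dst != BROADCAST and known is not None:
            return [] if known == in_port else [known]
        # Unknown unicast or broadcast: flood out every other access port in the VLAN
        # and every trunk that allows the VLAN, never back out the incoming port.
        return [p.name for p in self.ports.values()
                if p.name != in_port and p.up and not p.err_disabled
                and (p.access_vlan == vlan or (p.is_trunk and vlan in p.allowed_vlans))]
```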
STP:
- STP prevents loops and broadcast storms
- STP states:
- Blocking state: interface can't forward or receive data frames
- Forwarding state: interface can send and receive data frames
- Other states: listening state, learning state, disabled state
- STP is enabled by default
2.1.d MAC address table
- show mac address-table: lists all known MAC addresses in the MAC address table
- show mac address-table dynamic: lists all dynamically learned MAC addresses
- VLAN: the VLAN in which the
switch will forward
- MAC address
- Type: dynamic or static
- Ports: outgoing port
- show mac address-table dynamic address addr: shows a specific dynamic MAC
address entry in the MAC address table
- show mac address-table dynamic interface int-id: shows a dynamically learned
MAC address entries from a particular port in the MAC address table
- show mac address-table dynamic vlan vlan-id: shows dynamic MAC address table
entries for one VLAN
2.3 Troubleshoot interface and cable issues (collisions, errors, duplex, speed)
- duplex {auto | full | half}: configures duplex of interface, default is auto
- speed {auto | 10 | 100 | 1000}: configures speed of interface, default is auto
- [no] shutdown: enables/disables interface
- show interfaces status: displays port status, duplex, speed and type
- no duplex and no speed: reset the interface duplex/speed to the default configuration (auto)
- Autonegotiation: uses top speed and full duplex of both ports
- In case of autonegotiation failure:
- Sense the speed: if speed is 10 or 100, use half duplex; otherwise use full duplex
- If sensing speed fails: use IEEE default of slowest supported speed
- Duplex mismatch will cause 'late collision' errors
- Devices connected to hubs must use IEEE default settings (often 10 Half)
Duplex mismatch:
- show interfaces status shows if duplex was autonegotiated or statically configured
- show interfaces int-id shows duplex is enabled, but does not state whether it was
autonegotiated or statically configured
Interface status:
- Duplex mismatch: two devices use different duplexes
- Switch with half duplex and using CSMA/CD will experience collisions
- Administratively down/down (disabled): the shutdown command is configured
- Down/down (notconnect): no cable; bad cable; wrong cable pinouts; speed mismatch;
neighbouring device is powered off, shutdown or err-disabled
- Down/down (err-disabled): port security has disabled the interface
- Up/up (connected): the interface is working
Interface counters:
- Runts: frames that did not meet the minimum frame size requirement (64 bytes)
- Giants: frames that exceed the maximum frame size requirement (1518 bytes)
- Input errors: total of runts/giants/no buffer/CRC/frame/overrun/ignored counts etc.
- CRC: received frames that did not pass the FCS math
- Frame: received frames that have an illegal format (e.g. ending with partial byte)
- Packets output: total number of packets forwarded out interface
- Output errors: total number of packets that switch port tried to transmit, but for which
some problem occurred
- Collisions: counter of all collisions that occur when the interface is transmitting a frame
- Late collisions: the subset of all collisions that happen after the 64th byte of the frame
Collisions:
- Increasing runts, input errors, CRC, frame errors, collisions counter
Duplex mismatch:
- Increasing late collisions counter (and runts, input errors, CRC, collisions)
Cable interference:
- Increasing CRC counter but not increasing collisions counter
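The three counter patterns above (collisions, duplex mismatch, cable interference) turned into a check, as an added Python example that is not from the notes: it parses two captures of `show interfaces` for the same port, diffs the counters and reports which pattern the growth matches. The captures in the block are constructed for the example, not real device output.

```python
"""The counter rules in these notes as a check: parse two captures of `show interfaces`
for the same port, diff the counters, and report what the growth pattern suggests.
Added example, not from the notes; the captures below are constructed, not real output."""
import re
from typing import Dict, List

COUNTER_RE = re.compile(
    r"(\d+) (runts|giants|input errors|CRC|frame|output errors|collisions|late collision)\b")

# Constructed captures of the same FastEthernet port at three points in time.
CAPTURE_T0 = """\
FastEthernet0/1 is up, line protocol is up (connected)
     5 runts, 0 giants, 0 throttles
     12 input errors, 9 CRC, 3 frame, 0 overrun, 0 ignored
     0 output errors, 40 collisions, 1 interface resets
     0 babbles, 0 late collision, 0 deferred
"""
CAPTURE_T1 = """\
FastEthernet0/1 is up, line protocol is up (connected)
     19 runts, 0 giants, 0 throttles
     31 input errors, 24 CRC, 7 frame, 0 overrun, 0 ignored
     0 output errors, 97 collisions, 1 interface resets
     0 babbles, 14 late collision, 0 deferred
"""
CAPTURE_T2 = """\
FastEthernet0/1 is up, line protocol is up (connected)
     19 runts, 0 giants, 0 throttles
     47 input errors, 40 CRC, 7 frame, 0 overrun, 0 ignored
     0 output errors, 97 collisions, 1 interface resets
     0 babbles, 14 late collision, 0 deferred
"""


def parse_counters(capture: str) -> Dict[str, int]:
    """Pull the counters these notes use out of one `show interfaces` capture."""
    return {name: int(value) for value, name in COUNTER_RE.findall(capture)}


def diagnose(before: str, after: str) -> List[str]:
    """Classify counter growth between two captures using the notes' three patterns."""
    b, a = parse_counters(before), parse_counters(after)
    delta = {name: a[name] - b.get(name, 0) for name in a}
    findings = []
    if delta.get("late collision", 0) > 0:
        findings.append("duplex mismatch: late collisions increasing")
    if delta.get("CRC", 0) > 0 and delta.get("collisions", 0) == 0:
        findings.append("cable interference: CRC errors increasing without collisions")
    elif delta.get("collisions", 0) > 0:
        findings.append("collisions: collisions, runts, input errors and CRC increasing together "
                        "(normal on a half-duplex link)")
    if delta.get("giants", 0) > 0:
        findings.append("giants: frames over 1518 bytes being received")
    return findings or ["no error counter growth"]
```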
Collision domains:
- All ports in a LAN hub are in a single collision domain
- Each port in a LAN bridge is in a separate collision domain
- Each port in a LAN switch is in a separate collision domain
- Each LAN port in a router is in a separate collision domain (the term collision domain
does not apply to WAN interfaces, which use non-Ethernet protocols, e.g. serial, ATM)
- LAN switches/routers with full duplex on each link would have no collisions at all
Broadcast domains:
- Each VLAN is a broadcast domain created through configuration
- Routers create separate broadcast domains off their separate Ethernet interfaces
2.4 Configure, verify, and troubleshoot VLANs (normal range) spanning multiple switches
2.4.a Access ports (data and voice)
- Normal-range VLANs: 1 - 1005 (legacy/reserved: 1002 - 1005)
- Extended-range VLANs: 1006 - 4094
- Same VLAN = same subnet = same broadcast domain
- VTP servers can configure VLANs in the standard range only
Configure access VLAN:
- Step 1: Configure a new VLAN (can also be configured at step 2B):
A. vlan vlan-id -- creates the VLAN and moves user to VLAN config mode
B. (opt) name vlan-name -- lists a name for the VLAN (default VLANXXXX)
- Step 2: For each access (nontrunking) interface:
A. interface int-id -- move to interface config mode for each desired interface
B. switchport access vlan id-number -- specifies the VLAN number associated
with that interface
C. (opt) switchport mode access -- makes the port always operate in access mode
Configure VTP:
- vtp mode transparent sets switch to use VTP transparent mode
- vtp mode off sets switch to disable VTP
Configure data and voice VLAN:
- CDP must be enabled for voice VLANs
- PC => IP phone embedded switch => Ethernet switch
- Port is not listed in the list of operational trunks in show interfaces trunk
- switchport access vlan vlan-id -- defines the data VLAN
switchport mode access -- makes the port always operate in access mode
switchport voice vlan vlan-id -- sets the voice VLAN ID
Verify:
- show vlan brief lists name, status and ports in VLANs
- show vlan {id vlan-id} lists detailed information about VLANs
- show vtp status shows the VTP status
Troubleshooting VLANs:
- Identify all access interfaces and their assigned access VLANs and reassign into
the correct VLANs as needed
show interfaces switchport
switchport access vlan x
- Determine whether the VLANs both exist (configured or learned with VTP) and
are active on each switch. If not, configure and activate the VLANs to resolve
problems as needed
show vlan {brief | id x}
vlan x OR switchport access vlan x
no shutdown vlan x
- Check the allowed VLAN lists, on the switches on both ends of the trunk, and
ensure that the lists of allowed VLANs are the same
show interfaces trunk
- Check for incorrect configuration settings that result in one switch operating as
a trunk, with the neighbouring switch not operating as a trunk
show interfaces switchport
- Disabled VLANs:
- Active: VLAN is operational and active
- Act/lshut: VLAN is shut down, switch will not forward frames in that VLAN
- [no] shutdown vlan x or [no] shutdown in VLAN config mode disables/enables
VLAN
2.4.b Default VLAN
- Default native VLAN is VLAN 1
- All ports are put in VLAN 1 by default
2.5.b 802.1Q
- 802.1Q inserts an extra 4-byte 802.1Q header, with VLAN ID field
- Newer switches use 802.1Q by default
2.5.c Native VLAN
- 802.1Q does not add 802.1Q header to frames in native VLAN
- Default native VLAN is VLAN 1
2.6 Configure and verify Layer 2 protocols
2.6.a Cisco Discovery Protocol
- CDP is a Cisco-proprietary protocol
- CDP discovers information about neighbouring devices by listening for the
advertisements sent by other devices
- CDP discovers:
- Device identifier: typically the hostname
- Address list: network and data link addresses
- Port identifier: the interface on the remote router/switch on the other end of the
link that sent the CDP advertisement
- Capabilities list: information on what type of device it is (e.g. router or switch)
- Platform: the model and OS level running on the device
- Cisco IP phones use CDP to learn data and voice VLAN IDs on the access switch
- Any switchport connected to another switch, a router, or to an IP phone should
use CDP
- CDP creates a security exposure, so Cisco recommends CDP being disabled on
unnecessary interfaces
Configuration:
- [no] cdp run enables/disables CDP globally (enabled by default)
- [no] cdp enable enables/disables CDP on interfaces (enabled by default)
Verification:
- show cdp neighbors [type number] lists one summary line of information about
each neighbour or just the neighbour found on a specific interface if listed
- Lists device ID
- Lists local interface
- Lists holdtime (amount of time device holds info until discarding, default 180)
- Lists Capability (router or switch)
- Lists platform (short model name of device)
- Lists port ID (neighbouring device interface)
- show cdp neighbors detail lists one large set of information (approx. 15 lines),
one set for every neighbour
- Lists device ID, (full) platform, capabilities, interface, port ID
- Lists IP address
- Lists IOS version
- Lists VLAN information
- show cdp entry name lists the same information as show cdp neighbors detail,
but only for the named neighbour
- show cdp states whether CDP is enabled globally, and lists the default update
and holdtime timers
- show cdp interface [type number] states whether CDP is enabled on each
interface, or a single interface if the interface is listed, and states update and
holdtime timers on those interfaces
- show cdp traffic lists global statistics for the number of CDP advertisements sent
and received
2.6.b LLDP
- IEEE-standard (802.1ab) protocol
- CDP and LLDP have similar command syntax:
- lldp run enables LLDP globally
- no lldp transmit configures LLDP to only receive
- no lldp receive configures LLDP to only send
- Default: both are enabled
- show lldp neighbors
- show lldp entry name
Verification:
- show ip route output:
3.1.c Frame rewrite
Router:
- Frame rewrite happens at every Layer 3 device a packet passes through
- Routers discard the original frame after checking the FCS and destination MAC
address and encapsulate it in a new frame according to the outgoing interface:
3.2.f Metric
- Metric is the priority of a route as defined by a protocol (lower = better)
- RIP uses hop counts based on the number of next-hop routers
- OSPF uses cost based on bandwidth
- EIGRP uses cost based on bandwidth + delay
3.2.g Gateway of last resort
- Gateway of last resort is the default route, used when packets do not match any
other more specific entries in the routing table
3.3 Describe how a routing table is populated by different routing information sources
3.3.a Admin distance
- Routing information source with lower administrative distance = better
- Default administrative distances:
Connected 0
Static 1
EIGRP 90
OSPF 110
RIP 120
DHCP-learned default route 254
Unknown 255
3.4 Configure, verify, and troubleshoot inter-VLAN routing
3.4.a Router on a stick
ROAS:
- interface type number.subint -- creates a unique subinterface for each VLAN
- encapsulation [dot1q | isl] vlan-id -- enables 802.1Q or ISL and associates one
specific VLAN with the subinterface
- To configure interface to use native VLAN, use encapsulation...native instead
- ip address addr mask -- configures IP settings (address and mask)
- Configuring a PHYSICAL interface with ip address command without
encapsulation command is considered to be using the native VLAN
Verify:
- show running-config lists configuration commands
- show ip route lists connected and local routes for each subinterface
- show vlans lists subinterface VLAN ID and native VLAN for that subinterface
Layer 3 Switch:
- sdm prefer lanbase-routing -- enables hardware support for IPv4 routing; switch
must be reloaded after
- ip routing -- enables IPv4 routing on the switch
- interface vlan vlan-id -- creates SVI (VLAN interface) for each VLAN to be routed
- ip address addr mask -- configures IP address and mask on SVI, enabling IPv4 on
that SVI
- no shutdown -- enables the SVI
3.5 Compare and contrast static routing and dynamic routing
- IGP: exchanging routing updates within an autonomous system (AS)
- EGP: exchanging routing updates between autonomous systems (AS)
Distance-vector                                        Link-state
RIPv1, RIPv2, IGRP, EIGRP (hybrid)                     OSPF
Distance: routing protocol metric, e.g. hop count      Link: directly connected link
Vector: link and next-hop router to use as part of     State: state of those links
that route
Sends periodic updates                                 Sends incremental updates (updates only
                                                       when there are changes)
Has larger routing tables                              Converges more quickly and is less prone
                                                       to routing loops
Uses UDP messages                                      Requires more CPU and memory
Sends out its entire routing table
3.6 Configure, verify, and troubleshoot IPv4 and IPv6 static routing
- Checklist for adding route to IP routing table:
- Are there any competing routes?
- For ip route with outgoing interface, is the interface in an up/up state?
- For ip route with next-hop IP address, does the local router have a route to reach that IP
address?
IPv6 routes:
- If interface is up/up and ipv6 address is configured, router adds:
- A connected route for the subnet
- A local route (/128 prefix length) for the router IPv6 address
- Routers do not create routes based on the link-local addresses associated with the
interface, not even local routes
- Routers remove the connected and local routes for an interface if the interface fails, and
they re-add these routes when the interface is again in a working (up/up) state
- IPv6 routing table adds a local route for each interface + one local route for all multicast
addresses (FF00::/8)
Verification:
- show ip route displays routing table
- show ipv6 route displays IPv6 routing table
- show ipv6 route connected displays all IPv6 connected routes
- show ipv6 route static displays all IPv6 static routes
- Lists both interface and link-local address for routes that specify them
- show ipv6 route local displays all IPv6 local routes
- ping and traceroute checks connectivity to the host using that route
- show ipv6 route addr displays the route the router uses to forward to the host address
Troubleshooting:
Route is in the routing table but is incorrect
- Is there a subnetting math error in the subnet ID and mask?
- Is the next-hop IP address correct, and referencing an IP address on a neighbouring
router?
- Is the outgoing interface correct, and referencing an interface on the local route (that
is, the same router where the static route is configured)?
Route is added to running/startup-config but not in the routing table because:
- Outgoing interface listed in the ip route command is not up/up
- The next-hop router IP address listed in the ip route command is not reachable (no
route that matches the next-hop address)
- A better competing route exists, and that competing route has a better AD
- If command syntax is correct, ip[v6] route command is placed into running-config,
then, if no other problem exists, IOS puts route into IP routing table
Route is in the routing table, and is correct, but the packets do not arrive
- ip route command with permanent keyword with an outgoing interface needs to have
the interface in an up/up state
- ip route command with permanent keyword with a next-hop IP address needs to have
a route to reach that next-hop address
Checking for mistakes in ipv6 route command syntax:
- Does the ipv6 route command reference the correct prefix and prefix length?
- If using a next-hop IPv6 address that is a link-local address:
- Is the link-local address an address on the correct neighbouring router?
- Does ipv6 route also refer to the correct outgoing interface on the local router?
- If using a next-hop IPv6 address that is a global unicast or unique local address, is the
address the correct unicast address of the neighbouring router?
- If referencing an outgoing interface, does the ipv6 route command reference the
interface on the local router?
- IOS rejects command if outgoing interface is omitted when using link-local next-hop
router address
IOS checklist for adding routes to the IPv6 routing table:
- For ipv6 route that lists an outgoing interface, that interface must be in an up/up state
- For ipv6 route that lists a global unicast or unique local next-hop IP address, the local
router must have a route to reach that next-hop address
- If another IPv6 route exists for that exact same prefix/prefix-length, the static route
must have a better (lower) administrative distance
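The route-installation checklists above (outgoing interface up/up, next hop reachable, link-local next hop needs an interface, competing route with a better AD, the permanent keyword) as an added Python model; this is not IOS code or code from the notes, and it applies the same checks to IPv4 and IPv6 prefixes. The `distance` field is the argument a floating static route sets, so shutting an interface shows the floating route taking over. Interface names and addresses are constructed.

```python
"""IOS's checklist for installing a static route, as these notes list it: outgoing interface
up/up, next hop reachable, and a better AD than any competing route for the same prefix.
Works for IPv4 and IPv6 prefixes. Added example, not from the notes or IOS; interface
names and addresses are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


@dataclass
class Interface:
    name: str
    address: str                        # e.g. "10.1.1.1/24"
    up: bool = True


@dataclass
class StaticRoute:
    prefix: str                         # e.g. "10.1.3.0/24" or "2001:db8:3::/64"
    next_hop: Optional[str] = None      # next-hop address, if the command lists one
    interface: Optional[str] = None     # outgoing interface, if the command lists one
    distance: int = 1                   # the `distance` argument of a floating static route
    permanent: bool = False             # `permanent` keyword: skip interface/next-hop checks

    def __post_init__(self) -> None:
        self.prefix = str(ipaddress.ip_network(self.prefix))


@dataclass
class Route:
    prefix: Network
    source: str                         # "connected" or "static"
    distance: int
    interface: str
    next_hop: Optional[str] = None


class Router:
    def __init__(self, interfaces: List[Interface]):
        self.interfaces = {i.name: i for i in interfaces}
        self.statics: List[StaticRoute] = []     # what is in running-config
        self.table: Dict[str, Route] = {}        # what is in the routing table, by prefix
        self.recompute()

    def lookup(self, address: str) -> Optional[Route]:
        """Longest-prefix match against the installed routes."""
        addr = ipaddress.ip_address(address)
        matches = [r for r in self.table.values()
                   if r.prefix.version == addr.version and addr in r.prefix]
        return max(matches, key=lambda r: r.prefix.prefixlen, default=None)

    def check(self, s: StaticRoute) -> Tuple[bool, str]:
        """Run the checklist for one static route; returns (installable, reason)."""
        hop = ipaddress.ip_address(s.next_hop) if s.next_hop else None
        link_local = hop is not None and hop.version == 6 and hop.is_link_local
        if link_local and not s.interface:
            return False, "link-local next hop needs an outgoing interface (IOS rejects it)"
        if not s.permanent:
            if s.interface and not self.interfaces[s.interface].up:
                return False, f"outgoing interface {s.interface} is not up/up"
            if hop is not None and not link_local and self.lookup(s.next_hop) is None:
                return False, f"no route to next hop {s.next_hop}"
        competing = self.table.get(s.prefix)
        if competing is not None and competing.distance <= s.distance:
            return False, f"{competing.source} route with AD {competing.distance} is better"
        return True, "installed"

    def recompute(self) -> None:
        """Rebuild the table: connected routes for up/up interfaces, then statics by AD."""
        self.table = {}
        for i in self.interfaces.values():
            if i.up:
                net = ipaddress.ip_interface(i.address).network
                self.table[str(net)] = Route(net, "connected", 0, i.name)
        for s in sorted(self.statics, key=lambda r: r.distance):
            if self.check(s)[0]:
                via = self.lookup(s.next_hop) if s.next_hop and not s.interface else None
                out = s.interface or (via.interface if via else "unknown")
                self.table[s.prefix] = Route(ipaddress.ip_network(s.prefix), "static",
                                             s.distance, out, s.next_hop)

    def add_static(self, route: StaticRoute) -> Tuple[bool, str]:
        """ip route / ipv6 route: the command stays in running-config even when the route is
        not installed, and is retried whenever the table is recomputed."""
        result = self.check(route)
        self.statics.append(route)
        self.recompute()
        return result

    def set_interface(self, name: str, up: bool) -> None:
        """Interface state change: connected and dependent routes are removed or re-added."""
        self.interfaces[name].up = up
        self.recompute()
```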
3.6.a Default route
- Default route is used if packet does not match any other more specific route
IPv4 default route:
- ip route 0.0.0.0 0.0.0.0 {addr | int-id} -- configures a default route
- with permanent keyword: default route stays in the routing table even if
interface goes down
- ip address dhcp can learn the gateway of last resort address
- DHCP-learned routes are shown as static but have an AD of 254
IPv6 default route:
- ipv6 route ::/0 {addr | int-id | int-id link-local} -- configures the default route
- IPv6 routing logic:
- With no default route, router discards the IPv6 packet
- With default route, router forwards the IPv6 packet based on the default route
- Branch routers (stub routers) with one WAN link use default routes
- IPv6 default route = ::/0 (matching all addresses)
- IPv6 default routes don't have candidates (*) and are simply added
3.6.b Network route
IPv4 network route:
- ip route prefix mask {addr | int-id} -- configures a static network route
- ip route prefix mask {addr | int-id} permanent -- configures a static network
route that ignores router's basic checks and is put straight into the routing table
IPv6 network route:
- ipv6 route prefix/prefix-length int-id adds an IPv6 route, listing the local outgoing
interface
- ipv6 route prefix/prefix-length addr adds an IPv6 route, listing the global unicast
or unique local address of the next-hop router
- ipv6 route prefix/prefix-length int-id link-local-addr adds an IPv6 route, listing the
outgoing interface and the link-local address of the next-hop router
3.6.c Host route
- Host routes match a single IP address (a single host)
IPv4 host route:
- ip route host-addr 255.255.255.255 {addr | int-id} -- configures a host route
- with permanent keyword: configures a host route that ignores router's basic
checks and is put straight into the routing table, and stays there permanently
even if interface fails
IPv6 host route:
- ipv6 route addr/128 {addr | int-id | int-id link-local} -- defines the host route
3.6.d Floating static
- Floating static routes are static routes with the administrative distance modified
so it "floats" in and out of the routing table
IPv4 floating static route:
- ip route prefix mask {addr | int-id} distance -- overwrites the default
administrative distance (1) and adds a 'floating' static route
- with permanent keyword: adds a permanent floating static route
IPv6 floating static route:
- ipv6 route prefix/prefix-length {addr | int-id | int-id link-local} distance -- defines
a floating static route, with its default AD value overridden
- NDP-learned routes have a default AD of 2
3.7 Configure, verify, and troubleshoot RIPv2 for IPv4 (excluding authentication, filtering,
manual summarization, redistribution)
- Split horizon: omits routes that the receiving router would already know of
- Route poisoning: advertises failed routes with metric value 16 (infinity); the receiving
router removes the route or marks it as unusable, since 15 is the largest usable hop count
- Update RIP timer measures how long it has been since the router has last heard about
this route in a periodic RIP update
Configuration:
- router rip -- moves user into RIP configuration mode
- version 2 -- tells router to use RIPv2 exclusively
- network net-number -- enables RIP to (a) send routing updates out the interface, (b)
listen for and process incoming updates on the interface (c) advertise about the subnet
connected to the interface
- [no] auto-summary -- enables/disables automatic summarisation (default: enabled)
(should not be enabled for discontiguous networks)
- maximum-paths number -- there can be up to X routes with the same metric; equal-cost
load balancing (default: 4) (setting value to 1 disables feature)
- [no] passive-interface int-id -- stops all RIPv2 updates from being sent out the interface
but RIP still processes received updates and advertises about the connected subnet
- passive-interface default -- makes all interfaces passive by default
- default-information originate -- if the IPv4 routing table has a default route in it,
advertise a default route with RIP, with this local router as the eventual destination of
those default routes
- distance dist -- sets a custom administrative distance for RIP routes
Verification:
- show ip route [rip] -- lists all IPv4 routes, or RIP-learned routes only but you cannot tell
which interfaces have RIP enabled
- show ip protocols -- lists information about RIP configuration and identifies interfaces
on which RIP is enabled but doesn't show RIP-learned routes
- show ip rip database -- lists prefix/length of all best routes known to RIP on this router,
including routes learned from neighbours and connected routes for RIP-enabled
interfaces; lists both learned routes and connected routes
- show running-config -- lists RIP configurations
Troubleshooting:
- Router does not advertise about subnets and does not exchange routing information
with other routers on those interfaces
=> Missing network command
- One router receives RIP updates but the other does not, and therefore doesn't learn
routes
=> Passive interface connected to active interface
- Half of packets not arriving at correct destination host
=> auto-summary in a discontiguous network
- RIP only operates on working interfaces (up/up state)
- RIP requires that all neighbours on a link be in the same subnet; if routers are in
different subnets, routers ignore RIP update
- ACLs could filter and discard RIP messages
4.0 Infrastructure Services
4.1 Describe DNS lookup operation
- Host sends a DNS query (UDP port 53) to the IP address of its DNS server(s), learned
by DHCP or statically configured, containing the hostname that needs to be resolved
- DNS server sends a DNS reply containing the IP address for that hostname
- Host then sends its application traffic (e.g. a TCP SYN) to the resolved IP address
taken from the first DNS reply it receives
- Routers and switches forward the DNS messages like any other frame/packet
- All destination IP addresses involved are known unicast addresses, so no special
router/switch feature is needed to support DNS
4.2 Troubleshoot client connectivity issues involving DNS
- ping can use hostnames, which allows testing of DNS process:
- If a ping of the hostname fails but a ping of the IP address works, the problem
usually lies with DNS
- Common causes:
- The user host has an incorrect DNS server IP address setting
=> Change the host setting if it is statically configured
=> Change the DHCP server configuration (dns-server) if the host uses DHCP
- An IP connectivity problem between the user's host and the correct DNS server
- DNS client and DNS server must have IP connectivity
- Host DNS settings should match the IP addresses of the actual DNS servers
- For the router itself to resolve names it needs ip name-server dns-ip1 dns-ip2... and
ip domain-lookup (the default); no ip domain-lookup disables resolution on the router
4.3 Configure and verify DHCP on a router (excluding static reservations)
- All four messages use UDP: the client sends from port 68 to server port 67
- Discover: Sent by the DHCP client to find a willing DHCP server (0.0.0.0 => 255.255.255.255)
- Offer: Sent by the DHCP server to offer to lease a specific IP address etc. to that client
(DHCP server => 255.255.255.255, because the client has no address yet)
- Request: Sent by the DHCP client to ask the server to lease the IPv4 address listed in the
Offer (0.0.0.0 => 255.255.255.255)
- Acknowledgement: Sent by the DHCP server to assign the address, mask, default router and
DNS server IP addresses (DHCP server => 255.255.255.255)
4.3.a Server
- DHCP server stores stateful information to give to clients
- Allocation modes:
- Dynamic allocation: DHCP dynamically leases IP addresses
- Automatic allocation: hands out permanent IP addresses with infinite lease time
- Static allocation: manually preconfigured IP address is sent to client by server
- ip dhcp excluded-address first [last] -- lists addresses that should not be leased
- ip dhcp pool name -- creates a DHCP pool for a subnet
- network subnet-ID {mask | prefix-length} -- defines the subnet for this pool
- default-router address1 2... -- defines default router IP addresses in that subnet
- dns-server address1 2... -- defines list of DNS server IP addresses used by hosts in
this subnet
- lease days hours mins -- defines the length of the lease in days, hours and minutes
(or lease infinite for a permanent lease)
- domain-name name -- defines the DNS domain name
- next-server ip-address -- defines the TFTP server IP address used by any hosts
(e.g. IP phones that need a TFTP server)
Verification:
- show ip dhcp binding -- lists state information about each IP address currently
leased to a client
- show ip dhcp pool [poolname] -- lists the configured range of IP addresses, plus
statistics for the number of currently leased addresses and the high-water mark
for leases from each pool
- show ip dhcp server statistics -- lists DHCP server statistics
4.3.b Relay
- A DHCP relay agent rewrites the client's broadcast: the destination becomes the DHCP
server's unicast address, the source becomes the router's incoming interface IP address,
and that interface address is also placed in the gateway address (giaddr) field so the
server can choose the pool for the client's subnet
- A DHCP relay agent must be configured for DHCP messages to reach a server outside
the local subnet
- ip helper-address server-ip -- configured on the LAN interface facing the clients to
enable DHCP relay to the DHCP server
- Caveat: ip helper-address also relays broadcasts for several other UDP services by
default (TFTP, DNS, TIME, NetBIOS name and datagram, TACACS); use
no ip forward-protocol udp port to stop relaying services that are not needed
Verification:
- show ip interface int-id shows ip helper-address settings on interface
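The Discover/Offer/Request/Ack exchange, the pool commands from 4.3.a and the relay rewrite from 4.3.b, modelled end to end. This is an added illustration for these notes, not IOS code or output: the server implements network, default-router, dns-server, lease and ip dhcp excluded-address as described above, the relay function does what ip helper-address does, and the addresses, MACs and pool names are constructed. Real DHCP carries these fields in BOOTP/DHCP options over UDP ports 67/68, which the model leaves out.

```python
"""DHCP Discover/Offer/Request/Ack with an optional relay agent in the path.

Added illustration for these notes, not IOS code or output. The server models
the pool commands above (network, default-router, dns-server, lease,
ip dhcp excluded-address) and the relay models ip helper-address. Addresses,
MACs and pool names are constructed; real DHCP carries these fields in
BOOTP/DHCP options over UDP ports 67/68, which this model leaves out.
"""
import ipaddress

BROADCAST = "255.255.255.255"
UNSPECIFIED = "0.0.0.0"


class Pool:
    def __init__(self, name, network, default_router, dns_servers, lease_seconds=86400):
        self.name = name
        self.network = ipaddress.IPv4Network(network)   # network subnet-ID mask
        self.default_router = default_router             # default-router
        self.dns_servers = dns_servers                   # dns-server
        self.lease_seconds = lease_seconds               # lease 1 0 0 = one day


class DhcpServer:
    def __init__(self, server_ip, pools):
        self.server_ip = server_ip
        self.pools = pools
        self.excluded = set()   # ip dhcp excluded-address first [last]
        self.bindings = {}      # leased ip -> client MAC, as in show ip dhcp binding

    def exclude(self, first, last=None):
        cur, hi = ipaddress.IPv4Address(first), ipaddress.IPv4Address(last or first)
        while cur <= hi:
            self.excluded.add(str(cur))
            cur += 1

    def _pool_for(self, giaddr):
        # A relayed message carries the relay interface address in giaddr; a message
        # from the server's own subnet carries 0.0.0.0, so the server's subnet is used.
        ref = ipaddress.IPv4Address(self.server_ip if giaddr == UNSPECIFIED else giaddr)
        return next((p for p in self.pools if ref in p.network), None)

    def _free_address(self, pool):
        # Subnet ID and broadcast are never offered; skip excluded and leased addresses.
        for host in pool.network.hosts():
            ip = str(host)
            if ip not in self.excluded and ip not in self.bindings:
                return ip
        return None

    def handle(self, msg):
        """Reply to one client message; None means the server stays silent."""
        pool = self._pool_for(msg["giaddr"])
        if pool is None:
            return None
        # Replies to a relayed client go back to the relay; a local client has no
        # address yet, so the reply is broadcast on the local subnet.
        dst = msg["giaddr"] if msg["giaddr"] != UNSPECIFIED else BROADCAST
        params = {"mask": str(pool.network.netmask), "router": pool.default_router,
                  "dns": pool.dns_servers, "lease": pool.lease_seconds}
        if msg["type"] == "DISCOVER":
            ip = self._free_address(pool)
            if ip is None:
                return None                      # pool exhausted: no Offer is sent
            return {"type": "OFFER", "src": self.server_ip, "dst": dst, "yiaddr": ip, **params}
        if msg["type"] == "REQUEST":
            ip = msg["requested"]
            if (ipaddress.IPv4Address(ip) not in pool.network or ip in self.excluded
                    or ip in self.bindings):
                return {"type": "NAK", "src": self.server_ip, "dst": dst}
            self.bindings[ip] = msg["chaddr"]
            return {"type": "ACK", "src": self.server_ip, "dst": dst, "yiaddr": ip, **params}
        return None


def relay(msg, interface_ip, helper_address):
    """ip helper-address: rewrite the client broadcast as a unicast to the server."""
    out = dict(msg)
    out["src"], out["dst"], out["giaddr"] = interface_ip, helper_address, interface_ip
    return out


def dora(server, mac, relay_interface=None):
    """Run the four-message exchange for one client; returns the ACK or None."""
    def send(msg):
        msg.update(src=UNSPECIFIED, dst=BROADCAST, chaddr=mac, giaddr=UNSPECIFIED)
        if relay_interface:
            msg = relay(msg, relay_interface, server.server_ip)
        return server.handle(msg)
    offer = send({"type": "DISCOVER"})
    if offer is None:
        return None
    ack = send({"type": "REQUEST", "requested": offer["yiaddr"]})
    return ack if ack and ack["type"] == "ACK" else None


if __name__ == "__main__":
    srv = DhcpServer("10.1.1.1", [Pool("LAN1", "10.1.1.0/29", "10.1.1.1", ["8.8.8.8"]),
                                  Pool("LAN2", "10.1.2.0/30", "10.1.2.1", ["8.8.8.8"])])
    srv.exclude("10.1.1.1", "10.1.1.2")          # router interface and a reserved address
    srv.exclude("10.1.2.1")                      # relay router's interface
    print(dora(srv, "0200.aaaa.aaaa"))                             # local client
    print(dora(srv, "0200.bbbb.bbbb", relay_interface="10.1.2.1"))  # via relay
    print(dora(srv, "0200.cccc.cccc", relay_interface="10.1.2.1"))  # LAN2 exhausted
```

The relayed client gets an address from the LAN2 pool only because giaddr identifies its subnet; the third client on LAN2 gets no Offer at all, which is what an exhausted pool looks like from the client side (a timeout, not an error).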
4.3.c Client
- ipconfig /all (Windows), ifconfig (Linux/Mac OS X), ip addr (Linux) or the GUI list the
DHCP status and IPv4 settings
- netstat -rn displays the host routing table, with the default router IP address as the
next hop of the default route
(- arp -a shows the host's ARP table)
(- show arp shows the router's ARP table)
4.3.d TFTP, DNS, and gateway options
- next-server ip-address -- defines the IP address of the TFTP server
- IP phones need the TFTP server address to load their configurations
- dns-server address1 2... -- defines the IP addresses of the DNS servers
- Hosts need the DNS server to resolve hostnames into IP addresses
- default-router address1 2... -- defines the IP address of the default router in that subnet
- Hosts need the default router to send packets outside the local subnet
- A router interface configured with ip address dhcp learns a default route (gateway of
last resort) from the default-router option it receives
- Verification:
- show interfaces and show protocols lists IP address and mask of the interface
- show ip interface brief lists IP address of interface
- show running-config
- show interfaces status lists VLAN assignments for each interface
- show vlan lists VLAN configurations
- show interfaces switchport lists VLAN trunking status
4.7.a Static
- Each inside local address is statically mapped one-to-one to an inside global address
- Configuration:
- Step 1: Use ip nat inside to configure interfaces to be in inside part of NAT design
- Step 2: Use ip nat outside to configure interfaces to be in the outside part of the
NAT design
- Step 3: Use ip nat inside source static inside-local inside-global to configure the
static mappings
4.7.b Pool
- One-to-one mapping of an inside local address to an inside global address happens
dynamically
- Router creates a NAT table entry when user traffic from that host first occurs
- NAT table lists inside local and inside global addresses
- clear ip nat translation * -- clears the entire NAT table
- If every address in the inside global pool is allocated, the packet is discarded
- A dynamic entry times out after a period of inactivity and its inside global address
returns to the pool for reallocation
Configuration:
- Step 1: Use ip nat inside to configure interfaces to be in inside part of NAT design
- Step 2: Use ip nat outside to configure interfaces to be in the outside part of the
NAT design
- Step 3: Configure an ACL that matches the packets entering inside interfaces for
which NAT should be performed
- Step 4: Use ip nat pool name first-addr last-addr netmask subnet-mask to
configure the pool of public registered IP addresses
- ip nat pool configures address ranges for first-addr to last-addr inclusive
- netmask checks if both lowest and highest addresses are in the same subnet
- If netmask doesn't match, IOS rejects the command
- Step 5: Use ip nat inside source list ACL-no. pool poolname to enable dynamic
NAT by referring to the configured ACL and pool
Verification:
- Before any user traffic, the NAT table is empty and show ip nat statistics lists
0 active translations
- After traffic from one inside host, show ip nat statistics lists (example values for a
single host sending traffic through a two-address pool):
- 1 active translation (1 dynamic)
- 1 miss (the first packet found no NAT entry, so dynamic NAT created one)
- hits for every later packet that matched the entry (e.g. 69)
- 1 pool member allocated, i.e. 50% of the pool currently in use
4.7.c PAT
- PAT translates both addresses and port numbers, so many inside local addresses can
share one inside global address
- Because the TCP/UDP port field is 16 bits, each inside global address can support more
than 64,000 concurrent translations (one per port number)
Configuration:
- PAT is enabled on one interface, and uses one inside global IP address OR
- PAT uses a pool of inside global IP addresses
- PAT configuration = dynamic NAT configuration, except overload keyword
- Step 1: Use ip nat inside to configure interfaces to be in inside part of NAT design
- Step 2: Use ip nat outside to configure interfaces to be in the outside part of the
NAT design
- Step 3: Configure an ACL that matches the packets entering inside interfaces for
which NAT should be performed
- (Step 3.5: Use ip nat pool name first-addr last-addr netmask subnet-mask to
configure the pool of public registered IP addresses)
- Step 4: Configure the ip nat inside source list ACL-no. {interface int-id | pool
poolname} overload
Verification:
- show ip nat statistics lists the total active translations X, with "X dynamic; X
extended" (extended entries are those that include port numbers)
- The first packet from a host is a "miss", after which PAT creates a NAT table entry that
later packets "hit"
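Dynamic NAT (4.7.b) and PAT (4.7.c) side by side, including the pool-exhaustion discard and the miss/hit counters from the verification notes. This is an added illustration for these notes, not IOS code or output; the pool, hosts and ports are constructed, and one assumption about IOS behaviour is built in: PAT keeps the client's own source port when it is free on the inside global address and otherwise takes the next free port from 1024 upwards.

```python
"""Dynamic NAT from a pool beside PAT (overload) on one router, with the
miss/hit counters and pool-exhaustion behaviour described in the notes.

Added illustration for these notes, not IOS code or output. Pool, hosts and
ports are constructed. Assumption: PAT keeps the client's source port when it
is free on the inside global address, otherwise it takes the next free port
from 1024 upwards.
"""
import ipaddress


class NatRouter:
    def __init__(self, pool_first, pool_last, overload=False):
        first, last = ipaddress.IPv4Address(pool_first), ipaddress.IPv4Address(pool_last)
        self.pool = [str(first + i) for i in range(int(last) - int(first) + 1)]
        self.overload = overload        # the overload keyword on ip nat inside source
        self.table = {}                 # dynamic NAT: inside local -> inside global
        self.ext_table = {}             # PAT: (inside local, port) -> (inside global, port)
        self.hits = self.misses = 0     # as reported by show ip nat statistics

    def _free_global(self):
        used = set(self.table.values())
        return next((g for g in self.pool if g not in used), None)

    def _free_port(self, inside_global, wanted):
        used = {p for g, p in self.ext_table.values() if g == inside_global}
        if wanted not in used:
            return wanted
        return next((p for p in range(1024, 65536) if p not in used), None)

    def translate(self, inside_local, src_port):
        """Translate one outbound packet; (inside global, port) or None if discarded."""
        if self.overload:
            key = (inside_local, src_port)
            if key in self.ext_table:
                self.hits += 1
                return self.ext_table[key]
            self.misses += 1
            for inside_global in self.pool:     # one address serves all until its ports run out
                port = self._free_port(inside_global, src_port)
                if port is not None:
                    self.ext_table[key] = (inside_global, port)
                    return self.ext_table[key]
            return None
        if inside_local in self.table:
            self.hits += 1
            return self.table[inside_local], src_port
        self.misses += 1
        inside_global = self._free_global()
        if inside_global is None:
            return None                         # pool exhausted: packet discarded
        self.table[inside_local] = inside_global
        return inside_global, src_port

    def clear_translations(self):
        """clear ip nat translation *"""
        self.table.clear()
        self.ext_table.clear()

    def statistics(self):
        """The figures show ip nat statistics would report for this table."""
        active = len(self.table) + len(self.ext_table)
        in_use = {g for g, _ in self.ext_table.values()} | set(self.table.values())
        return {"active": active, "dynamic": active, "extended": len(self.ext_table),
                "hits": self.hits, "misses": self.misses,
                "pool_in_use_pct": 100 * len(in_use) // len(self.pool)}


if __name__ == "__main__":
    nat = NatRouter("200.1.1.1", "200.1.1.2")          # ip nat pool ... 200.1.1.1 200.1.1.2
    for host in ("10.1.1.1", "10.1.1.2", "10.1.1.3"):  # third host finds the pool empty
        print(host, "->", nat.translate(host, 3000))
    print(nat.statistics())
    pat = NatRouter("200.1.1.1", "200.1.1.1", overload=True)
    for host, port in (("10.1.1.1", 1024), ("10.1.1.2", 1024), ("10.1.1.2", 1024)):
        print(host, port, "->", pat.translate(host, port))
    print(pat.statistics())
```

With the two-address pool the third inside host is silently dropped, which is the failure mode to look for when "some hosts cannot reach the Internet" and show ip nat statistics reports the pool fully allocated; with overload the same pool size never runs out in practice because each address carries thousands of port-distinguished entries.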
- banner command:
- banner with no type keyword defaults to motd (configures the MOTD banner)
- The first non-blank character after the banner keyword is the delimiter; the same
character ends the banner, so choose one that does not appear in the banner text
- banner login command configures the Login banner
- banner exec command configures the Exec banner
5.5 Perform device maintenance
5.5.a Cisco IOS upgrades and recovery (SCP, FTP, TFTP, and MD5 verify)
- Steps to upgrade an IOS image into flash memory:
1. Obtain the IOS image from Cisco by downloading the image from cisco.com
2. Place the IOS image someplace that the router can reach (e.g. TFTP/FTP servers, USB)
3. Issue copy command from router, copying the file into the flash memory
- TFTP:
- Not encrypted and no authentication (UDP port 69); router acts as a client
- copy tftp flash copies a file from the TFTP server to flash memory:
- Router asks for the address or name of the TFTP server,
- Source filename, and
- Destination filename
- FTP:
- Not encrypted, so the username and password cross the network in clear text; router
acts as a client
- copy ftp://username:password@server-ip/filename flash
- To avoid including the username and password in the copy command:
- ip ftp username name
- ip ftp password pass
- SCP:
- Encrypted (runs over SSH); router acts as the SCP server
- SSH must be enabled, and the SCP server also needs AAA configured for local
authentication and exec authorization (aaa new-model, aaa authentication login
default local, aaa authorization exec default local)
- username name privilege 15 secret pass gives the SSH user direct access to
privileged mode (the highest privilege level); prefer secret over password so the
credential is stored as a hash rather than in a recoverable form
- ip scp server enable enables the SCP server
- SCP client command:
- scp filename username@router-ip:fs:filename
- The user must reload the router to start using the new IOS copied into a local IFS
(check that the boot system command points at the new image first)
Verification:
- show flash shows the files in flash memory; check for the IOS image
- dir flash0: shows the contents of flash0:, with similar information to show flash
- verify /md5 ios-image hash checks the integrity of the IOS image in flash
- hash parameter is the MD5 hash value for that image as published by Cisco, copied
and pasted into the command
- Caveat: the check only proves that the copy in flash matches the reference hash, so take
the hash from cisco.com over HTTPS rather than from the same server the image came
from; MD5 catches corruption and casual substitution, while the SPA digital
signature is what ties the image to Cisco
Components of a filename, e.g. C1900-universalk9-mz.SPA.152-4.M3.bin:
- C1900 -- the hardware this image runs on (e.g. router model)
- universalk9 -- universal IOS image with the k9 (strong encryption) feature set, which can
only be used in some countries
- m -- where the image runs (e.g. RAM)
- z -- compression format (e.g. zip)
- SPA -- digital signature indicator: the file is signed by Cisco
- 15 -- major release
- 2 -- minor release
- 4 -- maintenance release
- M -- extended maintenance release
- 3 -- maintenance rebuild
- .bin -- binary executable file
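A decoder for the filename format just described, together with the integrity check that verify /md5 performs on the router, done off-box over the downloaded file before it is copied. This is an added illustration for these notes, not Cisco tooling: parse_ios_filename follows the field breakdown above and returns None for names it does not recognise, verify_md5 insists on a well-formed 32-hex-digit reference hash and compares in constant time, and the image bytes used in the usage are a constructed stand-in, not a real IOS image.

```python
"""Decode an IOS image filename and check a file's MD5 against the published hash.

Added illustration for these notes, not Cisco tooling. parse_ios_filename follows
the field breakdown above; verify_md5 does what verify /md5 does on the router,
here over bytes held in memory. The image bytes used below are a constructed
stand-in, not a real IOS image.
"""
import hashlib
import hmac
import re

_NAME = re.compile(
    r"^(?P<platform>[^-]+)-(?P<features>[^-]+)-"          # C1900-universalk9-
    r"(?P<location>[a-z])(?P<compression>[a-z])\."         # mz.
    r"(?P<signature>[A-Z]{3})\."                            # SPA.
    r"(?P<major>\d{2})(?P<minor>\d)-(?P<maint>\d+)\."       # 152-4.
    r"(?P<train>[A-Z]+)(?P<rebuild>\d+)\.(?P<ext>bin)$")   # M3.bin


def parse_ios_filename(name):
    """Split e.g. C1900-universalk9-mz.SPA.152-4.M3.bin into its fields; None if unrecognised."""
    m = _NAME.match(name)
    if not m:
        return None
    f = m.groupdict()
    return {
        "platform": f["platform"],
        "feature_set": f["features"],
        "strong_crypto": f["features"].endswith("k9"),       # k9 = crypto feature set
        "runs_from": {"m": "RAM"}.get(f["location"], f["location"]),
        "compression": {"z": "zip"}.get(f["compression"], f["compression"]),
        "signed": f["signature"] == "SPA",                    # SPA = signed by Cisco
        "release": "%s.%s(%s)%s%s" % (f["major"], f["minor"], f["maint"], f["train"], f["rebuild"]),
        "major": int(f["major"]), "minor": int(f["minor"]),
        "maintenance": int(f["maint"]), "train": f["train"], "rebuild": int(f["rebuild"]),
    }


def md5_hex(data):
    """Hex MD5 of the given bytes, the same digest verify /md5 prints on the router."""
    return hashlib.md5(data).hexdigest()


def verify_md5(image_bytes, published_hash):
    """True only if MD5(image) equals the 32-hex-digit hash taken from cisco.com."""
    published = published_hash.strip().lower()
    if not re.fullmatch(r"[0-9a-f]{32}", published):
        raise ValueError("published hash must be 32 hex digits")
    # compare_digest avoids leaking where the digests differ; accepting a sloppy,
    # partial or empty reference hash would turn the check into a no-op.
    return hmac.compare_digest(md5_hex(image_bytes), published)


if __name__ == "__main__":
    print(parse_ios_filename("C1900-universalk9-mz.SPA.152-4.M3.bin"))
    image = b"constructed stand-in for an IOS image"       # not a real image
    reference = md5_hex(image)                             # pretend this came from cisco.com
    print(verify_md5(image, reference), verify_md5(image + b"\x00", reference))
```

The release string comes out as 15.2(4)M3, the form Cisco uses in release notes, which makes it easy to check that the file on disk is the build the advisory or upgrade plan actually names.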
- ARP worked on R2 and host B and they have matching ARP table entries
- SW2 learned MAC addresses for its MAC address table
- Extended ping allows the router's LAN interface to be used as the source IP address,
which also tests the far end's reverse route back to that LAN subnet
- ping with guided options, or ping dest-ip source source-ip
- Standard ping across a serial WAN link to test WAN neighbours confirms:
- Both router's serial interfaces are in an up/up state
- The Layer 1 and Layer 2 features of the link work
- The routers believe that the neighbouring router's IP address is in the same
subnet
- Inbound ACLs on both routers' serial interfaces permit the echo and echo reply (an
outbound ACL does not filter packets the router itself generates)
- The remote router is configured with the expected IP address
- ping does not confirm:
- Routes for subnets on LANs
- Host's ACL issues
- ping can use hostnames, which allows testing of DNS process:
- If ping of hostname fails but the ping of the IP address works, the problem
usually is to do with DNS
Traceroute:
- traceroute relies on the ICMP Time-to-Live Exceeded (TTL Exceeded) message
- The sender sends probes with TTL=1, then TTL=2, and so on; each forwarding router
decrements TTL by 1, and the router that decrements it to 0 discards the probe and
sends TTL Exceeded back to the sender, which is how each hop's address is revealed
- Extended traceroute lets the user choose the source address
- Windows: tracert, pathping (ICMP Echo probes) Linux/Mac OS X: traceroute
- Cisco IOS traceroute (like Linux traceroute by default) sends UDP probes to high,
unused destination ports, so the final host answers with ICMP Port Unreachable
- Where to look next to isolate problem:
- Connect to CLI of the last router listed, to look at forward route issues
- Connect to CLI of the next router that should have been listed, to look for
reverse route issues
- Failure of listing of R4 confirms:
- R3's problem with forward route to 5.5.5.5 OR
- R4's problem with reverse route to 1.1.1.1
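A hop-by-hop model of the probe and reply mechanics above, showing why a missing forward route on R3 and a missing reverse route on R4 produce the same output (R4 never listed) and where to look next in each case. This is an added illustration for these notes, not IOS output; the router names R1 to R4, the 1.1.1.1 source and the 5.5.5.5 destination follow the notes, while the routing tables are constructed.

```python
"""traceroute as increasing-TTL probes plus TTL Exceeded replies, with the
forward-route and reverse-route failure modes discussed in the notes.

Added illustration for these notes, not IOS output. Router names, the 1.1.1.1
source and the 5.5.5.5 destination follow the notes; routing tables are
constructed. A hop is listed only if its reply can travel back to the source.
"""


class Router:
    def __init__(self, name, next_hop_to_dst, has_route_back):
        self.name = name
        self.next_hop = next_hop_to_dst       # next router, "DIRECT" (dst is attached), or None
        self.has_route_back = has_route_back  # forward route to the traceroute source


def send_probe(routers, first_hop, dst, ttl):
    """Forward one probe and return what the sender would print for this TTL."""
    path = []                      # routers traversed, i.e. the reply's return trip
    node = routers[first_hop]
    while True:
        path.append(node)
        ttl -= 1
        if ttl == 0:
            # This router discards the probe and sends TTL Exceeded back to the source;
            # the reply is lost if any router on the way back lacks a route to the source.
            return node.name if all(r.has_route_back for r in path) else "*"
        if node.next_hop is None:
            return "*"             # no forward route: probe dropped, nothing listed
        if node.next_hop == "DIRECT":
            # Probe reaches the destination, which answers (Port Unreachable in IOS).
            return dst if all(r.has_route_back for r in path) else "*"
        node = routers[node.next_hop]


def traceroute(routers, first_hop, dst, max_ttl=6):
    """Return the per-hop listing, stopping early once the destination replies."""
    hops = []
    for ttl in range(1, max_ttl + 1):
        hop = send_probe(routers, first_hop, dst, ttl)
        hops.append(hop)
        if hop == dst:
            break
    return hops


def next_steps(hops, expected_path):
    """(last router listed, next router that should have appeared)."""
    listed = [h for h in hops if h != "*"]
    last = listed[-1]
    idx = expected_path.index(last)
    nxt = expected_path[idx + 1] if idx + 1 < len(expected_path) else None
    return last, nxt


def build(r3_forward=True, r4_reverse=True):
    """R1 -> R2 -> R3 -> R4 -> 5.5.5.5, with the two faults from the notes switchable."""
    return {
        "R1": Router("R1", "R2", True),
        "R2": Router("R2", "R3", True),
        "R3": Router("R3", "R4" if r3_forward else None, True),   # R3's forward route
        "R4": Router("R4", "DIRECT", r4_reverse),                 # R4's reverse route
    }


if __name__ == "__main__":
    for label, net in (("healthy", build()),
                       ("R3 lacks forward route", build(r3_forward=False)),
                       ("R4 lacks reverse route", build(r4_reverse=False))):
        hops = traceroute(net, "R1", "5.5.5.5")
        print(label, hops, next_steps(hops, ["R1", "R2", "R3", "R4"]))
```

Both faulty traces stop after R3, so the trace alone cannot tell the two causes apart: the CLI check on the last router listed (R3, forward route to 5.5.5.5) and on the next router that should have appeared (R4, reverse route to 1.1.1.1) is what distinguishes them.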
Troubleshooting: