
11/6/13 CCNA & IP Networking Overview

julesbartow.com/CCNA/_CCNA.htm

Layer 4. Transport (TCP) Guaranteed Delivery 3-way-handshake steps:

1. Synchronize the sequence numbers
2. Synchronize-Acknowledge
3. Acknowledge

DoD Stack: Application Presentation + Session → Transport (Layer 4 UDP) Segments → Network/Internet Packets → Layer 2 Frames

| OSI | TCP/IP DOD | Services | Applications | PDU |
|---|---|---|---|---|
| 7 Application | | message type, syntax, semantics | HTTP, SMTP, POP3, VoIP | |
| 6 Presentation | | | | |
| 5 Session | | | BGMP, DNS, LDAP, ISAKMP/IKE | |
| 4 Transport | Host-to-Host | TCP (SYN SEQ=1, SYN-ACK: SYN SEQ=300 ACK=2, ACK=301 SEQ=2) error correction | UDP, IPSEC | Segments |
| 3 NETwork | InterNET | Routing: address & encap; End-to-end communications | IP (connectionless, best-effort delivery, medium independent), DHCP, ICMP, IGMP, RIP | Packets |
| 2 Data Link Layer 802.2 | ↑ Network Interface/Access ↓ | Switching; Media Access | PPP, HDLC, Frame Relay [DLCI], ATM, Ethernet [MAC], CSMA/CA, ARP/RARP, CDP, RS-232, v.35, Token Ring | Frames |
| 1 Physical 802.3, 802.11 | | | Copper, Fiber, Radio (2.4GHz) | Bits |

Exam CCNA ICND2 640-816, Pearson Cred Mgt, Cisco # CSCO11788763


| Mask | Add. bit value | CIDR bits | Subnets | Hosts / Subnet | Subnet ID | Host Range | Broadcast |
|---|---|---|---|---|---|---|---|
| 0 | + 0 | 0 | 2^0 = 1 | 2^8 - 2 = 254 | 192.168.0.0 | 192.168.0.1 - 192.168.0.254 | 192.168.0.255 |
| 128 | + 128 | 1 | 2^1 = 2 | 2^7 - 2 = 126 | 192.168.0.0 | 192.168.0.1 - 192.168.0.126 | 192.168.0.127 |
| | | | | | 192.168.0.128 | 192.168.0.129 - 192.168.0.254 | 192.168.0.255 |
| 192 | + 64 | 2 | 2^2 = 4 | 2^6 - 2 = 62 | 192.168.0.0 | 192.168.0.1 - 192.168.0.62 | 192.168.0.63 |
| | | | | | 192.168.0.64 | 192.168.0.65 - 192.168.0.126 | 192.168.0.127 |
| | | | | | 192.168.0.128 | 192.168.0.129 - 192.168.0.190 | 192.168.0.191 |
| | | | | | 192.168.0.192 | 192.168.0.193 - 192.168.0.254 | 192.168.0.255 |
| 224 | + 32 | 3 | 2^3 = 8 | 30 | | | |
| 240 | + 16 | 4 | 2^4 = 16 | 14 | | | |
| 248 | + 8 | 5 | 2^5 = 32 | 6 | | | |
| 252 | + 4 | 6 | 2^6 = 64 | 2 | | | |
| 254 | + 2 | 7 | 2^7 = 128 | 0 | | | |
| 255 | + 1 | 8 | 2^8 = 256 | 0 | | | |
| 255 | + 1 | 9 | 2^9 = 512 | 0 | | | |
| 255 | + 1 | 10 | 2^10 = 1024 | 0 | | | |

Setup

Don't forget to set default-gateway or static route to next-hop address on every device to allow routing - except when using DHCP client; it does it for you.

Gateway of last resort →

ip default-gateway 170.170.3.4   to next-hop address when ip routing is disabled
ip default-network 170.170.3.4   to next-hop address classful
static route ip route 0.0.0.0 0.0.0.0 170.170.3.4   (all 0s for IP and Mask for default when no route known) then next-hop address classful - useful for remote networks not in the routing table & keeps routing table small.
show ip route   S = static * = default

R0#clock set 05:30:00 FEB 07 2011   some routers only let you set the clock in enable (privileged exec) mode
R0(config)#no ip domain-lookup   turn off auto-DNS
R2651(config)#clock timezone EST -5   -5 hours from Greenwich Mean Time (GMT)
R2651(config)#clock summer-time DST recurring   standard daylight savings time
R2651(config)#clock set 23:59:59 31 12 2010   on old equipment the backup battery is probably dead, software setting doesn't work on my R2651
R2651(config)#clock read-calendar   the calendar is the “hardware clock” copy it to the software clock, not on R2651 default stuck at Sun Feb 28 1993
R2651(config)#ntp peer 64.236.96.53 source fastEthernet 0/0 version 1 prefer   connect to Network Time Protocol (NTP) server in Reston
R2651#show ntp associations
R2651#show ntp status

Subnetting, CIDR, VLSM Examples from http://www.subnetting.org/

After calculating in your head, on paper, using a Subnet Cheat Sheet Table or a subnet calculator, click on the question to see if you were correct.

How many subnets and hosts per subnet can you get from the network 172.21.0.0/23?
How many subnets and hosts per subnet can you get from the network 192.168.0.0 255.255.255.240?
What is the broadcast address of the network 192.168.24.64 255.255.255.248?
What is the last valid host on the subnet that host 192.168.62.26/28 belongs to?
How many subnets and hosts per subnet can you get from the network 172.31.0.0/19?
What subnet mask would you use to divide the 192.168.14.0 network into 15 subnets?
Divide the 172.24.0.0 network into 600 subnets with 50 hosts per subnet. What subnet mask should you use?
What is the broadcast address of the subnet that host 172.18.182.245/23 is a part of?
Given IP address 172.21.45.143/22. What is the first valid host address on this subnet?
What subnet does host 192.168.5.57/27 belong to?
Network 172.16.0.0 needs to be divided into 60 subnets, while keeping as many usable hosts in each subnet as possible. What mask should be used?
What is the broadcast address of network 172.17.44.0/23?
What is the valid host range for subnet 192.168.15.48/28?
How many subnets and hosts per subnet can you get from the network 192.168.200.0/29?
What is the first valid host address on the subnet that host 172.18.41.16/23 belongs to?
What is the last valid host address on the subnet 172.23.72.0 255.255.252.0?
What valid host range is IP address 192.168.25.148 255.255.255.240 part of?
You need to assign your router the first valid host address on the 4th subnet of network 192.168.74.0/27. What address would you assign?
What is the first valid host address on the subnet that host 192.168.15.54/26 belongs to?
Network 192.168.10.0 needs to be divided into 6 subnets, with at least 25 hosts in each subnet. What is the subnet mask?
What valid host range is the IP address 192.168.14.74/27 a part of?
Given the 172.16.0.0 network. To create 250 subnets allowing up to 254 hosts each. What's the subnet mask?
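A way to check answers to the three kinds of question above (subnet facts for a host, mask for a required number of subnets/hosts, n-th subnet), added here as an example and not taken from the original page or from subnetting.org. The function names are made up for this example, and it assumes `ip subnet-zero` counting (all 2^n subnets usable, subnet zero is the 1st), as the cheat-sheet table does.

```python
import ipaddress


def classful_prefix(address):
    """Default prefix of the classful network an IPv4 address falls in."""
    first_octet = int(address.split(".")[0])
    if first_octet < 128:
        return 8    # class A
    if first_octet < 192:
        return 16   # class B
    if first_octet < 224:
        return 24   # class C
    raise ValueError("class D/E addresses have no default mask")


def describe(host):
    """Subnet facts for 'a.b.c.d/len' or 'a.b.c.d m.m.m.m' (mask) notation."""
    iface = ipaddress.ip_interface(host.strip().replace(" ", "/"))
    net = iface.network
    if net.prefixlen > 30:
        raise ValueError("/31 and /32 leave no usable host range")
    borrowed = net.prefixlen - classful_prefix(str(iface.ip))
    return {
        "subnet": str(net.network_address),
        "mask": str(net.netmask),
        "first_host": str(net.network_address + 1),
        "last_host": str(net.broadcast_address - 1),
        "broadcast": str(net.broadcast_address),
        "hosts_per_subnet": net.num_addresses - 2,
        # 2^borrowed subnets of the classful network; None when the prefix is
        # shorter than the classful one (a supernet, nothing was borrowed).
        "subnets": 2 ** borrowed if borrowed >= 0 else None,
    }


def mask_for(network, subnets=1, hosts=1):
    """Mask that splits a classful network into at least `subnets` subnets,
    borrowing as few bits as possible so each subnet keeps the most hosts."""
    base = classful_prefix(network)
    subnet_bits = (subnets - 1).bit_length()        # smallest n: 2^n >= subnets
    host_bits = max(2, (hosts + 1).bit_length())    # smallest h: 2^h - 2 >= hosts
    if base + subnet_bits + host_bits > 32:
        raise ValueError("not enough bits for that many subnets and hosts")
    return str(ipaddress.ip_network(f"0.0.0.0/{base + subnet_bits}").netmask)


def nth_subnet(network, prefix, n):
    """n-th (1-based) /prefix subnet of a classful network, subnet zero counted."""
    parent = ipaddress.ip_network(f"{network}/{classful_prefix(network)}")
    return list(parent.subnets(new_prefix=prefix))[n - 1]


if __name__ == "__main__":
    for question in ("192.168.62.26/28", "192.168.24.64 255.255.255.248",
                     "172.18.182.245/23", "172.21.0.0/23"):
        print(question, describe(question))
    print(mask_for("172.24.0.0", subnets=600, hosts=50))
    print(nth_subnet("192.168.74.0", 27, 4))
```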


| Pin | Name | Description | EIA/TIA 568A cable colors | EIA/TIA 568B or AT&T 258A cable colors |
|---|---|---|---|---|
| 1 | TX+ | Transmit Data+ | White with green stripe | White with orange stripe |
| 2 | TX- | Transmit Data- | Green | Orange |
| 3 | RX+ | Receive Data+ | White with orange stripe | White with green stripe |
| 4 | n/c | Not connected | Blue | Blue |
| 5 | n/c | Not connected | White with blue stripe | White with blue stripe |
| 6 | RX- | Receive Data- | Orange | Green |
| 7 | n/c | Not connected | White with brown stripe | White with brown stripe |
| 8 | n/c | Not connected | Brown | Brown |

CAT-5 (100 MHz), 5e, and 6 (200 MHz) cable runs should not exceed 100 meters.

Use crossover cable (568B on one end and 568A on the other) for PC to Router, PC to PC, Switch-to-Switch (trunk) unless auto-MDI/MDIX. A single pair is used for pins 1 and 2; 3 and 6. All 4-pairs used for GigE.

8 pin RJ45 (8P8C) female connector

8 pin RJ45 (8P8C) male connector

PCs & routers use Medium Dependent Interface (MDI). Switches & hubs use Crossover MDI (MDIX). All 1 GigE and 10 GigE devices use Auto-MDI/MDIX eliminating the need for crossover cables.

The baby blue console "rollover" cable is a serial null modem cable; not Ethernet. Connect it to a COM port or USB (with a USB to serial adaptor).

DHCP Client

done at the router interface --can't if the interface is a default gateway for other devices
R2651(config)#interface fastethernet 0/1
R2651(config-if)#ip address dhcp
R2651(config-if)#no shutdown   Ctrl-Z

*Mar 1 02:16:11.390: %LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to up
*Mar 1 02:16:21.058: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to up
R2651(config-if)#do show ip interface brief
Interface IP-Address OK? Method Status Protocol
FastEthernet0/0 192.168.2.1 YES NVRAM up up
FastEthernet0/1 unassigned YES DHCP up up
R2651(config-if)#do show ip interface brief   !wait !wait !bingo
Interface IP-Address OK? Method Status Protocol
FastEthernet0/0 192.168.2.1 YES NVRAM up up
FastEthernet0/1 192.168.3.13 YES DHCP up up

DHCP Server

R2651(config)#service dhcp   enable DHCP on the router
R2651(config)#no ip dhcp conflict logging   or ip dhcp database url if using a FTP, TFTP, or rcp server to keep track of bindings (IP address, subnets, default gateway, and DNS leases for MAC addresses)
R2651(config)#ip dhcp excluded-address low-address [high-address]   use a range 192.168.2.1 192.168.2.5 for IP addresses already assigned to servers & router/switch (VLAN1) interfaces
R2651(config)#ip dhcp pool name

R2651(dhcp-config)#import all ?


R2651(dhcp-config)#network network-number /CIDR
R2651(dhcp-config)#domain-name JulesBartow.com
R2651(dhcp-config)#dns-server address1 address2 ...8
R2651(dhcp-config)#default-router address
R2651(dhcp-config)#lease days

R2651#debug ip dhcp server packet | events | linkage   to see the client identifier
R2651#show ip dhcp binding | conflict | database   to see the client identifier
R2651#show ip dhcp server statistics
R2651#show ip route dhcp   show automatic additions to the routing table by the DHCP server

802.1Q VLAN Tagging (Cisco Trunking)

Dynamic Trunking Protocol (DTP)   Cisco proprietary

switchport mode access | dynamic desirable | dynamic auto | trunk   (can daisy-chain up to 7-trunks)
switchport nonegotiate   do not generate DTP frames

Cisco Inter-Switch Link (ISL): old Cisco proprietary trunking protocol on Catalyst 19xx switches. Although it encapsulates frames it doesn't support default VLAN. Not available on the newer 29xx switches. Option on 3550s.
Spanning Tree Protocol (STP) 802.1D turns redundant switch trunks on and off.
VLAN Trunk Protocol (VTP) only distributes new VLANs to local VLAN databases in the domain --nothing more. Cisco proprietary
New switches should have blank domain name and be set to Transparent mode then changed to Client or Server to avoid higher config revision number taking over

S1(config)#vtp mode Server | Client | Transparent
S1(config)#vtp version #   1 | 2 | 3
S1(config)#vtp domain <name>   Case Sensitive
S1(config)#vtp password <password>   MD5. If not set, hacker tool Yersinia can be used to send out higher config revision number
S1(config)#vtp pruning   Flood unknown unicasts and broadcasts in the VLAN, but not to switches outside the VLAN. On VTP server, sets pruning in VTP clients
S1(config)#set vtp pruning enable   Flood unknown unicasts and broadcasts in the VLAN, but not to switches outside the VLAN.
S0(config)#vlan 10
S0(config-vlan)#name SALES
S0(config-vlan)#vlan 20
S0(config-vlan)#name MARKETING

S1#show vtp status   verify
S1#show interface trunk   list switch ports with trunks, the management domain [vtp domain name], and if VLAN(s) pruned [not in forwarding state]
Extended VLANs (1006 to 4094) are not saved in the VLAN database (flash:vlan.dat) and only work in vtp mode transparent (i.e. switch can't be a client or a server)

VTP - clear it out
S1#vlan database   % Warning: configure VLAN from config mode, as VLAN database mode is being deprecated.
S1(vlan)#vlan 10 name SALES   when in vlan mode. Preferably S0(config)#vlan 10 ↵ S0(config-vlan)#name SALES
S1(vlan)#vtp transparent   passes VLANS, but doesn't store them or S1(config)#vtp mode transparent
S1(vlan)#no vlan xxx   do for every VLAN in the database
S1(vlan)#apply
S1(vlan)#exit
S1#delete flash:vlan.dat
S1#copy run start   or write
S1#reload   reset the switch/router, equivalent to unplugging or turn power off and on

Packet Internet Groper (Ping), ICMP, TraceRoute, Powershell netsh

C:\>netsh firewall show config
C:\>netsh firewall set icmpsetting 8 enable | disable   Enable ICMP Replies by turning off the firewall blocking pings in Windows Vista
C:\>ping 192.168.1.1 -t   the -t means don't stop; a continual ping, used to see how long spanning tree takes to activate
R0(config)#boot system tftp IOS_Image_Name.bin 192.168.1.4   When your flash memory isn't large enough to hold the IOS with the features you need.
ICMP Echo Request (Type 8), Echo Reply (Type 0), and Destination Unreachable (Type 3) with Code (1-5):
ICMP Echo results = "Unroutable" = code 0 then local router has no match in its routing table for the IP address.
ICMP Type 3, code 1 - host unreachable   finds the remote network, but not the specific host
ICMP Type 3, code 3 - port unreachable   finds the specific host, but port associated with the specific application (http:80, ftp:20) wasn't operable

Cisco Express Forwarding (CEF)

Layer 3 Switching tool for fast switching using the route cache (rather than process switched using the routing table), load balancing & Modular Quality of Service (MQoS)
R0(config)#ip cef   enable globally
R0(config-if)#ip route-cache cef   enable on an interface
CEF route cache = Forwarding Information Base (FIB) [next hops - multiple for load balancing] + Adjacency Tables [pre-pend L2 addresses]

Usernames, Passwords, Logins, Line, PPP Authentication, AAA, Login Local

User Access Verification
R0>   User Mode, use Enable to get into privilege exec mode
R0#   Privileged User or Execute mode use Configure Terminal or conf t to get into configure mode
R0(config)#   Ctrl-Z or exit to get out of global config mode
R0(config-line)#   end to get out of line config mode


R0(config)#service password-encryption   convert clear text passwords into Cisco type 7 encryption
R0(config)#ip subnet-zero   use 1st and last sub-nets
R0(config)#ip classless   allow VLSM
R0(config)#line con 0
R0(config-line)#no motd-banner   get right to it, no opportunity for configuration hints & reminders though
R0(config-line)#no exec-banner
R0(config-line)#exec-timeout 0 0   minutes & seconds 0 means don't timeout
R0(config-line)#no logging console   turn off annoying announcements
R0(config-line)#logging synchronous level 7   rewrite your commands instead of clobbering them in the middle

R0(config)#alias exec rt show ip route   type rt to enter user exec mode to list IP routes   show alias
R0(config)#enable password cisco   no enable password | secret allows you on console, but no ENABLE on telnet line VTY unless login local set
R0(config)#enable secret level 15 cisco
R0(config)#username a privilege 15 nopassword   lets you login at the privilege exec already set with no password
R0(config)#line vty 0 4
R0(config-line)#password cisco   no password creates error "Password required, but none set" when telnet password not set. You can't use secret to set the password.
R0(config-line)#login   requires password
   login local   requires username & password & can go straight into enable if priv 15, even if no enable
   no login   takes you straight to the R1> prompt with no password required, but can't Enable w/out a password
R0(config-line)#transport input all | telnet | ssh | none
R0(config)#username admin privilege 15 password cisco
R0(config-line)#login local   if priv 15, logs telnet/VTY user straight into privileged exec/enable mode
R0#show users   list people logged onto telnet lines

R0(config)#aaa new-model   use local username & password in absence of other authentication, authorization and accounting (AAA) statements. Or, use login local
R0(config)#crypto key generate rsa   needed for SSH Secure Shell & https. IOS Image must be a K9 version.
R0(config)#ip ssh time-out 60   SSH delay in seconds unt
R0(config)#ip ssh authentication-retries 2   2-attempts allowed
R0#ssh -l cisco -c 3des 10.13.1.99   version 1 SSH triple-DES
R0#ssh -v 2 -c aes256-cbc -m hmac-sha1-160 -l cisco 10.31.1.99   version 2 SSH AES
banner login and banner motd displayed before telnet login. motd is displayed after SSH login.
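Several of the login settings listed above (enable password instead of enable secret, nopassword users, exec-timeout 0 0, line-password login and telnet on the VTYs) are convenient in a lab and are what a configuration review looks for on a production device. The audit below is an added example, not code from the original page or from Cisco; the rule names and both sample configs are constructed for illustration, and which settings count as findings is a policy assumption.

```python
import re

# Constructed sample: a running-config fragment assembled from the commands
# shown in this section; it is not output captured from a real device.
WEAK_CONFIG = """\
service password-encryption
enable password cisco
username a privilege 15 nopassword
username admin privilege 15 password cisco
line con 0
 exec-timeout 0 0
line vty 0 4
 password cisco
 login
 transport input all
"""

# Constructed hardened counterpart. The hash strings are placeholders.
HARDENED_CONFIG = """\
service password-encryption
enable secret 5 $1$PLACEHOLDER$hash
username admin privilege 15 secret 5 $1$PLACEHOLDER$hash
line con 0
 exec-timeout 10 0
 login local
line vty 0 4
 exec-timeout 10 0
 login local
 transport input ssh
"""


def parse_sections(config):
    """Split a config into (global commands, {'line ...' header: [children]})."""
    global_lines, line_blocks, current = [], {}, None
    for raw in config.splitlines():
        cmd = raw.strip()
        if not cmd or cmd.startswith("!"):
            continue
        if raw[0].isspace():            # child of the most recent section header
            if current is not None:
                line_blocks[current].append(cmd)
            continue
        current = cmd if cmd.startswith("line ") else None
        if current is not None:
            line_blocks[current] = []
        else:
            global_lines.append(cmd)
    return global_lines, line_blocks


def audit(config):
    """Return sorted (rule, location) findings for login-related weaknesses."""
    global_lines, line_blocks = parse_sections(config)
    findings = set()
    if "service password-encryption" not in global_lines:
        findings.add(("PASSWORDS_SHOWN_IN_CLEAR", "global"))
    for cmd in global_lines:
        # 'secret' stores a one-way hash; 'password' is clear text or the
        # reversible type 7 encoding, so it is treated as the weaker form.
        if cmd.startswith("enable password"):
            findings.add(("ENABLE_PASSWORD_NOT_SECRET", "global"))
        user = re.match(r"username (\S+)\s+(.*)", cmd)
        if user:
            name, options = user.group(1), user.group(2).split()
            if "nopassword" in options:
                findings.add(("USER_WITHOUT_PASSWORD", name))
            elif "password" in options:
                findings.add(("USER_PASSWORD_NOT_SECRET", name))
    for header, cmds in line_blocks.items():
        if "exec-timeout 0 0" in cmds:
            findings.add(("IDLE_TIMEOUT_DISABLED", header))
        if not header.startswith("line vty"):
            continue
        if "no login" in cmds:
            findings.add(("VTY_WITHOUT_LOGIN", header))
        elif "login" in cmds:           # shared line password, no per-user login
            findings.add(("VTY_SHARED_LINE_PASSWORD", header))
        for cmd in cmds:
            words = cmd.split()
            if words[:2] == ["transport", "input"] and {"all", "telnet"} & set(words[2:]):
                findings.add(("VTY_TELNET_ALLOWED", header))
    return sorted(findings)


if __name__ == "__main__":
    for rule, where in audit(WEAK_CONFIG):
        print(f"{rule:28} {where}")
    print("hardened findings:", audit(HARDENED_CONFIG))
```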

Password Recovery, Start Up, Configuration Register

Alt-B to send Break key in Tera Term to get into ROMMON mode during power up

rommon 1 >confreg 0x2142   causes router NOT to load start-up config
rommon 2 >reset
Would you like to enter the initial configuration dialog? [yes/no]: no
Router>enable
R0#dir   list the files in flash (IOS & VLANs) partition 1
R0#show flash   list the files in all partitions --there can be a startup command to use a second IOS in another partition
R0#show startup-config   copy the output to a text file and save, write down the username and password
R0#copy startup-config running-config   if you want to see it run
R0#configure terminal
R0(config)#config-register 0x2102   then reload
or if in rommon x > mode then use confreg then reset
R0(config)#username Iforget privilege 15 nopassword   so you can get in next time -- unsecure!
R0#erase flash   deletes the IOS - good luck getting a new IOS in using the slow console port with Xmodem!
R0#erase startup-config
R0(config)#boot-start-marker   tftp server & file name of IOS to load into flash.
boot system flash c3745-is-mz.123-15.ZJ3.bin
R0(config)#boot-end-marker
R0(config)#boot system tftp IOS_Image_Name.bin 192.168.1.4   When your flash memory isn't large enough to hold the IOS with the features you need.

Flash NVRAM iomem

IOS image startup-config

Memory cards

R0(config)#config-register   range from 0x0 to 0xFFFF
0x2100   ROM monitor (Rommon) mode
0x2101   enter into BOOT mode: required to upgrade 2500 router flash, then >o/r 0x2101 and >i initialize
0x2102   factory-DEFAULT boot from the first image in flash memory -- alphabetical
0x2142   boots from flash without using NVRAM (start-config), for password recovery.
0x2141   boots from boot prom and ignores NVRAM contents
0x010F   load from image stored in flash as specified in system:startup-config (stored in NVRAM)
   boot system flash c1841-adventerprisek9-mz.124-10a.bin
0x141   disables the Break key, ignores the NVRAM configuration, and boots the default system image from ROM.
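The register values listed above are combinations of a few bit fields, which is why 0x2142 differs from 0x2102 only in the "ignore NVRAM" bit. The decoder below is an added example (not from the original page) that uses the bit layout from Cisco's configuration-register documentation, decodes only the fields those values exercise, and flags a register left in its password-recovery state; the function names and the sample `show version` line are constructed.

```python
import re

# Bit fields of the 16-bit configuration register (assumption: standard Cisco
# layout; only the fields used by the values in the list above are decoded).
BOOT_FIELD_MASK = 0x000F   # bits 0-3: where to boot from
IGNORE_NVRAM = 0x0040      # bit 6: skip startup-config at boot
BREAK_DISABLED = 0x0100    # bit 8: Break key ignored once booted
ROM_FALLBACK = 0x2000      # bit 13: fall back to ROM software if boot fails

# Constructed sample of the last line of 'show version' output.
SAMPLE_SHOW_VERSION = "Configuration register is 0x2142 (will be 0x2102 at next reload)"


def decode_confreg(value):
    """Decode a register given as an int or a hex string such as '0x2142'."""
    if isinstance(value, str):
        value = int(value, 16)
    if not 0 <= value <= 0xFFFF:
        raise ValueError("configuration register is a 16-bit value")
    boot_field = value & BOOT_FIELD_MASK
    if boot_field == 0:
        boot = "stay in ROM monitor"
    elif boot_field == 1:
        boot = "boot the image in ROM"
    else:
        boot = "follow boot system commands, else first image in flash"
    known = BOOT_FIELD_MASK | IGNORE_NVRAM | BREAK_DISABLED | ROM_FALLBACK
    return {
        "value": f"0x{value:04X}",
        "boot_field": boot_field,
        "boot": boot,
        "ignore_nvram": bool(value & IGNORE_NVRAM),
        "break_disabled": bool(value & BREAK_DISABLED),
        "rom_fallback": bool(value & ROM_FALLBACK),
        "other_bits": value & ~known & 0xFFFF,   # not interpreted here
    }


def review(value):
    """List reasons a register value should not be left on a production device."""
    decoded = decode_confreg(value)
    issues = []
    if decoded["ignore_nvram"]:
        issues.append("startup-config is ignored at boot (password-recovery setting)")
    if decoded["boot_field"] < 2:
        issues.append("device will not boot its normal IOS image")
    return issues


def confreg_from_show_version(text):
    """Return (current, pending) register strings; pending is None if unchanged."""
    match = re.search(
        r"Configuration register is (0x[0-9A-Fa-f]+)"
        r"(?: \(will be (0x[0-9A-Fa-f]+) at next reload\))?", text)
    if not match:
        raise ValueError("no configuration register line found")
    return match.group(1), match.group(2)


if __name__ == "__main__":
    current, pending = confreg_from_show_version(SAMPLE_SHOW_VERSION)
    print(current, review(current), "pending:", pending)
    for listed in ("0x2100", "0x2101", "0x2102", "0x2142", "0x2141", "0x010F", "0x141"):
        print(decode_confreg(listed))
```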

R0#show debug   list what debugs are running
R0#u all or undebug all   to turn off every running debug
S*   S means Statically configured route. * means default route.

Control Plane vs. Data Plane

IANA Well Known Ports


R2651(config)#access-list 151 permit tcp any any eq ?   for a list of ports and names known by IOS; doesn't tell if UDP, TCP, or ICMP

| Port | UDP/TCP | Application | Notes |
|---|---|---|---|
| 20 | TCP | FTP-Data | |
| 21 | TCP | FTP-Control | uses telnet |
| 22 | both | SSH | line VTY |
| | | | SFTPS replaced SCP, Secure FTP tunneled via SSH (scp2) |
| 23 | TCP | Telnet | line VTY |
| 24 | both | Private Mail | |
| 25 | TCP | SMTP - sending | Simple Mail Transport Protocol, 465 for secure port |
| 53 | both | DNS | Domain Name Service - given a host name, finds the IP address |
| 69 | UDP | TFTP | |
| 80 | TCP | HTTP / WWW | |
| 110 | TCP | POP3 | Post Office Protocol v3 is being replaced by IMAP (port 993) to get mail from a server |
| 119 | both | NNTP | Network News Transfer Protocol - Usenet, Really Simple Syndication (RSS) feeds |
| 123 | UDP | NTP | Network Time Protocol |
| 143 | TCP | IMAP | Internet Message Access Protocol version 4 |
| 161 | UDP | SNMP | |
| 443 | TCP | HTTPS / SSL | |
| 465 | TCP | Secure SMTP | e-mail (SSL) |
| 521 | UDP | RIPng | IPv6 |
| 546 | UDP | DHCP - Client Listens | |
| 547 | UDP | DHCP - Server Listens | |
| 587 | TCP | SMTP outgoing (TLS) | Secure SMTP e-mail (Transport Layer Security - layer 4) |
| 989 | TCP | FTPS Data | FTP with Transport Layer Security (TLS) authentication |
| 990 | TCP | FTPS Control | FTP with Transport Layer Security (TLS) authentication |
| 993 | TCP | IMAP | |
| 3389 | TCP | RDP | Remote Desktop Protocol for Microsoft Terminal Server ms-wbt-server |
| 5004 | UDP | RTP | Real-Time Protocol @ Application Layer |
| 5005 | UDP | RTCP | Real-Time Control Protocol @ Application Layer |

Figure 51: Mapping of Multicast IP Addresses to IEEE 802 Multicast MAC Addresses

IP multicast addresses consist of the bit string “1110” followed by a 28-bit multicast group address. To create a 48-bit multicast IEEE 802 (Ethernet) address, the top 24 bits are filled in with the IANA’s multicast OUI, 01-00-5E, the 25th bit is zero, and the bottom 23 bits of the multicast group are put into the bottom 23 bits of the MAC address. This leaves 5 bits (shown in pink) that are not mapped to the MAC address, meaning that 32 different IP addresses may have the same mapped multicast MAC address.
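The mapping described above, worked through in code as an added example (not part of the original page; function names are made up here). It maps a group to its MAC, lists the 32 groups that share one MAC, and reports collisions in a list of groups, which matters because a layer 2 filter keyed on the MAC cannot tell those groups apart.

```python
import ipaddress
from collections import defaultdict

IANA_MULTICAST_OUI = 0x01005E   # top 24 bits of every mapped IPv4 multicast MAC
LOW_23_BITS = 0x7FFFFF          # part of the group address that survives mapping


def multicast_mac(group):
    """Map an IPv4 multicast group address to its Ethernet multicast MAC."""
    addr = ipaddress.IPv4Address(group)
    if not addr.is_multicast:
        raise ValueError(f"{group} is not in 224.0.0.0/4")
    # OUI in the top 24 bits, 25th bit zero, low 23 bits copied from the group.
    mac = (IANA_MULTICAST_OUI << 24) | (int(addr) & LOW_23_BITS)
    return "-".join(f"{(mac >> shift) & 0xFF:02X}" for shift in range(40, -8, -8))


def groups_sharing_mac(mac):
    """All 32 IPv4 groups that map to the given multicast MAC address."""
    value = int(mac.replace("-", "").replace(":", ""), 16)
    if value >> 24 != IANA_MULTICAST_OUI or value & 0x800000:
        raise ValueError(f"{mac} is not an IPv4 multicast MAC")
    low23 = value & LOW_23_BITS
    # The 5 unmapped bits sit between the fixed '1110' prefix and the low 23 bits.
    return [str(ipaddress.IPv4Address((0b1110 << 28) | (lost << 23) | low23))
            for lost in range(32)]


def collisions(groups):
    """Group addresses by mapped MAC and keep only MACs used more than once."""
    by_mac = defaultdict(list)
    for group in groups:
        by_mac[multicast_mac(group)].append(group)
    return {mac: members for mac, members in by_mac.items() if len(members) > 1}


if __name__ == "__main__":
    # 224.0.0.9 is the RIPv2 update group; the other addresses are constructed.
    print(multicast_mac("224.0.0.9"))
    print(groups_sharing_mac("01-00-5E-00-00-09"))
    print(collisions(["224.0.0.9", "225.0.0.9", "239.128.0.9", "224.0.0.5"]))
```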

Some well known Ethernet multicast addresses[9]

| Ethernet multicast address | Type Field | Usage |
|---|---|---|
| 01-00-0C-CC-CC-CC | 0x0802 | CDP (Cisco Discovery Protocol), VTP (VLAN Trunking Protocol) |
| 01-00-0C-CC-CC-CD | 0x0802 | Cisco Shared Spanning Tree Protocol Address |
| 01-80-C2-00-00-00 | 0x0802 | Spanning Tree Protocol (for bridges) IEEE 802.1D |
| 01-80-C2-00-00-08 | 0x0802 | Spanning Tree Protocol (for provider bridges) IEEE 802.1AD |
| 01-80-C2-00-00-02 | 0x0809 | Ethernet OAM Protocol IEEE 802.3ah |
| 01-00-5E-xx-xx-xx | 0x0800 | IPv4 Multicast (RFC 1112) |
| 33-33-xx-xx-xx-xx | 0x86DD | IPv6 Multicast (RFC 2464) |

PC Commands


169.254.xxx.xxx = default IP address when PC can't find a DHCP server
C:\>arp -a   show MAC address - IP Address table including multi-cast
C:\>arp -d   delete arp table on a PC
C:\>netsh interface ip show config   same as using ipconfig /all
C:\>netsh -c interface dump > c:\location1.txt   export NIC settings
C:\>netsh interface ip set address name="LAN_Wired" static 192.168.1.1 255.255.255.0 192.168.1.1   set ip address, subnet mask & default gateway
C:\>netsh interface ip set address "Local Area Connection" dhcp   use DHCP, if no DHCP server autoconfigures to 169.254.66.126
C:\>netsh interface ip set dns "LAN_Wired" dhcp   Domain Name Servers
Create a shortcut to an FTP site as if it were another directory or drive: %windir%\explorer.exe ftp://[email protected]
→ Run → cmd → netsh → interface → ipv6

| IPv6 | Reset to IPv4 | Errors |
|---|---|---|
| set prefix ::1/128 50 0 | set prefix ::1/128 50 0 | Ok. |
| set prefix ::/0 40 1 | set prefix ::/0 40 1 | Element not found. |
| set prefix 2002::/16 30 1 | set prefix 2002::/16 30 2 | Element not found. |
| set prefix ::/96 20 3 | set prefix ::/96 20 3 | Element not found. |
| set prefix ::ffff:0/96 10 4 | set prefix ::ffff:0/96 10 4 | Element not found. |
| set prefix 2001::/32 5 5 | set prefix 2001::/32 5 5 | Element not found. |

C:\>netsh interface ipv6 show neighbors   ARP equivalent for IPV6 = Neighbor Discovery Protocol (NDP)
ff02: / IPv6 multicast starts with ff 11111111
C:\>tracert -d   do not resolve IP address into name on a PC (Vista)
C:\>tracert -6   IPv6 Trace Route
C:\>netsh firewall set icmpsetting 8 enable | disable   Enable ICMP Replies by turning off the firewall blocking pings to the Windows Vista
C:\>netsh interface ipv6 show interface   Windows XP SP 1
C:\>netsh interface ipv6 show route   Vista & Win 7 lists a whole bunch of IPv6 addresses:
C:\>netsh interface ipv6 show address   Vista & Win 7 lists a whole bunch of IPv6 addresses:
::1/128   loopback --similar to 127.0.0.1
fe80::5efe:192.168.1.101/128   Link-Local Intra-Site Automatic Tunnel Addressing Protocol (ISATAP) %ZoneIDLink
fe80::100:7f:fffe/128   link-local without the latter half of the MAC address?
MAC Address 00-24-2B-86-A8-64
2002::5efe:192.168.1.101/128   global unicast using ISATAP ?
192.168.1.101 decimal → → c0a8:0165 hex
FEC0:   site-local 1111 1110 1100 0000 /10
FD00::/7 = FC00::/7 & 8th bit set to 1 when locally defined unique-local address (ULA) replaced the site-local
FE80:   link-local 1111 1110 1000 0000 /10
C:\>ping -6   ping using IPv6
C:\>ping 192.168.1.1 -t   the -t means don't stop; a continual ping, used to see how long spanning tree takes to activate
http://[2010:836B:4179::836B:4179]/   put square brackets around an IPv6 URL address

RIP

Bellman-Ford algorithm

Configuration

R0(config)#ip subnet-zero   allow use of first and last (broadcast) subnets (legacy)
R0(config)#router rip
R0(config-router)#version 2   allow advertising of subnets
R0(config-router)#network 10.0.0.0   advertise & turn on routing for Class A network
R0(config-router)#network 172.16.0.0   advertise & turn on routing for Class B network
R0(config-router)#network 192.168.2.0   advertise & turn on routing for Class C network
R0(config-router)#network 192.168.3.0
R0(config-router)#passive-interface FastEthernet 4   prevent RIP update advertisements from specific interfaces
R0(config-router)#no auto-summary   disable auto-summarization when there are disconnected subnets -- no effect on V1 interfaces
255.255.255.255   broadcast destination address for RIPv1 updates
224.0.0.9   multicast destination for RIPv2 updates
R0#show ip protocols

How to tell which advertisements are added to the routing table...

R0#debug ip rip

003314: *Dec 19 18:15:33.381 EST: RIP: sending v2 update to 224.0.0.9 via BVI1 (10.10.10.1)
003315: *Dec 19 18:15:33.381 EST: RIP: build update entries
003316: *Dec 19 18:15:33.381 EST: 192.168.1.0/24 via 0.0.0.0, metric 1, tag 0
851W#
003317: *Dec 19 18:15:40.941 EST: RIP: received v2 update from 10.10.10.29 on BVI1
003318: *Dec 19 18:15:40.941 EST: 172.16.0.0/24 via 0.0.0.0 in 1 hops

Unlike RIP and OSPF, which cannot be enabled simultaneously, EIGRP and RIP or EIGRP and OSPF can be.

Getting Route From/To Outside of Domain/Segment - Originate & Redistribute

With default route enter R1(config-router)#default-information originate to advertise the single default route to neighbors (OSPF, EIGRP, RIPv2)
R1(config)#router rip
R1(config-router)#redistribute static metric 5   to advertise multiple routes to neighbors

851W Integrated Switch Router (ISR) with Wireless


This is low end Cisco, lacking in capabilities that will frustrate a budding CCNA trying to use it in their lab. Get the 871W, if you can afford it, so you can do trunking, STP, and VLANs. Even though there is a switchport mode trunk command you can't actually set the 851W switchports to trunk to 2950, 2960, or 3550 switches. It kind of does it out of the box with no trunk settings indicating switchport mode dynamic desirable is running and should just be left alone.

interface FastEthernet0

switchport mode trunk

It locks up as soon as it gets a bridge protocol data unit

851W(config-if)#no spanning-tree portfast
851W(config-if)#end
851W#
000150: *Dec 22 17:14:05.639 EST: %SYS-5-CONFIG_I: Configured from console by admin on console
851W#
000151: *Dec 22 17:14:28.295 EST: %SPANTREE-7-RECV_1Q_NON_TRUNK: Received 802.1Q BPDU on non trunk FastEthernet1 VLAN1.
000152: *Dec 22 17:14:28.295 EST: %SPANTREE-7-BLOCK_PORT_TYPE: Blocking FastEthernet1 on VLAN1. Inconsistent port type.
PVST+: restarted the forward delay timer for FastEthernet1

Router-on-a-Stick

Router-on-a-Stick is used to allow traffic to traverse between VLANS using a trunk, but instead of between two switches, the trunk is between the switch, a router, and back to the switch. A Fast Ethernet (100Mbps) port on the router is required (old 2500 routers won't work) in order to create multiple sub-interface based IP addresses (similar to sub-interfaces used in Frame Relay) connected to a single switch port configured in trunk mode. Note: just because you're trunking doesn't mean the router-switch connection uses a crossover-cable like switch-to-switch connections do. Use a straight-thru cable as you would for any normal router-switch Ethernet or Fast Ethernet connections. (GigE has MDI/MDIX built in, in which case you can use straight through or crossover.)

Packet Tracer Example (.rar compressed)
The Switch uses 3-switchports (1 to router - a trunk, and an access port for each PC)

S2950_1#vlan database   - old style
S2950_1(vlan)#vlan 10
S2950_1(vlan)#vlan 20
S2950_1(vlan)#apply   or exit or end or ctrl-Z

S2950_1(config)#int fa0/3   switchport connected to router interface FastEthernet 0/0, fa0/0.1 & fa0/0.2
S2950_1(config-if)#switchport trunk encapsulation dot1q   won't work on a 2950 or 2960 because 802.1Q only capability on a 2950
S2950_1(config-if)#switchport mode trunk
S2950_1(config-if)#spanning-tree portfast trunk   - avoid the blocking, listening & learning delay

S2950_1(config)#int range fa0/1 - 4
S2950_1(config-if)#spanning-tree portfast   - avoid the blocking, listening & learning delay
S2950_1(config-if)#switchport mode access
S2950_1(config-if)#switchport access vlan 30

S2950_1(config)#int fa0/5
S2950_1(config-if)#spanning-tree portfast   - avoid the blocking, listening & learning delay
S2950_1(config-if)#switchport mode access
S2950_1(config-if)#switchport access vlan 10

S2950_1(config)#int fa0/6
S2950_1(config-if)#spanning-tree portfast
S2950_1(config-if)#switchport mode access
S2950_1(config-if)#switchport access vlan 20

The PCs should not be able to ping each other because they are in separate VLANs.
Even when router-on-a-stick is configured, if the default-gateway on each PC is not configured for the sub-interface's IP address, the PCs won't be able to ping each other.

R0(config)#int fa0/0   use just one router interface (with two sub-interfaces)
R0(config-if)#no ip address
R0(config-if)#speed 100
R0(config-if)#duplex full
R0(config-if)#no shut

R0(config)#int fa0/0.1   add a dot number for the sub-interface
R0(config-if)#encapsulation dot1q 10   set sub-interface as a TRUNK (for VLAN 10) in order to assign an IP address to a sub-interface
R0(config-if)#ip address 192.168.10.1 255.255.255.0
R0(config-if)#exit

R0(config)#int fa0/0.2   add a dot number for the sub-interface
R0(config-if)#encapsulation dot1q 20   set sub-interface as a TRUNK (for VLAN 20) in order to assign an IP address to a sub-interface
R0(config-if)#ip address 192.168.20.1 255.255.255.0

Logging

logging buffered 64000   2-3 days saved in memory
logging IP Address   PC running kiwi syslog daemon (bought by Solarwinds)
show log
logging terminal   show annoying announcements normally sent to console in VTY (telnet) session

Equipment Capability & Configuration Summary

Dev#show version   display memory and config-register
Dev#show flash   display IOS(s) stored in flash memory
Dev#show inventory   list S/N
Dev#show diagnostics   what's installed in the slots
Dev#show tech-support   list everything
#show running-config | include ip route   configuration currently in RAM

Switches

Flood, Forward, Filter → building the Content Addressable Memory (CAM) table

Forwarding happens when the switch has an entry for the destination MAC address in it's MAC address table and forwards the frame out asingle port.Flooding broadcast when the switch doesn't have an entry for the destination MAC address in the CAM (i.e. an unknown unicast frame).The frame (layer 2) sent out every port on the switch except for the one it came in on.Filtering source and destination MAC address on the same port/segment — discard, assuming the destination has already received theframe.

#show mac-address-table dynamic so you don't see all the static portsS3550(config)#mac-address-table static 0000.00aa.aaaa vlan 10 interface fa0/1 - normally don't need to set

Speed vs. error checking in Forward & Flood:

Store-and-Forward compare FCS before sending, slowest

Fragment-Free check 1st 64-bytes, medium speed
Cut-Through real-time, fastest, no FCS. Relies on upper layer services for error checking

#show port

Address Resolution Protocol (ARP)

#show arp    is a neighbor's IP address and MAC address in the ARP table? ARP has a 4-hour aging time.

The mac-address-table (CAM/forward/filter table, 5-minute/300-second aging time) doesn't map IP to MAC.

ARP broadcasts include 48-bit MAC Sender Hardware Address (SHA) and Target Hardware Address (THA), and 32-bit IP address fields for the corresponding Sender and Target Protocol Addresses (SPA and TPA).
Gratuitous ARP broadcasts the SHA, with the SPA repeated in the TPA field and THA = 0, so other machines on the LAN know it is there quickly.

Inverse ARP (InARP) — get IP address from a Frame Relay DLCI (~the DLCI is equivalent to a MAC) for the interface on the other side of the WAN. — address mapping of an IP address to a physical machine address

Reverse Address Resolution Protocol (RARP) is obsolete (similar to Inverse ARP except the response to a RARP request is the protocol address of the requesting station) for a host machine that doesn't know its IP address → replaced by BOOTP → superseded by DHCP.
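Added example (not part of the original notes): the ARP payload fields named above (SHA, SPA, THA, TPA) parsed from raw bytes, with a check for gratuitous ARP and a small watcher that reports when an IP address moves to a different MAC, which is what a defender monitors for on a LAN. The function names and the sample payloads are constructed for illustration.

```python
import socket
import struct

# Ethernet/IPv4 ARP payload: htype, ptype, hlen, plen, oper, SHA, SPA, THA, TPA
ARP_FMT = "!HHBBH6s4s6s4s"
ARP_LEN = struct.calcsize(ARP_FMT)  # 28 bytes


def mac_to_bytes(mac):
    """Accept 02:00:44:44:44:44, 02-00-..., or Cisco style 0200.4444.4444."""
    return bytes.fromhex(mac.replace(":", "").replace(".", "").replace("-", ""))


def mac_to_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def build_arp(oper, sha, spa, tha, tpa):
    """Build a constructed ARP payload (oper 1 = request, 2 = reply)."""
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, oper,
                       mac_to_bytes(sha), socket.inet_aton(spa),
                       mac_to_bytes(tha), socket.inet_aton(tpa))


def parse_arp(payload):
    """Return the four address fields of an Ethernet/IPv4 ARP payload."""
    if len(payload) < ARP_LEN:
        raise ValueError("truncated ARP payload")
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = struct.unpack(
        ARP_FMT, payload[:ARP_LEN])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP payload")
    return {"oper": oper,
            "sha": mac_to_str(sha), "spa": socket.inet_ntoa(spa),
            "tha": mac_to_str(tha), "tpa": socket.inet_ntoa(tpa)}


def is_gratuitous(arp):
    """Gratuitous ARP announces the sender's own address: SPA == TPA."""
    return arp["spa"] == arp["tpa"]


class ArpWatch:
    """Track IP -> MAC bindings and report when a binding changes."""

    def __init__(self):
        self.table = {}

    def observe(self, payload):
        arp = parse_arp(payload)
        ip, mac = arp["spa"], arp["sha"]
        if ip == "0.0.0.0":          # address probe, claims no binding
            return None
        old = self.table.get(ip)
        self.table[ip] = mac
        if old is not None and old != mac:
            return {"ip": ip, "old_mac": old, "new_mac": mac,
                    "gratuitous": is_gratuitous(arp)}
        return None


ZERO = "00:00:00:00:00:00"
# Constructed sample payloads (not captured traffic)
SAMPLE_PAYLOADS = [
    build_arp(1, "0200.4444.4444", "192.168.10.5", ZERO, "192.168.10.1"),  # request
    build_arp(1, "0200.4444.4444", "192.168.10.5", ZERO, "192.168.10.5"),  # gratuitous
    build_arp(1, "0200.1111.1112", "0.0.0.0", ZERO, "192.168.10.5"),       # probe
    build_arp(1, "0200.1111.1112", "192.168.10.5", ZERO, "192.168.10.5"),  # new MAC
]


def run_watch(payloads):
    """Feed payloads through a fresh watcher and collect binding-change alerts."""
    watch = ArpWatch()
    return [a for a in (watch.observe(p) for p in payloads) if a]


if __name__ == "__main__":
    for alert in run_watch(SAMPLE_PAYLOADS):
        print(alert)
```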

Connecting PCs to the Switch - Spanning-Tree options & setting VLANs

(config-if)#switchport mode access    turns off trunk negotiation versus trunk, dynamic desirable (default 2950, 3550), or desirable auto (default 2960, 3560)
(config-if)#spanning-tree portfast    skip the delay from listening for BPDUs → and learning MAC addresses
(config-if)#spanning-tree bpdufilter enable    stop BPDUs from going out the port (used when connected to a server). If used, it occurs before bpduguard, pre-empting an err-disabled switchport shutdown.
(config-if)#spanning-tree bpduguard enable    keep inadvertent trunks on portfast ports from creating switch loops - shuts down the port, more secure than bpdufilter
(config-if)#spanning-tree guard loop    ???
(config-if)#switchport access vlan 10    set VLAN on port. [trunks don't end up in VLANs, they carry multi-VLAN traffic].
S3550(config)#vlan 10    create VLAN and configure it [or update the vlan name].

S3550(config-vlan)#name SALES
S3550(config-vlan)#state active | suspend

(config)#udld enable    shutdown interface when UniDirectional Link Detection (UDLD): traffic transmitted from the neighbor is not received by the local device. Layer 2 protocol, auto complements autonegotiation on fiber interfaces. Normally not used [auto off] because of extra UDLD packets sent on copper.
(config-if)#no udld enable    don't use UDLD on copper switchports
(config-if)#udld disable    turn UDLD off on fiber interfaces
(config-if)#udld reset    turn switchports back on after UDLD shut them down

Port Security

(config-if)#switchport port-security security maximum

(config-if)#switchport port-security mac-address mac-address | sticky

interface FastEthernet0/4
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky

switchport port-security mac-address sticky 0200.4444.4444 added to running-config upon 1st traffic

(config-if)#switchport port-security violation

protect poof—no record, just silently drops incoming packets. Still sends outgoing packets

restrict read & run, SecurityViolation counter increments. Still sends outgoing packets.

shutdown err-disabled (manually shut & no shut to start again)

SW2#show port-security interface fa0/4

Port Security : Enabled
Port Status : Secure-up
Violation Mode : Shutdown (default)
Aging Time : 0 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 1


Total MAC Addresses : 1
Configured MAC Addresses : 0
Sticky MAC Addresses : 1
Last Source Address:Vlan : 0200.4444.4444:1
Security Violation Count : 0

Port Status : Secure-shutdown

Violation Mode : Shutdown (default)
Last Source Address:Vlan : 0200.1111.1112:1
Security Violation Count : 1

SW2#show interfaces fa0/1
FastEthernet0/1 is down, line protocol is down (err-disabled)
SW2#show port-security

Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                (Count)       (Count)        (Count)
--------------------------------------------------------------------
      Fa0/3        1             1               0          Protect
      Fa0/4        1             1               0          Shutdown
----------------------------------------------------------------------

S3550_2(config)#int fa1/0
S3550_2(config-if)#spanning-tree ?
  bpdufilter     Don't send or receive BPDUs on this interface
  bpduguard      Don't accept BPDUs on this interface
  cost           Change an interface's spanning tree port path cost
  guard          Change an interface's spanning tree guard mode
  link-type      Specify a link type for spanning tree protocol use
  mst            Multiple spanning tree
  port-priority  Change an interface's spanning tree port priority
  portfast       Enable an interface to move directly to forwarding on link up
  stack-port     Enable stack port
  vlan           VLAN Switch Spanning Tree

Tagging/Trunking

(config-if)#switchport trunk encapsulation dot1q | isl set encap before mode. No ISL on Cat 2950/2960.

(config-if)#switchport mode trunk versus access with no trunking

(config-if)#switchport nonegotiate    for interfaces like routers that don't support dynamic trunking protocol. Won't work (conflict) if port in dynamic desirable/auto and not in access mode
(config-if)#do show int fa0/7 switchport
#show interfaces switching    lists # of frames for each protocol on each port
#show spanning-tree active detail
#show spanning-tree vlan 1 brief

#show spanning-tree interface interface detail

hello time = 2 seconds : how often BPDU multi-casts are sent
Max Age = 20 seconds: how long w/out BPDUs before STP recalculates paths
sys-id-ext = VLAN number: 1 (default) added to bridge priority 32768 (default) for overall priority
PVSTP - Cisco Per VLAN Spanning Tree Protocol - or Rapid spanning-tree mode rapid-pvst

Root Bridge - king of the network, no root ports (ALL designated), voted on 1st

Bridge ID = Priority.MAC
Priority - 32768 by default (lower is better - more likely to be voted as ROOT bridge)
MAC Address

Designated Port (DP) - the one port that forwards in a link/segment between switches; the other switch (one with highest Bridge ID) blocks.
Link Costs (10Gbps = 2, 1Gbps = 4, 100Mbps = 19, 10Mbps = 100)
S0(config)#spanning-tree vlan 1 root primary    automatically makes this switch the root (changes the priority from 32768 to something lower)
or S1(config)#spanning-tree vlan 1 priority 4096    increments of 4096 starting with 0

ALTN is the "blocked port" using Rapid Per VLAN spanning tree

blocking → listening (15 seconds of FWD_DEL) → learning (15 seconds of FWD_DEL) → forwarding
S1(config)#spanning-tree portfast    turn off STP, only on access ports or else problems!
S1(config)#spanning-tree mode rapid-pvst    → rstp | pvst 802.1D → ieee, every switch has rapid set or will default back to original. Turn on PortFast on the PC and Router ports
Switch#show spanning-tree

VLAN0001
  Spanning tree enabled protocol ieee | rstp
  Root ID    Priority    32769
             Address     0060.70AA.8778
             Cost        4
             Port        25(GigabitEthernet1/1)
             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    32769  (priority 32768 sys-id-ext 1 VLAN ID)
             Address     00D0.FF92.2167
             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  20

Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Gi1/1            Root FWD 4         128.25   P2p
Fa0/1            Desg FWD 19        128.1    P2p

#show cdp neighbor f0/48 detail


#show cdp neighbor detail
SW1(config)#no cdp run    turn off CDP for the entire switch (can't for VoIP)/router
SW1(config-if)#no cdp enable    turn off CDP for just the interface
Dev(config)#ip name-server 172.16.1.111 4.2.2.2    DNS host addresses. Can use VRF
Dev(config)#ip domain-lookup    use the DNS server --slows things way down

Dev(config)#ip domain-name JulesBartow.com used for SSH RSA security crypto key generate rsa

username fred password hope
line vty 0 4
 login local
 transport input telnet ssh
Dev(config)#ip domain timeout 2    quit using DNS after 2-seconds
Dev(config)#ip domain retry    retry the DNS 2-times

VPNs - Virtual Private Networks

3 Vital Functions:
1. Data Origin Authentication
2. Encryption - ensures confidentiality
3. Integrity recipient guaranteed that data didn't change
4. Anti-replay protection malicious repeat or delay, intruder copies another user's proof of identity

Use one-time tokens to protect against
Use sequence numbers to protect against

Tunneling protocols:
Generic Routing Encapsulation (GRE) no encryption, Layer 2
Layer 2 Tunneling Protocol (L2TP) no encryption, hybrid of Microsoft & Cisco Layer 2 Forwarding, acts like L2 protocol, but a session layer protocol using UDP port 1701
Internet Protocol Security (IPSec) see below, has encryption
Point to Point Tunneling Protocol (PPTP) uses GRE to encapsulate PPP, Windows adds Auth & Encryp, proposed IETF RFC 2637 in 1999 — never ratified.
Secure Sockets Layer (SSL) Services runs at Transport Layer 4
SSH & S/MIME runs at Application Layer 7

VRF - VPN Routing and Forwarding

Wide Area Networks

VPN, PPP, HDLC, and Frame Relay (no ATM, FDDI, or Tunnels in CCNA)

WANs generally don't use the Ethernet (LAN) ports (except VPNs, Tunnels, PPPoE).
Serial interfaces using HDLC and PPP don't have MAC addresses
HDLC is default encapsulation on Cisco serial interfaces. PPP encapsulation on one router and HDLC on the other router shows as Up/Down in the show ip int br command
HDLC is proprietary to Cisco
HDLC has no authentication
HDLC has no error detection

R0#show run | include username    list username and passwords
R0(config-if)#clock rate 128000    create DCE Data Communications Equipment side of DCE/DTE segment/link
R0(config-if)#bandwidth 128    clock rate is a CSU/DSU thing so set the bandwidth for best route routing decisions (not in RIP).

R0(config-if)#ppp authentication chap | eap    Challenge Handshake Authentication Protocol or Extensible Authentication Protocol. Don't use PAP.
R0(config-if)#show controllers serial 1 | include V.35
buffer size 1524 HD unit 1, V.35 DCE cable, clockrate 38400
R0(config-if)#show interfaces serial 0 | include Encapsulation
Encapsulation HDLC, loopback not set

Point to Point Protocol pluses over HDLC

R0(config)#username peer_host_name password same_password_as_peer    used for ppp CHAP authentication

R0(config-if)#encapsulation ppp    point-to-point (p2p) or multipoint managed by LCP ~ session layer
Authentication — don't use PAP

R0(config-if)#ppp authentication chap    username Other_Router_Name password Common_Password
R0(config-if)#debug ppp authentication    display Challenge Handshake
R0(config-if)#ppp authentication EAP    Extensible Authentication Protocol, IEEE 802.1x

Compression: Stacker | Predictor
Callback: reduced ISDN dial-up toll charges
Error Detection: Quality and Magic Number ensure a reliable, loop-free data link
Not Cisco proprietary like HDLC is

IPSEC —used in VPNs and IPv6

Negotiation
AH Authentication Header
ESP
ESP+AH

Encryption
DES Data Encryption Standard from 1976, 56-bit size key
3DES Triple DES - replaced by AES, 3 different 56-bit size key = 168 bits (really only 112 bits)
AES Advanced Encryption Standard; FIPS 197 (2001); 128, 192 & 256 bit symmetric key (same key used for encrypt/decrypt), Rijndael algorithm

Authentication - Use Cain & Abel network sniffing & decryption tool to brute-force break the HASH password
MD5 128-bit (16-byte) subject to collision and rainbow table attacks
SHA-1 160-bit (20-byte) value (SHA-256 and SHA-512 not yet available on Cisco?)

Protection Diffie-Hellman (exponential key agreement): Asymmetric Keys (1 public—cert'd by CA against root key & 1 private), initially used to encrypt password over non-secure connection. Built around certificate authority (CA) validating public key.


loopback 0 - similar to PC address 127.0.0.1, always Up/Up so highest # used to create Router ID for OSPF.
R0(config)#interface loopback 0    Create a network to propagate to routing tables for testing. Automatically up/up. No no shutdown required
R0(config-if)#ip address 10.1.1.1 255.0.0.0

Frame Relay

inexpensive & reliable: replaced by Ethernet VPNs

Committed Information Rate (CIR) available to a customer

Emulate Frame Relay Switch using a Router with multiple serial interfaces (2522, NM-4T)

Developed in the International Telecommunication Union Telecommunication Standardization Sector (ITU-T)
Global Addressing scheme - Devices uniquely identified by their assigned DLCIs: 992 possible = 1024 - 32 reserved

R1(config)#interface Serial 0
R1(config-if)#no shutdown
R1(config-if)#no ip address
R1(config-if)#encapsulation frame-relay
R1(config-if)#logging event subif-link-status
R1(config-if)#logging event dlci-status-change
R1(config-if)#frame-relay intf-type dce    normally a serial interface just becomes Data Commun. Equip. setting the clock rate.
R1(config-if)#clock rate 64000
R1(config-if)#no frame-relay inverse-arp    turn off default DLCI mapping protocol (Layer 3 to Layer 2 lookup) before opening the interface

R1(config-if)#frame-relay route inbound_DLCI interface outbound serial outbound_DLCI
R1(config-if)#frame-relay route 122 interface serial2 221
R1(config-if)#frame-relay route 123 interface serial3 321
R1(config-if)#no ip split-horizon    be very careful turning split horizon off. It keeps routing loops from occurring.
R1(config)#connect R1-R2 Serial0/1 102 Serial0/2 201    connect is a newer command to set DLCI routing at global config instead of 2 separate commands under each I/F
R1#show frame route    DLCI to serial interface list

NBMA - non-broadcast multi-access (no OSPF hello multicast 224.0.0.6 packets for keepalive neighbor adjacency unless broadcast part of frame map)
full-mesh - every router has a VC to every other router
frame-relay lmi-type - status keepalives from DCE to DTE + PVC status: (IN)ACTIVE, CISCO autosenses:

1. cisco default
2. ansi
3. q933a
4. autosense - router sends out each of the above

R0#no keepalive    disable LMI messages
R0#show frame-relay pvc    sh fr p "Permanent Virtual Circuit"

PVC Statistics for interface Serial2/0 (Frame Relay DTE)
DLCI = 102, DLCI USAGE = LOCAL, PVC STATUS = ACTIVE, INTERFACE = Serial2/0.102
  input pkts 14055    output pkts 32795    in bytes 1096228
  out bytes 6216155   dropped pkts 0       in FECN pkts 0
  in BECN pkts 0      out FECN pkts 0      out BECN pkts 0
  in DE pkts 0        out DE pkts 0
  out bcast pkts 32795    out bcast bytes 6216155

R0#show frame lmi sh frame lmi

LMI Statistics for interface Serial2/0 (Frame Relay DTE) LMI TYPE = CISCO
  Num Status Enq. Sent 1674    Num Status msgs Rcvd 1673
  Num Update Status Rcvd 0     Num Status Timeouts 16
LMI Statistics for interface Serial2/0.102 (Frame Relay DTE) LMI TYPE = CISCO
  Num Status Enq. Sent 0       Num Status msgs Rcvd 0
  Num Update Status Rcvd 0     Num Status Timeouts 16

R0#clear counters
There is a DLCI (16 to 1007) for each connection to another router - DLCIs are never advertised

R1(config-if)#encapsulation frame-relay ←←on device's interface connecting to the switch

R1(config-if)#no shutdown
FECN - tells receiver to expect delay / BECN - sender back off (Forward / Backwards Error Congestion Notification)
Static Mapping - turn off inverse ARP, for each remote router attached to frame relay set its IP address for the local DLCI

R1(config-if)#no frame-relay inverse-arp re-enable inverse ARP to automatically assign IP addresses to DLCIs

R1(config-if)#frame-relay map ip remoteIP localDLCI broadcast cisco | ietf
Pings returned
No routing updates sent

Frame Relay Initial Encapsulation type
R1(config-if)#Cisco
R1(config-if)#IETF    if doing frame-relay with non-Cisco equipment, Internet Engineering Task Force (IETF)

clear frame-relay-inarp    Inverse ARP reset
frame-relay intf-type    DCE switch, or DTE router, or NNI Network-to-Network I/F (switch-switch)

Frame Relay > Multi-Point Configuration

R1(config-if)#frame-relay ip map 172.14.5.6 213 broadcast

Frame Relay > Point-to-Point (p2p) Configuration

No frame-relay map .1 subinterfaces only on hub for hub-spoke in p2p, but use subIFs for all in case want to go full/partial mesh later.


R1(config-if)#no shutdown
R1(config-if)#int s0/0.1 point-to-point
R1(config-subif)#ip address 192.168.100.2 255.255.255.252
R1(config-subif)#do show frame-relay pvc statistics | map
R1(config-subif)#frame-relay interface-dlci 202    this would be
R1(config-fr-dlci)#^Z
R1#show frame-relay map
Serial0(up): ip 200.1.1.12 dlci 122, static, broadcast, CISCO, status defined, active
interface, destination IP address, logical DLCI, static | dynamic, CISCO | IETF encapsulation, TCP/IP Header Compression
R1#show frame-relay pvc
R1#show frame-relay lmi
R1#debug frame-relay lmi    DTE down

OSPF over Frame-Relay in Packet Tracer doesn't work. Neighbor relationships don't come up because ip ospf network type NBMA (Non-Broadcast Multi-Access) isn't an option. neighbor ip-address [priority number] [poll-interval seconds] needs to be statically configured for NBMA (not available in Packet Tracer).

Debug

R0#show ip ospf neighbor    statically set in NBMA
R0#debug ip rip
R0#debug ip eigrp

Network Address Translation (NAT)

Dynamic NAT - DNS server allows two organizations with the same IP addresses to talk to each other
Port Address Translation (PAT) / Overload NAT

R0(config)#access-list 1 remark SDM_ACL Category=2
R0(config)#access-list 1 permit 192.168.1.0 0.0.0.255    remember, ACLs use wild cards

Inside Outside

Local

R0(config)#int FastEthernet 0/1
R0(config-if)#ip address 192.168.2.1    DHCP server default gateway
R0(config-if)#ip nat inside
R0(config-if)#no ip route-cache

R0(config)#int FastEthernet 0/0
R0(config-if)#ip address dhcp    when connecting to cable modem
R0(config-if)#ip nat outside
R0(config-if)#no ip route-cache
R0(config-if)#no cdp enable

Global
The address of the internet facing interface ↑ + → the IP address of the web browser connected to over the internet

R0(config)#ip nat inside source list 1 int FastEthernet 0/0 overload    overload means translate > 1 host using PAT
R0#ip route 0.0.0.0 0.0.0.0 66.108.112.1    next hop address from ISP
R0#show ip nat translations

Static NAT

Used to connect directly to an inside server (web, e-mail, ftp) from the outside of your network
R0(config-if)#ip nat inside source static 192.168.1.1 12.150.146.100

Cone NAT - fixes potential address and port discovery transversal issues
R0#ip nat pool net-208 171.69.233.208 171.69.233.223 netmask 255.255.255.240    netmask checks range specified within subnet range (prefix-length 28)
ip nat inside source list 1 pool net-208

Do not buy a Cisco 851W for CCNA labs. VLANs aren't available on the Cisco 851W wireless router. The 871 does support VLANs. No OSPF or EIGRP either —just RIP (really only needed for SOHO)

Access Control Lists (ACL) Standard, Extended, Named, Wild Card Masks

ACL → R0(config)#access-list implicit deny all @ end of list - place deny as close to out i/f towards destination

Wild Cards 1 = wild (don't care) = 255.255.255.255 - subnet mask
Standard - Permit or Deny based on Source Address only IP: [1-99], [1300-1999]

Place closest to source — applied before the routing engine processes them.
R0(config)#access-list 1 deny 192.58.5.100    + optional wild card 0.0.0.0 all 0s = 1 host only
R0(config)#access-list 1 deny host 192.58.5.100    no wild card for single host
R0(config)#access-list remark THIS IS INITIAL STANDARD ACL (not extended, CBAC)    like “description”
R0(config)#access-list 1 permit 192.58.1.0 0.0.0.255
R0(config)#access-list 1 permit any    or 0.0.0.0 255.255.255.255
R0#show access-lists
R0(config)#int fa0/0
R0(config-if)#description This interface connects to ... because
R0(config-if)#ip access-group 1 in    only allow 192.58.1.??? except .100 through into fa0/0
R0(config-if)#no ip access-group 1 in    turn off access list on fa0/0
R0(config)#line vty 0 4    limit telnet logons to specific ip addresses
R0(config-line)#access-class 1 in    choose in 99.99%, using out causes problems
R0(config-line)#no ip access-class 1 in    turn off the access-class on telnet
R0#show access-list    shows counter match
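Added example (not part of the original notes): a small evaluator for the standard ACL 1 entries above, showing wildcard matching (1 bits = don't care), first-match order, the implicit deny at the end of the list, and a check for entries that can never match because an earlier entry already covers them. The function names and the sample source addresses are constructed for illustration.

```python
import ipaddress


def _u32(dotted):
    return int(ipaddress.IPv4Address(dotted))


def wildcard_from_mask(mask):
    """Invert a subnet mask into a wildcard mask: 255.255.255.0 -> 0.0.0.255."""
    return str(ipaddress.IPv4Address(~_u32(mask) & 0xFFFFFFFF))


def parse_ace(line):
    """Parse 'access-list N permit|deny (any | host A | A [W])'."""
    tok = line.split()
    if len(tok) < 4 or tok[0] != "access-list" or tok[2] not in ("permit", "deny"):
        raise ValueError(f"unsupported ACE: {line!r}")
    action, rest = tok[2], tok[3:]
    if rest[0] == "any":
        base, wild = "0.0.0.0", "255.255.255.255"
    elif rest[0] == "host":
        base, wild = rest[1], "0.0.0.0"
    else:
        # a bare address with no wildcard means 0.0.0.0 (one host only)
        base, wild = rest[0], (rest[1] if len(rest) > 1 else "0.0.0.0")
    return action, _u32(base), _u32(wild)


def matches(src, base, wild):
    """Compare only the bits where the wildcard mask is 0."""
    care = ~wild & 0xFFFFFFFF
    return (_u32(src) & care) == (base & care)


def evaluate(acl, src):
    """Return (action, matching line number); first match wins."""
    for seq, line in enumerate(acl, 1):
        action, base, wild = parse_ace(line)
        if matches(src, base, wild):
            return action, seq
    return "deny", None  # implicit deny all at the end of every list


def shadowed(acl):
    """Return (later, earlier) line pairs where the later entry can never match."""
    aces = [parse_ace(line) for line in acl]
    found = []
    for j, (_, base_j, wild_j) in enumerate(aces):
        for i, (_, base_i, wild_i) in enumerate(aces[:j]):
            care_i = ~wild_i & 0xFFFFFFFF
            # earlier entry covers the later one if it cares about no bit the
            # later one leaves free, and both agree on the bits it cares about
            if (wild_j & care_i) == 0 and (base_i & care_i) == (base_j & care_i):
                found.append((j + 1, i + 1))
                break
    return found


# The standard ACL from the notes above
ACL_1 = [
    "access-list 1 deny host 192.58.5.100",
    "access-list 1 permit 192.58.1.0 0.0.0.255",
    "access-list 1 permit any",
]

if __name__ == "__main__":
    for src in ("192.58.5.100", "192.58.1.77", "10.9.9.9"):  # constructed sources
        print(src, evaluate(ACL_1, src))
    print("without 'permit any':", evaluate(ACL_1[:2], "10.9.9.9"))
    print("misordered list:", shadowed([ACL_1[2], ACL_1[0]]))
```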

Extended - protocol, source & destination ip addresses and ports IP: [100-199], [2000-2069]
access-list <100-199> <permit | deny> <ip | tcp | udp | icmp> <source> <w/c mask> <eq | gt | lt | any> <port | application> <destination ip> <destination port>
R0(config)#access-list 10 permit ip any any    allow everything through
R0(config-if)#ip access-group 10 in    only one access-list per interface in
R0(config-if)#ip access-group 10 out    only one access-list per interface out
R0(config)#ip access-list extended DENY_HOSTA    create a named access control list


Network Equipment & Software Manufacturers

acquired by HP in 2010

HQ Ontario, Bought enterprise VoIP division of Ericsson

HQ in France w/ ops in 130+ countries

HQ in Beitou District, Taipei, Taiwan, makes the 802.11b/g/n with print server & USB hard drive interface, 1/3 of PCs sold worldwide have their motherboard

formerly Lucent Business Comms in 2000

is a fabless chip maker for the iPhone, Wii, …

Silicon Valley maker of 10 million Silkworm SAN Fibre Channel switch ports & Bloom directors

Taiwanese, 127 sales offices in 64 countries, captured 33% of SOHO SMB Wi-Fi market worldwide

Dell

HQ in Seattle, Big IP load balancing & application delivery for Citrix & VMWare

FORE Systems, maker of ATM, acquired by GEC/Marconi, now owned by

acquired by Brocade Communications in 2008, maker of __Iron high end enterprise & service provider equip.

ProCurve switches (ProVision & Comware 5 ~IOSes), TippingPoint Security Appliances,

华为技术有限公司 HQ Guangdong, largest Chinese electronics Co.

acquisition 2003, WRT54G router Linux 4mb or 2mb running microsoft VxWorks

HQ in Yeouido, Seoul, South Korea. 75 subsidiaries worldwide for televisions, home appliances, and telecommunications devices including NAS. Owns Zenith.

Microsoft Lync Unified Office Communications Server

33% U.S. & ½ UK market, ReadyNAS for home & enterprise, ProSafe Switches, Security Appliances, NeoTV

, HQ in Ontario, Canada, was divided up and sold in 2009 to Ericsson, Avaya, Hitachi, & LG

R0(config-ext-nacl)#<seq #> permit ip any host 4.2.2.2    don't have to type access-list in the NACL mode, and can edit/modify using the sequence number from do show access-list

Established / Reflexive - permit back in based on the request that went out. If no initial session don't let in.
R0(config)#ip access-list extended DEMO_ESTABLISHED    to get into reflexive use NACL
R0(config-ext-nacl)#<seq #> permit ip any any established    same as others, but with established

Dynamic - i.e., create a permit in an access list for 30-minutes then deny
Time based - CCNP
Context-based Access Control (CBAC) / IOS Firewall - CCSP: inspect packets like a PIX or ASA

Network Modules for 3640
NM-2FE2W EOS 2003, EOL 2008 $75.00 +
NM-4A/S ($52) or NM-8A/S ($65) asynchronous terminal server
NM-4T serial synchronous --use to emulate Frame Relay instead of a separate 5220 or 5222 router
WIC

VoIP

1. CME - Call Manager Express
2.
3.

IP Header

4 8 16 32 bits

Ver. IHL Type of service Total length

Identification Flags Fragment offset


Time to live Protocol Header checksum

Source address

Destination address

Option + Padding

Data <Segments to/from Network Layer>

IP header structure

Subnetted Loopbacks

851w#show ip interface brief | include L    !just list Loopbacks
Loopback0    10.0.0.1      YES manual up up
Loopback1    10.0.0.129    YES manual up up
Loopback2    10.1.0.1      YES manual up up
Loopback3    10.2.0.1      YES manual up up
Loopback4    10.3.0.1      YES manual up up
Loopback5    10.1.128.1    YES manual up up
Loopback6    10.4.0.1      YES manual up up
Loopback7    10.4.0.5      YES manual up up
Loopback8    10.4.0.254    YES manual up up
Loopback9    10.4.1.253    YES manual up up
851w#show ip route | include 10
     10.0.0.0/8 is variably subnetted, 10 subnets, 4 masks
C    10.2.0.0/16 is directly connected, Loopback3
C    10.3.0.0/17 is directly connected, Loopback4
C    10.4.0.4/30 is directly connected, Loopback7
C    10.0.0.0/25 is directly connected, Loopback0
C    10.1.0.0/17 is directly connected, Loopback2
C    10.4.0.0/30 is directly connected, Loopback6
C    10.0.0.128/25 is directly connected, Loopback1
C    10.1.128.0/17 is directly connected, Loopback5
C    10.4.0.252/30 is directly connected, Loopback8
C    10.4.1.252/30 is directly connected, Loopback9

IPv6

Router(config)#ipv6 unicast-routing    Tell router to use IPv6
Router(config)#ipv6 cef    Cisco Express Forwarding - route quicker
Router(config)#interface int fa0/1    each i/f gets an ipv6 address too, just like IPv4

Router(config-if)#ipv6 address enable    automatically create Link-local address - less DHCP needed! However, no global unicast address is configured
Router(config-if)#ipv6 address 2001:0410:0:1::/64 eui-64    create aggregatable Global Unicast IPv6 address based on MAC address of interface
Router(config-if)#ipv6 rip RIP enable    use the RIPng routing protocol, advertise this network without using the old version 2 network command. RIP is the router process name or tag

Router(config)#ipv6 router rip RIP    RIP is the router process name or tag; once RIP is enabled on an interface it's enabled for the router, so this command is kind of redundant.

Router(config-rtr)#maximum-paths 3
Router#show ipv6 int fa0/1    similar to show ip int fa0/1
Router#ping ipv6 2001:~~    ping port configured with IPv6 address

R2651#show ipv6 interfaces brief
FastEthernet0/0 [up/up]
    FE80::209:B7FF:FEE7:3540
FastEthernet0/1 [up/up]
    FE80::209:B7FF:FEE7:3541

R2651#show ipv6 route
IPv6 Routing Table - 2 entries
Codes: C - Connected, L - Local, S - Static, R - RIP, B - BGP
       I1 - ISIS L1, I2 - ISIS L2, IA - ISIS interarea
Timers: Uptime/Expires

L   FE80::/10 [0/0]
     via ::, Null0, 01:17:29/never
L   FF00::/8 [0/0]
     via ::, Null0, 01:17:29/never

C:\Windows\system32>ipconfig

Ethernet adapter LAN_Wired:

   Connection-specific DNS Suffix . : JulesBartow.com
   Link-local IPv6 Address . . . . . : fe80::44e2:f3b2:9361:427e%10    <include the PC's zone ID
   IPv4 Address. . . . . . . . . . . : 192.168.2.27
   Subnet Mask . . . . . . . . . . . : 255.255.255.192
   Default Gateway . . . . . . . . . : fe80::209:b7ff:fee7:3541%10
                                       192.168.2.1

C:\Windows\system32>ping fe80::209:b7ff:fee7:3541%10...


Reply from fe80::209:b7ff:fee7:3541%10: time<1ms

Ping statistics for fe80::209:b7ff:fee7:3541%10: → include the zone when on a PC

Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),

IPv6 offers two kinds of local addresses: link-local and unique-local. Site-local was deprecated in 2004. Unique-local addresses allow devices in the same organization, or site, to exchange data. Unique-local addresses (fe80:) are IPv6's equivalent to RFC 1918 IPv4's private address classes (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) since hosts using them are able to communicate with each other throughout the organization, but these addresses cannot be used to reach Internet hosts.

EUI-64 = 48-bit MAC address to 64-bit IPv6
1234-56-78-9A-BC
split MAC down middle 3-bytes← →3-bytes, insert FFFE, & flip 7th bit: 1034:56FF:FE78:9ABC

ID IPv6 addresses by their initial bits:

Init Hex    Initial Bits    Leading 0 Compression    Global Address    Full Hex

00:00    0000 0000 : 0000 0000 :    ::192.168.0.1    IPv4-compatible    First 96 bits set to 0

00:00    0000 0000 : 0000 0000 :    ::1    Loopback equivalent of 127.0.0.1    0000:0000:0000:0000:0000:0000:0000:0001

3FFF:FFFF::/32    0011 1111 : 1111 1111 :    Examples/Documentation    3FFF:FFFF:____:____:____:____:____:____

FF:00/8    1111 1111 : 0000 0000 :    Multicast

FC:00/7    1111 1110 : 0000 0000 :    Unique Local    FC:00/8 and FD:00/8

FE:C0/10    1111 1110 : 1100 0000 :    Site Local

FE:80/10    1111 1110 : 1000 0000 :    FE80, FE90, FEA0, FEB0    Link Local - for use during auto-configuration and for when no routers are present.    private, not routable on internet

20:00/3    0010 0000 : 0000 0000 : 0000 : 0000 : 0000 : 0001    Global Unicast    20:00:00:00:00:00:00:00    3FFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF/128

2002:/16    0010 0000 : 0000 0010 :    2002:    6to4, which is different than 6in4, transmits IPv6 packets over IPv4 using a special anycast address (RFC3068) 192.88.99.1 = 2002:C058:6301::/128 (really 2002:/16 + IP→Hex/32 & a bunch (80) of 0s) to nearest Relay Router, protocol 41.    Tunnel2002: IPv6

interface Tunnel2002
 description 6to4 tunnel to 6bone ISP
 no ip address
 no ip redirects
 ipv6 address 2002:C0A8:6301::1/128
 tunnel source ethernet0
 tunnel mode ipv6ip 6to4

ipv6 route 2002::/16 Tunnel2002
ipv6 route ::/0 2002:C0A8:2101::1

::/96 + ::ffff::0/96    0010 0000 : 0000 0010 :    20:2:    IPv4 compatibility

2001::/32    0010 0001 : 0000 0000 : 0000 0000 :    20:2:    Teredo tunnel

FF::/8    1111 1111 : :    FF:    MultiCast

FF02: link-local multicast    1111 1111 0000 0010 /10    ff02::2 ICMPv6 Router Solicitation sent to all-router multicast group
FF05: site-local multicast    1111 1111 0000 0101 /10

001 - Global Unicast address

(first 96 bits set to zero) - IPv4-compatible address

any address that begins with "0000 0000" is an IPv6 reserved address. One of these is the IPv6 loopback address

IP v6 Loopback: 0000:0000:0000:0000:0000:0000:0000:0001

Using Leading Zero Compression Only: 0:0:0:0:0:0:0:1

Combining Leading Zero and Zero Compression: ::1

use all the leading zero compression you want, but zero compression ("double-colon") can only be used once in a single address.

0:0:0:0:0:0:0:0 Equals ::. This is the equivalent of IPv4’s 0.0.0.0, and is typically the source address of a host when you’re using stateful configuration.
0:0:0:0:0:0:0:1 Equals ::1. The equivalent of the loopback address 127.0.0.1 in IPv4.
0:0:0:0:0:0:192.168.100.1 This is how an IPv4 address would be written in a mixed IPv6/IPv4 network environment.
2000::/3 The global unicast address range.
FD00::/7 = FC00::/7 with the "L" 8th bit set to 1 = the Unique-local unicast range.
FE80::/10 The Link-local unicast range.
FF00::/8 The multicast range.
3FFF:FFFF::/32 Reserved for examples and documentation.
2001:0DB8::/32 Also reserved for examples and documentation.
2002:IPv4→Hex:/48 6to4 IPv6, 6to4 is simpler than Teredo, which works with NAT — hosts automatically disable 6to4 if they have a rfc1918 address.


In 6to4, to obtain an IPv6 address the client computer takes its IPv4 address, converts it to hex, and maps it into a /48 subnet in 2002::/16 (e.g. host 144.92.67.161 in dotted decimal notation is converted to hexadecimal and translated to 2002:905c:43a1::).

2002:C058:6301::/128 = 192.88.99.1 = IPv4 globally announced Anycast address of the "nearest" 6to4 Relay-Router, the 6to4 default gateway for encapsulation and decapsulation. IPv4 protocol 41. 6bone test IPv6 network
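Added example (not part of the original notes): the EUI-64 and 6to4 derivations described above carried out in code, plus the reverse step of recovering a MAC address from an EUI-64 address, which is why these addresses identify the hardware to anyone who sees them. The function names are constructed for illustration, and the router MAC 0009.b7e7.3540 is an assumption inferred from the link-local address in the show output above.

```python
import ipaddress
import re


def _mac_bytes(mac):
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC: {mac!r}")
    return bytes.fromhex(digits)


def eui64_interface_id(mac):
    """Split the MAC in the middle, insert FFFE, flip the 7th bit (0x02)."""
    raw = bytearray(_mac_bytes(mac))
    raw[0] ^= 0x02
    eui = bytes(raw[:3]) + b"\xff\xfe" + bytes(raw[3:])
    return ":".join(eui[i:i + 2].hex() for i in range(0, 8, 2))


def eui64_address(prefix, mac):
    """What 'ipv6 address <prefix>/64 eui-64' produces for this MAC."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 needs a /64 prefix")
    iid = int(eui64_interface_id(mac).replace(":", ""), 16)
    return ipaddress.IPv6Address(int(net.network_address) | iid)


def mac_from_eui64(addr):
    """Recover the MAC from an EUI-64 address, or None if it is not EUI-64."""
    low = int(ipaddress.IPv6Address(addr)) & ((1 << 64) - 1)
    eui = low.to_bytes(8, "big")
    if eui[3:5] != b"\xff\xfe":
        return None
    mac = bytes([eui[0] ^ 0x02]) + eui[1:3] + eui[5:]
    return ":".join(f"{b:02x}" for b in mac)


def sixtofour_prefix(ipv4):
    """Map an IPv4 address into its /48 under 2002::/16."""
    v4 = int(ipaddress.IPv4Address(ipv4))
    return ipaddress.IPv6Network(((0x2002 << 112) | (v4 << 80), 48))


# Ranges from the list above; specific ranges come before 2000::/3
RANGES = [
    ("loopback", "::1/128"),
    ("link-local unicast", "fe80::/10"),
    ("unique-local unicast", "fc00::/7"),
    ("multicast", "ff00::/8"),
    ("6to4", "2002::/16"),
    ("documentation", "2001:db8::/32"),
    ("documentation", "3fff:ffff::/32"),
    ("global unicast", "2000::/3"),
]


def classify(addr):
    ip = ipaddress.IPv6Address(addr)
    for name, net in RANGES:
        if ip in ipaddress.IPv6Network(net):
            return name
    return "other"


if __name__ == "__main__":
    print(eui64_interface_id("1234-56-78-9A-BC"))
    print(eui64_address("2001:0410:0:1::/64", "0009.b7e7.3540"))
    print(mac_from_eui64("FE80::209:B7FF:FEE7:3541"))
    print(mac_from_eui64("fe80::44e2:f3b2:9361:427e"))  # the PC: not EUI-64
    print(sixtofour_prefix("144.92.67.161"))
    print(classify("fd00::1"), "/", classify("ff02::9"))
```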

Multicast & Timers

Protocol    Broadcast / Multicast Address    Purpose    Frequency    Metric    Notes

STP
  Purpose: BPDUs
  Frequency: 2-seconds
  Notes: Prevent switching loops by shutting down redundant paths

RIP v1
  Address: 255.255.255.255
  Purpose: Broadcast entire route table
  Frequency: 30-seconds
  Metric: Hop Count max-16
  Notes: Split Horizon & Route Poisoning; default send & (v2 also) receive

All Hosts / Nodes
  Address: 224.0.0.1 169.254.255.255 ff02::1

All Routers
  Address: 224.0.0.2

OSPF
  Address: 224.0.0.5 v2, FF02::5 v3 … .6 for DRs; never travel more than one hop.
  Purpose: Multi-cast Flooding to DRs/BDRs. DR elected based on priority R0(config-if)#ip ospf priority 2 & ties broken by highest up/up I/F #
  Frequency: hello-time 10-seconds multi-cast; hello-time 30-sec NBMA; dead-time - 4x then drop adjacency; link-state refresh time = 30 min (1,800 sec)
  Metric: Cost = ∑(10^8 / bandwidth)
  Notes: Process ID, Area 0 or 0.0.0.0 in IPv4 & 6; Wild card - required; Too fast for split horizon to occur; default i/f priority = 1; Highest Up/Up Loopback = RID; Router Priority = 1 by default, can set to 0

show ip ospf interface serial 0 to display network types: DR (broadcast & non-broadcast) & non-DR (point-to-point and point-to-multipoint)

Neighbor (adjacency = link state tables synchronized) formed by common hello and dead times + stub flag: NOT processID

Hub must be DR (no BDRs) which is the central point for advertising LSAs & requires neighbor statements. Spokes must have R0(config-if)#ip ospf priority 0

RIP v2
  Address: 224.0.0.9
  Purpose: Multi-cast
  Notes: ip rip send version 2; no auto-summary

RIPng
  Address: ff02::9
  Purpose: Multi-cast, UDP Port 521
  Metric: keeps track of the next hop using link-local address, not the global-unicast.
  Notes: no network command in RIPng

EIGRP
  Address: 224.0.0.10, ff02::a
  Purpose: Multi-cast to maintain adjacency
  Frequency: hello-time 2-seconds multi-cast; hello-time 30-second NBMA; dead-time - 4x then drop adjacency
  Metric: (10^7 / Slowest Bandwidth + ∑Delay) * 256
  Notes: Autonomous System #; Wild card - optional; Active State = Recomputing; Feasible Successor (backup routes); No Hierarchical requirement like OSPF. Unlike RIP and OSPF, which cannot be enabled simultaneously, EIGRP and RIP or EIGRP and OSPF can be.

Frame Relay
  DLCI
  LAPF - Link Access Procedure Frame Bearer Services Layer 2 Packet

PPP L2 encapsulation with

Page 18: 4 Transport Host-to-Host TCP SYN SEQ=1, SYN-ACK: SYN

11/6/13 CCNA & IP Networking Overview

julesbartow.com/CCNA/_CCNA.htm 18/29

Terminal Server or Access Server - reverse Telnet

Router with Asynchronous interfaces (2509 or 2511) or NM-16A or NM-32A

installed in a 2610, 2611, 2612, and 2613 + Octal cable(s) Plug (flat blue Cisco) rollover cable from PC into console port of 2509. Plug octal cablesinto console ports of other devicesCtrl-Shift-6 then X to return to original session or Enter to go back to previous session. R2509#show sessions list the reverse telnet connections alias exec ss show sessions R2509#disconnect 3 end session 3 R2509#show line list all "lines" (CTY [console], TTY [Terminal Controller], Aux, and VTY [Virtual Terminal telnet/ssh]), R2509#clear line 1 repeat for line 2, 3, ... in case you can't use itR2509(config)#interface loopback0R2509(config-if)#ip address 172.21.1.1 255.255.255.255

R2509#show hosts

ip host S2950-1 2001 172.21.1.1ip host R3640 2002 172.21.1.1ip host R3640FR 2003 172.21.1.1ip host R3660 2004 172.21.1.1ip host S2950-2 2005 172.21.1.1ip host 851w 2006 172.21.1.1!ip host R36 2007 172.21.1.1!ip host R1 2008 172.21.1.1

R2509(config)#line 1 8 9 16 for 16 octal cableR2509(config-line)#no exec prevent rogue exec sessions (don't forget to put this in!!)R2509(config-line)#transport input all Ctrl-Z

R2509(config)#alias exec h show hosts like ss to see the line connection numbers, just type h to list the hostsR2509#S2950-1 telnet to the host S2950-1 on telnet port 2001

Cisco Aironet 350 Access Point - 802.11b 2.4GHz Cisco 851W wireless ISR / switch: The Cisco 800 Series ISRs provide HTML GUI access and configuration for the wireless device. First, establish awireless configuration session to the access wireless device, and then you can access the HTML GUI through a browser using the IP address of the BVIinterface 10.. This HTML GUI is based on Cisco Aironet 1250 Access Point's GUI and reflects the same features and functionality except:Repeater mode is not supported, therefore 'Repeater' has been removed from the GUI.

802.11a 802.11b 802.11g 802.11n

5 GHz 2.4 GHz uwave ovens & cordless phones 2.4 GHz b/wards compat w/ .b

54 Mbps 11 Mbps 54 Mbps

1.authentication 2.encryption 3.call-back 4.compression 5.Multi-LinkLoad balancing

HDLC Default L2 encapsulation on serialI/Fs

BGP pass routinginformationbetweenautonomoussystems

MPLS

GRE

Teredo

IS-IS 224.0.0.19 - 21 Popular Link state protocol with ISPsin BSCI(CCNP), not CCNA

Route SourceDefault Administrative

Distance

Connected interface 0

Static route 1

Enhanced Interior Gateway Routing Protocol (EIGRP)summary route

5

External Border Gateway Protocol (BGP) 20

Internal EIGRP 90

IGRP 100

OSPF 110

Intermediate System-to-Intermediate System (IS-IS) 115

Routing Information Protocol (RIP) 120

Exterior Gateway Protocol (EGP) 140

On Demand Routing (ODR) 160

External EIGRP 170

Internal BGP 200

Unknown* 255

Page 19: 4 Transport Host-to-Host TCP SYN SEQ=1, SYN-ACK: SYN

11/6/13 CCNA & IP Networking Overview

julesbartow.com/CCNA/_CCNA.htm 19/29

Orthogonal Frequency Division Multiplexing (OFDM) DSSS OFDM

~2000 1999 2003

12 separate, non-overlapping channels three non-overlapping channels (1,6,11)

100-feet longer range @ lower rate

Wireless Security

WEP - Wired Equivalent Privacy
WPA - Wi-Fi Protected Access
WPA2 - Wi-Fi Protected Access 2, IEEE 802.11i [uses Advanced Encryption Standard (AES)] & Extensible Authentication Protocol (EAP), 802.1x for Port-based Network Access Control (PNAC)
MS CHAP -

Layer-3 InterVLAN Switches

Cisco 4006 Switch - Supervisor II & Cisco WS-X4232-L3 4000 Series L3 Gigabit Routing Module or Cisco 4006 with Supervisor 3/4 does Layer 3 routing inherently

Catalyst 3550-24 and 3550-48 switches are available with a Layer 2–only Standard Multilayer Image (SMI) IOS or with a Layer 3–switching Enhanced Multilayer Image (EMI) IOS

S3550(config)#ip routing - to determine if the IOS in the switch supports Layer 3 commands. If no error then you can use the switch instead of adding a router in a Router-on-a-Stick for interVLAN switching
S3550(config)#ip default-gateway - don't use because ip routing was enabled
End device should set default-gateway to the 3550
S3550(config)#do show vlan - see what VLANs are on the switch
S3550(config)#do vlan database - to add VLANs to the switch if they're missing (not set by VTP)
S3550(vlan)#vlan 2 - create a new VLAN
S3550(config)#int vlan 2
S3550(config-if)#ip address 10.1.2.1 255.255.255.0 - set each VLAN interface on the switch
S3550(config)#int S0/0
S3550(config-if)#no switchport - make the interface Layer-3 compatible
S3550(config-if)#ip address 200.1.1.1 255.255.255.0

Switching

Three-Layered Hierarchical Model
Core
Distribution
Access - to PCs

Spanning Tree Protocol 802.1d (Later 802.1T)

Initial Three Steps:

1. Elect a root switch
   a. Lowest bridge ID wins
      i. Original BPDU included 2-byte priority + MAC address (used as tiebreaker)
      ii. Revised BPDU includes 4-bit priority + system ID comprising VLAN ID + MAC address
2. Determine each non-root switch's root port
   a. This is the port with the least cost to the root switch
3. Determine the designated port for each LAN segment
   a. This is determined by the least cost hello

Step 1.

1. All switches send STP hello BPDU claiming to be root
   a. Default priority is 32768
2. When a switch receives a superior hello (lower ID) it stops sending on that interface and relays the superior BPDU on

Step 2.

1. The root switch sends a hello every 2 seconds (default)
2. Each switch receives and
   a. Changes the cost
   b. Changes the forwarding switch ID
   c. Changes the forwarder's port priority
   d. Changes the forwarder's port number (ID)
   e. Forwards the hello
3. Hellos aren't sent out of ports that don't leave the blocking state (stabilized in blocking - see step 1)
4. Least cost to the root switch = RP
   a. Tiebreak decided by
      i. Lowest switch ID (switch level decision)
      ii. Lowest neighbour port priority, default is 128 (port level decision)
      iii. Lowest neighbour port number (port level decision)

| Speed | Default cost (old) |
|---|---|
| 10Mbps | 100 (100) |
| 100Mbps | 19 (10) |
| 1Gbps | 4 (1) |
| 10Gbps | 2 (1) |

Step 3.

1. Switches send hellos onto segment, the lowest 'advertised' cost elects the DP
2. Inferior hellos cease
3. Tiebreak decided the same as RP

Any port that isn't RP or DP stabilizes in the blocking state

STP Re-Convergence

Normal operation:


1. Root switch continues to send hello BPDUs regularly (2 secs default)
2. Non-root switches receive the root's BPDUs on their RP
3. Hello BPDUs are updated and forwarded out of local DPs by switches
4. Blocking ports on segments continue to receive the BPDU sourced from a segment's DP

Something changes:

1. SW2 no longer sees BPDUs on its RP
2. SW2 isn't receiving any other BPDUs so it begins a new root election by claiming to be root and floods hellos out of every port
3. SW4 receives the BPDU implying that SW2 is now the root
   a. Because SW2 is sending them its RP stays the same for now
   b. It forwards the BPDU to SW3 (after updating)
4. SW3 receives the hello but it is inferior to the one it's still receiving from SW1
   a. SW3's port then becomes DP because its BPDUs are superior
      i. The superior BPDU is then forwarded down the 'tree' to SW4 and then SW2

BPDUs

1. Configuration BPDU (CBPDU)
   a. Used for computation
   b. Used for hellos except when TCN is sent
      i. TCA is simply a change in the 'type' byte
2. Topology Change Notification (TCN BPDU)
   a. Announces changes
      i. TCN sent by switch experiencing port change out RP to root switch every hello time until TCA
      ii. Neighbour switch sends back TCA (hello with bit change)
      iii. Neighbour switch forwards the TCN out its own RP towards DP on neighbour's neighbour and waits for TCA
         1. This repeats until root is reached
      iv. When the root receives the TCN it sends the next 'few' hellos with the TCA bit changed
         1. All switches should then receive the notification
   b. Topology change notification acknowledgements (TCA) are a response to this (bit change)

The TCA bit change tells switches to time out their Content Addressable Memory (CAM) entries (using forward delay time, default is 15 secs). This makes sure invalid MAC address entries are flushed and re-learned on the correct port.

A switch sends a BPDU using the unique MAC address of the port itself as a source address, and a destination address of the STP multicast address 01:80:C2:00:00:00

Format:

| 2 | 1 | 1 | 1 | 8 | 4 | 8 | 2 | 2 | 2 | 2 | 2 |
|---|---|---|---|---|---|---|---|---|---|---|---|
| Protocol ID | Version | Type | Flags | Root ID | Root Path Cost | Sender Bridge ID | Sender Port ID | Message Age | Max Age | Hello Time | Forward Delay |

Protocol ID: Always 0
Version: Always 0
Type: CBPDU = 1, TCN BPDU = 2 (see above)
Flags: TCN flags
Port ID: 1/1 = 0x8001, 1/2 = 0x8002......
Forward Delay: Time spent in listening and learning states
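The BPDU layout above and the "superior hello" comparison from the root election steps, as an added Python example (not from the original notes). It parses the 35-byte configuration BPDU body, splits the revised bridge ID into priority, VLAN and MAC, and reports when a BPDU arriving on an edge port would displace the current root. The 1/256-second timer unit is the 802.1D encoding; the helper names, MAC addresses and sample BPDUs are constructed for illustration.

```python
import struct
from dataclasses import dataclass

# Field widths from the format table: 2 1 1 1 8 4 8 2 2 2 2 2 (big-endian).
BPDU_FORMAT = ">HBBB8sI8sHHHHH"
BPDU_LENGTH = struct.calcsize(BPDU_FORMAT)  # 35 bytes


@dataclass(frozen=True)
class BridgeId:
    raw: bytes  # the 8 bytes exactly as carried in the BPDU

    @property
    def priority(self):
        # Revised layout: the top 4 bits are the priority (steps of 4096).
        return int.from_bytes(self.raw[:2], "big") & 0xF000

    @property
    def vlan(self):
        return int.from_bytes(self.raw[:2], "big") & 0x0FFF

    @property
    def mac(self):
        return ":".join(f"{b:02x}" for b in self.raw[2:])


@dataclass(frozen=True)
class ConfigBpdu:
    protocol_id: int
    version: int
    bpdu_type: int
    flags: int
    root: BridgeId
    root_path_cost: int
    sender: BridgeId
    port_id: int
    message_age: float
    max_age: float
    hello_time: float
    forward_delay: float

    def priority_vector(self):
        # Lower wins: root ID, cost to root, sender bridge ID, sender port ID.
        return (self.root.raw, self.root_path_cost, self.sender.raw, self.port_id)


def parse_bpdu(payload):
    if len(payload) < BPDU_LENGTH:
        raise ValueError(f"BPDU body needs {BPDU_LENGTH} bytes, got {len(payload)}")
    (pid, ver, typ, flags, root, cost, sender, port,
     msg_age, max_age, hello, fwd) = struct.unpack(BPDU_FORMAT, payload[:BPDU_LENGTH])
    # The four timers are carried in units of 1/256 second.
    return ConfigBpdu(pid, ver, typ, flags, BridgeId(root), cost, BridgeId(sender),
                      port, msg_age / 256, max_age / 256, hello / 256, fwd / 256)


def is_superior(candidate, current):
    return candidate.priority_vector() < current.priority_vector()


def edge_port_findings(received, current_root):
    """Findings for a BPDU seen on a port that should only face end devices."""
    findings = ["BPDU received on an edge port"]
    if is_superior(received, current_root):
        findings.append(
            f"superior BPDU: root would move from {current_root.root.mac} "
            f"to {received.root.mac} (priority {received.root.priority})")
    return findings


def build_bpdu(priority, vlan, mac, cost=0, port_id=0x8001):
    """Build a constructed BPDU in which the sender claims to be root."""
    bridge = struct.pack(">H", priority | vlan) + bytes.fromhex(mac.replace(":", ""))
    return struct.pack(BPDU_FORMAT, 0, 0, 0, 0, bridge, cost, bridge, port_id,
                       0, 20 * 256, 2 * 256, 15 * 256)


# Constructed samples: the known root (default priority) and an unexpected sender.
KNOWN_ROOT = parse_bpdu(build_bpdu(32768, 1, "00:11:22:33:44:55"))
UNEXPECTED = parse_bpdu(build_bpdu(4096, 1, "02:00:00:00:00:01"))

if __name__ == "__main__":
    for line in edge_port_findings(UNEXPECTED, KNOWN_ROOT):
        print(line)
```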

STP Timers

| Name | What it does | Configuration |
|---|---|---|
| Hello | Time between each BPDU sent on a port. Default is 2 seconds, can be 1 to 10 secs. | spanning-tree vlan 'no.' hello-time 'secs' |
| Forward Delay | Used for 'listening' and 'learning' states. Used for short CAM timeout. Default is 15 secs, can be 4 to 30 secs. | spanning-tree vlan 'no.' forward-time 'secs' |
| Max Age | Max length of time before port CBPDU is saved and neighbour is presumed 'dead'. Default is 20 secs, can be 6 to 40 secs | spanning-tree vlan 'no.' max-age 'secs' |
| Message Age | Time since BPDU was sent by root switch. Increments by one so gives distance. Deducted from max age time. | |

Blocking to forwarding

If a port was not a DP or RP (blocking) and needs to transition to DP or RP, it goes into the 'listening' state first for the forward delay time. After the forward delay timer has run down it moves into the 'learning' state for the forward delay time. It then moves into the 'forwarding' state.

Full process using default timer values =

Max-age time of 20 secs to realise neighbour is 'dead' +

15 secs listening forward delay time +

15 secs learning forward delay time

20 + 15 + 15 = 50 Seconds

Forwarding to blocking is instant.

STP States

| State | Forwards? | Learns? | Stable? | Extra info |
|---|---|---|---|---|
| Blocking | No | No | Yes | If blocking ports were forwarding it would cause a loop. No data or BPDUs are sent. BPDUs are still received. |
| Listening | No | No | No | Starts to process BPDUs and waits for notification to return to blocking state |
| Learning | No | Yes | No | Starts to learn MAC locations and puts them in the CAM |
| Forwarding | Yes | Yes | Yes | Forwards data and BPDUs. Also waits for notification to return to blocking state |


Rapid Spanning Tree Protocol (802.1w – now part of 802.1D-2004)

Overview
- 3 missed hellos = reaction (not max-age time)
- New states
  - ‘Discarding’ (‘blocking’)
  - Transitions straight to ‘learning’ (no ‘listening’)
    - Listening isn’t needed because of active querying of neighbours
- Portfast, Uplinkfast, and Backbonefast standardized
- New backup DP feature (same shared segment)
- TCs are now flooded by all switches via DPs and RPs
  - Not to root switch first
- Undefined 802.1d bits used
  - e.g. Hello option equivalent to RLQ BPDU

Port Categorization

| Link type | Description | Configuration |
|---|---|---|
| Point-to-point | Switch to switch. Automatic when FDX + hellos. | spanning-tree link-type point-to-point |
| Shared | Switch to hub (are other switches reachable?) | spanning-tree link-type shared |
| Edge | Switch to end-user device. If BPDU is received fallback to normal STP rules. | spanning-tree portfast |

Note to self – Two switches connected together (link-type point-to-point) → one switch stops receiving hellos from the other → how long does it take to move the port into DP state? → 3 x Hello time (configured at root) + learning state forward delay time (configured at root) → Default = 21 secs

Port Roles:

| Role | Description |
|---|---|
| Root port | Closest port to root (based on best BPDU) |
| Designated port | Sends best BPDU onto segment |
| Alternate port | Alternate path to root (equivalent of uplinkfast) |
| Backup port | Backup DP (same switch & same segment) |

Configuration

To enable (should be on all switches if possible):

spanning-tree mode rapid-pvst

Majority of commands the same as Cisco PVST+

New BPDU Format

(type 2, version 2 – no legacy device support) – ‘Flags’ Byte

0 1 2 3 4 5 6 7

0. Topology Change
1. Proposal
2. Port role
   a. First bit
3. Port role
   a. Second bit
      i. 00 = Unknown
      ii. 01 = Alternative/Backup
      iii. 10 = Root
      iv. 11 = Designated
4. Learning
5. Forwarding
6. Agreement
7. Topology Change Ack

BPDU Handling
- BPDU sent every hello by all switches
  - Not just when received/relayed
- BPDU ‘keepalives’ (x 3 miss) are used for backbonefast equivalent
  - If a switch receives an ‘I am the new root’ from a neighbour that has lost its hellos on RP and the local switch can still see them on its RP it will tell the neighbour that it can still see the root
    - No election
    - Forwarding straight away for neighbour on previously blocked interface

Cisco's Comprehensive Tutorial RSTP: Rapid Spanning Tree (802.1w) and MST (802.1s) in Campus Networks

OSPF: ProcessID & Areas (ABRs), DRs, Bandwidth

Hierarchical Design - contiguous sub-nets within the same area to summarize routes

OSPF Router Types

1. Internal (< 50 routers per area recommended by Cisco), each with same route
2. Backbone (Core Area 0.0.0.0) - at least one I/F in Area 0 (note: area ID = 32 bits, but not an IP address)
   ABR - Area Border Router (beefier) - does route summarization between areas
      does route summarization between Area 0 and other internal Areas
   ASBR - Autonomous System Border Router
      does route summarization between Area 0 and external network
      manual route re-distribution from another routing protocol
      R0(config-router)#default-information originate - publish default route to the internet to all other OSPF routers


creates O*E2 (OSPF external type 2) route (CCNP topic) on ASBR - requires NAT to reach internet

Each router has same topology table, but different route table (like EIGRP)
Hierarchical design uses multiple areas that all connect to Area 0 backbone

Neighbor Relationships - Hello Messages
Routers become neighbors as soon as they see themselves listed in the neighbor's Hello packet.
- Area-ID, & subnet
- Authentication
- hello-interval & dead-interval
- Stub area flags

Designated Router (DR) & backup DR (BDR) Election
- Highest priority: 1 by default, set using R0(config-if)#ip ospf priority 2
- DROTHER ~ priority = 0
- Ties based on highest up/up interface

Adjacency - Routers have exact same link-state database. States: Down, Attempt, Init, Two-way, Exstart, Exchange, Loading, Full

R0#show ip ospf interface serial 0 - check to make sure interface is in correct area.

Frequency
- Broadcast Point-to-Point: 10 seconds
- NBMA - Non-Broadcast Multi-Access: 30 seconds

Content

Router ID
1. R0(config-router)#router-id 192.168.0.1 (dotted.decimal 32-bit number)
2. else Highest Up/Up Loopback Address
3. else Highest Up/Up interface IP Address

Timers
- Hello: Keepalive & elect DR on multi-access segments
  R0(config-if)#ip ospf hello-interval seconds
- Dead: time interval router's Hello packets have not been seen before neighbors declare the OSPF router down
  R0(config-if)#ip ospf dead-interval seconds

Area ID
R0(config-router)#area 1 range 128.1.0.0 255.255.0.0 - turn inter-area route summarization on for area advertisements. Don't let subnet overlap other area's subnets.
R0(config-router)#summary-address 128.2.0.0 255.255.0.0 - use on ASBR
R0(config-router)#area 1 stub [no-summary] - only use intra-area routes (O). Don't read external (O E2) or inter-area routes (O IA) into this area. Routing w/in the area entirely using a “default route”
R0(config-if)#ip ospf cost value - force different cost than the default 100,000,000/bandwidth

Authentication Password & MD-5
R0(config-router)#area 0 authentication
R0(config-if)#ip ospf authentication-key mypassword < lame, easy to sniff
R0(config-router)#area area-id authentication message-digest (used under “router ospf <process-id>”)
R0(config-if)#ip ospf message-digest-key keyid md5 key (used under the interface)

R0(config)#router ospf 1 - turn on OSPF routing with Process ID = 1 - no "area" turning OSPF on
R0(config-router)#log-adjacency-changes
R0(config-router)#network 192.168.2.1 0.0.7.255 area 0 - turn on advertising host/sub-net & sending Hello packets - no process #; do set area in network command


R1(config-router)#network 0.0.0.0 255.255.255.255 area 0 - match all interfaces
R2(config-router)#area 1 range 172.30.0.0 255.255.248.0 - /21; use the subnet mask, NOT wildcard mask for range
R2(config-router)#neighbor ip-address [priority number] [poll-interval seconds] - needed for NBMA. Unlike point-to-point where adjacencies always formed without DR or BDR. Can use sub-interfaces (> 1 subnet vs. cloud of one subnet) to make cloud appear as P2P
R2(config-if)#ip ospf network broadcast | non-broadcast | point-to-multipoint - needed for NBMA. Unlike point-to-point where adjacencies always formed without DR or BDR. Can use sub-interfaces (> 1 subnet vs. cloud of one subnet) to make cloud appear as P2P
R0#show ip protocols - display Router ID (RID), routing protocol & versions on interfaces, networks being routed, autosummarization, variance (load balancing)
R0#show ip route - O means intra-area route & IA means OSPF inter-area route
R0#debug ip ospf - list Router ID
R0#show ip ospf neighbor | database - list router IDs; | interfaces - view timers

HQ#show ip ospf interface
FastEthernet0/0 is up, line protocol is up
  Internet address is 128.0.6.142/28, Area 0
  Process ID 1, Router ID 1.1.0.1, Network Type BROADCAST, Cost: 1
  Transmit Delay is 1 sec, State WAITING, Priority 1
  No designated router on this network
  No backup designated router on this network
  Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
    Hello due in 00:00:06

R0#debug ip ospf adj - display the neighbor process - do not spell out adjacency

no routes advertised (metrics = cost), Link State Announcements (LSAs) packaged into LSUs for Dijkstra (SPF) algorithm every 10 seconds by default on broadcast networks & 30 seconds on NBMA
Designated Router (DR) [generates Network LSAs] & Backup Designated Router (BDR) - not needed for serial link point-to-point (P2P) and P2M

R0#show ip ospf adjacency - Neighbor ID, Priority, State, Dead Time, Address, Interface → FULL/DROTHER = device that is NOT a DR or BDR
Multi-Access Segment election to minimize info exchange

R0#clear ip ospf process | reboot the router when router ID is changed

Small Form Factor (SFF) hot Pluggable (SFP) or Mini-GBIC transceivers (LC) and multi-fiber connectors (e.g., MTP) are replacing the traditional SC connectors that plug into an edge-card socket (like GBICs) in order to pack more connectors on the overcrowded faceplate. Coarse wavelength-division multiplexing (CWDM) uses standardized frequencies; Dense (DWDM) multiplexes signals within the 1550nm band. A plain SFF transceiver is soldered to the host board.

Router EIGRP [Autonomous System (no ProcID or Areas)]

Classful by default. Change to classless using no auto-summary
R0#show int s6/0 - don't use ip to see the bandwidth

Serial6/0 is up, line protocol is up (connected)
  Hardware is HD64570
  Internet address is 10.1.6.1/25
  MTU 1500 bytes, BW 1544 Kbit, DLY 20000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation HDLC, loopback not set, keepalive set (10 sec)

1. Neighbor Discovery/Recovery: multicast keepalives via periodic Hello packets (similar to OSPF). Acknowledgements unicast with Ack #.
2. Reliable Transport Protocol (RTP): some multicast with no reply/acknowledgement. Most updates require acknowledgements using sequence numbers for the neighbor table
3. Diffusing Update Algorithm (DUAL) Finite State Machine (FSM): tracks all routes advertised by all neighbors. Inserts feasible successors from topology table into routing table. Feasible Successor = Advertised Distance < Feasible Distance (FD) of Successor. Successor: neighboring router used for packet forwarding with least cost path to a destination guaranteed not part of a routing loop
4. Protocol Dependent Modules i.e. IP

Neighbor Table: Maintains copy of neighbor's route table. Holdtimes. RTP Contains Successors (e.g. best route).
Topology Table: ACTIVE (recomputing when no feasible successor) or PASSIVE (this is good → all destinations advertised by neighbors w/ metrics). Contains Feasible Successors - move to Route Table when Successor no longer available; rapid convergence
Forwarding/Route Table: Contains Successors.

Bandwidth
Delay
Reliability
Load

EIGRP Metric = 256*((K1*Bw) + (K2*Bw)/(256-Load) + (K3*Delay)*(K5/(Reliability + K4))) = FD when the best route

The default values for weights are:

K1 - 1
K2 - 0
K3 - 1
K4 - 0
K5 - 0

Configure a routing process and which networks the protocol should run over. The ProcessID is synonymous to the Autonomous Area in OSPF & can define organizational boundaries using multiple ProcessIDs.

Cisco proprietary, classless, supports VLSM (wildcards recommended but optional)
1. Specify interfaces w/in subnet
2. Advertises subnet
3. Listens for messages to subnet

Adjacency: send Hello packet to the multicast address 224.0.0.10, Neighbors respond with their routes (less split horizon), Agree on AS and metrics weights. Hello & deadtime agreement only for OSPF.

R0(config)#router eigrp 11 = Autonomous System (AS)
R0(config-router)#no auto-summary - change to classless & requires manual summarization, summary sent
R0(config-router)#network 172.22.0.0 - classful (no wild cards?) send hellos every 5-seconds, holdtime=3x
R0(config-router)#passive e0 - send no EIGRP hello packets out this interface
R0(config-router)#distribute-list 101 out e0 - static filter EIGRP from sending updates out this interface using access-list 101
R0(config-router)#distribute-list 102 in e1 - filter EIGRP from receiving updates out this interface
R0(config-router)#metric weights 0 1 1 1 1 1
R0(config-router)#variance 1 - equal cost load path balancing when default = variance 1
R0(config-router)#variance 7 - unequal cost load path balancing, include routes with a minimum metric of 7 times the minimum
R0(config-if)#ip summary-address eigrp 101 100.0.0.0 252.0.0.0 - summarization not under EIGRP, but under the interface
R0#show ip protocols - lists variance & source of routes (neighbors)
R0#show ip eigrp neighbors - don't bother troubleshooting routes if neighbors don't show up - all weights must be the same.
If the Reported Distance of the router (the metric after the slash) is less than the feasible distance (FD), the feasibility condition is met and that path is a feasible successor.
R0#show ip eigrp traffic - list hello packets, updates, ACKs and replies
R0#show ip eigrp topology

Uses Split Horizon and Poison Reverse
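The EIGRP metric, feasibility condition and variance rule from this section, together with the OSPF default cost of 100,000,000/bandwidth, worked through as an added Python example (not from the original notes) using the BW 1544 Kbit / DLY 20000 usec values of the Serial6/0 output. Integer truncation, delay counted in tens of microseconds, the Fast Ethernet link values and the neighbor names R1 to R3 are assumptions made for illustration.

```python
DEFAULT_K = (1, 0, 1, 0, 0)  # K1..K5 default weights


def eigrp_metric(links, k=DEFAULT_K, load=1, reliability=255):
    """links: (bandwidth_kbit, delay_usec) of each outgoing interface on the path."""
    k1, k2, k3, k4, k5 = k
    bw = 10**7 // min(b for b, _ in links)   # scaled by the slowest link
    delay = sum(d for _, d in links) // 10   # summed, in tens of microseconds
    metric = k1 * bw + (k2 * bw) // (256 - load) + k3 * delay
    if k5:                                   # reliability term only when K5 != 0
        metric = metric * k5 // (reliability + k4)
    return 256 * metric


def ospf_cost(bandwidth_kbit, reference=10**8):
    """Default OSPF interface cost: reference / bandwidth in bit/s, never below 1."""
    return max(1, reference // (bandwidth_kbit * 1000))


def classify_routes(routes, variance=1):
    """routes: {neighbor: (metric_via_neighbor, reported_distance)}.

    Returns (feasible distance, role per neighbor, neighbors used for forwarding).
    """
    successor = min(routes, key=lambda n: routes[n][0])
    fd = routes[successor][0]
    roles = {}
    for neighbor, (metric, reported) in routes.items():
        if neighbor == successor:
            roles[neighbor] = "successor"
        elif reported < fd:                  # feasibility condition is strict
            roles[neighbor] = "feasible successor"
        else:
            roles[neighbor] = "not feasible"
    # Unequal-cost load sharing: feasible paths whose metric is under variance x FD.
    forwarding = [n for n, (metric, _) in routes.items()
                  if n == successor
                  or (roles[n] == "feasible successor" and metric < variance * fd)]
    return fd, roles, forwarding


T1 = (1544, 20000)   # Serial6/0: BW 1544 Kbit, DLY 20000 usec
FE = (100000, 100)   # constructed Fast Ethernet link: 100000 Kbit, 100 usec

# Constructed topology table for one destination, seen from the local router.
SAMPLE_ROUTES = {
    "R1": (eigrp_metric([T1, FE]), eigrp_metric([FE])),
    "R2": (eigrp_metric([T1, T1]), eigrp_metric([T1])),
    "R3": (eigrp_metric([T1, T1, FE]), eigrp_metric([T1, FE])),  # RD equals FD
}

if __name__ == "__main__":
    print("T1 EIGRP metric:", eigrp_metric([T1]), "OSPF cost:", ospf_cost(T1[0]))
    print(classify_routes(SAMPLE_ROUTES, variance=2))
```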

Troubleshooting

1. Has this worked before?
2. When did it stop working?

IEEE Standards

| Number | Title |
|---|---|
| 802.2 | Logical Link Control - top sublayer in the data link layer |
| 802.3 | Medium Access Control (MAC)/Physical - both bottom sublayer of the data link layer & physical layer |
| 802.3u | 100 Mbps Fast Ethernet |
| 802.3z | GigE over Fiber-Optic |
| 802.3ab | GigE over twisted pair copper |
| 802.3ae | 10 GigE over Fiber-Optic |
| 802.3af | Power over Ethernet |
| 802.11 | |

Fiber Optics

850 nm 550m Multi-Mode Fiber (MMF) (SX) short length; LEDs instead of Lasers; cheaper
1310 nm 10 km Single Mode Fiber (SMF) (LX) near-infrared (NIR) long wavelength used in 100Base-FX (2km; MMF; duplex SC or ST)
1550 nm [40 km (XD), 80 km (ZX), 120 km (EX or EZX)] - BX uses 1310nm and 1550nm over one fiber.
DWDM

Cable Jacket - The outermost layer of the fiber cable.

Strengthening fibers - The strengthening fibers that help protect the core against damage during installation or from being crushed.

Coating - This layer of thicker plastic surrounds the cladding and helps protect the fiber core.

Cladding - The layer that protects the core and causes the necessary reflection to allow light to travel through the fiber-core segment.

Core - The physical component that transports the optical data signal, made up of a continuous strand of glass. The core's diameter is measured in microns.

Restriction of Use of Hazardous Substances (RoHS) bans or limits lead, cadmium, polybrominated biphenyl (PBB), mercury, hexavalent chromium, and polybrominated diphenyl ether (PBDE) flame retardants.

CCNA

1. Exam Registration Comprehensive 640-802 or (ICND1 640-822 + ICND2 640-816)
2. Voice 640-460 IIUC, Implementing Cisco IOS Unified Communications (IIUC) - commercial
   642-436 CVOICE, Cisco Voice over IP - enterprise
3. Security 640-553, Implementing Cisco IOS Network Security (IINS)
4. Wireless 640-721, Implementing Cisco Unified Wireless Networking Essentials (IUWNE)

CCIE

CCDA

- Design Associate 640-863 (DESGN)

CCNP Network Professional

1. 642-902 ROUTE, Implementing Cisco IP Routing
2. 642-813 SWITCH, Implementing Cisco Switched Networks
3. 642-832 TSHOOT, Troubleshooting and Maintaining Cisco IP Networks

CCVP Voice Professional

Amit N. Bhagat's Cisco Zone @ Google Sites

Links

Simulations & Test/Certification Tools
GNS3 - Open Source, included JunOS
WinPCap
Dynamips
Sans Institute
Cisco Packet Tracer

Authors
Todd Lammle - Sybex
Wendell Odom - Cisco Press
Jeremy Cioara - CBT Nuggets
Steve McQuerry
Valentine & Whittaker

Useful Sites
9Tut.com
DigitalTut.com
info-it.net
Train Signal
Chris Bryant
Paul Browning's HowToNetwork.net
FreeCCNAworkbook.com/


Networking Newbie
Visual Cert Exam (VCE) Suite
Brian McGahan
Boss CBT TV
Packet Life Labs

CISSP, DoD 8570.01-M, CISA, CISM, SSCP, SECURITY+, Ethical Hacking
Shon Harris
Sans Institute
Information Assurance Workforce Improvement Program

Acronyms

RADIUS

Remote Authentication Dial-In User Services

RSVP

Receiver-initiated signaling protocol for establishing a guaranteed QoS path between a sender and (a) receiver(s).