Page 1: CCNA -  · PDF fileCisco Certified Network Associate Welcome to our Cisco CCNA® training course. This course will help you better understand how networking is defined,

Cisco CCNA Training Curriculum

Course Outsource © 2008 - All Rights Reserved.

1

© Copyright 2006 Course Outsource. All Rights Reserved. © Copyright 2008 Course Outsource. All Rights Reserved.

Welcome to our version of the:

CCNA®

Cisco Certified Network Associate

Welcome to our Cisco CCNA® training course. This course will help you better understand how networking is defined, implemented and supported in the real world. More precisely, this course will give you a Cisco-specific network perspective.

CCIP, CCIE, CCDA, CCDP, CCENT, CCNP, CCNA, CCVO, VLANDirector, TrafficDirector, CiscoWorks 2000, ONS 15454 Secure PIX Firewall, Secure Virtual Private Networks, Cisco, Cisco Systems, Cisco Systems Logo, Catalyst, EtherChannel, IOS and LightStream are registered trademarks of Cisco Systems, Inc. or its affiliates in the US and certain other countries.


Introduction

• This is a 5 day hands-on course which covers the following exam objectives.

CCNA 3.0 (640-802)

• Another exam option this course covers:

ICND1 (640-822)

ICND2 (641-816)

This course was also written to help you understand the objectives for the Cisco 640-801 exam; however, the ICND and Intro exams are also covered. We do not suggest that you take the two-test option, as it is not easier than the one-test method. Of course, that is up to you, and we are confident this course will prepare you whichever way you decide to go.

Now, let’s start with this course book itself.

Each page of this course book consists of a slide from the instructor’s slide deck and the accompanying information that explains the content of the slide. Some slides are markers (i.e. chapter headings, outlines, intros, etc.) and require no additional information; in that case you will see the next corresponding slide immediately following. For example, look at the next few pages, which outline the class and the exam.


CCNA Exam

• Around 50-60 items

• Around 850 out of 1000 to pass

• The number of questions and the percentage needed to pass vary from exam to exam

• About 90 minutes

• Cannot return to questions

• Simulated, testlets, multiple choice, fill-in-the-blank, and drag n’ drop questions


CCNA Course Outline

Chapter 1: The Cisco Router and Switch Interface

• Cisco IOS
• Cisco CLI
• Administrative Functions
• Configuring Interfaces
• Introduction to Cisco Catalyst Switches


CCNA Course Outline

Chapter 2: Managing a Cisco Internetwork

• Copying and saving the IOS and configuration
• Troubleshooting Cisco networks

Chapter 3: TCP/IP Addressing and Subnetting

• IP Addressing
• Class C Subnetting


CCNA Course Outline

Chapter 4: IP Routing

• Basic IP routing
• Static Routing
• RIPv1 and RIPv2
• EIGRP
• OSPF


CCNA Course Outline

Chapter 5: Advanced TCP/IP

• Class C subnetting review
• Class B subnetting
• VLSM design and implementation
• Discontiguous Networks
• Summarization

Chapter 6: Security

• Introduction to Security
• Standard Access Lists
• Extended Access Lists
• Named Access Lists


CCNA Course Outline

Chapter 7: Network Address Translation

• Static NAT
• Dynamic NAT Pools
• Port Address Translation (PAT)

Chapter 8: Switching

• Virtual LANs (VLANs)
• Spanning Tree Protocol (STP)


CCNA Course Outline

Chapter 9: Wireless LANs

- 802.11
- Basic Service Sets (BSS)

Chapter 10: Introduction to IPv6

- IPv6 Addressing
- Implementing IPv6


CCNA Course Outline

Chapter 11: Cisco WAN Support

• Basic WAN
• HDLC
• PPP
• Frame Relay


Preface

Course Conventions


Local-Area and Wide-Area Network Symbols Key

Symbols used in the course diagrams: Router, Bridge, Ethernet Switch, ATM Switch, Hub, MAU, Concentrator, Server, Comm Server, CSU/DSU, WAN Cloud, Serial Line, Ethernet.


Syntax Conventions

Router prompts are in BLACK as follows:

R1#

Router commands to be entered by the user are in GREEN as follows:

R1(config)# interface serial 0
R1(config-if)# shutdown


The Cisco Router and Switch Interface

Chapter 1

In this chapter we will discuss the basics and glance over a few advanced topics with regard to interfaces, configurations, the configuration register and the like. We will review switch interfaces at the end of the chapter.


Router Power-On/Bootup Sequence

1. Perform Power-On Self Test (POST)
2. Load and run bootstrap code
3. Look in NVRAM for config-register setting
4. Load the Cisco IOS software
5. Find the configuration (if none, run Setup)
6. If found, load the configuration in RAM

When you first bring up a Cisco router, it will run a Power-On Self-Test (POST), and if that passes, it will then look for and load the Cisco IOS from Flash memory—if a file is present. In case you don’t know, flash memory is an electronically erasable programmable Read-Only Memory (ROM)—an EEPROM. The IOS then proceeds to load and then look for a valid configuration—the startup-config—that’s stored by default in nonvolatile RAM, or NVRAM.

ROM
- Contains microcode for basic functions
- Runs POST
- Loads bootstrap
- Has Mini-IOS
- Provides ROM-Monitor mode


Router Interfaces

Router interfaces can be GigabitEthernet, FastEthernet, Ethernet, Token Ring and various other LAN physical technologies, like FDDI.

The serial ports can be used for a WAN T1, for example, or PPP or Frame Relay.

Miscellaneous ports can include BRI for ISDN.

The Console port is a serial connection that allows out-of-band signaling.

The Aux port is an auxiliary console port that accepts modem commands, so you can dial into a router out-of-band if a remote router goes down and you need to configure it through the console connection.


Cisco IOS Software EXEC

User Mode
- Limited examination of switch or router
- Command prompt on the device: Router>

Privileged (or enable) Mode
- Detailed examination of switch or router
- Enables configuration and debugging
- Prerequisite for other configuration modes
- Command prompt on the device: Router#


Logging into the Router

Router con0 is now available
Press RETURN to get started.

Router>                      (User mode prompt)
Router> enable
Router#                      (Privileged mode prompt)
Router# disable
Router> quit

After the interface status messages appear and you press Enter, the Router> prompt will appear. This is called User mode and is mostly used to view statistics.

There are two primary EXEC modes for entering commands on a Cisco router: User mode and Privileged mode. User mode is used to verify status and run basic show commands. You can only view and change the configuration of a Cisco router in Privileged mode, which you enter with the “enable” command.


Router Context-Sensitive Help

Router# clok
Translating "CLOK"
% Unknown command or computer name, or unable to find computer address

Router# cl?
clear  clock

Router# clock
% Incomplete command.

Router# clock ?
set  Set the time and date

Router# clock set 19:56:00 04 8
                              ^
% Invalid input detected at the '^' marker

Note: The command “help” does not give you help on a command.

You can use the Cisco advanced editing features to help you configure your router. If you type in a question mark (?) at any prompt, you’ll be given the list of all the commands available from that prompt.

You can press the “spacebar” to get another page of information, or you can press “Enter” to go one command at a time.

Once you have typed enough characters for a non-ambiguous command, the “Tab” key can be pressed to complete the syntax, and then “?” can be entered to obtain additional help if needed. If a command is ambiguous, you will need to enter more characters or “?” to determine the specific syntax to use for the desired command.

The “^” character marks where a syntax error or invalid input was detected.


Using Enhanced Editing

<Ctrl-A>  Move to the beginning of the command line.
<Ctrl-E>  Move to the end of the command line.
<Esc-B>   Move back one word.
<Esc-F>   Move forward one word.
<Ctrl-F>  Move forward one character.
<Ctrl-B>  Move back one character.
<Ctrl-D>  Delete a single character.
Tab       Finishes typing a command for you.
Up/down arrows  Display the previous/next command from the history buffer.

Automatic scrolling of long lines gives you $ and moves your text ten spaces to the left.

This slide shows the list of the enhanced editing commands available on a Cisco router.

The most common enhanced editing features used are the up/down arrows. On some terminal emulators, you may need to do a <Ctrl-P> or a <Ctrl-N> if the up/down arrows do not function.


Router Command History

Ctrl-P or Up arrow                    Last (previous) command recall
Ctrl-N or Down arrow                  More recent command recall
Router> show history                  Show command buffer contents
Router> terminal history size lines   Set session command buffer size

You can review the router-command history with the commands shown in this slide. This is very helpful and will save you from re-typing things over and over and over…..


Break Sequences

• <CTRL>+z
• <CTRL>+c
• <CTRL>+<SHIFT>+’6’ then X
• <CTRL>+Break or <CTRL>+<SHIFT>+’6’ then B during the router boot cycle allows you to access ROM Monitor mode. One purpose is to perform password recovery.

This slide shows some basic break sequences you can use on a Cisco router.

The <Ctrl>+<Shift>+6 then X is used to break out of a command. This is especially helpful on traceroute where the traceroute is to a network not in the routing table. By default the command would continue for 30 hops, with each waiting for the TTL to expire. This can save a lot of time by breaking out of the command. <Ctrl>+<Shift>+6 then B is very helpful if you are performing a password recovery and your PC configuration does not have a “break” key or if the <Ctrl>+[Break key] is not stopping the cycle of the reboot.


Router Components

Console, Auxiliary, Interfaces

RAM [Running-Config]: routing table, ARP cache, packet buffers
NVRAM [Startup-Config] [config-register]
Flash [IOS]
ROM [POST] [Bootstrap] [Skeleton IOS]

Router# show interfaces
Router# show mem
Router# show ip route
Router# show flash
Router# show startup-config
Router# show running-config
Router# show process cpu
Router# show protocols
Router# show version
Router# show line

show flash: shows all files in flash.
show startup-config: shows the backup configuration stored in NVRAM.
show running-config: shows the configuration the router is using at the moment.
show interfaces: shows the status of all interfaces. You can type show interface s0 to see just the statistics of serial 0.
show line: shows you all the available lines that can be configured on a router. The default lines are aux, console and vty.
show version: covered in the next slide…


show version Command

Router# show version
Cisco Internetwork Operating System Software
IOS (tm) 2600 Software (C2600-JS-L), Version 12.0(8), RELEASE SOFTWARE (fc1)
Copyright (c) 1986-1999 by cisco Systems, Inc.
Compiled Mon 08-Feb-99 18:18 by phanguye
Image text-base: 0x03050C84, data-base: 0x00001000

ROM: System Bootstrap, Version 11.0(10c), SOFTWARE
BOOTFLASH: 3000 Bootstrap Software (IGS-BOOT-R), Version 11.0(10c), RELEASE SOFTWARE (fc1)

R1 uptime is 22 minutes
System restarted by reload
System image file is "flash:c2600-js-l_120-8.bin"
(output cut)

Displays system hardware config info, software version, and the names and sources of config files and boot images on a router

The “show version” command will provide basic configuration for the system hardware as well as the software version, the names and sources of configuration files, and the boot images. The last information given from this command is the value of the configuration register. In this example, the value is 0x2102—the default setting. The configuration register setting of 0x2102 tells the router to look in NVRAM for the boot sequence. By manipulating the configuration register, you can perform actions such as password recovery, or determine the boot sequence, or where to boot from.


show version Command cont.

…
cisco 2610 (MPC860) processor (revision 0x202) with 45056K/4096K bytes of memory.
Processor board ID JAB032008NM (3952172322)
M860 processor: part number 0, mask 49
Bridging software.
X.25 software, Version 3.0.0.
SuperLAT software (copyright 1990 by Meridian Technology Corp).
TN3270 Emulation software.
1 Ethernet/IEEE 802.3 interface(s)
1 Serial network interface(s)
2 Serial(sync/async) network interface(s)
32K bytes of non-volatile configuration memory.
16384K bytes of processor board System flash (Read/Write)

Configuration register is 0x2102

Note: The above router has 48 Meg of RAM and 16 Meg of System Flash

The above router has 48 meg of RAM, 32K of NVRAM and 16 meg of Flash memory. The IOS size for this router is limited to a maximum size of 16 megs. The last information given from this command is the value of the configuration register. In this example, the value is 0x2102—the default setting. The configuration register setting of 0x2102 tells the router to look in NVRAM for the boot sequence.


Configuration Register

• 0x2102 = load IOS from flash and then the configuration from NVRAM. The router looks in NVRAM for the boot sequence
• 0x2100 = Load ROM Monitor Mode
• 0x2101 = load Mini-IOS from ROM
• 0x2142 = Load IOS from Flash and do not load startup-config

Router# config t
Router(config)# config-register 0x2102

All Cisco routers have a 16-bit software register that’s written into NVRAM. By default, the configuration register is set to load the Cisco IOS from flash memory and to look for and load the startup-config file from NVRAM. You can change the configuration register by using the config-register command shown above.

On newer routers, this can also be carried out from ROMMON mode using the ‘confreg’ command.


When this router is rebooted, why does it lose its configuration?

…
cisco 2610 (MPC860) processor (revision 0x202) with 16384/2084kbytes of memory.
Processor board ID JAB03040BPS (3406519245)
M860 processor: part number 0, mask 49
Bridging software.
X.25 software, Version 3.0.0.
SuperLAT software (copyright 1990 by Meridian Technology Corp).
TN3270 Emulation software.
1 Ethernet/IEEE 802.3 interface(s)
1 Serial network interface(s)
2 Serial(sync/async) network interface(s)
32K bytes of non-volatile configuration memory.
16384K bytes of processor board System flash (Read/Write)

Configuration register is 0x2142

It doesn’t lose the configuration; it just never loads the configuration from NVRAM because the configuration register is set to bypass the startup-config in NVRAM. The configuration register should be 0x2102.
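As an added example (not code from the course book), the following Python script pulls the configuration register out of captured show version text and decodes it the way the Configuration Register slide and this one describe: a register of 0x2142 means the startup-config in NVRAM is skipped, and a boot field of 0 means the router stops in ROM monitor. The bit meanings are the standard register fields (bits 0-3 boot field, bit 6 ignore NVRAM, bit 8 Break disabled, bit 13 fall back to ROM software); the two show version excerpts are constructed samples, and running this over the output collected from a fleet of routers is a quick way to catch a box that was left in the password-recovery state.

```python
"""Decode and audit the Cisco configuration register from `show version` text.

Added example, not code from the course book. It relies on the standard
meaning of the 16-bit register fields: bits 0-3 are the boot field,
bit 6 (0x0040) ignores the NVRAM startup-config, bit 8 (0x0100) disables the
console Break key after boot, bit 13 (0x2000) boots default ROM software if a
network boot fails. The `show version` excerpts are constructed samples.
"""
import re

BOOT_FIELD_MASK = 0x000F
IGNORE_NVRAM = 0x0040
BREAK_DISABLED = 0x0100
ROM_FALLBACK = 0x2000

CONFREG_RE = re.compile(r"Configuration register is (0x[0-9A-Fa-f]{1,4})")

# Constructed sample: tail of a healthy router's show version output.
SAMPLE_DEFAULT = """\
32K bytes of non-volatile configuration memory.
16384K bytes of processor board System flash (Read/Write)

Configuration register is 0x2102
"""

# Constructed sample: the router from the slide that "loses" its config.
SAMPLE_BYPASS = """\
32K bytes of non-volatile configuration memory.
16384K bytes of processor board System flash (Read/Write)

Configuration register is 0x2142
"""


def parse_confreg(show_version_output: str) -> int:
    """Extract the register value (as an int) from show version text."""
    match = CONFREG_RE.search(show_version_output)
    if match is None:
        raise ValueError("no 'Configuration register is' line found")
    return int(match.group(1), 16)


def boot_field_meaning(value: int) -> str:
    """Translate the low four bits into what the router boots."""
    field = value & BOOT_FIELD_MASK
    if field == 0x0:
        return "ROM monitor"
    if field == 0x1:
        return "Mini-IOS from ROM"
    return "IOS from flash"


def decode_confreg(value: int) -> dict:
    """Return the individual fields of a register value."""
    return {
        "value": f"0x{value:04X}",
        "boot": boot_field_meaning(value),
        "ignore_startup_config": bool(value & IGNORE_NVRAM),
        "break_disabled": bool(value & BREAK_DISABLED),
        "rom_fallback": bool(value & ROM_FALLBACK),
    }


def audit_confreg(show_version_output: str, expected: int = 0x2102) -> list:
    """Return findings for one router; an empty list means nothing to report."""
    value = parse_confreg(show_version_output)
    findings = []
    if value & IGNORE_NVRAM:
        findings.append(
            f"0x{value:04X}: bit 6 set, startup-config in NVRAM is bypassed "
            "(the state left behind by a password recovery)")
    if (value & BOOT_FIELD_MASK) == 0x0:
        findings.append(f"0x{value:04X}: boot field 0, router will stop in ROM monitor on reload")
    if value != expected:
        findings.append(f"0x{value:04X}: differs from the expected 0x{expected:04X}")
    return findings


if __name__ == "__main__":
    for sample in (SAMPLE_DEFAULT, SAMPLE_BYPASS):
        register = parse_confreg(sample)
        print(decode_confreg(register))
        for finding in audit_confreg(sample):
            print("  FINDING:", finding)
```

For the 0x2142 sample the audit returns two findings (NVRAM bypassed, and not the expected 0x2102); for the 0x2102 sample it returns none.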


Viewing the Configuration

show startup-config: Allows you to display the backup configuration (the config held in NVRAM)
show running-config: Displays the active configuration (the config held in RAM and used by the IOS)

You can view the configuration files on a router by typing show running-config or show startup-config from privileged mode. The main difference is that the running-config is what is actually active on the router, where the startup-config is what is saved in NVRAM. By performing a “copy running-config startup-config”, it saves the running-config into NVRAM.

A best practice commonly used in various industries is to keep several versions of the router’s configuration on a TFTP server, and to regularly save the running-config after changes are made and successfully tested. This can provide an audit trail of when changes were introduced, and can aid in troubleshooting problems brought on as a result of changes.


Setup Mode

• When you erase the configuration on a router and reboot, you will be in Setup mode
• You can type “setup” from privileged mode to enter setup mode
• Square brackets indicate default or current settings
• Enable password and Enable secret password are configured during setup mode. The enable secret password cannot be seen as clear text when viewing the configuration
• If both the Enable password and Enable secret passwords are set, the router will utilize the Enable secret password as it is more secure.

Once the IOS is loaded, up and running, a valid configuration will be loaded from NVRAM. However, if there isn’t a configuration stored in NVRAM, the router will go into setup mode—a step-by-step process to help you configure the router. You can also enter setup mode at any time from the command line by typing the command setup from privileged mode. The Enable password and Enable secret password are configured during setup mode. The enable secret password cannot be seen as clear text when viewing the configuration. For this reason, it should be used wherever possible because it can protect against someone using router configurations to gain unauthorized access to the routers. It displays in the router configuration as an MD5 hash, and in many cases is used as a last resort password if TACACS or RADIUS fails.
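As an added example (not code from the course book), here is a Python audit of the enable-password rule stated above: enable secret is stored as an MD5 hash (IOS encryption type 5) and wins over enable password when both are configured. The script parses a constructed running-config sample and reports a clear-text enable password, an enable password left alongside an enable secret, and the absence of an enable secret; the hash in the sample is a placeholder, not a real digest, and the type-7 check reflects the known fact that IOS type 7 is reversible obfuscation rather than a hash.

```python
"""Audit enable-password handling in a Cisco IOS running-config.

Added example, not code from the course book. It checks the rule the slide
states: `enable secret` is stored as an MD5 hash (type 5) and takes precedence
over `enable password` when both are present. The config text below is a
constructed sample; the hash string is a placeholder, not a real digest.
"""
import re

# Matches "enable password <pw>", "enable password 7 <obfuscated>",
# "enable secret 5 <hash>" and similar lines. The optional digit group is the
# IOS encryption type that precedes the value; absent means clear text.
ENABLE_RE = re.compile(r"^enable (password|secret)(?: (\d+))? (\S+)[ \t]*$", re.MULTILINE)

SAMPLE_CONFIG = """\
!
hostname R1
!
enable password cisco123
enable secret 5 $1$PLACEHOLDER$xxxxxxxxxxxxxxxxxxxxxx
!
line con 0
 password cisco
line vty 0 4
 password cisco
 login
!
"""


def parse_enable_lines(config: str) -> dict:
    """Return {'password': (type, value), 'secret': (type, value)} for lines found.

    type is None when the value is stored in clear text (IOS type 0).
    """
    found = {}
    for kind, enc_type, value in ENABLE_RE.findall(config):
        found[kind] = (int(enc_type) if enc_type else None, value)
    return found


def effective_enable_method(config: str):
    """Which credential the router actually uses for `enable` (secret wins)."""
    found = parse_enable_lines(config)
    if "secret" in found:
        return "secret"
    if "password" in found:
        return "password"
    return None


def audit_enable(config: str) -> list:
    """Return findings about how privileged-mode access is protected."""
    found = parse_enable_lines(config)
    findings = []
    if "secret" not in found:
        findings.append("no enable secret: privileged access is not protected by a hashed secret")
    if "password" in found:
        enc_type, _ = found["password"]
        if enc_type is None:
            findings.append("enable password stored in clear text in the configuration")
        elif enc_type == 7:
            findings.append("enable password uses type 7 obfuscation, which is reversible")
        if "secret" in found:
            findings.append("enable password is redundant while enable secret is set; remove it")
    return findings


if __name__ == "__main__":
    print("router will use:", effective_enable_method(SAMPLE_CONFIG))
    for finding in audit_enable(SAMPLE_CONFIG):
        print("FINDING:", finding)
```

On the sample config the router uses the enable secret, and the audit reports the clear-text enable password and that it is redundant next to the secret; a config with only an enable secret produces no findings.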


Configuring the Router

Router# configure
Configuring from terminal, memory, or network [terminal]?

• Terminal: Configures information into RAM (changes the running-config)
• Memory: Configures information from NVRAM into running-config
• Network: Configures information from a file stored on a TFTP host into running-config

To configure from a CLI, you can make global changes to the router by typing configure terminal (or config t for short), which puts you in global configuration mode and changes what’s known as the running-config. A global command (commands run from global config) is one that is set once and affects the entire router. You can type config from the privileged-mode prompt and then just press <Enter> to take the default of terminal.

You would use the memory or network option to upload a configuration file from either memory or a TFTP server on the network. In many cases, this is used to pre-stage changes, migrations, or to facilitate review processes.


Router Modes

User EXEC mode: Limited to basic monitoring commands
Privileged EXEC mode: Provides access to all other router commands
Global configuration mode: Commands that affect the entire system
Specific configuration mode: Commands that affect interfaces/processes only
Setup mode: Interactive configuration dialog

This slide shows a summary of the various router modes used on a router.


Router Modes Example

User EXEC mode:             Router>
                            Router> enable
Privileged EXEC mode:       Router#
                            Router# configure terminal
Global configuration mode:  Router(config)#
                            <ctrl>-z (end) returns to privileged EXEC mode

Configuration Mode   Prompt
Interface            Router(config-if)#
Subinterface         Router(config-subif)#
Line                 Router(config-line)#
Router               Router(config-router)#

It’s really important that you understand the different prompts you can find when configuring a router. Knowing these well will help you navigate and recognize where you are at any time within configuration mode.


Saving Configurations

Copy the current configuration to NVRAM:

Router# copy running-config startup-config
Destination filename [startup-config]? <enter>
Building configuration…

You can manually save the configuration from DRAM to NVRAM with the copy running-config startup-config command (the shortcut copy run start also works). You can also copy it to other files in NVRAM or to a TFTP server in addition to the startup-config. Any off-box copy contains the same credentials as the device, so store it with the same care.


Restoring Configurations

Copy the saved configuration to DRAM:

Router# copy startup-config running-config
Destination filename [running-config]? <enter>
Building configuration…

This retrieves the router's configuration file from NVRAM and loads it into RAM.

copy startup-config running-config merges the startup-config file into the running configuration; it does not replace it. That makes it only a partial way of backing out of changes: commands that exist in startup-config are reapplied, but commands you added to the running-config and never saved are not removed by the merge. For a complete rollback to the saved configuration, reload the router (or, on IOS versions that support it, use configure replace).


Administrative Functions

Administrative functions help you administer your internetwork. This includes:

• Hostnames

• Banners

• Interface Descriptions

• Passwords

This next section will teach you how to configure administrative functions on a router.


Configuring Router Identification

Router name:
Router(config)# hostname R1
R1(config)#

Message of the day banner:
R1(config)# banner motd #MIS meeting at 13:00 Everyone that has attended this class gets a 50% raise.#

You can set the identity of the router with the hostname command. This is only locally significant: it has no bearing on how the router performs name lookups, but it is reported through the Cisco MIBs to identify the router. A good naming standard provides some functional and geographical information. Unique naming is an important best practice, as it aids troubleshooting and prevents confusion over duplicate names.

A good reason for having a banner is to add a security notice for users accessing your internetwork remotely. The character after banner motd (# in the example) is the delimiter; it may be any character that does not appear in the message.

You can set a banner on a Cisco router so that when a user logs into the router, or an administrator telnets into it, the banner gives them the information you want them to have. As another best practice, the banner can identify the revision of the standard configuration template in use. It should not contain proprietary or confidential information, and it should not read as a welcome, because it is displayed to everyone who connects, before authentication.


Configuring Interface Descriptions

R1(config)# interface fastethernet 0/1
R1(config-if)# description Finance LAN
R1(config-if)# interface serial 0/0
R1(config-if)# description WAN to Miami

View descriptions with the following commands:

R1# show running-config
R1# show interface

Setting descriptions on an interface is helpful to the administrator and support staff; for example, you can use it to keep track of circuit numbers. If configurations are stored offline, this information can be used to build circuit databases, port maps and network diagrams. Standardizing the description format makes it straightforward to write a script that pulls the information into a database, spreadsheet or network drawing.


Do the "do"

On routers running IOS 12.3 and above, you can run show commands from within configuration mode by prefixing them with do:

R1(config)# do show run
R1(config-if)# do show interface


Console/Aux Password Configuration

R1(config)# line console 0
R1(config-line)# password todd
R1(config-line)# login

R1(config-line)# line aux 0
R1(config-line)# password lammle
R1(config-line)# login

To set the console password, use the line console 0 command; the aux port works the same way with line aux 0. You must also enter the login command, or the router will not prompt for the password.

Use caution with line passwords that match the enable secret. Line passwords are shown in clear text in the router configuration unless the service password-encryption command is used, and even then they are only obfuscated, so reusing the enable secret as a line password exposes it to anyone who can read the configuration.


Other Console Line Commands

Prevent console session timeout:
R1(config)# line console 0
R1(config-line)# exec-timeout 0 0

Redisplay interrupted console input:
R1(config)# line console 0
R1(config-line)# logging synchronous

The exec-timeout 0 0 command sets the idle timeout for the console EXEC session to zero, which means it never times out. That is convenient in a lab, but on a production device an unattended console session then stays logged in indefinitely; set a short timeout there instead (for example exec-timeout 5 0).

logging synchronous is a very useful command, and it arguably should be a default, but it is not. It stops console messages from interrupting the line you are typing by redisplaying your input after the message.


Telnet VTY Password

Virtual terminal password:
R1(config)# line vty 0 4
R1(config-line)# password todd
R1(config-line)# login (or no login)
R1(config-line)#

NOTE: no VTY password means no Telnet access. Cisco supports 5 simultaneous Telnet sessions by default (lines 0-4), although your router may support more.

To set the user-mode password for Telnet access into the router, use the line vty command. Routers that aren't running the Enterprise edition of the Cisco IOS default to five VTY lines, 0 through 4. With the Enterprise edition you will have significantly more. The best way to find out how many lines you have is to use the question mark:

Router(config-line)# line vty 0 ?
  <1-4>  Last Line Number
  <cr>

You can use the no login option so that you can telnet into a router and not be prompted for a password (not recommended: it gives anyone who can reach the VTY lines an unauthenticated shell).

An access-class applied inbound on the VTY lines (access-class <acl> in) further restricts which source addresses may connect. This is the first control to add, because the line password alone crosses the network in clear text when Telnet is used.

**Note** If the password is not set and TACACS or RADIUS is not configured, you will see "Password not set" when attempting to telnet to the router, and the session will be closed.


Telnet versus SSH Access

• Telnet: most common access method; insecure (credentials and the whole session travel in clear text)
• SSH: encrypted; an IP domain name must be defined and an RSA key must be generated

!--- The username command creates the username and password for the SSH session
username cisco password 0 cisco
ip domain-name mydomain.com
crypto key generate rsa
ip ssh version 2
line vty 0 4
 login local
 transport input ssh

SSH Server: The SSH Server feature enables an SSH client to make a secure, encrypted connection to a Cisco router. This connection provides functionality similar to that of an inbound Telnet connection. Before SSH, remote-access security was limited to what Telnet offered, which is nothing: the password and everything typed in the session cross the network in clear text. SSH allows strong encryption to be used with Cisco IOS software authentication. The SSH server in Cisco IOS software works with publicly and commercially available SSH clients.

SSH Integrated Client: The SSH Integrated Client feature is an application running over the SSH protocol to provide device authentication and encryption. The SSH client enables a Cisco router to make a secure, encrypted connection to another Cisco router or to any other device running an SSH server. This connection provides functionality similar to that of an outbound Telnet connection, except that the connection is encrypted. With authentication and encryption, the SSH client allows secure communication over an insecure network. The SSH client in Cisco IOS software works with publicly and commercially available SSH servers.

The IOS releases this material was written against supported the Data Encryption Standard (DES) and Triple DES (3DES) ciphers and password authentication. Both ciphers are considered weak today; current IOS releases also support AES, and you should restrict the SSH server to modern algorithms where the release allows it. User authentication is performed as in a Telnet session to the router. The user authentication mechanisms supported for SSH are RADIUS, TACACS+ and locally stored usernames and passwords.


Secure Shell

Here are the minimum commands needed to configure SSH on your router or switch:

R1# config t
R1(config)# username Todd password Lammle
R1(config)# ip domain-name lammle.com
R1(config)# crypto key generate rsa
R1(config)# line vty 0 4
R1(config-line)# login local
R1(config-line)# transport input ssh

(Optional: transport input ssh telnet. This keeps Telnet available alongside SSH and so gives up the protection SSH provides; use it only during a migration and remove it afterwards.)

Two practical notes: crypto key generate rsa prompts for the modulus size, and you should choose at least 2048 bits (ip ssh version 2 will not run with a very small key). Also prefer username Todd secret Lammle over username ... password ..., because the password form is stored in clear text or as reversible type 7, while secret is stored as a hash.

You must remember the command transport input ssh: it enables SSH, and only SSH, on the VTY lines.


Verifying SSH

To verify that the SSH server is enabled, and to view the version and configuration data for your SSH connection:

R1# show ip ssh

To verify the status of your SSH server connections:

R1# show ssh
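The SSH slides above give the minimum configuration and the commands that verify it on the box. What follows is an added example, not part of the course material and not a Cisco tool, that checks a saved running-config for the points these slides make: Telnet still permitted on the VTY lines, a line password instead of login local, no inbound access-class, exec-timeout 0 0, SSH not pinned to version 2, and a local account stored with password rather than secret. Both sample configurations in the block are constructed for the demonstration (the management subnet in the ACL is an assumption). The RSA key pair never appears in a configuration, so that step still has to be confirmed on the device with show ip ssh.

```python
"""Remote-access hardening lint for a Cisco IOS running-config.

Added example; not part of the original course and not a Cisco tool.
It parses the top-level commands and the indented 'line' sections of a
configuration and reports the weaknesses the slides warn about. Both
sample configurations below are constructed for the demonstration.
"""
import re
from typing import Dict, List, Tuple


def parse_config(text: str) -> Tuple[List[str], Dict[str, List[str]]]:
    """Split a config into top-level commands and 'line ...' sections.

    IOS indents the commands that belong to a section header such as
    'line vty 0 4' by one space; a non-indented line ends the section.
    """
    top: List[str] = []
    sections: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" "):          # member of the current section
            if current is not None:
                sections[current].append(raw.strip())
            continue
        cmd = raw.strip()
        if cmd.startswith("line "):
            current = cmd
            sections[current] = []
        else:
            current = None               # other sections are not needed here
            top.append(cmd)
    return top, sections


def check_remote_access(text: str) -> List[str]:
    """Return findings; an empty list means every check passed."""
    top, sections = parse_config(text)
    findings: List[str] = []
    if "ip ssh version 2" not in top:
        findings.append("SSH not pinned to version 2 (SSHv1 has known weaknesses)")
    for cmd in top:
        if re.match(r"username \S+ password ", cmd):
            findings.append(f"local account stored reversibly: {cmd}")
    for name, cmds in sections.items():
        if "exec-timeout 0 0" in cmds:
            findings.append(f"{name}: exec-timeout 0 0 disables idle logout")
        if not name.startswith("line vty"):
            continue                     # remaining checks apply to VTY lines
        transports = [c for c in cmds if c.startswith("transport input")]
        if not transports:
            findings.append(f"{name}: no 'transport input ssh' (Telnet not excluded)")
        elif transports[-1] != "transport input ssh":
            findings.append(f"{name}: '{transports[-1]}' permits a cleartext protocol")
        if "no login" in cmds:
            findings.append(f"{name}: 'no login' grants access with no password")
        elif not any(c == "login local" or c.startswith("login authentication")
                     for c in cmds):
            findings.append(f"{name}: line password only; prefer 'login local' or AAA")
        if not any(c.startswith("access-class ") and c.endswith(" in") for c in cmds):
            findings.append(f"{name}: no inbound access-class limiting source addresses")
    return findings


# Constructed sample: the course's minimum SSH configuration plus the
# "optional" Telnet fallback, a console that never times out and a
# local account with a reversible password.
WEAK_CONFIG = """\
hostname R1
ip domain-name lammle.com
username Todd password 0 Lammle
line con 0
 exec-timeout 0 0
 logging synchronous
line vty 0 4
 password todd
 login
 transport input ssh telnet
"""

# Constructed sample: the same device after hardening. The management
# subnet in the ACL is an assumption made for the example.
HARDENED_CONFIG = """\
hostname R1
ip domain-name lammle.com
username Todd secret Lammle
ip ssh version 2
ip access-list standard MGMT
 permit 10.0.0.0 0.0.0.255
line con 0
 exec-timeout 5 0
line vty 0 4
 access-class MGMT in
 exec-timeout 5 0
 login local
 transport input ssh
"""
```

Run check_remote_access(WEAK_CONFIG) and it lists six findings, one per weakness planted in the sample; the hardened sample produces none. The check deliberately looks at the last transport input line in a section, because IOS keeps only the most recent one.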


Enable Passwords

Enable password:
Router(config)# enable password lammle

Enable secret password:
Router(config)# enable secret fido

The enable secret is encrypted by default and supersedes the enable password if both are set.

Setting the enable password makes the router prompt for a password when you enter the enable command.

The enable secret password is hashed by default and supersedes the enable password. As a best practice, use enable secret: the configuration stores an MD5-based salted hash (shown as type 5) rather than the password itself. The other storage form (type 7, produced by service password-encryption) is trivially reversed by freely available programs, which is a concern whenever configuration files are backed up, e-mailed or left on a TFTP server. Even a type 5 hash can be brute-forced offline if the password is weak, so choose a long passphrase and protect the configuration files; newer IOS releases also offer stronger hash types (enable algorithm-type scrypt secret ...), which are preferred where available.


Encrypting your Passwords

Router# config t
Router(config)# service password-encryption
Router(config)# exit
Router# show running-config *

Router(config)# no service password-encryption

Encrypts your enable password and line passwords.

* Use show running-config to confirm that passwords configured before the service was enabled have also been converted.

service password-encryption obfuscates the passwords in the plain-text configuration file. Remember that with it turned off, show running-config reveals every password in clear text except the enable secret, which is stored only as a hash.

To encrypt the passwords already in the configuration, and any you add later, use the service password-encryption global configuration command. Two caveats: the result is type 7 obfuscation, not real encryption, and can be reversed by anyone who obtains the configuration; and no service password-encryption only stops encrypting new passwords, it does not convert the existing type 7 strings back to clear text.
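To show concretely what "easily cracked" means, here is an added example (not part of the course material) that reverses type 7 strings and scans a configuration for recoverable credentials. The type 7 scheme is a fixed-key XOR with a two-digit offset, so it is reversible by anyone who obtains the file; an enable secret stored as a type 5 hash is skipped because it cannot be reversed this way. The sample configuration in the block is constructed, its type 7 strings were generated with the encoder in the same block, and the enable secret hash is a placeholder rather than a real digest.

```python
"""Cisco IOS type 7 password reversal.

Added example, not part of the original course material. It shows why
service password-encryption is obfuscation rather than encryption: the
scheme is a fixed-key XOR, so anyone who can read the configuration can
recover every password stored as type 7. Only enable secret (a salted
hash, shown as type 5 or the newer types 8 and 9) withstands this.
"""
import re
from typing import List, Tuple

# Fixed key used by IOS type 7 obfuscation (publicly known since the 1990s).
_TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def type7_decode(encoded: str) -> str:
    """Recover the cleartext from a type 7 string such as '094F471A1A0A'.

    The first two decimal digits give the starting offset into the key;
    each following hex byte is one character XORed with the key byte at
    (offset + position) mod len(key).
    """
    if len(encoded) < 4 or len(encoded) % 2:
        raise ValueError("malformed type 7 string")
    offset = int(encoded[:2])
    if offset > 15:                      # IOS only uses offsets 0-15
        raise ValueError("invalid type 7 offset")
    data = bytes.fromhex(encoded[2:])
    clear = bytes(b ^ _TYPE7_KEY[(offset + i) % len(_TYPE7_KEY)]
                  for i, b in enumerate(data))
    return clear.decode("ascii")


def type7_encode(cleartext: str, offset: int = 2) -> str:
    """Produce a type 7 string; used here only to build the sample config."""
    if not 0 <= offset <= 15:
        raise ValueError("offset must be 0-15")
    body = bytes(c ^ _TYPE7_KEY[(offset + i) % len(_TYPE7_KEY)]
                 for i, c in enumerate(cleartext.encode("ascii")))
    return f"{offset:02d}{body.hex().upper()}"


# 'password 7 <hex>' or 'key 7 <hex>' at the end of a configuration line.
_TYPE7_LINE = re.compile(r"^.*\b(?:password|key) 7 (?P<enc>[0-9A-Fa-f]{4,})\s*$")
# A type 5 enable secret: a real hash, not recoverable by this method.
_TYPE5_LINE = re.compile(r"^enable secret 5 \$1\$")
# A password stored with no obfuscation ('password cisco' or 'password 0 cisco').
_PLAIN_LINE = re.compile(r"^.*\bpassword(?: 0)? (?P<pw>\S+)\s*$")


def audit_config(config_text: str) -> List[Tuple[int, str, str]]:
    """Report every recoverable credential as (line_number, kind, cleartext).

    kind is 'type7' for reversed strings and 'plain' for passwords that
    were never obfuscated. Hashed enable secrets are skipped.
    """
    findings: List[Tuple[int, str, str]] = []
    for n, line in enumerate(config_text.splitlines(), 1):
        cmd = line.strip()
        if cmd.startswith("!") or _TYPE5_LINE.match(cmd):
            continue
        m = _TYPE7_LINE.match(cmd)
        if m:
            findings.append((n, "type7", type7_decode(m.group("enc"))))
            continue
        m = _PLAIN_LINE.match(cmd)
        if m:
            findings.append((n, "plain", m.group("pw")))
    return findings


# Constructed running-config excerpt. The type 7 strings were produced
# with type7_encode; the enable secret hash is a placeholder, not a digest.
SAMPLE_CONFIG = """\
! constructed sample, not from a real device
hostname R1
enable secret 5 $1$abcd$placeholderHashNotARealDigest
enable password 7 0822455D0A16
username admin password 7 050707022C404B
tacacs-server key 7 094F471A1A0A
line con 0
 password 7 02120B5F0F
 login
line vty 0 4
 password cisco
 login
"""
```

Running audit_config(SAMPLE_CONFIG) recovers the enable password, the local user's password, the TACACS+ shared key and the console password from their type 7 strings, and reports the VTY password as plain; the enable secret is the only credential it cannot produce. The tacacs-server key line is included on purpose: a reversed AAA key is usually worth more to an attacker than any single line password.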


Draw a line from the left to the answer on the right


Chapter 1 Lab

Hands-on Lab 1.1

Open your lab books and complete hands-on lab 2.3


Chapter 1 Continued

Configuring Router Interfaces



Configuring an Interface

Choosing an interface:
R1(config)# interface type number
R2(config)# interface type slot/port

Examples of choosing an interface:
R1(config)# interface ethernet 0
R2(config)# interface fastethernet 0/1

(Diagram: R1 is a fixed-configuration router with interfaces e0 and fa0; R2 is a modular router with interfaces e0/0 and fa0/1.)

Some of the things you configure on an interface are Network layer addresses, media type, bandwidth and other administrative settings. Different routers use different methods to identify their interfaces.

Most of today's routers are modular, so the configuration syntax is interface type slot/port.


Adding IP Addresses

Interfaces on fixed-configuration routers:

R1# config t
R1(config)# interface serial 0
R1(config-if)# ip address 11.1.1.2 255.255.255.0
R1(config-if)# interface e0
R1(config-if)# ip address 11.1.2.2 255.255.255.0

Even though you don't have to use IP on your routers, it is most often what people use. To configure an IP address on an interface, use the ip address command from interface configuration mode.

Note: the command ip address <address> <mask> starts IP processing on the interface.


Adding IP Addresses continued

Interfaces on modular routers:

R1# config t
R1(config)# interface serial 0/0
R1(config-if)# ip address 11.1.1.2 255.255.255.0
R1(config-if)# int fa0/0
R1(config-if)# ip address 11.1.2.2 255.255.255.0

This slide demonstrates how to configure an IP address on 2600-series router interfaces.

Notice that the ip address syntax is the same for both interface types (serial and Ethernet), even though the commands used to select the interfaces differ. Don't forget which interface you are configuring.


Adding IP Addresses continued

Interfaces on ISR routers:

R1# config t
R1(config)# interface serial 0/0/0
R1(config-if)# ip address 11.1.1.2 255.255.255.0
R1(config-if)# int fa0/0
R1(config-if)# ip address 11.1.2.2 255.255.255.0

This slide demonstrates how to configure an IP address on ISR router interfaces, where serial interfaces in interface cards are numbered slot/subslot/port (serial 0/0/0).

Notice that the ip address syntax is the same for both interface types (serial and Ethernet), even though the commands used to select the interfaces differ. Don't forget which interface you are configuring.


Adding IP Addresses continued

Secondary addresses (not advised):

R1# config t
R1(config)# interface Ethernet 0
R1(config-if)# ip address 11.1.1.2 255.255.255.0
R1(config-if)# ip address 11.1.2.2 255.255.255.0 secondary

Note: two different subnets (broadcast domains) now share the same interface, E0.

This slide shows how two hosts on the same LAN would need to go through the router to communicate, because the hosts think they are on different subnets.

If you type another ip address command on an interface, it replaces the existing address and mask; you do not have to remove the old one first. If you want to add a second subnet to the same interface, you must use the secondary keyword.

Multiple IP addresses on one interface are not recommended: the design is inefficient (traffic between the two subnets hairpins through the router even though the hosts share a LAN) and it is harder to troubleshoot and to secure, since the two subnets are not actually separated at Layer 2.


Serial Interface Clocking

(Diagram: router DTE - CSU/DSU DCE - provider network - CSU/DSU DCE - router DTE)

Clocking is typically provided by the DCE network to the routers.
In non-production environments a DCE network is not always present.

Serial interfaces are usually attached to a CSU/DSU type of device that provides clocking for the line.

But if you have a back-to-back configuration (for example, one used in a lab or classroom), one end of the cable, the data communication equipment (DCE) end, must provide the clocking.

The type of cable plugged into a serial interface can be verified with the show controllers command. Its output reports whether the attached cable is DTE or DCE (and, for DCE, the clock rate). If it is a DCE cable, the clock rate command will be needed in a back-to-back configuration.


Configuring a Serial Interface

Set the clock rate if needed (the DCE side is determined by the cable; add clocking to the DCE side only):
R1# config t
R1(config)# interface serial 0
R1(config-if)# clock rate 64000

Set the interface bandwidth:
R1(config-if)# bandwidth 64
R1(config-if)# exit
R1(config)# exit

Note: show controllers shows the cable connection type. ISR routers auto-detect the cable type and set a clock rate of 2,000,000 by default.

By default, Cisco routers are all data terminal equipment (DTE) devices, so you must tell an interface to provide clocking if you need it to act as a DCE device. You configure a DCE serial interface with the clock rate command.

The show controllers command displays information about the physical interface itself. It also reports the type of serial cable plugged into the port. Usually this will be a DTE cable that plugs into a data service unit (DSU):

R1# show controllers serial 0
HD unit 0, idb = 0x121c04, driver structure at 0x127078
buffer size 1524, HD unit 0, V.35 DCE cable

The bandwidth and delay of an interface are used by routing protocols to calculate the best cost (path) to a remote network: IGRP and EIGRP use both, while OSPF derives its cost from bandwidth alone. The bandwidth command does not change the physical speed of the link; on a DCE interface only the clock rate does that. If you are using RIP, the bandwidth and delay settings are irrelevant, since RIP uses only hop count.


Disabling or Enabling an Interface

Enable an interface:
R1# configure terminal
R1(config)# interface serial 0
R1(config-if)# no shutdown
%LINK-3-UPDOWN: Interface Serial0, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0, changed state to up

Disable an interface:
R1# configure terminal
R1(config)# interface serial 0
R1(config-if)# shutdown
%LINK-5-CHANGED: Interface Serial0, changed state to administratively down
%LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0, changed state to down

You can turn an interface off with the interface-level shutdown command and turn it on with no shutdown. If an interface is shut down, it is reported as administratively down by the show interface command.

Remember to issue no shutdown once you have configured an interface; this trips up many students on the simulation portion of the exam. The reverse also matters in production: interfaces that are not in use should be left shut down, so that nothing can be plugged into them and brought up without a deliberate configuration change.


Verifying Your Changes

R1# show interface serial 0
Serial0 is up, line protocol is up
  Hardware is HD64570
  Internet address is 11.1.1.2/24
  MTU 1500 bytes, BW 64 Kbit, DLY 20000 usec, rely 255/255, load 1/255
  Encapsulation HDLC, loopback not set, keepalive set (10 sec)
  Last input 00:00:09, output 00:00:04, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0 (size/max/drops); Total output drops: 0
  Queueing strategy: weighted fair
  Output queue: 0/1000/64/0 (size/max total/threshold/drops)
     Conversations  0/1/256 (active/max active/max total)
     Reserved Conversations 0/0 (allocated/max allocated)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
(output cut)

(Slide callouts: rely 255/255 = 100% reliable; load 1/255 = no load.)

The show interface command reveals the hardware address (on a LAN interface), the logical address and the encapsulation method, as well as statistics. Maximum Transmission Unit (MTU) shows how many bytes of data can be sent in each encapsulated packet. BW is 1544 Kbit by default on most serial interfaces (it reads 64 Kbit here because bandwidth 64 was configured) and the delay is 20,000 microseconds. rely 255/255 means the link is 100% reliable, and load 1/255 means it is essentially idle. The encapsulation on a serial interface is HDLC by default. Loopback can be set to test the link, and the keepalive is 10 seconds by default; this is a Data Link layer keepalive exchanged between the routers, and if the two ends use different keepalive timers the line protocol may not stay up.


Interpreting Interface Status

R1# show interfaces serial 1
Serial1 is up, line protocol is up
        (Physical)         (Data Link)
        Carrier Detect     Keepalives

Serial1 is up, line protocol is up ......................... Operational
Serial1 is up, line protocol is down ....................... Connection problem
Serial1 is down, line protocol is down ..................... Interface problem
Serial1 is administratively down, line protocol is down .... Disabled

The most important statistic in the show interface output is the line and data-link protocol status. If the output reveals that serial 1 is up and the line protocol is up, the interface is up and running.

The first "up" in this example reflects carrier detect from the CSU/DSU (the physical layer). The second "up" reflects keepalives received from the remote router (the data-link layer).

Another thing to confirm is the state of the control signals. These are shown at the bottom of the output and, on most serial interfaces, can also be seen as a row of green LEDs on the interface itself. When the interface is up and normal, all of the signals show as up.


Show ip interface brief

R1# show ip interface brief
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            192.168.10.1    YES manual up                    up
FastEthernet0/1            10.1.1.2        YES DHCP   up                    up
Serial0/0/0                172.1.1.12      YES manual up                    up
Serial0/0/1                unassigned      YES unset  administratively down down

This command gives a quick view of the status of every interface configured on the router. The Status and Protocol fields are quick indicators of the state of each interface. When troubleshooting, a status of administratively down means the interface has been shut down in the configuration; perform a no shutdown on it to bring it up. Conversely, an interface that should not be in service is best left administratively down.
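As an added example (not from the course), here is a small Python parser for the two outputs above. It maps the first line of show interfaces to the layer that is failing, the way the course reads it, and parses show ip interface brief into records. The detail worth noting is that the Status column can contain a space (administratively down), so splitting a row on whitespace produces the wrong fields; the pattern below treats that value as one token. The sample output is constructed to match the slide, not captured from a device. A status line cannot reveal a Layer 3 problem: up/up only says that the physical and data-link layers are working.

```python
"""Parsing Cisco IOS interface status output.

Added example, not part of the original course material. It classifies
the first line of 'show interfaces' and parses 'show ip interface brief'.
The sample output is constructed to match the course slide.
"""
import re
from typing import Dict, List

# "Serial1 is up, line protocol is down". The interface name is matched
# lazily so that a name written with a space still parses.
_STATUS_LINE = re.compile(
    r"^(?P<iface>.+?) is (?P<link>up|down|administratively down),"
    r" line protocol is (?P<proto>up|down)"
)


def classify_interface(status_line: str) -> str:
    """Map the status line to a diagnosis.

    link  = physical layer (cable, carrier detect, or shutdown)
    proto = data-link layer (keepalives, encapsulation, clocking)
    """
    m = _STATUS_LINE.match(status_line.strip())
    if not m:
        raise ValueError(f"unrecognised status line: {status_line!r}")
    link, proto = m.group("link"), m.group("proto")
    if link == "administratively down":
        return "port disabled (needs 'no shutdown')"
    if link == "down":
        return "layer 1 problem (cable, carrier detect, far end down)"
    if proto == "down":
        return "layer 2 problem (keepalives, encapsulation, clocking)"
    return "operational"


# One row of 'show ip interface brief'. The Status alternatives are ordered
# so that the two-word value "administratively down" is tried first.
_BRIEF_ROW = re.compile(
    r"^(?P<iface>\S+)\s+(?P<ip>\S+)\s+(?P<ok>YES|NO)\s+(?P<method>\S+)\s+"
    r"(?P<status>administratively down|up|down)\s+(?P<proto>up|down)\s*$"
)


def parse_ip_interface_brief(output: str) -> List[Dict[str, str]]:
    """Turn 'show ip interface brief' text into a list of row dicts.

    The header row is skipped automatically because 'OK?' does not match
    the YES|NO column.
    """
    rows = []
    for line in output.splitlines():
        m = _BRIEF_ROW.match(line.strip())
        if m:
            rows.append(m.groupdict())
    return rows


def interfaces_needing_attention(output: str) -> Dict[str, str]:
    """Interface name -> diagnosis for every interface that is not up/up."""
    result = {}
    for row in parse_ip_interface_brief(output):
        line = f"{row['iface']} is {row['status']}, line protocol is {row['proto']}"
        verdict = classify_interface(line)
        if verdict != "operational":
            result[row["iface"]] = verdict
    return result


# Constructed to match the course slide; not captured from a device.
SAMPLE_BRIEF = """\
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            192.168.10.1    YES manual up                    up
FastEthernet0/1            10.1.1.2        YES DHCP   up                    up
Serial0/0/0                172.1.1.12      YES manual up                    up
Serial0/0/1                unassigned      YES unset  administratively down down
"""
```

interfaces_needing_attention(SAMPLE_BRIEF) returns only Serial0/0/1, flagged as disabled, which is the conclusion the slide draws by eye. Feeding the four status lines from the quiz on the next slide into classify_interface gives the layer 1, layer 2, operational and disabled answers; the "Layer 3 problem" option has no matching status line, which is the point of that distractor.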


Which issue on the left corresponds to the router output on the right?

Issue:               Router output:
Layer 1 problem      Serial 0/1 is up, line protocol is up
Layer 2 problem      Serial 0/1 is up, line protocol is down
Layer 3 problem      Serial 0/1 is down, line protocol is down
Port operational     Serial 0/1 is administratively down, line protocol is down
Port disabled


Erasing NVRAM on a RouterErasing NVRAM on a Router

R1(config)# exitR1# erase startup-configErasing the nvram will remove all the files! Continue?OKErase of nvram complete

Erasing a router configuration

You can delete the startup-config file with the “erase startup-config” command.

This command would be recommended if the router was being re-deployed or decommissioned, and you wanted to make sure none of the old configuration elements were present when it either comes back online, or is decommissioned. Once the configuration is erased, the user will be prompted to enter setup commands as if the router had come from the factory.

The “write erase” command is another command that performs the same function.


Draw a line from the left to the answer on the right…

# configure term

(config-if)# ip address 192.168.3.3/24

(config-if)# ip address 10.8.26.0 255.255.248.0

(config)# ip address 172.16.10.1 255.255.255.0

(config)# interface fa0/0

(config-if)# no shutdown

(config-if)# enable interface

# enable

> enable

Enter privileged EXEC mode

Enter global config mode

Enter interface config mode

Configure the interface IP address

Enable the interface


Chapter 1 Lab

Hands-on Lab 1.2

Open your lab book and complete hands-on lab 2.4


Introduction to Cisco Catalyst Switches

Chapter 1 Continued

This section will introduce you to Cisco Catalyst IOS Switches and how to set an IP address on the switch so it can be managed in-band.

When Cisco talks about switching, it really means layer-2 switching unless stated otherwise. Layer-2 switching is the process of using the hardware address of devices on a LAN to segment a network.

Switching will be explained in detail in a later chapter.


Catalyst Switches

If POST completes successfully, the system LED turns green. If POST fails, the system LED turns amber. This is typically fatal.

The 2950 comes in a bunch of flavors, and runs 10Mbps all the way up to 1Gbps switched ports, with either twisted-pair or fiber. It can be a layer 3 switch, and runs what is known as Catalyst IOS. This operating system is very similar to Cisco IOS running on a router, and all ports are treated as interfaces.

The 3550 and 3750 switches can provide layer 3 services, the 2950 cannot.


Hubs (Physical)

[Figure: hosts A, B, C and D attached to a single hub]

• All devices in the same collision domain
• All devices in the same broadcast domain
• Devices share the same bandwidth

Hubs just connect network segments together.


Switches/Bridges (Layer 2)

• Each segment has its own collision domain
• All segments are in the same broadcast domain
• Dedicated bandwidth when only one host is connected to a switch port

[Figure: switch with ports 1, 2, 3 and 4; cable labels: crossover cable, straight-through cable]

Switches/Bridges break up collision domains, but create one large broadcast domain by default.


Switches Supersede Bridges

• Operate at Layer 2 of the OSI model
• Forward, filter, or flood frames
• Have many ports
• Bridges/switches learn MAC addresses by examining the source MAC address of each frame received

[Figure: Segment 1 (hub) and Segment 2 (hub) joined by a switch, with a connection to the Internet]

Layer-2 switching is hardware based, which means it uses the MAC address from the host’s NIC cards to filter the network. Unlike bridges that use software to create and manage a filter table, switches use application-specific integrated circuits (ASICs) to build and maintain their filter tables. But it’s still okay to think of a layer-2 switch as a multiport bridge because their basic reason for being is the same: to break up collision domains.

Layer-2 switches and bridges are faster than routers because they don’t take up time looking at the Network layer header information. Instead, they look at the frame’s hardware addresses before deciding to either forward the frame or drop it.

Switches create private dedicated domains and don’t share bandwidth like a hub would.


LAN Switch Features

Dedicated Communication Between Devices

Multiple Simultaneous Conversations

Full-Duplex Communication

Media-Rate Adaptation

[Figure: media-rate adaptation between a 100 MB port and a 10 MB port]

LAN Switches provide many features including dedicated connections between an end node and the switch allowing for a much smaller collision domain and the capability to run at full duplex.


Three Switch Functions

• Address learning

• Forward/filter decision

• Loop avoidance

There are three distinct functions of layer-2 switching: address learning, forward/filter decisions, and loop avoidance.


Learning Host Locations

• Initial MAC address table is empty

[Figure: switch with ports E0, E1, E2 and E3 connecting hosts A, B, C and D (MAC addresses 0260.8c01.1111, 0260.8c01.2222, 0260.8c01.3333, 0260.8c01.4444); the MAC address table is empty]

When a switch is first powered on, the MAC forward/filter table is empty.

When a device transmits and an interface receives a frame, the switch places the frame’s source address in the MAC forward/filter table, allowing it to remember which interface the sending device is located on. The switch then has no choice but to flood the network with this frame because it has no idea where the destination device is actually located.


How Switches Filter Frames

• Station A sends a frame to station C
• Destination is known, frame is not flooded

MAC address table:
E0: 0260.8c01.1111
E2: 0260.8c01.2222
E1: 0260.8c01.3333
E3: 0260.8c01.4444

[Figure: hosts A, B, C and D on ports E0–E3; the frame from A is sent only out the port for C, the other ports are marked with an X]

When the switch is powered on, it has nothing in its MAC address forward/filter table. But when the hosts start communicating, the switch places the source hardware address of each frame in the table along with the port that address corresponds to.


Broadcast and Multicast Frames

• Station D sends a broadcast or multicast frame

• Broadcast and multicast frames are flooded to all ports other than the originating port

[Figure: hosts A, B, C and D (MAC addresses 0260.8c01.1111, 0260.8c01.2222, 0260.8c01.3333, 0260.8c01.4444) on ports E0–E3; the frame from D is flooded to the other three ports]

MAC address table:
E0: 0260.8c01.1111
E2: 0260.8c01.2222
E1: 0260.8c01.3333
E3: 0260.8c01.4444

When a frame arrives at a switch interface, the destination hardware address is compared to the forward/filter MAC database. If the destination hardware address is known and listed in the database, the frame is only sent out the correct exit interface. The switch doesn’t transmit the frame out any interface except for the destination interface. This preserves bandwidth on the other network segments and is called frame filtering.

But if the destination hardware address isn’t listed in the MAC database, then the frame is flooded out all active interfaces except the interface the frame was received on. If a device answers the flooded frame, the MAC database is updated with the device’s location (interface).

If a host or server sends a broadcast on the LAN, the switch will broadcast the frame out all active ports by default. Remember, the switch only creates smaller collision domains, but it’s still one large broadcast domain by default.


show mac-address-table

S1 needs to forward a frame with a destination address of 00b0.d056.efa4.

What will the switch do with this frame?

Switch-1# show mac address-table
Dynamic Addresses Count: 3
Secure Addresses (User-defined) Count: 0
Static Addresses (User-defined) Count: 0
System Self Addresses Count: 41
Total Mac Addresses: 50

Non-static Address Table:
Destination Address  Address Type  VLAN  Destination Port
0010.0de0.e289       Dynamic       1     FastEthernet0/1
0010.7b00.1540       Dynamic       2     FastEthernet0/3
0010.7b00.1545       Dynamic       2     FastEthernet0/2

What would the switch do if it received a frame and the source address was 00b0.d056.efa4?

It would place the address in the MAC Address Table with the destination port being the source port the packet was received on.
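The learning, filtering and flooding slides above, and the two questions on this slide, all describe the same forward/filter table. As an added example (not Cisco code and not part of the course material), the class below simulates those behaviours: it learns the source MAC on the ingress port, forwards a known unicast out one port, filters a frame whose destination sits on the ingress port, and floods unknown unicast, broadcast and multicast to every other port. Loop avoidance (STP) is not modelled. Port names and MAC addresses are the constructed values from the slides’ diagrams; the class and method names are the example’s own.

```python
"""Simulate the layer-2 switch functions the slides walk through:
address learning, the forward/filter decision for known unicast, and
flooding of unknown unicast, broadcast and multicast frames.

Added example, not Cisco code. The port names and MAC addresses are the
constructed values from the slides' diagrams, not a capture from a switch.
"""

def is_group_address(mac):
    """Broadcast/multicast: the I/G bit (low bit of the first octet) is set."""
    first_octet = int(mac.replace(".", "")[:2], 16)
    return bool(first_octet & 0x01)

class Layer2Switch:
    def __init__(self, ports):
        self.ports = list(ports)
        # MAC -> port: the forward/filter table, empty at power-on.
        self.mac_table = {}

    def receive(self, in_port, src, dst):
        """Process one frame. Returns (decision, egress_ports) where the
        decision is 'forward', 'filter' or 'flood'."""
        # 1. Address learning: the source MAC lives on the ingress port.
        self.mac_table[src] = in_port
        # 2. Forward/filter decision.
        if not is_group_address(dst) and dst in self.mac_table:
            out = self.mac_table[dst]
            if out == in_port:
                return "filter", []      # destination is on the same segment: drop
            return "forward", [out]      # known unicast: a single exit port
        # Unknown unicast, broadcast and multicast go everywhere but the ingress port.
        return "flood", [p for p in self.ports if p != in_port]

    def show_mac_address_table(self):
        """(port, mac) pairs sorted by port, like 'show mac address-table'."""
        return sorted((port, mac) for mac, port in self.mac_table.items())

if __name__ == "__main__":
    sw = Layer2Switch(["E0", "E1", "E2", "E3"])
    print(sw.receive("E0", "0260.8c01.1111", "0260.8c01.3333"))  # unknown: flood
    print(sw.receive("E1", "0260.8c01.3333", "0260.8c01.1111"))  # known: forward
    print(sw.show_mac_address_table())
```

Applied to the slide’s question: a frame whose destination 00b0.d056.efa4 is absent from the table is flooded, and when that address later appears as a source it is learned on the port the frame arrived on.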


Connecting Switches together

When connecting a cable into a switch, at first the link lights are orange, then turn green indicating normal operation. Why?

Crossover cable

You would use a crossover cable to connect switches together. A crossover cable has the following pins crossed:
1 to 3
2 to 6
3 to 1
6 to 2

The lights turn orange for 50 seconds because of the Spanning-Tree Protocol (STP), which is covered in detail later in this course. This behavior does depend on the type of switches being interconnected, their speed and duplex settings, and their spanning tree configuration. Care and caution should be exercised when interconnecting switches, so as not to introduce loops in the network topology, as well as to limit the broadcast domain and not to substantially oversubscribe the uplink ports.


Do switches need an IP Address?

Which type of Ethernet cable is used to connect the hubs to the switch?

Crossover cable

[Figure: three hubs connected to two switches]

No, switches do not need an IP address. We would add an IP address to a switch only for management purposes and it is configured under the VLAN 1 interface, or the management VLAN – NOT on an interface. This can also take the form of an Sc0 interface in the case of switches running Catalyst OS.

To connect a hub to a switch, you would use a crossover cable. Why not a straight-through?


What is the default gateway address for the hosts?

Both the hosts and the switch would use a default gateway address of 192.168.10.1

[Figure: router interface E0 with address 192.168.10.1; switch with address 192.168.10.2]

The default gateway address of the hosts (which allows them to send packets out of the local network) is always set to a router or layer 3 network address. The layer 2 switch usually does not perform any routing functions, and would not be able to route the packet if it were directed to its IP address.

The switch, when sending packets out of the local network for management purposes only, needs a default gateway address set to the router as well – just like a host would.

Remember, the IP address and default gateway set on the switch have nothing to do with a host sending packets out of the local network. Think of the switch’s configuration in the same way as any host that does not route traffic. The switch simply breaks up collision domains for the local network and the router is used to connect networks together.


Configuring the Switch IP Address

Switch(config)# interface vlan 1
Switch(config-if)# ip address 192.168.10.2 255.255.255.0
Switch(config-if)# no shutdown
Switch(config-if)# exit

Configures an IP address and subnet mask for the switch

Switch(config)# ip default-gateway 192.168.10.1

Configures the default gateway for the switch

• The rest of the commands are similar to a router’s IOS
• i.e. copy run start, erase start, show run, passwords…, etc…

The IP address is configured differently on Catalyst switches than on any router: you configure it under the VLAN1 interface. Remember that every port on every switch is a member of VLAN1 by default. This really confuses a lot of people; you would think that you set an IP address under a switch interface, but no, that is not where it goes. Remember that you set an IP address “for” the switch so you can manage the switch in-band (through the network). You set the “ip default-gateway” command so that you can manage the switch from outside the local network. Remember to also perform a “no shut” under the VLAN interface.
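Both the earlier “draw a line” exercise and the switch configuration above hinge on what a valid “ip address” line and a valid “ip default-gateway” look like. As an added example (not Cisco code and not part of the course material), the checker below reproduces three conditions: the mask must be contiguous (IOS answers “Bad mask” otherwise), the address must be a usable host address rather than the network or broadcast address, and the switch’s default gateway must be a router address inside the management subnet, not the switch’s own address. It also shows why the CIDR form from the exercise is rejected: the command takes a dotted-decimal mask. The function names are the example’s own; the addresses in the usage section are the slides’ sample values.

```python
"""Check the values used in 'ip address <addr> <mask>' (on a router
interface or, for a switch, under 'interface vlan 1') and in
'ip default-gateway <gw>' before they are pasted into a device.

Added example, not Cisco code. It encodes the checks described in the
lead-in: contiguous mask, usable host address, gateway inside the
management subnet.
"""
import ipaddress

def validate_ip_address(address, mask):
    """Return (ok, detail) for an 'ip address' pair. IOS takes a dotted
    decimal mask here, so '192.168.3.3/24' style input is rejected."""
    try:
        addr = ipaddress.IPv4Address(address)
        mask_int = int(ipaddress.IPv4Address(mask))
    except ValueError as exc:
        return False, f"not dotted-decimal: {exc}"
    # A contiguous mask is ones followed by zeros, so its inverse is of the
    # form 2**k - 1 and has no bit in common with inverse + 1.
    inverse = (~mask_int) & 0xFFFFFFFF
    if inverse & (inverse + 1):
        return False, f"bad mask {mask} (non-contiguous)"
    net = ipaddress.IPv4Network((address, mask), strict=False)
    if net.prefixlen < 31 and addr in (net.network_address, net.broadcast_address):
        return False, f"bad mask /{net.prefixlen} for address {address} (network or broadcast address)"
    return True, f"{addr}/{net.prefixlen} in {net}"

def validate_switch_management(address, mask, gateway):
    """The VLAN 1 address and 'ip default-gateway' must belong together."""
    ok, detail = validate_ip_address(address, mask)
    if not ok:
        return False, detail
    net = ipaddress.IPv4Network((address, mask), strict=False)
    try:
        gw = ipaddress.IPv4Address(gateway)
    except ValueError as exc:
        return False, f"bad gateway: {exc}"
    if gw not in net:
        return False, f"gateway {gateway} is outside the management subnet {net}"
    if gw == ipaddress.IPv4Address(address):
        return False, "gateway must be the router's address, not the switch's own"
    return True, f"switch {address}/{net.prefixlen}, default gateway {gateway}"

if __name__ == "__main__":
    print(validate_ip_address("172.16.10.1", "255.255.255.0"))
    print(validate_ip_address("192.168.3.3/24", "255.255.255.0"))
    print(validate_ip_address("10.8.26.0", "255.255.248.0"))
    print(validate_switch_management("192.168.10.2", "255.255.255.0", "192.168.10.1"))
```

One point the exercise’s distractors bring out: 10.8.26.0 with mask 255.255.248.0 passes, because the network address of that /21 is 10.8.24.0, so a host address ending in .0 is legitimate there; the check is against the computed network and broadcast addresses, not against the last octet.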


Testing your understanding

As is true on routers, both the 2950’s and 3550’s configurations are stored in NVRAM.

You save the configuration with the “copy running-config startup-config”command, and you can erase the contents of NVRAM with the “erase startup-config” command.

On a Catalyst OS switch:
Switch (enable)> clear config all
Switch (enable)> reset


show running-config

Switch# sh running-config
Building configuration...
[output cut]
!
interface Vlan1
 ip address 172.16.10.3 255.255.255.0
!
ip default-gateway 172.16.10.2
!

The “show running-config” command displays the active configuration.


Chapter 1 Lab

Hands-On Lab 1.3 & 1.4

Open your lab books and complete labs 2.5 and 2.6


Chapter 1 Summary

• Cisco routers provide a command line interface (CLI)
• There are two modes:
  • User EXEC
  • Privileged EXEC
• The enable command is used to enter Privileged EXEC mode from User EXEC mode
• Routers contain four types of memory:
  • RAM (Random Access Memory)
  • ROM (Read Only Memory)
  • Flash
  • NVRAM (NonVolatile RAM)

• Learned CTRL and ESC sequences to manipulate the command line.

• Learned the startup sequence of the router.


Chapter 1 Summary (cont.)

• Learned how to manipulate / store / restore the router configuration file.

• There are several passwords on a Cisco router that control access. Examples are as follows:

• enable

• enable secret

• line VTY # (telnet access)

• console

• auxiliary

• Unencrypted passwords can be encrypted in the configuration file so they are not seen as clear text.

• Banners can be used to display messages

• Default configuration register setting is 0x2102 (0x2142 is used for password recovery)


Security

Chapter 6

The proper use and configuration of access lists is a vital part of router configuration because access lists are such versatile networking accessories. Contributing mightily to the efficiency and operation of your network, access lists give network managers a huge amount of control over traffic flow throughout the enterprise. With access lists, managers can gather basic statistics on packet flow and security policies can be implemented. Sensitive devices can also be protected from unauthorized access.


Common Threats to Physical Installations

• Hardware threats

• Environmental threats

• Electrical threats

• Maintenance threats

What should be part of a comprehensive network security plan?

• Physically secure network equipment from potential access by unauthorized individuals.


Common Attacks

• Denial of Service (DoS): a flood of packets that are requesting a TCP connection to a server

[Figure: a “Bad Guy” on the Internet sends SYN packets to the server lammle.com 65,000 times; the SYN/ACK exchanges pile up until the server crashes]
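The slide shows the attack from the victim’s side only. As an added example from the defender’s side (not part of the course material), the script below flags a likely SYN flood in connection-attempt records: a burst of SYNs to one server from many sources, almost none of which go on to complete the handshake. The records are constructed for the illustration and the thresholds (window, SYN count, completion ratio) are illustrative assumptions; in practice they would be tuned to the server’s normal connection rate. The function names are the example’s own.

```python
"""Flag a likely TCP SYN flood from connection-attempt records: a burst
of SYNs to one server from many sources, almost none of which go on to
complete the handshake.

Added example, not from the course material. The records are constructed
for the illustration and the thresholds are illustrative assumptions; a
real deployment would read them from a flow collector or firewall log.
"""
from collections import defaultdict

def _constructed_records():
    """(timestamp, src_ip, dst_ip, dst_port, flag) tuples; 'S' = a SYN seen
    from the client, 'A' = the client's final handshake ACK seen."""
    recs = []
    # 150 SYNs from 150 different sources to one web server inside 3 s, no ACKs
    for i in range(150):
        recs.append((100.0 + i * 0.02, f"10.0.{i}.{(i * 7) % 256}", "203.0.113.10", 80, "S"))
    # one legitimate client on the same server completes its handshake
    recs.append((100.5, "198.51.100.7", "203.0.113.10", 80, "S"))
    recs.append((100.6, "198.51.100.7", "203.0.113.10", 80, "A"))
    # a quiet server with ordinary completed connections
    for i in range(5):
        recs.append((200.0 + i, f"198.51.100.{i + 1}", "203.0.113.20", 443, "S"))
        recs.append((200.1 + i, f"198.51.100.{i + 1}", "203.0.113.20", 443, "A"))
    return recs

SAMPLE_RECORDS = _constructed_records()

def detect_syn_flood(records, window=5.0, syn_threshold=100, max_completion=0.1):
    """Return {(dst_ip, dst_port): stats} for servers that saw at least
    syn_threshold SYNs inside any `window` seconds while the fraction of
    sources completing the handshake stayed at or below max_completion."""
    by_server = defaultdict(list)
    for ts, src, dst, dport, flag in records:
        by_server[(dst, dport)].append((ts, src, flag))
    alerts = {}
    for server, events in by_server.items():
        events.sort()
        syn_times = [ts for ts, _, f in events if f == "S"]
        syn_sources = {src for _, src, f in events if f == "S"}
        ack_sources = {src for _, src, f in events if f == "A"}
        completed = syn_sources & ack_sources
        # Peak number of SYNs inside any window-long interval (two pointers).
        peak, lo = 0, 0
        for hi, t in enumerate(syn_times):
            while t - syn_times[lo] > window:
                lo += 1
            peak = max(peak, hi - lo + 1)
        ratio = len(completed) / len(syn_times) if syn_times else 1.0
        if peak >= syn_threshold and ratio <= max_completion:
            alerts[server] = {
                "peak_syns_in_window": peak,
                "distinct_syn_sources": len(syn_sources),
                "completion_ratio": round(ratio, 3),
            }
    return alerts

if __name__ == "__main__":
    for server, stats in detect_syn_flood(SAMPLE_RECORDS).items():
        print(server, stats)
```

The completion ratio is what separates a flood from a legitimate rush of visitors: a busy but healthy server sees many SYNs and roughly as many completed handshakes, whereas here 151 sources send SYNs and one finishes.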


Security Appliances

• IDS: An intrusion detection system is used to detect several types of malicious behaviors that can compromise the security and trust of a computer system. This includes network attacks against vulnerable services, data driven attacks on applications, host based attacks such as privilege escalation, unauthorized logins and access to sensitive files, and malware (viruses, trojan horses and worms).

• IPS: An intrusion prevention system is a computer security device that monitors network and/or system activities for malicious or unwanted behavior and can react, in real-time, to block or prevent those activities. Network-based IPS, for example, will operate in-line to monitor all network traffic for malicious code or attacks. When an attack is detected, it can drop the offending packets while still allowing all other traffic to pass.


Why Use ACLs?

• Filtering: Manage IP traffic by filtering packets passing through a router
• Classification: Identify traffic for special handling

An access list is a mechanism for identifying particular traffic. One application of an access list is for filtering traffic into or out of a router interface.


ACL Applications: Filtering

• Permit or deny packets moving through the router.
• Permit or deny vty access to or from the router.
• Without ACLs, all packets could be transmitted to all parts of your network.

This figure illustrates common uses for IP access lists.

While this chapter focuses on IP access lists, the concept of access lists as mechanisms to control traffic in a network applies to all protocols.

An improved security solution is the lock-and-key access feature, which is available only with IP extended access lists. Lock-and-key access allows you to set up dynamic access lists that grant access per user to a specific source/destination host through a user authentication process. You can allow user access through a firewall dynamically, without compromising security restrictions.


Types of IP ACLs

Standard ACL
• Checks source address
• Generally permits or denies entire protocol suite

Extended ACL
• Checks source and destination address
• Generally permits or denies specific protocols and applications

Two methods used to identify standard and extended ACLs:
• Numbered ACLs use a number for identification
• Named ACLs use a descriptive name or number for identification


How to Identify ACLs

• Numbered standard IPv4 lists (1–99) test conditions of all IP packets for source addresses. Expanded range (1300–1999).
• Numbered extended IPv4 lists (100–199) test conditions of source and destination addresses, specific TCP/IP protocols, and destination ports. Expanded range (2000–2699).
• Named ACLs identify IP standard and extended ACLs with an alphanumeric string (name).

With Cisco IOS 12.0, the IP access-list range has been expanded to also include:
<1300-1999> IP standard access list (expanded range)
<2000-2699> IP extended access list (expanded range)


IP Access List Entry Sequence Numbering

• Requires Cisco IOS Release 12.3
• Allows you to edit the order of ACL statements using sequence numbers
  • In software earlier than Cisco IOS Release 12.3, a text editor is used to create ACL statements, then the statements are copied into the router in the correct order.
• Allows you to remove a single ACL statement from the list using a sequence number
  • With named ACLs in software earlier than Cisco IOS Release 12.3, you must use no {deny | permit} protocol source source-wildcard destination destination-wildcard to remove an individual statement.
  • With numbered ACLs in software earlier than Cisco IOS Release 12.3, you must remove the entire ACL to remove a single ACL statement.


ACL Configuration Guidelines

• Standard or extended indicates what can be filtered.
• Only one ACL per interface, per protocol, and per direction is allowed.
• The order of ACL statements controls testing; therefore, the most specific statements go at the top of the list.
• The last ACL test is always an implicit deny everything else statement, so every list needs at least one permit statement.
• ACLs are created globally and then applied to interfaces for inbound or outbound traffic.
• An ACL can filter traffic going through the router, or traffic to and from the router, depending on how it is applied.
• When placing ACLs in the network:
  • Place extended ACLs close to the source
  • Place standard ACLs close to the destination
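The three ACL slides above (types, number ranges, and the ordering and implicit-deny guidelines) describe how IOS evaluates a list. As an added example that is not IOS code and not part of the course material, the evaluator below parses the common “access-list” forms (any, host A, A wildcard, optional “eq port”), classifies a list as standard or extended from its number, matches packets with Cisco wildcard masks, stops at the first matching entry, and falls through to the implicit deny. The access-list lines and packets are constructed; the function names and the PORT_NAMES table are the example’s own.

```python
"""Evaluate Cisco-style numbered IP access lists against sample packets:
top-down first match, wildcard masks, and the implicit 'deny any' that
ends every list.

Added example, not IOS code. The access-list lines and packets are
constructed for the illustration; only the common 'access-list' forms
(any / host A / A wildcard, optional 'eq port') are parsed.
"""
import ipaddress

PORT_NAMES = {"ftp": 21, "telnet": 23, "smtp": 25, "domain": 53, "www": 80}
ANY = ("0.0.0.0", "255.255.255.255")

def acl_kind(number):
    """Standard or extended, from the IOS number ranges on the slides."""
    if 1 <= number <= 99 or 1300 <= number <= 1999:
        return "standard"
    if 100 <= number <= 199 or 2000 <= number <= 2699:
        return "extended"
    raise ValueError(f"{number} is not a numbered IP access list")

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard mask: a 1 bit means 'don't care'. 0.0.0.0 is an
    exact host match, 255.255.255.255 matches anything."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w) == (b & ~w)

def _parse_addr(tokens, i):
    """Parse 'any' | 'host A' | 'A W' at tokens[i]; return ((base, wildcard), next_i)."""
    if tokens[i] == "any":
        return ANY, i + 1
    if tokens[i] == "host":
        return (tokens[i + 1], "0.0.0.0"), i + 2
    return (tokens[i], tokens[i + 1]), i + 2

def parse_acl_line(line):
    """'access-list N permit|deny ...' -> entry dict."""
    t = line.split()
    if t[0] != "access-list":
        raise ValueError(f"not an access-list line: {line}")
    number, action = int(t[1]), t[2]
    entry = {"number": number, "action": action, "dport": None}
    if acl_kind(number) == "standard":
        # Standard lists test only the source; a bare address means 'host'.
        if len(t) == 4 and t[3] != "any":
            entry["src"] = (t[3], "0.0.0.0")
        else:
            entry["src"], _ = _parse_addr(t, 3)
        entry["proto"], entry["dst"] = "ip", ANY
    else:
        entry["proto"] = t[3]
        entry["src"], i = _parse_addr(t, 4)
        entry["dst"], i = _parse_addr(t, i)
        if i < len(t) and t[i] == "eq":
            entry["dport"] = PORT_NAMES.get(t[i + 1]) or int(t[i + 1])
    return entry

def evaluate(acl, packet):
    """First matching entry decides; return (action, entry). With no match
    the implicit deny at the end of the list applies: ('deny', None)."""
    for entry in acl:
        if entry["proto"] not in ("ip", packet["proto"]):
            continue
        if not wildcard_match(packet["src"], *entry["src"]):
            continue
        if not wildcard_match(packet["dst"], *entry["dst"]):
            continue
        if entry["dport"] is not None and packet.get("dport") != entry["dport"]:
            continue
        return entry["action"], entry
    return "deny", None

# Constructed sample lists: block Telnet from 10.1.1.0/24 to one server and
# allow the rest of that subnet's traffic; a standard list admitting only
# sources in 172.16.10.0/24.
ACL_101 = [parse_acl_line(line) for line in (
    "access-list 101 deny tcp 10.1.1.0 0.0.0.255 host 192.168.10.5 eq telnet",
    "access-list 101 permit ip 10.1.1.0 0.0.0.255 any",
)]
ACL_10 = [parse_acl_line("access-list 10 permit 172.16.10.0 0.0.0.255")]

if __name__ == "__main__":
    pkt = {"proto": "tcp", "src": "10.1.1.7", "dst": "192.168.10.5", "dport": 23}
    print(evaluate(ACL_101, pkt)[0])                 # deny: the specific line comes first
    print(evaluate(list(reversed(ACL_101)), pkt)[0]) # permit: wrong order lets it through
```

Reversing ACL_101 in the usage section is the ordering guideline made concrete: with the broad permit first, the Telnet deny is never reached. The empty match at the end of evaluate is the implicit deny, which is why ACL_10 needs no explicit “deny any” and why a list with no permit blocks everything.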


Dynamic ACLs

Dynamic ACLs (lock-and-key): Users that want to traverse the router are blocked until they use Telnet to connect to the router and are authenticated.

Use Telnet to connect to router and authenticate.

Use FTP, HTTP, etc. to connect to the server.


Reflexive ACLs

Reflexive ACLs: Used to allow outbound traffic and limit inbound traffic in response to sessions that originate inside the router

Inbound Traffic Initiated Outside

Inbound Traffic Initiated Inside

S0


Time-Based ACLs

Time-based ACLs: Allow for access control based on the time of day and week


Access List Applications

Typical uses for Access lists:

• Permit or deny packets moving through the router

• Permit or deny vty access to or from the router

• Stop basic user data. Without access lists, all packets could be transmitted onto all parts of your network.

Advanced uses for Access-lists:

• Priority and custom queuing

• Dial-on-Demand Routing (DDR)

• Route table filtering

• Classify network traffic

This figure illustrates common uses for IP access lists.

While this chapter focuses on IP access lists, the concept of access lists as mechanisms to control traffic in a network applies to all protocols.

An improved security solution is the lock-and-key access feature, which is available only with IP extended access lists. Lock-and-key access allows you to set up dynamic access lists that grant access per user to a specific source/destination host through a user authentication process. You can allow user access through a firewall dynamically, without compromising security restrictions.

Access lists can be used to permit or deny packets moving through the router, permit or deny Telnet (VTY) access to or from a router, and create dial-on-demand interesting traffic that triggers dialing to a remote location.


Wildcards Review

Figure: an outgoing packet on E0 and an incoming packet on S0.

172.16.16.29 0.0.0.0 specifies this host

192.168.10.0 0.0.0.255 specifies this network

You must remember your block sizes:

128, 64, 32, 16, 8 and 4

Wildcards are used with access lists to specify an individual host, a network, or a certain range of a network or networks.

To understand a wildcard, you need to understand what a block size is; they’re used to specify a range of addresses. Some of the different block sizes available are 64, 32, 16, 8, and 4.


Wildcard Masks

The wildcard is always one less than the block size.

Subnet               Wildcard mask
172.16.10.32/27      0.0.0.31
172.16.10.4/30       0.0.0.3
172.16.10.128/26     0.0.0.63
172.16.10.32/28      0.0.0.15
172.16.10.8/29       0.0.0.7
172.16.16.0/20       0.0.15.255

This is a review of wildcard masks, as first discussed when configuring OSPF.

You really need to know these!!


Access List Command Overview

Standard IP Access List Commands

Router(config)# access-list access-list-number {permit | deny} {test conditions}

Router(config-if)# {protocol} access-group access-list-number {in | out}

Example Standard IP Access List Commands

Router(config)# access-list 10 permit host 172.16.10.1
Router(config)# access-list 10 permit 172.16.10.2
Router(config)# access-list 10 permit 172.16.10.3 0.0.0.0
Router(config)# int e0
Router(config-if)# ip access-group 10 in

This slide demonstrates a “basic” standard access-list. Each of the three test statements says the same thing; it shows three different ways to specify a host.


Wildcard Example 1

Figure: router with interfaces E0 and E1 serving 172.16.10.0/24 and 172.16.20.0/24, and S0 toward the Internet.

access-list 10 deny 172.16.10.0 0.0.0.255
access-list 10 permit any
int e1
ip access-group 10 out

This example will deny anyone on network 172.16.10.0 from exiting interface E1.


Wildcard Example 2

Figure: router with interfaces E0 and E1 serving host 172.16.10.2/24 and network 172.16.20.0/24, and S0 toward the Internet.

access-list 10 deny 172.16.10.2 0.0.0.0
access-list 10 permit any
int e1
ip access-group 10 out

This example stops only host 172.16.10.2 from exiting interface E1.


Wildcard Example 3

Figure: router with interfaces E0 and E1 serving 192.168.10.64/26 and 192.168.10.128/26, and S0 toward the Internet.

access-list 10 deny 192.168.10.128 0.0.0.63
access-list 10 permit any
int e1
ip access-group 10 out

This example will deny anyone on subnet 192.168.10.128 from exiting interface E1.


Wildcard Question

You have the following four test statements:

access-list 10 permit 172.16.16.0 0.0.0.255

access-list 10 permit 172.16.17.0 0.0.0.255

access-list 10 permit 172.16.18.0 0.0.0.255

access-list 10 permit 172.16.19.0 0.0.0.255

What one statement can replace these four?

Answer:

access-list 10 permit 172.16.16.0 0.0.3.255
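The wildcard arithmetic behind the Wildcard Masks table and the answer above, worked in code. This is an added example and not part of the course material; the function names (wildcard_for_prefix, wildcard_matches, summarize) are mine. summarize goes a step beyond the slide: it computes the longest common prefix of the listed networks, which is exactly why 0.0.3.255 covers the four /24s, and it refuses to collapse a set that is not one aligned block (three of the four, or two that straddle a boundary), which is the mistake a hand-written summary most often makes.

```python
import ipaddress
from typing import List, Optional, Tuple


def wildcard_for_prefix(prefix_len: int) -> str:
    """Wildcard mask for a /prefix_len network: every host bit set. This is the
    subnet mask inverted, and in the last used octet it is block size minus one."""
    host_bits = 32 - prefix_len
    return str(ipaddress.IPv4Address((1 << host_bits) - 1))


def wildcard_matches(addr: str, network: str, wildcard: str) -> bool:
    """Cisco wildcard test: 1 bits in the wildcard are 'don't care'; at every
    0 bit the address must equal the network."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (n & care)


def summarize(networks: List[str]) -> Optional[Tuple[str, str]]:
    """Collapse contiguous networks into one 'network wildcard' pair that covers
    exactly the same addresses. Returns None when they do not form one aligned
    block, i.e. when a single statement would permit more than the originals."""
    nets = [ipaddress.IPv4Network(n) for n in networks]
    low = min(int(n.network_address) for n in nets)
    high = max(int(n.broadcast_address) for n in nets)
    prefix = 32 - (low ^ high).bit_length()          # longest common prefix
    block = ipaddress.IPv4Network((low, prefix), strict=False)
    aligned = int(block.network_address) == low
    exact = block.num_addresses == sum(n.num_addresses for n in nets)
    if not (aligned and exact):
        return None
    return str(block.network_address), wildcard_for_prefix(prefix)


# Constructed sample: the four statements from the question above.
FOUR_STATEMENTS = [f"172.16.{third}.0/24" for third in (16, 17, 18, 19)]


def demo() -> dict:
    single = summarize(FOUR_STATEMENTS)          # ("172.16.16.0", "0.0.3.255")
    table = ((27, "0.0.0.31"), (30, "0.0.0.3"), (26, "0.0.0.63"),
             (28, "0.0.0.15"), (29, "0.0.0.7"), (20, "0.0.15.255"))
    return {
        "table_ok": all(wildcard_for_prefix(p) == w for p, w in table),
        "single_statement": single,
        "covers_172.16.19.7": wildcard_matches("172.16.19.7", *single),
        "covers_172.16.20.1": wildcard_matches("172.16.20.1", *single),
        "three_of_four": summarize(FOUR_STATEMENTS[:3]),   # None: 768 addresses is not a block
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The check in summarize matters in practice: a wildcard can only describe a power-of-two, aligned block, so "nearly contiguous" ranges silently widen the permit if you round them up by hand.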


Applying Access Lists to a VTY Line

Figure: Telnet arriving on the physical port (e0) reaches the virtual ports (typically vty 0 through 4).

• Set up the IP address filter with a standard access list statement

• Use line configuration mode to filter access with the access-class command

• You should set identical restrictions on all vty lines

When you apply an access list to the VTY lines, you don’t need to specify the Telnet protocol, since access to the VTY implies terminal access.

You also don’t need to specify a destination address, since it really doesn’t matter which interface address the user used as a target for the Telnet session.

You really only need to control where the user is coming from: their source IP address. Nice!


Virtual Terminal Access Example

Create the access-list:

Router(config)# access-list 10 permit 192.89.55.0 0.0.0.255

Apply it to all VTY lines:

Router(config)# line vty 0 4
Router(config-line)# access-class 10 in

The above example permits only hosts in network 192.89.55.0 to connect to the router’s VTY lines.


Chapter 6 Lab

Hands-on Lab 6.1 & 6.2

Open your lab books and complete labs 6.1 and 6.2


Standard versus Extended Access List

Standard                                          Extended
Filters based on source.                          Filters based on source and destination.
Permit or deny entire TCP/IP protocol suite.      Specifies a specific IP protocol and port number.
Range is 1 – 99 and 1300 - 1999.                  Range is 100 – 199 and 2000 - 2699.

Standard access lists
These use only the source IP address in an IP packet as the condition test. All decisions are made based on source IP address. This means that standard access lists basically permit or deny an entire suite of protocols. They don’t distinguish between any of the many types of IP traffic such as WWW, telnet, UDP, etc.

Extended access lists
Extended access lists can evaluate many of the other fields in the layer 3 and layer 4 header of an IP packet:

• IP Source Address

• IP Destination Address

• Protocol Field in Network Layer Packet

• Port number in Transport Layer Segment


Extended Access List Example

Figure: router with E0 on 172.16.3.0, E1 on 172.16.4.0 (host 172.16.4.13), and S0 toward non-172.16.0.0 networks.

access-list 101 deny tcp 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255 eq 21

access-list 101 deny tcp 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255 eq 20

This slide shows an example of an extended IP access list. It denies FTP (port 21 is FTP and port 20 is FTP data) from subnet 172.16.4.0 to 172.16.3.0. Actually, since there is an implicit DENY at the end of each access list, this access list denies all packets, since there is NOT a permit statement. Note: If access list 101 were applied to an interface, all traffic, either inbound or outbound (depending on how the ACL was applied), would be denied.


Extended Access List Example

Figure: same topology as the previous slide (E0 on 172.16.3.0, E1 on 172.16.4.0 with host 172.16.4.13, S0 toward non-172.16.0.0 networks).

access-list 101 deny tcp 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255 eq 21

access-list 101 deny tcp 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255 eq 20

access-list 101 permit ip any any

(access-list 101 deny ip any any)

Don’t forget to include the permit statement to permit all other IP traffic. Access list 101 could be applied inbound to interface E1 or outbound to interface E0.
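To make the top-down evaluation and the implicit deny concrete, here is a small simulator of the processing these slides describe. It is an added example, not course material or IOS code: the names Packet, parse_extended and evaluate are mine, and the parser deliberately handles only the numbered extended syntax that appears on these slides (any / host / network-wildcard addresses and an optional eq port). Run over the slide's own statements it shows two things: with only the two FTP denies, a web packet is dropped by the implicit deny even though no statement names it, and moving the permit ip any any above the denies makes FTP pass, which is why statement order is part of the policy.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Port keywords used on the slides, mapped to their well-known numbers.
PORT_NAMES = {"ftp-data": 20, "ftp": 21, "telnet": 23, "www": 80}


@dataclass
class Packet:
    protocol: str              # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None


@dataclass
class AclEntry:
    action: str                # "permit" or "deny"
    protocol: str              # "ip", "tcp", "udp", ...
    src_net: int
    src_wild: int
    dst_net: int
    dst_wild: int
    dport: Optional[int]       # None when the entry has no "eq <port>"


def _ip(text: str) -> int:
    return int(ipaddress.IPv4Address(text))


def _address(tokens: List[str], i: int) -> Tuple[int, int, int]:
    """Consume one address spec: 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W'.
    Returns (network, wildcard, index of the next token)."""
    if tokens[i] == "any":
        return 0, 0xFFFFFFFF, i + 1
    if tokens[i] == "host":
        return _ip(tokens[i + 1]), 0, i + 2
    return _ip(tokens[i]), _ip(tokens[i + 1]), i + 2


def parse_extended(line: str) -> AclEntry:
    """Parse 'access-list <100-199> {permit|deny} <proto> <src> <dst> [eq <port>]'.
    Simplified: trailing keywords such as 'log' are accepted and ignored."""
    t = line.split()
    if t[0] != "access-list" or not 100 <= int(t[1]) <= 199:
        raise ValueError("only numbered extended IP access lists are handled here")
    src_net, src_wild, i = _address(t, 4)
    dst_net, dst_wild, i = _address(t, i)
    port = None
    if i < len(t) and t[i] == "eq":
        port = PORT_NAMES.get(t[i + 1]) or int(t[i + 1])
    return AclEntry(t[2], t[3], src_net, src_wild, dst_net, dst_wild, port)


def _wild_match(addr: int, net: int, wild: int) -> bool:
    care = ~wild & 0xFFFFFFFF          # 0 bits in the wildcard must match exactly
    return (addr & care) == (net & care)


def evaluate(acl: List[AclEntry], pkt: Packet) -> str:
    """Top-down, first match wins. A packet that matches no entry hits the
    implicit 'deny ip any any' that IOS appends to every list."""
    for e in acl:
        if e.protocol not in ("ip", pkt.protocol):
            continue
        if not _wild_match(_ip(pkt.src), e.src_net, e.src_wild):
            continue
        if not _wild_match(_ip(pkt.dst), e.dst_net, e.dst_wild):
            continue
        if e.dport is not None and e.dport != pkt.dport:
            continue
        return e.action
    return "deny"


# Constructed sample: the slide's two FTP deny lines, without and with the permit.
FTP_DENIES = [parse_extended(line) for line in (
    "access-list 101 deny tcp 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255 eq 21",
    "access-list 101 deny tcp 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255 eq 20",
)]
WITH_PERMIT = FTP_DENIES + [parse_extended("access-list 101 permit ip any any")]


def demo() -> dict:
    ftp = Packet("tcp", "172.16.4.13", "172.16.3.10", 21)
    web = Packet("tcp", "172.16.4.13", "172.16.3.10", 80)
    return {
        "ftp, denies only": evaluate(FTP_DENIES, ftp),     # deny, explicit
        "web, denies only": evaluate(FTP_DENIES, web),     # deny, implicit
        "ftp, with permit": evaluate(WITH_PERMIT, ftp),    # deny
        "web, with permit": evaluate(WITH_PERMIT, web),    # permit
        "ftp, permit first": evaluate(list(reversed(WITH_PERMIT)), ftp),  # permit
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case}: {verdict}")
```

When reviewing a real configuration, the same walk applies: read each packet type against the list from the top and stop at the first hit, then remember that anything still unmatched is dropped, not passed.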


Extended Access List Example

Figure: same topology as the previous slide (E0 on 172.16.3.0, E1 on 172.16.4.0 with host 172.16.4.13, S0 toward non-172.16.0.0 networks).

access-list 101 deny tcp 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255 eq 21

access-list 101 deny tcp 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255 eq 20

access-list 101 permit ip any any

interface ethernet 1

ip access-group 101 in


Extended Access List Example

Figure: same topology as the previous slide (E0 on 172.16.3.0, E1 on 172.16.4.0 with host 172.16.4.13, S0 toward non-172.16.0.0 networks).

access-list 101 deny tcp 172.16.3.0 0.0.0.255 host 172.16.4.13 eq 23

access-list 101 permit ip any any

interface ethernet 0

ip access-group 101 in

This slide demonstrates an extended access-list that will stop anyone from network 172.16.3.0 telnetting to host 172.16.4.13.


Extended Access List Example

Figure: same topology as the previous slide (E0 on 172.16.3.0, E1 on 172.16.4.0 with host 172.16.4.13, S0 toward non-172.16.0.0 networks).

access-list 101 deny tcp 172.16.3.0 0.0.0.255 any eq www log

access-list 101 permit ip 0.0.0.0 255.255.255.255 any

interface ethernet 0

ip access-group 101 in

This slide demonstrates an extended access-list that will stop anyone from network 172.16.3.0 using HTTP to any destination.


Extended Access List Example

• You want to stop users from the Sales LAN entering the Marketing LAN. What access-list would you create, and to what interface will you apply it?

Figure: router LAN_A (E0 on the Sales LAN, 192.168.11.0 255.255.255.0; S0, DCE) linked over a serial connection (192.168.10.1/24 shown) to router LAN_B (S1; E0 on the Marketing LAN, 192.168.12.0 255.255.255.0), with hosts C, D, E and F on the LANs.

Extended: On the LAN_A router
access-list 110 deny ip 192.168.11.0 0.0.0.255 192.168.12.0 0.0.0.255
access-list 110 permit ip any any
int e0
ip access-group 110 in

OR

Standard: On the LAN_B router
access-list 10 deny 192.168.11.0 0.0.0.255
access-list 10 permit any
int e0
ip access-group 10 out


Access List Configuration Guidelines

• The order of ACL statements is crucial.

• Recommended: Use a text editor on a PC to create the ACL statements, then cut and paste them into the router.

• Top-down processing is important.

• Place the more specific test statements first.

• Statements cannot be rearranged or removed.

• Use the no access-list number command to remove the entire ACL.

• Exception: Named ACLs permit removal of individual statements.

• Implicit deny any will be applied to all packets that do not match any ACL statement unless the ACL ends with an explicit permit any statement.

Guidelines

Access list numbers indicate which protocol is filtered. One access list per interface, per protocol, per direction is allowed. The order of access list statements controls testing. Place the most restrictive statements at the top of the list. There is an implicit deny any statement as the last access list test. Every list needs at least one permit statement. Create access lists before applying them to interfaces. Access lists filter traffic going through the router; they do not apply to traffic originating from the router.


Named Access Lists

• Instead of using numbers, you can use names to configure your access-lists.

Here is an example:

ip access-list standard Lammle

permit host 1.1.1.1

interface ethernet 0

ip access-group Lammle in

Named access lists are just another way to create standard and extended access lists. In medium to large enterprises, management of access lists can become, well, a real hassle over time.

For example, when you need to make a change to an access list, a frequent practice is to copy the access list to a text editor, change the number, edit the list, then paste the new list back into the router.

Named access lists allow you to use names to both create and apply either standard or extended access lists.

There is nothing new or different about these access lists aside from being able to refer to them in a way that makes sense to humans.

However, you do not need to delete the named access-list in order to make changes. This is one of the best benefits of named access-lists.


Named Standard ACL Example

Deny a specific host

RouterX(config)#ip access-list standard troublemaker
RouterX(config-std-nacl)#deny host 172.16.4.13
RouterX(config-std-nacl)#permit 172.16.4.0 0.0.0.255
RouterX(config-std-nacl)#interface e0
RouterX(config-if)#ip access-group troublemaker out

All hosts on subnet 172.16.4.0 are blocked from going out on E0 to subnet 172.16.3.0. The arrow represents the access list being applied as an outbound access list.


Named Extended ACL Example

Deny Telnet from a specific subnet

RouterX(config)#ip access-list extended badgroup
RouterX(config-ext-nacl)#deny tcp 172.16.4.0 0.0.0.255 any eq 23
RouterX(config-ext-nacl)#permit ip any any
RouterX(config-ext-nacl)#interface e0
RouterX(config-if)#ip access-group badgroup out

All Telnet requests initiated by hosts on subnet 172.16.4.0 are blocked going out on E0 to subnet 172.16.3.0.


Commenting ACL Statements

Creates a numbered ACL comment:

RouterX(config)# access-list access-list-number remark remark

Or

Creates a named ACL:

RouterX(config)# ip access-list {standard|extended} name

Creates a named ACL comment:

RouterX(config {std- | ext-}nacl)# remark remark


Monitoring ACL Statements

RouterX# show access-lists {access-list number|name}

Displays all access lists

RouterX# show access-lists
Standard IP access list SALES
    10 deny   10.1.1.0, wildcard bits 0.0.0.255
    20 permit 10.3.3.1
    30 permit 10.4.4.1
    40 permit 10.5.5.1
Extended IP access list ENG
    10 permit tcp host 10.22.22.1 any eq telnet (25 matches)
    20 permit tcp host 10.33.33.1 any eq ftp
    30 permit tcp host 10.44.44.1 any eq ftp-data

This is the most consolidated method for seeing several access lists. The implicit deny all statement is not displayed unless it is explicitly entered in the access list.
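The match counters in that output are the cheapest evidence a router gives you about what an ACL is actually doing, so it is worth parsing them rather than eyeballing them. Below is an added example, not course material or IOS code: a parser for the show access-lists layout shown above, run over a constructed copy of the slide's output. The regular expressions and helper names are mine and assume the line layout shown; a deny entry whose counter is climbing is blocked traffic worth a look, and a permit that never fires is a candidate for removal.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample, laid out like the slide's 'show access-lists' output.
SHOW_ACCESS_LISTS = """\
Standard IP access list SALES
    10 deny   10.1.1.0, wildcard bits 0.0.0.255
    20 permit 10.3.3.1
    30 permit 10.4.4.1
    40 permit 10.5.5.1
Extended IP access list ENG
    10 permit tcp host 10.22.22.1 any eq telnet (25 matches)
    20 permit tcp host 10.33.33.1 any eq ftp
    30 permit tcp host 10.44.44.1 any eq ftp-data
"""

HEADER = re.compile(r"^(Standard|Extended) IP access list (\S+)$")
# sequence, action, the condition text, and an optional "(N matches)" suffix
ENTRY = re.compile(r"^\s+(\d+) (permit|deny)\s+(.*?)(?: \((\d+) match(?:es)?\))?$")

AclLine = Tuple[int, str, str, int]        # (sequence, action, condition, matches)


def parse_show_access_lists(text: str) -> Dict[str, List[AclLine]]:
    """Group entries under their ACL name. An entry with no '(N matches)'
    suffix has matched nothing since the counters were last cleared."""
    acls: Dict[str, List[AclLine]] = {}
    current = None
    for line in text.splitlines():
        h = HEADER.match(line)
        if h:
            current = h.group(2)
            acls[current] = []
            continue
        e = ENTRY.match(line)
        if e and current is not None:
            seq, action, cond, hits = e.groups()
            acls[current].append((int(seq), action, cond.strip(), int(hits or 0)))
    return acls


def entries_with_matches(acls: Dict[str, List[AclLine]]) -> List[Tuple[str, int, str, int]]:
    """Entries whose counter is non-zero: (acl, sequence, action, matches)."""
    return [(name, seq, action, hits)
            for name, entries in acls.items()
            for seq, action, _cond, hits in entries if hits > 0]


def unused_entries(acls: Dict[str, List[AclLine]]) -> List[Tuple[str, int]]:
    """Entries that have never matched: candidates for review as dead rules."""
    return [(name, seq)
            for name, entries in acls.items()
            for seq, _action, _cond, hits in entries if hits == 0]


if __name__ == "__main__":
    parsed = parse_show_access_lists(SHOW_ACCESS_LISTS)
    print("firing:", entries_with_matches(parsed))
    print("never matched:", unused_entries(parsed))
```

Counters reset with clear access-list counters, so a zero only means "nothing since the last clear"; compare snapshots over time before deleting a rule.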


Verifying Access Lists

Todd#show ip int e0
Ethernet0 is up, line protocol is up
  Internet address is 10.1.1.11/24
  Broadcast address is 255.255.255.255
  Address determined by setup command
  MTU is 1500 bytes
  Helper address is not set
  Directed broadcast forwarding is disabled
  Outgoing access list is not set
  Inbound access list is 1
  Proxy ARP is enabled
  Security level is default
  Split horizon is enabled
  ICMP redirects are always sent
  ICMP unreachables are always sent
  ICMP mask replies are never sent
  IP fast switching is enabled
<output cut>

Lists IP interface information. Indicates whether outgoing and/or inbound access lists are set.

Review the output of the “show ip interface” command. The “Outgoing access list” and “Inbound access list” lines show the access list settings in the show command output.


Monitoring Access List Statements

Todd# show access-lists
Standard IP access list 1
    permit 10.2.2.1
    permit 10.3.3.1
    permit 10.4.4.1
    permit 10.5.5.1
Extended IP access list 101
    permit tcp host 10.22.22.1 any eq telnet
    permit tcp host 10.33.33.1 any eq ftp
    permit tcp host 10.44.44.1 any eq ftp-data

Todd# show {protocol} access-list {access-list number}

Todd# show access-lists {access-list number}

show access-list: Displays all access lists and their parameters configured on the router. This command does not show you which interface the list is set on.

show access-list 110: Shows only the parameters for the access list 110. This command does not show you the interface the list is set on.

show ip access-list: Shows only the IP access lists configured on the router.

show ip interface: Shows which interfaces have access lists set.

show running-config: Shows the access lists and which interfaces have access lists set.


Remember!

To view the contents of all access-lists, use the command:

show access-lists

To see which interface has an access list set, which displays the placement and direction of an IP access list on a router:

show ip interface


Match the following:


Access List Question

• The access control list shown in the figure has been applied to the Ethernet interface of R1 using the ip access-group 101 in command.

• Which telnet sessions will be blocked by this ACL?

The following telnet session will be blocked by the ACL: Any host with an address between 5.1.1.8 and 5.1.1.11 on R1 will not be able to telnet to network 5.1.3.0.


Access-List Question

Write an access-list that will block all telnet connections to 10.0.1.0/24


Chapter 6 Lab

Hands-on Lab 6.3

Open your lab books and complete hands-on lab 6.3


Chapter 6 Summary

• There are two kinds of IP access lists:

• Standard - Controls traffic based on source address only

• Extended - Controls traffic based on both source and destination addresses as well as protocol and in some cases port numbers

• Named access lists were added at IOS version 11.2.

• Port number ranges were added at IOS version 11.3.

• Access lists serve several purposes. Some of which are as follows:

• Act as a firewall

• Control routing updates

• Identify interesting traffic for DDR

• They can never have only DENY statements without a PERMIT; if they do, everything is denied.

• Every access-list contains an “IMPLICIT DENY ALL” at the end.

• If a packet does not match any condition, it is discarded


Chapter 6 Summary (cont.)

• Access lists should be defined from most specific to least specific.

• Standard IP access lists should be placed close to the destination.

• Extended IP access lists should be placed close to the source.

• There can only be one inbound and one outbound access list per protocol per interface.

• Standard IP access lists are in the range of 1-99 and 1300–1999.

• Extended IP access lists are in the range of 100-199 and 2000-2699.

• Extended IP access lists can specify certain protocols in the TCP/IP suite.