Cisco Routing and Switching command manual
IOS Essentials
Version 1.0.2 - November 16, 2015
by Christian Brli
www.macparc.ch/ccna

Table of Contents
1 Basic Switch Configuration
2 Basic Router Configuration
3 Verification Commands
  3.1 Various show Commands
  3.2 Output Filters
4 Command History Feature
5 Switch Management Interface Configuration
  5.1 Configure Switch Management Interface
  5.2 Configure Switch Default Gateway
  5.3 Verify Switch Management Interface Configuration
  5.4 VLAN Creation and Association to a Switch Port
6 Configure Switch Ports
  6.1 Duplex and Speed
  6.2 Auto-MDIX
7 Switch & Port Security
  7.1 Configure SSH for Remote Management
  7.2 Secure/Disable Unused Ports
  7.3 DHCP Snooping
  7.4 Configure Port Security
  7.5 Configure Violation Mode
  7.6 Verify Port Security
  7.7 Configure Network Time Protocol (NTP)
8 VLANs
  8.1 Create VLAN(s)
  8.2 Assigning Ports to VLANs
  8.3 Remove VLAN Assignment
  8.4 Deleting VLANs
  8.5 Display VLAN Information
  8.6 Display Interface VLAN (or Trunk) Configuration
9 Trunks
  9.1 Trunk Configuration
  9.2 Resetting Trunk
  9.3 Dynamic Trunk Protocol (DTP)
10 Troubleshoot VLANs and Trunks
  10.1 Missing VLAN
  10.2 Troubleshooting Trunks
  10.3 Common Problems with Trunks
  10.4 Security - Protect Ports with PVLAN Edge
11 Inter-VLAN Routing
  11.1 Legacy Inter-VLAN Routing
  11.2 Router-on-a-Stick Inter-VLAN Routing
  11.3 Multilayer Switch Inter-VLAN Routing
  11.4 Troubleshoot Inter-VLAN Routing
12 Static Routing
  12.1 IPv4 Static Route
  12.2 IPv4 Default Static Route
  12.3 IPv4 Summary Static Route
  12.4 IPv4 Floating Static Route
  12.5 Troubleshoot IPv4 Static Route Configuration
  12.6 IPv6 Static Route
  12.7 IPv6 Default Static Route
  12.8 IPv6 Summary Static Route
13 Dynamic Routing
  13.1 Check for Dynamic Routing Protocols
  13.2 Enable RIP or RIPv2 (IPv4)
  13.3 Enable RIPng (IPv6)
14 Single-Area OSPFv2 (IPv4)
  14.1 Router ID
  14.2 Enable OSPF on Interfaces
  14.3 Propagating a Default Static Route in OSPF
  14.4 OSPF Cost
  14.5 Secure OSPF with MD5 Authentication
  14.6 Verify OSPF
15 Single-Area OSPFv3 (IPv6)
  15.1 Differences between OSPFv2 and OSPFv3
  15.2 Steps to Configure OSPFv3
  15.3 Configure Link-Local Addresses
  15.4 OSPFv3 Router ID
  15.5 Enable OSPFv3 on Interfaces
  15.6 Modify OSPFv3 Hello and Dead Intervals
  15.7 Propagating a Default Static Route in OSPFv3
  15.8 Verify OSPFv3
16 Multiarea OSPF
  16.1 Configure Multiarea OSPFv2
  16.2 OSPF Route Summarization
  16.3 Configure Multiarea OSPFv3
  16.4 Verify Multiarea OSPF
17 EIGRP for IPv4
  17.1 Router ID
  17.2 The network Command
  17.3 Passive Interfaces
  17.4 Automatic Summarization
  17.5 Manual Summarization
  17.6 Propagating a Default Static Route
  17.7 Fine-tuning EIGRP Interfaces
  17.8 MD5 Authentication
  17.9 Troubleshoot EIGRP
  17.10 Verify EIGRP for IPv4
18 EIGRP for IPv6
  18.1 Configure IPv6 Link-local Addresses
  18.2 Configure EIGRP for IPv6
  18.3 Enable EIGRP for IPv6 on Interfaces
  18.4 Passive Interfaces
  18.5 Manual Summarization
  18.6 Propagating a Default Static Route
  18.7 Fine-tuning EIGRP Interfaces
  18.8 MD5 Authentication
  18.9 Troubleshoot EIGRP
  18.10 Verify EIGRP for IPv6
19 Access Control Lists (ACLs)
  19.1 Numbered and Named ACLs
  19.2 Wildcard Bit Mask Abbreviations
  19.3 The Implied "Deny All Traffic" Criteria Statement
  19.4 Standard ACLs (IPv4)
  19.5 Extended ACLs (IPv4)
  19.6 IPv6 ACLs
  19.7 Verify ACLs
20 DHCP
  20.1 Basic DHCPv4 Configuration
  20.2 Verify DHCPv4
  20.3 DHCPv4 Relay
  20.4 Configure a Router as DHCP Client
  20.5 Verify DHCPv4 Relay & Services
  20.6 Debug DHCPv4
  20.7 DHCPv6
21 NAT for IPv4
  21.1 Static NAT
  21.2 Dynamic NAT
  21.3 PAT (NAT Overload)
  21.4 Port Forwarding (Tunneling)
  21.5 Troubleshoot NAT
22 Spanning Tree
  22.1 Default Switch STP Settings
  22.2 Configure and Verify the Bridge ID (BID) / Priority
  22.3 Configure and Verify Port Cost
  22.4 PortFast and BPDU Guard
  22.5 PVST+ Load Balancing
  22.6 Rapid PVST+
  22.7 Analyzing the STP Topology
  22.8 STP Status Overview
  22.9 First Hop Redundancy Protocols (FHRP)
23 EtherChannel
  23.1 Link Aggregation Control Protocol (LACP)
  23.2 Port Aggregation Protocol (PAgP)
  23.3 Verify EtherChannel
24 Point-to-Point Connections
  24.1 Configure HDLC Encapsulation
  24.2 Verify a Serial Interface
  24.3 Configure PPP Encapsulation
  24.4 Verify PPP Configuration / Encapsulation
25 Frame Relay
  25.1 Basic Frame Relay Configuration
  25.2 Configure a Static Frame Relay Map
  25.3 Configure Point-to-Point Subinterfaces
  25.4 Local Management Interface (LMI)
  25.5 Verify Frame Relay
  25.6 Troubleshoot Frame Relay
26 PPPoE Client Configuration for DSL
27 Virtual Private Networks (VPNs)
  27.1 GRE Tunnel
28 Monitoring the Network
  28.1 Syslog
  28.2 Simple Network Management (SNMP)
  28.3 NetFlow
29 Troubleshooting the Network
  29.1 Data Collection for Documentation
  29.2 Gather Symptoms
  29.3 Troubleshooting IP Connectivity
30 IOS Images & Licensing
  30.1 Display the IOS Image
  30.2 IOS Backup
  30.3 Select Boot System
  30.4 IOS Licensing
IOS Shortcuts

1 Basic Switch Configuration

Switch> enable
Switch# configure terminal
Switch(config)# hostname S1
S1(config)# no ip domain-lookup
S1(config)# enable secret class
S1(config)# line console 0
S1(config-line)# logging synchronous
S1(config-line)# password cisco
S1(config-line)# login
S1(config-line)# exit
S1(config)# line vty 0 4
S1(config-line)# password cisco
S1(config-line)# login
S1(config-line)# exit
S1(config)# line aux 0
S1(config-line)# password cisco
S1(config-line)# login
S1(config-line)# exit
S1(config)# service password-encryption
S1(config)# banner motd #Authorized Personnel Only!#
S1(config)# interface vlan 1
S1(config-if)# description VLAN 1
S1(config-if)# ip address 172.16.5.2 255.255.255.0
S1(config-if)# no shutdown
S1(config-if)# exit
S1(config)# ip default-gateway 172.16.5.1
S1(config)# end
S1# write
Building configuration
[OK]

Restore a switch into its factory default condition with 1 default VLAN

Switch# delete flash:vlan.dat
Switch# erase startup-config
Switch# reload

2 Basic Router Configuration

Router> enable
Router# configure terminal
Router(config)# hostname R1
R1(config)# no ip domain-lookup
R1(config)# enable secret class
R1(config)# line console 0
R1(config-line)# logging synchronous
R1(config-line)# password cisco
R1(config-line)# login
R1(config-line)# exit
R1(config)# line vty 0 4
R1(config-line)# password cisco
R1(config-line)# login
R1(config-line)# exit
R1(config)# line aux 0
R1(config-line)# password cisco
R1(config-line)# login
R1(config-line)# exit
R1(config)# service password-encryption
R1(config)# banner motd #Authorized Personnel Only!#
R1(config)# interface g0/0
R1(config-if)# description Link to LAN 1
R1(config-if)# ip address 172.16.5.1 255.255.255.0
R1(config-if)# no shutdown
R1(config-if)# exit
R1(config)# interface g0/1
R1(config-if)# description Link to LAN 2
R1(config-if)# ip address 192.168.5.1 255.255.255.0
R1(config-if)# no shutdown
R1(config-if)# exit
R1(config)# interface serial 0/0/0
R1(config-if)# description Link to R2
R1(config-if)# ip address 209.10.5.1 255.255.255.0
R1(config-if)# clock rate 128000
R1(config-if)# no shutdown
R1(config-if)# exit
R1(config)# interface loopback 0
R1(config-if)# ip address 10.0.0.1 255.255.255.0
R1(config-if)# end
R1# write

Resetting Router Configuration

Router# erase startup-config
Router# reload

3 Verification Commands

3.1 Various show Commands

Display interface status
S1# show interfaces interface-id

Display current startup configuration
S1# show startup-config

Display current operation configuration
S1# show running-config

Display commands configured on a specified interface
S1# show running-config interface interface-id

Display information about flash file system
S1# show flash

Display system hardware and software status
S1# show version

Display history of commands entered
S1# show history

Display IP information for all interfaces
R1# show ip interface [ brief ]

Display IP information about an interface
R1# show ip interface interface-id

Display contents of the IPv4 routing table (RAM)
R1# show ip route

Displays configured routing protocols
R1# show ip protocols

Displays info about learned OSPF neighbors
R1# show ip ospf neighbor

Displays info about the enabled routed protocol
R1# show protocols

Displays info on directly connected devices
R1# show cdp neighbors

Display the MAC address table
S1# show mac-address-table
or
S1# show mac address-table

3.2 Output Filters

To enable the filtering command, enter a pipe (|) character after the show command and then enter a filtering parameter and a filtering expression.

Example:
S1# show ip interface brief | exclude unassigned

Filtering parameters that can be configured after the pipe:

section   Shows entire section that starts with the filtering expression
include   Includes all output lines that match the filtering expression
exclude   Excludes all output lines that match the filtering expression
begin     Shows all the output lines, starting with the line that matches the filtering expression

4 Command History Feature

To recall the most recent command in the history buffer, press Ctrl+P or the Up Arrow key.
To return to more recent commands in the history buffer, press Ctrl+N or the Down Arrow key.

Show command history buffer:
R1# show history

By default, command history is enabled and the system captures the last 10 command lines in its history buffer.

Command to increase or decrease the size of the buffer (for the current terminal session):
R1# terminal history size 100

5 Switch Management Interface Configuration

5.1 Configure Switch Management Interface

S1# configure terminal
S1(config)# interface vlan 99
S1(config-if)# ip address 192.168.1.2 255.255.255.0
S1(config-if)# no shutdown
S1(config-if)# end
S1# copy running-config startup-config

5.2 Configure Switch Default Gateway

S1# configure terminal
S1(config)# ip default-gateway 192.168.1.1
S1(config)# end
S1# copy running-config startup-config

5.3 Verify Switch Management Interface Configuration

S1# show ip interface brief

5.4 VLAN Creation and Association to a Switch Port

The SVI for VLAN 99 will not appear as "up/up" until VLAN 99 is created and there is a device connected to a switch port associated with VLAN 99.

To create a VLAN with the vlan_id of 99, and associate it to an interface, use the following commands:

S1# configure terminal
S1(config)# vlan vlan_id
S1(config-vlan)# name vlan_name
S1(config-vlan)# exit
S1(config)# interface interface-id
S1(config-if)# switchport access vlan vlan_id

6 Configure Switch Ports

6.1 Duplex and Speed

S1# configure terminal
S1(config)# interface FastEthernet 0/1
S1(config-if)# duplex full
S1(config-if)# speed 100
S1(config-if)# end
S1# copy running-config startup-config

6.2 Auto-MDIX

S1# configure terminal
S1(config)# interface FastEthernet 0/1
S1(config-if)# duplex auto
S1(config-if)# speed auto
S1(config-if)# mdix auto
S1(config-if)# end
S1# copy running-config startup-config

Verify Auto-MDIX

S1# show controllers ethernet-controller fa 0/1 phy | include Auto-MDIX

7 Switch & Port Security

7.1 Configure SSH for Remote Management

Verify SSH support
    S1# show ip ssh
Configure the IP domain
    S1# configure terminal
    S1(config)# ip domain-name cisco.com
Generate RSA key pairs
    S1(config)# crypto key generate rsa
    The name for the keys will be S1.cisco.com
    How many bits in the modulus [512]: 1024
(Deleting RSA key pairs)
    S1(config)# crypto key zeroize rsa
Configure user authentication
    S1(config)# username admin secret ccna
Configure the vty lines
    S1(config)# line vty 0 15
    S1(config-line)# transport input ssh
    S1(config-line)# login local
    S1(config-line)# exit
Enable SSH version 2
    S1(config)# ip ssh version 2
    S1(config)# exit
7.2 Secure/Disable Unused Ports
    S1(config-if)# shutdown
Configure a range of ports
    S1(config)# interface range FastEthernet0/5 - 24
    S1(config-if-range)# shutdown

7.3 DHCP Snooping

Enable DHCP snooping
    S1(config)# ip dhcp snooping
Enable DHCP snooping for specific VLANs
    S1(config)# ip dhcp snooping vlan 10,20
Defining the trusted ports
    S1(config)# interface FastEthernet0/1
    S1(config-if)# ip dhcp snooping trust
Limit the rate at which bogus DHCP requests can continually be sent through untrusted ports
    S1(config)# interface FastEthernet0/2
    S1(config-if)# ip dhcp snooping limit rate 5
7.4 Configure Port Security

7.4.1 Static Secure MAC Addresses
    S1(config-if)# switchport port-security mac-address mac-address

7.4.2 Dynamic Secure MAC Addresses
    S1(config)# interface FastEthernet 0/1
    S1(config-if)# switchport mode access
    S1(config-if)# switchport port-security

7.4.3 Sticky Secure MAC Addresses

To convert dynamically learned MAC addresses to sticky secure MAC addresses
    S1(config)# interface FastEthernet 0/1
    S1(config-if)# switchport mode access
    S1(config-if)# switchport port-security
    S1(config-if)# switchport port-security maximum 50
    S1(config-if)# switchport port-security mac-address sticky
Manually defined sticky secure MAC addresses
    S1(config-if)# switchport port-security mac-address sticky mac-address
Disable sticky learning
    S1(config-if)# no switchport port-security mac-address sticky

7.5 Configure Violation Mode
    S1(config-if)# switchport port-security violation {protect | restrict | shutdown}
7.6 Verify Port Security

7.6.1 Verify Port Security Settings
    S1# show port-security [interface interface-id]

7.6.2 Verify sticky MAC Running Config
    S1# show run | begin FastEthernet 0/5

7.6.3 Verify Secure MAC Addresses
    S1# show port-security address

7.7 Configure Network Time Protocol (NTP)

7.7.1 Configuring NTP on a Router
NTP server
    R1(config)# ntp master 1
NTP client
    R2(config)# ntp server 10.0.0.1

7.7.2 Verify NTP
    R2# show ntp associations
    R2# show ntp status
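An added example, not part of the original command reference: a small Python audit that checks a saved running-config for the settings from 7.1 to 7.4 (SSH-only vty lines with local login, SSH version 2, DHCP snooping, shutdown of unused ports, port security on access ports). The sample config is constructed, and treating an enabled interface with no configuration as unused is an assumption of this example.

```python
import re

# Constructed sample running-config (not from the original page). Deliberate gaps:
# Fa0/3 has no port security, Fa0/4 is unconfigured but enabled, vty 5-15 allows Telnet.
SAMPLE_CONFIG = """\
hostname S1
ip domain-name cisco.com
username admin secret 5 $1$constructed$hash
ip ssh version 2
ip dhcp snooping
ip dhcp snooping vlan 10,20
!
interface FastEthernet0/1
 description uplink towards the DHCP server
 ip dhcp snooping trust
!
interface FastEthernet0/2
 switchport mode access
 switchport port-security
 switchport port-security maximum 50
 switchport port-security mac-address sticky
 ip dhcp snooping limit rate 5
!
interface FastEthernet0/3
 switchport mode access
!
interface FastEthernet0/4
!
interface FastEthernet0/5
 shutdown
!
line vty 0 4
 transport input ssh
 login local
line vty 5 15
 transport input telnet ssh
 login
!
"""


def parse_blocks(config):
    """Split IOS-style text into global lines and {block header: [sub-commands]}."""
    global_lines, blocks, current = [], {}, None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line or line.strip() == "!":
            current = None                      # "!" or a blank line closes a block
        elif line.startswith(" "):
            if current is not None:
                blocks[current].append(line.strip())
        else:
            global_lines.append(line)
            current = line if line.startswith(("interface ", "line ")) else None
            if current is not None:
                blocks[current] = []
    return global_lines, blocks


def audit(config):
    """Return findings for the section 7 settings; an empty list means none missing."""
    global_lines, blocks = parse_blocks(config)
    findings = []
    if "ip ssh version 2" not in global_lines:
        findings.append("global: 'ip ssh version 2' is not set")
    if not any(re.match(r"username \S+ .*\bsecret\b", g) for g in global_lines):
        findings.append("global: no 'username ... secret' for 'login local'")
    if "ip dhcp snooping" not in global_lines:
        findings.append("global: 'ip dhcp snooping' is not enabled")
    for header, subs in blocks.items():
        if header.startswith("line vty"):
            transport = [s for s in subs if s.startswith("transport input")]
            if transport != ["transport input ssh"]:
                findings.append(f"{header}: transport input is not SSH-only")
            if "login local" not in subs:
                findings.append(f"{header}: 'login local' is not set")
        elif header.startswith("interface ") and "vlan" not in header.lower():
            if "shutdown" in subs:
                continue                        # disabled port, nothing to check
            if not subs:                        # assumption: unconfigured means unused
                findings.append(f"{header}: enabled but unconfigured, shut down if unused")
            elif "switchport mode access" in subs and "switchport port-security" not in subs:
                findings.append(f"{header}: access port without port security")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Feed it the text of `show running-config` saved to a file; the checks are exact string matches, so abbreviated commands in a hand-written config would need normalising first.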
8 VLANs

8.1 Create VLAN(s)
    S1# configure terminal
    S1(config)# vlan vlan-id
    S1(config-vlan)# name vlan-name
    S1(config-vlan)# end
Good practice, but not necessary: Normal Range VLANs (1-1005) are saved to vlan.dat (flash memory).
    S1# copy running-config startup-config
Create a series of VLAN IDs
    S1(config)# vlan 100,125,130,140-159

8.2 Assigning Ports to VLANs
    S1# configure terminal
    S1(config)# interface [range] interface-id
    S1(config-if)# switchport mode access
    S1(config-if)# switchport access vlan vlan-id
    S1(config-if)# end

8.3 Remove VLAN Assignment
    S1# configure terminal
    S1(config)# interface [range] interface-id
    S1(config-if)# no switchport access vlan
    S1(config-if)# end

8.4 Deleting VLANs
    S1# configure terminal
    S1(config)# no vlan vlan-id
    S1(config)# end
Deleting the entire vlan.dat file (reset to factory default VLAN configuration)
    S1# delete flash:vlan.dat
    or
    S1# delete vlan.dat
8.5 Display VLAN Information
Display contents of the vlan.dat file
    S1# show vlan [brief | id vlan-id | name vlan-name | summary]

8.6 Display Interface VLAN (or Trunk) Configuration
    S1# show interfaces [interface-id | vlan vlan-id | ] switchport
9 Trunks

9.1 Trunk Configuration
    S1# configure terminal
    S1(config)# interface interface-id
    S1(config-if)# switchport mode trunk
    S1(config-if)# switchport trunk native vlan vlan-id
    S1(config-if)# switchport trunk allowed vlan vlan-list
    S1(config-if)# end

9.2 Resetting Trunk
    S1# configure terminal
    S1(config)# interface interface-id
    S1(config-if)# no switchport trunk allowed vlan
    S1(config-if)# no switchport trunk native vlan
    S1(config-if)# end
Return Port to Access Mode
    S1(config-if)# switchport mode access

9.3 Dynamic Trunk Protocol (DTP)

9.3.1 Negotiated Interface Modes

    S1(config-if)# switchport mode access
Permanent nontrunking mode, regardless of whether the neighboring interface is a trunk interface; negotiates to convert the link into a nontrunk link.

    S1(config-if)# switchport mode dynamic auto
Default switchport mode for all Ethernet interfaces. The interface is able to convert the link to a trunk link if the neighboring interface is set to trunk or desirable mode.

    S1(config-if)# switchport mode dynamic desirable
Able to convert the link to a trunk link. The interface becomes a trunk interface if the neighboring interface is set to trunk or desirable mode.

    S1(config-if)# switchport mode trunk
Permanent trunking mode, even if the neighboring interface is not a trunk interface; negotiates to convert the neighboring link into a trunk link.
9.3.2 DTP Configuration Matrix
Results of the DTP configuration options on opposite ends of a trunk link

9.3.3 Disable DTP
E.g. to enable trunking from a Cisco switch to a device that does not support DTP
    S1(config-if)# switchport nonegotiate
Prevents the interface from generating DTP frames. You can use this command only when the interface switchport mode is access or trunk. You must manually configure the neighboring interface as a trunk interface to establish a trunk link.

9.3.4 Determine the Current DTP Mode
    S1# show dtp interface interface-id
10 Troubleshoot VLANs and Trunks

10.1 Missing VLAN

Step 1: Use the show vlan command to check whether the port belongs to the expected VLAN. If the port is assigned to the wrong VLAN, use the switchport access vlan command to correct the VLAN membership. Use the show mac address-table command to check which addresses were learned on a particular port of the switch and to which VLAN that port is assigned.

Step 2: If the VLAN to which the port is assigned is deleted, the port becomes inactive. Use the show vlan or show interfaces switchport command.

Examples:
    S1# show mac-address-table interface FastEthernet 0/1
    S1# show interfaces FastEthernet 0/1 switchport
10.2 Troubleshooting Trunks

Step 1: Use the show interfaces trunk command to check whether the local and peer native VLANs match. If the native VLAN does not match on both sides, VLAN leaking occurs.

Step 2: Use the show interfaces trunk command to check whether a trunk has been established between switches. Statically configure trunk links whenever possible. Cisco Catalyst switch ports use DTP by default and attempt to negotiate a trunk link.

Example:
    S1# show interfaces FastEthernet 0/1 trunk

10.3 Common Problems with Trunks
10.4 Security

Protect Ports with PVLAN Edge

The PVLAN Edge feature has the following characteristics:
- A protected port does not forward any traffic (unicast, multicast, or broadcast) to any other port that is also a protected port, except for control traffic. Data traffic cannot be forwarded between protected ports at Layer 2.
- Forwarding behavior between a protected port and a nonprotected port proceeds as usual.
- Protected ports must be manually configured.

10.4.1 Configuring the PVLAN Edge Feature
    S1(config-if)# switchport protected

10.4.2 Disable Protected Port
    S1(config-if)# no switchport protected

10.4.3 Verify the PVLAN Edge Configuration
    S1# show interfaces interface-id switchport
11 Inter-VLAN Routing

11.1 Legacy Inter-VLAN Routing

11.1.1 Switch Configuration
    S1# configure terminal
    S1(config)# vlan 10
    S1(config-vlan)# vlan 30
    S1(config-vlan)# interface f0/11
    S1(config-if)# switchport access vlan 10
    S1(config-if)# interface f0/4
    S1(config-if)# switchport access vlan 10
    S1(config-if)# interface f0/6
    S1(config-if)# switchport access vlan 30
    S1(config-if)# interface f0/5
    S1(config-if)# switchport access vlan 30
    S1(config-if)# end

11.1.2 Router Configuration
    R1(config)# interface g0/0
    R1(config-if)# ip address 172.17.10.1 255.255.255.0
    R1(config-if)# no shutdown
    R1(config-if)# interface g0/1
    R1(config-if)# ip address 172.17.30.1 255.255.255.0
    R1(config-if)# no shutdown
    R1(config-if)# end
11.2 Router-on-a-Stick Inter-VLAN Routing

11.2.1 Switch Configuration
    S1(config)# vlan 10
    S1(config-vlan)# vlan 30
    S1(config-vlan)# interface f0/5
    S1(config-if)# switchport mode trunk
    S1(config-if)# end

11.2.2 Router Configuration
    R1(config)# interface g0/0.10
    R1(config-subif)# encapsulation dot1q 10
    R1(config-subif)# ip address 172.17.10.1 255.255.255.0
    R1(config-subif)# interface g0/0.30
    R1(config-subif)# encapsulation dot1q 30
    R1(config-subif)# ip address 172.17.30.1 255.255.255.0
    R1(config-subif)# interface g0/0
    R1(config-if)# no shutdown
    R1(config-if)# end

Verify Subinterfaces:
    R1# show vlans
    R1# show ip route
Verify Routing:
    PC1> ping 172.17.30.23
    PC1> tracert 172.17.30.23
11.3 Multilayer Switch Inter-VLAN Routing

11.3.1 Inter-VLAN Routing with Switch Virtual Interfaces (SVI)
    S1(config)# interface vlan 10
    S1(config-if)# ip address 172.17.10.1 255.255.255.0
    S1(config-if)# no shutdown
    S1(config-if)# exit
    S1(config)# interface vlan 30
    S1(config-if)# ip address 172.17.30.1 255.255.255.0
    S1(config-if)# no shutdown
    S1(config-if)# exit
    S1(config)# ip routing

11.3.2 Inter-VLAN Routing with Routed Ports
    S1(config)# interface fastethernet 0/1
    S1(config-if)# no switchport
    S1(config-if)# ip address 172.17.10.1 255.255.255.0
    S1(config-if)# no shutdown
    S1(config-if)# exit
    S1(config)# interface fastethernet 0/3
    S1(config-if)# no switchport
    S1(config-if)# ip address 172.17.30.1 255.255.255.0
    S1(config-if)# no shutdown
    S1(config-if)# exit
    S1(config)# ip routing
11.3.3 Static Routing on a Cisco Catalyst 2960 Switch

Check setting template
    S1# show sdm prefer
Enable the routing functionality on the Cisco 2960 Layer 2 switch
Full-featured multilayer switches (e.g. Cisco Catalyst 3560 Series) support the EIGRP, OSPF, and BGP routing protocols.
    S1(config)# sdm prefer lanbase-routing
    S1(config)# do reload
    S1(config)# interface fastethernet 0/6
    S1(config-if)# switchport access vlan 2
    S1(config-if)# interface vlan 1
    S1(config-if)# ip address 192.168.1.1 255.255.255.0
    S1(config-if)# interface vlan 2
    S1(config-if)# ip address 192.168.2.1 255.255.255.0
    S1(config-if)# no shutdown
    S1(config)# ip routing
Configure default route
    S1(config)# ip route 0.0.0.0 0.0.0.0 192.168.1.254
Configure a static route to the remote network 192.168.2.0/24 (VLAN 2) on the Router R1
    R1(config)# ip route 192.168.2.0 255.255.255.0 g0/1
11.4 Troubleshoot Inter-VLAN Routing

The issues common to legacy inter-VLAN routing and router-on-a-stick inter-VLAN routing are also manifested in the context of Layer 3 switching. To troubleshoot issues, the following items should be checked for accuracy:

VLANs: VLANs must be defined across all the switches. VLANs must be enabled on the trunk ports. Ports must be in the right VLANs.
SVIs: SVIs must have the correct IP address or subnet mask. SVIs must be up. SVIs must match with the VLAN number.
Routing: Routing must be enabled. Each interface or network should be added to the routing protocol.
Hosts: Hosts must have the correct IP address or subnet mask. Hosts must have a default gateway associated with an SVI or routed port.
12 Static Routing

12.1 IPv4 Static Route

A static route can be configured to reach a specific remote network.
    R1(config)# ip route network-address subnet-mask {next-hop-ip | exit-intf [ip-address]} [ distance ] [ name name ] [ permanent ] [ tag tag ]

The distance parameter is used to create a floating static route by setting an administrative distance that is higher than a dynamically learned route.

Common Examples:
Next-hop address:
    R1(config)# ip route 172.16.1.0 255.255.255.0 172.16.2.2
Exit interface:
    R1(config)# ip route 172.16.1.0 255.255.255.0 serial 0/0/0
Fully specified:
    R1(config)# ip route 172.16.1.0 255.255.255.0 G0/1 172.16.2.2

Verifying
    R1# ping 192.168.2.2
    R1# traceroute 192.168.2.10
    R1# show ip route
    R1# show ip route static | begin Gateway
    R1# show ip route 192.168.2.1
    R1# show running-config | section ip route
12.2 IPv4 Default Static Route

A default static route is similar to a default gateway on a host. The default static route specifies the exit point to use when the routing table does not contain a path for the destination network.
    R1(config)# ip route 0.0.0.0 0.0.0.0 {next-hop-ip | exit-intf}

Common Examples:
Next-hop address:
    R1(config)# ip route 0.0.0.0 0.0.0.0 192.168.6.2
Exit interface:
    R1(config)# ip route 0.0.0.0 0.0.0.0 serial 0/0/0
Fully specified:
    R1(config)# ip route 0.0.0.0 0.0.0.0 serial 0/0/0 192.168.6.2
Verifying:
    R1# show ip route static

12.3 IPv4 Summary Static Route

Example:
The four static route entries could be reduced to a 172.20.0.0/14 entry. The four static route entries can be removed and replaced by a summary static route.
    R1(config)# no ip route 172.20.0.0 255.255.0.0 serial 0/0/0
    R1(config)# no ip route 172.21.0.0 255.255.0.0 serial 0/0/0
    R1(config)# no ip route 172.22.0.0 255.255.0.0 serial 0/0/0
    R1(config)# no ip route 172.23.0.0 255.255.0.0 serial 0/0/0
    R1(config)#
    R1(config)# ip route 172.20.0.0 255.252.0.0 serial 0/0/0
12.4 IPv4 Floating Static Route

Floating static routes are static routes that have an administrative distance greater than the administrative distance of another static route or dynamic routes. They are very useful when providing a backup to a primary link.

By default, static routes have an administrative distance of 1, making them preferable to routes learned from dynamic routing protocols. For example, the administrative distances of some common dynamic routing protocols are:
- EIGRP = 90
- IGRP = 100
- OSPF = 110
- IS-IS = 115
- RIP = 120

The administrative distance of a static route can be increased to make the route less desirable than that of another static route or a route learned through a dynamic routing protocol. In this way, the static route floats and is not used when the route with the better administrative distance is active.

Verification shows that the default route to R2 is installed in the routing table. Note that the backup route to R3 is not present in the routing table.
12.5 Troubleshoot IPv4 Static Route Configuration

Common IOS troubleshooting commands include:
- ping target-ip-address source { ip-address | exit-intf } (extended ping)
- traceroute
- show ip route
- show ip interface brief
- show cdp neighbors [detail]

12.6 IPv6 Static Route

Enable IPv6 Routing:
    R1(config)# ipv6 unicast-routing
    R1(config)# ipv6 route ipv6-prefix/prefix-length { ipv6-address | exit-intf }
Verifying:
    R1# show ipv6 route

Common Examples:
Next-hop address:
    R1(config)# ipv6 route 2001:db8:acad:2::/64 2001:db8:acad:4::2
Exit interface:
    R1(config)# ipv6 route 2001:db8:acad:2::/64 s0/0/0
Fully specified:
    R1(config)# ipv6 route 2001:db8:acad:2::/64 s0/0/0 fe80::2

Verifying
    R1# ping 192.168.2.2
    R1# traceroute 192.168.2.10
    R1# show ipv6 route
    R1# show ipv6 route static
    R1# show ipv6 route 2001:db8:acad:3::
    R1# show running-config | section ipv6 route
12.7 IPv6 Default Static Route

Enable IPv6 Routing:
    R1(config)# ipv6 unicast-routing
    R1(config)# ipv6 route ::/0 { ipv6-address | exit-intf }

Common Examples:
Next-hop address:
    R1(config)# ipv6 route ::/0 2001:db8:acad:4::2
Exit interface:
    R1(config)# ipv6 route ::/0 serial 0/0/0
Verify:
    R1# show ipv6 route static

12.8 IPv6 Summary Static Route

Example:
The four static route entries could be reduced to a 2001:db8:acad::/61 entry. The four static route entries can be removed and replaced by a summary static route.
    R1(config)# no ipv6 route 2001:db8:acad:1::/64 2001:db8:feed:1::2
    R1(config)# no ipv6 route 2001:db8:acad:2::/64 2001:db8:feed:1::2
    R1(config)# no ipv6 route 2001:db8:acad:3::/64 2001:db8:feed:1::2
    R1(config)# no ipv6 route 2001:db8:acad:4::/64 2001:db8:feed:1::2
    R1(config)#
    R1(config)# ipv6 route 2001:db8:acad::/61 2001:db8:feed:1::2
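The summary calculations in 12.3 and 12.8, as an added Python example that is not part of the original reference: it derives the summary prefix from the four routes, rebuilds the replacement command in the page's syntax, and goes one step further by listing any address space the summary covers that the original routes did not. The function names are chosen for this illustration.

```python
import ipaddress


def summarize(prefixes):
    """Return the smallest single network that contains every given prefix."""
    nets = [ipaddress.ip_network(p) for p in prefixes]
    if len({n.version for n in nets}) != 1:
        raise ValueError("mix of IPv4 and IPv6 prefixes")
    bits = nets[0].max_prefixlen
    lo = min(int(n.network_address) for n in nets)
    hi = max(int(n.broadcast_address) for n in nets)
    # Everything from the highest differing bit of lo and hi downwards is host space.
    host_bits = (lo ^ hi).bit_length()
    base = (lo >> host_bits) << host_bits
    return type(nets[0])((base, bits - host_bits))


def uncovered(prefixes):
    """Return the parts of the summary that none of the original prefixes covered."""
    nets = [ipaddress.ip_network(p) for p in prefixes]
    remaining = [summarize(prefixes)]
    for net in nets:
        kept = []
        for block in remaining:
            if block.subnet_of(net):
                continue                          # fully covered by an original route
            if net.subnet_of(block):
                kept.extend(block.address_exclude(net))
            else:
                kept.append(block)
        remaining = kept
    return sorted(remaining)


def summary_route(prefixes, via):
    """Build the IOS static route command for the summary, in the page's syntax."""
    net = summarize(prefixes)
    if net.version == 4:
        return f"ip route {net.network_address} {net.netmask} {via}"
    return f"ipv6 route {net} {via}"


# The routes from sections 12.3 and 12.8.
IPV4_ROUTES = ["172.20.0.0/16", "172.21.0.0/16", "172.22.0.0/16", "172.23.0.0/16"]
IPV6_ROUTES = ["2001:db8:acad:1::/64", "2001:db8:acad:2::/64",
               "2001:db8:acad:3::/64", "2001:db8:acad:4::/64"]

if __name__ == "__main__":
    print(summary_route(IPV4_ROUTES, "serial 0/0/0"), uncovered(IPV4_ROUTES))
    print(summary_route(IPV6_ROUTES, "2001:db8:feed:1::2"), uncovered(IPV6_ROUTES))
```

The IPv4 summary is exact, while the IPv6 /61 also matches prefixes that had no route before, so traffic to them now follows the summary route as well.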
13 Dynamic Routing

13.1 Check for Dynamic Routing Protocols

Determine which routing protocols are supported by the IOS
    R1(config)# router ?
respectively
    R1(config)# ipv6 router ?

Verify the IPv4 routing protocol settings currently configured
    R1# show ip protocols
respectively
    R1# show ipv6 protocols
13.2 Enable RIP or RIPv2 (IPv4)
    R1(config)# router rip
Disable and eliminate RIP
    R1(config)# no router rip
Configure which locally connected networks should be advertised
    R1(config-router)# network network-address
Example:
    R1(config)# router rip
    R1(config-router)# network 192.168.1.0
    R1(config-router)# network 192.168.2.0
Enable RIPv2
    R1(config)# router rip
    R1(config-router)# version 2
Disable automatic network number summarization
    R1(config-router)# no auto-summary
(RIPv2 must be enabled before automatic summarization is disabled.)
Configure passive interfaces (stop routing updates out of specified interfaces)
    R1(config-router)# passive-interface intf
Examples:
    R1(config)# router rip
    R1(config-router)# passive-interface serial 0/0/0
Stop routing updates out of all interfaces
    R1(config-router)# passive-interface default
Re-enable routing updates out of a specified interface
    R1(config-router)# no passive-interface gigabitethernet 0/1
Propagate a default route (configured on the edge router)
    R1(config)# ip route 0.0.0.0 0.0.0.0 serial 0/0/0 192.168.6.2
    R1(config)# router rip
    R1(config-router)# default-information originate
13.3 Enable RIPng (IPv6)
    R1(config-if)# ipv6 rip domain-name enable
Example:
    R1(config)# ipv6 unicast-routing
    R1(config)#
    R1(config)# interface g0/1
    R1(config-if)# ipv6 rip RIP-AS enable
    R1(config-if)# no shutdown
    R1(config-if)# exit
    R1(config)#
    R1(config)# interface s0/0/1
    R1(config-if)# ipv6 rip RIP-AS enable
    R1(config-if)# no shutdown
Propagate a default route (configured on the edge router)
    R1(config)# ipv6 route 0::/0 2001:db8:feed:1::1
    R1(config)# interface s0/0/1
    R1(config-if)# ipv6 rip RIP-AS default-information originate
Display (only) the RIP routes from the IPv6 routing table
    R1# show ipv6 route rip
14 Single-Area OSPFv2 (IPv4)

Enter router OSPF configuration mode
    R1(config)# router ospf process-id
Example:
    R3(config)# router ospf 10
The process-id value represents a number between 1 and 65,535 and is selected by the network administrator. The process-id value is locally significant, which means that it does not have to be the same value on the other OSPF routers to establish adjacencies with those neighbors.

14.1 Router ID

14.1.1 Configure & Verify Router ID
    R1(config-router)# router-id rid
    R1# show ip protocols
Example:
    R3(config-router)# router-id 3.3.3.3

14.1.2 Modify Router ID
Modify router ID by clearing the routing process
    R1# clear ip ospf process
    Reset ALL OSPF processes? [no]: y
Verify (only Router ID section)
    R1# show ip protocols | section Router ID

14.1.3 Using a Loopback Interface as the Router ID
    R3(config)# interface loopback 0
    R3(config-if)# ip address 3.3.3.3 255.255.255.255
    R3(config-if)# end
14.2 Enable OSPF on Interfaces

14.2.1 Assigning Interfaces to an OSPF Area
    R1(config-router)# network network-address wildcard-mask area area-id
Example:
    R1(config-router)# network 172.16.1.0 0.0.0.255 area 0
    R1(config-router)# network 10.10.10.0 0.0.0.3 area 0
    R1(config-router)# network 10.10.10.4 0.0.0.3 area 0

14.2.2 Assigning Interfaces to an OSPF Area with a Quad Zero
As an alternative, OSPFv2 can be enabled using the interface IPv4 address with a quad 0 wildcard mask.
    R1(config-router)# network intf-ip-address 0.0.0.0 area area-id
Example:
    R1(config-router)# network 172.16.1.1 0.0.0.0 area 0
    R1(config-router)# network 10.10.10.1 0.0.0.0 area 0
    R1(config-router)# network 10.10.10.5 0.0.0.0 area 0
The advantage of specifying the interface is that the wildcard mask calculation is not necessary. OSPFv2 uses the interface address and subnet mask to determine the network to advertise.

14.2.3 Change the OSPF Interface Priority
The OSPF DR and BDR election decision is based on the following criteria:

Step 1: The routers in the network elect the router with the highest interface priority as the DR. The router with the second highest interface priority is elected as the BDR. The priority can be configured to be any number between 0-255. The higher the priority, the likelier the router will be selected as the DR. If the priority is set to 0, the router is not capable of becoming the DR. The default priority of multiaccess broadcast interfaces is 1. Therefore, unless otherwise configured, all routers have an equal priority value and must rely on another tie breaking method during the DR/BDR election.

Step 2: If the interface priorities are equal, then the router with the highest router ID is elected the DR. The router with the second highest router ID is the BDR.
14.2.4 Modify OSPFv2 Hello and Dead Intervals
    R1(config-if)# ip ospf hello-interval seconds
    R1(config-if)# ip ospf dead-interval seconds

Reset to default values (Hello = 10 s; Dead = 40 s):
    R1(config-if)# no ip ospf hello-interval
    R1(config-if)# no ip ospf dead-interval
Verify OSPF intervals:
    R1# show ip ospf interface interface
    R1# show ip ospf interface interface | include Timer
Verify OSPF timer activity:
    R1# show ip ospf neighbor
14.2.5 Configure Passive Interfaces
    R1(config-router)# passive-interface intf
Example:
    R1(config-router)# passive-interface GigabitEthernet 0/0
All interfaces can be made passive:
    R1(config-router)# passive-interface default
Re-enabled interface:
    R1(config-router)# no passive-interface GigabitEthernet 0/1

14.3 Propagating a Default Static Route in OSPF

To propagate a default route, the edge router (aka the entrance, gateway, or autonomous system boundary router (ASBR)) must be configured with:
- A default static route using the ip route 0.0.0.0 0.0.0.0 {ip-address | exit-intf} command.
- The default-information originate router configuration mode command instructs the router to be the source of the default route information and propagate the default static route in OSPF updates.
14.4 OSPF Cost

14.4.1 Verify Cost of a Route (Metric)

14.4.2 Adjust Reference Bandwidth
OSPF uses a reference bandwidth of 100 Mb/s (cost = 1) for any links that are equal to or faster than a fast Ethernet connection. To assist OSPF in making the correct path determination, the reference bandwidth must be changed to a higher value to accommodate networks with links faster than 100 Mb/s.
Gigabit Ethernet:
    R1(config-router)# auto-cost reference-bandwidth 1000
10 Gigabit Ethernet:
    R1(config-router)# auto-cost reference-bandwidth 10000
Return to default:
    R1(config-router)# auto-cost reference-bandwidth 100
OSPF cost if the reference bandwidth is set to Gigabit Ethernet:
14.4.3 Verify Link Cost

14.4.4 Adjust Interface Bandwidth Setting
Use the show interfaces command to view the interface bandwidth setting.

On Cisco routers, the default bandwidth on most serial interfaces is set to 1.544 Mb/s.
Adjust the interface bandwidth:
    R1(config)# interface intf
    R1(config-if)# bandwidth kilobits
Restore to the default value:
    R1(config-if)# no bandwidth [kilobits]
14.4.5 Manually Setting the OSPF Cost
As an alternative to setting the default interface bandwidth, the cost can be manually configured on an interface.
    R1(config)# interface intf
    R1(config-if)# ip ospf cost value

Both the bandwidth interface command and the ip ospf cost interface command achieve the same result, which is to provide an accurate value for use by OSPF in determining the best route. An advantage of configuring a cost over setting the interface bandwidth is that the router does not have to calculate the metric when the cost is manually configured. In contrast, when the interface bandwidth is configured, the router must calculate the OSPF cost based on the bandwidth. The ip ospf cost command is useful in multi-vendor environments where non-Cisco routers may use a metric other than bandwidth to calculate the OSPF costs.
14.5 Secure OSPF with MD5 Authentication

14.5.1 Enable OSPF MD5 Authentication Globally
    R1(config-router)# area area-id authentication message-digest
    R1(config-if)# ip ospf message-digest-key key md5 password

14.5.2 Enable OSPF MD5 Authentication on a Per-Interface basis
    R1(config-if)# ip ospf message-digest-key key md5 password
    R1(config-if)# ip ospf authentication message-digest
14.6 Verify OSPF

14.6.1 Verify OSPF Neighbors
    R1# show ip ospf neighbor

FULL state means that the router and its neighbor have identical OSPF LSDBs. On multiaccess networks such as Ethernet, two routers that are adjacent may have their states displayed as 2WAY. The dash indicates that no DR or BDR is required because of the network type.

Two routers may not form an OSPF adjacency if:
- The subnet masks do not match, causing the routers to be on separate networks.
- OSPF Hello or Dead Timers do not match.
- OSPF Network Types do not match.
- There is a missing or incorrect OSPF network command.

14.6.2 Verify OSPF Protocol Settings
The show ip protocols command is a quick way to verify vital OSPF configuration information. This includes the OSPF process ID, the router ID, networks the router is advertising, the neighbors the router is receiving updates from, and the default administrative distance (default is 110 for OSPF).
    R1# show ip protocols
14.6.3 Verify OSPF Process Information
The show ip ospf command displays the OSPF area information and the last time the SPF algorithm was calculated.
    R1# show ip ospf
14.6.4 Verify OSPF Interface Settings
    R1# show ip ospf interface [brief]
    R1# show ip ospf interface interface

14.6.5 Verify the OSPF Learned Routes
Display only the OSPF learned routes in the routing table.
    R1# show ip route ospf

14.6.6 Verify OSPF MD5 authentication
    R1# show ip ospf interface interface
    R1# show ip ospf interface | include Message
15 Single-Area OSPFv3 (IPv6)

15.1 Differences between OSPFv2 and OSPFv3

15.2 Steps to Configure OSPFv3
15.3 Configure Link-Local Addresses

Unless configured manually, Cisco routers create the link-local address using FE80::/10 prefix and the EUI-64 process. EUI-64 involves using the 48-bit Ethernet MAC address, inserting FFFE in the middle and flipping the seventh bit. For serial interfaces, Cisco uses the MAC address of an Ethernet interface.

Configuring the link-local address manually provides the ability to create an address that is recognizable and easier to remember. As well, a router with several interfaces can assign the same link-local address to each IPv6 interface. This is because the link-local address is only required for local communications.
    R1(config)# interface GigabitEthernet 0/0
    R1(config-if)# ipv6 address FE80::1 link-local
    R1(config-if)# exit
    R1(config)# interface Serial 0/0/0
    R1(config-if)# ipv6 address FE80::1 link-local
    R1(config-if)# exit
    R1(config)# interface Serial 0/0/1
    R1(config-if)# ipv6 address FE80::1 link-local
    R1(config-if)# exit
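The EUI-64 steps described above, as an added Python example that is not part of the original reference. The function names are assumptions of this example and the MAC addresses are constructed sample values; the second function reports whether an address still carries the FFFE filler, which distinguishes an automatically derived link-local address from a manually configured one such as FE80::1.

```python
import ipaddress
import re


def eui64_link_local(mac):
    """Derive the FE80::/10 link-local address from a 48-bit MAC using EUI-64."""
    digits = re.sub(r"[.:\-]", "", mac)             # accepts aabb.ccdd.eeff or aa:bb:...
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    octets = bytearray.fromhex(digits)
    octets[0] ^= 0x02                               # flip the seventh bit of the first octet
    interface_id = bytes(octets[:3]) + b"\xff\xfe" + bytes(octets[3:])
    return ipaddress.IPv6Address(b"\xfe\x80" + bytes(6) + interface_id)


def looks_like_eui64(address):
    """True if the interface ID carries the FFFE filler, i.e. was likely MAC-derived."""
    packed = ipaddress.IPv6Address(str(address)).packed
    return packed[11:13] == b"\xff\xfe"


if __name__ == "__main__":
    for sample_mac in ("0050.56ab.cdef", "FC:99:47:75:C3:E0"):   # constructed samples
        address = eui64_link_local(sample_mac)
        print(sample_mac, "->", address, looks_like_eui64(address))
    print("FE80::1 ->", looks_like_eui64("FE80::1"))
```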
15.4 OSPFv3 Router ID

Enter router OSPFv3 configuration mode
    R1(config)# ipv6 router ospf process-id
Example:
    R3(config)# ipv6 router ospf 10

15.4.1 Configure & Verify OSPFv3 Router ID
    R1(config-rtr)# router-id rid
    R1# show ipv6 protocols
Example:

15.4.2 Modify OSPFv3 Router ID
    R1(config)# ipv6 router ospf 10
    R1(config-rtr)# router-id 1.1.1.1
    R1(config-rtr)# end
    R1# clear ipv6 ospf process
    Reset ALL OSPF processes? [no]: y
    R1# show ipv6 protocols
15.5 Enable OSPFv3 on Interfaces

OSPFv3 uses a different method to enable an interface for OSPF. Instead of using the network router configuration mode command to specify matching interface addresses, OSPFv3 is configured directly on the interface.
    R1(config-if)# ipv6 ospf process-id area area-id
15.6 Modify OSPFv3 Hello and Dead Intervals
    R1(config-if)# ipv6 ospf hello-interval seconds
    R1(config-if)# ipv6 ospf dead-interval seconds

Reset to default values (Hello = 10 s; Dead = 40 s):
    R1(config-if)# no ipv6 ospf hello-interval
    R1(config-if)# no ipv6 ospf dead-interval
Verify OSPF intervals:
    R1# show ipv6 ospf interface interface
    R1# show ipv6 ospf interface interface | include Timer
Verify OSPF timer activity:
    R1# show ipv6 ospf neighbor
15.7 Propagating a Default Static Route in OSPFv3

To propagate a default route, the edge router (aka the entrance, gateway, or autonomous system boundary router (ASBR)) must be configured with:
- A default static route using the ipv6 route ::/0 {ipv6-address | exit-intf} command.
- The default-information originate router configuration mode command instructs the router to be the source of the default route information and propagate the default static route in OSPF updates.
15.8 Verify OSPFv3

15.8.1 Verify OSPFv3 Neighbors
    R1# show ipv6 ospf neighbor

15.8.2 Verify OSPFv3 Protocol Settings
    R1# show ipv6 protocols

15.8.3 Verify OSPF Process Information
    R1# show ipv6 ospf
15.8.4 Verify OSPFv3 Interface Settings
    R1# show ipv6 ospf interface [brief]
    R1# show ipv6 ospf interface serial 0/0/1

15.8.5 Verify the IPv6 Routing Table
    R1# show ipv6 route ospf
16 Multiarea OSPF

16.1 Configure Multiarea OSPFv2

A router simply becomes an Area Border Router (ABR) when it has two network statements in different areas.
16.2 OSPF Route Summarization

16.2.1 Interarea Route Summarization

Interarea route summarization occurs on Area Border Routers (ABRs) and applies to routes from within each area. It does not apply to external routes injected into OSPF via redistribution.

16.2.2 External Route Summarization
External route summarization is specific to external routes that are injected into OSPF via route redistribution. Again, it is important to ensure the contiguity of the external address ranges that are being summarized. Generally, only Autonomous System Boundary Routers (ASBRs) summarize external routes. External route summarization is configured on ASBRs using the summary-address address mask router configuration mode command.
    R2(config-router)# summary-address 172.16.0.0 255.255.224.0
16.3 Configure Multiarea OSPFv3
16.4 Verify Multiarea OSPF

The same verification commands used to verify single-area OSPF also can be used to verify the multiarea OSPF topology:
- show ip ospf neighbor
- show ip ospf
- show ip ospf interface

Commands that verify specific multiarea information include:
- show ip protocols
- show ip ospf interface brief
- show ip route ospf
- show ip ospf database

Note: For the equivalent OSPFv3 command, simply substitute ip with ipv6.
17 EIGRP for IPv4
    R1(config)# router eigrp autonomous-system
Example:
    R1(config)# router eigrp 1
The autonomous-system argument can be assigned to any 16-bit value between the number 1 and 65,535. All routers within the EIGRP routing domain must use the same autonomous system number.
Remove the EIGRP routing process:
    no router eigrp autonomous-system

17.1 Router ID

17.1.1 Configure & Verify Router ID
    R1(config-router)# eigrp router-id ipv4-address
    R1# show ip protocols

17.1.2 Using a Loopback Interface as the Router ID
    R3(config)# interface loopback 0
    R3(config-if)# ip address 3.3.3.3 255.255.255.255
    R3(config-if)# end
17.2 The network Command
- Enables any interface on this router that matches the network address in the network router configuration mode command to send and receive EIGRP updates.
- The network of the interfaces is included in EIGRP routing updates.
To configure EIGRP to advertise specific subnets only, use the wildcard-mask option with the network command:
    R1(config-router)# network network-address [wildcard-mask]

Some IOS versions also let you enter the subnet mask instead of a wildcard mask. However, if the subnet mask is used, the IOS converts the command to the wildcard-mask format within the configuration.

17.3 Passive Interfaces

There are two primary reasons for enabling the passive-interface command:
- To suppress unnecessary update traffic, such as when an interface is a LAN interface, with no other routers connected
- To increase security controls, such as preventing unknown rogue routing devices from receiving EIGRP updates
    R1(config)# router eigrp as-number
    R1(config-router)# passive-interface interface-type interface-number

To configure all interfaces as passive, use the passive-interface default command. To disable an interface as passive, use the no passive-interface interface-type interface-number command.
17.4 Automatic Summarization

17.4.1 Configure EIGRP Automatic Summarization
    R1(config)# router eigrp as-number
    R1(config-router)# auto-summary

17.4.2 Verify Auto-Summary
EIGRP for IPv4 automatically includes a Null0 summary route whenever the following conditions exist:
- There is at least one subnet that was learned via EIGRP.
- There are two or more network EIGRP router configuration mode commands.
- Automatic summarization is enabled.

The Null0 interface is a virtual IOS interface that is a route to nowhere, commonly known as "the bit bucket." Packets that match a route with a Null0 exit interface are discarded. The purpose of the Null0 summary route is to prevent routing loops for destinations that are included in the summary, but do not actually exist in the routing table.
17.5 Manual Summarization

17.5.1 Configure EIGRP Manual Summarization
    R1(config)# interface interface-type interface-number
    R1(config-if)# ip summary-address eigrp as-number network-address subnet-mask

Note: Summary routes have to be configured on all interfaces that send EIGRP packets.

17.5.2 Verify Manual Summary
17.6 Propagating a Default Static Route

17.6.1 Configure a Default Static Route in EIGRP

17.6.2 Verify Default Static Route in EIGRP
17.7 Fine-tuning EIGRP Interfaces

17.7.1 EIGRP Bandwidth
By default, EIGRP uses only up to 50 percent of an interface's bandwidth for EIGRP information. This prevents the EIGRP process from over-utilizing a link and not allowing enough bandwidth for the routing of normal traffic.
    R1(config-if)# ip bandwidth-percent eigrp as-number percent

17.7.2 Hello Intervals and Hold Timers
    R1(config-if)# ip hello-interval eigrp as-number seconds
    R1(config-if)# ip hold-time eigrp as-number seconds

17.7.3 Load Balancing
Cisco IOS, by default, allows load balancing using up to four equal-cost paths; however, this can be modified: up to 32 equal-cost routes can be kept in the routing table.
    R1(config-router)# maximum-paths value
17.8 MD5 Authentication

Step 1: Create a keychain and key

a) In global configuration mode, create the keychain.
b) Specify the key ID which is used to identify an authentication key within a keychain. The range of keys is from 0 to 2,147,483,647. It is recommended that the key number be the same on all routers in the configuration.
c) Specify the key string for the key. The key string is similar to a password. Routers exchanging authentication keys must be configured using the same key string.

Step 2: Configure EIGRP authentication using keychain and key

a) In global configuration mode, specify the interface on which to configure EIGRP message authentication.
b) Enable EIGRP message authentication. The md5 keyword indicates that the MD5 hash is to be used for authentication.
c) Specify the keychain that should be used for authentication. The name-of-chain argument specifies the keychain that was created in Step 1.
Verify EIGRP MD5 authentication:
Adjacencies are only formed when both connecting devices have authentication configured. To verify that the correct EIGRP adjacencies were formed after being configured for authentication, use the show ip eigrp neighbors command on each router.

After EIGRP message authentication is configured on one router, any adjacent neighbors that have not yet been configured for authentication are no longer EIGRP neighbors; the following IOS message appears:
    %DUAL-5-NBRCHANGE: EIGRP-IPv4 1: Neighbor 172.16.3.2 (Serial0/0/0) is down: authentication mode changed
When the adjacent interface is configured, the adjacency is re-established and the following IOS message will be displayed:
    %DUAL-5-NBRCHANGE: EIGRP-IPv4 1: Neighbor 172.16.3.2 (Serial0/0/0) is up: new adjacency
69
17.9 Troubleshoot EIGRP
17.10 Verify EIGRP for IPv4
17.10.1 Examine Neighbors
17.10.2 Examine the IPv4 Routing Table
17.10.3 Examine Routing Protocol Processes
Default Administrative Distances:
17.10.4 Examine Topology Table
All links can be displayed using the show ip eigrp topology all-links command.
18 EIGRP for IPv6
18.1 Configure IPv6 Link-local Addresses
Verify link-local addresses:
18.2 Configure EIGRP for IPv6
R1(config)# ipv6 router eigrp autonomous-system
R1(config-rtr)# eigrp router-id ipv4-address
R1(config-rtr)# no shutdown
18.3 Enable EIGRP for IPv6 on Interfaces
R1(config-if)# ipv6 eigrp autonomous-system
18.4 Passive Interfaces
18.5 Manual Summarization
Note: Auto summarization is not available for EIGRP IPv6 networks.
18.5.1 Configure EIGRP Manual Summarization
R1(config-if)# ipv6 summary-address eigrp as-number prefix/prefix-length
18.5.2 Verify Manual Summary
18.6 Propagating a Default Static Route
18.6.1 Configure a Default Static Route in EIGRP
18.6.2 Verify Default Static Route in EIGRP
18.7 Fine-tuning EIGRP Interfaces
18.7.1 EIGRP Bandwidth
By default, EIGRP uses only up to 50 percent of an interface's bandwidth for EIGRP information.
R1(config-if)# ipv6 bandwidth-percent eigrp as-number percent
18.7.2 Hello Intervals and Hold Timers
R1(config-if)# ipv6 hello-interval eigrp as-number seconds
R1(config-if)# ipv6 hold-time eigrp as-number seconds
18.8 MD5 Authentication
The algorithms and the configuration to authenticate EIGRP for IPv6 messages are the same as EIGRP for IPv4. The only difference is that the interface configuration mode commands use ipv6 instead of ip.
R1(config-if)# ipv6 authentication mode eigrp as-number md5
R1(config-if)# ipv6 authentication key-chain eigrp as-number name-of-chain
Example:
18.9 Troubleshoot EIGRP
The following commands are used with EIGRP for IPv6:
R1# show ipv6 eigrp neighbors
R1# show ipv6 route
R1# show ipv6 protocols
18.10 Verify EIGRP for IPv6
18.10.1 Examine Neighbors
18.10.2 Examine IPv6 Routing Protocol Processes
18.10.3 Examine the IPv6 Routing Table
19 Access Control Lists (ACLs)
19.1 Numbered and Named ACLs
19.2 Wildcard Bit Mask Abbreviations
The host keyword substitutes for the 0.0.0.0 mask. This mask states that all IPv4 address bits must match, that is, only one host is matched.
Example: Instead of entering 192.168.10.10 0.0.0.0, you can use host 192.168.10.10.
The any option substitutes for the IP address and 255.255.255.255 mask. This mask says to ignore the entire IPv4 address or to accept any addresses.
Example: Instead of entering 0.0.0.0 255.255.255.255, you can use the keyword any.
19.3 The Implied "Deny All Traffic" Criteria Statement
By default, there is an implied deny at the end of all ACLs for traffic that was not matched to a configured entry. A single-entry ACL with only one deny entry or an ACL without any entry has the effect of denying all traffic. At least one permit ACE must be configured in an ACL or all traffic is blocked.
Although all ACLs end with an implicit deny statement, we recommend the use of an explicit deny statement. You can display the count of packets denied by issuing the show access-list command. Because only packets denied by explicit deny statements are counted, you will find out more information about who your access list is disallowing if an explicit deny statement exists.
Standard ACL: R1(config)# access-list 1 deny any
Extended ACL: R1(config)# access-list 100 deny ip any any
IPv6 ACL: R1(config-ipv6-acl)# deny ipv6 any any
19.4 Standard ACLs (IPv4)
19.4.1 Configure Standard ACL
R1(config)# access-list access-list-number { deny | permit | remark } source [ source-wildcard ] [ log ]
Examples:
R1(config)# access-list 1 remark Permit hosts from the 192.168.10.0 LAN
R1(config)# access-list 1 permit 192.168.10.0 0.0.0.255
R1(config)# access-list 1 deny 192.168.0.0 0.0.255.255
Remove ACL (from router):
R1(config)# no access-list 1
19.4.2 Apply Standard ACL to Interfaces
R1(config-if)# ip access-group { access-list-number | access-list-name } { in | out }
Remove ACL (from interface):
R1(config-if)# no ip access-group 1
19.4.3 Named Standard ACL
R1(config)# ip access-list [standard | extended] name
R1(config-std-nacl)# [deny | permit | remark ] {source [source-wildcard]} [log]
R1(config-if)# ip access-group name [in | out]
Example:
19.4.4 Commenting ACLs
R1(config)# access-list access-list_number remark remark
R1(config-std-nacl)# remark remark
Remove remark:
R1(config)# no access-list access-list_number remark remark
R1(config-std-nacl)# no remark remark
19.4.5 Edit Standard Numbered ACL
Edit Numbered ACL using a text editor:
19.4.6 Edit Standard Named ACL
Add a line to a named ACL:
19.4.7 Using a Standard ACL to Secure VTY Access
If the Cisco IOS software on your router does not support SSH, you can improve the security of administrative lines by restricting VTY access (define which IP addresses are allowed Telnet access to the router). You can also use this technique with SSH to further improve administrative access security.
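One way to restrict VTY access as section 19.4.7 describes, combined with the explicit deny recommended in 19.3. This is an added example, not taken from the original manual; ACL number 21, the management subnet 192.168.10.0/24 and the VTY range 0 4 are assumptions.

```cisco
! Added example (assumed ACL number, subnet and VTY range, not from the original manual).
! Standard ACL naming the management subnet allowed to open VTY sessions
R1(config)# access-list 21 remark Management hosts allowed on the VTY lines
R1(config)# access-list 21 permit 192.168.10.0 0.0.0.255
! Explicit deny so that rejected attempts are counted and logged
R1(config)# access-list 21 deny any log
! On VTY lines the ACL is applied with access-class, not ip access-group
R1(config)# line vty 0 4
R1(config-line)# access-class 21 in
! Optional, when the image supports SSH: accept SSH only and drop Telnet
R1(config-line)# transport input ssh
R1(config-line)# end
! Verify: match counters rise for permitted and denied connection attempts
R1# show access-lists 21
R1# show running-config | section line vty
```

Apply the same access-class to every VTY line the platform has (some devices have more than lines 0 to 4); an unfiltered line remains reachable from any source.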
19.5 Extended ACLs (IPv4)
19.5.1 Configure Extended ACL
R1(config)# access-list access-list-number {deny | permit | remark} protocol source [source-wildcard] [operator operand] [port port-number or name] destination [destination-wildcard] [operator operand] [port port-number or name] [established]
Examples:
Generating port numbers:
R1(config)# access-list 100 permit tcp any any eq ?
19.5.2 Apply Extended ACL to Interfaces
R1(config-if)# ip access-group { access-list-number | access-list-name } { in | out }
19.5.3 Filter Traffic with Extended ACL
The example shown denies FTP traffic from subnet 192.168.11.0 going to subnet 192.168.10.0, but permits all other traffic. FTP uses TCP ports 20 and 21; therefore the ACL requires both port name keywords ftp and ftp-data to deny FTP.
If using port numbers instead of port names, the commands would be written as:
access-list 101 deny tcp 192.168.11.0 0.0.0.255 192.168.10.0 0.0.0.255 eq 20
access-list 101 deny tcp 192.168.11.0 0.0.0.255 192.168.10.0 0.0.0.255 eq 21
To prevent the implied deny any statement at the end of the ACL from blocking all traffic, the permit ip any any statement is added.
19.5.4 Named Extended ACL
R1(config)# ip access-list [standard | extended] name
R1(config-ext-nacl)# [deny | permit | remark ] {source [source-wildcard]} [log]
R1(config-if)# ip access-group name [in | out]
Remove ACL from router:
R1(config)# no ip access-list extended name
Remove Named Extended ACL from interface:
R1(config-if)# no ip access-group name
19.5.5 Edit Extended ACL
19.6 IPv6 ACLs
19.6.1 Default IPv6 ACL Statements
IPv6 includes an implicit "Deny All Traffic" statement at the end of each ACL (similar to every IPv4 standard or extended ACL):
deny ipv6 any any
The difference is IPv6 also includes two other implicit statements by default:
permit icmp any any nd-na
permit icmp any any nd-ns
These two statements allow the router to participate in the IPv6 equivalent of ARP for IPv4. Recall that ARP (Layer 2) is used in IPv4 to resolve Layer 3 addresses to Layer 2 MAC addresses. IPv6 uses ICMP Neighbor Discovery (ND, Layer 3) messages to accomplish the same thing. ND uses Neighbor Solicitation (NS) and Neighbor Advertisement (NA) messages.
19.6.2 Configure IPv6 ACL
Examples:
R1(config)# ipv6 access-list NO-R3-LAN-ACCESS
R1(config-ipv6-acl)# deny ipv6 2001:db8:cafe:30::/64 any
R1(config-ipv6-acl)# permit ipv6 any any
R1(config-ipv6-acl)# end
R1(config)# ipv6 access-list NO-FTP-TO-LAN-11
R1(config-ipv6-acl)# deny tcp any 2001:db8:cafe:11::/64 eq ftp
R1(config-ipv6-acl)# deny tcp any 2001:db8:cafe:11::/64 eq ftp-data
R1(config-ipv6-acl)# permit ipv6 any any
R1(config-ipv6-acl)# exit
R1(config)# interface g0/0
R1(config-if)# ipv6 traffic-filter NO-FTP-TO-LAN-11 in
R1(config-if)# end
19.6.3 Apply IPv6 ACL to Interfaces
R1(config-if)# ipv6 traffic-filter access-list-name { in | out }
19.7 Verify ACLs
R1# show access-lists
Clear counter:
R1# clear access-list counters access-list_number
R1# show ip interface interface
R1# show ipv6 interface interface
R1# show running-config
20 DHCP
20.1 Basic DHCPv4 Configuration
Exclude specific address range (for routers, servers, printers, etc.):
R1(config)# ip dhcp excluded-address low-address [high-address]
Configuring a DHCPv4 pool:
R1(config)# ip dhcp pool pool-name
Configuring specific tasks (in DHCPv4 configuration mode):
Example:
Re-enable (disable) DHCP:
R1(config)# (no) service dhcp
20.2 Verify DHCPv4
R1# show running-config | section dhcp
R1# show ip dhcp binding
R1# show ip dhcp server statistics
20.3 DHCPv4 Relay
R1(config-if)# ip helper-address dhcp-server-address
By default, the ip helper-address command forwards the following eight UDP services:
- Time (Port 37)
- TACACS (Port 49)
- DNS (Port 53)
- DHCP/BOOTP client (Port 67)
- DHCP/BOOTP server (Port 68)
- TFTP (Port 69)
- NetBIOS name service (Port 137)
- NetBIOS datagram service (Port 138)
20.4 Configure a Router as DHCP Client
R1(config-if)# ip address dhcp
20.5 Verify DHCPv4 Relay & Services
R1# show running-config | section interface interface-id
In the figure, the show running-config | include no service dhcp command verifies that the DHCPv4 service is enabled since there is no match for no service dhcp. If the service had been disabled, the no service dhcp command would be displayed in the output.
20.6 Debug DHCPv4
Verify that the router is receiving DHCPv4 requests from clients. This troubleshooting step involves configuring an ACL for debugging output. The figure shows an extended ACL permitting only packets with UDP destination ports of 67 or 68 (used by DHCPv4 clients and servers). The extended ACL is used with the debug ip packet command to display only DHCPv4 messages.
Another useful command for troubleshooting DHCPv4 operation is the debug ip dhcp server events command, which reports server events, like address assignments and database updates. It is also used for decoding DHCPv4 receptions and transmissions.
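The debugging setup described in section 20.6, written out as commands. This is an added example, not taken from the original manual; the ACL number 100 is an assumption.

```cisco
! Added example (ACL number 100 is an assumption, not from the original manual).
! Extended ACL matching only UDP destination ports 67 and 68
R1(config)# access-list 100 permit udp any any eq 67
R1(config)# access-list 100 permit udp any any eq 68
R1(config)# end
! Limit debug ip packet output to packets that match ACL 100
R1# debug ip packet 100
! Server events: address assignments and database updates
R1# debug ip dhcp server events
! Stop all debugging as soon as the capture is complete
R1# undebug all
```

Running debug ip packet without the ACL would report every process-switched packet, so the filter keeps the debug load on the router CPU and console bounded.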
20.7 DHCPv6
DHCPv6 messages from the server to the client use UDP destination port 546. The client sends DHCPv6 messages to the server using UDP destination port 547.
20.7.1 Stateless Address Autoconfiguration (SLAAC)
RA messages are configured on an individual interface of a router. To re-enable an interface for SLAAC that might have been set to another option, the M and O flags need to be reset to their initial values of 0.
R1(config-if)# no ipv6 nd managed-config-flag
R1(config-if)# no ipv6 nd other-config-flag
20.7.2 Stateless DHCPv6 (Router as Server)
R1(config-if)# ipv6 nd other-config-flag
Example:
20.7.3 Stateless DHCPv6 (Router as Client)
R1(config-if)# ipv6 enable
R1(config-if)# ipv6 address autoconfig
20.7.4 Verify Stateless DHCPv6 Server
R1# show ipv6 dhcp pool
R1# show ipv6 interface interface-id
R1# debug ipv6 dhcp detail
20.7.5 Stateful DHCPv6 (Router as Server)
R1(config-if)# ipv6 nd managed-config-flag
Example:
20.7.6 Stateful DHCPv6 (Router as Client)
R1(config-if)# ipv6 enable
R1(config-if)# ipv6 address dhcp
20.7.7 Verify Stateful DHCPv6 Server
R1# show ipv6 dhcp pool
R1# show ipv6 dhcp binding
R1# show ipv6 interface interface-id
20.7.8 DHCPv6 Relay
R1(config-if)# ipv6 dhcp relay destination dhcpv6-server-address
20.7.9 Troubleshoot/Verify DHCPv6
Troubleshooting issues with DHCPv4 and DHCPv6 involves the same tasks:
- Resolve address conflicts
- Verify physical connectivity
- Test connectivity using a static IP address
- Verify switch port configuration
- Test operation on the same subnet or VLAN
R1# show ipv6 dhcp conflict
R1# show ipv6 interface interface
R1# debug ipv6 dhcp detail
21 NAT for IPv4
21.1 Static NAT
21.1.1 Configure Static NAT
21.1.2 Verify Static NAT
21.2 Dynamic NAT
21.2.1 Configure Dynamic NAT
Example:
21.2.2 Verify Dynamic NAT
21.3 PAT (NAT Overload)
21.3.1 Configure PAT with Address Pool
Example:
21.3.2 Configure PAT with Single Address
21.3.3 Verify PAT
21.4 Port Forwarding (Tunneling)
Example:
Similar to static NAT, the show ip nat translations command can be used to verify the port forwarding.
21.5 Troubleshoot NAT
R1# debug ip nat [detailed]
debug ip nat detailed generates more overhead than debug ip nat, but it can provide the detail that may be needed to troubleshoot a NAT issue.
* (asterisk) - The asterisk next to NAT indicates that the translation is occurring in the fast-switched path. The first packet in a conversation is always process-switched, which is slower. The remaining packets go through the fast-switched path if a cache entry exists.
22 Spanning Tree
22.1 Default Switch STP Settings
22.2 Configure and Verify the Bridge ID (BID)/Priority
Method 1:
S1(config)# spanning-tree vlan vlan-id root primary
S2(config)# spanning-tree vlan vlan-id root secondary
Method 2:
S3(config)# spanning-tree vlan vlan-id priority value
S1# show spanning-tree
22.3 Configure and Verify Port Cost
Default Port Costs
Configure Port Cost:
S1(config)# interface interface-id
S1(config-if)# spanning-tree cost value
Reset Port Cost (to Default):
S1(config-if)# no spanning-tree cost
Verify Port Cost:
22.4 PortFast and BPDU Guard
When a switch port is configured with PortFast, that port transitions from blocking to forwarding state immediately, bypassing the usual 802.1D STP transition states (the listening and learning states). You can use PortFast on access ports to allow the attached devices to connect to the network immediately. PortFast is useful for DHCP. Without PortFast, a PC can send a DHCP request before the port is in forwarding state, denying the host from getting a usable IP address and other information.
In a valid PortFast configuration, Bridge Protocol Data Units (BPDU) should never be received, because that would indicate that another switch (or bridge) is connected to the port, potentially causing a spanning tree loop. When BPDU guard is enabled, it puts the port in an error-disabled state on receipt of a BPDU. This will effectively shut down the port.
S1(config)# interface interface-id
S1(config-if)# spanning-tree portfast
S1(config-if)# spanning-tree bpduguard enable
Enable PortFast on all nontrunking interfaces:
S1(config)# spanning-tree portfast default
Enable BPDU guard on all PortFast-enabled ports:
S1(config)# spanning-tree portfast bpduguard default
Verify PortFast and BPDU Guard:
S1# show running-config | begin spanning-tree
22.5 PVST+ Load Balancing
Example:
S3(config)# spanning-tree vlan 20 root primary
S3(config)# spanning-tree vlan 10 root secondary
S1(config)# spanning-tree vlan 10 root primary
S1(config)# spanning-tree vlan 20 root secondary
Alternatively:
S3(config)# spanning-tree vlan 20 priority 4096
S3(config)# spanning-tree vlan 10 priority 8192
S1(config)# spanning-tree vlan 10 priority 4096
S1(config)# spanning-tree vlan 20 priority 8192
Verify:
S1# show running-config | begin spanning-tree
22.6 Rapid PVST+
Example:
Verify:
S1# show running-config | begin spanning-tree
22.7 Analyzing the STP Topology
22.8 STP Status Overview
S1# show spanning-tree
S1# show spanning-tree vlan vlan_id
22.9 First Hop Redundancy Protocols (FHRP)
22.9.1 Hot Standby Router Protocol (HSRP)
R1(config-if)# standby [group-number] priority priority
R1(config-if)# standby [group-number] preempt [delay {minimum | reload | sync} seconds]
R1(config-if)# standby [group-number] ip ip-address [secondary]
Active Router:
R1(config-if)# standby 1 priority 150 (default priority is 100)
R1(config-if)# standby 1 preempt
R1(config-if)# standby 1 ip 192.168.1.254
Standby Router:
R2(config-if)# standby 1 ip 192.168.1.254
Disable HSRP:
R1(config-if)# no standby 1
Verify HSRP:
R1# show standby [all] [brief]
R1# show standby type number [group-number | all] [brief]
22.9.2 Gateway Load Balancing Protocol (GLBP)
R1(config-if)# glbp [group-number] priority priority
R1(config-if)# glbp [group-number] preempt [delay {minimum | reload | sync} seconds]
R1(config-if)# glbp [group-number] ip ip-address [secondary]
Active Router:
R1(config-if)# glbp 1 priority 150 (default priority is 100)
R1(config-if)# glbp 1 preempt
R1(config-if)# glbp 1 ip 192.168.1.254
R1(config-if)# glbp 1 load-balancing round-robin
Standby Router:
R2(config-if)# glbp 1 ip 192.168.1.254
R2(config-if)# glbp 1 load-balancing round-robin
Disable GLBP:
R1(config-if)# no glbp [group-number] ip ip-address [secondary]
Verify GLBP:
R1# show glbp [all] [brief]
23 EtherChannel
23.1 Link Aggregation Control Protocol (LACP)
Step 1: Specify the interfaces that compose the EtherChannel group
S1(config)# interface range interface
Step 2: Create the port channel interface
S1(config-if-range)# channel-group identifier mode active
Example:
23.2 Port Aggregation Protocol (PAgP)
Step 1: Specify the interfaces that compose the EtherChannel group
S1(config)# interface range interface
Step 2: Create the port channel interface
S1(config-if-range)# channel-group identifier mode desirable
Example:
S1(config)# interface range f0/1 - 2
S1(config-if-range)# channel-group 1 mode desirable
Creating a port-channel interface Port-channel 1
S1(config-if-range)# no shut
S2(config)# interface range f0/1 - 2
S2(config-if-range)# channel-group 1 mode auto
Creating a port-channel interface Port-channel 1
S2(config-if-range)# no shut
23.3 Verify EtherChannel
S1# show etherchannel summary
S1# show etherchannel port-channel
S1# show interface port-channel channel-number
S1# show interfaces interface etherchannel
S1# show run | begin interface Port-channel
24 Point-to-Point Connections
24.1 Configure HDLC Encapsulation
Cisco HDLC (cHDLC) is the default encapsulation method used by Cisco devices on synchronous serial lines. If connecting non-Cisco devices, use synchronous PPP.
24.2 Verify a Serial Interface
24.3 Configure PPP Encapsulation
R1(config)# interface serial 0/0/0
R1(config-if)# encapsulation ppp
24.3.1 PPP Compression
R1(config)# interface serial 0/0/0
R1(config-if)# encapsulation ppp
R1(config-if)# compress [ predictor | stac ]
24.3.2 Link Quality Monitoring
R1(config)# interface serial 0/0/0
R1(config-if)# encapsulation ppp
R1(config-if)# ppp quality 80
The ppp quality percentage command ensures that the link meets the quality requirement set; otherwise, the link closes down.
Disable LQM:
R1(config-if)# no ppp quality
24.3.3 Multilink PPP
Step 1: Create a multilink bundle.
- The interface multilink number command creates the multilink interface.
- In interface configuration mode, an IP address is assigned to the multilink interface.
- The interface is enabled for multilink PPP.
- The interface is assigned a multilink group number.
Step 2: Assign interfaces to the multilink bundle.
Each interface that is part of the multilink group:
- Is enabled for PPP encapsulation.
- Is enabled for multilink PPP.
- Is bound to the multilink bundle using the multilink group number configured in Step 1.
To disable PPP multilink, use the no ppp multilink command.
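The two multilink PPP steps of section 24.3.3 as a configuration. This is an added example, not taken from the original manual; the bundle number 1, the address 10.0.1.1/30 and the member interfaces Serial0/1/0 and Serial0/1/1 are assumptions.

```cisco
! Added example (assumed bundle number, address and interfaces, not from the original manual).
! Step 1: create the multilink bundle
R1(config)# interface multilink 1
R1(config-if)# ip address 10.0.1.1 255.255.255.252
R1(config-if)# ppp multilink
R1(config-if)# ppp multilink group 1
R1(config-if)# exit
! Step 2: bind each physical interface to the bundle
R1(config)# interface serial 0/1/0
R1(config-if)# no ip address
R1(config-if)# encapsulation ppp
R1(config-if)# ppp multilink
R1(config-if)# ppp multilink group 1
R1(config-if)# exit
R1(config)# interface serial 0/1/1
R1(config-if)# no ip address
R1(config-if)# encapsulation ppp
R1(config-if)# ppp multilink
R1(config-if)# ppp multilink group 1
R1(config-if)# end
! Verify bundle membership
R1# show ppp multilink
```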
24.3.4 PPP Authentication
To specify the order in which the CHAP or PAP protocols are requested on the interface, use the ppp authentication interface configuration command, as shown in the figure. Use the no form of the command to disable this authentication.
PAP:
CHAP:
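A two-router CHAP configuration for the ppp authentication command of section 24.3.4. This is an added example, not taken from the original manual; the hostnames R1 and R2, the interface serial 0/0/0 and the placeholder secret are assumptions.

```cisco
! Added example (assumed hostnames, interface and placeholder secret, not from the original manual).
! --- R1 ---
! The username is the hostname of the peer; the password is the shared CHAP secret
R1(config)# username R2 password <shared-secret-placeholder>
R1(config)# interface serial 0/0/0
R1(config-if)# encapsulation ppp
R1(config-if)# ppp authentication chap
R1(config-if)# end
!
! --- R2 ---
! Same secret as on R1, stored under the name of the peer
R2(config)# username R1 password <shared-secret-placeholder>
R2(config)# interface serial 0/0/0
R2(config-if)# encapsulation ppp
R2(config-if)# ppp authentication chap
R2(config-if)# end
!
! Alternative form that sets the request order: CHAP first, then PAP
! R1(config-if)# ppp authentication chap pap
!
! Verify the authentication exchange, then turn debugging off
R1# debug ppp authentication
R1# undebug all
```

With CHAP the secret itself is not sent across the link, whereas PAP transmits the password in clear text, so listing chap first (or alone) is the stronger choice.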
24.4 Verify PPP Configuration/Encapsulation
Turn off debug mode:
R1# undebug all (short: un all or u all)
25 Frame Relay
25.1 Basic Frame Relay Configuration
Step 1: Set the IP address on the interface
Step 2: Configure encapsulation
encapsulation frame-relay [cisco | ietf]
The cisco encapsulation type is the default Frame Relay encapsulation enabled on supported interfaces. Use this option if connecting to another Cisco router. Use the ietf encapsulation option if connecting to a non-Cisco router.
Step 3: Set the bandwidth
Step 4: Set the LMI type (optional)
Verify configuration:
show interfaces serial
25.2 Configure a Static Frame Relay Map
R1(config-if)# frame-relay map protocol protocol-address dlci [broadcast] [ietf] [cisco]
Use the keyword ietf when connecting to a non-Cisco router.
Verify:
A primary tool of Frame Relay is Inverse Address Resolution Protocol (ARP). Whereas ARP translates Layer 3 IPv4 addresses to Layer 2 MAC addresses, Inverse ARP does the opposite. The corresponding Layer 3 IPv4 addresses must be available before VCs can be used.
An example of using static address mapping is a situation in which the router at the other side of the Frame Relay network does not support dynamic Inverse ARP for a specific network protocol. To provide connectivity, a static mapping is required to complete the remote network layer address to local DLCI resolution.
Another example is on a hub-and-spoke Frame Relay network. Use static address mapping on the spoke routers to provide spoke-to-spoke reachability. Because the spoke routers do not have direct connectivity with each other, dynamic Inverse ARP would not work between them. Dynamic Inverse ARP relies on the presence of a direct point-to-point connection between two ends. In this case, dynamic Inverse ARP only works between hub and spoke, and the spokes require static mapping to provide reachability to each other.
Verify:
25.3 Configure Point-to-Point Subinterfaces
Subinterfaces address the limitations of Frame Relay networks by providing a way to subdivide a partially meshed Frame Relay network into a number of smaller, fully meshed, or point-to-point, subnetworks. Each subnetwork is assigned its own network number and appears to the protocols as if it were reachable through a separate interface.
Example:
25.4 Local Management Interface (LMI)
Basically, the LMI is a keepalive mechanism that provides status information about Frame Relay connections between the router (DTE) and the Frame Relay switch (DCE). Every 10 seconds or so, the end device polls the network, either requesting a dumb sequenced response or channel status information. If the network does not respond with the requested information, the user device may consider the connection to be down. When the network responds with a FULL STATUS response, it includes status information about DLCIs that are allocated to that line. The end device can use this information to determine whether the logical connections are able to pass data.
Display the LMI type:
Starting with the Cisco IOS software Release 11.2, the default LMI autosense feature detects the LMI type supported by the directly connected Frame Relay switch. Based on the LMI status messages it receives from the Frame Relay switch, the router automatically configures its interface with the supported LMI type acknowledged by the Frame Relay switch. If it is necessary to set the LMI type, use the frame-relay lmi-type [cisco | ansi | q933a] interface configuration command. Configuring the LMI type disables the autosense fe