Table of Contents -...

Table of ContentsPreface

Using the Book

Connecting to the Cisco Device

For Windows

For Linux

PART I - Routing

Learning the Basics

Command Modes

Saving Configurations

Show Commands for Information Gathering

Setting Hostname

Configuring an Ethernet Interface

Assigning an IP Address

Interface Speed and Duplex

Subinterfaces

Remote Management

Enabling Telnet

Enabling SSH

Annoying IOS Features

Asynchronous Logging

IP Domain-lookup

User Accounts and Banners

Creating a Local User Account

Service Password-Encryption

Setting Enable Secret

Creating Login and MOTD Banners

Static Routing

Next-hop Method

Exit Interface Method

Assigning IP Default Gateway

Show Commands

RIP

Starting RIP Routing Instance

Announcing Networks

Optional Tweaks

Show Commands

Debugging

What to Keep in Mind

RIP Configuration Sample

OSPF

Starting OSPF Routing Instance

Announcing Networks

Optional Tweaks

Show Commands

Debugging


OSPF Configuration Sample

EIGRP

Starting EIGRP Routing Instance

Announcing Networks

Optional Tweaks

Show Commands

Debugging


EIGRP Configuration Sample

IP Access Control List

Creating and Applying a Standard ACL

Creating and Applying an Extended ACL

Removing Specific Rules in an ACL

Show Commands

Address Translation (NAT)

PAT

Static NAT

Dynamic NAT

Show Commands

Debugging

Connecting to WAN

Configuring a Serial Interface

HDLC

PPP

Frame Relay

DHCP

Enabling DHCP Service

Defining a DHCP Pool

Excluding IP Addresses From the Leased Range

Show Commands

Debugging

Managing Configurations and Software

Backing Up Configuration

Restoring Configuration

Upgrading IOS Software

Activating IOS Software

Resetting Configuration to Factory Defaults

PART II – Switching

It’s The Same as on Routers

VLAN

Creating VLANs

Configuring an Access Interface

Show Commands

VLAN Configuration Sample

Assigning a Management IP Address

MAC Address Table

Clearing MAC Address Entries

Static MAC Address

Show Commands

Port Security

Limiting Permitted MAC Address Entries

Show Commands

IEEE 802.1q Trunk Encapsulation

Setting Interface Trunk Encapsulation Method

Setting Interface Operation Mode to Trunk

Native VLAN (Untagged)

Limiting Permitted VLANs

IEEE 802.1q Configuration Sample

VLAN Trunking Protocol (VTP)

VTP Domain

Operation Modes

VTP Pruning

Show Commands

VTP Configuration Sample

Dynamic Trunking Protocol (DTP)

EtherChannel

EtherChannel Interface Modes and Protocols

Static EtherChannel

LACP

PAgP

Show Commands

Debugging

EtherChannel Configuration Sample

Spanning-Tree Protocol (STP)

Enabling and Disabling Spanning-Tree

Primary Root

Secondary Root

Port Priority

Portfast

Uplinkfast

BPDU Guard

Spanning-Tree Operation Mode

Show Commands

Debugging

Spanning-Tree Configuration Sample

Inter VLAN Routing

Configuring Router Subinterfaces

Configuring a Switch Uplink Interface

Inter VLAN Routing Configuration Sample

PrefaceMy primary concern in writing this book has been to get you started with Cisco routers andswitches in the fastest time possible. It is a simple and practical foundation, from which youcan begin to explore further if you wish to become a network engineer.

Actual network management skills can be obtained by troubleshooting or configuring.There’s not much you can do with your knowledge of networking concepts if you are notcomfortable with the command line interface.

What can you expect of this book?

1. Easy to follow configuration instructions.

2. No pages dedicated to theory.

3. Nothing beyond what you must know for the CCNA 200-120 R&S exam.

Using the BookThe purpose of this section is to let you know how to read and use the book to your bestadvantage.

1. It’s a reference, not a novel. You’ll be given samples of configurations that you needto adjust to meet the needs of your network.

2. All commands that need to be typed into the terminal are formatted like this:

Router(config)# hostname gateway

3. Below each command is a line explaining what it does:

Router(config)# hostname gatewaySets router hostname to "gateway".

4. Notes are used to explain default characteristics of Cisco IOS in a given scenario, orto give you useful hints:

Note: “Administratively down” is the default state of all Ethernet and Serial interfaceson Cisco routers.

5. Quotes under chapter titles are only there for entertainment. Don’t take themseriously.

6. This book does not cover theory, and has a heavy focus on configuration. If you everget stuck with what a term means, just Google it!

Connecting to the Cisco DeviceMost of the Cisco enterprise-class network equipment doesn’t ship with a default IPaddress. The easiest way to apply initial configuration is to connect to your device using theConsole port. Depending on the particular device model, it may be located on the front orback side.

What will you need?

1. A serial cable.2. (Windows) Virtual terminal software, such as Putty.3. (Linux) A program called “cu”, which you can run inside the Linux terminal.

For Windows

This sample covers connecting to a Cisco device using Windows 7.

Step 1: Install Putty (free software)

1. Download software at http://www.putty.org/2. Execute installer and follow instructions

Step 2: Identify COM port number

1. Go to Device Manager2. Select "View" from the upper menu, then click on "Show Hidden Devices"3. Now expand the COM ports section. You will see the list of all active COM ports.

http://www.putty.org/

Step 3: Connect to your device

In my case, the relevant COM port number was 3, and the full port label is "COM3".

1. Open Putty2. Select “Serial” as the connection type3. Enter your COM port number in the “Serial line” field4. Click “open”

You’re done!

Would you like to enter the initial configuration dialog? [yes/no]: noRouter>

For Linux

This sample covers connecting to a Cisco device using Debian-based Linux distributions,such as Ubuntu.

Step 1: Install cu (free software)

user@linux~# sudo apt-get install cuDownloads and prompts to install “cu”, a common program.

Step 2: Identify TTY number

If you are using a serial-to-USB adapter:

user@linux~# cd /dev/ | ls –l | grep ttyUSBNavigates to the /dev/ directory and lists all teletype terminals (TTY) that have “ttyUSB”included in the name.

If you are using an old-fashioned COM port:

user@linux~# cd /dev/ | ls –l | grep ttySNavigates to the /dev/ directory and lists all teletype terminals (TTY) that have “ttyS”included in the name.

Step 3: Connect to your device

In my case, the relevant TTY number was 0, and the full TTY label was “ttyUSB0”.

user@linux~# cu /dev/ttyUSB0 –s 9600Cu starts emulating a Cisco terminal inside your Linux terminal. The parameter –sspecifies the line speed; 9600 is supported by most devices, and you really don’t needmore to apply the initial configuration.

You’re done!

Would you like to enter the initial configuration dialog? [yes/no]: noRouter>

Note to VirtualBox users:

You might be unable to identify your COM/TTY number, because the VirtualBox host hasownership of the serial cable hardware. For instance, serial-to-USB adapters can’t beshared by the host and guest systems at the same time. You can give the hardwareownership to the VirtualBox guest from the “Devices” submenu.

Part IRouting

Learning the Basics

“Would you like to enter the initial configuration dialog? [yes/no]:”

- Where am I?

Command Modes

Cisco IOS has three main command modes – user EXEC, privileged EXEC and globalconfiguration. Each command mode has its own set of commands for specificpurposes.You’ll start at user EXEC mode.

User execution mode

Some verification and troubleshooting commands are available. Often used by 1st levelhelpdesk personnel.

You can identify user execution mode by the following prompt:

Router>

There’s not much to do in this command mode for a network administrator, elevate to next

command mode by typing in enable command:

Router> enable

Moves to privileged execution mode.

Privileged execution mode

All verification and troubleshooting commands are available. Used by networkadministrators.

The “greater than” prompt changes to hash:

Router#

If you are looking to verify or troubleshoot something, you’ll find all the necessarycommands available in this command mode. If you are looking to apply a configurationchange, then elevate to the global configuration mode.

Router# configure terminal

Moves to global configuration mode.

Global configuration mode

Majority of configuration changes are applied here. Entering this command mode requiresuser to be in privileged execution mode, there are no shortcuts.

You can easily tell if you are in global configuration mode by the following prompt:

Router(config)#

This concludes the three main command modes of Cisco IOS. Type in “exit” or “end”, tomove back to privileged execution mode:

Router(config)# exit

Moves back to privileged EXEC mode.

Saving Configurations

When you make a configuration change it’s only the “running-config” (contents of DRAM)that gets updated. All configuration changes are lost in case of power outages or systemreboots unless changes were also written to “startup-config” (NVRAM).

For saving configurations navigate to privileged execution mode and use one of thecommands below:

Router# write memoryBuilding configuration...[OK]

Or

Router# copy running-config startup-configBuilding configuration...

[OK]

Both of these commands copy contents of “running-config” to NVRAM. There’s no functionaldifference.

Show Commands for Information Gathering

Show commands help you verify configurations and troubleshoot. Some of them are listedbelow.

Router> enable

Navigates to privileged execution mode.

Router# show interfaces description

Lists all interfaces and their descriptions.

Router# show interfaces summary

Shows counter summary on all interfaces.

Router# show ip interface brief

Lists all interfaces and IP address information.

Router# show interface gigabitEthernet 0/1

Shows counter summary and status of the interface specified.

Router# show running-config interface gigabitEthernet 0/1

Shows configuration of the interface specified.

Router# show version

Shows brief system hardware information, including IOS version and configuration register

value.

Router# show cdp neighbors detail

Shows detailed information of neighboring devices that have Cisco Discovery Protocolenabled.

Setting Hostname

Let’s take a look at how you can apply your very first configuration change. You can changethe router hostname in global configuration mode.

Router> enable

Navigates to privileged execution mode.


Navigates to global configuration mode.

Router(config)# hostname CupOfTea

Sets router hostname to “CupOfTea”.

Terminal prompt will change:

CupOfTea(config)#

Starting to feel like a network engineer already? Don’t forget to save the configuration!

CupOfTea(config)# exit

Navigates back to privileged execution mode.

CupOfTea# write memory

Saves changes to NVRAM.

Configuring an Ethernet Interface“Easy! Just use the ‘no shut’ command.

If the interface still doesn’t come up – try to reboot the router.”

Assigning an IP AddressRouter# show ip interface brief

Lists all available interfaces on the router. In this sample we’re going to modify configurationof the gigabitEthernet 0/0 interface.



Router(config)# interface gigabitEthernet 0/0

Moves to interface configuration mode.

Router(config-if)# ip address 192.168.101.1 255.255.255.0

Sets IPv4 address and network mask.

Router(config-if)# ipv6 address 2001:0db8:3c4d:0015:0011:0000:abcd:ed1a/64


Router(config-if)# no shutdown

Enables the interface.

Note: “Administratively down” is the default state of all Ethernet interfaces on Cisco routers.

Interface Speed and Duplex

According to best practice it’s recommended to only change interface speed and duplexsettings if you suspect that there might be a problem with auto negotiation. By default allEthernet interfaces are configured with auto negotiation setting for interface speed andduplex.

Router# show interface gigabitEthernet 0/0

Shows interface speed and duplex settings.





Router(config-if)# speed auto

Enables speed auto-negotiation. This is default setting.

Router(config-if)# speed 1000

Forces interface into 1000Mbit/s operation mode.

Router(config-if)# speed 100

Forces interface into 100Mbit/s operation mode.

Router(config-if)# duplex auto

Enables duplex auto-negotiation. This is default setting.

Router(config-if)# duplex full

Forces interface into full duplex operation mode.

Router(config-if)# duplex half

Forces interface into half duplex operation mode.

Subinterfaces

One physical interface can be divided into multiple virtual interfaces.

Router# show ip interface brief

Lists all available interfaces on your router (including subinterfaces).



Router(config)# interface gigabitEthernet 0/0.1

Creates subinterface (.1) on gigabitEthernet 0/0 and moves to subinterface configurationmode.

Router(config-subif)# ip address 192.168.1.1 255.255.255.0

Assigns IPv4 address and network mask.

Router(config-subif)# encapsulation dot1q 1

Assigns subinterface to VLAN1 broadcast domain. Sets VLAN encapsulation method todot1q.

Router(config-subif)# exit

Moves back to global configuration mode.


Creates another subinterface (.2) on gigabitEthernet 0/0 and moves to subinterfaceconfiguration mode.




Assigns subinterface to VLAN2 broadcast domain. Sets VLAN encapsulation method todot1q.

Remote ManagementThis chapter teaches you how to enable Telnet and SSH protocols.

Enabling Telnet

Telnet enables you to remotely manage router. It’s unencrypted and not very secure; thereason it’s still being used is that not all devices support SSH.

Note: Telnet sessions are prohibited by default. Without vty password configured you’llnotice a following message, when you attempt to log in to your router, using Telnet:

“Password required, but none set.”

Configuring vty password:

Router(config)# line vty 0 4

Enters into vty line configuration mode for lines 0 - 4.

Router(config-line)# password cookie

Sets password to “cookie” on vty lines 0,1,2,3 and 4.

Router(config-line)# login

Enables vty password authentication.

Enabling SSH

If your device also supports SSH it’s recommended that you use it instead of Telnet forremote management.

As a first step you must create RSA crypto key pairs.

Note: RSA crypto keys are non-exportable on Cisco routers and switches.

Router(config)# crypto key generate rsaThe name for the keys: MyRSA-KeysHow many bits in the modulus: 1024

Generates RSA crypto key pairs. These will be used for SSH encryption.

Router(config)# ip ssh version 2

Enables SSH version 2.



Router(config-line)# password cookie

Sets password to “cookie” on vty lines 0,1,2,3 and 4.

Router(config-line)# login

Enables vty password authentication.

Optional: Prohibit Telnet and permit only SSH



Router(config-line)# transport input ssh

Permits remote management over vty lines 0 – 4 only via SSH protocol.

Annoying IOS Features“What? Nothing about Cisco IOS is annoying!”

Asynchronous Logging

Log messages are informative, but by default they come with an annoying flaw. If log eventoccurs it generates a new line in the command prompt, but doesn’t include an ending linebreak after the message itself. Refer to the examples below.

Let’s say you’re working on something and the command you’re trying to execute is “writememory”. While at the middle of typing a log event occurs.

Log event with asynchronous logging:

Router# write me%LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/0,changed state to upmory

- Notice the last 4 letters (“mory”) of your command are now at the end of log eventmessage.

Log event without asynchronous logging:

Router# write me%LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/0,changed state to upRouter# write memory

- Your input remains on the same line.

Configuring synchronous logging:


Enters into line configuration mode for VTY lines 0 - 4.

Router(config-line)# logging synchronous

Forces a line break after log event.

Router(config-line)# exit


Router(config)# line console 0

Enters into line configuration mode for console line 0.

Router(config-line)# logging synchronous

Forces a line break after log event.

IP Domain-lookup

If you make a mistake when typing in commands IOS first tries to resolve input as ahostname. This causes excessive delays and makes you wonder if the router is havingperformance issues.

Router(config)# no ip domain-lookup

Disables IP domain-lookup feature.

User Accounts and Banners“

Welcome! This is the primary router: rtr-01.

You can log in with password Cisco.

Password:

“

Creating a Local User AccountRouter(config)# username joe privilege 15 secret joe

Creates a local user “joe” with full rights to all command modes. Users’ secret password isset to “joe”.

Router(config)# username joe privilege 15 password joe

Same as above but password is saved to configuration in plain-text, unless password-encryption feature is globally enabled.

Privilege level: Valid values are from 0 to 15. Higher value means more access.

Service Password-EncryptionRouter(config)# service password-encryption

Encrypts all system passwords.

Password-encryption feature: Globally encrypts all the passwords that would otherwise beadded to configuration files in plain-text.

Setting Enable SecretRouter(config)# enable secret cookie

Protects access to privileged exec mode with secret passphrase “cookie”.

Creating Login and MOTD Banners

Banners serve informational purpose. You can send out a warning to all unauthorized folksattempting to access your device by configuring a login banner. With a MOTD banner youcan share operational information with your colleagues.

Router(config)# banner login * This router belongs to company X. Unauthorizeduse is strictly prohibited. *

Sets a login message that is displayed before user authentication.

Router(config)# banner motd * Due to service migrations please do not applyany changes from 25.th to 27.th July. *

Sets a welcome message that is displayed after successful user authentication.

Message separator:

You may use any special character as a message separator instead of asterisk (*).Requirement is that the same special character must not be used inside the message itself.

Static RoutingThis chapter teaches you how to create static routes. There are 2 methods for creating astatic route – “next-hop” or “exit interface”. Use the method you prefer.

Next-hop MethodRouter(config)# ip route 10.10.20.0 255.255.255.0 192.168.1.1

Specifies that to get to 10.10.20.0/24 network next-hop to take is 192.168.1.1.

Router(config)# ipv6 route 2001:0db8:3c4d::/642001:0db8:3c99:1111:2222:3333:4444:aaa1/64

Specifies that to get to 2001:0db8:3c4d::/64 network next-hop to take is2001:0db8:3c99:1111:2222:3333:4444:aaa1/64

Exit Interface MethodRouter(config)# ip route 10.10.20.0 255.255.255.0 gigabitEthernet 0/0

Specifies that to get to 10.10.20.0/24 network packets must be sent out of thegigabitEthernet 0/0 interface.

Router(config)# ipv6 route 2001:0db8:3c4d::/64 gigabitEthernet 0/0

Specifies that to get to 2001:0db8:3c4d::/64 network packets must be sent out of thegigabitEthernet 0/0 interface.

Assigning IP Default Gateway

IP packets with destinations that don’t match any of the specified static or dynamicallylearned routes will be forwarded to default gateway. Destination address of a default routeis 0.0.0.0/0 in IPv4 and ::/0 in IPv6.

Router(config)# ip default-gateway 33.33.33.33

Sets IPv4 default gateway to 33.33.33.33.

Router(config)# ipv6 route ::/0 2001:0db8:3c99:1111:2222::1/64

Sets IPv6 default gateway to 2001:0db8:3c99:1111:2222::1/64

Show CommandsRouter# show ip route static

Shows all IPv4 static routes.

Router# show ip route

Shows full IPv4 routing table.

Router# show ipv6 static

Shows all IPv6 static routes.

Router# show ipv6 route

Shows full IPv6 routing table.

RIPThis chapter teaches you how to configure RIP protocol.

Starting RIP Routing InstanceRouter(config)# router rip

Starts RIP routing instance and moves to RIP configuration mode.

Router(config-router)# version 2

Sets RIP version to 2.

Note: Try to avoid using RIPv1 whenever possible.

Announcing NetworksRouter(config)# router rip

Starts RIP routing instance and moves to RIP configuration mode.

Router(config-router)# version 2


Router(config-router)# network 192.168.1.0

Announces network 192.168.1.0 as directly connected.

Note: By default all the RIP-announced networks are summarized to their classfulboundaries. In this case our network 192.168.1.0 will be seen as a /24 (class C) network.But what if we wanted to announce 192.168.1.0/25 instead?

To announce more specific networks via RIP protocol this auto-summarization process mustbe stopped.

Router(config-router)# no auto-summary

Disables auto summarization. Although this command also works in RIPv1 it only hasintended effect in RIPv2.

Note: With auto-summary feature disabled RIP subnet masks are based on the interfaceconfigurations.







Note: At this point the RIP announcement of 192.168.1.0/25 network should work asexpected.

Optional TweaksRouter(router-config)# distance 90

Adjusts administrative distance from 120 (default) to 90. Possible values are from 1 to 255.

Router(config-router)# no auto-summary

Disables auto summarization to classful boundaries (enabled by default).

Router(config-router)# auto-summary

Enables auto summarization.

Router(config-router)# no ip split-horizon

Disables IP split-horizon (enabled by default).

Router(config-router)# ip split-horizon

Re enables IP split-horizon.

Router(config-router)# passive interface gigabitEthernet 0/0

Sets interface Gi0/0 into passive state. RIP announcements will not be sent out of thisinterface anymore.

Show CommandsRouter# show ip rip

Shows brief overview of RIP routing processes.

Router# show ip route rip

Shows all routes learned from RIP protocol.

Router# show ip rip neighbors

Shows all RIP neighbors and their states.

Router# show ip rip database

Shows IPv4 RIP database

DebuggingRouter# debug ip rip events

Displays all RIP events.

Router# debug ip rip database

Displays RIP database events.

Router# debug ip rip bfd

Displays RIP bfd events.

Router# undebug all

Stops all debugging events.


RIP has default administrative distance of 120.

RIP is a distance-vector routing protocol.

RIP maximum hop count is 15.

RIP Configuration Sample

Objective

Configure RIP routings so that all routers know about all the networks.

Step 1: Configure the interfaces

#R-one

R-one(config)# interface gigabitEthernet 0/0


R-one(config-if)# ip address 192.168.1.1 255.255.255.252


R-one(config-if)# no shutdown


#R-two

R-two(config)# interface gigabitEthernet 0/0


R-two(config-if)# ip address 192.168.1.2 255.255.255.252


R-two(config-if)# no shutdown








#R-three

R-three(config)# interface gigabitEthernet 0/0


R-three(config-if)# ip address 192.168.1.6 255.255.255.252


R-three(config-if)# no shutdown


Step 2: Configure RIP

#R-one

R-one(config)# router rip

Starts RIP routing instance. Moves to RIP configuration mode.

R-one(config-router)# version 2


R-one(config-router)# no auto-summary

Disables auto summarization.

R-one(config-router)# network 192.168.1.0

Announces network 192.168.1.0/30 as directly connected.

#R-two

R-two(config)# router rip


R-two(config-router)# version 2


R-two(config-router)# no auto-summary


R-two(config-router)# network 192.168.1.0


R-two(config-router)# network 192.168.1.4


#R-three

R-three(config)# router rip


R-three(config-router)# version 2


R-three(config-router)# no auto-summary


R-three(config-router)# network 192.168.1.4


OSPF“Better than EIGRP, because it’s not Cisco proprietary.”

Starting OSPF Routing Instance

Every routing instance of OSPF must be assigned the process ID number.

The process ID number is only locally significant and nothing happens if other routers usedifferent process ID numbers.

Router(config)# router ospf 1

Starts OSPF routing instance with process ID set to 1. Moves to OSPF configuration mode.

Announcing Networks

In OSPF the announced network must be associated with an area type. We’re just going tostick to area 0, which represents the “core” or “backbone” area. Unlike regular subnet maskthe network size of announced networks in OSPF must be defined by wildcard mask(reverse bits).

Router(config)# router ospf 1


Router(config-router)# network 10.0.0.0 0.255.255.255 area 0

Announces network 10.0.0.0/8 as directly connected in OSPF area 0.

Router(config-router)# network 192.168.0.0 0.0.255.255 area 0


Optional TweaksRouter(router-config)# distance 100

Sets administrative distance to 100. Possible values are from 1 to 255.

Router(router-config)# event-log size 100

Sets event log cap to 100.

Router(router-config)# neighbor 99.99.99.99

Manually sets 99.99.99.99 as an OSPF neighbor.


Prevents OSPF updates to be sent out of Gi0/0 interface.

Show CommandsRouter# show ip ospf

Shows brief overview of OSPF routing processes.

Router# show ip route ospf

Shows all routes learned from OSPF protocol.

Router# show ip ospf neighbor

Shows all OSPF neighbors and their states.

Router# show ip ospf interface gigabitEthernet 0/0

Shows ospf information on Gi0/0 interface.

DebuggingRouter# debug ip ospf events

Displays all OSPF events.

Router# debug ip ospf adj

Displays OSPF adjacency and neighbor state changes.

Router# debug ip ospf hello

Displays all OSPF hello messages.

Router# undebug all



OSPF default administrative distance is 110.

OSPF is a link-state routing protocol that operates within a single AS.

OSPF area 0 is also known as the core area.

OSPF Configuration Sample

Objective

Configure OSPF routings so that all routers know about all the networks.


#Router1

Router1(config)# interface gigabitEthernet 0/0


Router1(config-if)# ip address 88.88.88.5 255.255.255.252


Router1(config-if)# no shutdown


Router1(config-if)# exit








#Router2















#Router3















Step 2: Configure OSPF

#Router1

Router1(config)# router ospf 1


Router1(config-router)# network 88.88.88.4 0.0.0.3 area 0




#Router2







#Router3







EIGRP“It’s exactly like IGRP, only the letter E is different.”

Starting EIGRP Routing Instance

Routing instances of EIGRP are started within a specified autonomous system. If you onlyuse EIGRP internally you can make up any AS number you want for yourself.

Router(config)# router eigrp 100

Starts EIGRP routing instance with the specified autonomous system number of 100.Moves to EIGRP configuration mode.

Announcing Networks

To announce networks via EIGRP wildcard mask must be used instead of subnet mask.

Router(config)# router eigrp 100

Starts EIGRP routing instance with the specified autonomous system number. Moves toEIGRP configuration mode.

Router(config-router)# network 55.55.55.0 0.0.0.3

Announces network 55.55.55.0/30 as directly connected in AS100.

Optional TweaksRouter(config-router)# no auto-summary

Disables auto summarization to classful boundaries. By default this setting is alreadydisabled on newer IOS versions.

Router(config-router)# auto-summary

Enables auto summarization.

Router(config-router)# distance 60

Sets administrative distance to 60. Possible values range from 1 to 255.

Router(router-config)# neighbor 99.99.99.99

Manually sets 99.99.99.99 as a neighbor.


Prevents EIGRP updates to be sent out of Gi0/0 interface.

Show CommandsRouter# show ip eigrp

Shows brief overview of EIGRP routing processes.

Router# show ip route eigrp

Shows all routes learned from EIGRP protocol.

Router# show ip eigrp neighbors

Shows all EIGRP neighbors and their states.

Router# show ip eigrp interface gigabitEthernet 0/0

Shows EIGRP information on Gi0/0 interface.

DebuggingRouter# debug ip eigrp notifications

Displays all EIGRP events.

Router# debug ip eigrp summary

Displays EIGRP summary route processing events.

Router# undebug all



EIGRP default administrative distance is 90.

EIGRP is a distance-vector routing protocol.

It’s Cisco proprietary.

EIGRP Configuration Sample

Objective

Configure EIGRP routings so that all routers know about all the networks.


#R-one







R-one(config-if)# exit








#R-two







R-two(config-if)# exit








#R-three







R-three(config-if)# exit








Step 2: Configure EIGRP

#R-one

R-one(config)# router eigrp 10

Starts EIGRP routing instance with the specified autonomous system number of 10. Movesto EIGRP configuration mode.

R-one (config-router)# network 33.33.33.0 0.0.0.3

Announces network 33.33.33.0/30 as directly connected in AS area 10.

R-one(config-router)# network 11.11.11.0 0.0.0.3


#R-two

R-two(config)# router eigrp 10


R-two (config-router)# network 22.22.22.0 0.0.0.3


R-two(config-router)# network 33.33.33.0 0.0.0.3


#R-three

R-three(config)# router eigrp 10


R-three (config-router)# network 22.22.22.0 0.0.0.3


R-three(config-router)# network 11.11.11.0 0.0.0.3


IP Access Control List“Can I use it to prevent my sister from accessing the internet?”

Creating and Applying a Standard ACL

IP standard access list

Filtering decisions are made based on source IP only.

Numbers 1-99 and 1300-1999 are used to define IP standard ACLs.

Router(config)# access-list 1 permit 192.168.10.0 0.0.0.255

Creates access list 1 and adds a rule that permits all packets originating from192.168.10.0/24 network.

Note: At this point our ACL has no effect because it’s not yet applied to any of theinterfaces.

--

Meanings behind the commands

Access-list: defines that we want to create or modify an ACL. 1: access list ID number which also defines that we are working with standard type ofACLs. Permit: packets that match all rule statements will be permitted.

192.168.10.0: source network address criteria. 0.0.0.255: source network wildcard mask for a /24 network.

--


Adds another permitting rule to ACL 1 that permits packets originating from192.168.20.0/24 network.

Note:

Packets originating from 192.168.10.0/24 and 192.168.20.0/24 will be permitted regardlessof service port used. All other packets that don’t match this criteria will be dropped,because of implicit deny rule at the end of every ACL.



Router(config-if)# ip access-group 1 out

Applies ACL 1 to Gi0/0 interface. Every packet that goes out of Gi0/0 interface will beinvestigated.

Creating and Applying an Extended ACL

IP extended access list

Filtering decisions are made based on source IP, destination IP, service port number and IPprotocol.

Numbers 100–199 and 2000-2699 are used to define IP extended ACLs.

Router(config)# access-list 100 permit tcp 192.168.20.0 0.0.0.255 192.168.30.00.0.0.255 eq 443

Creates an extended ACL 100, and adds a permitting rule with the following criteria:

1. Source IP is inside 192.168.20.0/24 network

2. Destination IP is inside 192.168.30.0/24 network

3. Destination service port is TCP 443 (HTTPS)

--

Meanings behind the commands

Access-list: defines that we want to create or modify an ACL. 100: access list ID number which also defines that we are working with extended typeof ACLs. Permit: packets that match rule statements will be permitted. Tcp: protocol criteria. 192.168.20.0: source network address. 0.0.0.255: source network wildcard mask for a /24 network. 192.168.30.0: destination network address. 0.0.0.255: destination network wildcard mask for a /24 network. Eq: destination port number must be “equal to”. 443: destination port number must be 443.

--

Router(config)# access-list 100 permit tcp host 192.168.20.5 host 192.168.30.6eq 80

Adds another permitting rule to extended ACL 100. This permitting rule is only for singlehost addresses.



Router(config-if)# ip access-group 100 in

Applies ACL 100 to Gi0/0 interface. Every packet that comes in from Gi0/0 will beinvestigated.

Removing Specific Rules in an ACLRouter(config)# ip access-list standard 1

Moves to ACL1 configuration mode.

Router(config-std-nacl)# no 10

Removes first rule from ACL 1.

Note: ACL rules/lines are numbered in increments of 10. First rule is nr.10, second nr.20and so on.

Show CommandsRouter# show access-lists

Shows all ACLs, rules and rule numbers.

Router# show access-list 1

Shows all ACL 1 information.

Address Translation (NAT)“NAT usually indicates a firewall in network diagrams.”

PAT

This is the most widely used NAT method. It enables multiple internal hosts to be hiddenbehind the same external IP address when communication in the public internet.

Step 1: Create NAT pool

Router(config)# ip nat pool public 20.20.20.1 20.20.20.1 netmask 255.255.255.255

Creates a NAT pool named “public” and defines an external IP address used inside thepool. IOS Syntax requires “from – to” specification for the IP addresses even if we onlywant to use single IP in the whole pool.

--

Meanings behind the commands:

Ip nat pool: defines that we want to create a NAT pool. Public: name of the NAT pool. This can be anything you prefer. 20.20.20.1: first IP address of the NAT pool. 20.20.20.1: last IP address of the NAT pool. Netmask: keyword to specify a subnet mask.

255.255.255.255: subnet mask.

--

Step 2: Create ACL


Creates ACL where we define our internal network that we want to use in addresstranslations. Network size is defined by wildcard mask.

Step 3: Specify NAT mapping

Router(config)# ip nat inside source list 1 pool public overload

Creates a NAT rule which says that outbound connections initiated from our internal network192.168.10.0/24 will be used in NAT translations. External IP will be taken from pool named“public”.

Overload subcommand

Allows NAT to translate multiple inside devices to the single address in the pool.

Step 4: Specify internal and external interfaces



Router(config-if)# ip nat inside

Defines that Gi0/0 interface leads to our private network (192.168.10.0/24).

Router(config-if)# exit

Moves back to global config mode.



Router(config-if)# ip nat outside

Defines that Gi0/1 interface leads to public internet.

Static NAT

With this method one internal host will permanently get a dedicated external IP. This iswidely used to make self-hosted web and mail servers publicly accessible.


Router(config)# ip nat inside source static 192.168.10.1 20.20.20.1

Creates a NAT rule which says that outbound connections initiated by 192.168.10.1 willalways be hidden behind 20.20.20.1.












Dynamic NAT

With this method each internal host will get a temporary external IP from a predefined pooluntil all the public connections are closed or timed out. For example if you have 8 external IPaddresses to use then only 8 internal hosts are able to concurrently browse the publicinternet.

There aren’t many business situations where this NAT method would suit the best. In shortit’s a waste of public IP addresses.

Step 1: Create NAT pool

Router(config)# ip nat pool public 20.20.20.1 20.20.20.254 netmask 255.255.255.0

Creates NAT pool named “public” and defines external IP addresses that will be used tohide outbound connections. IP addresses from 20.20.20.1 to 20.20.20.254 are used to hideoutbound connections.

Step 2: Create ACL


Creates ACL where we define our internal network that we want to use in addresstranslations. Network size is defined by wildcard mask.


Router(config)# ip nat inside source list 1 pool public

Creates a NAT rule which says that outbound connections initiated from our internal network192.168.10.0/24 will be used in NAT translations. External IP will be taken from pool named“public”.












Show Commands

Router# show ip nat translations

Shows all NAT translations.

DebuggingRouter# debug ip nat

Real-time display of all translated packets.

Router# undebug all


Connecting to WAN“Easy! I just have to plug a cable into my PC.”

Configuring a Serial Interface

Serial interfaces are typically used to interconnect client and ISP equipment.

Router(config)# interface serial 0/0/0




Router(config-if)# clock rate 64000

Sets interface clock rate to 64Kbit/s.


Enables interface.

Clock rate

If your device is DTE (client-side) you don’t need to specify clock rate. Clock rate must bespecified on DCE (service provider) equipment.

HDLC

For serial interface to work you need to specify encapsulation method, either HDLC or PPP.If you don’t specify an encapsulation method then HDLC will be used.



Router(config-if)# encapsulation hdlc

Sets encapsulation to HDLC.

Encapsulation

HDLC encapsulation is already default setting on synchronous serial interfaces and you onlyneed to use this command if you want to return to HDLC from another encapsulationmethod. Alternative encapsulation method for serial links is PPP.

PPP

PPP is an alternative to HDLC as an encapsulation method on serial links. You should use itwhen you are concerned about security. In other cases default HDLC works fine. Thisprotocol has optional authentication capabilities – PAP (Password Authentication Protocol)and CHAP (Challenge Handshake Authentication Protocol).

#Configuring PPP encapsulation method:



Router(config-if)# encapsulation ppp

Sets encapsulation method to PPP.

Optional Tweaks:

Router(config-if)# ppp quality 90

Periodically checks PPP link for quality and sets quality threshold to 90%. If link qualitygoes below 90% link will shut down. This command is useful if you have a backup linkavailable. This percentage threshold can be anything you prefer from 1 to 100.

Router(config-if)# compress mppc

Enables “mppc” compression algorithm. This reduces total traffic overhead on your seriallink. Alternative compression algorithms for PPP are “predictor” and “stac”.

#Configuring PAP (Password Authentication):

Step 1: Create a dummy user for authentication:

RouterOne(config)# username RouterTwo password PAP

Creates user “RouterTwo” with case-sensitive password set to “PAP”. This is required toverify PAP authentication with peer.

Important: It’s required that username equals hostname of the peering router and thepassword must be exactly the same for both dummy users.

RouterTwo(config)# username RouterOne password PAP

Creates user “RouterOne” with case-sensitive password set to “PAP”.

Step 2: Configure serial interface for PAP authentication:

RouterOne(config)# interface serial 0/0/0


RouterOne(config-if)# ppp authentication pap

Enables PAP authentication protocol.

RouterOne(config-if)# ppp pap sent-username RouterTwo password PAP

Sets user credentials for PAP authentication.

RouterTwo(config)# interface serial 0/0/0


RouterTwo(config-if)# ppp authentication pap

Enables PAP authentication protocol.

RouterTwo(config-if)# ppp pap sent-username RouterOne password PAP

Sets user credentials for PAP authentication.

Note: Unfortunately PAP does not encrypt user credentials when exchanging authenticationdetails. For security reasons it’s recommended to use CHAP protocol instead.

#CHAP (Challenge Handshake Authentication):

Step 1: Create a dummy user for authentication.

RouterOne(config)# username RouterTwo password PAP

Creates user “RouterTwo” with case-sensitive password set to “PAP”. This is required toverify PAP authentication with peer.

RouterTwo(config)# username RouterOne password PAP

Creates user “RouterOne” with case-sensitive password set to “PAP”.

Step 2: Configure serial interface for CHAP authentication:

RouterOne(config)# interface serial 0/0/0


RouterOne(config-if)# ppp authentication chap

Enables CHAP authentication protocol.

RouterTwo(config)# interface serial 0/0/0


RouterTwo(config-if)# ppp authentication chap

Enables CHAP authentication protocol.

Frame Relay

Frame relay is a legacy technology that is mostly replaced by MPLS today. There are nomore multipoint frame-relay clouds in modern service provider networks, but it’s quitecommon to see it configured between a service provider and client devices.

#Configuring Frame Relay:

This example covers setting up PVC 100 and 101 on separate subinterfaces. Bothsubinterfaces are configured on the same s0/0/0 physical interface.



Router(config-if)# encapsulation frame-relay ietf

Sets frame relay encapsulation type to IETF. This also affects all the subinterfaces.

Router(config-if)# frame-relay lmi-type ansi

Sets LMI type to ANSI.


Enables interface.



Router(config)# interface serial 0/0/0.100 point-to-point

Creates a point-to-point subinterface .100 on s0/0/0 and moves to subinterfaceconfiguration mode.


Sets IP address and network mask to the subinterface.

Router(config-subif)# frame-relay interface-dlci 100

Sets DLCI 100 to the subinterface.

#If you need to add another PVC just keep creating new subinterfaces:

Router(config)# interface serial 0/0/0.101 point-to-point

Creates a point-to-point subinterface .101 on s0/0/0 and moves to subinterfaceconfiguration mode.


Sets IP address and network mask to the subinterface.

Router(config-subif)# frame-relay interface-dlci 101

Sets DLCI 101 to the subinterface.

#Show commands:

Router# show frame-relay pvc

Shows status of all PVCs configured.

Router# show frame-relay map

Shows DLCI map entries.

Router# show frame-relay lmi

Shows LMI stats.

DHCPThis chapter teaches you how to configure your router as a DHCP server.

Enabling DHCP ServiceRouter(config)# service dhcp

Enables DHCP server and relay services. By default DHCP services are already enabled.

To disable DHCP:

Router(config)# no service dhcp

Disables DHCP server and relay services.

Defining a DHCP PoolRouter(config)# ip dhcp pool water

Creates a DHCP pool named “water” and moves to DHCP configuration mode. Pool namecan be anything you want.

Router(dhcp-config)# network 192.168.1.0 255.255.255.0

Specifies the range of IP addresses to be leased.

Router(dhcp-config)# default-router 192.168.1.1

Specifies the default router for the DHCP client.

Router(dhcp-config)# dns-server 192.168.1.2

Specifies the DNS server IP address.

Router(dhcp-config)# lease 2 0 0

Adjusts DHCP lease time to 2 days, 0 hours and 0 minutes. Default setting is 1 day, 0hours, 0 minutes.

Excluding IP Addresses From The Leased RangeRouter(config)# ip dhcp excluded-address 192.168.1.1 192.168.1.100

Specifies that IP addresses from 192.168.1.1 to 192.168.1.100 must not be leased viaDHCP.

Show CommandsRouter# show ip dhcp binding

Shows all DHCP bindings.

Router# show ip dhcp conflict

Lists all IP conflicts learned by DHCP server.

DebuggingRouter# debug ip dhcp server events

Real-time display of all DHCP server events.

Managing Configurations and Software“I started copying the IOS image about 10 minutes ago.

How long will it take?”

Backing Up Configuration

TFTP protocol is used to copy files between a Cisco device and a server. With appropriatesoftware any regular PC is able to act as a TFTP server.

Note: TFTP protocol uses UDP port 69.

Copying configuration to TFTP server:

Router# copy running-config tftp:Address or name of remote host []? 192.168.100.100Destination filename [Router-config]? running-config_backup

Copies “running-config” to TFTP server 192.168.100.100 and names it “running-config_backup”.

Restoring ConfigurationRouter# copy tftp: running-configAddress or name of remote host []? 192.168.100.100Source filename []? running-config_backupDestination filename [running-config]? [ENTER] key

Copies a file named “running-config_backup” from TFTP server 192.168.100.100 to routerand loads its contents into “running-config”.

Alternatively you can copy the configuration file to NVRAM so that changes won’t becomeactive before system reboot.

Router# copy tftp: startup-config… same as the above

Upgrading IOS Software

Step 1: Copy new IOS image from TFTP server to router

Router# copy tftp flash:>Address or name of remote host? 192.168.100.100>source filename? /etc/ios_images/c3800-universalk9-mz.150-1.bin>Destination filename? c3800-universalk9-mz.150-1.bin

Fetches new IOS image from TFTP server to flash memory.

Step 2: Update system boot sector

Router(config)# boot system flash: c3800-universalk9-mz.150-1.bin

Instructs system to load from the new software image after next reboot.

Step 3: Save configuration and reboot router

Router# write memory

Saves configuration to startup-config (NVRAM).

Router# reload

Reboots the system.

Step 4 (optional): Delete old software image

Router# dir flash:

Lists all contents on flash memory. Software images have “.bin” file extension.

Router# delete flash:c3800-lanbase-mz.150-0.bin

Deletes old software image that is no longer needed.

Activating IOS Software

Below is the standard procedure of IOS software activation.

Step 1 of 5: Obtain PAK

This is provided to you when you purchase a software image or additional feature set.Check your E-Mail inbox or delivery notes.

Step 2 of 5: Obtain UDI

Switch# show license udi

Displays UDI values that can be licensed.

Step 3 of 5: Generate License

Go to: http://www.cisco.com/go/license

Follow instructions and generate license. PAK and UDI are required for this step. Copyreceived license file to TFTP server.

Step 4 of 5: Install License

Switch# license install tftp://srv/ios_licenses/29a.lic

Installs license from “29a.lic” file located on TFTP server.

Step 5 of 5: Reboot the system

Switch# reload

After next reboot system will load with the new feature set enabled.

Resetting Configuration to Factory DefaultsRouter# erase startup-config

Removes statup-config file on NVRAM.

Router# reload

Reboots router. Do not save changes to NVRAM at this point.

If everything is done correctly you will see the prompt indicating the system loaded fromdefault configuration file:

http://www.cisco.com/go/license

Would you like to enter the initial configuration dialog? [yes/no]:

I’m sure you already know what the right answer to this question is.

Resetting a switch configuration to factory defaults requires you to type in one additionalcommand:

Switch# delete flash:vlan.dat

Removes VLAN database (vlan.dat file) on flash memory.

Part IISwitching

It’s The Same as on RoutersDidn’t find the chapter you were looking for in “Part II – Switching”? Please refer tochapters in “Part I – Routing”.

Many aspects about configuring a switch are exactly the same as on routers.

VLANThis chapter teaches you how to configure isolated broadcast domains (VLANs).

Creating VLANsSwitch(config)# vlan 2

Creates VLAN2 broadcast domain and moves to VLAN configuration mode.

Switch(config-vlan)# name “Network Administrators”

Sets optional VLAN name.

Configuring an Access InterfaceSwitch(config)# interface range gigabitEthernet 0/1

Enters into interface configuration mode.

Switch(config-if)# switchport mode access

Sets interface to access mode. This prevents all trunk negotiations and permits operation ofa single VLAN on the interface.

Switch(config-if)# switchport access vlan 2

Assigns interface to VLAN2 broadcast domain.

Show CommandsSwitch# show vlan brief

Lists all VLANs and the interfaces they are currently active on.

Switch# show vlan id 5

Shows information about a particular VLAN.

Switch# show running-config interface vlan 5

Shows running-config of a particular virtual VLAN interface.

VLAN Configuration Sample

Objective

Configure VLANs and switch interfaces as in network diagram.

Step 1: Create VLANs

L2Switch(config)# vlan 5


L2Switch(config-vlan)# name “Business Management”


L2Switch(config-vlan)# vlan 10


L2Switch(config-vlan)# name “Network Administrators”




L2Switch(config-vlan)# name “Software Developers”




L2Switch(config-vlan)# name “Wireless Users”



Note: We’re using the “interface range” command to concurrently apply identicalconfigurations to multiple interfaces.

L2Switch(config)# interface range gigabitEthernet 0/1 — 32

Enters into interface range configuration mode.

L2Switch(config-if-range)# switchport mode access

Sets interfaces to access mode.

L2Switch(config-if-range)# exit


#Business management



L2Switch(config-if-range)# switchport access vlan 5

Assigns interfaces to VLAN5 broadcast domain.


Navigates back to global config mode.

#Network administrators







#Software developers







#Wireless users







Assigning a Management IP Address“Switches can’t have IP addresses because they are layer 2 devices.”

Assigning a management IP address:

Switch(config)# vlan 10

Creates regular VLAN10 broadcast domain and moves to VLAN configuration mode.

Switch(config-vlan)# name “Dedicated Management VLAN”

Sets an optional VLAN name.

Switch(config-vlan)# exit


Switch(config)# interface vlan 10

Creates virtual VLAN interface 10 and moves to VLAN interface configuration mode.

Switch(config-if)# description “Management interface”

Sets optional interface description.

Switch(config-if)# ip address 192.168.10.15 255.255.255.0


Note: To remotely manage a switch via Telnet or SSH you must also configure the vty lines.Please refer to “Remote Management” chapter in Part I – Routing.

MAC Address TableVerifying MAC address entries is usually the first thing administrator does to troubleshootany potential layer-2 issues.

This chapter teaches you a couple of things related to MAC addresses.

Clearing MAC Address EntriesSwitch# clear mac address-table

Clears all MAC address entries.

Switch# clear mac address-table dynamic

Clears MAC address entries that are dynamically learned by switch. Static MAC addressesentered by network administrator will remain in the table.

Static MAC AddressSwitch(config)# mac address-table static aa:bb:aa:bb:aa:bb vlan 10 interfacegigabitEthernet 0/10

Enters a static MAC address entry to Gi0/10 interface.

Switch(config)# no mac address-table static aa:bb:aa:bb:aa:bb vlan 10 interfacegigabitEthernet 0/10

Removes static MAC address entry from Gi0/10 interface.

Show CommandsSwitch# show mac address-table

Shows all MAC address entries.

Switch# show mac address-table interface gigabitEthernet 0/1

Shows MAC address entries on a specific interface.

Switch# show mac address-table address aa:bb:cc:00:11:22

Shows an interface that has learned MAC address “aa:bb:cc:00:11:22”.

Port SecurityPort security features help to secure network from unauthorized access. All of thesefeatures are optional and not required.

Limiting Permitted MAC Address EntriesSwitch(config)# interface gigabitEthernet 0/10


Switch(config-if)# switchport port-security

Enables port security on the interface.

Switch(config-if)# switchport port-security maximum 1

Limits allowed MAC address entries to maximum of 1 on the port.

Switch(config-if)# switchport port-security mac-address aa:bb:cc:dd:00:11

Sets a static secure MAC address entry into MAC address table.

Switch(config-if)# switchport port-security violation protect

Configures port to drop frames of unauthorized MAC addresses. Authorized MACaddresses can still send and receive frames.

Switch(config-if)# switchport port-security violation shutdown

Configures port to err-disable itself if a violation occurs. This also affects frames ofauthorized MAC address.

Show CommandsSwitch# show port-security

Shows all port security information on all interfaces.

Switch# show port-security interface gigabitEthernet 0/10

Shows port security information on gigabitEthernet 0/10 port.

IEEE 802.1q Trunk Encapsulation

“Trunk is the word you can use to describe me on Fridays and Saturdays.

I’ve tried IEEE 802.1q just once, it burns like hell!”

Setting Interface Trunk Encapsulation MethodSwitch(config)# interface gigabitEthernet 0/1

Enters to interface configuration mode.

Switch(config-if)# switchport trunk encapsulation dot1q

Sets trunk encapsulation method to dot1q.

Setting Interface Operation Mode to TrunkSwitch(config-if)# switchport mode trunk

Sets interface operation mode to trunk.

Native VLAN (Untagged)

By default all VLANs on a trunk link are tagged except for VLAN1. In more complicatednetwork setups it’s often required to have another VLAN as untagged. This can beaccomplished by setting another VLAN as the native VLAN.

Switch(config-if)# switchport trunk native vlan 10

Sets VLAN10 as native VLAN. Frames belonging to VLAN10 broadcast domain will beuntagged.

Note: Native VLAN must be the same on both ends of the trunk link. In case of native VLANmismatch the trunk link will fail.

Limiting Permitted VLANs

All VLANs are permitted on trunk interfaces by default. In production networks it’s not themost optimal setting due to security reasons.

Switch(config-if)# switchport trunk allowed vlan 10,20

Permits VLANs 10 and 20. All the other VLANs are now prohibited.

Restoring a situation where all VLANs are permitted:

Switch(config-ig)# switchport trunk allowed vlan all

Permits all VLANs on a trunk interface. This is also the default setting.

Adding and removing permitted VLANs:

Switch(config-if)# switchport trunk allowed vlan add 30

Adds VLAN30 to the list of permitted VLANs.

Switch(config-if)# switchport trunk allowed vlan remove 30

Removes VLAN30 from the list of permitted VLANs.

IEEE 802.1q Configuration Sample

Objective

Configure interface Gi0/1 as in network diagram. Restrict permitted VLANs to only thosethat are required. Also note that the frames of VLAN99 broadcast domain must beuntagged.

Step 1: Configure interface operation mode and encapsulation method

L2Switch(config)# interface gigabitEthernet 0/1

Enters to interface configuration mode.

L2Switch(config-if)# switchport trunk encapsulation dot1q


L2Switch(config-if)# switchport mode trunk

Sets interface operation mode to trunk.

Step 2: Specify native (untagged) VLAN

L2Switch(config-if)# switchport trunk native vlan 99

Sets native VLAN to 99.

Step 3: Prohibit unrequired VLANs

L2Switch(config-if)# switchport trunk allowed vlan 11,12,13,99

Permits VLANs 11, 12, 13 and 99. All the other VLANs are now prohibited.

VLAN Trunking Protocol (VTP)“This protocol converts VLANs into trunks.”

VTP DomainSwitch(config)# vtp domain vtp-domain.com

Assigns switch to VTP domain named “vtp-domain.com”.

Switch(config)# vtp password coffee

Sets VTP domain password to “coffee”.

Note: VTP password is an optional security feature.

Operation Modes

There are 3 VTP operation modes - server, transparent and client. Below is a briefdescription regarding the behavior of the switch, assuming all of the switches are configuredin the same VTP domain.

VTP Server

Propagates own VLAN database to neighboring switches.

VTP Transparent

Shares propagations of VTP server with neighboring switches and updates own VLANdatabase.

VTP Client

Updates own VLAN database only. VTP server propagations are not shared withneighboring switches.

Switch(config)# vtp mode server

Sets VTP operation mode to server. This is also default setting on all Cisco switches.

Switch (config)# vtp mode transparent

Sets VTP operation mode to transparent.

Switch(config)# vtp mode client

Sets VTP operation mode to client.

Note: There’s no command to disable VTP globally. However, if you don’t want to use VTPyou can set VTP operation mode to “transparent” on all the switches in your network, andrefrain from configuring any VTP domains.

VTP Pruning

VTP Pruning is an optional performance tweak. VTP pruning reduces bandwidthconsumption by restricting flooded traffic only to those trunk links that must be used toreach the destination.

Switch(config)# vtp pruning

Enables VTP pruning (disabled by default).

Note: VTP pruning only needs to be configured on the VTP server switch.

Show CommandsSwitch# show vtp status

Shows VTP mode and VTP domain information.

Switch# show vtp password

Used to verify if VTP administrative domain is protected by a password.

VTP Configuration Sample

Objective

Configure VTP for standard hierarchy – core (VTP server), distribution (VTP transparent)and access (VTP client).

All interfaces operate in trunk mode with dot1q encapsulation.

Step 1: Configure VTP server switch

Coral(config)# vtp mode server

Sets VTP operation mode to server.

Coral(config)# vtp domain vtp-domain.com


Step 2: Configure VTP transparent switch

Amber(config)# vtp mode transparent

Sets VTP operation mode to transparent.

Amber(config)# vtp domain vtp-domain.com


Step 3: Configure VTP client switches

Opal(config)# vtp mode client

Sets VTP operation mode to client.

Opal(config)# vtp domain vtp-domain.com


Jade(config)# vtp mode client

Sets VTP mode to client.

Jade(config)# vtp domain vtp-domain.com


Dynamic Trunking Protocol (DTP)“l usually configure DTP in case I want to increase

network complexity for no reason.“

Configuring DTP:

Switch(config)# interface gigabitEthernet 0/1


Switch(config-if)# switchport mode dynamic desirable

Makes interface attempt to establish a trunk link. Interface generates DTP frames andresponds to them if received.

Note: Trunk link is established if a neighboring interface is set to desirable, auto or trunk.

Switch(config-if)# switchport mode dynamic auto

Makes interface able to establish a trunk link. Interface won’t generate DTP frames butresponds to them if received.

Note: Trunk link is established if neighboring a interface is set to desirable or trunk.

Switch(config-if)# switchport nonegotiate

Prevents interface from participating in DTP negotiations.

EtherChannelEtherChannel technology allows grouping of 2-8 physical Ethernet interfaces to create onelogical interface for the purpose of providing high-speed interconnect links.

EtherChannel Interface Modes and ProtocolsMode ON / No Protocol

Forces interface into EtherChannel without negotiation.

Mode Desirable / PAgP Protocol

Initiates EtherChannel negotiation.

Mode Auto / PAgP Protocol

Does not initiate EtherChannel negotiation, but responds to PAgP frames.

Mode Active / LACP Protocol

Initiates EtherChannel negotiation.

Mode Passive / LACP Protocol

Does not initiate EtherChannel negotiation, but responds to LACP frames.

Static EtherChannelSwitch(config)# interface range gigabitEthernet 0/1 – 2

Moves into interface-range configuration mode.

Switch(config-if-range)# channel-group 1 mode on

Assigns interfaces into EtherChannel group 1. Forces interfaces into EtherChannel withoutnegotiation.

Note: For EtherChannel to be established both ends of the connection must have channel-group mode set to “on”.

LACPSwitch(config)# interface range gigabitEthernet 0/1 – 2


Switch(config-if-range)# channel-group 1 mode active

Assigns interfaces into EtherChannel group 1. Sets slave interfaces into negotiation initiatingstate and forces use of LACP protocol.

Switch(config-if-range)# channel-group 1 mode passive

Assigns interfaces into EtherChannel group 1. Sets slave interfaces into passive negotiationstate and forces use of LACP protocol.

Note: For EtherChannel to be established at least one end of the connection must havechannel-group mode set to “active”, while the other end must be set to “passive” or “active”.

PAgPSwitch(config)# interface range gigabitEthernet 0/1 – 2


Switch(config-if-range)# channel-group 1 mode desirable

Assigns interfaces into EtherChannel group 1. Sets slave interfaces into negotiation initiatingstate and forces use of PAgP protocol.

Switch(config-if-range)# channel-group 1 mode auto

Assigns interfaces into EtherChannel group 1. Sets slave interfaces into passive negotiationstate and forces use of PAgP protocol.

Note: For EtherChannel to be established one or both ends of the connection must havechannel-group mode set to “desirable”, while the other end must be set to “desirable” or“auto”.

Show CommandsSwitch# show etherchannel summary

Shows all EtherChannels and assigned slave interfaces.

Switch# show interfaces port-channel 1

Shows EtherChannel1 status and counters.

Switch# show running-config interface port-channel 1

Shows configuration of EtherChannel1.

Switch# show etherchannel detail

Shows detailed information of all EtherChannels.

DebuggingSwitch# debug etherchannel all

Real-time display of all EtherChannel events.

Switch# debug lacp all

Real-time display of all LACP events.

Switch# debug pagp all

Real-time display of all PAgP events.

Switch# undebug all


EtherChannel Configuration Sample

Objective

Configure some 2-port EtherChannels as shown in network diagram. Dynamic EtherChannelnegotiations should only be initiated by Distribution switch.

All the switch interfaces shown in diagram operate as IEEE 802.1q encapsulated trunks.

Step 1: Configure LACP EtherChannel

Distribution(config)# interface range gigabitEthernet 0/47 – 48


Distribution(config-if-range)# channel-group 1 mode active

Assigns interfaces gi0/47 and gi0/48 into EtherChannel group 1. Sets slave interfaces intonegotiation initiating state and forces use of LACP protocol.

Access1(config)# interface range gigabitEthernet 0/47 – 48


Access1(config-if-range)# channel-group 1 mode passive

Assigns interfaces gi0/47 and gi0/48 into EtherChannel group 1.

Sets slave interfaces into passive negotiation state and forces use of LACP protocol.

Step 2: Configure PAgP EtherChannel



Distribution(config-if-range)# channel-group 2 mode desirable

Assigns interfaces gi0/45 and gi0/46 into EtherChannel group 2. Sets slave interfaces intonegotiation initiating state and forces use of PAgP protocol.



Access2(config-if-range)# channel-group 2 mode auto

Assigns interfaces gi0/45 and gi0/46 into EtherChannel group 2.

Sets slave interfaces into passive negotiation state and forces use of PAgP protocol.

Step 3: Configure Static EtherChannel



Distribution(config-if-range)# channel-group 3 mode on

Assigns interfaces gi0/43 and gi0/44 into EtherChannel group 3. Forces interfaces intoEtherChannel without negotiation.



Access3(config-if-range)# channel-group 3 mode on

Assigns interfaces gi0/43 and gi0/44 into EtherChannel group 3. Forces interfaces intoEtherChannel without negotiation.

Spanning-Tree Protocol (STP)This chapter teaches you how to configure STP and its optional features.

Enabling and Disabling Spanning-Tree

Most Cisco switches come with STP enabled by default. Default operation mode isPVST/PVST+ (one instance per VLAN). It means is that most likely you don’t have toenable spanning-tree yourself; it’s already operational out of the box.

Enabling Spanning-Tree:

Switch(config)# spanning-tree vlan 1

Enables STP on VLAN1.

Disabling Spanning-Tree:

Switch(config)# no spanning-tree vlan 1

Disables STP on VLAN1.

Switch(config)# no spanning-tree vlan all

Disables STP on all VLANs.

Primary RootSwitch(config)# spanning-tree vlan 1 root primary

Alters switch bridge priority for VLAN1, allowing it to become primary root for VLAN1.

Secondary RootSwitch(config)# spanning-tree vlan 1 root secondary

Alters switch bridge priority for VLAN1, allowing it to become secondary root for VLAN1.

Port Priority

I highly recommended that you only configure spanning-tree topology using “root primary”and “root secondary” commands. However, these 2 commands alone don’t alwaysguarantee the results you want.

Configuring port priority is one way of ensuring that a particular interface will be put intoforwarding or blocking state.



Switch(config-if)# spanning-tree vlan 1 port-priority 32

Sets port-priority value to 32.

Note: Port-priority can be set in increments of 16 from 0 to 240. Lower number means theinterface is more likely to be put into forwarding state. This parameter must be configuredon an interface that is closer to the root switch.

Portfast

Normal STP convergence time is 50 seconds and the end user traffic is blocked untildesignated port reaches the forwarding state.

The STP “portfast” command can be used to speed up convergence on ports that areconnected to workstations or servers.

Switch(config-if)# spanning-tree portfast

Applies STP portfast configuration on an access port.

Switch(config-if)# spanning-tree portfast trunk

Applies STP portfast configuration on a trunk port.

Uplinkfast

STP Uplinkfast configuration allows the switch to quickly failover to secondary root port if itdetects a failure on the primary root port.

This parameter should only be configured on the uplink ports.

Switch(config-if)# spanning-tree uplinkfast

Applies STP uplinkfast configuration.

Note: With STP uplinkfast configuration the secondary root port moves from blocking stateto forwarding in less than 5 seconds.

BPDU Guard

As an optional security feature BPDU guard can be configured to prevent end user devicesfrom affecting the STP topology. It should not be applied to ports that are connected toother switches as it prevents incoming STP frames.

Switch(config)# spanning-tree portfast bpduguard default

Globally enables BPDU guard on all interfaces that have portfast configuration (disabled bydefault).

Switch(config)# errdisable recovery cause bpduguard

Allows error-disabled interface to re-enable itself after recovery interval has been reached(300 seconds by default).

Switch# show spanning-tree summary totals

Used to verify if BDPU guard is enabled or disabled.

Spanning-Tree Operation ModeSwitch(config)# spanning-tree mode pvst

Sets STP mode to PVST/PVST+ (creates separate STP instance per each VLAN).

Note: PVST/PVST+ is default spanning-tree operation mode on Cisco switches. PVST+mode extends regular PVST so that IEEE 802.1q encapsulation can be utilized. RegularPVST only worked if trunk links were ISL encapsulated.

Rapid-PVST mode:

Switch(config)# spanning-tree mode rapid-pvst

Sets STP mode to rapid-pvst.

For Rapid-PVST mode to work you need to set interface link-type to either point-to-point orshared.



Switch(config-if)# spanning-tree link-type point-to-point

Sets STP link-type to point-to-point.

Or Switch(config-if)# spanning-tree link-type shared

Sets STP link-type to shared.

Show CommandsSwitch# show spanning-tree

Shows general STP information.

Switch# show spanning-tree brief

Shows brief overview of STP.

Switch# show spanning-tree vlan 10

Shows STP information on VLAN10 instance.

Switch# show spanning-tree detail

Shows detailed STP information.

DebuggingSwitch# debug spanning-tree all

Real-time display of all STP events.

Switch# debug spanning-tree switch state

Real-time display of STP interface state changes.

Switch# debug spanning-tree uplinkfast

Real-time display of STP UplinkFast events.

Switch# undebug all


Spanning-Tree Configuration Sample

Objective

Configure spanning-tree protocol as in network diagram. See detailed description below.

Data Core switch:

a) Primary root for VLAN5.

b) Secondary root for VLAN10.

c) Gi0/46 – 48: Dot1q trunk ports connected to other switches.

Voice Core switch:

a) Primary root for VLAN10.

b) Secondary root for VLAN5.

c) Gi0/46 – 48: Dot1q trunk ports connected to other switches.

Floor1 Access switch:a) Gi0/11 – 20: Access ports connected to user PCs.

b) Gi0/21 – 30: Access ports connected to user IP phones.

c) Gi0/47: Forwards VLAN10 frames; blocks VLAN5 frames. Is standby as a failover linkfor VLAN5. Dot1q trunk port connected to other switch.

d) Gi0/48: Forwards VLAN5 frames; blocks VLAN10 frames. Is standby as a failover linkfor VLAN10. Dot1q trunk port connected to other switch.

Floor2 Access switch:a) Gi0/11 – 20: Access ports connected to user PCs.

b) Gi0/21 – 30: Access ports connected to user IP phones.

c) Gi0/47: Forwards VLAN5 frames; blocks VLAN10 frames. Is standby as a failover linkfor VLAN10. Dot1q trunk port connected to other switch.

d) Gi0/48: Forwards VLAN10 frames; blocks VLAN5 frames. Is standby as a failover linkfor VLAN5. Dot1q trunk port connected to other switch.

Step 1: Configure Data Core switch

#Create VLANs

Data Core(config)# vlan 5

Creates VLAN5 and moves to VLAN configuration mode.

Data Core(config-vlan)# name “PC Data”

Sets a VLAN name.

Data Core(config-vlan)# vlan 10


Data Core(config-vlan)# name “Voice”

Sets a VLAN name.

Data Core(config-vlan)# exit


# Adjust switch bridge priority

Data Core(config)# spanning-tree vlan 5 root primary

Adjusts switch bridge priority for VLAN5, allowing it to become the primary root for VLAN5.

Data Core(config)# spanning-tree vlan 10 root secondary

Adjusts switch bridge priority for VLAN10, allowing it to become the secondary root forVLAN10.

#Configure trunk interfaces

Data Core(config)# interface range gigabitEthernet 0/46 - 48


Data Core(config-if)# switchport trunk encapsulation dot1q


Data Core(config-if)# switchport mode trunk

Forces interface into trunk mode.

Data Core(config-if)# exit


Step 2: Configure Voice Core switch

#Create VLANs


Voice Core(config-vlan)# name “PC Data”

Sets a VLAN name.

Voice Core(config-vlan)# vlan 10


Voice Core(config-vlan)# name “Voice”

Sets a VLAN name.

Voice Core(config-vlan)# exit


# Adjust switch bridge priority

Voice Core(config)# spanning-tree vlan 10 root primary

Alters switch bridge priority for VLAN10, allowing it to become the primary root for VLAN10.

Voice Core(config)# spanning-tree vlan 5 root secondary

Alters switch bridge priority for VLAN5, allowing it to become secondary root for VLAN5.


Voice Core(config)# interface range gigabitEthernet 0/46 - 48

Moves to interface configuration mode

Voice Core(config-if)# switchport trunk encapsulation dot1q


Voice Core(config-if)# switchport mode trunk


Voice Core(config-if)# exit


Step 3: Configure Floor1/Floor2 Access switch

#Create VLANs

Access Switch(config)# vlan 5


Access Switch(config-vlan)# name “PC Data”

Sets a VLAN name.

Access Switch(config-vlan)# vlan 10


Access Switch(config-vlan)# name “Voice”

Sets a VLAN name.

Access Switch(config-vlan)# exit



Access Switch(config)# interface range gigabitEthernet 0/47 - 48


Access Switch(config-if)# switchport trunk encapsulation dot1q


Access Switch(config-if)# switchport mode trunk


Access Switch(config-if)# spanning-tree uplinkfast

Applies STP uplinkfast configuration.

Access Switch(config-if)# exit


#Configure access interfaces


Moves to interface range configuration mode.

Access Switch(config-if)# switchport mode access

Forces interface into access mode.

Access Switch(config-if)# switchport access vlan 5


Access Switch(config-if)# spanning-tree portfast

Applies STP portfast configuration.




Moves to interface range configuration mode.






Applies STP portfast configuration.



Inter VLAN RoutingThis chapter teaches you how to make cross-VLAN communication possible.

Configuring Router Subinterfaces

# Enable the physical interface:



Router(config-if)#no shutdown


Router(config-if)#exit


# Create 1 subinterface per-VLAN:


Creates subinterface (.1) on gigabitEthernet 0/0 and moves to subinterface configurationmode.




Assigns VLAN1 to subinterface. Sets VLAN encapsulation method to dot1q.

Router(config-subif)# exit



Creates another subinterface (.2) on gigabitEthernet 0/0 and moves to subinterfaceconfiguration mode.





Configuring a Switch Uplink Interface

A switch interface connected to a router must be configured as IEEE 802.1q encapsulatedtrunk.



Switch(config-if)# switchport trunk encapsulation dot1q


Switch(config-if)# switchport mode trunk


Inter VLAN Routing Configuration Sample

Objective

Configure VLANs and switch interfaces as in network diagram. Configure interVLAN routing using a router to make communication between 192.168.6.0/24and 192.168.7.0/24 networks possible.

Step 1: Configure Gateway Router

#Enable the physical interface

Gateway Router(config)# interface gigabitEthernet 0/0


Gateway Router(config-if)# no shutdown

Enables interface.

Gateway Router(config-if)# exit


#Configure virtual subinterfaces

Gateway Router(config)# interface gigabitEthernet 0/0.6

Creates subinterface .6 on gigabitEthernet 0/0 and moves to subinterface configurationmode.

Gateway Router(config-subif)# ip address 192.168.6.1 255.255.255.0


Gateway Router(config-subif)# encapsulation dot1q 6


Gateway Router(config-subif)# exit







Assigns VLAN 7 to subinterface. Sets VLAN encapsulation method to dot1q.

Gateway Router(config-subif)# exit







Assigns VLAN 50 to subinterface. Sets VLAN encapsulation method to dot1q.

Step 2: Configure Access Switch

#Create VLANs



Access Switch(config-vlan)# name “Webserver Network”

Sets a VLAN name.





Access Switch(config-vlan)# name “Database Network”

Sets a VLAN name.





Access Switch(config-vlan)# name “Management Network”

Sets a VLAN name.



#Assign a management IP address and default gateway

Access Switch(config)# interface vlan 50

Creates virtual VLAN interface 10 and moves to VLAN interface configuration mode.

Access Switch(config-if)# description “Management interface”

Sets optional interface description.

Access Switch(config-if)# ip address 192.168.50.6 255.255.255.0




Access Switch(config)# ip default-gateway 192.168.50.1

Assign IP default-gateway.

#Configure the trunk interface

Access Switch(config)# interface gigabitEthernet 0/48


Access Switch(config-if)# switchport trunk encapsulation dot1q


Access Switch(config-if)# switchport mode trunk




#Configure access interfaces








Applies STP portfast configuration for fast recovery.










Applies STP portfast configuration for fast recovery.


With Best Wishes, And Many ThanksReferences

If you don't have real Cisco equipment to practice on, I recommend that you start withnetwork simulation software, such as GNS3 or Packet Tracer.

Network simulation software GNS3, Cisco IOS emulator Dynamips

www.gns3.net

Cisco networking academy, Packet Tracer software

www.netacad.net

--

Contact

Want to ask something or give feedback? Please send me an Email.

[email protected]

Wish you all the best!

Hannes Rapp

http://www.netacad.net

mailto:ConfGuide%40gmail.com

Table of Contents -...

Documents

Transcript of Table of Contents -...