or Syntax checking Use the command history and editing features The following table highlights the Cisco IOS command editing features. Show history Terminal history size Terminal no editing Terminal editing Move to the beginning of the command line Move to the end of the command line Move forward one character Move back one character Backs you out of configuration mode Up arrow or last (previous) command line Down arrow or more recent command recall Entry completion Move back one word Move forward one word Show command buffer Set command buffer size Disable advanced editing features Re-enable advanced editing Examine router elements (RAM, ROM, CDP, show) Router Components RAM / DRAM Hint: Holds all running information when router is powered on, large around 8 to 32mb. Stores routing tables, ARP cache, fast switching cache, packet buffering (shared RAM), and packet hold queues. RAM also provides temporary and running memory for the router's configuration file while the router is powered on. RAM memory is cleared when the router is shutdown or reloaded. NVRAM Hint: Holds configuration file for router startup, small around 32k. Non volatile RAM stores the router's backup configuration file and retains information when the router is shutdown or reloaded. Flash - Hint: Holds IOS when router is powered down, large around 8 to 32mb. Erasable, reprogrammable ROM. Flash memory holds the operating system image and micro-code and allows the update of the IOS software without removing or replacing microchips. Flash content is retained when you power down or restart. Another note is that multiple copies of the IOS can be stored in flash memory if storage space permits. ROM Hint: Holds POST and BOOTSTRAP code when router is powering up. Contains power on diagnostics, a bootstrap program, and operating system software. Unfortunately, to upgrade one must remove and replace chips on the main board. Interfaces Hint: Where data moves in and out of the router. Network connections through which packets enter and exit the router. Interfaces are on the motherboard or on separate interface modules. Router Modes User EXEC mode A "read only" mode in that the user can view some information about the router, but cannot change anything or view specific configuration information. Privileged EXEC mode Supports the debugging and testing commands, detailed examination of the router, manipulation of configuration files, and access to configuration modes. All information is available to an administrator in this mode along with the ability to change system settings. Manage configuration files from the Privileged exec mode Configuration command summary Router configuration information can be displayed by several methods. “EXEC” mode commands can be used to configure from either a virtual terminal or a console terminal. Privileged mode commands can also be used to load a configuration from a network TFTP server meaning an administrator can maintain centralized configuration at a single site. Configure terminal Configure memory Copy tftp running config Copy run startup config Show running config Copy running config tftp Show startup config Erase startup config Configure manually from the console terminal Load configuration information from NVRAM Load configuration information from a network TFTP server. Store the current configuration in RAM into NVRAM. Display the current configuration in RAM Store the current configuration in RAM on a network TFTP server Display the saved configuration, which is the contents of NVRAM Erase the contents of NVRAM. Managing contents of NVRAM (Start Configuration) configure memory erase startup config or clear startupconfig” copy running config startup config show startup config Loads configuration information from NVRAM. Erases the contents of NVRAM Stores the current configuration in RAM into NVRAM Display the saved configuration, which is the contents of NVRAM NVRAM to RAM A current copy of the startup configuration in NVRAM can be copied to RAM using the “copy startupconfig run” command. RAM to NVRAM A current copy of the running configuration stored in RAM can be copied to NVRAM using the “copy running-config start” command. TFTP server A current copy of the configuration currently in RAM can be stored on a TFTP Server using the “copy running-config tftp” command. You can configure the router by retrieving the configuration file stored on one of your network server by entering the “copy tftp running config command. Control router passwords, identification, and banner Passwords A system can be secured by using passwords to restrict local and network access. Passwords can be established both on individual commands and for the privileged mode and through various access methods such as the console port. Enable Password Router(config)# enable password admin Secret (Encrypted) Password Router(config)# enable secret admin Virtual Terminal Password Router(config)# line vty 0 4 Router(config line)# login Router(config line)# password cisco Console Password Router(config)# line console 0 Router(config)# login Router(config line)# password cisco Router Identification The prompt is automatically changed when the hostname of the router is changed UNLESS an overridding prompt is entered. If that is the case then the configured prompt string will always display unlesss in global configuration mode or below. Router Name Router(config)# hostname Chicago Chicago# Prompt String Router(config)# prompt Enter_Command_> Router(config)#exit Enter_Command_> Login Banner Login banners come in different forms and are displayed prior to login to a router. The two most common are the “Day-to-Day” banner also referred to as the MOTD or Message of the Day, and of course the LOGIN banner which unlike the MOTD would not usually be changed on a daily basis but would instead be more static. Prior to logging in, the MOTD is displayed before the login banner. Login Banner Chicago(config)# banner login z Welcome to the Chicago router. z Message of the Day Banner Chicago(config)# banner motd z Have a nice day and don’t forget to upgrade your IOS before 12/31/99! z Interface Description Per Interface Chicago(config)# interface e0 Chicago(config if)# description Chicago Accounting Department Identify the main Cisco IOS commands for router startup Commands Relating to Startup Show start up config or show config Show running config Clear startup config Erase startup config Reload Setup Display the backup configuration files Display the active configuration files Delete the backup configuration file in NVRAM Delete the backup configuration file in NVRAM The reload command will reboot the router through the entire configuration process The last command is used to enter setup mode from the privileged EXEC prompt Initializing the Router 1. The generic bootstrap loader executes from ROM on the CPU card 2. The operating system source is determined from the boot field of the configuration register 3. The operating system image is loaded into low addressed memory 4. The saved configuration file in NVRAM is loaded into main memory and executed sequentially 5. If no valid configuration file exists in NVRAM, the operating system enters SETUP mode, a prompt driven initial configuration routine Enter an initial configuration using the setup command The SETUP command issued from EXEC mode is a prompt driven configuration utility for basic router configuration. Advanced configuration must still be done from the standard configuration interface in config mode. Brackets [ ] indicate a defaulted value for the selection. Example #1 Router# setup --- System Configuration Dialog --Continue with configuration dialog? [yes/no]: y At any point you may enter a question mark '?' for help. Use ctrl-c to abort configuration dialog at any prompt. Default settings are in square brackets '[]'. Basic management setup configures only enough connectivity for management of the system, extended setup will ask you to configure each interface on the system Would you like to enter basic management setup? [yes/no]: y Configuring global parameters: Enter host name [Router]: Chicago The enable secret is a password used to protect access to privileged EXEC and configuration modes. This password, after entered, becomes encrypted in the configuration. Enter enable secret []: secret The enable password is used when you do not specify an enable secret password, with some older software versions, and some boot images. Enter enable password [password]: enable The virtual terminal password is used to protect access to the router over a network interface. Enter virtual terminal password: cisco Configure SNMP Network Management? [no]: n Current interface summary Interface IP-Address OK? Method Status Protocol BRI0 unassigned YES unset administratively down down BRI0:1 unassigned YES unset administratively down down BRI0:2 unassigned YES unset administratively down down Ethernet0 unassigned YES unset administratively down down Enter interface name used to connect to the management network from the above interface summary: Ethernet0 Configuring interface Ethernet0: Configure IP on this interface? [no]: y IP address for this interface: 192.168.1.1 Subnet mask for this interface [255.255.255.0] : 255.255.255.0 Class C network is 192.168.1.0, 24 subnet bits; mask is /24 The following configuration command script was created: hostname Chicago enable secret 5 $1$/Hw9$P3KFbyh5RGeEOD5cQFrWV/ enable password enable line vty 0 4 password cisco no snmp-server ! no ip routing ! interface BRI0 shutdown no ip address ! interface Ethernet0 no shutdown ip address 192.168.1.1 255.255.255.0 ! end [0] Go to the IOS command prompt without saving this config. [1] Return back to the setup without saving this config. [2] Save this configuration to nvram and exit. Enter your selection [2]: 2 Building configuration... 00:04:14: %LINK-3-UPDOWN: Interface BRI0:1, changed state to down 00:04:14: %LINK-3-UPDOWN: Interface BRI0:2, changed state to down 00:04:17: %LINK-3-UPDOWN: Interface Ethernet0, changed state to up Use the enabled mode 'configure' command to modify this configuration. Chicago# Copy and manipulate configuration files Configuration command summary Router configuration information can be displayed by several methods. Privileged mode commands can be used to configure from either a virtual terminal or a console terminal. Privileged mode commands can also be used to load a configuration from a network TFTP server allowing a network administrator to a maintain centralized configuration at a single site. Configure terminal Configure memory Copy tftp running config Configure manually from the console terminal Load configuration information from NVRAM Load configuration information from a network TFTP server. Copy run startup config Show running config Copy running config tftp Show startup config Erase startup config Store the current configuration in RAM into NVRAM. Display the current configuration in RAM Store the current configuration in RAM on a network TFTP server Display the saved configuration, which is the contents of NVRAM Erase the contents of NVRAM. Managing contents of NVRAM (Start Configuration) configure memory erase startup config or clear startupconfig” copy running config startup config show startup config Loads configuration information from NVRAM. Erases the contents of NVRAM Stores the current configuration in RAM into NVRAM Display the saved configuration, which is the contents of NVRAM NVRAM to RAM A current copy of the startup configuration in NVRAM can be copied to RAM using the “copy startupconfig run” command. RAM to NVRAM A current copy of the running configuration stored in RAM can be copied to NVRAM using the “copy running-config start” command. TFTP server A current copy of the configuration currently in RAM can be stored on a TFTP Server using the “copy running-config tftp” command. You can configure the router by retrieving the configuration file stored on one of your network server by entering the “copy tftp running config command. List the commands to load Cisco IOS software from: flash memory, a TFTP server, or ROM Registers Registers control the boot and startup processes. Uses include changing and managing the IOS image and controlling the startup process and bypassing the startup configuration. The registers can be changed with the “Router(config)# config-register #x####” command where #x#### is represented as one of the following as basic settings: Register Setting 0x2101 or 0x101 0x2102 or 0x102 0x2142 or 0x142 0x2141 or0x141 Result Boot from ROM and NOT Flash IOS, used when upgrading IOS, startup-config is still processed Normal Mode Flash IOS and startup-config processed Boot from Flash IOS, startup-config is NOT processed Boot from ROM and NOT Flash IOS, used when upgrading IOS, startup-config is also NOTl processed Specifying the Cisco IOS Software Location The “boot” commands in the NVRAM configuration are processed if there is a 2 in the first position of the register value. For example 0x2101 Router# configure terminal Router(config)# boot system flash {ios-filename} Router(config)# boot system tftp {ios-filename} {tftp-address} Router(config)# boot system rom [Ctrl Z] Router(config)# copy running config startup config The current value of the register can be viewed via the “Router#show ver” command Example: Chicago#show ver Cisco Internetwork Operating System Software IOS (tm) C800 Software (C800-G3-MW), Version 12.0(1)XB1, RELEASE SOFTWARE (fc1) TAC:Home:SW:IOS:Specials for info Copyright (c) 1986-1998 by cisco Systems, Inc. Compiled Wed 30-Dec-99 13:34 by sde Image text-base: 0x000E9000, data-base: 0x004F5000 ROM: TinyROM version 1.0(2) Chicago uptime is 3 days, 8 hours, 47 minutes System restarted by power-on System image file is "flash:c800-g3-mw.120-1.XB1" Cisco C804 (MPC850) processor (revision 1) with 43260K bytes of virtual memory. CPU part number 33 Bridging software. Basic Rate ISDN software, Version 1.1. 1 Ethernet/IEEE 802.3 interface(s) 1 ISDN Basic Rate interface(s) 4M bytes of physical memory (DRAM) 8K bytes of non-volatile configuration memory 8M bytes of flash on board (4M from flash card) Configuration register is 0x2102 Chicago# Prepare to backup, upgrade, and load a backup Cisco IOS software image Understanding the Registers (before you backup or upgrade) Registers control the boot and startup processes. Uses include changing and managing the IOS image and controlling the startup process and bypassing the startup configuration. The registers can be changed with the “Router(config)# config-register #x####” command where #x#### is represented as one of the following as basic settings: Register Result Setting 0x2101 or 0x101 0x2102 or 0x102 0x2142 or 0x142 0x2141 or0x141 Boot from ROM and NOT Flash IOS, used when upgrading IOS, startup-config is still processed Normal Mode Flash IOS and startup-config processed Boot from Flash IOS, startup-config is NOT processed Boot from ROM and NOT Flash IOS, used when upgrading IOS, startup-config is also NOTl processed The current value of the register can be viewed via the “Router#show ver” command Example: Chicago#show ver Cisco Internetwork Operating System Software IOS (tm) C800 Software (C800-G3-MW), Version 12.0(1)XB1, RELEASE SOFTWARE (fc1) TAC:Home:SW:IOS:Specials for info Copyright (c) 1986-1998 by cisco Systems, Inc. Compiled Wed 30-Dec-99 13:34 by sde Image text-base: 0x000E9000, data-base: 0x004F5000 ROM: TinyROM version 1.0(2) Chicago uptime is 3 days, 8 hours, 47 minutes System restarted by power-on System image file is "flash:c800-g3-mw.120-1.XB1" Cisco C804 (MPC850) processor (revision 1) with 43260K bytes of virtual memory. CPU part number 33 Bridging software. Basic Rate ISDN software, Version 1.1. 1 Ethernet/IEEE 802.3 interface(s) 1 ISDN Basic Rate interface(s) 4M bytes of physical memory (DRAM) 8K bytes of non-volatile configuration memory 8M bytes of flash on board (4M from flash card) Configuration register is 0x2102 Chicago# Checking your space in flash Router# show flash or show ver use these commands to show you the total amount of Flash available. 1. Show ver will also display the current IOS file name in flash, amount of RAM and register values: Router#sh ver Cisco Internetwork Operating System Software IOS (tm) C800 Software (C800-G3-MW), Version 12.0(1)XB1, RELEASE SOFTWARE (fc1) TAC:Home:SW:IOS:Specials for info Copyright (c) 1986-1998 by cisco Systems, Inc. Compiled Wed 30-Dec-99 13:34 by esd Image text-base: 0x000E9000, data-base: 0x004F5000 ROM: TinyROM version 1.0(2) Router uptime is 36 minutes System restarted by power-on System image file is "flash:c800-g3-mw.120-1.XB1" Cisco C804 (MPC850) processor (revision 1) with 43260K bytes of virtual memory. CPU part number 33 Bridging software. Basic Rate ISDN software, Version 1.1. 1 Ethernet/IEEE 802.3 interface(s) 1 ISDN Basic Rate interface(s) 4M bytes of physical memory (DRAM) 8K bytes of non-volatile configuration memory 8M bytes of flash on board (4M from flash card) Configuration register is 0x2102 2. Show flash will also display the amount of flash and IOS directory as follows: Router#sh flash Directory of flash:/ 0 ---- 49096 Nov 03 1998 01:14:21 TinyROM-1.0(2) 3 -r-x 2314996 Dec 30 1998 21:37:19 c800-g3-mw.120-1.XB1 Creating a Software Image Backup Router(boot)# copy flash tftp IP address of remote host (255.255.255.255]? 192.16.3.211 Filename to write on tftp host? C2500 Upgrading the Image from the Net Router(boot)# copy tftp flash IP address of remote host (255.255.255.255]? 192.16.3.211 Filename to write on tftp host? C2500 Cisco 2500 Series Router IOS Upgrade Steps Router# enable Router# config t Router (config)# config-register 0x2101 Router (config)# CTRL Z Router# wr mem Router# reload Router(boot)> enable {should return with: (boot)router#} Router (boot)# copy tftp flash {Enter the necessary IP number of the tftp server} {Enter the name of the upgrade file} y y y Router (boot)# config t Router (boot) (config)# config-register 0x2102 Router (boot)# CTRL Z Router (boot)# wr mem Router (boot)# reload Router #sho ver Prepare the initial configuration of your router and enable IP The SETUP command issued from Privileged mode is a prompt driven configuration utility for basic router configuration. Advanced configuration must still be done from the standard configuration interface in config mode. Brackets [ ] indicate a defaulted value for the selection. Example Router# setup --- System Configuration Dialog --Continue with configuration dialog? [yes/no]: y At any point you may enter a question mark '?' for help. Use ctrl-c to abort configuration dialog at any prompt. Default settings are in square brackets '[]'. Basic management setup configures only enough connectivity for management of the system, extended setup will ask you to configure each interface on the system Would you like to enter basic management setup? [yes/no]: y Configuring global parameters: Enter host name [Router]: Chicago The enable secret is a password used to protect access to privileged EXEC and configuration modes. This password, after entered, becomes encrypted in the configuration. Enter enable secret []: secret The enable password is used when you do not specify an enable secret password, with some older software versions, and some boot images. Enter enable password [password]: enable The virtual terminal password is used to protect access to the router over a network interface. Enter virtual terminal password: cisco Configure SNMP Network Management? [no]: n Current interface summary Interface IP-Address OK? Method Status Protocol BRI0 unassigned YES unset administratively down down BRI0:1 unassigned YES unset administratively down down BRI0:2 unassigned YES unset administratively down down Ethernet0 unassigned YES unset administratively down down Enter interface name used to connect to the management network from the above interface summary: Ethernet0 Configuring interface Ethernet0: Configure IP on this interface? [no]: y IP address for this interface: 192.168.1.1 Subnet mask for this interface [255.255.255.0] : 255.255.255.0 Class C network is 192.168.1.0, 24 subnet bits; mask is /24 The following configuration command script was created: hostname Chicago enable secret 5 $1$/Hw9$P3KFbyh5RGeEOD5cQFrWV/ enable password enable line vty 0 4 password cisco no snmp-server ! no ip routing ! interface BRI0 shutdown no ip address ! interface Ethernet0 no shutdown ip address 192.168.1.1 255.255.255.0 ! end [0] Go to the IOS command prompt without saving this config. [1] Return back to the setup without saving this config. [2] Save this configuration to nvram and exit. Enter your selection [2]: 2 Building configuration... 00:04:14: %LINK-3-UPDOWN: Interface BRI0:1, changed state to down 00:04:14: %LINK-3-UPDOWN: Interface BRI0:2, changed state to down 00:04:17: %LINK-3-UPDOWN: Interface Ethernet0, changed state to up Use the enabled mode 'configure' command to modify this configuration. Chicago# Monitor Novell IPX operation on the router IPX Monitoring Command show ipx interface show ipx route show ipx servers show ipx traffic IP Monitoring Command show ip interface show ip route show ip traffic Shows IP status and parameters Shows Routing table contents Shows Number and type of packets Shows IPX status and parameters Shows Routing table contents Shows IPX server list Shows Number and type of packets IPX Troubleshooting Command Displays debug ipx routing activity debug ipx sap Information about RIP update packets Information about SAP update packets The debug ipx routing activity command displays information about IPX routing update packets that are transmitted or received. A router sends an update every 60 seconds. Each update packet can contain up to 50 entries. If there are more than 50 entries in the routing table, the update will include more than one packet. The debug ipx sap command displays information about IPX SAP packets that are transmitted or received. Like RIP updates, these SAP updates are sent every 60 seconds and may contain multiple packets. Each SAP packet appears as multiple line in the output, including a packet summary messages and a service detail message. SAP responses may be one of these types: 0x1----General query 0x2----General response 0x3----Get Nearest Server request 0x4----Get Nearest Server response IP Troubleshooting Command Displays debug ip routing activity Information about RIP update packets Describe the two parts of network addressing, then identify the parts in specific protocol address examples There are two general parts of a Layer 3 address: 1. Network address - Network address Path part used by the router 2. Host address - Host/Node address Specific port or device on the network. TCP/IP networks are represented by 32 bit addresses divided into a network portion and a host portion. The Internet Request For Comments (RFC) 1020 divides the network portion into classes. Classes are as follows: Class A Using 8 bits for the network, with the remaining 24 bits for host addressing Class B Using 16 bits for the network, with the remaining 16 bits for host addressing Class C Using 24 bits for the network, with the remaining 8 bits for host addressing Class D Used For IP multicast addresses TCP/IP networks can additionally be divided into sub-networks. When a TCP/IP address has been subnetted, the network part of the address is described by two elements: the network number, still assigned by the NIC, and the subnetwork number, assigned by the local network administrator. Classful TCP/IP Example: 17.20.2.1 with Class default subnet mask of 255.0.0.0: Network = 17, Node/Host = 20.2.1 SubNetted TCP/IP Example: 17.20.2.1 with subnetted mask of 255.255.0.0: Network = 17.20, Node/Host = 2.1 Novell Internet Packet Exchange (IPX) IPX uses a 48 bit hexadecimal host number usually derived automatically from the MAC address of a LAN interface to the IPX network, and a 32 bit Network number. IPX Example: adcafedd.0000.0a43.ad33 Network = adcafedd, Node/Host = 0000.0a43.ad33. AppleTalk 16 bit network numbers are assigned to physical links either individually or in ranges called cable ranges. The 8 bit AppleTalk node portion is called the host address. An Apple end station usually acquires this host address dynamically when it boots up onto the network. AppleTalk Example: 1000.11 (assume a cable range 1000 1000) Network = 1000, Node/Host = 11 Create the different classes of IP addresses [and subnetting] Standard IP Addressing and Classes With TCP/IP, addresses are comprised of a 32bit number separated into 4 octets. The important item to remember with an IP address is that that single 32bit number represents two distinct items of information, namely the SUBNET or NETWORK address and the HOST address. The subnet address is used to group TCP/IP devices into logical groups called networks. The host address is used to uniquely identify a host within a subnet. Of course the problem that arises when you represent two numbers in a single number is how to separate them. In the case of TCP/IP, the separation of the IP address into two pieces is done with an item called a subnet mask. The subnet mask also is a 32bit number. It will determine the network ID and the number of hosts in each network based on the class of the network mask. Default classes, addresses and masks are as follows: Class Class A Class B Class C Class D Class Range of Network Numbers 1.0.0.0 through 126.0.0.0 128.1.0.0 through 191.254.0.0 192.0.1.0 through 223.255.254.0 224.0.0.0 through 239.255.255.254 Research Default Subnet Mask 255.0.0.0 255.255.0.0 255.255.255.0 Used Multicast Research Number of host addresses per/network 16,777,214 65,534 254 No host range exists No host range exists E Other 127.0.0.0 255.0.0.0 Reserved to LOCALHOST and Loop back testing Example Network 1: Example Network #1 illustrates a typical network using a variety of network types and classes for example purposes. You will notice that the routers as pictured create broadcast domains that require different network definitions. This drawing does not illustrate the actual assignment of IP addresses to hosts but for network 192.168.1.0, the router at E0 would be probably be assigned IP address 192.168.1.1 with a mask of 255.255.255.0. The PC would probably be assigned 192.168.1.2 with a mask 255.255.255.0 AND a gateway of 192.168.1.1 (which is the router at E0). An important note! In any range, If the host portion is represented by ALL 0’s then that represents the NETWORK ID as in the picture. IF the host portion is represented by ALL 1’s then that represents the subnetwork broadcast ID. You must know both for the exam. Sub-network IP Addressing Sub-netting is nothing more than modifying the subnet mask to increase the number of networks and decrease the number of hosts on each network. Why you say? Lets say that you are given a Class A 10.0.0.0 network with mask 255.0.0.0. Your company has 50 networks and 250 hosts on each network. The issues here is that you really only have one network “10.0.0.0” but your company has 50 networks. Seeing that the host portion is “0.0.0” which allows over 16 million hosts we certainly do not need, we can reduce that number and at the same time increase that single 10 network into multiple “subnetted” networks. To do this we simply adjust the mask. In this case if we change the mask to 255.255.0.0, notice we did not change the 10, we are now using 10.1-254 as the networks and 0.0 as the hosts on each network. So what did that leave us with? 254 networks with 64k hosts on each network and all it took was a mask adjustment. Example Network 2: What we have here if you notice is a single Class B network of 172.16.0.0 with default mask 255.255.0.0, split into 254 networks with 254 hosts per network by changing the mask to 255.255.255.0. Of course you see we only assigned the first two networks to our design but we have lots of room to grow. BUT, what if we did not want to change the mask from 255.255.0.0 to 255.255.255.0 because we have 300 hosts on each network. Recall when we changed the mask by an entire octet we gained 254 networks but reduced our hosts from 64k to 254 per network. Well you do not have to jump an entire octet. You can most certainly move the mask 1 bit at a time. For this we need to recall a bit more about binary because our masks will be a bit different. Before we get to the masks, lets look at a simple rule for determining the number of hosts and networks calculated from changing the mask. Incremental Subnetworking Starting again with 172.16.0.0 and looking at 255.255.0.0 represented as binary 11111111.1111111.00000000.00000000, we can move the mask 1 bit at a time to the right. Each time we move a bit we can count the bits take for the network and take a power of 2 to that number –2 and get a count for the new networks. So for example, if we take 4 bits we get 2^4-2 =14 networks. What remains is the same calculation, since we took 4 bits for the networks that leaves us 12 bits for the hosts. 2^12-2 = 4092. So to recap by moving the mask over 4 bits we went from 1 network to 14 networks and from 64534 hosts to 4092 hosts per network. Now what is the MASK you say? Well if you take the modified mask result of 11111111.11111111.11110000.00000000, remember we took 4 bits for the subnetting, we end up with a mask of 255.255.240.0. That is the mask we will use when assigning all hosts. To finalize this procedure we need to summarize with three items: 1. MASK Our mask is 255.255.240.0 for all new sub networks 2. Network ID’s and network broadcast ID’s The networks can easily be determine by takeing the lowest binary value in the mask and using that as both your first network id and your network increment. So if your mask is 11111111.11111111.11110000.00000000, the lowest value is 16 or 2^4 in the third octet. The broadcast ID is calculated by placing 1’s in each portion of the host range or simply the highest number in that range. Therefore our networks are: Net ID 172.16.16.0 172.16.32.0 172.16.48.0 Broadcast ID 172.16.31.255 172.16.47.255 172.16.63.255 172.16.64.0 172.16.80.0 And so on 172.16.79.255 172.16.95.255 3. Assign host ranges for each subnetwork After determining the networks the host ranges are easy. The lowest number in the range is the host ID and the highest number in the range is the broadcast. Everything in between are the assignable host ID’s for that subnet. Net ID 172.16.16.0 172.16.32.0 172.16.48.0 172.16.64.0 172.16.80.0 And so on Broadcast ID 172.16.31.255 172.16.47.255 172.16.63.255 172.16.79.255 172.16.95.255 Host Ranges 172.16.16.1 – 172.16.31.254 172.16.32.1 – 172.16.47.254 172.16.48.1 – 172.16.63.254 172.16.64.1 – 172.16.79.254 172.16.80.1 – 172.16.95.254 Below is a chart that may assist in determining necessary subnetwork information: Configure IP addresses Configuring TCP/IP Interface Addresses IP addresses are assigned to an interface. Each interface can support 1 or more IP addresses on a single interface. Each IP address can be on the same or a different subnetwork. The syntax for assigning an IP addresses is as follows: Router(config-if)# ip address ip-address subnet-mask [secondary] Example Router(config)# interface ethernet 0 Router(config-if)# ip address 192.168.1.1 255.255.255.0 Router(config-if)# ip address 192.168.2.1 255.255.255.0 secondary Other commonly used commands Router (config)# ip host name Adds static host name entries to the ip address name mapping table. This is used if a NDS server is not configured and if the administrator would like to access other IP hosts by name instead of IP addresses. Router (config)# ip name-server Specifies the name of the DNS server for host name lookup Router (config)# ip domain-lookup enabled Enable the use of DNS server lookups from the DNS server identified in the ip name-server command Router (config)# terminal ip netmask-format Sets the display format of the network mask when seen on show commands List the required IPX address and encapsulation type When configuring IPX on a Cisco router a valid network address is required. The network ID must match the current network in place or if it is a new network it must a valid 32bit number documented entered in hex. So, how does Cisco recommend you retrieve this information if you do not already know it? Simple: Use a Cisco IOS command to check on the neighbor Cisco router using the “Router# show cdp neighbor details” command Use NetWare command to check on the NetWare file server/router. From the NetWare console, enter the “CONFIG” command. Contacting NetWare administrator would simply be the easiest way. Along with the NetWare network ID, there are several different Ethernet framing types with different variations in the fields they use. This is critical because DIFFERENT encapsulations have DIFFERENT network Ids. This is why many routers will have secondary encapsulations so they can communicate and pass all necessary IPX traffic. Novell IPX Name Ethernet_II Ethernet_8022 Ethernet_SNAP Ethemet_8023 Cisco IOS Name Arpa Sap Snap Novell ether (default) Uses TCP/IP and DECnet Used with NetWare 3.12 and greater such as 4.x and OSI routing TCP/IP and AppleTalk Used with NetWare versions 2.x and 3.x. Also referred to as RAW Ethernet Token Ring Token Ring_SNAP Token Snap IBM Token-Ring TCP/IP and Token-Ring Identify the functions of the TCP/IP transport-layer protocols Transport Layer Protocols TCP Connection based protocols for RELIABLE communications with the following attributes: Uses Sequence Numbers Breaks messages into datagrams Reassembles datagrams into messages Handshakes with receiving device Sends Acknowledgments Uses Sliding - Windowing transmission technique Suited for WAN protocols such as Frame-Relay Examples: HTTP, FTP, TELNET UDP Connection-less based protocols for UN-RELIABLE communications with the following attributes: Provides NO software checking Relies on application layer reliability Provides connectionless transmission Uses NO Windowing Suited for performance oriented application Examples: Real Audio, Streaming, Video, Sound, TFTP Enable the Novell IPX protocol and configure interfaces Where TCP/IP usually has 1 configuration step, Novell IPX configuration involves two parts: Global tasks: Router(config)# ipx routing [node] The IPX routing command enables Novell IPX routing. When no node address is specified, the Cisco router uses the MAC address of the interface. In the case that a Cisco router has only serial interfaces, an address must be specified. Router(config)# ipx maximum paths paths To Enable load sharing if appropriate for your network. Load sharing is the division of routing tasks evenly among multiple routers to balance the work and improve network performance. The ipx maximum paths command enables round robin load sharing over multiple equal metric paths with default of 1 and a maximum of 512. Interface specific task: Router (config if)# ipx network number [encapsulation encapsulation type] [secondary] Assign unique network numbers to each interface. Multiple network numbers can be assigned to an interface, allowing support of different encapsulation types. The ipx network command enables Novell IPX processing. This command additionally assigns a primary and secondary network and also assigns encapsulation. Encapsulation, which is optional, specifies the encapsulation type for the interface. It can be one of the following types: novell ether, sap, arpa, snap. Novell IPX Configuration Example Router(config)# ipx routing Router(config)# ipx maximum paths 2 Router(config)# interface ethernet 0 Router(config-if)# ipx network a8023 encapsulation novell ether Router(config-if)# ipx network a8022 encapsulation sap secondary Router(config)# interface ethernet 1 Router(config-if)# ipx network b8022 encapsulation sap Identify the functions of the TCP/IP network-layer protocols Network Layer Protocols ARP This protocol maps a KNOWN IP address to a MAC sub-layer address. ARP also consults subnet masks to determine whether nodes are on the same subnet. When sending a packet, if nodes are on the same subnet, the frame is sent directly to the receiving node. If nodes are on different subnets, the frame is sent to the default gateway (default network on a Cisco router) for forwarding. RARP uses a table entry on a server to respond to requests for mapping a KNOWN MAC address to an IP address. Example, BOOTP or DHCP servers. With a DHCP server, the client knows its IP address but must request an IP address from a server that most probably has a record stored of the IP MAC relationship. This way client’s are less likely to receive a different IP address each time communication with the DHCP server occurs. Diskless workstations also use RARP to request boot information. Provides routing information for best effort delivery. This also contains the transport layer protocol ID in the header. ICMP messages are carried in IP datagrams and are used to send error and control messages. Also used to send Destination Unreachable Messages RARP IP ICMP Identify the functions performed by ICMP All TCP/IP hosts implement the Internet Control Message Protocol (ICMP). ICMP messages are carried in IP datagrams and are used to send error and control messages. PING is an example of a utility that uses the ICMP protocols for testing. If a router receives a packet that is unable to deliver to its ultimate destination, the router sends an ICMP host unreachable message to the source. An echo reply is a successful reply to a PING command although results may also include other ICMP message replys including unreachable destinations and time outs. Some the most common functions of ICMP include: Control and message functions at the network layer Used to send Destination Unreachable Messages Used to send Error and control messages Configure IPX access lists and SAP filters to control basic Novell traffic IPX/SPX access list overview In Novell IPX/SPX addressing is an 80bit address including a (32-bit) network portion and a (48bit) node portion derived from the MAC address of the interface. Each NetWare server has an internal IPX network number and performs IPX routing. The External IPX network numbers are assigned on Cisco router and NetWare server interfaces and must be unique and consistent with the network numbers known to the other NetWare servers and routers. IPX access lists check for source address, destination address, or both. IPX standard access lists use numbers in the range 800 899. Additionally, to control the traffic from the Service Advertisement Protocol (SAP), SAP filters use numbers in the range 1000 to 1099. Several other packet and route filters are available for managing IPX overhead traffic including Get Nearest Server (GNS), Routing Information Protocol (RIP), and NetWare Link Services Protocol (NLSP). Overview for IPX Access Lists NetWare IPX addresses use a network.node and socket number Standard lists (800 to 899) can filter source and destination address Extended lists (900 to 999) allow more precise filtering conditions Access lists (1000 to 1099) are SAP filters for service types and servers on one or more networks Other access list number ranges offer more Novell software filters including GNS, RIP, NLSP IPX Standard Access Lists Configuration Standard access list uses list number in range 800 to 899 Router Router(config)# access list access list number {deny I permit} source network [.source node] [source node mask] [destination network] [.destination node] [destination node mask] Use the access list command to filter traffic in an IPX network. Using filters on the outgoing router interface allows or restricts different protocols and applications on individual networks. access list number protocol source network source node destination network destination node Access list number for an IPX filter list from 800 to 899 Number of the protocol type, can be: 0=any protocol, 1=RIP, 4=SAP, 5=SPX, 17=NCP, 20=IPX NetBIOS Source network number, expressed in eight digit hexadecimal Node number on the source network. Represented as a 48 bit value shown in a dotted triplet of 4 digit hexadecimal numbers Network number to which the packet is being sent Node on the destination network to which the packet is being sent Activates the IPX standard access list on an interface Router(config-if)# ipx access group access list number Standard Access List Example: Objective: Allow only traffic from network b8022 destined for network a8022 to be forwarded out of Ethernet 0 Router (config)# access-list 800 permit b8022 a8022 implicit deny all not visible in the list Router (config)# interface ethernet 0 Router (config-if)# ipx network a8022 Router (config-if)# ipx access group 800 Router (config)# interface ethernet 1 Router (config-if)# ipx network b8022 Router (config)# interface ethernet 2 Router (config-if)# ipx network c8022 Access List Commands 800 Permit B8022 A8022 Ipx access-group 800 Explanation Access list number Traffic that matches will be forwarded Source network Destination network Links to interface E0 IPX SAP Filters Configuration SAP filters are typically placed close to the source to ensure these SAP filters conserve bandwidth over WAN links. When a SAP advertisement arrives at the router interface, the contents are placed in the SAP table. The contents of the table are then propagated during the next SAP update. There are two types of SAP filters: When a SAP input filter is in place, the services entered into the SAP table is reduced. The propagated SAP updates represent the entire table, but contain only a subset of all services. When a SAP output filter is in place, the services propagated from the table are reduced. The propagated SAP updates represent a portion of the table contents and are a subset of all the known services. IPX input SAP filter IPX output SAP filter Router(config)# access list access list number {deny I permit} network [.node] [network mask node-mask] [service type [server name] access list number Number from 1000 to 1099, indicates a SAP filter list. Network [.node] network mask node mask service type Novell source internal network Mask to be applied to the network and node. Place ones in the positions to be masked. SAP service type to filter. Each SAP service type is identified by a hexadecimal number. Some standard used ones: 4=file servers, 7=print servers, 24=router, 98=access server Standard SAP filter Example #1: Objective: Prevent File Server advertisements from server c8022.1111.2222.3333 from being forwarded on S0. All other SAP services should be forwarded from any other source on S0. Router (config)# access-list 1000 deny c8022.1111.2222.3333 4 Router (config)# access-list 1000 permit -1 implicit deny all not visible in the list Router (config)# interface ethernet 0 Router (config-if)# ipx network c8022 Router (config)# interface ethernet 1 Router (config-if)# ipx network a8022 Router (config)# interface serial 0 Router (config-if)# ipx network z8022 Router (config-if)# ipx output-sap-filter 1000 Access List Commands 1000 Deny C8022.1111.2222.3333 4 Explanation Access list number Sap services matching will be blocked Source network of SAP advertisements Type of Sap service for File Services 1000 Permit -1 Ipx output-sap-filter 1000 Access list number Sap services matching will be forwarded Source network of –1 means ALL networks Apply access list as output Sap filter Standard SAP filter Example #2: Objective: Prevent Print server advertisements from servers on networks c8022 and a8022 from being entered into the SAP table while allowing all other SAP services from any source to be added into the SAP table. Router (config)# access-list 1001 deny 7 Router (config)# access-list 1001 permit -1 implicit deny all not visible in the list Router (config)# interface ethernet 0 Router (config-if)# ipx network c8022 Router (config)# interface ethernet 1 Router (config-if)# ipx network a8022 Router (config)# interface serial 0 Router (config-if)# ipx network z8022 Router (config-if)# ipx input-sap-filter 1001 Access List Commands 1001 Deny 7 1001 Permit -1 Explanation Access list number Sap services matching will be blocked SAP advertisement type; Print services Access list number Sap services matching will be forwarded Source network of –1 means ALL networks Ipx input-sap-filter 1001 Apply access list as input SAP filter Add the RIP routing protocol to your configuration RIP Overview The RIP protocol was originally specified in RFC 1058. A RIP table can be viewed by typing in the “show ip route” command. The following are some characteristics of RIP: It is a distance vector routing protocol Routing updates are broadcast every 30 seconds by default The maximum allowable hop count of 15 Hop count is used as the metric for path selection In newer versions of RIP load balancing RIP Configuration Router (config)# router rip Router (config router)# network network number Descriptions The router rip starts the RIP routing process The network number specifies a directly connected network Add the IGRP routing protocol to your configuration IGRP Overview IGRP is a distance vector routing protocol developed by Cisco. IGRP sends routing updates at 90 second intervals that target a particular autonomous system. The following are some key characteristics of IGRP: The IGRP routing protocol uses a combination of variables to determine a composite metric. Scalability to function in very large networks Versatility to automatically handle complex topologies Flexibility for segments having different bandwidth and delay characteristics IGRP Configuration Router (config)# router igrp autonomous system Router (config router)# network network number Descriptions The router igrp command enables the IGRP routing protocols The network command specifies any directly connected networks to be included The autonomous system identifies the IGRP router processes that will share routing information The network number specifies a directly connected network Explain the services of separate and integrated multi-protocol routing In a separated multi-protocol environment protocol processes operate totally independent of each other. In an integrated multi-protocol routing environment, several configured protocols share the results of the integrated routing algorithms. EIGRP (Enhanced IGRP) is a integrated multi-protocol example that is proprietary to Cisco. Enhanced IGRP uses a distance vector algorithm based on Cisco's IGRP and integrates support for IP, AppleTalk, and Novell IPX. Integrated multi-protocol routing has the following attributes: Enables path selection and packet switching for more than one routed protocol Conserve network and router resources Simplifies the administrative tasks Maintain routing updates that are usable by all configured routed protocols Generates and maintains separate routing tables for each of the routed protocols List problems that each routing type encounters when dealing with topological changes and describe techniques to reduce them Concept Summary Distance Vector protocols use the Bellman-Ford algorithm to calculate best route paths. Link-state protocols use the SPF algorithm to calculate best route paths. Distance Vector protocols DO NOT know the topology of the network where Link-State protocols DO know the topology of the entire network. Comparing Distance Vector routing to Link State routing Distance vector routing gets all topological data from the perspective from processing the routing table information of its neighbors. Link state routing obtains a complete understanding of the entire internetwork topology by accumulating all necessary LSPs. Distance vector routing determines the best path by incrementing the metric value it receives as tables move from router to router. Link state routing allows each router to work in tandem with other routers to calculate its own shortest path to destinations. With most distance-vector routing protocols, updates for topology changes come in periodic table updates. These tables pass incrementally from router to router, usually resulting in slower convergence. Link state routing protocols usually trigger updates through topology changes. Small LSPs passed to all other routers, or to a multicast group of routers result in a faster time to converge on an internetwork topology change. Distance Vector Overview Distance vector based routing algorithms pass periodic copies of a routing table from router to router. Each router receives a routing table from its direct neighbor only. Assume Router 1 knows about network A and B, and Router 2 knows about B and C. After the next periodic exchange, Router 1 will know about networks A, B, and C and the distance is incremented in Router 1 to get to network C because it now has to go through the neighboring router. This process occurs in all directions between direct neighbor routers. If during the next transmission, a better path exists the routing table will be updated. Distance vector algorithms do not allow a router to know the exact topology of an internetwork. Examples include RIP (Routing Information Protocols) and IGRP (Interior Gateway Routing Protocol) Benefits include: Easy to implement – It takes very little configuration to get it up and running Widely supported – Most devices support some type of Distance Vector routing protocols Potential Problems: Counting to infinity This condition continuously loops packets around the network, despite the fundamental fact that the destination network is down. While the routers are counting to infinity, the invalid information allows a routing loop to exist. Routing Loops Routing Loops can occur if the internetwork's slow convergence on a new configuration causes inconsistent routing entries. Implemented Solutions: Split Horizon If you learn a protocol's route on an interface, do not send information about that route back out that interface. Defining a Maximum Specify a maximum distance vector metric as infinity. Hold Down Timers Routers ignore network update information for some period. Route poisoning Router keeps an entry for the network down state, allowing time for other routers to recompute for the topology change. Link State Overview These are designed for larger networks and address the shortcomings of Distance Vector algorithms. This is because LSP’s map the entire network topology unlike DVP’s. A “link” can be defined as a network interface on a router. A “link-state” is the status between two router interfaces. For routing updates, each router running an LSP locates routers directly connected to it. It then sends out link-state advertisements (LSAs) in its area, listing its neighbor’s names and route cost to each neighbor. Cost is the value that indicates relative speed of the link as indicated by the bandwidth on the link. A router that receives LSAs then forwards them to neighbor routers in the network cloud. The lowest cost paths are optimal yet multiple optimal paths allow load balancing. A router running a Link-State algorithm uses a hello packet to establish a formal connection with each directly connected together. Examples include OSPF (Open Shortest Path First). Benefits include: Qu ick Convergence – Incorporates route changes into the network and performs new route computation immediately Support for VLSM – Allows multiple-level sub-networked IP addresses within a single network Increased network node access – Supports large numbers of network nodes far beyond the previous 15-hop limitation Sending of periodic routing updates – Only sends updates when there is a change in the topology Optimizing route selection – Uses composite routing methods. Potential Problems: Processing and memory required – More memory is required due to the large amount of network information that needs to be managed. Recall that each router has a complete picture of the network. Bandwidth consumed for initial link state “flood” – A lot of bandwidth is consumed during initial link-state startup. This issue is called flooding. This is caused from all routers trying to converge the network and understand the network topology. Unsynchronized updates and inconsistent path decisions – This often happens when links become unavailable and the LSP has to be reconstructed. During the calculation other links go down as other come up. This creates problems. Large network synchronization – This adds to the problems due to the complete network topology that each router contains. Larger networks will run Hybrid protocols. Implemented Solutions: Reduce the need for resources Co-ordinate link-state updates Describe the benefits of network segmentation with routers Routers segment traffic and create manageable broadcast domains at the network layer, which is at a higher level than bridges. Recall that bridges provide traffic management at the data-link layer. They provide WAN link interfacing, filtering and security through the processing and control of network information. If multiple paths exist to destinations, routers will provide path selection and determination and forwarding. Due to operation at higher levels, they come at a higher performance cost. Performance of a router may decrease throughput anywhere from 20 to 40% or greater than that of a bridge. Multiple active paths – Routers allow the use of a network topology that can use more than one path between stations. Because they operate at the network layer, routers examine protocols, destination service access point (DSAP) and source service access point (SSAP) and path metric information. They can then use that information when making path determination, forwarding or filtering decisions. Functionality Routers are available to the end stations and thus can implement mechanisms to provide flow control, error and congestion control, fragmentation and reassembling services, and explicit packet time-to-live controls. Manageability – Multiple protocols operating among routers give network administrators more overall control over path selection and network routing behavior Configure standard and extended access lists to filter IP traffic Standard access lists filter at layer 3 meaning source networks and host addresses and they can deny or permit the networks and hosts but NOT transport layer information such as protocol UDP and TCP or specific ports. When standard access lists don’t cut it for the specific filtering you need on your router, Extended Access Lists may be the answer. This type of layer 4 filtering may be required for firewall purposes and therefore extended access lists may be the answer you’re looking for. Extended IP access list statements can filter for source address and for destination address with additional control by specifying optionally the TCP or UDP protocol port number. How to associate access lists to interfaces: Place standard access lists close to the destination Place extended access lists close to the source Enabling and Disabling Standard Access Lists Router (config)# access list access list number {permit I deny} source [source mask] IP standard access lists use 1 to 99 The access list command creates an entry in a standard traffic filter list. Parameter descriptions are as follows: access list number Identifies the list to which the entry belongs; a number from 1 to 99. {permit I deny} Indicates whether this entry allows or blocks traffic from the specified address. source Identifies source IP address source mask Identifies which bits in the address field are matched. A 1 in positions indicates to leave alone and a 0 in a position indicates instructions to be followed. Router (config)#no access list access list number Removes the access list Router (config-if)#ip access group access list number {in | out} Activates the list on the interface The ip access group command links an existing access list to an outbound interface. Only one access list per port per protocol per direction is allowed. access list number Indicates the number of the access list to be linked to this Interface. {in I out} Selects whether the access list is applied to the incoming or Outgoing interface If in or out is not specified, out is the Default Router (config-if)#no ip access group access list number {in | out} De-activates the list on the interface Standard Access List Example #1: Objective: Allow all traffic from the 172.16.0.0 networks to be forwarded while blocking all non-172.16.0.0 traffic. Router (config)# access list 1 permit 172.16.0.0 0.0.255.255 implicit deny all not visible in the list access list 1 deny 0.0.0.0 255.255.255.255 Router (config)# interface ethernet 0 Router (config-if)# ip access group 1 out Router (config)# interface ethernet 1 Router (config-if)# ip access group 1 out Access List Command 1 Permit 172.16.0.0 0.0.255.255 Ip access-group 1 out Explanation Access list number Traffic that matches will be forwarded IP address used to identify the source network Wildcard mask; 0 indicates positions must match, 1s indicate not checked Applies the access list to an interface, OUT is the default Standard Access List Example #2: Objective: Block traffic from address 172.16.2.2, and allow all other traffic to be forwarded on the interface Ethernet 0 Router (config)# access list 1 deny host 172.16.2.2 Router (config)# access list 1 permit 0.0.0.0 255.255.255.255 implicit deny all not visible in the list access list 1 deny 0.0.0.0 255.255.255.255 Router (config)# interface ethernet 0 Router (config-if)# ip access group 1 out Access List Commands 1 Deny host 172.16.2.2 0.0.0.0 1 Permit 0.0.0.0 255.255.255.255 Ip access-group 1 out Explanation Access list number Traffic that matches will NOT be forwarded IP address used to identify the source host Wildcard mask; 0 indicates positions must match, 1s indicate not checked Access list number Traffic that matches will be forwarded IP address used to identify the source host Wildcard mask; 0 indicates positions must match, 1s indicate not checked Applies the access list to an interface, OUT is the default Standard Access List Example #3: Objective: Block traffic from subnet 172.16.2.0 and permit the forwarding of all other traffic Router (config)# access list 1 deny 172.16.2.0 0.0.0.255 Router (config)# access list 1 permit any implicit deny all not visible in the list access list 1 deny 0.0.0.0 255.255.255.255 Router (config)# interface ethernet 0 Router (config-if)# ip access group 1 out Access List Command 1 Deny 172.16.2.0 0.0.0.255 1 Permit Any Ip access-group 1 out Explanation Access list number Traffic that matches will NOT be forwarded IP address used to identify the source network Wildcard mask; 0 indicates positions must match, 1s indicate not checked Access list number Traffic that matches will be forwarded Abbreviation for 0.0.0.0 255.255.255.255 Applies the access list to an interface, OUT is the default Enabling and Disabling Extended Access Lists In summary, Extended Access lists (range 100-199) over Standard Access lists (range 1-99) allow on to: Check source and destination IP address Specify an optional IP protocol port number. “Well-Known” ports are listed below: Well-know ports 20 21 23 25 69 IP protocol File Transfer Protocol (FTP) data FTP Program Telnet Simple Mail Transfer Protocol (SMTP) Trivial File Transfer Protocol (TFTP) 53 80 110 119 Domain Name System (DNS) Hypertext Transport Protocol (HTTP) Post Office Protocol (POP3) Network News Transport Protocol (NNTP) Enabling and Disabling Extended Access Lists Router(config)# access list access list number {permit I deny} protocol source source mask destination destination mask [operator operand] [established] access list number IP Access List Ranges <1-99> IP standard access list <100-199> IP extended access list <1100-1199> Extended 48-bit MAC address access list <1300-1999> IP standard access list (expanded range) <200-299> Protocol type-code access list <2000-2699> IP extended access list (expanded range) <700-799> 48-bit MAC address access list permit I deny protocol Allow or block the specified address <0-255> An IP protocol number ahp - Authentication Header Protocol eigrp - Cisco's EIGRP routing protocol esp - Encapsulation Security Payload gre - Cisco's GRE tunneling icmp - Internet Control Message Protocol igmp - Internet Gateway Message Protocol igrp - Cisco's IGRP routing protocol ip – Any Internet Protocol ipinip - IP in IP tunneling nos - KA9Q NOS compatible IP over IP tunneling ospf - OSPF routing protocol pcp - Payload Compression Protocol tcp – Transmission Control Protocol udp - User Datagram Protocol source and destination source mask and destination mask operator and operand Identifies source and destination IP addresses Wildcard mask; Os indicate positions that must match, Is indicate "don't care" positions Ack - Match on the ACK bit eq - Match only packets on a given port number fin - Match on the FIN bit gt - Match only packets with a greater port number log - Log matches against this entry log-input - Log matches against this entry, including input interface lt - Match only packets with a lower port number neq - Match only packets not on a given port number precedence - Match packets with given precedence value psh - Match on the PSH bit range - Match only packets in the range of port numbers rst - Match on the RST bit syn - Match on the SYN bit time-range - Specify a time-range tos - Match packets with given TOS value urg - Match on the URG bit established Match established connections Router(config-if)# ip access group access list number [in | out] access list number [in I out] Number of the access list to be linked to this interface. Access list is applied to the incoming or outgoing interface. If in or out is not specified, out is the default Extended Access List Example #1: Objective: Deny FTP for E0 and allow all other traffic from subnet 172.16.2.0 to be forwarded to all other networks or subnets via interface E0. Router (config)# access list 101 deny tcp 172.16.2.0 0.0.0.255 172.16.1.0 0.0.0.255 eq 21 Router (config)# access list 101 deny tcp 172.16.2.0 0.0.0.255 172.16.1.0 0.0.0.255 eq 20 Router (config)# access list 101 permit ip 172.16.2.0 0.0.0.255 0.0.0.0 255.255.255.255 Router (config)# implicit deny all not visible in the list Router (config)# interface ethernet 0 Router (config-if)# ip access group 101 Access List Command Explanation 101 Deny Tcp 172.16.2.0 and 0.0.0.255 172.16.1.0 and 0.0.0.255 Eq 20 Eq 21 Access list number Traffic that matches will not be forwarded Transmission Control Protocol Source address Destination address FTP FTP data Extended Access List Example #2: Objective: Allow only SMTP (Mail) from 172.16.2.0 to be sent out interface E0 and deny any other traffic Router (config)# access list 101 permit tcp 172.16.2.0 0.0.0.255 any eq 25 Router (config)# implicit deny all not visible in the list Router (config)# interface ethernet 0 Router (config-if)# ip access group 101 Access List Command 101 Permit Tcp 172.16.2.0 and 0.0.0.255 Any Eq 25 Explanation Access list number Traffic that matches will be forwarded Transmission Control Protocol Source address Destination FTP Monitor and verify selected access list operations on the router IP and IPX access can be viewed with commands: Show access-lists [interface] Show access lists on specific interfaces Show access-lists Show all access lists IP and IPX can be monitored using the following commands: Show IPX interface Show IPX traffic Show IPX servers Show IPX route Show IP interface IPX status and parameters including information on IPX addressing, SAP and SAP GNS information, RIP, and statistics. Statistics on IPX traffic, numbers relating to traffic including the quantity and type of each packet Shows the server list from the routers SAP table Shows the IPX routing table content Example Router#show ip int e0 Ethernet0 is administratively down, line protocol is down Internet address is 192.168.100.35/27 Broadcast address is 255.255.255.255 Address determined by setup command MTU is 1500 bytes Helper address is not set Directed broadcast forwarding is disabled Outgoing access list is 1 Inbound access list is not set Proxy ARP is enabled Security level is default Split horizon is enabled ICMP redirects are always sent ICMP unreachables are always sent ICMP mask replies are never sent IP fast switching is enabled IP fast switching on the same interface is disabled IP Null turbo vector IP multicast fast switching is disabled IP multicast distributed fast switching is disabled Router Discovery is disabled IP output packet accounting is disabled IP access violation accounting is disabled TCP/IP header compression is disabled Probe proxy name replies are disabled Policy routing is disabled Network address translation is disabled Web Cache Redirect is disabled BGP Policy Mapping is disabled Router# IP and IPX can be also monitored real-time using debug commands: Debug IPX routing activity Debug IPX SAP Debug IP routing Debug IP RIP Show RIP table information updates Shows SAP update packets Shows Routing Table events Shows IP RIP information Describe the advantages of LAN segmentation Networks can be divided into smaller segments thereby reducing the number of users per segment. This segmentation will effectively increase the bandwidth available to all users in the particular segment. Each new segment is considered a different collision domain as opposed to routers, which create new broadcast domains. The new segments will support traffic movement between network nodes without interfering with traffic patterns on other collision segments. When a user is communicating within their segment with others, they will effectively have better communication to backbone segment hosts such as servers. Another key point is that segmentation still ALLOWS non-routed protocols to communicate throughout all segments because all segments are contained in a single broadcast domain. Broad cast domains are different subnets linked via routing devices. Describe LAN segmentation using bridges Bridges segment LANs into “collision domains” by using the network device MAC addresses. The nice thing about MAC address is that the source MAC will appear in each frame so when a device sends a frame on the network, a bridge can examine the frame and effectively “learn” which MAC address are on which ports. This storage of MAC information will now allow a bridge to determine whether or not to forward a frame to another segment or whether to drop it. Of course a common drawback of bridging is that broadcast information is forwarded to all collision domains on the bridge. Some bridges will employ flooding controls and blocking algorithms to control unwanted or problematic traffic on a network. MAC address learning is defined in the IEEE 802.1 standard. Bridged networks can also have redundant bridged links when using the Spanning Tree Protocol discussed in its own objective. A Spanning Tree Enabled bridge or switch will both send out bridge protocol data units (BPDUs) and listen to BPDUs of other bridges. The BPDU configuration contains enough information so that all bridges can perform the following: Select a single bridge that will act as the "root" of the spanning tree Calculate the distance, of the shortest path from itself to the root bridge For each LAN segment, designate one of the bridges as the closest one to the root. That bridge will handle all communication from that LAN to the root bridge and will be known as the "designated bridge." Let each bridge choose one of its interfaces as its root interface, which gives the best path to the root bridge Allow each bridge to mark the root interface and any other inter faces on it that have been elected as designated bridges for the LAN to which it is connected as being included in the spanning tree Describe LAN Segmentation using routers LAN segmentation using routers is simply a router between sub-nets or networks. Each network is considered its own broadcast domain meaning broadcast messages are not forwarded across routed segments. Network segmentation is performed at layer-3 (Network layer) compared to bridging which is done at layer-2 (Data Link Layer). Routers segment traffic and create manageable broadcast domains at the network layer, which is at a higher level than bridges. Recall that bridges provide traffic management at the data-link layer. They provide WAN link interfacing, filtering and security through the processing and control of network information. If multiple paths exist to destinations, routers will provide path selection and determination and forwarding. Due to operation at higher levels, they come at a higher performance cost. Performance of a router may decrease throughput anywhere from 20 to 40% or greater than that of a bridge.
Show history Terminal history size Terminal no editing Terminal editing Move to the beginning of the command line Move to the end of the command line Move forward one character Move back one character Backs you out of configuration mode Up arrow or last (previous) command line Down arrow or more recent command recall Entry completion Move back one word Move forward one word Show command buffer Set command buffer size Disable advanced editing features Re-enable advanced editing Examine router elements (RAM, ROM, CDP, show) Router Components RAM / DRAM Hint: Holds all running information when router is powered on, large around 8 to 32mb. Stores routing tables, ARP cache, fast switching cache, packet buffering (shared RAM), and packet hold queues. RAM also provides temporary and running memory for the router's configuration file while the router is powered on. RAM memory is cleared when the router is shutdown or reloaded. NVRAM Hint: Holds configuration file for router startup, small around 32k. Non volatile RAM stores the router's backup configuration file and retains information when the router is shutdown or reloaded. Flash - Hint: Holds IOS when router is powered down, large around 8 to 32mb. Erasable, reprogrammable ROM. Flash memory holds the operating system image and micro-code and allows the update of the IOS software without removing or replacing microchips. Flash content is retained when you power down or restart. Another note is that multiple copies of the IOS can be stored in flash memory if storage space permits. ROM Hint: Holds POST and BOOTSTRAP code when router is powering up. Contains power on diagnostics, a bootstrap program, and operating system software. Unfortunately, to upgrade one must remove and replace chips on the main board. Interfaces Hint: Where data moves in and out of the router. Network connections through which packets enter and exit the router. Interfaces are on the motherboard or on separate interface modules. Router Modes User EXEC mode A "read only" mode in that the user can view some information about the router, but cannot change anything or view specific configuration information. Privileged EXEC mode Supports the debugging and testing commands, detailed examination of the router, manipulation of configuration files, and access to configuration modes. All information is available to an administrator in this mode along with the ability to change system settings. Manage configuration files from the Privileged exec mode Configuration command summary Router configuration information can be displayed by several methods. “EXEC” mode commands can be used to configure from either a virtual terminal or a console terminal. Privileged mode commands can also be used to load a configuration from a network TFTP server meaning an administrator can maintain centralized configuration at a single site. Configure terminal Configure memory Copy tftp running config Copy run startup config Show running config Copy running config tftp Show startup config Erase startup config Configure manually from the console terminal Load configuration information from NVRAM Load configuration information from a network TFTP server. Store the current configuration in RAM into NVRAM. Display the current configuration in RAM Store the current configuration in RAM on a network TFTP server Display the saved configuration, which is the contents of NVRAM Erase the contents of NVRAM. Managing contents of NVRAM (Start Configuration) configure memory erase startup config or clear startupconfig” copy running config startup config show startup config Loads configuration information from NVRAM. Erases the contents of NVRAM Stores the current configuration in RAM into NVRAM Display the saved configuration, which is the contents of NVRAM NVRAM to RAM A current copy of the startup configuration in NVRAM can be copied to RAM using the “copy startupconfig run” command. RAM to NVRAM A current copy of the running configuration stored in RAM can be copied to NVRAM using the “copy running-config start” command. TFTP server A current copy of the configuration currently in RAM can be stored on a TFTP Server using the “copy running-config tftp” command. You can configure the router by retrieving the configuration file stored on one of your network server by entering the “copy tftp running config command. Control router passwords, identification, and banner Passwords A system can be secured by using passwords to restrict local and network access. Passwords can be established both on individual commands and for the privileged mode and through various access methods such as the console port. Enable Password Router(config)# enable password admin Secret (Encrypted) Password Router(config)# enable secret admin Virtual Terminal Password Router(config)# line vty 0 4 Router(config line)# login Router(config line)# password cisco Console Password Router(config)# line console 0 Router(config)# login Router(config line)# password cisco Router Identification The prompt is automatically changed when the hostname of the router is changed UNLESS an overridding prompt is entered. If that is the case then the configured prompt string will always display unlesss in global configuration mode or below. Router Name Router(config)# hostname Chicago Chicago# Prompt String Router(config)# prompt Enter_Command_> Router(config)#exit Enter_Command_> Login Banner Login banners come in different forms and are displayed prior to login to a router. The two most common are the “Day-to-Day” banner also referred to as the MOTD or Message of the Day, and of course the LOGIN banner which unlike the MOTD would not usually be changed on a daily basis but would instead be more static. Prior to logging in, the MOTD is displayed before the login banner. Login Banner Chicago(config)# banner login z Welcome to the Chicago router. z Message of the Day Banner Chicago(config)# banner motd z Have a nice day and don’t forget to upgrade your IOS before 12/31/99! z Interface Description Per Interface Chicago(config)# interface e0 Chicago(config if)# description Chicago Accounting Department Identify the main Cisco IOS commands for router startup Commands Relating to Startup Show start up config or show config Show running config Clear startup config Erase startup config Reload Setup Display the backup configuration files Display the active configuration files Delete the backup configuration file in NVRAM Delete the backup configuration file in NVRAM The reload command will reboot the router through the entire configuration process The last command is used to enter setup mode from the privileged EXEC prompt Initializing the Router 1. The generic bootstrap loader executes from ROM on the CPU card 2. The operating system source is determined from the boot field of the configuration register 3. The operating system image is loaded into low addressed memory 4. The saved configuration file in NVRAM is loaded into main memory and executed sequentially 5. If no valid configuration file exists in NVRAM, the operating system enters SETUP mode, a prompt driven initial configuration routine Enter an initial configuration using the setup command The SETUP command issued from EXEC mode is a prompt driven configuration utility for basic router configuration. Advanced configuration must still be done from the standard configuration interface in config mode. Brackets [ ] indicate a defaulted value for the selection. Example #1 Router# setup --- System Configuration Dialog --Continue with configuration dialog? [yes/no]: y At any point you may enter a question mark '?' for help. Use ctrl-c to abort configuration dialog at any prompt. Default settings are in square brackets '[]'. Basic management setup configures only enough connectivity for management of the system, extended setup will ask you to configure each interface on the system Would you like to enter basic management setup? [yes/no]: y Configuring global parameters: Enter host name [Router]: Chicago The enable secret is a password used to protect access to privileged EXEC and configuration modes. This password, after entered, becomes encrypted in the configuration. Enter enable secret []: secret The enable password is used when you do not specify an enable secret password, with some older software versions, and some boot images. Enter enable password [password]: enable The virtual terminal password is used to protect access to the router over a network interface. Enter virtual terminal password: cisco Configure SNMP Network Management? [no]: n Current interface summary Interface IP-Address OK? Method Status Protocol BRI0 unassigned YES unset administratively down down BRI0:1 unassigned YES unset administratively down down BRI0:2 unassigned YES unset administratively down down Ethernet0 unassigned YES unset administratively down down Enter interface name used to connect to the management network from the above interface summary: Ethernet0 Configuring interface Ethernet0: Configure IP on this interface? [no]: y IP address for this interface: 192.168.1.1 Subnet mask for this interface [255.255.255.0] : 255.255.255.0 Class C network is 192.168.1.0, 24 subnet bits; mask is /24 The following configuration command script was created: hostname Chicago enable secret 5 $1$/Hw9$P3KFbyh5RGeEOD5cQFrWV/ enable password enable line vty 0 4 password cisco no snmp-server ! no ip routing ! interface BRI0 shutdown no ip address ! interface Ethernet0 no shutdown ip address 192.168.1.1 255.255.255.0 ! end [0] Go to the IOS command prompt without saving this config. [1] Return back to the setup without saving this config. [2] Save this configuration to nvram and exit. Enter your selection [2]: 2 Building configuration... 00:04:14: %LINK-3-UPDOWN: Interface BRI0:1, changed state to down 00:04:14: %LINK-3-UPDOWN: Interface BRI0:2, changed state to down 00:04:17: %LINK-3-UPDOWN: Interface Ethernet0, changed state to up Use the enabled mode 'configure' command to modify this configuration. Chicago# Copy and manipulate configuration files Configuration command summary Router configuration information can be displayed by several methods. Privileged mode commands can be used to configure from either a virtual terminal or a console terminal. Privileged mode commands can also be used to load a configuration from a network TFTP server allowing a network administrator to a maintain centralized configuration at a single site. Configure terminal Configure memory Copy tftp running config Configure manually from the console terminal Load configuration information from NVRAM Load configuration information from a network TFTP server. Copy run startup config Show running config Copy running config tftp Show startup config Erase startup config Store the current configuration in RAM into NVRAM. Display the current configuration in RAM Store the current configuration in RAM on a network TFTP server Display the saved configuration, which is the contents of NVRAM Erase the contents of NVRAM. Managing contents of NVRAM (Start Configuration) configure memory erase startup config or clear startupconfig” copy running config startup config show startup config Loads configuration information from NVRAM. Erases the contents of NVRAM Stores the current configuration in RAM into NVRAM Display the saved configuration, which is the contents of NVRAM NVRAM to RAM A current copy of the startup configuration in NVRAM can be copied to RAM using the “copy startupconfig run” command. RAM to NVRAM A current copy of the running configuration stored in RAM can be copied to NVRAM using the “copy running-config start” command. TFTP server A current copy of the configuration currently in RAM can be stored on a TFTP Server using the “copy running-config tftp” command. You can configure the router by retrieving the configuration file stored on one of your network server by entering the “copy tftp running config command. List the commands to load Cisco IOS software from: flash memory, a TFTP server, or ROM Registers Registers control the boot and startup processes. Uses include changing and managing the IOS image and controlling the startup process and bypassing the startup configuration. The registers can be changed with the “Router(config)# config-register #x####” command where #x#### is represented as one of the following as basic settings: Register Setting 0x2101 or 0x101 0x2102 or 0x102 0x2142 or 0x142 0x2141 or0x141 Result Boot from ROM and NOT Flash IOS, used when upgrading IOS, startup-config is still processed Normal Mode Flash IOS and startup-config processed Boot from Flash IOS, startup-config is NOT processed Boot from ROM and NOT Flash IOS, used when upgrading IOS, startup-config is also NOTl processed Specifying the Cisco IOS Software Location The “boot” commands in the NVRAM configuration are processed if there is a 2 in the first position of the register value. For example 0x2101 Router# configure terminal Router(config)# boot system flash {ios-filename} Router(config)# boot system tftp {ios-filename} {tftp-address} Router(config)# boot system rom [Ctrl Z] Router(config)# copy running config startup config The current value of the register can be viewed via the “Router#show ver” command Example: Chicago#show ver Cisco Internetwork Operating System Software IOS (tm) C800 Software (C800-G3-MW), Version 12.0(1)XB1, RELEASE SOFTWARE (fc1) TAC:Home:SW:IOS:Specials for info Copyright (c) 1986-1998 by cisco Systems, Inc. Compiled Wed 30-Dec-99 13:34 by sde Image text-base: 0x000E9000, data-base: 0x004F5000 ROM: TinyROM version 1.0(2) Chicago uptime is 3 days, 8 hours, 47 minutes System restarted by power-on System image file is "flash:c800-g3-mw.120-1.XB1" Cisco C804 (MPC850) processor (revision 1) with 43260K bytes of virtual memory. CPU part number 33 Bridging software. Basic Rate ISDN software, Version 1.1. 1 Ethernet/IEEE 802.3 interface(s) 1 ISDN Basic Rate interface(s) 4M bytes of physical memory (DRAM) 8K bytes of non-volatile configuration memory 8M bytes of flash on board (4M from flash card) Configuration register is 0x2102 Chicago# Prepare to backup, upgrade, and load a backup Cisco IOS software image Understanding the Registers (before you backup or upgrade) Registers control the boot and startup processes. Uses include changing and managing the IOS image and controlling the startup process and bypassing the startup configuration. The registers can be changed with the “Router(config)# config-register #x####” command where #x#### is represented as one of the following as basic settings: Register Result Setting 0x2101 or 0x101 0x2102 or 0x102 0x2142 or 0x142 0x2141 or0x141 Boot from ROM and NOT Flash IOS, used when upgrading IOS, startup-config is still processed Normal Mode Flash IOS and startup-config processed Boot from Flash IOS, startup-config is NOT processed Boot from ROM and NOT Flash IOS, used when upgrading IOS, startup-config is also NOTl processed The current value of the register can be viewed via the “Router#show ver” command Example: Chicago#show ver Cisco Internetwork Operating System Software IOS (tm) C800 Software (C800-G3-MW), Version 12.0(1)XB1, RELEASE SOFTWARE (fc1) TAC:Home:SW:IOS:Specials for info Copyright (c) 1986-1998 by cisco Systems, Inc. Compiled Wed 30-Dec-99 13:34 by sde Image text-base: 0x000E9000, data-base: 0x004F5000 ROM: TinyROM version 1.0(2) Chicago uptime is 3 days, 8 hours, 47 minutes System restarted by power-on System image file is "flash:c800-g3-mw.120-1.XB1" Cisco C804 (MPC850) processor (revision 1) with 43260K bytes of virtual memory. CPU part number 33 Bridging software. Basic Rate ISDN software, Version 1.1. 1 Ethernet/IEEE 802.3 interface(s) 1 ISDN Basic Rate interface(s) 4M bytes of physical memory (DRAM) 8K bytes of non-volatile configuration memory 8M bytes of flash on board (4M from flash card) Configuration register is 0x2102 Chicago# Checking your space in flash Router# show flash or show ver use these commands to show you the total amount of Flash available. 1. Show ver will also display the current IOS file name in flash, amount of RAM and register values: Router#sh ver Cisco Internetwork Operating System Software IOS (tm) C800 Software (C800-G3-MW), Version 12.0(1)XB1, RELEASE SOFTWARE (fc1) TAC:Home:SW:IOS:Specials for info Copyright (c) 1986-1998 by cisco Systems, Inc. Compiled Wed 30-Dec-99 13:34 by esd Image text-base: 0x000E9000, data-base: 0x004F5000 ROM: TinyROM version 1.0(2) Router uptime is 36 minutes System restarted by power-on System image file is "flash:c800-g3-mw.120-1.XB1" Cisco C804 (MPC850) processor (revision 1) with 43260K bytes of virtual memory. CPU part number 33 Bridging software. Basic Rate ISDN software, Version 1.1. 1 Ethernet/IEEE 802.3 interface(s) 1 ISDN Basic Rate interface(s) 4M bytes of physical memory (DRAM) 8K bytes of non-volatile configuration memory 8M bytes of flash on board (4M from flash card) Configuration register is 0x2102 2. Show flash will also display the amount of flash and IOS directory as follows: Router#sh flash Directory of flash:/ 0 ---- 49096 Nov 03 1998 01:14:21 TinyROM-1.0(2) 3 -r-x 2314996 Dec 30 1998 21:37:19 c800-g3-mw.120-1.XB1 Creating a Software Image Backup Router(boot)# copy flash tftp IP address of remote host (255.255.255.255]? 192.16.3.211 Filename to write on tftp host? C2500 Upgrading the Image from the Net Router(boot)# copy tftp flash IP address of remote host (255.255.255.255]? 192.16.3.211 Filename to write on tftp host? C2500 Cisco 2500 Series Router IOS Upgrade Steps Router# enable Router# config t Router (config)# config-register 0x2101 Router (config)# CTRL Z Router# wr mem Router# reload Router(boot)> enable {should return with: (boot)router#} Router (boot)# copy tftp flash {Enter the necessary IP number of the tftp server} {Enter the name of the upgrade file} y y y Router (boot)# config t Router (boot) (config)# config-register 0x2102 Router (boot)# CTRL Z Router (boot)# wr mem Router (boot)# reload Router #sho ver Prepare the initial configuration of your router and enable IP The SETUP command issued from Privileged mode is a prompt driven configuration utility for basic router configuration. Advanced configuration must still be done from the standard configuration interface in config mode. Brackets [ ] indicate a defaulted value for the selection. Example Router# setup --- System Configuration Dialog --Continue with configuration dialog? [yes/no]: y At any point you may enter a question mark '?' for help. Use ctrl-c to abort configuration dialog at any prompt. Default settings are in square brackets '[]'. Basic management setup configures only enough connectivity for management of the system, extended setup will ask you to configure each interface on the system Would you like to enter basic management setup? [yes/no]: y Configuring global parameters: Enter host name [Router]: Chicago The enable secret is a password used to protect access to privileged EXEC and configuration modes. This password, after entered, becomes encrypted in the configuration. Enter enable secret []: secret The enable password is used when you do not specify an enable secret password, with some older software versions, and some boot images. Enter enable password [password]: enable The virtual terminal password is used to protect access to the router over a network interface. Enter virtual terminal password: cisco Configure SNMP Network Management? [no]: n Current interface summary Interface IP-Address OK? Method Status Protocol BRI0 unassigned YES unset administratively down down BRI0:1 unassigned YES unset administratively down down BRI0:2 unassigned YES unset administratively down down Ethernet0 unassigned YES unset administratively down down Enter interface name used to connect to the management network from the above interface summary: Ethernet0 Configuring interface Ethernet0: Configure IP on this interface? [no]: y IP address for this interface: 192.168.1.1 Subnet mask for this interface [255.255.255.0] : 255.255.255.0 Class C network is 192.168.1.0, 24 subnet bits; mask is /24 The following configuration command script was created: hostname Chicago enable secret 5 $1$/Hw9$P3KFbyh5RGeEOD5cQFrWV/ enable password enable line vty 0 4 password cisco no snmp-server ! no ip routing ! interface BRI0 shutdown no ip address ! interface Ethernet0 no shutdown ip address 192.168.1.1 255.255.255.0 ! end [0] Go to the IOS command prompt without saving this config. [1] Return back to the setup without saving this config. [2] Save this configuration to nvram and exit. Enter your selection [2]: 2 Building configuration... 00:04:14: %LINK-3-UPDOWN: Interface BRI0:1, changed state to down 00:04:14: %LINK-3-UPDOWN: Interface BRI0:2, changed state to down 00:04:17: %LINK-3-UPDOWN: Interface Ethernet0, changed state to up Use the enabled mode 'configure' command to modify this configuration. Chicago# Monitor Novell IPX operation on the router IPX Monitoring Command show ipx interface show ipx route show ipx servers show ipx traffic IP Monitoring Command show ip interface show ip route show ip traffic Shows IP status and parameters Shows Routing table contents Shows Number and type of packets Shows IPX status and parameters Shows Routing table contents Shows IPX server list Shows Number and type of packets IPX Troubleshooting Command Displays debug ipx routing activity debug ipx sap Information about RIP update packets Information about SAP update packets The debug ipx routing activity command displays information about IPX routing update packets that are transmitted or received. A router sends an update every 60 seconds. Each update packet can contain up to 50 entries. If there are more than 50 entries in the routing table, the update will include more than one packet. The debug ipx sap command displays information about IPX SAP packets that are transmitted or received. Like RIP updates, these SAP updates are sent every 60 seconds and may contain multiple packets. Each SAP packet appears as multiple line in the output, including a packet summary messages and a service detail message. SAP responses may be one of these types: 0x1----General query 0x2----General response 0x3----Get Nearest Server request 0x4----Get Nearest Server response IP Troubleshooting Command Displays debug ip routing activity Information about RIP update packets Describe the two parts of network addressing, then identify the parts in specific protocol address examples There are two general parts of a Layer 3 address: 1. Network address - Network address Path part used by the router 2. Host address - Host/Node address Specific port or device on the network. TCP/IP networks are represented by 32 bit addresses divided into a network portion and a host portion. The Internet Request For Comments (RFC) 1020 divides the network portion into classes. Classes are as follows: Class A Using 8 bits for the network, with the remaining 24 bits for host addressing Class B Using 16 bits for the network, with the remaining 16 bits for host addressing Class C Using 24 bits for the network, with the remaining 8 bits for host addressing Class D Used For IP multicast addresses TCP/IP networks can additionally be divided into sub-networks. When a TCP/IP address has been subnetted, the network part of the address is described by two elements: the network number, still assigned by the NIC, and the subnetwork number, assigned by the local network administrator. Classful TCP/IP Example: 17.20.2.1 with Class default subnet mask of 255.0.0.0: Network = 17, Node/Host = 20.2.1 SubNetted TCP/IP Example: 17.20.2.1 with subnetted mask of 255.255.0.0: Network = 17.20, Node/Host = 2.1 Novell Internet Packet Exchange (IPX) IPX uses a 48 bit hexadecimal host number usually derived automatically from the MAC address of a LAN interface to the IPX network, and a 32 bit Network number. IPX Example: adcafedd.0000.0a43.ad33 Network = adcafedd, Node/Host = 0000.0a43.ad33. AppleTalk 16 bit network numbers are assigned to physical links either individually or in ranges called cable ranges. The 8 bit AppleTalk node portion is called the host address. An Apple end station usually acquires this host address dynamically when it boots up onto the network. AppleTalk Example: 1000.11 (assume a cable range 1000 1000) Network = 1000, Node/Host = 11 Create the different classes of IP addresses [and subnetting] Standard IP Addressing and Classes With TCP/IP, addresses are comprised of a 32bit number separated into 4 octets. The important item to remember with an IP address is that that single 32bit number represents two distinct items of information, namely the SUBNET or NETWORK address and the HOST address. The subnet address is used to group TCP/IP devices into logical groups called networks. The host address is used to uniquely identify a host within a subnet. Of course the problem that arises when you represent two numbers in a single number is how to separate them. In the case of TCP/IP, the separation of the IP address into two pieces is done with an item called a subnet mask. The subnet mask also is a 32bit number. It will determine the network ID and the number of hosts in each network based on the class of the network mask. Default classes, addresses and masks are as follows: Class Class A Class B Class C Class D Class Range of Network Numbers 1.0.0.0 through 126.0.0.0 128.1.0.0 through 191.254.0.0 192.0.1.0 through 223.255.254.0 224.0.0.0 through 239.255.255.254 Research Default Subnet Mask 255.0.0.0 255.255.0.0 255.255.255.0 Used Multicast Research Number of host addresses per/network 16,777,214 65,534 254 No host range exists No host range exists E Other 127.0.0.0 255.0.0.0 Reserved to LOCALHOST and Loop back testing Example Network 1: Example Network #1 illustrates a typical network using a variety of network types and classes for example purposes. You will notice that the routers as pictured create broadcast domains that require different network definitions. This drawing does not illustrate the actual assignment of IP addresses to hosts but for network 192.168.1.0, the router at E0 would be probably be assigned IP address 192.168.1.1 with a mask of 255.255.255.0. The PC would probably be assigned 192.168.1.2 with a mask 255.255.255.0 AND a gateway of 192.168.1.1 (which is the router at E0). An important note! In any range, If the host portion is represented by ALL 0’s then that represents the NETWORK ID as in the picture. IF the host portion is represented by ALL 1’s then that represents the subnetwork broadcast ID. You must know both for the exam. Sub-network IP Addressing Sub-netting is nothing more than modifying the subnet mask to increase the number of networks and decrease the number of hosts on each network. Why you say? Lets say that you are given a Class A 10.0.0.0 network with mask 255.0.0.0. Your company has 50 networks and 250 hosts on each network. The issues here is that you really only have one network “10.0.0.0” but your company has 50 networks. Seeing that the host portion is “0.0.0” which allows over 16 million hosts we certainly do not need, we can reduce that number and at the same time increase that single 10 network into multiple “subnetted” networks. To do this we simply adjust the mask. In this case if we change the mask to 255.255.0.0, notice we did not change the 10, we are now using 10.1-254 as the networks and 0.0 as the hosts on each network. So what did that leave us with? 254 networks with 64k hosts on each network and all it took was a mask adjustment. Example Network 2: What we have here if you notice is a single Class B network of 172.16.0.0 with default mask 255.255.0.0, split into 254 networks with 254 hosts per network by changing the mask to 255.255.255.0. Of course you see we only assigned the first two networks to our design but we have lots of room to grow. BUT, what if we did not want to change the mask from 255.255.0.0 to 255.255.255.0 because we have 300 hosts on each network. Recall when we changed the mask by an entire octet we gained 254 networks but reduced our hosts from 64k to 254 per network. Well you do not have to jump an entire octet. You can most certainly move the mask 1 bit at a time. For this we need to recall a bit more about binary because our masks will be a bit different. Before we get to the masks, lets look at a simple rule for determining the number of hosts and networks calculated from changing the mask. Incremental Subnetworking Starting again with 172.16.0.0 and looking at 255.255.0.0 represented as binary 11111111.1111111.00000000.00000000, we can move the mask 1 bit at a time to the right. Each time we move a bit we can count the bits take for the network and take a power of 2 to that number –2 and get a count for the new networks. So for example, if we take 4 bits we get 2^4-2 =14 networks. What remains is the same calculation, since we took 4 bits for the networks that leaves us 12 bits for the hosts. 2^12-2 = 4092. So to recap by moving the mask over 4 bits we went from 1 network to 14 networks and from 64534 hosts to 4092 hosts per network. Now what is the MASK you say? Well if you take the modified mask result of 11111111.11111111.11110000.00000000, remember we took 4 bits for the subnetting, we end up with a mask of 255.255.240.0. That is the mask we will use when assigning all hosts. To finalize this procedure we need to summarize with three items: 1. MASK Our mask is 255.255.240.0 for all new sub networks 2. Network ID’s and network broadcast ID’s The networks can easily be determine by takeing the lowest binary value in the mask and using that as both your first network id and your network increment. So if your mask is 11111111.11111111.11110000.00000000, the lowest value is 16 or 2^4 in the third octet. The broadcast ID is calculated by placing 1’s in each portion of the host range or simply the highest number in that range. Therefore our networks are: Net ID 172.16.16.0 172.16.32.0 172.16.48.0 Broadcast ID 172.16.31.255 172.16.47.255 172.16.63.255 172.16.64.0 172.16.80.0 And so on 172.16.79.255 172.16.95.255 3. Assign host ranges for each subnetwork After determining the networks the host ranges are easy. The lowest number in the range is the host ID and the highest number in the range is the broadcast. Everything in between are the assignable host ID’s for that subnet. Net ID 172.16.16.0 172.16.32.0 172.16.48.0 172.16.64.0 172.16.80.0 And so on Broadcast ID 172.16.31.255 172.16.47.255 172.16.63.255 172.16.79.255 172.16.95.255 Host Ranges 172.16.16.1 – 172.16.31.254 172.16.32.1 – 172.16.47.254 172.16.48.1 – 172.16.63.254 172.16.64.1 – 172.16.79.254 172.16.80.1 – 172.16.95.254 Below is a chart that may assist in determining necessary subnetwork information: Configure IP addresses Configuring TCP/IP Interface Addresses IP addresses are assigned to an interface. Each interface can support 1 or more IP addresses on a single interface. Each IP address can be on the same or a different subnetwork. The syntax for assigning an IP addresses is as follows: Router(config-if)# ip address ip-address subnet-mask [secondary] Example Router(config)# interface ethernet 0 Router(config-if)# ip address 192.168.1.1 255.255.255.0 Router(config-if)# ip address 192.168.2.1 255.255.255.0 secondary Other commonly used commands Router (config)# ip host name Adds static host name entries to the ip address name mapping table. This is used if a NDS server is not configured and if the administrator would like to access other IP hosts by name instead of IP addresses. Router (config)# ip name-server Specifies the name of the DNS server for host name lookup Router (config)# ip domain-lookup enabled Enable the use of DNS server lookups from the DNS server identified in the ip name-server command Router (config)# terminal ip netmask-format Sets the display format of the network mask when seen on show commands List the required IPX address and encapsulation type When configuring IPX on a Cisco router a valid network address is required. The network ID must match the current network in place or if it is a new network it must a valid 32bit number documented entered in hex. So, how does Cisco recommend you retrieve this information if you do not already know it? Simple: Use a Cisco IOS command to check on the neighbor Cisco router using the “Router# show cdp neighbor details” command Use NetWare command to check on the NetWare file server/router. From the NetWare console, enter the “CONFIG” command. Contacting NetWare administrator would simply be the easiest way. Along with the NetWare network ID, there are several different Ethernet framing types with different variations in the fields they use. This is critical because DIFFERENT encapsulations have DIFFERENT network Ids. This is why many routers will have secondary encapsulations so they can communicate and pass all necessary IPX traffic. Novell IPX Name Ethernet_II Ethernet_8022 Ethernet_SNAP Ethemet_8023 Cisco IOS Name Arpa Sap Snap Novell ether (default) Uses TCP/IP and DECnet Used with NetWare 3.12 and greater such as 4.x and OSI routing TCP/IP and AppleTalk Used with NetWare versions 2.x and 3.x. Also referred to as RAW Ethernet Token Ring Token Ring_SNAP Token Snap IBM Token-Ring TCP/IP and Token-Ring Identify the functions of the TCP/IP transport-layer protocols Transport Layer Protocols TCP Connection based protocols for RELIABLE communications with the following attributes: Uses Sequence Numbers Breaks messages into datagrams Reassembles datagrams into messages Handshakes with receiving device Sends Acknowledgments Uses Sliding - Windowing transmission technique Suited for WAN protocols such as Frame-Relay Examples: HTTP, FTP, TELNET UDP Connection-less based protocols for UN-RELIABLE communications with the following attributes: Provides NO software checking Relies on application layer reliability Provides connectionless transmission Uses NO Windowing Suited for performance oriented application Examples: Real Audio, Streaming, Video, Sound, TFTP Enable the Novell IPX protocol and configure interfaces Where TCP/IP usually has 1 configuration step, Novell IPX configuration involves two parts: Global tasks: Router(config)# ipx routing [node] The IPX routing command enables Novell IPX routing. When no node address is specified, the Cisco router uses the MAC address of the interface. In the case that a Cisco router has only serial interfaces, an address must be specified. Router(config)# ipx maximum paths paths To Enable load sharing if appropriate for your network. Load sharing is the division of routing tasks evenly among multiple routers to balance the work and improve network performance. The ipx maximum paths command enables round robin load sharing over multiple equal metric paths with default of 1 and a maximum of 512. Interface specific task: Router (config if)# ipx network number [encapsulation encapsulation type] [secondary] Assign unique network numbers to each interface. Multiple network numbers can be assigned to an interface, allowing support of different encapsulation types. The ipx network command enables Novell IPX processing. This command additionally assigns a primary and secondary network and also assigns encapsulation. Encapsulation, which is optional, specifies the encapsulation type for the interface. It can be one of the following types: novell ether, sap, arpa, snap. Novell IPX Configuration Example Router(config)# ipx routing Router(config)# ipx maximum paths 2 Router(config)# interface ethernet 0 Router(config-if)# ipx network a8023 encapsulation novell ether Router(config-if)# ipx network a8022 encapsulation sap secondary Router(config)# interface ethernet 1 Router(config-if)# ipx network b8022 encapsulation sap Identify the functions of the TCP/IP network-layer protocols Network Layer Protocols ARP This protocol maps a KNOWN IP address to a MAC sub-layer address. ARP also consults subnet masks to determine whether nodes are on the same subnet. When sending a packet, if nodes are on the same subnet, the frame is sent directly to the receiving node. If nodes are on different subnets, the frame is sent to the default gateway (default network on a Cisco router) for forwarding. RARP uses a table entry on a server to respond to requests for mapping a KNOWN MAC address to an IP address. Example, BOOTP or DHCP servers. With a DHCP server, the client knows its IP address but must request an IP address from a server that most probably has a record stored of the IP MAC relationship. This way client’s are less likely to receive a different IP address each time communication with the DHCP server occurs. Diskless workstations also use RARP to request boot information. Provides routing information for best effort delivery. This also contains the transport layer protocol ID in the header. ICMP messages are carried in IP datagrams and are used to send error and control messages. Also used to send Destination Unreachable Messages RARP IP ICMP Identify the functions performed by ICMP All TCP/IP hosts implement the Internet Control Message Protocol (ICMP). ICMP messages are carried in IP datagrams and are used to send error and control messages. PING is an example of a utility that uses the ICMP protocols for testing. If a router receives a packet that is unable to deliver to its ultimate destination, the router sends an ICMP host unreachable message to the source. An echo reply is a successful reply to a PING command although results may also include other ICMP message replys including unreachable destinations and time outs. Some the most common functions of ICMP include: Control and message functions at the network layer Used to send Destination Unreachable Messages Used to send Error and control messages Configure IPX access lists and SAP filters to control basic Novell traffic IPX/SPX access list overview In Novell IPX/SPX addressing is an 80bit address including a (32-bit) network portion and a (48bit) node portion derived from the MAC address of the interface. Each NetWare server has an internal IPX network number and performs IPX routing. The External IPX network numbers are assigned on Cisco router and NetWare server interfaces and must be unique and consistent with the network numbers known to the other NetWare servers and routers. IPX access lists check for source address, destination address, or both. IPX standard access lists use numbers in the range 800 899. Additionally, to control the traffic from the Service Advertisement Protocol (SAP), SAP filters use numbers in the range 1000 to 1099. Several other packet and route filters are available for managing IPX overhead traffic including Get Nearest Server (GNS), Routing Information Protocol (RIP), and NetWare Link Services Protocol (NLSP). Overview for IPX Access Lists NetWare IPX addresses use a network.node and socket number Standard lists (800 to 899) can filter source and destination address Extended lists (900 to 999) allow more precise filtering conditions Access lists (1000 to 1099) are SAP filters for service types and servers on one or more networks Other access list number ranges offer more Novell software filters including GNS, RIP, NLSP IPX Standard Access Lists Configuration Standard access list uses list number in range 800 to 899 Router Router(config)# access list access list number {deny I permit} source network [.source node] [source node mask] [destination network] [.destination node] [destination node mask] Use the access list command to filter traffic in an IPX network. Using filters on the outgoing router interface allows or restricts different protocols and applications on individual networks. access list number protocol source network source node destination network destination node Access list number for an IPX filter list from 800 to 899 Number of the protocol type, can be: 0=any protocol, 1=RIP, 4=SAP, 5=SPX, 17=NCP, 20=IPX NetBIOS Source network number, expressed in eight digit hexadecimal Node number on the source network. Represented as a 48 bit value shown in a dotted triplet of 4 digit hexadecimal numbers Network number to which the packet is being sent Node on the destination network to which the packet is being sent Activates the IPX standard access list on an interface Router(config-if)# ipx access group access list number Standard Access List Example: Objective: Allow only traffic from network b8022 destined for network a8022 to be forwarded out of Ethernet 0 Router (config)# access-list 800 permit b8022 a8022 implicit deny all not visible in the list Router (config)# interface ethernet 0 Router (config-if)# ipx network a8022 Router (config-if)# ipx access group 800 Router (config)# interface ethernet 1 Router (config-if)# ipx network b8022 Router (config)# interface ethernet 2 Router (config-if)# ipx network c8022 Access List Commands 800 Permit B8022 A8022 Ipx access-group 800 Explanation Access list number Traffic that matches will be forwarded Source network Destination network Links to interface E0 IPX SAP Filters Configuration SAP filters are typically placed close to the source to ensure these SAP filters conserve bandwidth over WAN links. When a SAP advertisement arrives at the router interface, the contents are placed in the SAP table. The contents of the table are then propagated during the next SAP update. There are two types of SAP filters: When a SAP input filter is in place, the services entered into the SAP table is reduced. The propagated SAP updates represent the entire table, but contain only a subset of all services. When a SAP output filter is in place, the services propagated from the table are reduced. The propagated SAP updates represent a portion of the table contents and are a subset of all the known services. IPX input SAP filter IPX output SAP filter Router(config)# access list access list number {deny I permit} network [.node] [network mask node-mask] [service type [server name] access list number Number from 1000 to 1099, indicates a SAP filter list. Network [.node] network mask node mask service type Novell source internal network Mask to be applied to the network and node. Place ones in the positions to be masked. SAP service type to filter. Each SAP service type is identified by a hexadecimal number. Some standard used ones: 4=file servers, 7=print servers, 24=router, 98=access server Standard SAP filter Example #1: Objective: Prevent File Server advertisements from server c8022.1111.2222.3333 from being forwarded on S0. All other SAP services should be forwarded from any other source on S0. Router (config)# access-list 1000 deny c8022.1111.2222.3333 4 Router (config)# access-list 1000 permit -1 implicit deny all not visible in the list Router (config)# interface ethernet 0 Router (config-if)# ipx network c8022 Router (config)# interface ethernet 1 Router (config-if)# ipx network a8022 Router (config)# interface serial 0 Router (config-if)# ipx network z8022 Router (config-if)# ipx output-sap-filter 1000 Access List Commands 1000 Deny C8022.1111.2222.3333 4 Explanation Access list number Sap services matching will be blocked Source network of SAP advertisements Type of Sap service for File Services 1000 Permit -1 Ipx output-sap-filter 1000 Access list number Sap services matching will be forwarded Source network of –1 means ALL networks Apply access list as output Sap filter Standard SAP filter Example #2: Objective: Prevent Print server advertisements from servers on networks c8022 and a8022 from being entered into the SAP table while allowing all other SAP services from any source to be added into the SAP table. Router (config)# access-list 1001 deny 7 Router (config)# access-list 1001 permit -1 implicit deny all not visible in the list Router (config)# interface ethernet 0 Router (config-if)# ipx network c8022 Router (config)# interface ethernet 1 Router (config-if)# ipx network a8022 Router (config)# interface serial 0 Router (config-if)# ipx network z8022 Router (config-if)# ipx input-sap-filter 1001 Access List Commands 1001 Deny 7 1001 Permit -1 Explanation Access list number Sap services matching will be blocked SAP advertisement type; Print services Access list number Sap services matching will be forwarded Source network of –1 means ALL networks Ipx input-sap-filter 1001 Apply access list as input SAP filter Add the RIP routing protocol to your configuration RIP Overview The RIP protocol was originally specified in RFC 1058. A RIP table can be viewed by typing in the “show ip route” command. The following are some characteristics of RIP: It is a distance vector routing protocol Routing updates are broadcast every 30 seconds by default The maximum allowable hop count of 15 Hop count is used as the metric for path selection In newer versions of RIP load balancing RIP Configuration Router (config)# router rip Router (config router)# network network number Descriptions The router rip starts the RIP routing process The network number specifies a directly connected network Add the IGRP routing protocol to your configuration IGRP Overview IGRP is a distance vector routing protocol developed by Cisco. IGRP sends routing updates at 90 second intervals that target a particular autonomous system. The following are some key characteristics of IGRP: The IGRP routing protocol uses a combination of variables to determine a composite metric. Scalability to function in very large networks Versatility to automatically handle complex topologies Flexibility for segments having different bandwidth and delay characteristics IGRP Configuration Router (config)# router igrp autonomous system Router (config router)# network network number Descriptions The router igrp command enables the IGRP routing protocols The network command specifies any directly connected networks to be included The autonomous system identifies the IGRP router processes that will share routing information The network number specifies a directly connected network Explain the services of separate and integrated multi-protocol routing In a separated multi-protocol environment protocol processes operate totally independent of each other. In an integrated multi-protocol routing environment, several configured protocols share the results of the integrated routing algorithms. EIGRP (Enhanced IGRP) is a integrated multi-protocol example that is proprietary to Cisco. Enhanced IGRP uses a distance vector algorithm based on Cisco's IGRP and integrates support for IP, AppleTalk, and Novell IPX. Integrated multi-protocol routing has the following attributes: Enables path selection and packet switching for more than one routed protocol Conserve network and router resources Simplifies the administrative tasks Maintain routing updates that are usable by all configured routed protocols Generates and maintains separate routing tables for each of the routed protocols List problems that each routing type encounters when dealing with topological changes and describe techniques to reduce them Concept Summary Distance Vector protocols use the Bellman-Ford algorithm to calculate best route paths. Link-state protocols use the SPF algorithm to calculate best route paths. Distance Vector protocols DO NOT know the topology of the network where Link-State protocols DO know the topology of the entire network. Comparing Distance Vector routing to Link State routing Distance vector routing gets all topological data from the perspective from processing the routing table information of its neighbors. Link state routing obtains a complete understanding of the entire internetwork topology by accumulating all necessary LSPs. Distance vector routing determines the best path by incrementing the metric value it receives as tables move from router to router. Link state routing allows each router to work in tandem with other routers to calculate its own shortest path to destinations. With most distance-vector routing protocols, updates for topology changes come in periodic table updates. These tables pass incrementally from router to router, usually resulting in slower convergence. Link state routing protocols usually trigger updates through topology changes. Small LSPs passed to all other routers, or to a multicast group of routers result in a faster time to converge on an internetwork topology change. Distance Vector Overview Distance vector based routing algorithms pass periodic copies of a routing table from router to router. Each router receives a routing table from its direct neighbor only. Assume Router 1 knows about network A and B, and Router 2 knows about B and C. After the next periodic exchange, Router 1 will know about networks A, B, and C and the distance is incremented in Router 1 to get to network C because it now has to go through the neighboring router. This process occurs in all directions between direct neighbor routers. If during the next transmission, a better path exists the routing table will be updated. Distance vector algorithms do not allow a router to know the exact topology of an internetwork. Examples include RIP (Routing Information Protocols) and IGRP (Interior Gateway Routing Protocol) Benefits include: Easy to implement – It takes very little configuration to get it up and running Widely supported – Most devices support some type of Distance Vector routing protocols Potential Problems: Counting to infinity This condition continuously loops packets around the network, despite the fundamental fact that the destination network is down. While the routers are counting to infinity, the invalid information allows a routing loop to exist. Routing Loops Routing Loops can occur if the internetwork's slow convergence on a new configuration causes inconsistent routing entries. Implemented Solutions: Split Horizon If you learn a protocol's route on an interface, do not send information about that route back out that interface. Defining a Maximum Specify a maximum distance vector metric as infinity. Hold Down Timers Routers ignore network update information for some period. Route poisoning Router keeps an entry for the network down state, allowing time for other routers to recompute for the topology change. Link State Overview These are designed for larger networks and address the shortcomings of Distance Vector algorithms. This is because LSP’s map the entire network topology unlike DVP’s. A “link” can be defined as a network interface on a router. A “link-state” is the status between two router interfaces. For routing updates, each router running an LSP locates routers directly connected to it. It then sends out link-state advertisements (LSAs) in its area, listing its neighbor’s names and route cost to each neighbor. Cost is the value that indicates relative speed of the link as indicated by the bandwidth on the link. A router that receives LSAs then forwards them to neighbor routers in the network cloud. The lowest cost paths are optimal yet multiple optimal paths allow load balancing. A router running a Link-State algorithm uses a hello packet to establish a formal connection with each directly connected together. Examples include OSPF (Open Shortest Path First). Benefits include: Qu ick Convergence – Incorporates route changes into the network and performs new route computation immediately Support for VLSM – Allows multiple-level sub-networked IP addresses within a single network Increased network node access – Supports large numbers of network nodes far beyond the previous 15-hop limitation Sending of periodic routing updates – Only sends updates when there is a change in the topology Optimizing route selection – Uses composite routing methods. Potential Problems: Processing and memory required – More memory is required due to the large amount of network information that needs to be managed. Recall that each router has a complete picture of the network. Bandwidth consumed for initial link state “flood” – A lot of bandwidth is consumed during initial link-state startup. This issue is called flooding. This is caused from all routers trying to converge the network and understand the network topology. Unsynchronized updates and inconsistent path decisions – This often happens when links become unavailable and the LSP has to be reconstructed. During the calculation other links go down as other come up. This creates problems. Large network synchronization – This adds to the problems due to the complete network topology that each router contains. Larger networks will run Hybrid protocols. Implemented Solutions: Reduce the need for resources Co-ordinate link-state updates Describe the benefits of network segmentation with routers Routers segment traffic and create manageable broadcast domains at the network layer, which is at a higher level than bridges. Recall that bridges provide traffic management at the data-link layer. They provide WAN link interfacing, filtering and security through the processing and control of network information. If multiple paths exist to destinations, routers will provide path selection and determination and forwarding. Due to operation at higher levels, they come at a higher performance cost. Performance of a router may decrease throughput anywhere from 20 to 40% or greater than that of a bridge. Multiple active paths – Routers allow the use of a network topology that can use more than one path between stations. Because they operate at the network layer, routers examine protocols, destination service access point (DSAP) and source service access point (SSAP) and path metric information. They can then use that information when making path determination, forwarding or filtering decisions. Functionality Routers are available to the end stations and thus can implement mechanisms to provide flow control, error and congestion control, fragmentation and reassembling services, and explicit packet time-to-live controls. Manageability – Multiple protocols operating among routers give network administrators more overall control over path selection and network routing behavior Configure standard and extended access lists to filter IP traffic Standard access lists filter at layer 3 meaning source networks and host addresses and they can deny or permit the networks and hosts but NOT transport layer information such as protocol UDP and TCP or specific ports. When standard access lists don’t cut it for the specific filtering you need on your router, Extended Access Lists may be the answer. This type of layer 4 filtering may be required for firewall purposes and therefore extended access lists may be the answer you’re looking for. Extended IP access list statements can filter for source address and for destination address with additional control by specifying optionally the TCP or UDP protocol port number. How to associate access lists to interfaces: Place standard access lists close to the destination Place extended access lists close to the source Enabling and Disabling Standard Access Lists Router (config)# access list access list number {permit I deny} source [source mask] IP standard access lists use 1 to 99 The access list command creates an entry in a standard traffic filter list. Parameter descriptions are as follows: access list number Identifies the list to which the entry belongs; a number from 1 to 99. {permit I deny} Indicates whether this entry allows or blocks traffic from the specified address. source Identifies source IP address source mask Identifies which bits in the address field are matched. A 1 in positions indicates to leave alone and a 0 in a position indicates instructions to be followed. Router (config)#no access list access list number Removes the access list Router (config-if)#ip access group access list number {in | out} Activates the list on the interface The ip access group command links an existing access list to an outbound interface. Only one access list per port per protocol per direction is allowed. access list number Indicates the number of the access list to be linked to this Interface. {in I out} Selects whether the access list is applied to the incoming or Outgoing interface If in or out is not specified, out is the Default Router (config-if)#no ip access group access list number {in | out} De-activates the list on the interface Standard Access List Example #1: Objective: Allow all traffic from the 172.16.0.0 networks to be forwarded while blocking all non-172.16.0.0 traffic. Router (config)# access list 1 permit 172.16.0.0 0.0.255.255 implicit deny all not visible in the list access list 1 deny 0.0.0.0 255.255.255.255 Router (config)# interface ethernet 0 Router (config-if)# ip access group 1 out Router (config)# interface ethernet 1 Router (config-if)# ip access group 1 out Access List Command 1 Permit 172.16.0.0 0.0.255.255 Ip access-group 1 out Explanation Access list number Traffic that matches will be forwarded IP address used to identify the source network Wildcard mask; 0 indicates positions must match, 1s indicate not checked Applies the access list to an interface, OUT is the default Standard Access List Example #2: Objective: Block traffic from address 172.16.2.2, and allow all other traffic to be forwarded on the interface Ethernet 0 Router (config)# access list 1 deny host 172.16.2.2 Router (config)# access list 1 permit 0.0.0.0 255.255.255.255 implicit deny all not visible in the list access list 1 deny 0.0.0.0 255.255.255.255 Router (config)# interface ethernet 0 Router (config-if)# ip access group 1 out Access List Commands 1 Deny host 172.16.2.2 0.0.0.0 1 Permit 0.0.0.0 255.255.255.255 Ip access-group 1 out Explanation Access list number Traffic that matches will NOT be forwarded IP address used to identify the source host Wildcard mask; 0 indicates positions must match, 1s indicate not checked Access list number Traffic that matches will be forwarded IP address used to identify the source host Wildcard mask; 0 indicates positions must match, 1s indicate not checked Applies the access list to an interface, OUT is the default Standard Access List Example #3: Objective: Block traffic from subnet 172.16.2.0 and permit the forwarding of all other traffic Router (config)# access list 1 deny 172.16.2.0 0.0.0.255 Router (config)# access list 1 permit any implicit deny all not visible in the list access list 1 deny 0.0.0.0 255.255.255.255 Router (config)# interface ethernet 0 Router (config-if)# ip access group 1 out Access List Command 1 Deny 172.16.2.0 0.0.0.255 1 Permit Any Ip access-group 1 out Explanation Access list number Traffic that matches will NOT be forwarded IP address used to identify the source network Wildcard mask; 0 indicates positions must match, 1s indicate not checked Access list number Traffic that matches will be forwarded Abbreviation for 0.0.0.0 255.255.255.255 Applies the access list to an interface, OUT is the default Enabling and Disabling Extended Access Lists In summary, Extended Access lists (range 100-199) over Standard Access lists (range 1-99) allow on to: Check source and destination IP address Specify an optional IP protocol port number. “Well-Known” ports are listed below: Well-know ports 20 21 23 25 69 IP protocol File Transfer Protocol (FTP) data FTP Program Telnet Simple Mail Transfer Protocol (SMTP) Trivial File Transfer Protocol (TFTP) 53 80 110 119 Domain Name System (DNS) Hypertext Transport Protocol (HTTP) Post Office Protocol (POP3) Network News Transport Protocol (NNTP) Enabling and Disabling Extended Access Lists Router(config)# access list access list number {permit I deny} protocol source source mask destination destination mask [operator operand] [established] access list number IP Access List Ranges <1-99> IP standard access list <100-199> IP extended access list <1100-1199> Extended 48-bit MAC address access list <1300-1999> IP standard access list (expanded range) <200-299> Protocol type-code access list <2000-2699> IP extended access list (expanded range) <700-799> 48-bit MAC address access list permit I deny protocol Allow or block the specified address <0-255> An IP protocol number ahp - Authentication Header Protocol eigrp - Cisco's EIGRP routing protocol esp - Encapsulation Security Payload gre - Cisco's GRE tunneling icmp - Internet Control Message Protocol igmp - Internet Gateway Message Protocol igrp - Cisco's IGRP routing protocol ip – Any Internet Protocol ipinip - IP in IP tunneling nos - KA9Q NOS compatible IP over IP tunneling ospf - OSPF routing protocol pcp - Payload Compression Protocol tcp – Transmission Control Protocol udp - User Datagram Protocol source and destination source mask and destination mask operator and operand Identifies source and destination IP addresses Wildcard mask; Os indicate positions that must match, Is indicate "don't care" positions Ack - Match on the ACK bit eq - Match only packets on a given port number fin - Match on the FIN bit gt - Match only packets with a greater port number log - Log matches against this entry log-input - Log matches against this entry, including input interface lt - Match only packets with a lower port number neq - Match only packets not on a given port number precedence - Match packets with given precedence value psh - Match on the PSH bit range - Match only packets in the range of port numbers rst - Match on the RST bit syn - Match on the SYN bit time-range - Specify a time-range tos - Match packets with given TOS value urg - Match on the URG bit established Match established connections Router(config-if)# ip access group access list number [in | out] access list number [in I out] Number of the access list to be linked to this interface. Access list is applied to the incoming or outgoing interface. If in or out is not specified, out is the default Extended Access List Example #1: Objective: Deny FTP for E0 and allow all other traffic from subnet 172.16.2.0 to be forwarded to all other networks or subnets via interface E0. Router (config)# access list 101 deny tcp 172.16.2.0 0.0.0.255 172.16.1.0 0.0.0.255 eq 21 Router (config)# access list 101 deny tcp 172.16.2.0 0.0.0.255 172.16.1.0 0.0.0.255 eq 20 Router (config)# access list 101 permit ip 172.16.2.0 0.0.0.255 0.0.0.0 255.255.255.255 Router (config)# implicit deny all not visible in the list Router (config)# interface ethernet 0 Router (config-if)# ip access group 101 Access List Command Explanation 101 Deny Tcp 172.16.2.0 and 0.0.0.255 172.16.1.0 and 0.0.0.255 Eq 20 Eq 21 Access list number Traffic that matches will not be forwarded Transmission Control Protocol Source address Destination address FTP FTP data Extended Access List Example #2: Objective: Allow only SMTP (Mail) from 172.16.2.0 to be sent out interface E0 and deny any other traffic Router (config)# access list 101 permit tcp 172.16.2.0 0.0.0.255 any eq 25 Router (config)# implicit deny all not visible in the list Router (config)# interface ethernet 0 Router (config-if)# ip access group 101 Access List Command 101 Permit Tcp 172.16.2.0 and 0.0.0.255 Any Eq 25 Explanation Access list number Traffic that matches will be forwarded Transmission Control Protocol Source address Destination FTP Monitor and verify selected access list operations on the router IP and IPX access can be viewed with commands: Show access-lists [interface] Show access lists on specific interfaces Show access-lists Show all access lists IP and IPX can be monitored using the following commands: Show IPX interface Show IPX traffic Show IPX servers Show IPX route Show IP interface IPX status and parameters including information on IPX addressing, SAP and SAP GNS information, RIP, and statistics. Statistics on IPX traffic, numbers relating to traffic including the quantity and type of each packet Shows the server list from the routers SAP table Shows the IPX routing table content Example Router#show ip int e0 Ethernet0 is administratively down, line protocol is down Internet address is 192.168.100.35/27 Broadcast address is 255.255.255.255 Address determined by setup command MTU is 1500 bytes Helper address is not set Directed broadcast forwarding is disabled Outgoing access list is 1 Inbound access list is not set Proxy ARP is enabled Security level is default Split horizon is enabled ICMP redirects are always sent ICMP unreachables are always sent ICMP mask replies are never sent IP fast switching is enabled IP fast switching on the same interface is disabled IP Null turbo vector IP multicast fast switching is disabled IP multicast distributed fast switching is disabled Router Discovery is disabled IP output packet accounting is disabled IP access violation accounting is disabled TCP/IP header compression is disabled Probe proxy name replies are disabled Policy routing is disabled Network address translation is disabled Web Cache Redirect is disabled BGP Policy Mapping is disabled Router# IP and IPX can be also monitored real-time using debug commands: Debug IPX routing activity Debug IPX SAP Debug IP routing Debug IP RIP Show RIP table information updates Shows SAP update packets Shows Routing Table events Shows IP RIP information Describe the advantages of LAN segmentation Networks can be divided into smaller segments thereby reducing the number of users per segment. This segmentation will effectively increase the bandwidth available to all users in the particular segment. Each new segment is considered a different collision domain as opposed to routers, which create new broadcast domains. The new segments will support traffic movement between network nodes without interfering with traffic patterns on other collision segments. When a user is communicating within their segment with others, they will effectively have better communication to backbone segment hosts such as servers. Another key point is that segmentation still ALLOWS non-routed protocols to communicate throughout all segments because all segments are contained in a single broadcast domain. Broad cast domains are different subnets linked via routing devices. Describe LAN segmentation using bridges Bridges segment LANs into “collision domains” by using the network device MAC addresses. The nice thing about MAC address is that the source MAC will appear in each frame so when a device sends a frame on the network, a bridge can examine the frame and effectively “learn” which MAC address are on which ports. This storage of MAC information will now allow a bridge to determine whether or not to forward a frame to another segment or whether to drop it. Of course a common drawback of bridging is that broadcast information is forwarded to all collision domains on the bridge. Some bridges will employ flooding controls and blocking algorithms to control unwanted or problematic traffic on a network. MAC address learning is defined in the IEEE 802.1 standard. Bridged networks can also have redundant bridged links when using the Spanning Tree Protocol discussed in its own objective. A Spanning Tree Enabled bridge or switch will both send out bridge protocol data units (BPDUs) and listen to BPDUs of other bridges. The BPDU configuration contains enough information so that all bridges can perform the following: Select a single bridge that will act as the "root" of the spanning tree Calculate the distance, of the shortest path from itself to the root bridge For each LAN segment, designate one of the bridges as the closest one to the root. That bridge will handle all communication from that LAN to the root bridge and will be known as the "designated bridge." Let each bridge choose one of its interfaces as its root interface, which gives the best path to the root bridge Allow each bridge to mark the root interface and any other inter faces on it that have been elected as designated bridges for the LAN to which it is connected as being included in the spanning tree Describe LAN Segmentation using routers LAN segmentation using routers is simply a router between sub-nets or networks. Each network is considered its own broadcast domain meaning broadcast messages are not forwarded across routed segments. Network segmentation is performed at layer-3 (Network layer) compared to bridging which is done at layer-2 (Data Link Layer). Routers segment traffic and create manageable broadcast domains at the network layer, which is at a higher level than bridges. Recall that bridges provide traffic management at the data-link layer. They provide WAN link interfacing, filtering and security through the processing and control of network information. If multiple paths exist to destinations, routers will provide path selection and determination and forwarding. Due to operation at higher levels, they come at a higher performance cost. Performance of a router may decrease throughput anywhere from 20 to 40% or greater than that of a bridge.