Cisco CCNA Training Curriculum
Course Outsource © 2008 - All Rights Reserved.
© Copyright 2006 Course Outsource. All Rights Reserved. © Copyright 2008 Course Outsource. All Rights Reserved.
Welcome to our version of the:
CCNA®
Cisco Certified Network Associate
Welcome to our Cisco CCNA® training course. This course will help you better understand how networking is defined, implemented and supported in the real world. More precisely, this course will give you a Cisco-specific network perspective.
CCIP, CCIE, CCDA, CCDP, CCENT, CCNP, CCNA, CCVO, VLANDirector, TrafficDirector, CiscoWorks 2000, ONS 15454, Secure PIX Firewall, Secure Virtual Private Networks, Cisco, Cisco Systems, Cisco Systems Logo, Catalyst, EtherChannel, IOS and LightStream are registered trademarks of Cisco Systems, Inc. or its affiliates in the US and certain other countries.

Introduction
• This is a 5-day hands-on course which covers the following exam objectives:
CCNA 3.0 (640-802)
• Another exam option this course covers:
ICND1 (640-822)
ICND2 (640-816)
This course was also written to help you understand the objectives for the Cisco 640-801 exam; however, the ICND and Intro exams are also covered. We do not suggest that you take the two-test option, as it is not easier than the one-test method. Of course, that is up to you, and we are confident this course will prepare you whichever way you decide to go.
Now, let’s start with this course book itself.
Each page of this course book will consist of slides from the instructor’s slide deck and the accompanying information to explain the content of the slide. Some slides are markers (i.e. chapter headings, outlines, intros, etc.) and require no additional information. In that case the next slide follows immediately. For example, look at the next few pages, which outline the class and the exam.

CCNA Exam
• Around 50-60 items
• Around 850 out of 1000 to pass
• The number of questions and the percentage needed to pass vary on each exam
• About 90 minutes
• Cannot return to questions
• Simulated, testlet, multiple-choice, fill-in-the-blank, and drag-and-drop questions

CCNA Course Outline
Chapter 1: The Cisco Router and Switch Interface
• Cisco IOS
• Cisco CLI
• Administrative Functions
• Configuring Interfaces
• Introduction to Cisco Catalyst Switches

CCNA Course Outline
Chapter 2: Managing a Cisco Internetwork
• Copying and saving the IOS and configuration
• Troubleshooting Cisco networks
Chapter 3: TCP/IP Addressing and Subnetting
• IP Addressing
• Class C Subnetting

CCNA Course Outline
Chapter 4: IP Routing
• Basic IP routing
• Static Routing
• RIPv1 and RIPv2
• EIGRP
• OSPF

CCNA Course Outline
Chapter 5: Advanced TCP/IP
• Class C subnetting review
• Class B subnetting
• VLSM design and implementation
• Discontiguous Networks
• Summarization
Chapter 6: Security
• Introduction to Security
• Standard Access Lists
• Extended Access Lists
• Named Access Lists

CCNA Course Outline
Chapter 7: Network Address Translation
• Static NAT
• Dynamic NAT Pools
• Port Address Translation (PAT)
Chapter 8: Switching
• Virtual LANs (VLANs)
• Spanning Tree Protocol (STP)

CCNA Course Outline
Chapter 9: Wireless LANs
• 802.11
• Basic Service Sets (BSS)
Chapter 10: Introduction to IPv6
• IPv6 Addressing
• Implementing IPv6

CCNA Course Outline
Chapter 11: Cisco WAN Support
• Basic WAN
• HDLC
• PPP
• Frame Relay

Preface
Course Conventions

Local-Area and Wide-Area Network Symbols Key
(Symbol figure not reproduced. Symbols in the key: Router, Bridge, Ethernet Switch, ATM Switch, Hub, MAU, Concentrator, Server, Comm Server, CSU/DSU, WAN Cloud, Serial Line, Ethernet.)

Syntax Conventions
Router prompts are in BLACK as follows:
R1#
Router commands to be entered by the user are in GREEN as follows:
R1(config)# interface serial 0
R1(config-if)# shutdown

The Cisco Router and Switch Interface
Chapter 1
In this chapter we will discuss the basics and glance over a few advanced topics with regard to interfaces, configurations, the configuration register and the like. We will review switch interfaces at the end of the chapter.

Router Power-On/Bootup Sequence
1. Perform Power-On Self Test (POST)
2. Load and run bootstrap code
3. Look in NVRAM for config-register setting
4. Load the Cisco IOS software
5. Find the configuration (if none, run Setup)
6. If found, load the configuration in RAM
When you first bring up a Cisco router, it will run a Power-On Self-Test (POST), and if that passes, it will then look for and load the Cisco IOS from Flash memory—if a file is present. In case you don’t know, flash memory is an electronically erasable programmable Read-Only Memory (ROM)—an EEPROM. The IOS then proceeds to load and then look for a valid configuration—the startup-config—that’s stored by default in nonvolatile RAM, or NVRAM.
ROM:
• Contains microcode for basic functions
• Runs POST
• Loads bootstrap
• Has Mini-IOS
• Provides ROM-Monitor mode

Router Interfaces
Router interfaces can be GigabitEthernet, FastEthernet, Ethernet, Token Ring and various other LAN physical technologies, like FDDI.
The serial ports can be used for a WAN T1, for example, or PPP or Frame Relay.
Miscellaneous ports can include BRI for ISDN.
The Console port is a serial connection that allows out-of-band signaling.
The Aux port is a console port that allows modem commands, so you can dial into the router out-of-band if a remote router goes down and you need to configure it through the console connection.

Cisco IOS Software EXEC
User Mode: Limited examination of switch or router
Command prompt on the device: Router>
Privileged (or enable) Mode: Detailed examination of switch or router
Enables configuration and debugging
Prerequisite for other configuration modes
Command prompt on the device: Router#

Logging into the Router
Router con0 is now available
Press RETURN to get started.
Router>                 (User mode prompt)
Router> enable
Router#                 (Privileged mode prompt)
Router# disable
Router> quit
After the interface status messages appear and you press Enter, the Router> prompt will appear. This is called User mode and is mostly used to view statistics.
There are two primary EXEC modes for entering commands on a Cisco router. These are User and Privileged modes. User mode is used to verify status and run basic show commands. You can only view and change the configuration of a Cisco router in Privileged mode, which you get into with the “enable” command.

Router Context-Sensitive Help
Router# clok
Translating "CLOK"
% Unknown command or computer name, or unable to find computer address
Router# cl?
clear  clock
Router# clock
% Incomplete command.
Router# clock ?
  set  Set the time and date
Router# clock set 19:56:00 04 8
                               ^
% Invalid input detected at the '^' marker
Note: The command “help” does not give you help on a command.
You can use the Cisco advanced editing features to help you configure your router. If you type in a question mark (?) at any prompt, you’ll be given the list of all the commands available from that prompt.
You can press the spacebar to get another page of information, or you can press Enter to go one line at a time.
Once you have enough characters for a non-ambiguous command, the Tab key can be pressed to complete the syntax, and then the “?” key can be entered to obtain additional help if needed. If a command is ambiguous, you will need to enter more characters or “?” to determine the specific syntax to use for the desired command.
The “^” character is used to identify where syntax errors or invalid input were detected.

Using Enhanced Editing
<Ctrl-A>        Move to the beginning of the command line.
<Ctrl-E>        Move to the end of the command line.
<Esc-B>         Move back one word.
<Ctrl-F>        Move forward one character.
<Ctrl-B>        Move back one character.
<Esc-F>         Move forward one word.
<Ctrl-D>        Delete a single character.
Tab             Finishes typing a command for you.
Up/Down arrows  Display the previous/next command from the history buffer.
Automatic scrolling of long lines shows a $ at the left of the line and moves your text ten spaces to the left.
This slide shows the list of the enhanced editing commands available on a Cisco router.
The most common enhanced editing features used are the up/down arrows. On some terminal emulators, you may need to use <Ctrl-P> or <Ctrl-N> if the up/down arrows do not function.

Router Command History
Ctrl-P or Up arrow                    Last (previous) command recall
Ctrl-N or Down arrow                  More recent command recall
Router> show history                  Show command buffer contents
Router> terminal history size lines   Set session command buffer size
You can review the router command history with the commands shown in this slide. This is very helpful and will save you from re-typing things over and over and over…

Break Sequences
• <CTRL>+z
• <CTRL>+c
• <CTRL>+<SHIFT>+’6’ then X
• <CTRL>+Break or <CTRL>+<SHIFT>+’6’ then B during the router boot cycle allows you to access ROM Monitor mode. One purpose is to perform password recovery.
This slide shows some basic break sequences you can use on a Cisco router.
The <Ctrl>+<Shift>+6 then X sequence is used to break out of a command. This is especially helpful on traceroute where the traceroute is to a network not in the routing table. By default the command would continue for 30 hops, with each waiting for the TTL to expire, so breaking out of the command can save a lot of time. <Ctrl>+<Shift>+6 then B is very helpful if you are performing a password recovery and your PC configuration does not have a “break” key, or if <Ctrl>+[Break key] is not stopping the reboot cycle.

Router Components
Console
Auxiliary
Interfaces
RAM [Running-Config]: routing table, ARP cache, packet buffers
NVRAM [Startup-Config] [config-register]
Flash [IOS]
ROM [POST] [Bootstrap] [Skeleton IOS]
Router# show interfaces
Router# show mem
Router# show ip route
Router# show flash
Router# show startup-config
Router# show running-config
Router# show process cpu
Router# show protocols
Router# show version
Router# show line
show flash: shows all files in flash.
show startup-config: shows the backup configuration stored in NVRAM.
show running-config: shows the configuration the router is using at the moment.
show interfaces: shows the status of all interfaces. You can type show interface s0 to see just the statistics of serial 0.
show line: shows you all the available lines that can be configured on a router. The default lines are aux, console and vty.
show version: covered in the next slide…

show version Command
Router# show version
Cisco Internetwork Operating System Software
IOS (tm) 2600 Software (C2600-JS-L), Version 12.0(8), RELEASE SOFTWARE (fc1)
Copyright (c) 1986-1999 by cisco Systems, Inc.
Compiled Mon 08-Feb-99 18:18 by phanguye
Image text-base: 0x03050C84, data-base: 0x00001000
ROM: System Bootstrap, Version 11.0(10c), SOFTWARE
BOOTFLASH: 3000 Bootstrap Software (IGS-BOOT-R), Version 11.0(10c), RELEASE SOFTWARE (fc1)
R1 uptime is 22 minutes
System restarted by reload
System image file is "flash:c2600-js-l_120-8.bin"
(output cut)
Displays system hardware config info, software version, and the names and sources of config files and boot images on a router.
The “show version” command will provide basic configuration for the system hardware as well as the software version, the names and sources of configuration files, and the boot images. The last information given from this command is the value of the configuration register. In this example, the value is 0x2102—the default setting. The configuration register setting of 0x2102 tells the router to look in NVRAM for the boot sequence. By manipulating the configuration register, you can perform actions such as password recovery, or determine the boot sequence, or where to boot from.

show version Command cont.
…cisco 2610 (MPC860) processor (revision 0x202) with 45056K/4096K bytes of memory.
Processor board ID JAB032008NM (3952172322)
M860 processor: part number 0, mask 49
Bridging software.
X.25 software, Version 3.0.0.
SuperLAT software (copyright 1990 by Meridian Technology Corp).
TN3270 Emulation software.
1 Ethernet/IEEE 802.3 interface(s)
1 Serial network interface(s)
2 Serial(sync/async) network interface(s)
32K bytes of non-volatile configuration memory.
16384K bytes of processor board System flash (Read/Write)
Configuration register is 0x2102
Note: The above router has 48 Meg of RAM and 16 Meg of System Flash.
The above router has 48 meg of RAM (the 45056K of main memory plus the 4096K of shared I/O memory reported on the first line), 32K of NVRAM and 16 meg of Flash memory. The IOS size for this router is limited to a maximum of 16 megs. The last information given from this command is the value of the configuration register. In this example, the value is 0x2102—the default setting. The configuration register setting of 0x2102 tells the router to look in NVRAM for the boot sequence.

Configuration Register
• 0x2102 = load IOS from flash and then the configuration from NVRAM. The router looks in NVRAM for the boot sequence.
• 0x2100 = load ROM Monitor mode
• 0x2101 = load Mini-IOS from ROM
• 0x2142 = load IOS from flash and do not load startup-config
All Cisco routers have a 16-bit software register that’s written into NVRAM. By default, the configuration register is set to load the Cisco IOS from flash memory and to look for and load the startup-config file from NVRAM. You can change the configuration register by using the config-register command:
Router# config t
Router(config)# config-register 0x2102
On newer routers, this can also be carried out from ROMMON mode using the ‘confreg’ command.

When this router is rebooted, why does it lose its configuration?
…cisco 2610 (MPC860) processor (revision 0x202) with 16384/2084K bytes of memory.
Processor board ID JAB03040BPS (3406519245)
M860 processor: part number 0, mask 49
Bridging software.
X.25 software, Version 3.0.0.
SuperLAT software (copyright 1990 by Meridian Technology Corp).
TN3270 Emulation software.
1 Ethernet/IEEE 802.3 interface(s)
1 Serial network interface(s)
2 Serial(sync/async) network interface(s)
32K bytes of non-volatile configuration memory.
16384K bytes of processor board System flash (Read/Write)
Configuration register is 0x2142
It doesn’t lose the configuration; it just never loads the configuration from NVRAM, because the configuration register is set to bypass the startup-config in NVRAM. The configuration register should be 0x2102.
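As an added worked example (this is not code from the course book or from Cisco), the following Python script parses the memory and configuration-register fields out of show version output like the last three slides and decodes the register's boot-relevant bits, which answers the question above programmatically. The sample output is constructed from the figures on these slides. The bit layout used (boot field in bits 0-3, bit 6 ignores NVRAM, bit 8 disables the console break) is the standard Cisco register layout and goes a little further than the four values the slide lists.

```python
import re

# Constructed sample, modelled on the show version output on these slides
# (sample values only, not a capture from a real router).
SAMPLE_SHOW_VERSION = """\
cisco 2610 (MPC860) processor (revision 0x202) with 45056K/4096K bytes of memory.
1 Ethernet/IEEE 802.3 interface(s)
1 Serial network interface(s)
2 Serial(sync/async) network interface(s)
32K bytes of non-volatile configuration memory.
16384K bytes of processor board System flash (Read/Write)

Configuration register is 0x2142
"""


def parse_show_version(text):
    """Extract memory sizes and the configuration register from show version output."""
    mem = re.search(r"with (\d+)K/(\d+)K bytes of memory", text)
    nvram = re.search(r"(\d+)K bytes of non-volatile configuration memory", text)
    flash = re.search(r"(\d+)K bytes of processor board System flash", text)
    confreg = re.search(r"Configuration register is 0x([0-9A-Fa-f]{1,4})", text)
    if not (mem and nvram and flash and confreg):
        raise ValueError("unrecognised show version output")
    main_k, shared_k = int(mem.group(1)), int(mem.group(2))
    return {
        # IOS reports main memory and shared I/O memory separately; the slide's
        # "48 Meg of RAM" is their sum: (45056 + 4096) / 1024.
        "ram_mb": (main_k + shared_k) // 1024,
        "nvram_kb": int(nvram.group(1)),
        "flash_mb": int(flash.group(1)) // 1024,
        "config_register": int(confreg.group(1), 16),
    }


def decode_config_register(value):
    """Interpret the boot-relevant bits of the 16-bit configuration register
    (standard Cisco layout: boot field = bits 0-3, bit 6 = ignore NVRAM,
    bit 8 = console break disabled)."""
    boot_field = value & 0x000F
    if boot_field == 0x0:
        boot_source = "ROM monitor (ROMMON)"
    elif boot_field == 0x1:
        boot_source = "Mini-IOS from ROM"
    else:
        boot_source = "IOS from flash"
    ignore_nvram = bool(value & 0x0040)
    return {
        "boot_source": boot_source,
        "ignore_startup_config": ignore_nvram,
        "break_disabled": bool(value & 0x0100),
        # startup-config is applied only if the full IOS boots and bit 6 is clear
        "loads_startup_config": boot_field >= 0x2 and not ignore_nvram,
    }


def explain(value):
    """One-line answer to 'why does this router lose its config on reboot?'"""
    d = decode_config_register(value)
    if d["loads_startup_config"]:
        return f"0x{value:04X}: boots {d['boot_source']} and loads startup-config from NVRAM"
    if d["ignore_startup_config"]:
        return f"0x{value:04X}: bit 6 is set, so startup-config in NVRAM is bypassed (not lost)"
    return f"0x{value:04X}: boots {d['boot_source']}, so no startup-config is applied"


if __name__ == "__main__":
    info = parse_show_version(SAMPLE_SHOW_VERSION)
    print(info)
    print(explain(info["config_register"]))
```

Run against the constructed output, the parser reports 48 MB of RAM, 32K of NVRAM, 16 MB of flash and a register of 0x2142, and explain() states that bit 6 is bypassing the startup-config rather than the configuration having been lost.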

Viewing the Configuration
show startup-config: Allows you to display the backup configuration (the Config held in NVRAM)
show running-config: Displays the active configuration (the Config held in RAM alongside the IOS)
You can view the configuration files on a router by typing show running-config or show startup-config from privileged mode. The main difference is that the running-config is what is actually active on the router, whereas the startup-config is what is saved in NVRAM. Performing a “copy running-config startup-config” saves the running-config into NVRAM.
A best practice commonly used in various industries is to keep several versions of the router’s configuration on a TFTP server, and to regularly save the running-config after changes are made and successfully tested. This can provide an audit trail of when changes were introduced, and can aid in troubleshooting problems brought on as a result of changes.

Setup Mode
• When you erase the configuration on a router and reboot, you will be in Setup mode
• You can type “setup” from privileged mode to enter setup mode
• Square brackets indicate default or current settings
• Enable password and Enable secret password are configured during setup mode. The enable secret password cannot be seen as clear text when viewing the configuration
• If both the Enable password and Enable secret passwords are set, the router will use the Enable secret password as it is more secure.
Once the IOS is loaded, up and running, a valid configuration will be loaded from NVRAM. However, if there isn’t a configuration stored in NVRAM, the router will go into setup mode—a step-by-step process to help you configure the router. You can also enter setup mode at any time from the command line by typing the command setup from privileged mode. The Enable password and Enable secret password are configured during setup mode. The enable secret password cannot be seen as clear text when viewing the configuration. For this reason, it should be used wherever possible, because it can protect against someone using router configurations to gain unauthorized access to the routers. It displays in the router configuration as an MD5 hash, and in many cases is used as a last-resort password if TACACS or RADIUS fails.

Configuring the Router
Router# configure
Configuring from terminal, memory, or network [terminal]?
• Terminal: Configures information into RAM (changes the running-config)
• Memory: Configures information from NVRAM into running-config
• Network: Configures information from a file stored on a TFTP host into running-config
To configure from a CLI, you can make global changes to the router by typing configure terminal (or config t for short), which puts you in global configuration mode and changes what’s known as the running-config. A global command (a command run from global config) is one that is set once and affects the entire router. You can type config from the privileged-mode prompt and then just press <Enter> to take the default of terminal.
You would use the memory or network option to upload a configuration file from either memory or a TFTP server on the network. In many cases, this is used to pre-stage changes or migrations, or to facilitate review processes.

Router Modes
User EXEC Mode: Limited to basic monitoring commands
Privileged EXEC Mode: Provides access to all other router commands
Global Configuration Mode: Commands that affect the entire system
Specific Configuration Mode: Commands that affect interfaces/processes only
Setup Mode: Interactive configuration dialog
This slide shows a summary of the various modes used on a router.

Router Modes Example
User EXEC mode:             Router>
Router> enable
Privileged EXEC mode:       Router#
Router# configure terminal
Global configuration mode:  Router(config)#
<Ctrl>-z (end)
Configuration Mode    Prompt
Interface             Router(config-if)#
Subinterface          Router(config-subif)#
Line                  Router(config-line)#
Router                Router(config-router)#
It’s really important that you understand the different prompts you can find when configuring a router. Knowing these well will help you navigate and recognize where you are at any time within configuration mode.

Saving Configurations
Copy the current configuration to NVRAM:
Router# copy running-config startup-config
Destination filename [startup-config]? <enter>
Building configuration…
You can manually save the file from DRAM to NVRAM by using the copy running-config startup-config command. You can also use the shortcut copy run start. In addition to the startup-config, you can save to other files in NVRAM or on a TFTP server.

Restoring Configurations
Copy the saved configuration to DRAM:
Router# copy startup-config running-config
Destination filename [running-config]? <enter>
Building configuration…
Retrieves a router’s configuration file from NVRAM and configures that information into RAM.
The copy startup-config running-config command merges the startup-config file into the running configuration in RAM; it does not replace the running-config, so commands added since the last save that have no counterpart in the startup-config remain in effect. This is one way of backing out of changes that may not have been successful.

Administrative Functions
Administrative functions help you administer your internetwork. This includes:
• Hostnames
• Banners
• Interface Descriptions
• Passwords
This next section will teach you how to configure administrative functions on a router.

Configuring Router Identification
Router Name
Router(config)# hostname R1
R1(config)#
Message of the Day Banner
R1(config)# banner motd #MIS meeting at 13:00. Everyone that has attended this class gets a 50% raise.#
You can set the identity of the router with the “hostname” command. This is only locally significant, which means it has no bearing on how the router performs name lookups, but it is used by Cisco MIBs to identify the router. A good naming standard should be able to provide some functional and geographical information. Unique naming is an important best practice, as it will aid in troubleshooting and prevent confusion over duplicate names.
A good reason for having a banner is to add a security notice to users remotely accessing your internetwork.
You can set a banner on a Cisco router so that when either a user logs into the router or an administrator telnets into the router, the banner will give them the information you want them to have. As another best practice, the banner can be used to identify the revision of the standard configuration template used, and should not contain proprietary or confidential information, since it will be seen by users prior to authentication.

Configuring Interface Description
Interface Description
R1(config)# interface fastethernet 0/1
R1(config-if)# description Finance LAN
R1(config-if)# interface serial 0/0
R1(config-if)# description WAN to Miami
View descriptions with the following commands:
R1# show running-config
R1# show interface
Setting descriptions on an interface is helpful to the administrator and support staff. This is a helpful command because you can use it to keep track of circuit numbers, for example. If configurations are stored offline, this information can be accessed to create circuit databases, or to assist in the creation of port maps and network diagrams. Standardizing on the format provides a consistent layout from which a script can pull the information together into a database, spreadsheet or network drawing.

Do the “do”
For newer routers running 12.3 and above, you can use the “do” command to run EXEC commands such as show from within configuration mode:
R1(config)# do show run
R1(config-if)# do show interface

Console/Aux Password Configuration
Console and Auxiliary Password
R1(config)# line console 0
R1(config-line)# password todd
R1(config-line)# login
R1(config-line)# line aux 0
R1(config-line)# password lammle
R1(config-line)# login
(Slide figure: a console connection without the password gets “No Access!”)
To set the console password, use the “line console 0” command. The same applies to the aux port. You need to enable the “login” command, or the router will not prompt for the password.
Use caution if line passwords are the same as the enable secret. Please keep in mind that line passwords will be shown in clear text within the router configuration unless the “service password-encryption” command is utilized.

Other Console Line Commands
R1(config)# line console 0
R1(config-line)# exec-timeout 0 0
Prevents console session timeout
R1(config)# line console 0
R1(config-line)# logging synchronous
Redisplays interrupted console input
The exec-timeout 0 0 command sets the timeout for the console EXEC session to zero, which means it never times out. That is convenient in a lab, but on a production router it leaves an unattended console logged in indefinitely, which is why hardening guides set a short exec-timeout instead.
Logging synchronous is a very cool command, and it should be a default command, but it’s not. It basically stops annoying console messages from popping up and disrupting the input you’re trying to type.
Telnet VTY PasswordTelnet VTY Password
Virtual Terminal PasswordR1(config)# line vty 0 4R1(config-line)# password toddR1(config-line)# login (or no login)R1(config-line)#
Telnet connection
NOTE: no VTY password means no Telnet access. Cisco IOS supports five simultaneous Telnet sessions by default (lines 0 through 4), although your router may support more.
To set the user-mode password for Telnet access into the router, use the "line vty" command. Routers that aren't running the Enterprise edition of Cisco IOS default to five VTY lines, 0 through 4. The Enterprise edition provides significantly more. The best way to find out how many lines you have is to use the question mark:
Router(config)# line vty 0 ?
  <1-4>  Last Line number
  <cr>
You can use the "no login" option so that you can telnet into a router and not be prompted for a password (not recommended!).
An access-class applied to the VTY lines ("access-class <acl-number> in") further restricts access by limiting which source addresses may open a session at all.
**Note** If the password is not set, and neither TACACS+ nor RADIUS is configured, you will get "Password required, but none set" when attempting to telnet to the router, and the connection is closed.
Telnet versus SSH Access
• Telnet
  • Most common access method (historically)
  • Insecure: credentials and the whole session cross the network in clear text
• SSH
  • Encrypted
  • An IP domain name must be defined
  • An RSA key pair must be generated

!--- The username command creates the username and password for the SSH session
username cisco password 0 cisco
ip domain-name mydomain.com
crypto key generate rsa
ip ssh version 2
line vty 0 4
 login local
 transport input ssh
SSH Server
The SSH Server feature enables an SSH client to make a secure, encrypted connection to a Cisco router. This connection provides functionality similar to that of an inbound Telnet connection. Before SSH, remote-access security was limited to what Telnet offered: passwords and session contents in clear text. SSH allows strong encryption to be used together with Cisco IOS authentication. The SSH server in Cisco IOS software works with publicly and commercially available SSH clients.

SSH Integrated Client
The SSH Integrated Client feature is an application running over the SSH protocol to provide device authentication and encryption. The SSH client enables a Cisco router to make a secure, encrypted connection to another Cisco router or to any other device running an SSH server. This connection provides functionality similar to that of an outbound Telnet connection, except that the connection is encrypted. With authentication and encryption, the SSH client allows secure communication over an insecure network. The SSH client in Cisco IOS software works with publicly and commercially available SSH servers.

The ciphers listed for this generation of IOS are Data Encryption Standard (DES) and Triple DES (3DES), with password authentication. Both are now considered legacy: on current releases use SSH version 2 and AES ciphers where the release supports them, and generate the RSA key with a modulus of at least 2048 bits. User authentication is performed as it is for a Telnet session to the router. The user authentication mechanisms supported for SSH are RADIUS, TACACS+ and locally stored user names and passwords. When defining local users, prefer "username <name> secret <password>" over "username <name> password <password>", since the secret form stores a hash rather than a cleartext or reversibly encoded string.
Secure Shell
Here are the minimum commands needed to
configure SSH on your router or switch:
R1# config t
R1(config)# username Todd password Lammle
R1(config)# ip domain-name lammle.com
R1(config)# crypto key generate rsa
R1(config)# line vty 0 4
R1(config-line)# login local
R1(config-line)# transport input ssh
(Optional: transport input ssh telnet permits both protocols. Leaving Telnet enabled defeats the purpose of SSH, so use this only during a migration and remove telnet afterwards.)
You must remember the command:
transport input ssh
This restricts the VTY lines to SSH; Telnet connection attempts are refused.
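The settings in the console, VTY and SSH slides above are easy to check mechanically once the configuration is in hand. The following is an added example, not part of the original course material: a small Python parser for IOS-style running-config text that flags what this chapter warns about (no enable secret, cleartext line passwords, Telnet left open on the VTY lines, a disabled exec timeout, VTY lines without an access-class). The two sample configurations, the access-list number and the "Todd"/"Lammle" credentials are constructed for illustration.

```python
"""Audit the management-plane settings taught in this chapter.

Added example, not part of the original course material. Parses
IOS-style running-config text (top-level commands plus indented
'line' blocks) and reports the weak settings the chapter warns about.
Both sample configurations are constructed for illustration.
"""

# Constructed sample: the password/Telnet configuration from the slides.
WEAK_CONFIG = """\
hostname R1
enable password lammle
line con 0
 password todd
 login
 exec-timeout 0 0
line vty 0 4
 password todd
 login
 transport input telnet
"""

# Constructed sample: the same device after the SSH slide's hardening.
HARDENED_CONFIG = """\
hostname R1
service password-encryption
enable secret fido
username Todd secret Lammle
ip domain-name lammle.com
ip ssh version 2
access-list 10 permit 192.168.10.0 0.0.0.255
line con 0
 exec-timeout 5 0
 login local
line vty 0 4
 access-class 10 in
 exec-timeout 5 0
 login local
 transport input ssh
"""


def parse_config(text):
    """Split config text into top-level commands and {'line ...': [children]}."""
    top_level, blocks, current = [], {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" "):            # indented: belongs to the open block
            if current is not None:
                blocks[current].append(raw.strip())
            continue
        cmd = raw.strip()
        if cmd.startswith("line "):         # console, aux and vty sections
            current = cmd
            blocks.setdefault(current, [])
        else:
            current = None
            top_level.append(cmd)
    return top_level, blocks


def audit(text):
    """Return a list of findings; an empty list means nothing was flagged."""
    top_level, blocks = parse_config(text)
    findings = []
    if not any(c.startswith("enable secret") for c in top_level):
        findings.append("global: no 'enable secret' (enable password is cleartext or type 7)")
    if "service password-encryption" not in top_level:
        findings.append("global: 'service password-encryption' not set; line passwords cleartext")
    if "ip ssh version 2" not in top_level:
        findings.append("global: 'ip ssh version 2' not set")

    for header, children in blocks.items():
        is_vty = header.startswith("line vty")
        has_password = any(c.startswith("password") for c in children)
        for c in children:
            if c.startswith("exec-timeout"):
                parts = c.split()
                minutes = int(parts[1]) if len(parts) > 1 else 10
                seconds = int(parts[2]) if len(parts) > 2 else 0
                if minutes == 0 and seconds == 0:
                    findings.append(f"{header}: exec-timeout 0 0, session never times out")
            if is_vty and c.startswith("transport input"):
                if set(c.split()[2:]) & {"telnet", "all"}:
                    findings.append(f"{header}: Telnet permitted ('{c}'); use 'transport input ssh'")
        if "no login" in children:
            findings.append(f"{header}: 'no login', no authentication on this line")
        if "login" in children and not has_password:
            findings.append(f"{header}: 'login' without a password, connections will be refused")
        if is_vty:
            if not any(c.startswith("transport input") for c in children):
                findings.append(f"{header}: no 'transport input'; the release default may allow Telnet")
            if not any(c.startswith("access-class") for c in children):
                findings.append(f"{header}: no access-class, any source address may connect")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {name} ==")
        for finding in audit(cfg) or ["no findings"]:
            print(" ", finding)
```

Run it against a saved "show running-config" and treat every finding as a line item to fix; the hardened sample produces none, the slide configuration produces six.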
Verifying SSH
To verify that the SSH server is enabled and
view the version and configuration data for
your SSH connection:
R1# show ip ssh
To verify the status of your SSH server
connections:
R1# show ssh
Enable Passwords
Enable Password
Router(config)# enable password lammle
Enable Secret Password
Router(config)# enable secret fido
No Access!
The enable secret is stored as a hash by default and supersedes the enable password if both are set
Setting the enable password causes the router to prompt for a password when you enter the "enable" command.
The "enable secret" password supersedes the enable password and is stored as a salted MD5 hash (type 5) rather than in clear text. Use the enable secret as a best practice. The other form of password "encryption" found in the configuration (type 7, produced by service password-encryption) is a reversible encoding that freely available tools decode instantly, which matters whenever a configuration file is exposed, for example in a backup, a TFTP directory or a support ticket. Note that a type 5 hash still has to withstand offline guessing, so choose a strong secret; where the IOS release supports it, the newer "enable algorithm-type scrypt secret" form is stronger still.
Encrypting your Passwords
Router# config t
Router(config)# service password-encryption
Router(config)# exit
Router# show running-config *
Router(config)# no service password-encryption

Encodes your enable password and line passwords
* You need to perform a "show run" if you configured your passwords before you enabled the encryption service; passwords entered afterwards are encoded immediately.

The service password-encryption command encodes the passwords that would otherwise appear in clear text in the configuration file (they are shown with the type indicator 7).
Remember that without it, "show running-config" displays every password except the enable secret in clear text. With it, those passwords appear as type 7 strings, which hide them from a casual glance but are trivially reversible; it is not a substitute for the enable secret or for "username ... secret".
To encode your passwords, use the "service password-encryption" global configuration command.
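To see why this chapter treats type 7 as obfuscation rather than protection, here is the algorithm itself. This is an added example, not part of the original course material: type 7 XORs each plaintext byte against a fixed key string, with the two-digit prefix giving the starting offset into that key, so anyone holding the configuration recovers every such password without any cracking. The sample configuration at the bottom is constructed for illustration (0822455D0A16 is the well-known encoding of "cisco").

```python
"""Cisco type 7 (service password-encryption) encode and decode.

Added example, not part of the original course material. Type 7 is a
fixed-key XOR encoding, not encryption: the first two characters are a
decimal offset into a constant key; each following hex pair is one
plaintext byte XORed with the key byte at that offset. The sample
configuration below is constructed for illustration.
"""
import re

# The constant key IOS uses for type 7 obfuscation.
XLAT = "dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv"


def type7_decode(encoded: str) -> str:
    """Reverse a type 7 string such as '0822455D0A16' back to plaintext."""
    if len(encoded) < 2 or len(encoded) % 2:
        raise ValueError("type 7 strings have an even number of characters")
    seed = int(encoded[:2], 10)
    body = encoded[2:]
    plain = []
    for i in range(0, len(body), 2):
        key_char = XLAT[(seed + i // 2) % len(XLAT)]
        plain.append(chr(int(body[i:i + 2], 16) ^ ord(key_char)))
    return "".join(plain)


def type7_encode(plain: str, seed: int = 0) -> str:
    """Produce the type 7 string IOS would store for 'plain' with seed 0-15."""
    if not 0 <= seed <= 15:
        raise ValueError("IOS uses seeds 0..15")
    out = [f"{seed:02d}"]
    for i, ch in enumerate(plain):
        key_char = XLAT[(seed + i) % len(XLAT)]
        out.append(f"{ord(ch) ^ ord(key_char):02X}")
    return "".join(out)


# Matches 'password 7 <hex>' and 'username <name> password 7 <hex>' lines.
TYPE7_LINE = re.compile(r"^(?P<prefix>.*\bpassword 7 )(?P<blob>[0-9A-Fa-f]+)\s*$")


def reveal_type7(config_text: str) -> dict:
    """Map each configuration line holding a type 7 password to its plaintext."""
    found = {}
    for line in config_text.splitlines():
        m = TYPE7_LINE.match(line.strip())
        if m:
            found[line.strip()] = type7_decode(m.group("blob"))
    return found


# Constructed sample of 'show running-config' output after
# 'service password-encryption' has rewritten the passwords.
SAMPLE_CONFIG = """\
username cisco password 7 0822455D0A16
line con 0
 password 7 0822455D0A16
 login
"""

if __name__ == "__main__":
    for line, secret in reveal_type7(SAMPLE_CONFIG).items():
        print(f"{line!r} -> {secret!r}")
```

The encoder is included so you can confirm the decoder against your own router's output: encode a known password with the seed shown in the configuration and the strings match byte for byte.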
Draw a line from the left to the answer on the right
Chapter 1 Lab
Hands-on Lab 1.1
Open your lab books and complete hands-on lab 2.3
Chapter 1 Continued
Configuring Router Interfaces
Configuring an Interface
Choosing an interface:
R1(config)# interface type number
R2(config)# interface type slot/port
Examples of choosing an interface:
R1(config)# interface ethernet 0          (fixed-configuration router R1: e0, fa0)
R2(config)# interface fastethernet 0/1    (modular router R2: e0/0, fa0/1)
Some of the parameters configured on an interface are the Network layer address, media type, bandwidth, and other administrative settings. Different routers identify their interfaces differently.
Most of today's routers are modular, so the syntax is "interface type slot/port"; ISR routers add a subslot, "interface type slot/subslot/port".
Adding IP Addresses continued
Interfaces on fixed series routers
R1# config t
R1(config)# interface serial 0
R1(config-if)# ip address 11.1.1.2 255.255.255.0
R1(config-if)# interface e0
R1(config-if)# ip address 11.1.2.2 255.255.255.0
Even though you don’t have to use IP on your routers, it’s most often what people use. To configure IP addresses on an interface, use the ip address command from interface configuration mode.
Note: The command “ip address address mask” starts the IP processing on the interface
Adding IP Addresses continued
Interfaces on modular series routers
R1# config t
R1(config)# interface serial 0/0
R1(config-if)# ip address 11.1.1.2 255.255.255.0
R1(config-if)# int fa0/0
R1(config-if)# ip address 11.1.2.2 255.255.255.0
This slide demonstrates how to configure an IP address on 2600-series router interfaces.
Notice that the ip address syntax is the same for both interface types (serial and Ethernet), although the command used to select each interface differs. Don't forget which interface you are configuring.
Adding IP Addresses continued
Interfaces on ISR series routers
R1# config t
R1(config)# interface serial 0/0/0
R1(config-if)# ip address 11.1.1.2 255.255.255.0
R1(config-if)# int fa0/0
R1(config-if)# ip address 11.1.2.2 255.255.255.0
This slide demonstrates how to configure an IP address on ISR router interfaces, where a serial interface in a WAN interface card is identified as slot/subslot/port (serial 0/0/0).
Again, the ip address syntax is identical for both interface types; only the command used to select the interface differs. Don't forget which interface you are configuring.
Adding IP Addresses continued
R1# config t
R1(config)# interface Ethernet 0
R1(config-if)# ip address 11.1.1.2 255.255.255.0
R1(config-if)# ip address 11.1.2.2 255.255.255.0 secondary
Secondary Addresses (not advised)
Note: Different subnets/broadcast domains on same interface
E0
This slide shows how two hosts on the same LAN would need to go through a router to communicate because the hosts think they are on different subnets!
If you type another IP address and press Enter on a router interface, it will replace the existing IP address and mask. This is definitely a most excellent feature of the Cisco IOS.
However, if you want to add a second subnet address to an interface, you have to use the secondary command.
I really wouldn’t recommend having multiple IP addresses on an interface because it’s inefficient.
Serial Interface Clocking
(Figure: router DTE, CSU/DSU DCE, provider network, CSU/DSU DCE, router DTE)
Clocking is typically provided by the DCE network to the routers.
In non-production environments, a DCE network is not always present.
Serial interfaces are usually attached to a CSU/DSU type of device that provides clocking for the line.
But in a back-to-back configuration (for example, one used in a lab or classroom), one end of the cable, the data communication equipment (DCE) end, must provide the clocking.
The type of cable plugged into the serial interface can be verified with the "show controllers" command, which reports whether the attached cable is DTE or DCE. If it is DCE, the "clock rate" command is needed in a back-to-back configuration.
Configuring a Serial Interface
R1# config t
R1(config)# interface serial 0
R1(config-if)# clock rate 64000      (set clock rate if needed)
R1(config-if)# bandwidth 64          (set interface bandwidth)
R1(config-if)# exit
R1(config)# exit
(Figure: DCE side and DTE side of a back-to-back cable)
The DCE side is determined by the cable; add clocking to the DCE side only.
Note: show controllers will show the cable connection type. ISR routers auto-detect the cable type and set the clock rate to 2,000,000 by default.
By default, Cisco routers are data terminal equipment (DTE) devices, so you must tell an interface to provide clocking if you need it to act like a DCE device. You configure a DCE serial interface with the clock rate command.
The show controllers command displays information about the physical interface itself, including the type of serial cable plugged into the port. Usually this is a DTE cable that plugs into a data service unit (DSU):
R1# show controllers serial 0
HD unit 0, idb = 0x121C04, driver structure at 0x127078
buffer size 1524  HD unit 0, V.35 DCE cable
The bandwidth and delay of an interface are used by routing protocols such as IGRP, EIGRP and OSPF to calculate the best cost (path) to a remote network (OSPF uses only the bandwidth). So if you're running RIP, the bandwidth or delay setting of an interface is irrelevant, since RIP uses only hop count.
Disabling or Enabling an Interface
Disable an interface:
R1# configure terminal
R1(config)# interface serial 0
R1(config-if)# shutdown
%LINK-5-CHANGED: Interface Serial0, changed state to administratively down
%LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0, changed state to down
Enable an interface:
R1# configure terminal
R1(config)# interface serial 0
R1(config-if)# no shutdown
%LINK-3-UPDOWN: Interface Serial0, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0, changed state to up
You can turn an interface off with the interface “shutdown” command, and turn it on with the “no shutdown” command. If an interface is shut down, it will display administratively down when using the “show interface”command.
REMEMBER TO DO A “NO SHUTDOWN” COMMAND WHEN YOU HAVE CONFIGURED A DEVICE….THIS TRIPS UP MANY STUDENTS ON THE SIMULATION PORTION OF THE EXAM.
Verifying Your Changes
R1# show interface serial 0
Serial0 is up, line protocol is up
  Hardware is HD64570
  Internet address is 11.1.1.2/24
  MTU 1500 bytes, BW 64 Kbit, DLY 20000 usec, rely 255/255, load 1/255
  Encapsulation HDLC, loopback not set, keepalive set (10 sec)
  Last input 00:00:09, output 00:00:04, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0 (size/max/drops); Total output drops: 0
  Queueing strategy: weighted fair
  Output queue: 0/1000/64/0 (size/max total/threshold/drops)
     Conversations  0/1/256 (active/max active/max total)
     Reserved Conversations 0/0 (allocated/max allocated)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
(output cut)
(Slide annotation: rely 255/255 = 100% reliable; load 1/255 = no load)
The command "show interface" reveals the hardware address (if a LAN interface), the logical address and the encapsulation method, as well as statistics.
Maximum Transmission Unit (MTU) shows how many bytes of data can be sent in each encapsulated packet. BW defaults to 1544 Kbit (a T1) on serial interfaces unless changed with the bandwidth command, as it was here (64 Kbit); DLY is 20,000 microseconds.
If the link is 100% reliable, "rely 255/255" is shown. If the link is carrying essentially no traffic, "load 1/255" is displayed.
The encapsulation on a Cisco serial interface is HDLC by default. Loopback can be set to test the link, and the keepalive is 10 seconds by default. This is a Data Link layer keepalive exchanged between the routers; if the two ends use different keepalive settings, the line protocol may flap or fail to stay up.
Interpreting Interface Status
R1# show interfaces serial 1
Serial1 is up, line protocol is up
        (Physical)          (Data Link)
        Carrier Detect      Keepalives

Serial1 is up, line protocol is up ........................ Operational
Serial1 is up, line protocol is down ...................... Connection problem
Serial1 is down, line protocol is down .................... Interface problem
Serial1 is administratively down, line protocol is down ... Disabled
The most important part of the show interfaces output is the status of the interface (physical layer) and of the line protocol (data link layer). If the output shows that Serial1 is up and the line protocol is up, the interface is operating normally.
The first "up" in this example reports carrier detect from the CSU/DSU. The second "up" reports that keepalives are being received from the remote router.
Another thing to confirm is the state of the control signals. These are shown at the bottom of the output and, on most serial interfaces, are also visible as a row of green LEDs on the interface itself. When the interface is up and normal, all of the signals show as up.
Show ip interface brief
R1# show ip interface brief
Interface          IP-Address     OK? Method Status                Protocol
FastEthernet0/0    192.168.10.1   YES manual up                    up
FastEthernet0/1    10.1.1.2       YES DHCP   up                    up
Serial0/0/0        172.1.1.12     YES manual up                    up
Serial0/0/1        unassigned     YES unset  administratively down down
This command gives a quick view of the status of every interface on the router. The Status and Protocol columns are the quick indicators of each interface's state. When troubleshooting, if you see a status of administratively down, you need to perform a "no shutdown" on that interface to bring it up.
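The two slides above describe how to read interface state by hand; the same rules are simple enough to encode. The following is an added example, not part of the original course material: a Python helper that parses the "<interface> is <state>, line protocol is <state>" header from "show interfaces" and the table from "show ip interface brief", and maps each combination to the layer at fault as the slides describe. The sample output is constructed to match the slide.

```python
"""Map interface status output to the layer at fault.

Added example, not part of the original course material. The sample
'show ip interface brief' output is constructed to match the slide.
"""
import re

STATUS_RE = re.compile(
    r"^(?P<intf>\S+) is (?P<link>administratively down|down|up),"
    r" line protocol is (?P<proto>down|up)"
)


def diagnose(link: str, proto: str) -> str:
    """Map (physical state, line-protocol state) to a diagnosis."""
    if link == "administratively down":
        return "disabled: interface is shut down, issue 'no shutdown'"
    if link == "down":
        return "layer 1 problem: no carrier detect (cable, clocking, CSU/DSU)"
    if proto == "down":
        return "layer 2 problem: keepalives not received (encapsulation or remote side)"
    return "operational"


def diagnose_status_line(line: str) -> tuple:
    """Parse 'Serial1 is up, line protocol is down' into (interface, diagnosis)."""
    m = STATUS_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a status line: {line!r}")
    return m.group("intf"), diagnose(m.group("link"), m.group("proto"))


def parse_ip_int_brief(output: str) -> list:
    """Parse 'show ip interface brief' rows; Status may contain a space."""
    rows = []
    lines = [ln for ln in output.splitlines() if ln.strip()]
    for line in lines[1:]:                       # skip the header row
        fields = line.split()
        intf, ip, _ok, method = fields[:4]
        protocol = fields[-1]
        status = " ".join(fields[4:-1])          # 'up' or 'administratively down'
        rows.append({"interface": intf, "ip": ip, "method": method,
                     "status": status, "protocol": protocol,
                     "diagnosis": diagnose(status, protocol)})
    return rows


# Constructed to match the slide.
SAMPLE_BRIEF = """\
Interface              IP-Address      OK? Method Status                Protocol
FastEthernet0/0        192.168.10.1    YES manual up                    up
FastEthernet0/1        10.1.1.2        YES DHCP   up                    up
Serial0/0/0            172.1.1.12      YES manual up                    up
Serial0/0/1            unassigned      YES unset  administratively down down
"""

if __name__ == "__main__":
    for row in parse_ip_int_brief(SAMPLE_BRIEF):
        print(f"{row['interface']:<16} {row['diagnosis']}")
```

Paste the real command output into SAMPLE_BRIEF (or read it from a file) and the script lists each interface with the layer to start troubleshooting at.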
Which issue on the left corresponds to the router output on the right?
Layer 1 problem
Layer 2 problem
Layer 3 problem
Port operational
Port disabled
Serial 0/1 is up, line protocol is up
Serial 0/1 is up, line protocol is down
Serial 0/1 is down, line protocol is down
Serial 0/1 is administratively down, line protocol is down
Erasing NVRAM on a Router
R1(config)# exit
R1# erase startup-config
Erasing the nvram filesystem will remove all configuration files! Continue? [confirm]
[OK]
Erase of nvram: complete
Erasing a router configuration
You can delete the startup-config file with the "erase startup-config" command.
This is recommended when a router is being redeployed or decommissioned and you want to be sure that none of the old configuration (addresses, passwords, SNMP community strings, keys) is present when it comes back online or leaves your hands. Once the startup configuration is erased and the router is reloaded, the user is prompted to enter the setup dialog as if the router had come from the factory. Note that the command clears NVRAM only: the running configuration stays active until you reload, and files in flash (the IOS image and, on switches, vlan.dat) are not touched, so check flash separately when decommissioning.
The "write erase" command is an older command that performs the same function.
Draw a line from the left to the answer on the right
# configure term
(config-if)# ip address 192.168.3.3/24
(config-if)# ip address 10.8.26.0 255.255.248.0
(config)# ip address 172.16.10.1 255.255.255.0
(config)# interface fa0/0
(config-if)# no shutdown
(config-if)# enable interface
# enable
> enable
Enter privileged EXEC mode
Enter global config mode
Enter interface config mode
Configure the interface IP address
Enable the interface
Chapter 1 Lab
Hands-on Lab 1.2
Open your lab book and complete hands-on lab 2.4
Introduction to Cisco Catalyst Switches
Chapter 1 Continued
This section will introduce you to Cisco Catalyst IOS Switches and how to set an IP address on the switch so it can be managed in-band.
When Cisco’s talking about switching, they really mean layer-2 switching unless they say otherwise. Layer-2 switching is the process of using the hardware address of devices on a LAN to segment a network.
Switching will be explained in detail in a later chapter.
Catalyst Switches
If POST completes successfully, the system LED turns green.
If POST fails, the system LED turns amber. This is typically a fatal hardware fault.
The 2950 comes in a number of models, with switched ports running from 10 Mbps up to 1 Gbps over either twisted pair or fiber. It runs what is known as Catalyst IOS, an operating system very similar to the Cisco IOS running on a router, in which all ports are treated as interfaces.
The 2950 is a layer-2 switch only; the 3550 and 3750 switches can additionally provide layer-3 services.
Hubs (Physical)
A B C D
• All devices in the same collision domain
• All devices in the same broadcast domain
• Devices share the same bandwidth
Hubs just connect network segments together.
Switches/Bridges (Layer 2)
• Each segment has its own collision domain
• All segments are in the same broadcast domain
• Dedicated bandwidth when only one host is connected to a switch port
(Figure: hosts 1 to 4 on switch ports; host-to-switch links use straight-through cable, switch-to-switch links use crossover cable)
Switches/Bridges break up collision domains, but create one large broadcast domain by default.
Switches Supersede Bridges
• Operate at Layer 2 of the OSI model
• Forward, filter, or flood frames
• Have many ports
• Bridges/switches learn MAC addresses by examining the source MAC address of each frame received
Internet
Hub Switch Hub
Segment 1 Segment 2
Layer-2 switching is hardware based, which means it uses the MAC address from each host's NIC to filter the network. Unlike bridges, which use software to create and manage a filter table, switches use application-specific integrated circuits (ASICs) to build and maintain their filter tables. It is still fine to think of a layer-2 switch as a multiport bridge, because their basic reason for being is the same: to break up collision domains.
Layer-2 switches and bridges are faster than routers because they do not spend time examining Network layer header information. Instead, they look at the frame's hardware addresses before deciding whether to forward the frame or drop it.
Switches create private, dedicated collision domains per port and do not share bandwidth the way a hub does.
LAN Switch Features
Dedicated Communication Between Devices
Multiple Simultaneous Conversations
Full-Duplex Communication
Media-Rate Adaptation
(Figure: 100 Mbps and 10 Mbps hosts attached to the same switch)
LAN Switches provide many features including dedicated connections between an end node and the switch allowing for a much smaller collision domain and the capability to run at full duplex.
Three Switch Functions
• Address learning
• Forward/filter decision
• Loop avoidance
There are three distinct functions of layer-2 switching: address learning, forward/filter decisions, and loop avoidance.
Learning Host Locations
• Initial MAC address table is empty
(Figure: hosts A, B, C and D with MAC addresses 0260.8c01.1111, 0260.8c01.2222, 0260.8c01.3333 and 0260.8c01.4444 attached to switch ports E0, E1, E2 and E3; the MAC address table is empty)
When a switch is first powered on, the MAC forward/filter table is empty.
When a device transmits and an interface receives a frame, the switch records the frame's source address in the MAC forward/filter table, which lets it remember which interface the sending device is located on. The switch then has no choice but to flood the frame out its other ports, because it has no idea where the destination device is actually located.
How Switches Filter Frames
Station A sends a frame to station C. The destination is known, so the frame is not flooded.
MAC address table:
E0: 0260.8c01.1111
E2: 0260.8c01.2222
E1: 0260.8c01.3333
E3: 0260.8c01.4444
(Figure: the frame from A on E0 is forwarded out E1 to C only; E2 and E3 are marked X, nothing is sent there)
When the switch is powered on, its MAC address forward/filter table is empty.
As the hosts start communicating, the switch places the source hardware address of each frame in the table, along with the port on which that frame arrived.
Broadcast and Multicast Frames
• Station D sends a broadcast or multicast frame
• Broadcast and multicast frames are flooded to all ports other than the originating port
(Figure: station D on E3 sends a broadcast or multicast frame; it is flooded out E0, E1 and E2)
MAC address table:
E0: 0260.8c01.1111
E2: 0260.8c01.2222
E1: 0260.8c01.3333
E3: 0260.8c01.4444
When a frame arrives at a switch interface, the destination hardware address is compared to the forward/filter MAC database. If the destination address is listed, the frame is sent only out the interface on which that address was learned; it is not transmitted out any other interface. This preserves bandwidth on the other network segments and is called frame filtering.
If the destination hardware address isn't in the MAC database, the frame is flooded out all active interfaces except the one it was received on. When the destination replies, its source address is learned and the database is updated with its location (interface).
If a host or server sends a broadcast on the LAN, the switch floods the frame out all active ports by default. Remember, the switch only creates smaller collision domains; it is still one large broadcast domain by default.
show mac address-table
S1 needs to forward a frame with a destination address of 00b0.d056.efa4.
What will the switch do with this frame?
Switch-1# show mac address-table
Dynamic Addresses Count:                3
Secure Addresses (User-defined) Count:  0
Static Addresses (User-defined) Count:  0
System Self Addresses Count:           41
Total Mac Addresses:                   50
Non-static Address Table:
Destination Address  Address Type  VLAN  Destination Port
0010.0de0.e289       Dynamic       1     FastEthernet0/1
0010.7b00.1540       Dynamic       2     FastEthernet0/3
0010.7b00.1545       Dynamic       2     FastEthernet0/2
The address is not in the table, so the switch floods the frame out every active port in the frame's VLAN except the port it arrived on.
What would the switch do if it received a frame whose source address was 00b0.d056.efa4?
It would add the address to the MAC address table as a dynamic entry, with the destination port set to the port on which the frame was received.
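The learning, forwarding and flooding behaviour described across the last several slides can be stepped through in code. The following is an added example, not part of the original course material: a small Python model of a layer-2 switch that learns source addresses, forwards known unicast out a single port, filters frames whose destination is on the ingress port, and floods unknown unicast, broadcast and multicast. The MAC addresses and port names are the slides' own; the class and its API are assumptions for illustration.

```python
"""Layer-2 learning, forwarding and flooding, step by step.

Added example, not part of the original course material. MAC addresses
and port names come from the slides; the class and API are my own.
"""

BROADCAST = "ffff.ffff.ffff"


def normalize(mac: str) -> str:
    """Accept 02:60:8c:01:11:11 or 0260.8c01.1111 and return Cisco dotted form."""
    hexdigits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(hexdigits) != 12:
        raise ValueError(f"bad MAC: {mac!r}")
    return ".".join(hexdigits[i:i + 4] for i in (0, 4, 8))


def is_multicast(mac: str) -> bool:
    """Group bit: least significant bit of the first octet (broadcast included)."""
    return int(normalize(mac)[:2], 16) & 1 == 1


class Layer2Switch:
    def __init__(self, ports):
        self.ports = list(ports)
        self.table = {}          # MAC -> port the MAC was last seen on

    def receive(self, in_port: str, src: str, dst: str) -> list:
        """Process one frame and return the list of egress ports."""
        src, dst = normalize(src), normalize(dst)
        # Address learning: record the source, overwriting any older entry.
        # The table trusts the source field as sent, which is why a host
        # spoofing another station's address moves that entry to its port.
        self.table[src] = in_port
        # Broadcast, multicast and unknown unicast are flooded out every
        # port except the one the frame arrived on.
        if is_multicast(dst) or dst not in self.table:
            return [p for p in self.ports if p != in_port]
        out = self.table[dst]
        # Filter: destination lives on the ingress port, so drop the frame.
        return [] if out == in_port else [out]


def run_slide_scenario() -> dict:
    """A sends to C before and after C has replied, then D broadcasts."""
    sw = Layer2Switch(["E0", "E1", "E2", "E3"])
    A, C, D = "0260.8c01.1111", "0260.8c01.3333", "0260.8c01.4444"
    results = {}
    results["A->C unknown"] = sw.receive("E0", A, C)          # flooded to E1, E2, E3
    results["C->A reply"] = sw.receive("E1", C, A)            # forwarded to E0 only
    results["A->C known"] = sw.receive("E0", A, C)            # forwarded to E1 only
    results["D broadcast"] = sw.receive("E3", D, BROADCAST)   # flooded to E0, E1, E2
    results["table"] = dict(sw.table)
    return results


if __name__ == "__main__":
    for step, outcome in run_slide_scenario().items():
        print(f"{step:<14} {outcome}")
```

The first frame from A is flooded because C is unknown; once C replies, the table holds both stations and the next A-to-C frame goes out E1 alone, exactly as the filtering slide shows.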
Connecting Switches together
When connecting a cable into a switch, at first the link lights are orange, then turn green indicating normal operation. Why?
Crossover cable
You would use a crossover cable to connect switches together. A crossover cable has the following pins crossed: 1 to 3, 2 to 6, 3 to 1, 6 to 2.
The lights stay orange for roughly 30 seconds because of the Spanning-Tree Protocol (STP): the port passes through the listening and learning states (15 seconds each by default) before it starts forwarding. This behavior depends on the type of switches being interconnected, their speed and duplex settings, and their spanning-tree configuration (PortFast, for example, skips the delay on ports that face end hosts). Care should be taken when interconnecting switches so as not to introduce loops in the topology, to limit the size of the broadcast domain, and not to substantially oversubscribe the uplink ports. STP is covered in detail later in the course.
Do switches need an IP Address?
Which type of Ethernet cable is used to
connect the hubs to the switch?
Crossover cable
Hub Hub Hub
Switch Switch
No, switches do not need an IP address. We add an IP address to a switch only for management purposes, and it is configured under the VLAN 1 interface (or the management VLAN), NOT on a physical interface. On switches running Catalyst OS this takes the form of the sc0 interface.
To connect a hub to a switch, you would use a crossover cable. Why not a straight-through? Hub and switch ports are wired the same way (MDI-X), so a straight-through cable would connect transmit to transmit and receive to receive; the crossover swaps the pairs. Many newer switches auto-detect this (Auto-MDIX), which is why a straight-through often works in practice.
What is the default gateway address for the hosts?
Both the hosts and the switch would use a
default gateway address of 192.168.10.1
E0: 192.168.10.1
192.168.10.2
The default gateway address of the hosts (which allows them to send packets out of the local network) is always set to a router or other layer-3 device's address. A layer-2 switch does not perform routing and would not be able to route a packet directed to its IP address.
The switch, when sending packets out of the local network for management purposes only, needs a default gateway address set to the router as well – just like a host would.
Remember, the IP address and default gateway set on the switch have nothing to do with a host sending packets out of the local network. Think of the switch’s configuration in the same way as any host that does not route traffic. The switch simply breaks up collision domains for the local network and the router is used to connect networks together.
Configuring the Switch IP Address
Switch(config)# interface vlan 1
Switch(config-if)# ip address 192.168.10.2 255.255.255.0
Switch(config-if)# no shutdown
Switch(config-if)# exit
Configures an IP address and subnet mask for the switch
Switch(config)# ip default-gateway 192.168.10.1
Configures the default gateway for the switch
• The rest of the commands are similar to a router's IOS
• i.e. copy run start, erase start, show run, passwords, etc.
The IP address is configured differently on the Catalyst switches than it is on any router: you actually configure it under the VLAN 1 interface. Remember that every port on every switch is a member of VLAN 1 by default. This really confuses a lot of people; you'd think that you would set an IP address under a switch interface, but no, that's not where it goes! Remember that you set an IP address "for" the switch so you can manage the switch in-band (through the network). You set the "ip default-gateway" command so that you can manage the switch from outside the local network. Remember to also perform a "no shut" under the VLAN interface.
Testing your understanding
As is true on routers, both the 2950’s and 3550’s configurations are stored in NVRAM.
You save the configuration with the "copy running-config startup-config" command, and you can erase the contents of NVRAM with the "erase startup-config" command.
On a Catalyst OS switch:
Switch (enable)> clear config all
Switch (enable)> reset
show running-config
Switch# sh running-config
Building configuration...
[output cut]
!
interface Vlan1
 ip address 172.16.10.3 255.255.255.0
!
ip default-gateway 172.16.10.2
!
The “show running-config” command displays the active configuration.
Chapter 1 Lab
Hands-On Lab 1.3 & 1.4
Open your lab books and complete labs 2.5 and 2.6
Chapter 1 Summary
• Cisco routers provide a command line interface (CLI)
• There are two modes
  • User EXEC
  • Privileged EXEC
• The enable command is used to enter Privileged EXEC mode from User EXEC mode
• Routers contain four types of memory:
  • RAM (Random Access Memory)
  • ROM (Read Only Memory)
  • Flash
  • NVRAM (NonVolatile RAM)
• Learned CTRL and ESC sequences to manipulate the command line.
• Learned the startup sequence of the router.
Chapter 1 Summary (cont.)
• Learned how to manipulate / store / restore the router configuration file.
• There are several passwords on a Cisco router that control access. Examples are as follows:
• enable
• enable secret
• line VTY # (telnet access)
• console
• auxiliary
• Unencrypted passwords can be encrypted in the configuration file so they are not seen as clear text.
• Banners can be used to display messages
• Default configuration register setting is 0x2102 (0x2142 is used for password recovery)
Security
Chapter 6
The proper use and configuration of access lists is a vital part of router configuration because access lists are such versatile networking accessories. Contributing mightily to the efficiency and operation of your network, access lists give network managers a huge amount of control over traffic flow throughout the enterprise. With access lists, managers can gather basic statistics on packet flow and security policies can be implemented. Sensitive devices can also be protected from unauthorized access.
Common Threats to Physical Installations
• Hardware threats
• Environmental threats
• Electrical threats
• Maintenance threats
What should be part of a comprehensive network security plan?
* Physically secure network equipment from potential access by unauthorized individuals.
Common Attacks
• Denial of Service (DoS): a flood of packets that are requesting a TCP connection to a server
(Figure: a "Bad Guy" on the Internet sends SYN packets 65,000 times to the lammle.com server; the server answers each with SYN/ACK until it crashes)
Security Appliances
• IDS: An intrusion detection system is used to detect several types of malicious behaviors that can compromise the security and trust of a computer system. This includes network attacks against vulnerable services, data driven attacks on applications, host based attacks such as privilege escalation, unauthorized logins and access to sensitive files, and malware (viruses, trojan horses and worms).
• IPS: An intrusion prevention system is a computer security device that monitors network and/or system activities for malicious or unwanted behavior and can react, in real-time, to block or prevent those activities. Network-based IPS, for example, will operate in-line to monitor all network traffic for malicious code or attacks. When an attack is detected, it can drop the offending packets while still allowing all other traffic to pass.
Why Use ACLs?
Filtering: Manage IP traffic by filtering packets passing through a router
Classification: Identify traffic for special handling
An access list is a mechanism for identifying particular traffic. One application of an access list is for filtering traffic into or out of a router interface.
ACL Applications: Filtering
Permit or deny packets moving through the router.
Permit or deny vty access to or from the router.
Without ACLs, all packets could be transmitted to all parts of your network.
This figure illustrates common uses for IP access lists. While this chapter focuses on IP access lists, the concept of access lists as mechanisms to control traffic in a network applies to all protocols. An improved security solution is the lock-and-key access feature, which is available only with IP extended access lists. Lock-and-key access allows you to set up dynamic access lists that grant access per user to a specific source/destination host through a user authentication process. You can allow user access through a firewall dynamically, without compromising security restrictions.
Types of IP ACLs
Standard ACL
• Checks source address
• Generally permits or denies entire protocol suite
Extended ACL
• Checks source and destination address
• Generally permits or denies specific protocols and applications
Two methods used to identify standard and extended ACLs:
• Numbered ACLs use a number for identification
• Named ACLs use a descriptive name or number for identification
How to Identify ACLs
Numbered standard IPv4 lists (1–99) test conditions of all IP packets for source addresses. Expanded range (1300–1999).
Numbered extended IPv4 lists (100–199) test conditions of source and destination addresses, specific TCP/IP protocols, and destination ports. Expanded range (2000–2699).
Named ACLs identify IP standard and extended ACLs with an alphanumeric string (name).
With Cisco IOS 12.0, the IP access-list range has been expanded to also include:
<1300-1999> IP standard access list (expanded range)
<2000-2699> IP extended access list (expanded range)
IP Access List Entry Sequence Numbering
• Requires Cisco IOS Release 12.3
• Allows you to edit the order of ACL statements using sequence numbers
  • In software earlier than Cisco IOS Release 12.3, a text editor is used to create ACL statements, then the statements are copied into the router in the correct order.
• Allows you to remove a single ACL statement from the list using a sequence number
  • With named ACLs in software earlier than Cisco IOS Release 12.3, you must use no {deny | permit} protocol source source-wildcard destination destination-wildcard to remove an individual statement.
  • With numbered ACLs in software earlier than Cisco IOS Release 12.3, you must remove the entire ACL to remove a single ACL statement.
ACL Configuration Guidelines
• Standard or extended indicates what can be filtered.
• Only one ACL per interface, per protocol, and per direction is allowed.
• The order of ACL statements controls testing, therefore the most specific statements go at the top of the list.
• The last ACL test is always an implicit deny everything else statement, so every list needs at least one permit statement.
• ACLs are created globally and then applied to interfaces for inbound or outbound traffic.
• An ACL can filter traffic going through the router, or traffic to and from the router, depending on how it is applied.
• When placing ACLs in the network:
  • Place extended ACLs close to the source
  • Place standard ACLs close to the destination
Dynamic ACLs
Dynamic ACLs (lock-and-key): Users that want to traverse the router are blocked until they use Telnet to connect to the router and are authenticated.
(Figure, step 1) Use Telnet to connect to the router and authenticate.
(Figure, step 2) Use FTP, HTTP, etc. to connect to the server.
Reflexive ACLs
Reflexive ACLs: Used to allow outbound traffic and limit inbound traffic in response to sessions that originate inside the router
(Figure: on interface S0, inbound traffic initiated outside is limited, while inbound traffic for sessions initiated inside is allowed)
Time-Based ACLs
Time-based ACLs: Allow for access control based on the time of day and week
Access List Applications
Typical uses for Access lists:
• Permit or deny packets moving through the router
• Permit or deny vty access to or from the router
• Stop basic user data. Without access lists all packets could be transmitted onto all parts of your network
Advanced uses for Access-lists:
• Priority and custom queuing
• Dial-on-Demand Routing (DDR)
• Route table filtering
• Classify network traffic
This figure illustrates common uses for IP access lists.
Access lists can be used to permit or deny packets moving through the router, permit or deny Telnet (VTY) access to or from a router, and create dial-on-demand interesting traffic that triggers dialing to a remote location.
Wildcards Review
172.16.16.29 0.0.0.0 specifies this host
192.168.10.0 0.0.0.255 specifies this network
You must remember your block sizes: 128, 64, 32, 16, 8 and 4
(Figure: router with an incoming packet on S0 and an outgoing packet on E0)
Wildcards are used with access lists to specify an individual host, a network, or a certain range of a network or networks.
To understand a wildcard, you need to understand what a block size is; they’re used to specify a range of addresses. Some of the different block sizes available are 64, 32, 16, 8, and 4.
Wildcard Masks
The wildcard is always one less than the block size.
Subnet            Wildcard mask
172.16.10.32/27   0.0.0.31
172.16.10.4/30    0.0.0.3
172.16.10.128/26  0.0.0.63
172.16.10.32/28   0.0.0.15
172.16.10.8/29    0.0.0.7
172.16.16.0/20    0.0.15.255
This is a review of wildcard masks, as first discussed when configuring OSPF.
You really need to know these!!
Access List Command Overview
Standard IP Access List Commands
Router(config)# access-list access-list-number {permit | deny} {test conditions}
Router(config-if)# {protocol} access-group access-list-number {in | out}
Example Standard IP Access List Commands
Router(config)# access-list 10 permit host 172.16.10.1
Router(config)# access-list 10 permit 172.16.10.2
Router(config)# access-list 10 permit 172.16.10.3 0.0.0.0
Router(config)# int e0
Router(config-if)# ip access-group 10 in
This slide demonstrates a "basic" standard access list. Each of the three test statements says the same thing: it is showing three different ways to specify a single host.
Wildcard Example 1
(Figure: router with 172.16.10.0/24 on E0, 172.16.20.0/24 on E1 and S0 to the Internet)
access-list 10 deny 172.16.10.0 0.0.0.255
access-list 10 permit any
int e1
ip access-group 10 out
This example will deny anyone on network 172.16.10.0 from exiting interface E1
Wildcard Example 2
(Figure: router with host 172.16.10.2/24 on E0, 172.16.20.0/24 on E1 and S0 to the Internet)
access-list 10 deny 172.16.10.2 0.0.0.0
access-list 10 permit any
int e1
ip access-group 10 out
This example stops only host 172.16.10.2 from exiting interface E1.
Wildcard Example 3
(Figure: router with 192.168.10.128/26 on E0, 192.168.10.64/26 on E1 and S0 to the Internet)
access-list 10 deny 192.168.10.128 0.0.0.63
access-list 10 permit any
int e1
ip access-group 10 out
This example will deny anyone on subnet 192.168.10.128 from exiting interface E1.
Wildcard Question
You have the following four test statements:
access-list 10 permit 172.16.16.0 0.0.0.255
access-list 10 permit 172.16.17.0 0.0.0.255
access-list 10 permit 172.16.18.0 0.0.0.255
access-list 10 permit 172.16.19.0 0.0.0.255
What one statement can replace these four?
Answer:
access-list 10 permit 172.16.16.0 0.0.3.255
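The Wildcard Masks table and the Wildcard Question above can be checked mechanically instead of memorised. The following Python is an added worked example, not part of the course material: it derives the wildcard from the prefix length (the inverse of the subnet mask, hence "block size minus one"), applies a wildcard the way the router does when testing a packet address, and collapses the four /24 statements of the question into the single 172.16.16.0 0.0.3.255 statement. The function names are my own.

```python
"""Wildcard masks and block sizes, worked in Python (added example)."""
import ipaddress


def wildcard_from_prefix(prefix_len: int) -> str:
    """Dotted-decimal wildcard mask for a /prefix_len network.

    The wildcard is the bitwise inverse of the subnet mask, which is why it
    always comes out as 'block size minus one' in the interesting octet.
    """
    subnet_mask = (0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF
    return str(ipaddress.IPv4Address(subnet_mask ^ 0xFFFFFFFF))


def block_size(prefix_len: int) -> int:
    """Block size in the interesting octet (the one where the subnet mask is
    neither 0 nor 255): /27 -> 32, /30 -> 4, /20 -> 16, /24 -> 256."""
    host_bits = 32 - prefix_len
    if host_bits == 0:
        return 1                      # /32 is a single host
    return 2 ** (host_bits % 8 or 8)


def matches(address: str, network: str, wildcard: str) -> bool:
    """One ACL test condition: every bit where the wildcard is 0 must equal
    the network's bit; bits where the wildcard is 1 are 'don't care'.
    This is what the router does, so it also works for non-contiguous
    wildcards, not only the block-size ones shown on the slide."""
    addr = int(ipaddress.IPv4Address(address))
    net = int(ipaddress.IPv4Address(network))
    care = int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF
    return (addr & care) == (net & care)


def summarize(networks, prefix_len: int):
    """Collapse several /prefix_len networks into one (network, wildcard)
    pair when they form a single aligned block, as in the Wildcard Question;
    return None when no single statement can replace them."""
    nets = [ipaddress.ip_network(f"{n}/{prefix_len}") for n in networks]
    merged = list(ipaddress.collapse_addresses(nets))
    if len(merged) != 1:
        return None
    summary = merged[0]
    return str(summary.network_address), wildcard_from_prefix(summary.prefixlen)


if __name__ == "__main__":
    # Rows of the Wildcard Masks table, recomputed rather than memorised
    for net, plen in [("172.16.10.32", 27), ("172.16.10.4", 30),
                      ("172.16.10.128", 26), ("172.16.16.0", 20)]:
        print(f"{net}/{plen:<3} block {block_size(plen):>3}  wildcard {wildcard_from_prefix(plen)}")
    # The four /24 statements in the Wildcard Question collapse to one
    print(summarize(["172.16.16.0", "172.16.17.0", "172.16.18.0", "172.16.19.0"], 24))
```

Note that summarize() refuses to merge networks that do not line up on a block boundary (for example 172.16.17.0/24 and 172.16.18.0/24), which is exactly the case where a single wildcard statement would silently cover more addresses than intended.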
Applying Access Lists to a VTY Line
(Figure: Telnet arriving on physical port e0 of the router reaches the virtual ports, typically vty 0 through 4)
• Set up an IP address filter with a standard access list statement
• Use line configuration mode to filter access with the access-class command
• You should set identical restrictions on all vty lines
When you apply an access list to the VTY lines, you don't need to specify the telnet protocol, since access to the VTY implies terminal access.
You also don’t need to specify a destination address, since it really doesn’t matter which interface address the user used as a target for the telnet session.
You really only need to control where the user is coming from—their source IP address. Nice!
Virtual Terminal Access Example
Create the access list:
Router(config)# access-list 10 permit 192.89.55.0 0.0.0.255
Apply it to all VTY lines:
Router(config)# line vty 0 4
Router(config-line)# access-class 10 in
The above example permits only hosts in network 192.89.55.0 to connect to the router's VTY lines.
Chapter 6 Lab
Hands-on Lab 6.1 & 6.2
Open your lab books and complete labs 6.1 and 6.2
Standard versus Extended Access List
Standard:
• Filters based on source.
• Permit or deny entire TCP/IP protocol suite.
• Range is 1 – 99 and 1300 – 1999.
Extended:
• Filters based on source and destination.
• Specifies a specific IP protocol and port number.
• Range is 100 – 199 and 2000 – 2699.
Standard access lists: These use only the source IP address in an IP packet as the condition test. All decisions are made based on source IP address. This means that standard access lists basically permit or deny an entire suite of protocols. They don't distinguish between any of the many types of IP traffic such as WWW, telnet, UDP, etc.
Extended access lists: Extended access lists can evaluate many of the other fields in the layer 3 and layer 4 header of an IP packet:
• IP source address
• IP destination address
• Protocol field in the network layer packet
• Port number in the transport layer segment
Extended Access List Example
(Figure: router with network 172.16.3.0 on E0, network 172.16.4.0 including host 172.16.4.13 on E1, and S0 toward non-172.16.0.0 networks)
access-list 101 deny tcp 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255 eq 21
access-list 101 deny tcp 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255 eq 20
This slide shows an example of an extended IP access list. It denies FTP (port 21 is FTP control and port 20 is FTP data) from subnet 172.16.4.0 to 172.16.3.0. Actually, since there is an implicit DENY at the end of each access list, this access list denies all packets, because there is NOT a permit statement. Note: if access list 101 were applied to an interface, all traffic, whether inbound or outbound (depending on how the ACL was applied), would be denied.
Extended Access List Example
(Figure: router with network 172.16.3.0 on E0, network 172.16.4.0 including host 172.16.4.13 on E1, and S0 toward non-172.16.0.0 networks)
access-list 101 deny tcp 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255 eq 21
access-list 101 deny tcp 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255 eq 20
access-list 101 permit ip any any
(access-list 101 deny ip any any)
Don’t forget to include the permit statement to permit all other IP traffic. Access list 101 could be applied inbound to interface E1 or outbound to interface E0.
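The behaviour described on the last two slides (top-down first match, the implicit deny at the end, and why the list without a permit statement blocks everything) and in the ACL Configuration Guidelines (order of statements matters) can be reproduced with a small simulator. The Python below is an added example, not the course's or Cisco's code: it parses numbered IOS access-list statements exactly as written on these slides (standard and extended, host/any/wildcard forms, eq port by number or by the names used in this chapter) and evaluates a packet against them the way the router does. The port-name table and function names are my own.

```python
"""Simulate Cisco IOS numbered ACL evaluation: top-down, first match, implicit deny."""
import ipaddress

# Port names accepted after "eq" in this chapter's examples (constructed table)
PORT_NAMES = {"www": 80, "telnet": 23, "ftp": 21, "ftp-data": 20}

ANY = (0, 0xFFFFFFFF)   # 0.0.0.0 255.255.255.255: every bit is a "don't care"


def _ip(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))


def _is_dotted(tok: str) -> bool:
    return tok.count(".") == 3 and tok.replace(".", "").isdigit()


def _addr_spec(tokens):
    """Consume one address specification; return ((network, wildcard), rest)."""
    if tokens[0] == "any":
        return ANY, tokens[1:]
    if tokens[0] == "host":
        return (_ip(tokens[1]), 0), tokens[2:]
    if len(tokens) > 1 and _is_dotted(tokens[1]):
        return (_ip(tokens[0]), _ip(tokens[1])), tokens[2:]
    return (_ip(tokens[0]), 0), tokens[1:]   # standard-ACL shorthand for one host


def parse_acl(lines):
    """Parse 'access-list N ...' statements into entry dicts, in entry order.
    Lines such as 'int e1' or 'ip access-group 10 out' apply the list to an
    interface; they are not test statements and are skipped, as are remarks."""
    entries = []
    for line in lines:
        t = line.split()
        if t[:1] != ["access-list"] or t[2] == "remark":
            continue
        number, action, rest = int(t[1]), t[2], t[3:]
        standard = number <= 99 or 1300 <= number <= 1999
        if standard:                  # source address only, whole IP suite
            proto = "ip"
            src, rest = _addr_spec(rest)
            dst, dport = ANY, None
        else:                         # protocol, source, destination, optional port
            proto = rest[0]
            src, rest = _addr_spec(rest[1:])
            dst, rest = _addr_spec(rest)
            dport = None
            if rest[:1] == ["eq"]:
                dport = PORT_NAMES.get(rest[1]) or int(rest[1])
        entries.append({"action": action, "proto": proto, "src": src,
                        "dst": dst, "dport": dport, "text": line})
    return entries


def _covers(spec, addr: str) -> bool:
    net, wildcard = spec
    care = wildcard ^ 0xFFFFFFFF      # bits where the wildcard is 0 must match
    return (_ip(addr) & care) == (net & care)


def evaluate(entries, proto, src, dst, dport=None):
    """Return (action, index) of the first matching entry. (deny, None) means
    the packet fell through to the implicit 'deny any' at the end of the list."""
    for i, e in enumerate(entries):
        if e["proto"] != "ip" and e["proto"] != proto:
            continue
        if not _covers(e["src"], src) or not _covers(e["dst"], dst):
            continue
        if e["dport"] is not None and e["dport"] != dport:
            continue
        return e["action"], i
    return "deny", None


# Sample ACLs built from the statements shown on these slides (constructed input)
FTP_ONLY_DENIES = [
    "access-list 101 deny tcp 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255 eq 21",
    "access-list 101 deny tcp 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255 eq 20",
]
FTP_DENY_WITH_PERMIT = FTP_ONLY_DENIES + ["access-list 101 permit ip any any"]
STANDARD_10 = [
    "access-list 10 deny 172.16.10.0 0.0.0.255",
    "access-list 10 permit any",
    "int e1",
    "ip access-group 10 out",
]

if __name__ == "__main__":
    acl = parse_acl(FTP_DENY_WITH_PERMIT)
    print(evaluate(acl, "tcp", "172.16.4.13", "172.16.3.7", 21))   # ('deny', 0)
    print(evaluate(acl, "tcp", "172.16.4.13", "172.16.3.7", 80))   # ('permit', 2)
    # Without the permit statement even HTTP falls through to the implicit deny
    print(evaluate(parse_acl(FTP_ONLY_DENIES), "tcp", "172.16.4.13", "172.16.3.7", 80))  # ('deny', None)
```

Putting "permit ip any any" first and the FTP denies after it gives ("permit", 0) for the very FTP traffic the list was written to block, which is the order-of-statements point from the guidelines slide in executable form. The same evaluate() call with a standard list and only a source address models the access-class check on the VTY lines.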
Extended Access List Example
(Figure: router with network 172.16.3.0 on E0, network 172.16.4.0 including host 172.16.4.13 on E1, and S0 toward non-172.16.0.0 networks)
access-list 101 deny tcp 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255 eq 21
access-list 101 deny tcp 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255 eq 20
access-list 101 permit ip any any
interface ethernet 1
ip access-group 101 in
Extended Access List Example
(Figure: router with network 172.16.3.0 on E0, network 172.16.4.0 including host 172.16.4.13 on E1, and S0 toward non-172.16.0.0 networks)
access-list 101 deny tcp 172.16.3.0 0.0.0.255 host 172.16.4.13 eq 23
access-list 101 permit ip any any
interface ethernet 0
ip access-group 101 in
This slide demonstrates an extended access list that will stop anyone from network 172.16.3.0 from telnetting to host 172.16.4.13.
Extended Access List Example
(Figure: router with network 172.16.3.0 on E0, network 172.16.4.0 including host 172.16.4.13 on E1, and S0 toward non-172.16.0.0 networks)
access-list 101 deny tcp 172.16.3.0 0.0.0.255 any eq www log
access-list 101 permit ip 0.0.0.0 255.255.255.255 any
interface ethernet 0
ip access-group 101 in
This slide demonstrates an extended access-list that will stop anyone from network 172.16.3.0 using HTTP to any destination.
Extended Access List Example
• You want to stop users from the Sales LAN entering the Marketing LAN. What access list would you create, and to what interface will you apply it?
(Figure: routers LAN_A and LAN_B joined by a serial link, S0 (DCE) to S1, 192.168.10.1/24; Hosts C and D on the Sales LAN 192.168.11.0 255.255.255.0 off E0 of LAN_A; Hosts E and F on the Marketing LAN 192.168.12.0 255.255.255.0 off E0 of LAN_B)
Extended, on the LAN_A router:
access-list 110 deny ip 192.168.11.0 0.0.0.255 192.168.12.0 0.0.0.255
access-list 110 permit ip any any
int e0
ip access-group 110 in
OR
Standard, on the LAN_B router:
access-list 10 deny 192.168.11.0 0.0.0.255
access-list 10 permit any
int e0
ip access-group 10 out
Access List Configuration Guidelines
• The order of ACL statements is crucial.
  • Recommended: Use a text editor on a PC to create the ACL statements, then cut and paste them into the router.
• Top-down processing is important.
  • Place the more specific test statements first.
• Statements cannot be rearranged or removed.
  • Use the no access-list number command to remove the entire ACL.
  • Exception: Named ACLs permit removal of individual statements.
• Implicit deny any will be applied to all packets that do not match any ACL statement unless the ACL ends with an explicit permit any statement.
Guidelines
Access list numbers indicate which protocol is filtered.
One access list per interface, per protocol, per direction is allowed.
The order of access list statements controls testing. Place the most restrictive statements at the top of the list.
There is an implicit deny any statement as the last access list test. Every list needs at least one permit statement.
Create access lists before applying them to interfaces.
Access lists filter traffic going through the router; they do not apply to traffic originating from the router.
Named Access Lists
• Instead of using numbers, you can use names to configure your access lists.
Here is an example:
ip access-list standard Lammle
permit host 1.1.1.1
interface ethernet 0
ip access-group Lammle in
Named access lists are just another way to create standard and extended access lists. In medium to large enterprises, management of access lists can become, well, a real hassle over time.
For example, when you need to make a change to an access list, a frequent practice is to copy the access list to a text editor, change the number, edit the list, then paste the new list back into the router.
Named access lists allow you to use names to both create and apply either standard or extended access lists.
There is nothing new or different about these access lists aside from being able to refer to them in a way that makes sense to humans.
However, you do not need to delete the named access-list in order to make changes. This is one of the best benefits of named access-lists.
Named Standard ACL Example
Deny a specific host
RouterX(config)# ip access-list standard troublemaker
RouterX(config-std-nacl)# deny host 172.16.4.13
RouterX(config-std-nacl)# permit 172.16.4.0 0.0.0.255
RouterX(config-std-nacl)# interface e0
RouterX(config-if)# ip access-group troublemaker out
All hosts on subnet 172.16.4.0 are blocked from going out on E0 to subnet 172.16.3.0. The arrow represents that the access list is applied as an outbound access list.
Named Extended ACL Example
Deny Telnet from a specific subnet
RouterX(config)# ip access-list extended badgroup
RouterX(config-ext-nacl)# deny tcp 172.16.4.0 0.0.0.255 any eq 23
RouterX(config-ext-nacl)# permit ip any any
RouterX(config-ext-nacl)# interface e0
RouterX(config-if)# ip access-group badgroup out
All Telnet requests initiated by hosts on subnet 172.16.4.0 are blocked from going out on E0 to subnet 172.16.3.0.
Commenting ACL Statements
RouterX(config)# access-list access-list-number remark remark
Creates a numbered ACL comment
Or
RouterX(config)# ip access-list {standard|extended} name
Creates a named ACL
RouterX(config {std- | ext-}nacl)# remark remark
Creates a named ACL comment
Monitoring ACL Statements
RouterX# show access-lists {access-list number|name}
Displays all access lists
RouterX# show access-lists
Standard IP access list SALES
    10 deny 10.1.1.0, wildcard bits 0.0.0.255
    20 permit 10.3.3.1
    30 permit 10.4.4.1
    40 permit 10.5.5.1
Extended IP access list ENG
    10 permit tcp host 10.22.22.1 any eq telnet (25 matches)
    20 permit tcp host 10.33.33.1 any eq ftp
    30 permit tcp host 10.44.44.1 any eq ftp-data
This is the most consolidated method for seeing several access lists. The implicit deny all statement is not displayed unless it is explicitly entered in the access list.
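Reading "show access-lists" by eye works for two lists; across many routers it is easier to parse. The Python below is an added example, not part of the course or of IOS: it parses the listing format shown on this slide (list headers, optional sequence numbers, the "(N matches)" counters) and pulls out two things a network or security operator wants to know, which deny entries are actually being hit and which lists contain no permit statement at all (and so, with the implicit deny, block everything). The sample text is constructed from the SALES and ENG lists on the slide plus a third list, 101, added here to show the no-permit case.

```python
"""Parse 'show access-lists' output and flag entries that need attention (added example)."""
import re

# Constructed sample output: the SALES/ENG lists from the slide plus list 101,
# added here, which has only deny statements and a non-zero deny counter.
SAMPLE = """\
Standard IP access list SALES
    10 deny   10.1.1.0, wildcard bits 0.0.0.255
    20 permit 10.3.3.1
    30 permit 10.4.4.1
    40 permit 10.5.5.1
Extended IP access list ENG
    10 permit tcp host 10.22.22.1 any eq telnet (25 matches)
    20 permit tcp host 10.33.33.1 any eq ftp
    30 permit tcp host 10.44.44.1 any eq ftp-data
Extended IP access list 101
    10 deny tcp 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255 eq ftp (3 matches)
    20 deny tcp 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255 eq ftp-data
"""

HEADER = re.compile(r"^(Standard|Extended) IP access list (\S+)$")
# Entries are indented; the sequence number and the match counter are optional
ENTRY = re.compile(r"^\s+(?:(\d+)\s+)?(permit|deny)\s+(.*?)(?:\s+\((\d+) matches?\))?\s*$")


def parse_show_access_lists(text):
    """Return {name: {"type": "standard"|"extended", "entries": [...]}} where each
    entry is {"seq", "action", "condition", "matches"}."""
    lists, current = {}, None
    for line in text.splitlines():
        header = HEADER.match(line)
        if header:
            current = {"type": header.group(1).lower(), "entries": []}
            lists[header.group(2)] = current
            continue
        entry = ENTRY.match(line)
        if entry and current is not None:
            seq, action, condition, hits = entry.groups()
            current["entries"].append({
                "seq": int(seq) if seq else None,
                "action": action,
                "condition": " ".join(condition.split()),  # collapse alignment padding
                "matches": int(hits) if hits else 0,
            })
    return lists


def deny_entries_with_hits(lists):
    """(list name, sequence, count) for deny entries whose counter is non-zero:
    this is the traffic the policy is actively stopping and worth reviewing."""
    return [(name, e["seq"], e["matches"])
            for name, acl in lists.items()
            for e in acl["entries"]
            if e["action"] == "deny" and e["matches"] > 0]


def lists_without_permit(lists):
    """Names of lists with no explicit permit: together with the implicit deny
    at the end they block all traffic, which is usually a configuration slip."""
    return sorted(name for name, acl in lists.items()
                  if not any(e["action"] == "permit" for e in acl["entries"]))


if __name__ == "__main__":
    parsed = parse_show_access_lists(SAMPLE)
    print(deny_entries_with_hits(parsed))   # [('101', 10, 3)]
    print(lists_without_permit(parsed))     # ['101']
```

The counters are cumulative since the last "clear access-list counters", so a deny entry with a growing count is a signal to correlate with the "log" keyword output or other telemetry rather than a measurement on its own.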
Verifying Access Lists
Todd# show ip int e0
Ethernet0 is up, line protocol is up
  Internet address is 10.1.1.11/24
  Broadcast address is 255.255.255.255
  Address determined by setup command
  MTU is 1500 bytes
  Helper address is not set
  Directed broadcast forwarding is disabled
  Outgoing access list is not set
  Inbound access list is 1
  Proxy ARP is enabled
  Security level is default
  Split horizon is enabled
  ICMP redirects are always sent
  ICMP unreachables are always sent
  ICMP mask replies are never sent
  IP fast switching is enabled
<output cut>
Lists IP interface information. Indicates whether outgoing and/or inbound access lists are set.
Review the output of the "show ip interface" command. The lines "Outgoing access list is not set" and "Inbound access list is 1" show the access list settings for the interface.

Monitoring Access List Statements
Todd# show access-lists
Standard IP access list 1
    permit 10.2.2.1
    permit 10.3.3.1
    permit 10.4.4.1
    permit 10.5.5.1
Extended IP access list 101
    permit tcp host 10.22.22.1 any eq telnet
    permit tcp host 10.33.33.1 any eq ftp
    permit tcp host 10.44.44.1 any eq ftp-data
Todd# show {protocol} access-list {access-list number}
Todd# show access-lists {access-list number}
show access-list: Displays all access lists and their parameters configured on the router. This command does not show you which interface the list is set on.
show access-list 110: Shows only the parameters for the access list 110. This command does not show you the interface the list is set on.
show ip access-list: Shows only the IP access lists configured on the router.
show ip interface: Shows which interfaces have access lists set.
show running-config: Shows the access lists and which interfaces have access lists set.

Remember!
To view the contents of all access-lists, use the command:
show access-lists
To see which interface has an access list set, which displays the placement and direction of an IP access list on a router, use:
show ip interface

Match the following:

Access List Question
• The access control list shown in the figure has been applied to the Ethernet interface of R1 using the ip access-group 101 in command.
• Which telnet sessions will be blocked by this ACL?
The following telnet sessions will be blocked by the ACL:
Any host with an address between 5.1.1.8 and 5.1.1.11 on R1 will not be able to telnet to network 5.1.3.0
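A worked evaluator for this question, added here and not part of the course material: it implements Cisco wildcard-mask matching, top-down first-match evaluation and the implicit deny all in Python, and enumerates the hosts a source/wildcard pair covers. The ACL itself is an assumption, since the figure is not in the text; it is one access list 101 that produces the stated answer.

```python
import ipaddress
PORT_NAMES = {"telnet": 23, "ftp": 21, "ftp-data": 20}  # port keywords used on the slides

def wildcard_match(addr, base, wildcard):
    # Cisco wildcard semantics: a 1 bit means "don't care", a 0 bit must match exactly.
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a ^ b) & ~w == 0

def hosts_matched(base, wildcard):
    # Enumerate every address a base/wildcard pair covers (small wildcards only).
    b, w = (int(ipaddress.IPv4Address(x)) for x in (base, wildcard))
    return [str(ipaddress.IPv4Address((b & ~w) | s)) for s in range(w + 1) if s & ~w == 0]

def _take_addr(tokens):
    t = tokens.pop(0)
    if t == "any":
        return "0.0.0.0", "255.255.255.255"
    if t == "host":
        return tokens.pop(0), "0.0.0.0"
    return t, tokens.pop(0)

def parse_ace(line):
    # Minimal parser for one numbered extended ACL statement (assumed syntax subset).
    tokens = line.split()
    action, proto, rest = tokens[2], tokens[3], tokens[4:]
    src, dst = _take_addr(rest), _take_addr(rest)
    dport = (PORT_NAMES.get(rest[1]) or int(rest[1])) if rest[:1] == ["eq"] else None
    return {"number": tokens[1], "action": action, "proto": proto,
            "src": src, "dst": dst, "dport": dport}

def evaluate(aces, proto, src, dst, dport=None):
    # Statements are tested top-down and the first match wins; a packet that matches
    # nothing falls through to the implicit "deny all" that IOS never displays.
    for ace in aces:
        if ace["proto"] not in ("ip", proto):
            continue
        if not (wildcard_match(src, *ace["src"]) and wildcard_match(dst, *ace["dst"])):
            continue
        if ace["dport"] is not None and ace["dport"] != dport:
            continue
        return ace["action"]
    return "deny (implicit)"

# Constructed ACL (the slide's figure is not in the text) that yields the stated answer:
ACL_101 = [parse_ace(line) for line in (
    "access-list 101 deny tcp 5.1.1.8 0.0.0.3 5.1.3.0 0.0.0.255 eq telnet",
    "access-list 101 permit ip any any",
)]
```

Dropping the final permit statement from ACL_101 turns the list into the "DENY without a PERMIT" case from the chapter summary, and evaluate() then returns the implicit deny for every packet.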

Access-List Question
Write an access-list that will block all telnet connections to 10.0.1.0/24

Chapter 6 Lab
Hands-on Lab 6.3
Open your lab books and complete hands-on lab 6.3

Chapter 6 Summary
• There are two kinds of IP access lists:
  • Standard - Controls traffic based on source address only
  • Extended - Controls traffic based on both source and destination addresses as well as protocol and in some cases port numbers
• Named access lists were added at IOS version 11.2.
• Port number ranges were added at IOS version 11.3.
• Access lists serve several purposes, some of which are as follows:
  • Act as a firewall
  • Control routing updates
  • Identify interesting traffic for DDR
• An access list should never contain a DENY without a PERMIT; if it does, everything is denied.
• Every access-list contains an “IMPLICIT DENY ALL” at the end.
• If a packet does not match any condition, it is discarded.

Chapter 6 Summary (cont.)
• Access lists should be defined from most specific to least specific.
• Standard IP access lists should be placed close to the destination.
• Extended IP access lists should be placed close to the source.
• There can only be one inbound and one outbound access list per protocol per interface.
• Standard IP access lists are in the range of 1-99 and 1399–1999.
• Extended IP access lists are in the range of 100-199 and 2000-2699.
• Extended IP access lists can specify certain protocols in the TCP/IP suite.