About the Author

Steve McQuerry, CCIE No. 6108, is a consulting systems engineer with Cisco focused on data center architecture. Steve works with enterprise customers in the Midwestern United States to help them plan their data center architectures. Steve has been an active member of the internetworking community since 1991 and has held multiple certifications from Novell, Microsoft, and Cisco. Before joining Cisco, Steve worked as an independent contractor with Global Knowledge, where he taught and developed...

ACL Operation

ACLs express the set of rules that give added control for packets that enter inbound interfaces, packets that relay through the router, and packets that exit outbound interfaces of the router. ACLs do not act on packets that originate from the router. Instead, ACLs are statements that specify conditions of how the router handles the traffic flow through specified interfaces.
Inbound ACLs: Incoming packets are processed before they are routed to an outbound interface. An inbound ACL is efficient...

ACL Wildcard Masking

Address filtering occurs when you use ACL address wildcard masking to identify how to check or ignore corresponding IP address bits. Wildcard masking for IP address bits uses the numbers 1 and 0 to identify how to treat the corresponding IP address bits, as follows:
Wildcard mask bit 0: Match the corresponding bit value in the address.
Wildcard mask bit 1: Do not check (ignore) the corresponding bit value in the address.
NOTE: A wildcard mask is sometimes referred to as an inverse mask. By...

Additional Types of ACLs

Standard and extended ACLs can become the basis for other types of ACLs that provide additional functionality. These other types of ACLs include the following:
Dynamic ACLs (lock-and-key): Dynamic ACLs depend on Telnet connectivity, authentication (local or remote), and extended ACLs. Lock-and-key configuration starts with the application of an extended ACL to block traffic through the router. Users who want to traverse the router are blocked by the extended ACL until they use Telnet to connect...

Applying IP Address Space in the Enterprise Network

The Cisco Enterprise Architecture model provides a modular framework for designing and deploying networks. It also provides the ideal structure for overlaying a hierarchical IP addressing scheme. Following are some guidelines:
Design the IP addressing scheme so that blocks of 2^n contiguous network numbers (such as 4, 8, 16, 32, 64, and so on) can be assigned to the subnets in a given building distribution and access switch block. This approach lets you summarize each switch block into one large...

Authorized Self Study Guide

Interconnecting Cisco Network Devices, Part 2 (ICND2) Copyright 2008 Cisco Systems, Inc. Published by Cisco Press 800 East 96th Street Indianapolis, IN 46240 USA All rights reserved. No part of this book may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or by any information storage and retrieval system, without written permission from the publisher, except for the inclusion of brief quotations in a review. Printed in the...

Br

The configuration in Example 6-4 provides a solution for this example.
Example 6-4 Access List Preventing Traffic Originating from a Specific Subnet
RouterX(config)# access-list 1 deny 172.16.4.0 0.0.0.255
RouterX(config)# access-list 1 permit any
(implicit deny at the end of the list: access-list 1 deny 0.0.0.0 255.255.255.255)
RouterX(config)# interface ethernet 0
RouterX(config-if)# ip access-group 1 out
Table 6-4 describes the command syntax that is presented in Example 6-4.
Table 6-4 Numbered Standard IPv4 ACL Example Denying a...

Chapter Objectives

Upon completing this chapter, you will be able to describe when to use NAT or Port Address Translation (PAT) on a medium-sized network and configure NAT or PAT on routers. You will also be able to explain IPv6 addressing and configure IPv6 in a Cisco router. This ability includes being able to meet these objectives:
Configure and verify static, dynamic, and overloading NAT, and identify key show and debug command parameters that are required for troubleshooting NAT and PAT.
Explain the format of...

Chapter Organization

This book is divided into eight chapters and an appendix and is designed to be read in order because many chapters build on content from previous chapters. Chapter 1, "Review of Cisco IOS for Routers and Switches," provides a review of the Cisco IOS. This is an assumed knowledge for readers, but this chapter provides a brief review of command structure that is used throughout the other chapters of the book. Chapter 2, "Medium-Sized Switched Network Construction," explores the operation and...

Chapter Summary

Enhanced Interior Gateway Routing Protocol (EIGRP) is a Cisco routing protocol that is designed to address the shortcomings of both distance vector and link-state routing protocols. This chapter expanded on the underlying technologies within EIGRP, including the path selection process, changes in topology, load balancing, authentication, and troubleshooting common problems. The following summarizes the key points that were discussed in this chapter:
EIGRP is a classless routing protocol that...

Choosing Interconnection Technologies

A number of technologies are available to interconnect devices in a switched network. The interconnection technology that you select depends on the amount of traffic the link must carry. You will likely use a mixture of copper and fiber-optic cabling based on distances, noise immunity requirements, security, and other business requirements. Figure 2-14 illustrates different connectivity for network devices providing services in the enterprise. Some of the more common interconnection...

Cisco Catalyst Switches Do Not Exchange VTP Information

When Cisco switches do not exchange VTP information, you need to be able to determine why they are not functioning properly. Use the following guidelines to troubleshoot this problem. There are several reasons why VTP fails to exchange the VLAN information. Verify these items if switches that run VTP fail to exchange VLAN information:
VTP information passes only through a trunk port. Ensure that all ports that interconnect switches are configured as trunks and are actually trunking.
Ensure that...

Components of Troubleshooting EIGRP

When troubleshooting any network protocol, it is important to follow a defined flow or methodology. The main aspect of troubleshooting routing protocols involves ensuring that communication exists between the routers. The following sections describe the basic components of troubleshooting a network that is running EIGRP. Figure 5-8 shows an example of the flow used for diagnosing EIGRP problems. The major components of EIGRP troubleshooting include the following items:
EIGRP neighbor...

Components of Troubleshooting OSPF

Troubleshooting OSPF requires an understanding of the operation of the protocol as well as a specific approach methodology. Figure 4-8 shows the major components of OSPF troubleshooting and the order in which the process flows.
Figure 4-8 Components of Troubleshooting OSPF
The major components of OSPF troubleshooting include the following:

Configuring ACLs

This section describes the steps to configure named and numbered, standard and extended ACLs. This section also explains how to verify that the ACLs function properly and discusses some common configuration errors to avoid. Standard IPv4 ACLs, numbered 1 to 99 and 1300 to 1999 or named, filter packets based on a source address and mask, and they permit or deny the entire TCP/IP protocol suite. This standard ACL filtering may not provide the filtering control you require. You may need a more...

Configuring and Verifying OSPF

The router ospf command uses a process identifier as an argument. The process ID is a unique, arbitrary number that you select to identify the routing process. The process ID does not need to match the OSPF process ID on other OSPF routers. The network command identifies which IP networks on the router are part of the OSPF network. For each network, you must also identify the OSPF area to which the networks belong. The network command takes the three arguments listed in Table 4-1. The table...

Configuring InterVLAN Routing

To be able to route between VLANs on a switch, you will need to be able to configure inter-VLAN routing. In Figure 2-33, the FastEthernet 0/0 interface is divided into multiple subinterfaces, FastEthernet 0/0.1 and FastEthernet 0/0.2. Each subinterface represents the router in each of the VLANs for which it routes.
Figure 2-33 Inter-VLAN Routing Configuration
Use the encapsulation dot1q vlan-identifier command (where vlan-identifier is the VLAN...

Configuring Named ACLs

The named ACL feature allows you to identify standard and extended IP ACLs with an alphanumeric string (name) instead of the current numeric representations. Named IP ACLs allow you to delete individual entries in a specific ACL. If you are using Cisco IOS Release 12.3, you can use sequence numbers to insert statements anywhere in the named ACL. If you are using a software version earlier than Cisco IOS Release 12.3, you can insert statements only at the bottom of the named ACL. Because you can...

Considering Traffic Source to Destination Paths

When you are designing and implementing networks, a key factor for VLAN deployment is understanding the traffic patterns and the various traffic types. Figure 2-4 displays some common components of a network; this, along with the traffic requirements, should be a baseline for designing VLANs.
Figure 2-4 Network Enterprise Components
Table 2-5 lists the common types of network traffic that should be considered before placing devices and configuring the VLAN....

Contents

Chapter 1 Review of Cisco IOS for Routers and Switches
  Chapter Objectives
  Cisco IOS CLI Functions
  Configuration Modes of Cisco IOS Software
  Help Facilities of the Cisco IOS CLI
  Commands Review
  Summary of Cisco IOS CLI Commands
  Chapter Summary
  Review Questions
Chapter 2 Medium-Sized Switched Network Construction
  Chapter Objectives
  Implementing VLANs and Trunks
  Understanding VLANs
  VLAN Overview
  Grouping Business Functions into VLANs
  Applying IP Address Space in...

Dedications

Becky, as the years go by, I love you more. Thank you for your support and understanding. Katie, your work ethic has always amazed me. As you prepare to move into the next phase of your life, remember your goals and keep working hard and you can achieve anything. Logan, you have never believed there was anything you couldn't do. Keep that drive and spirit, and there will be no limit to what you can accomplish. Cameron, you have a keen sense of curiosity that...

Deleting VLANs and Port Membership

When you delete a VLAN from a switch that is in VTP server mode, the VLAN is removed from all switches in the VTP domain. When you delete a VLAN from a switch that is in VTP transparent mode, the VLAN is deleted only on that specific switch. Use the global configuration command no vlan vlan-id to remove a VLAN.
NOTE: Before deleting a VLAN, be sure to reassign all member ports to a different VLAN. Any ports that are not moved to an active VLAN are unable to communicate with other stations after...

Describing Port Security

Port security is a feature supported on Cisco Catalyst switches that restricts a switch port to a specific set or number of MAC addresses. The switch can learn these addresses dynamically, or you can configure them statically. Figure 2-35 shows how the switch interacts with port security. A port that is configured with port security accepts frames only from those addresses that it has learned or that you have configured. Port security has several implementations:
Dynamic: You specify how many...

Designate the Root Bridge

Often, information about the location of the spanning-tree root bridge is not available at troubleshooting time. Do not let STP decide which switch becomes the root bridge. For each VLAN, you can usually identify which switch can best serve as the root bridge. Which switch would make the best root bridge depends on the design of the network. Generally, choose a powerful switch in the middle of the network. If you put the root bridge in the center of the network with direct connection to the...

EtherChannel Overview

The increasing deployment of switched Ethernet to the desktop can be attributed to the proliferation of bandwidth-intensive applications. Any-to-any communications of new applications, such as video to the desktop, interactive messaging, and collaborative white-boarding, increase the need for scalable bandwidth. At the same time, mission-critical applications call for resilient network designs. With the wide deployment of faster switched Ethernet links in the campus, organizations either need...

Example Network Design

A business with approximately 250 employees wants to migrate to the Cisco Enterprise Architecture. Table 2-1 shows the number of users in each department. Six VLANs are required to accommodate one VLAN per user community. Following the guidelines of the Cisco Enterprise Architecture, six IP subnets are required. The business has decided to use network 10.0.0.0 as its base address. To accommodate future growth, there will be one block of IP addresses per building, as follows:
Building A is...

Example Router on a Stick

Figure 2-31 illustrates a router attached to a core switch. The configuration between a router and a core switch is sometimes referred to as a router on a stick. The router can receive packets on one VLAN and forward them to another VLAN. To perform inter-VLAN routing functions, the router must know how to reach all VLANs being interconnected. Each VLAN must have a separate connection on the router, and you must enable 802.1Q trunking on those connections. The router already knows about...

Example Spanning Tree Operation

The best way to understand how spanning tree operates is to look at an operation example. Figure 2-26 shows a sample network spanning tree topology and the relevant information used by spanning tree. (Figure 2-26 data: root bridge with default priority 32768; switch MAC addresses 0c00.1111.0000, 0c00.1111.1111, and 0c00.1111.2222.) The following describes the STP port states illustrated in Figure 2-26:
The root bridge is switch Z, which has the lowest BID. The root port is port 0 on switches X and...

Example Spanning Tree Path Cost

The spanning-tree path cost is an accumulated total path cost based on the bandwidth of all the links in the path. In the figure, some of the path costs specified in the 802.1D specification are shown. The 802.1D specification has been revised; in the older specification, the cost was calculated based on a bandwidth of 1000 Mbps. The calculation of the new specification uses a nonlinear scale to accommodate higher-speed interfaces.
NOTE: Most Cisco Catalyst switches incorporate the revised cost...

Example Spanning Tree Recalculation

In Figure 2-27, if switch Z (the root bridge) fails and does not send a BPDU to switch Y within the max_age time (default is 20 seconds, which equals 10 missed BPDUs), switch Y detects the missing BPDU from the root bridge. When the max_age timer on switch Y expires before a new BPDU has been received from switch Z, a spanning-tree recalculation is initiated. Switch Y transitions its blocking port (port 1) from the blocking state to the listening state, then to the learning state, and finally to...

Example VTP Configuration

Example 2-1 demonstrates the commands that you would enter to configure VTP and display VTP status. The characteristics of the switch in this example are as follows:
The switch is transparent in the VTP domain.
The configuration revision is 0.
NOTE: In the output from the show vtp status command, VTP Version identifies what version of VTP the switch is capable of running, and VTP V2 Mode indicates whether VTP Version 2 is being used. If VTP V2 Mode shows disabled, VTP Version 1 is being used....

Features

This book features actual router and switch output to aid in the discussion of the configuration of these devices. Many notes, tips, and cautions are also spread throughout the text. In addition, you can find many references to standards, documents, books, and websites to help you understand networking concepts. At the end of each chapter, your comprehension and knowledge are tested by review questions prepared by a certified Cisco instructor.
NOTE: The operating systems used in this book are...

Feedback Information

At Cisco Press, our goal is to create in-depth technical books of the highest quality and value. Each book is crafted with care and precision, undergoing rigorous development that involves the unique expertise of members from the professional technical community. Readers' feedback is a natural continuation of this process. If you have any comments regarding how we could improve the quality of this book, or otherwise alter it to better suit your needs, you can contact us through email at...

Introducing EIGRP

EIGRP is a Cisco-proprietary routing protocol that combines the advantages of link-state and distance vector routing protocols. EIGRP is an advanced distance vector or hybrid routing protocol that includes the following features:
Rapid convergence: EIGRP uses the Diffusing Update Algorithm (DUAL) to achieve rapid convergence. A router that uses EIGRP stores all available backup routes for destinations so that it can quickly adapt to alternate routes. If no appropriate route or backup route exists...

Introducing OSPF

Open Shortest Path First is a link-state routing protocol. You can think of a link as an interface on a router. The state of the link is a description of that interface and of its relationship to its neighboring routers. A description of the interface would include, for example, the IP address of the interface, the subnet mask, the type of network to which it is connected, the routers that are connected to that network, and so on. The collection of all of these link states forms a link-state...

Introducing VLSMs

When an IP network is assigned more than one subnet mask for a given major network, it is considered a network with VLSMs, overcoming the limitation of a fixed number of fixed-size subnetworks imposed by a single subnet mask. Figure 3-30 shows the 172.16.0.0 network with four separate subnet masks. VLSMs provide the capability to include more than one subnet mask within a network and the capability to subnet an already subnetted network address. In addition, VLSM offers the following benefits...

Medium-Sized Routed Network Construction

Routing is the process of determining where to send data packets that are destined for addresses outside the local network. Routers gather and maintain routing information to enable the transmission and receipt of these data packets. Routing information takes the form of entries in a routing table, with one entry for each identified route. The router can use a routing protocol to create and maintain the routing table dynamically so that network changes can be accommodated whenever they occur....

Multiple Spanning Tree Protocol

Multiple Spanning Tree Protocol (MSTP), originally defined in IEEE 802.1s and later merged into IEEE 802.1Q-2003, defines a spanning-tree protocol that has several spanning-tree instances running for the network. But unlike PVRST+, which has one instance of RSTP per VLAN, MSTP reduces the switch load by allowing a single instance of spanning tree to run for multiple VLANs.

Native VLAN Mismatches

The native VLAN that is configured on each end of an IEEE 802.1Q trunk must be the same. Remember that a switch receiving an untagged frame assigns the frame to the native VLAN of the trunk. If one end of the trunk is configured for native VLAN 1 and the other end is configured for native VLAN 2, a frame sent from VLAN 1 on one side is received on VLAN 2 on the other. VLAN 1 leaks into the VLAN 2 segment. There is no reason this behavior would be required, and connectivity issues will occur in...

Overview of Switch Security Concerns

Much industry attention surrounds security attacks from outside the walls of an organization and at the upper Open Systems Interconnection (OSI) layers. Network security often focuses on edge routing devices and the filtering of packets based on Layer 3 and Layer 4 headers, ports, stateful packet inspection, and so on. This focus includes all issues surrounding Layer 3 and above, as traffic makes its way into the campus network from the Internet. Campus access devices and Layer 2 communication...

Per VLAN Spanning Tree

The 802.1D standard defines a Common Spanning Tree (CST) that assumes only one spanning-tree instance for the entire switched network, regardless of the number of VLANs. In a network running CST, these statements are true:
No load sharing is possible; one uplink must block for all VLANs.
The CPU is spared; only one instance of spanning tree must be computed.
Per VLAN Spanning Tree Plus (PVST+) defines a spanning-tree protocol that has several spanning-tree instances running for the network, one...

Problem Host Connectivity

Host 10.1.1.1 has no connectivity with 10.100.100.1. The following output reveals information about the access list(s) in place to help determine the possible cause of the problem:
10 deny 10.1.1.0, wildcard bits
20 permit 10.1.1.1
30 permit ip any any
The cause of this problem is that Host 10.1.1.1 has no connectivity with 10.100.100.1 because of the order of the access list 10 rules. Because the router processes ACLs from the top down, statement 10 would deny host 10.1.1.1, and statement 20...

Process for Configuring Port Security

Table 2-14 describes the process that can achieve the desired results for this scenario. Port security is configured to allow only five connections on that port, and one entry is configured for each of the five allowed MAC addresses. This step populates the MAC address table with five entries for that port and allows no additional entries to be learned dynamically. When frames arrive on the switch port, their source MAC address is checked against the MAC address table. If the source MAC address...

802.1Q Native VLAN

An 802.1Q trunk and its associated trunk ports have a native VLAN value. 802.1Q does not tag frames for the native VLAN. Therefore, ordinary stations can read the native untagged frames but cannot read any other frame because the frames are tagged. Figure 2-10 shows a frame from the native VLAN being distributed across the network trunks untagged.

802.1Q Trunking Configuration

The 802.1Q protocol carries traffic for multiple VLANs over a single link on a multivendor network. 802.1Q trunks impose several limitations on the trunking strategy for a network. You should consider the following:
Ensure that the native VLAN for an 802.1Q trunk is the same on both ends of the trunk link. If they are different, spanning-tree loops might result.
Native VLAN frames are untagged.
Table 2-6 shows how 802.1Q trunking interacts with other switch features.
Table 2-6 Switch Feature...

Rapid Spanning Tree Protocol

Rapid Spanning Tree Protocol (RSTP), specified in the IEEE 802.1w standard, supersedes STP as specified in 802.1D, while remaining compatible with STP. RSTP can be seen as an evolution of the 802.1D standard rather than a revolution. The 802.1D terminology remains primarily the same. Most parameters have been left unchanged, so users familiar with 802.1D can configure the new protocol comfortably. (Figure caption: Bridge ID Without the Extended System ID.) RSTP significantly reduces the time to reconverge the...

Resolving Issues with STP

STP provides loop resolution by managing the physical paths to given network segments. STP allows physical path redundancy while preventing the undesirable effects of active loops in the network. STP is an IEEE committee standard defined as 802.1D. Figure 2-21 illustrates how a blocked port would prevent traffic flow between the segments. STP forces certain ports into a standby state so that they do not listen to, forward, or flood data frames. The overall effect is that there is only one path...

Review Questions

Use the questions here to review what you learned in this chapter. The correct answers and solutions are found in the appendix, "Answers to Chapter Review Questions."
1. Which feature is required for multiple VLANs to span multiple switches?
a. A trunk to connect the switches
b. A router to connect the switches
c. A bridge to connect the switches
d. A VLAN configured between the switches
2. What does a VMPS map to VLAN assignments?
3. What are two reasons for using 802.1Q? (Choose two.)
a. To allow...

Reviewing Subnets

Prior to working with VLSM, it is important to have a firm grasp on IP subnetting. When you are creating subnets, you must determine the optimal number of subnets and hosts.
Computing Usable Subnetworks and Hosts
Remember that an IP address has 32 bits and comprises two parts: a network ID and a host ID. The length of the network ID and host ID depends on the class of the IP address. The number of hosts available also depends on the class of the IP address. The default number of bits in the...

RSTP Port Roles

RSTP defines the port roles as follows:
Root: A forwarding port elected for the spanning-tree topology.
Designated: A forwarding port elected for every switched LAN segment.
Alternate: An alternate path to the root bridge that is different from the path that the root port takes.
Backup: A backup path that provides a redundant (but less desirable) connection to a segment to which another switch port already connects. Backup ports can exist only where two ports are connected in a loopback by a...

Securing Switch Devices

You should use your security policy to determine how to configure security on your various network devices. Best practices for securing these devices also exist. Follow these recommended practices for secure switch access:
Set system passwords: Use the enable secret command to set the password that grants privileged access to the Cisco IOS system. Because the enable secret command simply implements a Message Digest 5 (MD5) hash on the configured password, that password remains vulnerable to...

Summary of Implementing EIGRP

The following summarizes the key points that were discussed in the previous sections:
EIGRP is a classless, advanced distance vector routing protocol that runs the DUAL algorithm.
EIGRP requires you to configure an autonomous system number that must match on all routers to exchange routes.
EIGRP is capable of load balancing across unequal-cost paths.
EIGRP supports MD5 authentication to protect against unauthorized, rogue routers entering your network.

Summary of Implementing Variable Length Subnet Masks

The following list summarizes the key points discussed in this section:
Subnetting lets you efficiently allocate addresses by taking one large broadcast domain and breaking it up into smaller, more manageable broadcast domains.
VLSMs let you more efficiently allocate IP addresses by adding multiple layers of the addressing hierarchy.
The benefits of route summarization include smaller routing tables and the ability to isolate topology changes.

Summary of OSPF Introduction

The following summarizes the key points that were discussed in this section:
OSPF is a classless, link-state routing protocol that uses an area hierarchy for fast convergence.
OSPF exchanges hello packets to establish neighbor adjacencies between routers.
The SPF algorithm uses a cost metric to determine the best path. Lower costs indicate a better path.
The router ospf process-id command is used to enable OSPF on the router.
Use a loopback interface to keep the OSPF router ID consistent.
The...

Summary of Reviewing Routing Operations

The following list summarizes the key points discussed in this section:
Dynamic routing requires administrators to configure either a distance vector or a link-state routing protocol.
Distance vector routing protocols incorporate solutions such as split horizon, route poisoning, and hold-down timers to prevent routing loops.
Link-state routing protocols scale to large network infrastructures better than distance vector routing protocols, but they require more planning to implement.

Summary of Troubleshooting ACLs

The following summarizes the key points that were discussed in this section:
An improperly configured access list can prevent legitimate traffic from passing through a router or allow unauthorized traffic to pass through the router.
You can use the show access-lists command to verify the configuration of an access list on a router.
You can use the show ip interface command to verify where the access list is applied to an interface and what direction it is applied in.

Summary of Troubleshooting EIGRP

The following summarizes the key points that were discussed in this section:
Troubleshooting EIGRP includes several aspects, such as resolving neighbor relationships, routing table issues, and authentication problems.
Issues that can cause EIGRP neighbor problems include incorrect network commands and hello packet information mismatches. Use the show ip eigrp neighbors command to help troubleshoot these issues.
Missing EIGRP routes from the routing table can be because of route filtering or...

Switch Behavior with Broadcast Frames

Switches handle broadcast and multicast frames differently from the way they handle unicast frames. Because broadcast and multicast frames may be of interest to all stations, the switch or bridge normally floods broadcast and multicast frames to all ports except the originating port. A switch or bridge never learns a broadcast or multicast address because broadcast and multicast addresses never appear as the source address of a frame. This flooding of broadcast and multicast frames can cause a...

Trademark Acknowledgments

All terms mentioned in this book that are known to be trademarks or service marks have been appropriately capitalized. Cisco Press or Cisco Systems, Inc., cannot attest to the accuracy of this information. Use of a term in this book should not be regarded as affecting the validity of any trademark or service mark.

Troubleshooting ACLs

When you finish the ACL configuration, use the show commands to verify the configuration. Use the show access-lists command to display the contents of all ACLs, as demonstrated in Example 6-13. By entering the ACL name or number as an option for this command, you can display a specific ACL. To display only the contents of all IP ACLs, use the show ip access-list command.
Example 6-13 Verifying Access List Configuration
10 deny 10.1.1.0, wildcard bits 0.0.0.255
20 permit 10.3.3.1
30 permit...

Trunk Mode Mismatches

You should statically configure trunk links whenever possible. However, Cisco Catalyst switch ports run DTP by default, which tries to automatically negotiate a trunk link. This Cisco proprietary protocol can determine an operational trunking mode and protocol on a switch port when it is connected to another device that is also capable of dynamic trunk negotiation. Table 2-15 outlines DTP mode operations. Creates the trunk link based on the DTP request from the neighboring switch. Dynamic Auto...

Unable to See VLAN Details in the show run Command Output

VTP client and server systems require VTP updates from other VTP servers to be immediately saved without user intervention. A VLAN database was introduced into Cisco IOS Software as a method to immediately save VTP updates for VTP clients and servers. In some versions of software, this VLAN database is in the form of a separate file in Flash, called the vlan.dat file. You can view VTP and VLAN information that is stored in the vlan.dat file for the VTP client or VTP server if you issue the show...

Understanding ACLs

To be able to configure and implement ACLs, you need to understand the capacity in which they are used. Cisco devices use ACLs in two primary functions: classification and filtering. The following explains each of these functions.
Classification: Routers also use ACLs to identify particular traffic. After an ACL has identified and classified traffic, you can configure the router with instructions on how to handle that traffic. For example, you can use an ACL to identify the executive subnet as the...

Understanding Trunking with 802.1Q

A trunk is a point-to-point link between one or more Ethernet switch interfaces and another networking device such as a router or a switch. Ethernet trunks carry the traffic of multiple VLANs over a single link and allow you to extend the VLANs across an entire network. Cisco supports IEEE 802.1Q for FastEthernet and Gigabit Ethernet interfaces. In addition, some Cisco switches support Cisco Inter-Switch Link (ISL) trunks, a prestandard trunking technology. Figure 2-8 shows an example of trunks...

Understanding VLAN Trunking Protocol

VLAN Trunking Protocol (VTP) is a Layer 2 messaging protocol that maintains VLAN configuration consistency by managing the additions, deletions, and name changes of VLANs across networks. VTP minimizes misconfigurations and configuration inconsistencies that can cause problems, such as duplicate VLAN names or incorrect VLAN-type specifications. Figure 2-11 shows how you can use VTP to manage VLANs between switches (the figure shows a set of VTP clients...).

Understanding VLANs

Understanding how VLANs operate and what the associated protocols are is important for configuring, verifying, and troubleshooting VLANs on Cisco access switches. This section describes VLAN operations and their associated protocols. A poorly designed network has increased support costs, reduced service availability, security risks, and limited support for new applications and solutions. Less-than-optimal performance affects end users and access to central resources directly. Some of the issues...

Use the Diagram of the Network

Before you troubleshoot a bridging loop, you must at least be aware of the following:
- The topology of the bridge network
- The location of the root bridge
- The location of the blocked ports and the redundant links
This knowledge is essential for the following reasons: Before you can determine what to fix in the network, you must know how the network looks when it is functioning correctly. Most of the troubleshooting steps simply use show commands to identify error conditions. Knowledge of the...

VLAN Port Assignment

After creating a VLAN, you can manually assign a port or a number of ports to that VLAN. A port can belong to only one VLAN at a time. When you assign a switch port to a VLAN using this method, it is known as a static-access port. On most Cisco Catalyst switches, you configure the VLAN port assignment from interface configuration mode using the switchport access vlan command, as demonstrated in Example 2-4; verify the result with show vlan brief or show interfaces switchport. Use the vlan vlan_number option to set static-access membership. Use the dynamic option to...

Voice VLAN Essentials

Some Cisco Catalyst switches offer a unique feature called a voice VLAN, which lets you overlay a voice topology onto a data network. You can segment phones into separate logical networks, even though the data and voice infrastructure are physically the same, as illustrated in Figure 2-5. The voice VLAN feature places the phones into their own VLANs without any end-user intervention. The user simply plugs the phone into the switch, and the switch provides the phone with the necessary VLAN...

VTP Operation

VTP advertisements are flooded throughout the management domain. VTP advertisements are sent every 5 minutes or whenever VLAN configurations change. Advertisements are transmitted over the default VLAN (VLAN 1) using a multicast frame. A configuration revision number is included in each VTP advertisement. A higher configuration revision number indicates that the VLAN information being advertised is more current than the stored information. Figure 2-12 illustrates this operation. One of the most...
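The revision-number rule has a well-known failure mode: a switch that carries the domain name and a higher revision number, whether it is a server or a client, overwrites the VLAN database of every other switch in the domain as soon as it is connected. The following Python model is an added example, not part of the book and not Cisco code; the switch names, the domain name CORP, the VLAN sets and the revision numbers are constructed for the illustration, and an advertisement is reduced to the three fields that drive the decision (domain, revision, VLAN list).

```python
from dataclasses import dataclass
from typing import List, Set


@dataclass
class Switch:
    name: str
    domain: str
    mode: str            # "server", "client" or "transparent"
    revision: int
    vlans: Set[int]


def receive_summary(sw: Switch, domain: str, revision: int, vlans: Set[int]) -> bool:
    """Apply a summary advertisement; return True if the VLAN database was replaced.
    Servers and clients both accept a higher revision from their own domain; a transparent
    switch only forwards advertisements and never changes its own database."""
    if sw.mode == "transparent" or sw.domain != domain:
        return False
    if revision > sw.revision:
        sw.vlans = set(vlans)
        sw.revision = revision
        return True
    return False


def flood(switches: List[Switch], source: Switch) -> List[str]:
    """Flood the source's advertisement over the trunks; return the switches that changed."""
    return [sw.name for sw in switches
            if sw is not source and receive_summary(sw, source.domain, source.revision, source.vlans)]


def change_domain(sw: Switch, new_domain: str) -> None:
    """Changing the domain name (like moving to transparent mode) resets the revision to 0 on IOS."""
    sw.domain = new_domain
    sw.revision = 0


def demo() -> dict:
    prod = {1, 10, 20, 30}
    core = Switch("core", "CORP", "server", 12, set(prod))
    access = [Switch(f"access{i}", "CORP", "client", 12, set(prod)) for i in range(1, 4)]
    # Constructed scenario: a switch that spent months in a lab, still in domain CORP,
    # now carries revision 57 and only VLAN 1, and is plugged back in as a client.
    lab = Switch("lab", "CORP", "client", 57, {1})
    overwritten = flood([core, *access, lab], lab)
    core_vlans_after = sorted(core.vlans)
    # Mitigation: clear the revision before connecting by moving through a scratch domain.
    lab2 = Switch("lab2", "CORP", "client", 99, {1})
    change_domain(lab2, "SCRATCH")
    change_domain(lab2, "CORP")
    core2 = Switch("core2", "CORP", "server", 12, set(prod))
    return {
        "overwritten": overwritten,
        "core vlans after": core_vlans_after,
        "after revision reset": flood([core2, lab2], lab2),
        "core2 vlans": sorted(core2.vlans),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

On a real switch, change the VTP domain name or set transparent mode before connecting equipment that has been elsewhere, and read the configuration revision from show vtp status first; a VTP password (advertisements carry an MD5 of it, and a switch ignores advertisements whose password does not match) and VTP version 3, in which only the primary server can originate changes, close the same hole.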

Warning and Disclaimer

This book is designed to provide information about the configuration and operation of Cisco routers and switches as described in the Interconnecting Cisco Network Devices 2 (ICND2) course. Every effort has been made to make this book as complete and as accurate as possible, but no warranty or fitness is implied. The information is provided on an as is basis. The authors, Cisco Press, and Cisco Systems, Inc. shall have neither liability nor responsibility to any person or entity with respect to...

Port Based Authentication

The IEEE 802.1X standard defines a port-based access control and authentication protocol that restricts unauthorized workstations from connecting to a LAN through publicly accessible switch ports. The authentication server authenticates each workstation that is connected to a switch port before making available any services offered by the switch or the LAN. Figure 2-36 shows the roles of each device in port-based authentication.
Figure 2-36 802.1X Port-Based Authentication
Requests Access and...

Loopback Interfaces

The OSPF router ID uniquely identifies each router in the OSPF network. By default, this ID is selected by the operating system from the IP addresses configured on the router. To make the router ID use a loopback address, first define a loopback interface with the following command:
RouterX(config)# interface loopback number
The highest IP address, used as the router ID by default, is overridden by an IP address configured on a loopback interface; the router-id command under the OSPF process overrides both. OSPF is more reliable if...
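The precedence described above, as an added Python example that is not from the book: given the router-id command (if any) and the interface table, it returns the ID an IOS router chooses when the OSPF process starts. The interface names and addresses for RouterX are constructed.

```python
import ipaddress
from typing import Iterable, Optional, Tuple

Interface = Tuple[str, str, bool]   # (name, IPv4 address, line protocol up)


def select_router_id(interfaces: Iterable[Interface], configured: Optional[str] = None) -> str:
    """IOS precedence when the OSPF process starts:
       1. the router-id command, if configured;
       2. otherwise the highest IP address on any loopback interface;
       3. otherwise the highest IP address on any active (up) interface."""
    ifaces = list(interfaces)
    if configured:
        return str(ipaddress.IPv4Address(configured))   # also validates the address
    loopbacks = [ip for name, ip, up in ifaces if name.lower().startswith("loopback") and up]
    if loopbacks:
        return str(max(loopbacks, key=ipaddress.IPv4Address))
    active = [ip for name, ip, up in ifaces if up]
    if not active:
        raise RuntimeError("no usable IP address: OSPF cannot start without a router ID")
    return str(max(active, key=ipaddress.IPv4Address))


# Constructed interface table for RouterX.
ROUTERX = [
    ("GigabitEthernet0/0", "192.168.100.1", True),
    ("GigabitEthernet0/1", "10.1.1.1", True),
    ("Serial0/0/1", "203.0.113.9", False),   # line protocol down: never considered
]


def demo() -> dict:
    with_loopback = ROUTERX + [("Loopback0", "1.1.1.1", True)]
    return {
        "physical only": select_router_id(ROUTERX),                 # highest active address
        "with Loopback0": select_router_id(with_loopback),          # loopback wins although lower
        "router-id command": select_router_id(with_loopback, "10.255.255.1"),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The choice is made once, when the process starts, so adding a loopback or a router-id command to a running router takes effect only after clear ip ospf process or a reload. A loopback is preferred because it never goes down with a physical link, so the router ID, and with it every LSA the router originates, stays stable.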

ACL Identification

When you create numbered ACLs, you enter an ACL number as the first argument of the global ACL statement. The test conditions for an ACL vary depending on whether the number identifies a standard or extended ACL. You can create many ACLs for a protocol. Select a different ACL number for each new ACL within a given protocol. However, you can apply only one ACL per protocol, per direction, and per interface. Specifying an ACL number from 1 to 99 or 1300 to 1999 instructs the router to accept...

Configuring RSTP

Cisco Catalyst switches support three types of spanning-tree protocols: PVST+, PVRST+, and MSTP.
- PVST+: Based on the 802.1D standard, this includes Cisco proprietary extensions, such as BackboneFast, UplinkFast, and PortFast, which improve STP convergence time.
- PVRST+: Based on the 802.1w standard, this has faster convergence than 802.1D.
- MSTP (802.1s): Combines the best aspects of PVST+ and the IEEE standards.
To implement PVRST+, perform these steps:
Step 2 Designate and configure a switch to be...

The configuration in Example 6-8 provides a solution for this example.

Example 6-8 Access List Preventing Telnet Traffic from a Specific Subnet
RouterX(config)# access-list 101 deny tcp 172.16.4.0 0.0.0.255 any eq 23
RouterX(config)# access-list 101 permit ip any any
RouterX(config)# interface ethernet 0
RouterX(config-if)# ip access-group 101 out

This example denies Telnet traffic from 172.16.4.0 that is being sent out interface E0. All other IP traffic from any other source to any destination is...

Troubleshooting OSPF Neighbor Adjacencies

The first component to troubleshoot and verify is the OSPF neighbor adjacency. Figure 4-9 shows the verification and troubleshooting components for neighbor adjacencies.
Figure 4-9 Troubleshooting OSPF Neighbor Adjacencies
A healthy OSPF neighbor state is Full. If the OSPF neighbor state remains in any other state, it may indicate a problem. Example 4-12 demonstrates sample output from the show ip ospf neighbor command to gather this information....

MAC Database Instability

MAC database instability results when multiple copies of a frame arrive on different ports of a switch. This subtopic describes how MAC database instability can arise and explains what problems can result. Figure 2-20 illustrates this problem switch B installs a database entry, mapping the MAC address of host X to port 1. Sometime later, when the copy of the frame transmitted through switch A arrives at port 2 of switch B, switch B removes the first entry and installs an entry that incorrectly...

Troubleshooting OSPF Routing Tables

After you have verified that the adjacencies are correct, the next step is to troubleshoot and verify the routing tables. Figure 4-10 shows the procedures for verifying the routing tables.
Figure 4-10 Troubleshooting OSPF Routing Tables
An OSPF route found in the routing table can have a variety of different codes:
- O: OSPF intra-area route, from a router within the same OSPF area
- O IA: OSPF inter-area route, from another area in the OSPF...

SPF Algorithm

The SPF algorithm places each router at the root of a tree and calculates the shortest path to each node, using Dijkstra's algorithm, based on the cumulative cost that is required to reach that destination. LSAs are flooded throughout the area using a reliable algorithm, which ensures that all routers in an area have the same topological database. Each router uses the information in its topological database to calculate a shortest path tree, with itself as the root. The router then uses this...

Using OSPF debug Commands

The debug ip ospf events output shown in Example 4-6 might appear if any of the following situations occur:
- The IP subnet masks for the routers on the same network do not match.
- The OSPF hello interval for the router does not match the OSPF hello interval that is configured on a neighbor.
- The OSPF dead interval for the router does not match the OSPF dead interval that is configured on a neighbor.
If a router that is configured for OSPF routing is not seeing an OSPF neighbor on an attached...

Troubleshooting Plaintext Password Authentication

If you are using OSPF password authentication, you must also be prepared to troubleshoot any authentication problems that may occur during the adjacency process. You can use the debug ip ospf adj command to display OSPF adjacency-related events. This command is useful when troubleshooting authentication. Keep in mind that a plaintext password is carried in the clear in every OSPF packet, so anyone who can capture traffic on the segment learns it; the same troubleshooting procedure applies to MD5 authentication, which is the option to prefer. If plaintext password authentication is configured on the Router X serial 0/0/1 interface but no authentication is configured on the Router Y serial 0/0/1 interface, the routers will not be...

OSPF Authentication

OSPF neighbor authentication (also called neighbor router authentication or route authentication) can be configured such that routers can participate in routing based on predefined passwords. When you configure neighbor authentication on a router, the router authenticates the source of each routing update packet that it receives. This authentication is accomplished by the exchange of an authenticating key (sometimes referred to as a password) that is known to both the sending and receiving...

Establishing OSPF Neighbor Adjacencies

Neighbor OSPF routers must recognize each other on the network before they can share information because OSPF routing depends on the status of the link between two routers. This process is done using the Hello protocol. The Hello protocol establishes and maintains neighbor relationships by ensuring bidirectional (two-way) communication between neighbors. Bidirectional communication occurs when a router recognizes itself listed in the hello packet received from a neighbor. Figure 4-2 illustrates...
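The hello checks that decide whether this exchange proceeds, serving both the mismatch list under Using OSPF debug Commands and the bidirectional rule above, as an added Python example that is not code from the book. It applies the receive checks of RFC 2328 section 10.5 (area ID, authentication type, network mask and same subnet on every network type except point-to-point and virtual links, hello and dead intervals) and then reports Init or 2-Way depending on whether the receiving router finds its own router ID in the neighbor's hello. The router IDs, addresses and timers are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Hello:
    router_id: str
    source_ip: str
    network_mask: str
    hello_interval: int
    dead_interval: int
    area_id: str
    auth_type: int                    # 0 = null, 1 = simple password, 2 = cryptographic (MD5)
    neighbors: Tuple[str, ...] = ()   # router IDs the sender has already heard from


def hello_problems(local: Hello, received: Hello, network_type: str = "broadcast") -> List[str]:
    """Reasons a received hello is discarded (what debug ip ospf events reports as a mismatch).
    An empty list means the hello is accepted."""
    problems = []
    if received.area_id != local.area_id:
        problems.append("area ID mismatch")
    if received.auth_type != local.auth_type:
        problems.append("authentication type mismatch")
    if network_type not in ("point-to-point", "virtual-link"):
        # the mask and subnet only have to agree where several routers share one network
        if received.network_mask != local.network_mask:
            problems.append("subnet mask mismatch")
        local_net = ipaddress.ip_network(f"{local.source_ip}/{local.network_mask}", strict=False)
        if ipaddress.ip_address(received.source_ip) not in local_net:
            problems.append("source address not on the local subnet")
    if received.hello_interval != local.hello_interval:
        problems.append("hello interval mismatch")
    if received.dead_interval != local.dead_interval:
        problems.append("dead interval mismatch")
    return problems


def neighbor_state(local: Hello, received: Hello, network_type: str = "broadcast") -> str:
    """Init after the first valid hello; 2-Way once the local router ID appears in the neighbor's
    hello (bidirectional communication); Down if the hello is discarded."""
    if hello_problems(local, received, network_type):
        return "Down"
    return "2-Way" if local.router_id in received.neighbors else "Init"


# Constructed hellos on the 10.64.0.0/24 link between RouterX and RouterY.
X = Hello("10.64.0.1", "10.64.0.1", "255.255.255.0", 10, 40, "0.0.0.0", 0)
Y_FIRST = Hello("10.64.0.2", "10.64.0.2", "255.255.255.0", 10, 40, "0.0.0.0", 0)
Y_OK = Hello("10.64.0.2", "10.64.0.2", "255.255.255.0", 10, 40, "0.0.0.0", 0, neighbors=("10.64.0.1",))
Y_TIMERS = Hello("10.64.0.2", "10.64.0.2", "255.255.255.0", 30, 120, "0.0.0.0", 0)   # timers changed on one side
Y_MASK = Hello("10.64.0.2", "10.64.0.2", "255.255.0.0", 10, 40, "0.0.0.0", 0, neighbors=("10.64.0.1",))


def demo() -> dict:
    return {
        "first hello": neighbor_state(X, Y_FIRST),
        "sees itself listed": neighbor_state(X, Y_OK),
        "timer mismatch": hello_problems(X, Y_TIMERS),
        "mask mismatch, broadcast": neighbor_state(X, Y_MASK),
        "mask mismatch, point-to-point": neighbor_state(X, Y_MASK, "point-to-point"),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The last two results are why a mask mismatch shows up on an Ethernet segment but not on a serial link: the receiving checks differ by network type, and the neighbor stuck in Init is the one that never sees its own router ID echoed back.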

Troubleshooting EIGRP Neighbor Relationships

The first step in the flow is to troubleshoot neighbor relationships. Figure 5-9 shows the steps for troubleshooting these issues.
Figure 5-9 Troubleshooting EIGRP Neighbor Issues
Example 5-9 shows output from the show ip eigrp neighbors command, which indicates that a successful neighbor relationship exists with two routers.
Example 5-9 Confirming EIGRP Neighbor Relationships
For EIGRP routers...

Load Balancing with EIGRP

Typically, networks are configured with multiple paths to a remote network. When these paths are equal or nearly equal, it makes sense to use all the available paths. Unlike Layer 2 forwarding, Layer 3 forwarding has the capability to load-balance between multiple paths. That is, the router can send packets out multiple interfaces to reduce the amount of traffic sent to a single network connection. The key to this feature is that the network paths must be of equal cost (or nearly equal for...
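The "nearly equal" case is EIGRP's variance feature: a path is also installed when it is a feasible successor (its reported distance is lower than the feasible distance) and its metric is no more than variance times the best metric. The following Python example is added here and is not from the book; it computes the classic composite metric with the default K values (256 * (10^7 / minimum bandwidth in kbps + total delay in tens of microseconds)) for a constructed topology with three neighbors A, B and C, then applies the selection rule for variance 1, 2 and 3.

```python
from typing import List, Tuple

Link = Tuple[int, int]   # (bandwidth in kbps, delay in microseconds), as shown by show interfaces


def eigrp_metric(links: List[Link], k1: int = 1, k3: int = 1) -> int:
    """Classic EIGRP composite metric with the default K values (K2 = K4 = K5 = 0):
    256 * (K1 * 10^7 / minimum bandwidth + K3 * total delay / 10), integer division as IOS does."""
    min_bw = min(bw for bw, _ in links)
    total_delay = sum(delay for _, delay in links)
    return 256 * (k1 * (10 ** 7 // min_bw) + k3 * (total_delay // 10))


def candidate(next_hop: str, links: List[Link]) -> dict:
    """links[0] is the link to the neighbor; the rest is the neighbor's own path to the destination,
    whose metric is the reported distance (RD) that the neighbor advertises."""
    return {"next_hop": next_hop, "metric": eigrp_metric(links), "rd": eigrp_metric(links[1:])}


def select_paths(candidates: List[dict], variance: int = 1) -> Tuple[int, List[str]]:
    """FD is the lowest metric. A path is installed when it is the successor or a feasible successor
    (RD < FD) and its metric <= variance * FD; with variance 1 only equal-cost paths qualify."""
    fd = min(c["metric"] for c in candidates)
    chosen = [c["next_hop"] for c in candidates
              if (c["metric"] == fd or c["rd"] < fd) and c["metric"] <= variance * fd]
    return fd, chosen


# Constructed topology: three neighbors toward one remote network.
#   A: T1 to A, then T1 on to the destination.
#   B: 512 kbps link to B, then T1 on.
#   C: fast link to C, but C's own path runs over the slow 512 kbps link, so C's RD is not below FD
#      and C can never be used, whatever the variance (it could be a loop back through this router).
CANDIDATES = [
    candidate("A", [(1544, 20000), (1544, 20000)]),
    candidate("B", [(512, 20000), (1544, 20000)]),
    candidate("C", [(100000, 100), (512, 20000), (1544, 20000)]),
]


def demo() -> dict:
    return {v: select_paths(CANDIDATES, v)[1] for v in (1, 2, 3)}


if __name__ == "__main__":
    for c in CANDIDATES:
        print(c)
    for v, paths in demo().items():
        print(f"variance {v}: {paths}")
```

B's metric is about 2.25 times A's, so variance 2 still leaves B unused and variance 3 brings it in; raise variance only as far as the path you intend to add, because every feasible successor under the threshold comes in with it.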

Transitioning to IPv6

The ability to scale networks for future demands requires a limitless supply of IP addresses and improved mobility. IP version 6 (IPv6) satisfies the increasingly complex requirements of hierarchical addressing that IP version 4 (IPv4) does not provide. IPv6 uses some different address types that make IPv6 more efficient than IPv4. This section describes the different types of addresses that IPv6 uses and how to assign these addresses. Transitioning to IPv6 from IPv4 deployments can require a...

Configuring Numbered Standard IPv4 ACLs

To configure numbered standard IPv4 ACLs on a Cisco router, you must create a standard IPv4 ACL and then apply it to an interface. The access-list command creates an entry in a standard IPv4 traffic filter list. The ip access-group command links an existing ACL to an interface. Only one ACL per protocol, per direction, and per interface is allowed. NOTE To remove an IP ACL from an interface, first enter the no ip access-group {name | number} {in | out} command on the interface, then enter the global...

EIGRP Authentication

You can configure EIGRP neighbor authentication, also known as neighbor router authentication or route authentication, such that routers can participate in routing based on predefined passwords. By default, no authentication is used for EIGRP packets. EIGRP can be configured to use Message Digest Algorithm 5 (MD5) authentication. When you configure neighbor authentication on a router, the router authenticates the source of each routing update packet that it receives. For EIGRP MD5...
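Serving both the OSPF Authentication section and this one, the following Python example (added here; not code from the book or from IOS) builds and verifies the keyed-MD5 trailer that RFC 2328 Appendix D defines for OSPF: the digest is MD5 over the packet with the 16-byte key appended (shorter keys are zero-padded), while the key ID and a cryptographic sequence number travel in the clear so that the receiver can pick the right key and reject replays. EIGRP MD5 authentication uses the same keyed-MD5 idea with its own packet layout; the 6-byte header used here is constructed and is not byte-accurate for either protocol. The simple-password case is shown beside it to make the difference concrete: the password itself is in the packet.

```python
import hashlib
import hmac
import struct

KEY_LEN = 16   # RFC 2328 Appendix D: the MD5 key is 16 bytes; shorter keys are zero-padded
PW_LEN = 8     # simple password authentication carries an 8-byte cleartext password


def _pad_key(key: bytes) -> bytes:
    if len(key) > KEY_LEN:
        raise ValueError("key longer than 16 bytes")
    return key.ljust(KEY_LEN, b"\x00")


def build_auth_packet(body: bytes, key_id: int, seq: int, key: bytes) -> bytes:
    """Constructed layout: [key_id:1][auth_len:1][seq:4] + body + 16-byte digest.
    The digest is MD5 over everything before it with the padded key appended
    (the keyed-MD5 construction of RFC 2328 Appendix D, which is not HMAC)."""
    header = struct.pack("!BBI", key_id, KEY_LEN, seq)
    msg = header + body
    return msg + hashlib.md5(msg + _pad_key(key)).digest()


class Receiver:
    """Verifies packets against a key table and enforces non-decreasing sequence numbers per neighbor."""

    def __init__(self, keys: dict):
        self.keys = keys          # key_id -> key bytes
        self.last_seq = {}        # neighbor -> last accepted sequence number

    def accept(self, neighbor: str, packet: bytes) -> str:
        if len(packet) < 6 + KEY_LEN:
            return "reject: truncated"
        key_id, auth_len, seq = struct.unpack("!BBI", packet[:6])
        if auth_len != KEY_LEN or key_id not in self.keys:
            return "reject: unknown key id"
        msg, digest = packet[:-KEY_LEN], packet[-KEY_LEN:]
        expected = hashlib.md5(msg + _pad_key(self.keys[key_id])).digest()
        if not hmac.compare_digest(digest, expected):   # constant-time compare
            return "reject: bad digest"
        if seq < self.last_seq.get(neighbor, 0):
            return "reject: replayed sequence number"
        self.last_seq[neighbor] = seq
        return "accept"


def plaintext_packet(body: bytes, password: bytes) -> bytes:
    """Simple password authentication: the password rides in the header unencrypted."""
    return password.ljust(PW_LEN, b"\x00")[:PW_LEN] + body


def sniffed_password(packet: bytes) -> bytes:
    """What anyone capturing the segment learns from one plaintext-authenticated packet."""
    return packet[:PW_LEN].rstrip(b"\x00")


def demo() -> dict:
    key = b"s3cret"                                   # constructed key, key ID 1
    rx = Receiver({1: key})
    body = b"HELLO area=0 rid=10.64.0.1"               # constructed packet body
    good = build_auth_packet(body, key_id=1, seq=100, key=key)
    tampered = good[:10] + bytes([good[10] ^ 0x01]) + good[11:]   # flip one bit in the body
    return {
        "good": rx.accept("RouterY", good),
        "tampered": rx.accept("RouterY", tampered),
        "wrong key": rx.accept("RouterY", build_auth_packet(body, 1, 101, b"guess")),
        "replayed": rx.accept("RouterY", build_auth_packet(body, 1, 99, key)),
        "unknown key id": rx.accept("RouterY", build_auth_packet(body, 2, 102, key)),
        "plaintext leaks": sniffed_password(plaintext_packet(body, b"cisco")),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Two practical points follow from the construction. The key ID is what lets you rotate keys without dropping the adjacency: configure the new key under a second ID on both routers, then remove the old one. And because the key is merely appended rather than used as an HMAC key, the scheme is only as strong as MD5 and the key allow; RFC 5709 added HMAC-SHA authentication for OSPFv2 for that reason, and it should be used where both ends support it.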

Grouping Business Functions into VLANs

Each VLAN in a switched network corresponds to an IP network. So VLAN design must take into consideration the implementation of a hierarchical network-addressing scheme. Hierarchical network addressing means that IP network numbers are applied to network segments or VLANs in an orderly fashion that considers the network as a whole. Blocks of contiguous network addresses are reserved for and configured on devices in a specific area of the network. Some of the benefits of hierarchical addressing...

Scaling the Network with NAT and PAT

Global Routing Table

Two Internet scalability challenges are the depletion of registered IP version 4 (IPv4) address space and scaling in routing. Cisco IOS Network Address Translation (NAT) and Port Address Translation (PAT) are mechanisms for conserving registered IPv4 addresses in large networks and simplifying IPv4 address management tasks. NAT and PAT translate IPv4 addresses within private internal networks to legal IPv4 addresses for transport over public external networks, such as the Internet, without...

Understanding Distance Vector Routing Protocols

Distance vector-based routing algorithms (also known as Bellman-Ford-Moore algorithms) pass periodic copies of a routing table from router to router and accumulate distance vectors. (Distance means how far, and vector means in which direction.) Regular updates between routers communicate topology changes. Each router receives a routing table from its direct neighbor. For example, in Figure 3-5, Router B receives information from Router A. Router B adds a distance vector metric (such as the...

Troubleshooting EIGRP Routing Tables

If the neighbor relationships are established, routes can be exchanged. If they are not being exchanged, the next step is to troubleshoot EIGRP routing table issues. Figure 5-10 shows the steps involved in troubleshooting these problems.
Figure 5-10 Troubleshooting EIGRP Routing Tables
EIGRP routes that appear with a D in the routing table indicate that they are intra-AS routes, and those with D EX indicate that they are external AS routes. No...

VLAN Creation

Before you create VLANs, you must decide whether to use VTP to maintain global VLAN configuration information for your network. The maximum number of VLANs is switch dependent. Many access layer Cisco Catalyst switches can support up to 250 user-defined VLANs. Cisco Catalyst switches have a factory default configuration in which various default VLANs are preconfigured to support various media and protocol types. The default Ethernet VLAN is VLAN 1. Cisco Discovery Protocol and VTP...

Verifying the OSPF Configuration

You can use any one of a number of show commands to display information about an OSPF configuration. The show ip protocols command displays parameters about timers, filters, metrics, networks, and other information for the entire router. The show ip route command displays the routes that are known to the router and how they were learned. This command is one of the best ways to determine connectivity between the local router and the rest of the internetwork. Example 4-1 shows the output from the...

Troubleshooting EIGRP Authentication

The last step in the flowchart in Figure 5-8 is to troubleshoot EIGRP authentication problems, if configured. This is accomplished by verifying that EIGRP authentication is successful.

Example: Successful MD5 Authentication
The output of the debug eigrp packets command on Router X, shown in Example 5-17, illustrates that Router X is receiving EIGRP packets with MD5 authentication and a key ID equal to 1 from Router Y.
Example 5-17 Confirming MD5 Authentication on Router X
QUERY, REPLY, HELLO,...

Link State and Advanced Distance Vector Protocols

In addition to distance vector-based routing, the second basic algorithm used for routing is the link-state algorithm. Link-state protocols build routing tables based on a topology database. This database is built from link-state packets that are passed between all the routers to describe the state of a network. The shortest path first algorithm uses the database to build the routing table. Figure 3-26 shows the components of a link-state protocol. Understanding the operation of link-state...

Example Selecting the Root Bridge

In Figure 2-23, both switches use the same default priority, so the switch with the lowest MAC address becomes the root bridge. In the example, switch X is the root bridge, with a BID of 0x8000.0c00.1111.1111 (priority 0x8000, MAC address 0c00.1111.1111). Because any device that sends a BPDU with a lower BID takes over the root role, and with it the forwarding topology, apply spanning-tree guard root on ports that should never receive a superior BPDU and spanning-tree bpduguard enable on access ports. When STP is enabled, every bridge in the network goes through the blocking state and the transitory states of listening and learning at power-up. If properly configured, the ports then stabilize to the forwarding or blocking state. Forwarding ports provide the lowest-cost path to the root...
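The election as an added Python example (not code from the book): the bridge ID is compared as one 64-bit number, priority first and MAC address second, so a lower priority wins regardless of MAC. Switch X carries the MAC address from Figure 2-23; the MAC address of switch Y and the third bridge, a device that announces priority 0 and takes the root role from X, are constructed.

```python
from dataclasses import dataclass
from typing import Iterable


@dataclass(frozen=True)
class Bridge:
    name: str
    mac: str                 # IOS dotted-hex form, for example "0c00.1111.1111"
    priority: int = 0x8000   # default bridge priority 32768

    def bid(self) -> int:
        """64-bit bridge ID: the 16-bit priority in the high bits, the 48-bit MAC below it."""
        if not 0 <= self.priority <= 0xFFFF:
            raise ValueError("priority must fit in 16 bits")
        return (self.priority << 48) | int(self.mac.replace(".", ""), 16)

    def bid_text(self) -> str:
        return f"0x{self.priority:04x}.{self.mac}"


def elect_root(bridges: Iterable[Bridge]) -> Bridge:
    """The root is the bridge with the numerically lowest BID: priority is compared first,
    and the MAC address only breaks ties, so a lower priority beats a lower MAC."""
    return min(bridges, key=Bridge.bid)


def validate_configured_priority(priority: int) -> int:
    """With the 802.1t extended system ID (the VLAN ID occupies the low 12 bits of the priority
    field), spanning-tree vlan <n> priority accepts only multiples of 4096 from 0 to 61440."""
    if priority % 4096 or not 0 <= priority <= 61440:
        raise ValueError("priority must be a multiple of 4096 between 0 and 61440")
    return priority


SWITCH_X = Bridge("X", "0c00.1111.1111")
SWITCH_Y = Bridge("Y", "0c00.2222.2222")                              # constructed MAC
ROGUE = Bridge("rogue", "f0f0.ffff.ffff", validate_configured_priority(0))   # constructed


def demo() -> dict:
    return {
        "default priorities": elect_root([SWITCH_X, SWITCH_Y]).name,
        "rogue claims root": elect_root([SWITCH_X, SWITCH_Y, ROGUE]).name,
        "root BID": elect_root([SWITCH_X, SWITCH_Y]).bid_text(),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The same comparison is what a deliberate design relies on: giving the intended root a priority of 4096 or 0 (and the backup root the next value up) removes the dependence on whichever switch happens to have the lowest MAC address, which is otherwise often the oldest device in the network.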

Configuring Numbered Extended IPv4 ACLs

For more precise traffic-filtering control, use extended IPv4 ACLs, numbered 100 to 199 and 2000 to 2699 or named, which check for the source and destination IPv4 address. In addition, at the end of the extended ACL statement, you can specify the protocol and optional TCP or User Datagram Protocol (UDP) application to filter more precisely. Figure 6-16 illustrates the IP header fields that can be examined with an extended access list.
Figure 6-16 Extended...
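An added Python example, not code from the book or from IOS, that ties together the sections on wildcard masking, ACL identification, standard and extended ACLs and Example 6-8: it classifies a number as standard or extended by the ranges above, parses access-list statements, and evaluates packets top-down with first match and the implicit deny. The packets and the two lists (ACL 101 from Example 6-8 and a standard ACL 1 built from the first two lines of Example 6-13) are constructed test input; only the eq keyword and the ip, tcp and udp protocols are handled.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY = ("0.0.0.0", "255.255.255.255")   # "any": every address bit is ignored


def acl_kind(number: int) -> str:
    """Numbered IPv4 ACL ranges: 1-99 and 1300-1999 are standard, 100-199 and 2000-2699 extended."""
    if 1 <= number <= 99 or 1300 <= number <= 1999:
        return "standard"
    if 100 <= number <= 199 or 2000 <= number <= 2699:
        return "extended"
    raise ValueError(f"{number} is not a numbered IPv4 ACL")


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Wildcard bit 0 means the address bit must match; wildcard bit 1 means ignore it."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return a & care == b & care


@dataclass
class Entry:
    action: str                     # "permit" or "deny"
    proto: str = "ip"               # "ip" matches every IP protocol
    src: Tuple[str, str] = ANY      # (address, wildcard)
    dst: Tuple[str, str] = ANY
    dport: Optional[int] = None     # set by "eq <port>" on tcp/udp entries
    hits: int = 0                   # match counter, as show access-lists displays


def _address(tokens: List[str]):
    """Consume 'any', 'host A' or 'A WILDCARD' from the token list."""
    if tokens[0] == "any":
        return ANY, tokens[1:]
    if tokens[0] == "host":
        return (tokens[1], "0.0.0.0"), tokens[2:]
    return (tokens[0], tokens[1]), tokens[2:]


def parse_acl(lines: List[str]) -> List[Entry]:
    """Parse 'access-list N permit|deny ...' statements belonging to one ACL number."""
    number, entries = None, []
    for line in lines:
        t = line.split()
        if t[0] != "access-list":
            raise ValueError(f"not an access-list statement: {line}")
        n, action, rest = int(t[1]), t[2], t[3:]
        if number not in (None, n):
            raise ValueError("statements belong to different ACL numbers")
        number = n
        if acl_kind(n) == "standard":
            # a standard ACL tests the source only; a bare address means wildcard 0.0.0.0
            src = _address(rest)[0] if rest[0] in ("any", "host") or len(rest) > 1 else (rest[0], "0.0.0.0")
            entries.append(Entry(action, "ip", src))
        else:
            proto, rest = rest[0], rest[1:]
            src, rest = _address(rest)
            dst, rest = _address(rest)
            dport = int(rest[1]) if rest[:1] == ["eq"] else None
            entries.append(Entry(action, proto, src, dst, dport))
    return entries


def evaluate(entries: List[Entry], proto: str, src: str, dst: str, dport: Optional[int] = None) -> str:
    """Top-down, first match wins; a packet that matches nothing hits the implicit deny."""
    for e in entries:
        if e.proto != "ip" and e.proto != proto:
            continue
        if not (wildcard_match(src, *e.src) and wildcard_match(dst, *e.dst)):
            continue
        if e.dport is not None and e.dport != dport:
            continue
        e.hits += 1
        return e.action
    return "deny"


ACL_101 = [   # Example 6-8
    "access-list 101 deny tcp 172.16.4.0 0.0.0.255 any eq 23",
    "access-list 101 permit ip any any",
]
ACL_1 = [     # first two lines of Example 6-13
    "access-list 1 deny 10.1.1.0 0.0.0.255",
    "access-list 1 permit 10.3.3.1",
]


def demo() -> dict:
    ext, std = parse_acl(ACL_101), parse_acl(ACL_1)
    return {
        "telnet from 172.16.4.9": evaluate(ext, "tcp", "172.16.4.9", "10.0.0.1", 23),
        "ssh from 172.16.4.9": evaluate(ext, "tcp", "172.16.4.9", "10.0.0.1", 22),
        "telnet from 172.16.5.9": evaluate(ext, "tcp", "172.16.5.9", "10.0.0.1", 23),
        "std 10.1.1.7": evaluate(std, "ip", "10.1.1.7", "10.9.9.9"),
        "std 10.3.3.1": evaluate(std, "ip", "10.3.3.1", "10.9.9.9"),
        "std 10.3.3.2 (implicit deny)": evaluate(std, "ip", "10.3.3.2", "10.9.9.9"),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Reverse the two lines of ACL 101 and every packet hits the permit, which is the most common ACL mistake: order the specific denies before the general permit, and confirm with the match counters in show access-lists that the deny entry is the one being hit.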

Configuring and Verifying EIGRP

Use the router eigrp and network commands to create an EIGRP routing process. Note that EIGRP requires an autonomous system (AS) number. The AS number does not have to be registered, as it must be when routing on the Internet with the Border Gateway Protocol (BGP). However, all routers within an AS must use the same AS number to exchange routing information with each other. Figure 5-3 shows the EIGRP configuration of a simple network (addresses shown in the figure: 172.16.1.1, 10.1.1.1, 10.1.1.2, 10.2.2.2...).