The Ultimate CCNA Lab Workbook Labs Designed For CCNA Rack Rentals Chris Bryant CCIE #12933
The Bryant Advantage CCNA lab workbook is designed to assist candidates in preparation for the exam for the Cisco Certified Network Associate (r) and Cisco Certified Network Professional (r) certifications. This book will help you master all the skills you'll need to pass the CCNA exams, and give you a solid foundation for your future Cisco studies.
The Ultimate
CCNA Lab Workbook
Labs Designed For CCNA Rack Rentals At www.thebryantadvantage.com
Chris Bryant CCIE #12933
www.thebryantadvantage.com
Chris Bryant, CCIE #12933 www.thebryantadvantage.com 2005 The Bryant Advantage
Copyright Information:
Cisco, Cisco Systems, CCIE, Cisco Certified Internetwork Expert, Cisco Certified Network Associate, and Cisco Certified Network Professional are registered trademarks of Cisco Systems, Inc., and/or its affiliates in the U.S. and certain countries.
All other products and company names are the trademarks, registered trademarks, and service marks of the respective owners. Throughout this ebook, The Bryant Advantage has used its best efforts to distinguish proprietary trademarks from descriptive names by following the capitalization styles used by the manufacturer.
Disclaimer:
This publication, The Bryant Advantage CCNA Lab Workbook, is designed and intended to assist candidates in preparation for the exam for the Cisco Certified Network Associate and Cisco Certified Network Professional certifications. All efforts have been made by the author to make this book as accurate and complete as possible, but no guarantee, warranty, or fitness are implied, expressly or implicitly. The enclosed material is presented on an as is basis. Neither the author, Bryant Instructional Services, or the parent company assume any liability or responsibility to any person or entity with respect to loss or damages incurred from the information contained in this workbook.
Copyright 2005, The Bryant Advantage.
Welcome to The Bryant Advantage CCNA Lab Workbook! Used in combination with my CCNA / CCNP Rack Rentals, this book will help you master all the skills you'll need to pass the CCNA exams, and give you a solid foundation for your future Cisco studies.
The best way to learn about Cisco technologies is to use them. You've got to read to learn the theory, but it's vital to see the theory in action. With that in mind, let's take a look at the network topology you'll use in this lab workbook.
There are two additional Cisco routers in your pod that are not shown here. The first is a 2500 router acting as a frame relay switch, which makes it possible to have a frame relay cloud in a practice lab. Your frame relay switch is preconfigured. (If you'd like to see the configuration of a frame relay switch, visit my website and check the Tutorials section, or write me at [email protected] and I'll be glad to email you a copy.)
The second router is the access server; that's the router you will actually be using Telnet to communicate with. There is no need to change the configuration of this device.
Please Read The Following Rules Carefully. They're Not The Usual "Mumbo Jumbo" Legalities.
By connecting to my remote labs, you agree to abide by the following rules.
1. Do not change the configuration of the access server in any way. Doing so may end your session, and a refund will not be given. You will also be prohibited from renting the pods in the future.
2. Do not change the configuration register of any router or switch.
3. You are more than welcome to practice your enable secret, enable password, console password, and telnet passwords. However, you MUST use the passwords "cisco" or "ccna", without the quotation marks. Upper case or lower case is fine.
Thank you!
Connecting To Your Remote Pod
Getting started with your pod of Cisco routers and 2950 switches is easy! First, you'll need to Telnet to your access server. The IP address, username, and password for your session were sent to you in a separate email. (The phone numbers for your ISDN connection are also in that email.)
You can use any Telnet version to connect to your access server. You can use HyperTerminal if you like, but I've seen some versions have trouble with Telnet. If you use HyperTerminal and have trouble authenticating, use Telnet by going out to your C: prompt.
From your C: prompt, you can type telnet to go into Microsoft Telnet, or type telnet x.x.x.x, with the IP address in place of the x's.
C:\> telnet
Welcome to Microsoft Telnet Client
Escape Character is 'CTRL+]'
Microsoft Telnet> open 100.100.100.100
(Put the IP address you were sent in email in place of 100.100.100.100.)
User Access Verification
Username:
Password:
OR:
C:\>telnet 100.100.100.100
User Access Verification
Username:
Password:
A few tips for logging in:
1. You will be prompted for a username, then a password.
2. Do not hit the space bar at the end of entering either; this will send a null space and you will not be authenticated.
3. The cursor WILL NOT MOVE when you enter your username and password. That's a Cisco default. You will not see asterisks, as you do when logging in to most Microsoft products.
After entering your username and password, you'll be put into privileged exec mode on the access server:
User Access Verification
Password:
BRYANT_POD_ONE#
Your three routers and two Cisco 2950 switches are all connected to this access server. Here's how to access each device.
First, clear the lines leading to the other devices.
BRYANT_POD_ONE#clear line 01
[confirm]
[OK]
BRYANT_POD_ONE#clear line 02
[confirm]
[OK]
BRYANT_POD_ONE#clear line 03
[confirm]
[OK]
BRYANT_POD_ONE#clear line 04
[confirm]
[OK]
BRYANT_POD_ONE#clear line 05
[confirm]
[OK]
BRYANT_POD_ONE#
When you see the [confirm] choice, just hit your enter key to accept it.
Now that the lines are cleared, you're going to connect to each device from your access server. This reads like a long process, but it will only take you a minute or two.
Type R1 at the prompt:
BRYANT_POD_ONE#r1
Trying R1 (100.1.1.1, 2001)... Open
R1#
Note: When you see the word Open, hit the Enter key again. You'll then see the prompt for R1.
Now, you need to learn the big keystroke that you'll be using to go back from the access server. Here it is:
<CTRL-SHIFT-6> <X>
This keystroke is a little awkward at first, but before long you'll be doing it without thinking about it. You hit ctrl-shift-6 the same way you'd enter ctrl-alt-delete (we all know that one!), then release those keys and hit x. Then you're right back at the access server. Repeat the process for R2, R3, SW1, and SW2.
R1# < Use above keystroke to go back to access server >
BRYANT_POD_ONE#r2
Trying R2 (100.1.1.1, 2002)... Open
R2# < Use above keystroke to go back to access server >
BRYANT_POD_ONE#r3
Trying R3 (100.1.1.1, 2003)... Open
R3# < Use above keystroke to go back to access server >
BRYANT_POD_ONE#sw1
Trying SW1 (100.1.1.1, 2004)... Open
sw1# < Use above keystroke to go back to access server >
BRYANT_POD_ONE#sw2
Trying SW2 (100.1.1.1, 2005)... Open
sw2# < Use above keystroke to go back to access server >
BRYANT_POD_ONE#
Remember, you're always coming back to the access server to get from one router to another. Before long, you'll be using that keystroke without even thinking about it.
Now that you've created those connections, you will use only the number of the connection to go back to each device. At the access server, just type these numbers to get to each device:
1: R1
2: R2
3: R3
4: SW1
5: SW2
Don't type the entire name of the device again; just type the numbers you see here on the access server, as shown below.
BRYANT_POD_ONE#1
[Resuming connection 1 to r1 ... ]
R1#
BRYANT_POD_ONE#2
[Resuming connection 2 to r2 ... ]
R2#
BRYANT_POD_ONE#3
[Resuming connection 3 to r3 ... ]
R3#
BRYANT_POD_ONE#4
[Resuming connection 4 to sw1 ... ]
sw1#
BRYANT_POD_ONE#5
[Resuming connection 5 to sw2 ... ]
sw2#
BRYANT_POD_ONE#
Don't forget to hit enter again after you see the "Resuming connection" message. That will get you to the enable prompt.
That's all there is to it!
Table Of Contents
IP Addressing: Page 1
LAN Switching: Page 6
Frame Relay: Page 17
ISDN / Point-To-Point: Page 25
Passwords And Services: Page 38
Static Routing: Page 43
Distance Vector Protocols: Page 47
OSPF: Page 61
EIGRP: Page 78
Advanced TCP/IP Features: Page 85
Starting From Scratch: Page 94
Your Bryant Advantage Rack Rental Cisco pod is ready! You'll be spending time working with real Cisco 2500 routers, all running IOS 12.2, and real Cisco 2950 switches.
Your CCNA Lab Workbook is attached. To get the most out of your rack time:
Repeat the tasks as often as you can. Repetition is the mother of skill.
Run debugs and show commands often. I suggest many throughout the lab workbook that you should be very familiar with before taking the CCNA exams.
Dont feel limited to running only these labs. Run all the IOS Help commands you like and explore command options.
Should you choose to do so, you can erase the config on these devices with write erase and then reload them with reload. If you do, all your configs are gone and you're really starting from scratch! Feel free to do this, but I do recommend you configure these extra commands when they come back up (they're already configured on your routers and switches when you log in).
line con 0
 logging synchronous
 exec-timeout 0 0
The IP address to Telnet to is 65.37.154.163. For tips on connecting, read the opening pages of the lab workbook.
Your password is leader724. There is no username.
Your ISDN phone numbers:
R1: 5553333
R2: 5554444
Your time begins: March 8, 8 AM Eastern Standard Time
Your time ends: March 9, 7 AM Eastern Standard Time
Read the warnings at the beginning of the ebook carefully. Changing the configuration register of any router or switch will result in you losing rack rental privileges. Do not change the configuration of the access server.
Connection information is found at the beginning of the lab workbook.
Ricardo, thanks for your purchase, and enjoy your rack time! Send me an email if you have any problems connecting, or any questions regarding the labs. Thanks again!
Chris Bryant, CCIE #12933
IP Addressing Lab
You've got to know how to assign IP addresses to pass the CCNA exams, and you're about to get a lot of practice. We're going to configure physical interfaces, logical interfaces, and loopback interfaces.
You also need to know how to name a router. We do this with the hostname command. Change the names of the routers to whatever you like, but after practicing this command, change the names back to R1, R2, R3, SW1, and SW2. Those are the names you'll see throughout the lab workbook.
R1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#hostname Router1
Router1(config)#hostname R1
R1(config)#^Z
R1#
The ^Z you'll see on the screen is what ctrl-z sends to the console, and of course, you know from your CCNA reading that ctrl-z brings you back out to the enable prompt.
Notice that the hostname command took effect immediately, as all global commands do.
Let's take a look at the networks we'll be configuring.
Let's start with R1. DO NOT OPEN THE SERIAL 0 INTERFACES.
R1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#interface serial0
R1(config-if)#ip address 172.12.123.1 255.255.255.0
R1(config-if)#interface serial1
R1(config-if)#ip address 172.12.13.1 255.255.255.0
R1(config-if)#no shut
R1(config-if)#
00:18:34: %LINK-3-UPDOWN: Interface Serial1, changed state to down
R1(config-if)#interface loopback0
R1(config-if)#ip address 1.1.1.1 255.255.255.255
R1(config-if)#interface bri0
R1(config-if)#ip address 172.12.21.1 255.255.255.252
R1(config-if)#no shut
R1(config-if)#
00:19:11: %LINK-3-UPDOWN: Interface BRI0:1, changed state to down
00:19:11: %LINK-3-UPDOWN: Interface BRI0:2, changed state to down
00:19:11: %LINK-3-UPDOWN: Interface BRI0, changed state to up
00:19:12: %LINEPROTO-5-UPDOWN: Line protocol on Interface BRI0:1, changed state to down
00:19:12: %LINEPROTO-5-UPDOWN: Line protocol on Interface BRI0:2, changed state to down
R1(config-if)#wr
Building configuration.
Don't worry about the line protocols being down; other labs will take care of that. All we're doing right now is setting the IP addresses and opening the interfaces. Get used to saving your work as often as possible with wr, short for write. Use IOS Help to see the options and the defaults. (Remember, IOS Help is the question mark symbol.)
Don't forget to open the interfaces! If you're having a connectivity problem and run a command such as show interface ethernet 0, and you see the following, it means the interface is manually closed and needs to be opened with the no shut command.
R2#show interface ethernet0
Ethernet0 is administratively down, line protocol is down
Now configure R2's interfaces. Do not open interface serial0.
R2(config)#interface serial0
R2(config-if)#encap frame
R2(config-if)#no frame inverse-arp
R2(config-if)#interface serial 0.123 multipoint
R2(config-subif)#ip address 172.12.123.2 255.255.255.0
R2(config-subif)#interface bri0
R2(config-if)#ip address 172.12.21.2 255.255.255.252
R2(config-if)#no shut
R2(config-if)#
00:27:23: %LINK-3-UPDOWN: Interface BRI0:1, changed state to down
00:27:23: %LINK-3-UPDOWN: Interface BRI0:2, changed state to down
00:27:23: %LINK-3-UPDOWN: Interface BRI0, changed state to up
R2(config-if)#i
00:27:24: %LINEPROTO-5-UPDOWN: Line protocol on Interface BRI0:1, changed state to down
00:27:24: %LINEPROTO-5-UPDOWN: Line protocol on Interface BRI0:2, changed state to down
R2(config-if)#interface ethernet0
R2(config-if)#ip address 172.23.23.2 255.255.255.224
R2(config-if)#no shut
00:28:45: %LINK-3-UPDOWN: Interface Ethernet0, changed state to up
00:28:46: %LINEPROTO-5-UPDOWN: Line protocol on Interface Ethernet0, changed state to up
R2(config-if)#interface loopback0
R2(config-if)#ip address 2.2.2.2 255.255.255.255
R2(config-if)#^Z
R2#
Note that you configured frame relay on R2. That allows us to create the multipoint subinterface. Frame Relay will be covered completely in a later lab, but you cannot create that multipoint subinterface until you've enabled frame relay on the physical interface.
Also notice that you don't have to run no shut on a loopback interface. (It's not wrong if you do, but you don't have to.)
Let's configure R3's interfaces. Do not open interface serial0.
R3#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R3(config)#interface serial 0
R3(config-if)#encap frame
R3(config-if)#no frame inverse-arp
R3(config-if)#interface serial0.31 point-to-point
R3(config-subif)#ip address 172.12.123.3 255.255.255.0
R3(config-subif)#interface serial 1
R3(config-if)#ip address 172.12.13.3 255.255.255.0
R3(config-if)#no shut
00:33:32: %LINK-3-UPDOWN: Interface Serial1, changed state to up
00:33:33: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial1, changed state to up
R3(config-if)#interface ethernet0
R3(config-if)#ip address 172.23.23.3 255.255.255.224
R3(config-if)#no shut
00:33:46: %LINK-3-UPDOWN: Interface Ethernet0, changed state to up
00:33:47: %LINEPROTO-5-UPDOWN: Line protocol on Interface Ethernet0, changed state to up
R3(config-if)#interface loopback0
00:33:54: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial1, changed state to down
R3(config-if)#ip address 3.3.3.3 255.255.255.0
Again, note that you configured frame relay on the serial0 physical interface, then created a point-to-point subinterface. The Serial0 physical interface then had to be opened.
I urge you to not just walk through these labs, but to use the show and debug commands you'll read about in this book and in my Ultimate CCNA Study Guide PDF, and to use IOS Help often to see the other options. Take advantage of the fact that you're working with real Cisco routers and switches, not toys like simulator programs.
You do not need to configure IP addresses on the switches.
There's another command I'd like to introduce you to, since we all mistype from time to time. Notice what happens when you mistype a command on a Cisco router:
R3#hudjgmg
Translating "hudjgmg"...domain server (255.255.255.255)
% Unknown command or computer name, or unable to find computer address
By default, a Cisco router or switch is going to attempt to resolve a mistyped command via DNS. That's what the domain server is that it's looking for, and of course you know that 255.255.255.255 is a layer 3 broadcast.
This only takes about 15 seconds to come back with the "unknown command" line in a practice lab, but it can take much longer in a production network. To disable this default behavior, use the global command no ip domain-lookup on each device in your pod. Notice that immediately after using this command, the router tries to resolve the command locally but does not send the broadcast out.
R3#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R3(config)#no ip domain-lookup
R3(config)#^Z
R3#jfujjke
00:50:24: %SYS-5-CONFIG_I: Configured from console by console
R3#jfujjke
Translating "jfujjke"
% Unknown command or computer name, or unable to find computer address
As with all commands you read about and practice with in my books, do not run a command on a production network unless you are sure of the result. VERY sure. This is particularly true of the debugs youll be using in my labs.
Congratulations! You've now configured plenty of IP addresses. If you're confronted with that task on one of your CCNA exams, you're more than ready. Just don't forget to open the interfaces on exam day!
LAN Switching Lab
With the command vtp domain, place both switches in the VTP domain CCNA. Enable pruning with the vtp pruning command. You can also set a VTP password of CISCO with vtp password.
SW1#conf t
SW1(config)#vtp domain CCNA
Changing VTP domain name from NULL to CCNA
SW1(config)#vtp password CISCO
Setting device VLAN database password to CISCO
SW1(config)#vtp pruning
Pruning switched on

SW2#conf t
SW2(config)#vtp domain CCNA
Changing VTP domain name from NULL to CCNA
SW2(config)#vtp password CISCO
Setting device VLAN database password to CISCO
SW2(config)#vtp pruning
Pruning switched on
The VTP domain name changes from null, indicating that there was no VTP domain previously set.
Run show vtp status on both switches to ensure they belong to the correct VTP domain.
SW1#show vtp status
VTP Version                     : 2
Configuration Revision          : 1
Maximum VLANs supported locally : 1005
Number of existing VLANs        : 5
VTP Operating Mode              : Server
VTP Domain Name                 : CCNA
VTP Pruning Mode                : Enabled

SW2#show vtp status
VTP Version                     : 2
Configuration Revision          : 1
Maximum VLANs supported locally : 1005
Number of existing VLANs        : 5
VTP Operating Mode              : Server
VTP Domain Name                 : CCNA
VTP Pruning Mode                : Enabled

By default, both switches are in VTP Server mode. With the vtp mode client command, put SW2 in VTP client mode. All VLANs created in this lab will now have to be created on SW1, the VTP Server. Verify the change with show vtp status.
SW2#conf t
Enter configuration commands, one per line. End with CNTL/Z.
SW2(config)#vtp
01:10:41: %SYS-5-CONFIG_I: Configured from console by console
SW2(config)#vtp mode client
Setting device to VTP CLIENT mode.
SW2(config)#^Z
01:10:47: %SYS-5-CONFIG_I: Configured from console by console
SW2#show vtp status
VTP Version                     : 2
Configuration Revision          : 1
Maximum VLANs supported locally : 64
Number of existing VLANs        : 5
VTP Operating Mode              : Client
VTP Domain Name                 : CCNA
VTP Pruning Mode                : Enabled
VTP V2 Mode                     : Disabled
VTP Traps Generation            : Disabled
MD5 digest                      : 0xB2 0xD2 0xE9 0x70 0xF1 0x6B 0xA1 0x04
Configuration last modified by 0.0.0.0 at 3-1-93 01:10:14
Run show cdp neighbors on the switches to see what devices are directly connected to the switches.
SW1#show cdp neighbor
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                  S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone

Device ID   Local Intrfce   Holdtme   Capability   Platform     Port ID
SW2         Fas 0/12        152       S I          WS-C2950-1   Fas 0/12
SW2         Fas 0/11        152       S I          WS-C2950-1   Fas 0/11
R2          Fas 0/2         129       R            2520         Eth 0

SW2#show cdp neighbor
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                  S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone

Device ID   Local Intrfce   Holdtme   Capability   Platform     Port ID
SW1         Fas 0/12        150       S I          WS-C2950-2   Fas 0/12
SW1         Fas 0/11        150       S I          WS-C2950-2   Fas 0/11
R3          Fas 0/3         138       R            2500         Eth 0

You can see in the output of show cdp neighbors that the two switches are connected at fast 0/11 and fast 0/12. show interface trunk shows that the trunk has already been created dynamically, with no additional configuration.
SW2#show interface trunk
Port      Mode         Encapsulation  Status        Native vlan
Fa0/11    desirable    802.1q         trunking      1
Fa0/12    desirable    802.1q         trunking      1

Port      Vlans allowed on trunk
Fa0/11    1-4094
Fa0/12    1-4094

Port      Vlans allowed and active in management domain
Fa0/11    1
Fa0/12    1

Port      Vlans in spanning tree forwarding state and not pruned
Fa0/11    1
Fa0/12    none
show vlan brief reinforces the theory that, by default, all switch ports are placed into VLAN 1 (except the trunk ports).
SW2#show vlan brief
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/1, Fa0/2, Fa0/3, Fa0/4
                                                Fa0/5, Fa0/6, Fa0/7, Fa0/8
                                                Fa0/9, Fa0/10
R2's and R3's Ethernet addresses have already been configured, the trunk line is operational, and both ports are in VLAN 1. Ping R2's Ethernet interface from R3, and then R3's Ethernet interface from R2 to verify IP connectivity.
R2#ping 172.23.23.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.23.23.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/8 ms
R3#ping 172.23.23.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.23.23.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/8 ms
With pings, exclamation points indicate good connectivity, and periods indicate no connectivity.
Now, create VLAN 23. Try creating this VLAN on SW2 first.
SW2#conf t
Enter configuration commands, one per line. End with CNTL/Z.
SW2(config)#vlan 23
VTP VLAN configuration not allowed when device is in CLIENT mode.
As you can see, you cannot create, delete, or modify VLANs on VTP clients. This VLAN will have to be created on SW1, the VTP server. After doing so, the VTP client should see VLAN 23 as well.
SW1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
SW1(config)#vlan 23
SW1(config-vlan)#^Z
01:23:34: %SYS-5-CONFIG_I: Configured from console by console
SW1#show vlan brief

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/1, Fa0/2, Fa0/3, Fa0/4
                                                Fa0/5, Fa0/6, Fa0/7, Fa0/8
                                                Fa0/9, Fa0/10, Fa0/13, Fa0/14
                                                Fa0/15, Fa0/16, Fa0/17, Fa0/18
                                                Fa0/19, Fa0/20, Fa0/21, Fa0/22
                                                Fa0/23, Fa0/24
23   VLAN0023                         active

SW2#show vlan br
01:23:55: %SYS-5-CONFIG_I: Configured from console by console
SW2#show vlan brief

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/1, Fa0/2, Fa0/3, Fa0/4
                                                Fa0/5, Fa0/6, Fa0/7, Fa0/8
                                                Fa0/9, Fa0/10
23   VLAN0023                         active
On SW1, put port fast 0/2 into VLAN 23. (That's the port connected to R2.) Verify with show vlan brief.
SW1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
SW1(config)#int fast 0/2
SW1(config-if)#switchport mode access
SW1(config-if)#switchport access vlan 23
SW1(config-if)#^Z

SW1#show vlan brief

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/1, Fa0/3, Fa0/4, Fa0/5
                                                Fa0/6, Fa0/7, Fa0/8, Fa0/9
                                                Fa0/10, Fa0/13, Fa0/14, Fa0/15
                                                Fa0/16, Fa0/17, Fa0/18, Fa0/19
                                                Fa0/20, Fa0/21, Fa0/22, Fa0/23, Fa0/24
23   VLAN0023                         active    Fa0/2
Now that R2 and R3 are in separate VLANs, can they still send pings back and forth?
R2#ping 172.23.23.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.23.23.3, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

R3#ping 172.23.23.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.23.23.2, timeout is 2 seconds:
.....
No, they can't. The difference is that they're now in separate VLANs, and devices in different VLANs can't communicate unless routing is taking place somewhere. Here, no routing is taking place, so the pings don't go through.
Put R3's switch port into VLAN 23, and try the ping again.
SW2#conf t
Enter configuration commands, one per line. End with CNTL/Z.
SW2(config)#interface fast0/3
SW2(config-if)#switchport mode access
SW2(config-if)#switchport access vlan 23
SW2(config-if)#^Z
01:31:57: %SYS-5-CONFIG_I: Configured from console by console
SW2#show vlan brief

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/1, Fa0/2, Fa0/4, Fa0/5
                                                Fa0/6, Fa0/7, Fa0/8, Fa0/9
                                                Fa0/10
23   VLAN0023                         active    Fa0/3

R3#ping 172.23.23.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.23.23.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/8 ms

R2#ping 172.23.23.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.23.23.3, timeout is 2 seconds:
!!!!!
Now that R2 and R3 are in the same VLAN, pings can go through.
On SW1, view the spanning tree information for VLAN 23 with the show spanning-tree vlan 23 command. Do the same on SW2.
SW1#show spanning vlan 23
VLAN0023
  Spanning tree enabled protocol ieee
  Root ID    Priority    32791
             Address     000e.d7f5.a040
             This bridge is the root
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    32791  (priority 32768 sys-id-ext 23)
             Address     000e.d7f5.a040
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time 300

SW2#show spanning vlan 23
VLAN0023
  Spanning tree enabled protocol ieee
  Root ID    Priority    32791
             Address     000e.d7f5.a040
             Cost        19
             Port        11 (FastEthernet0/11)
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    32791  (priority 32768 sys-id-ext 23)
             Address     000f.90e2.14c0
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time 300
Your root bridge may be SW2 at this point. The important point here is that you know how to identify the root bridge for a VLAN.
Recall that the lowest BID will win the root bridge election. Both bridges have the same priority; since the BID is a concatenation of the priority and MAC address, the device with the lowest MAC address will be the root bridge.
Look under the Bridge ID on both switches. The address shown there is that switch's own MAC address. In this example, the first four hex digits of the MAC address on SW1 are 0009, while the first four hex digits of SW2's MAC are 000a. MAC addresses are expressed in hex, and since a in hex represents 10, SW1 will have the lower MAC address and is therefore elected the root bridge. (The captures shown above come from a pod whose switches have MACs beginning 000e and 000f; the same comparison applies, and there too the lower MAC, 000e on SW1, wins.)
The default behavior of the root bridge is that all ports will be in forwarding mode, which is exactly what is happening on SW1. On SW2, one port is the root port and is in forwarding mode. The other port is placed into blocking mode.
The root bridge can be changed with one simple command. This command will adjust the numeric priority of the switch it's configured on to a low enough value so its BID will be the lowest for that VLAN, making it the root bridge. Run the command spanning-tree vlan 23 root primary on your non-root bridge. Then run show spanning vlan 23 to verify that your non-root bridge has indeed become the root bridge.
SW2#conf t
Enter configuration commands, one per line. End with CNTL/Z.
SW2(config)#spanning-tree vlan 23 root primary
SW2(config)#^Z
SW2#show spanning vlan 23

VLAN0023
  Spanning tree enabled protocol ieee
  Root ID    Priority    24599
             Address     000f.90e2.14c0
             This bridge is the root
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    24599  (priority 24576 sys-id-ext 23)
             Address     000f.90e2.14c0
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time 15
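The election walked through above, worked in Python with the Bridge ID values from these captures. This is an added example, not code from the workbook; it assumes the per-VLAN Bridge ID layout the output shows (a 16-bit priority field equal to the configured priority plus the sys-id-ext VLAN number, followed by the 48-bit MAC, lowest value wins) and Cisco's documented behaviour for the root primary macro (24576 if that beats the current root, otherwise 4096 below the current root's priority).

```python
# Added example (not from the workbook): PVST+ root bridge election with
# extended system ID, using the values from the show spanning vlan 23 output.


def parse_cisco_mac(dotted: str) -> int:
    """Convert a Cisco dotted-hex MAC ('000e.d7f5.a040') to an integer."""
    digits = dotted.replace(".", "")
    if len(digits) != 12:
        raise ValueError(f"bad MAC address {dotted!r}")
    return int(digits, 16)


def displayed_priority(priority: int, vlan: int) -> int:
    """The priority IOS prints: configured priority + sys-id-ext (the VLAN).
    32768 + 23 = 32791, 24576 + 23 = 24599, exactly as in the captures."""
    if priority % 4096 != 0 or not 0 <= priority <= 61440:
        raise ValueError("priority must be a multiple of 4096 in 0..61440")
    if not 1 <= vlan <= 4094:
        raise ValueError("VLAN must be 1..4094")
    return priority + vlan


def bridge_id(priority: int, vlan: int, mac: str) -> int:
    """64-bit Bridge ID: 16-bit displayed priority, then the 48-bit MAC."""
    return (displayed_priority(priority, vlan) << 48) | parse_cisco_mac(mac)


def elect_root(switches: dict, vlan: int) -> str:
    """switches maps name -> (configured priority, MAC).  Lowest BID wins;
    with equal priorities that is the lowest MAC, which is all the
    election looks at, so an unintended switch can win just as easily."""
    return min(switches, key=lambda n: bridge_id(switches[n][0], vlan, switches[n][1]))


def root_primary_priority(current_root_priority: int) -> int:
    """Priority chosen by 'spanning-tree vlan N root primary' (assumption:
    Cisco's documented macro behaviour): 24576 if that already beats the
    current root, otherwise 4096 less than the current root's priority."""
    if current_root_priority > 24576:
        return 24576
    if current_root_priority < 4096:
        raise ValueError("current root is already at priority 0; "
                         "root primary cannot go lower, only a lower MAC wins")
    return current_root_priority - 4096


def explain(switches: dict, vlan: int) -> list:
    """One summary line per switch, in the style of the Bridge ID section."""
    root = elect_root(switches, vlan)
    return [f"{name}: priority {displayed_priority(prio, vlan)} "
            f"address {mac} -> {'ROOT' if name == root else 'non-root'}"
            for name, (prio, mac) in switches.items()]


if __name__ == "__main__":
    # Both switches at the default 32768 for VLAN 23 (values from the captures).
    pod = {"SW1": (32768, "000e.d7f5.a040"), "SW2": (32768, "000f.90e2.14c0")}
    print("\n".join(explain(pod, 23)))      # SW1 wins on the lower MAC
    # Now apply 'spanning-tree vlan 23 root primary' on SW2.
    pod["SW2"] = (root_primary_priority(pod["SW1"][0]), pod["SW2"][1])
    print("\n".join(explain(pod, 23)))      # SW2 shows 24599 and is ROOT
```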
On SW1, configure PortFast on the port leading to R2 with spanning portfast, and note the warning the router displays. Remove PortFast with no spanning portfast.
SW1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
SW1(config)#int fast 0/2
SW1(config-if)#spanning portfast
%Warning: portfast should only be enabled on ports connected to a single host. Connecting hubs, concentrators, switches, bridges, etc... to this interface when portfast is enabled, can cause temporary bridging loops. Use with CAUTION

%Portfast has been configured on FastEthernet0/2 but will only have effect when the interface is in a non-trunking mode.
SW1(config-if)#no spanning portfast
SW1(config-if)#^Z
SW1#
Combine the two physical connections between the two switches into one logical connection by creating an EtherChannel. On each of the ports physically connected to the other switch, run channel-group 1 mode on.
SW1#conf t
SW1(config)#interface fast 0/11
SW1(config-if)#channel-group 1 mode on
Creating a port-channel interface Port-channel 1
03:37:59: %LINK-3-UPDOWN: Interface Port-channel1, changed state to up
SW1(config)#interface fast 0/12
SW1(config-if)#channel-group 1 mode on

SW2#conf t
SW2(config)#interface fast 0/11
SW2(config-if)#channel-group 1 mode on
Creating a port-channel interface Port-channel 1
03:38:11: %LINK-3-UPDOWN: Interface Port-channel1, changed state to up
SW2(config-if)#interface fast 0/12
SW2(config-if)#channel-group 1 mode on
One benefit of EtherChannels is that the bandwidth of both physical links is now being used. (Before, STP put one of the ports in blocking mode, so only one physical path was being used.) Another benefit is that STP considers the EtherChannel to be one single connection; if one of the two lines went down, the STP algorithm would not rerun, and there would be no break in transmission, since STP is only concerned with the logical port-channel, not the physical interfaces:
SW1#show spanning vlan 23

VLAN0023
  Spanning tree enabled protocol ieee
  Root ID    Priority    24599
             Address     000a.8a4b.fb00
             Cost        12
             Port        65 (Port-channel1)
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    32791  (priority 32768 sys-id-ext 23)
             Address     0009.b738.9180
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time 300

Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- -----------------------------
A hub-and-spoke Frame Relay network will now be configured, with R1 serving as the hub and R2 and R3 as the spokes. First, configure Frame Relay on R1's Serial0 interface with encapsulation frame-relay, and disable dynamic mapping with no frame-relay inverse-arp. After doing so, run show frame map on R1; no mappings should appear.
R1#conf t
R1(config)#interface serial0
R1(config-if)#encapsulation frame-relay
R1(config-if)#no frame-relay inverse-arp

R1#show frame map
R1#

If nothing appears after running show frame map, as shown here, no maps exist.
Configure two Permanent Virtual Circuits (PVCs) on R1 with two frame map statements, mapping DLCI 122 to R2 and DLCI 123 to R3. Ensure that broadcasts will be sent over these virtual circuits with the broadcast keyword. Run show frame map after doing so.
Configuring frame map statements on the hub router.
R1#conf t
R1(config)#interface serial0
R1(config-if)#frame map ip 172.12.123.2 122 broadcast
R1(config-if)#frame map ip 172.12.123.3 123 broadcast
R1(config-if)#int s0
R1(config-if)#no shut
R1(config-if)#
03:05:51: %LINK-3-UPDOWN: Interface Serial0, changed state to up
03:05:52: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0, changed state to up

R1#show frame map
Serial0 (up): ip 172.12.123.2 dlci 122(0x7A,0x1CA0), static, broadcast, CISCO, status defined, inactive
Serial0 (up): ip 172.12.123.3 dlci 123(0x7B,0x1CB0), static, broadcast, CISCO, status defined, inactive
The mappings are inactive because Frame Relay has not yet been configured on the remote routers R2 and R3.

With show frame map, if you see the PVC is inactive, there's a problem on the other end. If you see deleted, there's a problem on the local end (either a problem with the mapping, or the interface is still shut).
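The inactive-versus-deleted rule above, turned into a check you can run over captured show frame map output. This is an added Python example, not part of the workbook; the sample lines are constructed from the R1, R2 and R3 output in this lab, with one line altered to the deleted status so that both cases are exercised.

```python
import re

# Added example, not from the workbook: a small parser for 'show frame map'
# output that applies the rule from the text (inactive = far-end problem,
# deleted = local problem). The sample lines are constructed, modelled on
# the R1, R2 and R3 output shown in this lab; the 'deleted' line is made up.
SAMPLE_SHOW_FRAME_MAP = """\
Serial0 (up): ip 172.12.123.2 dlci 122(0x7A,0x1CA0), static, broadcast, CISCO, status defined, inactive
Serial0 (up): ip 172.12.123.3 dlci 123(0x7B,0x1CB0), static, broadcast, CISCO, status deleted
Serial0.123 (up): ip 172.12.123.1 dlci 221(0xDD,0x34D0), static, broadcast, CISCO, status defined, active
Serial0.31 (up): point-to-point dlci, dlci 321(0x141,0x5010), broadcast status defined, active
"""

# Pieces of one map line: interface and its state, optional next-hop IP,
# DLCI number, and the PVC status the text tells you to look at.
_IFACE = re.compile(r"^(?P<iface>\S+) \((?P<state>\w+)\):")
_IP = re.compile(r"\bip (?P<ip>\d{1,3}(?:\.\d{1,3}){3})\b")
_DLCI = re.compile(r"\bdlci (?P<dlci>\d+)\(")
_STATUS = re.compile(r"\bstatus (?P<status>deleted|defined, (?:active|inactive))\s*$")

# What the text says each PVC status means for troubleshooting.
DIAGNOSIS = {
    "active": "ok",
    "inactive": "problem on the other end (remote router not yet configured or down)",
    "deleted": "problem on the local end (bad mapping, or the interface is still shut)",
}


def parse_frame_map(output: str) -> list:
    """Turn 'show frame map' text into one dict per mapping; non-map lines are skipped."""
    entries = []
    for line in output.splitlines():
        iface = _IFACE.search(line)
        dlci = _DLCI.search(line)
        status = _STATUS.search(line)
        if not (iface and dlci and status):
            continue  # blank line, a prompt, or a line we do not understand
        ip = _IP.search(line)
        entries.append({
            "interface": iface.group("iface"),
            "interface_state": iface.group("state"),
            "next_hop": ip.group("ip") if ip else None,  # None on point-to-point subinterfaces
            "dlci": int(dlci.group("dlci")),
            "static": ", static," in line,
            "broadcast": "broadcast" in line,
            # 'status defined, active' -> 'active'; 'status deleted' -> 'deleted'
            "pvc_status": status.group("status").split(", ")[-1],
        })
    return entries


def diagnose(entries: list) -> list:
    """Return (interface, dlci, status, what to check) for every PVC that is not active."""
    return [
        (e["interface"], e["dlci"], e["pvc_status"], DIAGNOSIS[e["pvc_status"]])
        for e in entries
        if e["pvc_status"] != "active"
    ]


if __name__ == "__main__":
    for problem in diagnose(parse_frame_map(SAMPLE_SHOW_FRAME_MAP)):
        print(problem)
```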
R2's serial0.123 interface was configured as multipoint. Configure S0 and S0.123 as follows:
R2#conf t
R2(config)#interface serial0
R2(config-if)#encapsulation frame-relay
R2(config-if)#no frame inverse-arp
R2(config-if)#interface s0.123 multipoint
R2(config-subif)#frame map ip 172.12.123.1 221 broadcast
R2(config-subif)#frame map ip 172.12.123.3 221
R2(config-subif)#int s0
R2(config-if)#no shut
R2(config-if)#
03:06:56: %LINK-3-UPDOWN: Interface Serial0, changed state to up
03:06:57: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0, changed state to up
A logical Serial interface can be either multipoint or point-to-point. When using a multipoint interface on a frame relay network, frame map statements are used just as they are on a physical interface. Enabling frame relay and disabling or enabling Inverse ARP are still done on the physical interface.
Note that the frame map statement for 172.12.123.3 does not include the broadcast keyword. Routers do not forward broadcasts, so R1 would not forward a broadcast from R2 to R3; therefore there is no reason to send them. (It's not wrong to do so, but you would be sending unnecessary broadcasts.)
Run show frame map on R2:
R2#show frame map
Serial0.123 (up): ip 172.12.123.1 dlci 221(0xDD,0x34D0), static, broadcast, CISCO, status defined, active
Serial0.123 (up): ip 172.12.123.3 dlci 221(0xDD,0x34D0), static, CISCO, status defined, active
You configured a point-to-point interface on R3 in the previous lab. The command for frame relay is a little different in this situation:
R3#conf t
R3(config)#interface serial0
R3(config-if)#encapsulation frame-relay
R3(config-if)#no frame-relay inverse-arp
R3(config-if)#interface serial 0.31 point-to-point
R3(config-subif)#frame-relay interface-dlci 321
R3(config-subif)#int s0
R3(config-if)#no shut
03:06:52: %LINK-3-UPDOWN: Interface Serial0, changed state to up
03:06:53: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0, changed state to up
Point-to-point Serial interfaces on a Frame Relay network do not use dynamic or static mappings. A point-to-point interface has only one possible destination: the other end of the point-to-point connection. With only one possible destination, no mapping is necessary. Instead, the command frame-relay interface-dlci indicates the single DLCI that will be used by this interface.
R3#show frame map
Serial0.31 (up): point-to-point dlci, dlci 321(0x141,0x5010), broadcast status defined, active
From each router, ping the other two routers' Serial interfaces on the Frame Relay network. All pings will be successful. Run show frame lmi and show frame map on each router as well. Notice that the LMI counters are incrementing, and the frame map commands show all maps as active. (Only R1 is shown here, but send pings and run your show commands on all three routers.)
R1#ping 172.12.123.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.12.123.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 68/68/68 ms

R1#ping 172.12.123.3

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.12.123.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 68/68/68 ms
R1#show frame lmi

LMI Statistics for interface Serial0 (Frame Relay DTE) LMI TYPE = CISCO
  Invalid Unnumbered info 0             Invalid Prot Disc 0
  Invalid dummy Call Ref 0              Invalid Msg Type 0
  Invalid Status Message 0              Invalid Lock Shift 0
  Invalid Information ID 0              Invalid Report IE Len 0
  Invalid Report Request 0              Invalid Keep IE Len 0
  Num Status Enq. Sent 121              Num Status msgs Rcvd 123
  Num Update Status Rcvd 0              Num Status Timeouts 0
On R1, change the frame LMI type to ANSI with the frame-relay lmi-type command. After about 30 seconds, the line will go down.
R1#conf t
R1(config)#interface serial0
R1(config-if)#frame-relay lmi-type ansi
00:46:40: %SYS-5-CONFIG_I: Configured from console by console
R1#
00:47:12: %FR-5-DLCICHANGE: Interface Serial0 - DLCI 122 state changed to INACTIVE
00:47:12: %FR-5-DLCICHANGE: Interface Serial0 - DLCI 123 state changed to INACTIVE
00:47:12: %FR-5-DLCICHANGE: Interface Serial0 - DLCI 122 state changed to DELETED
00:47:12: %FR-5-DLCICHANGE: Interface Serial0 - DLCI 123 state changed to DELETED
00:47:13: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0, changed state to down
The LMI mismatch leads to the line going down and the DLCIs going inactive.
Run show frame lmi on R1. Wait a few seconds, then run it again, then again. Notice that the Status Timeouts counter is incrementing. Once it hit 3, the line protocol came down.
R1#show frame lmi

LMI Statistics for interface Serial0 (Frame Relay DTE) LMI TYPE = ANSI
  Invalid Unnumbered info 0             Invalid Prot Disc 0
  Invalid dummy Call Ref 0              Invalid Msg Type 0
  Invalid Status Message 0              Invalid Lock Shift 0
  Invalid Information ID 0              Invalid Report IE Len 0
  Invalid Report Request 0              Invalid Keep IE Len 0
  Num Status Enq. Sent 256              Num Status msgs Rcvd 240
  Num Update Status Rcvd 0              Num Status Timeouts 16
The router is receiving LMI status messages, but when the LMI type was changed, the Status Timeouts began to accrue. This command gives an indication that there is a problem with the LMIs. The LMIs are the heartbeat of frame relay; without the right LMIs, the frame connection dies.
The myseq value continues to increase, but the yourseen value remains at 0. Between debug frame lmi and show frame lmi, it can be seen that LMI messages are being received from the DCE but not accepted, another indicator of an LMI mismatch.
Leave that debug command on, and change the LMI default back to Cisco. (You must know all three LMI types before taking the CCNA exams!)
R1#debug frame lmi
Frame Relay LMI debugging is on
Displaying all Frame Relay LMI data
R1#conf t
R1(config)#interface serial0
R1(config-if)#frame-relay lmi-type cisco
The incoming myseq packets are now being accepted, and the outgoing messages see the yourseen value begin to accrue. The DTE end of the connection goes up, the line protocol goes up soon after that, and finally the previously deleted DLCIs are again active.
Use IOS Help to see what the LMI options are.
R1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#int serial 0
R1(config-if)#frame lmi-type ?
  cisco
  ansi
  q933a
Run show frame pvc on R1. Note the status for each DLCI, and the uptime.
R1#show frame pvc

PVC Statistics for interface Serial0 (Frame Relay DTE)

              Active     Inactive      Deleted       Static
  Local          2          0            0             0
  Switched       0          0            0             0
  Unused         0          0            0             0

  input pkts 5             output pkts 5            in bytes 520
  out bytes 520            dropped pkts 0           in pkts dropped 0
  out pkts dropped 0                out bytes dropped 0
  in FECN pkts 0           in BECN pkts 0           out FECN pkts 0
  out BECN pkts 0          in DE pkts 0             out DE pkts 0
  out bcast pkts 0         out bcast bytes 0
  pvc create time 00:49:19, last time pvc status changed 00:01:15

  input pkts 17            output pkts 5            in bytes 4024
  out bytes 520            dropped pkts 0           in pkts dropped 0
  out pkts dropped 0                out bytes dropped 0
  in FECN pkts 0           in BECN pkts 0           out FECN pkts 0
  out BECN pkts 0          in DE pkts 0             out DE pkts 0
  out bcast pkts 0         out bcast bytes 0
  pvc create time 00:49:12, last time pvc status changed 00:01:17
Before you take your CCNA exams, be very familiar with what each of these commands shows you, and with what the letters FECN, BECN, and DE mean:
FECN: Congestion was experienced in the direction in which this packet was traveling.
BECN: Congestion was experienced in the direction opposite to the one in which this packet was traveling.
DE: Packet was marked discard eligible.
ISDN / Point-To-Point Lab
R1 and R3 are directly connected via their S1 interfaces by a DTE/DCE cable. Before taking your CCNA exams, you MUST know what command will tell you whether the DTE or DCE end of the cable is connected to a router. Here's how you do it:
show controller displays the DTE and DCE ends of the connection. The output of these commands has been truncated for clarity.
R1#show controller serial 1
HD unit 1, idb = 0x107114, driver structure at 0x10C590
buffer size 1524  HD unit 1, V.35 DTE cable

R3#show controller serial 1
HD unit 1, idb = 0xC7D1C, driver structure at 0xCCAA0
buffer size 1524  HD unit 1, V.35 DCE cable
Ping R1's serial interface from R3.
R3#ping 172.12.13.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.12.13.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
The escape sequence for pings is CTRL-SHIFT-6 performed twice in succession.
The ping fails. Run show interface serial1 to see why.
R3#show interface serial1
Serial1 is up, line protocol is down
  Hardware is HD64570
  Internet address is 172.12.13.3/24
The truncated output of show interface serial1 shows the physical interface is up, but the line protocol is down.
The line protocol is down because the DCE end of the cable must supply a clock rate to the DTE end. To resolve this, configure clock rate 56000 on R3's Serial interface. Once the line protocol is up, run show interface serial1 again to verify, and ping R1's Serial interface again. The ping will succeed.
R3#conf t
R3(config)#interface serial1
R3(config-if)#clock rate 56000

%LINEPROTO-5-UPDOWN: Line protocol on Interface Serial1, changed state to up

R3#show interface serial1
Serial1 is up, line protocol is up
  Hardware is HD64570
  Internet address is 172.12.13.3/24
Once the DCE supplies a clock rate to the DTE, the line comes up.
R3#ping 172.12.13.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.12.13.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 36/36/36 ms

The ping is successful.
The two BRI interfaces will now be configured with PPP PAP authentication. You assigned IP addresses to these interfaces in the IP addressing lab. You will use the phone numbers sent with your authentication information. Configure the ISDN switchtype with the global isdn switch-type command, and run show isdn status to verify. Layer 1 will be ACTIVE and Layer 2 will show a TEI assigned.
Note that while only R1 is shown here, isdn switch-type must be configured on R1 AND R2. This command is necessary on any Cisco router running ISDN; if you leave it out, everything else can be perfect and the connection will not work.
R1#conf t
R1(config)#isdn switch-type basic-ni
R1(config)#^Z
R1#show isdn status
Global ISDN Switchtype = basic-ni
ISDN BRI0 interface
        dsl 0, interface ISDN Switchtype = basic-ni
    Layer 1 Status:
        ACTIVE
    Layer 2 Status:
        TEI = 66, Ces = 1, SAPI = 0, State = MULTIPLE_FRAME_ESTABLISHED
    Layer 3 Status:
        0 Active Layer 3 Call(s)

Configure dialer map statements on R1 and R2, each mapping to the other router's BRI interface. Ping R1's BRI interface from R2. Put the phone numbers you were sent in email in place of the xxxxxxx you see below.
NOTE: If you changed the names of R1 and R2, change them back to those names with the hostname command. The hostnames R1 and R2 will be used for authentication in this lab, as you'll soon see.
R1#conf t
R1(config)#interface bri0
R1(config-if)#dialer map ip 172.12.21.2 name R2 broadcast xxxxxxx

R2#conf t
R2(config)#interface bri0
R2(config-if)#dialer map ip 172.12.21.1 name R1 broadcast xxxxxxx

R2#ping 172.12.21.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.12.21.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
The dialer map configuration is correct, but the pings do not go through.
The ping fails because there is no interesting traffic defined that will bring the line up. Using the dialer-list and dialer-group commands, allow any IP traffic to bring up the line. Ping R1 from R2. After the ping goes through, run show dialer to see what packets brought the line up.
All IP traffic is defined as interesting traffic by the dialer-list command, and that list is called by the dialer-group command. The ping packets bring the line up.
R1#conf t
R1(config)#dialer-list 1 protocol ip permit
R1(config)#interface bri0
R1(config-if)#dialer-group 1

R2#conf t
R2(config)#dialer-list 1 protocol ip permit
R2(config)#interface bri0
R2(config-if)#dialer-group 1

R2#ping 172.12.21.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.12.21.1, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 36/37/40 ms
%LINK-3-UPDOWN: Interface BRI0:1, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface BRI0:1, changed state to up
R2#
%ISDN-6-CONNECT: Interface BRI0:1 is now connected to 8358661 R1
It's normal for a ping to be 80 percent successful the first time you ping a destination. After that, you'll see 100 percent connectivity.
R2#show dialer
BRI0 - dialer type = ISDN

Dial String      Successes   Failures    Last called   Last status
8358661                  2          0    00:00:04       successful
0 incoming call(s) have been screened.

BRI0:1 - dialer type = ISDN
Idle timer (120 secs), Fast idle timer (20 secs)
Wait for carrier (30 secs), Re-enable (15 secs)
Dialer state is data link layer up
Dial reason: ip (s=172.12.21.2, d=172.12.21.1)
Time until disconnect 117 secs
Connected to 8358661 (R1)
The dial reason in the output of show dialer clearly shows the source (s) and destination (d) of the packet that caused the line to dial. While it was obvious here why the line went up, routing protocols send multicasts and broadcasts that can cause such a line to dial and stay dialed for days, weeks, or even months at a time, which costs a great deal of money. This command is vital in diagnosing any issue involving an ISDN line that dials and stays up.
The routers will now authenticate each other with PAP over the ISDN link. Configure the global username / password command on each router, naming the remote router as the username and the password the remote router will be sending as the password. Use encapsulation ppp and ppp authentication pap to enable each router to authenticate the other. Have R1 send a password of CCNA and R2 a password of CISCO. Use the ppp pap sent-username command as shown in the following illustration.
Note that you have to manually configure PPP. The default encapsulation for a Serial or BRI interface is HDLC. You'll also see the TEI go down and then come back up; that's normal when you change the encapsulation.
R1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#username R2 password CISCO
R1(config)#int bri0
R1(config-if)#encapsulation ppp
03:45:46: %ISDN-6-LAYER2DOWN: Layer 2 for Interface BR0, TEI 66 changed to down
03:45:48: %ISDN-6-LAYER2UP: Layer 2 for Interface BR0, TEI 66 changed to up
R1(config-if)#ppp authentication pap
R1(config-if)#ppp pap sent-username R1 password CCNA
R1(config-if)#^Z
R1#

R2#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R2(config)#username R1 password CCNA
R2(config)#int bri0
R2(config-if)#encapsulation ppp
03:47:36: %ISDN-6-LAYER2DOWN: Layer 2 for Interface BR0, TEI 66 changed to down
03:47:37: %ISDN-6-LAYER2UP: Layer 2 for Interface BR0, TEI 66 changed to up
R2(config-if)#ppp pap sent-username R2 password CISCO
R2(config-if)#^Z
R2#
Run debug ppp negotiation on R2 and ping R1's BRI interface.
R2#debug ppp negotiation
PPP protocol negotiation debugging is on
R2#ping 172.12.21.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.12.21.1, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 36/37/40 ms
%LINK-3-UPDOWN: Interface BRI0:1, changed state to up
BR0:1 PPP: Phase is AUTHENTICATING, by both
< Both routers are authenticating the other. >
BR0:1 PAP: O AUTH-REQ id 1 len 13 from "R2"
< R2 is sending an authentication request to R1. >
BR0:1 PAP: I AUTH-ACK id 1 len 5
< The I indicates an incoming packet; the remote router is acknowledging the authentication request. >
BR0:1 PAP: I AUTH-REQ id 1 len 12 from "R1"
< A PAP authentication request has been received from R1. >
BR0:1 PAP: Authenticating peer R1
< R1 is being authenticated. >
BR0:1 PAP: O AUTH-ACK id 1 len 5
< An acknowledgment of the PAP authentication request from R1 is sent. >
Notice that with PAP, there is authentication, but there are no challenge/responses shown in the debug. That will change when you configure CHAP.
Before configuring CHAP, do the following:
1. Run no encapsulation ppp under both BRI interfaces.
2. Remove the username/password statements simply by repeating the earlier commands with the word no in front of the command, as shown below.
A tip: When you need to remove a command from a Cisco router, you'll usually do it just by running the same command with the word no in front of it.
Also, anytime you want to look at the running configuration of the router, run show config. Hit the enter key to go down one line at a time, and the space bar to go down a full screen. When you see what you wanted to see, hit ESC to get back to the prompt.
R1#conf t
R1(config)#no username R2 password CISCO
R1(config)#int bri0
R1(config-if)#no encapsulation ppp
R1(config-if)#^Z
R1#
03:56:01: %ISDN-6-LAYER2DOWN: Layer 2 for Interface BR0, TEI 66 changed to down
03:56:02: %ISDN-6-LAYER2UP: Layer 2 for Interface BR0, TEI 66 changed to up

R2#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R2(config)#no username R1 password CCNA
R2(config)#interface bri0
R2(config-if)#no encapsulation ppp
R2(config-if)#^Z
03:56:58: %ISDN-6-LAYER2DOWN: Layer 2 for Interface BR0, TEI 66 changed to down
03:56:59: %ISDN-6-LAYER2UP: Layer 2 for Interface BR0, TEI 66 changed to up
Configure the routers for CHAP authentication. The switch-type, dialer map statements, and dialer-lists have already been configured. On both R1 and R2, configure a username / password statement with the password CCNA. Configure both routers for PPP encapsulation and CHAP authentication with the encapsulation ppp and ppp authentication chap commands.
R1#conf t
R1(config)#username R2 password CCNA
R1(config)#interface bri0
R1(config-if)#encapsulation ppp
03:58:58: %ISDN-6-LAYER2DOWN: Layer 2 for Interface BR0, TEI 66 changed to do
03:58:59: %ISDN-6-LAYER2UP: Layer 2 for Interface BR0, TEI 66 changed to up
R1(config-if)#ppp authentication chap
R1(config-if)#^Z
R1#

R2#conf t
R2(config)#username R1 password CCNA
R2(config)#interface bri0
R2(config-if)#encapsulation ppp
04:00:00: %ISDN-6-LAYER2DOWN: Layer 2 for Interface BR0, TEI 66 changed to down
04:00:01: %ISDN-6-LAYER2UP: Layer 2 for Interface BR0, TEI 66 changed to up
R2(config-if)#ppp authentication chap
R2(config-if)#^Z
With CHAP, the passwords must be the same. Note that there is no sent-password command, as there was with PAP.
Run debug ppp negotiation, and ping R1 from R2.
R2#debug ppp negotiation
PPP protocol negotiation debugging is on
R2#ping 172.12.21.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.12.21.1, timeout is 2 seconds:

04:01:30: %LINK-3-UPDOWN: Interface BRI0:1, changed state to up
04:01:30: BR0:1 PPP: Using dialer call direction
04:01:30: BR0:1 PPP: Treating connection as a callout
04:01:30: BR0:1 PPP: Phase is ESTABLISHING, Active Open [0 sess, 0 load]
04:01:30: BR0:1 LCP: O CONFREQ [Closed] id 1 len 15
04:01:30: BR0:1 LCP:    AuthProto CHAP (0x0305C22305)
04:01:30: BR0:1 LCP:    MagicNumber 0x1158551A (0x05061158551A)
04:01:30: BR0:1 LCP: I CONFREQ [REQsent] id 1 len 15
04:01:30: BR0:1 LCP:    AuthProto CHAP (0x0305C22305)
04:01:30: BR0:1 LCP:    MagicNumber 0x1158F056 (0x05061158F056)
04:01:30: BR0:1 LCP: O CONFACK [REQsent] id 1 len 15
04:01:30: BR0:1 LCP:    AuthProto CHAP (0x0305C22305)
04:01:30: BR0:1 LCP:    MagicNumber 0x1158F056 (0x05061158F056)
04:01:30: BR0:1 LCP: I CONFACK [ACKsent] id 1 len 15
04:01:30: BR0:1 LCP:    AuthProto CHAP (0x0305C22305)
04:01:30: BR0:1 LCP:    MagicNumber 0x1158551A (0x05061158551A)
04:01:30: BR0:1 LCP: State is Open
04:01:30: BR0:1 PPP: P.!hase is AUTHENTICATING, by both [0 sess, 0 load]
04:01:30: BR0:1 CHAP: O CHALLENGE id 1 len 23 from "R2"
04:01:30: BR0:1 CHAP: I CHALLENGE id 1 len 23 from "R1"
04:01:30: BR0:1 CHAP: O RESPONSE id 1 len 23 from "R2"
04:01:30: BR0:1 CHAP: I SUCCESS id 1 len 4
04:01:30: BR0:1 CHAP: I RESPONSE id 1 len 23 from "R1"
04:01:30: BR0:1 CHAP: O SUCCESS id 1 len 4
04:01:30: BR0:1 PPP: Phase is UP [0 sess, 0 load]
04:01:30: BR0:1 IPCP: O CONFREQ [Closed] id 1 len 10
04:01:30: BR0:1 IPCP:    Address 172.12.21.2 (0x0306AC0C1502)
04:01:30: BR0:1 CDPCP: O CONFREQ [Closed] id 1 len 4
04:01:30: BR0:1 IPCP: I CONFREQ [REQsent] id 1 len 10
04:01:30: BR0:1 IPCP:    Address 172.12.21.1 (0x0306AC0C1501)
04:01:30: BR0:1 IPCP: O CONFACK [REQsent] id 1 len 10
04:01:30: BR0:1 IPCP:    Address 172.12.21.1 (0x0306AC0C1501)
04:01:30: BR0:1 CDPCP: I CONFREQ [REQsent] id 1 len 4
04:01:30: BR0:1 CDPCP: O CONFACK [REQsent] id 1 len 4
04:01:30: BR0:1 IPCP: I CONFACK [ACKsent] id 1 len 10
04:01:30: BR0:1 IPCP:    Addr!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 36/49/88 ms
R2#ess 172.12.21.2 (0x0306AC0C1502)
04:01:30: BR0:1 IPCP: State is Open
04:01:30: BR0:1 CDPCP: I CONFACK [ACKsent] id 1 len 4
04:01:30: BR0:1 CDPCP: State is Open
04:01:30: BR0 IPCP: Install route to 172.12.21.1
04:01:31: %LINEPROTO-5-UPDOWN: Line protocol on Interface BRI0:1, changed state to up
R2#
04:01:36: %ISDN-6-CONNECT: Interface BRI0:1 is now connected to 5551111 R1
As before, run show dialer to see what interesting traffic brought the link up.
R2#show dialer
BRI0 - dialer type = ISDN

Dial String      Successes   Failures    Last called   Last statu
8358661                  4          0    00:00:12       successfu
0 incoming call(s) have been screened.

BRI0:1 - dialer type = ISDN
Idle timer (120 secs), Fast idle timer (20 secs)
Wait for carrier (30 secs), Re-enable (15 secs)
Dialer state is data link layer up
Dial reason: ip (s=172.12.21.2, d=172.12.21.1)
Time until disconnect 109 secs
Connected to 8358661 (R1)

BRI0:2 - dialer type = ISDN
Idle timer (120 secs), Fast idle timer (20 secs)
Wait for carrier (30 secs), Re-enable (15 secs)
Dialer state is idle
The ping packet from R2 was the cause of the line dialing.
Obviously, there's a lot more going on here. Notice the challenges and responses being sent by both sides.
I recommend you run CHAP by using mismatched passwords, and run this same debug so you can see what it looks like when theres a problem with passwords.
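The challenge/response exchange shown in the debug, as an added Python model that is not part of the workbook (the lab itself is Cisco IOS): each router holds a username line for the other, only an MD5 digest of the secret crosses the wire, and the mismatched-password case suggested above ends in FAILURE rather than SUCCESS. The Router class, the dict packets and the random 16-byte challenges are assumptions of the model, not IOS internals.

```python
import hashlib
import secrets
from dataclasses import dataclass, field

# Added example, not from the workbook: a Python model of the CHAP exchange
# (RFC 1994) seen in the debug above, with both routers authenticating each
# other. R1 and R2 are the lab hostnames; each Router's 'usernames' table
# stands in for its "username <peer> password <secret>" line. Packets are
# plain dicts; the challenge values are random, as in the real protocol.


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 section 4.1: Response value = MD5(Identifier || secret || Challenge).

    Only this 16-byte digest and the sender's name go on the wire; the secret
    itself never does, which is the difference from PAP's AUTH-REQ."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


@dataclass
class Router:
    hostname: str
    usernames: dict                                 # peer hostname -> shared secret
    _pending: dict = field(default_factory=dict)    # identifier -> challenge we sent

    def send_challenge(self, identifier: int) -> dict:
        """Build a CHALLENGE packet ('O CHALLENGE id 1 len 23 from "R2"')."""
        challenge = secrets.token_bytes(16)
        self._pending[identifier] = challenge
        return {"code": "CHALLENGE", "id": identifier,
                "value": challenge, "name": self.hostname}

    def answer_challenge(self, packet: dict) -> dict:
        """Build the RESPONSE to a peer's CHALLENGE from the secret held for that peer.

        With no 'username' line for the peer's name the digest cannot match
        (model simplification: an empty secret is used)."""
        secret = self.usernames.get(packet["name"], "").encode()
        digest = chap_response(packet["id"], secret, packet["value"])
        return {"code": "RESPONSE", "id": packet["id"],
                "value": digest, "name": self.hostname}

    def verify_response(self, packet: dict) -> dict:
        """Recompute the digest with our own copy of the secret; SUCCESS only on an exact match."""
        challenge = self._pending.pop(packet["id"], None)
        peer_secret = self.usernames.get(packet["name"])
        if challenge is None or peer_secret is None:
            return {"code": "FAILURE", "id": packet["id"]}
        expected = chap_response(packet["id"], peer_secret.encode(), challenge)
        ok = secrets.compare_digest(expected, packet["value"])
        return {"code": "SUCCESS" if ok else "FAILURE", "id": packet["id"]}


def authenticate_both(a: Router, b: Router, identifier: int = 1) -> list:
    """'Phase is AUTHENTICATING, by both': each side challenges the other.

    Returns the packet trace as (sender, code) tuples in wire order."""
    trace = []
    for challenger, responder in ((a, b), (b, a)):
        chal = challenger.send_challenge(identifier)
        trace.append((challenger.hostname, "CHALLENGE"))
        resp = responder.answer_challenge(chal)
        trace.append((responder.hostname, "RESPONSE"))
        result = challenger.verify_response(resp)
        trace.append((challenger.hostname, result["code"]))
    return trace


def link_authenticated(trace: list) -> bool:
    """PPP moves to 'Phase is UP' only if both directions ended in SUCCESS."""
    outcomes = [code for _, code in trace if code in ("SUCCESS", "FAILURE")]
    return len(outcomes) == 2 and all(code == "SUCCESS" for code in outcomes)


if __name__ == "__main__":
    # Lab configuration: 'username R2 password CCNA' on R1, 'username R1 password CCNA' on R2.
    good = authenticate_both(Router("R1", {"R2": "CCNA"}), Router("R2", {"R1": "CCNA"}))
    print(good, "->", link_authenticated(good))
    # Mismatched passwords, the case the text suggests trying with the same debug on.
    bad = authenticate_both(Router("R1", {"R2": "CCNA"}), Router("R2", {"R1": "CISCO"}))
    print(bad, "->", link_authenticated(bad))
```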
Turn your debugs off with undebug all.
Using ppp multilink and dialer load-threshold, configure the ISDN interface on R1 to bring up the second B-channel when the first B-channel reaches 50% of its outbound capacity. You can also change the dialer idle-timeout default of 120 seconds as shown below. (Remember that only interesting traffic resets the idle-timeout.)
R1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#interface bri0
R1(config)#dialer idle-timeout 30   (This value is in seconds, not minutes!)
R1(config-if)#ppp multilink
R1(config-if)#dialer load-thresh 127 ?
  either    Threshold decision based on max of inbound and outbound traffic
  inbound   Threshold decision based on inbound traffic only
  outbound  Threshold decision based on outbound traffic only
  <cr>
R1(config-if)#dialer load-thresh 127 outbound
It's very important that you realize that the value you enter with dialer load-threshold is a ratio of 255, not 100. If you wanted to have the second B-channel come up when the first one reaches 75% capacity, you'd need to enter the number that is 75% of 255, NOT 100.
Also, you must configure ppp multilink to have the second link come up at the specified capacity level.
The following dialer profile lab is a bonus. It's doubtful you'll be asked anything about dialer profiles on the CCNA exams, but the chance is there. Make sure you're proficient with PAP, CHAP, and the different ISDN show and debug commands covered earlier before spending time configuring dialer profiles.
On the BRI interface, remove the following: the PPP encapsulation type, the dialer-map statement, the dialer-group statement, the dialer-load statement, the IP address, and any commands referencing PAP or CHAP authentication.
The ISDN switch-type command and username / password command should remain.
R1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#interface bri0
R1(config-if)#no encapsulation ppp
R1(config-if)#no dialer map ip 172.12.21.2 name R2 broadcast 8358662
R1(config-if)#no dialer-group 1
R1(config-if)#no dialer load-threshold 127 outbound
R1(config-if)#no ip address
Make sure the TEI comes back up after going down. If it does not, shut and reopen the BRI interface.
After removing these statements, the running config should show this for the BRI interface:
interface BRI0
 no ip address
 isdn switch-type basic-ni
Configure a dialer profile with the command interface dialer 1 on R1. The IP address that was on the BRI interface will be placed on this logical interface. Use dialer remote-name to indicate the name of the remote router to be dialed, and dialer string to configure the number to be dialed.
R1#conf t
R1(config)#interface dialer1
R1(config-if)#dialer-group 1
The physical BRI interface and logical Dialer interface must now be linked. Configure Dialer1 with the dialer pool 1 command, then make the BRI interface a member of that pool with the dialer pool-member 1 command.
R1#conf t
R1(config)#interface dialer1
R1(config-if)#dialer pool 1
R1#conf t
R1(config)#interface bri0
R1(config-if)#dialer pool-member 1

R2 is still using PPP encapsulation and CHAP authentication; R1 must also. On both the physical and logical interfaces, configure encapsulation ppp and ppp authentication chap.
R1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#interface bri0
R1(config-if)#encapsulation ppp
R1(config-if)#ppp authentication chap

R1(config)#interface dialer1
R1(config-if)#encapsulation ppp
R1(config-if)#ppp authentication chap
When the encapsulation type is changed on the physical interface, the TEI goes down and comes back up. If the TEI doesn't come back up, shut and reopen the physical interface. No such up / down behavior will occur when the encapsulation type is configured on the logical interface.
Run debug ppp negotiation and ping R2's BRI interface.
R1#debug ppp negotiation
PPP protocol negotiation debugging is on
R1#ping 172.12.21.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.12.21.2, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 36/36/36 ms

22:12:07: %LINK-3-UPDOWN: Interface BRI0:1, changed state to up
22:12:07: %DIALER-6-BIND: Interface BRI0:1 bound to profile Dialer1
22:12:07: %ISDN-6-CONNECT: Interface BRI0:1 is now connected to 8358662
22:12:07: BR0:1 PPP: Phase is AUTHENTICATING, by both
22:12:07: BR0:1 CHAP: O CHALLENGE id 3 len 23 from "R1"
22:12:07: BR0:1 CHAP: I CHALLENGE id 3 len 23 from "R2"
22:12:07: BR0:1 CHAP: O RESPONSE id 3 len 23 from "R1"
22:12:07: BR0:1 CHAP: I SUCCESS id 3 len 4
22:12:07: BR0:1 CHAP: I RESPONSE id 3 len 23 from "R2"
22:12:07: BR0:1 CHAP: O SUCCESS id 3 len 4
22:12:07: BR0:1 PPP: Phase is UP
< The expected series of challenges, responses, and successes occurs. >
R1#show dialer
BRI0:1 - dialer type = ISDN
Idle timer (120 secs), Fast idle timer (20 secs)
Wait for carrier (30 secs), Re-enable (15 secs)
Dialer state is data link layer up
Dial reason: ip (s=172.12.21.1, d=172.12.21.2)
Interface bound to profile Dialer1
Time until disconnect 112 secs
Current call connected 00:00:10
Connected to 8358662 (R2)

Dialer1 - dialer type = DIALER PROFILE
Idle timer (120 secs), Fast idle timer (20 secs)
Wait for carrier (30 secs), Re-enable (15 secs)
Dialer state is data link layer up
The BRI physical interface is bound to Dialer1, the logical interface, and the status of the Dialer Profile is up as well.
NOTE: If you keep the dialer profile on this router during the protocol labs, make sure to substitute dialer0 or dialer1, whichever you named this interface, for bri0 in the passive-interface command in the following labs.
Passwords and Services Lab
REMINDER: Please use only the words cisco and ccna for passwords, without the quotation marks. Thank you!
Configuring Router Passwords
The first two passwords to configure are the enable secret and enable password. If the names sound alike, that's because they have the same function. The user will be prompted to enter this password when entering privileged exec mode. The enable password is for older routers, also referred to as legacy routers. The enable secret password will be used by the majority of the users.
If both passwords are in effect, the enable secret password takes precedence.
R3#conf t
R3(config)#enable password cisco
R3(config)#^Z
R3#logout
The enable password has been set. Users will be prompted for this password when attempting to enter privileged exec mode. To test this, log out with the logout command as shown, and use the password cisco to get back in.
R3 con0 is now available

Press RETURN to get started.

R3>en
Password:
R3#
The user was prompted for the enable password before being allowed into privileged exec mode. The password does not appear as it is being keyed in.
Now set an enable secret password of ccna. Log out, and try the enable password cisco. You won't be allowed access, since the enable secret of ccna is taking precedence. The enable secret password always has precedence over the enable password.
R3#conf t
R3(config)#enable secret ccna
R3(config)#^Z
R3#logout
The enable secret password has been set. Users will be prompted for this password when attempting to enter privileged exec mode.
R3 con0 is now available

Press RETURN to get started.

R3>en
Password:
R3#
The user was prompted for the enable secret password before being allowed into privileged exec mode. The password does not appear as it is being keyed in. The previously set enable password of cisco no longer works.
A password can also be set for the console. Enter line configuration mode with the command line console 0, enter login to have the user prompted for a password when logging on to the console, and use the password command to set the password.
R3#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R3(config)#line console 0
R3(config-line)#login
R3(config-line)#password cisco
R3(config-line)#^Z
R3#logout
R3 con0 is now available

Press RETURN to get started.

User Access Verification

Password: <cisco was entered here>
R3>enable
Password: <ccna was entered here>
R3#
The user is now prompted for the console password before user exec mode can be accessed. After entering that password, the user is prompted for the enable secret password to enter privileged exec mode.
Now you've set an enable password, an enable secret password, and a console password. The final password you need to set is the one used to authenticate Telnet users. (By default, a Cisco router supports five simultaneous Telnet sessions, on vty lines 0 through 4. This configuration applies the same password to all five lines.)
R3#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R3(config)#line vty 0 4
R3(config-line)#login
% Login disabled on line 2, until 'password' is set
% Login disabled on line 3, until 'password' is set
% Login disabled on line 4, until 'password' is set
% Login disabled on line 5, until 'password' is set
% Login disabled on line 6, until 'password' is set
R3(config-line)#password cisco
It really doesn't matter in which order you enter the login command and the password; as you can see, if you enable login first, you're reminded that no one can log in until a password is set. By default, a Cisco router will not allow anyone to connect to it via Telnet unless a password has been configured on the vty lines. Keep in mind what this password does and does not do: Telnet carries it, and everything typed after it, across the network in clear text, so the vty password controls who may log in but does nothing to protect the session itself.
Encrypting All Router Passwords In The Running Configuration
After configuring a console password and a telnet password, the passwords appear in the running configuration in clear-text.
R3#show config
<output truncated for clarity>
!
line con 0
 password cisco
 login
line aux 0
line vty 0 4
 password cisco
 login
By default, only the enable secret is protected in the running configuration, and it is stored as a hash rather than encrypted. To obscure the remaining passwords in the running config, use the global command service password-encryption.
R3#conf t
R3(config)#service password-encryption

R3#show config
service password-encryption
!
line con 0
 password 7 10692C2D3C3827392F27040A
 login
line aux 0
line vty 0 4
 password 7 14343B382F2B
 login
!
end
The 7 is not a strength level, and there is no 0 to 7 scale of encryption. It is the password type: 0 marks a clear-text password, 7 marks the weak, reversible encoding that service password-encryption applies, and 5 marks the MD5 hash that enable secret uses. Type 7 is a fixed-key substitution that has been public since the 1990s; anyone who can read the configuration, whether from a backup, a TFTP server, or a show running-config over your shoulder, can recover every type 7 password instantly. It defeats a casual glance and nothing more. The enable secret is the only password on this router that cannot simply be decoded from the configuration, because it is stored as a one-way hash rather than a reversible encoding.
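The strings in the show config output above are all the evidence needed that type 7 is not protection. Here, as an added example (not code from the workbook), is the scheme itself in Python: a decoder, an encoder that produces strings IOS will accept, and a scan over a configuration fragment reconstructed from the output above. The key string is the constant IOS uses and has long been public; the seed range 0 to 15 is what IOS generates.

```python
"""Cisco 'type 7' password encoding, as applied by service password-encryption.

Added example, not code from the workbook.  The scheme is a fixed-key
Vigenere/XOR: the first two digits are a decimal offset into a constant
key string (public since the 1990s), and each following hex byte is one
password character XORed with the key character at that position.
Anyone holding the configuration can reverse it instantly.
"""
import re
from typing import Dict

# Constant key embedded in IOS; well known and published in many tools.
XLAT = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"
TYPE7_RE = re.compile(r"^(\d{2})([0-9A-Fa-f]{2,})$")


def decode_type7(encoded: str) -> str:
    """Recover the plaintext from a 'password 7 ...' string."""
    m = TYPE7_RE.match(encoded.strip())
    if not m or len(m.group(2)) % 2:
        raise ValueError(f"not a type 7 string: {encoded!r}")
    seed = int(m.group(1))
    if not 0 <= seed <= 15:
        raise ValueError("seed out of the range IOS generates")
    data = bytes.fromhex(m.group(2))
    plain = bytes(b ^ XLAT[(seed + i) % len(XLAT)] for i, b in enumerate(data))
    return plain.decode("latin-1")


def encode_type7(plaintext: str, seed: int = 0) -> str:
    """Produce a string IOS would accept; the seed is arbitrary in 0..15."""
    if not 0 <= seed <= 15:
        raise ValueError("seed must be 0..15")
    raw = plaintext.encode("latin-1")
    enc = bytes(c ^ XLAT[(seed + i) % len(XLAT)] for i, c in enumerate(raw))
    return f"{seed:02d}{enc.hex().upper()}"


def find_type7_passwords(config: str) -> Dict[str, str]:
    """Walk a configuration and return every type 7 secret in it, decoded.

    Matches 'password 7 <hex>', 'key 7 <hex>' and 'key-string 7 <hex>' lines.
    """
    found: Dict[str, str] = {}
    for line in config.splitlines():
        m = re.search(r"\b(?:password|key-string|key) 7 ([0-9A-Fa-f]+)\b", line)
        if m:
            found[line.strip()] = decode_type7(m.group(1))
    return found


# Reconstructed from the show config output above (constructed sample input).
SAMPLE_CONFIG = """\
line con 0
 password 7 10692C2D3C3827392F27040A
 login
line vty 0 4
 password 7 14343B382F2B
 login
"""

if __name__ == "__main__":
    for line, secret in find_type7_passwords(SAMPLE_CONFIG).items():
        print(f"{line:40s} -> {secret}")
    print("round trip:", decode_type7(encode_type7("cisco", seed=2)))
```

Run against the two strings above, the decoder returns CISCO and GETYOURCCNA rather than the lowercase cisco the lab text prescribes, which shows how little the encoding hides: a printed page is enough to recover what was typed. Treat any configuration containing type 7 strings as containing those passwords in the clear, and use enable secret (type 5) wherever the platform offers it.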
Cisco Discovery Protocol
Cisco Discovery Protocol (CDP) runs by default between all directly connected Cisco devices.
show cdp neighbors displays all directly connected Cisco routers and switches. CDP is Cisco-proprietary, so it will not display non-Cisco devices.
CDP can be disabled at both the global and interface level. To disable CDP at the interface level, run no cdp enable on the interface, and cdp enable to turn it back on. Because CDP advertises the router's hostname, platform, software version, and addresses in clear text to anyone listening on the segment, it is normally disabled on interfaces that face untrusted networks.
cdp timer sets how often CDP advertisements are sent (default 60 seconds); cdp holdtime sets how long a neighbor keeps the information from an advertisement before discarding it (default 180 seconds).
To turn CDP off for the entire router, run no cdp run. To view the current global status of CDP, run show cdp.
Run each of these commands on all five of your devices. Practice turning CDP off and on at the global level and the interface level until you're very confident that you know which command is which.
R2#show cdp
Global CDP information:
        Sending CDP packets every 45 seconds
        Sending a holdtime value of 100 seconds
The CDP timers have been changed from their defaults (the output above reflects cdp timer 45 and cdp holdtime 100 entered in global configuration mode). show cdp interface gives the timer information for each interface on the router.
R2#conf t
R2(config)#interface bri0
R2(config-if)#no cdp enable
CDP is disabled on the BRI interface. This does NOT have to be done to keep the line from dialing, as will be shown.
R2#conf t
R2(config)#no cdp run
CDP is disabled globally.
R2#show cdp
% CDP is not enabled
CDP has been successfully disabled.
Knowing which password does what is vital to passing the CCNA exams. Know how to configure and spot a correctly configured console password, enable password, and telnet password. And you REALLY need to know CDP inside and out! There's not much there, but you gotta know it!

Static Routing Lab
Create a static route on R3 and one on R1 that will allow R3 to successfully ping R2's loopback interface, 2.2.2.2. The route should match only traffic destined for 2.2.2.2 (a host route). Use show ip route to display the static routes.
R3#conf t
R3(config)#ip route 2.2.2.2 255.255.255.255 172.12.123.1
R3#show ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, * - candidate default
       U - per-user static route, o - ODR

Gateway of last resort is not set

     2.0.0.0/32 is subnetted, 1 subnets
S       2.2.2.2 [1/0] via 172.12.123.1
     3.0.0.0/27 is subnetted, 1 subnets
C       3.3.3.0 is directly connected, Loopback0
     172.12.0.0/24 is subnetted, 2 subnets
C       172.12.13.0 is directly connected, Serial1
C       172.12.123.0 is directly connected, Serial0.31
     172.23.0.0/27 is subnetted, 1 subnets
C       172.23.23.0 is directly connected, Ethernet0
R1#conf t
R1(config)#ip route 2.2.2.2 255.255.255.255 172.12.123.2

R1#show ip route
<codes deleted for clarity>

Gateway of last resort is not set

     1.0.0.0/27 is subnetted, 1 subnets
C       1.1.1.0 is directly connected, Loopback0
     2.0.0.0/32 is subnetted, 1 subnets
S       2.2.2.2 [1/0] via 172.12.123.2
     172.12.0.0/16 is variably subnetted, 3 subnets, 2 masks
C       172.12.13.0/24 is directly connected, Serial1
C       172.12.21.0/30 is directly connected, BRI0
C       172.12.123.0/24 is directly connected, Serial0

Examining the syntax of the ip route commands used in this lab:
ip route: the command. 2.2.2.2: the destination address. 255.255.255.255: the subnet mask (not a wildcard mask; wildcard masks belong to access lists and OSPF network statements). An all-ones mask makes this a host route, so only traffic destined for exactly 2.2.2.2 uses it. 172.12.123.1: the next-hop IP address used to reach the destination.

On R1 the command is identical except for the next hop: 2.2.2.2 is the destination address, 255.255.255.255 the host mask, and 172.12.123.2 the next-hop IP address used to reach this destination.
On R3, run debug ip packet, then ping 2.2.2.2. The pings will return successfully, and the packets can be seen leaving and entering the router. Turn all debugs off with undebug all.
R3#debug ip packet
IP packet debugging is on
R3#ping 2.2.2.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 132/136/144 ms
R3#
IP: s=172.12.123.3 (local), d=2.2.2.2 (Serial0.31), len 100, sending
IP: s=2.2.2.2 (Serial0.31), d=172.12.123.3 (Serial0.31), len 100, rcvd 3
IP: s=172.12.123.3 (local), d=2.2.2.2 (Serial0.31), len 100, sending
IP: s=2.2.2.2 (Serial0.31), d=172.12.123.3 (Serial0.31), len 100, rcvd 3
IP: s=172.12.123.3 (local), d=2.2.2.2 (Serial0.31), len 100, sending
IP: s=2.2.2.2 (Serial0.31), d=172.12.123.3 (Serial0.31), len 100, rcvd 3
IP: s=172.12.123.3 (local), d=2.2.2.2 (Serial0.31), len 100, sending
IP: s=2.2.2.2 (Serial0.31), d=172.12.123.3 (Serial0.31), len 100, rcvd 3
IP: s=172.12.123.3 (local), d=2.2.2.2 (Serial0.31), len 100, sending
IP: s=2.2.2.2 (Serial0.31), d=172.12.123.3 (Serial0.31), len 100, rcvd 3
R3#undebug all
All possible debugging has been turned off
Remove the static routes with the no ip route command. Replace them with a static route with a destination and subnet mask of 0.0.0.0. This route will serve as a default route; to verify this, run show ip route after configuring these default static routes.
Notice that with static routes, you can configure either a next-hop address or an exit interface on the end of the static route command. Here, youll configure both.
R3#conf t
R3(config)#no ip route 2.2.2.2 255.255.255.255 172.12.123.1
R3(config)#ip route 0.0.0.0 0.0.0.0 serial0.31

R1#conf t
R1(config)#no ip route 2.2.2.2 255.255.255.255 172.12.123.2
R1(config)#ip route 0.0.0.0 0.0.0.0 172.12.123.2
A static route configured with a destination and subnet mask of 0.0.0.0 will serve as a default route.
Examining the routing table of R3 after configuring the default static route.
R3#show ip route

Gateway of last resort is 0.0.0.0 to network 0.0.0.0

     3.0.0.0/24 is subnetted, 1 subnets
C       3.3.3.0 is directly connected, Loopback0
     172.12.0.0/24 is subnetted, 2 subnets
C       172.12.13.0 is directly connected, Serial1
C       172.12.123.0 is directly connected, Serial0.31
     172.23.0.0/24 is subnetted, 1 subnets
C       172.23.23.0 is directly connected, Ethernet0
S*   0.0.0.0/0 is directly connected, Serial0.31
The static route appears on R3 as a candidate default route (the S* code) and is used as the default route. The gateway of last resort is shown as 0.0.0.0 because the default route was configured with an exit interface rather than a next-hop IP address.
Examining R1s routing table after configuring the static default route.
R1#show ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, * - candidate default

Gateway of last resort is 172.12.123.2 to network 0.0.0.0

     1.0.0.0/27 is subnetted, 1 subnets
C       1.1.1.0 is directly connected, Loopback0
     172.12.0.0/16 is variably subnetted, 3 subnets, 2 masks
C       172.12.13.0/24 is directly connected, Serial1
C       172.12.21.0/30 is directly connected, Dialer1
C       172.12.123.0/24 is directly connected, Serial0
S*   0.0.0.0/0 [1/0] via 172.12.123.2
R1 is also using the static route as a default route. The gateway of last resort is set to 172.12.123.2, the next-hop address set in the static default route.
For your CCNA exams, it's very important to know how to remove a command, not just enable one. Here, you saw that a static route is removed with no ip route followed by the exact route that was configured. It's the same as configuring a static route; just put no in front of the entire command.
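The two routing tables above, as an added example that is not code from the workbook: a longest-prefix-match lookup in Python over R3's connected routes, with helpers that mirror ip route and no ip route. It shows why the all-ones mask on the 2.2.2.2 route matches one host and nothing else, why a 0.0.0.0/0 entry is consulted only when nothing longer matches, and why the gateway of last resort reads 0.0.0.0 for R3's interface default but a next-hop address for R1's. The only assumption is the general longest-match rule; this is not a model of IOS internals.

```python
"""Longest-prefix-match lookups over R3's routing table from the static routing
lab above.  Added example, not code from the workbook.  The connected routes are
the four 'C' entries shown for R3; the selection rule is the general one (most
specific matching prefix wins, a /0 only when nothing else matches).
"""
import ipaddress
from typing import List, NamedTuple, Optional


class Route(NamedTuple):
    code: str                        # "C" connected, "S" static, "S*" candidate default
    prefix: ipaddress.IPv4Network
    via: str                         # next-hop address or exit interface name


def _is_address(s: str) -> bool:
    try:
        ipaddress.IPv4Address(s)
        return True
    except ValueError:
        return False


# R3's connected routes, from the show ip route output above.
R3_CONNECTED: List[Route] = [
    Route("C", ipaddress.IPv4Network("3.3.3.0/27"), "Loopback0"),
    Route("C", ipaddress.IPv4Network("172.12.13.0/24"), "Serial1"),
    Route("C", ipaddress.IPv4Network("172.12.123.0/24"), "Serial0.31"),
    Route("C", ipaddress.IPv4Network("172.23.23.0/27"), "Ethernet0"),
]


def lookup(table: List[Route], dst: str) -> Optional[Route]:
    """Most specific route containing dst; None means the packet is dropped."""
    addr = ipaddress.IPv4Address(dst)
    best: Optional[Route] = None
    for r in table:
        if addr in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
            best = r
    return best


def ip_route(table: List[Route], dest: str, mask: str, via: str) -> List[Route]:
    """Mirror 'ip route <dest> <mask> <next-hop | exit-interface>'; a /0 is flagged S*."""
    net = ipaddress.IPv4Network(f"{dest}/{mask}", strict=False)
    return table + [Route("S*" if net.prefixlen == 0 else "S", net, via)]


def no_ip_route(table: List[Route], dest: str, mask: str, via: str) -> List[Route]:
    """Mirror 'no ip route ...': the whole original command has to be repeated to match."""
    net = ipaddress.IPv4Network(f"{dest}/{mask}", strict=False)
    return [r for r in table if not (r.code.startswith("S") and r.prefix == net and r.via == via)]


def exit_interface(table: List[Route], dst: str, max_depth: int = 8) -> Optional[str]:
    """Resolve a next-hop address recursively until an exit interface is found."""
    hop = dst
    for _ in range(max_depth):
        r = lookup(table, hop)
        if r is None:
            return None
        if not _is_address(r.via):
            return r.via
        hop = r.via
    return None


def gateway_of_last_resort(table: List[Route]) -> Optional[str]:
    """What show ip route prints: 0.0.0.0 for an interface default, else the next hop."""
    for r in table:
        if r.prefix.prefixlen == 0:
            return r.via if _is_address(r.via) else "0.0.0.0"
    return None


if __name__ == "__main__":
    t = ip_route(R3_CONNECTED, "2.2.2.2", "255.255.255.255", "172.12.123.1")
    print("2.2.2.2 ->", lookup(t, "2.2.2.2"), "out", exit_interface(t, "2.2.2.2"))
    print("2.2.2.3 ->", lookup(t, "2.2.2.3"))          # None: a /32 is a host route
    t = no_ip_route(t, "2.2.2.2", "255.255.255.255", "172.12.123.1")
    t = ip_route(t, "0.0.0.0", "0.0.0.0", "Serial0.31")
    print("2.2.2.3 ->", lookup(t, "2.2.2.3"), "gateway of last resort", gateway_of_last_resort(t))
```

The recursive resolution in exit_interface is the reason R3's first static route works at all: 172.12.123.1 is not an interface, so the router looks it up again and finds it inside the connected 172.12.123.0/24 on Serial0.31.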
RIP Lab: Configuring RIP Version 1; using show and debug commands.
Remove any existing routing protocol configuration from your network.
Configure RIP version 1 on all three routers. Run RIP over all interfaces interconnecting the routers, and the loopback interfaces.
R1#conf t
R1(config)#router rip
R1(config-router)#version 1
R1(config-router)#network 172.12.0.0
R1(config-router)#network 1.0.0.0

1d04h: %LINK-3-UPDOWN: Interface BRI0:1, changed state to up
1d04h: %LINEPROTO-5-UPDOWN: Line protocol on Interface BRI0:1, changed state to up
Almost immediately after you configure R1 with RIP, youll see the ISDN line come up. Why? Run show dialer to see what traffic brought the link up.
R1#show dialer

BRI0 - dialer type = ISDN

Dial String      Successes   Failures    Last DNIS   Last status
5552222                  2          0    00:00:08    successful
0 incoming call(s) have been screened.
0 incoming call(s) rejected for callback.

BRI0:1 - dialer type = ISDN
Idle timer (120 secs), Fast idle timer (20 secs)
Wait for carrier (30 secs), Re-enable (15 secs)
Dialer state is data link layer up
Dial reason: ip (s=172.12.21.1, d=255.255.255.255)
Time until disconnect 113 secs
Connected to 5552222 (R2)
The destination 255.255.255.255 brought the link up. RIP version 1 updates are broadcasts. Since all IP traffic was defined as interesting traffic in the ISDN lab, the link comes up.
RIP has no mechanism for suppressing its periodic updates on a dial-on-demand link, which is why you don't see RIP run across very many ISDN links in the first place. Configure passive-interface bri0 under the RIP router process. A passive interface still accepts routing updates but does not send them.
Verify this with show ip protocols. Become very familiar with all the information this command displays.
R1#show ip protocols
Routing Protocol is "rip"
  Sending updates every 30 seconds, next due in 27 seconds
  Invalid after 180 seconds, hold down 180, flushed after 240
  Outgoing update filter list for all interfaces is not set
  Incoming update filter list for all interfaces is not set
  Redistributing: rip
  Default version control: send version 1, receive version 1
    Interface        Send  Recv  Triggered RIP  Key-chain
    Loopback0        1     1
    Serial0          1     1
    Serial1          1     1
  Automatic network summarization is in effect
  Maximum path: 4
  Routing for Networks:
    1.0.0.0
    172.12.0.0
  Passive Interface(s):
    BRI0
  Routing Information Sources:
    Gateway         Distance      Last Update
  Distance: (default is 120)
Configure RIP on R2 and R3, enabling RIP on all interfaces. Make the BRI interface on R2 passive.
R3#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R3(config)#router rip
R3(config-router)#version 1
R3(config-router)#network 3.0.0.0
R3(config-router)#network 172.12.0.0
R3(config-router)#network 172.23.0.0
R3(config-router)#^Z
In these labs, you'll hardcode the routers to run RIP version 1, then RIP version 2. Keep in mind that the RIP default is to send version 1 and accept versions 1 and 2.
On each router, run show ip route, then show ip route rip. Here only the output of these commands on R1 will be shown. Note that show ip route shows all the known routes, where show ip route rip shows only the RIP-discovered routes.

R1#show ip route
Gateway of last resort is not set

     1.0.0.0/32 is subnetted, 1 subnets
C       1.1.1.1 is directly connected, Loopback0
R    2.0.0.0/8 [120/1] via 172.12.123.2, 00:00:20, Serial0
R    3.0.0.0/8 [120/1] via 172.12.13.3, 00:00:02, Serial1
               [120/1] via 172.12.123.3, 00:00:02, Serial0
     172.12.0.0/16 is variably subnetted, 3 subnets, 2 masks
C       172.12.13.0/24 is directly connected, Serial1
C       172.12.21.0/30 is directly connected, BRI0
C       172.12.123.0/24 is directly connected, Serial0
R    172.23.0.0/16 [120/1] via 172.12.123.2, 00:00:21, Serial0
                   [120/1] via 172.12.13.3, 00:00:03, Serial1
                   [120/1] via 172.12.123.3, 00:00:03, Serial0

R1#show ip route rip
R    2.0.0.0/8 [120/1] via 172.12.123.2, 00:00:12, Serial0
R    3.0.0.0/8 [120/1] via 172.12.13.3, 00:00:23, Serial1
               [120/1] via 172.12.123.3, 00:00:23, Serial0
R    172.23.0.0/16 [120/1] via 172.12.123.2, 00:00:12, Serial0
                   [120/1] via 172.12.13.3, 00:00:23, Serial1
                   [120/1] via 172.12.123.3, 00:00:23, Serial0
Note that equal-cost load balancing, enabled by default in both versions of RIP, is in effect. R1 has three paths to the Ethernet segment; one through the frame relay cloud via R2, one through the frame relay cloud via R3, and one via the point-to-point Serial link to R3. All three have the same metric of 1, so RIP puts all three of these routes into the routing table. (Remember that distance-vector protocols perform equal-cost load balancing by default, over four paths by default, and this can be changed to a range from one to six paths with the maximum-paths command.)
Also notice that because RIP version 1 updates carry no subnet mask (no VLSM support), the receiving router applies classful masks: /8 for the loopbacks in 2.0.0.0 and 3.0.0.0, /16 for the Ethernet segment in 172.23.0.0.
Change the maximum number of paths that load-balancing can use on each router with the maximum-paths command.
R1#conf t
R1(config)#router rip
R1(config-router)#maximum-paths 6

R2#conf t
R2(config)#router rip
R2(config-router)#maximum-paths 6

R3#conf t
R3(config)#router rip
R3(config-router)#maximum-paths 6
View the routing updates by running debug ip rip. Clear the routing table with clear ip route * , and youll see the routing process reinitialize. (Both very important commands, both for your CCNA exams and for real life.)
R1#debug ip rip
RIP protocol debugging is on
R1#clear ip route *
22:01:04: RIP: sending v1 update to 255.255.255.255 via Serial0 (172.12.123.1)
22:01:04:      subnet 172.12.13.0, metric 1
22:01:04:      subnet 172.12.123.0, metric 1
22:01:04:      network 1.0.0.0, metric 1
22:01:04:      network 2.0.0.0, metric 2
22:01:04:      network 3.0.0.0, metric 2
22:01:04:      network 172.23.0.0, metric 2
22:01:04: RIP: sending v1 update to 255.255.255.255 via Serial1 (172.12.13.1)
22:01:04:      subnet 172.12.123.0, metric 1
22:01:04:      network 1.0.0.0, metric 1
22:01:04:      network 2.0.0.0, metric 2
22:01:06: RIP: sending general request on Loopback0 to 255.255.255.255
22:01:06: RIP: sending general request on Serial0 to 255.255.255.255
22:01:06: RIP: sending general request on Serial1 to 255.255.255.255
22:01:07: RIP: received v1 update from 172.12.123.3 on Serial0
Debug ip rip not only shows you the updates and the broadcasts being sent and received, but it also helps with troubleshooting.
Are RIP versions 1 and 2 interchangeable? Keep the debug on R1, change R1s version of RIP to version 2, and clear the routing table.
R1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#router rip
R1(config-router)#version 2
R1(config-router)#^Z
1d04h: %SYS-5-CONFIG_I: Configured from console by console
R1#clear ip route *

<updates will be sent first>
1d04h: RIP: ignored v1 packet from 172.12.13.3 (illegal version)
1d04h: RIP: ignored v1 packet from 172.12.123.3 (illegal version)
R1#undebug all
1d04h: RIP: ignored v1 packet from 172.12.123.2 (illegal version)
R1 is refusing the RIP version 1 updates. The two versions of RIP are not interchangeable, as you can see by looking at the routing table:
R1#show ip route
Gateway of last resort is not set

     1.0.0.0/32 is subnetted, 1 subnets
C       1.1.1.1 is directly connected, Loopback0
     172.12.0.0/16 is variably subnetted, 3 subnets, 2 masks
C       172.12.13.0/24 is directly connected, Serial1
C       172.12.21.0/30 is directly connected, BRI0
C       172.12.123.0/24 is directly connected, Serial0
The RIP routes are gone.
Remove the RIP process from all three routers with the no router rip command.
R1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#no router rip
R1(config)#^Z
R1#wr
Building configuration...

R2#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R2(config)#no router rip
R2(config)#^Z
R2#wr
Building configuration...

R3#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R3(config)#no router rip
R3(config)#^Z
R3#wr
Building configuration...
Lab: Configuring RIP Version 2. Disabling auto-summarization; using text and MD5 authentication; troubleshooting RIP with show and debug commands.

Configure RIP version 2 on all three routers. Disable RIP's auto-summarization feature with no auto-summary. Enable RIP on all interfaces of each router, including the loopbacks. Prevent the dialer interfaces from sending RIP version 2 multicasts with the passive-interface command.
R1#conf t
R1(config)#router rip
R1(config-router)#version 2            <The RIP-enabled interfaces will send and receive version 2 only.>
R1(config-router)#no auto-summary
R1(config-router)#network 172.12.0.0
R1(config-router)#network 1.0.0.0
R1(config-router)#passive-interface dialer1
To verify VLSM support and equal-cost load-balancing, run show ip route rip on R1.
R1#show ip route rip
     2.0.0.0/27 is subnetted, 1 subnets
R       2.2.2.0 [120/1] via 172.12.123.2, 00:00:15, Serial0
     3.0.0.0/27 is subnetted, 1 subnets
R       3.3.3.0 [120/1] via 172.12.13.3, 00:00:14, Serial1
                [120/1] via 172.12.123.3, 00:00:14, Serial0
     172.23.0.0/27 is subnetted, 1 subnets
R       172.23.23.0 [120/1] via 172.12.123.2, 00:00:15, Serial0
                    [120/1] via 172.12.13.3, 00:00:14, Serial1
                    [120/1] via 172.12.123.3, 00:00:15, Serial0
VLSM support is evident from the /27 masks on the 2.0.0.0 and 3.0.0.0 networks, which RIP version 1 had advertised as classful /8s. Equal-cost load balancing is taking place as well, with three routes sharing the load from R1 to network 172.23.23.0.
From each router, ping the remote loopback addresses. All pings should succeed.
You know that RIP version 1 sends updates to 255.255.255.255. What address does RIP version 2 send updates to? Run debug ip rip, then run clear ip route * to immediately clear the routing table. (This command forces the routing protocol to send and request updates now, rather than waiting for the next regularly scheduled update.)
R1#debug ip rip
RIP protocol debugging is on
R1#clear ip route *
1d04h: RIP: sending request on Loopback0 to 224.0.0.9
1d04h: RIP: sending request on Serial1 to 224.0.0.9
1d04h: RIP: sending request on Serial0 to 224.0.0.9
RIP version 2 multicasts updates to 224.0.0.9.
Turn your debugs off with undebug all. You can also turn off debugs on an individual basis by running the command for that particular debug with no in front of the command.
R1#no debug ip rip
RIP protocol debugging is off
R1#undebug all
All possible debugging has been turned off
IGRP Lab
Remove any previous routing protocol configurations before proceeding.
Configure IGRP on R1, R2, and R3 with the router igrp 1 command. IGRP will run on all interfaces in the 172.12.0.0 network, the 172.23.0.0 network, and all loopback interfaces. We dont want IGRP updates to bring the ISDN line up; configure passive-interface bri0 under the IGRP process.
The 1 in the router igrp command refers to the Autonomous System (AS). IGRP is a classful routing protocol, so wildcard masks are not used in the network statements. Passive-interface prevents the named interface from sending routing updates out for this protocol, but the interface could still receive them.
Run show ip route on R1. R1 will see three equal-cost paths to the Ethernet network. IGRP supports load-sharing over up to four equal-cost paths by default, so all three paths appear in the routing table. R1 will also see a route to the loopback address on R2 and two routes to the loopback address on R3. (You can also run show ip route igrp in order to see only the IGRP routes.)
R1#show ip route igrp
I    2.0.0.0/8 [100/8976] via 172.12.123.2, 00:00:02, Serial0
I    3.0.0.0/8 [100/8976] via 172.12.13.3, 00:00:02, Serial1
               [100/8976] via 172.12.123.3, 00:00:01, Serial0
I    172.23.0.0/16 [100/8576] via 172.12.123.2, 00:00:02, Serial0
                   [100/8576] via 172.12.13.3, 00:00:02, Serial1
                   [100/8576] via 172.12.123.3, 00:00:01, Serial0
Remember that the numbers in the brackets following the network number in the routes are the Administrative Distance and the IGRP metric, in that order.
Note that classful masks are in use. IGRP does not support variable-length subnet masks (VLSM).
From each router, ping the loopback addresses of the other two routers. From R1, ping both R2's and R3's Ethernet interfaces. All pings should succeed. If they don't, check your IGRP configuration and make sure you have all the networks listed.

There are two serial connections between R1 and R3. IGRP is assuming that both lines are T1 lines running at 1544 kbps. If the direct connection between the routers were actually a 512 kbps line, equal-cost load sharing would still be occurring because of IGRP's bandwidth assumption, not because of the actual bandwidth.

If R1's direct connection to R3 is in fact three times slower than going through the frame relay cloud, you would not want IGRP to perform equal-cost load balancing, since the actual bandwidth isn't equivalent to IGRP's assumption of 1544 kbps. To give IGRP a more accurate picture of the network's bandwidth, configure bandwidth 512 on R1's and R3's Serial1 interface.
R1#conf t
R1(config)#interface serial1
R1(config-if)#bandwidth 512

R3#conf t
R3(config)#interface serial 1
R3(config-if)#bandwidth 512
IGRP's assumption that all serial lines run at 1544 kbps is overridden by the bandwidth 512 command. IGRP now believes this line runs at 512 kbps.
To see the effect of this command, clear your routing table on R1.
R1#clear ip route *
R1#show ip route igrp
I    2.0.0.0/8 [100/8976] via 172.12.123.2, 00:00:17, Serial0/0
I    3.0.0.0/8 [100/8976] via 172.12.123.3, 00:00:24, Serial0/0
I    172.23.0.0/16 [100/8576] via 172.12.123.3, 00:00:24, Serial0/0
                   [100/8576] via 172.12.123.2, 00:00:17, Serial0/0
The routing table is cleared with clear ip route *. To see only the routes received in IGRP updates instead of the entire table, run show ip route igrp.
One of the paths to 3.0.0.0 is gone from the table, as is one of the routes to 172.23.0.0. Both routes now gone from the table went through the 172.12.13.0 network. Now that IGRP sees that link as slower than the others, equal-cost load-balancing will not occur over the 172.12.13.0 network, and those two routes are removed from the IGRP routing table.
Its important to understand that the bandwidth command does not actually change the bandwidth of the connection; it changes IGRPs assumption of what the bandwidth is.
At this point, all traffic leaving R1 for R3's loopback is going over the frame relay connection, and only two of the possible three paths from R1 to the Ethernet segment are being used. You'll now configure unequal-cost load balancing, which means that paths with unequal costs will proportionally share the load. By proportionally share, I mean that if one path's metric is four times higher than another's, the lower-cost path will handle four times as much traffic as the higher-cost path.

You probably know that the variance command will be used here, but do you know how to get the metric of the higher-cost path in IGRP? It's debug ip igrp transactions. Run that debug and clear the routing table. (Don't worry; in EIGRP, this is a lot easier.)
R1#debug ip igrp transactions
IGRP protocol debugging is on
R1#clear ip route *

1d05h: IGRP: broadcasting request on Loopback0
1d05h: IGRP: broadcasting request on Serial0
1d05h: IGRP: broadcasting request on Serial1
1d05h: IGRP: received update from 172.12.13.3 on Serial1
1d05h:       subnet 172.12.123.0, metric 23531 (neighbor 8476)
1d05h:       network 1.0.0.0, metric 24031 (neighbor 8976)
1d05h:       network 2.0.0.0, metric 22131 (neighbor 1600)
1d05h:       network 3.0.0.0, metric 22031 (neighbor 501)
1d05h:       network 172.23.0.0, metric 21631 (neighbor 1100)
R1#undebug all
Notice that IGRP is broadcasting requests. Like RIP version 1, IGRP uses the IP address 255.255.255.255 to send and receive updates. Neither protocol supports authentication (see the comparison chart at the end of this lab), so any host on the segment can inject routes simply by sending updates to that address.
In this update from 172.12.13.3, the metric to reach 3.0.0.0 is 22031; the metric to reach 172.23.0.0 (the Ethernet segment) is 21631.
The variance command is used to configure unequal-cost load balancing with both IGRP and EIGRP. The variance value is a multiplier: a path is installed alongside the best path if its metric is less than the variance multiplied by the metric of the best route, and if the advertising neighbor's own metric to the destination is lower than this router's best metric (the neighbor is closer to the destination than we are, which is what keeps the extra path loop-free).

The concept is much clearer when actual metrics are used. The best metric to 172.23.0.0 is 8576 and the best metric to 3.0.0.0 is 8976 (both visible in show ip route igrp above). What whole number, multiplied by 8576, is greater than 21631, and multiplied by 8976, is greater than 22031?

Three: 3 x 8576 = 25728 and 3 x 8976 = 26928. Configure variance 3 under the IGRP routing process on R1, clear the routing table, and display the IGRP routing table.
R1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#router igrp 1
R1(config-router)#variance 3

R1#clear ip route *
R1#show ip route igrp
I    2.0.0.0/8 [100/22131] via 172.12.13.3, 00:00:04, Serial1/0
               [100/9076] via 172.12.123.3, 00:00:04, Serial0/0
               [100/8976] via 172.12.123.2, 00:00:04, Serial0/0
I    3.0.0.0/8 [100/22031] via 172.12.13.3, 00:00:04, Serial1/0
               [100/8976] via 172.12.123.3, 00:00:04, Serial0/0
               [100/9076] via 172.12.123.2, 00:00:04, Serial0/0
I    172.23.0.0/16 [100/21631] via 172.12.13.3, 00:00:04, Serial1/0
                   [100/8576] via 172.12.123.3, 00:00:04, Serial0/0
                   [100/8576] via 172.12.123.2, 00:00:04, Serial0/0
The variance command has two effects, one intended and one unintended. The routes to 172.23.0.0 and 3.0.0.0 through 172.12.13.3 are back in the routing table and will participate in unequal-cost load sharing. Note that the metrics themselves do not change.
There are now three routes to R2's loopback as well. There was only one before, but with variance 3 any loop-free route to R2 with a metric below 26928 (8976 x 3) is installed, and the other two routes, at 9076 and 22131, both qualify.
As a bonus, on the next page you'll find a copy of a chart from my Bryant Advantage Ultimate CCNA Study Guide. You must know the similarities and differences between RIPv1, RIPv2, and IGRP before taking the CCNA exams.
RIP version 1 / RIP version 2 / IGRP comparison:

                                      RIP v1                      RIP v2                      IGRP
VLSM support                          No                          Yes                         No
Administrative distance               120                         120                         100
Authentication support                No                          Yes, MD5 and text           No
Equal-cost load balancing             Yes                         Yes                         Yes
Unequal-cost load balancing           No                          No                          Yes, with variance
Updates sent to                       Broadcast 255.255.255.255   Multicast 224.0.0.9         Broadcast 255.255.255.255
Metric                                Hop count                   Hop count                   Composite metric: bandwidth and
                                                                                              delay by default; load and
                                                                                              reliability can be added (hop
                                                                                              count is carried only as a limit)
Default paths used in load balancing  4                           4                           4
OSPF Lab: Configuring OSPF areas, stub areas, and ISDN demand circuit.
Remove any existing routing protocol configuration.
This is the OSPF network you will build:
Configure OSPF Area 0 on each router interface connected to the Frame Relay cloud with the router ospf 1 and network commands. Run show ip ospf interface on each router to see what OSPF network type the interfaces are running.
Configuring OSPF on the Frame Relay cloud interfaces on R1, R2, and R3:

R1#conf t
R1(config)#router ospf 1
R1(config-router)#network 172.12.123.0 0.0.0.255 area 0

R2#conf t
R2(config)#router ospf 1
R2(config-router)#network 172.12.123.0 0.0.0.255 area 0

R3#conf t
R3(config)#router ospf 1
R3(config-router)#network 172.12.123.0 0.0.0.255 area 0
R1#show ip ospf interface serial0
Serial0 is up, line protocol is up
  Internet Address 172.12.123.1/24, Area 0
  Process ID 1, Router ID 1.1.1.1, Network Type NON_BROADCAST, Cost: 64

R2#show ip ospf interface serial0.123
Serial0.123 is up, line protocol is up
  Internet Address 172.12.123.2/24, Area 0
  Process ID 1, Router ID 2.2.2.2, Network Type NON_BROADCAST, Cost: 64

R3#show ip ospf interface serial0.31
Serial0.31 is up, line protocol is up
  Internet Address 172.12.123.3/24, Area 0
  Process ID 1, Router ID 3.3.3.3, Network Type POINT_TO_POINT, Cost: 64
R3's point-to-point subinterface defaults to OSPF network type point-to-point, while R1's physical Serial0 defaults to non-broadcast. The two types use different default Hello and Dead timers (10 and 40 seconds for point-to-point, 30 and 120 for non-broadcast), and an OSPF router only accepts Hellos whose timers match its own, so no adjacency can form between R3 and R1 until the network type is changed.

This is a hub-and-spoke OSPF network, which requires the hub router, R1, to be the Designated Router: the spokes have no direct path to each other, and a spoke elected DR could never reach the other spoke. Additionally, since all three interfaces will be OSPF network type non-broadcast after changing R3, OSPF will not discover neighbors with multicast Hellos, and neighbor statements will be needed on the hub router.

Change R3's serial 0.31 subinterface to OSPF network type non-broadcast with the ip ospf network non-broadcast interface-level command. Prevent R2 and R3 from ever becoming the Designated Router by configuring ip ospf priority 0 on their interfaces connected to the Frame Relay cloud. Only R2's priority change is shown below; R3 needs both commands on serial 0.31 (the show ip ospf interface output later in this lab confirms R3's subinterface as NON_BROADCAST with Priority 0).
R2#conf t
R2(config)#int s0.123
R2(config-subif)#ip ospf priority 0

Allow R1 to discover its OSPF neighbors over the non-broadcast network with two neighbor commands, naming the remote Frame Relay cloud neighbors by their IP addresses. Run show ip ospf neighbor on R1 to verify the adjacencies. (The adjacencies won't reach FULL immediately; keep running this command to watch the various stages of adjacency.)
R1#conf t
R1(config)#router ospf 1
R1(config-router)#neighbor 172.12.123.2
R1(config-router)#neighbor 172.12.123.3

R1#show ip ospf neighbor

Neighbor ID     Pri   State           Dead Time   Address         Interface
3.3.3.3           0   FULL/DROTHER    00:01:57    172.12.123.3    Serial0
2.2.2.2           0   FULL/DROTHER    00:01:57    172.12.123.2    Serial0
Notice that the Neighbor ID of each remote router is its loopback address. How can that be if you didn't configure OSPF on those loopbacks?

When an OSPF process starts on a router with no router-id configured, it uses the numerically highest IP address on the router's loopback interfaces as the Router ID (RID), regardless of whether that loopback is OSPF-enabled.

What if there is no loopback? OSPF then uses the numerically highest IP address on the router's physical interfaces, again regardless of whether that interface is OSPF-enabled. In both cases the interface has to be up when the process starts.

BOTTOM LINE: An interface does not have to be running OSPF for its IP address to be used as the OSPF RID. "Numerically highest" means compared as addresses, not as strings: 10.0.0.1 is higher than 3.3.3.3.
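The selection order above, written out as an added example (this is not code from the workbook, and IOS does not expose any such function; it simply models the rule). Interface names and the extra addresses 10.0.0.1 and 172.16.0.9 used in the checks are constructed for illustration and are not part of the lab. The duplicate-RID check is added because two routers ending up with the same RID, for instance after a loopback address is copied between devices, is a classic cause of flapping adjacencies and bogus LSAs.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Interface:
    name: str
    address: str      # IPv4 address configured on the interface
    up: bool = True   # line protocol state when the OSPF process starts


def select_router_id(interfaces: List[Interface],
                     configured: Optional[str] = None) -> str:
    """Return the RID an IOS router picks when its OSPF process starts.

    Precedence: an explicit router-id, then the numerically highest address
    on an up loopback, then the numerically highest address on any other up
    interface. Whether the interface is OSPF-enabled plays no part.
    """
    if configured:
        return configured
    up = [i for i in interfaces if i.up]
    loopbacks = [i for i in up if i.name.lower().startswith("loopback")]
    candidates = loopbacks or up
    if not candidates:
        raise ValueError("no usable interface address for the router ID")
    # Compare as 32-bit integers, not as strings, so 10.0.0.1 > 3.3.3.3.
    best = max(candidates, key=lambda i: int(ipaddress.IPv4Address(i.address)))
    return best.address


def duplicate_router_ids(routers: Dict[str, List[Interface]]) -> Dict[str, List[str]]:
    """Map each RID that more than one router would choose to those routers."""
    chosen: Dict[str, List[str]] = {}
    for name, interfaces in routers.items():
        chosen.setdefault(select_router_id(interfaces), []).append(name)
    return {rid: names for rid, names in chosen.items() if len(names) > 1}


if __name__ == "__main__":
    # R3's interfaces at this point in the lab (addresses from the workbook).
    r3 = [Interface("Loopback0", "3.3.3.3"),
          Interface("Serial0.31", "172.12.123.3"),
          Interface("Serial1", "172.12.13.3"),
          Interface("Ethernet0", "172.23.23.3")]
    print(select_router_id(r3))                       # loopback wins
    print(select_router_id(r3[1:]))                   # no loopback: highest physical
    print(select_router_id(r3, configured="33.33.33.33"))
```

Once a RID is chosen it does not change until the process is cleared or the router reloads, which is exactly what the next step of the lab shows.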
The OSPF RID can be changed, but the new value takes effect only when the OSPF process is restarted. Use the router-id command to change the default RID of each router as shown, then clear the OSPF process.

R1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#router ospf 1
R1(config-router)#router-id 11.11.11.11
Reload or use "clear ip ospf process" command, for this to take effect
R1#clear ip ospf process
Reset ALL OSPF processes? [no]: yes
1d05h: %OSPF-5-ADJCHG: Process 1, Nbr 3.3.3.3 on Serial0 from 2WAY to DOWN, Neighbor Down: Interface down or detached
1d05h: %OSPF-5-ADJCHG: Process 1, Nbr 2.2.2.2 on Serial0 from 2WAY to DOWN, Neighbor Down: Interface down or detached
After you enter the router-id command, the console tells you that you have to reload the router or reset the OSPF process for the change to take effect. Use clear ip ospf process to do that. Notice that when you're asked whether you really want to do this, the default answer is no. That's because every OSPF adjacency on this router will be torn down and rebuilt from scratch, and the routes learned through them disappear while that happens. That's fine on a practice rack and not fine in a production network; don't use this command at work outside a change window.

Run the same commands on R2 and R3, and wait for the adjacencies to come back before continuing with the lab. You can check the adjacency state with show ip ospf neighbor.
R2#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R2(config)#router ospf 1
R2(config-router)#router-id 22.22.22.22
Reload or use "clear ip ospf process" command, for this to take effect
R2(config-router)#^Z
1d05h: %SYS-5-CONFIG_I: Configured from console by console
R2#clear ip ospf process
Reset ALL OSPF processes? [no]: yes
R2#
1d05h: %OSPF-5-ADJCHG: Process 1, Nbr 11.11.11.11 on Serial0.123 from FULL to DOWN, Neighbor Down: Interface down or detached
1d05h: %OSPF-5-ADJCHG: Process 1, Nbr 11.11.11.11 on Serial0.123 from LOADING to FULL, Loading Done

R3#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R3(config)#router ospf 1
R3(config-router)#router-id 33.33.33.33
Reload or use "clear ip ospf process" command, for this to take effect
R3(config-router)#^Z
1d05h: %SYS-5-CONFIG_I: Configured from console by console
R3#clear ip ospf process
Reset ALL OSPF processes? [no]: yes
1d05h: %OSPF-5-ADJCHG: Process 1, Nbr 11.11.11.11 on Serial0.31 from FULL to DOWN, Neighbor Down: Interface down or detached
Run show ip ospf neighbor on R1 to see the changes.
R1#show ip ospf neighbor

Neighbor ID     Pri   State             Dead Time   Address         Interface
33.33.33.33       0   FULL/DROTHER      00:01:58    172.12.123.3    Serial0
22.22.22.22       0   FULL/DROTHER      00:01:54    172.12.123.2    Serial0
3.3.3.3           0   FULL/DROTHER      00:00:33    172.12.123.3    Serial0
N/A               0   ATTEMPT/DROTHER   -           172.12.123.2    Serial0

You see the new adjacencies that reflect the changed OSPF RIDs. The old entries are timing out (watch their Dead Time column) and will soon disappear from the table.
Add R1's loopback address to Area 1, R2's loopback to Area 2, and R3's loopback to Area 3. Use a wildcard mask of 0.0.0.0 so that only the loopback interface is placed into the respective area.

R1#conf t
R1(config)#router ospf 1
R1(config-router)#network 1.1.1.1 0.0.0.0 area 1

R2#conf t
R2(config)#router ospf 1
R2(config-router)#network 2.2.2.2 0.0.0.0 area 2

R3#conf t
R3(config)#router ospf 1
R3(config-router)#network 3.3.3.3 0.0.0.0 area 3
On R1, run show ip route ospf. A route to both R2's and R3's loopback should be present. Ping both interfaces to verify connectivity.

R1#show ip route ospf
     2.0.0.0/32 is subnetted, 1 subnets
O IA    2.2.2.2 [110/65] via 172.12.123.2, 00:00:09, Serial0
     3.0.0.0/32 is subnetted, 1 subnets
O IA    3.3.3.3 [110/65] via 172.12.123.3, 00:00:02, Serial0

Notice that the /32 masks are present; OSPF carries the mask with every route and so supports VLSM. The loopbacks were configured with /24 masks, but OSPF advertises a loopback as a /32 host route whatever mask is configured on it (the interface is treated as a stub host, as show ip ospf interface will show later).

Note the O IA on the far left of the output. The O indicates that this is an OSPF route; the IA means it is an inter-area route, a route to a destination in another area.
R1#ping 2.2.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 68/73/96 ms

R1#ping 3.3.3.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 3.3.3.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 68/69/72 ms
Run show ip route ospf on R2. Routes to the loopbacks of R1 and R3 should be present. Ping both loopbacks to verify connectivity.
R2#show ip route ospf
     1.0.0.0/32 is subnetted, 1 subnets
O IA    1.1.1.1 [110/65] via 172.12.123.1, 00:10:35, Serial0.123
     3.0.0.0/32 is subnetted, 1 subnets
O IA    3.3.3.3 [110/65] via 172.12.123.3, 00:10:35, Serial0.123
R2#ping 1.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 68/68/68 ms
R2#ping 3.3.3.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 3.3.3.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 128/133/144 ms
Run show ip route ospf on R3. Routes to the loopbacks of R1 and R2 should be present. Ping both loopbacks to verify connectivity.
R3#show ip route ospf
     1.0.0.0/32 is subnetted, 1 subnets
O IA    1.1.1.1 [110/65] via 172.12.123.1, 00:14:52, Serial0.31
     2.0.0.0/32 is subnetted, 1 subnets
O IA    2.2.2.2 [110/65] via 172.12.123.2, 00:14:52, Serial0.31
R3#ping 1.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 64/66/68 ms

R3#ping 2.2.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 128/133/144 ms
Configure the Ethernet segment connecting R2 and R3 as Area 23. Area 23 will be made a stub area. Use the area 23 stub command on R3, but not yet on R2. Run show ip ospf neighbor on R3 to verify the adjacency.

R2#conf t
R2(config)#router ospf 1
R2(config-router)#network 172.23.23.0 0.0.0.31 area 23

R3#conf t
R3(config)#router ospf 1
R3(config-router)#network 172.23.23.0 0.0.0.31 area 23
R3(config-router)#area 23 stub

R3#show ip ospf neighbor

Neighbor ID     Pri   State           Dead Time   Address         Interface
1.1.1.1           1   FULL/DR         00:01:32    172.12.123.1    Serial0.31
You can wait a few minutes and you'll see the same thing; the adjacency to R2 never even starts. To diagnose problems with OSPF adjacencies, run debug ip ospf adj.

R3#debug ip ospf adj
OSPF adjacency events debugging is on
OSPF: Hello from 172.23.23.2 with mismatched Stub/Transit area option bit

There's the problem! The Hello packet is arriving from 172.23.23.2, but the stub bit in its options field (the E bit, cleared in a stub area) does not match R3's. For a stub area to form, all routers in it must agree that the area is a stub, so area 23 stub must be configured on every router with an interface in that area. This is the same rule you ran into with the timers: OSPF drops any Hello whose parameters don't match its own, and the adjacency silently fails to start until you look at the debug.

On R2, configure area 23 stub in router configuration mode. On R3, run debug ip ospf adj and show ip ospf neighbor to verify the adjacency.
R3#debug ip ospf adj
OSPF adjacency events debugging is on
R3#show debug            < Bonus! This shows your current debugs. >
IP routing:
  OSPF adjacency events debugging is on

< Only some of the debug output is shown here. >
1d06h: OSPF: 2 Way Communication to 22.22.22.22 on Ethernet0, state 2WAY
1d06h: OSPF: Backup seen Event before WAIT timer on Ethernet0
1d06h: OSPF: DR/BDR election on Ethernet0
1d06h: OSPF: Elect BDR 33.33.33.33
1d06h: OSPF: Elect DR 22.22.22.22
1d06h: OSPF: Elect BDR 33.33.33.33
1d06h: OSPF: Elect DR 22.22.22.22
1d06h:        DR: 22.22.22.22 (Id)   BDR: 33.33.33.33 (Id)
1d06h: OSPF: Send DBD to 22.22.22.22 on Ethernet0 seq 0x21F5 opt 0x40 flag 0x7 len 32
1d06h: OSPF: Rcv DBD from 22.22.22.22 on Ethernet0 seq 0x1283 opt 0x40 flag 0x7 len 32 mtu 1500 state EXSTART
1d06h: OSPF: Rcv DBD from 22.22.22.22 on Ethernet0 seq 0x21F6 opt 0x40 flag 0x0 len 32 mtu 1500 state EXCHANGE
1d06h: OSPF: Send DBD to 22.22.22.22 on Ethernet0 seq 0x21F7 opt 0x40 flag 0x1 len 32
1d06h: OSPF: Rcv DBD from 22.22.22.22 on Ethernet0 seq 0x21F7 opt 0x40 flag 0x0 len 32 mtu 1500 state EXCHANGE
1d06h: OSPF: Exchange Done with 22.22.22.22 on Ethernet0
1d06h: OSPF: Synchronized with 22.22.22.22 on Ethernet0, state FULL
1d06h: %OSPF-5-ADJCHG: Process 1, Nbr 22.22.22.22 on Ethernet0 from LOADING to FULL, Loading Done
1d06h: OSPF: Build router LSA for area 23, router ID 33.33.33.33, seq 0x80000003
R3#
1d06h: OSPF: Neighbor change Event on interface Ethernet0
1d06h: OSPF: DR/BDR election on Ethernet0
1d06h: OSPF: Elect BDR 33.33.33.33
1d06h: OSPF: Elect DR 22.22.22.22
1d06h:        DR: 22.22.22.22 (Id)   BDR: 33.33.33.33 (Id)

R3#show ip ospf neighbor

Neighbor ID     Pri   State           Dead Time   Address         Interface
11.11.11.11       1   FULL/DR         00:01:58    172.12.123.1    Serial0.31
22.22.22.22       1   FULL/DR         00:00:35    172.23.23.2     Ethernet0
The adjacency has formed over the Ethernet segment.
On R3, run show ip ospf interface to compare the characteristics of the Serial and Ethernet interfaces running OSPF.
R3#show ip ospf interface
Serial0.31 is up, line protocol is up
  Internet Address 172.12.123.3/24, Area 0
  Process ID 1, Router ID 33.33.33.33, Network Type NON_BROADCAST, Cost: 64
  Transmit Delay is 1 sec, State DROTHER, Priority 0
  Designated Router (ID) 11.11.11.11, Interface address 172.12.123.1
  No backup designated router on this network
  Timer intervals configured, Hello 30, Dead 120, Wait 120, Retransmit 5
    Hello due in 00:00:03
  Index 1/1, flood queue length 0
  Next 0x0(0)/0x0(0)
  Last flood scan length is 1, maximum is 3
  Last flood scan time is 0 msec, maximum is 4 msec
  Neighbor Count is 1, Adjacent neighbor count is 1
    Adjacent with neighbor 11.11.11.11 (Designated Router)
  Suppress hello for 0 neighbor(s)
Loopback0 is up, line protocol is up
  Internet Address 3.3.3.3/24, Area 3
  Process ID 1, Router ID 33.33.33.33, Network Type LOOPBACK, Cost: 1
  Loopback interface is treated as a stub Host
Ethernet0 is up, line protocol is up
  Internet Address 172.23.23.3/27, Area 23
  Process ID 1, Router ID 33.33.33.33, Network Type BROADCAST, Cost: 10
  Transmit Delay is 1 sec, State BDR, Priority 1
  Designated Router (ID) 22.22.22.22, Interface address 172.23.23.2
  Backup Designated router (ID) 33.33.33.33, Interface address 172.23.23.3
  Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
    Hello due in 00:00:03
  Index 1/3, flood queue length 0
  Next 0x0(0)/0x0(0)
  Last flood scan length is 1, maximum is 1
  Last flood scan time is 0 msec, maximum is 0 msec
  Neighbor Count is 1, Adjacent neighbor count is 1
    Adjacent with neighbor 22.22.22.22 (Designated Router)
  Suppress hello for 0 neighbor(s)
Notice the different Hello and Dead timers on the non-broadcast Serial subinterface (30 and 120 seconds) and the broadcast Ethernet interface (10 and 40 seconds). Whatever the Hello timer, the default Dead timer is four times the Hello timer; if you change the Hello interval with ip ospf hello-interval, IOS recomputes the Dead interval to match, and both values must agree on every router sharing the segment or the Hellos are discarded. Also notice that the non-broadcast interface has no backup designated router: the spokes are at priority 0, so only R1 is eligible.
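The two adjacency failures in this lab (R3's point-to-point timers against R1's non-broadcast timers, and the stub bit mismatch on the Ethernet segment) are both cases of one router rejecting another's Hello because a field doesn't match. The following is an added example, not code from the workbook or from IOS, that models the fields IOS checks when it receives a Hello and reports the mismatches in the style of the debug messages seen above. Note that the network type itself is not carried in the Hello; what actually breaks the R1/R3 adjacency is the different default timers the two types imply. The authentication field is included because an OSPF Hello with a different authentication type from the receiving interface is dropped the same way; the lab's areas run with no authentication, as show ip ospf reports.

```python
from dataclasses import dataclass
from typing import List, Optional

# IOS default Hello and Dead intervals (seconds) by OSPF network type.
DEFAULT_TIMERS = {
    "broadcast": (10, 40),
    "point-to-point": (10, 40),
    "non-broadcast": (30, 120),
    "point-to-multipoint": (30, 120),
}


@dataclass
class OspfInterface:
    router: str
    area: int
    network_type: str
    stub: bool = False              # the area is configured with "area N stub"
    auth: str = "none"              # "none", "simple" (clear text) or "md5"
    hello: Optional[int] = None     # ip ospf hello-interval; None means the default
    dead: Optional[int] = None      # ip ospf dead-interval; None means 4 x hello

    def __post_init__(self) -> None:
        default_hello, _ = DEFAULT_TIMERS[self.network_type]
        if self.hello is None:
            self.hello = default_hello
        if self.dead is None:
            # IOS derives the Dead interval from the Hello interval unless
            # it is configured explicitly.
            self.dead = 4 * self.hello


def hello_mismatches(local: OspfInterface, remote: OspfInterface) -> List[str]:
    """Return the reasons `local` would discard a Hello sent by `remote`.

    An empty list means the Hello is accepted and the neighbor can proceed
    from INIT through 2WAY (and beyond, if an adjacency is required).
    """
    reasons: List[str] = []
    if local.area != remote.area:
        reasons.append(f"mismatched area ID ({local.area} vs {remote.area})")
    if local.hello != remote.hello:
        reasons.append(f"mismatched hello interval ({local.hello} vs {remote.hello})")
    if local.dead != remote.dead:
        reasons.append(f"mismatched dead interval ({local.dead} vs {remote.dead})")
    if local.stub != remote.stub:
        # IOS wording: "Hello from x.x.x.x with mismatched Stub/Transit area option bit"
        reasons.append("mismatched Stub/Transit area option bit")
    if local.auth != remote.auth:
        reasons.append(f"mismatched authentication type ({local.auth} vs {remote.auth})")
    return reasons


if __name__ == "__main__":
    # Frame Relay cloud before R3's subinterface was changed.
    r1_s0 = OspfInterface("R1", 0, "non-broadcast")
    r3_s031 = OspfInterface("R3", 0, "point-to-point")
    print(hello_mismatches(r1_s0, r3_s031))
    # Ethernet segment with "area 23 stub" only on R3.
    r2_e0 = OspfInterface("R2", 23, "broadcast", stub=False)
    r3_e0 = OspfInterface("R3", 23, "broadcast", stub=True)
    print(hello_mismatches(r3_e0, r2_e0))
```

The check is symmetric, so either side can be the receiver; in practice you run debug ip ospf adj on the router that is not seeing the neighbor, which is what the lab does on R3.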
On R3, run show ip ospf. Area 23 will be shown as a stub area.
R3#show ip ospf
 Routing Process "ospf 1" with ID 3.3.3.3
 Supports only single TOS(TOS0) routes
 It is an area border router
 Number of areas in this router is 3. 2 normal 1 stub 0 nssa
    Area BACKBONE(0)
        Number of interfaces in this area is 1
        Area has no authentication
    Area 3
        Number of interfaces in this area is 1
        Area has no authentication
    Area 23
        Number of interfaces in this area is 1
        It is a stub area
          generates stub default route with cost 1
        Area has no authentication
From R1, ping R2's and R3's Ethernet interfaces.

R1#ping 172.23.23.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.23.23.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 64/66/68 ms

R1#ping 172.23.23.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.23.23.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 64/66/68 ms
Place the ISDN link into Area 12. Run show ip ospf neighbor to verify adjacency.
R1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#router ospf 1
R1(config-router)#network 172.12.21.0 0.0.0.3 area 12
R1(config-router)#
1d06h: %LINK-3-UPDOWN: Interface BRI0:1, changed state to up
1d06h: %LINEPROTO-5-UPDOWN: Line protocol on Interface BRI0:1, changed state to up
1d06h: %ISDN-6-CONNECT: Interface BRI0:1 is now connected to 5552222 R2
The link comes up immediately. Why? Run show dialer to see the destination of the interesting traffic that caused the line to dial.
R1#show dialer

BRI0 - dialer type = ISDN

Dial String      Successes   Failures    Last DNIS   Last status
5552222                  6          0    00:01:01    successful
0 incoming call(s) have been screened.
0 incoming call(s) rejected for callback.

BRI0:1 - dialer type = ISDN
Idle timer (120 secs), Fast idle timer (20 secs)
Wait for carrier (30 secs), Re-enable (15 secs)
Dialer state is data link layer up
Dial reason: ip (s=172.12.21.1, d=224.0.0.5)
Time until disconnect 118 secs
Connected to 5552222 (R2)

BRI0:2 - dialer type = ISDN
Idle timer (120 secs), Fast idle timer (20 secs)
Wait for carrier (30 secs), Re-enable (15 secs)
Dialer state is idle
The OSPF Hello packets, destined for 224.0.0.5, brought the line up. As you'll soon see, OSPF has a built-in mechanism for handling this situation without resorting to the passive-interface command (which would stop the Hellos but also prevent any adjacency over the link).

In the meantime, configure OSPF on R2's BRI interface. Run show ip ospf neighbor to verify the adjacency over the ISDN link.

R2#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R2(config)#router ospf 1
R2(config-router)#network 172.12.21.0 0.0.0.3 area 12
1d06h: %OSPF-5-ADJCHG: Process 1, Nbr 11.11.11.11 on BRI0 from LOADING to FULL, Loading Done

R2#show ip ospf neighbor

Neighbor ID     Pri   State           Dead Time   Address         Interface
11.11.11.11       1   FULL/DR         00:01:46    172.12.123.1    Serial0.123
11.11.11.11       1   FULL/  -        00:00:31    172.12.21.1     BRI0
33.33.33.33       1   FULL/BDR        00:00:34    172.23.23.3     Ethernet0
The good news is that the adjacency forms over the BRI interface very quickly. The bad news is that the ISDN link is going to stay up, since every OSPF Hello (one every 10 seconds on this point-to-point link) counts as interesting traffic and resets the dialer idle timeout.

Also note that there is no DR or BDR over the ISDN link; point-to-point links have no DR or BDR, which is why the state shows as FULL/  -.

OSPF allows you to suppress the sending of Hello packets over an ISDN link while keeping the adjacency up. This is done with one simple command, and you only need it on one side of the link. On R1, configure ip ospf demand-circuit on the BRI interface.

R1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#interface bri0
R1(config-if)#ip ospf demand-circuit
1d06h: %OSPF-5-ADJCHG: Process 1, Nbr 22.22.22.22 on BRI0 from FULL to DOWN, Neighbor Down: Interface down or detached
1d06h: %OSPF-5-ADJCHG: Process 1, Nbr 22.22.22.22 on BRI0 from LOADING to FULL, Loading Done
In this example, the link was up when the command was entered. The adjacency went down immediately and came back up just as fast. Is the ISDN link still up? Is the OSPF adjacency really up? Run show dialer and show ip ospf neighbor to see.
R1#show dialer

BRI0 - dialer type = ISDN

Dial String      Successes   Failures    Last DNIS   Last status
5552222                  7          0    00:07:15    successful
0 incoming call(s) have been screened.
0 incoming call(s) rejected for callback.

BRI0:1 - dialer type = ISDN
Idle timer (120 secs), Fast idle timer (20 secs)
Wait for carrier (30 secs), Re-enable (15 secs)
Dialer state is idle

BRI0:2 - dialer type = ISDN
Idle timer (120 secs), Fast idle timer (20 secs)
Wait for carrier (30 secs), Re-enable (15 secs)
Dialer state is idle

R1#show ip ospf neighbor

Neighbor ID     Pri   State           Dead Time   Address         Interface
33.33.33.33       0   FULL/DROTHER    00:01:38    172.12.123.3    Serial0
22.22.22.22       0   FULL/DROTHER    00:01:37    172.12.123.2    Serial0
22.22.22.22       1   FULL/  -        -           172.12.21.2     BRI0
R1#

The line is down, and the adjacency is still up! With a demand circuit, OSPF stops sending periodic Hellos once the adjacency reaches FULL (note that the BRI0 neighbor no longer shows a Dead Time), and the LSAs exchanged over the link carry the DoNotAge bit so they don't need to be re-flooded every 30 minutes. Only a real topology change brings the link up. This is why OSPF is the protocol of choice to run over ISDN links. (If the link is still up when you run these commands, watch the idle timeout value under show dialer; it will count down to zero and the line will drop.)
You've read that every non-backbone area must connect to Area 0 through an area border router that has an interface in Area 0 (the rule is often stated, loosely, as every router needing an interface in Area 0), and that a virtual link can solve the problem when an area has no such connection. You're now going to configure a virtual link, and first see the routing problems that occur when a router bordering several areas has no interface in Area 0.

First, on R1, add the point-to-point link to R3 into the OSPF configuration, placing it into Area 13. On R3, do the same, and remove the Frame Relay subinterface from Area 0. After doing so, clear the OSPF process on R3. (When clearing OSPF processes, don't be surprised to see the ISDN link come back up.)
R1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#router ospf 1
R1(config-router)#network 172.12.13.0 0.0.0.255 area 13

R3#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R3(config)#router ospf 1
R3(config-router)#network 172.12.13.0 0.0.0.255 area 13
R3(config-router)#no network 172.12.123.0 0.0.0.255 area 0

R3#clear ip ospf process
Reset ALL OSPF processes? [no]: yes
1d06h: %OSPF-5-ADJCHG: Process 1, Nbr 11.11.11.11 on OSPF_VL0 from FULL to DOWN, Neighbor Down: Interface down or detached
1d06h: %OSPF-5-ADJCHG: Process 1, Nbr 11.11.11.11 on Serial1 from FULL to DOWN, Neighbor Down: Interface down or detached
1d06h: %OSPF-5-ADJCHG: Process 1, Nbr 22.22.22.22 on Ethernet0 from FULL to DOWN, Neighbor Down: Interface down or detached
R3#
1d06h: %OSPF-5-ADJCHG: Process 1, Nbr 22.22.22.22 on Ethernet0 from LOADING to FULL, Loading Done
1d06h: %OSPF-5-ADJCHG: Process 1, Nbr 11.11.11.11 on Serial1 from LOADING to FULL, Loading Done

R3's adjacencies come right back up.

R3 now has no interface in Area 0. Checking R3's routing table, there doesn't seem to be a problem:

R3#show ip route ospf
     1.0.0.0/32 is subnetted, 1 subnets
O IA    1.1.1.1 [110/75] via 172.23.23.2, 00:01:44, Ethernet0
     2.0.0.0/32 is subnetted, 1 subnets
O IA    2.2.2.2 [110/11] via 172.23.23.2, 00:01:44, Ethernet0
     172.12.0.0/16 is variably subnetted, 3 subnets, 2 masks
O IA    172.12.21.0/30 [110/1572] via 172.23.23.2, 00:00:52, Ethernet0
Ping both of the other loopbacks from R3, and the pings go through. So what's the big deal about Area 0? R3 doesn't have an interface in Area 0, and there doesn't seem to be a problem, right?

Wrong. The problem is on R2. Check R2's OSPF routing table.

R2#show ip route ospf
     1.0.0.0/32 is subnetted, 1 subnets
O IA    1.1.1.1 [110/65] via 172.12.123.1, 00:02:37, Serial0.123
     172.12.0.0/16 is variably subnetted, 3 subnets, 2 masks
O IA    172.12.13.0/24 [110/259] via 172.12.123.1, 00:02:37, Serial0.123

R2 no longer has a route to R3's loopback, and pings to it fail.

R2#ping 3.3.3.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 3.3.3.3, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
Here is what happened. R3 has interfaces in Areas 3, 13, and 23 but none in Area 0, so it is no longer a functioning area border router: it does not originate summary LSAs for Area 3 into Areas 13 and 23, and no other router can, because R3 is the only router in Area 3. R3 itself still installs the summaries that R1 and R2 inject into Areas 13 and 23, which is why its own table looked fine. R2, which is a real ABR, only computes inter-area routes from summary LSAs it receives through Area 0, and Area 3 has no path to Area 0 at all. For full OSPF connectivity, a virtual link must be created between R1 and R3. R1 does have an interface in Area 0, so the link makes Area 13 a transit area and gives R3 a logical attachment to the backbone.

Configure the virtual link as shown. Notice that the command starts with the transit area, and that a virtual link cannot be configured through a stub area (Area 23 would not do). Also, the IP address specified in the command is the remote router's OSPF RID, not a next-hop IP address, and the link must be configured on both ends.
R3#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R3(config)#router ospf 1
R3(config-router)#area 13 virtual-link 11.11.11.11

R1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#router ospf 1
1d06h: %OSPF-4-ERRRCV: Received invalid packet: mismatch area ID, from backbone area must be virtual-link but not found from 172.12.13.3, Serial1
R1(config-router)#area 13 virtual-link 33.33.33.33

1d06h: %OSPF-5-ADJCHG: Process 1, Nbr 33.33.33.33 on OSPF_VL1 from LOADING to FULL, Loading Done
1d06h: %LINK-3-UPDOWN: Interface BRI0:1, changed state to up
1d06h: %LINEPROTO-5-UPDOWN: Line protocol on Interface BRI0:1, changed state to up
1d06h: %ISDN-6-CONNECT: Interface BRI0:1 is now connected to 5552222 R2

There are several things to note when configuring this virtual link. First, the error message you see on R1 is normal: R3 is already sending Area 0 packets over the transit area, but R1 has no matching virtual link configured yet, so it reports them as invalid. The message stops once R1's side is configured.
Again, the ISDN link comes up. That's normal when the OSPF topology changes: the demand circuit suppresses Hellos, not LSA flooding. The link will go down when the idle timeout hits zero, and it will stay down until the next topology change.

R1#show ip ospf virtual-link
Virtual Link OSPF_VL1 to router 33.33.33.33 is up
  Run as demand circuit
  DoNotAge LSA allowed.
  Transit area 13, via interface Serial1, Cost of using 195
  Transmit Delay is 1 sec, State POINT_TO_POINT,
  Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
    Hello due in 00:00:03
    Adjacency State FULL (Hello suppressed)
    Index 2/4, retransmission queue length 0, number of retransmission 1
    First 0x0(0)/0x0(0) Next 0x0(0)/0x0(0)
    Last retransmission scan length is 1, maximum is 1
    Last retransmission scan time is 0 msec, maximum is 0 msec
You must see the adjacency state as FULL to know that the virtual link is up and running. Now check R2's OSPF routing table.

R2#show ip route ospf
     1.0.0.0/32 is subnetted, 1 subnets
O IA    1.1.1.1 [110/65] via 172.12.123.1, 00:03:50, Serial0.123
     3.0.0.0/32 is subnetted, 1 subnets
O IA    3.3.3.3 [110/260] via 172.12.123.1, 00:03:50, Serial0.123
     172.12.0.0/16 is variably subnetted, 3 subnets, 2 masks
O IA    172.12.13.0/24 [110/259] via 172.12.123.1, 00:03:50, Serial0.123
R2#ping 3.3.3.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 3.3.3.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 112/116/120 ms

R3's loopback is back in R2's routing table, and pings succeed.

Make sure you know the basic rules for configuring a virtual link, the syntax of the command, and when one is and is not necessary before taking the CCNA exams.
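The backbone rule and the virtual-link restrictions from this lab, as an added example that is not part of the workbook. It takes each router's set of OSPF areas and reports which non-backbone areas have no ABR attached to Area 0; a virtual link counts as an attachment for its far end only when both ends share the transit area, the transit area is not the backbone, and it is not a stub area. The area memberships below are the lab's after R3 leaves Area 0; the function works for any topology given in the same form.

```python
from typing import Dict, Iterable, Set, Tuple

BACKBONE = 0

# Router name -> areas in which it has an OSPF interface, as in this lab
# after R3's Frame Relay subinterface was removed from Area 0.
LAB_AFTER_CHANGE: Dict[str, Set[int]] = {
    "R1": {0, 1, 12, 13},
    "R2": {0, 2, 12, 23},
    "R3": {3, 13, 23},
}


def backbone_attached(memberships: Dict[str, Set[int]],
                      virtual_links: Iterable[Tuple[str, str, int]] = (),
                      stub_areas: Set[int] = frozenset()) -> Set[str]:
    """Routers that are attached to Area 0, physically or over a virtual link.

    virtual_links holds (router_a, router_b, transit_area) triples. A link is
    honoured only when both ends have an interface in the transit area, the
    transit area is not Area 0 itself, and it is not a stub area; and it only
    helps when one end is already attached (the backbone must be reachable
    through the far end).
    """
    attached = {r for r, areas in memberships.items() if BACKBONE in areas}
    links = list(virtual_links)
    changed = True
    while changed:                      # iterate so chained links resolve
        changed = False
        for a, b, transit in links:
            if transit == BACKBONE or transit in stub_areas:
                continue
            if transit not in memberships.get(a, ()) or transit not in memberships.get(b, ()):
                continue
            if (a in attached) != (b in attached):
                attached |= {a, b}
                changed = True
    return attached


def areas_cut_off(memberships: Dict[str, Set[int]],
                  virtual_links: Iterable[Tuple[str, str, int]] = (),
                  stub_areas: Set[int] = frozenset()) -> Set[int]:
    """Non-backbone areas with no backbone-attached ABR.

    Prefixes from such an area are never summarised into the rest of the
    network, which is exactly what R2 saw for R3's loopback in Area 3.
    """
    attached = backbone_attached(memberships, virtual_links, stub_areas)
    all_areas = set().union(*memberships.values()) - {BACKBONE}
    return {area for area in all_areas
            if not any(area in memberships[r] for r in attached)}


if __name__ == "__main__":
    print(areas_cut_off(LAB_AFTER_CHANGE))                                   # {3}
    print(areas_cut_off(LAB_AFTER_CHANGE, virtual_links=[("R3", "R1", 13)]))  # set()
    # Area 23 is a stub, so a virtual link through it is rejected.
    print(areas_cut_off(LAB_AFTER_CHANGE, virtual_links=[("R3", "R2", 23)],
                        stub_areas={23}))                                    # {3}
```

Run it before and after a planned area change and you get the list of areas that will lose reachability, which is a cheaper way to find out than the failed ping on R2.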
Before moving on to another protocol lab, remove OSPF from each router with the global command no router ospf 1.

EIGRP Lab

Configure EIGRP AS 100 on R1, R2, and R3 over the Frame Relay cloud. Disable EIGRP's automatic summarization with the no auto-summary command. (If you need to review why EIGRP auto-summary is usually turned off, there is an illustrated example in The Bryant Advantage Ultimate CCNA Study Guide's EIGRP chapter.)
R1#conf t
R1(config)#router eigrp 100
R1(config-router)#no auto-summary
R1(config-router)#network 172.12.123.0 0.0.0.255

R2#conf t
R2(config)#router eigrp 100
R2(config-router)#no auto-summary
R2(config-router)#network 172.12.123.0 0.0.0.255

R3#conf t
R3(config)#router eigrp 100
R3(config-router)#no auto-summary
R3(config-router)#network 172.12.123.0 0.0.0.255

On R1, run show ip eigrp neighbor.

R1#show ip eigrp neighbor
IP-EIGRP neighbors for process 100
H   Address         Interface   Hold Uptime   SRTT   RTO  Q  Seq Type
                                (sec)         (ms)       Cnt Num
1   172.12.123.3    Se0/0         11 00:02:45    1  5000  0  1
0   172.12.123.2    Se0/0        161 00:03:01    1  5000  0  1
On each router, add the loopback address to the EIGRP process.

R1#conf t
R1(config)#router eigrp 100
R1(config-router)#network 1.1.1.1 0.0.0.0

R2#conf t
R2(config)#router eigrp 100
R2(config-router)#network 2.2.2.2 0.0.0.0

R3#conf t
R3(config)#router eigrp 100
R3(config-router)#network 3.3.3.3 0.0.0.0
On each router, run show ip route eigrp. R1 has a route for both R2's and R3's loopbacks. R2 and R3 will only see R1's loopback, and not each other's. Why?

R1#show ip route eigrp
     2.0.0.0/24 is subnetted, 1 subnets
D       2.2.2.0 [90/2297856] via 172.12.123.2, 00:03:19, Serial0/0
     3.0.0.0/24 is subnetted, 1 subnets
D       3.3.3.0 [90/2297856] via 172.12.123.3, 00:03:04, Serial0/0

R2#show ip route eigrp
     1.0.0.0/24 is subnetted, 1 subnets
D       1.1.1.0 [90/2297856] via 172.12.123.1, 00:03:40, Serial0/0.123

R3#show ip route eigrp
     1.0.0.0/24 is subnetted, 1 subnets
D       1.1.1.0 [90/2297856] via 172.12.123.1, 00:05:17, Serial0/0.31

Note: The letter D indicates an EIGRP route! It stands for DUAL, the Diffusing Update Algorithm EIGRP runs; E was already taken by EGP when EIGRP came along. It wasn't just done to make the exams harder. ;)
EIGRP uses split horizon by default to prevent routing loops. In this lab, though, it prevents full reachability. R2 and R3 both form neighbor relationships with R1's physical Serial interface. R2 advertises its loopback to R1 over that interface, as does R3. Split horizon does not allow a route to be advertised back out the interface it was received on, so R1 cannot advertise R2's loopback to R3, or R3's loopback to R2.

Split horizon must be disabled on R1's Serial interface to allow full reachability in this lab: run no ip split-horizon eigrp 100 there. Disabling it causes the neighbor relationships to drop and re-establish. Then run show ip route eigrp on both R2 and R3; the route to the remote loopback will now appear. From each router, ping the other routers' loopbacks. All pings will succeed. (This is the standard fix for the hub of a hub-and-spoke NBMA network; the alternative is a point-to-point subinterface per spoke on the hub, as R2 and R3 already use, so that each spoke sits on its own interface and split horizon never gets in the way.)
R1#conf t
R1(config)#int serial0
R1(config-if)#no ip split-horizon eigrp 100

10:02:27: %DUAL-5-NBRCHANGE: IP-EIGRP 100: Neighbor 172.12.123.3 (Serial0/0) is up: new adjacency
10:02:54: %DUAL-5-NBRCHANGE: IP-EIGRP 100: Neighbor 172.12.123.2 (Serial0/0) is up: new adjacency
< The adjacencies come down after Split Horizon is changed, but are back within 30 seconds. The routes may need a minute or so to show up on R2 and R3.>
R2#show ip route eigrp
     1.0.0.0/24 is subnetted, 1 subnets
D       1.1.1.0 [90/2297856] via 172.12.123.1, 00:00:06, Serial0/0.123
     3.0.0.0/24 is subnetted, 1 subnets
D       3.3.3.0 [90/2809856] via 172.12.123.1, 00:00:06, Serial0/0.123

R3#show ip route eigrp
     1.0.0.0/24 is subnetted, 1 subnets
D       1.1.1.0 [90/2297856] via 172.12.123.1, 00:00:12, Serial0/0.31
     2.0.0.0/24 is subnetted, 1 subnets
D       2.2.2.0 [90/2809856] via 172.12.123.1, 00:00:12, Serial0/0.31

Add the Ethernet segment between R2 and R3 to EIGRP AS 100.

R2#conf t
R2(config)#router eigrp 100
R2(config-router)#network 172.23.23.0 0.0.0.255

R3#conf t
R3(config)#router eigrp 100
R3(config-router)#network 172.23.23.0 0.0.0.255
Run show ip eigrp neighbor on each router.
R2#show ip eigrp neighbor
IP-EIGRP neighbors for process 100
H   Address         Interface    Hold Uptime   SRTT   RTO  Q  Seq Type
                                 (sec)         (ms)       Cnt Num
1   172.23.23.3     Et0/0          12 00:03:29    4   200  0  15
0   172.12.123.1    Se0/0.123     126 00:11:16   40   240  0  15

R3#show ip eigrp neighbor
IP-EIGRP neighbors for process 100
H   Address         Interface    Hold Uptime   SRTT   RTO  Q  Seq Type
                                 (sec)         (ms)       Cnt Num
1   172.23.23.2     Et0/0          11 00:03:34 1529  5000  0  14
0   172.12.123.1    Se0/0.31      176 00:11:24   40   240  0  16

Run show ip eigrp topology to look at the Successor and Feasible Successor routes on R1.
R1#show ip eigrp topology
IP-EIGRP Topology Table for AS(100)/ID(150.1.1.1)

Codes: P - Passive, A - Active, U - Update, Q - Query, R - Reply,
       r - reply Status, s - sia Status

P 1.1.1.0/24, 1 successors, FD is 128256
        via Connected, Loopback1
P 2.2.2.0/24, 1 successors, FD is 2297856
        via 172.12.123.2 (2297856/128256), Serial0/0
        via 172.12.123.3 (2323456/409600), Serial0/0
P 3.3.3.0/24, 1 successors, FD is 2297856
        via 172.12.123.3 (2297856/128256), Serial0/0
        via 172.12.123.2 (2323456/409600), Serial0/0
P 172.23.23.0/27, 2 successors, FD is 2195456
        via 172.12.123.3 (2195456/281600), Serial0/0
        via 172.12.123.2 (2195456/281600), Serial0/0
P 172.12.123.0/24, 1 successors, FD is 2169856
        via Connected, Serial0/0
According to the code list at the top of this command output, the P code stands for Passive, and all these routes have a P next to them. Is this good? Yes. A passive EIGRP route means that it is not currently being calculated by DUAL. An active EIGRP route means that it is being calculated. A route that stays in active state cannot be used to transport packets; such a route is said to be SIA, or stuck in active.
R1 has two Successor routes for the Ethernet network. Why? First, the EIGRP process checks whether the routes meet the Feasibility Condition. The Feasible Distance, the best metric the router has for that destination, is 2195456. That happens to be the metric for both possible routes, and since the Advertised Distance (281600) for both routes is less than the Feasible Distance, both routes are Feasible Successors. Since the metric for both paths is exactly the same, equal-cost load balancing will occur: both routes are placed into the topology table as Successors, and both are placed into the routing table.

Consider R1's two possible routes to R2's loopback and R3's loopback from the EIGRP topology table:
R1#show ip eigrp topology
P 2.2.2.0/24, 1 successors, FD is 2297856
        via 172.12.123.2 (2297856/128256), Serial0/0
        via 172.12.123.3 (2323456/409600), Serial0/0
P 3.3.3.0/24, 1 successors, FD is 2297856
        via 172.12.123.3 (2297856/128256), Serial0/0
        via 172.12.123.2 (2323456/409600), Serial0/0
The Feasible Distance for this route is 2297856; that is the best metric the router has for the route. The first route in the list has this FD and will be the Successor (primary route).

The second route must meet the Feasibility Condition. Is its Advertised Distance lower than the Feasible Distance (FD) of the Successor? Yes. The route's Advertised Distance is 409600; the FD is 2297856. The route meets the Feasibility Condition and is placed into the topology table. It is now a Feasible Successor; it can be used if the Successor fails, but by default it will not participate in load-sharing. The same can be said for the two paths to R3's loopback.

Configure the EIGRP network to load-balance over these two possible paths to each loopback address with the appropriate variance command. Recall that the variance command is a multiplier: the router multiplies the Feasible Distance by this value, and any Feasible Successor whose metric is less than that product is placed into the routing table and used for load-balancing.

The Feasible Distance in each case is 2297856; the metric for the Feasible Successor in each case is 2323456. Since that's barely higher than the Feasible Distance, a variance value of 2 will do the job. Configure variance 2 under the EIGRP process on R1, clear the routing table with clear ip route *, and run show ip route eigrp.

Before using variance to configure unequal-cost load-sharing:
R1#show ip route eigrp
     2.0.0.0/32 is subnetted, 1 subnets
D       2.2.2.2 [90/2297856] via 172.12.123.2, 00:12:53, Serial0
     3.0.0.0/24 is subnetted, 1 subnets
D       3.3.3.0 [90/2297856] via 172.12.123.3, 00:12:53, Serial0

R1#conf t
R1(config)#router eigrp 100
R1(config-router)#variance 2

R1#clear ip route *
R1#show ip route eigrp
     2.0.0.0/24 is subnetted, 1 subnets
D       2.2.2.0 [90/2297856] via 172.12.123.2, 00:00:04, Serial0/0
                [90/2323456] via 172.12.123.3, 00:00:04, Serial0/0
     3.0.0.0/24 is subnetted, 1 subnets
D       3.3.3.0 [90/2297856] via 172.12.123.3, 00:00:04, Serial0/0
                [90/2323456] via 172.12.123.2, 00:00:04, Serial0/0
     172.23.0.0/27 is subnetted, 1 subnets
D       172.23.23.0 [90/2195456] via 172.12.123.3, 00:00:04, Serial0/0
                    [90/2195456] via 172.12.123.2, 00:00:04, Serial0/0

The variance command allows any Feasible Successor with a metric of less than (2297856 x 2) to participate in load-balancing. R1 can now use both routes to R2's and R3's loopback networks.
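To make the Successor, Feasible Successor and variance arithmetic above concrete, here is an added Python example (not code from the workbook) that applies the Feasibility Condition and the variance multiplier to R1's topology entries from this lab. The Path class, the function names and the extra HYPOTHETICAL path are this example's own constructions.

```python
"""Successor, Feasible Successor and variance selection, worked on R1's topology table.
Added example (not the workbook's code). Path data is copied from R1's
'show ip eigrp topology' output; the HYPOTHETICAL path is constructed."""
from dataclasses import dataclass


@dataclass
class Path:
    via: str       # next-hop neighbor address
    metric: int    # first number in parentheses: metric through this neighbor
    ad: int        # second number: Advertised (Reported) Distance from the neighbor


def classify(paths):
    """Split a destination's paths into (FD, successors, feasible successors).
    FD is the lowest metric; every path with that metric is a Successor
    (equal-cost). Any other path is a Feasible Successor only if its
    Advertised Distance is strictly lower than FD (the Feasibility Condition)."""
    fd = min(p.metric for p in paths)
    successors = [p for p in paths if p.metric == fd]
    feasible = [p for p in paths if p.metric > fd and p.ad < fd]
    return fd, successors, feasible


def installed_paths(paths, variance=1):
    """Paths that land in the routing table: Successors plus any Feasible
    Successor whose metric is less than FD * variance. A path that fails the
    Feasibility Condition is never installed, however large the variance."""
    fd, successors, feasible = classify(paths)
    return successors + [p for p in feasible if p.metric < fd * variance]


def minimum_variance(paths):
    """Smallest integer variance that installs every Feasible Successor."""
    fd, _, feasible = classify(paths)
    if not feasible:
        return 1
    return max(p.metric for p in feasible) // fd + 1   # need FD * v > metric


# R1's entries for R2's loopback and the R2-R3 Ethernet segment (from the lab output).
R2_LOOPBACK = [Path("172.12.123.2", 2297856, 128256),
               Path("172.12.123.3", 2323456, 409600)]
ETHERNET = [Path("172.12.123.3", 2195456, 281600),
            Path("172.12.123.2", 2195456, 281600)]
# Constructed: the metric is close to FD, but the AD is not below FD, so it is not feasible.
HYPOTHETICAL = R2_LOOPBACK + [Path("172.12.123.9", 2400000, 2400000)]

if __name__ == "__main__":
    for name, paths in [("2.2.2.0/24", R2_LOOPBACK), ("172.23.23.0/27", ETHERNET)]:
        fd, succ, feas = classify(paths)
        print(f"{name}: FD={fd} successors={[p.via for p in succ]} "
              f"feasible={[p.via for p in feas]} min variance={minimum_variance(paths)}")
        print("  installed with variance 2:", [p.via for p in installed_paths(paths, 2)])
```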
After the variance command:
R1#show ip route eigrp
     2.0.0.0/32 is subnetted, 1 subnets
D       2.2.2.2 [90/2297856] via 172.12.123.2, 00:00:03, Serial0
                [90/2323456] via 172.12.123.3, 00:00:03, Serial0
     3.0.0.0/24 is subnetted, 1 subnets
D       3.3.3.0 [90/2297856] via 172.12.123.3, 00:00:05, Serial0
                [90/2323456] via 172.12.123.2, 00:00:05, Serial0

Advanced TCP/IP Concepts Lab

Before beginning the lab, a routing protocol must be configured. The protocol should be RIPv2, OSPF, or EIGRP. Each router must be able to ping the loopbacks on each of the other two routers and the Serial interface connected to the Frame Relay cloud. R2's and R3's Ethernet interfaces should be pingable from every router. The BRI interface and the directly connected interface between R1 and R3 should be shut down.
With the access-list command, configure R1 so that only packets from the 172.12.123.0 /24 network can enter the Serial interface. Test the configuration by sending a ping on R2 from both 172.12.123.2 and 2.2.2.2.
R1#conf t
R1(config)#access-list 1 permit 172.12.123.0 0.0.0.255
< Wildcard masks are used with access lists. There is an implicit deny at the end of every access list; any traffic that is not expressly permitted is implicitly denied. >
R1(config)#interface serial0/0
R1(config-if)#ip access-group 1 in
< Access lists are applied to interfaces with the ip access-group command. The direction the access-list is applied in follows that command. >

A ping will be sent from R2 using two different source addresses. A ping such as the ones sent in the labs up to this point is seen by the remote router as having originated from the interface it left the sending router on. For example, running ping 172.12.123.1 from R2 results in a ping with a source address of 172.12.123.2. Since this address falls within the permit statement of the access-list configured above, the traffic is let through at R1's serial interface and the ping succeeds.

R2#ping 172.12.123.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.12.123.1, timeout is 2 seconds:
!!!!!

On R1, run show ip access-list to see matches against every statement in the access-list.

R1#show ip access-list
Standard IP access list 1
    permit 172.12.123.0, wildcard bits 0.0.0.255 (5 matches)
The number of matches you see will vary; remember that routing protocol updates are being permitted as well, not just pings.

To send a ping from an IP address other than the exit interface's IP address, use an extended ping.
R2#ping
Protocol [ip]:
Target IP address: 172.12.123.1
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: loopback0
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.12.123.1, timeout is 2 seconds:
Packet sent with a source address of 2.2.2.2
U.U.U
Success rate is 0 percent (0/5)
The key is in the extended commands. The default for this is N, but by answering Y, the source interface of the ping can be changed as shown. The ping sent from the loopback address 2.2.2.2 does not go through. That traffic is blocked by the access-list on R1.
To be able to see how many packets are denied by a standard ACL, the implicit deny statement must be explicitly configured. Show ip access-list will then show the denied packets as well as the permitted ones.
R1#conf t
R1(config)#no access-list 1
R1(config)#access-list 1 permit 172.12.123.0 0.0.0.255
R1(config)#access-list 1 deny any
< The implicit deny any is expressly configured so packets denied by it will show in show ip access-list, as seen below. >

R1#show ip access-list
Standard IP access list 1
    permit 172.12.123.0, wildcard bits 0.0.0.255 (4 matches)
    deny   any (8 matches)

On R3, write a standard ACL that denies traffic from IP address 1.1.1.1, but permits all other IP traffic with the access-list and ip access-group commands.
R3#conf t
R3(config)#access-list 1 deny 1.1.1.1
R3(config)#access-list 1 perm any
R3(config)#interface serial 0.31
R3(config-if)#ip access-group 1 in
The first line of the ACL denies traffic from 1.1.1.1, and the second permits all other traffic. The order of the lines in an ACL is vital. If these lines were reversed and access-list 1 permit any was the first line, all traffic would be permitted, including traffic from 1.1.1.1. The deny statement would never be reached.
From R1, ping 172.12.123.3, first with a regular ping, then with an extended ping from source 1.1.1.1.
R1#ping 172.12.123.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.12.123.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 60/60/60 ms

R1#ping
Protocol [ip]:
Target IP address: 172.12.123.3
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 1.1.1.1
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.12.123.3, timeout is 2 seconds:
Packet sent with a source address of 1.1.1.1
U.U.U
Success rate is 0 percent (0/5)

As expected, the ping from 172.12.123.1 is good, but the ping from 1.1.1.1 was stopped by the ACL on R3.
On R3, run show ip access-list to view the number of packets that have been permitted and denied.
R3#show ip access-list
Standard IP access list 1
    deny   1.1.1.1 (5 matches)
    permit any (20 matches)
The pings sourcing from 1.1.1.1 were stopped at the serial interface. All other traffic is being permitted.
Using an extended ACL on R3, prevent traffic from coming into the routers Ethernet interface if the source is 172.23.23.2 and the destination is 3.3.3.3.
To define a source and destination in an ACL, an extended ACL must be used. The numeric ranges for extended ACLs are 100-199 and 2000 - 2699.
R3#conf t
R3(config)#access-list 125 deny ip host 172.23.23.2 host 3.3.3.3
R3(config)#access-list 125 perm ip any any

The first line of the ACL uses the host option. This takes the place of a wildcard mask of 0.0.0.0; that is, the host option means that the IP address that follows it is the only IP address to be affected. It's used twice in this ACL, since a specific source address and a specific destination address are being denied.

The second line uses the any option. This takes the place of a wildcard mask of 255.255.255.255. Since any is used twice, once for the source and once for the destination, all traffic is affected by this line.

The ACL is then applied to the Ethernet interface. There is now one ACL on the Ethernet interface and one on the serial interface. The rule is that at most two ACLs can be applied to a single interface, one affecting outgoing traffic and another affecting incoming traffic.

R3(config)#interface ethernet0
R3(config-if)#ip access-group 125 in
From R2, ping 172.23.23.3 and 3.3.3.3 with regular pings. After doing so, run show ip access-list on R3.
R2#ping 3.3.3.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 3.3.3.3, timeout is 2 seconds:
U.U.U
Success rate is 0 percent (0/5)

R2#ping 172.23.23.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.23.23.3, timeout is 2 seconds:
!!!!!

The pings to 3.3.3.3 fail, but the pings to 172.23.23.3 succeed. Since the standard ping command was used, the source IP address of the ping is that of the exiting interface, 172.23.23.2.
R3#show ip access-list
Standard IP access list 1
    deny   1.1.1.1 (8 matches)
    permit any (70 matches)
Extended IP access list 125
    deny ip host 172.23.23.2 host 3.3.3.3 (8 matches)
    permit ip any any (386 matches)
Both ACLs configured on R3 are shown. List 125 is denying the specific packets with a source of 172.23.23.2 and a destination of 3.3.3.3. All other packets are going through. When a source and destination are specified, both have to match for that line of the ACL to take effect.
On R2, use the ip access-list command to prevent any traffic from 3.3.3.3. Apply this named ACL to the Ethernet interface.

R2#conf t
R2(config)#ip access-list standard BLOCKNETWORK3
R2(config-std-nacl)#deny host 3.3.3.3
R2(config-std-nacl)#perm any
R2(config-std-nacl)#interface ethernet0
R2(config-if)#ip access-group BLOCKNETWORK3 in
To configure a named access list, use the ip access-list command, followed by standard or extended, and then the name of the ACL. Make the name intuitive. Apply a named ACL with the ip access-group command, just as if the list were a numbered ACL.
From R3, send an extended ping that sources from 3.3.3.3 to 172.23.23.2. When the ping fails, run show ip access-list on R2 to ensure the ACL is blocking the packets.
R3#ping
Protocol [ip]:
Target IP address: 172.23.23.2
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 3.3.3.3
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.23.23.2, timeout is 2 seconds:
Packet sent with a source address of 3.3.3.3
..
Success rate is 0 percent (0/5)

R2#show ip access-list
Standard IP access list BLOCKNETWORK3
    deny   3.3.3.3 (5 matches)
    permit any (18 matches)
The pings with a source address of 3.3.3.3 are blocked by the ACL.
On R3, write a standard ACL that permits only host 172.12.123.1. Allow the implicit deny to prevent all other addresses. Apply the access-list to the VTY lines with the access-class command so that only this address can telnet into R3. Set a password of CCNA for telnet access.

R3#conf t
R3(config)#access-list 5 permit 172.12.123.1
R3(config)#line vty 0 4
< Configures the VTY lines, used for Telnet access. >
R3(config-line)#login
< Allows login with a password that must be configured under the VTY lines. >
R3(config-line)#password CCNA
< Password to be used for Telnet access. >
R3(config-line)#access-class 5 in
< The access-list is applied to VTY lines with the access-class command. Only the address specified in the ACL will be able to Telnet to this router. >
From R1 and R2, telnet to 172.12.123.3.
R1#telnet 172.12.123.3 Trying 172.12.123.3 ... Open
From R1, the telnet succeeds. While performing this lab, notice that the password never appears when telnetting to the router, nor does the cursor move.
From R2, the telnet attempt fails. The console message is simply that the remote host refused it. It was refused because only R1's serial address is permitted by the ACL applied to the VTY lines; the implicit deny stops all other telnet attempts. The user attempting to connect to R3 is not given any details as to why the telnet attempt was refused.
On R3, run show ip access-list.
R3#show ip access-list
Standard IP access list 1
    deny   1.1.1.1 (8 matches)
    permit any (430 matches)
Standard IP access list 5
    permit 172.12.123.1 (6 matches)
Extended IP access list 125
    deny ip host 172.23.23.2 host 3.3.3.3 (18 matches)
    permit ip any any (1248 matches)
Note that the match counts on the permit any statements of the first two ACLs continue to accrue as the lab progresses, because routing update packets are being sent around the network. Their number and frequency depend on the routing protocol.
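The ACL behaviour walked through in this lab (wildcard masks, the host and any keywords, first-match ordering, the implicit deny, and the per-line match counters reported by show ip access-list) can be reproduced offline with this added Python example; it is not the workbook's code, and the AccessList class and the parse_spec and send_pings helpers are this example's own. The same matcher covers the named ACL on R2 and the access-class list on R3, since those are evaluated the same way.

```python
"""IOS-style ACL evaluation: wildcard masks, first match wins, implicit deny, and
per-line match counters. Added example (not the workbook's code); ACL lines and ping
sources come from the lab, the AccessList class is this example's own."""
import ipaddress


def wildcard_match(addr, base, wildcard):
    """Wildcard bit 1 = don't care, 0 = must match (the inverse of a subnet mask)."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(base)) & care)


def parse_spec(tokens):
    """Consume one address spec: 'any', 'host A', 'A WILDCARD', or a bare 'A' (= host A)."""
    tok = tokens.pop(0)
    if tok == "any":
        return "0.0.0.0", "255.255.255.255"
    if tok == "host":
        return tokens.pop(0), "0.0.0.0"
    if tokens and tokens[0][0].isdigit():   # an explicit wildcard mask follows
        return tok, tokens.pop(0)
    return tok, "0.0.0.0"


class AccessList:
    """One numbered or named ACL. Standard entries look at the source only;
    extended entries ('... ip SRC DST') must match both source and destination."""

    def __init__(self, lines):
        self.entries = []          # [permit?, (src, src_wc), (dst, dst_wc), matches]
        self.implicit_denied = 0   # packets that fell off the end of the list
        for line in lines:
            tokens = line.split()
            permit = tokens.pop(0).startswith("perm")   # IOS accepts 'perm' for 'permit'
            if tokens[0] == "ip":                       # extended entry
                tokens.pop(0)
                src, dst = parse_spec(tokens), parse_spec(tokens)
            else:                                       # standard entry: any destination
                src, dst = parse_spec(tokens), ("0.0.0.0", "255.255.255.255")
            self.entries.append([permit, src, dst, 0])

    def check(self, src, dst):
        """First matching line decides; no match at all means the implicit deny."""
        for entry in self.entries:
            permit, (sb, sw), (db, dw), _ = entry
            if wildcard_match(src, sb, sw) and wildcard_match(dst, db, dw):
                entry[3] += 1
                return permit
        self.implicit_denied += 1
        return False

    def counters(self):
        return [e[3] for e in self.entries]


def send_pings(acl, src, dst, count=5):
    """Push 'count' echo requests through the ACL; return how many it permits."""
    return sum(acl.check(src, dst) for _ in range(count))


if __name__ == "__main__":
    r1 = AccessList(["permit 172.12.123.0 0.0.0.255"])        # R1's ACL 1 from the lab
    print("from 172.12.123.2:", send_pings(r1, "172.12.123.2", "172.12.123.1"))
    print("from 2.2.2.2:", send_pings(r1, "2.2.2.2", "172.12.123.1"))
    print("matches:", r1.counters(), "implicitly denied:", r1.implicit_denied)
```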
On R1, use the ip host command to configure the router to telnet to 172.12.123.3 when R3 is typed. (No quotation marks.)
R1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#ip host R3 172.12.123.3
R1#R3 Trying R3 (172.12.123.3)... Open
User Access Verification
Password:
R3>en
Password:
R3#
After configuring the ip host command, simply entering R3 on R1 will telnet to 172.12.123.3.
Starting From Scratch: Erasing Your Router And Switch Configurations

When you're done with your labs, I recommend you erase your configurations and start from the very beginning. Why? Because you do your best learning the second and third time you do anything. That's when you reinforce everything you've learned.

The process is just a little different on the routers and switches, as there's a file we need to delete on the switches if you really want to start over. Let's take a quick look at the router process:
1. At the enable prompt, run the command write erase.
2. Reload the router with reload. If prompted to save your config, enter "N".
3. Hit enter to confirm reload when prompted.
4. The router will reload and will eventually prompt you to go into setup mode. While you need to know the two ways to get out of setup mode for the exams, you're better off not going into it in the first place. Enter "n" and you will be back at the router> prompt in about a minute.
5. At the router prompt, enter "enable", then "config t", and you can name the router with the hostname command.
6. For your convenience, run the following non-CCNA commands on every router and switch:
line console 0
 logging synchronous
 exec-timeout 0 0
logging synchronous - prevents router from interrupting your typing with syslog messages; they're held until no data entry is detected.
exec-timeout 0 0 - Prevents you from being timed out of privileged exec mode.
It's the same on the switches, with one exception. After running "write erase", run the following command at the enable prompt:
delete vlan.dat
You'll be prompted with two questions to make sure you want to delete this file. Do NOT enter "y" or "yes"; if you do so, the switch thinks you're trying to erase a file named "y". Simply hit "enter" for both confirms, THEN reload the switch and follow the router steps.
The file "vlan.dat" contains your vlan and VTP information and is not erased with "write erase", since this file is kept in flash rather than nvram. To truly start over, you need to manually erase this file.
That's it! If you have any questions, just let me know at [email protected] .