
The Ultimate CCNA Lab Workbook Labs Designed For CCNA Rack Rentals Chris Bryant CCIE #12933

The Bryant Advantage CCNA lab workbook is designed to assist candidates in preparation for the exam for the Cisco Certified Network Associate (r) and Cisco Certified Network Professional (r) certifications. This book will help you master all the skills you'll need to pass the CCNA exams, and give you a solid foundation for your future Cisco studies.


The Ultimate

CCNA Lab Workbook



Labs Designed For CCNA Rack Rentals
At www.thebryantadvantage.com

Chris Bryant
CCIE #12933

www.thebryantadvantage.com
















Chris Bryant, CCIE #12933
www.thebryantadvantage.com
2005 The Bryant Advantage



Copyright Information:

Cisco, Cisco Systems, CCIE, Cisco Certified Internetwork Expert,
Cisco Certified Network Associate, and Cisco Certified Network
Professional are registered trademarks of Cisco Systems, Inc.,
and/or its affiliates in the U.S. and certain countries.

All other products and company names are the trademarks, registered
trademarks, and service marks of the respective owners. Throughout
this ebook, The Bryant Advantage has used its best efforts to
distinguish proprietary trademarks from descriptive names by
following the capitalization styles used by the manufacturer.

Disclaimer:

This publication, The Bryant Advantage CCNA Lab Workbook, is
designed and intended to assist candidates in preparation for the exam
for the Cisco Certified Network Associate and Cisco Certified
Network Professional certifications. All efforts have been made by
the author to make this book as accurate and complete as possible,
but no guarantee, warranty, or fitness are implied, expressly or
implicitly. The enclosed material is presented on an "as is" basis.
Neither the author, Bryant Instructional Services, or the parent
company assume any liability or responsibility to any person or entity
with respect to loss or damages incurred from the information
contained in this workbook.

Copyright 2005, The Bryant Advantage.












Welcome to The Bryant Advantage CCNA Lab Workbook! Used in
combination with my CCNA / CCNP Rack Rentals, this book will help
you master all the skills you'll need to pass the CCNA exams, and give
you a solid foundation for your future Cisco studies.

The best way to learn about Cisco technologies is to use them. You've
got to read to learn the theory, but it's vital to see the theory in
action. With that in mind, let's take a look at the network topology
you'll use in this lab workbook.



There are two additional Cisco routers in your pod that are not shown
here. The first is a 2500 router acting as a frame relay switch, which
makes it possible to have a frame relay cloud in a practice lab. Your
frame relay switch is preconfigured. (If you'd like to see the
configuration of a frame relay switch, visit my website and check the
Tutorials section, or write me at [email protected] and
I'll be glad to email you a copy.)

The second router is the access server; that's the router you will
actually be using Telnet to communicate with. There is no need to
change the configuration of this device.


Please Read The Following Rules Carefully.
They're Not The Usual mumbo jumbo
Legalities.

By connecting to my remote labs, you agree to abide by the
following rules.

1. Do not change the configuration of the access server in
any way. Doing so may end your session, and a refund
will not be given. You will also be prohibited from renting
the pods in the future.
2. Do not change the configuration register of any router or
switch.
3. You are more than welcome to practice your enable
secret, enable password, console password, and telnet
passwords. However, you MUST use the passwords
"cisco" or "ccna", without the quotation marks. Upper
case or lower case is fine.

Thank you!

Connecting To Your Remote Pod

Getting started with your pod of Cisco routers and 2950 switches is
easy! First, you'll need to Telnet to your access server. The IP
address, username, and password for your session were sent to you in
a separate email. (The phone numbers for your ISDN connection are
also in that email.)

You can use any Telnet version to connect to your access server. You
can use HyperTerminal if you like, but I've seen some versions have
trouble with Telnet. If you use HyperTerminal and have trouble
authenticating, use Telnet by going out to your C: prompt.





From your C: prompt, you can type telnet to go into Microsoft telnet,
or type telnet x.x.x.x, with the IP address in place of the x's.

C:\> telnet

Welcome to Microsoft Telnet Client

Escape Character is 'CTRL+]'

Microsoft Telnet> open 100.100.100.100 (put the IP address
you were sent in email in place of the 100.100.100.100)

User Access Verification

Username:

Password:

OR:

C:\>telnet 100.100.100.100

User Access Verification

Username:

Password:


A few tips for logging in:

1. You will be prompted for a username, then a password.
2. Do not hit the space bar at the end of entering either; this will
send a null space and you will not be authenticated.
3. The cursor WILL NOT MOVE when you enter your
username and password. That's a Cisco default. You will
not see asterisks, as you do when logging in to most Microsoft
products.







After entering your username and password, you'll be put into
privileged exec mode on the access server:


User Access Verification

Password:
BRYANT_POD_ONE#

Your three routers and two Cisco 2950 switches are all connected to
this access server. Here's how to access each device.

First, clear the lines leading to the other devices.

BRYANT_POD_ONE#clear line 01
[confirm]
[OK]
BRYANT_POD_ONE#clear line 02
[confirm]
[OK]
BRYANT_POD_ONE#clear line 03
[confirm]
[OK]
BRYANT_POD_ONE#clear line 04
[confirm]
[OK]
BRYANT_POD_ONE#clear line 05
[confirm]
[OK]
BRYANT_POD_ONE#

When you see the [confirm] choice, just hit your enter key to accept it.

Now that the lines are cleared, you're going to connect to each device
from your access server. This reads like a long process, but it will only
take you a minute or two.








Type R1 at the prompt:

BRYANT_POD_ONE#r1
Trying R1 (100.1.1.1, 2001)... Open

R1#

Note: When you see the word Open, hit the Enter key again. You'll
then see the prompt for R1.

Now, you need to learn the big keystroke that you'll be using to go
back from the access server. Here it is:

<CTRL SHIFT 6> < X>

This keystroke is a little awkward at first, but before long you'll be
doing it without thinking about it. You hit ctrl-shift-6 the same way
you'd enter ctrl-alt-delete (we all know that one!), then release those
keys and hit x. Then you're right back at the access server. Repeat
the process for R2, R3, SW1, and SW2.

R1# < Use above keystroke to go back to access server >
BRYANT_POD_ONE#r2
Trying R2 (100.1.1.1, 2002)... Open

R2# < Use above keystroke to go back to access server >
BRYANT_POD_ONE#r3
Trying R3 (100.1.1.1, 2003)... Open

R3# < Use above keystroke to go back to access server >
BRYANT_POD_ONE#sw1
Trying SW1 (100.1.1.1, 2004)... Open

sw1# < Use above keystroke to go back to access server >
BRYANT_POD_ONE#sw2
Trying SW2 (100.1.1.1, 2005)... Open

sw2# < Use above keystroke to go back to access server >
BRYANT_POD_ONE#

Remember, you're always coming back to the access server to get
from one router to another. Before long, you'll be using that
keystroke without even thinking about it.

Now that you've created those connections, you will use only the
number of the connection to go back to each device. At the access
server, just type these numbers to get to each device:

1: R1
2: R2
3: R3
4: SW1
5: SW2

Don't type the entire name of the device again; just type the numbers
you see here on the access server, as shown below.

BRYANT_POD_ONE#1
[Resuming connection 1 to r1 ... ]

R1#
BRYANT_POD_ONE#2
[Resuming connection 2 to r2 ... ]

R2#
BRYANT_POD_ONE#3
[Resuming connection 3 to r3 ... ]

R3#
BRYANT_POD_ONE#4
[Resuming connection 4 to sw1 ... ]

sw1#
BRYANT_POD_ONE#5
[Resuming connection 5 to sw2 ... ]

sw2#
BRYANT_POD_ONE#

Don't forget to hit enter again after you see the resuming
connection message. That will get you to the enable prompt.

That's all there is to it!




Table Of Contents

IP Addressing
LAN Switching
Frame Relay
ISDN / Point-To-Point
Passwords And Services
Static Routing
Distance Vector Protocols
OSPF
EIGRP
Advanced TCP/IP Features
Starting From Scratch

Your Bryant Advantage Rack Rental Cisco pod is ready! You'll be
spending time working with real Cisco 2500 routers, all running IOS
12.2, and real Cisco 2950 switches.

Your CCNA Lab Workbook is attached. To get the most out of your
rack time:

Repeat the tasks as often as you can. Repetition is the mother of skill.

Run debugs and show commands often. I suggest many throughout
the lab workbook that you should be very familiar with before taking
the CCNA exams.

Don't feel limited to running only these labs. Run all the IOS Help
commands you like and explore command options.

Should you choose to do so, you can erase the config on these devices
with write erase and then reload them with reload. If you do, all
your configs are gone and you're really starting from scratch! Feel
free to do this, but I do recommend you configure these extra
commands when they come back up (they're already configured on
your routers and switches when you log in).

line con 0
 logging synchronous
 exec-timeout 0 0

The IP address to Telnet to is 65.37.154.163 . For tips on connecting,
read the opening pages of the lab workbook.

Your password is leader724 . There is no username.

Your ISDN phone numbers:

R1: 5553333
R2: 5554444

Your time begins: March 8, 8 AM Eastern Standard Time
Your time ends: March 9, 7 AM Eastern Standard Time

Read the warnings at the beginning of the ebook carefully. Changing
the configuration register of any router or switch will result in you
losing rack rental privileges. Do not change the configuration of the
access server.

Connection information is found at the beginning of the lab workbook.

Ricardo, thanks for your purchase, and enjoy your rack time! Send
me an email if you have any problems connecting, or any questions
regarding the labs. Thanks again!

Chris Bryant
CCIE #12933

IP Addressing Lab

You've got to know how to assign IP addresses to pass the CCNA
exams, and you're about to get a lot of practice. We're going to
configure physical interfaces, logical interfaces, and loopback
interfaces.

You also need to know how to name a router. We do this with the
hostname command. Change the names of the routers to whatever
you like, but after practicing this command, change the names back to
R1, R2, R3, SW1, and SW2. Those are the names you'll see through
the lab workbook.

R1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#hostname Router1
Router1(config)#hostname R1
R1(config)#^Z
R1#

The ^Z you'll see on the screen is what ctrl-z sends to the console,
and of course, you know from your CCNA reading that ctrl-z brings you
back out to the enable prompt.

Notice that the hostname command took effect immediately, as all
global commands do.

Let's take a look at the networks we'll be configuring.

Network Type                                   Network / Subnet Mask
Ethernet (R2, R3)                              172.23.23.0 /27
ISDN (R1, R2)                                  172.12.21.0 /30
Serial to Frame Relay Cloud (All)              172.12.123.0 /24
Directly Connected Serial Interfaces (R1, R3)  172.12.13.0 /24
Router 1 Loopback Address                      1.1.1.1 /32
Router 2 Loopback Address                      2.2.2.2 /32
Router 3 Loopback Address                      3.3.3.3 /32




Let's start with R1. DO NOT OPEN THE SERIAL 0 INTERFACES.

R1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#interface serial0
R1(config-if)#ip address 172.12.123.1 255.255.255.0
R1(config-if)#interface serial1
R1(config-if)#ip address 172.12.13.1 255.255.255.0
R1(config-if)#no shut
R1(config-if)#
00:18:34: %LINK-3-UPDOWN: Interface Serial1, changed state to down
R1(config-if)#interface loopback0
R1(config-if)#ip address 1.1.1.1 255.255.255.255
R1(config-if)#interface bri0
R1(config-if)#ip address 172.12.21.1 255.255.255.252
R1(config-if)#no shut
R1(config-if)#
00:19:11: %LINK-3-UPDOWN: Interface BRI0:1, changed state to down
00:19:11: %LINK-3-UPDOWN: Interface BRI0:2, changed state to down
00:19:11: %LINK-3-UPDOWN: Interface BRI0, changed state to up
00:19:12: %LINEPROTO-5-UPDOWN: Line protocol on Interface BRI0:1, changed state to down
00:19:12: %LINEPROTO-5-UPDOWN: Line protocol on Interface BRI0:2, changed state to down
R1(config-if)#wr
Building configuration.

Don't worry about the line protocols being down; other labs will take
care of that. All we're doing right now is setting the IP addresses and
opening the interfaces. Get used to saving your work as often as
possible with wr, short for write. Use IOS Help to see the options
and the defaults. (Remember, IOS Help is the question mark symbol.)


Don't forget to open the interfaces! If you're having a connectivity
problem and run a command such as show interface ethernet 0,
and you see the following, it means the interface is manually closed
and needs to be opened with the no shut command.

R2#show interface ethernet0
Ethernet0 is administratively down, line protocol is down

Now configure R2's interfaces. Do not open interface serial0.

R2(config)#interface serial0
R2(config-if)#encap frame
R2(config-if)#no frame inverse-arp
R2(config-if)#interface serial 0.123 multipoint
R2(config-subif)#ip address 172.12.123.2 255.255.255.0
R2(config-subif)#interface bri0
R2(config-if)#ip address 172.12.21.2 255.255.255.252
R2(config-if)#no shut
R2(config-if)#
00:27:23: %LINK-3-UPDOWN: Interface BRI0:1, changed state to down
00:27:23: %LINK-3-UPDOWN: Interface BRI0:2, changed state to down
00:27:23: %LINK-3-UPDOWN: Interface BRI0, changed state to up
R2(config-if)#i
00:27:24: %LINEPROTO-5-UPDOWN: Line protocol on Interface BRI0:1, changed state to down
00:27:24: %LINEPROTO-5-UPDOWN: Line protocol on Interface BRI0:2, changed state to down
R2(config-if)#interface ethernet0
R2(config-if)#ip address 172.23.23.2 255.255.255.224
R2(config-if)#no shut
00:28:45: %LINK-3-UPDOWN: Interface Ethernet0, changed state to up
00:28:46: %LINEPROTO-5-UPDOWN: Line protocol on Interface Ethernet0, changed state to up
R2(config-if)#interface loopback0
R2(config-if)#ip address 2.2.2.2 255.255.255.255
R2(config-if)#^Z
R2#

Note that you configured frame relay on R2. That allows us to create
the multipoint subinterface. Frame Relay will be covered completely in
a later lab, but you cannot create that multipoint interface until you've
enabled frame relay.

Also notice that you don't have to run no shut on a loopback
interface. (It's not wrong if you do, but you don't have to.)

Let's configure R3's interfaces. Do not open interface serial0.

R3#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R3(config)#interface serial 0
R3(config-if)#encap frame
R3(config-if)#no frame inverse-arp
R3(config-if)#interface serial0.31 point-to-point
R3(config-subif)#ip address 172.12.123.3 255.255.255.0
R3(config-subif)#interface serial 1
R3(config-if)#ip address 172.12.13.3 255.255.255.0
R3(config-if)#no shut
00:33:32: %LINK-3-UPDOWN: Interface Serial1, changed state to up
00:33:33: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial1, changed state to up
R3(config-if)#interface ethernet0
R3(config-if)#ip address 172.23.23.3 255.255.255.224
R3(config-if)#no shut
00:33:46: %LINK-3-UPDOWN: Interface Ethernet0, changed state to up
00:33:47: %LINEPROTO-5-UPDOWN: Line protocol on Interface Ethernet0, changed state to up
R3(config-if)#interface loopback0
00:33:54: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial1, changed state to down
R3(config-if)#ip address 3.3.3.3 255.255.255.0

Again, note that you configured frame relay on the serial0 physical
interface, then created a point-to-point subinterface. The Serial0
physical interface then had to be opened.
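
A check of the three transcripts against the addressing table, as an added example that is not part of the workbook: it parses the interface and ip address commands and reports any address whose mask differs from the plan, that is duplicated, or that is a subnet's network or broadcast address. The function names and the trimmed transcript are constructed for this illustration.

```python
import ipaddress
import re

# Planned networks, copied from the addressing table in this lab.
PLAN = [ipaddress.ip_network(n) for n in (
    "172.23.23.0/27",    # Ethernet (R2, R3)
    "172.12.21.0/30",    # ISDN (R1, R2)
    "172.12.123.0/24",   # Serial to frame relay cloud (all)
    "172.12.13.0/24",    # Directly connected serial (R1, R3)
    "1.1.1.1/32", "2.2.2.2/32", "3.3.3.3/32",   # loopbacks
)]

# Constructed sample: the interface / ip address commands from the R1, R2 and
# R3 transcripts above, with the console log messages left out.
TRANSCRIPT = """\
R1(config)#interface serial0
R1(config-if)#ip address 172.12.123.1 255.255.255.0
R1(config-if)#interface serial1
R1(config-if)#ip address 172.12.13.1 255.255.255.0
R1(config-if)#interface loopback0
R1(config-if)#ip address 1.1.1.1 255.255.255.255
R1(config-if)#interface bri0
R1(config-if)#ip address 172.12.21.1 255.255.255.252
R2(config-if)#interface serial 0.123 multipoint
R2(config-subif)#ip address 172.12.123.2 255.255.255.0
R2(config-subif)#interface bri0
R2(config-if)#ip address 172.12.21.2 255.255.255.252
R2(config-if)#interface ethernet0
R2(config-if)#ip address 172.23.23.2 255.255.255.224
R2(config-if)#interface loopback0
R2(config-if)#ip address 2.2.2.2 255.255.255.255
R3(config-if)#interface serial0.31 point-to-point
R3(config-subif)#ip address 172.12.123.3 255.255.255.0
R3(config-subif)#interface serial 1
R3(config-if)#ip address 172.12.13.3 255.255.255.0
R3(config-if)#interface ethernet0
R3(config-if)#ip address 172.23.23.3 255.255.255.224
R3(config-if)#interface loopback0
R3(config-if)#ip address 3.3.3.3 255.255.255.0
"""

PROMPT = re.compile(r"^(\w+)\(config[^)]*\)#\s*(.+)$")
IFACE = re.compile(r"^interface\s+([a-z]+)\s*([\d./]+)", re.I)
ADDR = re.compile(r"^ip address\s+(\S+)\s+(\S+)$", re.I)


def parse(transcript):
    """Yield (router, interface, IPv4Interface) for each ip address command."""
    current = {}  # router name -> interface currently being configured
    for line in transcript.splitlines():
        prompt = PROMPT.match(line.strip())
        if not prompt:
            continue  # console log message, blank line, or exec-mode prompt
        router, cmd = prompt.group(1), prompt.group(2).strip()
        iface = IFACE.match(cmd)
        if iface:
            # "serial 0.123 multipoint" and "serial0.123" both become "serial0.123"
            current[router] = iface.group(1).lower() + iface.group(2)
            continue
        addr = ADDR.match(cmd)
        if addr:
            yield (router, current.get(router, "?"),
                   ipaddress.ip_interface(f"{addr.group(1)}/{addr.group(2)}"))


def audit(transcript):
    """Return a list of (where, problem) findings; empty means plan-conformant."""
    findings, seen = [], {}
    for router, iface, addr in parse(transcript):
        where = f"{router} {iface}"
        if addr.ip in seen:
            findings.append((where, f"duplicate of {seen[addr.ip]}"))
        seen.setdefault(addr.ip, where)
        net = addr.network
        if net.prefixlen < 31 and addr.ip in (net.network_address,
                                              net.broadcast_address):
            findings.append((where, "network or broadcast address"))
        if net in PLAN:
            continue  # address and mask both match a planned subnet
        planned = [p for p in PLAN if addr.ip in p]
        if planned:
            findings.append(
                (where, f"mask mismatch: plan {planned[0]}, configured {net}"))
        else:
            findings.append((where, "not in plan"))
    return findings


if __name__ == "__main__":
    for where, problem in audit(TRANSCRIPT):
        print(f"{where}: {problem}")
```

Run on the commands as printed, it reports one finding: R3's loopback0 is entered with mask 255.255.255.0, while the table lists 3.3.3.3 /32.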

I urge you to not just walk through these labs, but to use the show
and debug commands you'll read about in this book, in my Ultimate
CCNA Study Guide PDF, and to use IOS Help often to see the other
options. Take advantage of the fact that you're working with real
Cisco routers and switches, not toys like simulator programs.

You do not need to configure IP addresses on the switches.

There's another command I'd like to introduce you to, since we all
mistype from time to time. Notice what happens when you mistype a
command on a Cisco router:

R3#hudjgmg
Translating "hudjgmg"...domain server (255.255.255.255)

% Unknown command or computer name, or unable to find computer address

By default, a Cisco router or switch is going to attempt to resolve a
mistyped command via DNS. That's what the domain server is that
it's looking for, and of course you know that 255.255.255.255 is a
layer 3 broadcast.

This only takes about 15 seconds to come back with the unknown
command line in a practice lab, but it can take much longer in a
production network. To disable this default behavior, use the global
command no ip domain-lookup on each device in your pod. Notice
that immediately after using this command, the router tries to resolve
the command locally but does not send the broadcast out.

R3#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R3(config)#no ip domain-lookup
R3(config)#^Z
R3#jfujjke
00:50:24: %SYS-5-CONFIG_I: Configured from console by console
R3#jfujjke
Translating "jfujjke"
% Unknown command or computer name, or unable to find computer address

As with all commands you read about and practice with in my books,
do not run a command on a production network unless you are
sure of the result. VERY sure. This is particularly true of
the debugs you'll be using in my labs.

Congratulations! You've now configured plenty of IP addresses. If
you're confronted with that task on one of your CCNA exams, you're
more than ready. Just don't forget to open the interfaces on exam
day!

LAN Switching Lab

With the command vtp domain, place both switches in the vtp
domain CCNA. Enable pruning with the vtp pruning command. You
can also set a password of CISCO for VTP.

SW1#conf t
SW1(config)#vtp domain CCNA
Changing VTP domain name from NULL to CCNA
SW1(config)#vtp password CISCO
Setting device VLAN database password to CISCO
SW1(config)#vtp pruning
Pruning switched on

SW2#conf t
SW2(config)#vtp domain CCNA
Changing VTP domain name from NULL to CCNA
SW2(config)#vtp password CISCO
Setting device VLAN database password to CISCO
SW2(config)#vtp pruning
Pruning switched on

The VTP domain name changes from null, indicating that there was
no VTP domain previously set.

Run show vtp status on both switches to ensure they belong to the
correct VTP domain.

SW1#show vtp status
VTP Version : 2
Configuration Revision : 1
Maximum VLANs supported locally : 1005
Number of existing VLANs : 5
VTP Operating Mode : Server
VTP Domain Name : CCNA
VTP Pruning Mode : Enabled

SW2#show vtp status
VTP Version : 2
Configuration Revision : 1
Maximum VLANs supported locally : 1005
Number of existing VLANs : 5
VTP Operating Mode : Server
VTP Domain Name : CCNA
VTP Pruning Mode : Enabled

By default, both switches are in VTP Server mode. With the vtp mode
client command, put SW2 in vtp client mode. All VLANs created in
this lab will now have to be created on SW1, the VTP Server. Verify
the change with show vtp status.

SW2#conf t
Enter configuration commands, one per line. End with CNTL/Z.
SW2(config)#vtp
01:10:41: %SYS-5-CONFIG_I: Configured from console by console
SW2(config)#vtp mode client
Setting device to VTP CLIENT mode.
SW2(config)#^Z
01:10:47: %SYS-5-CONFIG_I: Configured from console by console
SW2#show vtp status
VTP Version : 2
Configuration Revision : 1
Maximum VLANs supported locally : 64
Number of existing VLANs : 5
VTP Operating Mode : Client
VTP Domain Name : CCNA
VTP Pruning Mode : Enabled
VTP V2 Mode : Disabled
VTP Traps Generation : Disabled
MD5 digest : 0xB2 0xD2 0xE9 0x70 0xF1 0x6B 0xA1 0x04
Configuration last modified by 0.0.0.0 at 3-1-93 01:10:14

Run show cdp neighbors on the switches to see what devices are
directly connected to the switches.

SW1#show cdp neighbor
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone

Device ID Local Intrfce Holdtme Capability Platform Port ID
SW2 Fas 0/12 152 S I WS-C2950-1 Fas 0/12
SW2 Fas 0/11 152 S I WS-C2950-1 Fas 0/11
R2 Fas 0/2 129 R 2520 Eth 0

SW2#show cdp neighbor
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone

Device ID Local Intrfce Holdtme Capability Platform Port ID
SW1 Fas 0/12 150 S I WS-C2950-2 Fas 0/12
SW1 Fas 0/11 150 S I WS-C2950-2 Fas 0/11
R3 Fas 0/3 138 R 2500 Eth 0

You can see in the output of show cdp neighbors that the two
switches are connected at fast 0/11 and fast 0/12. Show interface
trunk shows that the trunk has already been created dynamically,
with no additional configuration.

SW2#show interface trunk

Port Mode Encapsulation Status Native vlan
Fa0/11 desirable 802.1q trunking 1
Fa0/12 desirable 802.1q trunking 1

Port Vlans allowed on trunk
Fa0/11 1-4094
Fa0/12 1-4094

Port Vlans allowed and active in management domain
Fa0/11 1
Fa0/12 1

Port Vlans in spanning tree forwarding state and not pruned
Fa0/11 1
Fa0/12 none


Show vlan brief reinforces the theory that by default, all switch ports
are placed into VLAN 1 (except the trunk ports).

SW2#show vlan brief

VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Fa0/1, Fa0/2, Fa0/3, Fa0/4
Fa0/5, Fa0/6, Fa0/7, Fa0/8
Fa0/9, Fa0/10


R2 and R3's Ethernet addresses have already been configured, the
trunk line is operational, and both ports are in VLAN 1. Ping R2's
Ethernet interface from R3, and then R3's Ethernet interface from R2
to verify IP connectivity.





R2#ping 172.23.23.3

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.23.23.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max =4/4/8 ms

R3#ping 172.23.23.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.23.23.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max =4/4/8 ms

With pings, exclamation points indicate good connectivity, and periods
indicate no connectivity.

Now, create VLAN 23. Try creating this vlan on SW2 first.

SW2#conf t
Enter configuration commands, one per line. End with CNTL/Z.
SW2(config)#vlan 23
VTP VLAN configuration not allowed when device is in CLIENT mode.

As you can see, you cannot create, delete, or modify VLANs on VTP
clients. This VLAN will have to be created on SW1, the VTP server.
After doing so, the VTP client should see VLAN 23 as well.

SW1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
SW1(config)#vlan 23
SW1(config-vlan)#^Z
01:23:34: %SYS-5-CONFIG_I: Configured from console by console
SW1#show vlan brief

VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Fa0/1, Fa0/2, Fa0/3, Fa0/4
Fa0/5, Fa0/6, Fa0/7, Fa0/8
Fa0/9, Fa0/10, Fa0/13, Fa0/14
Fa0/15, Fa0/16, Fa0/17, Fa0/18
Fa0/19, Fa0/20, Fa0/21, Fa0/22
Fa0/23, Fa0/24
23 VLAN0023 active


SW2#show vlan br
01:23:55: %SYS-5-CONFIG_I: Configured from console by console
SW2#show vlan brief

VLAN Name Status Ports
---- -------------------------------- --------- ------------------------------
1 default active Fa0/1, Fa0/2, Fa0/3, Fa0/4
Fa0/5, Fa0/6, Fa0/7, Fa0/8
Fa0/9, Fa0/10
23 VLAN0023 active


On SW1, put port fast 0/2 into VLAN 23. (That's the port connected to
R2.) Verify with show vlan brief.

SW1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
SW1(config)#int fast 0/2
SW1(config-if)#switchport mode access
SW1(config-if)#switchport access vlan 23
SW1(config-if)#^Z

SW1#show vlan brief

VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Fa0/1, Fa0/3, Fa0/4, Fa0/5
Fa0/6, Fa0/7, Fa0/8, Fa0/9
Fa0/10, Fa0/13, Fa0/14, Fa0/15
Fa0/16, Fa0/17, Fa0/18, Fa0/19
Fa0/20, Fa0/21, Fa0/22, Fa0/23, Fa0/24
23 VLAN0023 active Fa0/2













Now that R2 and R3 are in separate VLANs, can they still send pings
back and forth?

R2#ping 172.23.23.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.23.23.3, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

R3#ping 172.23.23.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.23.23.2, timeout is 2 seconds:
.....

No, they can't. The difference is that they're now in separate VLANs,
and devices in different VLANs can't communicate unless routing is
taking place somewhere. Here, no routing is taking place, so the
pings don't go through.

Put R3's switch port into VLAN 23, and try the ping again.

SW2#conf t
Enter configuration commands, one per line. End with CNTL/Z.
SW2(config)#interface fast0/3
SW2(config-if)#switchport mode access
SW2(config-if)#switchport access vlan 23
SW2(config-if)#^Z
01:31:57: %SYS-5-CONFIG_I: Configured from console by console
SW2#show vlan brief

VLAN Name Status Ports
---- -------------------------------- --------- ------------------------------
1 default active Fa0/1, Fa0/2, Fa0/4, Fa0/5
Fa0/6, Fa0/7, Fa0/8, Fa0/9
Fa0/10
23 VLAN0023 active Fa0/3


R3#ping 172.23.23.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.23.23.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max =4/4/8 ms



R2#ping 172.23.23.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.23.23.3, timeout is 2 seconds:
!!!!!

Now that R2 and R3 are in the same VLAN, pings can go through.

On SW1, view the spanning tree information for VLAN 23 with the
show spanning tree vlan 23 command. Do the same on SW2.

SW1#show spanning vlan 23
VLAN0023
Spanning tree enabled protocol ieee
Root ID Priority 32791
Address 000e.d7f5.a040
This bridge is the root
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec

Bridge ID Priority 32791 (priority 32768 sys-id-ext 23)
Address 000e.d7f5.a040
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Aging Time 300

Interface Role Sts Cost Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Fa0/2 Desg FWD 100 128.2 Shr
Fa0/11 Desg FWD 19 128.11 P2p
Fa0/12 Desg FWD 19 128.12 P2p

SW2#show spanning vlan 23

VLAN0023
Spanning tree enabled protocol ieee
Root ID Priority 32791
Address 000e.d7f5.a040
Cost 19
Port 11 (FastEthernet0/11)
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec

Bridge ID Priority 32791 (priority 32768 sys-id-ext 23)
Address 000f.90e2.14c0
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Aging Time 300



Interface Role Sts Cost Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Fa0/3 Desg FWD 100 128.3 Shr
Fa0/11 Root FWD 19 128.11 P2p
Fa0/12 Altn BLK 19 128.12 P2p


Your root bridge may be SW2 at this point. The important point here
is that you know how to identify the root bridge for a vlan.

Recall that the lowest BID will win the root bridge election. Both
bridges have the same priority; since the BID is a concatenation of the
priority and MAC address, the device with the lowest MAC address will
be the root bridge.

Look under the BridgeID on both switches. The highlighted address is
that switch's MAC address. In this example, the first four hex digits of
the MAC address on SW1 are 0009, where the first four hex digits of
SW2's MAC are 000a. MAC addresses are expressed in hex, and since a in
hex represents 10, SW1 will have the lower MAC address and is therefore
elected the root bridge.

The default behavior of the root bridge is that all ports will be in
forwarding mode, which is exactly what is happening on SW1. On
SW2, one port is the root port and is in forwarding mode. The other
port is placed into blocking mode.

The root bridge can be changed with one simple command. This
command will adjust the numeric priority of the switch it's configured
on to a low enough value so its BID will be the lowest for that VLAN,
making it the root bridge. Run the command spanning-tree vlan 23
root primary on your non-root bridge. Then run show spanning
vlan 23 to verify that your non-root bridge has indeed become the
root bridge.










SW2#conf t
Enter configuration commands, one per line. End with CNTL/Z.
SW2(config)#spanning-tree vlan 23 root primary
SW2(config)#^Z
SW2#show spanning vlan 23

VLAN0023
Spanning tree enabled protocol ieee
Root ID Priority 24599
Address 000f.90e2.14c0
This bridge is the root
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec

Bridge ID Priority 24599 (priority 24576 sys-id-ext 23)
Address 000f.90e2.14c0
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Aging Time 15

Interface Role Sts Cost Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------
Fa0/3 Desg FWD 100 128.3 Shr
Fa0/11 Desg FWD 19 128.11 P2p
Fa0/12 Desg FWD 19 128.12 P2p
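
The root bridge election described above, worked through with the Bridge ID values from the two show spanning vlan 23 outputs (an added example, not part of the workbook). The root_primary function is a simplified model of the documented behaviour of the command (priority 24576 if that wins, otherwise 4096 below the lowest priority in use); all function and variable names are hypothetical.

```python
import re

# Constructed from the Bridge ID sections of the SW1 and SW2
# "show spanning vlan 23" outputs captured before root primary was entered.
SHOW_OUTPUT = {
    "SW1": """\
VLAN0023
  Bridge ID  Priority    32791  (priority 32768 sys-id-ext 23)
             Address     000e.d7f5.a040
""",
    "SW2": """\
VLAN0023
  Bridge ID  Priority    32791  (priority 32768 sys-id-ext 23)
             Address     000f.90e2.14c0
""",
}

BRIDGE_ID = re.compile(
    r"Bridge ID\s+Priority\s+(\d+)\s+\(priority (\d+) sys-id-ext (\d+)\)\s+"
    r"Address\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})", re.I)


def parse_bridge_id(text):
    """Return (base_priority, vlan, mac) from one switch's show output."""
    m = BRIDGE_ID.search(text)
    if m is None:
        raise ValueError("no Bridge ID section found")
    total, base, vlan = int(m.group(1)), int(m.group(2)), int(m.group(3))
    if total != base + vlan:
        raise ValueError("displayed priority is not base + sys-id-ext")
    return base, vlan, m.group(4).lower()


def bid(base, vlan, mac):
    """64-bit BID: 16 bits of priority (base + VLAN ID), then the 48-bit MAC."""
    if base % 4096 or not 0 <= base <= 61440:
        raise ValueError("base priority must be a multiple of 4096, 0-61440")
    return ((base + vlan) << 48) | int(mac.replace(".", ""), 16)


def elect_root(bridges):
    """bridges maps name -> (base, vlan, mac); the lowest BID is the root."""
    return min(bridges, key=lambda name: bid(*bridges[name]))


def root_primary(bridges, name):
    """Model 'spanning-tree vlan N root primary' entered on switch `name`.

    Assumption (simplified from the documented behaviour): use 24576 if that
    makes this switch the root, otherwise go 4096 below the lowest priority.
    """
    base, vlan, mac = bridges[name]
    others = [b for n, b in bridges.items() if n != name]
    if bid(24576, vlan, mac) < min(bid(*b) for b in others):
        new_base = 24576
    else:
        new_base = min(b[0] for b in others) - 4096
        if new_base < 0:
            raise ValueError("no lower priority available")
    updated = dict(bridges)
    updated[name] = (new_base, vlan, mac)
    return updated


BRIDGES = {name: parse_bridge_id(text) for name, text in SHOW_OUTPUT.items()}

if __name__ == "__main__":
    print("root before:", elect_root(BRIDGES))
    after = root_primary(BRIDGES, "SW2")
    base, vlan, _ = after["SW2"]
    print("SW2 priority after root primary:", base + vlan)
    print("root after:", elect_root(after))
```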


On SW1, configure PortFast on the port leading to R2 with spanning
portfast, and note the warning the switch displays. Remove PortFast
with no spanning portfast.

SW1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
SW1(config)#int fast 0/2
SW1(config-if)#spanning portfast
%Warning: portfast should only be enabled on ports connected to a single
host. Connecting hubs, concentrators, switches, bridges, etc... to this
interface when portfast is enabled, can cause temporary bridging loops.
Use with CAUTION

%Portfast has been configured on FastEthernet0/2 but will only
have effect when the interface is in a non-trunking mode.
SW1(config-if)#no spanning portfast
SW1(config-if)#^Z
SW1#



Combine the two physical connections between the two switches into
one logical connection by creating an EtherChannel. On each of the
ports physically connected to the other switch, run channel-group 1
mode on.

SW1#conf t
SW1(config)#interface fast 0/11
SW1(config-if)#channel-group 1 mode on
Creating a port-channel interface Port-channel 1
03:37:59: %LINK-3-UPDOWN: Interface Port-channel1, changed state to up
SW1(config)#interface fast 0/12
SW1(config-if)#channel-group 1 mode on

SW2#conf t
SW2(config)#interface fast 0/11
SW2(config-if)#channel-group 1 mode on
Creating a port-channel interface Port-channel 1
03:38:11: %LINK-3-UPDOWN: Interface Port-channel1, changed state to up
SW2(config-if)#interface fast 0/12
SW2(config-if)#channel-group 1 mode on


One benefit of EtherChannels is that the bandwidth of both physical
channels is now being used. (Previously, STP put one of the ports in
blocking mode, so only one physical path was being used.) Another benefit
is that STP considers the EtherChannel to be one single connection; if one of
the two lines went down, the STP algorithm would not run, and there
would be no break in transmission, since STP is only concerned with
the logical port-channel, not the physical interfaces:

SW1#show spanning vlan 23
VLAN0023
Spanning tree enabled protocol ieee
Root ID Priority 24599
Address 000a.8a4b.fb00
Cost 12
Port 65 (Port-channel1)
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Bridge ID Priority 32791 (priority 32768 sys-id-ext 23)
Address 0009.b738.9180
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Aging Time 300
Interface Role Sts Cost Prio.Nbr Type
---------------- ---- --- --------- -------- -----------------------------

Po1 Root FWD 12 128.65 P2p

Frame Relay Lab

A hub-and-spoke Frame Relay network will now be configured, with R1
serving as the hub and R2 and R3 as the spokes. First, configure
Frame Relay on R1's Serial0 interface with encapsulation frame-relay,
and disable dynamic mapping with no frame-relay inverse-arp.
After doing so, run show frame map on R1; no mappings
should appear.

R1#conf t
R1(config)#interface serial0
R1(config-if)#encapsulation frame-relay
R1(config-if)#no frame-relay inverse-arp

R1#show frame map
R1#
If nothing appears after running show frame map, as shown here, no maps exist.

Configure two Permanent Virtual Circuits (PVC) on R1 with two frame
map statements, mapping DLCI 122 to R2 and DLCI 123 to R3.
Ensure that broadcasts will be sent over these virtual circuits with the
broadcast keyword. Run show frame map after doing so.

Configuring frame map statements on the hub router.

R1#conf t
R1(config)#interface serial0
R1(config-if)#frame map ip 172.12.123.2 122 broadcast
R1(config-if)#frame map ip 172.12.123.3 123 broadcast
R1(config-if)#int s0
R1(config-if)#no shut
R1(config-if)#
03:05:51: %LINK-3-UPDOWN: Interface Serial0, changed state to up
03:05:52: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0, changed
state to up
R1#show frame map
Serial0 (up): ip 172.12.123.2 dlci 122(0x7A,0x1CA0), static,
broadcast,
CISCO, status defined, inactive
Serial0 (up): ip 172.12.123.3 dlci 123(0x7B,0x1CB0), static,
broadcast,
CISCO, status defined, inactive

The mappings are inactive because Frame Relay has not yet been configured on the remote
routers R2 and R3.

With show frame map, if you see the PVC is "inactive", there's a
problem on the other end. If you see "deleted", there's a problem on
the local end. (There is a problem with the mapping, or the interface is
still shut.)

R2's serial0.123 interface was configured as multipoint. Configure S0
and S0.123 as follows:

R2#conf t
R2(config)#interface serial0
R2(config-if)#encapsulation frame-relay
R2(config-if)#no frame inverse-arp

R2(config-if)#interface s0.123 multipoint
R2(config-subif)#frame map ip 172.12.123.1 221 broadcast
R2(config-subif)#frame map ip 172.12.123.3 221
R2(config-subif)#int s0
R2(config-if)#no shut
R2(config-if)#
03:06:56: %LINK-3-UPDOWN: Interface Serial0, changed state to up
03:06:57: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0,
changed state to up

A logical Serial interface can be either multipoint or point-to-point. When using a
multipoint interface on a frame relay network, frame map statements are used just as they
are on a physical interface. Enabling frame relay and disabling or enabling Inverse ARP
are still done on the physical interface.

Note that the frame map statement for 172.12.123.3 does not include a broadcast
statement. Routers do not forward broadcasts, so R1 would not forward a broadcast
from R2 to R3. Therefore, there is no reason to send them. (It's not wrong to do so, but
you will be sending unnecessary broadcasts.)

Run show frame map on R2:

R2#show frame map
Serial0.123 (up): ip 172.12.123.1 dlci 221(0xDD,0x34D0), static,
broadcast,
CISCO, status defined, active
Serial0.123 (up): ip 172.12.123.3 dlci 221(0xDD,0x34D0), static,
CISCO, status defined, active





You configured a point-to-point interface on R3 in the previous lab.
The command for frame relay is a little different in this situation:

R3#conf t
R3(config)#interface serial0
R3(config-if)#encapsulation frame-relay
R3(config-if)#no frame-relay inverse-arp
R3(config-if)#interface serial 0.31 point-to-point
R3(config-subif)#frame-relay interface-dlci 321
R3(config-subif)#int s0
R3(config-if)#no shut
03:06:52: %LINK-3-UPDOWN: Interface Serial0, changed state to up
03:06:53: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0,
changed state to up

Point-to-point Serial interfaces on a frame relay network do not use dynamic or static
mappings. A point-to-point interface has only one possible destination: the other end of
the point-to-point connection. With only one possible destination, no mapping is
necessary. Instead, the command frame-relay interface-dlci indicates the single DLCI
that will be used by this interface.

R3#show frame map
Serial0.31 (up): point-to-point dlci, dlci 321(0x141,0x5010), broadcast
status defined, active

From each router, ping the other two routers' Serial interfaces on the
frame relay network. All pings will be successful. Run show frame lmi
and show frame map on each router as well. Notice that the LMI
counters are incrementing, and the frame map commands show all
maps as active. (Only R1 is shown here, but send pings and run your
show commands on all three routers.)

R1#ping 172.12.123.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.12.123.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max =68/68/68 ms

R1#ping 172.12.123.3

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.12.123.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max =68/68/68 ms


R1#show frame lmi

LMI Statistics for interface Serial0 (Frame Relay DTE) LMI TYPE =CISCO
Invalid Unnumbered info 0 Invalid Prot Disc 0
Invalid dummy Call Ref 0 Invalid Msg Type 0
Invalid Status Message 0 Invalid Lock Shift 0
Invalid Information ID 0 Invalid Report IE Len 0
Invalid Report Request 0 Invalid Keep IE Len 0
Num Status Enq. Sent 121 Num Status msgs Rcvd 123
Num Update Status Rcvd 0 Num Status Timeouts 0


On R1, change the frame LMI type to ANSI with the frame-relay lmi-type
command. After about 30 seconds, the line will go down.

R1#conf t
R1(config)#interface serial0
R1(config-if)#frame-relay lmi-type ansi
00:46:40: %SYS-5-CONFIG_I: Configured from console by console
R1#
00:47:12: %FR-5-DLCICHANGE: Interface Serial0 - DLCI 122 state changed to
INACTIVE
00:47:12: %FR-5-DLCICHANGE: Interface Serial0 - DLCI 123 state changed to
INACTIVE
00:47:12: %FR-5-DLCICHANGE: Interface Serial0 - DLCI 122 state changed to
DELETED
00:47:12: %FR-5-DLCICHANGE: Interface Serial0 - DLCI 123 state changed to
DELETED
00:47:13: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0, changed
state to down

The LMI mismatch leads to the line going down and the DLCIs going inactive.

Run show frame lmi on R1. Wait a few seconds, then run it again,
then again. Notice that the timeouts are incrementing. Once it hit 3,
the line protocol came down.









R1#show frame lmi

LMI Statistics for interface Serial0 (Frame Relay DTE) LMI TYPE =ANSI
Invalid Unnumbered info 0 Invalid Prot Disc 0
Invalid dummy Call Ref 0 Invalid Msg Type 0
Invalid Status Message 0 Invalid Lock Shift 0
Invalid Information ID 0 Invalid Report IE Len 0
Invalid Report Request 0 Invalid Keep IE Len 0
Num Status Enq. Sent 256 Num Status msgs Rcvd 240
Num Update Status Rcvd 0 Num Status Timeouts 16

The router is receiving LMI status messages, but when the LMI type was changed, the
Status Timeouts began to accrue. This command gives an indication that there is a
problem with the LMIs. The LMIs are the heartbeat of frame relay; without the right
LMIs, the frame connection dies.

Run debug frame lmi on R1.

R1#debug frame lmi
Frame Relay LMI debugging is on
Displaying all Frame Relay LMI data
00:52:12: Serial0(out): StEnq, myseq 31, yourseen 0, DTE down
00:52:12: datagramstart =0xE0183C, datagramsize =14
00:52:12: FR encap =0x00010308
00:52:12: 00 75 95 01 01 00 03 02 1F 00
00:52:12:
00:52:22: Serial0(out): StEnq, myseq 32, yourseen 0, DTE down
00:52:22: datagramstart =0xE0183C, datagramsize =14
00:52:22: FR encap =0x00010308
00:52:22: 00 75 95 01 01 00 03 02 20 00
00:52:22:
00:52:32: Serial0(out): StEnq, myseq 33, yourseen 0, DTE down
00:52:32: datagramstart =0xE0183C, datagramsize =14
00:52:32: FR encap =0x00010308
00:52:32: 00 75 95 01 01 00 03 02 21 00

The myseq value continues to increase, but the yourseen value remains at 0.
Between debug frame lmi and show frame lmi, it can be seen that LMI messages are
being received from the DCE, but not accepted, which is another indicator of an LMI mismatch.

Leave that debug command on, and change the LMI default back to
Cisco. (You must know all three LMI types before taking the CCNA
exams!)


R1#debug frame lmi
Frame Relay LMI debugging is on
Displaying all Frame Relay LMI data
R1#conf t
R1(config)#interface serial0
R1(config-if)#frame-relay lmi-type cisco

00:56:22: Serial0(out): StEnq, myseq 1, yourseen 0, DTE down
00:56:22: datagramstart =0xE0183C, datagramsize =13
00:56:22: FR encap =0xFCF10309
00:56:22: 00 75 01 01 00 03 02 01 00
00:56:22: Serial0(in): Status, myseq 1
00:56:22: RT IE 1, length 1, type 0
00:56:22: KA IE 3, length 2, yourseq 1 , myseq 1
00:56:22: PVC IE 0x7 , length 0x6 , dlci 122, status 0x2 , bw 0
00:56:22: PVC IE 0x7 , length 0x6 , dlci 123, status 0x2 , bw 0
00:56:32: Serial0(out): StEnq, myseq 2, yourseen 1, DTE down
00:56:32: datagramstart =0xE0183C, datagramsize =13
00:56:32: FR encap =0xFCF10309
00:56:32: 00 75 01 01 01 03 02 02 01
00:56:32: Serial0(in): Status, myseq 2
00:56:32: RT IE 1, length 1, type 0
00:56:32: KA IE 3, length 2, yourseq 2 , myseq 2
00:56:32: PVC IE 0x7 , length 0x6 , dlci 122, status 0x2 , bw 0
00:56:32: PVC IE 0x7 , length 0x6 , dlci 123, status 0x2 , bw 0
00:56:42: Serial0(out): StEnq, myseq 3, yourseen 2, DTE up
00:56:42: datagramstart =0xE0183C, datagramsize =13
00:56:42: FR encap =0xFCF10309
00:56:42: 00 75 01 01 01 03 02 03 02
00:56:42: Serial0(in): Status, myseq 3
00:56:42: RT IE 1, length 1, type 1
00:56:42: KA IE 3, length 2, yourseq 3 , myseq 3
00:56:43: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0, changed
state to up
00:57:22: %FR-5-DLCICHANGE: Interface Serial0 - DLCI 122 state changed to
ACTIVE
00:57:22: %FR-5-DLCICHANGE: Interface Serial0 - DLCI 123 state changed to
ACTIVE

The incoming myseq packets are now being accepted, and the outgoing messages see
the yourseen value begin to accrue. The DTE end of the connection goes up, the line
protocol goes up soon after that, and finally the previously deleted DLCIs are again
active.
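
The hex lines in the two debug outputs above can be decoded by hand. The following Python sketch is an added example, not part of the original workbook: it parses the Status Enquiry bytes, decodes the DLCI carried in a 2-byte Frame Relay header, and flags the stalled-keepalive pattern seen during the mismatch. The function names are hypothetical; the byte strings and header values are copied from the outputs on this page.

```python
"""Decode the Status Enquiry bytes that `debug frame lmi` prints."""

STATUS_ENQUIRY = 0x75   # second byte of every dump on this page
LOCKING_SHIFT = 0x95    # extra byte seen only in the ANSI dumps
REPORT_TYPE_IE = 0x01   # "RT IE 1" in the debug output
KEEPALIVE_IE = 0x03     # "KA IE 3" in the debug output
REPORT_TYPES = {0: "full status", 1: "link integrity only"}

# Outgoing enquiries copied from the two debug captures on this page.
ANSI_DUMPS = ["00 75 95 01 01 00 03 02 1F 00",
              "00 75 95 01 01 00 03 02 20 00",
              "00 75 95 01 01 00 03 02 21 00"]
CISCO_DUMPS = ["00 75 01 01 00 03 02 01 00",
               "00 75 01 01 01 03 02 02 01",
               "00 75 01 01 01 03 02 03 02"]


def dlci_from_header(word):
    """Extract the 10-bit DLCI from a 2-byte Frame Relay header."""
    high, low = word >> 8, word & 0xFF
    return ((high >> 2) << 4) | (low >> 4)


def parse_status_enquiry(hex_dump):
    """Return the locking-shift flag, report type, myseq and yourseen."""
    data = bytes.fromhex(hex_dump)
    if len(data) < 2 or data[0] != 0x00 or data[1] != STATUS_ENQUIRY:
        raise ValueError("not an LMI Status Enquiry")
    pos = 2
    shifted = pos < len(data) and data[pos] == LOCKING_SHIFT
    if shifted:
        pos += 1
    fields = {"locking_shift": shifted}
    # Walk the information elements: one byte id, one byte length, then body.
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated information element header")
        ie_id, ie_len = data[pos], data[pos + 1]
        body = data[pos + 2:pos + 2 + ie_len]
        if len(body) != ie_len:
            raise ValueError("truncated information element body")
        if ie_id == REPORT_TYPE_IE and ie_len == 1:
            fields["report_type"] = REPORT_TYPES.get(body[0], "unknown")
        elif ie_id == KEEPALIVE_IE and ie_len == 2:
            fields["myseq"], fields["yourseen"] = body[0], body[1]
        pos += 2 + ie_len
    if "myseq" not in fields:
        raise ValueError("no keepalive element found")
    return fields


def keepalive_stalled(dumps):
    """True when myseq advances across the enquiries but yourseen never moves."""
    parsed = [parse_status_enquiry(d) for d in dumps]
    mine = [p["myseq"] for p in parsed]
    theirs = {p["yourseen"] for p in parsed}
    return len(parsed) >= 3 and mine == sorted(set(mine)) and len(theirs) == 1


if __name__ == "__main__":
    for label, dumps in (("ANSI", ANSI_DUMPS), ("CISCO", CISCO_DUMPS)):
        for dump in dumps:
            print(label, parse_status_enquiry(dump))
        print(label, "keepalive stalled:", keepalive_stalled(dumps))
    # First two bytes of "FR encap" in each capture, then the show frame map headers.
    for header in (0x0001, 0xFCF1, 0x1CA0, 0x1CB0):
        print(hex(header), "-> DLCI", dlci_from_header(header))
```

The first two bytes of the "FR encap" value decode to DLCI 0 in the ANSI capture and DLCI 1023 in the Cisco capture, and the second value in parentheses next to each DLCI in show frame map decodes back to that DLCI.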



Use IOS Help to see what the LMI options are.

R1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#int serial 0
R1(config-if)#frame lmi-type ?
cisco
ansi
q933a

Run show frame pvc on R1. Note the status for each DLCI, and the
uptime.

R1#show frame pvc

PVC Statistics for interface Serial0 (Frame Relay DTE)

Active Inactive Deleted Static
Local 2 0 0 0
Switched 0 0 0 0
Unused 0 0 0 0

DLCI =122, DLCI USAGE =LOCAL, PVC STATUS =ACTIVE, INTERFACE =
Serial0

input pkts 5 output pkts 5 in bytes 520
out bytes 520 dropped pkts 0 in pkts dropped 0
out pkts dropped 0 out bytes dropped 0
in FECN pkts 0 in BECN pkts 0 out FECN pkts 0
out BECN pkts 0 in DE pkts 0 out DE pkts 0
out bcast pkts 0 out bcast bytes 0
pvc create time 00:49:19, last time pvc status changed 00:01:15

DLCI =123, DLCI USAGE =LOCAL, PVC STATUS =ACTIVE, INTERFACE =
Serial0

input pkts 17 output pkts 5 in bytes 4024
out bytes 520 dropped pkts 0 in pkts dropped 0
out pkts dropped 0 out bytes dropped 0
in FECN pkts 0 in BECN pkts 0 out FECN pkts 0
out BECN pkts 0 in DE pkts 0 out DE pkts 0
out bcast pkts 0 out bcast bytes 0
pvc create time 00:49:12, last time pvc status changed 00:01:17

Before you take your CCNA exams, be very familiar with what each of
these commands shows you, and what the letters FECN, BECN, and DE
mean:

FECN: Congestion was experienced in the direction in which this
packet was traveling.

BECN: Congestion was experienced in the opposite direction in which
this packet was traveling.

DE: Packet was marked discard eligible.


ISDN / Point-To-Point Lab

R1 and R3 are directly connected via their S1 interfaces by a DTE/DCE
cable. Before taking your CCNA exams, you MUST know what
command will tell you whether the DTE or DCE end of the cable is
connected to a router. Here's how you do it:

show controller displays the DTE and DCE ends of the connection. The output of
these commands has been truncated for clarity.

R1#show controller serial 1
HD unit 1, idb =0x107114, driver structure at 0x10C590
buffer size 1524 HD unit 1, V.35 DTE cable

R3#show controller serial 1
HD unit 1, idb =0xC7D1C, driver structure at 0xCCAA0
buffer size 1524 HD unit 1, V.35 DCE cable

Ping R1's serial interface from R3.

R3#ping 172.12.13.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.12.13.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

The escape sequence for pings is CTRL-SHIFT-6 performed twice in succession.

The ping fails. Run show interface serial1 to see why.

R3#show interface serial1
Serial1 is up, line protocol is down
Hardware is HD64570
Internet address is 172.12.13.3/24

The truncated output of show interface serial1 shows the physical interface is up, but
the line protocol is down.







The line protocol is down because the DCE end of the cable must
supply a clock rate to the DTE end. To resolve this, configure clock
rate 56000 on R3's Serial interface. Once the line protocol is up, run
show interface serial1 again to verify, and ping R1's Serial interface
again. The ping will succeed.

R3#conf t
R3(config)#interface serial1
R3(config-if)#clock rate 56000

%LINEPROTO-5-UPDOWN: Line protocol on Interface Serial1, changed state to up

R3#show interface serial1
Serial1 is up, line protocol is up
Hardware is HD64570
Internet address is 172.12.13.3/24

Once the DCE supplies a clock rate to the DTE, the line comes up.

R3#ping 172.12.13.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.12.13.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max =36/36/36 ms
The ping is successful.

The two BRI interfaces will now be configured with PPP PAP
authentication. You assigned IP addresses to these interfaces in the IP
addressing lab. You will use the phone numbers sent with your
authentication information. Configure the ISDN switch type with the
global isdn switch-type command, and run show isdn status to
verify. Layer 1 will be ACTIVE and Layer 2 will show a TEI assigned.

Note that while only R1 is shown here, isdn switch-type must
be configured on R1 AND R2; this command is necessary on any
Cisco router running ISDN. If you leave it out, everything else
can be perfect and the connection will not work.








R1#conf t
R1(config)#isdn switch-type basic-ni
R1(config)#^Z
R1#show isdn status
Global ISDN Switchtype =basic-ni
ISDN BRI0 interface
dsl 0, interface ISDN Switchtype =basic-ni
Layer 1 Status:
ACTIVE
Layer 2 Status:
TEI =66, Ces =1, SAPI =0, State =MULTIPLE_FRAME_ESTABLISHED
Layer 3 Status:
0 Active Layer 3 Call(s)

Configure dialer map statements on R1 and R2, each mapping to the
other router's BRI interface. Ping R1's BRI interface from R2. Put the
phone numbers you were sent in email in place of the xxxxxxx you see
below.

NOTE: If you changed the names of R1 and R2, change them
back to those names with the hostname command. The
hostnames R1 and R2 will be used for authentication in this
lab, as you'll soon see.

R1#conf t
R1(config)#interface bri0
R1(config-if)#dialer map ip 172.12.21.2 name R2 broadcast xxxxxxx

R2#conf t
R2(config)#interface bri0
R2(config-if)#dialer map ip 172.12.21.1 name R1 broadcast xxxxxxx

R2#ping 172.12.21.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.12.21.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

The dialer map configuration is correct, but the pings do not go through.

The ping fails because there is no interesting traffic defined that will
bring the line up. Using the dialer-list and dialer-group commands,
allow any IP traffic to bring up the line. Ping R1 from R2. After the
ping goes through, run show dialer to see what packets brought the
line up.

All IP traffic is defined as interesting traffic by the dialer-list command, and that list is
called by the dialer-group command. The ping packets bring the line up.

R1#conf t
R1(config)#dialer-list 1 protocol ip permit
R1(config)#interface bri0
R1(config-if)#dialer-group 1

R2#conf t
R2(config)#dialer-list 1 protocol ip permit
R2(config)#interface bri0
R2(config-if)#dialer-group 1

R2#ping 172.12.21.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.12.21.1, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max =36/37/40 ms
%LINK-3-UPDOWN: Interface BRI0:1, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface BRI0:1, changed state to up
R2#
%ISDN-6-CONNECT: Interface BRI0:1 is now connected to 8358661 R1

It's normal for a ping to be 80 percent successful the first time you
ping a destination. After that, you'll see 100 percent connectivity.

R2#show dialer
BRI0 - dialer type =ISDN

Dial String Successes Failures Last called Last status
8358661 2 0 00:00:04 successful
0 incoming call(s) have been screened.

BRI0:1 - dialer type =ISDN
Idle timer (120 secs), Fast idle timer (20 secs)
Wait for carrier (30 secs), Re-enable (15 secs)
Dialer state is data link layer up
Dial reason: ip (s=172.12.21.2, d=172.12.21.1)
Time until disconnect 117 secs
Connected to 8358661 (R1)

The dial reason in the output of show dialer clearly shows the source (s) and
destination (d) of the packet that caused the line to dial. While it was obvious here why
the line went up, routing protocols send multicasts and broadcasts that can cause such a
line to dial and stay dialed for days, weeks, or even months at a time, which costs a great
deal of money. This command is vital in diagnosing any issue involving an ISDN line
that dials and stays up.

The routers will now authenticate each other with PAP over the ISDN
link. Configure the global command username / password on each
router, naming the remote router as the username and the password
the remote router will be sending as the password. Use
encapsulation ppp and ppp authentication pap to enable each
router to authenticate the other. Have R1 send a password of CCNA
and R2 send a password of CISCO. Use the ppp pap sent-username
command as shown in the following illustration.

Note that you have to manually configure PPP. The default
encapsulation for a Serial or BRI interface is HDLC. You'll also see the
TEI go down and then come back up; that's normal when you change
the encapsulation.

R1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#username R2 password CISCO
R1(config)#int bri0
R1(config-if)#encapsulation ppp
03:45:46: %ISDN-6-LAYER2DOWN: Layer 2 for Interface BR0, TEI 66 changed to
down
03:45:48: %ISDN-6-LAYER2UP: Layer 2 for Interface BR0, TEI 66 changed to up
R1(config-if)#ppp authentication pap
R1(config-if)#ppp pap sent-username R1 password CCNA
R1(config-if)#^Z
R1#

R2#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R2(config)#username R1 password CCNA
R2(config)#int bri0
R2(config-if)#encapsulation ppp
03:47:36: %ISDN-6-LAYER2DOWN: Layer 2 for Interface BR0, TEI 66 changed to
down
03:47:37: %ISDN-6-LAYER2UP: Layer 2 for Interface BR0, TEI 66 changed to up
R2(config-if)#ppp pap sent-username R2 password CISCO
R2(config-if)#^Z
R2#




Run debug ppp negotiation on R2 and ping R1's BRI interface.


R2#debug ppp negotiation
PPP protocol negotiation debugging is on
R2#ping 172.12.21.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.12.21.1, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max =36/37/40 ms
%LINK-3-UPDOWN: Interface BRI0:1, changed state to up
BR0:1 PPP: Phase is AUTHENTICATING, by both
< Both routers are authenticating the other. >
BR0:1 PAP: O AUTH-REQ id 1 len 13 from "R2"
< R2 is sending an authentication request to R1. >
BR0:1 PAP: I AUTH-ACK id 1 len 5
< The I indicates an incoming packet; the remote router is acknowledging the
authentication request. >
BR0:1 PAP: I AUTH-REQ id 1 len 12 from "R1"
< A PAP authentication request has been received from R1. >
BR0:1 PAP: Authenticating peer R1
< R1 is being authenticated. >
BR0:1 PAP: O AUTH-ACK id 1 len 5
< An acknowledgment of the PAP authentication request from R1 is sent. >

Notice that with PAP, there is authentication, but there are no
challenge/responses shown in the debug. That will change when you
configure CHAP.

Before configuring CHAP, do the following:

1. Run no encapsulation ppp under both BRI interfaces.
2. Remove the username/password statements simply by
repeating the earlier commands with the word no in front of the
command, as shown below.

A tip: When you need to remove a command from a Cisco router,
you'll usually do it just by running the command with the word
no in front of it.

Also, anytime you want to look at the running configuration of the
router, run show config. Hit the enter key to go down one line at a
time, and the space bar to go down a full screen. When you see what
you wanted to see, hit ESC to go back to the prompt.

R1#conf t
R1(config)#no username R2 password CISCO
R1(config)#int bri0
R1(config-if)#no encapsulation ppp
R1(config-if)#^Z
R1#
03:56:01: %ISDN-6-LAYER2DOWN: Layer 2 for Interface BR0, TEI 66 changed to
down
03:56:02: %ISDN-6-LAYER2UP: Layer 2 for Interface BR0, TEI 66 changed to up

R2#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R2(config)#no username R1 password CCNA
R2(config)#interface bri0
R2(config-if)#no encapsulation ppp
R2(config-if)#^Z
03:56:58: %ISDN-6-LAYER2DOWN: Layer 2 for Interface BR0, TEI 66 changed to
down
03:56:59: %ISDN-6-LAYER2UP: Layer 2 for Interface BR0, TEI 66 changed to up

Configure the routers for CHAP authentication. The switch-type, dialer
map statements, and dialer-lists have already been configured. On
both R1 and R2, configure a username / password statement with
the password CCNA. Configure both routers for PPP encapsulation and
CHAP authentication with the encapsulation ppp and ppp
authentication chap commands.

R1#conf t
R1(config)#username R2 password CCNA
R1(config)#interface bri0
R1(config-if)#encapsulation ppp
03:58:58: %ISDN-6-LAYER2DOWN: Layer 2 for Interface BR0, TEI 66 changed to do
03:58:59: %ISDN-6-LAYER2UP: Layer 2 for Interface BR0, TEI 66 changed to up
R1(config-if)#ppp authentication chap
R1(config-if)#^Z
R1#

R2#conf t
R2(config)#username R1 password CCNA
R2(config)#interface bri0
R2(config-if)#encapsulation ppp
04:00:00: %ISDN-6-LAYER2DOWN: Layer 2 for Interface BR0, TEI 66 changed to
down
04:00:01: %ISDN-6-LAYER2UP: Layer 2 for Interface BR0, TEI 66 changed to up
R2(config-if)#ppp authentication chap
R2(config-if)#^Z

With CHAP, the passwords must be the same. Note that there is no
sent-password command, as there was with PAP.

Run debug ppp negotiation, and ping R1 from R2.

R2#debug ppp negotiation
PPP protocol negotiation debugging is on
R2#ping 172.12.21.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.12.21.1, timeout is 2 seconds:

04:01:30: %LINK-3-UPDOWN: Interface BRI0:1, changed state to up
04:01:30: BR0:1 PPP: Using dialer call direction
04:01:30: BR0:1 PPP: Treating connection as a callout
04:01:30: BR0:1 PPP: Phase is ESTABLISHING, Active Open [0 sess, 0 load]
04:01:30: BR0:1 LCP: O CONFREQ [Closed] id 1 len 15
04:01:30: BR0:1 LCP: AuthProto CHAP (0x0305C22305)
04:01:30: BR0:1 LCP: MagicNumber 0x1158551A (0x05061158551A)
04:01:30: BR0:1 LCP: I CONFREQ [REQsent] id 1 len 15
04:01:30: BR0:1 LCP: AuthProto CHAP (0x0305C22305)
04:01:30: BR0:1 LCP: MagicNumber 0x1158F056 (0x05061158F056)
04:01:30: BR0:1 LCP: O CONFACK [REQsent] id 1 len 15
04:01:30: BR0:1 LCP: AuthProto CHAP (0x0305C22305)
04:01:30: BR0:1 LCP: MagicNumber 0x1158F056 (0x05061158F056)
04:01:30: BR0:1 LCP: I CONFACK [ACKsent] id 1 len 15
04:01:30: BR0:1 LCP: AuthProto CHAP (0x0305C22305)
04:01:30: BR0:1 LCP: MagicNumber 0x1158551A (0x05061158551A)
04:01:30: BR0:1 LCP: State is Open
04:01:30: BR0:1 PPP: P.!hase is AUTHENTICATING, by both [0 sess, 0 load]
04:01:30: BR0:1 CHAP: O CHALLENGE id 1 len 23 from "R2"
04:01:30: BR0:1 CHAP: I CHALLENGE id 1 len 23 from "R1"
04:01:30: BR0:1 CHAP: O RESPONSE id 1 len 23 from "R2"
04:01:30: BR0:1 CHAP: I SUCCESS id 1 len 4
04:01:30: BR0:1 CHAP: I RESPONSE id 1 len 23 from "R1"
04:01:30: BR0:1 CHAP: O SUCCESS id 1 len 4
04:01:30: BR0:1 PPP: Phase is UP [0 sess, 0 load]
04:01:30: BR0:1 IPCP: O CONFREQ [Closed] id 1 len 10
04:01:30: BR0:1 IPCP: Address 172.12.21.2 (0x0306AC0C1502)
04:01:30: BR0:1 CDPCP: O CONFREQ [Closed] id 1 len 4
04:01:30: BR0:1 IPCP: I CONFREQ [REQsent] id 1 len 10
04:01:30: BR0:1 IPCP: Address 172.12.21.1 (0x0306AC0C1501)
04:01:30: BR0:1 IPCP: O CONFACK [REQsent] id 1 len 10
04:01:30: BR0:1 IPCP: Address 172.12.21.1 (0x0306AC0C1501)
04:01:30: BR0:1 CDPCP: I CONFREQ [REQsent] id 1 len 4
04:01:30: BR0:1 CDPCP: O CONFACK [REQsent] id 1 len 4
04:01:30: BR0:1 IPCP: I CONFACK [ACKsent] id 1 len 10
04:01:30: BR0:1 IPCP: Addr!!!
Success rate is 80 percent (4/5), round-trip min/avg/max =36/49/88 ms
R2#ess 172.12.21.2 (0x0306AC0C1502)
04:01:30: BR0:1 IPCP: State is Open
04:01:30: BR0:1 CDPCP: I CONFACK [ACKsent] id 1 len 4
04:01:30: BR0:1 CDPCP: State is Open
04:01:30: BR0 IPCP: Install route to 172.12.21.1
04:01:31: %LINEPROTO-5-UPDOWN: Line protocol on Interface BRI0:1, changed
state to up
R2#
04:01:36: %ISDN-6-CONNECT: Interface BRI0:1 is now connected to 5551111 R1

As before, run show dialer to see what interesting traffic brought the link up.

R2#show dialer
BRI0 - dialer type =ISDN

Dial String Successes Failures Last called Last statu
8358661 4 0 00:00:12 successfu
0 incoming call(s) have been screened.

BRI0:1 - dialer type =ISDN
Idle timer (120 secs), Fast idle timer (20 secs)
Wait for carrier (30 secs), Re-enable (15 secs)
Dialer state is data link layer up
Dial reason: ip (s=172.12.21.2, d=172.12.21.1)
Time until disconnect 109 secs
Connected to 8358661 (R1)

BRI0:2 - dialer type =ISDN
Idle timer (120 secs), Fast idle timer (20 secs)
Wait for carrier (30 secs), Re-enable (15 secs)
Dialer state is idle

The ping packet from R2 was the cause of the line dialing.


Obviously, there's a lot more going on here. Notice the challenges
and responses being sent by both sides.

I recommend you run CHAP by using mismatched passwords, and run
this same debug so you can see what it looks like when there's a
problem with passwords.
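
What the PAP and CHAP debug lines actually carry on the wire can be rebuilt in a few lines of Python. This is an added example, not part of the original workbook: it builds the PAP Authenticate-Request (RFC 1334 layout) and the CHAP Challenge and Response (RFC 1994 layout, MD5 over identifier, secret and challenge) and checks the packet lengths against the "len" values in the debugs above. The function names are hypothetical, and the 16-byte challenge size is an assumption inferred from "len 23".

```python
import hashlib
import hmac
import os
import struct

PAP_AUTH_REQ = 1
CHAP_CHALLENGE, CHAP_RESPONSE = 1, 2


def _packet(code, ident, body):
    """Common header: code, identifier, total length (header included)."""
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body


def pap_auth_request(ident, peer_id, password):
    """PAP sends the peer name and the password itself, unencrypted."""
    body = bytes([len(peer_id)]) + peer_id + bytes([len(password)]) + password
    return _packet(PAP_AUTH_REQ, ident, body)


def chap_challenge(ident, name, value=None):
    """Return (packet, challenge value). 16 random bytes is an assumption
    that matches the 'len 23' challenges in the debug output."""
    value = os.urandom(16) if value is None else value
    return _packet(CHAP_CHALLENGE, ident, bytes([len(value)]) + value + name), value


def chap_response(ident, name, secret, challenge_value):
    """The response carries MD5(identifier + secret + challenge), never the secret."""
    digest = hashlib.md5(bytes([ident]) + secret + challenge_value).digest()
    return _packet(CHAP_RESPONSE, ident, bytes([len(digest)]) + digest + name)


def chap_verify(response_pkt, secret, challenge_value):
    """Authenticator side: recompute the hash with the locally configured
    username/password secret and compare in constant time."""
    if len(response_pkt) < 5:
        return False
    code, ident, length = struct.unpack("!BBH", response_pkt[:4])
    if code != CHAP_RESPONSE or length != len(response_pkt):
        return False
    size = response_pkt[4]
    received = response_pkt[5:5 + size]
    expected = hashlib.md5(bytes([ident]) + secret + challenge_value).digest()
    return hmac.compare_digest(received, expected)


if __name__ == "__main__":
    # PAP: "O AUTH-REQ id 1 len 13 from R2" and "I AUTH-REQ id 1 len 12 from R1"
    r2_pap = pap_auth_request(1, b"R2", b"CISCO")
    r1_pap = pap_auth_request(1, b"R1", b"CCNA")
    print("PAP from R2:", len(r2_pap), "bytes, password visible:", b"CISCO" in r2_pap)
    print("PAP from R1:", len(r1_pap), "bytes, password visible:", b"CCNA" in r1_pap)

    # CHAP: R2 challenges, R1 answers using the shared password CCNA.
    challenge_pkt, value = chap_challenge(1, b"R2")
    good = chap_response(1, b"R1", b"CCNA", value)
    bad = chap_response(1, b"R1", b"CISCO", value)   # mismatched password
    print("CHAP challenge:", len(challenge_pkt), "bytes; response:", len(good), "bytes")
    print("matching password accepted:", chap_verify(good, b"CCNA", value))
    print("mismatched password accepted:", chap_verify(bad, b"CCNA", value))
```

The PAP request contains the password bytes as typed, so anyone able to capture the link sees it; the CHAP response contains only the hash, and a mismatched password fails the comparison on the authenticator.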

Turn your debugs off with undebug all.

Using ppp multilink and dialer load-threshold, configure the ISDN
interface on R1 to bring up the second B-channel when the first
B-channel reaches 50% of its outbound capacity. You can also change
the dialer idle-timeout default of 120 seconds as shown below.
(Remember that only interesting traffic resets the idle-timeout.)

R1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#interface bri0
R1(config-if)#dialer idle-timeout 30 (This value is in seconds, not minutes!)
R1(config-if)#ppp multilink
R1(config-if)#dialer load-thresh 127 ?
either Threshold decision based on max of inbound and outbound traffic
inbound Threshold decision based on inbound traffic only
outbound Threshold decision based on outbound traffic only
<cr>
R1(config-if)#dialer load-thresh 127 outbound

It's very important that you realize that the value you enter with
dialer load-threshold is a ratio of 255, not 100. If you wanted to
have the second B-channel come up when the first one reaches 75%
capacity, you'd need to enter the number that is 75% of 255, NOT
100.

Also, you must configure ppp multilink to have the second link come
up at the specified capacity level.

The following dialer profile lab is a bonus. It's doubtful you'll be
asked anything about dialer profiles on the CCNA exams, but the
chance is there. Make sure you're proficient with PAP, CHAP, and the
different ISDN show and debug commands covered earlier before
spending time configuring dialer profiles.

On the BRI interface, remove the following: the PPP encapsulation
type, the dialer-map statement, the dialer-group statement, the
dialer-load statement, the IP address, and any commands referencing
PAP or CHAP authentication.

The ISDN switch-type command and username / password
command should remain.




R1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#interface bri0
R1(config-if)#no encapsulation ppp
R1(config-if)#no dialer map ip 172.12.21.2 name R2 broadcast 8358662
R1(config-if)#no dialer-group 1
R1(config-if)#no dialer load-threshold 127 outbound
R1(config-if)#no ip address

Make sure the TEI comes back up after going down. If it does not, shut and reopen the
BRI interface.

After removing these statements, the running config should show this for the BRI
interface:

interface BRI0
no ip address
isdn switch-type basic-ni

Configure a dialer profile with the command interface dialer 1 on R1.
The IP address that was on the BRI interface will be placed on this
logical interface. Use dialer remote-name to indicate the name of
the remote router to be dialed, and dialer string to configure the
number to be dialed.

R1#conf t
R1(config)#interface dialer 1
R1(config-if)#ip address 172.12.21.1 255.255.255.252
R1(config-if)#dialer remote-name R2
R1(config-if)#dialer string xxxxxxx

R1#conf t
R1(config)#interface dialer1
R1(config-if)#dialer-group 1

The physical BRI interface and logical Dialer interface must now be
linked. Configure Dialer1 with the dialer pool 1 command, then
make the BRI interface a member of that pool with the
dialer pool-member 1 command.

R1#conf t
R1(config)#interface dialer1
R1(config-if)#dialer pool 1


R1#conf t
R1(config)#interface bri0
R1(config-if)#dialer pool-member 1
R2 is still using PPP encapsulation and CHAP authentication; R1 must
also. On both the physical and logical interfaces, configure
encapsulation ppp and ppp authentication chap.

R1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#interface bri0
R1(config-if)#encapsulation ppp
R1(config-if)#ppp authentication chap

R1(config)#interface dialer1
R1(config-if)#encapsulation ppp
R1(config-if)#ppp authentication chap

When the encapsulation type is changed on the physical interface, the TEI goes up and
down. If the TEI doesn't come back up, open and shut the physical interface. No such
up / down behavior will occur when the encapsulation type is configured on the
logical interface.

Run debug ppp negotiation and ping R2's BRI interface.

R1#debug ppp negotiation
PPP protocol negotiation debugging is on
R1#ping 172.12.21.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.12.21.2, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max =36/36/36 ms

22:12:07: %LINK-3-UPDOWN: Interface BRI0:1, changed state to up
22:12:07: %DIALER-6-BIND: Interface BRI0:1 bound to profile Dialer1
22:12:07: %ISDN-6-CONNECT: Interface BRI0:1 is now connected to 8358662
22:12:07: BR0:1 PPP: Phase is AUTHENTICATING, by both
22:12:07: BR0:1 CHAP: O CHALLENGE id 3 len 23 from "R1"
22:12:07: BR0:1 CHAP: I CHALLENGE id 3 len 23 from "R2"
22:12:07: BR0:1 CHAP: O RESPONSE id 3 len 23 from "R1"
22:12:07: BR0:1 CHAP: I SUCCESS id 3 len 4
22:12:07: BR0:1 CHAP: I RESPONSE id 3 len 23 from "R2"
22:12:07: BR0:1 CHAP: O SUCCESS id 3 len 4
22:12:07: BR0:1 PPP: Phase is UP


<The expected series of challenges, responses, and successes occurs.>

R1#show dialer
BRI0:1 - dialer type =ISDN
Idle timer (120 secs), Fast idle timer (20 secs)
Wait for carrier (30 secs), Re-enable (15 secs)
Dialer state is data link layer up
Dial reason: ip (s=172.12.21.1, d=172.12.21.2)
Interface bound to profile Dialer1
Time until disconnect 112 secs
Current call connected 00:00:10
Connected to 8358662 (R2)

Dialer1 - dialer type = DIALER PROFILE
Idle timer (120 secs), Fast idle timer (20 secs)
Wait for carrier (30 secs), Re-enable (15 secs)
Dialer state is data link layer up

The BRI physical interface is bound to Dialer1, the logical interface, and the status of the
Dialer Profile is up as well.


NOTE: If you keep the dialer profile on this router
during the protocol labs, make sure to substitute
dialer0 or dialer1, whichever you named this
interface, for bri0 in the passive-interface command in
the following labs.

Passwords and Services Lab

REMINDER: Please use only the words "cisco" and "ccna" for
passwords, without the quotation marks. Thank you!

Configuring Router Passwords

The first two passwords to configure are the enable secret and
enable password. If the names sound alike, that's because they
have the same function. The user will be prompted to enter this
password when entering privileged exec mode. The enable password
is for older routers, also referred to as legacy routers. The enable
secret password will be used by the majority of the users.

If both passwords are in effect, the enable secret password
takes precedence.

R3#conf t
R3(config)#enable password cisco
R3(config)#^Z
R3#logout

The enable password has been set. Users will be prompted for this password when
attempting to enter privileged exec mode. To test this, log out with the logout command
as shown, and use the password cisco to get back in.

R3 con0 is now available
Press RETURN to get started.

R3>en
Password:
R3#

The user was prompted for the enable password before being allowed into privileged
exec mode. The password does not appear as it is being keyed in.

Now set an enable secret password of ccna. Log out, and try the
enable password cisco. You won't be allowed access, since the enable
secret of ccna is taking precedence. The enable secret password
always has precedence over the enable password.




R3#conf t
R3(config)#enable secret ccna
R3(config)#^Z
R3#logout

The enable secret password has been set. Users will be prompted for this password when
attempting to enter privileged exec mode.

R3 con0 is now available
Press RETURN to get started.

R3>en
Password:
R3#

The user was prompted for the enable secret password before being allowed into
privileged exec mode. The password does not appear as it is being keyed in. The
previously set enable password of cisco no longer works.

A password can also be set for the console. Enter line configuration
mode with the command line console 0, enter login to have the user
prompted for a password when logging on to the console, and use the
password command to set the password.

R3#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R3(config)#line console 0
R3(config-line)#login
R3(config-line)#password cisco
R3(config-line)#^Z
R3#logout

R3 con0 is now available
Press RETURN to get started.

User Access Verification

Password: <cisco was entered here >
R3>enable
Password: <ccna was entered here. >
R3#

The user is now prompted for the console password before user exec mode can be
accessed. After entering that password, the user is prompted for the enable secret
password to enter privileged exec mode.

Now you've set an enable password, an enable secret password, and a
console password. The final password you need to set is the
password that will be used to authenticate telnet users. (By default,
a Cisco router can support five simultaneous telnet sessions. This
configuration will apply the same password to all five sessions.)

R3#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R3(config)#line vty 0 4
R3(config-line)#login
% Login disabled on line 2, until 'password' is set
% Login disabled on line 3, until 'password' is set
% Login disabled on line 4, until 'password' is set
% Login disabled on line 5, until 'password' is set
% Login disabled on line 6, until 'password' is set
R3(config-line)#password cisco

It really doesn't matter what order you enter the login command and
the password; as you can see, if you enable login first, you're
reminded that no one can log in until a password is set. By default, a
Cisco router will not allow anyone to connect to it via Telnet
unless a password has been configured on the vty lines.

Encrypting All Router Passwords In The Running Configuration

After configuring a console password and a telnet password, the
passwords appear in the running configuration in clear-text.

R3#show config
<output truncated for clarity >
!
line con 0
password cisco
login
line aux 0
line vty 0 4
password cisco
login







By default, only the enable secret password will be encrypted in the
running configuration. To encrypt all passwords in the running config,
use the global command service password-encryption.

R3#conf t
R3(config)#service password-encryption

R3#show config
service password-encryption
!
line con 0
password 7 10692C2D3C3827392F27040A
login
line aux 0
line vty 0 4
password 7 14343B382F2B
login
!
end

The number you see is the level of encryption, which can range from 0
to 7. The command service password-encryption gives the
strongest possible encryption level on the router.
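
Added example (not part of the workbook): a Python check that reads a saved configuration and reports how each password from this lab is stored and whether each line will prompt for it. It treats type 7 strings as a reversible encoding rather than a hash. The sample configurations are constructed from the output above, the enable secret digest is a placeholder, and the finding names are this example's own.

```python
import re

# Constructed samples modelled on the workbook's "show config" output. The enable
# secret digest is a placeholder, not a real hash.
BEFORE = """\
enable secret 5 $1$PLACEHOLDER$notarealdigest
enable password cisco
!
line con 0
 password cisco
 login
line aux 0
line vty 0 4
 password cisco
 login
!
end
"""

AFTER = """\
service password-encryption
enable secret 5 $1$PLACEHOLDER$notarealdigest
!
line con 0
 password 7 10692C2D3C3827392F27040A
 login
line aux 0
line vty 0 4
 password 7 14343B382F2B
 login
!
end
"""

# Matches "password cisco", "password 7 <string>" and the "enable password" forms.
PASSWORD_RE = re.compile(r"^(enable )?password (?:(\d+) )?(\S+)$")


def audit(config):
    """Return a sorted list of (where, finding) pairs for one IOS configuration."""
    lines = [line.rstrip() for line in config.splitlines()]
    has_secret = any(line.startswith("enable secret ") for line in lines)
    findings = set()
    if "service password-encryption" not in lines:
        findings.add(("global", "password-encryption-off"))
    blocks = {}          # "line con 0" -> {"password": bool, "login": bool}
    context = "global"
    for raw in lines:
        text = raw.strip()
        if raw.startswith("line "):
            context = text
            blocks[context] = {"password": False, "login": False}
            continue
        if not raw.startswith(" "):
            context = "global"          # any other unindented line ends the block
        match = PASSWORD_RE.match(text)
        if match:
            where = "enable password" if match.group(1) else context
            if match.group(1):
                # enable secret takes precedence, so this password is never asked for
                findings.add((where, "shadowed-by-enable-secret" if has_secret
                              else "no-enable-secret"))
            elif context in blocks:
                blocks[context]["password"] = True
            kind = match.group(2)
            if kind in (None, "0"):
                findings.add((where, "cleartext"))
            elif kind == "7":
                findings.add((where, "type7-reversible"))   # encoding, not a hash
        elif text == "login" and context in blocks:
            blocks[context]["login"] = True
    for name, state in blocks.items():
        if state["login"] and not state["password"]:
            findings.add((name, "login-without-password"))    # logins are refused
        if name.startswith("line con") and state["password"] and not state["login"]:
            findings.add((name, "password-never-prompted"))
    return sorted(findings)


if __name__ == "__main__":
    for label, config in (("before", BEFORE), ("after", AFTER)):
        print(label)
        for where, finding in audit(config):
            print(f"  {where}: {finding}")
```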

Cisco Discovery Protocol

Cisco Discovery Protocol (CDP) runs by default between all directly
connected Cisco devices.

Show cdp neighbor displays all directly connected Cisco routers and
switches. CDP is Cisco-proprietary, so it will not display non-Cisco
devices.

CDP can be disabled at both the global and interface level. To disable
CDP at the interface level, run no cdp enable on the interface, and
cdp enable to turn it back on.

By default, the cdp timer defines how often CDP packets are
transmitted, and cdp holdtime defines how long a device will hold a
received packet.

To turn CDP off for the entire router, run no cdp run. To view the
current global status of CDP, run show cdp.

Run each of these commands on all five of your devices. Practice
turning CDP off and on at the global level and the interface level until
you're very confident that you know which command is which.

R2#show cdp
Global CDP information:
Sending CDP packets every 45 seconds
Sending a holdtime value of 100 seconds

The CDP values have been successfully changed. show cdp interface will give the
timer information for each interface on the router.

R2#conf t
R2(config)#interface bri0
R2(config-if)#no cdp enable

CDP is disabled on the BRI interface. This does NOT have to be done to keep the line
from dialing, as will be shown.

R2#conf t
R2(config)#no cdp run

CDP is disabled globally.

R2#show cdp
% CDP is not enabled

CDP has been successfully disabled.


Knowing which password does what is vital to passing the CCNA
exams. Know how to configure and spot a correctly configured console
password, enable password, and telnet password. And you REALLY
need to know CDP inside and out! There's not much there, but you
gotta know it!

Static Routing Lab

Create a static route on R3 and one on R1 that will allow R3 to
successfully ping R2's loopback interface, 2.2.2.2. The route should
only consider traffic destined for 2.2.2.2. Use show ip route to
display the static routes.

R3#conf t
R3(config)#ip route 2.2.2.2 255.255.255.255 172.12.123.1
R3#show ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, * - candidate default
U - per-user static route, o - ODR

Gateway of last resort is not set

2.0.0.0/32 is subnetted, 1 subnets
S 2.2.2.2 [1/0] via 172.12.123.1
3.0.0.0/27 is subnetted, 1 subnets
C 3.3.3.0 is directly connected, Loopback0
172.12.0.0/24 is subnetted, 2 subnets
C 172.12.13.0 is directly connected, Serial1
C 172.12.123.0 is directly connected, Serial0.31
172.23.0.0/27 is subnetted, 1 subnets
C 172.23.23.0 is directly connected, Ethernet0

R1#conf t
R1(config)#ip route 2.2.2.2 255.255.255.255 172.12.123.2

R1#show ip route
<codes deleted for clarity >

Gateway of last resort is not set

1.0.0.0/27 is subnetted, 1 subnets
C 1.1.1.0 is directly connected, Loopback0
2.0.0.0/32 is subnetted, 1 subnets
S 2.2.2.2 [1/0] via 172.12.123.2
172.12.0.0/16 is variably subnetted, 3 subnets, 2 masks
C 172.12.13.0/24 is directly connected, Serial1
C 172.12.21.0/30 is directly connected, BRI0
C 172.12.123.0/24 is directly connected, Serial0

Examining the syntax of the ip route commands used in this lab:

R3(config)#ip route 2.2.2.2 255.255.255.255 172.12.123.1

ip route: The command.
2.2.2.2: The destination address.
255.255.255.255: The wildcard mask. This particular mask means that only traffic
destined for 2.2.2.2 will use this static route.
172.12.123.1: The next-hop IP address used to reach the destination.

R1(config)#ip route 2.2.2.2 255.255.255.255 172.12.123.2

ip route: The command.
2.2.2.2: The destination address.
255.255.255.255: The wildcard mask. Again, only traffic destined for 2.2.2.2 will use this
static route.
172.12.123.2: The next-hop IP address used to reach this destination.


On R3, run debug ip packet, then ping 2.2.2.2. The pings will
return successfully, and the packets can be seen leaving and entering
the router. Turn all debugs off with undebug all.


R3#debug ip packet
IP packet debugging is on
R3#ping 2.2.2.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max =132/136/144 m
R3#
IP: s=172.12.123.3 (local), d=2.2.2.2 (Serial0.31), len 100, sending
IP: s=2.2.2.2 (Serial0.31), d=172.12.123.3 (Serial0.31), len 100, rcvd 3
IP: s=172.12.123.3 (local), d=2.2.2.2 (Serial0.31), len 100, sending
IP: s=2.2.2.2 (Serial0.31), d=172.12.123.3 (Serial0.31), len 100, rcvd 3
IP: s=172.12.123.3 (local), d=2.2.2.2 (Serial0.31), len 100, sending
IP: s=2.2.2.2 (Serial0.31), d=172.12.123.3 (Serial0.31), len 100, rcvd 3
IP: s=172.12.123.3 (local), d=2.2.2.2 (Serial0.31), len 100, sending
IP: s=2.2.2.2 (Serial0.31), d=172.12.123.3 (Serial0.31), len 100, rcvd 3
IP: s=172.12.123.3 (local), d=2.2.2.2 (Serial0.31), len 100, sending
IP: s=2.2.2.2 (Serial0.31), d=172.12.123.3 (Serial0.31), len 100, rcvd 3
R3#undebug all
All possible debugging has been turned off

Remove the static routes with the command no ip route. Replace
them with a static route with a destination and wildcard mask of
0.0.0.0. This route will serve as a default route; to verify this, run
show ip route after configuring these default static routes.

Notice that with static routes, you can configure either a next-hop
address or an exit interface on the end of the static route command.
Here, you'll configure both.

R3#conf t
R3(config)#no ip route 2.2.2.2 255.255.255.255 172.12.123.1
R3(config)#ip route 0.0.0.0 0.0.0.0 serial0.31

R1#conf t
R1(config)#no ip route 2.2.2.2 255.255.255.255 172.12.123.2
R1(config)#ip route 0.0.0.0 0.0.0.0 172.12.123.2

A static route configured with a destination and subnet mask of 0.0.0.0 will serve as a
default route.

Examining the routing table of R3 after configuring the default static route.

R3#show ip route


Gateway of last resort is 0.0.0.0 to network 0.0.0.0

3.0.0.0/24 is subnetted, 1 subnets
C 3.3.3.0 is directly connected, Loopback0
172.12.0.0/24 is subnetted, 2 subnets
C 172.12.13.0 is directly connected, Serial1
C 172.12.123.0 is directly connected, Serial0.31
172.23.0.0/24 is subnetted, 1 subnets
C 172.23.23.0 is directly connected, Ethernet0
S* 0.0.0.0/0 is directly connected, Serial0.31

The static route appears on R3 as a candidate default route, and is
then used as the default route. The gateway of last resort is now
set to 0.0.0.0. This is a result of using an exit interface to configure
the static default route, rather than a next-hop IP address.





Examining R1's routing table after configuring the static default route.

R1#show ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, * - candidate default

Gateway of last resort is 172.12.123.2 to network 0.0.0.0

1.0.0.0/27 is subnetted, 1 subnets
C 1.1.1.0 is directly connected, Loopback0
172.12.0.0/16 is variably subnetted, 3 subnets, 2 masks
C 172.12.13.0/24 is directly connected, Serial1
C 172.12.21.0/30 is directly connected, Dialer1
C 172.12.123.0/24 is directly connected, Serial0
S* 0.0.0.0/0 [1/0] via 172.12.123.2

R1 is also using the static route as a default route. The gateway of
last resort is set to 172.12.123.2, the next-hop address set in the
static default route.

For your CCNA exams, it's very important to know how to remove a
command, not just enable one. Here, you saw that a static route is
removed with the no ip route command, followed by the static route
being removed. It's the same as configuring a static route; just put
no in front of the entire command.


RIP Lab: Configuring RIP Version 1; using
show and debug commands.

Remove any existing routing protocol configuration from your network.

Configure RIP version 1 on all three routers. Run RIP over all
interfaces interconnecting the routers, and the loopback interfaces.

R1#conf t
R1(config)#router rip
R1(config-router)#version 1
R1(config-router)#network 172.12.0.0
R1(config-router)#network 1.0.0.0

1d04h: %LINK-3-UPDOWN: Interface BRI0:1, changed state to up
1d04h: %LINEPROTO-5-UPDOWN: Line protocol on Interface BRI0:1, changed state
to up

Almost immediately after you configure R1 with RIP, you'll see the
ISDN line come up. Why? Run show dialer to see what traffic
brought the link up.

R1#show dialer

BRI0 - dialer type =ISDN

Dial String Successes Failures Last DNIS Last status
5552222 2 0 00:00:08 successful
0 incoming call(s) have been screened.
0 incoming call(s) rejected for callback.

BRI0:1 - dialer type =ISDN
Idle timer (120 secs), Fast idle timer (20 secs)
Wait for carrier (30 secs), Re-enable (15 secs)
Dialer state is data link layer up
Dial reason: ip (s=172.12.21.1, d=255.255.255.255)
Time until disconnect 113 secs
Connected to 5552222 (R2)

The destination 255.255.255.255 brought the link up. RIP version 1
updates are broadcasts. Since all IP traffic was defined as interesting
traffic in the ISDN lab, the link comes up.

RIP has no built-in mechanism for allowing for ISDN links, which is
why you don't see RIP run across very many ISDN links in the first
place. Configure passive-interface bri0 under the RIP router process.
Passive-interface bri0 will allow this interface to accept routing
updates, but not to send them.

R1(config)#router rip
R1(config-router)#passive-interface bri0

Verify this with show ip protocols. Become very familiar with all the
information this command displays.

R1#show ip protocols
Routing Protocol is "rip"
Sending updates every 30 seconds, next due in 27 seconds
Invalid after 180 seconds, hold down 180, flushed after 240
Outgoing update filter list for all interfaces is not set
Incoming update filter list for all interfaces is not set
Redistributing: rip
Default version control: send version 1, receive version 1
Interface Send Recv Triggered RIP Key-chain
Loopback0 1 1
Serial0 1 1
Serial1 1 1
Automatic network summarization is in effect
Maximum path: 4
Routing for Networks:
1.0.0.0
172.12.0.0
Passive Interface(s):
BRI0
Routing Information Sources:
Gateway Distance Last Update
Distance: (default is 120)











Configure RIP on R2 and R3, enabling RIP on all interfaces. Make the
BRI interface on R2 passive.

R2#conf t
R2(config)#router rip
R2(config-router)#passive-interface bri0
R2(config-router)#version 1
R2(config-router)#network 2.0.0.0
R2(config-router)#network 172.12.0.0
R2(config-router)#network 172.23.0.0
R2(config-router)#^Z
R2#


R3#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R3(config)#router rip
R3(config-router)#version 1
R3(config-router)#network 3.0.0.0
R3(config-router)#network 172.12.0.0
R3(config-router)#network 172.23.0.0
R3(config-router)#^Z

In these labs, you'll hardcode the routers to run RIP version 1, then
RIP version 2. Keep in mind that the RIP default is to send version 1,
and accept versions 1 and 2.

On each router, run show ip route, then show ip route rip. Here only
the output of these commands on R1 will be shown. Note that show ip
route shows all the known routes, where show ip route rip shows only
the RIP-discovered routes.

R1#show ip route
Gateway of last resort is not set

1.0.0.0/32 is subnetted, 1 subnets
C 1.1.1.1 is directly connected, Loopback0
R 2.0.0.0/8 [120/1] via 172.12.123.2, 00:00:20, Serial0
R 3.0.0.0/8 [120/1] via 172.12.13.3, 00:00:02, Serial1
[120/1] via 172.12.123.3, 00:00:02, Serial0
172.12.0.0/16 is variably subnetted, 3 subnets, 2 masks
C 172.12.13.0/24 is directly connected, Serial1
C 172.12.21.0/30 is directly connected, BRI0
C 172.12.123.0/24 is directly connected, Serial0
R 172.23.0.0/16 [120/1] via 172.12.123.2, 00:00:21, Serial0
[120/1] via 172.12.13.3, 00:00:03, Serial1
[120/1] via 172.12.123.3, 00:00:03, Serial0

R1#show ip route rip
R 2.0.0.0/8 [120/1] via 172.12.123.2, 00:00:12, Serial0
R 3.0.0.0/8 [120/1] via 172.12.13.3, 00:00:23, Serial1
[120/1] via 172.12.123.3, 00:00:23, Serial0
R 172.23.0.0/16 [120/1] via 172.12.123.2, 00:00:12, Serial0
[120/1] via 172.12.13.3, 00:00:23, Serial1
[120/1] via 172.12.123.3, 00:00:23, Serial0

Note that equal-cost load balancing, enabled by default in both
versions of RIP, is in effect. R1 has three paths to the Ethernet
segment; one through the frame relay cloud via R2, one through the
frame relay cloud via R3, and one via the point-to-point Serial link to
R3. All three have the same metric of 1, so RIP puts all three of
these routes into the routing table. (Remember that distance-vector
protocols perform equal-cost load balancing by default, over four paths
by default, and this can be changed to a range from one to six paths
with the maximum-paths command.)

Also notice that since RIP version 1 does not support VLSM, you see
classful masks in the routing table for the loopbacks and for the
Ethernet segment.

Change the maximum number of paths that load-balancing can use on
each router with the maximum-paths command.

R1#conf t
R1(config)#router rip
R1(config-router)#maximum-paths 6

R2#conf t
R2(config)#router rip
R2(config-router)#maximum-paths 6

R3#conf t
R3(config)#router rip
R3(config-router)#maximum-paths 6









View the routing updates by running debug ip rip. Clear the routing
table with clear ip route *, and you'll see the routing process
reinitialize. (Both very important commands, both for your CCNA
exams and for real life.)

R1#debug ip rip
RIP protocol debugging is on
R1#clear ip route *
22:01:04: RIP: sending v1 update to 255.255.255.255 via Serial0 (172.12.123.1)
22:01:04: subnet 172.12.13.0, metric 1
22:01:04: subnet 172.12.123.0, metric 1
22:01:04: network 1.0.0.0, metric 1
22:01:04: network 2.0.0.0, metric 2
22:01:04: network 3.0.0.0, metric 2
22:01:04: network 172.23.0.0, metric 2
22:01:04: RIP: sending v1 update to 255.255.255.255 via Serial1 (172.12.13.1)
22:01:04: subnet 172.12.123.0, metric 1
22:01:04: network 1.0.0.0, metric 1
22:01:04: network 2.0.0.0, metric 2
22:01:06: RIP: sending general request on Loopback0 to 255.255.255.255
22:01:06: RIP: sending general request on Serial0 to 255.255.255.255
22:01:06: RIP: sending general request on Serial1 to 255.255.255.255
22:01:07: RIP: received v1 update from 172.12.123.3 on Serial0

Debug ip rip not only shows you the updates and the broadcasts
being sent and received, but it also helps with troubleshooting.

Are RIP versions 1 and 2 interchangeable? Keep the debug on R1,
change R1's version of RIP to version 2, and clear the routing table.

R1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#router rip
R1(config-router)#version 2
R1(config-router)#^Z
1d04h: %SYS-5-CONFIG_I: Configured from console by console
R1#clear ip route *

<updates will be sent first>
1d04h: RIP: ignored v1 packet from 172.12.13.3 (illegal version)
1d04h: RIP: ignored v1 packet from 172.12.123.3 (illegal version)
R1#undebug all
1d04h: RIP: ignored v1 packet from 172.12.123.2 (illegal version)



R1 is refusing the RIP version 1 updates. The two versions of RIP are
not interchangeable, as you can see by looking at the routing table:

R1#show ip route
Gateway of last resort is not set

1.0.0.0/32 is subnetted, 1 subnets
C 1.1.1.1 is directly connected, Loopback0
172.12.0.0/16 is variably subnetted, 3 subnets, 2 masks
C 172.12.13.0/24 is directly connected, Serial1
C 172.12.21.0/30 is directly connected, BRI0
C 172.12.123.0/24 is directly connected, Serial0

The RIP routes are gone.

Remove the RIP process from all three routers with the no router rip
command.

R1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#no router rip
R1(config)#^Z
R1#wr
Building configuration...

R2#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R2(config)#no router rip
R2(config)#^Z
R2#wr
Building configuration...

R3#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R3(config)#no router rip
R3(config)#^Z
R3#wr
Building configuration...








Lab: Configuring RIP Version 2. Disabling auto-
summarization; using text and MD5 authentication;
Troubleshooting RIP with show and debug
commands.

Configure RIP version 2 on all three routers. Disable RIP's
auto-summarization feature with no auto-summary. Enable RIP on all
interfaces of each router, including the loopbacks. Prevent the dialer
interfaces from sending RIP version 2 multicasts with the
passive-interface command.

R1#conf t
R1(config)#router rip
R1(config-router)#version 2
< The RIP-enabled interfaces will receive and send version 2 only. >
R1(config-router)#no auto-summary
R1(config-router)#network 172.12.0.0
R1(config-router)#network 1.0.0.0
R1(config-router)#passive-interface dialer1

R2#conf t
R2(config)#router rip
R2(config-router)#version 2
R2(config-router)#no auto-summary
R2(config-router)#passive-int bri0
R2(config-router)#network 172.12.0.0
R2(config-router)#network 172.23.0.0
R2(config-router)#network 2.0.0.0

R3#conf t
R3(config)#router rip
R3(config-router)#version 2
R3(config-router)#no auto-summary
R3(config-router)#network 172.12.0.0
R3(config-router)#network 172.23.0.0
R3(config-router)#network 3.0.0.0


To verify VLSM support and equal-cost load-balancing, run show ip
route rip on R1.




R1#show ip route rip
2.0.0.0/27 is subnetted, 1 subnets
R 2.2.2.0 [120/1] via 172.12.123.2, 00:00:15, Serial0
3.0.0.0/27 is subnetted, 1 subnets
R 3.3.3.0 [120/1] via 172.12.13.3, 00:00:14, Serial1
[120/1] via 172.12.123.3, 00:00:14, Serial0
172.23.0.0/27 is subnetted, 1 subnets
R 172.23.23.0 [120/1] via 172.12.123.2, 00:00:15, Serial0
[120/1] via 172.12.13.3, 00:00:14, Serial1
[120/1] via 172.12.123.3, 00:00:15, Serial0


VLSM support is evident from the non-classful subnet masks for
networks 2.0.0.0 and 3.0.0.0. Equal-cost load balancing is taking
place as well, with three routes sharing the load from R1 to network
172.23.23.0.
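
Added example (not from the workbook): a Python model of one RIP update from R2 to R1, showing why version 1 routes arrive with classful masks, why version 2 keeps the /27 subnets, and why a router set to version 2 ignores a version 1 packet. The function names and packet bytes are constructed for this illustration; the layout is the standard 4-byte RIP header followed by 20-byte route entries.

```python
import ipaddress
import struct

RESPONSE = 2      # RIP command code for a routing update
AF_INET = 2       # address family identifier in each 20-byte route entry


def major_net(addr):
    """Classful (class A, B or C) network that contains addr."""
    first_octet = int(ipaddress.ip_address(addr)) >> 24
    plen = 8 if first_octet < 128 else 16 if first_octet < 192 else 24
    return ipaddress.ip_network(f"{addr}/{plen}", strict=False)


def wire_routes(version, known, out_iface):
    """Entries a sender places in an update for the (prefix, metric) pairs it knows."""
    out = ipaddress.ip_interface(out_iface)
    sent = []
    for prefix, metric in known:
        net = ipaddress.ip_network(prefix)
        if version == 2:                    # v2 with no auto-summary: address and mask
            entry = (net.network_address, net.netmask, metric)
        elif major_net(net.network_address) != major_net(out.ip):
            # v1 crossing a major-network boundary: only the classful network is sent
            entry = (major_net(net.network_address).network_address, None, metric)
        elif net.prefixlen == out.network.prefixlen:
            entry = (net.network_address, None, metric)   # same mask as the link
        else:
            continue                        # v1 has no way to describe this subnet
        if entry not in sent:
            sent.append(entry)
    return sent


def encode(version, routes):
    """Build the UDP payload: 4-byte header, then one 20-byte entry per route."""
    packet = struct.pack("!BBH", RESPONSE, version, 0)
    for addr, mask, metric in routes:
        mask_field = int(mask) if mask is not None else 0   # zero in a v1 entry
        packet += struct.pack("!HHIIII", AF_INET, 0, int(addr), mask_field, 0, metric)
    return packet


def decode(packet, accept_versions, rx_iface):
    """Routes a receiver installs, or None when it ignores the packet's version."""
    command, version, _ = struct.unpack("!BBH", packet[:4])
    if command != RESPONSE or version not in accept_versions:
        return None       # the case IOS logs as "ignored v1 packet ... (illegal version)"
    rx = ipaddress.ip_interface(rx_iface)
    learned = []
    for offset in range(4, len(packet), 20):
        _afi, _tag, addr, mask, _next_hop, metric = struct.unpack(
            "!HHIIII", packet[offset:offset + 20])
        addr = ipaddress.ip_address(addr)
        if version == 2:
            plen = bin(mask).count("1")             # the mask travels in the entry
        elif addr in major_net(rx.ip):
            plen = rx.network.prefixlen             # v1: borrow the receiving link's mask
        else:
            plen = major_net(addr).prefixlen        # v1: fall back to the classful mask
        learned.append((str(ipaddress.ip_network(f"{addr}/{plen}", strict=False)), metric))
    return learned


# Constructed from the lab topology: R2's loopback and Ethernet subnets, advertised
# out R2's frame relay interface and received on R1's Serial0.
R2_KNOWN = [("2.2.2.0/27", 1), ("172.23.23.0/27", 1)]
R2_SERIAL0 = "172.12.123.2/24"
R1_SERIAL0 = "172.12.123.1/24"


def exchange(sender_version, receiver_accepts):
    """One update from R2 to R1 under the given version settings."""
    packet = encode(sender_version, wire_routes(sender_version, R2_KNOWN, R2_SERIAL0))
    return decode(packet, receiver_accepts, R1_SERIAL0)


if __name__ == "__main__":
    print("v1 sender, version 1 receiver:", exchange(1, {1}))
    print("v2 sender, version 2 receiver:", exchange(2, {2}))
    print("v1 sender, version 2 receiver:", exchange(1, {2}))
```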

From each router, ping the remote loopback addresses. All pings
should succeed.

You know that RIP version 1 sends updates to 255.255.255.255. What
address does RIP version 2 send updates to? Run debug ip rip, then
run clear ip route * to immediately clear the routing table. (This
command forces the routing protocol to send and request updates
now, rather than waiting for the next regularly scheduled update.)

R1#debug ip rip
RIP protocol debugging is on
R1#clear ip route *
1d04h: RIP: sending request on Loopback0 to 224.0.0.9
1d04h: RIP: sending request on Serial1 to 224.0.0.9
1d04h: RIP: sending request on Serial0 to 224.0.0.9

RIP version 2 multicasts updates to 224.0.0.9.

Turn your debugs off with undebug all. You can also turn off debugs
on an individual basis by running the command for that particular
debug with no in front of the command.

R1#no debug ip rip
RIP protocol debugging is off
R1#undebug all
All possible debugging has been turned off


IGRP Lab

Remove any previous routing protocol configurations before
proceeding.

Configure IGRP on R1, R2, and R3 with the router igrp 1
command. IGRP will run on all interfaces in the 172.12.0.0
network, the 172.23.0.0 network, and all loopback
interfaces. We don't want IGRP updates to bring the ISDN
line up; configure passive-interface bri0 under the IGRP
process.

R1#conf t
R1(config)#router igrp 1
R1(config-router)#network 172.12.0.0
R1(config-router)#network 1.0.0.0
R1(config-router)#passive-interface bri0

The 1 in the router igrp command refers to the Autonomous System (AS). IGRP is a
classful routing protocol, so wildcard masks are not used in the network statements.
Passive-interface prevents the named interface from sending routing updates out for this
protocol, but the interface could still receive them.

R2#conf t
R2(config)#router igrp 1
R2(config-router)#network 172.12.0.0
R2(config-router)#network 2.0.0.0
R2(config-router)#network 172.23.0.0
R2(config-router)#passive-interface bri0

R3#conf t
R3(config)#router igrp 1
R3(config-router)#network 172.12.0.0
R3(config-router)#network 172.23.0.0
R3(config-router)#network 3.0.0.0


Run show ip route on R1. R1 will see three equal-cost paths to the
Ethernet network. IGRP supports load-sharing over up to four
equal-cost paths by default, so all three paths appear in the routing table.
R1 will also see a route to the loopback address on R2 and two
routes to the loopback address on R3. (You can also run show ip
route igrp in order to see only the IGRP routes.)

R1#show ip route igrp
I 2.0.0.0/8 [100/8976] via 172.12.123.2, 00:00:02, Serial0
I 3.0.0.0/8 [100/8976] via 172.12.13.3, 00:00:02, Serial1
[100/8976] via 172.12.123.3, 00:00:01, Serial0
I 172.23.0.0/16 [100/8576] via 172.12.123.2, 00:00:02, Serial0
[100/8576] via 172.12.13.3, 00:00:02, Serial1
[100/8576] via 172.12.123.3, 00:00:01, Serial0

Remember that the numbers in the brackets following the network number in the
routes are the Administrative Distance and the IGRP metric, in that order.

Note that classful masks are in use. IGRP does not support variable-length subnet
masks (VLSM).

From each router, ping the loopback addresses of the other two
routers. From R1, ping both R2's and R3's Ethernet interfaces. All
pings should succeed. If they don't, check your IGRP configuration
and make sure you have all the networks listed.

There are two serial connections between R1 and R3. IGRP is
assuming that both lines are T1 lines, running at 1544 KBPS. If the
direct connection between the routers was actually a 512 KBPS line,
equal-cost load sharing would be occurring because of IGRP's
bandwidth assumption, not because of the actual bandwidth.

If R1's direct connection to R3 is in fact three times slower than going
through the frame relay cloud, you would not want IGRP to perform
equal-cost load balancing, since the actual bandwidth isn't equivalent
to IGRP's assumption of 1544 KBPS. To give IGRP a more accurate
picture of the network's bandwidth, configure bandwidth 512 on R1's
and R3's Serial1 interfaces.

R1#conf t
R1(config)#interface serial1
R1(config-if)#bandwidth 512

R3#conf t
R3(config)#interface serial 1
R3(config-if)#bandwidth 512

IGRP's assumption that all serial lines run at 1544 KBPS is overridden by the bandwidth
512 command. IGRP now believes this line runs at 512 KBPS.



To see the effect of this command, clear your routing table on R1.

R1#clear ip route *
R1#show ip route igrp
I 2.0.0.0/8 [100/8976] via 172.12.123.2, 00:00:17, Serial0/0
I 3.0.0.0/8 [100/8976] via 172.12.123.3, 00:00:24, Serial0/0
I 172.23.0.0/16 [100/8576] via 172.12.123.3, 00:00:24, Serial0/0
[100/8576] via 172.12.123.2, 00:00:17, Serial0/0

The routing table is cleared with clear ip route *. To see only the routes received in
IGRP updates instead of the entire table, run show ip route igrp.

One of the paths to 3.0.0.0 is gone from the table, as is one of the routes to 172.23.0.0.
Both routes now gone from the table went through the 172.12.13.0 network. Now that
IGRP sees that link as slower than the others, equal-cost load-balancing will not occur
over the 172.12.13.0 network, and those two routes are removed from the IGRP routing
table.

It's important to understand that the bandwidth command does not
actually change the bandwidth of the connection; it changes IGRP's
assumption of what the bandwidth is.

At this point, all traffic leaving R1 for R3's loopback is going over the
frame relay connection, and only two of the possible three paths from
R1 to the Ethernet segment are being used. You'll now configure
unequal-cost load-balancing, which means that paths with unequal
costs will proportionally share the load. By proportionally share, I
mean that if one path's metric is four times higher than another, the
lower-cost path will handle four times as much traffic as the higher-
cost path.

You probably know that the variance command will be used here, but
do you know how to get the metric of the higher-cost path in IGRP?
It's debug ip igrp transactions. Run that debug and clear the
routing table. (Don't worry; in EIGRP, this is a lot easier.)





R1#debug ip igrp transactions
IGRP protocol debugging is on
R1#clear ip route *

1d05h: IGRP: broadcasting request on Loopback0
1d05h: IGRP: broadcasting request on Serial0
1d05h: IGRP: broadcasting request on Serial1
1d05h: IGRP: received update from 172.12.13.3 on Serial1
1d05h: subnet 172.12.123.0, metric 23531 (neighbor 8476)
1d05h: network 1.0.0.0, metric 24031 (neighbor 8976)
1d05h: network 2.0.0.0, metric 22131 (neighbor 1600)
1d05h: network 3.0.0.0, metric 22031 (neighbor 501)
1d05h: network 172.23.0.0, metric 21631 (neighbor 1100)
R1#undebug all

Notice that IGRP is broadcasting requests. Like RIP version 1, IGRP
uses the IP address 255.255.255.255 to send and receive updates.

In this update from 172.12.13.3, the metric to reach 3.0.0.0 is 22031;
the metric to reach 172.23.0.0 (the Ethernet segment) is 21631.

The variance command is used to configure unequal-cost load
balancing with both IGRP and EIGRP. The variance value is a
multiplier; multiplied by the metric of the best route, it must be larger
than the metric of any feasible successor.

The concept is much clearer when actual metrics are used. The metric
of the best route for both those routes is 8576. (We see that in the
routing table with show ip route.) What number, multiplied by 8576,
will be greater than 21631?

Three times 8576 is 25728. Configure variance 3 under the IGRP
routing process on R1, clear the routing table, and display the IGRP
routing table.










R1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#router igrp 1
R1(config-router)#variance 3

R1#clear ip route *
R1#show ip route igrp
I 2.0.0.0/8 [100/22131] via 172.12.13.3, 00:00:04, Serial1/0
[100/9076] via 172.12.123.3, 00:00:04, Serial0/0
[100/8976] via 172.12.123.2, 00:00:04, Serial0/0
I 3.0.0.0/8 [100/22031] via 172.12.13.3, 00:00:04, Serial1/0
[100/8976] via 172.12.123.3, 00:00:04, Serial0/0
[100/9076] via 172.12.123.2, 00:00:04, Serial0/0
I 172.23.0.0/16 [100/21631] via 172.12.13.3, 00:00:04, Serial1/0
[100/8576] via 172.12.123.3, 00:00:04, Serial0/0
[100/8576] via 172.12.123.2, 00:00:04, Serial0/0


The variance command has two effects, one intended and one unintended. The routes to
172.23.0.0 and 3.0.0.0 through 172.12.13.3 are back in the routing table and will
participate in unequal-cost load sharing. Note that the metrics themselves do not
change.

There are now three routes to R2's loopback as well. There was only one, but the
variance 3 command means that any feasible route to R2 with a metric lower than 26928
(8976 x 3) is installed, which brings in the other two routes, both with a metric lower
than 26928.
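
The multiplier test described above can be checked against R1's own table. The Python sketch below is an added example, not part of the workbook: it parses the show ip route igrp output printed after variance 3 and reports which paths a given variance would install. The function names are hypothetical, and the traffic split is the idealized inverse-metric proportion the lab describes, not IOS's exact share counters.

```python
import re
from collections import defaultdict

# R1's IGRP table after "variance 3", copied from the lab output above.
ROUTES_AFTER_VARIANCE_3 = """\
I 2.0.0.0/8 [100/22131] via 172.12.13.3, 00:00:04, Serial1/0
[100/9076] via 172.12.123.3, 00:00:04, Serial0/0
[100/8976] via 172.12.123.2, 00:00:04, Serial0/0
I 3.0.0.0/8 [100/22031] via 172.12.13.3, 00:00:04, Serial1/0
[100/8976] via 172.12.123.3, 00:00:04, Serial0/0
[100/9076] via 172.12.123.2, 00:00:04, Serial0/0
I 172.23.0.0/16 [100/21631] via 172.12.13.3, 00:00:04, Serial1/0
[100/8576] via 172.12.123.3, 00:00:04, Serial0/0
[100/8576] via 172.12.123.2, 00:00:04, Serial0/0
"""

# A route line optionally starts with "I <prefix>"; continuation lines for the
# same prefix start directly with "[AD/metric]".
ROUTE_LINE = re.compile(
    r"^(?:I\s+(?P<prefix>\S+)\s+)?\[(?P<ad>\d+)/(?P<metric>\d+)\]\s+"
    r"via\s+(?P<next_hop>[\d.]+),\s+\S+,\s+(?P<interface>\S+)$"
)


def parse_paths(text):
    """Return {prefix: [(metric, next_hop, interface), ...]}."""
    paths = defaultdict(list)
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = ROUTE_LINE.match(line)
        if not m:
            raise ValueError(f"unrecognised route line: {raw!r}")
        if m["prefix"]:
            current = m["prefix"]
        if current is None:
            raise ValueError("continuation line before any prefix")
        paths[current].append((int(m["metric"]), m["next_hop"], m["interface"]))
    return dict(paths)


def min_variance(metric, best):
    """Smallest integer variance that installs a path with this metric.

    Follows the lab's wording: variance x best metric must be larger than the
    path's metric. Equal-cost paths need no variance (the default of 1).
    """
    return 1 if metric == best else metric // best + 1


def installed(paths, variance, max_paths=4):
    """Paths kept per prefix for a variance; 4 is the lab's default path limit.

    Only the multiplier test is modelled. The separate requirement that the
    neighbor be closer to the destination is not checked here.
    """
    result = {}
    for prefix, plist in paths.items():
        best = min(metric for metric, _, _ in plist)
        keep = sorted(p for p in plist if min_variance(p[0], best) <= variance)
        result[prefix] = keep[:max_paths]
    return result


def traffic_share(plist):
    """Idealized split: each path's share is inversely proportional to its metric."""
    weights = {next_hop: 1 / metric for metric, next_hop, _ in plist}
    total = sum(weights.values())
    return {next_hop: w / total for next_hop, w in weights.items()}


if __name__ == "__main__":
    paths = parse_paths(ROUTES_AFTER_VARIANCE_3)
    for variance in (1, 2, 3):
        print(f"variance {variance}")
        for prefix, plist in installed(paths, variance).items():
            shares = traffic_share(plist)
            for metric, next_hop, interface in plist:
                print(f"  {prefix:<14} {metric:>6} via {next_hop:<13} "
                      f"{interface:<10} ~{shares[next_hop]:.0%}")
```

With variance 2 the run already shows the side effect the lab points out: the 9076 path to 2.0.0.0 is installed even though only the Serial1 paths were the target.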

As a bonus, below you'll find a copy of a chart from my
Bryant Advantage Ultimate CCNA Study Guide. You must know the
similarities and differences between RIPv1, RIPv2, and IGRP before
taking the CCNA exams.












RIP version 1 / RIP version 2 / IGRP Comparison:

                               RIP v1                     RIP v2                       IGRP
-----------------------------  -------------------------  ---------------------------  -----------------------------
VLSM Support                   No                         Yes                          No
Administrative Distance        120                        120                          100
Authentication Support         No                         Yes, MD5 and Text            No
Equal-Cost Load Balancing      Yes                        Yes                          Yes
Unequal-Cost Load Balancing    No                         No                           Yes, with variance
Updates Sent To What Address   Broadcast 255.255.255.255  Multicast Address 224.0.0.9  Broadcast 255.255.255.255
Metric                         Hop Count                  Hop Count                    Composite Metric involving
                                                                                       Hop Count, Bandwidth, and
                                                                                       Delay by default. Can also
                                                                                       include Load and Reliability.
Default Paths Used In          4                          4                            4
  Load Balancing

OSPF Lab: Configuring OSPF areas, stub areas, and ISDN
demand circuit.

Remove any existing routing protocol configuration.

This is the OSPF network you will build:



Configure OSPF Area 0 on each router interface connected to the
Frame Relay cloud with the router ospf 1 and network commands.
Run show ip ospf interface on each router to see what OSPF
network type the interfaces are running.

Configuring OSPF on the Frame Relay cloud interfaces on R1, R2, and R3.
R1#conf t
R1(config)#router ospf 1
R1(config-router)#network 172.12.123.0 0.0.0.255 area 0

R2#conf t
R2(config)#router ospf 1
R2(config-router)#network 172.12.123.0 0.0.0.255 area 0

R3#conf t
R3(config)#router ospf 1
R3(config-router)#network 172.12.123.0 0.0.0.255 area 0

R1#show ip ospf interface serial0
Serial0 is up, line protocol is up
Internet Address 172.12.123.1/24, Area 0
Process ID 1, Router ID 1.1.1.1, Network Type NON_BROADCAST, Cost: 64

R2#show ip ospf interface serial0.123
Serial0.123 is up, line protocol is up
Internet Address 172.12.123.2/24, Area 0
Process ID 1, Router ID 2.2.2.2, Network Type NON_BROADCAST, Cost: 64

R3#show ip ospf interface serial0.31
Serial0.31 is up, line protocol is up
Internet Address 172.12.123.3/24, Area 0
Process ID 1, Router ID 3.3.3.3, Network Type POINT_TO_POINT, Cost: 64

R3's point-to-point interface is defaulting to OSPF network type point-
to-point. The timers will be different between R3 and R1, requiring
that the network type be changed before an adjacency can occur.

This is a hub-and-spoke OSPF network, requiring that the hub router, R1, be the
Designated Router. Additionally, since all three interfaces will be OSPF network type
non-broadcast after changing R3, neighbor statements will need to be configured on
the hub router.

Change R3's serial 0.31 interface to OSPF network type non-broadcast
with the ip ospf network interface-level command. Prevent R2 and
R3 from possibly becoming the Designated Router by configuring ip
ospf priority 0 on the interfaces connected to the Frame Relay cloud.

R3#conf t
R3(config)#int s0.31
R3(config-subif)#ip ospf network non-broadcast
R3(config-subif)#ip ospf priority 0

R2#conf t
R2(config)#int s0.123
R2(config-subif)#ip ospf priority 0



Allow R1 to discover its OSPF neighbors over the OSPF nonbroadcast
network with two neighbor commands, naming the remote Frame
Relay cloud neighbors. Run show ip ospf neighbor on R1 to verify
adjacencies. (The adjacency won't take effect immediately; continue
to run this command to see the various stages of adjacency.)

R1#conf t
R1(config)#router ospf 1
R1(config-router)#neighbor 172.12.123.2
R1(config-router)#neighbor 172.12.123.3

R1#show ip ospf neighbor

Neighbor ID Pri State Dead Time Address Interface
3.3.3.3 0 FULL/DROTHER 00:01:57 172.12.123.3 Serial0
2.2.2.2 0 FULL/DROTHER 00:01:57 172.12.123.2 Serial0

Notice the Neighbor ID of each remote address is the loopback
address. How can that be if you didn't configure OSPF on those
loopbacks?

When determining the Router ID (RID) of an OSPF-enabled router,
OSPF will always use the numerically highest IP address on the
router's loopback interfaces, regardless of whether that loopback
is OSPF-enabled.

What if there is no loopback? OSPF will then use the numerically
highest IP address of the physical interfaces, regardless of
whether that interface is OSPF-enabled.

BOTTOM LINE: An interface does not have to be running OSPF
to have its IP address used as the OSPF RID.

The OSPF RID can be changed, but the change requires a reload or a
reset of the OSPF routing process. Use the router-id command to
change the default RID of each router as shown, then clear the OSPF
process so the change takes effect.

R1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#router ospf 1
R1(config-router)#router-id 11.11.11.11
Reload or use " clear ip ospf process" command, for this to take effect
R1#clear ip ospf process
Reset ALL OSPF processes? [no]: yes
1d05h: %OSPF-5-ADJ CHG: Process 1, Nbr 3.3.3.3 on Serial0 from 2WAY to
DOWN, Neighbor Down: Interface down or detached
1d05h: %OSPF-5-ADJ CHG: Process 1, Nbr 2.2.2.2 on Serial0 from 2WAY to
DOWN, Neighbor Down: Interface down or detached

After entering the router-id command, the router console informed
you that you have to reload the router or reset the OSPF processes for
this to take effect. You enter the clear ip ospf process command to
do this; notice that when you're asked if you really want to do this, the
default answer is no? That's because all the OSPF adjacencies on this router
will be lost and will have to begin the process again. That's OK on a
practice rack, not good in a production network. Don't use that one at
work.

Run this command on R2 and R3, and wait for the adjacencies to come
back before continuing with the lab. You can check the adjacency
stage with show ip ospf neighbor.

R2#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R2(config)#router ospf 1
R2(config-router)#router-id 22.22.22.22
Reload or use "clear ip ospf process" command, for this to take effect
R2(config-router)#^Z
1d05h: %SYS-5-CONFIG_I: Configured from console by console
R2#clear ip ospf process
Reset ALL OSPF processes? [no]: yes
R2#
1d05h: %OSPF-5-ADJ CHG: Process 1, Nbr 11.11.11.11 on Serial0.123 from
FULL to DOWN, Neighbor Down: Interface down or detached

1d05h: %OSPF-5-ADJ CHG: Process 1, Nbr 11.11.11.11 on Serial0.123 from
LOADING to FULL, Loading Done

R3#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R3(config)#router ospf 1
R3(config-router)#router-id 33.33.33.33
Reload or use "clear ip ospf process" command, for this to take effect
R3(config-router)#^Z
1d05h: %SYS-5-CONFIG_I: Configured from console by console
R3#clear ip ospf process
Reset ALL OSPF processes? [no]: yes
1d05h: %OSPF-5-ADJ CHG: Process 1, Nbr 11.11.11.11 on Serial0.31 from
FULL to DOWN, Neighbor Down: Interface down or detached




Run show ip ospf neighbor on R1 to see the changes.

R1#show ip ospf neighbor

Neighbor ID Pri State Dead Time Address Interface
33.33.33.33 0 FULL/DROTHER 00:01:58 172.12.123.3 Serial0
22.22.22.22 0 FULL/DROTHER 00:01:54 172.12.123.2 Serial0
3.3.3.3 0 FULL/DROTHER 00:00:33 172.12.123.3 Serial0
N/A 0 ATTEMPT/DROTHER - 172.12.123.2 Serial0

You see the new adjacencies that reflect the changed OSPF RIDs. The
old adjacencies are timing out and will soon disappear from the table.

Add R1's loopback address to Area 1, R2's loopback to Area 2, and
R3's loopback to Area 3. Use a wildcard mask of 0.0.0.0 so that only
the loopback interface will be part of the respective area.

R1#conf t
R1(config)#router ospf 1
R1(config-router)#network 1.1.1.1 0.0.0.0 area 1

R2#conf t
R2(config)#router ospf 1
R2(config-router)#network 2.2.2.2 0.0.0.0 area 2

R3#conf t
R3(config)#router ospf 1
R3(config-router)#network 3.3.3.3 0.0.0.0 area 3

On R1, run show ip route ospf. A route to both R2's and R3's
loopback should be present. Ping both interfaces to verify connectivity.

R1#show ip route ospf
2.0.0.0/32 is subnetted, 1 subnets
O IA 2.2.2.2 [110/65] via 172.12.123.2, 00:00:09, Serial0
3.0.0.0/32 is subnetted, 1 subnets
O IA 3.3.3.3 [110/65] via 172.12.123.3, 00:00:02, Serial0

Notice that the /32 masks are present; OSPF supports VLSM.

Note the O IA on the far left-hand side of the command output. The
O indicates that this is an OSPF route; the IA means it is an
InterArea route, or a route to a destination in another area.

R1#ping 2.2.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max =68/73/96 ms

R1#ping 3.3.3.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 3.3.3.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max =68/69/72 ms


Run show ip route ospf on R2. Routes to the loopbacks of R1 and
R3 should be present. Ping both loopbacks to verify connectivity.

R2#show ip route ospf
1.0.0.0/32 is subnetted, 1 subnets
O IA 1.1.1.1 [110/65] via 172.12.123.1, 00:10:35, Serial0.123
3.0.0.0/32 is subnetted, 1 subnets
O IA 3.3.3.3 [110/65] via 172.12.123.3, 00:10:35, Serial0.123
R2#ping 1.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max =68/68/68 ms
R2#ping 3.3.3.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 3.3.3.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max =128/133/144 ms

Run show ip route ospf on R3. Routes to the loopbacks of R1 and
R2 should be present. Ping both loopbacks to verify connectivity.

R3#show ip route ospf
1.0.0.0/32 is subnetted, 1 subnets
O IA 1.1.1.1 [110/65] via 172.12.123.1, 00:14:52, Serial0.31
2.0.0.0/32 is subnetted, 1 subnets
O IA 2.2.2.2 [110/65] via 172.12.123.2, 00:14:52, Serial0.31
R3#ping 1.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 64/66/68 ms

R3#ping 2.2.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max =128/133/144 ms


Configure the Ethernet segment connecting R2 and R3 as Area 23.
Area 23 will be made a stub area. Use the area stub command on R3,
but not R2. Run show ip ospf neighbor to verify the adjacency.

R2#conf t
R2(config)#router ospf 1
R2(config-router)#network 172.23.23.0 0.0.0.31 area 23

R3#conf t
R3(config)#router ospf 1
R3(config-router)#network 172.23.23.0 0.0.0.31 area 23
R3(config-router)#area 23 stub

R3#show ip ospf neighbor

Neighbor ID Pri State Dead Time Address Interface
1.1.1.1 1 FULL/DR 00:01:32 172.12.123.1 Serial0.31

You can wait a few minutes, and you'll see the same thing. The
adjacency to R2 is not even starting. To diagnose problems with OSPF
adjacencies, run debug ip ospf adjacency.

R3#debug ip ospf adj
OSPF adjacency events debugging is on
OSPF: Hello from 172.23.23.2 with mismatched Stub/Transit area option bit

There's the problem! The Hello packet is coming in from 172.23.23.2,
but the Stub option bit is mismatched. For a stub area to form, all
routers must agree that the area is a stub. The command area
stub must be configured on all routers with an interface in
that area.

On R2, configure area 23 stub in router configuration mode. On R3,
run debug ip ospf adj and show ip ospf neighbor to verify the
adjacency.

R3#debug ip ospf adj
OSPF adjacency events debugging is on
R3#show debug < Bonus! This shows your current debugs. >
IP routing:
OSPF adjacency events debugging is on
<Only some of the debug output is shown here.>
d06h: OSPF: 2 Way Communication to 22.22.22.22 on Ethernet0, state 2WAY
d06h: OSPF: Backup seen Event before WAIT timer on Ethernet0
d06h: OSPF: DR/BDR election on Ethernet0
d06h: OSPF: Elect BDR 33.33.33.33
d06h: OSPF: Elect DR 22.22.22.22
d06h: OSPF: Elect BDR 33.33.33.33
d06h: OSPF: Elect DR 22.22.22.22
d06h: DR: 22.22.22.22 (Id) BDR: 33.33.33.33 (Id)
d06h: OSPF: Send DBD to 22.22.22.22 on Ethernet0 seq 0x21F5 opt 0x40 flag
0x7n 32
d06h: OSPF: Rcv DBD from 22.22.22.22 on Ethernet0 seq 0x1283 opt 0x40 flag
0x7en 32 mtu 1500 state EXSTART
R3PF: Rcv DBD from 22.22.22.22 on Ethernet0 seq 0x21F6 opt 0x40 flag 0x0
len 32 mtu 1500 state EXCHANGE
1d06h: OSPF: Send DBD to 22.22.22.22 on Ethernet0 seq 0x21F7 opt 0x40 flag
0x1 len 32
1d06h: OSPF: Rcv DBD from 22.22.22.22 on Ethernet0 seq 0x21F7 opt 0x40
flag 0x0
len 32 mtu 1500 state EXCHANGE
1d06h: OSPF: Exchange Done with 22.22.22.22 on Ethernet0
1d06h: OSPF: Synchronized with 22.22.22.22 on Ethernet0, state FULL
1d06h: %OSPF-5-ADJ CHG: Process 1, Nbr 22.22.22.22 on Ethernet0 from
LOADING to FULL, Loading Done
1d06h: OSPF: Build router LSA for area 23, router ID 33.33.33.33, seq
0x80000003 #p
R3#
1d06h: OSPF: Neighbor change Event on interface Ethernet0
1d06h: OSPF: DR/BDR election on Ethernet0
1d06h: OSPF: Elect BDR 33.33.33.33
1d06h: OSPF: Elect DR 22.22.22.22
1d06h: DR: 22.22.22.22 (Id) BDR: 33.33.33.33 (Id)

R3#show ip ospf neighbor

Neighbor ID Pri State Dead Time Address Interface
11.11.11.11 1 FULL/DR 00:01:58 172.12.123.1 Serial0.31
22.22.22.22 1 FULL/DR 00:00:35 172.23.23.2 Ethernet0

The adjacency has formed over the Ethernet segment.
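
Both adjacency failures in this lab, the timer mismatch on R3's point-to-point subinterface and the stub flag mismatch in Area 23, come from fields OSPF compares in Hello packets. The Python sketch below is an added example, not part of the workbook, that models those comparisons for the lab's interfaces; the class and function names are hypothetical, and the point-to-point Hello default of 10 seconds is an assumption taken from Cisco IOS defaults, not a value printed in the lab.

```python
import ipaddress
from dataclasses import dataclass, replace
from typing import Optional

# Default Hello intervals by OSPF network type. 30 (NON_BROADCAST) and 10
# (BROADCAST) appear in the lab's "show ip ospf interface" output; 10 for
# POINT_TO_POINT is the Cisco IOS default (assumption, not printed in the lab).
DEFAULT_HELLO = {"NON_BROADCAST": 30, "BROADCAST": 10, "POINT_TO_POINT": 10}


@dataclass(frozen=True)
class OspfInterface:
    router: str
    name: str
    address: str              # interface address as "a.b.c.d/len"
    area: int
    network_type: str
    stub_area: bool = False   # True once "area N stub" is configured
    hello: Optional[int] = None

    def timers(self):
        """(hello, dead); the default dead timer is 4 times the hello timer."""
        hello = self.hello if self.hello is not None else DEFAULT_HELLO[self.network_type]
        return hello, 4 * hello


def adjacency_blockers(a, b):
    """List every Hello-level mismatch that stops a and b becoming neighbors."""
    problems = []
    if a.area != b.area:
        problems.append(f"area mismatch: {a.area} vs {b.area}")
    (hello_a, dead_a), (hello_b, dead_b) = a.timers(), b.timers()
    if hello_a != hello_b:
        problems.append(f"hello interval mismatch: {hello_a}s vs {hello_b}s")
    if dead_a != dead_b:
        problems.append(f"dead interval mismatch: {dead_a}s vs {dead_b}s")
    # The network mask is compared unless the link is point-to-point.
    p2p = "POINT_TO_POINT"
    if not (a.network_type == p2p and b.network_type == p2p):
        mask_a = ipaddress.ip_interface(a.address).netmask
        mask_b = ipaddress.ip_interface(b.address).netmask
        if mask_a != mask_b:
            problems.append(f"network mask mismatch: {mask_a} vs {mask_b}")
    if a.area == b.area and a.stub_area != b.stub_area:
        problems.append(f"stub flag mismatch in area {a.area}: "
                        f"{a.router}={a.stub_area}, {b.router}={b.stub_area}")
    return problems


# Interface states constructed from the lab's show output and configuration.
R1_S0 = OspfInterface("R1", "Serial0", "172.12.123.1/24", 0, "NON_BROADCAST")
R3_S0_31 = OspfInterface("R3", "Serial0.31", "172.12.123.3/24", 0, "POINT_TO_POINT")
R2_E0 = OspfInterface("R2", "Ethernet0", "172.23.23.2/27", 23, "BROADCAST")
R3_E0 = OspfInterface("R3", "Ethernet0", "172.23.23.3/27", 23, "BROADCAST",
                      stub_area=True)

# The two fixes the lab applies.
R3_S0_31_FIXED = replace(R3_S0_31, network_type="NON_BROADCAST")  # ip ospf network non-broadcast
R2_E0_FIXED = replace(R2_E0, stub_area=True)                      # area 23 stub on R2

if __name__ == "__main__":
    checks = [
        ("Frame Relay, before fix", R1_S0, R3_S0_31),
        ("Frame Relay, after fix", R1_S0, R3_S0_31_FIXED),
        ("Area 23, before fix", R2_E0, R3_E0),
        ("Area 23, after fix", R2_E0_FIXED, R3_E0),
    ]
    for label, a, b in checks:
        found = adjacency_blockers(a, b)
        print(f"{label}: {a.router} {a.name} <-> {b.router} {b.name}")
        for line in found or ["no blockers"]:
            print(f"  {line}")
```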

On R3, run show ip ospf interface to compare the characteristics of
the Serial and Ethernet interfaces running OSPF.

R3#show ip ospf interface
Serial0.31 is up, line protocol is up
Internet Address 172.12.123.3/24, Area 0
Process ID 1, Router ID 33.33.33.33, Network Type NON_BROADCAST, Cost:
64
Transmit Delay is 1 sec, State DROTHER, Priority 0
Designated Router (ID) 11.11.11.11, Interface address 172.12.123.1
No backup designated router on this network
Timer intervals configured, Hello 30, Dead 120, Wait 120, Retransmit 5
Hello due in 00:00:03
Index 1/1, flood queue length 0
Next 0x0(0)/0x0(0)
Last flood scan length is 1, maximum is 3
Last flood scan time is 0 msec, maximum is 4 msec
Neighbor Count is 1, Adjacent neighbor count is 1
Adjacent with neighbor 11.11.11.11 (Designated Router)
Suppress hello for 0 neighbor(s)
Loopback0 is up, line protocol is up
Internet Address 3.3.3.3/24, Area 3
Process ID 1, Router ID 33.33.33.33, Network Type LOOPBACK, Cost: 1
Loopback interface is treated as a stub Host
Ethernet0 is up, line protocol is up
Internet Address 172.23.23.3/27, Area 23
Process ID 1, Router ID 33.33.33.33, Network Type BROADCAST, Cost: 10
Transmit Delay is 1 sec, State BDR, Priority 1
Designated Router (ID) 22.22.22.22, Interface address 172.23.23.2
Backup Designated router (ID) 33.33.33.33, Interface address 172.23.23.3
Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
Hello due in 00:00:03
Index 1/3, flood queue length 0
Next 0x0(0)/0x0(0)
Last flood scan length is 1, maximum is 1
Last flood scan time is 0 msec, maximum is 0 msec
Neighbor Count is 1, Adjacent neighbor count is 1
Adjacent with neighbor 22.22.22.22 (Designated Router)
Suppress hello for 0 neighbor(s)


Notice the differences in hello and dead times between a non-broadcast
interface, such as the Serial interface, and the Ethernet interface. No
matter the hello timer, the default for the dead timer is 4 times the
hello timer.

On R3, run show ip ospf. Area 23 will be shown as a stub area.


R3#show ip ospf
Routing Process "ospf 1" with ID 3.3.3.3
Supports only single TOS(TOS0) routes
It is an area border router
Number of areas in this router is 3. 2 normal 1 stub 0 nssa
Area BACKBONE(0)
Number of interfaces in this area is 1
Area has no authentication
Area 3
Number of interfaces in this area is 1
Area has no authentication
Area 23
Number of interfaces in this area is 1
It is a stub area
generates stub default route with cost 1
Area has no authentication


From R1, ping R2's and R3's Ethernet interfaces.


R1#ping 172.23.23.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.23.23.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 64/66/68 ms
R1#ping 172.23.23.3

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.23.23.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 64/66/68 ms






Place the ISDN link into Area 12. Run show ip ospf neighbor to
verify adjacency.

R1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#router ospf 1
R1(config-router)#network 172.12.21.0 0.0.0.3 area 12
R1(config-router)#
1d06h: %LINK-3-UPDOWN: Interface BRI0:1, changed state to up
1d06h: %LINEPROTO-5-UPDOWN: Line protocol on Interface BRI0:1, changed
state to up
1d06h: %ISDN-6-CONNECT: Interface BRI0:1 is now connected to 5552222 R2

The link comes up immediately. Why? Run show dialer to see the
destination of the interesting traffic that caused the line to dial.

R1#show dialer

BRI0 - dialer type =ISDN

Dial String Successes Failures Last DNIS Last status
5552222 6 0 00:01:01 successful
0 incoming call(s) have been screened.
0 incoming call(s) rejected for callback.

BRI0:1 - dialer type =ISDN
Idle timer (120 secs), Fast idle timer (20 secs)
Wait for carrier (30 secs), Re-enable (15 secs)
Dialer state is data link layer up
Dial reason: ip (s=172.12.21.1, d=224.0.0.5)
Time until disconnect 118 secs
Connected to 5552222 (R2)

BRI0:2 - dialer type =ISDN
Idle timer (120 secs), Fast idle timer (20 secs)
Wait for carrier (30 secs), Re-enable (15 secs)
Dialer state is idle

The OSPF Hello packets, destined for 224.0.0.5, brought the line up.
As you'll soon see, OSPF has a built-in mechanism for handling this
situation without using the passive-interface command.

In the meantime, configure OSPF on R2's BRI interface. Run show ip
ospf neighbor to verify the adjacency over the ISDN link.


R2#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R2(config)#router ospf 1
R2(config-router)#network 172.12.21.0 0.0.0.3 area 12
1d06h: %OSPF-5-ADJ CHG: Process 1, Nbr 11.11.11.11 on BRI0 from LOADING
to FULL, Loading Done


R2#show ip ospf neighbor

Neighbor ID Pri State Dead Time Address Interface
11.11.11.11 1 FULL/DR 00:01:46 172.12.123.1 Serial0.123
11.11.11.11 1 FULL/ - 00:00:31 172.12.21.1 BRI0
33.33.33.33 1 FULL/BDR 00:00:34 172.23.23.3 Ethernet0


The good news is that the adjacency forms over the BRI interface very
quickly. The bad news is that the ISDN link is going to stay up, since
every OSPF Hello is going to reset the dialer idle-timeout.

Also, note that there is no DR or BDR over the ISDN link. Point-to-
point links have no DR or BDR.

OSPF allows us to suppress the sending of Hello packets over an ISDN
link, while keeping the adjacency! This is done with one simple
command, and you only need it on one side of the link. On R1,
configure the command ip ospf demand-circuit on the BRI
interface.


R1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#interface bri0
R1(config-if)#ip ospf demand-circuit
1d06h: %OSPF-5-ADJ CHG: Process 1, Nbr 22.22.22.22 on BRI0 from FULL to
DOWN, Neighbor Down: Interface down or detached
1d06h: %OSPF-5-ADJ CHG: Process 1, Nbr 22.22.22.22 on BRI0 from LOADING
to FULL,Loading Done

In this example, the link was up when the command was entered. The
adjacency came down immediately, and then came back up just as
fast. Is the ISDN link still up? Is the OSPF adjacency really up? Run
show dialer and show ip ospf neighbor to see.



R1#show dialer

BRI0 - dialer type =ISDN

Dial String Successes Failures Last DNIS Last status
5552222 7 0 00:07:15 successful
0 incoming call(s) have been screened.
0 incoming call(s) rejected for callback.

BRI0:1 - dialer type =ISDN
Idle timer (120 secs), Fast idle timer (20 secs)
Wait for carrier (30 secs), Re-enable (15 secs)
Dialer state is idle

BRI0:2 - dialer type =ISDN
Idle timer (120 secs), Fast idle timer (20 secs)
Wait for carrier (30 secs), Re-enable (15 secs)
Dialer state is idle
R1#show ip ospf neighbor

Neighbor ID Pri State Dead Time Address Interface
33.33.33.33 0 FULL/DROTHER 00:01:38 172.12.123.3 Serial0
22.22.22.22 0 FULL/DROTHER 00:01:37 172.12.123.2 Serial0
22.22.22.22 1 FULL/ - - 172.12.21.2 BRI0
R1#

The line is down, and the adjacency is still up! This is why OSPF is the
protocol of choice to run over ISDN links. (If the link is still up when
you run these commands, watch the idle-timeout value under show
dialer; it's going to go down to zero and the line will drop.)

You've read about how every OSPF router must have a physical
interface in area 0, and if it doesn't, a virtual link can solve the
problem. You're now going to configure a virtual link, and see the
routing problems that occur when one router doesn't have an interface
in area 0.

First, on R1, add the point-to-point link to R3 into the OSPF
configuration, placing it into area 13. On R3, do the same, and
remove the frame-relay interface from Area 0. After doing so, clear
the OSPF processes on R3. (When clearing OSPF processes, don't be
surprised to see the ISDN link come back up.)



R1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#router ospf 1
R1(config-router)#network 172.12.13.0 0.0.0.255 area 13

R3#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R3(config)#router ospf 1
R3(config-router)#network 172.12.13.0 0.0.0.255 area 13
R3(config-router)#no network 172.12.123.0 0.0.0.255 area 0

R3#clear ip ospf process
Reset ALL OSPF processes? [no]: yes
1d06h: %OSPF-5-ADJ CHG: Process 1, Nbr 11.11.11.11 on OSPF_VL0 from
FULL to DOWN, Neighbor Down: Interface down or detached
1d06h: %OSPF-5-ADJ CHG: Process 1, Nbr 11.11.11.11 on Serial1 from FULL to
DOWN, Neighbor Down: Interface down or detached
1d06h: %OSPF-5-ADJ CHG: Process 1, Nbr 22.22.22.22 on Ethernet0 from
FULL to DOWN, Neighbor Down: Interface down or detached
R3#
1d06h: %OSPF-5-ADJ CHG: Process 1, Nbr 22.22.22.22 on Ethernet0 from
LOADING to FULL, Loading Done
1d06h: %OSPF-5-ADJ CHG: Process 1, Nbr 11.11.11.11 on Serial1 from
LOADING to FULL, Loading Done

R3's adjacencies come right back up.

R3 now has no physical interface in Area 0. Checking R3's routing
table, there doesn't seem to be a problem:

R3#show ip route ospf
1.0.0.0/32 is subnetted, 1 subnets
O IA 1.1.1.1 [110/75] via 172.23.23.2, 00:01:44, Ethernet0
2.0.0.0/32 is subnetted, 1 subnets
O IA 2.2.2.2 [110/11] via 172.23.23.2, 00:01:44, Ethernet0
172.12.0.0/16 is variably subnetted, 3 subnets, 2 masks
O IA 172.12.21.0/30 [110/1572] via 172.23.23.2, 00:00:52, Ethernet0

Ping both of the other loopbacks from R3, and they'll go through. So
what's the big deal about Area 0? Here, R3 doesn't have a physical
interface in Area 0, and there doesn't seem to be a problem, right?

Wrong. The problem is on R2. Check R2's OSPF routing table.

R2#show ip route ospf
1.0.0.0/32 is subnetted, 1 subnets
O IA 1.1.1.1 [110/65] via 172.12.123.1, 00:02:37, Serial0.123
172.12.0.0/16 is variably subnetted, 3 subnets, 2 masks
O IA 172.12.13.0/24 [110/259] via 172.12.123.1, 00:02:37, Serial0.123

R2 no longer has a route to R3's loopback, and pings to that loopback
fail.

R2#ping 3.3.3.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 3.3.3.3, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)


For full OSPF connectivity, a virtual link must be created between R1
and R3. Since R1 does have an interface in Area 0, that will give us
full connectivity.

Configure the virtual link as shown. Notice that the command starts
with the transit area; a virtual link cannot be configured through
a stub area. Also, the IP address specified in the command is the
remote router's OSPF RID, not the next-hop IP address.

R3#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R3(config)#router ospf 1
R3(config-router)#area 13 virtual-link 11.11.11.11

R1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#router ospf 1
1d06h: %OSPF-4-ERRRCV: Received invalid packet: mismatch area ID,
from backbone area must be virtual-link but not found from 172.12.13.3,
Serial1
R1(config-router)#area 13 virtual-link 33.33.33.33

1d06h: %OSPF-5-ADJ CHG: Process 1, Nbr 33.33.33.33 on OSPF_VL1 from
LOADING to FULL, Loading Done
1d06h: %LINK-3-UPDOWN: Interface BRI0:1, changed state to up
1d06h: %LINEPROTO-5-UPDOWN: Line protocol on Interface BRI0:1, changed
state to up
1d06h: %ISDN-6-CONNECT: Interface BRI0:1 is now connected to 5552222 R2

There are several things to note when configuring this virtual link. First, the error
message you'll see on R1 is normal; that just means that R3 wants to form a
virtual link but R1 doesn't; that error message will not appear again after you
configure the virtual link.

Again, the ISDN link comes up. That's normal when the OSPF network topology
changes. The link will go down when the idle-timeout hits zero, and it will not
come back up.

R1#show ip ospf virtual-link
Virtual Link OSPF_VL1 to router 33.33.33.33 is up
Run as demand circuit
DoNotAge LSA allowed.
Transit area 13, via interface Serial1, Cost of using 195
Transmit Delay is 1 sec, State POINT_TO_POINT,
Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
Hello due in 00:00:03
Adjacency State FULL (Hello suppressed)
Index 2/4, retransmission queue length 0, number of retransmission 1
First 0x0(0)/0x0(0) Next 0x0(0)/0x0(0)
Last retransmission scan length is 1, maximum is 1
Last retransmission scan time is 0 msec, maximum is 0 msec

You must see the adjacency state as FULL to know that the virtual link
is up and running. Check R2's OSPF routing table.

R2#show ip route ospf
1.0.0.0/32 is subnetted, 1 subnets
O IA 1.1.1.1 [110/65] via 172.12.123.1, 00:03:50, Serial0.123
3.0.0.0/32 is subnetted, 1 subnets
O IA 3.3.3.3 [110/260] via 172.12.123.1, 00:03:50, Serial0.123
172.12.0.0/16 is variably subnetted, 3 subnets, 2 masks
O IA 172.12.13.0/24 [110/259] via 172.12.123.1, 00:03:50, Serial0.123
R2#ping 3.3.3.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 3.3.3.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max =112/116/120 ms

R3's loopback interface is back in R2's routing table, and pings succeed.

Make sure you know the basic rules for configuring a virtual link, the
syntax of the command, and when one is necessary and not necessary
before taking the CCNA exams.

Before moving on to another protocol lab, remove OSPF from each
router with the global command no router ospf 1.

EIGRP Lab

Configure EIGRP AS 100 on R1, R2, and R3 over the Frame Relay
cloud. Disable EIGRP's automatic summarization with the no
auto-summary command. (If you need to review why EIGRP
auto-summary is usually turned off when configured, there is an
illustrated example in The Bryant Advantage Ultimate CCNA Study
Guide's EIGRP chapter.)

R1#conf t
R1(config)#router eigrp 100
R1(config-router)#no auto-summary
R1(config-router)#network 172.12.123.0 0.0.0.255

R2#conf t
R2(config)#router eigrp 100
R2(config-router)#no auto-summary
R2(config-router)#network 172.12.123.0 0.0.0.255

R3#conf t
R3(config)#router eigrp 100
R3(config-router)#no auto-summary
R3(config-router)#network 172.12.123.0 0.0.0.255

On R1, run show ip eigrp neighbor.

R1#show ip eigrp neighbor
IP-EIGRP neighbors for process 100
H   Address          Interface   Hold  Uptime    SRTT  RTO   Q    Seq  Type
                                 (sec)           (ms)        Cnt  Num
1   172.12.123.3     Se0/0       11    00:02:45  1     5000  0    1
0   172.12.123.2     Se0/0       161   00:03:01  1     5000  0    1













On each router, add the loopback address to the EIGRP process.

R1#conf t
R1(config)#router eigrp 100
R1(config-router)#network 1.1.1.1 0.0.0.0

R2#conf t
R2(config)#router eigrp 100
R2(config-router)#network 2.2.2.2 0.0.0.0

R3#conf t
R3(config)#router eigrp 100
R3(config-router)#network 3.3.3.3 0.0.0.0

On each router, run show ip route eigrp. R1 has a route for both
R2's and R3's loopbacks. R2 and R3 will only see R1's loopback
address, and not each other's. Why?

R1#show ip route eigrp
2.0.0.0/24 is subnetted, 1 subnets
D 2.2.2.0 [90/2297856] via 172.12.123.2, 00:03:19, Serial0/0
3.0.0.0/24 is subnetted, 1 subnets
D 3.3.3.0 [90/2297856] via 172.12.123.3, 00:03:04, Serial0/0

R2#show ip route eigrp
1.0.0.0/24 is subnetted, 1 subnets
D 1.1.1.0 [90/2297856] via 172.12.123.1, 00:03:40, Serial0/0.123

R3#show ip route eigrp
1.0.0.0/24 is subnetted, 1 subnets
D 1.1.1.0 [90/2297856] via 172.12.123.1, 00:05:17, Serial0/0.31

Note: The letter D indicates an EIGRP route!
(E was already taken by EGP when EIGRP
came along. It wasn't just done to make the
exams harder. ;) )






EIGRP uses Split Horizon by default to prevent looping. In this lab,
though, it prevents full network reachability. R2 and R3 both form
neighbor relationships with R1's Serial physical interface. R2
advertises its loopback address to R1's Serial interface, as does R3.
Split Horizon does not allow a route to be advertised back out
the same interface it was received on. This prevents R1 from
advertising R2's loopback to R3, or R3's loopback to R2.

Split Horizon must be disabled to allow full network reachability in this
lab. To do so, run no ip split-horizon eigrp 100 on R1's Serial
interface. Disabling Split Horizon will cause the neighbor
relationships to fail, and then reestablish. Run show ip route eigrp
100 on both R2 and R3. The appropriate route to the remote loopback
address will now appear. From each router, ping the other routers'
loopbacks. All pings will succeed.

R1#conf t
R1(config)#int serial0
R1(config-if)#no ip split-horizon eigrp 100

10:02:23: %DUAL-5-NBRCHANGE: IP-EIGRP 100: Neighbor 172.12.123.2
(Serial0/0) down: split horizon changed
10:02:23: %DUAL-5-NBRCHANGE: IP-EIGRP 100: Neighbor 172.12.123.3
(Serial0/0) down: split horizon changed

10:02:27: %DUAL-5-NBRCHANGE: IP-EIGRP 100: Neighbor 172.12.123.3
(Serial0/0) ip: new adjacency
10:02:54: %DUAL-5-NBRCHANGE: IP-EIGRP 100: Neighbor 172.12.123.2
(Serial0/0) ip: new adjacency

< The adjacencies come down after Split Horizon is changed, but are back
within 30 seconds. The routes may need a minute or so to show up on R2
and R3.>

R2#show ip route eigrp
1.0.0.0/24 is subnetted, 1 subnets
D 1.1.1.0 [90/2297856] via 172.12.123.1, 00:00:06, Serial0/0.123
3.0.0.0/24 is subnetted, 1 subnets
D 3.3.3.0 [90/2809856] via 172.12.123.1, 00:00:06, Serial0/0.123

R3#show ip route eigrp
1.0.0.0/24 is subnetted, 1 subnets
D 1.1.1.0 [90/2297856] via 172.12.123.1, 00:00:12, Serial0/0.31
2.0.0.0/24 is subnetted, 1 subnets
D 2.2.2.0 [90/2809856] via 172.12.123.1, 00:00:12, Serial0/0.31
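
The Split Horizon behavior seen in this lab can be reproduced with a small distance-vector simulation. This is an added example, not part of the workbook: it uses hop count instead of the EIGRP composite metric, and the names converge and reachable are hypothetical.

```python
# Topology from the lab: R2 and R3 each have one PVC, to R1 only, and both
# PVCs terminate on R1's single physical interface Serial0/0.
LINKS = [("R1", "Serial0/0", "R2", "Serial0/0.123"),
         ("R1", "Serial0/0", "R3", "Serial0/0.31")]
LOOPBACKS = {"R1": "1.1.1.0/24", "R2": "2.2.2.0/24", "R3": "3.3.3.0/24"}


def converge(split_horizon_off=frozenset()):
    """Exchange updates until nothing changes.

    split_horizon_off holds (router, interface) pairs on which Split Horizon
    has been disabled. Returns {router: {prefix: (hops, learned_on_interface)}}.
    """
    tables = {router: {prefix: (0, None)} for router, prefix in LOOPBACKS.items()}
    # Every link carries updates in both directions.
    adjacencies = LINKS + [(b, b_if, a, a_if) for a, a_if, b, b_if in LINKS]
    changed = True
    while changed:
        changed = False
        for sender, out_if, receiver, in_if in adjacencies:
            for prefix, (hops, learned_on) in list(tables[sender].items()):
                # Split Horizon: never advertise a route back out the
                # interface it was learned on.
                if learned_on == out_if and (sender, out_if) not in split_horizon_off:
                    continue
                known = tables[receiver].get(prefix)
                if known is None or hops + 1 < known[0]:
                    tables[receiver][prefix] = (hops + 1, in_if)
                    changed = True
    return tables


def reachable(tables, router):
    """Sorted list of prefixes in one router's table."""
    return sorted(tables[router])


if __name__ == "__main__":
    default = converge()
    fixed = converge({("R1", "Serial0/0")})
    for router in ("R1", "R2", "R3"):
        print(router, "split horizon on: ", reachable(default, router))
        print(router, "split horizon off:", reachable(fixed, router))
```

With Split Horizon left on, R1 knows all three loopbacks while R2 and R3 each know only their own and R1's, which matches the routing tables shown before the fix.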

Add the Ethernet segment between R2 and R3 to EIGRP AS 100.

R2#conf t
R2(config)#router eigrp 100
R2(config-router)#network 172.23.23.0 0.0.0.255

R3#conf t
R3(config)#router eigrp 100
R3(config-router)#network 172.23.23.0 0.0.0.255

Run show ip eigrp neighbor on each router.

R2#show ip eigrp neighbor
IP-EIGRP neighbors for process 100
H   Address          Interface   Hold  Uptime    SRTT  RTO   Q    Seq  Type
                                 (sec)           (ms)        Cnt  Num
1   172.23.23.3      Et0/0       12    00:03:29  4     200   0    15
0   172.12.123.1     Se0/0.123   126   00:11:16  40    240   0    15

R3#show ip eigrp neighbor
IP-EIGRP neighbors for process 100
H   Address          Interface   Hold  Uptime    SRTT  RTO   Q    Seq  Type
                                 (sec)           (ms)        Cnt  Num
1   172.23.23.2      Et0/0       11    00:03:34  1529  5000  0    14
0   172.12.123.1     Se0/0.31    176   00:11:24  40    240   0    16





















Run show ip eigrp topology to look at the Successor and Feasible
Successor routes on R1.

R1#show ip eigrp topology
IP-EIGRP Topology Table for AS(100)/ID(150.1.1.1)

Codes: P - Passive, A - Active, U - Update, Q - Query, R - Reply,
r - reply Status, s - sia Status

P 1.1.1.0/24, 1 successors, FD is 128256
via Connected, Loopback1
P 2.2.2.0/24, 1 successors, FD is 2297856
via 172.12.123.2 (2297856/128256), Serial0/0
via 172.12.123.3 (2323456/409600), Serial0/0
P 3.3.3.0/24, 1 successors, FD is 2297856
via 172.12.123.3 (2297856/128256), Serial0/0
via 172.12.123.2 (2323456/409600), Serial0/0
P 172.23.23.0/27, 2 successors, FD is 2195456
via 172.12.123.3 (2195456/281600), Serial0/0
via 172.12.123.2 (2195456/281600), Serial0/0
P 172.12.123.0/24, 1 successors, FD is 2169856
via Connected, Serial0/0

According to the code list at the top of this command output, the P
code stands for Passive, and all these routes have a P next to them.
Is this good? Yes. A passive EIGRP route means that it is not
currently being calculated by DUAL. An active EIGRP route means
that it is being calculated. A route that stays in active state cannot be
used to transport packets; such a route is said to be SIA, or stuck in
active.

R1 has two Successor routes for the Ethernet network. Why? First,
the EIGRP process checks to see if the routes meet the Feasibility
Condition. The Feasible Distance, the best metric the router has for
that destination, is 2195456. That happens to be the same metric for
both possible routes, and since the Advertised Distance (281600) for
both routes is less than the Feasible Distance, both routes are Feasible
Successors. Since the metric for both paths is exactly the same,
equal-cost load balancing will occur, and both routes are placed into
the topology table as Successors, and both will be placed into the
EIGRP routing table.




Consider R1's two possible routes to R2's loopback and R3's loopback
from the EIGRP topology table:


R1#show ip eigrp topology

P 2.2.2.0/24, 1 successors, FD is 2297856
via 172.12.123.2 (2297856/128256), Serial0/0
via 172.12.123.3 (2323456/409600), Serial0/0

P 3.3.3.0/24, 1 successors, FD is 2297856
via 172.12.123.3 (2297856/128256), Serial0/0
via 172.12.123.2 (2323456/409600), Serial0/0


The Feasible Distance for this route is 2297856; that is the best metric
the router has for the route. The first route in the list has this FD, and
will be the Successor (primary route).

The second route must meet the Feasibility Condition. Is its
Advertised Distance lower than the Feasible Distance (FD) of the
Successor? Yes. The route's Advertised Distance is 409600; the FD is
2297856. The route meets the Feasibility Condition and is placed into
the topology table. It is now a Feasible Successor; it can be used if
the Successor fails, but by default, it will not participate in
load-sharing. The same can be said for the two paths to R3's loopback.

Configure the EIGRP network to load-balance over these two possible
paths to each loopback address with the appropriate variance
command. Recall that the variance command is a multiplier; the
router will multiply the Feasible Distance by this value. If a feasible
successor has a metric less than that of this equation, the route will be
placed into the EIGRP routing table and used for load-balancing.

The Feasible Distance in each case is 2297856; the metric for the
Feasible Successor in each case is 2323456. Since that's barely higher
than the Feasible Distance, a variance value of 2 will do the job.
Configure variance 2 under the EIGRP process on R1, clear the
routing table with clear ip route *, and run show ip route eigrp.






Before using variance to configure unequal-cost load-sharing:

R1#show ip route eigrp
2.0.0.0/32 is subnetted, 1 subnets
D 2.2.2.2 [90/2297856] via 172.12.123.2, 00:12:53, Serial0
3.0.0.0/24 is subnetted, 1 subnets
D 3.3.3.0 [90/2297856] via 172.12.123.3, 00:12:53, Serial0

R1#conf t
R1(config)#router eigrp 100
R1(config-router)#variance 2

R1#clear ip route *
R1#show ip route eigrp
2.0.0.0/24 is subnetted, 1 subnets
D 2.2.2.0 [90/2297856] via 172.12.123.2, 00:00:04, Serial0/0
[90/2323456] via 172.12.123.3, 00:00:04, Serial0/0
3.0.0.0/24 is subnetted, 1 subnets
D 3.3.3.0 [90/2297856] via 172.12.123.3, 00:00:04, Serial0/0
[90/2323456] via 172.12.123.2, 00:00:04, Serial0/0
172.23.0.0/27 is subnetted, 1 subnets
D 172.23.23.0 [90/2195456] via 172.12.123.3, 00:00:04, Serial0/0
[90/2195456] via 172.12.123.2, 00:00:04, Serial0/0


The variance command allows any feasible successor with a metric of less than
(2297856 x 2) to participate in load-balancing. R1 can now use both routes to
R2's and R3's loopback networks.

After the variance command:

R1#show ip route eigrp
2.0.0.0/32 is subnetted, 1 subnets
D 2.2.2.2 [90/2297856] via 172.12.123.2, 00:00:03, Serial0
[90/2323456] via 172.12.123.3, 00:00:03, Serial0
3.0.0.0/24 is subnetted, 1 subnets
D 3.3.3.0 [90/2297856] via 172.12.123.3, 00:00:05, Serial0
[90/2323456] via 172.12.123.2, 00:00:05, Serial0
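
The Feasibility Condition and the variance check described in this lab can be worked through in code against R1's topology table. This is an added example, not part of the workbook: the function names are hypothetical, and the 10.9.9.0/24 entry is constructed to show a path that falls inside the variance range but is still left out because it is not a Feasible Successor.

```python
import re
from collections import namedtuple

Path = namedtuple("Path", "next_hop metric advertised interface")

# R1's "show ip eigrp topology" output as printed in the lab above.
TOPOLOGY = """\
P 1.1.1.0/24, 1 successors, FD is 128256
        via Connected, Loopback1
P 2.2.2.0/24, 1 successors, FD is 2297856
        via 172.12.123.2 (2297856/128256), Serial0/0
        via 172.12.123.3 (2323456/409600), Serial0/0
P 3.3.3.0/24, 1 successors, FD is 2297856
        via 172.12.123.3 (2297856/128256), Serial0/0
        via 172.12.123.2 (2323456/409600), Serial0/0
P 172.23.23.0/27, 2 successors, FD is 2195456
        via 172.12.123.3 (2195456/281600), Serial0/0
        via 172.12.123.2 (2195456/281600), Serial0/0
P 172.12.123.0/24, 1 successors, FD is 2169856
        via Connected, Serial0/0
"""

# Constructed entry (not from the lab): the second path's metric is below
# FD x 2, but its Advertised Distance is not below the FD.
CONSTRUCTED = """\
P 10.9.9.0/24, 1 successors, FD is 2297856
        via 172.12.123.2 (2297856/128256), Serial0/0
        via 172.12.123.3 (2500000/2400000), Serial0/0
"""

PREFIX_RE = re.compile(r"^\s*[PA]\s+(\S+), \d+ successors, FD is (\d+)")
VIA_RE = re.compile(r"^\s*via (\d+(?:\.\d+){3}) \((\d+)/(\d+)\), (\S+)")


def parse_topology(text):
    """Return {prefix: {"fd": int, "paths": [Path, ...]}}; connected routes have no paths."""
    table, current = {}, None
    for line in text.splitlines():
        head = PREFIX_RE.match(line)
        if head:
            current = table.setdefault(head.group(1),
                                       {"fd": int(head.group(2)), "paths": []})
            continue
        via = VIA_RE.match(line)
        if via and current is not None:
            current["paths"].append(Path(via.group(1), int(via.group(2)),
                                         int(via.group(3)), via.group(4)))
    return table


def classify(entry):
    """Split learned paths into successors, feasible successors and rejected paths."""
    fd = entry["fd"]
    successors = [p for p in entry["paths"] if p.metric == fd]
    others = [p for p in entry["paths"] if p.metric != fd]
    feasible = [p for p in others if p.advertised < fd]    # Feasibility Condition
    rejected = [p for p in others if p.advertised >= fd]
    return successors, feasible, rejected


def installed_next_hops(entry, variance=1):
    """Next hops placed in the routing table for a given variance multiplier."""
    successors, feasible, _ = classify(entry)
    limit = entry["fd"] * variance      # the lab's rule: metric must be less than FD x variance
    chosen = successors + [p for p in feasible if p.metric < limit]
    return [p.next_hop for p in chosen]


if __name__ == "__main__":
    table = parse_topology(TOPOLOGY + CONSTRUCTED)
    for prefix, entry in table.items():
        print(prefix, installed_next_hops(entry, 1), installed_next_hops(entry, 2))
```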

Advanced TCP/IP Concepts Lab

Before beginning the lab, a routing protocol must be configured. The
protocol should be RIPv2, OSPF, or EIGRP. Each router must be able
to ping the loopbacks on each of the other two routers and the Serial
interface connected to the Frame Relay cloud. R2's and R3's Ethernet
interfaces should be able to be pinged by every router. The BRI
interface and the directly connected interface between R1 and
R3 should be shut down.

With the access-list command, configure R1 so that only packets
from the 172.12.123.0 /24 network can enter the Serial interface.
Test the configuration by sending a ping on R2 from both
172.12.123.2 and 2.2.2.2.

R1#conf t
R1(config)#access-list 1 permit 172.12.123.0 0.0.0.255
< Wildcard masks are used with access lists. There is an implicit deny at the end
of every access list; any traffic that is not expressly permitted is implicitly denied.
>
R1(config)#interface serial0/0
R1(config-if)#ip access-group 1 in
< Access lists are applied to interfaces with the ip access-group command. The
direction the access-list is applied in follows that command. >

A ping will be sent from R2 from two different addresses. Pings such as the
ones sent in the labs up to this point are seen by the remote router as having
originated from the interface they left the other router on. For example, running ping
172.12.123.1 from R2 will result in a ping with a source address of 172.12.123.2.
Since this address falls in the permit statement of the access-list configured
above, the traffic will be let through at R1's serial interface, and the ping
succeeds.

R2#ping 172.12.123.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.12.123.1, timeout is 2 seconds:
!!!!!

On R1, run show ip access-list to see matches against every statement in the
access-list.

R1#show ip access-list
Standard IP access list 1
permit 172.12.123.0, wildcard bits 0.0.0.255 (5 matches)

The number of matches you see will vary; remember that routing
protocol updates are being permitted as well, not just pings.

To send a ping from an IP address other than the exit interface's IP
address, use an extended ping.

R2#ping
Protocol [ip]:
Target IP address: 172.12.123.1
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: loopback0
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.12.123.1, timeout is 2 seconds:
Packet sent with a source address of 2.2.2.2
U.U.U
Success rate is 0 percent (0/5)

The key is in the extended commands. The default for this is N, but by
answering Y, the source interface of the ping can be changed as shown. The
ping sent from the loopback address 2.2.2.2 does not go through. That traffic is
blocked by the access-list on R1.

To be able to see how many packets are denied by a standard ACL, the implicit
deny statement must be explicitly configured. Show ip access-list will then
show the denied packets as well as the permitted ones.

R1#conf t
R1(config)#no access-list 1
R1(config)#access-list 1 permit 172.12.123.0 0.0.0.255
R1(config)#access-list 1 deny any
< The implicit deny any is expressly configured so packets denied by it will
show in show ip access-list, as seen below. >

R1#show ip access-list
Standard IP access list 1
permit 172.12.123.0, wildcard bits 0.0.0.255 (4 matches)
deny any (8 matches)

On R3, write a standard ACL that denies traffic from IP address
1.1.1.1, but permits all other IP traffic with the access-list and ip
access-group commands.

R3#conf t
R3(config)#access-list 1 deny 1.1.1.1
R3(config)#access-list 1 perm any
R3(config)#interface serial 0.31
R3(config-if)#ip access-group 1 in

The first line of the ACL denies traffic from 1.1.1.1, and the second permits all
other traffic. The order of the lines in an ACL is vital. If these lines were
reversed and access-list 1 permit any was the first line, all traffic would be
permitted, including traffic from 1.1.1.1. The deny statement would never be
reached.

From R1, ping 172.12.123.3, first with a regular ping, then with an
extended ping from source 1.1.1.1.















R1#ping 172.12.123.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.12.123.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max =60/60/60 ms
R1#ping
Protocol [ip]:
Target IP address: 172.12.123.3
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 1.1.1.1
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.12.123.3, timeout is 2 seconds:
Packet sent with a source address of 1.1.1.1
U.U.U
Success rate is 0 percent (0/5)

As expected, the ping from 172.12.123.1 is good, but the ping from 1.1.1.1 was
stopped by the ACL on R3.

On R3, run show ip access-list to view the number of packets that
have been permitted and denied.

R3#show ip access-list
Standard IP access list 1
deny 1.1.1.1 (5 matches)
permit any (20 matches)

The pings sourcing from 1.1.1.1 were stopped at the serial interface. All other
traffic is being permitted.









Using an extended ACL on R3, prevent traffic from coming into the
router's Ethernet interface if the source is 172.23.23.2 and the
destination is 3.3.3.3.

To define a source and destination in an ACL, an extended ACL must be used.
The numeric ranges for extended ACLs are 100-199 and 2000-2699.

R3#conf t
R3(config)#access-list 125 deny ip host 172.23.23.2 host 3.3.3.3
R3(config)#access-list 125 perm ip any any

The first line of the ACL uses the host option. This takes the place of a wildcard
mask of 0.0.0.0; that is, the host option means that the IP address that follows it
is the only IP address to be affected. It's used twice in this ACL, since a specific
source address and a specific destination address are being denied.

The second line uses the any option. This takes the place of a wildcard mask of
255.255.255.255. Since any is used twice, once for the source and once for
the destination, all traffic is affected by this line.

The ACL is then applied to the Ethernet interface. There is now one ACL on the
Ethernet interface and one on the serial interface. The rule is that two ACLs can
be applied to a single interface, one affecting outgoing traffic and another
affecting incoming traffic.

R3(config)#interface ethernet0
R3(config-if)#ip access-group 125 in

From R2, ping 172.23.23.3 and 3.3.3.3 with regular pings. After doing
so, run show ip access-list on R3.

R2#ping 3.3.3.3

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 3.3.3.3, timeout is 2 seconds:
U.U.U
Success rate is 0 percent (0/5)
R2#ping 172.23.23.3

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.23.23.3, timeout is 2 seconds:
!!!!!

The pings to 3.3.3.3 fail, but the pings to 172.23.23.3 succeed. Since the
standard ping command was used, the source IP address of the ping is the
exiting interface, 172.23.23.2.

R3#show ip access-list
Standard IP access list 1
deny 1.1.1.1 (8 matches)
permit any (70 matches)
Extended IP access list 125
deny ip host 172.23.23.2 host 3.3.3.3 (8 matches)
permit ip any any (386 matches)

Both ACLs configured on R3 are shown. List 125 is denying the specific packets
with a source of 172.23.23.2 and a destination of 3.3.3.3. All other packets are
going through. When a source and destination are specified, both have to match
for that line of the ACL to take effect.
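
The ACL rules used so far in this lab (wildcard masks, host and any, top-down first match, the implicit deny, and per-line match counters) are modelled below. This is an added example, not part of the workbook and not Cisco's implementation: the class and function names are hypothetical, only the ip protocol keyword is handled, and there is no port matching. It also reports lines that can never be reached because an earlier line covers them, which is the ordering mistake the text warns about.

```python
import ipaddress

ANY = (0, 0xFFFFFFFF)   # (base, wildcard); a wildcard bit of 1 means "don't care"

# ACLs as configured on R3 in this lab.
R3_ACL_1 = ["access-list 1 deny 1.1.1.1", "access-list 1 perm any"]
R3_ACL_125 = ["access-list 125 deny ip host 172.23.23.2 host 3.3.3.3",
              "access-list 125 perm ip any any"]
# Constructed: the reversed ordering the text warns about.
R3_ACL_1_REVERSED = list(reversed(R3_ACL_1))


def ip_int(text):
    return int(ipaddress.IPv4Address(text))


def take_spec(tokens, standard=False):
    """Consume one address spec: 'any', 'host A', 'A W', or bare 'A' (standard only)."""
    tok = tokens.pop(0)
    if tok == "any":
        return ANY
    if tok == "host":
        return ip_int(tokens.pop(0)), 0
    if tokens:
        return ip_int(tok), ip_int(tokens.pop(0))
    if standard:
        return ip_int(tok), 0            # bare address means a single host
    raise ValueError("extended ACL address needs a wildcard mask")


def spec_matches(spec, addr):
    base, wildcard = spec
    return ((addr ^ base) & ~wildcard & 0xFFFFFFFF) == 0


def spec_covers(outer, inner):
    """True when every address matched by inner is also matched by outer."""
    (outer_base, outer_wc), (inner_base, inner_wc) = outer, inner
    care = ~outer_wc & 0xFFFFFFFF
    return (inner_wc & care) == 0 and ((outer_base ^ inner_base) & care) == 0


class Acl:
    def __init__(self, lines):
        self.entries = []
        self.implicit_denies = 0         # hits on the unlisted deny at the end
        for line in lines:
            tokens = line.split()
            if tokens[0] != "access-list":
                raise ValueError("unsupported line: " + line)
            number = int(tokens[1])
            extended = 100 <= number <= 199 or 2000 <= number <= 2699
            if tokens[2].startswith("perm"):      # the lab types the abbreviation "perm"
                action = "permit"
            elif tokens[2] == "deny":
                action = "deny"
            else:
                raise ValueError("unsupported line: " + line)
            rest = tokens[3:]
            proto = rest.pop(0) if extended else "ip"
            src = take_spec(rest, standard=not extended)
            dst = take_spec(rest) if extended else ANY
            self.entries.append({"line": line, "action": action, "proto": proto,
                                 "src": src, "dst": dst, "hits": 0})

    def check(self, src, dst, proto="icmp"):
        """First matching line decides; no match falls to the implicit deny."""
        s, d = ip_int(src), ip_int(dst)
        for entry in self.entries:
            if (entry["proto"] in ("ip", proto) and spec_matches(entry["src"], s)
                    and spec_matches(entry["dst"], d)):
                entry["hits"] += 1
                return entry["action"]
        self.implicit_denies += 1
        return "deny"

    def shadowed(self):
        """Lines that can never match because an earlier line covers them completely."""
        dead = []
        for i, later in enumerate(self.entries):
            for earlier in self.entries[:i]:
                if (earlier["proto"] in ("ip", later["proto"])
                        and spec_covers(earlier["src"], later["src"])
                        and spec_covers(earlier["dst"], later["dst"])):
                    dead.append(later["line"])
                    break
        return dead


if __name__ == "__main__":
    for name, lines in [("as configured", R3_ACL_1), ("reversed", R3_ACL_1_REVERSED)]:
        acl = Acl(lines)
        print(name, acl.check("1.1.1.1", "172.12.123.3"), "unreachable:", acl.shadowed())
```

Running shadowed() over a list before applying it catches an unreachable deny line that would otherwise only show up as a counter stuck at zero in show ip access-list.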

On R2, use the ip access-list command to prevent any traffic from
interface 3.3.3.3. Apply this named ACL to the Ethernet interface.

R2#conf t
R2(config)#ip access-list standard BLOCKNETWORK3
R2(config-std-nacl)#deny host 3.3.3.3
R2(config-std-nacl)#perm any
R2(config-std-nacl)#interface ethernet0
R2(config-if)#ip access-group BLOCKNETWORK3 in

To configure a named access list, use the ip access-list command, followed by
standard or extended, and then the name of the ACL. Make the name
intuitive. Apply a named ACL with the ip access-group command, just as if the
list were a numbered ACL.

From R3, send an extended ping that sources from 3.3.3.3 to
172.23.23.2. When the ping fails, run show ip access-list on R2 to
ensure the ACL is blocking the packets.













R3#ping
Protocol [ip]:
Target IP address: 172.23.23.2
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 3.3.3.3
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.23.23.2, timeout is 2 seconds:
Packet sent with a source address of 3.3.3.3
..
Success rate is 0 percent (0/5)

R2#show ip access-list
Standard IP access list BLOCKNETWORK3
deny 3.3.3.3 (5 matches)
permit any (18 matches)

The pings with a source address of 3.3.3.3 are blocked by the ACL.


On R3, write a standard ACL that permits only host 172.12.123.1.
Allow the implicit deny to prevent all other addresses. Apply the
access-list to the VTY lines to allow only this address to telnet into R3
with the access-class command. Set a password of CCNA for telnet
access.

R3#conf t
R3(config)#access-list 5 permit 172.12.123.1
R3(config)#line vty 0 4
< Configures the VTY lines, used for Telnet access. >
R3(config-line)#login
< Allows login with a password that must be configured under the VTY lines. >
R3(config-line)#password CCNA
< Password to be used for Telnet access. >
R3(config-line)#access-class 5 in
< The access-list is applied to VTY lines with the access-class command. Only
the user specified in the ACL will be able to Telnet to this router. >

From R1 and R2, telnet to 172.12.123.3.

R1#telnet 172.12.123.3
Trying 172.12.123.3 ... Open

User Access Verification

Password:
R3>logout

R2#telnet 172.12.123.3
Trying 172.12.123.3 ...
% Connection refused by remote host

From R1, the telnet succeeds. While performing this lab, notice that the
password never appears when telnetting to the router, nor does the cursor move.

From R2, the telnet attempt fails. The console message is simply that the remote
host refused it. It was refused because only R1's serial address is permitted by
the ACL applied to the VTY lines; the implicit deny stops all other telnet attempts.
The user attempting to connect to R3 is not given any details as to why the telnet
attempt was refused.

On R3, run show ip access-list.

R3#show ip access-list
Standard IP access list 1
deny 1.1.1.1 (8 matches)
permit any (430 matches)
Standard IP access list 5
permit 172.12.123.1 (6 matches)
Extended IP access list 125
deny ip host 172.23.23.2 host 3.3.3.3 (18 matches)
permit ip any any (1248 matches)

Note that the permit any statements on the first two ACLs continue to accrue as the
lab progresses, as routing update packets are being sent around the network.
The number and frequency depend on the routing protocol.








On R1, use the ip host command to configure the router to telnet to
172.12.123.3 when R3 is typed. (No quotation marks.)

R1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#ip host R3 172.12.123.3

R1#R3
Trying R3 (172.12.123.3)... Open


User Access Verification

Password:
R3>en
Password:
R3#

After configuring the ip host command, simply entering R3 on R1 will telnet to
172.12.123.3.


Starting From Scratch: Erasing Your Router
And Switch Configurations

When you're done with your labs, I recommend you erase
your configurations and start from the very beginning.
Why? Because you do your best learning the second and
third time you do anything. That's when you reinforce
everything you've learned.

The process is just a little different on the routers and
switches, as there's a file we need to delete on the switches
if you really want to start over. Let's take a quick look at
the router process:

1. At the enable prompt, run the command write erase.

2. Reload the router with reload. If prompted to save your
config, enter "N".

3. Hit enter to confirm reload when prompted.

4. The router will reload and will eventually prompt you to
go into setup mode. While you need to know the two ways
to get out of setup mode for the exams, you're better off not
going into it in the first place. Enter "n" and you will be back
at the router> prompt in about a minute.

5. At the router prompt, enter "enable", then "config t",
and you can name the router with the hostname command.

6. For your convenience, run the following non-CCNA
commands on every router and switch:

line console 0
logging synchronous
exec-timeout 0 0

logging synchronous - prevents router from interrupting
your typing with syslog messages; they're held until no data
entry is detected.

exec-timeout 0 0 - Prevents you from being timed out of
privileged exec mode.

It's the same on the switches, with one exception. After
running "write erase", run the following command at the
enable prompt:

delete vlan.dat

You'll be prompted with two questions to make sure you
want to delete this file. Do NOT enter "y" or "yes"; if you
do so, the switch thinks you're trying to erase a file named
"y". Simply hit "enter" for both confirms, THEN reload the
switch and follow the router steps.

The file "vlan.dat" contains your vlan and VTP information
and is not erased with "write erase", since this file is kept in
flash rather than nvram. To truly start over, you need to
manually erase this file.

That's it! If you have any questions, just let me know at
[email protected] .

To your success,

Chris Bryant
CCIE #12933
