
Post on 07-Apr-2020


WebLibrary Frame File Page 1

Chapter 1. Features and configuration of Cisco routers

1.1. Getting started

1.1.1. Prerequisites

Full comprehension of this document requires prior knowledge of the following basic concepts:

The IPv4 protocol, at least as far as the main addressing problems are concerned

The problems and transport technologies of levels 1-2 of the OSI stack

A certain familiarity with the configuration of a real network is also required.

1.1.2. Objectives

At the end of this document the participant will be able to master the main commands needed to configure the most common Cisco devices, i.e. routers and switches, and will have an overview of the configuration commands related to the most common network interfaces available on them (i.e. Ethernet and Serial).

This document is intended as a quick guide to these devices, not as an alternative to the official manuals; its objective is to offer the reader a structured starting point for interacting with Cisco devices. This document should be considered as preliminary to other configuration documents for Cisco devices.

1.1.3. Structure

Within this document you will find the list of the main commands and a brief description of their use. The main topics are:

general characteristics of the devices

basic configuration, usually required to start playing with an "empty" router

main information to know about the Cisco CLI (Command Line Interface) environment

an outline of debugging problems

file://localhost/Z:/Documents/Web/netlibrary/cisco/configbase/text.htm 7.03.01 13/10/2010


configuration of the most common interfaces

1.1.4. Summary

This document is a "lab manual" and therefore has no summary.

1.2. Preliminary outline of Cisco routers

The network devices (particularly the Cisco routers/switches) are structured in the following main components:

CPU
A component that supervises the functioning of the device, whose processing power varies according to the class of the machine. On high-end machines there may be several processing elements (CPUs or dedicated ASICs) specialized in particular tasks. The tasks of the CPU can be summarized as:

taking care of the forwarding process (reading the packets arriving on the various interfaces, deciding the exit interface, sending the packet on that interface)

computing the forwarding tables and updating the routing data

supervising the router (handling the operator's commands, management protocols like SNMP, ...)

Types of memory

ROM: memory that contains the fundamental software of the router (mainly the software necessary for turning the device on). It includes some diagnostic programs and some basic commands, necessary for example to restore the operating system in case the FLASH memory is deleted. It also includes the bootstrap program.

NVRAM: a non-volatile memory dedicated exclusively to the storage of configuration files. Using a memory separate from the FLASH makes it possible to replace the FLASH entirely without losing the device configuration.

FLASH: "permanent" type of memory, which contains the operating system (Cisco IOS). It is the mass storage unit of the device. It can also store files chosen by the operator (e.g. the backup configuration file).

RAM: the working memory, whose content is lost when the device is turned off. It keeps a copy of the operating system (which most devices copy from the FLASH to the RAM in the bootstrap phase), a copy of the configuration file (which is copied from the NVRAM in the bootstrap phase), and all the structures required for the functioning of the device at run-time (e.g. routing table, ARP cache, etc).

Configuration interfaces
Cisco devices are configured in the first place through a set of specific physical interfaces. Once the device is configured, it should also be reachable from the network and hence those interfaces become unnecessary. However, this is not an option when you install a brand new device. The configuration interfaces available on Cisco devices are the following:

CONSOLE: serial asynchronous interface (RS232). This interface is used for the local configuration of the device, which can be done through a PC with a serial port directly connected to the device. This requires the operator to be physically present in the same place where the device is located.

AUX: serial asynchronous interface (RS232). Physically it is the same as the console port, but functionally it is used as a connection port for other peripherals, for example a modem. For instance, this option allows an operator to access a configuration port through the telephone network, making it possible to interact with the device without being physically present where the device is located. Note that a device is also configurable through the IP network, but in certain cases (e.g. a malfunctioning network with an unreachable device, or the application of some wrong configuration command that blocks the functioning of the device) access to a "console" port is the only way to restore the functionality of the device.

Linecards
Linecards are expansion cards that are inserted in particular slots and host various types of physical interfaces (Ethernet, ...); often the router is sold with a minimum number of network interfaces and it is up to the user to decide which group of interfaces suits their requirements. Often, the cost of the linecards exceeds the cost of the router itself.

Network interfaces
They include the physical interfaces (the "connectors" dedicated to the network connection points); some of the most important are:

Ethernet: Ethernet Interface of type 10BaseT

FastEthernet: Fast Ethernet Interface

GigaEthernet: Giga Ethernet Interface

Serial: serial asynchronous interfaces (to be connected, with the proper proprietary cable, to the synchronous modems with the V.35 interface); they are used for the dedicated connections (CDN), X.25 connections, Frame Relay, etc.

ATM: ATM interface, in optical fiber or copper.

The power of a router (meaning the number of packets sent in a second) varies according to some architectural choices of the router:

Low-end routers have cards (interfaces) with limited processing capabilities and all the work is done by the central CPU, whose power determines the overall performance of the device.

Mid-range routers have intelligent cards with integrated CPUs/specialized ASICs; these carry out most of the forwarding process, while the central CPU is in charge of computing the forwarding tables and managing the device.

High-end routers (layer 3-7 switches) have intelligent cards with an intelligent hardware forwarding process, with very high performance; the central CPU is in charge of computing the forwarding tables and managing the device. In the last two cases, the forwarding rate of the router is mainly determined by the linecard capabilities and no longer depends on the processing power of the central CPU.

The main advantage of a Cisco device (but the same is valid for other manufacturers) is the operating system, traditionally very powerful even if difficult at first, which defines among other things all the commands for the various functionalities in a homogeneous way. For instance, even if it is possible to use traditional PCs equipped with appropriate software (routing, bridging, NAT, ...) as an alternative to commercial devices, the configuration of the various modules is often very different, the modules may not be well integrated, etc. Therefore, even if the PCs are functionally identical to a commercial device, they have higher management costs.

On Cisco devices, the operating system (IOS) resides in the FLASH memory. The operating system (through the CLI) acquires from the operator the commands required for the configuration of the device and puts them into action.

1.2.1. Access to the devices

Access to the device can occur through the network or by connecting a terminal (or a PC) to the console port of the router; in the first case the network device must be part of an IP network; in the case of a brand new router, only the second option is available. Remote configuration is usually preferred (for the obvious reason of being independent from the location of the router). In this mode, a remote terminal emulation program is used (telnet or SSH; the second allows the encryption of the communication), which allows the device to be configured with the usual command line interface, the preferred configuration mode of Cisco devices. However, this way of interaction requires an active network connection, functioning at the IP level, between the device and the management machine. In this case, since a device (particularly a router) is typically equipped with several interfaces and therefore several IP addresses, it is possible to use any of those addresses for the connection. In other words, if the device has three reachable addresses A, B and C, it will be possible to access the router by typing either telnet A, telnet B or telnet C.

Other ways of interaction include the use of the SNMP protocol or a web browser (the service can be enabled through the command ip http server from the configuration mode). While SNMP also offers the possibility of configuration, very few network managers use this method. Conversely, the web interface offers very limited functionality (status of each interface, ...) and is usually used as a monitoring tool rather than a real configuration tool.


Interaction through the network may be troublesome when the IP address in use becomes unreachable (e.g. an interface with a disconnected cable). In this case that IP address cannot be used to access the device and it is necessary to use another IP address (if reachable). This is the reason why commercial devices often have an extra virtual interface configured (the loopback interface), which is not tied to any physical interface and is therefore reachable (assuming that the routing for that address exists) as long as an available path at the IP level exists.

Access through the console does not have these reachability problems; however, it is necessary to be physically present at that location, as the router is connected to the configuration terminal through a console cable. In the past a VT100 terminal was used, i.e. a simple and "stupid" terminal that was able to send/receive data through a serial interface. This device can be emulated by a software program like HyperTerminal in the Windows world, which is configured with the appropriate parameters for the serial interface:

9600 bps, 8 bit, No Parity, StopBit 1, Flow Control Hardware

Alternatively, it is possible to connect the console port (or AUX) to a modem, with the same interaction methods as the ones previously shown. When a serial terminal is used, we can also send some special characters to the device, for example the break. In Windows, the Break key is obtained by pressing simultaneously the keys CTRL+&.

The figure shows a possible access screen to a router through the HyperTerminal tool available on Windows. In this window it is possible to type in the configuration commands according to the syntax of the command line of Cisco devices.

1.2.2. Configuration files


A new configuration command given to the router is written in a configuration file named running-config, stored in the RAM and immediately put into action by the device. However, this configuration file is lost when the device is turned off and hence the effect of those commands is no longer available at the following boot of the router.

The devices keep a second configuration file in the NVRAM memory, named startup-config, that is used as the configuration file when the router boots. The two files, the one in RAM and the other in NVRAM, may not be in sync. For instance, in the previous example the two files are not in sync: in order to make the RAM configuration effective at the next reboot it is necessary to save that file in NVRAM, from where it will be read at the next boot. Therefore:

the configurations written in RAM and NVRAM might not be aligned; if the RAM configuration is missing (e.g. at the startup of the router) the one in NVRAM is read

the RAM configuration is copied to the NVRAM only in response to a particular command of the operator

it is possible to follow an appropriate backup policy, by copying the active configuration from the RAM to the NVRAM only when we are sure it is correct (e.g. the router performed correctly with the given configuration for a certain amount of time)

all the configuration changes given by the operator are saved exclusively in the RAM, which appears as having "priority" over the NVRAM configuration file

The current configuration of the router can also be saved (or read) through the network with the TFTP protocol. It is therefore possible to tell the router to write the configuration file to the network (instead of the NVRAM) on a particular TFTP server, with the result that we obtain a text file with the list of all the configuration commands. Similarly it is possible to tell the router to read a configuration file through the network instead of configuring everything manually. Obviously this method requires the network to be functioning and the TFTP server to be reachable at the IP level.

Cisco devices make heavy use of TFTP servers; updating to a new version of the operating system also uses this type of server.

1.2.3. Menus and commands


The IOS has a completely text-based user interface (CLI, Command Line Interface). There are some graphic tools available, but their capabilities are limited and therefore they can be used only with very simple configurations; they are actually used more often for the visualization of some running parameters.

The menus of the IOS command line follow a hierarchical organization on N levels. It is possible to go from one level to another using some particular keywords; in order to exit the submenu the keyword exit is used. The keyword end allows the direct return from any configuration submenu to the privileged mode. The transitions from one mode to the other are highlighted by the different prompt that is printed by the router, e.g. Router> in user mode, which becomes Router# in privileged mode.

The main operating modes are the following:

User mode
This is the basic operating mode, available when the user connects to the device. In this mode it is possible to display some data on the functioning of the device, although the privileges within this level are very limited. The switch to the following mode is done through the keyword enable. In order to access this mode an authentication phrase might be required.
Switching to other operating modes: enable to switch to the privileged mode; exit to abandon the current session with the router.

Privileged mode
This mode allows displaying all the data regarding the functioning of the router, and resetting the value of some dynamic structures that are calculated at runtime (e.g., ARP cache, interface counters, etc). However it does not allow changing the configuration of the device, even if there are some commands that allow the management of the configuration files from the device, and through them it is possible to replace one configuration file with another. Strangely, while in this mode it is possible to substitute an entire configuration file with another, it is not possible to insert single configuration commands for a particular function.
Switching to other operating modes: configure terminal to switch to the configuration mode (Note: there are other commands to enter the configuration mode, e.g. configure network); exit to return to the user mode.

Configuration mode
In this mode it is possible to modify the router configuration.
Switching to other operating modes: the appropriate command (which depends on the particular function we want to configure) has to be used in order to enter the submenu dedicated to the configuration of that portion of the router; for instance, to enter the configuration mode of the Ethernet0 interface, it is necessary to type interface ethernet 0. To return to the privileged mode: exit.

Configuration mode of a given functionality
This mode is used to configure the particular functionality. In the case of the previous example it is possible to configure the parameters of that interface (e.g. full/half duplex mode, IP address, etc).
Switching to the other operating modes: normally there are no further submenus available. To go back to the general configuration mode: exit. To go directly to the privileged mode: end.

At any time the IOS offers a contextual help, obtainable by typing the character "?". The output lists all the commands available in that particular mode; for more specific help it is possible to type "command ?" for the desired command. This type of help is available in a recursive way; therefore, to find out the meaning and the options relative to the option B of the command A, it is possible to type commandA optionB ? and so on.

In order to speed up the input of the commands, the IOS also supports abbreviated commands; when a particular command in a certain context is no longer ambiguous, it is automatically recognized by the system. For instance it is possible to type the abbreviated command sh instead of the full command show. IOS also has auto-completion: by typing a command and pressing TAB, the IOS automatically completes the command, provided that it is recognized and not ambiguous. In other words, by typing sh and pressing TAB, the full command show will be printed on the screen. This auto-completion method is particularly useful to check that the partial command that you are typing in is actually the one you want.

Each command is available in the negated and affirmed form: it is possible to enable a certain function by typing "command_string" and disable the function by typing "no command_string". Therefore, to cancel an existing command it is sufficient to type the command preceded by the word no. For instance, if the command shutdown disables a network interface, the command no shutdown does the opposite, re-enabling the interface.

The IOS is now several years old, and some changes have been made to some commands over time. New versions not only add new commands and functionalities, but they sometimes replace old commands with new ones, using a different syntax. Therefore it might happen that some of the cited commands no longer work on some routers, either because the IOS version is too old to support them, or because the selected product line does not support that specific command.

1.2.3.1. Default commands

Cisco devices store the configuration in a configuration file. The configuration can be displayed with specific commands (e.g., show running-config for the running configuration). Unfortunately, the configuration file does not explicitly include all the operating parameters configured on the router. For instance, in the figure you can see that in the first case the interface Serial0 is configured with a particular data-link level protocol with the command encapsulation hdlc. However this command does not appear in the configuration section dedicated to the serial interface of the router, e.g. when the command show running-config is typed. Conversely, if the procedure is repeated by applying the command encapsulation ppp (which represents a data-link protocol alternative to HDLC) instead of the command encapsulation hdlc, it is displayed afterwards in the configuration.

The reason is that Cisco devices consider some commands as the default choice, and these are not displayed in the configuration file in order to avoid making it excessively verbose. This behavior however generates two kinds of problems:

the user must be sufficiently expert to remember that some functionalities are present (or configured in a certain default mode) even though there is no explicit line in the configuration file

the replacement of the current configuration by rewriting it with a new configuration file might cause problems.

In particular, the second point deserves further examination. Cisco devices allow an entire configuration file to be copied onto the device (e.g., using an external TFTP server, using a file stored in the FLASH memory, or more trivially through a copy-paste of the existing configuration via terminal, etc). However, what Cisco calls "copy" should more correctly be referred to as "merge". Suppose that we have a device with an active configuration like the one in the figure. This configuration includes the line encapsulation ppp, which specifies the data-link level protocol on the serial interface. If, through one of the many available commands, you apply a new configuration to the device (the one at the top) that does not include the above line, the result is that the device will still have the encapsulation ppp command in the final configuration. In fact, the command encapsulation hdlc, which represents the default command, is omitted in the second configuration file, and therefore cannot replace the alternative command encapsulation ppp.

A very frequent error is related to the command shutdown, which disables a network interface. The opposite command, no shutdown, makes the interface active, but is omitted as it is considered the default command. Now, let us suppose that the router has a given network interface disabled: the configuration file, as displayed through the show running-config command, will include the command shutdown. At this point, if you copy a new configuration (in which the above interface is active, but whose command no shutdown is not displayed, being the default choice) on the current one, the state of the interface will not change, as the new configuration will merge with the current one and hence the command shutdown is not overwritten. To enable the interface it is therefore necessary to explicitly type the command that enables it (no shutdown).

It is therefore necessary to take these default commands into consideration when you have to apply new configurations on the devices starting from an existing configuration. Conversely, the problem does not exist when the device does not have an initial configuration, as that is, by definition, the one with the default commands.

1.2.3.2. Overwriting commands


Most IOS configuration commands have only one instance. For instance, just one IP address can be configured as primary on an interface, or an interface can have just one active encapsulation. In IOS, if a command is typed in again with other parameters, the existing one is lost. For instance the figure shows a configuration in which the serial interface is configured with the IP address 1.1.1.1. As a result of a new configuration command that aims to set the address value to 2.2.2.2, the first address is lost and overwritten by the second.

Therefore, it is often not necessary to cancel a previous command (typing its negated form, in this case no ip address 1.1.1.1 255.0.0.0) in order to change its value; it is sufficient to type a new command that will directly replace the previous one.
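The merge behaviour of section 1.2.3.1 and the overwrite behaviour of section 1.2.3.2 can be reproduced with a small model of one interface. The following Python code is an added example, not Cisco code and not part of the original document; the Interface class, the merge function and the three modelled commands with their defaults are assumptions made for illustration.

```python
"""Model of IOS "copy = merge" semantics for one interface (illustrative)."""

# Assumed defaults; lines that match them are hidden from the displayed config.
DEFAULTS = {"encapsulation": "hdlc", "shutdown": False, "ip address": None}


class Interface:
    def __init__(self, name):
        self.name = name
        self.state = dict(DEFAULTS)

    def apply(self, line):
        """Execute one interface-level command, as typing it at the CLI would."""
        words = line.split()
        negate = words[0] == "no"
        if negate:
            words = words[1:]
        if words[0] == "shutdown":
            self.state["shutdown"] = not negate
        elif words[0] == "encapsulation":
            # the negated form falls back to the default protocol
            self.state["encapsulation"] = (
                DEFAULTS["encapsulation"] if negate else words[1])
        elif words[:2] == ["ip", "address"]:
            # single-instance command: a new value overwrites the old one
            self.state["ip address"] = None if negate else " ".join(words[2:4])
        else:
            raise ValueError(f"command not modelled: {line!r}")

    def render(self, explicit=False):
        """Text of the interface section; defaults are omitted unless explicit."""
        out = [f"interface {self.name}"]
        for key, value in self.state.items():
            if value == DEFAULTS[key] and not explicit:
                continue
            if value is None or value is False:
                out.append(f" no {key}")
            elif value is True:
                out.append(f" {key}")
            else:
                out.append(f" {key} {value}")
        return "\n".join(out)


def merge(device, config_text):
    """Apply a configuration file on top of the running state, line by line."""
    current = None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if line.startswith("interface "):
            name = line.split(None, 1)[1]
            current = device.setdefault(name, Interface(name))
        elif current is None:
            raise ValueError(f"global command not modelled: {line!r}")
        else:
            current.apply(line)
    return device


def demo():
    # Constructed running state: Serial0 uses PPP and is disabled.
    device = merge({}, "interface Serial0\n ip address 1.1.1.1 255.0.0.0\n"
                       " encapsulation ppp\n shutdown\n")
    # Intended state: HDLC, interface enabled, new address.
    intended = Interface("Serial0")
    intended.apply("ip address 2.2.2.2 255.0.0.0")
    terse = intended.render()            # the way the config is displayed
    merge(device, terse)
    after_terse = device["Serial0"].render()
    merge(device, intended.render(explicit=True))   # defaults spelled out
    after_explicit = device["Serial0"].render()
    return terse, after_terse, after_explicit


if __name__ == "__main__":
    for label, text in zip(("new file", "after merge", "after explicit merge"),
                           demo()):
        print(f"--- {label} ---\n{text}")
```

After the first merge the address has been overwritten with 2.2.2.2, but encapsulation ppp and shutdown are still present; only the file that spells out encapsulation hdlc and no shutdown brings the interface to the intended state.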

1.2.4. Resetting of the operating system in case the FLASH memory is deleted

The FLASH memory contains the operating system. However, this memory can be deleted by a clumsy command (e.g. erase flash:) and in this case it is necessary to restore it with at least a valid IOS image.

If the IOS is no longer present in the FLASH memory, we can distinguish two cases that depend on whether the router has been rebooted or not.

1.2.4.1. Router with operating system (no reboot occurred)

This case is the simplest one because the router has not yet performed a reboot. In this case the operating system is still active (it has been copied into the main memory) and therefore it accepts all the IOS commands. From the privileged mode it is possible to type the following command:

copy tftp:filenameIOS flash:

This command will download the file containing the operating system from a TFTP server and will write it on the FLASH memory. Once this point has been completed, the router is ready for a reboot. Obviously you need to have an active TFTP server, which must be reachable from the router under examination.

1.2.4.2. Router in ROMMON (without operating system)

This case is more complex and occurs when the router has already performed a reboot. In this case, the router will not find the operating system and will enter a special mode called ROMMON. This operating mode can be easily identified from the command prompt, which will be rommon>.

This mode includes only some basic commands and not all the IOS commands. The utility to be used in this case is tftpdnld, which downloads a new image of the operating system from a TFTP server. The utility will ask for some environment variables (e.g. the IP address assigned to the router, etc), and afterwards the file will be requested from the TFTP server. However in this case the choices are limited with respect to the previous case; for instance an IP connection between the primary interface of the router and the TFTP server is necessary, while in the previous case any interface would have been sufficient.

At the end of the download, we can restart the router by launching the boot command.

1.2.4.3. Resetting of the VLAN database in case the FLASH memory is deleted

If the FLASH memory has been completely deleted, devices that have switched interfaces also have to restore the VLAN database, as it is stored as a regular file (vlan.dat) in the FLASH memory.

To recreate this file it is sufficient to type the command vlan database (in privileged mode) and set again all the active VLANs on the device. For further details on the VLAN database, please see the corresponding section.

1.3. Basic configuration

1.3.1. Main configuration steps

The main steps required for the complete configuration of Cisco routers can be summarized as follows:

basic configuration: system parameters, passwords

interface configuration: framing, speed, network addresses

routing configuration: default route, parameters belonging to each routing process (OSPF, )

advanced configuration: access lists, etc.

1.3.2. Resetting the configuration


In case you want to reset the current configuration of the router and return to the default one, you can use the following procedure (shown in the figure) and type the following commands:

Cisco> enable

Enters the privileged mode.

Cisco# erase startup-config

Deletes the configuration present in the NVRAM memory. As a result of this command, the device will ask for a confirmation, to which you need to answer "y".

Cisco# reload

Forces the reboot of the router. As a result of this command, the router will notice that the active configuration is different from the one present in the NVRAM. Therefore, it prints a warning suggesting that the user save the current configuration in the NVRAM in order to avoid losing it. To this question it is necessary to answer "n": as our goal is to reset the router, we do not want to save the current configuration. As a result of our answer, the device will make a second confirmation request, to which it is necessary to answer "y". At this point the reboot begins.

...

A phase follows in which the device continues with the bootstrap. At the end of this phase, the device will print a message that suggests entering a guided configuration phase. To this request it is necessary to answer "n". At this point, the device will initialize its interfaces and will go into user mode.

1.3.3. Basic configuration

Instead of presenting a list of the most important commands, we will present an example of a real configuration starting from an empty router.

Cisco> enable

Enters the administration mode (a password might be required if it was previously set).

Cisco# configure terminal

Enters the configuration mode; the device now expects new configuration commands typed on the terminal.

Cisco(config)# hostname name

Assigns a name to the router; it will be used as a prompt (e.g. MyRouter>).

Cisco(config)# enable password ena_pwd

Enables (and sets) the password needed to move into privileged mode from user mode (that is, the password required when we type the command enable). Note how the password is shown in clear-text in the current configuration. Warning: see the note at the end of the paragraph.

Cisco(config)# username name password passwd

Associates the password with each router user. It can be used either to access a router, or to configure the router and access it in dial up. In the second case, the router uses the password associated with the name of the user that logs in. Attention: see the note at the end of the paragraph.

Cisco(config)# line vty 0 4

Configures the virtual terminals. The first number after vty is the number of the first virtual terminal; the second one is the number of the last virtual terminal (in this case we have up to 5 simultaneous accesses to the router).

Cisco(config-line)# login

Requires a login phase when the router is accessed via telnet (but does not set a password).

Cisco(config-line)# password telnet_pwd

Enables (and configures) the access password to the router when we try to access via telnet. Attention: see the note at the end of the paragraph.

Cisco(config-line)# exit

Exits the configuration mode of the virtual terminals.

Cisco(config)# exit

Exits the configuration mode.

Important note: please be careful not to set any password in lab sessions. In fact, when another user tries to log in and the password is unknown, we need to proceed to a password recovery operation that is rather annoying (and time consuming). Therefore, it is highly recommended not to set a password.

NOTE: when the configuration is shown on screen (e.g. sh run) only the options that are not set to the standard value are printed.
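The following check is an added example, not part of the original document: it scans a saved configuration for the three password commands of this section and reports where the secret is stored in clear text, without echoing the secret itself. The sample configuration, the function name audit_passwords and the Finding type are constructed for illustration; the handling of the encoding digit (0, 7) and of the "secret" form reflects standard IOS behaviour that this document does not cover.

```python
import re
from typing import List, NamedTuple, Optional

# Constructed sample of what "show running-config" could print after the
# commands of this section (placeholder values, not from a real device).
SAMPLE_CONFIG = """\
hostname MyRouter
!
enable password ena_pwd
!
username name password 0 passwd
username backup password 7 00PLACEHOLDER00
username admin secret 5 $1$CONSTRUCTED$placeholder
!
line con 0
line vty 0 4
 password telnet_pwd
 login
!
end
"""


class Finding(NamedTuple):
    lineno: int    # 1-based line number in the configuration text
    scope: str     # "global" or the enclosing "line ..." block
    command: str   # the command with the secret redacted
    storage: str   # how the secret is stored


# An optional single digit before the secret is the IOS encoding type:
# absent or 0 means clear text, 7 means the reversible obfuscation applied
# by "service password-encryption". The "secret" forms store a hash and are
# deliberately not matched here.
_PASSWORD_RE = re.compile(
    r"^\s*(?P<cmd>enable password|username \S+ password|password)"
    r"\s+(?:(?P<type>\d)\s+)?(?P<secret>\S+)\s*$"
)


def audit_passwords(config_text: str) -> List[Finding]:
    """Return one Finding per password stored in clear text or as type 7."""
    findings: List[Finding] = []
    scope = "global"
    for lineno, raw in enumerate(config_text.splitlines(), start=1):
        if raw and not raw[0].isspace():
            # A non-indented line starts a new top-level block.
            scope = raw.strip() if raw.startswith("line ") else "global"
        match = _PASSWORD_RE.match(raw)
        if not match:
            continue
        enc: Optional[str] = match.group("type")
        if enc in (None, "0"):
            storage = "cleartext"
        elif enc == "7":
            storage = "type 7 (reversible)"
        else:
            continue  # other encodings are outside the scope of this check
        findings.append(
            Finding(lineno, scope, f"{match.group('cmd')} <redacted>", storage)
        )
    return findings


if __name__ == "__main__":
    for f in audit_passwords(SAMPLE_CONFIG):
        print(f"line {f.lineno:>2} [{f.scope}] {f.command}: {f.storage}")
```

The same check can be run on any configuration saved with the cut-and-paste technique before the file is stored or shared.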

1.3.4. Management and display of the configuration files

Cisco beginners often get confused when dealing with configuration files. In particular, the capability to display the correct configuration is very important to check that the given commands are really applied to the device. The most important commands are the following:

Cisco# show running-config

Displays the current configuration of the device (i.e., the one in RAM).

Cisco# copy running-config startup-config

Saves the current active configuration in the NVRAM.

Cisco# copy running-config flash:myconfig

Saves the current configuration in a file named myconfig and stored in the FLASH memory. Similarly, it is possible to save the configuration in a file on a TFTP server (copy running-config tftp:myconfig); in this case the TFTP server must be active and reachable at the IP level.
!!Warning!! When you type this command, the router will try to format the FLASH first, and asks for a confirmation. Please type n, or all the information on the FLASH will be lost. If this occurs, it is necessary to restore the operating system on the FLASH memory using the corresponding procedure.

Cisco# show startup-config

Displays the configuration that will be used by the router at boot (i.e., the one on NVRAM).

Cisco# show configuration

Warning: this configuration is NOT the one currently active on the router, but the one saved on the NVRAM. Therefore we suggest not using this command, in order to avoid mistakes, and using the commands show running-config and show startup-config instead.

Cisco# erase startup-config

Deletes the configuration present in the NVRAM memory.
As a result of this command, the device will display a confirmation request, to which it is necessary to reply "y".
!!Warning!! Be careful when you play with the erase command, as it could be used to delete other memory areas. In particular, it could be used to delete the FLASH memory (so that the router hangs at the next reboot because of the lack of the IOS image).

Cisco# dir flash

Displays the list of the files contained in the FLASH memory.

Please note that an excellent backup technique for the configuration file is to do a "cut-and-paste" of the configuration printed by a command such as show running-config and save it on your own hard disk. This is fast, easy, and painless. Then, you can re-apply that configuration on an empty router (please check the appropriate section on how to reset the configuration of a Cisco device). Remember that such a copy also contains any password that the configuration shows in clear text.

1.4. Control and debugging problems

1.4.1. Device control

The main utility, control and debugging commands are usually available only in privileged mode. The fundamental commands fall into the following categories:

copy: for copying the configuration files to a different location.

show: for displaying information. It can be used to show configuration files, the state of the interfaces, the state of the routing, the state of the caches (e.g. the ARP table), etc.

erase: for deleting files.

clear: for resetting the structures computed at run time (e.g. caches, interface counters, etc).

debug: for enabling the display of debug information when certain events, specified after the command, occur.

Some examples of commands are the following:

Cisco# show command_string

Displays the parameters relative to command_string.

Cisco# show interfaces

Displays the state of the network interfaces.

Cisco# show ? (or show ip ?)

Lists the possible options of the show (or show ip) command.

Cisco# clear arp-cache

Deletes all the values contained in the ARP cache of the device.

Cisco# debug command_string

Enables the debug of the particular function command_string.

Cisco# debug ?

Shows the possible options of the debug command, i.e. the possible protocols/events/etc. on which the debugging can be enabled.

Cisco# debug ip packet dump

Prints the hexadecimal dump of the packets that are forwarded by the router; it is a very dangerous command for its capability to saturate the router.

Cisco# no debug all

Disables all the previously enabled debug commands.

Cisco# term mon (term no mon for disabling it)

Enables the debugging on the current telnet session. This command is required if we access the router from the network (e.g., via telnet) in order to redirect the debug output to the local terminal and not to the console of the router.

Debugging functionalities must be used carefully, taking care to avoid the saturation of both the router CPU and the network bandwidth (in the case of remote debugging). It is not infrequent that the CPU of the router is saturated by the debugging messages and that the device is no longer able to accept any other command. In these circumstances the debugging will cause the total loss of control of the router, which can be restored only through its console (sometimes, the complete restoration of the router can be achieved only after physically turning off the router and turning it on again).

1.4.2. Controlling and debugging the network

The Cisco IOS includes some traditional TCP/IP commands used to control and debug the network, such as:

ping address

Checks the reachability of the address. Normally 5 packets are sent and the result is shown on the screen using the following symbols:

"!": the reply had a positive outcome

"U": the router received an explicit notification of unreachability (e.g. an ICMP packet)

".": the reply did not arrive in time. Consider that, in the case of low-performance devices, the first PING might be lost because of the time necessary to fill in the data structures in the device.

Note that in some cases a PING reply may be missing not because the Request was lost, but because the Reply was lost. One of the frequent causes of this error is the source address of the packet, which is autonomously decided by the device (for instance a router usually has several IP addresses, and if it does not have a loopback address, it will choose a "random" address as source), and there might not be a route for that particular address. In these cases it is useful to type the command PING with no parameters, which forces the router to interactively ask for the parameters that have to be used (including the source address).

trace address

Displays the path towards the destination; if more paths are found, it displays all of them.

[telnet] address

Opens a virtual terminal with the destination.

It is worth remembering that these diagnostic tools are very approximate. For instance a missing response to the ping command does not automatically imply the lack of a route toward the destination, but it may be due to the lack of the return route instead. Therefore, it is important to make sure that the neighbors of the router are reachable, and then continue with the debugging in concentric circles of increasing radius.

1.5. Configuration and control of interfaces

The IOS assigns to each physical network interface an identifier which is unique within the system. This identifier includes the type of the interface (e.g. Ethernet interfaces will have a name that begins with Ethernet, Fast Ethernet with FastEthernet, console with CON, and so on) followed by a numerical identifier in increasing order (e.g., Ethernet0, Ethernet1, Serial0, Serial1). When the Cisco device includes different slots for linecards, the interface name also contains the number of the linecard (e.g. Ethernet0/1 indicates the second Ethernet of the first linecard). There are cases in which some devices can even have three numerical levels (e.g. Ethernet0/0/1).

From this point on, the following rules will be used:

the commands presented, unless clearly specified otherwise, are available only in configuration mode (or in one of its submenus)

the show command represents the most notable exception, since it is available only in privileged mode.

1.5.1. Configuration commands

1.5.1.1. State of the interfaces

The physical interface of a Cisco device can be in the following three states:

Administratively Down: the interface has been disabled by management (e.g. through a shutdown command) and can neither send nor receive frames;

Down: the interface is active, but something prevents it from functioning and the router does not detect the presence of the carrier signal on the interface. For instance, it can happen on a serial interface in DCE mode with no active clockrate, or in an Ethernet network when the interface is unable to understand the speed at the other side of the link.

Up: the interface is active and the carrier signal is correctly detected. This does not necessarily mean that the interface is working properly: for instance a serial link might not work because of the encapsulation, maybe PPP on one side and HDLC on the other.

The line protocol, on the other hand, represents the state of the network connection and can take the following values:

Down: the line protocol is not active (e.g. the encapsulation is wrong, etc)

Up: the line protocol is active and therefore the interface is able to send its data on the physical channel.

Both the status of the interface and the status of its line protocol can be shown by commands such as show interfaces.

1.5.1.2. General configuration commands

In this section we present some commands that operate on all kinds of physical interfaces. We present a configuration outline that makes use of these commands (note that only some of these commands are typically used in a normal configuration).

Cisco# configure terminal

Enters the configuration mode.

Cisco(config)# ip subnet-zero

Enables the use of the "subnet zero" on the interfaces and on the routing updates. This command allows IP networks ending with ".0" to use any netmask (otherwise, only the "natural" netmasks /24, /16 and /8 are allowed); for instance the network 130.192.1.0/30 is allowed only upon issuing this command, while the 130.192.1.4/30 does not require it.

Cisco(config)# interface name

Enters the configuration submenu of the interface name, in which the following commands are available.

Cisco(config-if)# ip address address mask

Assigns the given address and mask to the interface.

Cisco(config-if)# ip address address mask secondary

This command allows the configuration of more IP addresses on the same physical interface; in fact, "secondary" tells the router that the address has to be used in addition to the primary one, instead of replacing the one already configured. Please note that multiple secondary addresses can be assigned to the same interface.

Cisco(config-if)# description interface_description

Assigns a literal string as a description of the interface.

Cisco(config-if)# no shutdown

Enables the interface; to return to the "administratively down" state, we have to use the dual shutdown command.

Cisco(config-if)# mtu value

Defines an MTU different from the standard one.

Cisco(config-if)# ip proxy-arp

Enables the proxy ARP on that interface.

Cisco(config-if)# end

Exits the configuration menu and returns to the privileged mode.

1.5.1.3. Display and control commands

The control commands can be issued in the privileged mode and are normally show commands.

show interface [name]

Displays various information about the router interfaces; if name is specified, only that particular interface is shown. Among other data, this command also displays the state of the interface and the state of its line protocol.

show interfaces [type]

Displays the current data relative to a particular type of interface of the router (e.g. all the Ethernet interfaces).

show controllers [interface]

Displays the information related to the physical controller of an interface; it is mostly used for debugging the internal data of the interface when there are some signs of malfunctioning. For instance, in the case of a serial link, this command tells the operator if the serial is used in DTE or DCE mode, the value of the possible clockrate, etc.

show cdp neighbors

Displays the list of the neighbors of the current router (obviously, provided that these are Cisco devices as well); this information is obtained thanks to a Cisco proprietary protocol (Cisco Discovery Protocol), enabled by default on all routers.

show process cpu

Displays the current CPU occupation and the currently active processes; it is useful to verify the current load on the router.

clear interface name

Does a hardware reset on the selected interface.

clear counters

Sets to zero the counters (e.g. the number of transmitted packets, ...) associated to the selected interface.

1.5.2. Example of configuration of a FastEthernet interface

We present here a typical configuration done on an Ethernet interface.

Cisco> enable

Enters the privileged mode.

Cisco# configure terminal

Enters the configuration mode.

Cisco(config)# interface FastEthernet0

Enters the configuration mode of the FastEthernet0 interface.
Note: this is a traditional routed interface (i.e., not switched), and therefore the configuration of the IP addresses has to be done directly on the interface itself.

Cisco(config-if)# ip address 192.168.100.2 255.255.255.0

Assigns the IP address (and the netmask) to the interface.

Cisco(config-if)# no shutdown

Enables the interface, removing it from the shutdown state (administratively down).

Cisco(config-if)# end

Exits the configuration menu and returns to the privileged mode.

1.5.2.1. The VLAN database

While Cisco devices usually use routed interfaces (i.e., standard interfaces with L3 capabilities), it is also possible to use switched interfaces, i.e. interfaces that have only L2 capabilities. The main difference is that switched interfaces do not accept any L3 command, i.e. we cannot configure an IP address on them; we will show in the following how to overcome this limitation. However, one of the most important features of those interfaces is the capability to be dynamically assigned to different VLANs (even though VLANs can be assigned also on L3 interfaces, although in a different mode and with slightly different capabilities).

The user cannot distinguish between traditional (i.e., routed) and L2 (i.e., switched) interfaces by simply looking at the Cisco device from the outside. The type of the interface can be known only by checking the interface specifications on the data sheet of the selected Cisco device. Please note that the same Cisco router can have routed interfaces on some slots, and switched interfaces on some others.

When VLANs have to be configured on a switched interface, the explicit configuration of the VLAN database has to be carried out first. Please note that this step is not required in case VLANs are configured on a routed interface.

The VLAN database is configured while in privileged mode (please beware here): it is the only configuration function that is not carried out in configuration mode. Furthermore, VLAN settings are not saved in the general configuration file, but are saved in a vlan.dat file, stored on the FLASH memory. Therefore, if the user saves only the configuration file (e.g., the output of show running-config) on a device with switched interfaces, the VLAN database is lost. The user has to take care of saving also the vlan.dat file, using the appropriate commands.

The VLAN database can be configured using the commands shown in this example (typically, only some of them may be required depending on what the user is supposed to do):

Cisco> enable

Enters the privileged mode.

Cisco# vlan database

Enters the management menu of the VLAN database.

Cisco(vlan)# vlan 45

Enables a new VLAN (identified by the number 45).

Cisco(vlan)# no vlan 44

Deletes a previously active VLAN (identified by the number 44).

Cisco(vlan)# show

Displays the currently configured VLANs in the VLAN database.

Cisco(vlan)# exit

Exits the management mode of the VLAN database and activates the changes.

Note: while the configuration commands (in configure terminal mode) are immediately active, the commands related to the VLAN database become active only after issuing the exit command.

The configuration of the VLAN database is saved on the FLASH memory, and therefore is automatically reactivated at the following reboot of the router. There is no difference between active configuration and startup configuration here.

It is important to remember that the size of the VLAN database can be limited on some devices (e.g. 4 VLANs for some low-end devices). In this case it is necessary to remove some VLANs present in the database in order to be able to configure new values.

1.5.3. Example of configuration of a switched FastEthernet interface with L3 capabilities

Switched interfaces can be used either as data-link level interfaces (on a switched network), or as network level interfaces (i.e., as router interfaces), depending on the configuration of the interface itself.

When you want to use a switched interface with L3 capabilities (i.e., in routed mode), the configuration is slightly different from the one of a native routed interface. In fact, since the IOS does not allow assigning an IP address directly to the interface, we have to (a) associate the switched interface to a given VLAN and then (b) assign the IP address to that VLAN. If the association between switched interfaces and VLANs is 1:1, the system behaves as if it had a single routed interface (at least from an external view of the device).

An example is shown in the figure: we want to connect 2 devices through a direct cable, but one side of the cable ends with a switched interface. However, from an "external" configuration point of view, it has to appear as if the considered interface responds to the address 192.168.100.2. We present a possible configuration of the considered device:

Cisco> enable

Enters the privileged mode.

Cisco# vlan database

Enters the configuration of the VLAN database.

Cisco(vlan)# vlan 12

Enables the VLAN 12 on the switched interfaces of the device.

Cisco(vlan)# exit

Exits the management mode of the VLAN database and activates the changes.

Cisco# configure terminal

Enters the configuration mode.

Cisco(config)# interface FastEthernet2

Enters the configuration mode of the physical (switched) interface FastEthernet2.

Cisco(config-if)# switchport access vlan 12

Assigns the interface to the VLAN 12 in access mode.
Given that Ethernet frames are not tagged with the VLAN-ID when the interface is in access mode, the value 12 has only internal validity, and has to be equal to the corresponding number present in the other commands that refer to VLANs (i.e. the value configured in the VLAN database and in the interface vlan command that will follow).

Cisco(config-if)# no ip address

No IP address is assigned to the physical FastEthernet interface.

Cisco(config-if)# no shutdown

Enables the interface, removing it from the shutdown state (administratively down).

Cisco(config-if)# exit

Exits the configuration context of the FastEthernet2 interface.

Cisco(config)# interface Vlan 12

Enters the configuration mode of the virtual interface Vlan12. This interface is necessary to enable a level 3 address (routed) on the entire VLAN.
Note: this interface is virtual and can be created/deleted dynamically depending on the user's needs (i.e. depending on how many virtual L3 interfaces we want to assign to physical L2 interfaces). In particular, this command (a) creates the interface and (b) enters the configuration mode of the interface itself. Since this interface is an L3 one, all L3 commands available on the other interfaces are available here as well. The number "12" must be equal to the one associated to the command switchport present on the real FastEthernet interface.
Note: once created, the VLAN interfaces are automatically active; therefore it is not necessary to explicitly type in the command no shutdown.
Note: a virtual VLAN interface can be deleted through the no vlan vlan_id command.

Cisco(config-if)# ip address 192.168.12.2 255.255.255.0

Assigns the IP address (and netmask) to the virtual VLAN interface (and, indirectly, to all L2 interfaces associated to the current VLAN).

Cisco(config-if)# end

Exits the configuration menu and returns to the privileged mode.

It is important to remember that the VLAN interface is a virtual interface, and therefore is dynamically created based on the commands of the operator. In other words, this interface will not be shown by the command show running-config in a device which has just been initialized. However, as soon as that interface is created, the command show running-config will display this new interface in the configuration file.

In modern Cisco devices, switched interfaces are always associated to a VLAN. If the command switchport is not explicitly present, the port is automatically configured in access mode and associated to the VLAN 1.
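The rule stated above (the VLAN number must be the same in the VLAN database, in switchport access vlan and in interface Vlan) can be checked mechanically. The following script is an added example, not part of the original document; the function name check_vlan_consistency and both samples are constructed, and the VLAN database is passed separately because it lives in vlan.dat and not in the running configuration.

```python
import re
from typing import Dict, List, Optional, Set

# Constructed running-config fragment (not from a real device).
SAMPLE_RUNNING_CONFIG = """\
interface FastEthernet1
 switchport access vlan 12
!
interface FastEthernet2
 switchport access vlan 21
!
interface Vlan12
 ip address 192.168.12.2 255.255.255.0
!
interface Vlan30
 ip address 192.168.30.1 255.255.255.0
!
"""

# Constructed list of VLAN IDs, as "show" would list them in "vlan database".
SAMPLE_VLAN_DATABASE = {1, 12}


def check_vlan_consistency(running_config: str, vlan_db: Set[int]) -> List[str]:
    """Cross-check access ports, VLAN interfaces and the VLAN database."""
    access_ports: Dict[str, int] = {}  # physical interface -> access VLAN
    svis: Set[int] = set()             # VLAN IDs that have an "interface VlanN"
    current: Optional[str] = None

    for line in running_config.splitlines():
        head = re.match(r"^interface\s+(.+?)\s*$", line)
        if head:
            # "interface Vlan 12" (as typed) and "interface Vlan12" are the same.
            current = head.group(1).replace(" ", "")
            svi = re.fullmatch(r"[Vv]lan(\d+)", current)
            if svi:
                svis.add(int(svi.group(1)))
            continue
        if not line.startswith(" "):
            current = None  # a non-indented line closes the interface block
            continue
        acc = re.match(r"^\s+switchport access vlan (\d+)\s*$", line)
        if acc and current:
            access_ports[current] = int(acc.group(1))

    problems: List[str] = []
    for port, vlan in sorted(access_ports.items()):
        if vlan not in vlan_db:
            problems.append(f"{port}: access VLAN {vlan} is not in the VLAN database")
        if vlan not in svis:
            problems.append(f"{port}: VLAN {vlan} has no 'interface Vlan{vlan}', so no L3 address")
    used = set(access_ports.values())
    for vlan in sorted(svis):
        if vlan not in vlan_db:
            problems.append(f"Vlan{vlan}: VLAN {vlan} is missing from the VLAN database")
        # Ports without an explicit switchport command default to VLAN 1,
        # so an apparently unused Vlan1 is not reported.
        if vlan not in used and vlan != 1:
            problems.append(f"Vlan{vlan}: no switched port is assigned to VLAN {vlan}")
    return problems


if __name__ == "__main__":
    for problem in check_vlan_consistency(SAMPLE_RUNNING_CONFIG, SAMPLE_VLAN_DATABASE):
        print(problem)
```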

1.5.3.1. Complex configuration example

The figure shows a possible configuration scenario, which is more complex than the one presented previously. Leaving out the details related to the commands used (which have already been presented), in this example the device has one routed interface (FastEthernet0), and two switched interfaces (FastEthernet1 and FastEthernet2). Moreover the last two interfaces are connected to end-stations that belong to the same LAN, and hence they have the same default gateway.

The configuration requires the creation of one VLAN (vlan 12) that will assume the function of default gateway for all the end-systems connected to it and is associated to the last two interfaces.

Vice versa, since FastEthernet0 is a routed interface, no VLANs must be configured on it. Please note that the VLAN is not required because of the type of the interface (which is routed and not switched), and not because the interface is directly connected to another endpoint at L3. In fact, if FastEthernet0 were a switched interface, an additional VLAN would be required.

1.5.4. Serial interfaces

Serial interfaces accept most of the commands presented above and they always act as routed interfaces; in addition, some other commands are available for setting some peculiar parameters of these interfaces:

encapsulation ppp | hdlc | x25 | frame-relay

Defines the line protocol in use on the physical link. Unlike Ethernet links, in which all frames have the same format, point-to-point links support several data-link layer protocols (some guarantee more compatibility across different vendors, some have limited overhead, etc). HDLC is a proprietary CISCO version (allows multiple L3 protocols) and therefore PPP should be used when interoperability with other manufacturers is required. HDLC does not require authentication. The X.25 and Frame Relay encapsulations are used when the serial interface is connected to a physical access using these technologies.

clockrate value

Defines the speed of the serial link. The clockrate command is required only when the router is connected back-to-back with another router using a direct DCE/DTE cable, and only on the router that is on the DCE side (meaning the side of the "telephone exchange"). This command is needed by an operator to define the maximum line speed at which the user can transmit. In a regular direct geographical link (CDN, HDSL, etc) the clock is provided by the modem and not by the interface, therefore making this command useless.

ppp authentication chap | pap

Enables the use of authentication on that particular PPP link. In order to authenticate from the other end of the link, the router uses its own name contained in the general command username. The two authentication protocols can be active at the same time, and are tried out in the order in which they appear. If the protocol is CHAP, we need to set the key (secret) used for the challenge by this protocol instead of the password.

Cisco(config-if)# no fair-queue

Disables the weighted fair queuing scheduling algorithm on the given interface. Although this command can be used on all interfaces, it is mainly used on Serial links because it provides the main advantages in case of low-speed connections.

1.5.4.1. Example

An example of configuration, referring to the network shown in the figure, is the following:

Cisco> enable

Enters the privileged mode.

Cisco# configure terminal

Enters the configuration mode.

Cisco(config)# interface Serial0

Enters the configuration mode of the interface Serial0.
Note: this interface is of type DCE and therefore it is necessary to also configure the clockrate. To see whether an interface is DTE or DCE it is sufficient to type the command show controllers serial 0, in privileged mode.

Cisco(config-if)# ip address 192.168.89.1 255.255.255.0

Assigns the IP address (and the netmask) to the interface.

Cisco(config-if)# encapsulation ppp

Enables the PPP as data-link protocol.

Cisco(config-if)# no shutdown

Enables the interface, removing it from the shutdown state (administratively down).

Cisco(config-if)# clockrate 64000

Sets the link speed; it must be typed only on the interface that acts as DCE and only if the DTE/DCE interfaces are connected by a direct cable, with no intermediate modems.

Cisco(config-if)# end

Exits the configuration menu and returns to the privileged mode.

1.5.5. Unnumbered interfaces

Cisco also supports unnumbered interfaces, i.e. interfaces without an IP address. In fact, the configuration is a little bit more complex, in that the IP address is not simply missing, but we have to tell the router that the interface is of type unnumbered.

This feature may be interesting in order to save IP addresses on links in which the IP address on both sides of the link is obvious (i.e., IP networks whose prefix length is /30). In these networks, the endpoint at the other side of the link is not ambiguous (in fact, the link is a point-to-point link) and therefore there is no need for an IP address in order to determine who has to receive that frame. Vice versa, on an Ethernet link we may have multiple possible endpoints, and therefore unnumbered interfaces are not possible.

In this case, the IP routes will use the interface name as next hop, instead of the IP address of the other endpoint.

An example of configuration, referring to the router R1 in the figure, is the following:

Cisco> enable

Enters the privileged mode.

Cisco# configure terminal

Enters the configuration mode.

Cisco(config)# interface Serial0

Enters the configuration mode of the interface Serial0.

Cisco(config-if)# ip unnumbered loopback0

Sets the interface as unnumbered and refers to interface loopback0 for a possible IP address.

Cisco(config-if)# exit

Exits the configuration of the interface.

Cisco(config)# interface Ethernet0

Enters the configuration mode of the interface Ethernet0.

Cisco(config-if)# ip address 192.168.10.1 255.255.255.0

Assigns an IP address to the interface.

Cisco(config-if)# exit

Exits the configuration of the interface.

Cisco(config)# ip route 192.168.14.0 255.255.255.0 serial0

Defines an IP route for remote network 192.168.14.0/24 whose "next hop" is the interface Serial0.

Cisco(config)# end

Exits the configuration menu and returns to the privileged mode.

One of the problems of unnumbered interfaces is that we cannot use ping on them, since they do not have any IP address. Therefore, the debugging may be cumbersome. In order to limit this problem, we can create a virtual interface named loopback, which is an interface that is associated to the entire Cisco router and is not directly linked to a physical interface. Being virtual, we can create as many loopback interfaces as we want. If the loopback interface is created and associated to an IP address, the Serial interface linked to that loopback can assume that IP address when needed (e.g. in case of ping).

In this case, the configuration will become:

Cisco> enable

Enters the privileged mode.

Cisco# configure terminal

Enters the configuration mode.

Cisco(config)# interface Serial0

Enters the configuration mode of the interface Serial0.

Cisco(config-if)# ip unnumbered loopback0

Sets the interface as unnumbered and refers to interface loopback0 for a possible IP address.

Cisco(config-if)# exit

Exits the configuration of the interface.

Cisco(config)# interface Loopback0

Creates the virtual interface Loopback0 and enters its configuration mode.

Cisco(config-if)# ip address 192.168.20.1 255.255.255.255

Assigns an IP address to the interface. Please note that the prefix length /32 can be used only on loopback interfaces.

Cisco(config-if)# exit

Exits the configuration of the interface.

Cisco(config)# interface Ethernet0

Enters the configuration mode of the interface Ethernet0.

Cisco(config-if)# ip address 192.168.10.1 255.255.255.0

Assigns an IP address to the interface.

Cisco(config-if)# exit

Exits the configuration of the interface.

Cisco(config)# ip route 192.168.14.0 255.255.255.0 serial0

Defines an IP route for remote network 192.168.14.0/24 whose "next hop" is the interface Serial0.

Cisco(config)# ip route 192.168.24.1 255.255.255.255 serial0

Defines an IP route for remote network 192.168.24.1/32 (i.e., the loopback interface on router R2) whose "next hop" is the interface Serial0.

Cisco(config)# end

Exits the configuration menu and returns to the privileged mode.

In some cases the loopback interface is associated to an IP address that overlaps with that of another interface (e.g. Ethernet0), avoiding in this way a second static route and the occupation of an additional address (and network).

1.5.6. IPv6

The configuration of the IPv6 addresses is extremely similar to the configuration of the IPv4 addresses. However, because of some additional commands and some particularities of this technology, we prefer to list some of the most important commands separately.

The most important configuration commands are the following:

Cisco(config)# ipv6 unicast-routing

Enables the router to handle IPv6 unicast traffic. Without this command, all the IPv6 packets received by the router are discarded.

Cisco(config-if)# ipv6 address address/prefixlength

Assigns address address/prefixlength to the given interface.

Cisco(config-if)# ipv6 address autoconfig

Tells the interface that it has to learn its IPv6 address through stateless autoconfiguration. This command is discouraged on router interfaces, since it is usually the router that assigns addresses, and not vice versa.

Cisco(config-if)# ipv6 nd suppress-ra (or)

Cisco(config-if)# ipv6 nd ra suppress

Disables the sending of the router advertisement messages on the specified interface. The command varies slightly depending on the IOS version present on the device.

Cisco(config-if)# ipv6 address 2001:400::1/64

Assigns address 2001:400::1/64 to the interface.


The most common commands for managing the IPv6 protocol are the following:

Cisco# show ipv6 interface

Shows all the IPv6 addresses associated with the interface, with all the details (active multicast addresses, possible ICMP settings, Duplicate Address Detection, etc.).

Cisco# show ipv6 interface brief

Briefly shows the state of the IPv6 interfaces (up/down) and the main IPv6 addresses associated with the interfaces.

Cisco# show ipv6 neighbors

Displays the neighbor cache (corresponding to the ARP cache in IPv4) of an IPv6 router.

Cisco# clear ipv6 neighbors

Deletes the neighbor cache.

1.6. Netmask and Wildcard

Netmasks and wildcards are two equivalent ways to indicate a contiguous IP address space. The netmask is specified in IP, while the concept of wildcard is proprietary to Cisco and is the exact mirror image of the netmask. In other words, while for a netmask the "0" value represents the "ignore" concept and the "1" value represents the "controls" concept, a wildcard has exactly the dual meaning. The use of the wildcard instead of the netmask depends on the particular Cisco command; some accept only netmasks, others only wildcards. The figure shows, as an example, the most commonly used wildcards for groups of up to 256 hosts.

For instance, to group together all the addresses contained between 10.0.16.0 and 10.31.255.255 with a single entry, it is possible to write the address-netmask pair 10.0.16.0 255.255.16.255, or the address-wildcard pair 10.0.16.0 0.0.15.255, depending on which formalism the current command is expected to accept.

In general, netmasks are used when dealing with IP addresses (e.g., in the IP address configuration) and in some network protocols. Wildcards are used in the OSPF routing protocol and in security access lists.
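The complement relation between the two notations, as an added Python example that is not part of the original document (the function names are illustrative): it converts between netmask and wildcard, checks that a netmask is contiguous, and evaluates an address-wildcard pair the way an access list entry would, using the pair 10.0.16.0 0.0.15.255 from the text as input.

```python
import ipaddress

FULL = 0xFFFFFFFF  # all 32 bits set


def _to_int(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))


def _to_dotted(value: int) -> str:
    return str(ipaddress.IPv4Address(value))


def invert_mask(mask: str) -> str:
    """Netmask -> wildcard or wildcard -> netmask (bitwise complement)."""
    return _to_dotted(_to_int(mask) ^ FULL)


def is_contiguous_netmask(mask: str) -> bool:
    """True when the mask is a run of 1 bits followed only by 0 bits."""
    host_bits = _to_int(mask) ^ FULL
    return (host_bits & (host_bits + 1)) == 0


def wildcard_matches(base: str, wildcard: str, candidate: str) -> bool:
    """Wildcard semantics: 0 bits must match the base, 1 bits are ignored."""
    care = _to_int(wildcard) ^ FULL
    return (_to_int(base) & care) == (_to_int(candidate) & care)


def wildcard_range(base: str, wildcard: str) -> tuple:
    """First and last address covered by a contiguous address-wildcard pair."""
    wc = _to_int(wildcard)
    if wc & (wc + 1):
        raise ValueError("non-contiguous wildcard: not a single address range")
    first = _to_int(base) & (wc ^ FULL)
    return _to_dotted(first), _to_dotted(first | wc)


if __name__ == "__main__":
    # Constructed sample input: the address-wildcard pair used in the text.
    base, wildcard = "10.0.16.0", "0.0.15.255"
    print("netmask :", invert_mask(wildcard))
    print("range   :", wildcard_range(base, wildcard))
    for probe in ("10.0.16.1", "10.0.31.255", "10.0.32.0"):
        print(probe, wildcard_matches(base, wildcard, probe))
```

For that pair the complementary netmask is 255.255.240.0 and the covered range is 10.0.16.0 to 10.0.31.255; running the same check before applying an access list entry confirms that it covers exactly the intended addresses.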
