Introduction to Routers Command Line

Upload: lulzim-brucaj

Post on 02-Jun-2018


    8/10/2019 Introduction to Routers Command Line

    Boson NetSim for CCNA Lab Manual

    Lab Primer

    Lesson 1: Introduction to the Cisco Router Command-Line Interface

    Modes

    User Mode vs. Privileged Mode

    User mode is indicated by the > prompt next to the router name. In user mode, you can look at some of the router's settings. In privileged mode (indicated by the # prompt), you can use the different show commands to display all of the router's settings.

    Router>

    Router>enable

    Router#

    The Enable and Enable Secret Passwords

    You can set an enable password to control access to privileged mode. This is a very important password because,

    command at the privileged mode prompt.

    Router>

    Router>enable

    Router#config term

    Router(config)#enable password boson

    You can securely encrypt an enable password by using the enable secret command.

    Router(config)#enable secret cisco

    The enable secret

    The password is case-sensitive. A password set with the enable password command is stored as clear text, whereas a password set with the enable secret

    router with an enable secret password is preferred. The enable secret password always takes precedence if both the enable secret password and the enable password are set.

    To enter global configuration mode, use the config terminal (config t) command. To exit configuration mode, use the end command or press the CTRL+Z key combination.

    Router#config t

    Router(config)#end

    Router#
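As an added example (not part of the Boson lab manual), the following Python script audits a running-config for the enable password and enable secret behaviour described above: it reports which mechanism the router will actually check and flags the clear-text one. The configuration text, including the hash value in it, is a constructed sample, and the function names are my own.

```python
"""Audit a Cisco IOS running-config for privileged-mode password handling."""

# Constructed sample configuration in the style of the lab's 'show running-config'
# output; the enable secret hash is a placeholder, not a real digest.
SAMPLE_CONFIG = """\
!
version 12.0
!
hostname Router1
!
enable password boson
enable secret 5 $1$PLACEHOLDER$notarealhashvalue
!
line con 0
line aux 0
line vty 0 4
!
end
"""


def parse_enable_lines(config_text):
    """Return (enable_password_line, enable_secret_line); each is None when absent.

    Leading whitespace is stripped so the check also works on indented dumps.
    """
    password_line = secret_line = None
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("enable secret "):
            secret_line = line
        elif line.startswith("enable password "):
            password_line = line
    return password_line, secret_line


def effective_enable_mechanism(config_text):
    """Name the password the router will actually check at the 'enable' prompt.

    The lab states that the enable secret always takes precedence when both
    are configured, so 'enable password' only matters when no secret exists.
    """
    password_line, secret_line = parse_enable_lines(config_text)
    if secret_line is not None:
        return "enable secret"
    if password_line is not None:
        return "enable password"
    return None


def audit_enable_passwords(config_text):
    """Return a list of human-readable findings about the enable passwords."""
    password_line, secret_line = parse_enable_lines(config_text)
    findings = []
    if password_line is not None:
        # 'enable password' stores the password as clear text in the config,
        # so anyone who can read 'show running-config' learns it directly.
        cleartext = password_line.split(None, 2)[2]
        findings.append("clear-text enable password present: %r" % cleartext)
    if secret_line is None:
        if password_line is None:
            findings.append("no enable password or enable secret configured")
        else:
            findings.append("enable secret missing; clear-text enable password is in use")
    elif password_line is not None:
        findings.append("enable secret takes precedence; remove the redundant clear-text enable password")
    return findings


if __name__ == "__main__":
    print("effective mechanism:", effective_enable_mechanism(SAMPLE_CONFIG))
    for finding in audit_enable_passwords(SAMPLE_CONFIG):
        print("-", finding)
```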


    Accessing Help

    To view all commands available from a mode, type ?; you do not have to press the ENTER key after typing the question mark. This will display a list of all available commands in the current mode. You can also use the question mark after you have started typing a command. For example, if you want to see all commands that can be used with the show command, type show ? at the # prompt.

    Router#show ?

    access-expression List access expression

    access-lists List access lists

    backup Backup status

    cdp CDP information

    clock Display the system clock

    cls DLC user information

    compress Show compression statistics

    configuration Contents of Non-Volatile memory

    --More--

    The Host Name

    host name is also visible via Cisco Discovery Protocol (CDP). However, the host name is not used for TCP/IP address resolution. The following code demonstrates how to set the host name of a router or switch.

    Router>

    Router>enable

    Router#conf t

    Router(config)#hostname Router1

    Router1(config)#

    The show running-config command displays the configuration that is currently active in the router's memory.

    The following is an example of the type of output you will see when you run the command.

    Router>

    Router>enable

    Router#show running-config

    Building configuration...

    Current configuration:

    !

    version 12.0

    !

    hostname Router

    !

    interface Serial0


    no ip address

    shutdown

    !

    interface BRI0

    no ip address

    shutdown

    !

    interface Ethernet0

    no ip address

    shutdown

    !

    line con 0

    line aux 0

    line vty 0 4

    !

    end

    Router#

    in the router's CLI. If you want to erase the startup configuration stored in NVRAM, use the erase startup-config command and then reload the router.

    Router#erase startup-config

    Erasing the nvram filesystem will remove all files! Continue? [confirm]

    [OK]

    Erase of nvram: complete

    Router#reload

    Proceed with reload? [confirm]

    Lesson 2: Basic Commands

    Show Commands

    Show Version

    The show version command displays information about the router. Use show version to obtain critical information, such as the router platform type and the operating system revision. The following is an example of the type of output you will see when you issue the show version command.


    Router>show version

    Router1 Operating System Software

    Router uptime is 2 minutes

    System returned to ROM by power-on

    System image file is flash:c2500.bin

    [output omitted]

    1 Ethernet/IEEE 802.3 interface(s)

    1 Serial(sync/async) network interface(s)

    1 ISDN Basic Rate interface(s)

    32K bytes of non-volatile configuration memory.

    4096K bytes of processor board System flash (Read/Write)

    Configuration register is 0x2102

    Show Protocols

    The following is an example of the type of output you will see when you issue the show protocols command.

    Router>show protocols

    Global values:

    Internet Protocol routing is enabled

    BRI0 is administratively down, line protocol is Down

    Ethernet0 is administratively down, line protocol is Down

    Serial0 is administratively down, line protocol is Down

    Show Flash

    The following is an example of the type of output you will see when you issue the show flash command.

    Router>show flash

    System flash directory:

    File Length Name/status

    1 3015588 c2500.bin

    [3015652 bytes used, 1178652 available, 4194304 total]

    4096K bytes of processor board System flash (Read/Write)

    Show History

    By default, the router's command-line interface (CLI) maintains in memory the last 10 commands you have entered. This default value can be changed. You can use one of two methods to cycle through previous router commands entered since the last power loss. To simultaneously view all of the past commands still in router memory, use the show history command. For single-line retrieval, use either the UP ARROW key or the CTRL+P key combination to see the previous command, and use either the DOWN ARROW key or the CTRL+N key combination to see the next command.

    Router>show history


    show version

    show protocols

    show flash

    enable

    show running-config

    disable

    show history

    Show Clock

    The router keeps its own clock that can be used to synchronize devices. The show clock command displays the clock.

    Router#show clock

    *00:38:35.755 UTC Mon Mar 1 1993

    Router#

    Show Hosts

    You can create a list of host names on your router. You can view the entries (if any) by typing show hosts.

    Router#show hosts

    Default domain is not set

    Name/address lookup uses static mappings

    Host Flags Age Type Address(es)

    Router#

    Show Users

    The show users command displays users who are connected to the router.

    Router#show users

    Line User Host(s) Idle Location

    * 0 con 0 idle 00:00:00

    Router#

    Show Interfaces

    The show interfaces command displays the status, settings, and traffic counters of each interface, as in the following output.

    Router#show interfaces

    BRI0 is administratively down, line protocol is down

    Hardware is BRI

    MTU 1500 bytes, BW 64 Kbit, DLY 20000 usec, rely 255/255, load 1/255

    Encapsulation HDLC, loopback not set

    Last input never, output never, output hang never

    Last clearing of show interface counters never

    Input queue: 0/75/0 (size/max/drops); Total output drops: 0

    Queuing strategy: weighted fair

    Output queue: 0/1000/64/0 (size/max total/threshold/drops)

    Conversations 0/0/256 (active/max active/max total)


    Reserved Conversations 0/0 (allocated/max allocated)

    5 minute input rate 0 bits/sec, 0 packets/sec

    5 minute output rate 0 bits/sec, 0 packets/sec

    0 packets input, 0 bytes, 0 no buffer

    Received 0 broadcasts, 0 runts, 0 giants, 0 throttles

    0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort

    0 packets output, 0 bytes, 0 underruns

    0 output errors, 0 collisions, 5 interface resets

    0 output buffer failures, 0 output buffers swapped out

    0 carrier transitions

    --More--

    Notice the --More-- indicator. This means that more information pertaining to the last command can be

    displayed. To view more commands line by line, press the ENTER key. To view more output one screen at a time,

    press the SPACEBAR. To exit the output and return to the router prompt, press any letter. (It may be helpful to

    remember to press the E key for exit.)

    Ping

    The ping command allows a user to test basic connectivity. The syntax for the ping command is as follows:

    ping ip_address

    The ping command sends a series of ICMP echo requests to the address. Each time the router receives a reply, it is noted in the CLI with an exclamation mark (!). If no reply is received, it is noted with a period (.).

    The following shows the output of a successful ping of the 10.1.1.1 IP address:

    Router#ping 10.1.1.1

    Type escape sequence to abort.

    Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:

    !!!!!

    Success rate is 100 percent (5/5), round-trip min/avg/max = 32/37/44 ms

    Router#

    The following shows the output of a failed ping of the 2.2.2.2 IP address:

    Router#ping 2.2.2.2

    Type escape sequence to abort.

    Sending 5, 100-byte ICMP Echos to 10.1.1.2, timeout is 2 seconds:

    .....

    Success rate is 0 percent (0/5)

    Router#

    The ping command is one of the most commonly used test tools. Ping uses Internet Control Message Protocol (ICMP) to communicate with other routers.


    Address Resolution Protocol (ARP) resolution.

    You can also use the command or the show ip interface command on the local router to view its IP addresses.

    IP Addressing

    The following syntax places an IP address on the interface:

    ip address ip_address subnet_mask

    Remember that /24 denotes a subnet mask of 255.255.255.0. For your convenience, here is a handy table matching slash notation to the corresponding dotted decimal subnet masks:

    Slash  Dotted Decimal   Slash  Dotted Decimal     Slash  Dotted Decimal
    /8     255.0.0.0        /16    255.255.0.0        /24    255.255.255.0
    /9     255.128.0.0      /17    255.255.128.0      /25    255.255.255.128
    /10    255.192.0.0      /18    255.255.192.0      /26    255.255.255.192
    /11    255.224.0.0      /19    255.255.224.0      /27    255.255.255.224
    /12    255.240.0.0      /20    255.255.240.0      /28    255.255.255.240
    /13    255.248.0.0      /21    255.255.248.0      /29    255.255.255.248
    /14    255.252.0.0      /22    255.255.252.0      /30    255.255.255.252
    /15    255.254.0.0      /23    255.255.254.0      /31    255.255.255.254


    Router>

    Router>en

    Router#conf t

    Enter configuration commands, one per line. End with CNTL/Z.

    Router(config)#hostname Router1

    Router1(config)#int e0

    Router1(config-if)#ip address 10.1.1.1 255.255.255.0

    Router1(config-if)#no shut

    Router1(config-if)#int s0

    Router1(config-if)#ip address 172.16.10.1 255.255.255.0

    Router1(config-if)#no shut

    Router1(config-if)#end

    Router1#

    You can use sh ip interface brief to view the IP addresses on the interface:

    Router1#sh ip interface brief

    Interface IP-Address OK? Method Status Protocol

    BRI0 unassigned YES manual up up

    Ethernet0 10.1.1.1 YES manual up up

    Serial0 172.16.10.1 YES manual up up

    Router1#

    Router>

    Router>en

    Router#conf t

    Enter configuration commands, one per line. End with CNTL/Z.

    Router(config)#hostname Router2

    Router2(config)#int e0

    Router2(config-if)#ip address 10.1.1.2 255.255.255.0

    Router2(config-if)#no shut

    Router2(config-if)#exit

    Router2(config)#exit

    Router2#exit

    Lesson 4: Router Interfaces

    Examining the Interfaces

    Routers can have many types of interfaces, such as Token Ring, FDDI, Ethernet, serial, ISDN, and so on. You will

    often need to view the status and settings, so you need to know a few important commands. The show interfaces command is one of the more important commands.

    Router#show interface


    Ethernet0 is administratively down, line protocol is down

    Hardware is Lance, address is 0060.5cc4.f445 (bia 0060.5cc4.f445)

    MTU 1500 bytes, BW 10000 Kbit, DLY 1000 usec, rely 255/255, load 1/255

    Encapsulation ARPA, loopback not set, keepalive set (10 sec)

    [output omitted]

    This command produces output about each interface. In this case, you can see that Ethernet 0 is administratively

    down. That means that it has been turned off with the shutdown command.

    Ethernet 0 is          Line protocol is  Meaning
    administratively down  down              Indicates that the interface has been turned off with the shutdown command
    up                     down              Indicates that the cable is connected, but keepalives are not being received
    down                   down              Indicates a cabling problem, that no clock rate is set on the DCE, or that another router interface is shut down
    up                     up                Indicates that the interface is connected and receiving keepalives

    You can view particular interfaces with the show interface command; for instance, you can issue the show interface serial 0 command. Alternatively, you can use the show ip interface brief command to quickly display the status of all interfaces.

    Router#show ip int brief

    Interface IP-Address OK? Method Status Protocol

    Ethernet0 unassigned YES not set administratively down down

    PCbus0 unassigned YES not set administratively down down

    Serial0 unassigned YES not set up down

    Router#

    Examining the Controllers

    Controllers are the part of the interface that makes the physical connection. The controller of most interest is the

    kind of cable that is attached to a serial interface.

    A data terminal equipment (DTE) cable is the cable you should typically use. If the local interface is the DTE side

    of the connection, the other end of the connection must provide clocking.

    Data communications equipment (DCE) means that this device must provide the clocking on the wire.

    The show controllers command will allow you to see if an interface is a DCE or DTE.

    Router#show controllers serial 0

    HD unit 0, idb = 0xA2B58, driver structure at 0xA7020

    buffer size 1524 HD unit 0, V.35 DCE cable

    cpb = 0x42, eda = 0x2140, cda = 0x2000


    To bring up an interface that has been shut down, issue the no shutdown command in interface configuration mode.

    Router#conf t

    Enter configuration commands, one per line. End with CNTL/Z.

    Router(config)#interface ethernet 0

    Router(config-if)#no shutdown

    Router(config-if)#

    %LINEPROTO-5-UPDOWN: Line protocol on Interface Ethernet0, changed state to up

    %LINK-3-UPDOWN: Interface Ethernet0, changed state to up

    Router(config-if)#end

    Router#

    If your interface is the DCE, you must provide clocking using the clock rate command.

    Router#config t

    Enter configuration commands, one per line. End with CNTL/Z.

    Router(config)#interface serial 0

    Router(config-if)#clock rate 56000

    Router(config-if)#end

    Router#

    It is often helpful to use the description command to add a description of the purpose of the interface.

    Router#conf t

    Enter configuration commands, one per line. End with CNTL/Z.

    Router(config)#int e0

    Router(config-if)#description My Connection to the Engineering Hub

    Router(config-if)#end

    Router#

    You can use any of the following commands to view your changes:

    show running-config

    OR

    show interfaces

    OR

    show controllers

    Lesson 5: CDP

    CDP is a Data Link protocol that operates at Layer 2 of the Open Systems Interconnection (OSI) model. This is

    important to understand because CDP is not routable and can only travel to directly connected devices.


    CDP allows you to view information such as operating system version, protocol information, and much more. This

    information can be very handy for troubleshooting a variety of problems.

    CDP Commands

    The CDP commands are simple. See the following tables.

    no cdp run                 turns off CDP for the entire router
    cdp run                    turns on CDP for the entire router (default setting)
    cdp timer 120
    cdp enable                 turns on CDP for the interface (default setting)
    no cdp enable              turns off CDP for the interface

    Show Commands

    show cdp interface         displays interface settings
    show cdp neighbor          displays directly connected neighbors
    show cdp neighbor detail   displays detailed information about neighbors
    show cdp                   displays general information

    Lesson 6: ARP

    ARP Commands

    Show arp

    The show arp command displays the Address Resolution Protocol (ARP) table, which contains detailed information about interfaces that are learning media access control (MAC) addresses. Looking at the table below, you can see that the router learned the IP address and MAC address of each Ethernet interface. The Age column indicates how long the router has had the information, and the Interface column indicates the interface from which it learned this information. Notice that the age of the 1.1.1.4 address is not indicated because it is the IP address of the Ethernet port that is connected to the router.

    Router#show arp

    Protocol  Address  Age (min)  Hardware Addr   Type  Interface

    Internet  1.1.1.2  207        0000.0c32.f57d  ARPA  Ethernet0

    Internet  1.1.1.4  -          0060.7062.e040  ARPA  Ethernet0

    Router#

    Clear arp

    The information stored in the ARP table can become corrupted occasionally, which causes the router to experience packet-delivery problems. When this happens, the ARP table must be cleared and rebuilt. You must access


    privileged mode and issue the clear arp command in order to clear the ARP table. After you have cleared the ARP table, you can view it again using the show arp command. In this example, notice that all entries, with the exception of the directly connected interfaces of the router, have disappeared.

    Router#show arp

    Protocol  Address  Age (min)  Hardware Addr   Type  Interface

    Internet  1.1.1.2  -          0060.7062.e040  ARPA  Ethernet0

    Router#

    Lesson 7: Routing Protocols

    RIP

    Routing Information Protocol (RIP) is a standards-based, distance vector, interior gateway protocol (IGP) that is used by routers to exchange routing information. RIP uses hop count to determine the best path between two locations. Hop count is the number of routers through which a packet must travel in order to reach the destination network. The maximum allowable number of hops a packet can traverse in an IP network where RIP is implemented is 15 hops.

    In a RIP network, each router broadcasts its entire RIP table to its neighboring routers every 30 seconds. When a router receives a neighbor's RIP table, it uses the information provided to update its own routing table and then sends the updated table to its neighbors. This procedure is repeated by each router and results in a state

    referred to as network convergence, in which all routers have an identical view of the internetwork topology.
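The periodic table exchange, the hop-count metric, and the 15-hop limit described above, simulated in Python. This is an added example rather than lab manual code: the topology is a constructed one that uses the router names and classful networks from this lesson, a second constructed chain topology shows what happens past 15 hops, and all function names are my own.

```python
"""Simulate RIP distance-vector convergence by hop count."""

MAX_HOPS = 15                 # RIP's maximum usable hop count
RIP_INFINITY = MAX_HOPS + 1   # 16 hops means unreachable


def lab_topology():
    """Constructed topology using the routers from this lesson (not a lab diagram).

    Maps router name -> set of directly connected classful networks.
    Router1 and Router2 share 10.0.0.0 (Ethernet); Router1 and Router4 share
    172.16.0.0 (serial).
    """
    return {
        "Router1": {"10.0.0.0", "172.16.0.0"},
        "Router2": {"10.0.0.0"},
        "Router4": {"172.16.0.0"},
    }


def chain_topology(router_count):
    """Constructed chain R0-R1-...-R(n-1) with network 'linkI' between RI and RI+1."""
    topology = {"R%d" % i: set() for i in range(router_count)}
    for i in range(router_count - 1):
        topology["R%d" % i].add("link%d" % i)
        topology["R%d" % (i + 1)].add("link%d" % i)
    return topology


def neighbors(topology, router):
    """Two routers are RIP neighbors when they share a directly connected network."""
    return [other for other in topology
            if other != router and topology[other] & topology[router]]


def initial_tables(topology):
    """Each routing table maps network -> (hop_count, next_hop); connected = 0 hops."""
    return {router: {net: (0, None) for net in nets}
            for router, nets in topology.items()}


def rip_round(topology, tables):
    """One update cycle: every router broadcasts its whole table to its neighbors.

    Receivers add one hop to each advertised route and install it only when it
    beats what they already hold. Routes at or beyond RIP_INFINITY are never
    installed. Updates are computed from the previous round's tables, so the
    order in which routers send does not matter.
    """
    new_tables = {router: dict(table) for router, table in tables.items()}
    changed = False
    for sender, table in tables.items():
        for receiver in neighbors(topology, sender):
            for net, (hops, _next_hop) in table.items():
                advertised = min(hops + 1, RIP_INFINITY)
                current_hops = new_tables[receiver].get(net, (RIP_INFINITY, None))[0]
                if advertised < current_hops:
                    new_tables[receiver][net] = (advertised, sender)
                    changed = True
    return new_tables, changed


def converge(topology, max_rounds=64):
    """Run update rounds until nothing changes; return (tables, rounds_with_changes)."""
    tables = initial_tables(topology)
    for round_number in range(1, max_rounds + 1):
        tables, changed = rip_round(topology, tables)
        if not changed:
            return tables, round_number - 1
    raise RuntimeError("no convergence within %d rounds" % max_rounds)


if __name__ == "__main__":
    tables, rounds = converge(lab_topology())
    print("converged after %d update round(s)" % rounds)
    for router, table in sorted(tables.items()):
        for net, (hops, via) in sorted(table.items()):
            print("%s: %s hops=%d via=%s" % (router, net, hops, via))
```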

    Router>en

    Router#conf t

    Enter configuration commands, one per line. End with CNTL/Z.

    Router(config)#hostname Router1

    Router1(config)#int e0

    Router1(config-if)#ip address 10.1.1.1 255.255.255.0

    Router1(config-if)#no shut

    %LINK-3-UPDOWN: Interface Ethernet0, changed state to up

    Router1(config-if)#exit

    Router1(config)#int s0

    Router1(config-if)#ip address 172.16.10.1 255.255.0.0

    Router1(config-if)#no shut

    %LINK-3-UPDOWN: Interface Serial0, changed state to up

    %LINK-3-UPDOWN: Interface Serial0, changed state to down

    %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0, changed state to down

    Router1(config-if)#exit

    Router1(config)#

    RIP version 1 is classful, which means it does not include the subnet mask in its routing table updates. RIP version 2 is classless and does include the subnet information in its routing table updates. RIP version 1 is used


    in the example above. In order to use RIP version 2, the version 2 command must be entered after the router rip command.

    To enable RIP as the routing protocol on Router 1, the router rip command must be issued. Notice the new mode the router has entered.

    Router1(config)#router rip

    Router1(config-router)#

    Once RIP is running on Router 1, network statements must be used to tell the router which networks it is connected to. Every router interface that is directly connected to an active network needs a network number. Some networks will use the same IP addressing schemes with different subnets, and some will use entirely different addressing schemes.

    Router 1's Ethernet 0 interface has an IP address of 10.1.1.1 with a /24 subnet mask, and its serial 0 interface has an IP address of 172.16.10.1 with a /16 subnet mask. Because RIP is classful, only the classful portions of the addresses are used in the network statements: the network 10.0.0.0 statement should be used for the Ethernet 0 interface, and the network 172.16.0.0 statement should be used for the serial 0 interface.

    Router1(config-router)#network 172.16.0.0

    Router1(config-router)#network 10.0.0.0

    Router1(config-router)#

    Router>en

    Router#conf t

    Enter configuration commands, one per line. End with CNTL/Z.

    Router(config)#hostname Router2

    Router2(config)#int e0

    Router2(config-if)#ip address 10.1.1.2 255.255.255.0

    Router2(config-if)#no shut

    00:17:25: %LINK-3-UPDOWN: Interface Ethernet0, changed state to up

    Router2(config-if)#exit

    Router2(config)#


    Now, the RIP information must be added.

    Router2(config)#router rip

    Router2(config-router)#network 10.0.0.0

    Router2(config-router)#exit

    Router2(config)#exit

    Router2#

    RIP should now be running on the network between Router 1 and Router 2.
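The slash-notation table from the IP Addressing section and the classful network statements entered under router rip on Router 1 and Router 2 above, worked in Python; the same derivation applies to the IGRP network statements later in this lesson. This is an added example rather than lab manual code: the interface list is the one Router 1 was configured with in this lesson, and the function names are my own.

```python
"""Subnet mask conversion and classful 'network' statements for RIPv1/IGRP."""

import ipaddress

ALL_ONES = 0xFFFFFFFF


def prefix_to_mask(prefix_len):
    """Dotted-decimal mask for /prefix_len, e.g. 24 -> '255.255.255.0'."""
    if not 0 <= prefix_len <= 32:
        raise ValueError("prefix length must be between 0 and 32")
    mask_int = (ALL_ONES << (32 - prefix_len)) & ALL_ONES
    return str(ipaddress.IPv4Address(mask_int))


def mask_to_prefix(mask):
    """Prefix length for a dotted-decimal mask; rejects non-contiguous masks."""
    mask_int = int(ipaddress.IPv4Address(mask))
    prefix_len = bin(mask_int).count("1")
    if mask_int != (ALL_ONES << (32 - prefix_len)) & ALL_ONES:
        raise ValueError("%s is not a contiguous subnet mask" % mask)
    return prefix_len


def slash_table(first=8, last=31):
    """Rebuild the lab's slash-to-mask table as a list of ('/N', mask) pairs."""
    return [("/%d" % n, prefix_to_mask(n)) for n in range(first, last + 1)]


def classful_network(ip):
    """Classful network of an address, as RIPv1 and IGRP advertise it.

    The first octet decides the class: 0-127 class A (/8), 128-191 class B (/16),
    192-223 class C (/24). The configured subnet mask is deliberately ignored,
    which is exactly why the lab enters 'network 10.0.0.0' for 10.1.1.1/24.
    """
    first_octet = int(ipaddress.IPv4Address(ip)) >> 24
    if first_octet < 128:
        class_len = 8
    elif first_octet < 192:
        class_len = 16
    elif first_octet < 224:
        class_len = 24
    else:
        raise ValueError("%s is not a class A, B or C address" % ip)
    network = ipaddress.ip_network("%s/%d" % (ip, class_len), strict=False)
    return str(network.network_address)


def network_statements(interfaces):
    """'network' statements to enter under 'router rip' (or 'router igrp AS').

    interfaces: list of (name, ip, mask). Several subnets of one classful
    network collapse into a single statement, as they do on the router.
    """
    statements = []
    for _name, ip, _mask in interfaces:
        statement = "network %s" % classful_network(ip)
        if statement not in statements:
            statements.append(statement)
    return statements


# Router 1's interfaces as configured in this lesson.
ROUTER1_INTERFACES = [
    ("Ethernet0", "10.1.1.1", "255.255.255.0"),
    ("Serial0", "172.16.10.1", "255.255.0.0"),
]

if __name__ == "__main__":
    for slash, mask in slash_table():
        print(slash, mask)
    for name, ip, mask in ROUTER1_INTERFACES:
        print(name, ip, "/%d" % mask_to_prefix(mask), "->", classful_network(ip))
    print("\n".join(network_statements(ROUTER1_INTERFACES)))
```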

    Router>en

    Router#conf t

    Enter configuration commands, one per line. End with CNTL/Z.

    Router(config)#hostname Router4

    Router4(config)#int s0

    Router4(config-if)#ip address 172.16.10.2 255.255.0.0

    Router4(config-if)#no shut

    00:20:35: %LINK-3-UPDOWN: Interface Serial0, changed state to up

    Router4(config-if)#exit

    Router4(config)#

    Now, the RIP information must be added.

    Router4(config)#router rip

    Router4(config-router)#network 172.16.0.0

    Router4(config-router)#exit

    Router4(config)#exit

    Router4#

    Several show commands can be used to verify that the routers are receiving RIP routes. The most commonly used command is show ip route, which displays all entries in the routing table. This command should be issued at the privileged mode prompt on Router 4 to display the routes to the directly connected Router 1 and to the other routers on the network.

    Router4# show ip route

    Gateway of last resort is not set

    172.16.0.0/16 is subnetted, 1 subnet

    C 172.16.10.0 is directly connected, Serial 0

    R 10.0.0.0 [120/1] via 172.16.10.1 00:03:18, Serial 0

    In the line R 10.0.0.0 [120/1] via 172.16.10.1, 00:00:21, Serial0, the R indicates that this is a RIP route. The 10.0.0.0 portion of the output indicates the destination network. The [120/1] portion of the output indicates that 120 is the administrative distance and that 1 hop is required to reach the destination. RIP's default administrative distance is 120; administrative distance is considered the trustworthiness of the route. If two routing protocols have the same route, the router will pick the route with the lower administrative distance. The via 172.16.10.1 portion of the output indicates that 172.16.10.1 is the address of the next hop. The Serial0 portion of the output indicates that this information was learned via the serial 0 interface.

    The show ip protocols command displays information about the IP routing protocols that are enabled. The following is example output from the show ip protocols command.


    Router4#show ip protocols

    Routing Protocol is rip

    Sending updates every 30 seconds, next due in 12 seconds

    Invalid after 180 seconds, hold down 180, flushed after 240

    Outgoing update filter list for all interfaces is

    Incoming update filter list for all interfaces is

    Redistributing: rip

    Default version control: send version 1, receive any version

    Interface Send Recv Key-chain

    Routing for Networks:

    172.16.0.0

    Routing Information Sources:

    Gateway Distance Last Update

    172.16.10.1 120 00:00:09

    Distance: (default is 120)

    Router4#

    The output indicates that updates are being sent every 30 seconds. RIP is a distance vector routing protocol, so

    it exchanges its entire routing table every 30 seconds. The 172.16.0.0 network is under the Routing for Networks

    area, which indicates that the network statement is working. Notice that the administrative distance is 120,

    which is the default.

    IGRP

    Interior Gateway Routing Protocol (IGRP) is a standards-based, distance vector IGP that is used by routers to exchange routing information. IGRP uses a composite metric of bandwidth and delay to determine the best path; the metric can also take into account the maximum transmission unit (MTU), reliability, and load of the link.

    In an IGRP network, each router broadcasts its entire IGRP table to its neighboring routers every 90 seconds. When a router receives a neighbor's IGRP table, it uses the information provided to update its own routing table and then sends the updated table to its neighbors. This procedure is repeated by each router and results in a state referred to as network convergence, in which all routers have an identical view of the internetwork topology.

    Router>en

    Router#conf t

    Enter configuration commands, one per line. End with CNTL/Z.

    Router(config)#hostname Router1

    Router1(config)#int e0

    Router1(config-if)#ip address 10.1.1.1 255.255.255.0

    Router1(config-if)#no shut

    00:35:15: %LINK-3-UPDOWN: Interface Ethernet0, changed state to up

    Router1(config-if)#exit

    Router1(config)#int s0


    Router1(config-if)#ip address 172.16.10.1 255.255.0.0

    Router1(config-if)#no shut

    00:35:16: %LINK-3-UPDOWN: Interface Serial0, changed state to up

    Router1(config-if)#exit

    00:35:16: %LINEPROTO-5-UPDOWN: Line protocol on Interface Ethernet0, changed state to up

    IGRP is classful, which means it does not include the subnet mask in its routing table updates.

    To enable IGRP as the routing protocol on Router 1, the router IGRP AS command must be used. The AS parameter is the autonomous system number, which identifies a group of routers under a single administration with a common routing policy. The same autonomous system number must be used on every router with which Router 1's routing table should be shared.

    In this example, autonomous system number 100 will be used. Notice the new mode the router has entered.

    Router1(config)#router IGRP 100

    Router1(config-router)#

    Now that IGRP is running on the router, network statements must be used to tell the router which networks it is connected to. Every router interface that is directly connected to an active network needs a network number. Some networks will use the same IP addressing schemes with different subnets, and some will use entirely different addressing schemes. The diagram below shows two different addressing schemes.

    Router 1's Ethernet 0 interface has an IP address of 10.1.1.1 with a /24 subnet mask, and its serial 0 interface has an IP address of 172.16.10.1 with a /16 subnet mask. Because IGRP is classful, only the classful portions of the addresses are used in the network statements: the network 10.0.0.0 statement should be issued for the Ethernet 0 interface, and the network 172.16.0.0 statement should be issued for the serial 0 interface.

    Router1(config-router)#network 172.16.0.0

    Router1(config-router)#network 10.0.0.0

    Router1(config-router)#


    Router>en

    Router#conf t

    Enter configuration commands, one per line. End with CNTL/Z.

    Router(config)#hostname Router2

    Router2(config)#int e0

    Router2(config-if)#ip address 10.1.1.2 255.255.255.0

    Router2(config-if)#no shut

    01:23:17: %LINK-3-UPDOWN: Interface Ethernet0, changed state to up

    Router2(config-if)#exit

    01:23:18: %LINEPROTO-5-UPDOWN: Line protocol on Interface Ethernet0, changed state to up

    Router2(config)#

    Router2(config)#router IGRP 100

    Router2(config-router)#network 10.0.0.0

    Router2(config-router)#exit

    Router2(config)#exit

    Router2#

    IGRP should now be running on the network between Router 1 and Router 2.

    Router>en

    Router#conf t

    Enter configuration commands, one per line. End with CNTL/Z.

    Router(config)#hostname Router4

    Router4(config)#int s0

    Router4(config-if)#ip address 172.16.10.2 255.255.0.0

    Router4(config-if)#no shut

    01:23:17: %LINK-3-UPDOWN: Interface Ethernet0, changed state to up

    01:23:18: %LINEPROTO-5-UPDOWN: Line protocol on Interface Ethernet0, changed state to up

    Router4(config-if)#exit

    Router4(config)#

    Router4(config)#router IGRP 100

    Router4(config-router)#network 172.16.0.0

    Router4(config-router)#exit

    Router4(config)#exit

    Router4#

    Several show commands can be used to verify that the routers are receiving routes. The show ip route command should be issued on Router 4 to display the route to the directly connected Router 1.

    Router4#show ip route

    Gateway of last resort is not set


    172.16.0.0/16 is subnetted, 1 subnet

    C 172.16.10.0 is directly connected, Serial 0

    I 10.0.0.0 [100/651] via 172.16.10.1 00:03:18, Serial 0

    In the line I 10.0.0.0 [100/651] via 172.16.10.1, 00:00:21, Serial0, the I indicates that this is an IGRP route. The 10.0.0.0 portion of the output indicates the destination network. The 100 in the 100/651 notation indicates that 100 is the administrative distance (IGRP's default administrative distance is 100). If two routing protocols with the same route are available, the router will pick the route with the lower administrative distance. The 651 value indicates the calculated metric, which is based on bandwidth and delay. The via 172.16.10.1 portion of the output indicates the address of the next hop. The Serial0 portion

    learned via the serial 0 interface.

    The show ip protocols command displays information about the IP routing protocols that are enabled.

    Router4#show ip protocols

    Routing Protocol is igrp 100

    Sending updates every 90 seconds, next due in 12 seconds

    Invalid after 270 seconds, hold down 280, flushed after 630

    Outgoing update filter list for all interfaces is not set

    Incoming update filter list for all interfaces is not set

    Default networks flagged in outgoing updates

    Default networks accepted from incoming updates

    IGRP metric weight K1=1, K2=0, K3=1, K4=0, K5=0

    IGRP maximum hopcount 100

    IGRP maximum metric variance 1

    Redistributing: igrp 100

    Routing for Networks:

    172.16.0.0

    Routing Information Sources:

    Gateway Distance Last Update

    172.16.10.1 100 00:00:09

    Distance: (default is 100)

    Router4#

    The output indicates that updates are being sent every 90 seconds. Because IGRP is a distance vector routing protocol, it exchanges its entire routing table every 90 seconds. The 172.16.0.0 network is listed under the Routing for Networks area, which indicates that the network statement is working. Notice that the administrative distance is 100, which is the default.

    OSPF

    OSPF is a dynamic link-state, hierarchical IGP that is based on open standards. It was designed as a replacement for RIP and was derived from an early version of Intermediate System to Intermediate System (IS-IS). OSPF is a robust protocol whose features include least-cost routing, multipath routing, and load balancing. The shortest path through the network is calculated by using the Dijkstra algorithm. Cisco uses its own implementation of the OSPF standards with additional features that are important for interoperability.


    When OSPF starts on a router, the router goes through a few phases of initialization. First, the router uses hello packets to identify its neighbors and develop adjacencies (relationships for exchanging routing updates) with them. The router then enters the ExStart phase, in which the two neighbors decide which of them will control the initial database exchange. Next is the Exchange phase, in which the neighbors describe their link-state databases to each other with database description packets, each of which is acknowledged (ack) by the receiving router. During the Loading phase, the router requests the link-state advertisements it is still missing. Once the databases are synchronized, the adjacency is Full and the router is an active member of the area.

    Router>en

    Router#conf t

    Enter configuration commands, one per line. End with CNTL/Z.

    Router(config)#hostname Router1

    Router1(config)#int e0

    Router1(config-if)#ip address 10.1.1.1 255.255.255.0

    Router1(config-if)#no shut

    00:12:33: %LINK-3-UPDOWN: Interface Ethernet0, changed state to up

    Router1(config-if)#exit

    Router1(config)#int s0

    Router1(config-if)#ip address 172.16.10.1 255.255.0.0

    Router1(config-if)#no shut

    00:15:30: %LINK-3-UPDOWN: Interface Serial0, changed state to up

    00:15:35: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0, changed state to up

    Router1(config-if)#exit

    Next, the router ospf 100 command should be issued to enable OSPF as the routing protocol. The 100 parameter is the OSPF process ID. Unlike the IGRP autonomous system number, it is only locally significant and does not have to be the same for all of the routers within the OSPF area. The networks that are added to the OSPF process make up the area. Notice the new mode that the router enters once the command is issued.

    Router1(config)#router ospf 100

    Router1(config-router)#

    Once OSPF is running on Router 1, network statements must be used to tell the router which networks it is connected to, as well as to assign each network its wildcard mask and OSPF area. Every router interface that is directly connected to a network that should participate in OSPF must be covered by one of these network statements. The diagram below shows two different addressing schemes.


    Router 1's Ethernet 0 interface has an IP address of 10.1.1.1 with a /24 subnet mask, and its serial 0 interface has an IP address of 172.16.10.1 with a /16 subnet mask. When the network statements are issued, the network portion of the address, the wildcard mask, and the area ID (an integer between 0 and 4,294,967,295) must be provided. Thus, on Router 1, the network 10.0.0.0 0.0.0.255 area 0 command is issued to cover the Ethernet 0 interface, and the network 172.16.0.0 0.0.255.255 area 0 command is issued to cover the serial 0 interface. Note that a wildcard mask of 0.0.0.255 requires the first three octets to match exactly; on a production IOS router, 10.0.0.0 0.0.0.255 would therefore not match the interface address 10.1.1.1 (the second and third octets differ), and network 10.1.1.0 0.0.0.255 area 0, as used on Router 2 below, is the precise statement. The commands shown are the ones used in this lab.

    Router1(config-router)#network 10.0.0.0 0.0.0.255 area 0

    Router1(config-router)#network 172.16.0.0 0.0.255.255 area 0

    Router1(config-router)#exit

    Router1(config)#exit

    Router1#

    Now, the show running-config command can be used to verify that OSPF is running with process ID 100 and that the two networks were added to OSPF area 0.

    Router1#show running-config

    Next, Router 2 is configured with its Ethernet address and the same OSPF process.

    Router>en

    Router#conf t

    Enter configuration commands, one per line. End with CNTL/Z.

    Router(config)#hostname Router2

    Router2(config)#int e0

    Router2(config-if)#ip address 10.1.1.2 255.255.255.0

    Router2(config-if)#no shut

    Router2(config-if)#exit

    00:21:23: %LINK-3-UPDOWN: Interface Ethernet0, changed state to up

    00:21:42: %LINEPROTO-5-UPDOWN: Line protocol on Interface Ethernet0, changed state to up

    Router2(config)#


    Router2(config)#router ospf 100

    Router2(config-router)#network 10.1.1.0 0.0.0.255 area 0

    Router2(config-router)#exit

    Router2(config)#exit

    Router2#

    OSPF should now be running on the network between Router 1 and Router 2.

    Router>en

    Router#conf t

    Enter configuration commands, one per line. End with CNTL/Z.

    Router(config)#hostname Router4

    Router4(config)#int s0

    Router4(config-if)#ip address 172.16.10.2 255.255.0.0

    Router4(config-if)#no shut

    Router4(config-if)#exit

    Router4(config)#router ospf 100

    Router4(config-router)#network 172.16.0.0 0.0.255.255 area 0

    Router4(config-router)#exit

    Router4(config)#exit

    Router4#

    OSPF should now be running on all three routers. The ping command can be used to test connectivity between the routers. From Router 1, Router 4's serial 0 interface and Router 2's Ethernet interface should be pinged.

    Router1#ping 172.16.10.2

    Router1#ping 10.1.1.2

    Next, Router 1 should be pinged from Router 2 and Router 4.

    Router2#ping 10.1.1.1

    Router4#ping 172.16.10.1

    If all pings succeed, the routers are talking to each other in both directions and routing is successful.

    Now, the show ip ospf interface command should be issued.

    Router1#show ip ospf interface

    This is an excellent command for learning all interface information. The output includes the interface IP address, area assignment, process ID, router ID, cost, priority, network type, timer intervals, and adjacent neighbor information. You can also see the Designated Router (DR)/Backup Designated Router (BDR) information when it is applied.

    Finally, the show ip ospf neighbor command should be issued.

    Router1#show ip ospf neighbor


    This command displays all of the important information concerning neighbors and the adjacency state. It also shows each neighbor's router ID, priority, remaining dead-timer, interface address, and the local interface through which the neighbor was learned.

    Lesson 8: PPP with CHAP Authentication

    PPP

    Point-to-Point Protocol (PPP) is a protocol for communicating between two computers using a serial interface, typically a personal computer connected by phone line to a server. For example, your Internet service provider may supply you a PPP connection so that the provider's server can respond to your requests, pass them on to the Internet, and forward the Internet responses back to you. PPP is typically used with the Internet Protocol (IP) and is sometimes considered a member of the TCP/IP suite of protocols. PPP operates at the Data Link layer (Layer 2) of the Open Systems Interconnection (OSI) reference model. Essentially, it packages a computer's TCP/IP packets and forwards them to the server where they can actually be put on the Internet.

    PPP can run over a variety of physical media, including twisted-pair or fiber-optic lines or satellite transmissions. It uses a variation of High-Level Data Link Control (HDLC) framing for packet encapsulation.

    PPP is usually preferred over the earlier de facto standard, Serial Line Internet Protocol (SLIP), because it can handle synchronous as well as asynchronous communication. PPP can share a line with other users, and it includes error detection and link authentication (PAP and CHAP), both of which SLIP lacks. PPP is preferred over SLIP when possible.

    CHAP

    Challenge-Handshake Authentication Protocol (CHAP) provides a more secure procedure for connecting to a system than Password Authentication Protocol (PAP), which sends the user name and password across the link in clear text. Here's how CHAP works:

    1. After the link is established, the authenticator (server) sends a challenge message containing a random value to the connection requestor.

    2. The requestor responds with a value obtained by running a one-way hash function (MD5 in standard CHAP) over the message identifier, the shared secret, and the challenge value.

    3. The authenticator performs the same calculation with its own copy of the secret and compares the result to the response. If the values match, the authentication is acknowledged; otherwise, the connection is usually terminated.

    At any time, the authenticator can send a new challenge to the connected party and repeat the check. Because the secret itself never crosses the link, the challenge changes on every exchange, and re-authentication can be requested at any time, CHAP provides more security than PAP. A captured response cannot be replayed against a fresh challenge, although an attacker who records a challenge and its response can still run an offline dictionary attack against a weak secret, so the shared secret should be long and random.
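The exchange described above, as an added example that is not part of the lab manual and not Cisco's implementation. It models only the RFC 1994 arithmetic (MD5 over identifier, secret and challenge) and the per-peer username lookup; PPP framing and the CHAP packet layout are omitted, and the router names and secrets are constructed. The second pair of routers reproduces the lab's "default names and password" layout below, in which each side stores the other router's enable secret, to show that standard CHAP rejects the link because the two stored secrets differ.

```python
"""CHAP (RFC 1994) challenge/response between two PPP peers.

Added example; not part of the Boson lab manual and not Cisco code.
Only the authentication arithmetic is modelled: PPP framing, LCP and
the CHAP packet layout are omitted. Names and secrets are constructed.
"""
import hashlib
import hmac
import os


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 4.1: Response = MD5(Identifier || secret || Challenge value)."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


class Router:
    """A PPP peer holding its `username <peer> password <secret>` entries."""

    def __init__(self, hostname: str, usernames: dict):
        self.hostname = hostname
        self.usernames = {name: pw.encode() for name, pw in usernames.items()}

    def respond(self, identifier: int, challenge: bytes, challenger: str):
        """Answer a challenge with the secret stored for the challenger's name."""
        secret = self.usernames.get(challenger)
        if secret is None:
            return None  # no username entry for that peer: nothing to answer with
        return (identifier, chap_response(identifier, secret, challenge), self.hostname)

    def verify(self, identifier: int, challenge: bytes, response) -> bool:
        """Recompute the expected digest from our own entry for the claimed name."""
        if response is None:
            return False
        resp_id, digest, peer_name = response
        secret = self.usernames.get(peer_name)
        if secret is None or resp_id != identifier:
            return False
        expected = chap_response(identifier, secret, challenge)
        return hmac.compare_digest(digest, expected)  # constant-time comparison


def one_way(authenticator: Router, peer: Router, identifier: int = 1,
            challenge: bytes = None) -> bool:
    """One exchange: authenticator challenges, peer responds, authenticator verifies."""
    if challenge is None:
        challenge = os.urandom(16)  # must be unpredictable and never reused
    response = peer.respond(identifier, challenge, authenticator.hostname)
    return authenticator.verify(identifier, challenge, response)


def two_way(a: Router, b: Router) -> bool:
    """`ppp authentication chap` on both ends: each router authenticates the other."""
    return one_way(a, b) and one_way(b, a)


# Correct configuration: both username entries carry the same shared secret.
R1 = Router("R1", {"R2": "cool2"})
R2 = Router("R2", {"R1": "cool2"})

# The lab's layout, where each side stores the other router's enable secret.
# The two stored secrets differ, so RFC 1994 CHAP fails in both directions.
R1_LAB = Router("R1", {"R2": "cool2"})
R2_LAB = Router("R2", {"R1": "toast1"})

if __name__ == "__main__":
    print("matching secrets:", two_way(R1, R2))
    print("lab layout:", two_way(R1_LAB, R2_LAB))
```

The replay check in verify is what makes the random challenge matter: a response recorded from one exchange fails against any other challenge or identifier, which is the property PAP cannot offer.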

    The following interface command enables PPP:

    encapsulation ppp

    PPP must be enabled on both ends of the link.

    The following interface command must be added in order for authentication to be enabled:

    ppp authentication chap

    The routers will now require authentication over the link. They will attempt to log in with their host names as user names.


    On each router, an entry that matches the remote router's user name and password must be made:

    username Other_Router password Other_enable_pass

    In this lab the remote router's enable secret doubles as its CHAP password. On a production IOS router, CHAP does not use the enable secret at all: each side computes and verifies the response from the password in its own username entry for the peer, so the two username entries must contain the same shared secret, and that secret should not be reused as the enable secret or as any other password.

    (R1)s0----------s0(R2)

    PPP without CHAP

    Router 1:

    hostname R1

    interface serial 0

    encapsulation PPP

    no shutdown

    Router 2:

    hostname R2

    interface serial 0

    encapsulation PPP

    no shutdown

    PPP with CHAP Default Names and Password

    Router 1:

    hostname R1

    enable secret toast1

    username R2 password cool2

    interface serial 0

    encapsulation PPP

    ppp authentication chap

    no shutdown

    Router 2:

    hostname R2

    enable secret cool2

    username R1 password toast1

    interface serial 0

    encapsulation PPP

    ppp authentication chap

    no shutdown

    The following is a link where you can read more about PPP/CHAP authentication: http://www.cisco.com/warp/public/471/understanding_ppp_chap.html


    Lesson 9: Frame Relay

    Frame Relay is a network access protocol similar in principle to X.25. The main difference between Frame Relay and X.25 is that, whereas X.25 performs both error detection and error correction, Frame Relay only performs error detection.

    X.25 performs data checking and correcting at the network level. Consequently, the network devices on an X.25 network correct the corrupt data or ask for the data to be retransmitted. The cost of such checking and retransmission is network delay.

    Frame Relay leaves the task of error correction to the protocols used by intelligent devices at each end of the network. These intelligent devices provide end-to-end data integrity. Because Frame Relay relies on the end devices for error correction, less processing is needed inside the network and less delay occurs overall.

    The following command can be used to add a description to an interface to help keep track of permanent virtual circuits (PVCs). An example of a description might be Frame Relay to Boston.

    description descriptive_string

    The following interface command enables Frame Relay encapsulation (cisco is the default; ietf is used when the router at the far end of the PVC is not a Cisco device):

    encapsulation frame-relay [cisco | ietf]

    The following command assigns a data-link connection identifier (DLCI) to a Frame Relay subinterface:

    frame-relay interface-dlci dlci [broadcast]

    A DLCI is assigned by the local Frame Relay provider for every PVC connected to the router. DLCI numbers are not exchanged between routers; they are locally significant, so DLCI numbering at one Frame Relay site is independent of DLCI numbering at another site.

    The broadcast keyword is optional and should only be included if broadcast packets (e.g., IP RIP or IPX RIP/SAP updates) need to be forwarded out of the subinterface. In static routing examples, routing updates are not required and the keyword is omitted.

    The following interface command sets the Local Management Interface (LMI) type; obtain the LMI type from the Frame Relay provider:

    frame-relay lmi-type {ansi | cisco | q933a}

    LMI is a Frame Relay control protocol sent to the router from the Frame Relay switch at the service provider and is not exchanged between routers. The LMI type at one location does not have to match the LMI type at other locations.

    Supported LMI Types

    cisco    Cisco (default)
    ansi     ANSI Annex D
    q933a    CCITT Q.933 Annex A


    The following command statically maps a network-layer protocol address to a Frame Relay DLCI:

    frame-relay map ip ip_address dlci [broadcast]

    Again, the broadcast keyword is optional and should only be included if broadcast packets need to be forwarded out of the interface. In static routing examples, routing updates are not required and the keyword is omitted.

    The following command creates a subinterface, which can be configured as either a point-to-point or a multipoint connection:

    interface serial0.subinterface_# [point-to-point | multipoint]

    A subinterface is treated as if it were a separate interface dedicated for a PVC to a remote site. Serial0 indicates that the subinterface belongs to the physical serial 0 interface, and subinterface_# is the unique subinterface ID number. The subinterface ID number can be any unique value between 0 and 4,294,967,295 and does not have to be in any particular order (i.e., it is not necessary to begin with 1 and sequentially progress with 2, 3, and so on). In fact, to reduce confusion, it is good practice to identify a subinterface with the same number as the DLCI used on that subinterface.

    The following command assigns an IP address to the subinterface:

    ip address ip_address subnet_mask

    Lesson 10: Access Lists

    Access lists are used to control the flow of packets within a network based on information provided within the list. Standard IP access lists are very straightforward because the source IP address of a packet is the only criterion used to determine whether the packet should be permitted or denied.

    Access lists can be used for a variety of reasons, including controlling the propagation and reception of routing updates and identifying traffic for other router features. However, the primary implementation, and the main topic of this lesson, is the implementation of the access list as a security mechanism.

    Implementing Restricted Access

    You may choose to implement security policies for a variety of reasons, including, but certainly not limited to, isolating the internal network from an outside network and isolating departments from one another. Without the use of access lists, all packets within a network are allowed without restriction to all parts of the network.

    A common use of a standard IP access list is to restrict what can reach the internal network from an outside network such as the Internet. This type of access list is typically placed at the point of connection between the two networks. When an access list is used for interdepartmental isolation, the access list is typically placed at strategic locations within the internal network.


    The Basics of Standard IP Access Lists

    The basic format of the standard IP access list is as follows:

    access-list [#] [permit | deny] [source_address | any] [source_mask]

    An access list may contain multiple lines, each following the format shown above. The access list may specify multiple source IP addresses to be evaluated. Each line entry of the access list must carry the same access list number. The list is processed from the top down, and processing stops at the first line that matches; therefore, a specific statement (for example, a single host) must be placed before any more general statement that would also match it, and, within that constraint, the most frequently matched statements should be placed near the beginning of the list to avoid extra processing.

    The router determines the type of access list based on the access list number that is assigned. The numbering range for standard IP access lists is from 1 through 99. All standard IP access lists must be numbered within this range.

    After a number in the appropriate range has been assigned to the access list, the list dictates whether the packets to be evaluated will be permitted (allowed to pass) or denied (dropped and not allowed to pass). This is accomplished by using the permit or deny keyword in the access-list command. The keyword instructs the router whether packets that match the entry are permitted or denied.

    The standard IP access list allows for a source mask to be applied to the source IP address. Although similar to the subnet mask that is applied to IP addresses, the source mask (also called a wildcard mask) is somewhat different. When a source mask is used with IP access lists, a bit set to 0 means match exactly, and a bit set to 1 means do not care. For example, if you would like to include all hosts in the Class C network 192.1.1.0, the source address-source mask combination 192.1.1.0 0.0.0.255 should be used. The first, second, and third octets of the address (192.1.1) must match exactly (indicated by 0.0.0, or all zeros, in the source mask for the first three octets), and the fourth octet can be any value (indicated by 255, or all ones, in the source mask for the fourth octet). The use of this source address-source mask combination allows a single line in the access list to include all hosts in the 192.1.1.0 network.

    Using the keyword any is the same as using a source address-source mask combination of 0.0.0.0 255.255.255.255. The 255.255.255.255 source mask indicates that you do not care which bits are set in any octet of the source address. If no source mask is entered, the router will, by default, use a source mask of 0.0.0.0 and match exactly the address entered.

    After an access list has been created, the Cisco router will assume that any source IP addresses that are not explicitly permitted in the list will be denied. In other words, at the end of the access list, the router will implicitly deny everything that no earlier line matched. For example, if an access list contains a single line that permits host 1.1.1.1, all other source addresses will be implicitly denied.

    Creating a Simple Standard IP Access List

    Now we will discuss creating a standard IP access list using the following format:

    access-list [#] [permit | deny] [source_address| any] [source_mask]


    Router#conf t

    Enter configuration commands, one per line. End with CNTL/Z.

    Router(config)#access-list 1 permit host 1.1.1.1

    Router(config)#exit

    Router#

    Access list 1 now contains a single permit statement for host address 1.1.1.1. Because the source mask was not specified, the router applied the default mask of 0.0.0.0, so only that exact address matches. Remember that there is an implicit deny any statement at the end of the list, so every other source address is denied.

    Applying the Access List to an Interface

    The command for applying a standard IP access list to an interface is as follows:

    ip access-group [access_list_number] [in | out]

    Access lists can be applied as either outbound or inbound on the router interfaces. When an access list is applied as an inbound list and the router receives an inbound packet, it checks the source address of the packet against the access list. The packet is routed to the destination interface if the source address matches a permit statement in the access list. The packet is discarded if the source address matches a deny statement in the access list.

    When an access list is applied as an outbound list and the router receives a packet on an interface, the packet is routed to the appropriate outbound interface, and the source address of the packet is then checked against the access list. At this point, the router either permits the packet to exit the interface if its source address matches a permit statement in the access list or discards the packet if its source address matches a deny statement in the access list.

    The following commands apply access list 1 to interface Ethernet 0 as an inbound access list. Note the in parameter in the ip access-group 1 command.

    Router#conf t

    Enter configuration commands, one per line. End with CNTL/Z.

    Router(config)#int Ethernet 0

    Router(config-if)#ip access-group 1 in

    Router(config-if)#exit

    Router(config)#exit

    Router#

    The following commands apply access list 1 to interface Ethernet 0 as an outbound access list. Note the out

    parameter in the ip access-group 1 command.

    Router#conf t

    Enter configuration commands, one per line. End with CNTL/Z.

    Router(config)#int Ethernet 0

    Router(config-if)#ip access-group 1 out

    Router(config-if)#exit

    Router(config)#exit

    Router#


    Creating a More Advanced Standard IP Access List

    In this exercise, we will create access list 2 to meet the following criteria:

    Permit all packets originating from network 10.1.1.0 255.255.255.128.

    Deny all packets originating from network 10.1.1.128 255.255.255.128.

    Deny all packets originating from network 15.1.1.0, except for packets from a single host of 15.1.1.5.

    Permit all other packets.

    The following commands will accomplish these goals:

    Router#conf t

    Enter configuration commands, one per line. End with CNTL/Z.

    Router(config)#access-list 2 deny 10.1.1.128 0.0.0.127

    Router(config)#access-list 2 permit host 15.1.1.5

    Router(config)#access-list 2 deny 15.1.1.0 0.0.0.255

    Router(config)#access-list 2 permit any

    Router(config)#exit

    Router#

    Notice that there is no explicit permit statement for the 10.1.1.0 network; the last line, access-list 2 permit any, takes care of this criterion. Review the criteria, and verify that the necessary tasks have been completed:

    Permit all packets originating from network 10.1.1.0 255.255.255.128.

    The last line of the access list, access-list 2 permit any, accomplishes this criterion. It is not necessary to explicitly permit the 10.1.1.0 255.255.255.128 network in the access list because no other statement in the access list denies this network.

    Deny all packets originating from network 10.1.1.128 255.255.255.128.

    The first line of the access list, access-list 2 deny 10.1.1.128 0.0.0.127, accomplishes this criterion. The subnet mask 255.255.255.128 indicates that the first bit of the fourth octet has been assigned to the subnet and the last seven bits have been reserved for host addressing. Thus, the source mask in the deny statement, 0.0.0.127, indicates that you do not care about the last seven bits of the fourth octet, so every host from 10.1.1.128 through 10.1.1.255 matches.

    Deny all packets originating from network 15.1.1.0, except for packets from a single host of 15.1.1.5.

    This has been accomplished with line two, access-list 2 permit host 15.1.1.5, and line three, access-list 2 deny 15.1.1.0 0.0.0.255, of the access list. Remember that access lists are processed from the top down and that processing stops at the first match. The criteria stipulated that packets from network 15.1.1.0 be denied and that packets from host 15.1.1.5 be permitted. If lines two and three had been swapped and the entire 15.1.1.0 network was denied prior to permitting host 15.1.1.5, packets with a source address of 15.1.1.5 would match the more general criteria of deny 15.1.1.0 0.0.0.255 and be dropped before the permit statement was ever evaluated.


    Permit all other packets.

    The last line of the access list, access-list 2 permit any, accomplishes this by permitting every source address that was not matched by an earlier line. Without it, the implicit deny at the end of the list would drop all remaining traffic.
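The ordering rule above, as an added example that is not part of the lab manual and not IOS code: a small Python evaluator that parses the standard access-list lines exactly as written on this page, applies them top down with first-match semantics and the implicit deny, and evaluates access list 2 in both the correct order and the swapped order. The sample source addresses are constructed. The same address/wildcard comparison is the one IOS applies to OSPF network statements, which is why network 10.0.0.0 0.0.0.255 does not cover an interface addressed 10.1.1.1 while network 10.1.1.0 0.0.0.255 does.

```python
"""Standard IP access list evaluation: top-down, first match wins, implicit deny.

Added example; not part of the Boson lab manual and not IOS code. The
entries are the page's access list 1 and access list 2; the sample source
addresses are constructed for the example.
"""
import ipaddress
from typing import List, Tuple

Entry = Tuple[str, int, int]  # (action, address, wildcard) as 32-bit ints


def to_int(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))


def wildcard_match(candidate: int, address: int, wildcard: int) -> bool:
    """Wildcard bit 0 = must match exactly, bit 1 = do not care."""
    return ((candidate ^ address) & ~wildcard & 0xFFFFFFFF) == 0


def parse_entry(line: str) -> Entry:
    """Parse `access-list <1-99> permit|deny <source> [wildcard]` (also host/any)."""
    tokens = line.split()
    if len(tokens) < 4 or tokens[0] != "access-list":
        raise ValueError(f"not an access-list line: {line!r}")
    number = int(tokens[1])
    if not 1 <= number <= 99:
        raise ValueError(f"{number} is outside the standard IP range 1-99")
    action = tokens[2]
    if action not in ("permit", "deny"):
        raise ValueError(f"unknown action {action!r}")
    source = tokens[3:]
    if source[0] == "any":
        return action, 0, 0xFFFFFFFF
    if source[0] == "host":
        return action, to_int(source[1]), 0
    address = to_int(source[0])
    wildcard = to_int(source[1]) if len(source) > 1 else 0  # default mask 0.0.0.0
    return action, address, wildcard


def build(lines: List[str]) -> List[Entry]:
    return [parse_entry(line) for line in lines]


def evaluate(acl: List[Entry], source_ip: str) -> str:
    """Return 'permit' or 'deny' for a packet with this source address."""
    candidate = to_int(source_ip)
    for action, address, wildcard in acl:
        if wildcard_match(candidate, address, wildcard):
            return action  # processing stops at the first matching line
    return "deny"  # the implicit deny any at the end of every access list


ACL_1 = build(["access-list 1 permit host 1.1.1.1"])

ACL_2 = build([
    "access-list 2 deny 10.1.1.128 0.0.0.127",
    "access-list 2 permit host 15.1.1.5",
    "access-list 2 deny 15.1.1.0 0.0.0.255",
    "access-list 2 permit any",
])

# Lines two and three swapped: the general deny now shadows the host permit.
ACL_2_SWAPPED = [ACL_2[0], ACL_2[2], ACL_2[1], ACL_2[3]]

if __name__ == "__main__":
    for src in ("10.1.1.5", "10.1.1.133", "15.1.1.5", "15.1.1.6", "192.0.2.1"):
        print(f"{src:12} acl2={evaluate(ACL_2, src):7} "
              f"swapped={evaluate(ACL_2_SWAPPED, src)}")
```

Running the block prints one row per sample source; 15.1.1.5 is the only address whose verdict changes between the two orderings, which is exactly the shadowing the text warns about.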

    Bringing It All Together

    In general, the process for creating and implementing standard IP access lists is as follows:

    1. Create the access list with a number in the range of 1 through 99.

    2. Apply the access list, either inbound or outbound, to the appropriate interface.

    3. Choose the router and interface on which the access list is placed.

    Items 1 and 2 above have been fairly well covered in this lesson. Lastly, the placement of the access list needs to be discussed. In general, standard IP access lists should be placed nearer to the destination than to the source. However, this is not an absolute rule; certain exceptions exist. Due to the fact that standard IP access lists only operate on the source address, detailed granularity is not always possible. Care must be taken to avoid implementing undesirable policies. If a standard access list is placed near the source, it is possible that access will be impeded to devices other than those intended.

    For example, if access list 2, which we created in this lesson, were implemented as an inbound access list on the Ethernet interface of a router directly connected to the 15.1.1.0 network, the only host that would be allowed off the local segment would be 15.1.1.5. This access list would most likely be implemented as an outbound access list on the interface closest to the destination it is meant to protect.

    In the diagram below, assume that Workstation C has the 15.1.1.5 IP address and that Workstation D has the 10.1.1.133 IP address. You want to implement a policy for Workstation A that only allows Workstation C access from Ethernet C. You also want to implement a policy that will deny any access from Ethernet D. Access list placement is critical in this situation. If access list 2 from above is implemented as an outbound access list on an interface that also carries traffic toward Ethernet B, the policy is applied to Ethernet B as well, which is undesired. The same scenario holds true if the access list is implemented as an inbound access list on Router 1's serial interface. If you place this access list as an outbound access list on Router 1's Ethernet A interface, the desired policy is intact without any unwanted policy implementations.


    Access List Cheat Sheet

    Wildcard masks have a variety of uses in access lists, but typically you will want to do one of the following:

    Match an entire subnet

    Match an IP range

    Match every host and any host

    Here are some simple examples to accomplish these requirements.

    Match a Single Host

    All wildcard mask bits are zeros. For a standard access list (numbered 1 through 99) to permit the host 192.168.0.58, you could use the following command:

    access-list 1 permit 192.168.0.58 0.0.0.0

    Because standard access lists assume a 0.0.0.0 mask, you could rewrite the command as follows:

    access-list 1 permit 192.168.0.58

    For an extended access list (numbered 100 through 199) to permit the same host of 192.168.0.58, you should use one of the following commands:

    access-list 101 permit ip 192.168.0.58 0.0.0.0 any

    OR

    access-list 101 permit ip host 192.168.0.58 any


    Match an Entire Subnet

    The key to matching an entire subnet is to use the following formula for the wildcard mask:

    Wildcard mask = 255.255.255.255 - subnet mask

    So, for example, if the subnet mask is 255.255.255.0, the wildcard mask would be 0.0.0.255, as calculated below:

    255.255.255.255
    255.255.255.0 -
    ---------------
    0.0.0.255

    In this equation, subtract each octet separately, because an IP address is not a single whole number. The result is the bitwise complement of the subnet mask.

    To permit access to the network of 200.0.18.0 with a subnet mask of 255.255.255.0, you should use the following commands.

    Using a standard access list:

    access-list 1 permit 200.0.18.0 0.0.0.255

    Using an extended access list:

    access-list 101 permit ip 200.0.18.0 0.0.0.255 any

    To permit access to the network of 10.4.0.0 with a subnet mask of 255.255.0.0, you should use the following commands.

    Using a standard access list:

    access-list 1 permit 10.4.0.0 0.0.255.255

    Using an extended access list:

    access-list 100 permit ip 10.4.0.0 0.0.255.255 any

    Match an IP Range

    To calculate the wildcard mask for a range of addresses, subtract the lower IP address from the higher IP address. For the range 10.3.16.0 through 10.3.31.255:

    10.3.31.255
    10.3.16.0 -
    -----------
    0.0.15.255

    In this case, the wildcard mask for this range is 0.0.15.255.

    To permit access to this range, you should use the following commands.

    Using a standard access list:

    access-list 1 permit 10.3.16.0 0.0.15.255

    Using an extended access list:

    access-list 100 permit ip 10.3.16.0 0.0.15.255 any

    Note that this subtraction only yields a usable mask when the range is a block whose size is a power of 2 and whose first address is a multiple of that size: each non-zero octet of the mask must be one less than a power of 2 (i.e., 0, 1, 3, 7, 15, 31, 63, 127, or 255), and every octet to the right of a non-zero octet must be 255. A range such as 10.3.16.0 through 10.3.30.255 cannot be expressed with a single address/wildcard pair and needs several lines.
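The cheat-sheet arithmetic, as an added example that is not part of the lab manual and not IOS code. It computes the wildcard mask from a subnet mask and from an address range, rejects ranges that a single address/wildcard pair cannot express, and goes beyond the page by splitting an arbitrary range (here the constructed range 10.3.16.0 through 10.3.30.255) into the fewest aligned blocks, each rendered as one access-list line. The list numbers follow the standard (1 through 99) and extended (100 through 199) ranges.

```python
"""Wildcard-mask arithmetic behind the access list cheat sheet.

Added example; not part of the Boson lab manual and not IOS code. The
subnet masks and the 10.3.16.0-10.3.31.255 range are the page's own
examples; 10.3.16.0-10.3.30.255 is constructed to show the failure case.
"""
import ipaddress
from typing import List, Optional, Tuple

ALL_ONES = 0xFFFFFFFF


def to_int(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))


def to_dotted(value: int) -> str:
    return str(ipaddress.IPv4Address(value))


def wildcard_from_subnet_mask(mask: str) -> str:
    """255.255.255.255 minus the subnet mask, octet by octet (the bitwise NOT)."""
    return to_dotted(ALL_ONES - to_int(mask))


def wildcard_from_range(low: str, high: str) -> Optional[str]:
    """high - low, valid only when the range is a power-of-two sized block that
    starts on a multiple of its own size; otherwise None."""
    lo, hi = to_int(low), to_int(high)
    if hi < lo:
        return None
    wild = hi - lo
    if (wild + 1) & wild:  # not of the form 2^n - 1 (0, 1, 3, 7, 15, ...)
        return None
    if lo & wild:  # low address is not aligned to the block size
        return None
    return to_dotted(wild)


def split_range(low: str, high: str) -> List[Tuple[str, str]]:
    """Cover an arbitrary inclusive range with aligned blocks, largest first.

    Greedy on the largest block aligned at the current low address gives the
    minimum number of (address, wildcard) pairs.
    """
    lo, hi = to_int(low), to_int(high)
    blocks = []
    while lo <= hi:
        size = (1 << 32) if lo == 0 else lo & -lo  # largest block aligned at lo
        while lo + size - 1 > hi:  # shrink until the block fits inside the range
            size >>= 1
        blocks.append((to_dotted(lo), to_dotted(size - 1)))
        lo += size
    return blocks


def acl_line(number: int, action: str, address: str, wildcard: str) -> str:
    """Render a numbered entry; 1-99 is standard IP, 100-199 is extended IP."""
    if 1 <= number <= 99:
        return f"access-list {number} {action} {address} {wildcard}"
    if 100 <= number <= 199:
        return f"access-list {number} {action} ip {address} {wildcard} any"
    raise ValueError(f"{number} is not a standard or extended IP list number")


if __name__ == "__main__":
    print(wildcard_from_subnet_mask("255.255.255.0"))
    print(wildcard_from_range("10.3.16.0", "10.3.31.255"))
    print(wildcard_from_range("10.3.16.0", "10.3.30.255"))
    for address, wildcard in split_range("10.3.16.0", "10.3.30.255"):
        print(acl_line(1, "permit", address, wildcard))
```

For the misaligned range the splitter emits four lines (0.0.7.255, 0.0.3.255, 0.0.1.255, 0.0.0.255 blocks); this is the same decomposition you would write by hand when a provider gives you a range that is not a clean power-of-two block.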

    Match Every Host and Any Host

    This is the easiest access list to create.


    Using a standard access list:

    access-list 1 permit any

    OR

    access-list 1 permit 0.0.0.0 255.255.255.255

    Using an extended access list:

    access-list 101 permit ip any any

    Lesson 11: Switches

    Switches, which work at the Data Link layer (Layer 2) of the Open Systems Interconnection (OSI) model, concentrate the point of attachment for workstations, servers, routers, hubs, and other switches. A switch provides a dedicated point-to-point connection between two networking devices; thus, collisions do not occur on a full-duplex switched port.

    Switch Components

    A switch includes many of the hardware components of a PC, including a CPU, RAM, and an internetwork operating system (IOS). A switch can be managed the same as a router: you can connect to its console port, telnet to its IP address, and even change the IOS through the use of TFTP. Telnet and TFTP both carry credentials and configuration in clear text, so on a production switch prefer SSH and restrict management access to a dedicated management network.

    Switches use some of the same commands that routers use. To check information about the interfaces, you can use the show interfaces command. To display the IP information for the interfaces, use the show ip interfaces command. To display the IOS version and hardware details, use the show version command. To display the current configuration, use the show running-config command.

    The show mac-address-table command displays the MAC table for the switch. The MAC table is the table that matches each port on the switch with the MAC addresses it has learned on that port.

    Command-Line Interface

    User Mode vs. Privileged Mode

    User mode is indicated by the > prompt that follows the switch name. In user mode, you can look at some of the switch's settings, but you cannot change them. In privileged mode, accessed by using the enable command in user mode and indicated by the # prompt, you can use the different show commands to view all settings on the switch and enter global configuration mode with the configure terminal command.

    Switch>

    Switch>enable

    Switch#

    Accessing Help

    To view all commands available from this mode, type ?. This will display a list of all available commands in the

    current mode. You can also use the question mark after you have started typing a command. For example if you

    want to use a showcommand but you do not remember which one to use, type show ?to display all commands

    that you can use with the showcommand.

    r1#show ?


    access-expression List access expression

    access-lists List access lists

    backup Backup status

    cdp CDP information

    clock Display the system clock

    cls DLC user information

    compress Show compression statistics

    configuration Contents of Non-Volatile memory

    --More--

    You can enter global configuration mode by using the configure terminal command. You can exit configuration mode by typing end or pressing the CTRL+Z key combination.

    Switch#config t

    Switch(config)#end