Anda di halaman 1dari 172

IOS

Essentials
Version 1.0.2 - November 16, 2015

by Christian Brli

www.macparc.ch/ccna

































Table of Contents

1
2
3

Basic Switch Configuration ............................................................................................................................................... 6


Basic Router Configuration ............................................................................................................................................... 7
Verification Commands ...................................................................................................................................................... 8
3.1
Various show Commands ........................................................................................................................................ 8
3.2
Output Filters ............................................................................................................................................................... 8
4 Command History Feature ................................................................................................................................................ 9
5 Switch Management Interface Configuration ........................................................................................................... 9
5.1
Configure Switch Management Interface ......................................................................................................... 9
5.2
Configure Switch Default Gateway ..................................................................................................................... 9
5.3
Verify Switch Management Interface Configuration ................................................................................... 9
5.4
VLAN Creation and Association to a Switch Port ......................................................................................... 9
6 Configure Switch Ports .................................................................................................................................................... 10
6.1
Duplex and Speed .................................................................................................................................................... 10
6.2
Auto-MDIX .................................................................................................................................................................. 10
7 Switch & Port Security ..................................................................................................................................................... 11
7.1
Configure SSH for Remote Management ....................................................................................................... 11
7.2
Secure/Disable Unused Ports ............................................................................................................................ 12
7.3
DHCP Snooping ......................................................................................................................................................... 12
7.4
Configure Port Security ......................................................................................................................................... 13
7.5
Configure Violation Mode .................................................................................................................................... 13
7.6
Verify Port Security ................................................................................................................................................ 14
7.7
Configure Network Time Protocol (NTP) ..................................................................................................... 14
8 VLANs ...................................................................................................................................................................................... 15
8.1
Create VLAN(s) ......................................................................................................................................................... 15
8.2
Assigning Ports to VLANs .................................................................................................................................... 15
8.3
Remove VLAN Assignment .................................................................................................................................. 15
8.4
Deleting VLANs ......................................................................................................................................................... 15
8.5
Display VLAN Information .................................................................................................................................. 16
8.6
Display Interface VLAN (or Trunk) Configuration .................................................................................... 16
9 Trunks ..................................................................................................................................................................................... 17
9.1
Trunk Configuration ............................................................................................................................................... 17
9.2
Resetting Trunk ........................................................................................................................................................ 17
9.3
Dynamic Trunk Protocol (DTP) ........................................................................................................................ 17
10 Troubleshoot VLANs and Trunks ................................................................................................................................ 19
10.1 Missing VLAN ............................................................................................................................................................ 19
10.2 Troubleshooting Trunks ....................................................................................................................................... 20
10.3 Common Problems with Trunks ....................................................................................................................... 20
10.4 Security Protect Ports with PVLAN Edge .................................................................................................. 21
11 Inter-VLAN Routing .......................................................................................................................................................... 22
11.1 Legacy Inter-VLAN Routing ................................................................................................................................ 22
11.2 Router-on-a-Stick Inter-VLAN Routing .......................................................................................................... 23
11.3 Multilayer Switch Inter-VLAN Routing .......................................................................................................... 24
11.4 Troubleshoot Inter-VLAN Routing ................................................................................................................... 26
12 Static Routing ....................................................................................................................................................................... 27
12.1 IPv4 Static Route ...................................................................................................................................................... 27
12.2 IPv4 Default Static Route ..................................................................................................................................... 28
12.3 IPv4 Summary Static Route ................................................................................................................................ 28
12.4 IPv4 Floating Static Route .................................................................................................................................... 29
12.5 Troubleshoot IPv4 Static Route Configuration ........................................................................................... 30
12.6 IPv6 Static Route ...................................................................................................................................................... 30
12.7 IPv6 Default Static Route ..................................................................................................................................... 31
12.8 IPv6 Summary Static Route ................................................................................................................................ 31


13 Dynamic Routing ................................................................................................................................................................ 32
13.1 Check for Dynamic Routing Protocols ............................................................................................................ 32
13.2 Enable RIP or RIPv2 (IPv4) ................................................................................................................................. 33
13.3 Enable RIPng (IPv6) ............................................................................................................................................... 34
14 Single-Area OSPFv2 (IPv4) ............................................................................................................................................ 35
14.1 Router ID ..................................................................................................................................................................... 35
14.2 Enable OSPF on Interfaces ................................................................................................................................... 36
14.3 Propagating a Default Static Route in OSPF ................................................................................................. 38
14.4 OSPF Cost .................................................................................................................................................................... 39
14.5 Secure OSPF with MD5 Authentication .......................................................................................................... 42
14.6 Verify OSPF ................................................................................................................................................................. 43
15 Single-Area OSPFv3 (IPv6) ............................................................................................................................................ 46
15.1 Differences between OSPFv2 and OSPFv3 ................................................................................................... 46
15.2 Steps to Configure OSPFv3 .................................................................................................................................. 46
15.3 Configure Link-Local Addresses ....................................................................................................................... 47
15.4 OSPFv3 Router ID .................................................................................................................................................... 48
15.5 Enable OSPFv3 on Interfaces ............................................................................................................................. 49
15.6 Modify OSPFv3 Hello and Dead Intervals ..................................................................................................... 50
15.7 Propagating a Default Static Route in OSPFv3 ............................................................................................ 51
15.8 Verify OSPFv3 ........................................................................................................................................................... 52
16 Multiarea OSPF .................................................................................................................................................................... 54
16.1 Configure Multiarea OSPFv2 .............................................................................................................................. 54
16.2 OSPF Route Summarization ................................................................................................................................ 55
16.3 Configure Multiarea OSPFv3 .............................................................................................................................. 56
16.4 Verify Multiarea OSPF ........................................................................................................................................... 57
17 EIGRP for IPv4 ..................................................................................................................................................................... 59
17.1 Router ID ..................................................................................................................................................................... 59
17.2 The network Command ........................................................................................................................................ 60
17.3 Passive Interfaces .................................................................................................................................................... 61
17.4 Automatic Summarization ................................................................................................................................... 62
17.5 Manual Summarization ......................................................................................................................................... 64
17.6 Propagating a Default Static Route .................................................................................................................. 65
17.7 Fine-tuning EIGRP Interfaces ............................................................................................................................. 66
17.8 MD5 Authentication ............................................................................................................................................... 67
17.9 Troubleshoot EIGRP ............................................................................................................................................... 69
17.10
Verify EIGRP for IPv4 ....................................................................................................................................... 70
18 EIGRP for IPv6 ..................................................................................................................................................................... 73
18.1 Configure IPv6 Link-local Adresses ................................................................................................................. 73
18.2 Configure EIGRP for IPv6 ..................................................................................................................................... 73
18.3 Enable EIGRP for IPv6 on Interfaces ............................................................................................................... 74
18.4 Passive Interfaces .................................................................................................................................................... 74
18.5 Manual Summarization ......................................................................................................................................... 75
18.6 Propagating a Default Static Route .................................................................................................................. 76
18.7 Fine-tuning EIGRP Interfaces ............................................................................................................................. 77
18.8 MD5 Authentication ............................................................................................................................................... 78
18.9 Troubleshoot EIGRP ............................................................................................................................................... 78
18.10
Verify EIGRP for IPv6 ....................................................................................................................................... 79
19 Access Control Lists (ACLs) ........................................................................................................................................... 81
19.1 Numbered and Named ACLs ............................................................................................................................... 81
19.2 Wildcard Bit Mask Abbrevations ...................................................................................................................... 81
19.3 The Implied "Deny All Traffic" Criteria Statement ................................................................................... 81
19.4 Standard ACLs (IPv4) ............................................................................................................................................ 82
19.5 Extended ACLs (IPv4) ............................................................................................................................................ 87
19.6 IPv6 ACLs .................................................................................................................................................................... 91
19.7 Verify ACLs ................................................................................................................................................................. 93



20 DHCP ........................................................................................................................................................................................ 95
20.1 Basic DHCPv4 Configuration .............................................................................................................................. 95
20.2 Verify DHCPv4 .......................................................................................................................................................... 96
20.3 DHCPv4 Relay ........................................................................................................................................................... 97
20.4 Configure a Router as DHCP Client .................................................................................................................. 97
20.5 Verify DHCPv4 Relay & Services ....................................................................................................................... 98
20.6 Debug DHCPv4 .......................................................................................................................................................... 98
20.7 DHCPv6 ........................................................................................................................................................................ 99
21 NAT for IPv4 ....................................................................................................................................................................... 105
21.1 Static NAT ................................................................................................................................................................. 105
21.2 Dynamic NAT ........................................................................................................................................................... 107
21.3 PAT (NAT Overload) ............................................................................................................................................ 109
21.4 Port Forwarding (Tunneling) ........................................................................................................................... 111
21.5 Troubleshoot NAT ................................................................................................................................................. 112
22 Spanning Tree .................................................................................................................................................................... 113
22.1 Default Switch STP Settings .............................................................................................................................. 113
22.2 Configure and Verify the Bridge ID (BID)/Priority ................................................................................ 113
22.3 Configure and Verify Port Cost ........................................................................................................................ 114
22.4 PortFast and BPDU Guard .................................................................................................................................. 115
22.5 PVST+ Load Balancing ......................................................................................................................................... 116
22.6 Rapid PVST+ ............................................................................................................................................................ 117
22.7 Analyzing the STP Topology ............................................................................................................................. 118
22.8 STP Status Overview ............................................................................................................................................ 118
22.9 First Hop Redundancy Protocols (FHRP) ................................................................................................... 119
23 EtherChannel ..................................................................................................................................................................... 121
23.1 Link Aggregation Control Protocol (LACP) ................................................................................................ 121
23.2 Port Aggregation Protocol (PagP) .................................................................................................................. 122
23.3 Verify EtherChannel ............................................................................................................................................. 123
24 Point-to-Point Connections ......................................................................................................................................... 125
24.1 Configure HDLC Encapsulation ....................................................................................................................... 125
24.2 Verify a Serial Interface ...................................................................................................................................... 125
24.3 Configure PPP Encapsulation ........................................................................................................................... 127
24.4 Verify PPP Configuration/Encapsulation ................................................................................................... 131
25 Frame Relay ........................................................................................................................................................................ 133
25.1 Basic Frame Relay Configuration ................................................................................................................... 133
25.2 Configure a Static Frame Relay Map ............................................................................................................. 134
25.3 Configure Point-to-Point Subinterfaces ....................................................................................................... 136
25.4 Local Management Interface (LMI) ............................................................................................................... 137
25.5 Verify Frame Relay ............................................................................................................................................... 138
25.6 Troubleshoot Frame Relay ................................................................................................................................ 140
26 PPPoE Client Configuration for DSL ......................................................................................................................... 141
27 Virtual Private Networks (VPNs) .............................................................................................................................. 142
27.1 GRE Tunnel ............................................................................................................................................................... 142
28 Monitoring the Network ............................................................................................................................................... 144
28.1 Syslog .......................................................................................................................................................................... 144
28.2 Simple Network Management (SNMP) ........................................................................................................ 148
28.3 NetFlow ...................................................................................................................................................................... 150
29 Troubleshooting the Network .................................................................................................................................... 154
29.1 Data Collection for Documentation ............................................................................................................... 154
29.2 Gather Symptoms .................................................................................................................................................. 155
29.3 Troubleshooting IP Connectivity .................................................................................................................... 156
30 IOS Images & Licensing ................................................................................................................................................. 163
30.1 Display the IOS Image .......................................................................................................................................... 163
30.2 IOS Backup ............................................................................................................................................................... 164
30.3 Select Boot System ................................................................................................................................................ 165
30.4 IOS Licensing ........................................................................................................................................................... 166
IOS Shortcuts ................................................................................................................................................................................ 172
4

1 Basic Switch Configuration



Switch> enable
Switch# configure terminal
Switch(config)# hostname S1
S1(config)# no ip domain-lookup
S1(config)# enable secret class
S1(config)# line
S1(config-line)#
S1(config-line)#
S1(config-line)#
S1(config-line)#

console 0
logging synchronous
password cisco
login
exit

S1(config)# line
S1(config-line)#
S1(config-line)#
S1(config-line)#

vty 0 4
password cisco
login
exit

S1(config)# line
S1(config-line)#
S1(config-line)#
S1(config-line)#

aux 0
password cisco
login
exit

S1(config)# service password-encryption


R1(config)# banner motd #Authorized Personnel Only!#
S1(config)# interface vlan 1
S1(config-if)# description VLAN 1
S1(config-if)# ip address 172.16.5.2 255.255.255.0
S1(config-if)# no shutdown
S1(config-if)# exit
S1(config)# ip default-gateway 172.16.5.1
S1(config)# end
S1# write
Building configuration
[OK]



Restore a switch into its factory default condition with 1 default VLAN

Switch# delete flash:vlan.dat
Switch# erase startup-config
Switch# reload

2 Basic Router Configuration



Router> enable
Router# configure terminal
Router(config)# hostname R1
R1(config)# no ip domain-lookup
R1(config)# enable secret class
R1(config)# line
R1(config-line)#
R1(config-line)#
R1(config-line)#
R1(config-line)#

console 0
logging synchronous
password cisco
login
exit

R1(config)# line
R1(config-line)#
R1(config-line)#
R1(config-line)#

vty 0 4
password cisco
login
exit

R1(config)# line
R1(config-line)#
R1(config-line)#
R1(config-line)#

aux 0
password cisco
login
exit

R1(config)# service password-encryption


R1(config)# banner motd #Authorized Personnel Only!#
R1(config)# interface g0/0
R1(config-if)# description Link to LAN 1
R1(config-if)# ip address 172.16.5.1 255.255.255.0
R1(config-if)# no shutdown
R1(config-if)# exit
R1(config)# interface g0/1
R1(config-if)# description Link to LAN 2
R1(config-if)# ip address 192.168.5.1 255.255.255.0
R1(config-if)# no shutdown
R1(config-if)# exit
R1(config)# interface serial 0/0/0
R1(config-if)# description Link to R2
R1(config-if)# ip address 209.10.5.1 255.255.255.0
R1(config-if)# clock rate 128000
R1(config-if)# no shutdown
R1(config-if)# exit
R1(config)# interface loopback 0
R1(config-if)# ip address 10.0.0.1 255.255.255.0
R1(config-if)# end
R1# write


Resetting Router Configuration

Router# erase startup-config
Router# reload

3 Verification Commands

3.1 Various show Commands



Display interface status




Display current startup configuration


Display current operation configuration


Display commands configured on a specified int








Display information about flash file system

Display system hardware and software status

Display history of commands entered


Display IP information for all interfaces


Display IP information about an interface


Display contents of the IPv4 routing table (RAM)

Displays configured routing protocols


Displays info about learned OSPF neighbors

Displays info about the enabled routed protocol

Displays info on directly connected devices

Display the MAC address table
















S1# show interfaces interface-id


S1# show startup-config
S1# show running-config
S1# show running-config interface
interface-id
S1# show flash
S1# show version
S1# show history
R1# show ip interface [ brief ]
R1# show ip interface-id
R1# show ip route
R1# show ip protocols
R1# show ip ospf neighbor
R1# show protocols
R1# show cdp neighbors
S1# show mac-address-table

or

S1# show mac address-table

3.2 Output Filters



To enable the filtering command, enter a pipe (|) character after the show command and then enter a
filtering parameter and a filtering expression.

Example:

S1# show ip interface brief | exclude unassigned


Filtering parameters that can be configured after the pipe:

section
Shows entire section that starts with the filtering expression
include
Includes all output lines that match the filtering expression
exclude
Excludes all output lines that match the filtering expression
begin
Shows all the output lines, starting with the line that matches the filtering expression


8

4 Command History Feature



To recall the most recent command in the history buffer, press Ctrl+P or the Up Arrow key.

To return to more recent commands in the history buffer, press Ctrl+N or the Down Arrow key.

Show command history buffer:
R1# show history

By default, command history is enabled and the system captures the last 10 command lines in its
history buffer.

Command to increase or decrease the size of the buffer (for the current terminal session):

R1# terminal history size 100


5 Switch Management Interface Configuration

5.1 Configure Switch Management Interface



S1# configure terminal
S1(config)# interface vlan 99
S1(config-if)# ip address 192.168.1.2 255.255.255.0
S1(config-if)# no shutdown
S1(config-if)# end
S1# copy running-config startup-config

5.2 Configure Switch Default Gateway


S1# configure terminal


S1(config)# ip default-gateway 192.168.1.1
S1(config)# end
S1# copy running-config startup-config

5.3 Verify Switch Management Interface Configuration


S1# show ip interface brief

5.4 VLAN Creation and Association to a Switch Port



The SVI for VLAN 99 will not appear as "up/up" until VLAN 99 is created and there is a device
connected to a switch port associated with VLAN 99. To create a VLAN with the vlan_id of 99, and
associate it to an interface, use the following commands:

S1# configure terminal
S1(config)# vlan vlan_id
S1(config-vlan)# name vlan_name
S1(config-vlan)# exit
S1(config)# interface interface-id
S1(config-if)# switchport access vlan vlan_id

6 Configure Switch Ports


6.1 Duplex and Speed



S1# configure terminal
S1(config)# interface FastEthernet 0/1
S1(config-if)# duplex full
S1(config-if)# speed 100
S1(config-if)# end
S1# copy running-config startup-config

6.2 Auto-MDIX

S1# configure terminal
S1(config)# interface FastEthernet 0/1
S1(config-if)# duplex auto
S1(config-if)# speed auto
S1(config-if)# mdix auto
S1(config-if)# end
S1# copy running-config startup-config



Verify Auto-MDIX

S1# show controllers ethernet-controller fa 0/1 phy | include Auto-MDIX

10

7 Switch & Port Security


7.1 Configure SSH for Remote Management



Verify SSH support

S1# show ip ssh



Configure the IP domain

S1# configure terminal
S1(config)# ip domain-name cisco.com



Generate RSA key pairs

S1(config)# crypto key generate rsa
The name for the keys will be S1.cisco.com

How many bits in the modulus [512]: 1024



(Deleting RSA key pairs)

S1(config)# crypto key zeroize rsa



Configure user authentication

S1(config)# username admin secret ccna



Configure the vty lines

S1(config)# line
S1(config-line)#
S1(config-line)#
S1(config-line)#

vty 0 15
transport input ssh
login local
exit



Enable SSH version 2

S1(config)# ip ssh version 2
S1(config)# exit

11

7.2 Secure/Disable Unused Ports


S1(config-if)# shutdown



Configure a range of ports

S1(config)# interface range FastEthernet0/5 24


S1(config-if-range)# shutdown

7.3 DHCP Snooping



Enable DHCP snooping

S1(config)# ip dhcp snooping



Enable DHCP snooping for specific VLANs

S1(config)# ip dhcp snooping vlan 10,20



Defining the trusted ports

S1(config)# interface FastEthernet0/1
S1(config-if)# ip dhcp snooping trust



Limit the rate at which bogus DHCP requests can continually be sent through untrusted ports

S1(config)# interface FastEthernet0/2
S1(config-if)# ip dhcp snooping limit rate 5

12

7.4 Configure Port Security



7.4.1

Static Secure MAC Addresses

S1(config-if)# switchport port-security mac-address mac-address


7.4.2

Dynamic Secure MAC Addresses

S1(config)# interface FastEthernet 0/1


S1(config-if)# switchport mode access
S1(config-if)# switchport port-security


7.4.3 Sticky Secure MAC Addresses

To convert dynamically learned MAC addresses to sticky secure MAC addresses

S1(config)# interface FastEthernet 0/1
S1(config-if)# switchport mode access
S1(config-if)# switchport port-security
S1(config-if)# switchport port-security maximum 50
S1(config-if)# switchport port-security mac-address sticky



Manually defined sticky secure MAC addresses

S1(config-if)# switchport port-security mac-address sticky mac-address



Disable sticky learning

S1(config-if)# no switchport port-security mac-address sticky

7.5 Configure Violation Mode



S1(config-if)# switchport port-security violation {protect | restrict |
shutdown}

13

7.6 Verify Port Security



7.6.1

Verify Port Security Settings

S1# show port-security [interface interface-id]


7.6.2

Verify sticky MAC Running Config

S1# show run | begin FastEthernet 0/5


7.6.3

Verify Secure MAC Addresses

S1# show port-security address

7.7 Configure Network Time Protocol (NTP)



7.7.1 Configuring NTP on a Router

NTP server

R1(config)# ntp master 1



NTP client

R2(config)# ntp server 10.0.0.1


7.7.2

Verify NTP

R2# show ntp associations


R2# show ntp status

14

8 VLANs

8.1 Create VLAN(s)



S1# configure terminal
S1(config)# vlan vlan-id
S1(config-vlan)# name vlan-name
S1(config-vlan)# end



Good practice, but not necessary: Normal Range VLANs (11005) are saved to vlan.dat (flash
memory).

S1# copy running-config startup-config



Create a series of VLAN IDs

S1(config)# vlan 100,125,130,140-159

8.2 Assigning Ports to VLANs



S1# configure terminal
S1(config)# interface [range] interface-id
S1(config-if)# switchport mode access
S1(config-if)# switchport access vlan vlan-id
S1(config-if)# end

8.3 Remove VLAN Assignment


S1# configure terminal


S1(config)# interface [range] interface-id
S1(config-if)# no switchport access vlan
S1(config-if)# end

8.4 Deleting VLANs


S1# configure terminal


S1(config)# no vlan vlan-id
S1(config)# end



Deleting the entire vlan.dat file (reset to factory default VLAN configuration)

S1# delete flash:vlan.dat

or
S1# delete vlan.dat

15

8.5 Display VLAN Information



Display contents of the vlan.dat file

S1# show vlan [brief | id vlan-id | name vlan-name | summary]

8.6 Display Interface VLAN (or Trunk) Configuration



S1# show interfaces [interface-id | vlan vlan-id | ] switchport

16

9 Trunks

9.1 Trunk Configuration



S1# configure terminal
S1(config)# interface interface-id
S1(config-if)# switchport mode trunk
S1(config-if)# switchport trunk native vlan vlan-id
S1(config-if)# switchport trunk allowed vlan vlan-list
S1(config-if)# end

9.2 Resetting Trunk



S1# configure terminal
S1(config)# interface interface-id
S1(config-if)# no switchport trunk allowed vlan
S1(config-if)# no switchport trunk native vlan
S1(config-if)# end



Return Port to Access Mode

S1(config-if)# switchport mode access

9.3 Dynamic Trunk Protocol (DTP)



9.3.1

Negotiated Interface Modes

S1(config-if)# switchport mode access


Permanent nontrunking mode, regardless of whether the neighboring interface is a trunk interface.;
negotiates to convert the link into a nontrunk link.


S1(config-if)# switchport mode dynamic auto


Default switchport mode for all Ethernet interfaces.
The interface is able to convert the link to a trunk link if the neighboring interface is set to trunk or
desirable mode.


S1(config-if)# switchport mode dynamic desirable


Able to convert the link to a trunk link. The interface becomes a trunk interface if the neighboring
interface is set to trunk or desirable mode.


S1(config-if)# switchport mode trunk


Permanent trunking mode, even if the neighboring interface is not a trunk interface; negotiates to
convert the neighboring link into a trunk link.


17


9.3.2 DTP Configuration Matrix

Results of the DTP configuration options on opposite ends of a trunk link


9.3.3 Disable DTP

E.g. to enable trunking from a Cisco switch to a device that does not support DTP

S1(config-if)# switchport nonegotiate


Prevents the interface from generating DTP frames. You can use this command only when the interface
switchport mode is access or trunk. You must manually configure the neighboring interface as a
trunk interface to establish a trunk link.

9.3.4

Determine the Current DTP Mode

S1# show dtp interface interface-id

18

10 Troubleshoot VLANs and Trunks


10.1 Missing VLAN



Step 1: Use the show vlan command to check whether the port belongs to the expected VLAN.
If the port is assigned to the wrong VLAN, use the switchport access vlan command
to correct the VLAN membership.
Use the show mac address-table command to check which addresses were learned
on a particular port of the switch and to which VLAN that port is assigned.

Step 2: If the VLAN to which the port is assigned is deleted, the port becomes inactive.
Use the show vlan or show interfaces switchport command.


Examples:

S1# show mac-address-table interface FastEthernet 0/1


S1# show interfaces FastEthernet 0/1 switchport

19

10.2 Troubleshooting Trunks



Step 1: Use the show interfaces trunk command to check whether the local and peer native

VLANs match. If the native VLAN does not match on both sides, VLAN leaking occurs.

Step 2: Use the show interfaces trunk command to check whether a trunk has been

established between switches.
Statically configure trunk links whenever possible. Cisco Catalyst switch ports use DTP
by default and attempt to negotiate a trunk link.


Example:

S1# show interfaces FastEthernet 0/1 trunk

10.3 Common Problems with Trunks


20

10.4 Security Protect Ports with PVLAN Edge



The PVLAN Edge feature has the following characteristics:

A protected port does not forward any traffic (unicast, multicast, or broadcast) to any other port
that is also a protected port, except for control traffic. Data traffic cannot be forwarded between
protected ports at Layer 2.
Forwarding behavior between a protected port and a nonprotected port proceeds as usual.
Protected ports must be manually configured.

10.4.1 Configuring the PVLAN Edge Feature

S1(config-if)# switchport protected


10.4.2 Disable Protected Port

S1(config-if)# no switchport protected


10.4.3 Verify the PVLAN Edge Configuration

S1# show interfaces interface-id switchport

21

11 Inter-VLAN Routing

11.1 Legacy Inter-VLAN Routing



11.1.1 Switch Configuration

S1# configure terminal


S1(config)# vlan 10
S1(config-vlan)# vlan 30
S1(config-vlan)# interface f0/11
S1(config-if)# switchport access
S1(config-if)# interface f0/4
S1(config-if)# switchport access
S1(config-if)# interface f0/6
S1(config-if)# switchport access
S1(config-if)# interface f0/5
S1(config-if)# switchport access
S1(config-if)# end

vlan 10
vlan 10
vlan 30
vlan 30


11.1.2 Router Configuration

R1(config)# interface g0/0
R1(config-if)# ip address 172.17.10.1 255.255.255.0
R1(config-if)# no shutdown
R1(config)# interface g0/1
R1(config-if)# ip address 172.17.30.1 255.255.255.0
R1(config-if)# no shutdown
R1(config-if)# end

22

11.2 Router-on-a-Stick Inter-VLAN Routing



11.2.1 Switch Configuration

S1(config)# vlan 10
S1(config-vlan)# vlan 30
S1(config-vlan)# interface f0/5
S1(config-if)# switchport mode trunk
S1(config-if)# end


11.2.2 Router Configuration

R1(config)# interface g0/0.10
R1(config-subif)# encapsulation dot1q 10
R1(config-subif)# ip address 172.17.10.1 255.255.255.0
R1(config-subif)# interface g0/0.30
R1(config-subif)# encapsulation dot1q 30
R1(config-subif)# ip address 172.17.30.1 255.255.255.0
R1(config-subif)# interface g0/0
R1(config-if)# no shutdown
R1(config-if)# end



Verify Subinterfaces:

R1# show vlan
R1# show ip route



Verify Routing:

PC1> ping 172.17.30.23
PC1> tracert 172.17.30.23

23

11.3 Multilayer Switch Inter-VLAN Routing



11.3.1 Inter-VLAN Routing with Switch Virtual Interfaces (SVI)

S1(config)# interface vlan 10
S1(config-if)# ip address 172.17.10.1 255.255.255.0
S1(config-if)# no shutdown
S1(config-if)# exit
S1(config)# interface vlan 30
S1(config-if)# ip address 172.17.30.1 255.255.255.0
S1(config-if)# no shutdown
S1(config-if)# exit
S1(config)# ip routing


11.3.2 Inter-VLAN Routing with Routed Ports

S1(config)# interface fastethernet 0/1
S1(config-if)# no switchport
S1(config-if)# ip address 172.17.10.1 255.255.255.0
S1(config-if)# no shutdown
S1(config-if)# exit
S1(config)# interface fastethernet 0/3
S1(config-if)# no switchport
S1(config-if)# ip address 172.17.30.1 255.255.255.0
S1(config-if)# no shutdown
S1(config-if)# exit
S1(config)# ip routing

24


11.3.3 Static Routing on a Cisco Catalyst 2960 Switch


Check setting template

S1(config)# show sdm prefer



Enable the routing functionality on the Cisco 2960 Layer 2 switch
Full-featured multilayer switches (e.g. Cisco Catalyst 3560 Series) support the EIGRP, OSPF, and BGP
routing protocols.

S1(config)# sdm prefer lanbase-routing
S1(config)# do reload



S1(config)# interface fastethernet 0/6
S1(config-if)# switchport access vlan 2
S1(config-if)# interface vlan 1
S1(config-if)# ip address 192.168.1.1 255.255.255.0
S1(config-if)# interface vlan 2
S1(config-if)# ip address 192.168.2.1 255.255.255.0
S1(config-if)# no shutdown
S1(config)# ip routing



Configure default route

S1(config)# ip route 0.0.0.0 0.0.0.0 192.168.1.254



Configure a static route to the remote network 192.168.2.0/24 (VLAN 2) on the Router R1

R1(config)# ip route 192.168.2.0 255.255.255.0 g0/1


25

11.4 Troubleshoot Inter-VLAN Routing



The issues common to legacy inter-VLAN routing and router-on-a-stick inter-VLAN routing are also
manifested in the context of Layer 3 switching. To troubleshoot issues, the following items should be
checked for accuracy:

VLANs:
VLANs must be defined across all the switches. VLANs must be enabled on the trunk


ports. Ports must be in the right VLANs.

SVIs:
SVIs must have the correct IP address or subnet mask. SVIs must be up. SVIs must


match with the VLAN number.

Routing:
Routing must be enabled. Each interface or network should be added to the routing


protocol.

Hosts:
Hosts must have the correct IP address or subnet mask. Hosts must have a default


gateway associated with an SVI or routed port.


26

12 Static Routing

12.1 IPv4 Static Route



A static route can be configured to reach a specific remote network.

R1(config)# ip route network-address subnet-mask {next-hop-ip | exit-intf
[ip-adress]} [ distance ] [ name name ] [ permanent ] [ tag tag ]



The distance parameter is used to create a floating static route by setting an administrative distance
that is higher than a dynamically learned route.


Common Examples:

Next-hop address:
R1(config)# ip route 172.16.1.0 255.255.255.0 172.16.2.2

Exit interface:
R1(config)# ip route 172.16.1.0 255.255.255.0 serial 0/0/0

Fully specified:
R1(config)# ip route 172.16.1.0 255.255.255.0 G0/1 172.16.2.2


Verifying

R1#
R1#
R1#
R1#
R1#
R1#

ping 192.168.2.2
traceroute 192.168.2.10
show ip route
show ip route static | begin Gateway
show ip route 192.168.2.1
show running-config | section ip route

27

12.2 IPv4 Default Static Route



A default static route is similar to a default gateway on a host. The default static route specifies the exit
point to use when the routing table does not contain a path for the destination network.

R1(config)# ip route 0.0.0.0 0.0.0.0 {next-hop-ip | exit-intf}


Common Examples:

Next-hop address:
R1(config)#
Exit interface:
R1(config)#
Fully specified:
R1(config)#

Verifying:
R1# show ip route

ip route 0.0.0.0 0.0.0.0 192.168.6.2


ip route 0.0.0.0 0.0.0.0 serial 0/0/0
ip route 0.0.0.0 0.0.0.0 serial 0/0/0 192.168.6.2
static


12.3 IPv4 Summary Static Route

Example:



The four static route entries could be reduced to 172.20.0.0/14 entry. The four static route entries can
be removed and replaced by a summary static route.

R1(config)# no ip route 172.20.0.0 255.255.0.0 serial 0/0/0
R1(config)# no ip route 172.21.0.0 255.255.0.0 serial 0/0/0
R1(config)# no ip route 172.22.0.0 255.255.0.0 serial 0/0/0
R1(config)# no ip route 172.23.0.0 255.255.0.0 serial 0/0/0
R1(config)#
R1(config)# ip route 172.20.0.0 255.252.0.0 serial 0/0/0


28

12.4 IPv4 Floating Static Route



Floating static routes are static routes that have an administrative distance greater than the
administrative distance of another static route or dynamic routes. They are very useful when
providing a backup to a primary link.



By default, static routes have an administrative distance of 1, making them preferable to routes
learned from dynamic routing protocols.

For example, the administrative distances of some common dynamic routing protocols are:
EIGRP = 90
IGRP = 100
OSPF = 110
IS-IS = 115
RIP = 120

The administrative distance of a static route can be increased to make the route less desirable than
that of another static route or a route learned through a dynamic routing protocol. In this way, the
static route floats and is not used when the route with the better administrative distance is active.



Verification shows that the default route to R2 is installed in the routing table. Note that the backup
route to R3 is not present in the routing table.


29

12.5 Troubleshoot IPv4 Static Route Configuration



Common IOS troubleshooting commands include:

ping target-ip-address source { ip-address | exit-intf }


traceroute
show ip route
show ip interface brief
show cdp neighbors [detail]

(extended ping)


12.6 IPv6 Static Route

Enable IPv6 Routing: R1(config)# ipv6 unicast-routing

R1(config)# ipv6 route ipv6-prefix/prefix-length { ipv6-address | exit-intf }



Verifying:
R1# show ipv6 route

Common Examples:

Next-hop address:
R1(config)# ip route 2001:db8:acad:2::/64 2001:db8:acad:4::2
Exit interface:
R1(config)# ip route 2001:db8:acad:2::/64 s0/0/0
Fully specified:
R1(config)# ip route 172.16.1.0 255.255.255.0 s0/0/0 fe80::2


Verifying

R1#
R1#
R1#
R1#
R1#
R1#

ping 192.168.2.2
traceroute 192.168.2.10
show ipv6 route
show ipv6 route static
show ipv6 route 2001:db8:acad:3::
show running-config | section ipv6 route



30

12.7 IPv6 Default Static Route



Enable IPv6 Routing: R1(config)# ipv6 unicast-routing

R1(config)# ipv6 route ::/0 { ipv6-address | exit-intf }


Common Examples:

Next-hop address:

Exit interface:


Verify:

R1(config)# ipv6 route ::/0 2001:db8:acad:4::2


R1(config)# ipv6 route ::/0 serial 0/0/0

R1# show ipv6 route static

12.8 IPv6 Summary Static Route



Example:

The four static route entries could be reduced to 2001:db8:acad::/61 entry. The four static route
entries can be removed and replaced by a summary static route.

R1(config)# no ipv6 route 2001:db8:acad:1::/64 2001:db8:feed:1::2
R1(config)# no ipv6 route 2001:db8:acad:2::/64 2001:db8:feed:1::2
R1(config)# no ipv6 route 2001:db8:acad:3::/64 2001:db8:feed:1::2
R1(config)# no ipv6 route 2001:db8:acad:4::/64 2001:db8:feed:1::2
R1(config)#
R1(config)# ipv6 route 2001:db8:acad::/61 2001:db8:feed:1::2


31

13 Dynamic Routing

13.1 Check for Dynamic Routing Protocols



Determine which routing protocols are supported by the IOS

R1(config)# router ? respectively R1(config)# ipv6 router ?



Verify the IPv4 routing protocol settings currently configured

R1# show ip protocols respectively R1# show ipv6 protocols

32

13.2 Enable RIP or RIPv2 (IPv4)


R1(config)# router rip


Disable and eliminate RIP

R1(config)# no router rip



Configure which locally connected networks should be advertised

R1(router-config)# network network-address


Example:

R1(config)# router rip
R1(router-config)# network 192.168.1.0
R1(router-config)# network 192.168.2.0



Enable RIPv2

R1(config)# router rip
R1(router-config)# version 2



Disable automatic network number summarization

R1(router-config)# no auto-summary


(RIPv2 must be enabled before automatic summarization is disabled.)


Configure passive interfaces (stop routing updates out of specified interfaces)

R1(router-config)# passive-interface intf


Examples:

R1(config)# router rip
R1(router-config)# passive-interface serial 0/0/0


Stop routing updates out of all interfaces

R1(router-config)# passive-interface default


Re-enable routing updates out of a specified interface

R1(router-config)# no passive-interface gigabitethernet 0/1



Propagate a default route (configured on the edge router)

R1(config)# ip route 0.0.0.0 0.0.0.0 serial 0/0/0 192.168.6.2


R1(config)# router rip
R1(router-config)# default-information originate

33

13.3 Enable RIPng (IPv6)


R1(config-if)# ipv6 rip domain-name enable


Example:

R1(config)# ipv6 unicast-routing
R1(config)#
R1(config)# interface g0/1
R1(config-if)# ipv6 rip RIP-AS enable
R1(config-if)# no shutdown
R1(config-if)# exit
R1(config)#
R1(config)# interface s0/0/1
R1(config-if)# ipv6 rip RIP-AS enable
R1(config-if)# no shutdown



Propagate a default route (configured on the edge router)

R1(config)# ipv6 route 0::/0 2001:db8:feed:1::1


R1(config)# interface s0/0/1
R1(config-if)# ipv6 rip RIP-AS default-information originate



Display (only) the RIP routes from the IPv6 routing table

R1# show ipv6 route rip


34

14 Single-Area OSPFv2 (IPv4)



Enter router OSPF configuration mode

R1(config)# router ospf process-id


Example:
R3(config)# router ospf 10

The process-id value represents a number between 1 and 65,535 and is selected by the network
administrator. The process-id value is locally significant, which means that it does not have to be the
same value on the other OSPF routers to establish adjacencies with those neighbors.

14.1 Router ID

14.1.1 Configure & Verify Router ID

R1(config-router)# router-id rid


R1# show ip protocols


Example:

R3(config-router)# router-id 3.3.3.3

14.1.2 Modify Router ID



Modify router ID by clearing the routing process


R1# clear ip ospf process
Reset ALL OSPF processes? [no]: y



Verify (only Router ID section)

R1# show ip protocols | section Router ID


14.1.3 Using a Loopback Interface as the Router ID

R3(config)# interface loopback 0
R3(config-if)# ip address 3.3.3.3 255.255.255.255
R3(config-if)# end

35

14.2 Enable OSPF on Interfaces



14.2.1 Assigning Interfaces to an OSPF Area

R1(config-router)# network network-address wildcard-mask area area-id


Example:


R1(config-router)# network 172.16.1.0 0.0.0.255 area 0


R1(config-router)# network 10.10.10.0 0.0.0.3 area 0
R1(config-router)# network 10.10.10.4 0.0.0.3 area 0

14.2.2 Assigning Interfaces to an OSPF Area with a Quad Zero



As an alternative, OSPFv2 can be enabled using the interface IPv4 address with a quad 0 wildcard
mask.

R1(config-router)# network intf-ip-address 0.0.0.0 area area-id

Example:
R1(config-router)# network 172.16.1.1 0.0.0.0 area 0

R1(config-router)# network 10.10.10.1 0.0.0.0 area 0

R1(config-router)# network 10.10.10.5 0.0.0.0 area 0

The advantage of specifying the interface is that the wildcard mask calculation is not necessary.
OSPFv2 uses the interface address and subnet mask to determine the network to advertise.

14.2.3 Change the OSPF Interface Priority

The OSPF DR and BDR election decision is based on the following criteria:

Step 1: The routers in the network elect the router with the highest interface priority as the DR. The

router with the second highest interface priority is elected as the BDR. The priority can be

configured to be any number between 0 255. The higher the priority, the likelier the router

will be selected as the DR. If the priority is set to 0, the router is not capable of becoming the

DR. The default priority of multiaccess broadcast interfaces is 1. Therefore, unless otherwise

configured, all routers have an equal priority value and must rely on another tie breaking

method during the DR/BDR election.

Step 2: If the interface priorities are equal, then the router with the highest router ID is elected the DR.

The router with the second highest router ID is the BDR.

36


14.2.4 Modify OSPFv2 Hello and Dead Intervals

R1(config-if)# ip ospf hello-interval seconds
R1(config-if)# ip ospf dead-interval seconds


Reset to default values (Hello = 10 s; Dead = 40 s):

R1(config-if)# no ip ospf hello-interval


R1(config-if)# no ip ospf dead-interval



Verify OSPF intervals:

R1# show ip ospf interface interface


R1# show ip ospf interface interface | include Timer



Verify OSPF timer activity:


R1# show ip ospf neighbor

37


14.2.5 Configure Passive Interfaces

R1(config-router)# passive-interface intf


Example:
R1(config-router)# passive-interface GigabitEthernet 0/0


All interfaces can be made passive: R1(config-router)# passive-interface default

Re-enabled interface: R1(config-router)# no passive-interface GigabitEthernet 0/1


14.3 Propagating a Default Static Route in OSPF



To propagate a default route, the edge router aka the entrance, gateway, or autonomous system
boundary router (ASBR) - must be configured with:

A default static route using the ip route 0.0.0.0 0.0.0.0 {ip-address | exit-intf}
command.
The default-information originate router configuration mode command instructs the router
to be the source of the default route information and propagate the default static route in OSPF
updates.


38

14.4 OSPF Cost



14.4.1 Verify Cost of a Route (Metric)

14.4.2 Adjust Reference Bandwith



OSPF uses a reference bandwidth of 100 Mb/s (cost=1) for any links that are equal to or faster than a
fast Ethernet connection.
To assist OSPF in making the correct path determination, the reference bandwidth must be changed to
a higher value to accommodate networks with links faster than 100 Mb/s.

Gigabit Ethernet:
R1(config-router)# auto-cost reference-bandwidth 1000

10 Gigabit Ethernet: R1(config-router)# auto-cost reference-bandwidth 10000

Return to default:
R1(config-router)# auto-cost reference-bandwidth 100

OSPF cost if the reference bandwidth is set to Gigabit Ethernet:

39


14.4.3 Verify Link Cost


14.4.4 Adjust Interface Bandwith Setting

Use the show interfaces command to view the interface bandwidth setting.


On Cisco routers, the default bandwidth on most serial interfaces is set to 1.544 Mb/s.

Adjust the interface bandwidth:

R1(config)# intf
R1(config-if)# bandwidth kilobits


Restore to the default value:

40


R1(config-if)# no bandwidth [kilobits]


14.4.5 Manually Setting the OSPF Cost

As an alternative to setting the default interface bandwidth, the cost can be manually configured on an
interface.

R1(config)# intf
R1(config-if)# ip ospf cost value




Both the bandwidth interface command and the ip ospf cost interface command achieve the same
result, which is to provide an accurate value for use by OSPF in determining the best route.

An advantage of configuring a cost over setting the interface bandwidth is that the router does not
have to calculate the metric when the cost is manually configured. In contrast, when the interface
bandwidth is configured, the router must calculate the OSPF cost based on the bandwidth. The ip
ospf cost command is useful in multi-vendor environments where non-Cisco routers may use a
metric other than bandwidth to calculate the OSPF costs.


41

14.5 Secure OSPF with MD5 Authentication



14.5.1 Enable OSPF MD5 Authentication Globally

R1(config)# area area-id authentication message-digest
R1(config-if)# ip ospf message-digest-key key md5 password


14.5.2 Enable OSPF MD5 Authentication on a Per-Interface basis

R1(config-if)# ip ospf message-digest-key key md5 password
R1(config-if)# ip ospf authentication message-digest


42

14.6 Verify OSPF



14.6.1 Verify OSPF Neighbors

R1# show ip ospf neighbor



FULL state means that the router and its neighbor have identical OSPF LSDBs. On multiaccess
networks such as Ethernet, two routers that are adjacent may have their states displayed as 2WAY.
The dash indicates that no DR or BDR is required because of the network type.

Two routers may not form an OSPF adjacency if:

The subnet masks do not match, causing the routers to be on separate networks.
OSPF Hello or Dead Timers do not match.
OSPF Network Types do not match.
There is a missing or incorrect OSPF network command.

14.6.2 Verify OSPF Protocol Settings

The show ip protocols is a quick way to verify vital OSPF configuration information. This includes
the OSPF process ID, the router ID, networks the router is advertising, the neighbors the router is
receiving updates from, and the default administrative distance (default is 110 for OSPF).

R1# show ip protocols

43


14.6.3 Verify OSPF Process Information

The show ip ospf command displays the OSPF area information and the last time the SPF algorithm
was calculated.

R1# show ip ospf



44


14.6.4 Verify OSPF Interface Settings

R1# show ip ospf interface [brief]

R1# show ip ospf interface interface


14.6.5 Verify the OSPF Learned Routes

Display only the OSPF learned routes in the routing table.

R1# show ip route ospf

14.6.6 Verify OSPF MD5 authentication

R1# show ip ospf interface interface

R1# show ip ospf interface | include Message

45

15 Single-Area OSPFv3 (IPv6)


15.1 Differences between OSPFv2 and OSPFv3


15.2 Steps to Configure OSPFv3


46

15.3 Configure Link-Local Addresses



Unless configured manually, Cisco routers create the link-local address using FE80::/10 prefix and the
EUI-64 process. EUI-64 involves using the 48-bit Ethernet MAC address, inserting FFFE in the middle
and flipping the seventh bit. For serial interfaces, Cisco uses the MAC address of an Ethernet interface.

Configuring the link-local address manually provides the ability to create an address that is
recognizable and easier to remember. As well, a router with several interfaces can assign the same
link-local address to each IPv6 interface. This is because the link-local address is only required for
local communications.

R1(config)# interface GigabitEthernet 0/0
R1(config-if)# ipv6 address FE80::1 link-local
R1(config-if)# exit
R1(config)# interface Serial 0/0/0
R1(config-if)# ipv6 address FE80::1 link-local
R1(config-if)# exit
R1(config)# interface Serial 0/0/1
R1(config-if)# ipv6 address FE80::1 link-local
R1(config-if)# exit

47

15.4 OSPFv3 Router ID



Enter router OSPFv3 configuration mode

R1(config)# ipv6 router ospf process-id


Example:

R3(config)# ipv6 router ospf 10

15.4.1 Configure & Verify OSPFv3 Router ID



R1(config-rtr)# router-id rid
R1# show ipv6 protocols


Example:


15.4.2 Modify OSPFv3 Router ID

R1# ipv6 router ospf 10


R1(config-rtr)# router-id 1.1.1.1
R1(config-rtr)# end
R1# clear ipv6 ospf process
Reset ALL OSPF processes? [no]: y
R1# show ipv6 protocols

48

15.5 Enable OSPFv3 on Interfaces



OSPFv3 uses a different method to enable an interface for OSPF. Instead of using the network router
configuration mode command to specify matching interface addresses, OSPFv3 is configured directly
on the interface.

R1(config-if)# ipv6 ospf process-id area area-id

49

15.6 Modify OSPFv3 Hello and Dead Intervals


R1(config-if)# ipv6 ospf hello-interval seconds


R1(config-if)# ipv6 ospf dead-interval seconds


Reset to default values (Hello = 10 s; Dead = 40 s):

R1(config-if)# no ipv6 ospf hello-interval


R1(config-if)# no ipv6 ospf dead-interval



Verify OSPF intervals:



Verify OSPF timer activity:

R1# show ipv6 ospf interface interface | include Timer

R1# show ipv6 ospf neighbor

50

R1# show ipv6 ospf interface interface

15.7 Propagating a Default Static Route in OSPFv3




To propagate a default route, the edge router aka the entrance, gateway, or autonomous system
boundary router (ASBR) - must be configured with:

A default static route using the ipv6 route ::/0 {ipv6-address | exit-intf} command.
The default-information originate router configuration mode command instructs the router
to be the source of the default route information and propagate the default static route in OSPF
updates.


51

15.8 Verify OSPFv3



15.8.1 Verify OSPFv3 Neighbors

R1# show ipv6 ospf neighbor


15.8.2 Verify OSPFv3 Protocol Settings

R1# show ipv6 protocols


15.8.3 Verify OSPF Process Information

R1# show ipv6 ospf


52


15.8.4 Verify OSPFv3 Interface Settings

R1# show ipv6 ospf interface [brief]

R1# show ipv6 ospf interface serial 0/0/1


15.8.5 Verify the IPv6 Routing Table

R1# show ipv6 route ospf

53

16 Multiarea OSPF

16.1 Configure Multiarea OSPFv2




A router simply becomes an Area Border Router (ABR) when it has two network statements in
different areas.

54

16.2 OSPF Route Summarization



16.2.1 Interarea Route Summarization



Interarea route summarization occurs on Area Border Routers (ABRs) and applies to routes from
within each area. It does not apply to external routes injected into OSPF via redistribution.

16.2.2 External Route Summarization



External route summarization is specific to external routes that are injected into OSPF via route
redistribution. Again, it is important to ensure the contiguity of the external address ranges that are
being summarized. Generally, only Autonomous System Boundary Routers (ASBRs) summarize
external routes.

External route summarization is configured on ASBRs using the summary-address address mask
router configuration mode command.

R2(config-router)# summary-address 172.16.0.0 255.255.224.0


55

16.3 Configure Multiarea OSPFv3


56

16.4 Verify Multiarea OSPF



The same verification commands used to verify single-area OSPF also can be used to verify the
multiarea OSPF topology:

show ip ospf neighbor
show ip ospf
show ip ospf interface


Commands that verify specific multiarea information include:

show ip protocols


show ip ospf interface brief

57

show ip route ospf


show ip ospf database



Note: For the equivalent OSPFv3 command, simply substitute ip with ipv6.

58

17 EIGRP for IPv4


R1(config)# router eigrp autonomous-system


Example:
R1(config)# router eigrp 1

The autonomous-system argument can be assigned to any 16-bit value between the number 1 and
65,535. All routers within the EIGRP routing domain must use the same autonomous system number.

Remove the EIGRP routing process: no router eigrp autonomous-system

17.1 Router ID

17.1.1 Configure & Verify Router ID

R1(config-router)# eigrp router-id ipv4-address

R1# show ip protocols


17.1.2 Using a Loopback Interface as the Router ID

R3(config)# interface loopback 0
R3(config-if)# ip address 3.3.3.3 255.255.255.255
R3(config-if)# end

59

17.2 The network Command



Enables any interface on this router that matches the network address in the network router
configuration mode command to send and receive EIGRP updates.
The network of the interfaces is included in EIGRP routing updates.

60


To configure EIGRP to advertise specific subnets only, use the wildcard-mask option with the
network command:

R1(config-router)# network network-address [wildcard-mask]



Some IOS versions also let you enter the subnet mask instead of a wildcard mask. However, if the
subnet mask is used, the IOS converts the command to the wildcard-mask format within the
configuration.

17.3 Passive Interfaces



There are two primary reasons for enabling the passive-interface command:

To suppress unnecessary update traffic, such as when an interface is a LAN interface, with no other
routers connected
To increase security controls, such as preventing unknown rogue routing devices from receiving
EIGRP updates

R1(config)# router eigrp as-number
R1(config-router)# passive-interface interface-type interface-number



To configure all interfaces as passive, use the passive-interface default command. To disable an
interface as passive, use the no passive-interface interface-type interface-number
command.

61

17.4 Automatic Summarization



17.4.1 Configure EIGRP Automatic Summarization

R1(config)# router eigrp as-number
R1(config-router)# auto-summary


17.4.2 Verify Auto-Summary


62



EIGRP for IPv4 automatically includes a Null0 summary route whenever the following conditions exist:

There is at least one subnet that was learned via EIGRP.
There are two or more network EIGRP router configuration mode commands.
Automatic summarization is enabled.

The Null0 interface is a virtual IOS interface that is a route to nowhere, commonly known as "the bit
bucket." Packets that match a route with a Null0 exit interface are discarded.
The purpose of the Null0 summary route is to prevent routing loops for destinations that are included
in the summary, but do not actually exist in the routing table.


63

17.5 Manual Summarization



17.5.1 Configure EIGRP Manual Summarization

R1(config)# router eigrp as-number
R1(config-if)# ip summary-address eigrp as-number network-address subnet-mask


Note: Summary routes have to be configured on all interfaces that send EIGRP packets.

17.5.2 Verify Manual Summary


64

17.6 Propagating a Default Static Route



17.6.1 Configure a Default Static Route in EIGRP


17.6.2 Verify Default Static Route in EIGRP

65

17.7 Fine-tuning EIGRP Interfaces



17.7.1 EIGRP Bandwidth

By default, EIGRP uses only up to 50 percent of an interfaces bandwidth for EIGRP information. This
prevents the EIGRP process from over-utilizing a link and not allowing enough bandwidth for the
routing of normal traffic.

R1(config-if)# ip bandwidth-percent eigrp as-number percent


17.7.2 Hello Intervals and Hold Timers

R1(config-if)# ip hello-interval eigrp as-number seconds

R1(config-if)# ip hold-time eigrp as-number seconds


17.7.3 Load Balancing

Cisco IOS, by default, allows load balancing using up to four equal-cost paths; however, this can be
modified - up to 32 equal-cost routes can be kept in the routing table.

R1(config-router)# maximum-paths value

66

17.8 MD5 Authentication



Step 1: Create a keychain and key



a) In global configuration mode, create the keychain.

b) Specify the key ID which is used to identify an authentication key within a keychain. The range of
keys is from 0 to 2,147,483,647. It is recommended that the key number be the same on all routers in
the configuration.

c) Specify the key string for the key. The key string is similar to a password. Routers exchanging
authentication keys must be configured using the same key string.


Step 2: Configure EIGRP authentication using keychain and key



a) In global configuration mode, specify the interface on which to configure EIGRP message
authentication.

b) Enable EIGRP message authentication. The md5 keyword indicates that the MD5 hash is to be used
for authentication.

c) Specify the keychain that should be used for authentication. The name-of-chain argument specifies
the keychain that was created in Step 1.


67


Verify EIGRP MD4 authentication:

Adjacencies are only formed when both connecting devices have authentication configured,. To verify
that the correct EIGRP adjacencies were formed after being configured for authentication, use the
show ip eigrp neighbors command on each router.



After EIGRP message authentication is configured on one router, any adjacent neighbors that have not
yet been configured for authentication are no longer EIGRP neighbors - the following IOS message
appears:

%DUAL-5-NBRCHANGE: EIGRP-IPv4 1: Neighbor 172.16.3.2 (Serial0/0/0) is down:
authentication mode changed


When the adjacent interface is configured, the adjacency is re-established and the following IOS
message will be displayed:

%DUAL-5-NBRCHANGE: EIGRP-IPv4 1: Neighbor 172.16.3.2 (Serial0/0/0) is up: new
adjacency

68

17.9 Troubleshoot EIGRP



69

17.10 Verify EIGRP for IPv4



17.10.1 Examine Neighbors


17.10.2 Examine the IPv4 Routing Table

70


17.10.3 Examine Routing Protocol Processes


Default Administrative Distances:


71


17.10.4 Examine Topology Table


All links can be displayed using the show ip eigrp topology all-links command.



72

18 EIGRP for IPv6


18.1 Configure IPv6 Link-local Adresses



Verify link-local addresses:

18.2 Configure EIGRP for IPv6


R1(config)# ipv6 router eigrp autonomous-system


R1(config-rtr)# eigrp router-id ipv4-address
R1(config-rtr)# no shutdown

73

18.3 Enable EIGRP for IPv6 on Interfaces


R1(config-if)# ipv6 eigrp autonomous-system

18.4 Passive Interfaces


74

18.5 Manual Summarization



Note: Autosummarization is not available for EIGRP IPv6 networks.

18.5.1 Configure EIGRP Manual Summarization

R1(config-if)# ipv6 summary-address eigrp as-number prefix/prefix-length


18.5.2 Verify Manual Summary

75

18.6 Propagating a Default Static Route



18.6.1 Configure a Default Static Route in EIGRP


18.6.2 Verify Default Static Route in EIGRP

76

18.7 Fine-tuning EIGRP Interfaces



18.7.1 EIGRP Bandwidth

By default, EIGRP uses only up to 50 percent of an interfaces bandwidth for EIGRP information.

R1(config-if)# ipv6 bandwidth-percent eigrp as-number percent


18.7.2 Hello Intervals and Hold Timers

R1(config-if)# ipv6 hello-interval eigrp as-number seconds
R1(config-if)# ipv6 hold-time eigrp as-number seconds

77

18.8 MD5 Authentication



The algorithms and the configuration to authenticate EIGRP for IPv6 messages are the same as EIGRP
for IPv4. The only difference is the interface configuration mode commands use ipv6, instead of ip.

R1(config-if)# ipv6 authentication mode eigrp as-number md5
R1(config-if)# ipv6 authentication key-chain eigrp as-number name-of-chain


Example:

18.9 Troubleshoot EIGRP



The following commands are used with EIGRP for IPv6:

R1# show ipv6 eigrp neighbors

R1# show ipv6 route

R1# show ipv6 protocols

78

18.10 Verify EIGRP for IPv6



18.10.1 Examine Neighbors


18.10.2 Examine IPv6 Routing Protocol Processes


79


18.10.3 Examine the IPv6 Routing Table

80

19 Access Control Lists (ACLs)


19.1 Numbered and Named ACLs


19.2 Wildcard Bit Mask Abbrevations



The host keyword substitutes for the 0.0.0.0 mask. This mask states that all IPv4 address bits must
match or only one host is matched.

Example: Instead of entering 192.168.10.10 0.0.0.0, you can use host 192.168.10.10.


The any option substitutes for the IP address and 255.255.255.255 mask. This mask says to ignore the
entire IPv4 address or to accept any addresses.

Example: Instead of entering 0.0.0.0 255.255.255.255, you can use the keyword any.

19.3 The Implied "Deny All Traffic" Criteria Statement



By default, there is an implied deny at the end of all ACLs for traffic that was not matched to a
configured entry. A single-entry ACL with only one deny entry or an ACL without any entry has the
effect of denying all traffic. At least one permit ACE must be configured in an ACL or all traffic is
blocked.
Although all ACLs end with an implicit deny statement, we recommend the use of an explicit deny
statement. You can display the count of packets denied by issuing the show access-list command.
Because only packets denied by explicit deny statements are counted, you will find out more
information about who your access list is disallowing if an explicit deny statement exists.

Standard ACL:
R1(config)# access-list 1 deny any

Extended ACL:
R1(config)# access-list 100 deny ip any any

IPv6 ACL:

R1(config-ipv6-acl)# access-list 100 deny ip any any



81

19.4 Standard ACLs (IPv4)



19.4.1 Configure Standard ACL

R1(config)# access-list access-list-number { deny | permit | remark }
source [ source-wildcard ][ log ]


Examples:

R1(config)# access-list 1 remark Permit hosts from the 192.168.10.0 LAN


R1(config)# access-list 1 permit 192.168.10.0 0.0.0.255
R1(config)# access-list 1 deny 192.168.0.0 0.0.255.255


Remove ACL (from router):

R1(config)# no access-list 1

82


19.4.2 Apply Standard ACL to Interfaces

R1(config-if)# ip access-group { access-list-number | access-list-name }
{ in | out }


Remove ACL (from interface):

R1(config-if)# no ip access-group 1


19.4.3 Named Standard ACL

R1(config)# ip access-list [standard | extended] name


R1(config-std-nacl)# [deny | permit | remark ] {source [source-wildcard]} [log]
R1(config-if)# ip access-group name [in | out]


Example:

83


19.4.4 Commenting ACLs

R1(config)# access-list access-list_number remark remark


R1(config-std-nacl)# remark remark


Remove remark:

R1(config)# no access-list access-list_number remark remark


R1(config-std-nacl)# no remark remark

84


19.4.5 Edit Standard Numbered ACL

Edit Numbered ACL using a text editor:


Edit Numbered ACL using a text editor:


85


19.4.6 Edit Standard Named ACL

Add a line to a named ACL:

19.4.7 Using a Standard ACL to Secure VTY Access



If the Cisco IOS software on your router does not support SSH, you can improve the security of
administrative lines by restricting VTY access (define which IP addresses are allowed Telnet access to
the router).
You can also use this technique with SSH to further improve administrative access security.

86

19.5 Extended ACLs (IPv4)



19.5.1 Configure Extended ACL

R1(config)# access-list access-list-number {deny | permit | remark} protocol
source [source-wildcard]} [operator oparand] [port port-number or
name] destination [destination-wildcard] [operator oparand]
[port port-number or name] [established]


Examples:


87


Generating port numbers:

R1(config)# access-list 100 permit tcp any any eq ?


19.5.2 Apply Extended ACL to Interfaces

R1(config-if)# ip access-group { access-list-number | access-list-name }


{ in | out }

88


19.5.3 Filter Traffic with Extended ACL

The example shown denies FTP traffic from subnet 192.168.11.0 going to subnet 192.168.10.0, but
permits all other traffic.
FTP uses TCP ports 20 and 21; therefore the ACL requires both port name keywords ftp and ftp-data
to deny FTP.



FTP uses TCP ports 20 and 21; therefore the ACL requires both ports ftp and ftp-data to deny FTP.

If using port numbers instead of port names, the commands would be written as:

access-list 101 deny tcp 192.168.11.0 0.0.0.255 192.168.10.0 0.0.0.255 eq 20
access-list 101 deny tcp 192.168.11.0 0.0.0.255 192.168.10.0 0.0.0.255 eq 21


To prevent the implied deny any statement at the end of the ACL from blocking all traffic, the permit
ip any any statement is added.


89


19.5.4 Named Extended ACL

R1(config)# ip access-list [standard | extended] name


R1(config-ext-nacl)# [deny | permit | remark ] {source [source-wildcard]} [log]
R1(config-if)# ip access-group name [in | out]


Remove ACL from router:
R1(config)# no ip access-list extended name

Remove Named Extended ACL from interface:
R1(config-if)# no ip access-group name

19.5.5 Edit Extended ACL




90

19.6 IPv6 ACLs



19.6.1 Default IPv6 ACL Statements

IPv6 includes an implicit "Deny All Traffic" statement at the end of each ACL (similar to every IPv4
standard or extended ACL):

deny ipv6 any any

The difference is IPv6 also includes two other implicit statements by default:

permit icmp any any nd-na
permit icmp any any nd-ns

These two statements allow the router to participate in the IPv6 equivalent of ARP for IPv4. Recall that
ARP (Layer 2) is used in IPv4 to resolve Layer 3 addresses to Layer 2 MAC addresses. IPv6 uses ICMP
Neighbor Discovery (ND, Layer 3) messages to accomplish the same thing. ND uses Neighbor
Solicitation (NS) and Neighbor Advertisement (NA) messages.

19.6.2 Configure IPv6 ACL

91


Examples:

R1(config)# ipv6 access-list NO-R3-LAN-ACCESS


R1(config-ipv6-acl)# deny ipv6 2001:db8:cafe:30::/64 any
R1(config-ipv6-acl)# permit ipv6 any any
R1(config-ipv6-acl)# end

R1(config)# ipv6 access-list NO-FTP-TO-LAN-11


R1(config-ipv6-acl)# deny tcp any 2001:db8:cafe:11::/64 eq ftp
R1(config-ipv6-acl)# deny tcp any 2001:db8:cafe:11::/64 eq ftp-data
R1(config-ipv6-acl)# permit ipv6 any any
R1(config-ipv6-acl)# exit
R1(config)# interface g0/0
R1(config-if)# ipv6 traffic-filter NO-FTP-TO-LAN-11 in
R1(config-if)# end


19.6.3 Apply IPv6 ACL to Interfaces

R1(config-if)# ipv6 traffic-filter access-list-name { in | out }

92

19.7 Verify ACLs


R1# show access-lists


Clear counter: R1# clear access-list counters access-list_number


R1# show ip interface interface

93

R1# show ipv6 interface interface

R1# show running-config

94

20 DHCP

20.1 Basic DHCPv4 Configuration



Exclude specific address range (for routers, servers, printers, etc.):

R1(config)# ip dhcp excluded-address low-address [high-address]



Configuring a DHCPv4 pool:

R1(config)# ip dhcp pool pool-name



Configuring specific tasks (in DHCPv4 configuration mode):


Example:



Re-enable (disable) DHCP

R1(config)# (no) service dhcp

95

20.2 Verify DHCPv4


R1# show running-config | section dhcp

R1# show ip dhcp binding

R1# show ip dhcp server statistics


96

20.3 DHCPv4 Relay


R1(config-if)# ip helper-address dhcp-server-address


By default, the ip helper-address command forwards the following eight UDP services:

Time (Port 37)
TACACS (Port 49)
DNS (Port 53)
DHCP/BOOTP client (Port 67)
DHCP/BOOTP server (Port 68)
TFTP (Port 69)
NetBIOS name service (Port 137)
NetBIOS datagram service (Port 138)

20.4 Configure a Router as DHCP Client


R1(config-if)# ip address dhcp

97

20.5 Verify DHCPv4 Relay & Services


R1# show running-config | section interface interface-id



In the figure, the show running-config | include no service dhcp command verifies that the
DHCPv4 service is enabled since there is no match for no service dhcp.
If the service had been disabled, the no service dhcp command would be displayed in the output.

20.6 Debug DHCPv4




Verify that the router is receiving DHCPv4 requests from clients.
This troubleshooting step involves configuring an ACL for debugging output.
The figure shows an extended ACL permitting only packets with UDP destination ports of 67 or 68
(used by DHCPv4 clients and servers).
The extended ACL is used with the debug ip packet command to display only DHCPv4 messages.

Another useful command for troubleshooting DHCPv4 operation is the debug ip dhcp server
events command which reports server events, like address assignments and database updates. It is
also used for decoding DHCPv4 receptions and transmissions.


98

20.7 DHCPv6

DHCPv6 messages from the server to the client use UDP destination port 546.
The client sends DHCPv6 messages to the server using UDP destination port 547.

20.7.1 Stateless Address Autoconfiguration (SLAAC)



RA messages are configured on an individual interface of a router. To re-enable an interface for SLAAC
that might have been set to another option, the M and O flags need to be reset to their initial values of
0.

R1(config-if)# no ipv6 nd managed-config-flag

R1(config-if)# no ipv6 nd other-config-flag


99


20.7.2 Stateless DHCPv6 (Router as Server)

R1(config-if)# ipv6 nd other-config-flag


Example:


20.7.3 Stateless DHCPv6 (Router as Client)

R1(config-if)# ipv6 enable

R1(config-if)# ipv6 address autoconfig

100


20.7.4 Verify Stateless DHCPv6 Server

R1# show ipv6 dhcp pool

R1# show ipv6 interface interface-id

R1# debug ipv6 dhcp detail

101


20.7.5 Stateful DHCPv6 (Router as Server)

R1(config-if)# ipv6 nd managed-config-flag


Example:


20.7.6 Stateful DHCPv6 (Router as Client)

R1(config-if)# ipv6 enable
R1(config-if)# ipv6 address dhcp


102


20.7.7 Verify Stateful DHCPv6 Server

R1# show ipv6 dhcp pool

R1# show ipv6 dhcp dhcp binding

R1# show ipv6 interface interface-id

103


20.7.8 DHCPv6 Relay

R1(config-if)# ipv6 dhcp relay destination dhcpv6-server-address


20.7.9 Troubleshoot/Verify DHCPv6

Troubleshooting issues with DHCPv4 and DHCPv6, involves the same tasks:

Resolve address conflicts
Verify physical connectivity
Test connectivity using a static IP address
Verify switch port configuration
Test operation on the same subnet or VLAN


R1# show ipv6 dhcp conflict

R1# show ipv6 interface interface

R1# debug ipv6 dhcp detail

104

21 NAT for IPv4


21.1 Static NAT



21.1.1 Configure Static NAT


105


21.1.2 Verify Static NAT

106

21.2 Dynamic NAT



21.2.1 Configure Dynamic NAT


Example:

107


21.2.2 Verify Dynamic NAT



108

21.3 PAT (NAT Overload)



21.3.1 Configure PAT with Address Pool


Example:

109


21.3.2 Configure PAT with Single Address


21.3.3 Verify PAT


110

21.4 Port Forwarding (Tunneling)



Example:



Similar to static NAT, the show ip nat translations command can be used to verify the port
forwarding.


111

21.5 Troubleshoot NAT


R1# debug ip nat [detailed]


debug ip nat detailed generates more overhead than debug ip nat, but it can provide the detail

that may be needed to troubleshoot a NAT issue.



* (asterisk) - The asterisk next to NAT indicates that the translation is occurring in the fast-switched
path. The first packet in a conversation is always process-switched, which is slower. The remaining
packets go through the fast-switched path if a cache entry exists.



112

22 Spanning Tree

22.1 Default Switch STP Settings


22.2 Configure and Verify the Bridge ID (BID)/Priority



Method 1:




Method 2:

S1(config)# spanning-tree vlan vlan-id root primary


S2(config)# spanning-tree vlan vlan-id root secondary
S3(config)# spanning-tree vlan vlan-id priority value

S1# show spanning-tree

113

22.3 Configure and Verify Port Cost



Default Port Costs


Configure Port Cost:





S1(config)# interface interface-id
S1(config-if)# spanning-tree cost value


Reset Port Cost (to Default): S1(config-if)# no spanning-tree cost

Verify Port Cost:

114

22.4 PortFast and BPDU Guard



When a switch port is configured with PortFast that port transitions from blocking to forwarding state
immediately, bypassing the usual 802.1D STP transition states (the listening and learning states). You
can use PortFast on access ports to allow these devices to connect to the network immediately.
PortFast is useful for DHCP. Without PortFast, a PC can send a DHCP request before the port is in
forwarding state, denying the host from getting a usable IP address and other information.

In a valid PortFast configuration, Bridge Protocol Data Units (BPDU) should never be received, because
that would indicate that another switch (or bridge) is connected to the port, potentially causing a
spanning tree loop. When BPDU guard is enabled, it puts the port in an error-disabled state on receipt
of a BPDU. This will effectively shut down the port.

S1(config)# interface interface-id
S1(config-if)# spanning-tree portfast
S1(config-if)# spanning-tree bpduguard enable


Enable PortFast on all nontrunking interfaces:

S1(config)# spanning-tree portfast default


Enable BPDU guard on all PortFast-enabled ports:

S1(config)# spanning-tree portfast bpduguard default


Verify PortFast and BPDU Guard:

S1# show running-config | begin spanning-tree

115

22.5 PVST+ Load Balancing



Example:



S3(config)# spanning-tree vlan 20 root primary
S3(config)# spanning-tree vlan 10 root secondary
S1(config)# spanning-tree vlan 10 root primary
S1(config)# spanning-tree vlan 20 root secondary


Alternatively:









Verify:

S3(config)# spanning-tree vlan 20 priority 4096


S3(config)# spanning-tree vlan 10 priority 8192

S1(config)# spanning-tree vlan 10 priority 4096


S1(config)# spanning-tree vlan 20 priority 8192

S1# show running-config | begin spanning-tree



116

22.6 Rapid PVST+



Example:


Verify:

S1# show running-config | begin spanning-tree

117

22.7 Analyzing the STP Topology


22.8 STP Status Overview


S1# show spanning-tree

S1# show spanning-tree vlan vlan_id


118

22.9 First Hop Redundancy Protocols (FHRP)



22.9.1 Hot Standby Router Protocol (HSRP)

R1(config-if)# standby [group-number] priority priority


R1(config-if)# standby [group-number] preempt [delay {minimum | reload | sync}
seconds]
R1(config-if)# standby [group-number] ip ip-address [secondary]


Active Router:







Standby Router:

Disable HSRP:

Verify HSRP:

R1(config-if)# standby 1 priority 150


(default priority is 100)
R1(config-if)# standby 1 preempt
R1(config-if)# standby 1 ip 192.168.1.254
R2(config-if)# standby 1 ip 192.168.1.254
R1(config-if)# no standby 1
R1# show standby [all] [brief]

R1# show standby type number [group-number | all] [brief]

119


22.9.2 Gateway Load Balancing Protocol (GLBP)

R1(config-if)# glbp [group-number] priority priority
R1(config-if)# glbp [group-number] preempt [delay {minimum | reload | sync}
seconds]
R1(config-if)# glbp [group-number] ip ip-address [secondary]


Active Router:










Standby Router:




Disable GLBP:

Verify GLBP:

glbp
glbp
glbp
glbp

1
1
1
1

priority 150
(default priority is 100)
preempt
ip 192.168.1.254
load-balancing round-robin

R2(config-if)# glbp 1 ip 192.168.1.254


R2(config-if)# glbp 1 load-balancing round-robin
R1(config-if)# no glbp [group-number] ip ip-address
[secondary]
R1# show glbp [all] [brief]



120

R1(config-if)#
R1(config-if)#
R1(config-if)#
R1(config-if)#

23 EtherChannel

23.1 Link Aggregation Control Protocol (LACP)




Step 1: Specify the interfaces that compose the EtherChannel group

S1(config)# interface range interface

Step 2: Create the port channel interface

S1(config-if-range)# channel-group identifier mode active



Example:

121

23.2 Port Aggregation Protocol (PagP)




Step 1: Specify the interfaces that compose the EtherChannel group


S1(config)# interface range interface

Step 2: Create the port channel interface


S1(config-if-range)# channel-group identifier mode desirable


Example:

S1(config)# interface range f0/1 - 2
S1(config-if-range)# channel-group 1 mode desirable
Creating a port-channel interface Port-channel 1
S1(config-if-range)# no shut


S2(config)# interface range f0/1 - 2
S2(config-if-range)# channel-group 1 mode auto
Creating a port-channel interface Port-channel 1
S2(config-if-range)# no shut

122

23.3 Verify EtherChannel


S1# show etherchannel summary

S1# show etherchannel port-channel

123

S1# show interface port-channel channel-number

S1# show interfaces interface etherchannel

S1# show run | begin interface port channel


124

24 Point-to-Point Connections

24.1 Configure HDLC Encapsulation




Cisco HDLC (cHDLC) is the default encapsulation method used by Cisco devices on synchronous serial
lines. If connecting non-Cisco devices, use synchronous PPP.

24.2 Verify a Serial Interface



125


126

24.3 Configure PPP Encapsulation


R1(config)# interface serial 0/0/0


R1(config-if)# encapsulation ppp


24.3.1 PPP Compression

R1(config)# interface serial 0/0/0


R1(config-if)# encapsulation ppp
R1(config-if)# compress [ predictor | stac ]

127


24.3.2 Link Quality Monitoring

R1(config)# interface serial 0/0/0
R1(config-if)# encapsulation ppp
R1(config-if)# ppp quality 80



The ppp quality percentage command ensures that the link meets the quality requirement set;
otherwise, the link closes down.

Disable LQM:
R1(config-if)# no ppp quality



128


24.3.3 Multilink PPP

Step 1: Create a multilink bundle.
The interface multilink number command creates the multilink interface.
In interface configuration mode, an IP address is assigned to the multilink interface.
The interface is enabled for multilink PPP.
The interface is assigned a multilink group number.

Step 2: Assign interfaces to the multilink bundle. Each interface that is part of the multilink group:
Is enabled for PPP encapsulation.
Is enabled for multilink PPP.
Is bound to the multilink bundle using the multilink group number configured in Step 1.


To disable PPP multilink, use the no ppp multilink command.


129


24.3.4 PPP Authentication

To specify the order in which the CHAP or PAP protocols are requested on the interface, use the ppp
authentication interface configuration command, as shown in the figure. Use the no form of the
command to disable this authentication.

PAP:

CHAP:

130

24.4 Verify PPP Configuration/Encapsulation


131


Turn off debug mode:

R1# undebug all

132

(short: un all or u all )

25 Frame Relay

25.1 Basic Frame Relay Configuration




Step 1: Set the IP address on the interface


Step 2: Configure encapsulation


encapsulation frame-relay [cisco | ietf]

The cisco encapsulation type is the default Frame Relay encapsulation enabled on supported

interfaces. Use this option if connecting to another Cisco router.
Use the ietf encapsulation option if connecting to a non-Cisco router.

Step 3: Set the bandwidth

Step 4: Set the LMI type (optional)


Verify configuration: show interfaces serial



133

25.2 Configure a Static Frame Relay Map


R1(config-if)# frame-relay map protocol protocol-address dlci [broadcast] [ietf]


[cisco]


Use the keyword ietf when connecting to a non-Cisco router.


Verify:

134


A primary tool of Frame Relay is Inverse Address Resolution Protocol (ARP). Whereas ARP translates
Layer 3 IPv4 addresses to Layer 2 MAC addresses, Inverse ARP does the opposite. The corresponding
Layer 3 IPv4 addresses must be available before VCs can be used.
An example of using static address mapping is a situation in which the router at the other side of the
Frame Relay network does not support dynamic Inverse ARP for a specific network protocol. To
provide connectivity, a static mapping is required to complete the remote network layer address to
local DLCI resolution.
Another example is on a hub-and-spoke Frame Relay network. Use static address mapping on the
spoke routers to provide spoke-to-spoke reachability. Because the spoke routers do not have direct
connectivity with each other, dynamic Inverse ARP would not work between them. Dynamic Inverse
ARP relies on the presence of a direct point-to-point connection between two ends. In this case,
dynamic Inverse ARP only works between hub and spoke, and the spokes require static mapping to
provide reachability to each other.


Verify:

135

25.3 Configure Point-to-Point Subinterfaces



Subinterfaces address the limitations of Frame Relay networks by providing a way to subdivide a
partially meshed Frame Relay network into a number of smaller, fully meshed, or point-to-point,
subnetworks. Each subnetwork is assigned its own network number and appears to the protocols as if
it were reachable through a separate interface.

Example:


136

25.4 Local Management Interface (LMI)



Basically, the LMI is a keepalive mechanism that provides status information about Frame Relay
connections between the router (DTE) and the Frame Relay switch (DCE). Every 10 seconds or so, the
end device polls the network, either requesting a dumb sequenced response or channel status
information. If the network does not respond with the requested information, the user device may
consider the connection to be down. When the network responds with a FULL STATUS response, it
includes status information about DLCIs that are allocated to that line. The end device can use this
information to determine whether the logical connections are able to pass data.


Display the LMI type:



Starting with the Cisco IOS software Release 11.2, the default LMI autosense feature detects the LMI
type supported by the directly connected Frame Relay switch. Based on the LMI status messages it
receives from the Frame Relay switch, the router automatically configures its interface with the
supported LMI type acknowledged by the Frame Relay switch. If it is necessary to set the LMI type, use
the frame-relay lmi-type [cisco | ansi | q933a] interface configuration command.
Configuring the LMI type disables the autosense feature.


137

25.5 Verify Frame Relay



Use the show frame-relay pvc [interface interface] [dlci] command to view PVC and
traffic statistics.



After the statistics are gathered, use the clear counters command to reset the statistics counters.


138


To clear dynamically created Frame Relay maps that are created using Inverse ARP, use the clear
frame-relay inarp command.

To confirm whether the frame-relay inverse-arp command resolved a remote IPv4 address to a
local DLCI, use the show frame-relay map command to display the current map entries:



When an Inverse ARP request is made, the router updates its map table with three possible PVC
connection states:

ACTIVE - Indicates a successful end-to-end (DTE to DTE) circuit.
INACTIVE - Indicates a successful connection to the switch (DTE to DCE) without a DTE detected
on the other end of the PVC. This can occur due to incorrect configuration on the switch.
DELETED - Indicates that the DTE is configured for a DLCI that the switch does not recognize as
valid for that interface.

139

25.6 Troubleshoot Frame Relay



Use the debug frame-relay lmi command to determine whether the router and the Frame Relay
switch are sending and receiving LMI packets properly.



LMI exchange messages:

out is an LMI status message sent by the router.
in is a message received from the Frame Relay switch.
A full LMI status message is a type 0.
An LMI exchange is a type 1.
dlci 102, status 0x2 means that the status of DLCI 102 is active.

The possible values of the status field are as follows:

0x0 - The switch has this DLCI programmed, but for some reason it is not usable. The reason could
possibly be the other end of the PVC is down.
0x2 - The Frame Relay switch has the DLCI and everything is operational.
0x4 - The Frame Relay switch does not have this DLCI programmed for the router, but that it was
programmed at some point in the past. This could also be caused by the DLCIs being reversed on
the router, or by the PVC being deleted by the service provider in the Frame Relay cloud.


140

26 PPPoE Client Configuration for DSL



1.

To create a PPP tunnel, the configuration uses a dialer interface. A dialer interface is a virtual
interface. The PPP configuration is placed on the dialer interface, not the physical interface. The
dialer interface is created using the interface dialer number command. The client can
configure a static IP address, but will more likely be automatically assigned a public IP address by
the ISP.


2.

The PPP CHAP configuration usually defines one-way authentication; therefore, the ISP
authenticates the customer. The hostname and password configured on the customer router must
match the hostname and password configured on the ISP router. Notice in the figure that the
CHAP username and password match the settings on the ISP router.


3.

The physical Ethernet interface that connects to the DSL modem is then enabled with the
command pppoe enable that enables PPPoE and links the physical interface to the dialer
interface. The dialer interface is linked to the Ethernet interface with the dialer pool and
pppoe-client commands, using the same number. The dialer interface number does not have to
match the dialer pool number.


4.

The maximum transmission unit (MTU) should be set down to 1492, versus the default of 1500, to
accommodate the PPPoE headers.


R1(config)# interface dialer 2
R1(config-if)# encapsulation ppp
R1(config-if)# ip address negotiated
R1(config-if)# ppp chap hostname Fred
R1(config-if)# ppp chap password Barney
R1(config-if)# ip mtu 1492
R1(config-if)# dialer pool 1
R1(config-if)# no shutdown
R1(config-if)# interface g0/1
R1(config-if)# no ip address
R1(config-if)# pppoe enable
R1(config-if)# pppoe-client dial-pool-number 1
R1(config-if)# no shutdown
R1(config-if)# exit

141

27 Virtual Private Networks (VPNs)


27.1 GRE Tunnel



GRE is used to create a VPN tunnel between two sites.

27.1.1 Configure GRE Tunnel

Step 1: Create a tunnel interface using the interface tunnel number command.

Step 2: Specify the tunnel source IP address.

Step 3: Specify the tunnel destination IP address.

Step 4: Configure an IP address for the tunnel interface.

Step 5: (Optional) Specify GRE tunnel mode as the tunnel interface mode. GRE tunnel mode is the

default tunnel interface mode for Cisco IOS software.

142


27.1.2 Verify GRE Tunnel

To determine whether the tunnel interface is up or down, use the show ip interface brief
command; to verify the state of a GRE tunnel, use the show interface tunnel command.


If OSPF has also been configured to exchange routes over the GRE tunnel, verify that an OSPF
adjacency has been established over the tunnel interface using the show ip ospf neighbor
command.

143

28 Monitoring the Network


28.1 Syslog

28.1.1 Service Timestamp

To enhance real-time debugging and management, log messages can be time-stamped and the source
address of syslog messages can be set.

To display the amount of time since the device last booted on logged events, enter:

R1(config)# service timestamps log uptime


Force each logged event to display the date and time associated with the event (more useful):

R1(config)# service timestamps log datetime


When using the datetime keyword, the clock on the networking device must be set. This can be
accomplished in one of two ways:

Manually set, using the clock set command
Automatically set, using the Network Time Protocol (NTP):


A network device can be configured as either an NTP server, thereby allowing other devices to
synchronize off of its time, or as an NTP client.

144


28.1.2 Default Logging

By default, Cisco routers and switches send log messages for all severity levels to the console. On some
IOS versions, the device also buffers log messages by default. To enable these two settings, use the
following commands:

R1(config)# logging console


R1(config)# logging buffered



The show logging command displays the default logging service settings on a Cisco router:


28.1.3 Syslog Severity Level


145


28.1.4 Configure Syslog

Step 1: Configure the destination hostname or IP address of the syslog server:

R1(config)# logging 192.168.1.3


Step 2: Control the messages that will be sent to the syslog server with the logging trap level
global configuration mode command.
For example, to limit the messages to levels 4 and lower (0 to 4), use one of the two equivalent
commands:

R1(config)# logging trap 4
R1(config)# logging trap warning


Step 3: Optionally, configure the source interface with the logging source-interface
interface-type interface number global configuration mode command.
This specifies that syslog packets contain the IPv4 or IPv6 address of a specific interface,
regardless of which interface the packet uses to exit the router.
For example, to set the source interface to g0/0, use the following command:

R1(config)# logging source-interface g0/0



A loopback interface is created, then shut down, and then brought back up. The console output reflects
these actions.
The only messages that appear on the syslog server are those with severity level of 4 or lower (more
severe).
The messages with severity level of 5 or higher (less severe) appear on the router console output, but
do not appear on the syslog server output.


146


28.1.5 Verify Syslog

Use the show logging command to view any messages that are logged. When the logging buffer is
large, it is helpful to use the pipe option (|) with the show logging command. The pipe option allows
to specifically state which messages should be displayed.

E.g. issuing the show logging | include changed state to up command ensures that only
interface notifications stating that the interface has changed to state up will be displayed.

Issuing the show logging | begin June 12 22:35 command displays the contents of the logging
buffer that occurred on or after June 12.

147

28.2 Simple Network Management (SNMP)



28.2.1 Configure SNMP

Step 1: (Required) Configure the community string and access level (read-only or read-write) with the
snmp-server community string ro | rw command.

Step 2: (Optional) Document the location of the device using the snmp-server location text
command.

Step 3: (Optional) Document the system contact using the snmp-server contact text command.

Step 4: (Optional) Restrict SNMP access to NMS hosts (SNMP managers) that are permitted by an ACL:
define the ACL and then reference the ACL with the snmp-server community string
access-list-number-or-name command. This command can be used both to specify a
community string and to restrict SNMP access via ACLs. Step 1 and Step 4 can be combined into
one step, if desired; the Cisco networking device combines the two commands into one if they
are entered separately.

Step 5: (Optional) Specify the recipient of the SNMP trap operations with the snmp-server host
host-id [version{1| 2c | 3 [auth | noauth | priv]}] community-string
command. By default, no trap manager is defined.

Step 6: (Optional) Enable traps on an SNMP agent with the snmp-server enable traps
notification-types command. If no trap notification types are specified in this command,
then all trap types are sent. Repeated use of this command is required if a particular subset of
trap types is desired.



By default, SNMP does not have any traps set. Without this command, SNMP managers must poll for all
relevant information.


148


28.2.2 Verify SNMP

To verify the SNMP configuration, use any of the variations of the show snmp privileged EXEC mode
command. The most useful command is simply the show snmp command, as it displays the
information that is commonly of interest when examining the SNMP configuration.



The show snmp command output does not display information relating to the SNMP community string
or, if applicable, the associated ACL.
Using the show snmp community command, the SNMP community string and ACL information will be
displayed:


149

28.3 NetFlow

28.3.1 Configure NetFlow

Step 1: Configure NetFlow data capture - NetFlow captures data from ingress (incoming) and egress
(outgoing) packets.

Step 2: Configure NetFlow data export - The IP address or hostname of the NetFlow collector must be
specified and the UDP port to which the NetFlow collector listens.

Step 3: Verify NetFlow, its operation and statistics - After configuring NetFlow, the exported data can
be analyzed on a workstation running an appropriate application. Minimally, one can rely on
the output from a number of show commands on the router itself.



A NetFlow flow is unidirectional. This means that one user connection to an application exists as two
NetFlow flows, one for each direction. To define the data to be captured for NetFlow in interface
configuration mode:
Capture NetFlow data for monitoring incoming packets on the interface using the ip flow
ingress command.
Capture NetFlow data for monitoring outgoing packets on the interface using the ip flow
egress command.

To enable the NetFlow data to be sent to the NetFlow collector, there are several items to configure on
the router in global configuration mode:
NetFlow collectors IP address and UDP port number - Use the ip flow-export
destination ip-address udp-port command. Some common UDP ports allocated are 99,
2055, and 9996.
(Optional) NetFlow version to follow when formatting the NetFlow records sent to the
collector - Use the ip flow-export version version command. NetFlow exports data in
one of five formats (1, 5, 7, 8, and 9). Version 9 is the most versatile export data format, but not
backward compatible. Version 1 is the default version, it should be used only when it is the
only NetFlow data export format version that is supported by the NetFlow collector software.
(Optional) Source interface to use as the source of the packets sent to the collector - Use the ip
flow-export source typenumber command.


150


28.3.2 Verify NetFlow

To display a summary of the NetFlow accounting statistics, as well as which protocol uses the highest
volume of the traffic, and to see between which hosts this traffic flows, use the show ip cache flow
command.



The output at the top of the display confirms that the router is collecting data. The first highlighted
entry lists a count of 178,617 packets monitored by NetFlow. The end of the output shows statistics
about three flows, the highlighted one corresponding to an active HTTPS connection between the
NetFlow collector and R1. It also shows the source port (SrcP) and destination port (DstP) in
hexadecimal. (Hexadecimal 01BB is equal to decimal 443, the well-known TCP port for HTTPS.)

Significant fields in the flow switching cache lines:


151


Significant fields in the activity by protocol lines:


Significant fields in the NetFlow record lines:

152


Although the output of the show ip cache flow command confirms that the router is collecting
data, to ensure that NetFlow is configured on the correct interfaces in the correct directions, use the
show ip flow interface command:



To check the configuration of the export parameters, use the show ip flow export command.



The first highlighted line shows that NetFlow is enabled with Version 5 export format. The last
highlighted lines show that 1764 flows have been exported in the form of 532 UDP datagrams to the
NetFlow collector at 192.168.1.3 via port 2055.


153

29 Troubleshooting the Network


29.1 Data Collection for Documentation



When documenting the network, it is often necessary to gather information directly from routers and
switches. Obvious useful network documentation commands include ping, traceroute, and telnet
as well as the following show commands:

The show ip interface brief and show ipv6 interface brief commands are used to
display the up or down status and IP address of all interfaces on a device.
The show ip route and show ipv6 route commands are used to display the routing table
in a router to learn the directly connected neighbors, more remote devices (through learned
routes), and the routing protocols that have been configured.
The show cdp neighbor detail command is used to obtain detailed information about
directly connected Cisco neighbor devices.

The following table lists some of the most common Cisco IOS commands used for data collection:


154

29.2 Gather Symptoms


155

29.3 Troubleshooting IP Connectivity



29.3.1 Step 1: Verify the Physical Layer

The most commonly used IOS commands for this purpose are show processes cpu, show memory,
and show interfaces.


29.3.2 Step 2: Check for Duplex Mismatches


156


29.3.3 Step 3: Verify Layer 2 and Layer 3 Addressing on the Local Network

Verify mappings between destination IP addresses and Layer 2 Ethernet addresses on the PC:


Verify the neighbor table on the Cisco IOS router:



A switch forwards a frame only to the port where the destination is connected. To do this, the switch
consults its MAC address table. The MAC address table lists the MAC address connected to each port.


157


Example: Missing default gateway on PC


Example: VLAN mismatch

158


29.3.4 Step 4: Verify Default Gateway

Missing IPv4 gateway:



R1 has a default route via router R2, but notice the ipconfig command reveals the absence of an IPv6
global unicast address and an IPv6 default gateway.



Using the show ipv6 interface GigabitEthernet 0/0 command , it can be seen that although
the interface has an IPv6 address, it is not a member of the All-IPv6-Routers multicast group FF02::2.
This means the router is not sending out ICMPv6 RAs on this interface.


159


29.3.5 Step 5: Verify Correct Path



To verify that the current IPv6 path matches the desired path to reach destinations, use the show ipv6
route command on a router to examine the routing table.


160


29.3.6 Step 6: Verify the Transport Layer

Two of the most common issues that affect transport layer connectivity include ACL configurations
and NAT configurations. A common tool for testing transport layer functionality is the Telnet utility.

Successful Telnet connection:


Testing the transport layer over IPv6 using port 80 (HTTP) from a PC:


Successul router Telnet connection over IPv6:


Testing the transport layer over IPv6 using port 80 (HTTP) from a router:

161


29.3.7 Step 7: Verify ACLs



Use the show ipv6 access-list and show ipv6 interfaces command to show the contents of all
IPv6 ACLs configured on a router.

29.3.8 Step 8: Verify DNS

When you configure DNS on the device, you can substitute the hostname for the IP address:
Use the ip host command to enter name to IPv4 mapping to the switch or router. The ipv6 host
command is used for the same mappings using IPv6.



To display the name-to-IP-address mapping information on the Windows-based PC, use the nslookup
command.

162

30 IOS Images & Licensing


30.1 Display the IOS Image



30.1.1 IOS 12.4 Software Image Name


30.1.2 IOS 15.2 Software Image Name


The memory location can include f (flash), m (RAM), r (ROM) or l (relocatable).
The compression format can be either z (zip) or x (mzip).



163

30.2 IOS Backup



Step 1: Ensure that there is access to the network TFTP server. Ping the TFTP server to test
connectivity.



Step 2: Verify that the TFTP server has sufficient disk space to accommodate the Cisco IOS Software
image. Use the show flash0: command on the router to determine the size of the Cisco IOS
image file.


Step 3: Copy the image to the TFTP server using the copy source-url destination-url
command.


(Copy an image from a TFTP server:)


164

30.3 Select Boot System



To upgrade to the copied IOS image after that image is saved on the router's flash memory, configure
the router to load the new image during bootup using the boot system command. Save the
configuration. Reload the router to boot the router with new image.


Specify the flash device as the source of the Cisco IOS image:

R1(config)# boot system flash0://c1900-universalk9-mz.SPA.152-4.M3.bin


Specify the TFTP server as a source of Cisco IOS image:

R1(config)# boot system tftp://c1900-universalk9-mz.SPA.152-4.M3.bin


If there are no boot system commands in the configuration, the router defaults to loading the first
valid Cisco IOS image in flash memory and running it.


After the router has booted, to verify the new image has loaded, use the show version command.

165

30.4 IOS Licensing



30.4.1 Install an IOS License


Step 1: Purchase the software package or feature to install.

Step 2: Obtain a license.



Step 3: Install the license.

Use the license install stored-location-url privileged exec mode command to install a
license file. Then reload the router using the privileged exec command reload.



166


30.4.2 License verification



Use the show license feature command to view the technology package licenses and feature
licenses supported on the router.


167


30.4.3 Activate an Evaluation Right-To-Use License

An Evaluation license is good for a 60 day evaluation period. After the 60 days, this license
automatically transitions into an Evaluation Right-To-Use license (RTU). These licenses are available
on the honor system and require the customers acceptance of the EULA.

30.4.4 Backup a License



The license save command is used to copy all licenses in a device and store them in a format
required by the specified storage location.

The command to back up a copy of the licenses on a device is:

R1# license save file-sys://lic-location


Use the show flash0: command to verify that the licenses have been saved.


Saved licenses are restored by using the license install command.


168


30.4.5 Uninstall a License

Step 1: Disable the technology package.

Disable the active license with the command:

R1(config)# license boot module module-name technology-package package-name
disable


Reload the router using the reload command. A reload is required to make the software package
inactive.



Step 2: Clear the license.

Clear the technology package license from license storage:

R1# license clear feature-name

Clear the license boot module module-name technology-package package-name disable command
used for disabling the active license:

R1(config)# no license boot module module-name technology-package package-name
disable



Some licenses, such as built-in licenses, cannot be cleared. Only licenses that have been added by using
the license install command are removed. Evaluation licenses are not removed.


169

170

171

IOS Shortcuts

Down Arrow / Ctrl-N

Scroll forward through former commands

Up Arrow / Ctrl-P

Scroll backward through former commands

Tab

Completes the remainder of a partially typed command or keyword

Help lists possible choices, subcommands or missing parameters

Ctrl-A

Moves to the beginning of the line

Ctrl-E

Moves to the end of the line

Ctrl-R

Redisplays a line

Ctrl-Z

Exits the configuration mode and returns to privileged EXEC mode

Ctrl-C

Exits the configuration mode or aborts the current command

Ctrl-Shift-6

Interrupt an IOS process such as ping or traceroute

172