CCNA Routing and Switching: Scaling Networks Practice and Study Guide ICND2 200-101 (Instructor's Version)

CCNA Routing and Switching
Practice and Study Guide:

Exercises, Activities, and Scenarios to Prepare
for the ICND2 (200-101) Certification Exam
Instructors Answer Key
Allan Johnson
Cisco Press
800 East 96th Street
Indianapolis, Indiana 46240 USA
instructor.indb i 3/12/14 7:51 AM

ii CCNA Routing and Switching Practice and Study Guide
Publisher
CCNA Routing and Switching Practice and Paul Boger
Study Guide: Associate Publisher
Dave Dusthimer
Exercises, Activities, and Scenarios to Prepare
for the ICND2 (200-101) Certification Exam Business Operation Manager,
Cisco Press
Jan Cornelssen
Instructors Answer Key
Allan Johnson Executive Editor
Mary Beth Ray
Copyright 2014 Cisco Systems, Inc.
Managing Editor
Cisco Press logo is a trademark of Cisco Systems, Inc. Sandra Schroeder
Published by: Senior Development Editor

Cisco Press Christopher Cleveland
800 East 96th Street
Project Editor
Indianapolis, IN 46240 USA
Mandie Frank
All rights reserved. No part of this book may be reproduced or transmitted in any
Copy Editor
form or by any means, electronic or mechanical, including photocopying, record- Keith Cline
ing, or by any information storage and retrieval system, without written permis-
sion from the publisher, except for the inclusion of brief quotations in a review. Technical Editor
Steve Stiles
Printed in the United States of America
Editorial Assistant
First Printing April 2014 Vanessa Evans
ISBN-13: 978-0-13-381341-8 Designer
Mark Shirar
ISBN-10: 0-13-381341-X
Composition
Tricia Bronkella
Warning and Disclaimer
Proofreader
This book is designed to provide information about networking. Every effort has Sarah Kearns
been made to make this book as complete and as accurate as possible, but no war-
ranty or fitness is implied.
The information is provided on an as is basis. The authors, Cisco Press, and
Cisco Systems, Inc. shall have neither liability nor responsibility to any person or
entity with respect to any loss or damages arising from the information contained
in this book or from the use of the discs or programs that may accompany it.
The opinions expressed in this book belong to the author and are not necessarily
those of Cisco Systems, Inc.
instructor.indb ii 3/12/14 7:51 AM

iii
Trademark Acknowledgments
All terms mentioned in this book that are known to be trademarks or service marks have been
appropriately capitalized. Cisco Press or Cisco Systems, Inc. cannot attest to the accuracy of
this information. Use of a term in this book should not be regarded as affecting the validity of
any trademark or service mark.
Special Sales
For information about buying this title in bulk quantities, or for special sales opportunities
(which may include electronic versions; custom cover designs; and content particular to your
business, training goals, marketing focus, or branding interests), please contact our corporate
sales department at corpsales@pearsoned.com or (800) 382-3419.
For government sales inquiries, please contact governmentsales@pearsoned.com.
For questions about sales outside the U.S., please contact international@pearsoned.com.
Feedback Information
At Cisco Press, our goal is to create in-depth technical books of the highest quality and value.
Each book is crafted with care and precision, undergoing rigorous development that involves
the unique expertise of members from the professional technical community.
Readers feedback is a natural continuation of this process. If you have any comments regard-
ing how we could improve the quality of this book, or otherwise alter it to better suit your
needs, you can contact us through email at feedback@ciscopress.com. Please make sure to
include the book title and ISBN in your message.
We greatly appreciate your assistance.
instructor.indb iii 3/12/14 7:51 AM

iv CCNA Routing and Switching Practice and Study Guide
About the Author

Allan Johnson entered the academic world in 1999 after 10 years as a business owner/opera-
tor to dedicate his efforts to his passion for teaching. He holds both an MBA and an M.Ed in
Occupational Training and Development. He is an information technology instructor at Del
Mar College in Corpus Christi, Texas. In 2003, Allan began to commit much of his time and
energy to the CCNA Instructional Support Team, providing services to Networking Academy
instructors worldwide and creating training materials. He now works full time for Cisco
Networking Academy as a Learning Systems Developer.
instructor.indb iv 3/12/14 7:51 AM

v
About the Technical Reviewer

Steve Stiles is a Cisco Network Academy Instructor for Rhodes State College and a Cisco
Certified Instructor Trainer, having earned CCNA Security and CCNP level certifications. He
was the recipient of the 2012 Outstanding Teacher of the Year by the Ohio Association of
Two-Year Colleges and co-recipient for the Outstanding Faculty of the Year at Rhodes State
College.
instructor.indb v 3/12/14 7:51 AM

vi CCNA Routing and Switching Practice and Study Guide
Dedication
For my wife, Becky. Without the sacrifices you made during the project, this work would
not have come to fruition. Thank you providing me the comfort and resting place only you
can give.
Allan Johnson
instructor.indb vi 3/12/14 7:51 AM

vii
Acknowledgments
When I began to think of whom I would like to have as a technical editor for this work, Steve
Stiles immediately came to mind. With his instructor and industry background, and his excel-
lent work building activities for the new Cisco Networking Academy curriculum, he was an
obvious choice. Thankfully, when Mary Beth Ray contacted him, he was willing and able to do
the arduous review work necessary to make sure that you get a book that is both technically
accurate and unambiguous.
The Cisco Network Academy authors for the online curriculum and series of Companion
Guides take the reader deeper, past the CCENT exam topics, with the ultimate goal of not only
preparing the student for CCENT certification, but for more advanced college-level technology
courses and degrees, as well. Thank you especially to Amy Gerrie and her team of authors
Rick Graziani, Wayne Lewis, and Bob Vachonfor their excellent treatment of the material; it
is reflected throughout this book.
Mary Beth Rey, Executive Editor, you amaze me with your ability to juggle multiple projects at
once, steering each from beginning to end. I can always count on you to make the tough deci-
sions.
This is my seventh project with Christopher Cleveland as development editor. His dedication to
perfection pays dividends in countless, unseen ways. Thank you again, Chris, for providing me
with much-needed guidance and support. This book could not be a reality without your persis-
tence.
instructor.indb vii 3/12/14 7:51 AM

viii CCNA Routing and Switching Practice and Study Guide
Contents at a Glance
Introduction xvi
Part I: Scaling Networks
Chapter 1 Introduction to Scaling Networks 1
Chapter 2 LAN Redundancy 13
Chapter 3 Link Aggregation 31
Chapter 4 Wireless LANs 41
Chapter 5 Adjust and Troubleshoot Single-Area OSPF 57
Chapter 6 Multiarea OSPF 77
Chapter 7 EIGRP 87
Chapter 8 EIGRP Advanced Configurations and Troubleshooting 109
Chapter 9 IOS Images and Licensing 127
Part II: Connecting Networks
Chapter 10 Hierarchical Network Design 137
Chapter 11 Connecting to the WAN 147
Chapter 12 Point-to-Point Connections 155
Chapter 13 Frame Relay 171
Chapter 14 Network Address Translation for IPv4 181
Chapter 15 Broadband Solutions 193
Chapter 16 Securing Site-to-Site Connectivity 203
Chapter 17 Monitoring the Network 213
Chapter 18 Troubleshooting the Network 223
instructor.indb viii 3/12/14 7:51 AM

ix
Contents
Introduction xvi
Chapter 1 Introduction to Scaling Networks 1

Implementing a Network Design 2
Hierarchical Network Design 2
Identify Scalability Terminology 6
Selecting Network Devices 7
Selecting Switch Hardware 7
Selecting Router Hardware 8
Managing Devices 8
Basic Router Configuration Review 9
Basic Router Verification Review 10
Basic Switch Configuration Review 10
Basic Switch Verification Review 11
Chapter 2 LAN Redundancy 13

Spanning-Tree Concepts 14
Draw a Redundant Topology 14
Purpose of Spanning Tree 15
Spanning-Tree Operation 15
Identify the 802.1D Port Roles 17
Varieties of Spanning Tree Protocols 20
Comparing the STP Varieties 20
PVST+ Operation 21
Rapid PVST+ Operation 22
Spanning-Tree Configuration 23
PVST+ and Rapid PVST+ Configuration 23
First Hop Redundancy Protocols 26
Identify FHRP Terminology 27
Identify the Type of FHRP 28
HSRP and GLBP Configuration and Verification 28
Chapter 3 Link Aggregation 31

Link Aggregation Concepts 32
EtherChannel Advantages 32
EtherChannel Operation 32
instructor.indb ix 3/12/14 7:51 AM

x CCNA Routing and Switching Practice and Study Guide
Link Aggregation Configuration 33

Configuring EtherChannel 34
EtherChannel Configuration Scenario 1 34
Verifying and Troubleshooting EtherChannel 35
Chapter 4 Wireless LANs 41

Wireless LAN Concepts 42
Identify Wireless Technologies 42
WLANs Components and Topologies 44
Wireless LAN Operations 45
Label the 802.11 Frame 45
Wireless Media Contention 48
Associating with an AP 50
Channel Management Concepts 52
Wireless LAN Security 53
WLAN Security Terminology 53
Identify the WLAN Security Characteristics 54
Wireless LAN Configuration 54
Configuring WLAN Routers and Clients 54
Troubleshooting WLAN Issues 55
Chapter 5 Adjust and Troubleshoot Single-Area OSPF 57

Advanced Single-Area OSPF Configurations 58
Single-Area OSPF Configuration Review 58
Configuring Single-Area OSPFv2 58
Verifying Single-Area OSPFv2 59
Configuring Single-Area OSPFv3 59
Verifying Single-Area OSPFv3 61
Identify Network Types 62
OSPF and Multi-Access Networks 63
OSPF and Multi-Access Networks Completion Exercise 63
DR/BDR Election Exercise 65
Redistributing an OSPF Default Route Exercise 67
OSPFv2 Default Route Redistribution 67
OSPFv3 Default Route Redistribution 68
Fine-Tuning OSPF Interfaces 69
Securing OSPFv2 with MD5 Authentication 69
Troubleshooting Single-Area OSPF Implementations 71
OSPF Adjacency Issues 71
Identify OSPFv2 Troubleshooting Commands 71
Identify OSPFv3 Troubleshooting Commands 74
instructor.indb x 3/12/14 7:51 AM

xi
Chapter 6 Multiarea OSPF 77

Multiarea OSPF Operation 78
Multiarea OSPF Terminology and Concepts 78
Multiarea OSPF LSA Operation 79
OSPF Routing Table and Types of Routes 79
Configuring Multiarea OSPF 80
Configuring Multiarea OSPF 80
Configuring Route Summarization for Multiarea OSPFv2 83
Verifying Multiarea OSPF 85
Chapter 7 EIGRP 87
Characteristics of EIGRP 88
Describe Basic EIGRP Features 88
Identify and Describe EIGRP Packet Types 88
Identify Elements of the EIGRP Message Formats 89
Configuring EIGRP for IPv4 94
Configuring EIGRP with IPv4 94
Verifying EIGRP with IPv4 97
Operation of EIGRP 99
EIGRP Metric Concepts 99
DUAL Concepts Exercise 100
DUAL FSM Completion Exercise 102
Configuring EIGRP for IPv6 104
Comparing EIGRP for IPv4 and EIGRP for IPv6 104
Configuring and Verifying EIGRP for IPv6 105
Chapter 8 EIGRP Advanced Configurations and Troubleshooting 109

Advanced EIGRP Configurations 110
Automatic Summarization 110
Manual Summarization 112
IPv4 Manual Summarization 113
IPv6 Manual Summarization 115
Default Route Propagation 116
Fine-Tuning EIGRP Interfaces 118
Securing EIGRP Routing Updates 120
Troubleshoot EIGRP 121
Commands for Troubleshooting EIGRP 121
Troubleshoot EIGRP Connectivity Issues 122
Connectivity Issue #1 122
instructor.indb xi 3/12/14 7:51 AM

xii CCNA Routing and Switching Practice and Study Guide
Chapter 9 IOS Images and Licensing 127

Managing IOS System Files 128
IOS Families, Trains, and Naming Conventions 128
Backing Up Cisco IOS Images 131
IOS Licensing 132
Software Licensing 132
License Verification and Management 133
Chapter 10 Hierarchical Network Design 137

Hierarchical Network Design Overview 138
Enterprise Network Campus Design 138
Hierarchical Network Design 138
Cisco Enterprise Architecture 139
Modular Network Design 139
Cisco Enterprise Architecture Model 140
Evolving Network Architectures 144
Cisco Enterprise Architectures 144
Emerging Network Architectures 144
Chapter 11 Connecting to the WAN 147

WAN Technologies Overview 148
Network Types and Their Evolving WAN Needs 148
WAN Operations and Terminology 149
Selecting a WAN Technology 151
Varieties of WAN Link Connections 151
Private and Public WAN Access Options 152
Chapter 12 Point-to-Point Connections 155

Serial Point-to-Point Overview 156
Serial Communications 156
WAN Protocols 158
HDLC Encapsulation 158
HDLC Configuration and Troubleshooting 159
Troubleshooting Serial Interfaces 159
PPP Operation 160
PPP Components 160
PPP Sessions 162
instructor.indb xii 3/12/14 7:51 AM

xiii
Configure PPP 165

Basic PPP Configuration with Options 165
PPP Authentication 167
PAP Configuration 168
CHAP Configuration 168
Troubleshoot WAN Connectivity 168
Chapter 13 Frame Relay 171

Introduction to Frame Relay 172
Frame Relay Concepts and Terminology 172
Frame Relay Operation 173
Configure Frame Relay 176
Configure Basic Frame Relay 176
Configure Subinterfaces 177
Troubleshoot Connectivity 178
Chapter 14 Network Address Translation for IPv4 181

NAT Operation 181
NAT Characteristics 181
Configuring NAT 183
Configuring Static NAT 183
Configuring Dynamic NAT 184
Configuring Port Address Translation 185
A Word About Port Forwarding 189
Configuring NAT and IPv6 189
Troubleshooting NAT 190
Chapter 15 Broadband Solutions 193

Teleworking 194
Benefits of Teleworking 194
Costs of Teleworking 194
Business Requirements for Teleworker Services 194
Comparing Broadband Solutions 195
Cable 195
DSL 197
Broadband Wireless 199
Selecting Broadband Solutions 200
Configuring xDSL Connectivity 200
PPPoE Overview 200
Configuring PPPoE 201
instructor.indb xiii 3/12/14 7:51 AM

xiv CCNA Routing and Switching Practice and Study Guide
Chapter 16 Securing Site-to-Site Connectivity 203

VPNs 204
Fundamentals of VPNs 204
Types of VPNs 204
Site-to-Site GRE Tunnels 205
Fundamentals of Generic Routing Encapsulation 205
Configuring GRE Tunnels 206
Introducing IPsec 208
Internet Protocol Security 208
IPsec Framework 208
Remote Access 210
Remote-Access VPN Solutions 210
IPsec Remote-Access VPNs 211
Chapter 17 Monitoring the Network 213

Syslog 214
Syslog Operation 214
Configuring Syslog 215
SNMP 215
SNMP Operation 215
Configuring SNMP 218
NetFlow 219
NetFlow Operation 220
Configuring NetFlow 220
Chapter 18 Troubleshooting the Network 223

Troubleshooting with a Systematic Approach 224
Network Documentation 224
Troubleshooting Process and Methodologies 227
Network Troubleshooting 230
Troubleshooting Tools 231
Network Troubleshooting and IP Connectivity 232
instructor.indb xiv 3/12/14 7:51 AM

xv
Icons Used in This Book
DSU/CSU
Router Bridge Hub DSU/CSU
Catalyst Multilayer ATM ISDN/Frame Relay

Switch Switch Switch Switch
Communication Gateway Access Server

Server
Command Syntax Conventions

The conventions used to present command syntax in this book are the same conventions used
in the IOS Command Reference. The Command Reference describes these conventions as
follows:
Boldface indicates commands and keywords that are entered literally as shown. In actual
configuration examples and output (not general command syntax), boldface indicates
commands that are manually input by the user (such as a show command).
Italics indicate arguments for which you supply actual values.
Vertical bars (|) separate alternative, mutually exclusive elements.
Square brackets [ ] indicate optional elements.
Braces { } indicate a required choice.
Braces within brackets [{ }] indicate a required choice within an optional element.
instructor.indb xv 3/12/14 7:51 AM

xvi CCNA Routing and Switching Practice and Study Guide
Introduction
The purpose of this book is to provide you with an extra resource for studying the exam top-
ics of the Interconnecting Cisco Networking Devices Part 2 (ICND2) exam that leads to Cisco
Certified Networking Associate (CCNA) certification. This book maps to the third and fourth
Cisco Networking Academy courses in the CCNA Routing and Switching curricula: Scaling
Networks (SN) and Connecting Networks (CN). Ideally, the reader will have completed the first
two courses: Introduction to Networks (ITN) and Routing and Switching Essentials (RSE).
SN continues where RSE left off, taking the student deeper into the architecture, components,
and operations of routers and switches in a large and complex network. Successfully completing
this course means that you should be able to configure and troubleshoot routers and switches
and resolve common issues with OSPF, EIGRP, STP, and VTP in both IPv4 and IPv6 networks.
CN pulls everything from the first three courses together as the student learns the WAN
technologies and network services required by converged applications in a complex network.
Successfully completing this course means that you should be able to configure and trouble-
shoot network devices and resolve common WAN issues and implement IPsec and virtual pri-
vate network (VPN) operations in a complex network. To learn more about CCNA Routing and
Switching courses and to find an Academy near you, visit http://www.netacad.com.
However, if you are not an Academy student but would like to benefit from the extensive
authoring done for these courses, you can buy any or all of CCNA Routing and Switching
Companion Guides (CG) and Lab Manuals (LM) of the Academys popular online curriculum.
Although you will not have access to the Packet Tracer network simulator software, you will
have access to the tireless work of an outstanding team of Cisco Academy instructors dedi-
cated to providing students with comprehensive and engaging CCNA Routing and Switching
preparation course material. The titles and ISBNs for the first two courses of the CCNA
Routing and Switching CGs and LMs are as follows:
Scaling Networks Companion Guide (ISBN: 9781587133282)
Scaling Networks Lab Manual (ISBN: 9781587133251)
Connecting Networks Companion Guide (ISBN: 9781587133329)
Connecting Networks Lab Manual (ISBN: 9781587133312)
Goals and Methods

The most important goal of this book is to help you pass the 200-101 Interconnecting Cisco
Networking Devices Part 2 (ICND2) exam, which is associated with the Cisco Certified
Network Associate (CCNA) certification. Passing the CCNA exam means that you have
the knowledge and skills required to successfully install, operate, and troubleshoot a
small branch office network. You can view the detailed exam topics any time at
http://learningnetwork.cisco.com. They are divided into five broad categories:
LAN Switching Technologies
IP Routing Technologies
IP Services
Troubleshooting
WAN Technologies
instructor.indb xvi 3/12/14 7:51 AM

xvii
This book offers exercises that help you learn the concepts, configurations, and troubleshoot-
ing skills crucial to your success as a CCNA exam candidate. Each chapter differs slightly and
includes some or all of the following types of practice:
Vocabulary-matching exercises
Concept question exercises
Skill-building activities and scenarios
Configuration scenarios
Troubleshooting scenarios
Audience for This Book

This books main audience is anyone taking the CCNA Routing and Switching courses of the
Cisco Networking Academy curriculum. Many Academies use this Practice Study Guide as a
required tool in the course, whereas other Academies recommend the Practice Study Guide as
an additional resource to prepare for class exams and the CCNA certification.
The secondary audiences for this book include people taking CCNA-related classes from pro-
fessional training organizations. This book can also be used for college- and university-level
networking courses, and by anyone wanting to gain a detailed understanding of INCD2 routing
and switching concepts.
How This Book Is Organized

Because the content of the Scaling Networks Companion Guide, the Connecting Networks
Companion Guide, and the online curriculum is sequential, you should work through this
Practice and Study Guide in order beginning with Chapter 1.
The book covers the major topic headings in the same sequence as the online curriculum. This
book has 18 chapters, their names the same as the online course chapters. However, the num-
bering is sequential in this book, progressing from Chapter 1 to Chapter 18. The online cur-
riculum starts over at Chapter 1 in the Connecting Networks course.
Most of the configuration chapters use a single topology where appropriate. This allows for
better continuity and easier understanding of routing and switching commands, operations,
and outputs. However, the topology differs from the one used in the online curriculum and the
Companion Guide. A different topology affords you the opportunity to practice your knowl-
edge and skills without just simply recording the information you find in the text.
Packet Tracer
Activity
Note: Throughout the book, you will find references to Packet Tracer and Lab activities. These refer-
ences are provided so that you can, at that point, complete those activities. The Packet Tracer activities
are accessible only if you have access to the online curriculum. However, the Labs are available in the Lab
Manuals previously cited.
Video
Demonstration
instructor.indb xvii 3/12/14 7:51 AM

xviii CCNA Routing and Switching Practice and Study Guide

Chapter 1, Introduction to Scaling Networks: This chapter provides vocabulary and
concept exercises to reinforce your understanding of hierarchical network design and
selecting hardware. You will also practice basic router and switch configuration and veri-
fication.
Chapter 2, LAN Redundancy: The exercises in this chapter cover the concepts, opera-
tions, configuration, and verification of all the current varieties of STP.
Chapter 3, Link Aggregation: This chapters exercises are devoted to the concepts,
configuration, verification, and troubleshooting of EtherChannel.
Chapter 4, Wireless LANs: This chapter is all about wireless connectivity technolo-
gies. You will complete exercises that focus on various types of wireless and the stan-
dards for 802.11. In addition, you will complete activities focused on WLAN compo-
nents, topologies, and security.
Chapter 5, Adjust and Troubleshoot Single-Area OSPF: This chapter focuses on
advanced OSPF concepts, configuration, verification, and troubleshooting.
Chapter 6, Multiarea OSPF: The CCNA exam now includes multiarea OSPF. So, this
chapter includes exercises covering multiarea OSPF concepts and configuration, verifica-
tion, and troubleshooting.
Chapter 7, EIGRP: The exercises in this chapter are devoted to the basic concepts and
configuration of Ciscos routing protocol, EIGRP for IPv4 and IPv6.
Chapter 8, EIGRP Advanced Configurations and Troubleshooting: This chapter
focuses on advanced EIGRP concepts, configuration, verification, and troubleshooting.
Chapter 9, IOS Images and Licensing: This chapter is devoted to the crucial knowl-
edge and skills you need to manage IOS images. Exercises focus on basic IOS image con-
cepts and management tasks.

Chapter 10, Hierarchical Network Design: Part II, much like Part I, starts off network
design. Exercises focus on the various types of network design models and architec-
tures.
Chapter 11, Connecting to the WAN: This chapter is a survey of all the various WAN
access options and technologies that are available for connecting todays networks. The
exercises focus on differentiating between all these WAN options.
Chapter 12, Point-to-Point Connections: One of the older, and still viable, WAN
options is PPP. Exercises in this chapter focus on the serial interface and then the con-
cepts, configuration, verification, and troubleshooting of PPP with PAP and CHAP
authentication.
Chapter 13, Frame Relay: Although some may consider Frame Relay obsolete, it is
still a viable option in depending on your location. This chapter includes exercises cover-
ing the concepts, configuration, verification, and troubleshooting of Frame Relay.
instructor.indb xviii 3/12/14 7:51 AM

xix
Chapter 14, Network Address Translation for IPv4: NAT was created to provide a
temporary solution to the limited address space in IPv4. Just about every router con-
nected to the network uses NAT or forwards traffic to a NAT-enabled device for address
translation. This chapter focuses on exercises to reinforce your understanding of NAT
operation and characteristics. Practice activities include configuring, verifying, and trou-
bleshooting static NAT, dynamic NAT, and PAT.
Chapter 15, Broadband Solutions: Working from home or away from a central office
has largely been made possible by the advent of broadband technologies and VPNs. This
exercises in this chapter help you distinguish between the various broadband offerings
on the market.
Chapter 16, Securing Site-to-Site Connectivity: VPNs allow teleworkers and branch
sites connect to the corporate network regardless of the underlying WAN access option.
The exercises in this chapter are devoted to the concepts of the various VPN solutions,
including IPsec and GRE configuration.
Chapter 17, Monitoring the Network: As a network administrator, you are more likely
to be managing a network using a variety of tools rather than designing and building
them. The exercises in this chapter cover three popular network monitoring tools: syslog,
SNMP, and NetFlow.
Chapter 18, Troubleshooting the Network: Throughout your CCNA studies, you have
practice troubleshooting skills in relation to specific technologies. This chapter reviews
troubleshooting methodologies and the tools and commands you use to troubleshoot
a network. Troubleshooting is a key skill to fine-tune now that you are close to taking
your CCNA exam.
About the Cisco Press Website for This Book

Cisco Press provides additional content that can be accessed by registering your individual
book at the ciscopress.com website. Becoming a member and registering is free, and you then
gain access to exclusive deals on other resources from Cisco Press.
To register this book, go to http://www.ciscopress.com/bookstore/register.asp and enter the
books ISBN located on the back cover of this book. Youll then be prompted to log in or join
ciscopress.com to continue registration.
After you register the book, a link to the supplemental content will be listed on your My
Registered Books page.
instructor.indb xix 3/12/14 7:51 AM

instructor.indb xx 3/12/14 7:51 AM
CHAPTER 1
Introduction to Scaling Networks
As a business grows, so does its networking requirements. To keep pace with a businesss expansion
and new emerging technologies, a network must be designed to scale. A network that scales well is not
only one that can handle growing traffic demands, but also one designed with the inevitable need to
expand. This short chapter sets the stage for the rest of the course. This chapter covers the hierarchical
network design model, the Cisco Enterprise Architecture modules, and appropriate device selections
that you can use to systematically design a highly functional network.
instructor.indb 1 3/12/14 7:51 AM

2 CCNA Routing and Switching Practice and Study Guide
Implementing a Network Design

An enterprise network must be designed to support the exchange of various types of network
traffic, including data files, email, IP telephony, and video applications for multiple business
units.
Hierarchical Network Design

Users expect enterprise networks to be up 99.999 percent of the time. To provide this kind of
reliability, enterprise class equipment uses redundant power supplies and has failover capabili-
ties.
Describe what failover capability means for enterprise class equipment.
Failover capability refers to the ability of a device to switch from a nonfunctioning module,
service, or device to a functioning one with little or no break in service.
Why should a network be organized so that traffic stays local and is not propagated unneces-
sarily on to other portions of the network?
Keeping traffic local optimizes bandwidth.
Designing a network using the three-layer hierarchical design model helps optimize the net-
work. In Figure 1-1, label the three layers of the hierarchical design model.
Figure 1-1 Hierarchical Design Model
Hierarchical Design Model
Internet Internet

Chapter 1: Introduction to Scaling Networks 3
Figure 1-1a Hierarchical Design Model (answer)
Hierarchical Design Model
Internet Internet
Core Layer
Distribution Layer
Access Layer
Briefly describe each layer of the hierarchical design model.

The access layer provides connectivity for the users. The distribution layer is used to forward
traffic from one local network to another. Finally, the core layer represents a high-speed back-
bone layer between dispersed networks.
The Cisco Enterprise Architecture divides the network into functional components while
still maintaining the core, distribution, and access layers. The primary Cisco Enterprise
Architecture modules include Enterprise Campus, Enterprise Edge, Service Provider Edge, and
Remote.
A well-designed network not only controls traffic but also limits the size of failure domains.
Briefly describe a failure domain.
A failure domain is the area of a network that is impacted when a critical device or network
service experiences problems.

Use the list of modules to label the parts of the Cisco Enterprise Architecture in Figure 1-2.
Modules
1 Campus Core
2 Remote Access & VPN
3 Building Distribution
4 Internet Connectivity
5 Building Access
6 Server Farm & Data Center
7 WAN Site-to-Site VPN
8 E-Commerce
Figure 1-2 Cisco Enterprise Architecture
Enterprise Campus Enterprise Edge Service Remote

Provider Edge
Enterprise
Branch
Campus Infrastructure Module
ISP A
ISP B Enterprise
Teleworker
PSTN
Enterprise
Data Center
Frame Relay,
ATM, MAN, ...
Network
Management

Figure 1-2a Cisco Enterprise Architecture (answer)

Provider Edge
5 Enterprise
8 Branch

ISP A
3
4
ISP B Enterprise
Teleworker
1
2
PSTN
6 Enterprise
Data Center
7
Frame Relay,
ATM, MAN, ...
Network
Management

Identify Scalability Terminology

Match the definition on the left with the term on the right. This is a one-to-one matching exercise.
Definition Terms
g. Isolates routing updates and minimizes the a. Modular equipment
size of routing tables b. OSPF
c. Cisco proprietary distance vector routing pro- c. EIGRP
tocol
d. Wireless LANs
f. Allows for redundant paths by eliminating
e. Redundancy
switching loops
f. Spanning Tree Protocol
h. Technique for aggregating multiple links
between equipment to increase bandwidth g. Scalable Routing Protocol
e. Minimizes the possibility of a single point of h. EtherChannel

failure
a. Supports new features and devices without
requiring major equipment upgrades
b. Link-state routing protocol with a two-layer
hierarchical design
d. Increases flexibility, reduces costs, and pro-
vides mobility to users

Selecting Network Devices

When designing a network, it is important to select the proper hardware to meet current network requirements
and to allow for network growth. Within an enterprise network, both switches and routers play a critical role in
network communication.
Selecting Switch Hardware

Match the business consideration on the left with the switch feature on the right. This is a one-to-one matching
exercise.
Business Consideration Switch Feature

a. Should provide continuous access to the net- a. Reliability
work b. Modular
d. Daisy-chain switches with high-bandwidth c. Power
throughput
d. Stackable
j. Refers to a switchs ability to support the
e. Frame buffers
appropriate number of devices on the network
f. Cost
h. Ability to adjust to growth of network users
g. Fixed configuration
i. How fast the interfaces will process network
data h. Scalability
e. Important consideration in a network where i. Port speed

there may be congested ports to servers or j. Port density
other areas of the network
c. Provides electrical current to other device and
support redundant power supplies
g. Switches with preset features or options
f. Depends on the number and speed of the
interfaces, supported features, and expansion
capability
b. Switches with insertable switching line/port
cards

Packet Tracer Packet Tracer - Comparing 2960 and 3560 Switches (SN 1.2.1.7/SwN 1.1.2.5)
Activity
Selecting Router Hardware

In Table 1-1, select the router category that applies to each description.
Table 1-1 Identify Router Category Features

Router Description Branch Network Service
Routers Edge Provider
Routers Routers
Fast performance with high security for data centers, X
campus, and branch networks
Simple network configuration and management for LANs X
and WANs
Optimizes services on a single platform X
End-to-end delivery of subscriber services X
Deliver next-generation Internet experiences across all X
devices and locations
High capacity and scalability with hierarchical quality of X
service
Maximizes local services and ensures 24/7/365 uptime X
Unites campus, data center, and branch networks X
Managing Devices
A basic router or switch configuration includes the hostname for identification, passwords for
security, and assignment of IP addresses to interfaces for connectivity. A router configuration
also includes basic routing.
In addition to configuration commands, router and switch verification commands are used to
verify the operational status of the router or switch and related network functionality. Use the
address scheme in Table 1-2 in the following exercises that review the most common router and
switch configuration and verification commands.
Table 1-2 Router and Switch Addressing Table

Device Interface IPv4 Address Subnet Mask Default Gateway
R1 G0/0 172.16.1.1 255.255.255.0 N/A
S0/0/0 172.16.3.1 255.255.255.252 N/A
S0/0/1 192.168.10.5 255.255.255.252 N/A
S1 VLAN 1 192.168.1.5 255.255.255.0 192.168.1.1

Basic Router Configuration Review

Using Table 1-2 and the following requirements, record the commands, including the router
prompt, to implement a basic router configuration:
Hostname is R1.
Console and Telnet lines password is cisco.
Privileged EXEC password is class.
Banner message-of-the-day.
Interface addressing.
OSPF routing, including an appropriate router ID.
Save the configuration.
Router(config)# hostname R1
R1(config)# enable secret class
R1(config)# line con 0
R1(config-line)# password cisco
R1(config-line)# login
R1(config-line)# line vty 0 15
R1(config-line)# password cisco
R1(config-line)# login
R1(config-line)# service password-encryption
R1(config)# banner motd $ Authorized Access Only! $
R1(config)# interface GigabitEthernet0/0
R1(config-if)# ip address 172.16.1.1 255.255.255.0
R1(config-if)# no shutdown
R1(config-if)# interface Serial0/0/0
R1(config-if)# interface Serial0/0/1
R1(config-if)# router ospf 10
R1(config-router)# router-id 1.1.1.1
R1(config-router)# network 172.16.1.0 0.0.0.255 area 0
R1(config-router)# do copy run start

Basic Router Verification Review

In Table 1-3, record the verification command that will generate the described output.
Table 1-3 Router Verification Commands

Command Command Output
show ip route Displays the routing table for known networks, including admin-
istrative distance, metric, and outbound interface
show ip protocols Displays information about routing protocols, including process
ID, router ID, and neighbors
show cdp neighbors Displays information about directly connected Cisco devices
show ip interface brief Displays all interfaces in an abbreviated format, including IP
address and status
show ip ospf neighbor Displays information about neighbors, including router ID, state,
IP address, and local interface that learned of neighbor
show interfaces Displays one or all interfaces, including status, bandwidth, and
duplex type
Basic Switch Configuration Review

Using Table 1-2 and the following requirements, record the commands, including the switch
prompt, to implement a basic switch configuration:
Hostname is S1.
Console and Telnet lines password is cisco.
Privileged EXEC password is class.
Banner message-of-the-day.
VLAN 1 interface addressing.
Save the configuration.
Switch(config)# hostname S1
S1(config)# enable secret class
S1(config)# line con 0
S1(config-line)# password cisco
S1(config-line)# login
S1(config-line)# line vty 0 15
S1(config-line)# password cisco
S1(config-line)# login
S1(config-line)# service password-encryption
S1(config)# banner motd $ Authorized Access Only! $
S1(config)# interface vlan 1
S1(config-if)# ip address 192.168.1.5 255.255.255.0
S1(config-if)# no shutdown
S1(config-if)# ip default-gateway 192.168.1.1
S1(config-if)# do copy run start

Basic Switch Verification Review

In Table 1-4, record the verification command that will generate the described output.
Table 1-4 Router Verification Commands

Command Command Output
show cdp neighbors Displays information about directly connected Cisco
devices
show port-security address Displays all secure MAC addresses
show mac-address-table Displays a table of learned MAC addresses, including the
port number and VLAN assigned to the port
show interfaces Displays one or all interfaces, including status, bandwidth,
and duplex type
show port-security Displays information about maximum MAC addresses
allowed, current counts, security violation count, and
action to be taken
Packet Tracer
Packet Tracer - Skills Integration Challenge (SN 1.3.1.2)
Challenge

CHAPTER 2
LAN Redundancy
Computer networks are inextricably linked to productivity in todays small and medium-sized business-
es. Consequently, IT administrators have to implement redundancy in their hierarchical networks. When
a switch connection is lost, another link needs to quickly take its place without introducing any traffic
loops. This chapter investigates how Spanning Tree Protocol (STP) logically blocks physical loops in the
network and how STP has evolved into a robust protocol that rapidly calculates which ports should be
blocked in a VLAN-based network. In addition, the chapter briefly explores how Layer 3 redundancy is
implemented through First Hop Redundancy Protocols (FHRPs).

Spanning-Tree Concepts
Redundancy increases the availability of a network topology by protecting the network from a
single point of failure, such as a failed network cable or switch. STP was developed to address
the issue of loops in a redundant Layer 2 design.
Draw a Redundant Topology

In Figure 2-1, draw redundant links between the access, distribution, and core switches. Each
access switch should have two links to the distribution layer with each link connecting to a
different distribution layer switch. Each distribution layer switch should have two links to the
core layer with each link connecting to a different core layer switch.
Figure 2-1 Redundant Topology
C1 C2 Core
Distribution
D1 D2 D3 D4
Access
S1 S2 S3 S4 S5 S6
PC1 PC2 PC3 PC4 PC5 PC6
Figure 2-1a Redundant Topology (answer)
C1 C2 Core
Distribution
D1 D2 D3 D4
Access
S1 S2 S3 S4 S5 S6
PC1 PC2 PC3 PC4 PC5 PC6

Chapter 2: LAN Redundancy 15
Purpose of Spanning Tree

STP prevents specific types of issues in a redundant topology like the one in Figure 2-1.
Specifically, three potential issues would occur if STP was not implemented. Describe each of
the following issues:
MAC database instability: Instability in the content of the MAC address table results
from copies of the same frame being received on different ports of the switch. Data for-
warding can be impaired when the switch consumes the resources that are coping with
instability in the MAC address table.
Broadcast storms: Without some loop-avoidance process, each switch may flood broad-
casts endlessly. This situation is commonly called a broadcast storm.
Multiple frame transmission: Multiple copies of unicast frames may be delivered to des-
tination stations. Many protocols expect to receive only a single copy of each transmis-
sion. Multiple copies of the same frame can cause unrecoverable errors.
You should be prepared to use a topology like Figure 2-1 to explain exactly how these three
issues would occur if STP was not implemented.
Packet Tracer
Packet Tracer - Examining a Redundant Design (SN 2.1.1.5/SwN 4.1.1.5)
Activity
Spanning-Tree Operation
Because Rapid Spanning Tree Protocol (RSTP), which is documented in IEEE 802.1D-2004,
supersedes the original STP documented in IEEE 802.1D-1998, all references to STP assume
RSTP unless otherwise indicated.
STP ensures that there is only one logical path between all destinations on the network by
intentionally blocking redundant paths that could cause a loop. A switch port is considered
blocked when network traffic is prevented from entering or leaving that port.
STP uses the spanning-tree algorithm (STA) to determine which switch ports on a network need
to be blocking to prevent loops from occurring. The STA designates a single switch as the root
bridge and uses it as the reference point for all subsequent calculations. Switches participat-
ing in STP determine which switch has the lowest bridge ID (BID) on the network. This switch
automatically becomes the root bridge.
A bridge protocol data unit (BPDU) is a frame containing STP information exchanged by
switches running STP. Each BPDU contains a BID that identifies the switch that sent the BPDU.
The lowest BID value determines which switch is root.
After the root bridge has been determined, the STA calculates the shortest path to the root
bridge. If there is more than one path to choose from, STA chooses the path with the lowest
path cost.

When the STA has determined the best paths emanating from the root bridge, it configures
the switch ports into distinct port roles. The port roles describe their relation in the network to
the root bridge and whether they are allowed to forward traffic:
Root ports: Switch ports closest to the root bridge
Designated ports: Nonroot ports that are still permitted to forward traffic on the
network
Alternate and backup ports: Ports in a blocking state to prevent loops
Disabled port: Ports that are administratively shut down
After a switch boots, it sends BPDU frames containing the switch BID and the root ID every
2 seconds. Initially, each switch identifies itself as the root bridge after boot.
How would a switch determine that another switch is now the root bridge?
If the root ID in the BPDU received from another switch is lower than the root ID on the
receiving switch, the receiving switch updates its cached root ID information to that of the
sending switch.
How does the STA determine path cost?
The path information is determined by summing up the individual egress port costs along the
path from the respective switch to the root bridge.
Record the default port costs for various link speeds in Table 2-1.
Table 2-1 Port Costs

Link Speed Cost (Revised IEEE Cost (Previous IEEE
Specification) Specification)
10 Gbps 2 1
1 Gbps 4 1
100 Mbps 19 10
10 Mbps 100 100
Although switch ports have a default port cost associated with them, the port cost is configu-
rable.
To configure the port cost of an interface, enter the spanning-tree cost value command in
interface configuration mode. The range value can be between 1 and 200,000,000.
Record the commands, including the switch prompt, to configure the port cost for F0/1 as 15:
S2(config)# interface f0/1
S2(config-if)# spanning-tree cost 15
To verify the port and path cost to the root bridge, enter the show spanning-tree privileged
EXEC mode command, as shown here:
S2# show spanning-tree
VLAN0001
Spanning tree enabled protocol ieee

Root ID Priority 32769

Address c025.5cd7.ef00
Cost 15
Port 1 (FastEthernet0/1)
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Bridge ID Priority 32769 (priority 32768 sys-id-ext 1)

Address c07b.bcc4.a980
Aging Time 15 sec
Interface Role Sts Cost Prio.Nbr Type

------------------- ---- --- --------- -------- --------------------------------
Fa0/1 Root FWD 15 128.1 P2p
Fa0/2 Altn BLK 19 128.2 P2p
Fa0/3 Desg LIS 19 128.3 P2p
Fa0/4 Desg LIS 19 128.4 P2p
Fa0/6 Desg FWD 19 128.6 P2p<output omitted>
The BID field of a BPDU frame contains three separate fields: bridge priority, extended system
ID, and MAC address.
Of these three fields, the bridge priority is a customizable value that you can use to influence
which switch becomes the root bridge. The default value for this field is 32768.
Cisco enhanced its implementation of STP to include support for the extended system ID field,
which contains the ID of the VLAN with which the BPDU is associated.
Because using the extended system ID changes the number of bits available for the bridge pri-
ority, the customizable values can only be multiples of 4096.
When two switches are configured with the same priority and have the same extended system
ID, the switch with the lowest MAC address has the lower BID.
Identify the 802.1D Port Roles

The topologies in the next three figures do not necessarily represent an appropriate network
design. However, they provide good exercise topologies for you to practice determining the
STP port roles. In Figures 2-2 through 2-4, use the priority values and MAC addresses to
determine the root bridge. Then label the ports with one of the following:
RP: Root Port
DP: Designated Port
AP: Alternate Port

Figure 2-2 802.1D Port Roles - Scenario 1
G1/1
G1/1
S1 S2
F0/1 F0/1
G1/2
G1/2
F0/1 F0/1
S3 S4
Device Priority MAC Address

S1 32769 000a:0001:1111
S2 24577 000a:0002:2222
S3 32769 000a:0003:3333
S4 32769 000a:0004:4444
Figure 2-2a 802.1D Port Roles - Scenario 1 (answer)
G1/1 Root
G1/1
S1 RP DP S2
F0/1 F0/1
G1/2
DP DP DP
AP RP
G1/2 RP
F0/1 F0/1
S3 S4

S1 32769 000a:0001:1111
S2 24577 000a:0002:2222
S3 32769 000a:0003:3333
S4 32769 000a:0004:4444
G1/1
G1/1
S1 S2
F0/1 F0/1
G1/2
G1/2
F0/1 F0/1
S3 S4

S1 24577 000a:0001:1111
S2 32769 000a:0002:2222
S3 32769 000a:0003:3333
S4 32769 000a:0004:4444

Root
G1/1
G1/1
S1 DP RP S2
F0/1 F0/1
G1/2
DP DP DP
RP RP
G1/2 AP
F0/1 F0/1
S3 S4

S1 24577 000a:0001:1111
S2 32769 000a:0002:2222
S3 32769 000a:0003:3333
S4 32769 000a:0004:4444
G1/1
G1/1
S1 S2
F0/1 F0/1
G1/2
G1/2
F0/1 F0/1
S3 S4

S1 32769 000a:0001:1111
S2 32769 000a:0002:2222
S3 24577 000a:0003:3333
S4 32769 000a:0004:4444
G1/1
G1/1
S1 DP AP S2
F0/1 F0/1
G1/2
RP RP DP
DP RP
G1/2 DP
F0/1 F0/1
S3 S4
Root
S1 32769 000a:0001:1111
S2 32769 000a:0002:2222
S3 24577 000a:0003:3333
S4 32769 000a:0004:4444

Lab Building a Switched Network with Redundant Links (SN 2.1.2.10/SwN 4.1.2.10)
Varieties of Spanning Tree Protocols

STP has been improved multiple times since its introduction in the original IEEE 802.1D speci-
fication. A network administrator should know which type to implement based on the equip-
ment and topology needs.
Comparing the STP Varieties

Identify each of the STP varieties described in the following list:
Multiple Spanning Tree Protocol (MSTP): This is an IEEE that maps multiple VLANs
into the same spanning tree instance.
Rapid Spanning Tree Protocol (RSTP) or IEEE 802.1w: This is an evolution of STP that
provides faster convergence than STP.
802.1D-2004: This is an updated version of the STP standard, incorporating IEEE
802.1w.
PVST+: This is a Cisco enhancement of STP that provides a separate 802.1D spanning
tree instance for each VLAN configured in the network.
Rapid PVST+: This is a Cisco enhancement that provides a separate instance of 802.1w
per VLAN.
STP: This is the original IEEE 802.1D version (802.1D-1998 and earlier) that provides a
loop-free topology in a network with redundant links.
Complete the cells in Table 2-2 to identify each the characteristics of each STP variety.
Table 2-2 STP Characteristics - Exercise 1

Protocol Standard Resources Needed Convergence Tree Calculation
STP 802.1D Low Slow All VLANs
PVST+ Cisco High Slow Per VLAN
RSTP 802.1w Medium Fast All VLANs
Rapid PVST+ Cisco Very high Fast Per VLAN
MSTP 802.1s, Cisco Medium or high Fast Per instance
In Table 2-3, indicate which varieties of STP are best described by the characteristic. Some
characteristics apply to more than one STP variety.

Table 2-3 STP Characteristics - Exercise 2

Characteristic STP PVST+ RSTP Rapid MSTP MST
PVST+
A Cisco implementation of 802.1s that X
provides up to 16 instances of RSTP.
Cisco enhancement of RSTP. X
The default STP mode for Cisco Catalyst X
switches.
Has the highest CPU and memory X
requirements.
Can lead to suboptimal traffic flows. X X
Cisco proprietary versions of STP. X X X
Cisco enhancement of STP. Provides a X
separate 802.1D spanning-tree instance
for each VLAN.
There is only 1 root bridge and 1 tree. X X
Uses 1 IEEE 802.1D spanning-tree X
instance for the entire bridged network,
regardless of the number of VLANs.
Supports PortFast, BPDU guard, BPDU X X
filter, root guard, and loop guard.
An evolution of STP that provides faster X
STP convergence.
Maps multiple VLANs that have the X
same traffic flow requirements into the
same spanning-tree instance.
First version of STP to address conver- X
gence issues, but still provided only one
STP instance.
PVST+ Operation
After a switch boots, the spanning tree is immediately determined as ports transition through
five possible states and three BPDU timers on the way to convergence. Briefly describe each
state:
Blocking: The port is an alternate port and does not participate in frame forwarding. The
port continues to process received BPDU frames to determine the location and root ID
of the root bridge and what port role the switch port should assume in the final active
STP topology.
Listening: STP has determined that the port can be selected as a root port or designated
port based upon the information in the BPDU frames it has received so far. At this point,
the switch port is not only receiving BPDU frames, it is also transmitting its own BPDU
frames and informing adjacent switches that the switch port is preparing to participate
in the active topology. The port returns to blocking state if it is determined that the port
does not provide the lowest cost path to the root bridge.

Learning: The port prepares to participate in frame forwarding and begins to populate
the MAC address table.
Forwarding: The port is considered part of the active topology and forwards frames and
also sends and receives BPDU frames.
Disabled: The Layer 2 port does not participate in spanning tree and does not forward
or process frames. The switch port is administratively disabled.
Once stable, every active port in the switched network is either in the forwarding state or the
blocking state.
List and briefly describe the four steps PVST+ performs for each VLAN to provide a loop-free
logical topology.
Step 1. Elects one root bridge: The root bridge is the switch with the lowest bridge ID.
Step 2. Selects the root port on each nonroot bridge: STP establishes one root port on each
nonroot bridge. The root port is the lowest-cost path from the nonroot bridge to the
root bridge.
Step 3. Selects the designated port on each segment: The designated port is selected on the
switch that has the lowest-cost path to the root bridge.
Step 4. The remaining ports in the switched network are alternate ports: Alternate ports
normally remain in the blocking state, to logically break the loop topology.
In Table 2-4, answer the Operation Allowed question with yes or no for each port state.
Table 2-4 Operations Allowed at Each Port State

Operation Allowed Port State
Blocking Listening Learning Forwarding Disabled
Can receive and process BPDUs Yes Yes Yes Yes No
Can forward data frames No No No Yes No
received on interface
Can forward data frames No No No Yes No
switched from another interface
Can learn MAC addresses No No Yes Yes No
Rapid PVST+ Operation

RSTP (IEEE 802.1w) is an evolution of the original 802.1D standard and is incorporated into
the IEEE 802.1D-2004 standard. Rapid PVST+ is the Cisco implementation of RSTP on a per-
VLAN basis. What is the primary difference between Rapid PVST+ and RSTP?
With Rapid PVST+, an independent instance of RSTP runs for each VLAN.
Briefly describe the RSTP concept that corresponds to the PVST+ PortFast feature.
RSTP identifies those ports that can be considered edge ports that are directly connected to
an end device. Because edge ports are not connected to another switch, they can immediately
transition to the forwarding state.

What command implements Ciscos version of an edge port?

spanning-tree portfast
In Table 2-5, indicate whether the characteristic describes PVST+, Rapid PVST+, or both.
Table 2-5 Comparing PVST+ and Rapid PVST+

Characteristic PVST+ Rapid PVST+ Both
Cisco proprietary protocol. X
Port roles: root, designated, alternate, edge, backup. X
CPU processing and trunk bandwidth usage is greater than X
with STP.
Ports can transition to forwarding state without relying on a X
timer.
The root bridge is determined by the lowest BID + VLAN ID X
+ MAC.
Runs a separate IEEE 802.1D STP instance for each VLAN. X
Possible to have load sharing with some VLANS forwarding X
on each trunk.
Sends a BPDU hello message every 2 seconds. X
Spanning-Tree Configuration
It is crucial to understand the impact of a default switch configuration on STP convergence and
what configurations can be applied to adjust the default behavior.
PVST+ and Rapid PVST+ Configuration

Complete Table 2-6 to show the default spanning-tree configuration for a Cisco Catalyst 2960
series switch.
Table 2-6 Default Switch Configuration

Feature Default Setting
Enable state Enabled on VLAN 1
Spanning-tree mode PVST+
Switch priority 32768
Spanning-tree port priority 128
(configurable on a per-interface basis)
Spanning-tree port cost 1000 Mbps: 4
(configurable on a per-interface basis)
100 Mbps: 19
10 Mbps: 100
Spanning-tree VLAN port priority 128
(configurable on a per-VLAN basis)

Feature Default Setting

Spanning-tree VLAN port cost 1000 Mbps: 4
(configurable on a per-VLAN basis)
100 Mbps: 19
10 Mbps: 100
Spanning-tree timers Hello time: 2 seconds
Forward-delay time: 15 seconds
Maximum-aging time: 20 seconds
Transmit hold count: 6 BPDUs
Document the two different configuration commands that you can use to configure the bridge
priority value so that the switch is root for VLAN 1. Use the value 4096 when necessary:
S1(config)# spanning-tree vlan 1 root primary
!or
S1(config)# spanning-tree vlan 1 priority 4096
Record the command to verify that the local switch is now root:
S1# show spanning-tree
VLAN0001
Spanning tree enabled protocol ieee
Root ID Priority 24577
Address 000A.0033.3333
This bridge is the root
Bridge ID Priority 24577 (priority 24576 sys-id-ext 1)

Address 0019.aa9e.b000
Aging Time 300
Interface Role Sts Cost Prio.Nbr Type

---------------- ---- --- --------- -------- --------------------------------
Fa0/1 Desg FWD 4 128.1 Shr
Fa0/2 Desg FWD 4 128.2 Shr
Explain the purpose of the BPDU guard feature on Cisco switches.

The BPDU guard feature protects the spanning tree from recalculations that might occur if a
BPDU is received on an edge port because it connected to a switch.

What command interface configuration command enables BPDU guard?

spanning-tree bpduguard enable
What global configuration command will configure all nontrunking ports as edge ports?
spanning-tree portfast default
What global configuration command will configure BPDU guard on all PortFast-enabled
ports?
spanning-tree portfast bpduguard default
The power of PVST+ is that it can load balance across redundant links. By default, the least-
favored redundant link is not used. So, you must manually configure PVST+ to use the link.
Figure 2-5 represents a small section of Figure 2-1, showing only two distribution layer switch-
es and one access layer switch. For this example, we have attached PC2 to S1. PC1 is assigned
to VLAN 15, and PC2 is assigned to VLAN 25. D1 should be the primary root for VLAN 1
and VLAN 15 and the secondary root for VLAN 25. D2 should be the primary root for VLAN
25 and the secondary root for VLAN 15.
Figure 2-5 PVST+ Configuration Topology
Root for VLAN 15 Root for VLAN 25
D1 D2
S1
PC1 PC2
VLAN 15 VLAN 25
Based on these requirements, document the commands to modify the default PVST+ operation
on D1 and D2.
D1 commands
D1(config)# spanning-tree vlan 1 root primary
D1(config)# spanning-tree vlan 25 root secondary
D2 commands
D2(config)# spanning-tree vlan 15 root secondary

Document the commands to configure all nontrunking ports on S1 as edge ports with BPDU
guard enabled.
S1(config)# spanning-tree portfast default
S1(config)# spanning-tree portfast bpduguard default
Now, assume that you want to run rapid PVST+ on all three switches. What command is
required?
spanning-tree mode rapid-pvst
Lab - Configuring Rapid PVST+, PortFast, and BPDU Guard (SN 2.3.2.3/SwN 4.3.2.3)
Packet Tracer - Configuring PVST+ (SN 2.3.1.5/SwN 4.3.1.5)

Packet Tracer
Activity
Packet Tracer
Packet Tracer - Configuring Rapid PVST+ (SN 2.3.2.2/SwN 4.3.2.2)
Activity
First Hop Redundancy Protocols

Up to this point, weve been reviewing STP and how to manipulate the election of root bridges
and load balance across redundant links. In addition to Layer 1 and Layer 2 redundancy, a
high-availability network might also implement Layer 3 redundancy by sharing the default
gateway responsibility across multiple devices. Through the use of a virtual IP address, two
Layer 3 devices can share the default gateway responsibility. The section reviews First Hop
Redundancy Protocols (FHRPs) that provide Layer 3 redundancy.

Identify FHRP Terminology

Match the definition on the left with the terms on the right. This is a one-to-one matching exercise.
Definitions Terms
b. The ability to dynamically recover from the a. Default gateway
failure of a device acting as the default gate- b. First-hop redundancy
way
c. Forwarding router
h. Two or more routers sharing a single MAC and
d. Redundancy rrotocol
IP address
e. Standby router
c. A device that is part of a virtual router group
assigned to the role of default gateway f. Virtual IP address
d. Provides the mechanism for determining which g. Virtual MAC address

router should take the active role in forwarding h. Virtual router
traffic
a. A device that routes traffic destined to net-
work segments beyond the source network
segment
e. A device that is part of a virtual router group
assigned the role of alternate default gateway
f. A Layer 3 address assigned to a protocol
that shares the single address among multiple
devices
g. The Layer 2 address returned by ARP for an
FHRP gateway

Identify the Type of FHRP

In Table 2-7, indicate whether the characteristic describes HSRP, VRRP, or GLBP.
Table 2-7 FHRP Characteristics

FHRP Characteristic HSRP VRRP GLBP
Used in a group of routers for selecting an active device and a stand- X
by device.
A nonproprietary election protocol that allows several routers on a X
multi-access link to use the same virtual IPv4 address.
Cisco-proprietary FHRP protocol designed to allow for transparent X
failover of a first-hop IPv4 devices.
Cisco-proprietary FHRP protocol that protects data traffic from a X
failed router or circuit while also allowing load sharing between a
group of redundant routers.
One router is elected as the virtual router master, with the other rout- X
ers acting as backups in case the virtual router master fails.
HSRP and GLBP Configuration and Verification

Refer to the topology in Figure 2-6. R2 has been configured for HSRP group 20, priority 120,
IP address 192.168.1.20, and virtual IP address 192.168.1.1.
Figure 2-6 HSRP and GLBP Configuration Topology
Core
R2 Virtual IP R1
192.168.1.20 192.168.1.1 192.168.1.10
Example 2-1 shows the HSRP configuration for R2.
Example 2-1 R2 HSRP Configuration
R2# show run interface g0/1

<output omitted>
interface GigabitEthernet0/1
ip address 192.168.1.20 255.255.255.0
standby 20 ip 192.168.1.1
standby 20 priority 120
<output omitted>

Using the information in Example 2-1, document the commands to configure R1 as the HSRP
active router in group 20 using a priority of 210.

R1(config-if)#standby 20 ip 192.168.1.1
R1(config-if)#standby 20 priority 210
What command would generate the following output to verify the HSRP configuration?
R1# show standby brief

P indicates configured to preempt.
|
Interface Grp Pri P State Active Standby Virtual IP
Gi0/1 20 210 Active local 192.168.1.20 192.168.1.1
Now assume that all HSRP configurations have been removed. R2 has been configured for
GLBP group 20, priority 120, IP address 192.168.1.20, and virtual IP address 192.168.1.1.
Example 2-2 shows the GLBP configuration for R2.
Example 2-2 R2 GLBP Configuration
R2# show run interface g0/1

<output omitted>
ip address 192.168.1.20 255.255.255.0
glbp 20 ip 192.168.1.1
glbp 20 priority 120
<output omitted>
Using the information in Example 2-2, document the commands to configure R1 to be in GLBP
group 20 using a priority of 210.

R1(config-if)# glbp 20 ip 192.168.1.1
R1(config-if)# glbp 20 priority 210
What command would generate the following output to verify the GLBP configuration?
R1# show glbp

GigabitEthernet0/0 - Group 20
State is Active
1 state change, last state change 00:03:05
Virtual IP address is 192.168.1.1

Hello time 3 sec, hold time 10 sec

Next hello sent in 1.792 secs
Redirect time 600 sec, forwarder timeout 14400 sec
Preemption disabled
Active is local
Standby is 192.168.1.20, priority 120 (expires in 9.024 sec)
Priority 210 (configured)
Weighting 100 (default 100), thresholds: lower 1, upper 100
Load balancing: round-robin
Group members:
0006.f671.db58 (192.168.1.10) local
0006.f671.eb38 (192.168.1.20)
There are 2 forwarders (1 active)
Forwarder 1
State is Active
1 state change, last state change 00:02:53
MAC address is 0007.b400.0a01 (default)
Owner ID is 0006.f671.db58
Redirection enabled
Preemption enabled, min delay 30 sec
Active is local, weighting 100
Forwarder 2
State is Listen
MAC address is 0007.b400.0a02 (learnt)
Owner ID is 0006.f671.eb38
Redirection enabled, 599.040 sec remaining (maximum 600 sec)
Time to live: 14399.040 sec (maximum 14400 sec)
Preemption enabled, min delay 30 sec
Active is 192.168.1.20 (primary), weighting 100 (expires in 9.312 sec)
Lab - Configuring HSRP and GLBP (SN 2.4.3.4/SwN 4.4.3.4)

CHAPTER 3
Link Aggregation
Link aggregation is the ability to create one logical link using multiple physical links between two
devices. This allows load sharing among the physical links, rather than having a STP block one or more
of the links.

Link Aggregation Concepts

One of the best ways to reduce the time it takes for STP convergence is to simply avoid STP.
EtherChannel is a form of link aggregation used in switched networks.
EtherChannel Advantages
EtherChannel technology was originally developed by Cisco as a technique of grouping several
Fast Ethernet or Gigabit Ethernet switch ports into one logical channel.
List at least three advantages to using EtherChannel:
Most configuration tasks can be done on the EtherChannel interface instead of on each
individual port.
EtherChannel relies on existing switch ports. No need to upgrade.
Load balancing takes place between links that are part of the same EtherChannel.
EtherChannel creates an aggregation that is seen as one logical link. Where there is only
one EtherChannel link, all physical links in the EtherChannel are active because STP sees
only one (logical) link.
EtherChannel provides redundancy because the overall link is seen as one logical con-
nection. Assuming at least one physical link is present; the EtherChannel remains
functional, even if its overall throughput decreases because of a lost link within the
EtherChannel.
EtherChannel Operation
You can configure EtherChannel as static or unconditional. However, there are also two proto-
cols that can be used to configure the negotiation process: Port Aggregation Protocol (PAgP
Cisco proprietary) and Link Aggregation Control Protocol (LACPIEEE 802.3ad).
These two protocols ensure that both sides of the link have compatible configurationssame
speed, duplex setting, and VLAN information. The modes for each differ slightly.
For PAgP, briefly describe each of the following modes:
On: This mode forces the interface to channel without PAgP.
Desirable: The interface initiates negotiations with other interfaces by sending PAgP
packets.
Auto: The interface responds to the PAgP packets that it receives, but does not initiate
PAgP negotiation.
For LACP, briefly describe each of the following modes:
On: This mode forces the interface to channel without LACP.
Active: The interface initiates negotiations with other interfaces by sending LACP
packets.
Passive: The interface responds to the LACP packets that it receives, but does not initi-
ate LACP negotiation.
In Table 3-1, indicate the mode that is described.

Chapter 3: Link Aggregation 33
Table 3-1 PAgP and LACP Modes

Mode PAgP and/or LACP Mode Description
Active Initiates LACP negotiations with other interfaces.
On Forces EtherChannel state without PAgP or LACP initiated negotiations.
Auto Places an interface in a passive, responding state. Does not initiate PAgP
negotiations.
Desirable Actively initiates PAgP negotiations with other interfaces.
Passive Places an interface in a passive, responding state. Does not initiate LACP
negotiations.
The mode that is configured on each side of the EtherChannel link determines whether
EtherChannel will be operational.
In Table 3-2, two switches are using PAgP. Indicate with yes or no whether EtherChannel is
established.
Table 3-2 EtherChannel Negotiation Using PAgP

Switch 1 Mode Switch 2 Mode EtherChannel Established?
Auto Auto No
Auto Desirable Yes
On Desirable No
On Off No
Desirable Desirable Yes
In Table 3-3, two switches are using LACP. Indicate with yes or no whether EtherChannel is
established.
Table 3-3 EtherChannel Negotiation Using LACP

Switch 1 Mode Switch 2 Mode EtherChannel Established?
Passive On No
Passive Active Yes
On On Yes
Passive Passive No
On Active No
Link Aggregation Configuration

EtherChannel configuration is rather straightforward once you decide on which protocol you
will use. In fact, the easiest method is to just force both sides to be on.

Configuring EtherChannel
To configure EtherChannel, complete the following steps:
Step 1. Specify the interfaces that, participate in the EtherChannel group using the interface
range interface command.
What are the requirements for each interface before they can form an EtherChannel?
All interfaces must support EtherChannel, be configured with the same speed and
duplex settings, support the same VLAN or be configured as a trunk, and share the
same range of allowed VLANs on trunks.
Step 2. Create the port channel interface with the channel-group identifier mode {on | auto
| desirable | active | passive} command in interface range configuration mode. The
keyword on forces the port to channel without PAgP or LACP. The keywords auto
and desirable enable PAgP. The keywords active and passive enable LACP.
Step 3. The channel-group command automatically creates a port channel interface using
the identifier as the number. Use the interface port-channel identifier command to
configure channel-wide settings like trunking, native VLANs, or allowed VLANs.
As you can see from the configuration steps, the way you specify whether to use PAgP, LACP,
or no negotiations is by configuring one keyword in the channel-group command.
So, with those steps in mind, consider Figure 3-1 in each of the following configuration scenarios.
Figure 3-1 EtherChannel Topology
Fa0/1
S1 S2
Fa0/2
EtherChannel Configuration Scenario 1

Record the commands, including the switch prompt, to configure the S1 Fa0/1 and Fa0/2 into an
EtherChannel without negotiations. Then force the channel to trunking using native VLAN 99.
S1(config)# interface range fa0/1-2

S1(config-range-if)# channel-group 1 mode on
S1(config-range-if)# interface port-channel 1
S1(config-if)# switchport mode trunk
S1(config-if)# switchport trunk native vlan 99

Record the commands, including the switch prompt, to configure the S1 Fa0/1 and Fa0/2 into
an EtherChannel using PAgP. S1 should initiate the negotiations. The channel should trunk,
allowing only VLANs 1, 10, and 20.

S1(config-range-if)# channel-group 1 mode desirable
S1(config-if)# switchport trunk allowed vlan 1,10,20


Record the commands, including the switch prompt, to configure the S1 Fa0/1 and Fa0/2 into
an EtherChannel using LACP. S1 should not initiate the negotiations. The channel should trunk,
allowing all VLANs.

S1(config-range-if)# channel-group 1 mode passive
Lab - Configuring EtherChannel (SN 3.2.1.4/SwN 5.2.1.4)
Packet Tracer - Configuring EtherChannel (SN 3.2.1.3/SwN 5.2.1.3)

Packet Tracer
Activity
Verifying and Troubleshooting EtherChannel

Record the commands used to display the output in Example 3-1.
Example 3-1 EtherChannel Verification Commands

S1# show interface port-channel1
Port-channel1 is up, line protocol is up (connected)
Hardware is EtherChannel, address is 0cd9.96e8.8a01 (bia 0cd9.96e8.8a01)
MTU 1500 bytes, BW 200000 Kbit/sec, DLY 100 usec,
reliability 255/255, txload 1/255, rxload 1/255
<output omitted>
S1# show etherchannel summary

Flags: D - down P - bundled in port-channel
I - stand-alone s - suspended
H - Hot-standby (LACP only)
R - Layer3 S - Layer2
U - in use f - failed to allocate aggregator
M - not in use, minimum links not met

u - unsuitable for bundling
w - waiting to be aggregated
d - default port
Number of channel-groups in use: 1

Number of aggregators: 1

Group Port-channel Protocol Ports

------+-------------+-----------+-----------------------------------------------
1 Po1(SU) LACP Fa0/1(P) Fa0/2(P)
S1# show etherchannel port-channel

Channel-group listing:
----------------------
Group: 1
----------
Port-channels in the group:
---------------------------
Port-channel: Po1 (Primary Aggregator)
------------
Age of the Port-channel = 0d:00h:25m:17s

Logical slot/port = 2/1 Number of ports = 2
HotStandBy port = null
Port state = Port-channel Ag-Inuse
Protocol = LACP
Port security = Disabled
Ports in the Port-channel:
Index Load Port EC state No of bits

------+------+------+------------------+-----------
0 00 Fa0/1 Active 0
0 00 Fa0/2 Active 0
Time since last port bundled: 0d:00h:05m:41s Fa0/2

Time since last port Un-bundled: 0d:00h:05m:48s Fa0/2
S1# show interfaces f0/1 etherchannel

Port state = Up Mstr Assoc In-Bndl
Channel group = 1 Mode = Active Gcchange = -
Port-channel = Po1 GC = - Pseudo port-channel = Po1
Port index = 0 Load = 0x00 Protocol = LACP
Flags: S - Device is sending Slow LACPDUs F - Device is sending fast LACPDUs.

A - Device is in active mode. P - Device is in passive mode.

Local information:
LACP port Admin Oper Port Port
Port Flags State Priority Key Key Number State
Fa0/1 SA bndl 32768 0x1 0x1 0x102 0x3D
Partner's information:
LACP port Admin Oper Port Port

Port Flags Priority Dev ID Age key Key Number State
Fa0/1 SA 32768 0cd9.96d2.4000 4s 0x0 0x1 0x102 0x3D
Age of the port in the current state: 0d:00h:24m:59s

S1#
When troubleshooting an EtherChannel issue, keep in mind the configuration restrictions for
interfaces that participate in the channel. List at least four restrictions.
All ports must be in the same VLANs or configured as trunks.
Trunking mode must be the same for each side of the channel.
Allowed VLANs on trunks must be the same for both sides.
Both sides of the channel must be configured with compatible PAgP or LACP dynamic
negotiation options.
The link speed and duplex setting must match.
Refer to the output for S1 and S2 in Example 3-2. Record the command that generated the
output.
Example 3-2 Troubleshooting an EtherChannel Issue
S1# show etherchannel summary

Flags: D - down P - bundled in port-channel
I - stand-alone s - suspended
H - Hot-standby (LACP only)
R - Layer3 S - Layer2
U - in use f - failed to allocate aggregator
M - not in use, minimum links not met
u - unsuitable for bundling
w - waiting to be aggregated
d - default port
Number of channel-groups in use: 1
Number of aggregators: 1
Group Port-channel Protocol Ports
------+-------------+-----------+-----------------------------------------------
1 Po1(SD) - Fa0/1(D) Fa0/2(D)
S1# show run | begin interface Port-channel

interface Port-channel1
switchport mode trunk
!
interface FastEthernet0/1
channel-group 1 mode auto
!
!
<output omitted>
S 1#
S2# show run | begin interface Port-channel
interface Port-channel1
!
!
!
<output omitted>
S2#
Explain why the EtherChannel between S1 and S2 is down.

Both sides of the link are set to the PAgP auto mode, which means that the interface will listen
for PAgP packets but will not initiate negotiations. Neither side initiates negotiation, so the
channel is down.
EtherChannel and spanning tree must interoperate. For this reason, the order in which
EtherChannel-related commands are entered is important. To correct this issue, you must first
remove the port channel. Otherwise, spanning-tree errors cause the associated ports to go into
blocking or errdisabled state. With that in mind, what would you suggest to correct the issue
shown in Example 3-2 if the requirement is to use PAgP? What commands would be required?
Remove the port channel 1 interface, and then configure the interfaces to use desirable mode.
This can be done on one or both switches.
S1(config)# no interface Port-channel 1

S1(config)# interface range f0/1 - 2
S1(config-if-range)# channel-group 1 mode desirable

S1(config-if-range)# interface Port-channel 1

S2(config)# no interface Port-channel 1
S2(config)# interface range f0/1 - 2
S2(config-if-range)# channel-group 1 mode desirable
S2(config-if-range)# no shutdown
S2(config-if-range)# interface Port-channel 1
Lab - Troubleshooting EtherChannel (SN 3.2.2.4/SwN 5.2.2.4)
Packet Tracer - Troubleshooting EtherChannel (SN 3.2.2.3/SwN 5.2.2.3)

Packet Tracer
Activity
Packet Tracer - Skills Integration Challenge (SN 3.3.1.2/SwN 5.3.1.2)

CHAPTER 4
Wireless LANs
Wireless networks are becoming increasingly ubiquitous. If you have a router at home, chances are it
supports a wireless LAN (WLAN). In the work environment, WLANs provide the ability to connect
from any location at any time within the campus network. WLANs use radio frequencies that present
some unique design and implementation considerations. This chapter reviews WLAN technology, com-
ponents, security, planning, implementation, and troubleshooting.

Wireless LAN Concepts

Wireless access can result in increased productivity and more relaxed employees. With wire-
less networking, employees have the flexibility to work when they want, where they want. This
section reviews basic wireless concepts and components.
Identify Wireless Technologies

When referring to communication networks, the term wireless encompasses a wide variety
of technologies. Although the focus for the CCNA student is on WLANs, you should also be
aware of the basic features of other wireless technologies and applications. In Table 4-1, indi-
cate the wireless technology described by each feature.
Table 4-1 Identify the Wireless Technology

Wireless Technology Feature Bluetooth Wi-Fi WiMax Cellular Satellite
Clear line of sight required X
IEEE 802.16 X
IEEE 802.15 X
Uses 2G, 3G, and 4G variations X
Supports speeds up to 1 Gbps X
Provides mobile broadband connectivity X
Supports download speeds up to 10 X
Mbps
Supports speeds up to 5 Mbps X
Distance transmissions of up to 300 X
meters
Requires directional dish aligned with X
GEO device
Supports speeds up to 24 Mbps X
Transmission distances of up to 30 miles X
(50 km)
Distance transmissions of up to 100 X
meters
Supports speeds up to 7 Gbps X
IEEE 802.11 X
WLANs standards began in 1997 with the first 802.11 specification. Subsequent revisions have
increased the speed and changed the frequency. As the standard rapidly evolved, it became
important to maintain backward compatibility so that devices would still be able to connect to
newer and faster access points.
In Table 4-2, all the current flavors of 802.11 are listed in chronological order. For each one,
indicate the maximum speed, frequency or frequencies, and with what earlier versions the
specification is compatible (if any).

Chapter 4: Wireless LANs 43
Table 4-2 Comparing the WLAN Standards

IEEE Standard Maximum Speed Frequency Backward Compatibility
With
802.11 2 Mbps 2.4 GHz None
802.11a 54 Mbps 5 GHz None
802.11b 11 Mbps 2.4 GHz None
802.11g 54 Mbps 2.4 GHz 802.11b
802.11n 600 Mbps 2.4 GHz and 5 GHz 802.11a/b/g
802.11ac 1.3 Gbps 5 GHz 802.11a/n
802.11ad 7 Gbps 2.4 GHz, 5 GHz, and 60 GHz 802.11a/b/g/n/ac
Using your completed Table 4-2, indicate in Table 4-3 the frequencies at which each standard
operates.
Table 4-3 WLAN Standards and Frequencies

2.4 GHz (UHF) 5 GHz (SFH) 60 GHz (EHF)
802.11a 802.11a X 802.11a
802.11b X 802.11b 802.11b
802.11g X 802.11g 802.11g
802.11n X 802.11n X 802.11n
802.11ac 802.11ac X 802.11ac
802.11ad X 802.11ad X 802.11ad X
As a network technician, you should be aware of other wireless applications that could poten-
tially cause problems with your WLAN implementations. In Table 4-4, indicate the frequency
for each wireless application. Some applications may use more than one frequency.
Table 4-4 Wireless Application Frequencies

Wireless Application 2.4 GHz (UHF) 5 GHz (SHF) 60 GHz (EHF)
Cellular broadband X
Radar landing systems X
GPS systems X
Radio astronomy X X
Bluetooth X
Satellite communications X
Microwave communications X
In Table 4-5, indicate whether the feature describes LANs or WLANs.

Table 4-5 Comparing LANs and WLANs

WLAN or LAN Feature 802.3 LANs 802.11 WLANs
Collision detection (CSMA/CD). X
Cables are used to interconnect devices. X
Additional laws and regulations in local areas may apply. X
Allows for device mobility. X
Signal interference is normally not a problem. X
Collision avoidance (CSMA/CA). X
Connects to an Ethernet switch. X
Radio frequencies (RFs) are used to interconnect devices. X
Connects to an access point. X
Provides for better security. X
WLANs Components and Topologies

Today, all laptops, tablets, and smartphones include an integrated wireless NIC. However, desk-
top computers usually do not. In a home or small office network, it might not be desirable or
feasible to run cabling to a desktop. In such situations, you can easily install a wireless network
interface card (NIC) to provide connectivity.
Wireless NICs associate (and possibly authenticate) with an access point (AP). Briefly explain
the difference between an autonomous AP and controller-based AP.
Autonomous APs are standalone devices configured using the Cisco CLI or a GUI.
Autonomous APs are useful in situations where only a couple of APs are required in the net-
work. A home router is a good example of an autonomous AP. Controller-based APs are server-
dependent devices that require no initial configuration, but are automatically configured and
managed by a WLAN controller.
Two or more autonomous APs can be combined into a cluster to ease management require-
ments. What four conditions must be met before a cluster can be formed:
Clustering mode is enabled on the APs.
The APs joining the cluster have the same cluster name.
The APs are connected on the same network segment.
The APs use the same radio mode.
Briefly explain the two main 802.11 wireless topologies:
Ad hoc mode: When two devices connect wirelessly without the aid of an infrastructure
device, such as a wireless router or AP. Examples include Bluetooth and Wi-Fi Direct.
Infrastructure mode: When wireless clients interconnect via a wireless router or AP,
such as in WLANs. APs connect to the network infrastructure using the wired distribu-
tion system (DS), such as Ethernet.

In Figure 4-1, label the two wireless topologies with either infrastructure mode or ad hoc
mode.
Figure 4-1 WLAN Topologies
The topology on the left shows an example of infrastructure mode. The topology on the right
shows an example of ad hoc mode.
Infrastructure mode uses two topology building blocks: a basic service set (BSS) and an
extended service set (ESS). Briefly describe each and how they interrelate.
A BSS consists of a single AP interconnecting all associated wireless clients. When a single BSS
provides insufficient RF coverage, two or more BSSs can be joined through a common distri-
bution system (DS) into an ESS.
Lab - Investigating Wireless Implementations (SN 4.1.2.10/SwN 8.1.2.10)
Wireless LAN Operations

WLAN operations have similar structures and concepts to Ethernets 802.3. 802.11 uses a
frame format similar to 802.3, but with more fields. 802.11 uses a collision detection system
similar to Ethernets carrier sense multiple access collision detect (CSMA/CD). However,
Ethernet does not have to worry about finding, authenticating, and associating with an AP. Nor
does Ethernet have to worry about managing channels on the wireless radio frequencies. This
section reviews the 802.11 frame, CSMA/CA, AP association, and channel management.
Label the 802.11 Frame

In Figure 4-2, label each field in the 802.11 frame.

Figure 4-2 802.11 Frame Format
Header Payload FCS
Figure 4-2a 802.11 Frame Format (answer)
Header Payload FCS
Frame Sequence
Duration Address1 Address2 Address3 Address4
Control Control
Power
Protocol Frame Frame More More
ToDS FromDS Retry Manage- Security Reserved
Version Type Subtype Fragments Data
ment

Match the subfield description on the left with the subfield on the right. This is a one-to-one matching exercise.
Subfield Description Subfield
e. Indicates whether encryption/authentication is a. Protocol version
being used b. Frame subtype
b. Identifies the frame as either a management, c. FromDS
control, or data frame
d. Power management
d. Active or power-save mode status of the send-
e. Security
ing device
a. Specifies which 802.11 protocols is being used
c. Indicates to an associated AP client that data
is exiting a DS (distributed system)

Wireless Media Contention

A wireless device operates in a half-duplex, shared media environment. So, a wireless device
must also sense the carrier because multiple devices have accesscarrier sense multiple access
(CSMA). However, unlike half-duplex Ethernet operations, a wireless device that is sending
cannot also listen for collision. Therefore, IEEE developed a collision avoidance (the CA in
CSMA/CA) mechanism called the distributed coordination function (DCF). Using DCF, a wire-
less client transmits only if the channel is clear. All transmissions are acknowledged. Therefore,
if a wireless client does not receive an acknowledgment, it assumes a collision occurred and
retries after a random waiting interval. In the flowchart in Figure 4-3, label the missing steps in
the CSMA/CA process.
Figure 4-3 CSMA/CA Process
Start
Assemble a Frame
No
Yes
No
Yes
Transmit Application Data
End

Figure 4-3a CSMA/CA Process (answer)
Start
Assemble a Frame
Is the Channel No
Wait for Random Backoff Time
Idle?
Yes
Transmit RTS
No
CTS Received?
Yes
Transmit Application Data
End

Associating with an AP
Before a wireless device can communicate over the network, it must first associate with an AP or wireless rout-
er. To do so, it must discover and authenticate with an AP.
Match the definitions on the left with the association parameter on the right. This is a one-to-one matching
activity.
Definitions Security Parameter
e. A unique identifier that wireless clients use a. Security mode
to distinguish between multiple wireless net- b. Password
works in the same vicinity
c. Channel settings
d. Identifies the 802.11 WLAN standards sup-
d. Network mode
ported by the AP
e. SSID
a. Currently standards include WEP, WPA, or
WPA2
c. Refers to the frequency bands being used to
transmit wireless data
b. Prevents intruders and other unwanted users
from associating with the AP

To discover and connect with an AP or wireless routers, clients use a probing process, which
can either be passive or active, as shown in Figure 4-4. Label each example as either passive or
active.
Figure 4-4 Two Methods to Discover an AP
Sender Receiver Sender Receiver
Beacon Frame (0x08) Probe Request Frame (0x04)

SSID SSID
Supported standards Supported standards
Security settings
Beacon Frame (0x08) Probe Response Frame (0x05)

SSID SSID
Supported standards Supported standards
Security settings Security settings
Beacon Frame (0x08)

SSID
Supported standards
Security settings
Passive mode is illustrated on the left. Active mode is illustrated on the right.
Briefly explain the two authentication mechanisms:
Open authentication: Fundamentally a NULL authentication where the wireless client
says authenticate me and the AP responds with yes. Open authentication provides
wireless connectivity to any wireless device and should only be used in situations where
security is of no concern.
Shared-key authentication: Technique is based on a key that is pre-shared between the
client and the AP.
After discovering and authenticating with an AP or wireless router, the wireless device goes
through an association process. Label Step 3 in Figure 4-5 with the association substeps.
Figure 4-5 The AP Association Process
Step 1 (Discovery): Step 2 (Authentication): Step 3 (Association):
Listen for beacon frames to 1

Agree with AP to share
find WLAN SSIDs
Open authentication
(passive mode)
or or 2
Send a probe request to the
Initiate Shared Key
AP with or without a known
authentication process
SSID (active mode) 3
1. Send clients MAC address to AP.

2. Receive APs MAC address (BSSID).
3. Receive APs association identifier (AID).

Channel Management Concepts

In wireless implementations, a common practice is for the radio wave frequencies to be allocated as ranges.
Such ranges are then split into smaller ranges called channels. Depending on the 802.11 standard, there are vari-
ous ways to manage these channels. Match the channels, frequency modulation technique, or standard on the
right with the definitions on the left.
Definitions Channels, Frequency Modulation, and Standards
h. Spreads the signal over larger-frequency bands; a. 11
used by 802.11b, cordless phones, CDMA cel- b. 12
lular, and GPS networks
c. 13
c. Number of channels identified in Europe for
d. 1,5,10
802.11b
e. 1,6,11
e. Nonoverlapping 802.11b channels
f. 802.11g
i. Rapidly switches the signal over many fre-
quency channels; used by the original 802.11 g. 802.11n
standard, walkie-talkies, and Bluetooth h. DSSS
g. Supports four nonoverlapping channels and i. FHSS
channel bonding j. OFDM
a. Number of channels identified in North
America for 802.11b
j. Maximizes spectral efficiency without caus-
ing adjacent channel interference; used by
802.11a/g/n/ad

Wireless LAN Security

WLANs present unique security concerns because anyone within range of the AP and with the correct creden-
tials can gain access to the network.
WLAN Security Terminology

Match the definitions on the left with the WLAN security terms on the right. This is a one-to-one matching
exercise.
Definitions WLAN Security Term
k. Wireless home router connected to the corpo- a. TKIP
rate network without authorization b. Man-in-the-middle attack
f. Attacker sends a series of disassociate com- c. SSID cloaking
mands to all wireless clients within a BSS
d. AES
g. Attacker takes advantage of the CSMA/CA
e. WEP
contention method to monopolize the band-
width and deny all other clients access to the f. Spoofed disconnect attack
AP g. CTS Flood
j. The 802.11i industry standard for securing h. WPA
wireless networks i. MAC address filtering
b. An AP configured with the same SSID as a j. WPA2
legitimate AP k. Rogue AP
a. Uses Message Integrity Check (MIC) to
ensure the message has not been tampered
with
h. Basically WEP with TKIP encryption
e. Obsolete wireless authentication method
i. Manually allow or deny based on physical
address
c. Disable the transmission of the beacon
d. Uses Counter Mode Cipher Block Chaining
Message Authentication Code Protocol
(CCMP), which allows destination hosts to
recognize whether the bits have been tam-
pered with

Identify the WLAN Security Characteristics

The best way to secure a wireless network is to use authentication and encryption systems.
The two major types of authentication are open authentication and shared authentication.
Open is basically no authentication. Shared-key authentication comes in three flavors: WEP,
WPA, and WPA2. In Table 4-6, indicate the authentication method for each characteristic.
Table 4-6 WLAN Security Characteristics

WLAN Security Characteristic Open Authentication Shared-Key Authentication
WEP WPA WPA2
TKIP data encryption X
AES data encryption X
MIC authentication X
No password authentication X
Medium security risk X
Shared-key authentication X
RC4 data encryption X
No data encryption X
Highest security risk X
Lowest security risk X
High security risk X
CCMP authentication X
Wireless LAN Configuration

Modern wireless routers offer a variety of features, and most are designed to be functional
right out of the box with the default settings. However, it is good practice to change this initial
configurationparticularly, the default administrator passwordso that public known default
settings cannot be used to access the wireless settings.
Configuring WLAN Routers and Clients

The best way to practice configuring wireless routers is to complete the Lab and Packet Tracer
activities associated with the course. You can also make sure your own home router is config-
ured with some of the following settings:
Change the administrator password.
Change the IP addressing assigned through DHCP to wireless clients.
Change the service set identification (SSID) name. However, if you disable SSID broad-
casts, users will have to manually enter the SSID.
Enable the strongest authentication protocol supported by the wireless router: hopefully
WPA2.

Enable MAC address filtering if you know the devices that will be joining the WLAN.
Otherwise, you will have to manually add new devices each time someone wants to
access the WLAN.
If desired, configure a guest network and password for guest users to access the WLAN.
If you do not have access to a wireless router, Packet Tracer, or Lab equipment, you can search
the Internet for wireless router configuration simulation. Several wireless router manufactur-
ers host a simulation web page where you can practice configuring their specific GUI.
Lab - Configuring a Wireless Router and Client (SN 4.4.2.3/SwN 8.4.2.3)
Packet Tracer - Configuring Wireless LAN Access (SN 4.4.2.2/SwN 8.4.2.2)

Packet Tracer
Activity
Troubleshooting WLAN Issues

Troubleshooting WLAN issues normally requires an elimination process. Start with the wire-
less client by checking the following:
Does the client have a valid IP address configuration?
Can the client successfully access the wired network?
Is the client configured with the correct security settings?
Is the client configured with the correct channel and SSID?
Is the wireless NIC driver up-to-date?
If the wireless client is operating as expected, check the following:
Is the AP powered on?
How far away is the closest AP?
Are other devices in the area interfering with the signal?
Are there any cabling or connector issues?
Finally, check the configuration of the AP to verify that it conforms to the desired specifica-
tions.
Occasionally, issues with the AP software are identified and corrected by the manufacturer. So,
you should regularly check to make sure that the firmware is up-to-date on the AP.
Packet Tracer - Skills Integration Challenge (SN 4.5.1.2/SwN 8.5.1.2)

Packet Tracer
Challenge

CHAPTER 5
Adjust and Troubleshoot Single-Area OSPF
Although we will spend a little bit of time on it, you should already know how to configure basic
single-area OSPF. This chapter focuses on the concepts and configurations to fine-tune the operation
of OSPF, including manipulating the designated router / backup designated router (DR/BDR) elec-
tion, propagating a default router, fine-tuning Open Shortest Path First (OSPF) Protocol interfaces, and
authenticating OSPF neighbors.

Advanced Single-Area OSPF Configurations

In this section, we review the concepts and configurations to fine-tune the operation of
OSPFv2 and OSPFv3.
Single-Area OSPF Configuration Review

The following activity may look familiar to you if you also used the CCENT Practice and
Study Guide. It is repeated here so that you can get back up to speed on OSPF before we look
at more advanced configurations.
Configuring Single-Area OSPFv2

Figure 5-1 shows the topology that we will use to configure OSPFv2 and OSPFv3. This first
topology shows IPv4 network addresses. The IPv4 addressing scheme is in Table 5-1.
Figure 5-1 OSPFv2 Topology with IPv4 Network Addresses

192.168.1.0/26
G0/0
S0/0/1
S0/0/0 RTA DCE
192.168.1.252/30 192.168.1.244/30
OSPF
T1 T1
Area 0
S0/0/0
DCE S0/0/1 192.168.1.64/26
192.168.1.128/26
G0/0 192.168.1.248/30 G0/0
S0/0/1
RTC 384 kbps S0/0/0 RTB
DCE
Table 5-1 IPv4 Addressing Scheme for OSPFv2

Device Interface IPv4 Address Subnet Mask
RTA G0/0 192.168.1.1 255.255.255.192
S0/0/0 192.168.1.253 255.255.255.252
S0/0/1 192.168.1.245 255.255.255.252
Router ID 1.1.1.1
RTB G0/0 192.168.1.65 255.255.255.192
S0/0/0 192.168.1.249 255.255.255.252
S0/0/1 192.168.1.246 255.255.255.252
Router ID 2.2.2.2
RTC G0/0 192.168.1.129 255.255.255.192
S0/0/0 192.168.1.254 255.255.255.252
S0/0/1 192.168.1.250 255.255.255.252
Router ID 3.3.3.3

Chapter 5: Adjust and Troubleshoot Single-Area OSPF 59
In the space provided, document the correct commands, including the router prompt, to con-
figure the routers in Figure 5-1 with OSPFv2. Include commands to configure the router ID and
disable updates on the LAN interface.
RTA(config)# router ospf 1
RTA(config-router)# router-id 1.1.1.1
RTA(config-router)# network 192.168.1.0 0.0.0.63 area 0
RTA(config-router)# passive-interface g0/0
RTB(config)# router ospf 1
RTB(config-router)# router-id 2.2.2.2
RTB(config-router)# network 192.168.1.64 0.0.0.63 area 0
RTB(config-router)# passive-interface g0/0
RTC(config)# router ospf 1
RTC(config-router)# router-id 3.3.3.3
RTC(config-router)#network 192.168.1.128 0.0.0.63 area 0
RTC(config-router)#network 192.168.1.252 0.0.0.3 area 0
RTC(config-router)# passive-interface g0/0
Verifying Single-Area OSPFv2

Fill in the missing command to complete the following sentences:
The show ip ospf neighbor command can be used to verify and troubleshoot OSPF neighbor
relationships.
The show ip protocols command is a quick way to verify vital OSPF configuration informa-
tion, including the OSPF process ID, the router ID, networks the router is advertising, the
neighbors the router is receiving updates from, and the default administrative distance, which is
110 for OSPF.
The show ip ospf command can also be used to examine the OSPF process ID and router ID.
In addition, this command displays the OSPF area information as well as the last time the SPF
algorithm was calculated.
The quickest way to verify Hello and Dead intervals is to use the show ip ospf interface com-
mand.
The quickest way to verify OSPF convergence is to use the show ip route command to view
the routing table for each router in the topology.
Configuring Single-Area OSPFv3

Figure 5-2 shows the same topology we used for OSPFv2, but with IPv6 network addresses.
Table 5-2 shows the IPv6 addressing scheme.

Figure 5-2 OSPFv3 Topology with IPv6 Network Addresses
2001:DB8:1:1::/64
G0/0
S0/0/1
S0/0/0 RTA DCE
2001:DB8:F:AC::/64 2001:DB8:F:AB::/64
OSPF
T1 T1
Area 0
S0/0/0
DCE S0/0/1 2001:DB8:1:2::/64
2001:DB8:1:3::/64
G0/0 2001:DB8:F:BC::/64 G0/0
S0/0/1
RTC 384 kbps S0/0/0 RTB
DCE
Table 5-2 IPv6 Addressing Scheme for OSPFv3

Device Interface IPv6 Address/Prefix
RTA G0/0 2001:DB8:1:1::1/64
S0/0/0 2001:DB8:F:AC::1/64
S0/0/1 2001:DB8:F:AB::1/64
Link-local FE80::A
Router ID 1.1.1.1
RTB G0/0 2001:DB8:1:2::1/64
S0/0/0 2001:DB8:F:BC::1/64
S0/0/1 2001:DB8:F:AB::2/64
Link-local FE80::B
Router ID 2.2.2.2
RTC G0/0 2001:DB8:1:3::1/64
S0/0/0 2001:DB8:F:AC::2/64
S0/0/1 2001:DB8:F:BC::2/64
Link-local FE80::C
Router ID 3.3.3.3
The routers are already configured with interface addressing. Record the correct commands,
including the router prompt, to configure the routers with OSPFv3. Include commands to
enable IPv6 routing, configure the router ID, change the reference bandwidth to 10000, and
disable updates on the LAN interface. Except for the router ID, the commands are the same for
all three routers. So, you need to document only one router.
RTA(config)# ipv6 unicast-routing

RTA(config)# ipv6 router ospf 10
RTA(config-rtr)# router-id 1.1.1.1
RTA(config-rtr)# auto-cost reference-bandwidth 10000
RTA(config-rtr)# passive-interface g0/0

RTA(config-rtr)# interface g0/0

RTA(config-if)# ipv6 ospf 10 area 0
RTA(config-if)# interface s0/0/0
Verifying Single-Area OSPFv3

Fill in the missing command to complete the following sentences:
The show ipv6 ospf neighbor command can be used to verify and troubleshoot OSPF neigh-
bor relationships.
The show ipv6 protocols command is a quick way to verify vital OSPF configuration informa-
tion, including the OSPF process ID, the router ID, and interfaces the router is advertising.
The show ipv6 ospf command can also be used to examine the OSPF process ID and router
ID. In addition, this command displays the OSPF area information as well as the last time the
SPF algorithm was calculated.
To view a quick summary of OSPFv3-enabled interfaces, use the show ipv6 ospf interface
brief command. However, the quickest way to verify Hello and Dead intervals is to use the
show ipv6 ospf interface command.
The quickest way to verify OSPF convergence is to use the show ipv6 route command to view
the routing table for each router in the topology.
Lab - Configuring Basic Single-Area OSPFv2 (SN 5.1.1.9)

Identify Network Types

Match the definition on the left with the network type on the right. This is a one-to-one matching exercise.
Definitions Network Type
e. Connects distant OSPF networks to the back- a. Broadcast multi-access
bone area b. Nonbroadcast multi-access
b. Connects multiple routers using Frame Relay c. Point to multipoint
c. Connects multiple routers in a hub-and-spoke d. Point to point
topology
e. Virtual links
d. Connects two routers directly on a single
WAN network
a. Connects multiple routers using Ethernet tech-
nology

In Figure 5-3, label each network type.
Figure 5-3 Network Types
Internet
R2
Frame Relay
R1 R3 R3
R3
Starting from the top and going clockwise: point to point, broadcast multi-access, nonbroad-
cast multi-access (NBMA), point to multipoint.
OSPF and Multi-Access Networks

A multi-access network is a network with more than two devices on the same shared media.
Examples of multi-access networks include Ethernet and Frame Relay. Frame Relay is a WAN
technology that is discussed in a later CCNA course. The following exercises cover the con-
cepts of multi-access networks in OSPF and the DR/BDR election process.
OSPF and Multi-Access Networks Completion Exercise

Complete the missing words or phrases in the following paragraphs.
On multi-access networks (networks supporting more than two routers) such as Ethernet and
Frame-Relay networks, the hello protocol elects a designated router (DR) and a backup des-
ignated router (BDR). Among other things, the designated router is responsible for generating
LSAs for the entire multi-access network which allows a reduction in routing update traffic.
The DR, BDR, and every other router in an OSPF network sends out Hellos using 224.0.0.5
as the destination address. If a DRother (a router that is not the DR) needs to send a link-state
advertisement (LSA), it will send it using 224.0.0.6 as the destination address. The DR and the
BDR will receive LSAs at this address.
The DR/BDR election is based on OSPF priority and OSPF router ID. By default, all OSPF
routers have a priority of 1. If all OSPF routers have the same priority, the highest router ID
determines the DR and BDR.
If the router ID is not explicitly configured and a loopback interface is not configured, the
highest IP address on an active interface at the moment of OSPF process startup is used as the
router ID.
In Figure 5-4, label the steps taken to elect the DR.

Figure 5-4 Steps in the DR Election Process
Step 2a
If router values from Step 1

Step 1 Step 2 Step 2b
are exactly the same,then...
Step 2c
Step 1: Highest interface priority values. Step 2: Highest router ID. Step 2a: Highest manually
configured router ID. Step 2b: Highest loopback address. Step 2c: Highest active interface IP
address.
Use the topology in Figure 5-5 to determine the router ID for each router, and then determine
which router will be the DR, if applicable.
Figure 5-5 Determine the Router ID
RTF
G0/0: 10.1.19.1/24 S0/0: 209.165.201.2/27
Lo0: 192.168.10.5/32
RTA RTB S0/0: 209.165.201.1/27
S0/0: 10.1.16.2/30 G0/1: 10.1.10.4/24 G0/0: 10.1.10.2/24
S0/0: 10.1.16.1/30 G0/1: 10.1.10.3/24 G0/1: 10.1.10.1/24

Lo0: 192.168.10.3/32
Lo0 RTE RTD RTC
192.168.10.1/32 G0/0: 10.1.13.2/24 G0/0: 10.1.13.1/24
In Table 5-3, record the router ID for each router.
Table 5-3 Listing of Router IDs

Device Router ID
Router A 192.168.10.5
Router B 209.165.201.1
Router C 10.1.10.1
Router D 192.168.10.3
Router E 192.168.10.1
Router F 209.165.201.2
In Table 5-4, determine whether a DR will be elected for each network and record the DRs
hostname. If no DR is elected, indicate so with none.

Table 5-4 Listing of DRs

Network DR
209.165.201.0 None
10.1.16.0 None
10.1.13.0 Router D
10.1.10.0 Router B
Note: Configure your OSPFv2 routers with a router ID to control the DR/BDR election. With OSPFv3,
you must configure a router ID.
Setting the priority on the interface is another way to control DR or BDR.

In addition to configuring loopbacks, it is a good idea to configure RTA with an OSPF priority
that will ensure it always wins the DR/BDR election. The syntax for configuring OSPF priority
is as follows:
Router(config-if)# ip ospf priority priority
Document the commands you use to configure on RTA to make sure that its priority will
always win the DR/BDR election.
RTA(config)# interface Fa 0/0
RTA(config-if)# ip ospf priority 2
!Any priority higher than the default of 1 will work.
DR/BDR Election Exercise

In the following exercises, assume that all routers are simultaneously booted and that router
priorities are set to the default. Determine the network type, if applicable, and label which
router is elected as the DR and which router is elected as the BDR.
Refer to Figure 5-6 and answer the following questions.
Figure 5-6 DR/BDR Election Exercise 1 Topology
Fa0/0 = 172.16.1.1 Fa0/0 = 172.16.1.2

Lo0 = 192.168.1.4 Lo0 = 192.168.1.3
RTA RTB
RTC RTD
Fa0/0 = 172.16.1.3 Fa0/0 = 172.16.1.4
S0/0/0 = 192.168.5.1 S0/0/0 = 192.168.5.2
Lo0 = 192.168.1.2 Lo0 = 192.168.1.1
What is the router ID for RTA? 192.168.1.4

What is the router ID for RTB? 192.168.1.3
What is the router ID for RTC? 192.168.1.2
What is the router ID for RTD? 192.168.1.1

Which router will be elected DR? RTA

Which router will be elected BDR? RTB
Refer to Figure 5-7 and determine whether there will be a DR/BDR election. If applicable, des-
ignate which router is DR and which router is BDR.
172.15.1.1/30
S0/0/0 172.18.1.2/30
RTA S0/0/1
172.15.1.2/30 172.18.1.1/30
S0/0/0 S0/0/0
RTD RTB
Fa0/0 Fa0/0
172.16.1.2/24 172.17.1.2/24
Fa0/1 Fa0/0
172.16.1.1/24 172.17.1.1/24
RTC
Network DR/BDR Election? Which Router Is the DR? Which Router Is the BDR?
172.15.1.0/30 No N/A N/A
172.16.1.0/24 Yes RTC RTD
172.17.1.0/24 Yes RTB RTC
172.18.1.0/30 No N/A N/A
Refer to Figure 5-8 and answer the following questions.
Fa0/0 = 192.168.0.1/24
S0/0/0 = 209.165.201.2/30
S0/0/0
RTA ISP
Fa0/0 S0/0/0 = 209.165.201.1/30
OSPF
Area 0
Fa0/0 Fa0/0
S0/0/0
S0/0/0
RTC RTB
Fa0/0 = 192.168.0.3/24 Fa0/0 = 192.168.0.2/24
S0/0/0 = 192.168.1.3/30 S0/0/0 = 192.168.1.2/30
Lo0 = 10.1.1.1/32

What is the router ID for RTA? 209.165.201.2

What is the router ID for RTB? 192.168.1.2
What is the router ID for RTC? 10.1.1.1
Which router is DR for the 192.168.0.0/24 network? RTA
Which router is BDR for the 192.168.0.0/24 network? RTB
Now assume a priority of zero on RTA. Which router is DR for the 192.168.1.0/24 network?
RTB
What will happen if another router, RTD, joins the 192.168.0.0/24 network with a router ID of
209.165.201.9?
Nothing. Both the DR and BDR have to go down before RTD can become the DR.
Redistributing an OSPF Default Route Exercise

In some topology configurations and routing policy situations, it is desirable to have an
Autonomous System Boundary Router (ASBR) redistribute a default route to the OSPF neigh-
bors in the area. This can be quickly accomplished in both OSPFv2 and OSPFv3.
OSPFv2 Default Route Redistribution

In Figure 5-9, notice that RTA is now our gateway router because it provides access outside the
area. In OSPF terminology, RTA is called the Autonomous System Boundary Router (ASBR)
because it connects to an external routing domain that uses a different routing policy.
Figure 5-9 Propagating a Default Route in OSPFv2

192.168.1.0/26
G0/0 Default Route

S0/1/0 S0/0/0
Address Space DCE
192.168.1.0/24 209.165.201.2/30
RTA 209.165.201.1/30 ISP
S0/0/0 S0/0/1
DCE Static Route
RTA
Propagates
Default Route to
192.168.1.252/30 RTB and RTC 192.168.1.244/30
Public
T1 T1
Web Server
209.165.202.129/30
OSPF
S0/0/0
Area 0
192.168.1.128/26 DCE S0/0/1 192.168.1.64/26
384 kbps S0/0/0
G0/0 G0/0
DCE
S0/0/1
RTC 192.168.1.248/30
RTB
Each routing protocol handles the propagation of default routing information a little different-
ly. For OSPF, the gateway router must be configured with two commands. First, RTA will need
a static default route pointing to ISP. Document the command to configure a static default
route on RTA using the exit interface argument.
RTA(config)# ip route 0.0.0.0 0.0.0.0 serial 0/1/0

Using the exit interface argument, document the command necessary to configure ISP with a
static route pointing to the 192.168.1.0/24 address space.
ISP(config)# ip route 192.168.1.0 255.255.255.0 serial 0/0/0
At this point, any host on the LAN attached to RTA will be able to access ISP and be able to
ping the Public Web Server at 209.165.202.129. However, RTB and RTC still cannot ping out-
side the 192.168.1.0/24 address space. Why?
Because neither router has a default route
Document the command that needs to be configured on RTA to fix this problem.
RTA(config-router)# default-information originate
OSPFv3 Default Route Redistribution

Configuring OSPFv3 to propagate a default route is essentially the same tasks as you do in
OSPFv2. Figure 5-10 is an IPv6 version of Figure 5-9.
Figure 5-10 Propagating a Default Route in OSPFv3
2001:DB8:1:1::/64
2001:DB8:CAFE:1::F/64
G0/0 Default Route
S0/1/0 S0/0/0
Address Space DCE
2001:DB:1::/48 209.165.201.2/30
RTA 209.165.201.1/30 ISP
S0/0/0 S0/0/1
DCE Static Route
RTA
Propagates
Default Route to
2001:DB8:1:AC::/64 RTB and RTC 2001:DB8:1:AB::/64
Public
T1 T1
Web Server
2001:DB8:CAFE:F::F/64
OSPF
S0/0/0
Area 0
2001:DB8:1:3::/64 DCE S0/0/1 2001:DB8:1:2::/64
384 kbps S0/0/0
G0/0 G0/0
DCE
S0/0/1
RTC 2001:DB8:1:BC::/64
RTB
Document the command to configure a static default route on RTA using the exit interface
argument.
RTA(config)# ipv6 route ::/0 serial 0/1/0
Using the exit interface argument, document the command necessary to configure ISP with a
static route pointing to the 2001:DB8:1::/48 address space.
ISP(config)# ipv6 route 2001:DB8:1::/48 serial 0/0/0
Document the command that will cause RTA to propagate the default router to RTB and RTC.
RTA(config)#ipv6 router ospf 1
RTA(config-rtr)#default-information originate

Fine-Tuning OSPF Interfaces

OSPF routers must use matching Hello intervals and Dead intervals on the same link. The
default interval values result in efficient OSPF operation and seldom need to be modified.
However, you can change them.
Again, refer to Figure 5-9. Assuming that the current intervals are 10 and 40, document the
commands necessary to change these OSPFv2 intervals on the link between RTB and RTC to a
value four times greater than the current value.
RTB(config)# interface serial 0/0/0
RTB(config-if)# ip ospf hello-interval 40
RTB(config-if)# ip ospf dead-interval 160
RTC(config)# interface serial 0/0/1
RTC(config-if)# ip ospf hello-interval 40
RTC(config-if)# ip ospf dead-interval 160
Note that it is not necessary to configure the Dead interval as long as the desired interval is
four times the Hello. The IOS will automatically increase the Dead interval to four times the
configured Hello interval.
Now refer to Figure 5-10. Assuming that the current intervals are 10 and 40, document the
commands necessary to change the OSPFv3 intervals on the link between RTB and RTC to a
value four times greater than the current value.
RTB(config)# interface serial 0/0/0
RTB(config-if)# ipv6 ospf hello-interval 40
RTB(config-if)# ipv6 ospf dead-interval 160
RTC(config)# interface serial 0/0/1
RTC(config-if)# ipv6 ospf hello-interval 40
RTC(config-if)# ipv6 ospf dead-interval 160
Other than the show run command, what commands can you use to verify OSPF timers on an
interface for both IPv4 and IPv6?
show ip ospf interface
show ipv6 ospf interface
Securing OSPFv2 with MD5 Authentication

Because routers are targets for network attacks, you should always configure authentication
services for OSPFv2 using the strongest authentication available: MD5 (message digest algo-
rithm 5).
Assume the routers in Figure 5-11 are using MD5 authentication to exchange OSPFv2 routing
updates. Briefly explain the steps in MD5 authentication as R1 sends an OSPF message to R2.
Figure 5-11 OSPFv2 MD5 Authentication Between R1 and R2
S0/0/0
R1 R2
S0/0/1

Both routers are configured with a pre-shared key. So when R1 has a message to send to R2,
it combines the message with the key using MD5 to calculate a signatureknown as a hash
value. R1 adds the signature to the message and sends it to R2. Once received by R2, it com-
bines the message with the key and uses MD5 to calculate the signature. If signatures match,
R2 accepts the message. If not, R2 discards the message.
You can configure OSPFv2 MD5 authentication globally, forcing all OSPF interfaces to use
authentication. Or you can configure authentication on specific interfaces.
Document the command syntax, including the router prompt, to enable OSPFv2 MD5 authen-
tication on all interfaces.
In router configuration mode:
Router(config-router)# area area-id authentication message-digest
Then on each interface:

Router(config-if)# ip ospf message-digest-key key md5 password
Document the command syntax including the router prompt to enable OSPFv2 MD5 authenti-
cation only on specific interfaces.
On a specific interface:
Router(config-if)# ip ospf message-digest-key key md5 password
Router(config-if)# ip ospf authentication message-digest
Refer to Figure 5-9. Document the commands to configure RTA to use MD5 authentication
globally on all OSPF interfaces. Choose your own process ID and key values.

RTA(config-router)# area 0 authentication message-digest
RTA(config-router)# interface s0/0/0
RTA(config-if)# ip ospf message-digest-key 1 md5 cisco123
RTA(config-if)# ip ospf message-digest-key 1 md5 cisco123
Document the commands to configure RTB to use MD5 authentication on the serial interfaces
only. Choose your own process ID and key values.
RTB(config)# interface s0/0/0

RTB(config-if)# ip ospf message-digest-key 1 md5 cisco123
RTB(config-if)# ip ospf authentication message-digest
RTB(config-if)# interface s0/0/1
RTB(config-if)# ip ospf message-digest-key 1 md5 cisco123
RTB(config-if)# ip ospf authentication message-digest
What command can you use to verify OSPF MD5 authentication?

show ip ospf interface
Note: Cisco IOS supports a simple authentication method. However, this method sends the password in
plain text. Therefore, it is not considered a best practice.

Lab - Configuring OSPFv2 Advance Features (SN 5.1.5.8/RP 7.1.4.8)
Packet Tracer
Packet Tracer - Configuring OSPFv2 Advance Features (SN 5.1.5.7/RP 7.1.4.7)
Activity
Troubleshooting Single-Area OSPF Implementations

Troubleshooting single-area OSPF is required skill for any network professional involved in the
implementation and maintenance of an OSPF network. Solid understanding of OSPF operation
and the impact of the OSPF configuration commands is essential.
OSPF Adjacency Issues

A common problem in OSPF convergence is a lack of adjacency with OSPF neighbors. List at
least four reasons why adjacency might fail to establish.
The interfaces are not on the same network.
OSPF network types do not match.
OSPF Hello or Dead timers do not match.
Interface to neighbor is incorrectly configured as passive.
There is a missing or incorrect OSPF network command (OSPFv2), or OSPF is not
configured correctly on the interface (OSPFv3).
Authentication is misconfigured.
What are the OSPFv2 and OSPFv3 commands you use to quickly verify adjacency between
OSPF routers?
show ip ospf neighbors
show ipv6 ospf neighbors
The command will list a state for each known OSPF router. What are the seven states OSPF
transitions through on its way to convergence?
Down, Init, Two-Way, Exstart, Exchange, Loading, Full
Identify OSPFv2 Troubleshooting Commands

The following output is from the topology shown in Figure 5-9. Indicate the command used to
generate the output.
RTA# show ip route ospf

Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route

o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP

+ - replicated route, % - next hop override
Gateway of last resort is 0.0.0.0 to network 0.0.0.0
192.168.1.0/24 is variably subnetted, 9 subnets, 3 masks

O 192.168.1.64/26 [110/65] via 192.168.1.246, 00:19:35, Serial0/0/1
O 192.168.1.128/26 [110/65] via 192.168.1.254, 00:19:10, Serial0/0/0
O 192.168.1.248/30 [110/128] via 192.168.1.254, 00:19:10, Serial0/0/0
[110/128] via 192.168.1.246, 00:19:35, Serial0/0/1
RTA# show ip ospf neighbor
Neighbor ID Pri State Dead Time Address Interface

192.168.1.254 0 FULL/ - 00:00:31 192.168.1.254 Serial0/0/0
192.168.1.249 0 FULL/ - 00:00:32 192.168.1.246 Serial0/0/1
RTA# show ip ospf interface serial 0/0/0

Serial0/0/0 is up, line protocol is up
Internet Address 192.168.1.253/30, Area 0, Attached via Network Statement
Process ID 1, Router ID 192.168.1.253, Network Type POINT_TO_POINT, Cost: 64
Topology-MTID Cost Disabled Shutdown Topology Name
0 64 no no Base
Transmit Delay is 1 sec, State POINT_TO_POINT
Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
oob-resync timeout 40
Hello due in 00:00:03
Supports Link-local Signaling (LLS)
Cisco NSF helper support enabled
IETF NSF helper support enabled
Index 3/3, flood queue length 0
Next 0x0(0)/0x0(0)
Last flood scan length is 1, maximum is 1
Last flood scan time is 0 msec, maximum is 0 msec
Neighbor Count is 1, Adjacent neighbor count is 1
Adjacent with neighbor 192.168.1.254
Suppress hello for 0 neighbor(s)
RTA# show ip protocols

*** IP Routing is NSF aware ***
Routing Protocol is "ospf 1"

Outgoing update filter list for all interfaces is not set
Incoming update filter list for all interfaces is not set
Router ID 192.168.1.253
It is an autonomous system boundary router

Redistributing External Routes from,

Number of areas in this router is 1. 1 normal 0 stub 0 nssa
Maximum path: 4
Routing for Networks:
192.168.1.0 0.0.0.63 area 0
192.168.1.244 0.0.0.3 area 0
192.168.1.252 0.0.0.3 area 0
Routing Information Sources:
Gateway Distance Last Update
192.168.1.246 110 00:18:13
192.168.1.254 110 00:17:48
Distance: (default is 110)
RTA# show ip ospf

Routing Process "ospf 1" with ID 192.168.1.253
Start time: 00:44:46.536, Time elapsed: 00:23:27.360
Supports only single TOS(TOS0) routes
Supports opaque LSA
Supports Link-local Signaling (LLS)
Supports area transit capability
Supports NSSA (compatible with RFC 3101)
Event-log enabled, Maximum number of events: 1000, Mode: cyclic
It is an autonomous system boundary router
Redistributing External Routes from,
Router is not originating router-LSAs with maximum metric
Initial SPF schedule delay 5000 msecs
Minimum hold time between two consecutive SPFs 10000 msecs
Maximum wait time between two consecutive SPFs 10000 msecs
Incremental-SPF disabled
Minimum LSA interval 5 secs
Minimum LSA arrival 1000 msecs
LSA group pacing timer 240 secs
Interface flood pacing timer 33 msecs
Retransmission pacing timer 66 msecs
Number of external LSA 1. Checksum Sum 0x003416
Number of opaque AS LSA 0. Checksum Sum 0x000000
Number of DCbitless external and opaque AS LSA 0
Number of DoNotAge external and opaque AS LSA 0
Number of areas transit capable is 0
External flood list length 0
IETF NSF helper support enabled
Cisco NSF helper support enabled

Reference bandwidth unit is 100 mbps

Area BACKBONE(0)
Number of interfaces in this area is 3
Area has no authentication
SPF algorithm last executed 00:16:47.472 ago
SPF algorithm executed 4 times
Area ranges are
Number of LSA 3. Checksum Sum 0x00E037
Number of opaque link LSA 0. Checksum Sum 0x000000
Number of DCbitless LSA 0
Number of indication LSA 0
Number of DoNotAge LSA 0
Flood list length 0
Identify OSPFv3 Troubleshooting Commands

The following output is from the topology shown in Figure 5-10. Indicate the command used
to generate the output.
RTC# show ipv6 protocols

IPv6 Routing Protocol is "connected"
IPv6 Routing Protocol is "ND"
IPv6 Routing Protocol is "ospf 1"
Router ID 3.3.3.3
Number of areas: 1 normal, 0 stub, 0 nssa
Interfaces (Area 0):
GigabitEthernet0/0
Serial0/0/1
Serial0/0/0
Redistribution:
None
RTC# show ipv6 ospf neighbor
OSPFv3 Router with ID (3.3.3.3) (Process ID 1)
Neighbor ID Pri State Dead Time Interface ID Interface

2.2.2.2 0 FULL/ - 00:00:39 6 Serial0/0/1
1.1.1.1 0 FULL/ - 00:00:31 6 Serial0/0/0
RTC# show ipv6 ospf interface serial 0/0/1

Link Local Address FE80::C, Interface ID 7
Area 0, Process ID 1, Instance ID 0, Router ID 3.3.3.3
Network Type POINT_TO_POINT, Cost: 64
Transmit Delay is 1 sec, State POINT_TO_POINT

Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
Hello due in 00:00:06
Graceful restart helper support enabled
Index 1/2/2, flood queue length 0
Next 0x0(0)/0x0(0)/0x0(0)
Last flood scan length is 2, maximum is 4
Last flood scan time is 0 msec, maximum is 0 msec
Neighbor Count is 1, Adjacent neighbor count is 1
Adjacent with neighbor 2.2.2.2
Suppress hello for 0 neighbor(s)
RTC# show ipv6 ospf

Routing Process "ospfv3 1" with ID 3.3.3.3
Event-log enabled, Maximum number of events: 1000, Mode: cyclic
Router is not originating router-LSAs with maximum metric
Initial SPF schedule delay 5000 msecs
Minimum hold time between two consecutive SPFs 10000 msecs
Maximum wait time between two consecutive SPFs 10000 msecs
Minimum LSA interval 5 secs
Minimum LSA arrival 1000 msecs
LSA group pacing timer 240 secs
Interface flood pacing timer 33 msecs
Retransmission pacing timer 66 msecs
Number of external LSA 1. Checksum Sum 0x00B657
Graceful restart helper support enabled
Reference bandwidth unit is 100 mbps
RFC1583 compatibility enabled
Area BACKBONE(0)
Number of interfaces in this area is 3
SPF algorithm executed 4 times
Number of LSA 15. Checksum Sum 0x07E293
Number of DCbitless LSA 0
Number of indication LSA 0
Number of DoNotAge LSA 0
Flood list length 0
RTC#show ipv6 route ospf

IPv6 Routing Table - default - 11 entries
Codes: C - Connected, L - Local, S - Static, U - Per-user Static route
B - BGP, R - RIP, I1 - ISIS L1, I2 - ISIS L2
IA - ISIS interarea, IS - ISIS summary, D - EIGRP, EX - EIGRP external
ND - ND Default, NDp - ND Prefix, DCE - Destination, NDr - Redirect
O - OSPF Intra, OI - OSPF Inter, OE1 - OSPF ext 1, OE2 - OSPF ext 2
ON1 - OSPF NSSA ext 1, ON2 - OSPF NSSA ext 2

OE2 ::/0 [110/1], tag 1

via FE80::A, GigabitEthernet0/0
O 2001:DB8:1:1::/64 [110/1]
via GigabitEthernet0/0, directly connected
O 2001:DB8:1:AB::/64 [110/65]
via FE80::B, GigabitEthernet0/0
O 2001:DB8:2:1::/64 [110/1]
via GigabitEthernet0/0, directly connected
Lab - Troubleshooting Basic Single-Area OSPFv2 and OSPFv3 (SN 5.2.3.3/RP

7.2.3.3)
Lab - Troubleshooting Advanced Single-Area OSPFv2 (SN 5.2.3.4/RP 7.2.3.4)
Packet Tracer - Troubleshooting Single-Area OSPFv2 (SN 5.2.2.3/RP 7.2.2.3)

Packet Tracer
Activity
Packet Tracer - Skills Integration Challenge (SN 5.3.1.2/RP 7.3.1.2)

CHAPTER 6
Multiarea OSPF
In larger network implementations, single-area OSPF can require a significant amount of CPU and
memory resources. As the number of routers grows, network administrators often implement multiarea
OSPF to control the size of link-state databases, routing table entries, and the number of SPF calcula-
tions. This chapter reviews the concepts and configurations for multiarea OSPFv2 and OSPFv3.

Multiarea OSPF Operation

Multiarea OSPF was specifically designed to address several issues that result from single-area
OSPF growing beyond its constraints.
Multiarea OSPF Terminology and Concepts

Briefly describe three issues that arise if an OSPF area becomes too big.
OSPF does not perform route summarization by default, so the routing table can
become very large.
The LSDB includes every link in the area which each router must maintain, even if every
link is not selected for the routing table.
In areas that are too large, recalculating the SFP algorithm consumes many CPU cycles.
Briefly describe the role of each of the following OSPF router types.
Internal router: A router with all of its interfaces in the same area
Backbone router: A router that belongs to backbone area which is, by convention, con-
figured as area 0
Area Border Router (ABR): A router with interfaces attached to multiple OSPF areas,
but not an external network
Autonomous System Boundary Router (ASBR): A router with at least one interface
attached to an external, non-OSPF network
In Table 6-1, indicate the OSPF router type for each router in Figure 6-1. A router can be more
than one type.
Figure 6-1 Sample Multiarea OSPF Topology
Area 1 Area 0 Area 2
R1 BB2
R2 BB1 BB3
R4
BB4
R3
External AS

Chapter 6: Multiarea OSPF 79
Table 6-1 Indentify the OSPF Router Type

OSPF Router Type BB1 BB2 BB3 BB4 R1 R2 R3 R4
Internal router X X X X X X
Backbone router X X X X
Area Border Router (ABR) X X
Autonomous System X
Boundary Router (ASBR)
Multiarea OSPF LSA Operation

Although the RFCs for OSPF specify up to 11 different LSA types, at the CCNA level we are
only concerned with the first 5. In Table 6-2, indicate the name for each LSA type.
Table 6-2 Most Common OSPF LSA Types

LSA Type Description
1 Router LSA
2 Network LSA
3 and 4 Summary LSAs
5 AS External LSA
Refer to Figure 6-1. In Table 6-3, indicate which LSA type is used in each of the scenarios.
Table 6-3 Determine the LSA Type

LSA Scenario Type 1 Type 2 Type 3 Type 4 Type 5
BB1 is advertising to Area 1 a link to an X
external autonomous system.
BB1 and BB3 do not forward these LSAs into X
Area 0.
As DR, R2 sends this LSA type to R3. X
BB4 is advertising an external network to X
BB3 and BB1.
BB3 is advertising to Area 2 that BB4 is the X
ASBR.
BB2 is advertising its directly connected X
OSPF-enabled links to BB1 and BB3.
BB2 is advertising the links in Area 0 to the X
routers in Area 1.
OSPF Routing Table and Types of Routes

Because of the different LSA types with routes originating from different areas and from non-
OSPF networks, the routing table uses different codes to identify the various types of routes.
Refer to Example 6-1. Briefly describe each of the three OSPF route types shown.

Example 6-1 A Sample Multiarea OSPF Routing Table

BB1# show ip route | begin Gateway
O*E2 0.0.0.0/0 [110/1] via 10.0.0.1, 00:02:16, Serial0/0/0

C 10.0.0.0/30 is directly connected, Serial0/0/0
L 10.0.0.2/32 is directly connected, Serial0/0/0
O 10.0.1.0/30 [110/128] via 10.0.0.1, 00:03:24, Serial0/0/0
C 172.16.0.0/23 is directly connected, GigabitEthernet0/0
L 172.16.0.1/32 is directly connected, GigabitEthernet0/0
C 172.16.2.0/23 is directly connected, GigabitEthernet0/1
L 172.16.2.1/32 is directly connected, GigabitEthernet0/1
O 172.16.5.0/24 [110/65] via 10.0.0.1, 00:03:24, Serial0/0/0
O IA 172.16.16.0/21 [110/129] via 10.0.0.1, 00:03:24, Serial0/0/0
O IA 172.16.24.0/21 [110/129] via 10.0.0.1, 00:03:24, Serial0/0/0
BB1#
O: Indicates the router received router (type 1) and network (type 2) LSAs describing the
details within an area, meaning that the route is intra-area.
O IA: Indicates the router received a summary (type 3) LSA from an ABR. This is an interarea
route.
O*E2: Indicates the router received an AS External (type 5) LSA either from an ABR or an
ASBR. This is an external route.
List the steps in order that OSPF uses to calculate the best paths.
1. Calculate intra-area OSPF routes.
2. Calculate best path to interarea OSPF routes.
3. Calculate best path route to external non-OSPF networks.
Configuring Multiarea OSPF

At the CCNA level, the configuration of multiarea OSPF is rather straightforward if you are
already comfortable configuring single-area OSPF. This section reviews configuring and verify-
ing multiarea OSPFv2 and OSPFv3.
Configuring Multiarea OSPF

We will use the topology in Figure 6-2 and the addressing in Table 6-4 to configure a dual-
stack network running multiarea OSPFv2 and OSPFv3.

Figure 6-2 Dual-Stacked Multiarea OSPF Topology
Area 0
172.16.5.0/24
2001:DB8:5:1::/64
G0/0 .1 209.165.201.0/30
2001:DB8:F:F::/64
Lo0
Internet
BB2
.1 .1
10.0.0.0/30 S0/0/0 S0/0/1
10.0.1.0/30
2001:DB8:0:E::/64 2001:DB8:0:F::/64
.2 .2
S0/0/0 S0/0/1
BB1 BB3
Area 1 .1 G0/0 G0/1 .1 Area 2 .1 G0/0 G0/1 .1
172.16.0.0/23 172.16.2.0/23 172.16.16.0/21 172.16.24.0/21

2001:DB8:1:1::/64 2001:DB8:1:2::/64 2001:DB8:3:1::/64 2001:DB8:3:2::/64
Based on the addressing shown in the topology, finish documenting the addressing scheme in
Table 6-4.
Table 6-4 Addressing for the Dual-Stacked Multiarea OSPF Topology

Device Interface Addressing Information
BB1 G0/0 172.16.0.0 255.255.254.0
2001:DB8:1:1::2/64
G0/1 172.16.2.0 255.255.254.0
2001:DB8:1:2::2/64
S0/0/0 10.0.0.2 255.255.255.252
2001:DB8:0:E::2/64
Link-Local FE80::1
Router ID 1.1.1.1
BB2 G0/0 172.16.5.1 255.255.255.0
2001:DB8:5:1::1/64
S0/0/0 10.0.0.1 255.255.255.252
2001:DB8:0:E::1/64
S0/0/1 10.0.1.1 255.255.255.252
2001:DB8:0:F::1/64
Lo0 209.165.201.1 255.255.255.252
2001:DB8:F:F::1/64
Link-Local FE80::2
Router ID 2.2.2.2


BB3 G0/0 172.16.16.1 255.255.248.0
2001:DB8:3:1::2/64
G0/1 172.16.24.0 255.255.248.0
2001:DB8:3:2::2/64
S0/0/1 10.0.1.2 255.255.255.252
2001:DB8:0:F::2/64
Link-Local FE80::3
Router ID 3.3.3.3
The only difference between configuring single-area OSPF and multiarea OSPF is assigning the
area value. Recall that for OSPFv2, you configure the area as part of the network command in
OSPF router configuration mode. In OSPFv3, you configure the area as part of the ipv6 ospf
command in interface configuration mode.
Document the OSPFv2 and OSPFv3 routing configurations for all three routers. Include
default routing to the Internet with BB2 redistributing the IPv4 and IPv6 default routes to BB1
and BB2.
!BB1!!!!!!!!!!!!!!!!!!!
router ospf 10
router-id 1.1.1.1
network 172.16.0.0 0.0.1.255 area 1
network 172.16.2.0 0.0.1.255 area 1
network 10.0.0.0 0.0.0.3 area 0
ipv6 router ospf 10
router-id 1.1.1.1
interface g0/0
ipv6 ospf 10 area 1
interface g0/1
ipv6 ospf 10 area 1
interface s0/0/0
ipv6 ospf 10 area 0
!BB2!!!!!!!!!!!!!!!!!!!
ip route 0.0.0.0 0.0.0.0 Lo0
ipv6 route ::/0 Lo0
router ospf 10
router-id 2.2.2.2
network 172.16.5.0 0.0.0.255 area 0
network 10.0.0.0 0.0.0.3 area 0
network 10.0.1.0 0.0.0.3 area 0
default-information originate
ipv6 router ospf 10
router-id 2.2.2.2

default-information originate
interface g0/0
ipv6 ospf 10 area 0
interface s0/0/0
ipv6 ospf 10 area 0
interface s0/0/1
ipv6 ospf 10 area 0
!BB3!!!!!!!!!!!!!!!!!!!
router ospf 10
router-id 3.3.3.3
network 172.16.16.0 0.0.7.255 area 2
network 172.16.24.0 0.0.7.255 area 2
network 10.0.1.0 0.0.0.3 area 0
ipv6 router ospf 10
router-id 3.3.3.3
interface g0/0
ipv6 ospf 10 area 2
interface g0/1
ipv6 ospf 10 area 2
interface s0/0/1
ipv6 ospf 10 area 0
Configuring Route Summarization for Multiarea OSPFv2

ABRs do not automatically summarize network addresses across area boundaries. To reduce
the size of routing tables, you can manually configure ABRs and ASBRs to summarize net-
works so that they will then inject them into another area. In Figure 6-2, BB1 and BB3 can sum-
marize the two LANs into one network advertisement.
What is the command syntax to configure an ABR interarea summary route?
Router(config-router)# area area-id range address mask
What is the summary route for the two LANs attached to BB1:
Address: 172.16.0.0 Mask: 255.255.252.0
Document the command to configure BB1 with an interarea summary route.
BB1(config-router)# area 1 range 172.16.0.0 255.255.252.0
What is the summary route for the two LANs attached to BB3:
Address: 172.16.16.0 Mask: 255.255.240.0
Document the command to configure BB3 with an interarea summary route.
BB3(config-router)# area 2 range 172.16.16.0 255.255.240.0
Your OSPF routing tables should look like the output in Example 6-2.

Example 6-2 Multiarea OSPFv2 and OSPFv3 Routing Tables

BB1# show ip route ospf | begin Gateway
O*E2 0.0.0.0/0 [110/1] via 10.0.0.1, 00:08:36, Serial0/0/0

O 10.0.1.0/30 [110/128] via 10.0.0.1, 00:08:36, Serial0/0/0
O 172.16.0.0/22 is a summary, 00:08:36, Null0
O 172.16.5.0/24 [110/65] via 10.0.0.1, 00:08:36, Serial0/0/0
O IA 172.16.16.0/20 [110/129] via 10.0.0.1, 00:04:44, Serial0/0/0
BB1# show ipv6 route ospf | begin OE2
OE2 - OSPF ext 2, ON1 - OSPF NSSA ext 1, ON2 - OSPF NSSA ext 2
OE2 ::/0 [110/1], tag 10
via FE80::2, Serial0/0/0
O 2001:DB8:0:F::/64 [110/128]
OI 2001:DB8:3:1::/64 [110/129]
OI 2001:DB8:3:2::/64 [110/129]
O 2001:DB8:5:1::/64 [110/65]
BB1#

O IA 172.16.0.0/22 [110/65] via 10.0.0.2, 00:09:51, Serial0/0/0
O IA 172.16.16.0/20 [110/65] via 10.0.1.2, 00:05:59, Serial0/0/1
BB2# show ipv6 route ospf | begin OI 2001
OI 2001:DB8:1:1::/64 [110/65]
OI 2001:DB8:1:2::/64 [110/65]
OI 2001:DB8:3:1::/64 [110/65]
OI 2001:DB8:3:2::/64 [110/65]
BB2#

O*E2 0.0.0.0/0 [110/1] via 10.0.1.1, 00:05:31, Serial0/0/1

O 10.0.0.0/30 [110/128] via 10.0.1.1, 00:05:31, Serial0/0/1
O IA 172.16.0.0/22 [110/129] via 10.0.1.1, 00:05:31, Serial0/0/1
O 172.16.5.0/24 [110/65] via 10.0.1.1, 00:05:31, Serial0/0/1
O 172.16.16.0/20 is a summary, 00:05:31, Null0
BB3# show ipv6 route ospf | begin OE2
OE2 ::/0 [110/1], tag 10
O 2001:DB8:0:E::/64 [110/128]
OI 2001:DB8:1:1::/64 [110/129]
OI 2001:DB8:1:2::/64 [110/129]
O 2001:DB8:5:1::/64 [110/65]
BB3#
Verifying Multiarea OSPF

In Table 6-5, indicate which command or commands will provide the multiarea OSPFv2 verifi-
cation information.
Table 6-5 Multiarea OSPFv2 Verification Commands

Verification Information show ip show ip ospf show ip show ip ospf
protocols interface brief route ospf database
Process ID X X X
State of OSPF Interface X
Networks Configured X
Interface Cost X
Router ID X X
Administrative Distance X X
Number of Areas X
Networks from Other Areas X
All Known Routes X
Total Cost of Route X
Verification commands for multiarea OSPFv3 are almost identical to OSPFv2. In Table 6-6,
indicate which command or commands will provide the multiarea OSPFv3 verification informa-
tion.

Table 6-6 Multiarea OSPFv3 Verification Commands

Verification Information show ipv6 show ipv6 ospf show ipv6 show ipv6 ospf
protocols interface brief route ospf database
Administrative Distance X
All Known Routes X
Interface Cost X
Networks from Other Areas X X
Number of Areas X
Process ID X X X
Router ID X X
State of OSPF Interface X
Total Cost of Route X
Lab - Configuring Multiarea OSPFv2 (SN 6.2.3.8/RP 8.2.3.8)
Lab - Configuring Multiarea OSPFv3 (SN 6.2.3.9/RP 8.2.3.9)
Lab - Troubleshooting Multiarea OSPFv2 and OSPFv3 (SN 6.2.3.10/RP 8.2.3.10)
Packet Tracer Packet Tracer - Configuring Multiarea OSPFv2 (SN 6.2.3.6/RP 8.2.3.6)
Activity
Packet Tracer - Configuring Multiarea OSPFv3 (SN 6.2.3.7/RP 8.2.3.7)

CHAPTER 7
EIGRP
The main purpose in Ciscos development of Enhanced Interior Gateway Routing Protocol (EIGRP) was
to create a classless version of IGRP. EIGRP includes several features that are not commonly found in
other distance vector routing protocols such as RIP (RIPv1 and RIPv2) and IGRP. Although EIGRP may
act like a link-state routing protocol, it is still a distance vector routing protocol.

Characteristics of EIGRP
EIGRP is considered an advanced distance vector routing protocol because it has characteris-
tics not found in other distance vector protocols like RIP and IGRP.
Describe Basic EIGRP Features

A major difference between EIGRP and other distance vector protocols is the algorithm it uses
to calculate the best rate. Name and briefly describe this algorithm.
The Diffusing Update Algorithm (DUAL) guarantees a loop-free route and provides backup
paths throughout the routing domain. These backup routes are maintain in a topology table
and can be immediately installed in the routing table if the primary route fails.
What protocol, unique to EIGRP, provides for the delivery of EIGRP packets to neighbors?
Reliable Transport Protocol (RTP)
What is meant by the statement, EIGRP provides partial and bounded updates?
EIGRP doesnt send periodic updates (like RIP or IGRP). Instead, EIGRP sends out a partial
update if there is a change in a route or routes. Bounded means that the partial update is only
sent to those routers that need it.
Protocol-dependent modules (PDMs) allow EIGRP to route several different network layer
protocols. List at least four functions of EIGRPs PDMs.
Maintaining the neighbor and topology tables of EIGRP routers that belong to that
protocol suite
Building and translating protocol-specific packets for DUAL
Interfacing DUAL to the protocol-specific routing table
Computing the metric and passing this information to DUAL
Implementing filtering and access lists
Performing redistribution functions to and from other routing protocols
Redistributing routes that are learned by other routing protocols
What are the IPv4 and IPv6 multicast addresses used by EIGRPs RTP?
IPv4 uses 224.0.0.10 and IPv6 uses FF02::A.
Identify and Describe EIGRP Packet Types

Like the Open Shortest Path First (OSPF) Protocol, EIGRP relies on different types of packets
to maintain its tables and establish relationships with neighbor routers. In Table 7-1, provide a
brief description for each EIGRP packet type.

Chapter 7: EIGRP 89
Table 7-1 EIGRP Packet Types

Packet Type Description
Hello Used to discover other EIGRP routers in the network
Acknowledgment Used to acknowledge the receipt of any EIGRP packet
Update Used to convey routing information to known destinations
Query Used to request specific information from a neighbor router
Reply Used to respond to a query
Complete the missing elements in this exercise by filling in appropriate words or phrases.
When encountered, circle whether the packet is reliable or unreliable and whether it is unicast
or multicast.
Hello packets:
(Reliable/unreliable) (unicast/multicast) sent to the address, 224.0.0.10, to discover and
maintain neighbors; contains the routers neighbor table
Default Hello interval depends on the bandwidth:
1.544 Mbps = 60 sec. Hello interval (180 holdtime)
> 1.544 Mbps = 5 sec. Hello interval (15 holdtime)
Update packets. Sent (reliably/unreliably), there are two types:
(Unicast/multicast) to new neighbor discovered; contains routing information
(Unicast/multicast) to all neighbors when topology changes
Query packets. Queries are (unicast/multicast) (reliably/unreliably) during route recomputa-
tion, asking neighbors for a new successor to a lost route.
Reply packets. Neighbors (unicast/multicast) a reply to a query whether they have a route.
Acknowledgment packets. Dataless (unicast/multicast) packet that acknowledges the receipt
of a packet that was sent reliably. This type is actually a Hello packet with a nonzero value in
the Acknowledgment field.
An EIGRP router assumes that as long as it is receiving Hello packets from a neighbor, the
neighbor and its routes remain viable. Holdtime tells the router the maximum time the router
should wait to receive the next Hello before declaring that neighbor as unreachable. By default,
this waiting period is three times the Hello interval, or 15 seconds on most networks and 180
seconds on networks with speeds of T1 or slower. If the time expires, EIGRP will declare the
route as down, and DUAL will search for a new path by sending out queries.
Identify Elements of the EIGRP Message Formats

Figure 7-1 shows an example of an encapsulated EIGRP message. Fill in the missing field
contents.

Figure 7-1 Encapsulated EIGRP Message
Data Link Frame IP Packet EIGRP Packet

Type/Length/Values Types
Header Header Header
Data Link Frame

MAC Source Address = Address of Sending Interface
MAC Destination Address = Multicast: 01-00-5E-00-00-0A
IP Packet
IP Source Address = Address of Sending Interface
IP Destination Address = Multicast:
Protocol Field = for EIGRP
EIGRP Packet Header
Opcode for EIGRP Packet Type
TLV Types
Some Types Include:
0x0001
0x0102
0x0103
Figure 7-1a Encapsulated EIGRP Message (answer)

Data Link Frame

MAC Source Address = Address of Sending Interface
MAC Destination Address = Multicast: 01-00-5E-00-00-0A
IP Packet
IP Source Address = Address of Sending Interface
IP Destination Address = Multicast: 224.0.0.10
Protocol Field = 88 for EIGRP
EIGRP Packet Header
Opcode for EIGRP Packet Type
AS Number
TLV Types
Some Types Include:
0x0001 EIGRP Parameters
0x0102 IP Internal Routes
0x0103 IP External Routes
The EIGRP packet header is included with every EIGRP packet, regardless of its type. In the IP
packet header, the Protocol field is set to 88 to indicate EIGRP, and the destination address is
set to the multicast 224.0.0.10.
Every EIGRP message includes the header as shown in Figure 7-2. Fill in the missing field con-
tents.

Chapter 7: EIGRP 91
Figure 7-2 EIGRP Packet Header

Bit 0 7 8 15 16 23 24 31
Version Checksum
Flags
EIGRP
Sequence
Header
Ack
EIGRP
Numbers TLVs
Message
Figure 7-2a EIGRP Packet Header (answer)

Bit 0 7 8 15 16 23 24 31
Version Opcode Checksum
Flags
EIGRP
Sequence
Header
Ack
Autonomous System
EIGRP
Numbers TLVs
Message
Important fields for our discussion include the Opcode field and the Autonomous System (AS)
field. Opcode specifies the EIGRP packet type, one of the following:
Update
Query
Reply
Hello
The number in the AS field is used to track multiple instances of EIGRP.
Encapsulated in the EIGRP packet header is the TLV (Type/Length/Values) shown in Figure
7-3. Fill in the missing field contents.
Figure 7-3 EIGRP Parameters TLV
Data Link Frame IP Packet EIGRP Packet Type/Length/Values Types:

Header Header Header EIGRP Parameters TLV
Bit 0 7 8 15 16 23 24 31
Type = 0x0001 Length
Values
Reserved

Figure 7-3a EIGRP Parameters TLV (answer)

Header Header Header EIGRP Parameters TLV
Bit 0 7 8 15 16 23 24 31
K1 K2 K3 K4
Values
K5 Reserved Hold Time
This EIGRP parameters message includes the weights that EIGRP uses for its composite metric.
By default, only bandwidth and delay are weighted. Both are equally weighted; therefore, the
K1 field for bandwidth and the K3 field for delay are both set to 1. The other K values are set
to 0.
The holdtime is the amount of time the EIGRP neighbor receiving this message should wait
before considering the advertising router to be down.
Figure 7-4 shows the IP Internal message that is used to advertise EIGRP routes within an
autonomous system. Fill in the missing field contents.
Figure 7-4 IP Internal Routes TLV

Header Header Header IP Internal Routes TLV
Bit 0 7 8 15 16 23 24 31
Next Hop
Values
MTU Hope Count
Reliability Load Reserved
Figure 7-4a IP Internal Routes TLV (answer)

Header Header Header IP Internal Routes TLV
Bit 0 7 8 15 16 23 24 31
Next Hop
Delay
Bandwidth
Values
MTU Hope Count
Reliability Load Reserved
Prefix Length Destination

Chapter 7: EIGRP 93
Important fields include the metric fields (Delay and Bandwidth), the subnet mask field (Prefix
Length), and the Destination field.
Explain how the delay value is calculated?
Delay is calculated as the sum of delays from source to destination in units of 10 micro-
seconds.
Explain how the bandwidth value is determined?
Bandwidth is the lowest configured bandwidth of any interface along the route.
The subnet mask is specified as the prefix length or the number of network bits in the subnet
mask. For example, the subnet mask 255.255.255.0 has a prefix length of 24.
Figure 7-5 shows the IP External message that is used when external routes are imported into
the EIGRP routing process. Notice that the bottom half of the IP External TLV includes all the
fields used by the IP Internal TLV. Fill in the missing field contents.
Figure 7-5 IP External Routes TLV

Header Header Header IP External Routes TLV
Bit 0 7 8 15 16 23 24 31
Value
Originating Routers fields
Originating Autonomous System Number used to
track
Arbitrary Tag external
source of
Values Reserved Ext. Protocol ID Flags route.
Same
value
fields used
MTU Hope Count
in the IP
Reliability Load Reserved Internal
TLV.
Figure 7-5a IP External Routes TLV (answer)

Header Header Header IP External Routes TLV
Bit 0 7 8 15 16 23 24 31
Next Hop Value
Originating Routers fields
Originating Autonomous System Number used to
track
Arbitrary Tag external
External Protocol Metric source of
Values Reserved Ext. Protocol ID Flags route.
Delay Same
Bandwidth value
fields used
MTU Hope Count
in the IP
Reliability Load Reserved Internal
Prefix Length Destination TLV.

Configuring EIGRP for IPv4

Implementing EIGRP for IPv4 is with basic configurations is straightforward. Tweaking EIGRP
with more advanced settings is the topic of the next chapter.
Configuring EIGRP with IPv4

Briefly explain the purpose of the autonomous system number in EIGRP configurations.
The autonomous system number functions as a process ID to help routers keep track of mul-
tiple running instances of EIGRP. It has nothing to do with the autonomous system number
assigned by IANA and RIRs to ISPs for their BGP routing configurations
What are the steps a Cisco router uses to choose its router ID?
1. Use the IPv4 address configured with the eigrp router-id command.
2. If the router ID is not configured, use the highest IPv4 address loopback interfaces.
3. If no loopbacks are configured, use the highest active IPv4 address of physical inter-
faces.
What are the two main reasons for using the passive-interface command?
1. To stop unnecessary traffic from being sent out an interface where there are no other
EIGRP routers.
2. To provide security to the EIGRP routing process by preventing a rogue device from
injecting false or less than optimal routing information.
We will use the topology in Figure 7-6 and the addressing in Table 7-2 to configure a dual-
stack network running EIGRP for IPv4 and IPv6.
Figure 7-6 Dual-Stacked Multiarea EIGRP Topology

10.10.0.0/22 10.10.4.0/22
2001:DB8:1:1::/64 2001:DB8:1:2::/64
209.165.201.0/30
G0/1
G0/0 2001:DB8:F:F::/64
Lo0 Internet
S0/0/0 HQ
S0/0/1
172.16.1.248/30 172.16.1.252/30
2001:DB8:F:1::/64 2001:DB8:F:2::/64 10.10.12.0/24
10.10.8.0/23 2001:DB8:1:5::/64
2001:DB8:1:3::/64
768 kbps 512 kbps
S0/0/0 S0/0/1
128 kbps
G0/0 G0/0
B1 S0/0/1 S0/0/0 B3
10.10.10.0/23 172.16.1.244/30 10.10.13.0/24
2001:DB8:1:4::/64 G0/1 G0/1 2001:DB8:1:6::/64
2001:DB8:F::/64

Chapter 7: EIGRP 95
Table 7-2 Addressing for the Dual-Stacked EIGRP Topology

HQ G0/0 10.10.0.1 255.255.252.0
2001:DB8:1:1::1/64
G0/1 10.10.4.1 255.255.252.0
2001:DB8:1:2::1/64
S0/0/0 172.16.1.249 255.255.255.252
2001:DB8:F:1::1/64
S0/0/1 172.16.1.253 255.255.255.252
2001:DB8:F:2::1/64
Lo0 209.165.201.1 255.255.255.252
2001:DB8:F:F::1/64
Link-Local FE80::2
Router ID 2.2.2.2
B1 G0/0 10.10.8.1 255.255.254.0
2001:DB8:1:3::1/64
G0/1 10.10.10.1 255.255.254.0
2001:DB8:1:4::1/64
S0/0/0 172.16.1.250 255.255.255.252
2001:DB8:F:1::2/64
S0/0/1 172.16.1.245 255.255.255.252
2001:DB8:F::1/64
Link-Local FE80::1
Router ID 1.1.1.1
B3 G0/0 10.10.12.1 255.255.255.0
2001:DB8:1:5::1/64
G0/1 10.10.13.1 255.255.255.0
2001:DB8:1:6::1/64
S0/0/0 172.16.1.246 255.255.255.252
2001:DB8:F::2/64
S0/0/1 172.16.1.254 255.255.255.252
2001:DB8:F:2::2/64
Link-Local FE80::3
Router ID 3.3.3.3
Document the most basic routing commands you could use to configure EIGRP for IPv4.
Include the commands to configure the LAN interfaces as passive. The commands for all three
routers are the same, except for the router ID configuration for each router.
!B1!!!!!!!!!!!
router eigrp 1
eigrp router-id 1.1.1.1
network 10.0.0.0

network 172.16.0.0
passive-interface g0/0
!HQ!!!!!!!!!!!
router eigrp 1
network 10.0.0.0
network 172.16.0.0
!B3!!!!!!!!!!!
router eigrp 1
network 10.0.0.0
network 172.16.0.0
Now, for each router, document the network commands you would configure if the policy
stated that you must also configure the wildcard mask for each interface participating in the
EIGRP routing domain.
!B1!!!!!!!!!!!
router eigrp 1
no network 10.0.0.0
no network 172.16.0.0
network 10.10.8.0 0.0.1.255
network 10.10.10.0 0.0.1.255
network 172.16.1.248 0.0.0.3
!HQ!!!!!!!!!!!
router eigrp 1
no network 10.0.0.0
network 10.10.0.0 0.0.3.255
network 10.10.4.0 0.0.3.255
network 172.16.1.248 0.0.0.3
network 172.16.1.252 0.0.0.3
!B3!!!!!!!!!!!
router eigrp 1
no network 10.0.0.0
network 10.10.12.0 0.0.0.255
network 10.10.13.0 0.0.0.255
network 172.16.1.252 0.0.0.3

Chapter 7: EIGRP 97
Verifying EIGRP with IPv4

Before any updates can be sent or received by EIGRP, routers must establish adjacencies with
their neighbors. EIGRP routers establish adjacencies with neighbor routers by exchanging
EIGRP Hello packets.
Use the show ip eigrp neighbors command to view the neighbor table and verify that EIGRP
has established an adjacency with its neighbors. This command enables you to verify and trou-
bleshoot EIGRP. Example 7-1 shows the neighbor table for HQ.
Example 7-1 EIGRP Neighbor Table for HQ

HQ# show ip eigrp neighbors
EIGRP-IPv4 Neighbors for AS(1)
H Address Interface Hold Uptime SRTT RTO Q Seq
(sec) (ms) Cnt Num
1 172.16.1.254 Se0/0/1 14 00:28:35 2 100 0 33
0 172.16.1.250 Se0/0/0 10 00:28:48 1 100 0 36
As with OSPF, you can use the show ip protocols command shown in Example 7-2 to verify
that EIGRP is enabled. Because this configuration was done on a router with IOS 15.1, auto-
matic summarization is disabled by default.
Example 7-2 Verifying EIGRP Is Enabled on HQ

HQ# show ip protocols
Routing Protocol is "eigrp 1"

Default networks flagged in outgoing updates
Default networks accepted from incoming updates
EIGRP-IPv4 Protocol for AS(1)
Metric weight K1=1, K2=0, K3=1, K4=0, K5=0
NSF-aware route hold timer is 240
Router-ID: 2.2.2.2
Topology : 0 (base)
Active Timer: 3 min
Distance: internal 90 external 170
Maximum path: 4
Maximum hopcount 100
Maximum metric variance 1
Automatic Summarization: disabled

Maximum path: 4


10.10.0.0/22
10.10.4.0/22
172.16.1.248/30
172.16.1.252/30
Passive Interface(s):
GigabitEthernet0/0
GigabitEthernet0/1
172.16.1.254 90 00:29:47
172.16.1.250 90 00:29:47
Another way to verify that EIGRP and other functions of the router are configured properly is
to examine the routing tables with the show ip route command. EIGRP routes are denoted in
the routing table with a D, which stands for DUAL.
Example 7-3 shows output from the routing table for B1 with only the EIGRP routes shown.
Also, notice that the output begins at the Gateway of last resort is not set statement. What
command generated this output?
show ip route eigrp | begin Gateway
Example 7-3 B1 Routing Table with EIGRP Routes

B1# show ip route eigrp | begin Gateway
Gateway of last resort is not set

D 10.10.0.0/22 [90/2172416] via 172.16.1.249, 00:43:44, Serial0/0/0
D 10.10.4.0/22 [90/2172416] via 172.16.1.249, 00:43:44, Serial0/0/0
D 10.10.12.0/24 [90/2684416] via 172.16.1.249, 00:43:31, Serial0/0/0
D 10.10.13.0/24 [90/2684416] via 172.16.1.249, 00:43:31, Serial0/0/0
D 172.16.1.252/30 [90/2681856] via 172.16.1.246, 00:00:05, Serial0/0/1
B1#

Chapter 7: EIGRP 99
Lab - Configuring Basic EIGRP with IPv4 (SN 7.2.2.5/RP 4.2.2.5)
Packet Tracer - Configuring Basic EIGRP with IPv4 (SN 7.2.2.4/RP 4.2.2.4)
Packet Tracer
Activity
Operation of EIGRP
EIGRP uses the Diffusing Update Algorithm (DUAL) to select the best routes based on a com-
posite metric. This section reviews the values of the EIGRP metric and how EIGRP performs
the calculation to arrive at the metric displayed in the routing table.
EIGRP Metric Concepts

List the values EIGRP uses in its composite metric to calculate the preferred path to a network:
Bandwidth
Delay
Reliability
Load
Record the formula used to calculate the default EIGRP composite metric.
Default metric = [K1 * Bandwidth + K3 * Delay] * 256
What command can you use to change the default K values?
Router(config-router)# metric weights tos k1 k2 k3 k4 k5
What command do you use to verify the K values used by EIGRP?

show ip protocols
What command enables you to verify the actual values of the EIGRP metric?
show interface
The bandwidth metric is displayed in Kbit (kilobits). The WIC-2T and HWIC-2T use the
default value of 1,544,000 bps, which is the value for a T1 connection. The value may or may
not reflect the actual physical bandwidth of the interface. If actual bandwidth of the link dif-
fers from the default value, you should modify the value. We will review modifying the band-
width calculation to reflect actual values in the next chapter.
Delay is a measure of the time it takes for a packet to traverse a route. This metric is a static
value and is expressed in microseconds.
Complete Table 7-3.
Table 7-3 Interface Delay Values

Media Delay
Ethernet 1000
Fast Ethernet 100
Gigabit Ethernet 10
FDDI 100
T1 (serial default) 20,000

Media Delay
DS0 (64 Kbps) 20,000
1024 Kbps 20,000
56 Kbps 20,000
Reliability is based on the worst value on a particular link and is computed based on keep-
alives.
Load is based on the worst value on a particular link and is computed based on packet rates.
However, because the EIGRP composite metric defaults to bandwidth and delay only, reliabil-
ity and load are not normally considered in the calculation of metric.
DUAL Concepts Exercise

Dual provides the following:
Loop-free paths
Loop-free backup paths which can be used immediately
Fast convergence
Minimum bandwidth usage with bounded updates
Briefly explain the term successor.
A successor is a neighboring router that is used for packet forwarding and is the least-cost
route to the destination network.
Briefly explain what is meant by feasible distance.
Feasible distance (FD) is the lowest calculated metric to reach the destination network.
Examine the following output for B1s routing table shown in Example 7-4.
Example 7-4 Feasible Distance and Successors in the B1 Routing Table


D 10.10.0.0/22 [90/2172416] via 172.16.1.249, 03:06:49, Serial0/0/0
D 10.10.4.0/22 [90/2172416] via 172.16.1.249, 03:06:49, Serial0/0/0
D 10.10.12.0/24 [90/2684416] via 172.16.1.249, 03:06:49, Serial0/0/0
D 10.10.13.0/24 [90/2684416] via 172.16.1.249, 03:06:49, Serial0/0/0
D 172.16.1.252/30 [90/2681856] via 172.16.1.249, 03:06:50, Serial0/0/0

Chapter 7: EIGRP 101
Answer the questions that follow:

What is the IP address of the successor for network 10.10.4.0/22? 172.16.1.249, which is HQ
What is the feasible distance to 10.10.4.0/22? 2172416
What is the IP address of the successor for network 10.10.12.0/24? 172.16.1.249, which is HQ
What is the feasible distance to 10.10.12.0/24? 2684416
Briefly explain the term feasible successor.
A backup path to other routers maintained in a separate table so that DUAL does not have to
be recomputed when the successor becomes unavailable. A feasible successor satisfies the fea-
sibility condition
Briefly explain feasibility condition.
The feasibility condition (FC) is met when a neighbors reported distance (RD) to a network is
less than the local routers feasible distance to the same destination network.
Briefly explain reported distance.
The reported distance or advertised distance is simply an EIGRP neighbors feasible distance
to the same destination network. The reported distance is the metric that a router reports to a
neighbor about its own cost to that network.
The successor, feasible distance, and any feasible successors with their reported distances are
kept by a router in its EIGRP topology table or topology database. This table can be viewed
using the show ip eigrp topology command, as shown in Example 7-5.
Example 7-5 Successors and Feasible Successors in the B1 Topology Table

B1# show ip eigrp topology
EIGRP-IPv4 Topology Table for AS(1)/ID(1.1.1.1)
Codes: P - Passive, A - Active, U - Update, Q - Query, R - Reply,
r - reply Status, s - sia Status
P 10.10.8.0/23, 1 successors, FD is 28160

via Connected, GigabitEthernet0/0
via Connected, Serial0/0/0
via 172.16.1.249 (2684416/2172416), Serial0/0/0
via 172.16.1.246 (3847680/28160), Serial0/0/1
via 172.16.1.249 (2172416/28160), Serial0/0/0
via 172.16.1.249 (2681856/2169856), Serial0/0/0
via 172.16.1.246 (4357120/2169856), Serial0/0/1


via 172.16.1.249 (2172416/28160), Serial0/0/0
via 172.16.1.249 (2684416/2172416), Serial0/0/0
via 172.16.1.246 (3847680/28160), Serial0/0/1
The topology table lists all successors and feasible successors that DUAL has calculated to des-
tination networks. Use the partial output in Example 9-5 to answer the following questions:
For route 10.10.12.0/24...
What is the IP address of the successor? 172.16.1.249
What is the reported distance of the successor? 2172416
What is the feasible distance of the successor? 2684416
What is the IP address of the feasible successor? 172.16.1.246
What is the reported distance of the feasible successor? 28160
What is the feasible distance of the feasible successor? 3847680
Notice that the reported distance of the feasible successor is less than the feasible distance of
the successor.
What happens if an EIGRP router doesnt have feasible successor in the topology table and the
router loses connection to the successor?
Then DUAL must be recomputed and neighbors queried for a possible backup route.
DUAL FSM Completion Exercise

A finite state machine (FSM) is an abstract machine, not a mechanical device with moving
parts. FSMs define a set of possible states that something can go through, what events cause
those states, and what events result from those states. Designers use FSMs to describe how a
device, computer program, or routing algorithm will react to a set of input events.
Figure 7-7 is a simplified flowchart of DUALs FSM. Fill in the flowchart with the states EIGRP
moves through when it loses connectivity with a successor. The flowchart should serve as a
visual study aid to help you remember how DUAL converges on new routes.

Figure 7-7 DUAL FSM Flowchart
Lost Connectivity to
Successor
Yes No
Yes
No

Figure 7-7 DUAL FSM Flowchart (answer)
Lost Connectivity to
Successor
Yes Feasible No Place Destination

Promote to Successor
Successor? Network in Active State
Install Successor in
Routing Table
Yes One or More Query Neighbors for

Select New Successor
New Routes? New Route
No
Install Feasible Remove Destination

Successor(s), if any, in Network from Topology
Topology Table and Routing Tables
7.3.4.4 Packet Tracer - Investigating DUAL FSM
Configuring EIGRP for IPv6

EIGRP for IPv4 and EIGRP for IPv6 are almost identical in their operation. Configuring EIGRP
for IPv6 is actually easier than IPv4. No need to configure network statements. Simply enable
EIGRP for IPv6 globally, assigning a router ID. Then enable EIGRP on each interface you want
to participate in the EIGRP routing process.
Comparing EIGRP for IPv4 and EIGRP for IPv6

In Table 7-4, indicate whether an EIGRP feature is associated with EIGRP for IPv4, EIGRP for
IPv6, or both.

Table 7-4 Comparing EIGRP for IPv4 and IPv6

Features EIGRP for IPv4 EIGRP for IPv6 Both
Advertised IPv4 networks X
Advertised IPv6 networks X
Distance vector X
DUAL algorithm X
Default metric: bandwidth and delay X
Transport protocol: RTP X
Incremental, partial, and bounded updates X
Neighbor discovery: Hello packets X
224.0.0.10 multicast X
FF02::10 multicast X
Configuring and Verifying EIGRP for IPv6

The steps to configure EIGRP for IPv6 are as follows:
Step 1. Enable IPv6 routing.
Step 2. Enable EIGRP for IPv6 globally and configure the router ID.
Step 3. Enable the interfaces that are to participate in EIGRP for IPv6.
With those steps in mind, document the configurations for each router shown in Figure 7-6.
Instructor Note: Although not required of the student, the IPv6 interface addressing is also
including in the following scripts.
!HQ!!!!!!!!!!!
en
conf t
ipv6 unicast-routing
ipv6 router eigrp 1
no shutdown
interface g0/0
ipv6 address 2001:db8:1:1::1/64
ipv6 address fe80::2 link-local
ipv6 eigrp 1
no shutdown
interface g0/1
ipv6 address 2001:db8:1:2::1/64
ipv6 eigrp 1
no shutdown
interface s0/0/0
ipv6 address 2001:db8:f:1::1/64

ipv6 eigrp 1
no shutdown
interface s0/0/1
ipv6 eigrp 1
no shutdown
int lo0
ipv6 address 2001:db8:f:f::1/64
end
!B1!!!!!!!!!!!
en
conf t
ipv6 router eigrp 1
no shutdown
interface g0/0
ipv6 address 2001:db8:1:3::1/64
ipv6 eigrp 1
no shutdown
interface g0/1
ipv6 address 2001:db8:1:4::1/64
ipv6 eigrp 1
no shutdown
interface s0/0/0
ipv6 eigrp 1
no shutdown
interface s0/0/1
ipv6 address 2001:db8:f::1/64
ipv6 eigrp 1
no shutdown
end
!B3!!!!!!!!!!!
en
conf t
ipv6 router eigrp 1

no shutdown
interface g0/0
ipv6 address 2001:db8:1:5::1/64
ipv6 eigrp 1
no shutdown
interface g0/1
ipv6 address 2001:db8:1:6::1/64
ipv6 eigrp 1
no shutdown
interface s0/0/0
ipv6 address 2001:db8:f::2/64
ipv6 eigrp 1
no shutdown
interface s0/0/1
ipv6 eigrp 1
no shutdown
end
What command enables you to verify adjacency with other EIGRP routers?
B1# show ipv6 eigrp neighbors

(sec) (ms) Cnt Num
1 Link-local address: Se0/0/1 11 00:14:52 1 186 0 50
FE80::3
FE80::2
What command enables you to display the EIGRP parameters, including the K values, router
ID, process ID, and administrative distances?
B1# show ipv6 protocols

IPv6 Routing Protocol is "connected"
IPv6 Routing Protocol is "eigrp 1"
Router-ID: 1.1.1.1
Topology : 0 (base)
Active Timer: 3 min


Maximum path: 16
Interfaces:
Serial0/0/0
Serial0/0/1
GigabitEthernet0/0
GigabitEthernet0/1
Redistribution:
None
IPv6 Routing Protocol is "ND"
What command enables you to verify the EIGRP routes are installed in the routing table?
B1# show ipv6 route eigrp

IPv6 Routing Table - default - 14 entries
Codes: C - Connected, L - Local, S - Static, U - Per-user Static route
B - BGP, R - RIP, H - NHRP, I1 - ISIS L1
I2 - ISIS L2, IA - ISIS interarea, IS - ISIS summary, D - EIGRP
EX - EIGRP external, ND - ND Default, NDp - ND Prefix, DCE - Destination
NDr - Redirect, O - OSPF Intra, OI - OSPF Inter, OE1 - OSPF ext 1
D 2001:DB8:1:1::/64 [90/2172416]
D 2001:DB8:1:2::/64 [90/2172416]
D 2001:DB8:1:5::/64 [90/2684416]
D 2001:DB8:1:6::/64 [90/2684416]
D 2001:DB8:F:2::/64 [90/2681856]
Lab - Configuring Basic EIGRP for IPv6 (SN 7.4.3.5/RP 4.4.3.5)
Packet Tracer - Configuring Basic EIGRP with IPv6 (SN 7.4.3.4/RP 4.4.3.5)
Packet Tracer
Activity

CHAPTER 8
EIGRP Advanced Configurations and

Troubleshooting
This chapter reviews the various ways you can adjust your Enhanced Interior Gateway Routing
Protocol (EIGRP) implementation to provide additional capabilities and functionality. In addition, trou-
bleshooting EIGRP is also covered.

Advanced EIGRP Configurations

Now that you are familiar with the basic configuration and verification commands for imple-
menting EIGRP, this section focuses on ways you can tweak the implementation to improve
performance, enable load balancing, and authenticate updates between EIGRP neighbors.
Automatic Summarization
Before Cisco IOS 15.01(1)M and 12.2(33), automatic summarization in EIGRP was enabled by
default. Briefly explain the concept of automatic summarization.
Automatic summarization occurs at classful boundaries. So an EIGRP router with several sub-
nets of a Class A, B, or C network will only advertise that network.
Assume an EIGRP router is using automatic summarization. In Table 8-1, record the classful
address advertised by the router for each listing of subnets.
Table 8-1 Determine the Classful Networks Advertised by an EIGRP Router

Subnets Classful Networks
10.10.10.0/24, 10.10.11.0/24, 10.10.12.0/24 10.0.0.0/8
172.16.16.0/22, 172.16.18.0/22 172.16.0.0/16
192.168.1.0/25, 192.168.1.128/25, 192.168.1.0/24, 192.168.2.0/24
192.168.2.0/25, 192.168.2.128/25
EIGRP automatic summarization should be used only if you are absolutely sure that you do
not have any discontiguous subnets. For example, in Figure 8-1, the addressing scheme is dis-
contiguous.
Figure 8-1 EIGRP Automatic Summarization Topology with Discontiguous Subnets
10.10.0.0/22
HQ
172.16.1.248/30 172.16.1.252/30
10.10.8.0/23 10.10.12.0/24
B1 B3
If you enable automatic summarization on the routers, they will not advertise the specific sub-
nets that belong to 10.0.0.0/8 across the 172.16.0.0 WAN links. Instead, they automatically sum-
marize the subnets to 10.0.0.0/8 and advertise the classful network. But each router already has
a link in the 10.0.0.0/8 address space, so the update from the neighbor is stored in the topology
table. No routes to the subnets are installed.
Automatic summarization is disabled by default in IOS 15 and later. What command including
the router prompt will enable automatic summarization?
Router(config-router)# auto-summary

Chapter 8: EIGRP Advanced Configurations and Troubleshooting 111
You can verify whether automatic summarization is enabled with the show ip protocols com-
mand displayed in Example 8-1 for HQ from Figure 8-1.
Example 8-1 Verifying Automatic Summarization Is in Effect


Router-ID: 2.2.2.2
Topology : 0 (base)
Active Timer: 3 min
Maximum path: 4
Automatic Summarization: enabled

172.16.0.0/16 for Gi0/0
Summarizing 2 components with metric 2169856
10.0.0.0/8 for Se0/0/0, Se0/0/1
Summarizing 1 component with metric 28160
Maximum path: 4
10.0.0.0
172.16.0.0
172.16.1.254 90 00:01:30
172.16.1.250 90 00:01:30
To view the entire EIGRP topology table for HQ, use the show ip eigrp topology all-links
command to generate the output displayed in Example 8-2.

Example 8-2 Viewing the Complete EIGRP Topology Table
HQ# show ip eigrp topology all-links

EIGRP-IPv4 Topology Table for AS(1)/ID(2.2.2.2)
Codes: P - Passive, A - Active, U - Update, Q - Query, R - Reply,
r - reply Status, s - sia Status
P 172.16.1.248/30, 1 successors, FD is 2169856, serno 2

via Summary (2169856/0), Null0
via Summary (28160/0), Null0
via 172.16.1.250 (2172416/28160), Serial0/0/0
via 172.16.1.254 (2172416/28160), Serial0/0/1
You can see that HQ has a route for 10.0.0.0/8 from both B1 and B3 in its topology table.
However, it also has its own summary route with a better metric. This is the route installed and
used by HQ, as verified with the show ip route eigrp command displayed in Example 8-3.
Example 8-3 Verifying the Summary Route Installed on HQ

HQ# show ip route eigrp | begin Gateway

D 10.0.0.0/8 is a summary, 00:08:42, Null0
Briefly explain the purpose of the Null0 interface.

The Null0 interface is installed in the routing table to prevent routing loops.
Manual Summarization
In EIGRP design scenarios where it is not desirable to prevent discontiguous subnets, you may
still want to encourage scalable designs so that you can take advantage of EIGRPs manual
summarization. This will help reduce the size of routing tables.

IPv4 Manual Summarization

Figure 8-2 shows the same EIGRP topology we used in Chapter 7, EIGRP. However, now the
topology shows the contracted bandwidth rates on each of the serial interfaces. We will use
that information later to tune how EIGRP chooses the best route.
Note: The bandwidths shown in Figure 8-2 are not realistic for todays network implementations that
require gigabit speeds across WAN links. These bandwidths are used for simplicity.
Figure 8-2 Dual-Stack EIGRP Topology with Bandwidths
10.10.0.0/22 10.10.4.0/22
2001:DB8:1:1::/64 2001:DB8:1:2::/64
209.165.201.0/30
G0/1
G0/0 2001:DB8:F:F::/64
Lo0 Internet
S0/0/0 HQ
S0/0/1
172.16.1.248/30 172.16.1.252/30
2001:DB8:F:1::/64 2001:DB8:F:2::/64 10.10.12.0/24
10.10.8.0/23 2001:DB8:1:5::/64
2001:DB8:1:3::/64
768 kbps 512 kbps
S0/0/0 S0/0/1
128 kbps
G0/0 G0/0
B1 S0/0/1 S0/0/0 B3
10.10.10.0/23 172.16.1.244/30 10.10.13.0/24
2001:DB8:1:4::/64 G0/1 G0/1 2001:DB8:1:6::/64
2001:DB8:F::/64
To calculate the IPv4 summary routes, use the same technique you used to calculate a IPv4
static summary routes:
Step 1. Write out the networks to be summarized in binary.
Step 2. To find the subnet mask for summarization, start with the far-left bit.
Step 3. Working from left to right, find all the bits that match consecutively.
Step 4. When there is a column of bits that do not match, stop. This is the summary
boundary.
Step 5. Count the number of far-left matching bits, which in this example is 22. This
number is used to determine the subnet mask for the summarized route: /22 or
255.255.252.0.
Step 6. To find the network address for summarization, copy the matching 22 bits and add
all 0 bits to the end to make 32 bits.
Once you have your summary, configure the desired interfaces with the ip summary-address
eigrp command. Each interface that will send out an EIGRP update should have the command.
In Figure 8-2, each router can summarizes the two local LANs into one summary route.
Calculate the summary routes for each route and record the commands to configure the serial
interfaces.

HQ
Summary Route: 10.10.0.0/21
Command to configure Serial 0/0/0 and Serial 0/0/1:
ip summary-address eigrp 1 10.10.0.0 255.255.248.0
B1
B3
The following calculations focus on the third octet:
HQ B1 B3
00000000 00001000 00001100
LAN 2 00000100 00001010 00001101
Summary Route 10.10.0.0/21 10.10.8.0/22 10.10.12.0/23
If you are following along in a simulator or on lab equipment, your EIGRP routing tables
should look like Example 8-4.
Note: We have not yet configured the bandwidth values shown in Figure 8-2.
Example 8-4 EIGRP Routing Tables with Manual Summarization in Effect

HQ# show ip route eigrp | begin Gateway

D 10.10.8.0/22 [90/2172416] via 172.16.1.250, 00:01:43, Serial0/0/0
D 10.10.12.0/23 [90/2172416] via 172.16.1.254, 00:01:13, Serial0/0/1
D 172.16.1.244/30 [90/2681856] via 172.16.1.254, 00:01:43, Serial0/0/1
[90/2681856] via 172.16.1.250, 00:01:43, Serial0/0/0

D 10.10.0.0/21 [90/2172416] via 172.16.1.249, 00:00:54, Serial0/0/0

D 10.10.12.0/23 [90/2172416] via 172.16.1.246, 00:00:54, Serial0/0/1

D 172.16.1.252/30 [90/2681856] via 172.16.1.249, 00:00:54, Serial0/0/0
[90/2681856] via 172.16.1.246, 00:00:54, Serial0/0/1

D 10.10.0.0/21 [90/2172416] via 172.16.1.253, 00:00:48, Serial0/0/1
D 10.10.8.0/22 [90/2172416] via 172.16.1.245, 00:00:48, Serial0/0/0
D 172.16.1.248/30 [90/2681856] via 172.16.1.253, 00:00:48, Serial0/0/1
[90/2681856] via 172.16.1.245, 00:00:48, Serial0/0/0
IPv6 Manual Summarization

Briefly explain why IPv6 does not support automatic summarization.
Automatic summarization is based on classful addressing, which does not exist in IPv6.
You can manually configure IPv6 summary routes. However, the IPv6 addressing in Figure 8-2
was not designed for summary routes. If you summarized the IPv6 LANs on any of the routers,
you would be including IPv6 LANs from one or both of the other routers.
For example, the summary for the IPv6 LANs on B3 would be 2001:DB8:1:4::/62. The calcula-
tion focuses on the fourth hextet since it is the one that is changing:
0000 0000 0000 0100 --> included in summary (B1 LAN)
0000 0000 0000 0101 --> B3 LAN
0000 0000 0000 0110 --> B3 LAN
0000 0000 0000 0111 --> included in a B1 summary, if configured
You can see that this summary would include the B1 IPv6 LAN, 2001:DB8:1:4::/64. But it
would also include additional address space summarized by B1 if B1 also configured an IPv6
manual summary route. In fact, a summary route on B1 would include all the IPv6 LANs in the
topology. Prove this using the following workspace to calculate what the IPv6 summary route
would be for B1.
0000 0000 0000 0000
0000 0000 0000 0001 --> HQ LAN
0000 0000 0000 0010 --> HQ LAN
0000 0000 0000 0011 --> B1 LAN
0000 0000 0000 0100 --> B1 LAN
0000 0000 0000 0101 --> B3 LAN
0000 0000 0000 0110 --> B3 LAN
0000 0000 0000 0111

What would be the summary route for B1?

2001:DB8:1::/61
Packet Tracer
Packet Tracer - Configuring EIGRP Manual Summary Routes for IPv4 and IPv6 (SN
Activity 8.1.2.5/RP 5.1.2.5)
Default Route Propagation

Propagating a default route in EIGRP requires one additional command in your EIGRP configu-
ration. What is the command, including the router prompt, for both IPv4 and IPv6?
IPv4:
Router(config-router)# redistribute static
IPv6:
Router(config-rtr)# redistribute static
Figure 8-2 is using a Loopback interface to simulate a connection to the Internet. Record the
commands to configure an IPv4 default route, IPv6 default route, and redistribute the routes to
B1 and B3.
HQ(config)# ip route 0.0.0.0 0.0.0.0 Lo0

HQ(config)# ipv6 route ::/0 Lo0
HQ(config)# router eigrp 1
HQ(config-router)# redistribute static
HQ(config-router)# ipv6 router eigrp 1
HQ(config-rtr)# redistribute static
If you are following along in a simulator or on lab equipment, your verification output for B1
and B3 should look like Example 8-5.
Example 8-5 EIGRP Routing Tables with Default Route Propagation

D*EX 0.0.0.0/0 [170/2297856] via 172.16.1.249, 00:12:58, Serial0/0/0

D 10.10.0.0/21 [90/2172416] via 172.16.1.249, 06:04:19, Serial0/0/0
D 10.10.12.0/23 [90/2172416] via 172.16.1.246, 06:04:19, Serial0/0/1
D 172.16.1.252/30 [90/2681856] via 172.16.1.249, 06:04:19, Serial0/0/0
[90/2681856] via 172.16.1.246, 06:04:19, Serial0/0/1
B1# show ipv6 route eigrp | begin EX ::/0
EX ::/0 [170/2169856]
D 2001:DB8:1:1::/64 [90/2172416]

D 2001:DB8:1:2::/64 [90/2172416]
D 2001:DB8:1:6::/64 [90/2172416]
D 2001:DB8:F:2::/64 [90/2681856]
B1# ping 209.165.201.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 209.165.201.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms
B1# ping 2001:db8:f:f::1
Sending 5, 100-byte ICMP Echos to 2001:DB8:F:F::1, timeout is 2 seconds:
!!!!!
D*EX 0.0.0.0/0 [170/2297856] via 172.16.1.253, 00:13:32, Serial0/0/1

D 10.10.0.0/21 [90/2172416] via 172.16.1.253, 06:04:52, Serial0/0/1
D 10.10.8.0/22 [90/2172416] via 172.16.1.245, 06:04:52, Serial0/0/0
D 172.16.1.248/30 [90/2681856] via 172.16.1.253, 06:04:52, Serial0/0/1
[90/2681856] via 172.16.1.245, 06:04:52, Serial0/0/0
EX ::/0 [170/2169856]
D 2001:DB8:1:1::/64 [90/2172416]
D 2001:DB8:1:2::/64 [90/2172416]
D 2001:DB8:1:4::/64 [90/2172416]
D 2001:DB8:F:1::/64 [90/2681856]
B3# ping 209.165.201.1


!!!!!
B3# ping 2001:db8:f:f::1
Sending 5, 100-byte ICMP Echos to 2001:DB8:F:F::1, timeout is 2 seconds:
!!!!!
8.1.3.4 Packet Tracer - Propagating a Default Route in EIGRP for IPv4 and IPv6
Fine-Tuning EIGRP Interfaces

Bandwidth Utilization
By default, EIGRP will use only up to 50 percent of the bandwidth of an interface for EIGRP
information. This prevents the EIGRP process from overutilizing a link and not allowing
enough bandwidth for the routing of normal traffic.
The ip bandwidth-percent eigrp command can be used to configure the percentage of band-
width that may be used by EIGRP on an interface. Record the full syntax for this command.
Router(config-if)# ip bandwidth-percent eigrp as-number percent
This command uses the amount of configured bandwidth (or the default bandwidth) when cal-
culating the percent that EIGRP can use.
Hello Intervals and Holdtimes
Hello intervals and holdtimes are configurable on a per-interface basis and do not have to
match with other EIGRP routers to establish adjacencies.
Record the command to configure a different Hello interval.
Router(config-if)# ip hello-interval eigrp as-number seconds
If you change the Hello interval, make sure that you also change the holdtime to a value equal
to or greater than the Hello interval. Otherwise, neighbor adjacency will go down after the
holdtime expires and before the next Hello interval.
Record the command to configure a different holdtime.
Router(config-if)# ip hold-time eigrp as-number seconds
EIGRP has different default Hello intervals and holdtimes based on the type of link. Complete
Table 8-2 with the default values.
Table 8-2 Default Hello Intervals and Holdtimer for EIGRP

Bandwidth Example Link Default Hello Interval Default Holdtime
1.544 Mbps Multipoint Frame Relay 60 seconds 180 seconds
Greater Than T1, Ethernet 5 seconds 15 seconds
1.544 Mbps

Load Balancing
Briefly describe equal-cost load balancing.
Load balancing is the ability of a router to use all local interfaces that routes with the same
metric to a destination address.
By default, EIGRP uses up to four equal-cost paths to load balance traffic. You can see load
balancing in effect in the routing tables shown in previous Examples 8-4 and 8-5.
The reason EIGRP is load balancing is that we have not configured the actual bandwidth
shown in Figure 8-2.
Record the commands to configure the routers with the correct bandwidth values.
HQ(config)# int s0/0/0
HQ(config-if)# bandwidth 768
HQ(config-if)# int s0/0/1
HQ(config-if)# bandwidth 512
B1(config)# int s0/0/0
B1(config-if)# bandwidth 768
B1(config-if)# int s0/0/1
B3(config)# int s0/0/0
B3(config-if)# int s0/0/1
Once the routers are properly configured with the actual bandwidth values, EIGRP recalculates
the metrics and installs the best route in the routing table, as shown in Example 8-6. Notice
that B1 and B3 are no longer using the 128-Kbps link to route to each others LANs. Instead,
they are each using the faster path through HQ.
Example 8-6 EIGRP Routing Tables After Bandwidth Configuration

D*EX 0.0.0.0/0 [170/3973120] via 172.16.1.249, 00:05:50, Serial0/0/0

D 10.10.0.0/21 [90/3847680] via 172.16.1.249, 00:05:50, Serial0/0/0
D 10.10.12.0/23 [90/6026496] via 172.16.1.249, 00:05:21, Serial0/0/0
D 172.16.1.252/30 [90/6023936] via 172.16.1.249, 00:05:31, Serial0/0/0
EX ::/0 [170/3845120]
D 2001:DB8:1:1::/64 [90/3847680]

D 2001:DB8:1:2::/64 [90/3847680]
D 2001:DB8:1:6::/64 [90/6026496]
D 2001:DB8:F:2::/64 [90/6023936]
D*EX 0.0.0.0/0 [170/5639936] via 172.16.1.253, 00:05:43, Serial0/0/1

D 10.10.0.0/21 [90/5514496] via 172.16.1.253, 00:05:43, Serial0/0/1
D 10.10.8.0/22 [90/6026496] via 172.16.1.253, 00:05:43, Serial0/0/1
D 172.16.1.248/30 [90/6023936] via 172.16.1.253, 00:05:43, Serial0/0/1
EX ::/0 [170/5511936]
D 2001:DB8:1:1::/64 [90/5514496]
D 2001:DB8:1:2::/64 [90/5514496]
D 2001:DB8:1:4::/64 [90/6026496]
D 2001:DB8:F:1::/64 [90/6023936]
Securing EIGRP Routing Updates

In most production networks, you would want to configure the EIGRP routers to authenticate
updates received from neighbors. The steps to configure EIGRP with MD5 authentication are
as follows:
Step 1. Create a keychain and key.
Record the command syntax including the router prompt to configure a keychain
and key.
Router(config)# key chain name-of-chain
Router(config-keychain)# key key-id
Router(config-keychain-key)# key-string key-string-text

Step 2. Configure EIGRP authentication to use the keychain and key.

Record the command syntax, including the router prompt, to configure EIGRP
authentication using the keychain and key.
Router(config)# interface type number
Router(config-if)# ip authentication mode eigrp as-num md5
Router(config-if)# ip authentication key-chain eigrp as-num name-of-chain
Now record the commands to configure HQ to authenticate updates from B1 and B3. Assume
that B1 and B3 are already configured. Use MYKEY as the keychain name, 1 as the key ID, and
cisco123 as the key string.
HQ(config)# key chain MYKEY

HQ(config-keychain)# key 1
HQ(config-keychain-key)# key-string cisco123
HQ(config-keychain-key)# int s0/0/0
HQ(config-if)# ip authentication mode eigrp 1 md5
HQ(config-if)# ip authentication key-chain eigrp 1 MYKEY
HQ(config-if)# int s0/0/1
HQ(config-if)# ip authentication mode eigrp 1 md5
HQ(config-if)# ip authentication key-chain eigrp 1 MYKEY
Use the show ip eigrp neighbors command as displayed in Example 8-7 to verify that HQ has
reestablished adjacency with B1 and B3.
Example 8-7 Verifying EIGRP Authentication

(sec) (ms) Cnt Num
1 172.16.1.250 Se0/0/0 10 00:06:25 2 192 0 59
0 172.16.1.254 Se0/0/1 13 00:07:09 3 288 0 59
Lab - Configuring Advanced EIGRP for IPv4 Features (SN 8.1.5.5/RP 5.1.5.5)
Troubleshoot EIGRP
This section reviews the tools and procedures to troubleshoot EIGRP issues.
Commands for Troubleshooting EIGRP

In Table 8-3, the IPv4 version of the troubleshooting commands for EIGRP are listed. The same
commands are available for IPv6. Indicate which command or commands you would use to
answer each of the questions.

Table 8-3 Diagnosing EIGRP Connectivity Issues

Command Is the Neighbor Is the Routing Does Traffic Take
Table Correct? Table Correct? the Desired Path?
show ip eigrp neighbors X
show ip interface brief X
show ip eigrp interface X
show ip protocols X
show ip route eigrp X X
Troubleshoot EIGRP Connectivity Issues

Using the configuration for the devices in Figure 8-2 and the following command outputs diag-
nose the EIGRP connectivity issue and recommend a solution.
Connectivity Issue #1
HQ and B1 have not formed a neighbor adjacency. Use the output in Example 8-8 to trouble-
shoot the first issue.
Example 8-8 Troubleshooting Command Output for Issue #1

(sec) (ms) Cnt Num
0 172.16.1.254 Se0/0/1 10 00:23:18 1 288 0 65
HQ# show ip interface brief
Interface IP-Address OK? Method Status Protocol
Embedded-Service-Engine0/0 unassigned YES unset administratively down down
GigabitEthernet0/0 10.10.0.1 YES manual up up
Serial0/0/0 172.16.1.250 YES manual up up
Loopback0 209.165.201.1 YES manual up up
B1# show ip eigrp neighbors
(sec) (ms) Cnt Num
1 172.16.1.246 Se0/0/1 12 00:26:47 9 1170 0 67
B1# show ip interface brief
Interface IP-Address OK? Method Status Protocol
Embedded-Service-Engine0/0 unassigned YES unset administratively down down

Problem and Solution:

HQ and B1 are both using the same IP address on the 172.16.1.248/30 link. Change either one
to use IP address 172.16.1.249 and the neighbor relationship will be restored.
HQ and B3 have not formed a neighbor adjacency. Example 8-9 displays the output for the
second issue.
HQ# show ipv6 eigrp neighbors

(sec) (ms) Cnt Num
FE80::1
B3# show ipv6 eigrp neighbors

B3 does not have EIGPR neighbors because it is configured with a different AS number than
HQ. Configure B3 to use AS number 1 for its IPv6 EIGRP configuration.
Although the IPv6 routes look correct, B3 is using a less-than-optimal route to reach the B1
and HQ IPv4 LANs. Use the output in Example 8-10 to troubleshoot the third issue.


Redistributing: static
Router-ID: 2.2.2.2
Topology : 0 (base)
Active Timer: 3 min


Maximum path: 4
Automatic Summarization: disabled

Address Summarization:
10.10.0.0/21 for Se0/0/0, Se0/0/1
Summarizing 2 components with metric 28160
Maximum path: 4
10.0.0.0
172.16.0.0
Passive Interface(s):
GigabitEthernet0/0
GigabitEthernet0/1
Serial0/0/1
172.16.1.254 90 00:17:55
172.16.1.250 90 00:00:41
D*EX 0.0.0.0/0 [170/21152000] via 172.16.1.245, 00:08:32, Serial0/0/0

D 10.10.0.0/21 [90/21026560] via 172.16.1.245, 00:08:32, Serial0/0/0
D 10.10.8.0/22 [90/20514560] via 172.16.1.245, 00:08:32, Serial0/0/0
D 172.16.1.248/30 [90/21024000] via 172.16.1.245, 00:08:32, Serial0/0/0
EX ::/0 [170/5511936]
D 2001:DB8:1:1::/64 [90/5514496]
D 2001:DB8:1:2::/64 [90/5514496]
D 2001:DB8:1:4::/64 [90/6026496]
D 2001:DB8:F:1::/64 [90/6023936]


The EIGRP configuration on HQ has the Serial 0/0/1 interface set to passive. Therefore, HQ
and B3 have not established adjacency and HQ is not sending IPv4 routing updates to B3.
Lab - Troubleshooting Basic EIGRP for IPv4 and IPv6 (SN 8.2.3.6/RP 5.2.3.6)
Lab - Troubleshooting Advanced EIGRP (SN 8.2.3.7/RP 5.2.3.7)
Packet Tracer
Packet Tracer - Troubleshooting EIGRP for IPv4 (SN 8.2.3.5/RP 5.2.3.5)
Activity

CHAPTER 9
IOS Images and Licensing
Network administrators are responsible for managing the routers and switches owned by the organiza-
tion. This responsibility includes backing up and upgrading software images when needed. This chapter
reviews basic IOS image concepts and management tasks.

Managing IOS System Files

Cisco IOS software is a sophisticated operating system that includes multiple release versions
that are organized into software release families and software trains.
IOS Families, Trains, and Naming Conventions

A software release family is comprised of multiple IOS software release versions. What are the
three features that distinguish an IOS software release family?
Share the same code base
Apply to a related platform (for example, 1900 series routers)
Overlap in support coverage
What are some major software releases within the software release family?
12.3, 12.4, 15.0, and 15.1
Briefly describe a software train.
New versions are created to fix bugs and add new features to an existing software family.
These releases are organized into trains that may contain several releases over the life of a soft-
ware family.
The Cisco IOS Software 12.4 train is considered the mainline train, which receives mostly soft-
ware (bug) fixes with the goal of increasing software quality. These releases are also designated
as Maintenance Deployment releases (MD).
A mainline train is always associated with a technology train (T train). A T train, such as 12.4T,
receives the same software bug fixes as the mainline train.
What else does a T train include?
T trains receive new software and hardware support features.
T train releases are considered Early Deployment (ED) releases.
Decoding the IOS release numbering conventions will go a long way in helping you understand
the various trains used in the IOS 12.4 software release family. In Figure 9-1, indicate whether
the release is a mainline train or a technology train. Then fill in the blanks for each part of the
IOS 12 software release numbering scheme.
Releases before IOS 15 consisted of eight packages for Cisco routers. These packages were the
following:
Five nonpremium packages:
IP Base: Entry-level Cisco IOS Software Image
IP Voice: Converged voice and data, VoIP, VoFR, and IP Telephony
Advanced Security: Security and VPN features, including Cisco IOS Firewall, IDS/IPS,
IPsec, 3DES, and VPN
SP (Service Provider) Services: Adds SSH/SSL, ATM, VoATM, and MPLS to IP Voice
Enterprise Base: Includes AppleTalk, IPX, and IBM Support

Chapter 9: IOS Images and Licensing 129
Figure 9-1 The IOS 12.4 Software Release Numbering Convention
12.4(21 a)
12.4
12.4(20) T 1
12.4T
Figure 9-1a The IOS 12.4 Software Release Numbering Convention (answer)
12.4(21 a)
Train Number
12.4
Maintenance Identifier
Mainline Train Rebuild Identifier
12.4(20) T 1
Train Number
Maintenance Identifier
12.4T
Train Identifier
T Train Rebuild Identifier
Three premium packages:

Advanced Enterprise Services: Full Cisco IOS software features
Enterprise Services: Enterprise base and service provider services
Advanced IP Services: Advanced security, service provider services, and support for IPv6
How does the Cisco IOS 15.0 release model differ from the mainline and T trains of 12.4?
Instead of diverging into separate trains, Cisco IOS Software 15 mainline and T will have
extended maintenance release (EM release) and standard maintenance release (T release). With
the new IOS release model, Cisco IOS 15 mainline releases are referred to as M trains. New
releases for the T trains are available two to three times a year. EM releases are available every
16 to 20 months.

In Figure 9-2, indicate whether the release is a mainline train or a technology train. Then fill in
the blanks for each part of the IOS 15 software release numbering scheme.
Figure 9-2 The IOS 15 Software Release Numbering Convention
15.0 (1) M1
15.0M
15.1 (1) T1
15.0T
Figure 9-2a The IOS 15 Software Release Numbering Convention (answer)
New Feature Release Number
15.0 (1) M1
15.0M Major Release Number

Minor Release Number
M = Extended Maintenance Release
EM Release Maintenance Rebuild Number
New Feature Release Number

15.1 (1) T1
15.0T Major Release Number

Minor Release Number
T = Standard Maintenance Release
T Release Maintenance Rebuild Number
Briefly explain how Services on Demand for Cisco Integrated Services Routers Generation Two
(ISR G2) works.
With the Services on Demand model, all features are included in one universal image shipped
with all ISR G2s. The network administrator then activates feature sets using licensing keys.
The IP base feature set is installed by default.
What is the key difference between universalk9 and universalk9_npe IOS images?
The universalk9_npe software image is provided for customers in those countries with import
requirements disallowing routers with strong cryptography functionality. The npe extension to
the image name stands for no payload encryption.
Decode the IOS 12 image name in Table 9-1. The first one is done for you.

Table 9-1 Decoding IOS 12 Image Names

IOS Images Hardware Feature Train Maintenance Train Rebuild
Set Number Release Identifier Identifier
c1841-ipbasek9-mz.124-12.bin 1841 Ipbasek9 12.4 12 M
c1841-advipservicesk9-mz.124-10b. 1841 Advanced 12.4 10 M b
bin services
c3725-entbase-mz.124-6.T.bin 3725 Enterprise 12.4 6 T
base
Decode the IOS 15 image name in Table 9-2. The first one is done for you.
Table 9-2 Decoding IOS 15 Image Names

IOS Images Hardware Feature Major Minor New Feature Maintenance Maintenance
Set Release Release Release Release Rebuild
c1900-universalk9-mz. 1900 Universal 15 3 2 T
SPA.153-2.T.bin
c2900-universalk9-mz. 2900 Universal 15 3 3 M
SPA.153-3.M.bin
c1841-advipservicesk9- 1841 Advanced 15 1 4 M 6
mz.151-4.M6.bin services
Backing Up Cisco IOS Images

To back up an IOS image to a TFTP server, complete the following steps:
Step 1. Ping the TFTP server to test connectivity.
Step 2. Verify the TFTP server has enough memory to accept the image file. Use the show flash
command to determine the size of the image.
Step 3. Copy the image to the TFTP server using the copy source-url destination-url
command.
In Figure 9-3, you are copying the image c1900-universalk9-mz.SPA.152-4.M1.bin from RTA to the
TFTP server at 10.10.10.10. Record the commands, including the router prompt, to complete this
task.
Figure 9-3 Backing Up an IOS to a TFTP Server
RTA
TFTP Server
10.10.10.10
RTA# ping 10.10.10.10

!!!!!

RTA# show flash

-#- --length-- -----date/time------ path
1 67998028 Nov 30 1983 00:00:00 +00:00 c1900-universalk9-mz.SPA.152-4.M1.bin
188608512 bytes available (68001792 bytes used)

RTA# copy flash tftp
Source filename []? c1900-universalk9-mz.SPA.152-4.M1.bin
Address or name of remote host []? 10.10.10.10
Destination filename [c1900-universalk9-mz.SPA.152-4.M1.bin]? <enter>
!!!!!!!!!!!!!!!!!!!!!!!!!
<output omitted>
67998028 bytes copied in 107.928 secs (630031 bytes/sec)
RTA#
Packet Tracer
Packet Tracer - Using a TFTP Server to Upgrade a Cisco IOS Image (SN 9.1.2.5/RP
Activity 10.1.2.5)
Video
Video Demonstration - Managing Cisco IOS Images (SN 9.1.2.6/RP 10.1.2.6)
Demonstration
IOS Licensing
Before Cisco IOS Software Release 15.0, your router came with the IOS already installed for
the features you desired. If you wanted to upgrade the feature set, you had to order, download,
and install a new version. That all changed with 15.0. Each device ships with the same universal
image. You enable the features you need through the use of licensing keys.
Software Licensing
The feature sets that you enable with licensing keys are called technology packages. What are
the four technology packages available?
IP Base
Data
Unified Communications (UC)
Security (SEC)
On which Cisco ISR G2 platforms can these licenses be used?
Cisco 1900, 2900, and 3900 series routers
What command enables you to view the licenses currently supported on the router?
Router# show license feature
What are the three major steps to activate a new software package or feature on the router?
Step 1. Purchase the software package or feature to be installed.
Step 2. Obtain a Software Activation License file from Cisco.
Step 3. Install the license file.

What two things are needed to obtain a license?

The product activation key (PAK) and a unique device identifier (UDI)
How is the UDI constructed?
The UDI is a combination of the product ID (PID), the serial number (SN), and the hardware
version
What command displays the UDI?
Router# show license udi
What command installs the license?

Router# license install stored-location-url
License Verification and Management

After installing a license, you must reboot the router before the technology package is active
and ready to use.
What two commands are used in Example 9-1 to verify the licenses installed?
Example 9-1 Verifying License Installation

Router# show version | begin License Info:
License Info:
License UDI:
-------------------------------------------------
Device# PID SN
-------------------------------------------------
*0 CISCO1941/K9 FTX163283RZ
Technology Package License Information for Module:'c1900'
-----------------------------------------------------------------
Technology Technology-package Technology-package
Current Type Next reboot
------------------------------------------------------------------
ipbase ipbasek9 Permanent ipbasek9
security securityk9 EvalRightToUse securityk9
data None None None
Configuration register is 0x2102

Router# show license

Index 1 Feature: ipbasek9
Period left: Life time
License Type: Permanent
License State: Active, In Use
License Count: Non-Counted
License Priority: Medium
Index 2 Feature: securityk9
Period left: 8 weeks 1 day
Period Used: 2 days 0 hour
License Type: EvalRightToUse
License State: Active, In Use
License Priority: Low
Index 3 Feature: datak9
Period left: Not Activated
Period Used: 0 minute 0 second
License Type: EvalRightToUse
License State: Not in Use, EULA not accepted
License Priority: None
<output omitted>
In Example 9-1, the datak9 technology package is not in use. Record the commands, including
the router prompt, to accept the EULA and activate the datak9 package.
Router(config)# license accept end user agreement
Router(config)# license boot module c1900 technology-package securityk9
What message do you receive when activate a package?

% use 'write' command to make license boot config take effect on next boot
To back up your license files, save them to flash. Record the command, including the router
prompt, to save the license files to flash.
Router(config)# license save flash0:R1_license_files
Complete the following steps to uninstall a license:

Step 1. Disable the technology package. Record the command, including the router prompt,
to disable the datak9 technology package.
Router(config)# license boot module c1900 technology-package datak9 disable
Step 2. After reloading the router, clear the license from storage. Record the commands,
including the router prompt, to clear the datak9 technology package.
Router# license clear datak9
Router# configure terminal
Router(config)# no license boot module c1900 technology-package datak9
disable

Packet Tracer
Packet Tracer - EIGRP Capstone (SN 9.3.1.2/RP 10.3.1.2)
Activity
Packet Tracer - OSPF Capstone (SN 9.3.1.3/RP 10.3.1.3)
Video
Video Demonstration - Working with IOS 15 Image Licenses (SN 9.2.2.5/RP 10.2.2.5)
Demonstration

CHAPTER 10
Part of your job as a network administrator is understanding how to build networks that are flexible,
resilient, and manageable. Even if your direct responsibilities do not include actually designing the net-
work, you still need a firm grasp of the benefits incurred from using a systematic design approach.

Hierarchical Network Design Overview

Networks come in all sizes. The size of the network is directly proportional to the complexity
of the design. However, structured engineering principles can help guide the designer in for-
mulating a plan even for the most complex networks.
Enterprise Network Campus Design

What are the three main categories of network sizes and how are they distinguished?
Small network for up to 200 devices
Medium-sized network for 200 to 1000 devices
Large network for 1000+ devices
In Table 10-1, indicate the structured engineering principle that is best described by the char-
acteristic.
Table 10-1 Structured Engineering Principles

Characteristic Hierarchy Modularity Resiliency Flexibility
Is available to users regardless of the X
current conditions
High-level tool for designing a reliable X
network
Can be easily modified X
Examples include the data center and the X
Internet edge

Briefly describe the three layers of the hierarchical network design.
Access layer: Provides workgroup/user access to the network
Distribution layer: Provides policy-based connectivity and controls the boundary
between the access and core layers
Core layer: Provides fast transport between distribution switches within the enterprise
campus
In Table 10-2, indicate the layer that is best described by the function
Table 10-2 Hierarchical Network Layer Functions

Layer Function Access Distribution Core
Highest speed switching of the three layers X
Policy-based security X
Port security X
Redundancy and load balancing X
Broadcast domain control X
Spanning tree X

Chapter 10: Hierarchical Network Design 139
Layer Function Access Distribution Core

Layer 2 switching X
Avoid CPU-intensive packet manipulation X
Aggregates traffic from distribution devices X
Aggregating LAN and WAN links X
Briefly explain the concept of a collapsed core.

Small networks and many medium-sized networks are not large enough to justify the expense
and complexity of different devices at each of the three layers. A collapsed core design incor-
porates the distribution and core layer functions in one device. This reduces the costs of the
design while still maintaining the benefits of a hierarchical design.
Cisco Enterprise Architecture

Hierarchical network design is fine for campus network implementations. But the networks for
many organizations span larger areas than just a campus to include teleworkers, branch sites,
and data centers. These networks call for design approach where functions can be separated
into modules.
Modular Network Design

Briefly describe three benefits for using a modular approach to network design.
Failures that occur within a module can be isolated from the remainder of the network.
Network changes, upgrades, or the introduction of new services can be made in a controlled
and staged fashion.
When a specific module no longer has sufficient capacity or is missing a new function or ser-
vice, it can be updated or replaced by another module.
Security can be implemented on a modular basis.
In Table 10-3, indicate which module is described by the feature.
Table 10-3 Features of Modules in the Enterprise Architecture

Module Feature Access- Services Data Enterprise
Distribution Center Edge
Provides resources necessary to employees X
so that they can effectively create, collabo-
rate, and interact
Could include wireless controls, policy gate- X
ways, and unified communications services
Fundamental component of a campus design X
Consists of the Internet Edge and WAN Edge X
Provide connectivity outside the enterprise X
Originally called the server farm X

In Figure 10-1, label the modules of the Enterprise Architecture.
Figure 10-1 Identify Modules of the Enterprise Architecture
Services Block
Data Center
MetroE HDLC
Figure 10-1a Identify Modules of the Enterprise Architecture (answer)
Access
Distribution
Services Block Internet

Edge
Core
Data Center
WAN Edge
MetroE HDLC
Cisco Enterprise Architecture Model

What are the three primary modules of the Cisco Enterprise Architecture model?
Enterprise Campus
Enterprise Edge
Service Provider Edge

Which module provides connectivity to the data center, branches, and teleworkers?
Service Provider Edge
What are the submodules of the Enterprise Campus module?
Building Access
Building Distribution
Campus Core
Data Center
What are the submodules of the Enterprise Edge module?
E-Commerce
Internet Connectivity
Remote Access and VPN
WAN Site-to-Site VPN
What is the main purpose of the Service Provider Edge module?
The Service Provider Edge module provides connectivity between the Enterprise Edge module
and submodules of the Remote module (Branch Locations, Teleworkers, Data Center).
In Table 10-4, indicate the service provider solution described.
Table 10-4 Service Provider Designs

Service Provider Connectivity Solution Single- Dual- Multihomed Dual-
Homed Homed Multihomed
Connections to 2 or more ISPs X
A single connection to 1 ISP X
Multiple connections to 2 or more ISPs X
2 or more connections to 1 ISP X
What are the submodules of the remote module?

Enterprise Branch
Enterprise Teleworker
Enterprise Data Center
In Table 10-5, indicate which module is best described by the function.
Table 10-5 Cisco Enterprise Architecture Model Functions

Cisco Enterprise Architecture Enterprise Enterprise Service Remote
Feature Campus Edge Provider Edge
Aggregates connectivity from vari- X
ous functional areas.
Allows employees to work at non- X
campus locations.
Provides cost-effective access X
across large geographic areas.

Cisco Enterprise Architecture Enterprise Enterprise Service Remote

Feature Campus Edge Provider Edge
Could use high-end Cisco Catalyst X
switches or just a ISR G2, depend-
ing on size of location.
Authenticates remote users and X
branch sites.
Incorporates the enterprise WAN X
links.
Uses multicast traffic and QoS to X
optimize network traffic.
Connects users with campus, server X
farm, and enterprise edge.
Mobile users connect using a local X
ISP.
High availability through resilient X
hierarchical network design.
Converges voice, video, and data X
across a single IP communications
network.
Offsite data center to provide disas- X
ter recovery and business continu-
ance services.
Devices located here include fire- X
wall and firewall routers, and net-
work intrusion prevention systems.
Routes traffic into the Campus Core X
submodule.
Access management with VLANs X
and IPsec.
Supports security over Layer 2 and X
Layer 3 WANs.
Provides internal users with secure X
connectivity to Internet services.
In Figure 10-2, label the modules and submodules of the Cisco Enterprise Architecture model.

Figure 10-2 Cisco Enterprise Architecture Model
E-Commerce

ISP A
ISP B Enterprise
Teleworker
PSTN
WAN Site-to-site VPN
Frame Relay,
ATM, MAN, ...
Network
Management
Figure 10-2a Cisco Enterprise Architecture Model (answer)

Provider Edge
Building Access Enterprise

E-Commerce Branch
ISP A
Internet
Connectivity
ISP B Enterprise
Teleworker
Campus Core
Remote Access and

VPN
PSTN
Server Farm and Data Enterprise

Center Data Center
WAN Site-to-site VPN
Frame Relay,
ATM, MAN, ...
Network
Management

Evolving Network Architectures

Network architectures need to rapidly evolve to meet the needs of users. Traditionally, employ-
ees and students alike used devices provided by the organization. However, you more than
likely currently use some type of mobile device to conduct some of your business or school
work. Todays enterprise networks should seamlessly provide services to users of all modes of
access.
Cisco Enterprise Architectures

What are the top trends that are impacting networks?
Bring your own device (BYOD)
Online collaboration
Video communication
Cloud computing
What network architectures has Cisco introduced to address these trends?
Cisco Borderless Network Architecture
Collaboration Architecture
Data Center/Virtualization Architecture
Emerging Network Architectures

What are the two primary sets of services provided by the Cisco Borderless Network
Architecture?
Borderless end-point/user services
Borderless network services
What are the three layers of the Cisco Collaboration Architecture?
Application and Devices
Collaboration Services
Network and Computer Infrastructure
What are the three components of the Cisco Data Center/Virtualization Architecture?
Cisco Unified Management Solutions
Unified Fabric Solutions
Unified Computing Solutions
In Table 10-6, indicate the emerging network architecture described by the feature or service.

Table 10-6 Emerging Network Architectures

Emerging Network Architecture Functions and Cisco Cisco Cisco Data
Services Borderless Collaboration Center/
Networks Architecture Virtualization
Architecture
Comprehensive set of technologies that bring X
together the network, computing, and storage
platforms.
Applications include WebEx Meeting, WebEx X
Social, Cisco Jabber, and TelePresence.
Any device must be able to connect securely, X
reliably, and seamlessly from anywhere.
Portfolio of products, applications, and soft- X
ware development kits that provide a compre-
hensive solution to allow people to cooperate
and contribute to the production of something.
Unified approach to deliver application services X
to users in a highly distributed environment.
Network infrastructure and services are united X
via Cisco unified system services options.
Packet Tracer
Packet Tracer - Skills Integration Challenge - OSPF (CN 1.4.1.2)
Challenge
Packet Tracer - Skills Integration Challenge - EIGRP (CN 1.4.1.3)

CHAPTER 11
Connecting to the WAN
Wide-area networks (WANs) are used to connect remote LANs together. Various technologies are used
to achieve this connection. This chapter reviews WAN technologies and the many WAN services avail-
able.

WAN Technologies Overview

WAN access options differ in technology, speed, and price. Each has advantages and disadvan-
tages. Selecting the best technology depends largely on the network design.
Network Types and Their Evolving WAN Needs

The WAN needs of a network depend greatly on the size of the network. These network types
run the spectrum from small offices that really only need a broadband connection to the
Internet all the way up to multinational enterprises that need a variety of WAN options to sat-
isfy local, regional, and global restrictions.
In Table 11-1, indicate the network type that fits each of the descriptions. Some descriptions
may apply to more than one network type.
Table 11-1 Identify the Network Type

Network Description Small Office Campus Branch Distributed
Network Network Network Network
Outsourced IT support X
Very large sized busi- X
ness
Connectivity to the X
Internet
Converged network and X
application services
Hundreds of employees X X
Home, branch, and X
regional offices, tele-
workers, and a central
office
Limited number of X
employees
In-house IT staff and X X X
network support
Thousands of X
employees
Several remote, branch, X
and regional offices
(one central office)
Small-sized business X
LAN focus of opera- X
tions with broadband
Small to medium-sized X
business
Multiple campus LANs X
Medium-sized business X

Chapter 11: Connecting to the WAN 149
WAN Operations and Terminology

WANs operate at which layers of the OSI model?
Data link (Layer 2) and physical (Layer 1)
Which organizations are responsible for WAN standards?
Telecommunication Industry Association and the Electronic Industries Alliance (TIA/EIA)
International Organization for Standardization (ISO)
Institute of Electrical and Electronics Engineers (IEEE)
What are some of the Layer 2 WAN technologies?
Frame Relay, Point-to-Point Protocol (PPP), MetroEthernet, VSAT, MPLS, Broadband
Why is the Layer 2 address field not usually used in WAN services?
WAN links are normally point to point. Therefore, there is no need for a data link layer address.

Match the definition on the left with a term on the right. This exercise is a one-to-one matching.
Definitions Terms
a. The boundary between customer equipment g. Packet-switched network
and service provider equipment n. WAN switch
b. Devices inside the enterprise edge wiring b. Customer premises equipment (CPE)
closet that are owned or leased by the organi-
h. Central office (CO)
zation
o. Dialup modem
c. Provider equipment that resides in the WAN
p. Access server
backbone capable of supporting routing pro-
tocols f. Data communications equipment (DCE)
d. Digital modem used by DSL or cable Internet l. Router
service providers m. Data terminal equipment (DTE)
e. Dynamically establishes a dedicated circuit i. Local loop
before communication starts j. CSU/DSU
f. Provides an interface to connect subscribers to e. Circuit-switched network
a WAN link
a. Demarcation point
g. Splits traffic so that it can be routed over the
d. Broadband modem
shared network
k. Toll network
h. Local service provider facility that connects
the CPE to the provider network c. Core multilayer switch
i. Physical connection between the CPE to the

CO
j. Required by digital leased lines to provide ter-
mination of the digital signal and convert into
frames ready for transmission on the LAN
k. Consists of the all-digital, long-haul commu-
nications lines, switches, routers, and other
equipment in the provider network
l. Customer device that provides internetwork-
ing and WAN access interface ports
m. Customer device that transmits data over the
WAN link
n. Multiport device that sits at the service pro-
vider edge to switch traffic
o. Legacy technology device that converts digital
signals into analog signals transmitted over
telephone lines
p. Legacy technology device that can support
hundreds of dial-in and dial-out users

Selecting a WAN Technology

The WAN access connections your small to medium-sized business purchases could use a public
or private WAN infrastructureor a mix of both. Each type provides various WAN technolo-
gies. Understanding which WAN access connections and technologies are best suited to your
situation is an important part of network design.
Varieties of WAN Link Connections

Your ISP can recommend several WAN link connection options that based on your specific
requirements. These options can be classified in various categories. Use the list of WAN access
options to label Figure 11-1.
Figure 11-1 WAN Access Options

WAN
Public
Dedicated Internet

Figure 11-1 WAN Access Options (answer)
WAN
Private Public
Dedicated Switched Internet
Leased Circuit- Packet- Broadband

Lines Switched Switched VPN
T1/E1 PSTN Metro Ethernet DSL

T3/E3 ISDN MPLS Cable
Frame Relay Wireless
ATM
Labels
T1/E1/T3/E3 ATM Switched

Frame Relay Circuit switched Packet switched
Metro Ethernet Cable Wireless
MPLS PSTN DSL
VPN Private Broadband
ISDN Leased lines
Private and Public WAN Access Options

As shown in Figure 11-1, WAN access options can first be classified as either private or public.
Table 11-2 lists descriptions for various private WAN access options. Indicate which one is
described. Some options are described more than once.
Table 11-2 Private WAN Access Options

Private WAN Access Options Leased MPLS Ethernet ATM ISDN VSAT Dialup Frame
Lines WAN Relay
Considered the most expensive X
of all WAN access technologies.
Analog telephone lines are used X
to provide a switched WAN con-
nection.
A permanent, dedicated WAN X
connection which uses a T- or
E-carrier system.

Private WAN Access Options Leased MPLS Ethernet ATM ISDN VSAT Dialup Frame
Lines WAN Relay
Satellite to router communica- X
tions for WAN connections.
Delivers data using fixed 53-byte X
packet cells over permanent and
switched virtual circuits.
Service providers and short-path X
labeling are used for leased lines,
Ethernet WANs, and Frame
Relay WANs.
Connects multiple sites using X
virtual circuits and data-link con-
nection identifiers.
Includes MetroE, EoMPLS, X
and VPLS as WAN connection
options.
Converts analog to digital signals X
to provide a switched WAN con-
nection over telephone lines.
A popular replacement for tra- X
ditional Frame Relay and ATM
WAN access technologies.

Match the definition on the left with a public WAN access option on the right. This exercise is a one-to-one
matching.
Definitions Public WAN Access Options
a. Radio and directional-antenna modem WAN d. 3G/4G Cellular

access option provided to public organizations f. VPN Remote
b. WAN access option that uses telephone lines c. WiMax
to transport data via multiplexed links e. Satellite Internet
c. High-speed long-distance wireless connections b. DSL
through nearby special service provider towers
h. Cable
d. Cellular radio waves WAN access option used
a. Municipal WiFi
with smartphones and tablets
g. VPN site-to-site
e. Dish and modem-based WAN access option
for rural users where cable and DSL are not
available
f. Secure Internet-based WAN access option
used by teleworkers and extranet users
g. Entire networks connected together by using
VPN routers, firewalls, and security appliances
h. A shared WAN access option that transports
data using television-signal networks
Lab - Researching WAN Technologies (CN 2.2.4.3)

CHAPTER 12
Point-to-Point Connections
Point-to-point connections are the most common type of WAN connections. These connections are
also called serial or leased lines. This chapter reviews the terms, technology, and protocols used in
serial connections.

Serial Point-to-Point Overview

Understanding how point-to-point serial communication across a leased line works is impor-
tant to an overall understanding of how WANs function.
Serial Communications
Briefly explain the difference between serial and parallel communications.
In serial communications, the data is sent 1 bit at a time down one link. In parallel communica-
tions, bits are transmitted simultaneously over multiple links.
What is clock skew issue in parallel communications?
Clock skew is when the bits do not arrive at the same time causing synchronization issues.

Chapter 12: Point-to-Point Connections 157
Match the serial communications definition on the left with a term on the right. This is a one-to-one matching
exercise.
Definitions Terms
a. Cable that allows two WAN end devices to be h. Physical
directly connected together k. DCE
b. Signals sent sequentially 1 bit after another f. Demarc
c. A networking device that converts signals into n. CPE
an ISP WAN circuit format
i. ISDN
d. Universal ports that have replaced both
l. DTE
RS-232 and parallel ports on newer PCs
j. Variable
e. A WAN connection that interconnects two
LANs directly m. Parallel
f. The point at the customer site where the ISP c. CSU/DSU

network ends d. USB
g. A technique that reassembles multiple data e. Leased line
transmissions a. Null modem
h. The OSI layer where time-division multiplex- b. Serial
ing (TDM) operates g. Bit interleaving
i. A WAN technology that uses TDM
j. The way that STDM divides bandwidth into
multiple slots for data transmission
k. Provides a clocking signal for the WAN circuit
l. LAN/WAN routers at the customer location
m. Transmission signals split between multiple
wires concurrently
n. The network equipment connected to the
WAN circuit at the customer location

WAN Protocols
Just like LANs, data is encapsulated into frames before transmission onto a WAN link. Various
encapsulation protocols can be used to achieve the framing. In Table 12-1, indicate which pro-
tocol best fits the description.
Table 12-1 WAN Encapsulation Protocols

WAN Protocol Description HDLC PPP SLIP X.25/LAPB Frame Relay ATM
Provides connections over synchro- X
nous and asynchronous circuits
International standard for cell relay X
Predecessor to Frame Relay X
Default encapsulation on a serial X
link between two Cisco devices
Eliminates the need for error correc- X
tion and flow control
Forms the basis for synchronous X
PPP
Built-in security with PAP and X
CHAP
Transfers data 53 bytes at a time so X
that processing can occur in hard-
ware
Next-generation protocol after X.25 X
Largely replaced by PPP X
An ITU-T standard that defines con- X
nections between a DTE and DCE
HDLC Encapsulation
What is the major difference between the ISO 13239 HDLC standard and Ciscos implementa-
tion of HDLC?
Ciscos implementation of HDLC uses a Protocol field to support multiple protocols.
In Figure 12-1, label the fields of Cisco HDLC frame.
Figure 12-1 Cisco HDLC Frame Format
Figure 12-1a Cisco HDLC Frame Format (answer)
Flag Address Control Protocol Data FCS Flag

List the three different formats of the Control field.

Information (I) Frame
Supervisory (S) Frame
Unnumbered (U) Frame
HDLC Configuration and Troubleshooting

Although High-Level Data Link Control (HDLC) is the default encapsulation on Cisco synchro-
nous serial lines, you may need to change the encapsulation back to HDLC. Record the com-
mands, including the router prompt, to change the first serial interface on a 1900 series router
to HDLC.
R1# configure terminal

R1(config)# interface serial 0/0/0
R1(config-if)# encapsulation hdlc
Troubleshooting Serial Interfaces

Troubleshooting the cause of a serial interface issue usually begins by entering the show inter-
face serial command. This command can return one of six possible statuses for the line. In
Table 12-2, indicate what status would display for each of the conditions of the serial interface.
Some statuses are used more than once.
Table 12-2 Line Conditions and Status Indicators

Condition of the Serial Serial Serial X Serial Serial X Is Serial X Is Serial X Is
Interface X Is Up, Is Down, X Is Up, Up, Line Up, Line Administratively
Line Line Line Protocol Protocol Down, Line
Protocol Protocol Protocol Is Up Is Down Protocol Is
Is Up Is Down Is Down (Looped) (Disabled) Down
A high error rate has X
occurred due to a WAN
service provider problem.
Keepalives are not being X
sent by the remote router.
The router configuration X
includes the shutdown
interface configuration
command.
Cabling is faulty or incorrect. X
The clockrate command X
is not configured on the
interface.
This is the proper status X
line condition.
The router is not sensing a X
carrier detect (CD) signal.
The same random sequence X
number in the keepalive is
returned over the link.

What command will show whether a DTE or DCE cable is attached to the interface?
show controllers
Packet Tracer
Packet Tracer - Troubleshooting Serial Interfaces (CN 3.1.2.7)
Activity
PPP Operation
PPP encapsulation has been carefully designed to retain compatibility with most commonly
used supporting hardware. PPP encapsulates data frames for transmission over Layer 2 physi-
cal links.
PPP Components
Briefly described the three main components of PPP.
HDLC-like framing for transporting multiprotocol packets over point-to-point links
Link Control Protocol (LCP) for establishing, configuring, and testing the data-link
connection
Network Control Protocols (NCPs) for establishing and configuring different network
layer protocols
In Figure 12-2, fill in the missing parts of the PPP layered architecture.
Figure 12-2 PPP Layered Architecture
IPv4 IPv6
IPCP IPv6CP
Network Layer
PPP
Data Link Layer
Physical Layer
Figure 12-2a PPP Layered Architecture (answer)
IPv4 IPv6
IPCP IPv6CP
Network Layer
Network Control Protocol (NCP)
PPP
Authentication, Other Options
Data Link Layer
Link Control Protocol (LCP)
Synchronous or Asynchronous
Physical Layer
Physical Media

List the type of physical interfaces supported by PPP.

Asynchronous serial
Synchronous serial
HSSI
ISDN
What automatic configurations does the Link Control Protocol (LCP) provide at each end of
the link?
Handling varying limits on packet size
Detecting common misconfiguration errors
Terminating the link
Determining when a link is functioning properly or when it is failing
Briefly describe how PPP uses Network Control Protocol (NCP).
PPP uses NCPs to negotiate the Layer 3 protocols that will be used to carry data packets. They
provide functional fields containing standardized codes to indicate the network layer protocol
type that PPP encapsulates.
In Table 12-3, indicate whether each characteristic describes LCP or NCP.
Table 12-3 LCP and NCP Characteristics

Characteristic LCP NCP
Can configure authentication, compression, and error detection X
Bring network layer protocols up and down X
Encapsulate and negotiate options for IPv4 and IPv6 X
Negotiate and set up control options on the WAN circuit X
Handles limits on packet size X
Establish, configure, and test the data link connection X
Uses standardized codes to indicate the network layer protocol X
Determine if link is functioning properly X
Terminate the link X
Manage packets from several network layer protocols X
Figure 12-3 shows the PPP frame format. Answer the following questions about the specific
features and purpose of each field.
Figure 12-3 PPP Frame Format
Field Length, in Bytes
1 1 1 2 Variable 2 or 4 1
Flag Address Control Protocol Data FCS Flag

What is the bit pattern for the Flag field?

01111110
Why is the Address field all 1s or 0xFF?
On a point-to-point link, the destination node does not need to be addressed.
What is the purpose of the Control field?
The Control field calls for transmission of user data in an unsequenced frame, providing a
connectionless link that does not require data links to be established.
What is the purpose of the Protocol field?
The Protocol field uses a 2-byte value to identify what network layer protocol is encapsulated
in the data.
What is the default size of the information stored in the Data field?
1500 bytes
What does FCS stand for and what is the purpose of this field?
The Frame Check Sequence field is used by the receiver to test the integrity of the frame
received. If the FCS calculated by the receiver doesnt match, the frame is silently discarded.
PPP Sessions
What are the three phase for establishing a PPP session?
Phase 1: Link establishment and configuration negotiation
Phase 2: Link quality determination (optional)
Phase 3: Network layer protocol configuration negotiation
Figure 12-4 shows a partially labeled flowchart for the LCP link negotiation process. Complete
the flowchart by properly labeling it with the provided steps.
Figure 12-4 Steps in the LCP Link Negotiation Process
Sends Yes
All options
Configure-
acceptable?
Request
No
Yes Yes
All options Authentication
recognized? option?
No No
Determine new
Link is
negotiation
established
parameters

Figure 12-4a Steps in the LCP Link Negotiation Process (answer)
Sends Process Yes

All options Send Receive
Configure- Configure-
acceptable? Configure-Ack Configure-Ack
Request Request
No
Yes Yes
Send All options Authentication Authentication
Configure-Nak recognized? Phase option?
No No
Determine new Send

Link is
negotiation Configure-
established
parameters Reject
Missing Labels for Figure 12-4

Send Configure-Reject
Receive Configure-Ack
Process Configure-Request
Send Configure-Ack
Authentication Phase
Send Configure-Nak
PPP can be configured to support optional functions, including the following:
Authentication using either PAP or CHAP
Compression using either Stacker or Predictor
Multilink that combines two or more channels to increase the WAN bandwidth
After the link is established, the LCP passes control to the appropriate NCP. Figure 12-5 shows
the NCP process for IPv4. Complete the figure by properly labeling it with the provided phas-
es and steps.
Missing Labels for Figure 12-5
IPv4 Data Transfer
NCP Termination
IPCP Configure-Request
IPCP Configure-Ack
IPCP Terminate-Request
LCP Maintenance
IPCP Terminate-Ack
NCP Configuration

Figure 12-5 The NCP Process
LCP Configuration
IPv4 DATA
Exchange
LCP Termination
Figure 12-5a The NCP Process (answer)
LCP Configuration
IPCP Configure-Request
NCP Configuration IPCP Configure-Ack
IPv4 Data Transfer

IPv4 DATA
and
Exchange
LCP Maintenance
IPCP Terminate-Request
NCP Termination IPCP Terminate-Ack
LCP Termination

Configure PPP
PPP is a robust WAN protocol supporting multiple physical layer and network layer implemen-
tations. In addition, PPP has many optional features the network administrator can choose to
implement.
Basic PPP Configuration with Options

Figure 12-6 shows the topology and Table 12-4 shows the addressing we will use for PPP con-
figuration.
Figure 12-6 PPP Topology
S0/0/0
S0/0/0
RTA .2
.1 RTB
172.16.1.0/30
2001:DB8:1:F::/64
Table 12-4 Addressing Table for PPP

Device Interface IPv4 Address Subnet Mask
IPv6 Address/Prefix
RTA S0/0/0 172.16.1.1 255.255.255.252
2001:DB8:1:F::1/64
RTB S0/0/0 172.16.1.2 255.255.255.252
2001:DB8:1:F::2/64
Assume that the router interfaces are already configured with IPv4 and IPv6 addressing. RTB
is fully configured with PPP. Record the commands, including the router prompt, to configure
RTA with a basic PPP configuration.
RTA# configure terminal

RTA(config)# interface serial 0/0/0
RTA(config-if)# encapsulation ppp
RTB is configured for software compression using the Stacker compression algorithm. What
happens if RTA is not configured with compression?
During the LCP negotiation phase, RTA and RTB will negotiate to not use compression.
Record the command, including the router prompt, to configure the same compression on RTA.
RTA(config-if)# compress stac
RTB is configured to take down the link if the quality falls below 70 percent. Record the com-
mand, including the router prompt, to configure the equivalent on RTA.
RTA(config-if)# ppp quality 70
In Figure 12-7, RTA and RTB are now using two serial links to transfer data. RTB is already con-
figured with PPP multilink to load balance the traffic to RTA. Record the commands, including
the router prompt, to configure the RTA multilink interface including IPv4 and IPv6 addressing
and the necessary commands for the serial interfaces. Use the addressing in Table 12-4 for the
multilink interface rather than Serial 0/0/0.

Figure 12-7 PPP Multilink Topology
S0/0/0
S0/0/0
RTA S0/0/1 RTB

S0/0/1
172.16.1.0/30
2001:DB8:1:F::/64
RTA(config)# interface multilink 1

RTA(config-if)# ip address 172.16.1.1 255.255.255.252
RTA(config-if)# ipv6 address 2001:db8:1:f::1/64
RTA(config-if)# ppp multilink
RTA(config-if)# ppp multilink group 1
RTA(config-if)# interface serial 0/0/0
RTA(config-if)# no ip address
RTA(config-if)# no ipv6 address
RTA(config-if)# interface serial 0/0/1
RTA(config-if)# no ipv6 address
You can verify the operation of PPP using the following show commands. Record the com-
mands used to generate the output on RTA.
RTA# show interface serial 0/0/0

Hardware is WIC MBRD Serial
Internet address is 172.16.1.1/30
Encapsulation PPP, LCP Open
Open: IPCP, IPV6CP, CCP, CDPCP, loopback not set
Keepalive set (10 sec)
<output omitted>
RTA# show ppp multilink
Multilink1
Bundle name: RTA
Remote Endpoint Discriminator: [1] RTB
Local Endpoint Discriminator: [1] RTA

Bundle up for 00:01:20, total bandwidth 3088, load 1/255

Receive buffer limit 24000 bytes, frag timeout 1000 ms
0/0 fragments/bytes in reassembly list
0 lost fragments, 0 reordered
0/0 discarded fragments/bytes, 0 lost received
0x2 received sequence, 0x2 sent sequence
Member links: 2 active, 0 inactive (max 255, min not set)
Se0/0/0, since 00:01:20
Se0/0/1, since 00:01:06
No inactive multilink interfaces
PPP Authentication
Briefly explain the difference between PAP and CHAP.
PAP uses a two-way process to authenticate with unencrypted plain-text passwords. CHAP
uses a three-way process with an encrypted hash value generated by the MD5 algorithm. The
password is never sent.
PAP is not interactive. When you configure an interface with the ppp authentication pap com-
mand, the username and password are sent as one LCP data package. You are not prompted
for a username. The receiving node checks the username and password combination and either
accepts or rejects the connection.
List three situations where PAP would be the appropriate choice for authentication.
A large installed base of client applications that do not support CHAP
Incompatibilities between different vendor implementations of CHAP
Situations where a plain-text password must be available to simulate a login at the
remote host
Once PAP authentication is established, the link is vulnerable to attack. Why?
PAP does not reauthenticate. So, a hacker can piggyback on an open connection.
CHAP challenges periodically to make sure that the remote node still has a valid password.
Complete the missing information in the following steps as RTA authenticates with RTB using
CHAP.
Step 1. RTA initially negotiates the link connection using LCP with router RTB, and the two
systems agree to use CHAP authentication during the PPP LCP negotiation.
Step 2. RTB generates an ID and a random number, and sends that and its username as a
CHAP challenge packet to RTA.
Step 3. RTA uses the username of the challenger (RTB) and cross references it with its local
database to find its associated password. RTA then generates a unique MD5 hash
number using the RTBs username, ID, random number, and the shared secret pass-
word.
Step 4. RTA then sends the challenge ID, the hashed value, and its username (RTA) to RTB.

Step 5. RTB generates its own hash value using the ID, the shared secret password, and the
random number it originally sent to RTA.
Step 6. RTB compares its hash value with the hash value sent by RTA. If the values are the
same, RTB sends a link established response to RTA.
When authentication is local (no AAA/TACACS+), what is the command syntax to configure
PPP authentication on an interface?
Router(config-if)# ppp authentication {chap | chap pap | pap chap | pap }
Assume that both PAP and CHAP are configured with the command ppp authentication chap
pap on the interface. Explain how authentication will proceed.
The first method specified, CHAP, will be requested during link negotiation. If the receiving
node is not configured for CHAP, the second method specified, PAP, will be used.
PAP Configuration
In Figure 12-6, RTB is already configured with PAP authentication with the password cisco123.
Record the commands to configure PAP on RTA.
RTA(config)# username RTB password cisco123

RTA(config)# interface s0/0/0
RTA(config-if)# ppp authentication pap
RTA(config-if)# ppp pap sent-username RTA password cisco123
CHAP Configuration
CHAP uses one less command than PAP. Now record the commands to remove PAP and con-
figure RTA to use CHAP authentication.

RTA(config-if)# no ppp authentication pap
RTA(config-if)# no ppp pap sent-username RTA password cisco123
RTA(config-if)# ppp authentication chap
Packet Tracer - Configuring PAP and CHAP Authentication (CN 3.3.2.7)
Lab - Configuring Basic PPP with Authentication (CN 3.3.2.8)
Troubleshoot WAN Connectivity

If you cannot ping across a PPP link and you have checked the physical and data link layer
issues reviewed in the Troubleshooting Serial Interfaces section earlier, the issue is probably
the PPP configuration. You can use the debug command to troubleshoot PPP issues using the
debug ppp {parameter} syntax. Based on the descriptions in Table 12-5, fill in the correspond-
ing parameter you would use with the debug ppp command.

Table 12-5 Parameters for the debug ppp Command

Parameter Usage
error Displays issues associated with PPP connection negotiation and operation
compression Displays information specific to the exchange of PPP connections using
MPPC
negotiation Displays PPP packets transmitted during PPP startup
packet Displays PPP packets being sent and received
authentication Displays authentication protocol messages
cbcp Displays protocol errors and statistics associated with PPP connection
negotiations using MSCB
Lab - Troubleshooting Basic PPP with Authentication (CN 3.4.1.5)
Packet Tracer
Packet Tracer - Troubleshooting PPP with Authentication (CN 3.4.1.4)
Activity
Packet Tracer - Skills Integration Challenge (CN 3.5.1.2)

CHAPTER 13
Frame Relay
Although newer services are rapidly replacing it in some locations, Frame Relay has been a popular
alternative to expensive dedicated leased lines. Frame Relay provides a cost-efficient solution for WAN
access between multiple sites. This chapter reviews Frame Relay technology, configuration, verification,
and troubleshooting.

Introduction to Frame Relay

Frame Relay is a high-performance WAN protocol that operates at the physical and data link layers of the OSI
reference model. Unlike leased lines, Frame Relay requires only a single access circuit to the Frame Relay pro-
vider to communicate with other sites connected to the same provider.
Frame Relay Concepts and Terminology

Match the definition on the left with a term on the right. Terms are only used once.
Definitions Terms
a. Bandwidth borrowing from other PVCs m. Access rate
when available n. ANSI
b. Read Frame Relay was popular when com- k. Black hole
pared to private leased lines
a. Bursting
c. A preconfigured logical path between two
f. CIR
endpoints and assigned a DLCI
b. Cost savings
d. A logical connection that is established
dynamically for the time needed p. DE
e. The equivalent of 24 DS0 channels h. Disable
f. Guaranteed bandwidth for a specific PVC l. DLCI
g. Downstream notification that there is conges- r. DTE

tion on a Frame Relay switch g. FECN
h. Manual configuration will do this to the auto- q. Inverse ARP
sensing of LMI-type feature on Cisco routers j. LMI
i. Holding frame in a buffer before sending c. PVC
j. Frame Relay extension that allows the DTE to i. Queuing
discover the list of available DLCIs configured
o. Status
on the access link
d. SVC
k. A PVC that no longer exists
e. T1
l. Used to identify each Frame Relay circuit
s. X.25
endpoint
m. Port bandwidth of the local loop
n. One of the three LMI types other than cisco
and q933a
o. LMI provides these updates about Frame
Relay connectivity
p. Identifies the frames to be dropped in times of
congestion
q. Process used by LMI to associate network
layer addresses to data link layer addresses
r. The end of the Frame Relay connection that
initiates requests about the status of its Frame
Relay links
s. Protocol replaced by Frame Relay

Chapter 13: Frame Relay 173
Frame Relay Operation

Frame Relay networks use permanent virtual circuits (PVCs), which uniquely define a logical
path between two endpoints. Frame Relay is a more cost-effective option than leased lines for
two reasons:
The cost of a leased line includes the cost of a full end-to-end dedicated connection. The cost
of Frame Relay includes only the cost to the local loop.
Frame Relay shares bandwidth with other customers across the same physical circuit.
The end of each PVC uses a number to identify it called the data link connection identifier
(DLCI). What does it mean to say that these numbers are locally significant?
Locally significant DLCIs means that only the local devices need to know this number. That
way, the DLCI number can be reused on other equipment throughout the network.
Frame Relay is statistically multiplexed, meaning that it transmits only one frame at a time, but
that many logical connections can coexist on a single physical line.
In Figure 13-1, label the missing fields in a standard Frame Relay frame.
Figure 13-1 Fields of the Standard Frame Relay Frame
8 bits 16 bits Variable 16 bits 8 bits
Flag Address Data FCS Flag
C/R EA EA
Byte 1 Byte 2
Figure 13-1a Fields of the Standard Frame Relay Frame (answer)
8 bits 16 bits Variable 16 bits 8 bits
Flag Address Data FCS Flag
DLCI C/R EA DLCI FECN BECN DE EA
Byte 1 Byte 2

Identify and briefly describe each of the three Frame Relay topologies.
Star topology: Also known as a hub-and-spoke topology with a central site connected to
branch sites. All branch-to-branch communication is sent through the central (hub) site.
Therefore, branch sites are only configured with one VC.
Full mesh: Every node is configured with a VC to every other node in the network. However,
each node usually only has one physical link to the local Frame Relay switch.
Partial mesh: Nodes may have more than one VC configured to remote locations. But all nodes
are not configured with all VCs, as in full mesh. This works better for larger networks where a
full-mesh topology would be cost prohibitive.
A router must know what remote Layer 3 address maps to the locally configured DLCI before
it can send data over the link. This mapping can be achieved statically or dynamically.
Briefly describe the IPv4 protocol that provides dynamic mapping.
Dynamic address mapping relies on Inverse ARP to resolve a next-hop network layer IPv4
address to a local DLCI value. The Frame Relay router sends out Inverse ARP requests on its
PVC to discover the protocol address of the remote device connected to the Frame Relay net-
work.
On Cisco routers, what must you do to make sure Inverse ARP is operational?
Nothing; Inverse ARP is enabled by default.
What is the command syntax to disable Inverse ARP?
Router(config-if)# no frame-relay inverse-arp
What is the command syntax to override dynamic mapping and statically configure the map?
Router(config-if)# frame-relay map protocol protocol-addressdlci [broadcast] [ietf]
[cisco]
Why would you use the keyword ietf?

Use the keyword ietf when connecting to a non-Cisco router.
Why would you use the keyword broadcast?
The keyword broadcast allows broadcast and multicast traffic to be sent over the VC, which
can greatly simplify the configuration of routing protocols like OSPF.
What command can you use to verify Frame Relay maps?
show frame-relay map
Briefly describe the Local Management Interface (LMI).
LMI is an extension of Frame Relay that provides additional capabilities including the ability
for DTEs to dynamically acquire information about the status of the network.
LMI uses reserved DLCIs in the range from 0 to 1023 to exchange LMI messages between the
DTE and DCE.
What are the three LMI types supported by Cisco routers?
CISCO, ANSI, Q933A
With Cisco IOS software release 11.2, the LMI type does not need to be configured because
it is autosensed.

In Figure 13-2, RTA and RTB are both configured to use Frame Relay with the IPv4 addressing
and DLCIs shown. RTA has just booted up. Fully explain how RTA will dynamically learn the
DLCIs from the local Frame Relay switch and then dynamically learn the IPv4 address of RTB.
Figure 13-2 Frame Relay Topology
S0/0/0 S0/0/0
10.10.10.1/30 Frame 10.10.10.2/30
Relay
RTA RTB
DLCI 201 DLCI 102
PVC
After booting, RTA will autosense the LMI type used on the local loop. Then RTA will send
an LMI status inquiry message to the local Frame Relay switch. The local Frame Relay switch
replies to the query with all the VCs configured on the access link. This will include the DLCI
201, which the Frame Relay network has mapped internally to reach RTB. Once RTA has the
DLCIs for the access link (only 201 in this example), it sends an Inverse ARP message which
is forwarded by the Frame Relay network to RTB. RTB responds to the Inverse ARP message
with its IPv4 address. When RTA receives the response from RTB, it will map the local DLCI
201 to the IPv4 address of RTB.
From the customers point of view, Frame Relay is one interface configured with one or more
PVCs. The rate at which data will be accepted by the local Frame Relay switch is contracted.
The access rate is the actual speed of the port connected to the service provider. It is not pos-
sible to send data any faster. The committed information rate (CIR) is the rate at which the cus-
tomer can send data into the Frame Relay network. All data at or below this rate is guaranteed.
What does the term oversubscription mean in relation to Frame Relay? What problems can it
cause?
A service provider may decide to oversell an access link on the assumption that everyone that
is subscribed on the link will not need to use the link for their full subscription all the time.
Traffic will be dropped in situations where a link is oversubscribed and then subsequently
overutilized.
When the Frame Relay network is underutilized, customers can burst over their CIR at no addi-
tional cost. The committed burst size (Bc) is a negotiated rate above the CIR that the customer
can use to transmit for short bursts, and represents the maximum allowed traffic under normal
working conditions. When sending at a rate higher than the CIR, the Discard Eligibility (DE)
bit is set to 1 in every frame so that the Frame Relay network can discard the frame if conges-
tion is occurring.
However, when there is congestion on the Frame Relay network, the switch that is experienc-
ing congestion will begin setting the Forward Explicit Congestion Notification (FECN) bit to
1 to inform downstream devices that there is congestion on the network. It will also set the
Backward Explicit Congestion Notification (BECN) bit to 1 and send a message to the source
to throttle back the speed at which it is sending data. In addition, the Frame Relay switch expe-
riencing congestion will discard every frame that has the DE bit set to 1.

Configure Frame Relay

Frame Relay connections are created by configuring customer premise equipment (CPE) routers
or other devices to communicate with a service provider Frame Relay switch. The service provider
configures the Frame Relay switch, which helps keep end-user configuration tasks to a minimum.
Configure Basic Frame Relay

Because so many of the features of Frame Relay are enabled by default, configuration is
straightforward. Assuming the interface is correctly addressed, the basic configuration is simply
a matter of changing the encapsulation on the interface.
In Figure 13-3, RTB is configured and ready to send traffic on the Frame Relay network.
Assume RTA is already configured with IPv4 and IPv6 addressing. Record the commands,
including the router prompt, to enable Frame Relay.
Figure 13-3
S0/0/0 S0/0/0
10.10.10.1/30 10.10.10.2/30
2001:DB8:1:F::1/64 2001:DB8:1:F::2/64
Link Local: FE80::1 Frame Link Local: FE80::2
Relay
RTA RTB
DLCI 201 DLCI 102
PVC
RTA(config-if)# encapsulation frame-relay
Connectivity between RTA and RTB should now be operational for IPv4 traffic. However, in
our example, IPv6 requires static mapping. You will need to map both the globally unique and
link local IPv6 addresses. Because the link local address is used for multicasts, you will need
to add the keyword broadcast to your frame relay map configuration. Record the commands,
including the router prompt, to statically configure RTA with IPv6 frame relay maps.
RTA(config-if)# frame-relay map ipv6 2001:db8:1:f::2 201
RTA(config-if)# frame-relay map ipv6 fe80::2 201 broadcast
Record the command used to generate the following output verifying the IPv4 and IPv6 maps.
RTA# show frame-relay map
Serial0/0/0 (up): ipv6 FE80::2 dlci 201(0xC9,0x3090), static,
broadcast,
CISCO, status defined, active
Serial0/0/0 (up): ipv6 2001:DB8:1:F::2 dlci 201(0xC9,0x3090), static,
Serial0/0/0 (up): ip 10.10.10.2 dlci 201(0xC9,0x3090), dynamic,
broadcast,
Packet Tracer
Packet Tracer - Configuring Static Frame Relay Maps (CN 4.2.1.4)
Activity

Configure Subinterfaces
When configuring a hub-and-spoke topology with Frame Relay, you must create subinterfaces
so that each PVC can have its own Layer 3 addressing. In a Frame Relay nonbroadcast multi-
access (NBMA) topology like the one shown in Figure 13-4, this can cause reachability issues
without proper configuration.
Figure 13-4 Frame Relay NBMA Topology
S0/0/0
10.10.10.2/30
DLCI 102
S0/0/0.201
10.10.10.1/30
DLCI 201 RTB
Frame Relay
NBMA
RTA
S0/0/0.301
10.10.10.5/30 RTC
PVC S0/0/0
DLCI 301 10.10.10.6/30
DLCI 103
Briefly describe the three reachability issues caused by NBMA topologies.

Split horizon: This rule states that an update received on a physical interface should not be
retransmitted out that same physical interface.
Broadcast and multicast replication: Broadcast and multicast traffic must be replicated for
each PVC that is configured on the interface. This can consume considerable bandwidth which
might impact user traffic if the path already has low bandwidth.
Neighbor discovery: In OSPF, the DR/BDR election must result in the hub router as DR
because it is the only router that has PVCs to all other routers.
What are the three ways to solve these reachability issues?
One or more of the following: disable split horizon, build a full mesh topology, configure sub-
interfaces.
In Figure 13-4, RTA is the hub router and RTB and RTC are spokes. Given the information
shown in Figure 13-4, record the commands, including the router prompts, to configure RTA
with Frame Relay using point-to-point subinterfaces.

RTA(config-if)# encapsulation frame-relay
RTA(config-if)# no shutdown
RTA(config-if)# exit
RTA(config)# interface serial 0/0/0.201 point-to-point
RTA(config-subif)# ip address 10.10.10.1 255.255.255.252
RTA(config-subif)# frame-relay interface-dlci 201
RTA(config-fr-dlci)# exit
RTA(config-subif)# exit

RTA(config)# interface serial 0/0/0.301

RTA(config-subif)# ip address 10.10.10.5 255.255.255.252
RTA(config-subif)# frame-relay interface-dlci 301
RTA(config-fr-dlci)#
Lab - Configuring Frame Relay and Subinterfaces (CN 4.2.2.7)
Packet Tracer
Packet Tracer - Configuring Frame Relay Point-to-Point Subinterfaces (CN 4.2.2.6)
Activity
Troubleshoot Connectivity
Frame Relay is generally a reliable service. Nonetheless, sometimes the network performs at
less-than-expected levels, and troubleshooting is necessary.
Record the Frame Relay verification commands that generated the following output:
RTA# show frame-relay pvc
PVC Statistics for interface Serial0/0/0 (Frame Relay DTE)
Active Inactive Deleted Static

Local 1 0 0 0
Switched 0 0 0 0
Unused 0 0 0 0
DLCI = 201, DLCI USAGE = LOCAL, PVC STATUS = ACTIVE, INTERFACE = Serial0/0/0
input pkts 1 output pkts 1 in bytes 34

out bytes 34 dropped pkts 0 in pkts dropped 0
out pkts dropped 0 out bytes dropped 0
in FECN pkts 0 in BECN pkts 0 out FECN pkts 0
out BECN pkts 0 in DE pkts 0 out DE pkts 0
out bcast pkts 1 out bcast bytes 34
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
pvc create time 00:02:12, last time pvc status changed 00:01:38
RTA# show frame-relay lmi
LMI Statistics for interface Serial0/0/0 (Frame Relay DTE) LMI TYPE = CISCO
Invalid Unnumbered info 0 Invalid Prot Disc 0
Invalid dummy Call Ref 0 Invalid Msg Type 0
Invalid Status Message 0 Invalid Lock Shift 0
Invalid Information ID 0 Invalid Report IE Len 0
Invalid Report Request 0 Invalid Keep IE Len 0
Num Status Enq. Sent 14 Num Status msgs Rcvd 15

Num Update Status Rcvd 0 Num Status Timeouts 0

Last Full Status Req 00:00:23 Last Full Status Rcvd 00:00:23
RTA# show interface serial 0/0/0
Hardware is WIC MBRD Serial
Encapsulation FRAME-RELAY, loopback not set
Keepalive set (10 sec)
LMI enq sent 15, LMI stat recvd 16, LMI upd recvd 0, DTE LMI up
LMI enq recvd 0, LMI stat sent 0, LMI upd sent 0
LMI DLCI 1023 LMI type is CISCO frame relay DTE
FR SVC disabled, LAPF state down
Broadcast queue 0/64, broadcasts sent/dropped 1/0, interface
<output omitted>
RTA# show frame-relay map

Serial0/0/0 (up): ip 10.10.10.2 dlci 201(0xC9,0x3090), dynamic,
broadcast,
Serial0/0/0 (up): ipv6 2001:DB8:1:F::2 dlci 201(0xC9,0x3090), static,
Serial0/0/0 (up): ipv6 FE80::2 dlci 201(0xC9,0x3090), static,
broadcast,
RTA#
In Table 13-1, indicate which command enables you to verify the described information. Some
information can be verified with more than one command.
Table 13-1 Frame Relay Verification Commands

Frame Relay Information show interface show frame- show frame- show frame-
Verified serial relay lmi relay pvc relay map
Broadcast status for the PVC X
PVC status X X
Number of LMI status que- X X
ries sent and received
Layer 1 and Layer 2 status X
information
LMI type X X
Invalid LMI types X

Frame Relay Information show interface show frame- show frame- show frame-
Verified serial relay lmi relay pvc relay map
Number of ECN packets in X
and out
DLCI assigned to the PVC X X
The encapsulation type X
Frame Relay DTE/DCE type X

Packet Tracer
Challenge

CHAPTER 14
Network Address Translation for IPv4
All public IPv4 addresses that transverse the Internet must be registered with a Regional Internet
Registry (RIR). Only the registered holder of a public Internet address can assign that address to a
network device. With the proliferation of personal computing and the advent of the World Wide Web,
it soon became obvious that 4.3 billion IPv4 addresses would not be enough. The long-term solution
was to eventually be IPv6. But for the short term, several solutions were implemented by the IETF,
including Network Address Translation (NAT) and RFC 1918 private IPv4 addresses.
NAT Operation
There are not enough public IPv4 addresses to assign a unique address to each device connected to the
Internet. Networks are commonly implemented using private IPv4 addresses.
NAT Characteristics
Fill in the table with the private addresses defined by RFC 1918.
Class Address Range CIDR Prefix

A 10.0.0.010.255.255.255 10.0.0.0/8
B 172.16.0.0172.31.255.255 172.16.0.0/12
C 192.168.0.0192.168.255.255 192.168.0.0/16
Briefly explain the following terms:

Inside local address: The address of the source as seen from inside the network.
Inside global address: The address of source as seen from the outside network.
Outside global address: The address of the destination as seen from the outside network. Most
often the outside local and outside global addresses are the same.
Outside local address: The address of the destination as seen from the inside network. Although
uncommon, this address could differ from the globally routable address of the destination.

In Figure 14-1, label each type of NAT address.
Figure 14-1 Identify NAT Address Types

203.0.113.11
192.168.51.5
198.51.100.2
WWW PC1
R1
ISP 192.168.51.1
Web Server
Figure 14-1a Identify NAT Address Types (Answer)

203.0.113.11
192.168.51.5
198.51.100.2
WWW PC1
R1
ISP 192.168.51.1
Web Server
Outside Outside Inside Inside

Local Global Global Local
Types and Benefits of NAT

Briefly describe the three types of NAT:
Static address translation (static NAT): One-to-one address mapping between local and
global addresses.
Dynamic address translation (dynamic NAT): Many-to-many address mapping between
local and global addresses.
Port Address Translation (PAT): Many-to-one address mapping between local and global
addresses. This method is also known as overloading (NAT overloading).
When is it appropriate to use static NAT?
Static NAT is particularly useful for web servers or devices that must have a consistent address
that is accessible from the Internet, such as a company web server. It is also useful for devices
that must be accessible by authorized personnel when offsite, but not by the general public
on the Internet.
What is the difference between dynamic NAT and PAT?
Dynamic NAT uses a pool of public addresses and assigns them on a first-come, first-served
basis. PAT maps multiple private addresses to one or a few public addresses using the source
port number to track connections.
List and explain at least three advantages and three disadvantages to using NAT.
Advantages
Conserves the legally registered addressing scheme
Increases the flexibility of connections to the public network

CHAPTER 14: Network Address Translation for IPv4 183
Provides consistency for internal network addressing schemes

Provides network security
Disadvantages
Performance is degraded.
End-to-end functionality is degraded.
End-to-end IP traceability is lost.
Tunneling becomes more complicated.
Initiating TCP connections can be disrupted.
Packet Tracer
Packet Tracer - Investigating NAT Operation (RSE 11.1.2.6/WAN 5.1.2.6)
Activity
Configuring NAT
Configuring NAT is straightforward if you follow a few simple steps. Static NAT and dynamic
NAT configurations vary slightly. Adding PAT to a dynamic NAT is as simple as adding a
keyword to the configuration.
Configuring Static NAT

Use the following steps to configure static NAT:
Step 1. Create a map between the inside local IP address and the inside global IP address
with the ip nat inside source static local-ip global-ip global configuration com-
mand.
Step 2. Configure the inside interface of the LAN the device is attached to participate in
NAT with the ip nat inside interface configuration command.
Step 3. Configure the outside interface where NAT translation will occur with the ip nat
outside interface configuration command.
Refer to the topology in Figure 14-2 to configure static NAT.
Figure 14-2 Static NAT Configuration Topology

Inside Network Outside Network
S0/0/0
S0/1/0
Internet
R2
Web Server Client
172.16.1.10 209.165.201.254
Static NAT
Translation
http://64.100.10.1
The web server uses an inside local address 172.16.1.10 that needs to be translated to the inside
global address 64.100.10.1. Record the command including router prompt to configure the
static translation on R2.
R2(config)# ip nat inside source static 172.16.1.10 64.100.10.1

Record the commands including router prompt to configure the inside interface.
R2(config)# interface Serial0/0/0

R2(config-if)# ip nat inside
Record the commands including router prompt to configure the outside interface.

R2(config-if)# ip nat outside
Packet Tracer - Configuring Static NAT (RP 11.2.1.4/WAN 5.2.1.4)

Packet Tracer
Activity
Configuring Dynamic NAT

Use the following steps to configure dynamic NAT:
Step 1. Define the pool of addresses that will be used for dynamic translation using the
ip nat pool name start-ip end-ip {netmask netmask | prefix-length prefix-length}
global configuration command.
Step 2. Configure an ACL to specify which inside local addresses will be translated using a
standard ACL.
Step 3. Bind the NAT pool to the ACL with the ip nat inside source list ACL-number pool
name global configuration command.
Step 4. Configure the inside interface of the LAN the device is attached to participate in
NAT with the ip nat inside interface configuration command.
Step 5. Configure the outside interface where NAT translation will occur with the ip nat
outside interface configuration command.
Refer to the topology in Figure 14-3 to configure dynamic NAT.
Figure 14-3 Dynamic NAT Configuration Topology

172.16.1.0/24
PC1

172.16.1.10
S0/0/0
S0/1/0
Internet
R1 R2
Server
PC2 NAT POOL: 64.100.10.0/30
172.16.2.10 Dynamic NAT
172.16.2.0/24
The pool of available addresses is 64.100.10.0/30. Record the command including router
prompt to configure the NAT pool with an appropriate name.
R1(config)# ip nat pool NAT 64.100.10.0 64.100.10.3 netmask 255.255.255.252

The two LANs, 172.16.1.0/24 and 172.16.2.0/24, need to be translated. No other addresses are
allowed. Record the command including router prompt to configure the ACL.
R1(config)# access-list 1 permit 172.16.1.0 0.0.0.255

R1(config)# access-list 1 permit 172.16.2.0 0.0.0.255
Record the command including router prompt to bind the NAT pool to the ACL.
R1(config)# ip nat inside source list 1 pool NAT
Record the commands including router prompt to configure the inside interface.

R2(config-if)# ip nat inside
Record the commands including router prompt to configure the outside interface.

R2(config-if)# ip nat outside
Lab - Configuring Dynamic and Static NAT (RP 11.2.2.6/WAN 5.2.2.6)
Packet Tracer Packet Tracer - Configuring Dynamic NAT (RP 11.2.2.5/WAN 5.2.2.5)
Activity
Configuring Port Address Translation

Configuring Port Address Translation (PAT) is just like configuring dynamic NAT except you
add the keyword overload to your binding configuration:
Router(config)# ip nat inside source list ACL-number pool name overload
However, a more common solution in a small business enterprise network is to simply overload
the IP address on the gateway router. In fact, this is what a home router does out of the box.
To configure NAT to overload the public IP address on an interface, use the following
command:
Router(config)# ip nat inside source list ACL-number interface type number overload
In this case, of course, there is no pool configuration.

Refer to the topology in Figure 14-4 to configure PAT.
Figure 14-4 Dynamic NAT Configuration Topology

172.16.1.0/24
PC1

172.16.1.10
S0/0/0
S0/1/0
Internet
R1 R2
Server
PC2
172.16.2.10 64.100.10.1
172.16.2.0/24

R1 is using the public IP address 64.100.10.1 on the Serial 0/1/0 interface. Record the command
including router prompt to bind the ACL you configured for dynamic NAT to the Serial 0/1/0
interface.
R1(config)# ip nat inside source list 1 interface s0/1/0 overload
Thats it! The rest of the commands are the same as dynamic NAT. However, the process of
translating inbound and outbound packets is a bit more involved. PAT maintains a table of
inside and outside addresses mapped to port numbers to track connections between the source
and destination.
The series of Figures 14-5 through 14-8 illustrate the PAT process overloading an interface
address. Use the options in Table 14-1 to fill in the source address (SA), destination address (DA),
and corresponding port numbers as the packet travels from source to destination and back.
Table 14-1 Addresses and Port Numbers

64.100.10.2 192.168.51.5 1268 209.165.201.11
1150 53 192.168.51.1 80
Figure 14-5 Hop 1: PC1 to NAT-Enabled R1

209.165.201.11
192.168.51.5 192.168.51.1 ISP
PC1
Internet
R1
64.100.10.2
Web Server
SA DA
Source Port Destination Port
1150 80
Figure 14-5a Hop1: PC1 to NAT-Enabled R1 (Answer)

209.165.201.11
192.168.51.5 192.168.51.1 ISP
PC1
Internet
R1
64.100.10.2
Web Server
SA DA
192.168.51.5 209.165.201.11
1150 80

Figure 14-6 Hop 2: NAT-Enabled R1 to Web Server

209.165.201.11
192.168.51.5 192.168.51.1 ISP
PC1
Internet
R1
64.100.10.2
Web Server
SA DA
1268
Figure 14-6a Hop 2: NAT-Enabled R1 to Web Server (Answer)

209.165.201.11
192.168.51.5 192.168.51.1 ISP
PC1
Internet
R1
64.100.10.2
Web Server
SA DA
64.100.10.2 209.165.201.11
1268 80
Figure 14-7 Hop 3: Web Server to NAT-Enable R1

209.165.201.11
192.168.51.5 192.168.51.1 ISP
PC1
Internet
R1
64.100.10.2
Web Server
SA DA

Figure 14-7a Hop 3: Web Server to NAT-Enable R1 (Answer)

209.165.201.11
192.168.51.5 192.168.51.1 ISP
PC1
Internet
R1
64.100.10.2
Web Server
SA DA
209.165.201.11 64.100.10.2
80 1268
Figure 14-8 Hop 4: NAT-Enabled R1 to PC1

209.165.201.11
192.168.51.5 192.168.51.1 ISP
PC1
Internet
R1
64.100.10.2
Web Server
SA DA
Figure 14-8a Hop 4: NAT-Enabled R1 to PC1 (Answer)

209.165.201.11
192.168.51.5 192.168.51.1 ISP
PC1
Internet
R1
64.100.10.2
Web Server
SA DA
209.165.201.11 192.168.51.5
80 1150

Lab - Configuring NAT Pool Overload and PAT (RP 11.2.3.7/WAN 5.2.3.7)
Packet Tracer Packet Tracer - Implementing Static and Dynamic NAT (RP 11.2.3.6/WAN 5.2.3.6)
Activity
A Word About Port Forwarding

Because NAT hides internal addresses, peer-to-peer connections work only from the inside
out, where NAT can map outgoing requests against incoming replies. The problem is that NAT
does not allow requests initiated from the outside. To resolve this problem, you can configure
port forwarding to identify specific ports that can be forwarded to inside hosts.
The port forwarding configuration is commonly done in a GUI. However, you can also
configure port forwarding in the Cisco IOS adding the following command to your NAT
configuration:
Router(config)# ip nat inside source {static {tcp | udp local-ip local-port global-ip
global-port} [extendable]
Packet Tracer - Configuring Port Forwarding on a Linksys Router (RP 11.2.4.4/WAN

Packet Tracer
Activity 5.2.4.4)
Configuring NAT and IPv6

IPv6 includes both its own IPv6 private address space and NAT, which are implemented
differently than they are for IPv4. IPv6 uses a unique local address (ULA) for communication
within a local site.
In Figure 14-9, label the missing parts of the IPv6 ULA address structure.
Figure 14-9 IPv6 Unique Local Address Structure

Bits
L Subnet ID
Pseudo-
EUI-64, Random, or
Random
Manual Configuration
Algorithm
1 or 0

Figure 14-9a IPv6 Unique Local Address Structure (Answer)

Bits
7 1 40 16 64
/64
Prefix L Global ID Subnet ID Interface ID
Pseudo-
EUI-64, Random, or
FC00::/7 Random
Manual Configuration
Algorithm
1 or 0
ULAs are also known as local IPv6 addresses. Briefly describe three characteristics of ULAs.
Allow sites to be combined or privately interconnected, without creating any address
conflicts or requiring renumbering of interfaces that use these prefixes
Independent of any ISP and can be used for communications within a site without
having any Internet connectivity
Not routable across the Internet, but if accidentally leaked by routing or DNS, there is
no conflict with other addresses
What is the main purpose of NAT for IPv6?
To provide a translation mechanism between IPv6 and IPv4 networks
Briefly describe the three transition strategies to move from IPv4 to IPv6.
Dual stack is when the devices are running protocols associated with both the IPv4 and IPv6.
Tunneling for IPV6 is the process of encapsulating an IPv6 packet inside an IPv4 packet. This
allows the IPv6 packet to be transmitted over an IPv4-only network. Translation strategies
include NAT-PT, which is now replaced with NAT64.
Troubleshooting NAT
When there are IPv4 connectivity problems in a NAT environment, it is often difficult to
determine the cause of the problem. The first step in solving the problem is to rule out NAT as
the cause. Follow these steps to verify that NAT is operating as expected:
Step 1. Review the purpose of the NAT configuration. Is there a static NAT implementa-
tion? Are the addresses in the dynamic pool actually valid? Are the inside and out-
side interfaces correctly identified?
Step 2. Verify that correct translations exist in the translation table using the show ip nat
translations command.
Step 3. Use the clear ip nat translations * and debug ip nat commands to verify that NAT
is operating as expected. Check to see whether dynamic entries are re-created after
they are cleared.
Step 4. Review in detail what is happening to the packet, and verify that routers have the
correct routing information to move the packet.

Lab - Troubleshooting NAT Configurations (RP 11.3.1.5/WAN 5.3.1.5)
Packet Tracer Packet Tracer - Verifying and Troubleshooting NAT Configurations (RP 11.3.1.4/WAN
Activity 5.3.1.4)
Packet Tracer - Skills Integration Challenge (RP 11.4.1.2/WAN 5.4.1.2)

CHAPTER 15
Broadband Solutions
With the advent of broadband technologies like digital subscriber line (DSL) and cable, working from
home has become a popular option for both employees and companies alike. Virtual private networks
(VPN) allow workers to securely connect to the business from remote locations. There are several fac-
tors to consider when choosing a broadband solution. This chapter reviews DLS, cable, wireless, VPN,
and the factors to consider when implementing broadband solutions.

Teleworking
Teleworking is working away from the traditional workplace by using telecommunication tech-
nologies such as broadband and VPN security.
Benefits of Teleworking
The groups that benefit from teleworking include employees, employers, local governments,
and communities. In Table 15-1, indicate which group primarily receives the benefit described.
Table 15-1 Benefits of Teleworking

Benefit Employer Government/ Individual
Community
Improves employee morale X
Decreases recruitment and retention costs X
Reduces local infrastructure costs X
Attracts local employment and development X
Saving time or earning more in the same time X
Increases available time to care for dependents X
Reduces absenteeism levels X
Reduces the impact of urban drift X
Reduces costs associated with commuting X
Can reduce regional traffic delays X
Flexibility to deal with personal tasks X
Customers experience improved response times X
Costs of Teleworking
Teleworking does have some costs, as well. List at least two costs from the employers perspec-
tive and two costs from the employees perspective.
Employer
It may be difficult to keep track of employee progress on work.
Managers must use a different management style to oversee teleworkers.
Employees
Teleworkers can feel isolated working alone.
Lack of technology support and services compared to colleagues that are in the office.
Teleworking can have its own set of distractions like household chores or leisure pursuits like
watching TV.
Business Requirements for Teleworker Services

Both the teleworker and the business must meet certain minimum requirements to implement
teleworking services for the organization. In Table 15-2, indicate whether the teleworker or the
company is responsible for each requirement.

Chapter 15: Broadband Solutions 195
Table 15-2 Teleworker Services Requirements

Responsibility Teleworker Company
Usually uses cable or DSL to access the VPN. X
Manages VPN authentication procedures. X
Uses client software for network access. X
Determines link aggregation and VPN termination methods. X
Uses network access while traveling. X
Maintains VPN concentrators and security appliances. X
Comparing Broadband Solutions

Depending on the location of the teleworker, connecting to the corporate network can be done
in one of three ways: cable, DSL, or broadband wireless.
Cable
Cable broadband uses a coaxial cable that carries radio frequency (RF) signals across the net-
work. What portion of the electromagnetic spectrum do these signals occupy?
Radio frequencies occur between 1 KHz and 1 THz on the electromagnetic spectrum.
Traditionally, cable communications was one way. Modern cable systems now provide two-way
communication. What three main telecommunication services are offered by todays cable
companies?
Cable companies now offer digital cable TV, residential phone service, and high-speed Internet
access.
Two-way communications occurs downstream in the 50- to 860-MHz range and upstream in
the 5- to 42-MHz range.
The Data-over-Cable Service Interface Specification (DOCSIS) is the international standard
developed by CableLabs that cable operators use to provide Internet access over their existing
hybrid fiber-coaxial (HFC) infrastructure.
What two types of equipment are required to send digital modem signals upstream and down-
stream on a cable system?
Cable Modem Termination System (CMTS) at the headend of the cable operator
Cable Modem (CM) on the subscriber end

Definitions Terms
a. Combining both fiber-optic and coax cabling d. CMTS
together into a hybrid cabling infrastructure b. DOCSIS
b. Defines the communications and operation c. Downstream
support interface that permits the addition of
e. Frequency
high-speed data transfer to a traditional cable
TV system a. HFC
c. The direction of a signal transmission from f. Upstream

the headend to subscribers
d. Located in the headend (and communicates
with CMs located in subscriber homes)
e. The rate at which current (voltage) cycles
(computed as the number of waves per sec-
ond)
f. The direction of a signal transmission from
subscribers to the headend

DSL
Digital subscriber line (DSL) technology takes advantage of the additional bandwidth available
in telephone networks between 3 KHz and 1 MHz.
Briefly describe the two main types of DSL.
Asymmetric DSL (ADSL) provides higher downstream bandwidth than upload speed.
Symmetric DSL (SDSL) provides the same bandwidth in both directions.
The local loop connection to the CO must be less than 3.39 miles (5.46 km).
What two components are required to provide a DSL connection to the teleworker?
Equipment required includes a transceiver (DSL modem), which connects the teleworkers net-
work to the DSL network and a DSL access multiplexer (DSLAM) located at the CO to com-
bine individual DSL subscribers into one link to an ISP.
The analog voice and ADSL signals must be separated to avoid interference. What two devices
can separate the signals?
There are two ways to separate ADSL from voice at the customer premises: using a microfilter
or using a splitter.

Definitions Terms
a. Located at the CO, a device that combines c. ADSL
individual DSL connections from subscribers f. DSL
into one high-capacity link to an ISP
a. DSLAM
b. Sometimes referred to as the DSL modem,
d. Microfilter
a device that connects the subscriber to the
DSL network e. SDSL
c. The category of DSL technology that provides b. Transceiver

high-speed downstream data capacity value
with a lower upstream capacity value
d. Device with one end connecting to a tele-
phone device and the other end connecting to
the telephony wall jack
e. Category of DSL technology that provides
equal high-speed downstream and upstream
data capacities
f. A means of providing high-speed connections
over pre-existing installed copper wire infra-
structure

Broadband Wireless
Of the three broadband technologies, wireless offers the largest variety of ways to connect. Whether from your
laptop or from a smartphone, urban or rural, broadband wireless has a solution.
Definitions Terms
a. Uses a point-to-multipoint topology to pro- c. 3G/4G Wireless
vide wireless cellular broadband access at b. LTE
speeds up to 1 Gbps
d. Municipal WiFi
b. Newer and faster technology for high-speed
f. VSAT
cellular data (considered to be part of 4G)
a. WiMAX
c. Cellular broadband access that gets faster with
each generation e. Wireless Internet
d. Employs a mesh network with an access

points at each node for 802.11 connections
e. A general term for Internet service from a
mobile phone or any other mobile device that
uses the same technology
f. Two-way satellite Internet using IP multicast-
ing technology

Selecting Broadband Solutions

Ideally, a teleworker would have a fiber-optic cable directly connected to the home office.
When selecting the broadband solution that is right for you, you want to consider several fac-
tors. In Table 15-3, indicate the factors for each broadband solution.
Table 15-3 Broadband Solutions: Factors to Consider

Factor to Consider Cable DSL Fiber- Cellular/ Wi-Fi WiMAX Satellite
to-the- Mobile Mesh
Home
Requires fiber installation X
directly to the home.
Coverage is often an issue, X
bandwidth is limited, and data
may not be unlimited.
Bit rate is limited to 2 Mbps X
per subscriber, cell size is 1 to
2 km (1.25 mi).
Bandwidth is shared by many X
users, and upstream data rates
are often slow.
Limited bandwidth that is X
distance sensitive, and the
upstream rate is proportion-
ally quite small compared to
downstream rate.
Expensive, limited capacity X
per subscriber; often provides
access where no other access
is possible.
Most municipalities do X
not have a mesh network
deployed; if it is available and
the SOHO is in range, it is a
viable option.
Configuring xDSL Connectivity

The underlying data-link protocol commonly used by Internet service providers (ISPs) to send
and receive data across DSL links is PPP over Ethernet (PPPoE).
PPPoE Overview
For the ISP, what are the benefits of using PPP?
PPP supports the ability to assign IP addresses to the remote end of the link. PPP with CHAP
authentication allows the ISP to check the customers records to make sure that the bill is paid.

What are the three stages of evolution in teleworker connections from the home that use PPP?
First there was analog dialup, which was later replaced with ISDN, which was then replaced by
DSL.
Configuring PPPoE
Although PPPoE configuration is beyond the scope of the course, understanding how PPPoE
is implemented will help solidify your skills in configuring PPP.
The two steps to configure PPPoE are as follows:
Step 1. Create a PPP tunnel using dialer interface with the following settings:
Encapsulation is PPP.
IP address is negotiated.
MTU size is set to 1492. Why?
To allow for the additional 8-byte PPP header, the MTU is reduced from the maxi-
mum Ethernet size of 1500 bytes to 1492.
Dialer interface is assigned a pool.
CHAP authentication with username and password assigned by ISP.
Step 2. Enable PPPoE on the interface attached to the DSL modem and assign it as a PPPoE
client using the dialer pool defined in Step 1.
You can verify the dialer interface was assigned an IP address with the show ip interface brief
command.
In Figure 15-1, the ISP router is already configured. Record the commands to configure the
Customer router using the following CHAP information:
Figure 15-1 PPPoE Configuration Topology
Internet
G0/0 G0/0
Customer ISP
DSL Modem DSLAM
Username is CustomerBob.
Password is Bob$connect.
Customer(config)# interface dialer 1

Customer(config-if)# ip address negotiated
Customer(config-if)# encapsulation ppp
Customer(config-if)# ip mtu 1492
Customer(config-if)# dialer pool 1

Customer(config-if)# ppp chap hostname CustomerBob

Customer(config-if)# ppp chap password Bob$connect
Customer(config-if)# no shutdown
Customer(config-if)# interface g0/0
Customer(config-if)# no ip address
Customer(config-if)# pppoe enable
Customer(config-if)# pppoe-client dial-pool-number 1
Customer(config-if)# no shutdown
If you want to configure this on lab equipment, connect two routers through a switch or with a
crossover cable and use the following configuration for ISP:
username CustomerBob password Bob$connect

!
bba-group pppoe global
virtual-template 1
!
no ip address
pppoe enable group global
no shutdown
!
interface Virtual-Template1
mtu 1492
ip address 64.100.1.254 255.255.255.0
peer default ip address pool CUSTOMER_POOL
ppp authentication chap callin
!
ip local pool CUSTOMER_POOL 64.100.1.1 64.100.1.253
Lab - Configuring a Router as a PPPoE Client for DSL Connectivity (CN 6.3.2.3)

CHAPTER 16
Securing Site-to-Site Connectivity
Up to this point in our WAN discussions, we have covered access options, including leased lines, Frame
Relay, cable, digital subscriber line (DSL), and wireless. Now it is time to turn our attention toward a
popular solution for linking two sites or a teleworker to the corporate office. With the use of generic
routing encapsulation (GRE) and IP security (IPsec), virtual private networks (VPNs) play an important
role in todays network implementations.

VPNs
With the proper implementation at that central site, VPNs provide the flexibility of having safe
and secure connections regardless of the underlying access technology. This is increasingly
important as more users need or want access to their corporate networks no matter their cur-
rent location.
Fundamentals of VPNs
VPNs are used to create a private tunnel over the Internet regardless of the WAN access option
used to make the connection.
Briefly describe three different scenarios in which VPNs are a viable solution.
VPNs are ideal for connecting teleworkers, remote/branch offices, and business partners to the
corporate network at the central site.
What is the difference between VPN and secure VPN?
Secure VPNs are implemented with data encryption using IPsec.
To implement a VPN, a VPN gateway is needed. List three devices can serve as a VPN gateway.
A router, a firewall, and Ciscos Adaptive Security Appliance (ASA) can all serve as VPN gate-
ways.
Briefly describe four benefits to using VPNs.
Cost savings: VPNs allow organizations to replace expensive dedicated WAN links or modem
banks by using Internet connections to connect end users.
Scalability: It is easy to add branches, partners, or users because ISP choices can be made
locally.
Compatibility with broadband technology: Home, branch, and mobile workers can take advan-
tage of whatever broadband technology they are using to connect to the Internet.
Security: VPNs use advanced encryption technology to secure data as it travels across the
Internet.
Types of VPNs
There are two main types of VPN networks. Site-to-site VPNs support connections where the
two locations are permanent and contain more than one user. For example, a branch site or a
business partner site most likely would benefit from a site-to-site VPN. Remote-access VPNs
are best used for single user connection needs such as teleworkers and mobile users.
In Table 16-1, indicate the type of VPN described by each characteristic.
Table 16-1 Comparing Site-to-Site and Remote-Access VPNs

Characteristic Site-to-Site Remote-Access
VPN VPNs
VPN is dynamically enabled when needed. X
Most likely uses VPN client software to establish VPN X
connection and encrypt data.
Users have no knowledge of the VPN. X

Chapter 16: Securing Site-to-Site Connectivity 205
Characteristic Site-to-Site Remote-Access

VPN VPNs
Connects networks together through peer VPN gateways. X
Uses a client/server model. X
Connects teleworkers and mobile users. X
VPN connection is static. X
Packet Tracer Packet Tracer - Configuring VPNs (Optional) (CN 7.1.2.4)

Activity
Site-to-Site GRE Tunnels

Generic routing encapsulation (GRE) is a site-to-site VPN tunneling protocol developed by
Cisco. GRE can encapsulate a wide variety of protocol packet types inside IP tunnels.
Fundamentals of Generic Routing Encapsulation

List three protocols that GRE can encapsulate.
IPv4, IPv6, AppleTalk, DECnet, or IPX
Figure 16-1 shows the basic fields in a GRE encapsulated packet.
Figure 16-1 GRE Encapsulated Packet
IP GRE IP TCP Data
Figure 16-2 shows the topology we will use to configure GRE later in this section. Notice how
the protocol packet, IP, is encapsulated with GRE, then encapsulated in an IP packet for trans-
port across the Internet. The inside IP packet is using private addressing and the outside IP
packet is using public addressing.
Note: The public addressing is on the same subnet. This is uncommon on real networks. However, we are
doing it here so that you can easily attach to routers and use this configuration for practice.
Figure 16-2 GRE Topology
64.100.1.2/30 64.100.1.1/30
S0/0/0 S0/0/0
G0/0
PC1 G0/0
Tunnel
RTB RTA
10.1.1.2/30 10.1.1.0/30 10.1.1.2/30
10.10.2.10/24 Tunnel1 Tunnel1 10.10.1.10/24
IPv4
Original Packet
IP GRE Payload
Header Header Packet

GRE is defined by IETF RFC 2784. In the outer IP header, 47 is used in the Protocol field to
indicate that a GRE header follows. In the GRE header, a Protocol Type field specifies the OSI
Layer 3 protocol that is encapsulated (IP in Figure 16-2). GRE is stateless, meaning that it does
not include any flow-control mechanisms. Also, GRE does not include any security mecha-
nisms to protect the payload. The GRE header and additional IP header creates at least 24
bytes of additional overhead for tunneled packets.
Configuring GRE Tunnels

In Figure 16-2 shown earlier, assume the physical interfaces on RTA and RTB are configured
and active. Also assume that RTA is already configured with a GRE tunnel and OSPF routing.
To configure GRE on RTB, complete the following steps:
Step 1. Create a tunnel interface using the interface tunnel number command. The interface
numbers do not have to match between RTA and RTB.
Step 2. Configure an IP address for the tunnel interface. The two routers on the tun-
nel should use addresses from the same subnet. In our topology, the subnet is
10.1.1.0/30.
Step 3. Specify the tunnels source IP address in the public part of the network with the
tunnel source ip-address command. The IP address must match the other sides
configuration for tunnel destination ip-address. For RTB, this address is the
64.100.1.2 IP address configured on its S0/0/0 interface.
Step 4. Specify the tunnels destination IP address in the public part of the network with
the tunnel destination ip-address command. The IP address must match the other
sides tunnel source ip-address. For RTB, this address is the 64.100.1.1 IP address
configured on RTAs S0/0/0.
Step 5. Configure routing to use the tunnel to advertise the private LANs at each site.
Note: These steps do not include configuring the tunnel mode command because the
default, GRE IP, is what is needed here. However, in the future, the GRE tunnel will most
likely be IPv6.
Using these steps, record the commands including the router prompt to configure RTB with a
GRE tunnel to RTA.
RTB(config)# interface tunnel 1

RTB(config-if)# ip address 10.1.1.2 255.255.255.252
RTB(config-if)# tunnel source 64.100.1.2
RTB(config-if)# tunnel destination 64.100.1.1
RTB(config-if)# router ospf 1
A number of commands can be used to verify the GRE tunnel is operational. Of course, the
ultimate test is that PC1 should now be able to ping the server attached to the RTA LAN. If
connectivity fails, use the following commands to troubleshoot the issue.

Record the commands and command filtering used to generate the following output.
RTB# show ip ospf neighbor
Neighbor ID Pri State Dead Time Address Interface

64.100.1.1 0 FULL/ - 00:00:34 10.1.1.1 Tunnel1
RTB# show ip interface brief | include Tunnel
Tunnel1 10.1.1.2 YES manual up up
RTB# show ip route ospf | begin Gateway

O 10.10.1.0/24 [110/1001] via 10.1.1.1, 00:23:49, Tunnel1
RTB# show interface Tunnel 1
Tunnel1 is up, line protocol is up
Hardware is Tunnel
Encapsulation TUNNEL, loopback not set
Keepalive not set
Tunnel source 64.100.1.2, destination 64.100.1.1
Tunnel protocol/transport GRE/IP
Key disabled, sequencing disabled
Checksumming of packets disabled
Tunnel TTL 255, Fast tunneling enabled
Tunnel transport MTU 1476 bytes
<output omitted>
RTB#
In the output from the last command shown, why is the maximum transmission unit (MTU) set
at 1476 bytes?
The overhead for GRE is 24 bytes, which limits the encapsulated packet from the normal 1500
bytes to 1476 bytes.
Lab - Configuring a Point-to-Point GRE VPN Tunnel (CN 7.2.2.5)
Packet Tracer
Packet Tracer - Configuring GRE (CN 7.2.2.3)
Activity
Packet Tracer - Troubleshooting GRE (CN 7.2.2.4)

Introducing IPsec
Although GRE is excellent for creating a tunnel across the Internet, it does not include any
kind of security. This section reviews basic IPsec concepts. IPsec configuration is not a CCNA
Routing and Switching exam topic. So, any practice you do is purely optional.
Internet Protocol Security

RFC 4301, Security Architecture for the Internet Protocol, defines IP security, or simply
IPsec. Briefly describe each of the four critical functions of IPsec security services.
Confidentiality (encryption): IPsec provides strong algorithms used to encrypt the data
before it is sent across the VPN tunnel.
Data integrity: When data is received on the other end of the tunnel, IPsec has uses a
hash to ensure that the packet has not been changed.
Authentication: IPsec uses Internet Key Exchange (IKE) to authenticate that the connec-
tion is made with the desired communication partner.
Anti-replay protection: This is the ability to detect and reject replayed packets and helps
prevent spoofing. Late and duplicate packets are dropped.
IPsec Framework
Encryption protects data confidentiality and integrity. Authentication ensures that the sender
and receiver actually know and trust each other.
Encryption
What two factors impact the degree of confidentiality in an encryption algorithm?
The shorter a key used in the encryption, the easier it is to hack. Therefore, longer keys (such
as 256-bit) provide stronger encryption and data confidentiality. In addition, the sophistication
of the algorithm impacts confidentiality.
What is the main difference between symmetric and asymmetric encryption?
In symmetric encryption, the source and destination use a pre-shared key, whereas in asym-
metric encryption, the source and the destination use two different keys.
In what scenarios are symmetric and asymmetric encryption used?
Symmetric encryption is commonly used to encrypt the contents of a message, and asymmet-
ric encryption is commonly used for digital certificates.
What is the main purpose of the Diffie-Hellman (DH) algorithm?
DH is a method for two parties to establish a shared secret key that will be used by encryption
and hash algorithms.
Hash-based Message Authentication Code (HMAC) is a mechanism for message authentication
using hash functions. A keyed HMAC is a data integrity algorithm that guarantees the integ-
rity of a message.
What are the two common HMAC algorithms?
MD5 and SHA

Briefly describe the operation of an HMAC algorithm.

A shared secret key and variable-length message are combined and run through the algorithm.
The result is a hash that is appended to the original message. The receiving end reverses the
process to decrypt the variable-length message.
Authentication
Encryption is crucial, as we have seen. However, a VPN tunnel must also authenticate the
device on the other end before the path can be considered secure. Briefly describe the two
main peer authentication methods.
PSK: A secret key that is shared between the two parties using a secure channel before it
needs to be used. It is manually configured and used to authenticate at each end.
RSA signatures: Digital certificates are obtained from a certificate authority and then are
exchanged to authenticate peers.
Figure 16-3 is a depiction of the IPsec framework with all the possible algorithm choices for
each piece in the framework.
Figure 16-3 IPsec Framework
IPsec Framework
Choices
ESP +
IPsec Protocol AH ESP
AH
Confidentiality DES 3DES AES SEAL
Integrity MD5 SHA
Authentication PSK RSA
Diffie-Hellman DH1 DH2 DH5 DH...
Briefly describe each of the following:

IPsec framework protocol: The protocol used to encapsulate the full packet. Most likely, the
Encapsulating Security Payload (ESP) is used.
Confidentiality: The selection of an encryption algorithm to encrypt and decrypt the original
message.
Integrity: A hash algorithm is used to guarantee that the data has not been altered in transit.
Authentication: A method is used to authenticate the two ends of a tunnel, either PSK or RSA.
DH algorithm: The method in which a shared secret key is established between peers.

Packet Tracer
Packet Tracer - Configuring GRE over IPsec (Optional) (CN 7.3.2.8)
Activity
Remote Access
As discussed earlier in this chapter, VPNs are an ideal remote-access solution for many reasons.
Secure communications can easily be implemented, scaled, and tailored to the access rights of
the individual. This section briefly reviews types of remote-access VPN solutions.
Remote-Access VPN Solutions

What are the two primary methods for deploying remote-access VPNs?
IPsec and SSL
List three benefits or features of Cisco SSL VPN solutions.
Web-based, clientless access, and complete network access without preinstalled desktop soft-
ware
Protection against viruses, worms, spyware, and hackers on a VPN connection by integrating
network and endpoint security in the Cisco SSL VPN platform
Use of a single device for both SSL VPN and IPsec VPN
In Table 16-2, label the two columns with the Cisco SSL VPN solution that is best described
by the statements.
Table 16-2 Cisco SSL VPN Solutions

Cisco SSL VPN Solution Description Cisco AnyConnect Secure Cisco Secure Mobility
Mobility Client with SSL Clientless SSL
Non-corporate-managed devices are X
provided VPN remote access
Provides access to corporate resources X
for devices that are not managed by
the corporation
Provides clients with a LAN-like full X
network access
Remote users establish the SSL session X
using a web browser
A client application must be installed X
on the end-user device
Requires a standalone application be X
installed on the end-user device
Access to services is limited to brows- X
er-based file-sharing resources

IPsec Remote-Access VPNs

The Cisco Easy VPN solution feature offers flexibility, scalability, and ease of use for both
site-to-site and remote-access IPsec VPNs. The Cisco Easy VPN solution consists of three
components. Label each based on the following descriptions.
Cisco Easy VPN Remote: A Cisco IOS router or Cisco ASA firewall acting as a VPN
client
Cisco VPN Client: An application supported on a PC used to access a Cisco VPN server
Cisco Easy VPN Server: A Cisco IOS router or Cisco ASA Firewall acting as the VPN
headend device in site-to-site or remote-access VPNs
IPsec exceeds SSL in many ways. In Table 16-3, indicate whether the characteristic belongs to
SSL or IPsec.
Table 16-3 Comparing SSL and IPsec

Characteristic SSL IPsec
40- to 256-bit key-length encryption. X
Access to all IP-based applications. X
Any device can connect. X
One- or two-way authentication. X
Specifically configured devices can connect. X
Shared secrets or digital certificates for authentication. X
Web applications and file sharing. X
56 to 256-bit, key-length encryption. X
Packet Tracer
Activity

CHAPTER 17
Monitoring the Network
Most of your CCNA studies have focused on implementing networking technologies. But what if there
is currently no design or implementation to do in your job as network administrator? What if the net-
work is already up and running? Then chances are you will be responsible for monitoring the network.
Over the years, several tools have evolved to help you do just that. This chapter focuses on three popu-
lar monitoring tools: Syslog, Simple Network Management Protocol (SNMP), and NetFlow.

Syslog
The most common method of accessing system messages that networking devices provide is to
use a protocol called syslog.
Syslog Operation
Developed in the 1980s and documented as RFC 3164, syslog used UDP port 514 to send
notifications across IP networks to a syslog server. Briefly describe the three main syslog
functions.
Gathers logging information for monitoring and troubleshooting
Can be configured to select the type of logging information that is captured
Can be configured to send captured syslog messages to a destination IP address
List the four destinations these messages can be sent to.
RAM (logging buffer)
Console line
Terminal line
Syslog server
Because you have configured many routers by now, one of the more common messages you
have seen is the interface up and up message, as shown in Example 17-1.
Example 17-1 Syslog Message: Interface Is Up and Up
000039: *Nov 13 15:20:39.999: %LINK-3-UPDOWN: Interface GigabitEthernet0/0, changed

state to up
000040: *Nov 13 15:20:40.999: %LINEPROTO-5-UPDOWN: Line protocol on Interface
GigabitEthernet0/0, changed state to up
In Table 17-1, use the second line of output from Example 17-1 to provide an example of each
field in the syslog message format.
Table 17-1 Syslog Message Format

Field Example
Sequence Number 000040:
Timestamp *Nov 13 15:20:40.999:
Facility %LINEPROTO
Severity 5
Mnemonic UPDOWN
Description Line protocol on Interface GigabitEthernet0/0, changed state to up
By default, the Sequence Number field is not shown. Record the command, including the rout-
er prompt, to add this field to syslog messages.
Router(config)# service sequence-numbers

Chapter 17: Monitoring the Network 215
What are the two different methods to make sure the timestamp is accurate?
Manually set the date and time using the clock command.
Configure the router to get its date and time from an NTP server using the ntp server
ip-address command.
Configuring Syslog
Using the topology and addressing shown in Figure 17-1, record the commands including the
router prompt to configure the logging service on RTA with the following requirements:
All logging messages should be sent to the console and to the buffer as well as the syslog
server.
Only log messages with severity 5 or lower.
The source interface for logged messages should always be the G0/0 interface.
Figure 17-1 Syslog Configuration Topology
G0/0
Syslog
RTA Server
10.10.10.1 10.10.10.10

RTA(config)# logging console
RTA(config)# logging buffer
RTA(config)# logging 10.10.10.10
RTA(config)# logging trap 5
RTA(config)# logging source interface g0/0
What command will display the messages logged to RAM?

RTA# show logging
Lab - Configuring Syslog and NTP (CN 8.1.2.6)
Packet Tracer - Configuring Syslog and NTP (CN 8.1.2.5)

Packet Tracer
Activity
SNMP
SNMP began with a series of three RFCs back in 1988 (1065, 1066, and 1067). The SNMP
name is derived from RFC 1067, A Simple Network Management Protocol. Since then, SNMP
has undergone several revisions.
SNMP Operation
SNMP is an application layer protocol that provides a standardized way of communicating
information between SNMP agents and SNMP managers using UDP port 162. The SNMP
manager is part of a network management system (NMS). The SNMP manager can collect

information from agents using get messages. Each agent stores data about the device in the
Management Information Base (MIB) locally so that it is ready to respond to these messages
from the NMS. Agents can also be configured to forward directly to the NMS using trap
messages.
In Table 17-2, indicate the SNMP message type for each of the descriptions provided.
Table 17-2 SNMP Message Type

Operation Description
get-request Retrieves a value from a specific variable.
get-next-request Retrieves a value from a variable within a table. The SNMP manager does
not need to know the exact variable name; a sequential search is per-
formed to find the needed variable from within a table.
get-bulk-request Retrieves large blocks of data, such as multiple rows in a table; only
works with SNMPv2 or later.
get-response Replies to messages sent by an NMS.
set-request Stores a value in a specific variable.
trap An unsolicited message sent by an SNMP agent to an SNMP manager
when some event has occurred.
Although SNMPv1 is legacy, Cisco IOS supports all three versions. All versions of SNMP
use SNMP managers, agents, and MIBs. In todays networks, you will most likely encounter
SNMPv3 or SNMPv2c. In Table 17-3, indicate whether the SNMP characteristic applies to
SNMPv2c, SNMPv3, or both.
Table 17-3 Comparing SNMPv2c and SNMPv3

Characteristic SNMPv2c SNMPv3 Both
Used for interoperability and includes message integrity X
Provides services for security models X
Uses community-based forms of security X
Includes expanded error codes with types X
Provides services for both security models and security levels X
Authenticates the source of management messages X
Cannot provide encrypted management messages X
Supported by Cisco IOS software X
In SNMPv1 and SNMPv2c, access to the MIB is controlled through the use of two types of
community strings:
Read-only(ro): Access to MIB variables but no changes allowed
Read-write(rw): Access and manipulation of MIB variables allowed
Why is this type of access no longer considered best practice?
Community strings are sent in plain text across the network. They are easy to intercept, read,
alter, and resend.
The MIB defines a variable using a MIB object ID. These IDs are derived hierarchically using
the scheme shown in Figure 17-2. Label Figure 17-2 with the most common public variables.

Figure 17-2 Management Information Base Object ID Scheme
cisco (9).
local variables (2). cisco mgmt (9).
interface group (2). cisco flash group (10).
Management Information Base Object ID Scheme (answer)
iso (1).
org (3).
dod (6).
internet (1).
private (4).
enterprises (1).
cisco (9).
local variables (2). cisco mgmt (9).
interface group (2). cisco flash group (10).

Lab - Researching Network Monitoring Software (CN 8.2.1.8)
Configuring SNMP
In Figure 17-3, RTA is an SNMP agent and NMS is an SNMP manager. Record the commands
to configure SNMPv2 on RTA with the following requirements:
Use an ACL to allow NMS read-only access to the router using community string
NMS_eyesonly.
Location is Aloha_Net and the contact is Bob Metcalfe.
Specify that 10.10.10.10 is the recipient of traps and explicitly configure the router to
send traps.
Figure 17-3 SNMP Configuration Topology
Gets
G0/0
NMS
RTA
10.10.10.1 10.10.10.10
Traps
RTA(config)# ip access-list standard SNMP

RTA(config-std-nacl)# permit 10.10.10.10
RTA(config-std-nacl)# exit
RTA(config)# snmp-server community NMS_eyesonly ro SNMP
RTA(config)# snmp-server location Aloha_Net
RTA(config)# snmp-server contact Bob Metcalfe
RTA(config)# snmp-server host 10.10.10.10 version 2c NMS_eyesonly
RTA(config)# snmp-server enable traps
Record the commands that generate the SNMP verification output for RTA shown in Example
17-2.
Example 17-2 SNMP Verification Commands
RTA# show snmp

Chassis: FTX163283RZ
Contact: Bob Metcalfe
Location: Aloha_Net
0 SNMP packets input
0 Bad SNMP version errors
0 Unknown community name
0 Illegal operation for community name supplied
0 Encoding errors
0 Number of requested variables
0 Number of altered variables

0 Get-request PDUs
0 Get-next PDUs
0 Set-request PDUs
0 Input queue packet drops (Maximum queue size 1000)
0 SNMP packets output
0 Too big errors (Maximum packet size 1500)
0 No such name errors
0 Bad values errors
0 General errors
0 Response PDUs
0 Trap PDUs
SNMP Dispatcher:
queue 0/75 (current/max), 0 dropped
SNMP Engine:
queue 0/1000 (current/max), 0 dropped
SNMP logging: enabled

Logging to 10.10.10.10.162, 0/10, 0 sent, 0 dropped.
RTA# show snmp community
Community name: ILMI

Community Index: cisco0
Community SecurityName: ILMI
storage-type: read-only active
Community name: NMS_eyesonly

Community SecurityName: NMS_eyesonly
storage-type: nonvolatile active access-list: SNMP
Community name: NMS_eyesonly@1

Community SecurityName: NMS_eyesonly@1
storage-type: nonvolatile active access-list: SNMP
NetFlow
Although syslog and SNMP are powerful tools for collecting information about networking
devices, owners of networks were looking for a tool to measure TCP/IP flows. So, Cisco engi-
neers developed NetFlow, which quickly gained popularity in the marketplace.

NetFlow Operation
What is the latest version of NetFlow called?
Flexible NetFlow
What improvements does it make over the original version?
Flexible NetFlow adds the capability to customize the traffic analysis parameters for the
specific requirements of a network administrator.
Briefly describe four reasons to use NetFlow.
Measuring who is using what network resources for what purpose
Accounting and charging back according to the resource utilization level
Using the measured information to do more effective network planning so that resource
allocation and deployment is well aligned with customer requirements
Using the information to better structure and customize the set of available applications
and services to meet user needs and customer service requirements
NetFlow is not a replacement for SNMP. Both have their purposes in network monitoring. In
Table 17-4, indicate whether the characteristic describes SNMP or NetFlow.
Table 17-4 Comparing SNMP and NetFlow

Characteristics SNMP NetFlow
Agents can send traps to a network management system when defined X
events occur.
Access to the MIB is controlled through community string settings. X
An external server (collector) is used to record IP network monitored X
cache changes.
Interface errors, CPU usage, and memory usage are not recorded. X
A Management Information Base (MIB) is used to record network moni- X
tored events.
Collects IP data to record who used network resources and for what pur- X
pose those resources were used.
Define a TCP/IP flow.

A flow is a unidirectional stream of packets between a source and a destination.
What fields in a packet are used to determine that the packet is from a different flow?
Source IP address, destination IP address, source port number, destination port number, Layer
3 protocol type, ToS marking, and input logical interface
Configuring NetFlow
To implement NetFlow on a router, complete the following steps:
Step 1. Configure NetFlow to capture inbound and outbound packets.
Step 2. Configure where to send NetFlow data.
Step 3. Verify NetFlow is operational.

Using Figure 17-4 as a reference, record the commands configure RTA to capture and send
NetFlow data from interface G0/0 to the collector using Version 9.
Figure 17-4 NetFlow Configuration Topology
NetFlow
Collector
G0/0
RTA
10.10.10.1 10.10.10.10
RTA(config)# interface g0/0

RTA(config-if)# ip flow ingress
RTA(config-if)# ip flow egress
RTA(config-if)# exit
RTA(config)# ip flow-export destination 10.10.10.10 2055
RTA(config)# ip flow-export version 9
Record the commands that generated the NetFlow verification output on RTA shown in
Example 17-3.
Example 17-3 NetFlow Verification
RTA# show ip flow interface

GigabitEthernet0/0
ip flow ingress
ip flow egress
RTA# show ip cache flow
IP packet size distribution (132959 total packets):
1-32 64 96 128 160 192 224 256 288 320 352 384 416 448 480
.998 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000
512 544 576 1024 1536 2048 2560 3072 3584 4096 4608
.000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000
IP Flow Switching Cache, 278544 bytes

1 active, 4095 inactive, 32 added
728 ager polls, 0 flow alloc failures
Active flows timeout in 30 minutes
Inactive flows timeout in 15 seconds
IP Sub Flow Cache, 34056 bytes
1 active, 1023 inactive, 28 added, 28 added to flow
0 alloc failures, 0 force free
1 chunk, 1 chunk added
last clearing of statistics never

Protocol Total Flows Packets Bytes Packets Active(Sec) Idle(Sec)

-------- Flows /Sec /Flow /Pkt /Sec /Flow /Flow
UDP-other 13 0.0 10225 32 37.4 17.6 15.5
ICMP 18 0.0 1 181 0.0 0.1 15.0
Total: 31 0.0 4288 32 37.4 7.5 15.2
SrcIf SrcIPaddress DstIf DstIPaddress Pr SrcP DstP Pkts
SrcIf SrcIPaddress DstIf DstIPaddress Pr SrcP DstP Pkts

Gi0/0 10.10.10.10 Local 10.10.10.1 01 0000 0303 1
RTA# show ip flow export
Flow export v9 is enabled for main cache
Export source and destination details :
VRF ID : Default
Destination(1) 10.10.10.10 (2055)
Version 9 flow records
63 flows exported in 29 udp datagrams
0 flows failed due to lack of export packet
0 export packets were sent up to process level
0 export packets were dropped due to no fib
0 export packets were dropped due to adjacency issues
0 export packets were dropped due to fragmentation failures
0 export packets were dropped due to encapsulation fixup failures
Lab - Collecting and Analyzing NetFlow Data (CN 8.3.3.3)

CHAPTER 18
Troubleshooting the Network
In an ideal world, networks would never fail. But mechanical failures happen. Users of the network do
unexpected things. So, issues will arise that require a network administrators effective troubleshooting
skillsone of the most sought after skills in IT. This chapter reviews network documentation, general
troubleshooting methods, and tools.

Troubleshooting with a Systematic Approach

Documentation is the starting point and is a crucial factor in the success of any troubleshoot-
ing effort. With documentation in hand, a network administrator can choose a troubleshooting
method, isolate the problem, and implement a solution.
Network Documentation
List three types of documentation a network administrator should have to effectively trouble-
shoot issues.
Configuration files
Physical and logical topology diagrams
Baseline performance measurements
List at least four pieces of information that could be included in a network devices configura-
tion documentation.
Type of device, model designation
IOS image name
Device network hostname
Location of the device (building, floor, room, rack, panel)
Module types and in which module slot they are located
Data link layer addresses
Network layer addresses
List at least four pieces of information that could be included in an end systems configuration
documentation.
Device name (purpose)
Operating system and version
MAC addresses
IPv4 and IPv6 addresses
Subnet mask and prefix length
Default gateway, DNS server, and WINS server addresses
Any high-bandwidth network applications that the end system runs
In Table 18-1, indicate whether the feature is part of a physical topology document or logical
topology document.

Chapter 18: Troubleshooting the Network 225
Table 18-1 Physical and Logical Topology Features

Feature Physical Topology Logical Topology
WAN technologies used X
Interface identifiers X
Connector type X
Device identifiers or names X
Cable specification X
Operating system version X
Cabling endpoints X
Device type X
Data-link protocols X
DLCI for virtual circuits X
Site-to-site VPNs X
Static routes X
Cable type and identifier X
Routing protocols X
Connection type X
IP address and prefix lengths X
Model and manufacturer X
As you learned in Chapter 17, Monitoring the Network, the purpose of network monitoring
is to watch network performance in comparison to a predetermined baseline.
What is the minimum duration for capturing data to establish a baseline?
7 days
When is the best time to establish a baseline of network performance?
During the hours when the network is used the most
In Table 18-2, indicate which statements describe benefits of establishing a network baseline.
Table 18-2 Benefits of Establishing a Network Baseline

Statements Benefit Not a Benefit
Enable fast transport services between campuses X
Investigate if the network can meet the identified policies and use X
requirements
Combine two hierarchical design layers X
Locate areas of the network that are most heavily used X
Identify the parts of the network that are least used X
Identify where the most errors occur X
Establish the traffic patterns and loads for a normal or average day X

When documenting the network, it is often necessary to gather information directly from routers and switches
using a variety of show commands. Match the information gathered on the left with the show command on the
right.
Information Gathered Command
a. Contents of the address resolution table e. show ip route
b. Uptime and information about device soft- a. show arp
ware and hardware g. show vlan
c. Detailed settings and status for device inter- f. show ip interface brief
faces
h. show running-config
d. Summary of the NetFlow accounting statistics
b. show version
e. Contents of the routing table
c. show interface
f. Summarized table of the up/down status of all
d. show ip cache flow
device interfaces
g. Summary of VLANs and access ports on a
switch
h. Current configuration of the device

Packet Tracer
Packet Tracer - Troubleshooting Challenge - Documenting the Network (CN 9.1.1.8)
Activity
Troubleshooting Process and Methodologies

All troubleshooting methodologies have four stages they share in common: three stages to find
and solve the problem and a final important stage after the problem is resolved. In Figure 18-1,
label the four major stages in the troubleshooting process.
Figure 18-1 Major Troubleshooting Stages
Stage 1:
Stage 2:
Stage 3:
No Yes
Problem Fixed?
If it did not fix the problem or if it

created another problem, undo Stage 4:
corrective action and start again.
Figure 18-1a Major Troubleshooting Stages (answer)
Stage 1: Gather Symptoms
Stage 2: Isolate the Problem
Stage 3: Implement Corrective

Action
No Yes
Problem Fixed?
If it did not fix the problem or if it

Stage 4: Document solution and
created another problem, undo
save changes.
corrective action and start again.

Note: The Academy curriculum does not label the last stage as Stage 4. However, that is most likely an
oversight. Stage 4 is indeed the final and arguably most important stage.
The gathering symptoms stage can be broken into five steps:

Step 1. Gather information
Step 2. Determine ownership
Step 3. Narrow the scope
Step 4. Gather symptoms from suspect devices
Step 5. Document symptoms

In Step 1, you will most likely use a variety of commands to progress through the process of gathering symp-
toms. In the following activity, match the information gathered with the testing command.
Information Gathered Testing Command
a. Displays a summary status of all the IP h. show running-config
Version 6 interfaces on a device e. debug ?
b. Shows the path a packet takes through the b. traceroute
networks
a. show ipv6 interface brief
c. Displays the IP version 6 routing table
f. show protocols
d. Connects remotely to a device by IP address
c. show ipv6 route
or URL
g. ping
e. Offers a list of options for real-time diagnos-
tics d. telnet
f. Shows global and interface specific status of

Layer 3 protocols
g. Sends an echo request to an address and waits
for a reply
h. Shows the current configuration of the device

In Table 18-3, identify the troubleshooting methodology described by each statement.
Table 18-3 Troubleshooting Methodologies

Statements Bottom Top Divide Shoot from Spot the Move the
Up Down Conquer the Hip Difference Problem
Disadvantage is it requires X
you to check every device
and interface
Begins at the OSI applica- X
tion layer
Use an experienced trou- X
bleshooting guess to inves-
tigate a possible cause
Used for problems that X
likely involve software
settings
Compare a working and X
nonworking situation
while looking for the sig-
nificant differences
Use when suspected prob- X
lem is cabling or device
failure
Begins at the OSI physical X
layer
Swap the problematic X
device with a known-
working device
Start with an informed X
guess for which OSI layer
to begin troubleshooting
Disadvantage is it requires X
you to check every net-
work application
Network Troubleshooting
Effective troubleshooting requires good tools and systematic approaches. The section reviews
some of the tools used in todays networks and some specific troubleshooting symptoms at
various OSI layers.

Troubleshooting Tools
A wide variety of software and hardware tools is available to make troubleshooting easier. You can use these
tools to gather and analyze symptoms of network problems. Match the description on the left with the tool on
the right.
Description Software and Hardware Tools
a. Online repositories of experience-based infor- h. Host-based protocol analyzer
mation e. Cable tester
b. Discovers VLAN configuration, average and b. Portable network analyzer
peak bandwidth utilization using a portable
c. Baseline establishment tool
device
j. Cable analyzer
c. Tools that document tasks, draw network
diagrams, and establish network performance i. Network Management System Tool
statistics f. Cisco IOS Embedded Packet Capture
d. Measures electrical values of voltage, current, a. Knowledge Base
and resistance g. Network Analysis Module
e. Tests data communication cabling for broken d. Digital multimeter
wires, crossed wiring, and shorted connec-
tions
f. Powerful troubleshooting and tracing tool that
provides traffic tracking as it flows through a
router
g. Provides a graphical representation of traffic
from local and remote switches and routers
h. Analyzes network traffic, specifically source
and destination frames
i. Includes device-level monitoring, configura-
tion, and fault management
j. Tests and certifies copper and fiber cables for
different services and standards via a handheld
device

Network Troubleshooting and IP Connectivity

A network administrator should be able to quickly isolate the OSI layer where an issue is most
likely located. In Table 18-4, indicate the most likely layer associated with each issue.
Table 18-4 Isolating the OSI Layer Where an Issue Resides

Network Problems and Issues OSI Layers
1 2 3 4 5, 6, and 7
A computer is configured with the wrong default gateway. X
The DNS server is not configured with the correct A X
records.
Traffic is congested on a low capacity link and frames are X
lost.
STP loops and route flapping are generating a broadcast X
storm.
A cable was damaged during a recent equipment install. X
ACLs are misconfigured and blocking all web traffic. X
SSH error messages display unknown/untrusted certificates. X
The show processes cpu command displays usage way X
beyond the baseline.
A VPN connection is not working correctly across a NAT X
boundary.
A static route is sending packets to the wrong router. X
The routing table is missing routes and has unknown X
networks listed.
On a PPP link, one side is using the default Cisco encapsula- X
tion.
SNMP messages are unable to traverse NAT. X
Knowing which command to use to gather the necessary information for troubleshooting is
crucial to effectively and efficiently resolving problems. All the commands you have mastered
over the course of your CCNA studies are part of your troubleshooting toolkit. This next exer-
cise only highlights a few.

Match the command output on the left with the command on the right.
Command Output Command
a. Displays all known destinations on a Windows e. show ipv6 neighbors
PC h. ipconfig
b. Displays all known IPv6 destinations on a b. show ipv6 route
router
c. telnet
c. Can be used to verify the transport layer
f. show mac address-table
d. Clears the MAC to IP address table on a PC
d. arp -d
e. Displays the MAC to IP address table for other
a. route print
IPv6 devices
g. show interfaces
f. Displays the known MAC addresses on a
switch
g. Displays input and output queue drops
h. Displays the IP addressing information on a
Windows PC

Note: No book or study guide will effectively teach you how to troubleshoot networks. To get proficient
at it, you must practice troubleshooting on lab equipment and simulators. This practice works best with
a partner or a team because (1) you can collaborate together to resolve issues and (2) you can swap roles,
taking turns breaking the network while the other person or team resolves the issue. For those readers
with access to the Academy curriculum, the Packet Tracer activities in this chapter are great resources for
just such practice sessions with your team. But you also know enough now that you can create your own
troubleshooting scenarios to try out on each other. There is no doubt that you will be asked to trouble-
shoot several issues on the CCNA exam. So, practice as much as you can now in preparation for the test.
You might be surprised how fun and rewarding it can be.
Packet Tracer
Packet Tracer - Troubleshooting Enterprise Networks 1 (CN 9.2.3.12)
Activity
Packet Tracer - Troubleshooting Challenge - Using Documentation to Solve Issues

(CN 9.2.3.15)
Packet Tracer - CCNA Skills Integration Challenge (CN 9.3.1.2)


CCNA Routing and Switching: Scaling Networks Practice and Study Guide ICND2 200-101 (Instructor&#39;s Version)

Diunggah oleh

Informasi Dokumen

Hak Cipta

Format Tersedia

Bagikan dokumen Ini

Bagikan atau Tanam Dokumen

Opsi Berbagi

Apakah menurut Anda dokumen ini bermanfaat?

Apakah konten ini tidak pantas?

Hak Cipta:

Format Tersedia

CCNA Routing and Switching: Scaling Networks Practice and Study Guide ICND2 200-101 (Instructor&#39;s Version)

Diunggah oleh

Hak Cipta:

Format Tersedia

CCNA Routing and Switching

Practice and Study Guide:

Instructors Answer Key

instructor.indb i 3/12/14 7:51 AM

Published by: Senior Development Editor

instructor.indb ii 3/12/14 7:51 AM

instructor.indb iii 3/12/14 7:51 AM

About the Author

instructor.indb iv 3/12/14 7:51 AM

About the Technical Reviewer

instructor.indb v 3/12/14 7:51 AM

instructor.indb vi 3/12/14 7:51 AM

instructor.indb vii 3/12/14 7:51 AM

Part I: Scaling Networks

Chapter 1 Introduction to Scaling Networks 1

Chapter 2 LAN Redundancy 13

Chapter 3 Link Aggregation 31

Chapter 4 Wireless LANs 41

Chapter 5 Adjust and Troubleshoot Single-Area OSPF 57

Chapter 6 Multiarea OSPF 77

Chapter 8 EIGRP Advanced Configurations and Troubleshooting 109

Chapter 9 IOS Images and Licensing 127

Part II: Connecting Networks

Chapter 10 Hierarchical Network Design 137

Chapter 11 Connecting to the WAN 147

Chapter 12 Point-to-Point Connections 155

Chapter 13 Frame Relay 171

Chapter 14 Network Address Translation for IPv4 181

Chapter 15 Broadband Solutions 193

Chapter 16 Securing Site-to-Site Connectivity 203

Chapter 17 Monitoring the Network 213

Chapter 18 Troubleshooting the Network 223

instructor.indb viii 3/12/14 7:51 AM

Part I: Scaling Networks

Chapter 1 Introduction to Scaling Networks 1

Chapter 2 LAN Redundancy 13

Chapter 3 Link Aggregation 31

instructor.indb ix 3/12/14 7:51 AM

Link Aggregation Configuration 33

Chapter 4 Wireless LANs 41

Chapter 5 Adjust and Troubleshoot Single-Area OSPF 57

instructor.indb x 3/12/14 7:51 AM

Chapter 6 Multiarea OSPF 77

Chapter 8 EIGRP Advanced Configurations and Troubleshooting 109

instructor.indb xi 3/12/14 7:51 AM

Chapter 9 IOS Images and Licensing 127

Part II: Connecting Networks

Chapter 10 Hierarchical Network Design 137

Chapter 11 Connecting to the WAN 147

Chapter 12 Point-to-Point Connections 155

instructor.indb xii 3/12/14 7:51 AM

Configure PPP 165

Chapter 13 Frame Relay 171

Chapter 14 Network Address Translation for IPv4 181

Chapter 15 Broadband Solutions 193

instructor.indb xiii 3/12/14 7:51 AM

Chapter 16 Securing Site-to-Site Connectivity 203

Chapter 17 Monitoring the Network 213

Chapter 18 Troubleshooting the Network 223

instructor.indb xiv 3/12/14 7:51 AM

Icons Used in This Book

Router Bridge Hub DSU/CSU

Catalyst Multilayer ATM ISDN/Frame Relay

Communication Gateway Access Server

CCNA Routing and Switching: Scaling Networks Practice and Study Guide ICND2 200-101 (Instructor's Version)

CCNA Routing and Switching: Scaling Networks Practice and Study Guide ICND2 200-101 (Instructor's Version)