
Terms

Virtual Teletype Terminal (VTY)

The management interface through which a computer connects to the switch over the network

Switched Virtual Interface (SVI)

  • A switch does not have a physical interface to which an IP address can be assigned.
    • The IP address is configured on a virtual interface called a switched virtual interface (SVI).
  • Switched Virtual Interface (SVI)
    • A single SVI can only be mapped to one VLAN.
    • An SVI cannot come up unless its VLAN is associated with an active physical port.

Basic Cisco IOS CLI Commands

switch# copy running-config startup-config

Save the running configuration to startup-config

switch(config)# hostname SW-EC1f

Change the hostname

SW-EC1f(config)# line console 0
SW-EC1f(config-line)# password passwd1
SW-EC1f(config-line)# login

Set the console access password (not encrypted)

SW-EC1f(config)# enable password passwd2

Set the privileged EXEC access password (not encrypted)

SW-EC1f(config)# service password-encryption

Encrypt the passwords shown in running-config (not very useful, since the encoding is reversible)

SW-EC1f(config)# username user secret passwd3
SW-EC1f(config)# line console 0
SW-EC1f(config-line)# login local

Set console access with a local username and an MD5-hashed secret

SW-EC1f(config)# enable secret passwd4

Set the privileged EXEC secret (MD5 hashed)

SW-EC1f(config)# banner motd !
helloworld hellloflvksdflsdk!
SW-EC1f(config)#

Set the banner message (message of the day); "!" is the delimiter

(config)# line console 0
(config-line)# exec-timeout 0

Set the EXEC timeout (0 disables the timeout)

(config)# ip default-gateway x.x.x.x

Set default gateway (for L2 devices)

Cisco Discovery Protocol (CDP)

A Cisco proprietary protocol

Sw-Lab1# show cdp neighbors

Show all neighbors

Sw-Lab1# show cdp entry Device-ID

Show details of one neighbor

Sw-Lab1(config)# no cdp run

disable CDP globally

Sw-Lab1(config)# interface fastEthernet 0/1
Sw-Lab1(config-if)# no cdp enable

disable CDP for an interface

LLDP

  • IEEE standard protocol
  • Similar to CDP
  • Not enabled by default

Sw-Lab1(config)# lldp run

enable LLDP globally

Sw-Lab1(config)# interface fastEthernet 0/1
Sw-Lab1(config-if)# lldp receive
Sw-Lab1(config-if)# lldp transmit

enable LLDP for an interface

Sw-Lab1# show lldp neighbors

show all neighbors

Virtual LAN (VLAN)

switch# configure terminal
switch(config)# vlan vlan-num
switch(config-vlan)# name vlan-name (optional)

Create a VLAN

(config)# interface type interface_number
(config-if)# switchport mode access
(config-if)# switchport access vlan vlan-num

Assign an interface to a VLAN as an access port

  VLANs      Range     Usage
  0, 4095    Reserved  For system use
  1          Normal    Cisco default
  2-1001     Normal    For Ethernet VLANs; can be modified
  1002-1005  Normal    Cannot be deleted (Cisco defaults for FDDI and Token Ring)
  1006-4094  Extended  For Ethernet VLANs only

VLAN number table

(config)# interface type interface_number
(config-if)# switchport trunk encapsulation {isl|dot1q|negotiate} 
(config-if)# switchport trunk allowed vlan {vlan-list|except vlan-list|all}
(config-if)# switchport mode trunk

Create a trunk

(config-if)# switchport trunk allowed vlan {add|remove} vlan-list

Modify the VLANs allowed on an existing trunk

(config)# interface vlan vlan-num
(config-if)# ip address ip netmask

Set the IP address of a VLAN interface (SVI)

(config)# ip routing

Enable routing on an L3 switch

(config)# interface type interface_number
(config-if)# switchport trunk encapsulation dot1q
(config-if)# switchport trunk native vlan vlan-num

Set the native VLAN (Cisco default is 1)

(config-if)# switchport mode dynamic {desirable|auto}

Dynamic trunking (default is desirable)
The port actively tries to negotiate trunking mode

Spanning Tree Protocol (STP)

  • A hostname other than the default hostname must be set first

(config)# no spanning-tree vlan vlan-id

Disable STP on the specified VLAN

(config)# spanning-tree vlan vlan-id

Re-enable STP on the specified VLAN

  • Check the connectivity between hosts
  • Restore the settings

  Protocol     Standard  Resources needed  Convergence  Tree calculation
  STP          802.1D    Low               Slow         All VLANs
  PVST+        Cisco     High              Slow         Per VLAN
  RSTP         802.1w    Medium            Fast         All VLANs
  Rapid PVST+  Cisco     Very high         Fast         Per VLAN
  MSTP         802.1s    Medium or high    Fast         Per instance

(config)# spanning-tree mode mode

STP mode

(config)# spanning-tree vlan vlan-id root [ primary | secondary ]
(config)# spanning-tree vlan vlan-id priority value

Set bridge priority

  • The bridge priority must be a multiple of 4096

(config)# interface interface
(config-if)# spanning-tree vlan value cost value

Set interface cost

switch# show spanning-tree vlan 1

Show tree cost

Bridge priority v.s. Cost

  • If you want to affect how the local switch elects its root port, change the cost on its links. Cost is cumulative throughout the STP domain; a higher cost is less preferred.
  • If you want to affect how a downstream switch elects its root port, change the port priority. This is only locally significant between the two directly connected switches; a higher priority value is less preferred.
  • Going away from the root of the tree, use priority; going towards the root of the tree, use cost.
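The election rules above, worked through on a constructed three-switch topology (added example, not part of the notes): root bridge by lowest (priority, MAC), then each switch's root port by cumulative cost, sender bridge ID and sender port priority. Link costs are assumed symmetric to keep the model short.

```python
import heapq

# Constructed topology (not from the notes). Bridge ID = (priority, MAC);
# the priority must be a multiple of 4096, as the notes state.
BRIDGES = {
    "SW1": (4096, "00:00:00:00:00:01"),   # spanning-tree vlan 1 priority 4096
    "SW2": (32768, "00:00:00:00:00:02"),
    "SW3": (32768, "00:00:00:00:00:03"),
}
# (switch A, port on A, switch B, port on B, port cost); the cost is assumed
# to be the same in both directions.
LINKS = [
    ("SW1", "Gi0/1", "SW2", "Gi0/1", 4),
    ("SW1", "Gi0/2", "SW3", "Gi0/1", 4),
    ("SW2", "Gi0/2", "SW3", "Gi0/2", 4),
    ("SW2", "Gi0/3", "SW3", "Gi0/3", 4),   # parallel link, same cost
]


def elect_root(bridges):
    """Root bridge = lowest bridge ID = lowest (priority, MAC)."""
    for priority, _ in bridges.values():
        if priority % 4096 or not 0 <= priority <= 61440:
            raise ValueError("bridge priority must be a multiple of 4096")
    return min(bridges, key=lambda name: bridges[name])


def root_path_costs(links, root):
    """Dijkstra over port costs: cost accumulates on the way to the root."""
    adj = {}
    for a, _, b, _, cost in links:
        adj.setdefault(a, []).append((b, cost))
        adj.setdefault(b, []).append((a, cost))
    dist, heap = {root: 0}, [(0, root)]
    while heap:
        d, node = heapq.heappop(heap)
        if d > dist[node]:
            continue
        for nbr, cost in adj.get(node, []):
            if d + cost < dist.get(nbr, float("inf")):
                dist[nbr] = d + cost
                heapq.heappush(heap, (d + cost, nbr))
    return dist


def root_port(switch, bridges, links, port_priority, root):
    """Root port = lowest root path cost, then lowest sender bridge ID, then
    lowest sender port priority (default 128), then lowest local port."""
    dist = root_path_costs(links, root)
    best = None
    for a, pa, b, pb, cost in links:
        if switch == a:
            local, remote, rport = pa, b, pb
        elif switch == b:
            local, remote, rport = pb, a, pa
        else:
            continue
        key = (dist[remote] + cost, bridges[remote],
               port_priority.get((remote, rport), 128), local)
        if best is None or key < best:
            best = key
    return best[3]


if __name__ == "__main__":
    root = elect_root(BRIDGES)
    print("root bridge:", root)
    for sw in BRIDGES:
        if sw != root:
            print(sw, "root port:", root_port(sw, BRIDGES, LINKS, {}, root))
```

Raising the cost of SW3's link to SW1 moves SW3's root port to one of the parallel links towards SW2, and only then does SW2's port priority decide between them.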


Portfast

  • Allows a port to go from blocking straight to forwarding, bypassing the listening and learning states.

(config)# interface interface
(config-if)# spanning-tree portfast

Portfast on an interface.

(config)# spanning-tree portfast default

Portfast on all non-trunking interfaces.

(config)# interface interface
(config-if)# spanning-tree bpduguard enable

turn on BPDU guard

(config)# spanning-tree portfast bpdufilter default

Enable BPDU filtering globally (deprecated on Packet Tracer)

(config)# interface interface
(config-if)# spanning-tree bpdufilter enable

Enable BPDU filtering on a specific switch port (deprecated on Packet Tracer)

(config)# interface interface
(config-if)# spanning-tree guard root

Enable root guard

  • If a superior BPDU is received on the port, root guard ignores it and puts the port into the root-inconsistent state

Routing

  • Routers learn next hops from
    • Static routing
      • Manually configured into the routing table.
      • Must be reconfigured whenever the network topology changes.
    • Dynamic routing
      • automatically learned through dynamic routing protocols.

Administrative Distance

  • The trustworthiness value routers use to select the best path when the same destination is learned from several sources (lower is preferred).

  Route source         Administrative distance
  Connected            0
  Static               1
  EIGRP summary route  5
  External BGP         20
  Internal EIGRP       90
  IGRP                 100
  OSPF                 110
  RIP                  120
  External EIGRP       170
  Internal BGP         200

Router(config)# ip route network-address subnet-mask { exit-intf | ip-address}

Static route configuration

Core# show ip route

Show routing table

(config)# ip route 0.0.0.0 0.0.0.0 {interface|ip}

Set default gateway (for L3 devices)

Routing Information Protocol v2 (RIPv2)

Core(config)# router rip
Core(config-router)# version 2
Core(config-router)# network 192.168.0.0 ! 192.168.0.0/30
Core(config-router)# network 192.168.0.4 ! 192.168.0.4/30
Core(config-router)# network 192.168.0.8 ! 192.168.0.8/30

Example setting

Core(config)# ip route 0.0.0.0 0.0.0.0 203.0.113.42
Core(config)# router rip
Core(config-router)# version 2
Core(config-router)# default-information originate

Propagate a default route

R2(config)# router rip
R2(config-router)# no auto-summary

Disable auto summarization

EC3F(config)# router rip
EC3F(config-router)# passive-interface Fa0/4
EC3F(config-router)# passive-interface default
EC3F(config-router)# no passive-interface Gi0/1

Passive interface for RIP

OSPF

Settings

gateway

NYCU(config)# ip route 0.0.0.0 0.0.0.0 gi 0/0
NYCU(config)# router ospf 10
NYCU(config-router)# router-id 8.8.8.8
NYCU(config-router)# network 140.113.0.1 0.0.0.7 area 0
NYCU(config-router)# network 8.0.0.1 0.255.255.255 area 0
NYCU(config-router)# passive-interface gi 0/0
NYCU(config-router)# default-information originate

general

CS-Core(config)# router ospf 10
CS-Core(config-router)# router-id 1.1.1.1
CS-Core(config-router)# network 140.113.0.2 0.0.0.7 area 0
CS-Core(config-router)# network 140.113.0.129 0.0.0.3 area 1
CS-Aggr(config)# router ospf 10
CS-Aggr(config-router)# router-id 1.1.1.10
CS-Aggr(config-router)# network 140.113.0.130 0.0.0.3 area 1
CS-Aggr(config-router)# network 140.113.10.254 0.0.0.255 area 1
Dorm-Core(config)# router ospf 10
Dorm-Core(config-router)# router-id 2.2.2.2
Dorm-Core(config-router)# network 140.113.0.3 0.0.0.7 area 0
Dorm-Core(config-router)# network 140.113.0.113 0.0.0.3 area 2
Dorm-Aggr(config)# router ospf 10
Dorm-Aggr(config-router)# router-id 2.2.2.20
Dorm-Aggr(config-router)# network 140.113.0.134 0.0.0.3 area 2
Dorm-Aggr(config-router)# network 140.113.20.254 0.0.0.255 area 2

interface cost

switch(config-if)# ip ospf cost 100

Verify

multi-area OSPF advertise

NYCU# show ip protocols

multi-area OSPF adjacency

NYCU# show ip ospf neighbor

multi-area OSPF route

NYCU# show ip route

Router Types

internal router

  • A router that has all of its interfaces in the same area
  • All internal routers in the same area have identical LSDBs

backbone router

  • A backbone router is a router that runs OSPF and has at least one interface connected to the OSPF backbone area.

area border router (ABR)

  • A router that has interfaces attached to multiple areas
  • Maintain separate LSDB for each area it is connected to
  • Exit points of the area, which means that routing information destined for another area can get there via ABR of the local area
  • Can be configured to summarize the routing information from the LSDB of their areas
  • Distribute routing information into backbone
    • Backbone router forwards information to the other ABRs
  • In multiarea network, an area can have one or more ABRs

autonomous system boundary router (ASBR)

  • A router that has at least one interface attached to an external internetwork
  • An external network is a network that is not part of this OSPF routing domain
  • An ASBR can import external network information to the OSPF network

A Link State Database(LSDB) contains LSAs

  • In combination, LSAs describe the entire topology of an OSPF network/area

OSPF LSA Types

  • Type 1, Router Link: sent by any OSPF router to all other routers in the same area; carries link/network information
  • Type 2, Network Link: sent by the DR to the BDR/DRothers; lists the routers the DR connects with
  • Type 3, Summary Network Link: sent by an ABR to all other routers in the same area; network information of other areas
  • Type 4, Summary AS Border Link: sent by an ABR to all other routers in the same area; information about the ASBR
  • Type 5, AS External Link: sent by an ASBR to all routers in the OSPF routing domain; external networks
  • Type 7, Router Link: sent by an ASBR to all routers in the NSSA; external networks

verify

CS-Core# show ip ospf 10 database router

Stub Area

  • No Type 5 LSA
  • ABR will send a default route (0.0.0.0) as type 3 LSA

config

Dorm-Core(config-router)# area 2 stub
Dorm-Aggr(config-router)# area 2 stub

Totally Stub Area

  • No Type 3,4,5 LSA
  • The only type 3 is 0.0.0.0

config

Dorm-Core(config-router)# area 2 stub no-summary
Dorm-Aggr(config-router)# area 2 stub no-summary

Not So Stubby Area (NSSA)

  • Extension of OSPF stub areas
  • Must be placed at the edge of an OSPF routing domain
  • More flexible than stub area
    • Can import external routes into OSPF routing domain
    • Provide transit service to small routing domains that are not part of OSPF routing domain

config

CS-Core(config-router)# area 1 nssa
CS-Aggr(config-router)# area 1 nssa

Totally NSSA

config

CS-Core(config-router)# area 1 nssa no-summary
CS-Aggr(config-router)# area 1 nssa no-summary

Comparison

  • Normal: no restriction
  • Stub: no Type 5 AS-external LSAs allowed
  • Totally Stub: no Type 3, 4, 5 LSAs allowed, except the default summary route
  • NSSA: no Type 5 AS-external LSAs allowed; Type 7 LSAs that are converted to Type 5 at the NSSA ABR can traverse
  • Totally NSSA: no Type 3, 4, 5 LSAs allowed, except the default summary route; Type 7 LSAs that are converted to Type 5 at the NSSA ABR can traverse

PAgP & LACP

PAgP

  • Cisco-proprietary protocol for negotiating and managing EtherChannel links.
  • Sends PAgP packets every 30 seconds.
  • Checks config consistency.
  • Manages link additions and failures.
  • Combine a maximum of 8 physical links into a single virtual link.

LACP

  • Industry standard, IEEE 802.1AX (previously 802.3ad)
  • Performs similarly to Cisco PAgP
    • Cisco devices support both protocols
  • Can be used to form EtherChannels in multi-vendor environments.
  • LACP allows for 8 active links and 8 standby links.
  • A standby link becomes active when one of the current active links fails.

Deciding which links to be active or standby

  • System priority
    • Default priority = 32768
    • The switch with the lower value becomes the leader (master).
  • Port priority
    • The master chooses which ports are active or standby.
    • Ports with the lower value are chosen to be active.

Switch(config-if-range)# channel-group 1 mode ?

  • desirable: enable PAgP unconditionally
  • auto: enable PAgP only if a PAgP device is detected
  • active: enable LACP unconditionally
  • passive: enable LACP only if an LACP device is detected
  • on: enable EtherChannel only (no negotiation protocol)

Load Balance

  • Traffic in an EtherChannel is distributed across the physical links.
  • But it is not necessarily balanced equally across all the links.
  • Packets are forwarded on a specific link as the result of a deterministic method.
    • 3 bits derived from the (src and/or dst) MAC address, IP address or port select the physical link to use.
    • The same 5-tuple between two devices is always sent through the same physical link.
  • Choose the load-balancing method that gives the greatest distribution.

Switch(config)# port-channel load-balance method
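A model of the 3-bit link selection described above, added here to show why a bundle is not balanced equally and why the method matters (added example, not from the notes; the hash is an assumed XOR of the low 3 bits of each selected field, not Cisco's unpublished algorithm).

```python
import ipaddress
from collections import Counter

# Assumed model, not Cisco's algorithm: XOR the low 3 bits of every selected
# field to get one of 8 buckets, and hand bucket b to link b % n_links.
# The keys are port-channel load-balance method keywords.
FIELDS = {
    "src-mac": ("src_mac",), "dst-mac": ("dst_mac",), "src-dst-mac": ("src_mac", "dst_mac"),
    "src-ip": ("src_ip",), "dst-ip": ("dst_ip",), "src-dst-ip": ("src_ip", "dst_ip"),
}


def field_bits(name, value):
    """Low 3 bits of a MAC (its last byte) or of an IPv4 address (last octet)."""
    if name.endswith("mac"):
        n = int(value.replace(":", ""), 16)
    else:
        n = int(ipaddress.IPv4Address(value))
    return n & 0x7


def bucket(method, flow):
    b = 0
    for name in FIELDS[method]:
        b ^= field_bits(name, flow[name])
    return b


def select_link(method, flow, n_links):
    """Deterministic: the same flow always lands on the same physical link."""
    if not 1 <= n_links <= 8:
        raise ValueError("an EtherChannel bundles at most 8 links")
    return bucket(method, flow) % n_links


def bucket_shares(n_links):
    """How many of the 8 buckets each link owns; even only for 1, 2, 4 or 8 links."""
    return [sum(1 for b in range(8) if b % n_links == i) for i in range(n_links)]


def distribution(method, flows, n_links):
    """Flows per link for a given method and bundle size."""
    counts = Counter(select_link(method, f, n_links) for f in flows)
    return [counts[i] for i in range(n_links)]


# Constructed traffic: one server answering 16 clients on the same VLAN.
SERVER = {"mac": "00:00:5e:00:53:01", "ip": "10.0.0.1"}
FLOWS = [
    {"src_mac": SERVER["mac"], "src_ip": SERVER["ip"],
     "dst_mac": f"00:00:5e:00:53:{i:02x}", "dst_ip": f"10.0.0.{i}"}
    for i in range(10, 26)
]

if __name__ == "__main__":
    print("bucket shares with 3 links:", bucket_shares(3))
    print("src-ip, 4 links:", distribution("src-ip", FLOWS, 4))  # one link only
    print("dst-ip, 4 links:", distribution("dst-ip", FLOWS, 4))
    print("dst-ip, 3 links:", distribution("dst-ip", FLOWS, 3))
```

With src-ip every reply from the single server hashes to the same link; dst-ip spreads the same flows, and a 3-link bundle still splits the 8 buckets 3:3:2.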

Config Steps

  1. Specify the interfaces that compose the EtherChannel group.
  2. Setting LACP system priority & port priority. (Optional, Not support in Packet Tracer.)
  3. Config the port-channel interface.

e.g.

Switch(config)# lacp system-priority 100
Switch(config)# interface range Gi0/1-4
Switch(config-if-range)# channel-protocol lacp
Switch(config-if-range)# channel-group 5 mode active
Switch(config-if-range)# lacp port-priority 1024
Switch(config)# interface port-channel 5
Switch(config-if)# switchport mode trunk
Switch(config-if)# switchport trunk allowed vlan 28,420

Change EtherChannel settings after creation.

  • If you want to change those configs, set them on the port-channel interface.

Switch(config)# spanning-tree etherchannel guard misconfig

Avoid misconfiguration with EtherChannel. (Enabled by default)

First-Hop Router Protocol (FHRP)

  • The default gateway for end devices is called first-hop.
  • FHRP allows 2+ routers to provide backup for gateway address.
  • When the master dies, the backup routers take over within seconds.
  • FHRP is a category, there are several FHRP protocols.
    • Virtual Router Redundancy Protocol (VRRP)
    • Hot Standby Router Protocol (HSRP)
    • Gateway Load Balancing Protocol (GLBP)

Virtual Router Redundancy Protocol (VRRP)

  • Defined in RFC 2338
  • Designed to provide transparent failover for an IP address.
  • Provides a virtual router IP address for a group of routers acting as a gateway.
    • The router with the highest priority becomes the master. If the VRRP priorities are the same, the router with the numerically highest IPv4 address is chosen.
  • VRRP advertisements are sent at 1 second intervals.
    • When no advertisement is heard from the master router for 3 intervals, a backup router takes over.
  • By default, VRRP routers preempt if their priority is greater.
  • Priority should be 1-254.
    • 0 and 255 have special meanings.
  • Maximum Advertisement Interval
    • Indicates the time interval in centiseconds.
    • Default is 100 cs (1 sec). Max is 40.95 sec.
R1(config)# interface vlan 50
R1(config-if)# ip address 192.0.2.1 255.255.255.0
R1(config-if)# vrrp 1 priority 200
R1(config-if)# vrrp 1 ip 192.0.2.254
R2(config)# interface vlan 50
R2(config-if)# ip address 192.0.2.2 255.255.255.0
R2(config-if)# ! vrrp 1 priority 100
R2(config-if)# vrrp 1 ip 192.0.2.254
R2(config-if)# no vrrp 1 preempt

config example

(config-if)# vrrp group ip ip-addr

Makes the interface a member of the vrrp group and assign the virtual IP address.
(The virtual IP address can be the same as the interface IP address of one member in the group.)

(config-if)# vrrp group priority priority

Set the VRRP router priority from 1 to 254 (Default is 100).

(config-if)# vrrp group timers advertise timer

Change the advertisement timer (Default is 1 second).

(config-if)# vrrp group timers learn

Learn the advertisement interval from the master router.

(config-if)# vrrp group preempt [delay seconds]

Change the preempt delay.

(config-if)# no vrrp group preempt

Disable preempting. (Default is to preempt)

(config-if)# vrrp group track object-number [decrement priority]

Track an object and decrease the priority when the object is down.

Hot Standby Router Protocol (HSRP)

  • A Cisco-proprietary FHRP protocol.
  • Send periodic Hello messages to all-routers multicast address.
  • An HSRP group consists of 1 active router + 1 standby router.
    • Others remain in the speak state.

HSRP States

  • Initial: When HSRP is disabled or the interface first comes up.
  • Learn: The router has not determined the virtual IP address.
  • Listen: Waiting for Hello message from active or standby router.
  • Speak: Participating in the HSRP election.
  • Standby: The router is a candidate to become the next active router.
  • Active: Forwarding packets that are sent to the group's virtual IP / MAC address.

Speak, Standby, Active: Sends Hello messages periodically.
At most one router in: Standby, Active state.

HSRP Timers

In Hello message:

  • Hellotime: The interval at which routers send Hello packets. (Default 3 seconds)
  • Holdtime: The time after which an active or standby router is considered expired.

Each router maintains 3 timers:

  • Hello Timer: Send a Hello message when the Hello timer expires.
  • Active Timer: Used to monitor the Active router.
  • Standby Timer: Used to monitor the Standby router.

Election

  • Determines the role of each router in the HSRP group based on the priority value.
  • HSRP priority
    • Range from 0 to 255 (Default 100)
    • Highest priority in the group = Active router
    • If the priorities are equal, the router with the numerically highest IPv4 address is elected.

Switch(config-if)# standby group priority priority

  • By default, the active router won't be replaced by a router with a higher priority.
  • To force a new HSRP election, preemption must be enabled.

Switch(config-if)# standby group preempt [ delay [ minimum seconds ] [ reload seconds ]]

Config Steps

  1. Configure HSRP version 2.
  2. Set the virtual IP address for the group.
    • The interface IP address and the virtual address should be in the same IP subnet.
  3. Configure the priority for the desired active router.
  4. Make the active router preemptive.

e.g.

Switch(config-if)# standby version 2
Switch(config-if)# standby [ group-number ] ip [ ip-address ]
Switch(config-if)# standby [ group-number ] priority priority-value
Switch(config-if)# standby group preempt [ delay [ minimum seconds ] [ reload seconds ]]

Interface Tracking

  • HSRP can track an interface of the router.
    • When the tracked interface goes down, HSRP reduces the router's priority.

Switch(config-if)# standby group track type mod/num [ interface-priority ]

interface-priority: the value subtracted from the priority when the interface goes down, and added back when the interface comes back up.
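The election, preempt and tracking rules above (and the same highest-priority, highest-IP tie-break described for VRRP) as a small simulation, added here and not part of the notes. Router names, addresses and the tracked interface are constructed; the point it shows is that tracking only causes a failover if the other router is allowed to preempt.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Router:
    name: str
    ip: str                      # interface address, used as the tie-breaker
    priority: int = 100          # HSRP default
    preempt: bool = False        # HSRP default: no preemption
    alive: bool = True
    tracked: dict = field(default_factory=dict)   # interface -> decrement
    down: set = field(default_factory=set)        # interfaces currently down

    def effective_priority(self):
        """Tracking subtracts the decrement while the interface is down and
        gives it back when the interface returns."""
        if not 0 <= self.priority <= 255:
            raise ValueError("HSRP priority is 0-255")
        return self.priority - sum(d for i, d in self.tracked.items() if i in self.down)


def elect(routers):
    """Highest effective priority wins; equal priority -> numerically highest IP."""
    alive = [r for r in routers if r.alive]
    return max(alive, key=lambda r: (r.effective_priority(), int(ipaddress.IPv4Address(r.ip))))


def next_active(routers, current):
    """Active router after an event. A fresh election happens only when there is
    no live active router; otherwise a router with a strictly higher effective
    priority takes over only if it has preempt enabled."""
    if current is None or not current.alive:
        return elect(routers)
    best = elect(routers)
    if best.preempt and best.effective_priority() > current.effective_priority():
        return best
    return current


if __name__ == "__main__":
    # Constructed scenario: R1 is meant to be active and tracks its uplink.
    r1 = Router("R1", "192.0.2.1", priority=110, preempt=True, tracked={"Gi0/0": 20})
    r2 = Router("R2", "192.0.2.2")                # priority 100, no preempt
    active = next_active([r1, r2], None)
    print("initial active:", active.name)          # R1
    r1.down.add("Gi0/0")                           # uplink fails, R1 drops to 90
    active = next_active([r1, r2], active)
    print("after uplink failure:", active.name)    # still R1: R2 cannot preempt
    r2.preempt = True
    active = next_active([r1, r2], active)
    print("with preempt on R2:", active.name)      # R2
    r1.down.clear()                                # uplink back, R1 is 110 again
    print("after recovery:", next_active([r1, r2], active).name)  # R1
```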

Gateway Load Balancing Protocol (GLBP)

  • Another Cisco-proprietary FHRP protocol.
  • Active Virtual Gateway (AVG) & Active Virtual Forwarder (AVF)
  • Support load balancing and authentication.
  • Load balancing modes: round-robin, host-dependent, weighted

Remote Authentication Dial-In User Service (RADIUS)

RADIUS Router Configuration

(config)# aaa new-model

Enable AAA

(config)# radius server server-name

Enter radius server config mode

(config-radius-server)# address ipv4 server-ip [auth-port server-port]

Configure server IP address

(config-radius-server)# key secret

Add radius key

(config)# aaa authentication login list-name auth-list

Configure authentication method list

(config-line)# login authentication list-name

Apply the list to connections (e.g. console, vty)

Core(config)# aaa new-model
Core(config)# radius server radius
Core(config-radius-server)# address ipv4 192.168.1.1
Core(config-radius-server)# key radiuskey
Core(config)# aaa authentication login default group radius local
Core(config)# line vty 0 15
Core(config-line)# login authentication default

RADIUS for router example

RADIUS for 2960 Configuration

(config)# aaa new-model

Enable AAA

(config)# radius-server host server-ip key secret

Configure radius server

(config)# aaa authentication login list-name auth-list

Configure authentication method list

(config-line)# login authentication list-name

Apply the list to connections (e.g. console, vty)

Core(config)# aaa new-model
Core(config)# radius-server host 192.168.1.1 key radiuskey
Core(config)# aaa authentication login default group radius local
Core(config)# line vty 0 15
Core(config-line)# login authentication default

RADIUS for 2960 example

Access Control List (ACL)

  • A sequential list of permit or deny statements, known as access control entries (ACEs).
  • Controls whether a switch/router forwards or drops packets based on information found in the packet header.
  • When an ACL is applied to an interface
    • The router evaluates every packet passing through the interface against the ACL.
    • Entries are compared in sequential order, stopping at the first match.
    • The matching entry either denies or permits the packet.
  • The source IPv4 address is the main filtering criterion.
  • The last statement of an ACL is always an implicit deny.
    • All traffic that matches no entry is blocked.

Wildcard Masking

  • 32-bit string
  • Wildcard masks use the following rules to match binary 1s and 0s:
    • Wildcard mask bit 0: match the corresponding bit value in the address
    • Wildcard mask bit 1: ignore the corresponding bit value in the address
  • Wildcard masks are often referred to as inverse masks
    • Usually thought of as the opposite of the subnet mask
    • But they are not actually the same (the 1 bits need not be contiguous)
  • Wildcard mask keywords
    • host: 0.0.0.0
    • any: 255.255.255.255

Type

  • OSI layer
    • Standard ACLs Layer 3
      • Only based on source IP address
      • Placed close to the destination due to the inability to specify destination address
      • Placed at source may prevent the traffic from reaching any other networks
    • Extended ACLs Layer 3&4
      • Based on source IP, source port, destination IP, destination port and protocol
      • Placed close to the source to filter undesirable traffic
  • ACL name
    • Numbered ACLs
    • Named ACLs
  • Flow direction
    • Inbound ACLs
    • Outbound ACLs

Standard ACLs

  • Can only check source IP address

Numbered ACL

  • list-number should be 1-99 or 1300-1999

(config)# access-list list-number {deny|permit} source-ip [wildcard] [log]
(config)# access-list list-number remark description

Named ACL

(config)# ip access-list [standard|extended] list-name
(config-std-nacl)# [permit|deny|remark] source-ip [wildcard] [log]

Standard ACLs Example

Core(config)# access-list 20 permit 192.168.2.2
Core(config)# access-list 20 permit 192.168.2.3

Extended ACLs

  • Having the ability to check source IP, source port, destination IP, destination port and protocol

Numbered ACL

  • list-number should be 100-199 or 2000-2699

(config)# access-list list_number {permit|deny} protocol src-ip wildcard [operator {port-num|service}] dst-ip wildcard [operator {port-num|service}] [log]

Named ACL

(config)# ip access-list extended list_name
(config-ext-nacl)# {permit|deny} protocol src-ip wildcard [operator {port|service}] dst-ip wildcard [operator {port-num|service}] [log]

Extended ACLs Example

Core(config)# ip access-list extended PC-1-to-2
Core(config-ext-nacl)# permit ip host 192.168.1.2 host 192.168.2.2
Core(config-ext-nacl)# permit ip host 192.168.1.3 host 192.168.2.3

Configure ACL on interface

(config-if)# ip access-group {list-number|list-name} {in|out}

Apply to an interface (not supported on the 2960)

(config-line)# access-class {list-number|list-name} {in|out}

Apply to a line (e.g. console, vty)

Core(config)# interface GigabitEthernet 0/1
Core(config-if)# ip access-group PC-1-to-2 in

Sequence Numbers

  • Every time you add a new entry to an ACL, it is appended at the end.
    • Under the first-match rule, that entry is checked last.
  • How to insert an entry between existing ACL entries?
    • Sequence numbers
  • Sequence numbers let you put ACL entries in the proper order
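A standard-ACL evaluator, added here to tie together the wildcard-mask rules, first-match with implicit deny, and sequence numbers from the sections above (added example, not part of the notes). The same wildcard_match is what the OSPF network statements rely on; the ACL entries come from the "Standard ACLs Example" and the sequence-number defaults (10, 20, ...) are assumed.

```python
import ipaddress


def to_int(addr):
    return int(ipaddress.IPv4Address(addr))


def wildcard_match(address, pattern, wildcard):
    """Wildcard bit 0 = the address bit must match, bit 1 = ignore it.
    Unlike a subnet mask, the 1 bits need not be contiguous."""
    care = ~to_int(wildcard) & 0xFFFFFFFF
    return to_int(address) & care == to_int(pattern) & care


def inverse_mask(prefixlen):
    """Wildcard for a contiguous /prefixlen subnet mask (e.g. /29 -> 0.0.0.7)."""
    return str(ipaddress.IPv4Network(f"0.0.0.0/{prefixlen}").hostmask)


class StandardAcl:
    """Standard ACL: source-address ACEs kept in sequence order, first match
    wins, implicit deny when nothing matches."""

    def __init__(self):
        self.entries = []   # (seq, action, pattern, wildcard)

    def add(self, action, source, wildcard="0.0.0.0", seq=None):
        if action not in ("permit", "deny"):
            raise ValueError("action must be permit or deny")
        if source == "any":                       # any = 0.0.0.0 255.255.255.255
            source, wildcard = "0.0.0.0", "255.255.255.255"
        elif source.startswith("host "):          # host x = x 0.0.0.0
            source, wildcard = source[5:], "0.0.0.0"
        if seq is None:                           # no sequence given: append at the end
            seq = self.entries[-1][0] + 10 if self.entries else 10
        if any(e[0] == seq for e in self.entries):
            raise ValueError(f"sequence {seq} already in use")
        self.entries.append((seq, action, source, wildcard))
        self.entries.sort()                        # lower sequence is checked first

    def evaluate(self, src_ip):
        """Return (action, matching sequence); (deny, None) is the implicit deny."""
        for seq, action, pattern, wildcard in self.entries:
            if wildcard_match(src_ip, pattern, wildcard):
                return action, seq
        return "deny", None


if __name__ == "__main__":
    acl = StandardAcl()                           # access-list 20 from the notes
    acl.add("permit", "192.168.2.2")
    acl.add("permit", "192.168.2.3")
    print(acl.evaluate("192.168.2.2"))            # ('permit', 10)
    print(acl.evaluate("192.168.2.4"))            # ('deny', None): implicit deny
    acl.add("deny", "192.168.2.0", "0.0.0.255", seq=5)   # inserted before seq 10
    print(acl.evaluate("192.168.2.2"))            # ('deny', 5): first match wins
    # Non-contiguous wildcard: 0.0.0.254 checks only the lowest bit (even hosts)
    print(wildcard_match("10.0.0.4", "10.0.0.0", "0.0.0.254"))   # True
    print(wildcard_match("10.0.0.5", "10.0.0.0", "0.0.0.254"))   # False
```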

Generic Routing Encapsulation (GRE)

(config)# interface tunnel 1
(config-if)# tunnel mode gre ip
(config-if)# ip address 172.31.0.1 255.255.255.252
(config-if)# tunnel source gi 0/0
(config-if)# tunnel destination 172.31.0.2
(config)# interface tunnel 1
(config-if)# tunnel mode gre ip
(config-if)# ip address 172.31.0.2 255.255.255.252
(config-if)# tunnel source gi 0/0
(config-if)# tunnel destination 172.31.0.1

example on hw4

Others

Windows commands

  • ipconfig
  • route print
  • ping
  • tracert
  • nslookup
  • ssh

Linux commands

  • ip address
  • ip route
  • ping
  • traceroute -I
  • nslookup
  • dig
  • ssh