[toc]

## Terms

**Virtual Teletype Terminal (VTY)**
- The virtual lines used for management access to the switch over the network (Telnet/SSH), as opposed to the physical console line. Whatever password or AAA policy is attached to `line vty` is what protects remote management.

**Switched Virtual Interface (SVI)**
- A switch does not have a physical interface to which an IP address can be assigned.
- The IP address is configured on a virtual interface called a switched virtual interface (SVI).
- A single SVI can only be mapped to one VLAN.
- An SVI cannot come up unless its VLAN exists and is **associated with an active physical port** (an access port in that VLAN or a trunk carrying it).

## Basic Cisco IOS CLI Commands

```!
switch# copy running-config startup-config
```
Save the running configuration to NVRAM (otherwise it is lost on reload).

```!
switch(config)# hostname SW-EC1f
```
Change the hostname.

```!
SW-EC1f(config)# line console 0
SW-EC1f(config-line)# password passwd1
SW-EC1f(config-line)# login
```
Set the console access password (stored in clear text).

```!
SW-EC1f(config)# enable password passwd2
```
Set the privileged EXEC password (stored in clear text; ignored when an `enable secret` is also configured).

```!
SW-EC1f(config)# service password-encryption
```
Obfuscate the clear-text passwords in the running config as "type 7" strings. This is of little value: type 7 is a fixed-key XOR that any config-parsing tool reverses instantly, so a config containing type 7 strings should be handled as if it contained the plaintext.

```!
SW-EC1f(config)# username user secret passwd3
SW-EC1f(config)# line console 0
SW-EC1f(config-line)# login local
```
Set console access with a local user account. `secret` stores a salted hash (type 5, MD5) instead of a type 7 string.

```!
SW-EC1f(config)# enable secret passwd4
```
Set the privileged EXEC secret (salted MD5, type 5). Newer IOS releases can store secrets as type 8 (PBKDF2-SHA256) or type 9 (scrypt) with `enable algorithm-type`; type 4 (unsalted SHA-256) is weaker than type 5 and should not be used.

```!
SW-EC1f(config)# banner motd !
helloworld!
SW-EC1f(config)#
```
Set the banner (message of the day); `!` is the delimiting character that ends the text.

```!
(config)# line console 0
(config-line)# exec-timeout 0
```
Set the EXEC idle timeout in minutes. `exec-timeout 0` disables it, so an unattended session never logs out; use that only in the lab and keep a finite value such as `exec-timeout 10 0` in production.

```!
(config)# ip default-gateway x.x.x.x
```
Set the default gateway (for L2 devices, i.e. without `ip routing`).

## Cisco Discovery Protocol (CDP)

A Cisco proprietary protocol. It advertises platform, IOS version and management addresses to directly connected devices, so it should be turned off on ports facing untrusted hosts.

```!
Sw-Lab1# show cdp neighbors
```
Show all neighbours.

```!
Sw-Lab1# show cdp entry Device-ID
```
Show details of one neighbour.

```!
Sw-Lab1(config)# no cdp run
```
Disable CDP globally.

```!
Sw-Lab1(config)# interface fastEthernet 0/1
Sw-Lab1(config-if)# no cdp enable
```
Disable CDP on an interface.

## LLDP

- IEEE standard protocol (802.1AB)
- Similar to CDP, and leaks the same kind of inventory information
- Not enabled by default on Cisco switches

```!
Sw-Lab1(config)# lldp run
```
Enable LLDP globally.

```!
Sw-Lab1(config)# interface fastEthernet 0/1
Sw-Lab1(config-if)# lldp receive
Sw-Lab1(config-if)# lldp transmit
```
Enable LLDP on an interface.

```!
Sw-Lab1# show lldp neighbors
```
Show all neighbours.

## Virtual LAN (VLAN)

```!
switch# configure terminal
switch(config)# vlan vlan-num
switch(config-vlan)# name vlan-name
```
Create a VLAN (the `name` line is optional).

```!
(config)# interface type interface_number
(config-if)# switchport mode access
(config-if)# switchport access vlan vlan-num
```
Put an interface into a VLAN as an access port.

| VLANs | Range | Usage |
| --------- | -------- | ----------------------------------------------------- |
| 0, 4095 | Reserved | For system use |
| 1 | Normal | Cisco default |
| 2-1001 | Normal | For Ethernet VLANs; can be modified |
| 1002-1005 | Normal | Cannot be deleted (Cisco defaults for FDDI and Token Ring) |
| 1006-4094 | Extended | For Ethernet VLANs only |

VLAN number ranges.

```!
(config)# interface type interface_number
(config-if)# switchport trunk encapsulation {isl|dot1q|negotiate}
(config-if)# switchport trunk allowed vlan {vlan-list|except vlan-list|all}
(config-if)# switchport mode trunk
```
Create a trunk. The `encapsulation` line only exists on platforms that still support ISL; 802.1Q is the only option on most current switches, including the 2960.

```!
(config-if)# switchport trunk allowed vlan {add|remove} vlan-list
```
Modify the allowed VLAN list of a trunk. Using `add`/`remove` avoids replacing the whole list by accident; limit trunks to the VLANs they actually need.

```!
(config)# interface vlan vlan-num
(config-if)# ip address ip netmask
```
Set the IP address of a VLAN interface (SVI).

```!
(config)# ip routing
```
Enable routing on an L3 switch.

```!
(config)# interface type interface_number
(config-if)# switchport trunk encapsulation dot1q
(config-if)# switchport trunk native vlan vlan-num
```
Set the native VLAN (Cisco default is VLAN 1). Frames of the native VLAN cross the trunk untagged, which is what double-tagging VLAN hopping abuses; move the native VLAN off VLAN 1 to an unused VLAN and make sure both ends of the trunk agree on it.

```!
(config-if)# switchport mode dynamic {desirable|auto}
```
Dynamic trunking (DTP). `desirable` actively negotiates a trunk; `auto` only becomes a trunk if the other side asks. The platform default is `dynamic desirable` on older Catalysts and `dynamic auto` on newer ones. In either mode a host sending spoofed DTP frames can turn its access port into a trunk, so user-facing ports should be `switchport mode access` with `switchport nonegotiate`.

## Spanning Tree Protocol (STP)

- The lab requires a hostname other than the default before starting.

```!
(config)# no spanning-tree vlan vlan-id
```
Disable STP on the specified VLAN.

```!
(config)# spanning-tree vlan vlan-id
```
Re-enable STP on the VLAN.

Lab steps:
- Check the connectivity between hosts (with STP disabled, a redundant link produces a broadcast storm)
- Restore the settings

| Protocol | Standard | Resources needed | Convergence | Tree Calculation |
| ----------- | -------- | ---------------- | ----------- | ---------------- |
| STP | 802.1D | Low | Slow | All VLANs |
| PVST+ | Cisco | High | Slow | Per VLAN |
| RSTP | 802.1w | Medium | Fast | All VLANs |
| Rapid PVST+ | Cisco | Very high | Fast | Per VLAN |
| MSTP | 802.1s | Medium or high | Fast | Per instance |

```!
(config)# spanning-tree mode mode
```
Set the STP mode (`pvst`, `rapid-pvst` or `mst`).

```!
(config)# spanning-tree vlan vlan-id root [primary | secondary]
(config)# spanning-tree vlan vlan-id priority value
```
Set the bridge priority.
- The bridge priority must be a multiple of 4096: the 16-bit priority field carries the VLAN ID (extended system ID) in its low 12 bits, so only the upper 4 bits are configurable.
- `root primary` picks a priority low enough to win (24576, or lower if needed); `root secondary` sets 28672.

```!
(config)# interface interface
(config-if)# spanning-tree vlan value cost value
```
Set the port cost for a VLAN on an interface.

```!
switch# show spanning-tree vlan 1
```
Show the tree: root bridge, port roles and costs.

**Port priority vs. cost** (the "priority" compared here is the per-port `spanning-tree port-priority`, not the bridge priority)

- To influence which port the local switch elects as its root port, change the cost on the links. Cost is **cumulative throughout the STP domain**; a higher cost is less preferred.
- To influence which port a downstream switch elects as its root port, change the port priority on the upstream switch's ports. This is **only locally significant between the two directly connected switches**; a higher priority value is less preferred.
- Going **away from the root** of the tree use **port priority**; going **towards the root** of the tree use **cost**.

![](https://hackmd.io/_uploads/rkiHaO3Ih.png)
![](https://hackmd.io/_uploads/S1eeB6OnUh.png)

**PortFast**
- Allows a port to go from blocking to forwarding immediately, bypassing the listening and learning states. Use it only on ports facing end hosts; a switch plugged into a PortFast port can form a temporary loop.

```!
(config)# interface interface
(config-if)# spanning-tree portfast
```
PortFast on an interface.

```!
(config)# spanning-tree portfast default
```
PortFast on all **non-trunking** interfaces.

```!
(config)# interface interface
(config-if)# spanning-tree bpduguard enable
```
Turn on BPDU guard: if any BPDU arrives on the port (something speaking STP was plugged into a host port), the port is err-disabled. This is the recommended protection for PortFast ports; `spanning-tree portfast bpduguard default` applies it to every PortFast port, and `errdisable recovery cause bpduguard` lets the port recover automatically.

```!
(config)# spanning-tree portfast bpdufilter default
```
Enable BPDU filtering globally on PortFast ports (not available in Packet Tracer).

```!
(config)# interface interface
(config-if)# spanning-tree bpdufilter enable
```
Enable BPDU filtering on a specific switch port (not available in Packet Tracer). Unlike BPDU guard, the per-interface filter silently stops sending and receiving BPDUs, which effectively disables STP on that port and can leave a loop undetected; prefer BPDU guard on host ports.

```!
(config)# interface interface
(config-if)# spanning-tree guard root
```
Enable root guard.
- If a superior BPDU (one that would make a different switch the root) is received on the port, root guard ignores it and puts the port into the root-inconsistent (blocking) state until superior BPDUs stop arriving. Apply it on ports behind which the root bridge must never appear, e.g. towards access switches.

## Routing

- Routers learn next hops from
  - Static routing
    - Manually configured into the routing table.
    - Must be reconfigured whenever the network topology changes.
  - Dynamic routing
    - Learned automatically through dynamic routing protocols.

**Administrative Distance**
- The trust value a router uses to choose between routes to the same prefix learned from different sources; the lower value wins. (Within one source, the protocol's metric picks the best path.)

| Route Source | Administrative Distance |
| ------------------- | ----------------------- |
| Connected | 0 |
| Static | 1 |
| EIGRP summary route | 5 |
| External BGP | 20 |
| Internal EIGRP | 90 |
| IGRP | 100 |
| OSPF | 110 |
| RIP | 120 |
| External EIGRP | 170 |
| Internal BGP | 200 |

```!
Router(config)# ip route network-address subnet-mask {exit-intf | ip-address}
```
Static route configuration.

```!
Core# show ip route
```
Show the routing table.

```!
(config)# ip route 0.0.0.0 0.0.0.0 {interface|ip}
```
Set the default route (for L3 devices).

### Routing Information Protocol v2 (RIPv2)

```!
Core(config)# router rip
Core(config-router)# version 2
Core(config-router)# network 192.168.0.0   ! 192.168.0.0/30
Core(config-router)# network 192.168.0.4   ! 192.168.0.4/30
Core(config-router)# network 192.168.0.8   ! 192.168.0.8/30
```
Example setting. Note that the RIP `network` command is classful: `network 192.168.0.0` already enables RIP on every interface in 192.168.0.0/24, so IOS collapses the three lines into one.

```!
Core(config)# ip route 0.0.0.0 0.0.0.0 203.0.113.42
Core(config)# router rip
Core(config-router)# version 2
Core(config-router)# default-information originate
```
Propagate a default route.

```!
R2(config)# router rip
R2(config-router)# no auto-summary
```
Disable auto summarisation (needed when subnets of one classful network are discontiguous).

```!
EC3F(config)# router rip
EC3F(config-router)# passive-interface Fa0/4
```
```!
EC3F(config-router)# passive-interface default
EC3F(config-router)# no passive-interface Gi0/1
```
Passive interfaces for RIP. A passive interface's network is still advertised, but no RIP updates are sent out of it. Using `passive-interface default` and re-enabling only the router-facing interfaces keeps routing updates off host segments, where they could be sniffed or answered with spoofed routes.

## OSPF

![](https://hackmd.io/_uploads/BkzlPOmSh.png)

### Settings

**gateway**
```!
NYCU(config)# router ospf 10
NYCU(config-router)# router-id 8.8.8.8
NYCU(config-router)# network 140.113.0.1 0.0.0.7 area 0
NYCU(config-router)# network 8.0.0.1 0.255.255.255 area 0
NYCU(config-router)# passive-interface gi 0/0
NYCU(config-router)# exit
NYCU(config)# ip route 0.0.0.0 0.0.0.0 gi 0/0
NYCU(config)# router ospf 10
NYCU(config-router)# default-information originate
```
The second argument of `network` is a wildcard mask, not a subnet mask: `0.0.0.7` covers the /29 containing 140.113.0.1. `default-information originate` only advertises a default route if one exists in the routing table (the static route above); add `always` to advertise it unconditionally.

**general**
```!
CS-Core(config)# router ospf 10
CS-Core(config-router)# router-id 1.1.1.1
CS-Core(config-router)# network 140.113.0.2 0.0.0.7 area 0
CS-Core(config-router)# network 140.113.0.129 0.0.0.3 area 1
```
```!
CS-Aggr(config)# router ospf 10
CS-Aggr(config-router)# router-id 1.1.1.10
CS-Aggr(config-router)# network 140.113.0.130 0.0.0.3 area 1
CS-Aggr(config-router)# network 140.113.10.254 0.0.0.255 area 1
```
```!
Dorm-Core(config)# router ospf 10
Dorm-Core(config-router)# router-id 2.2.2.2
Dorm-Core(config-router)# network 140.113.0.3 0.0.0.7 area 0
Dorm-Core(config-router)# network 140.113.0.113 0.0.0.3 area 2
```
```!
Dorm-Aggr(config)# router ospf 10
Dorm-Aggr(config-router)# router-id 2.2.2.20
Dorm-Aggr(config-router)# network 140.113.0.134 0.0.0.3 area 2
Dorm-Aggr(config-router)# network 140.113.20.254 0.0.0.255 area 2
```

**interface cost**
```!
switch(config-if)# ip ospf cost 100
```
Override the interface cost used by SPF (lower is preferred).

### Verify

**multi-area OSPF advertise**
```!
NYCU# show ip protocols
```
**multi-area OSPF adjacency**
```!
NYCU# show ip ospf neighbor
```
**multi-area OSPF route**
```!
NYCU# show ip route
```

### Router Types

**internal router**
- A router with all of its interfaces in the same area
- All internal routers in the same area have identical LSDBs

**backbone router**
- A router that runs OSPF and has at least one interface connected to the OSPF backbone area (area 0).

**area border router (ABR)**
- A router that has interfaces attached to multiple areas
- Maintains a separate LSDB for each area it is connected to
- Exit point of the area: routing information destined for another area leaves via an ABR of the local area
- Can be configured to summarise the routing information from the LSDBs of its areas
- Distributes routing information into the backbone
- The backbone then forwards the information to the other ABRs
- In a multi-area network, an area can have one or more ABRs

**autonomous system boundary router (ASBR)**
- A router that has at least one interface attached to an external internetwork
- An external network is a network that is not part of this OSPF routing domain
- An ASBR can import external network information into the OSPF network

### Link State Advertisement (LSA)

**A Link State Database (LSDB) contains LSAs**
- In combination, the LSAs describe the entire topology of an OSPF network/area

**OSPF LSA Types**

| LSA Type | Description | Sent by | Received by | Information |
| -------- | ----------- | ------- | ----------- | ----------- |
| 1 | Router Link | Any OSPF router | All other routers in the same area | Link/network information |
| 2 | Network Link | DR | BDR/DROther in the same area | List of routers attached to the DR's segment |
| 3 | Summary Network Link | ABR | All routers in the areas the ABR connects | Networks of other areas |
| 4 | Summary ASBR Link | ABR | All routers in the areas the ABR connects | Location of an ASBR |
| 5 | AS External Link | ASBR | All routers in the OSPF routing domain (except stub/NSSA areas) | External networks |
| 7 | NSSA External Link | ASBR inside an NSSA | All routers in the NSSA | External networks (translated to Type 5 by the NSSA ABR) |

**verify**
```!
CS-Core# show ip ospf 10 database router
```

### Stub Area
- No Type 5 LSAs
- The ABR injects a default route (0.0.0.0) as a Type 3 LSA

**config**
```!
Dorm-Core(config-router)# area 2 stub
Dorm-Aggr(config-router)# area 2 stub
```
Every router in the area must be configured as stub; the stub flag is carried in Hello packets and adjacencies do not form if it mismatches.

#### Totally Stubby Area
- No Type 3, 4 or 5 LSAs
- The only Type 3 LSA is the default route 0.0.0.0

**config**
```!
Dorm-Core(config-router)# area 2 stub no-summary
Dorm-Aggr(config-router)# area 2 stub no-summary
```
`no-summary` only takes effect on the ABR (Dorm-Core); on the internal router it is accepted but plain `area 2 stub` would do.

### Not So Stubby Area (NSSA)
- Extension of OSPF stub areas
- Must be placed at the edge of an OSPF routing domain
- More flexible than a stub area
- Can import external routes into the OSPF routing domain (as Type 7 LSAs)
- Provides transit service to small routing domains that are not part of the OSPF routing domain

**config**
```!
CS-Core(config-router)# area 1 nssa
CS-Aggr(config-router)# area 1 nssa
```

#### Totally NSSA

**config**
```!
CS-Core(config-router)# area 1 nssa no-summary
CS-Aggr(config-router)# area 1 nssa no-summary
```

### Comparison

| Area | Restriction |
| ------------ | ----------- |
| Normal | - None |
| Stub | - No Type 5 AS-external LSAs allowed |
| Totally Stub | - No Type 3, 4, 5 LSAs allowed<br> - except the default summary route |
| NSSA | - No Type 5 AS-external LSAs allowed<br> - Type 7 LSAs, converted to Type 5 at the NSSA ABR, can traverse |
| Totally NSSA | - No Type 3, 4, 5 LSAs allowed<br> - except the default summary route<br> - Type 7 LSAs, converted to Type 5 at the NSSA ABR, can traverse |

## PAgP & LACP

### PAgP
- Cisco-proprietary protocol for negotiating and managing EtherChannel links.
- Sends PAgP packets every 30 seconds.
- Checks configuration consistency.
- Manages link additions and failures.
- Combines a maximum of 8 physical links into a single virtual link.

### LACP
- Industry standard, IEEE 802.1AX (previously 802.3ad)
- Performs similarly to Cisco PAgP
- Cisco devices support both protocols
- Can be used to build EtherChannels in multi-vendor environments.
- LACP allows for **8 active** links and **8 standby** links.
- A standby link becomes active when one of the current active links fails.

**Deciding which links are active or standby**
- System priority
  - Default priority = 32768
  - The switch with the lower value (priority, then system MAC address) becomes the leader and makes the decision.
- Port priority
  - The leader chooses which ports are active or standby.
  - Ports with the lower value (priority, then port number) are chosen as active.

```!
Switch(config-if-range)# channel-group 1 mode ?
```
- **desirable** Enable PAgP unconditionally
- **auto** Enable PAgP only if a PAgP device is detected
- **active** Enable LACP unconditionally
- **passive** Enable LACP only if an LACP device is detected
- **on** Enable EtherChannel only (no negotiation protocol; both ends must be `on`)

### Load Balance
- Traffic in an EtherChannel is distributed across the physical links.
- But not necessarily balanced equally across all the links.
- Packets are forwarded on a specific link as the result of a deterministic hash.
- The hash of the chosen fields (source and/or destination MAC address, IP address, L4 port) yields a 3-bit value (0-7) that selects the physical link.
- All packets of one flow between two endpoints therefore always use the same physical link, so a single large flow never exceeds the bandwidth of one member link.
- Choose the load-balancing method that gives the greatest distribution for the actual traffic mix.

```!
Switch(config)# port-channel load-balance method
```

**Config Steps**
1. Specify the interfaces that compose the EtherChannel group.
2. Set the LACP system priority and port priority. (Optional; not supported in Packet Tracer.)
3. Configure the port-channel interface.

e.g.
```!
Switch(config)# lacp system-priority 100
Switch(config)# interface range Gi0/1-4
Switch(config-if-range)# channel-protocol lacp
Switch(config-if-range)# channel-group 5 mode active
Switch(config-if-range)# lacp port-priority 1024
```
```!
Switch(config)# interface port-channel 5
Switch(config-if)# switchport mode trunk
Switch(config-if)# switchport trunk allowed vlan 28,420
```
Change EtherChannel settings after creation.

```!
Switch(config)# spanning-tree etherchannel guard misconfig
```
Avoiding misconfiguration with EtherChannel.
(Enabled by default.) If one side bundles links that the other side treats as separate ports, the port-channel is err-disabled instead of forming a loop.
- To change the member links' settings (VLANs, trunk mode), set them on the port-channel interface so every member stays consistent.

## First Hop Redundancy Protocol (FHRP)

- The **default gateway** of end devices is called the **first hop**.
- An FHRP allows 2+ routers to provide backup for a gateway address.
- When the master fails, a backup router takes over within seconds.
- FHRP is a category; there are several FHRP protocols:
  - Virtual Router Redundancy Protocol (VRRP)
  - Hot Standby Router Protocol (HSRP)
  - Gateway Load Balancing Protocol (GLBP)

## Virtual Router Redundancy Protocol (VRRP)

- Defined in RFC 2338 (VRRPv2, later replaced by RFC 3768; VRRPv3 with IPv6 support is RFC 5798)
- Designed for transparent failover of an IP address.
- Provides a virtual router IP address for a group of routers as the gateway.
- The router with **the highest priority** becomes the master. On equal priority, the router with the numerically highest IPv4 address wins.
- VRRP advertisements are sent at 1-second intervals.
- When no advertisement is heard from the master for 3 × interval (plus a small skew time), a backup router takes over.
- By default, VRRP routers preempt when their priority is higher than the current master's.
- Priority should be 1-254.
  - 0 and 255 have special meaning: 255 is reserved for the router that owns the virtual IP address as a real interface address, and 0 is sent by a master that is shutting down to trigger an immediate election.
- Maximum Advertisement Interval
  - Indicates the time interval in centiseconds.
  - Default is 100 cs (1 sec). Max is 40.95 sec.
- Any host on the segment can send advertisements, so a rogue host claiming a higher priority can take the gateway role and intercept traffic; use VRRP authentication and keep the FHRP VLAN free of untrusted hosts.

```!
R1(config)# interface vlan 50
R1(config-if)# ip address 192.0.2.1 255.255.255.0
R1(config-if)# vrrp 1 priority 200
R1(config-if)# vrrp 1 ip 192.0.2.254
```
```!
R2(config)# interface vlan 50
R2(config-if)# ip address 192.0.2.2 255.255.255.0
R2(config-if)# ! vrrp 1 priority 100
R2(config-if)# vrrp 1 ip 192.0.2.254
R2(config-if)# no vrrp 1 preempt
```
Config example (R2 keeps the default priority 100, which is why its priority line is commented out).

```!
(config-if)# vrrp group ip ip-addr
```
Makes the interface a member of the VRRP group and assigns the virtual IP address. (The virtual IP address may be the same as the interface IP address of one member of the group, which then runs with priority 255.)

```!
(config-if)# vrrp group priority priority
```
Set the VRRP router priority from 1 to 254 (default is 100).

```!
(config-if)# vrrp group timers advertise timer
```
Change the advertisement timer (default is 1 second).

```!
(config-if)# vrrp group-num timers learn
```
Learn the advertisement interval from the master router.

```!
(config-if)# vrrp group preempt [delay seconds]
```
Enable preemption, optionally delayed by the given number of seconds.

```!
(config-if)# no vrrp group preempt
```
Disable preemption (default is to preempt).

```!
(config-if)# vrrp group track object-number [decrement priority]
```
Track an object and decrease the priority when the object is down.

## Hot Standby Router Protocol (HSRP)

- A Cisco-proprietary FHRP.
- Sends periodic Hello messages to the all-routers multicast address (224.0.0.2 for HSRPv1, 224.0.0.102 for HSRPv2, UDP port 1985).
- An HSRP group consists of **1 active router** + **1 standby router**.
- All other routers remain in the **listen state**.

**HSRP States**
- Initial: HSRP is disabled or the interface has just come up.
- Learn: The router has not yet determined the virtual IP address.
- Listen: Knows the virtual IP address and waits for Hello messages from the active or standby router.
- Speak: Participating in the HSRP election.
- Standby: The router is the candidate to become the next active router.
- Active: Forwarding packets sent to the group's virtual IP / virtual MAC address (0000.0c07.acXX for v1, 0000.0c9f.fXXX for v2, XX = group number).

Routers in the Speak, Standby and Active states send Hello messages periodically. At most one router is in the Standby state and at most one in the Active state.

**HSRP Timers**

In the Hello message:
- Hellotime: how often routers send Hello packets (default 3 seconds)
- Holdtime: how long without Hellos before the active or standby router is declared down (default 10 seconds)

Each router maintains 3 timers:
- Hello timer: send a Hello message when it expires.
- Active timer: monitors the active router.
- Standby timer: monitors the standby router.

**Election**
- Determines the role of each router in the HSRP group based on the priority value.
- HSRP priority
  - Range 0 to 255 (default 100)
  - **Highest** priority in the group = active router
  - If the priorities are equal, the router with the numerically **highest IPv4 address** is elected.

```!
Switch(config-if)# standby group priority priority
```
- By default, an active router **is not replaced** when a router with a higher priority appears later.

```!
Switch(config-if)# standby group preempt [delay [minimum seconds] [reload seconds]]
```
- To force a new HSRP election, preemption must be enabled.

**Config Steps**
1. Configure HSRP version 2.
2. Set the virtual IP address for the group.
   - The interface IP address and the virtual address must be in the same IP subnet.
3. Configure the priority on the router that should be active.
4. Enable preemption on that router.

e.g.
```!
Switch(config-if)# standby version 2
Switch(config-if)# standby [group-number] ip [ip-address]
Switch(config-if)# standby [group-number] priority priority-value
Switch(config-if)# standby group preempt [delay [minimum seconds] [reload seconds]]
```
All members of a group must run the same HSRP version. HSRP accepts any Hello it hears on the segment, so a rogue host sending Hellos with priority 255 becomes the gateway; configure `standby group authentication md5 key-string key` on every member so that unauthenticated Hellos are ignored.

**Interface Tracking**
- HSRP tracks an interface of the router.
- When the tracked interface goes down, HSRP reduces the router's priority, so a router that loses its uplink gives up the active role (provided the other router has preemption enabled).

```!
Switch(config-if)# standby group track type mod/num [interface-priority]
```
`interface-priority`: the amount subtracted from the priority when the interface goes down and added back when it comes up (default 10).

## Gateway Load Balancing Protocol (GLBP)

- Another Cisco-proprietary FHRP.
- One Active Virtual Gateway (AVG) answers ARP for the virtual IP with the virtual MAC of one of several Active Virtual Forwarders (AVFs), so more than one router forwards at a time.
- Supports load balancing and authentication.
- Load-balancing modes: round-robin, host-dependent, weighted.

## Remote Authentication Dial-In User Service (RADIUS)

![](https://hackmd.io/_uploads/BJmpJM6I2.png)

### RADIUS Router Configuration

```!
(config)# aaa new-model
```
Enable AAA. From this moment every line uses AAA login; the default method list falls back to local usernames, so make sure a local user exists before entering this on a remote session.

```!
(config)# radius server server-name
```
Enter RADIUS server configuration mode.

```!
(config-radius-server)# address ipv4 server-ip [auth-port server-port]
```
Configure the server IP address.

```!
(config-radius-server)# key secret
```
Add the RADIUS shared key. It is the only protection for the RADIUS exchange (the password attribute is obfuscated with MD5 of this key), so use a long random value and keep the RADIUS traffic on the management network.

```!
(config)# aaa authentication login list-name auth-list
```
Configure an authentication method list.

```!
(config-line)# login authentication list-name
```
Apply the list to lines (console, vty, ...).

```!
Core(config)# aaa new-model
Core(config)# radius server radius
Core(config-radius-server)# address ipv4 192.168.1.1
Core(config-radius-server)# key radiuskey
```
```!
Core(config)# aaa authentication login default group radius local
Core(config)# line vty 0 15
Core(config-line)# login authentication default
```
RADIUS for router example. `group radius local` tries the RADIUS servers first and falls back to the local user database only when no server answers, not when a server rejects the login; a local `username ... secret` is therefore still required, and the change should be verified from a second session before the current one is closed.

### RADIUS for 2960 Configuration

```!
(config)# aaa new-model
```
Enable AAA.

```!
(config)# radius-server host server-ip key secret
```
Configure the RADIUS server (older single-line syntax).

```!
(config)# aaa authentication login list-name auth-list
```
Configure an authentication method list.

```!
(config-line)# login authentication list-name
```
Apply the list to lines (console, vty, ...).

```!
Core(config)# aaa new-model
Core(config)# radius-server host 192.168.1.1 key radiuskey
```
```!
Core(config)# aaa authentication login default group radius local
Core(config)# line vty 0 15
Core(config-line)# login authentication default
```
RADIUS for 2960 example.

## Access Control List (ACL)

- A sequential list of permit or deny statements, known as access control entries (ACEs).
- Controls whether a switch/router forwards or drops packets based on information in the packet header.
- When an ACL is applied to an interface, the router evaluates every packet passing through the interface in that direction against the ACL.
- Entries are compared **in sequential order**; evaluation stops at the first match (first match wins)
- Each entry either denies or permits
- The **source IPv4 address** is the main filtering criterion
- The last statement of an ACL is always an **implicit deny**
  - All traffic is blocked if no entry matches; an ACL that only contains deny entries blocks everything. (The one exception: an ACL with no entries at all, applied to an interface, permits everything.)

**Wildcard Masking**
- 32-bit string
- Wildcard masks use the following rules to match binary 1s and 0s:
  - Wildcard mask bit 0: the corresponding address bit must match
  - Wildcard mask bit 1: the corresponding address bit is ignored
- Wildcard masks are often called inverse masks
  - Usually thought of as the opposite of the subnet mask
  - But they are not the same thing: the 1 bits need not be contiguous, so a mask like 0.0.254.255 (matching only even values in the third octet) is valid
- Wildcard mask keywords
  - host: 0.0.0.0
  - any: 255.255.255.255

**Type**
- OSI layer
  - Standard ACLs: Layer 3
    - Filter on the **source IP** only
    - Placed **close to the destination**, because the destination cannot be specified
    - Placed at the source, they would also block that traffic from reaching every other network
  - Extended ACLs: Layers 3 & 4
    - Filter on source IP, source port, destination IP, destination port and protocol
    - Placed **close to the source** so undesirable traffic is dropped before it crosses the network
- ACL name
  - Numbered ACLs
  - Named ACLs
- Flow direction
  - Inbound ACLs
  - Outbound ACLs

### Standard ACLs
- Can only check the source IP address

#### Numbered ACL
- list-number should be 1-99 or 1300-1999
```!
(config)# access-list list-number {deny|permit} source-ip [wildcard] [log]
(config)# access-list list-number remark description
```

#### Named ACL
```!
(config)# ip access-list {standard|extended} list-name
(config-std-nacl)# {permit|deny|remark} source-ip [wildcard] [log]
```

#### Standard ACLs -- Example
```!
Core(config)# access-list 20 permit 192.168.2.2
Core(config)# access-list 20 permit 192.168.2.3
```
With no wildcard given, a standard ACL entry matches exactly one host (wildcard 0.0.0.0); everything else is dropped by the implicit deny.

### Extended ACLs
- Can check source IP, source port, destination IP, destination port and protocol

#### Numbered ACL
- list-number should be 100-199 or 2000-2699
```!
(config)# access-list list_number {permit|deny} protocol src-ip wildcard [operator {port-num|service}] dst-ip wildcard [operator {port-num|service}] [log]
```

#### Named ACL
```!
(config)# ip access-list extended list_name
(config-ext-nacl)# {permit|deny} protocol src-ip wildcard [operator {port-num|service}] dst-ip wildcard [operator {port-num|service}] [log]
```
`operator` is one of `eq`, `neq`, `lt`, `gt`, `range`; port operators only apply when the protocol is `tcp` or `udp`.

#### Extended ACLs -- Example
```!
Core(config)# ip access-list extended PC-1-to-2
Core(config-ext-nacl)# permit ip host 192.168.1.2 host 192.168.2.2
Core(config-ext-nacl)# permit ip host 192.168.1.3 host 192.168.2.3
```

### Configure ACL on interface
```!
(config-if)# ip access-group {list-number|list-name} {in|out}
```
Apply to an interface (not supported on the 2960). One ACL per protocol, per direction, per interface: `in` filters packets arriving on the interface, `out` filters packets leaving it.

```!
(config-line)# access-class {list-number|list-name} {in|out}
```
Apply to a line (console, vty). This is how the source addresses allowed to open a management session are restricted; a standard ACL listing the management hosts is enough.

```!
Core(config)# interface GigabitEthernet 0/1
Core(config-if)# ip access-group PC-1-to-2 in
```

**Sequence Numbers**
- Every new entry added to an ACL is appended at the end.
- Under the **first match** rule, that entry is checked last.
- To insert an entry between existing entries, use sequence numbers: in named ACL configuration mode, prefix the entry with the sequence number it should take (`show access-lists` displays the existing numbers).
- Sequence numbers let you keep ACL entries in the proper order.

## Generic Routing Encapsulation (GRE)
```!
(config)# interface tunnel 1
(config-if)# tunnel mode gre ip
(config-if)# ip address 172.31.0.1 255.255.255.252
(config-if)# tunnel source gi 0/0
(config-if)# tunnel destination 172.31.0.2
```
```!
(config)# interface tunnel 1
(config-if)# tunnel mode gre ip
(config-if)# ip address 172.31.0.2 255.255.255.252
(config-if)# tunnel source gi 0/0
(config-if)# tunnel destination 172.31.0.1
```
Example from hw4. Note that `tunnel destination` must be the peer's outer address (the one on its `gi 0/0`), not the 172.31.0.x address configured on the tunnel itself; as written, the tunnel endpoint is only reachable through the tunnel, and IOS flaps the interface with a recursive-routing error. GRE provides no confidentiality or authentication: anything sent through it crosses the transport network in the clear, so over untrusted transport it needs IPsec protection.

## Others

### Windows commands
- ipconfig
- route print
- ping
- tracert
- nslookup
- ssh

### Linux commands
- ip address
- ip route
- ping
- traceroute -I
- nslookup
- dig
- ssh
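Worked example for the `service password-encryption` note in the Basic Cisco IOS CLI Commands section: why type 7 strings are no protection. This is an added example, not code from the original notes. The key is the fixed one every IOS image uses for type 7; the running-config excerpt at the bottom is constructed for the demo (its two type 7 values were produced by `type7_encode`).

```python
"""Decode and re-encode Cisco IOS type 7 strings (service password-encryption).

Added example; not code from the original notes. Type 7 is a XOR of the
password with a fixed key, starting at an offset given by the first two digits,
so any config that contains type 7 strings effectively contains the plaintext.
"""
import re

# Key string shared by all IOS releases.
_XLAT = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv"

# Matches 'password 7 <hex>', 'enable password 7 <hex>', 'key 7 <hex>', etc.
_TYPE7_RE = re.compile(r"\b(?:password|key|key-string)\s+7\s+([0-9A-Fa-f]{4,})")


def type7_decode(encoded: str) -> str:
    """Return the clear text for a type 7 string such as '02050D480809' ('cisco')."""
    if len(encoded) < 4 or len(encoded) % 2:
        raise ValueError("type 7 strings are a 2-digit seed followed by hex byte pairs")
    seed = int(encoded[:2])                  # starting offset into the key
    body = bytes.fromhex(encoded[2:])
    plain = bytes(b ^ _XLAT[(seed + i) % len(_XLAT)] for i, b in enumerate(body))
    return plain.decode("ascii")


def type7_encode(plain: str, seed: int = 2) -> str:
    """Produce the string IOS would store; seed is the 2-digit key offset (0-15 in practice)."""
    data = plain.encode("ascii")
    enc = bytes(b ^ _XLAT[(seed + i) % len(_XLAT)] for i, b in enumerate(data))
    return f"{seed:02d}{enc.hex().upper()}"


def recover_type7_secrets(config_text: str) -> list:
    """Scan a running-config and return (config line, clear text) for every type 7 value."""
    found = []
    for line in config_text.splitlines():
        m = _TYPE7_RE.search(line)
        if m:
            found.append((line.strip(), type7_decode(m.group(1))))
    return found


# Constructed running-config excerpt, as 'show running-config' prints it after
# 'service password-encryption' has been entered.
SAMPLE_CONFIG = """\
service password-encryption
!
enable password 7 0216054818110B70
!
line con 0
 password 7 02050D480809
 login
"""

if __name__ == "__main__":
    for line, secret in recover_type7_secrets(SAMPLE_CONFIG):
        print(f"{line!r:40} -> {secret}")
```

Because the key and the algorithm are public, `enable password` plus `service password-encryption` offers nothing beyond shoulder-surfing resistance; `enable secret` and `username ... secret` are the settings that actually protect the credential in a leaked config.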
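Worked example for the Spanning Tree Protocol section: how the bridge ID is built and how a switch (and root guard) decides that a received BPDU is "superior". This is an added example, not code from the original notes. It shows why `spanning-tree vlan X priority` must be a multiple of 4096 (the low 12 bits of the 16-bit priority field hold the VLAN ID as the extended system ID) and reproduces the ordered comparison STP uses. The switch names and MAC addresses are constructed.

```python
"""Bridge ID encoding and the superior-BPDU test used by root guard.

Added example; not code from the original notes. Switch names and MACs below
are constructed.
"""
from dataclasses import dataclass


def bridge_id(priority: int, vlan: int, mac: str) -> int:
    """64-bit bridge ID = ((4-bit priority nibble | 12-bit VLAN) << 48) | 48-bit MAC."""
    if priority % 4096 or not 0 <= priority <= 61440:
        raise ValueError("bridge priority must be a multiple of 4096 between 0 and 61440")
    if not 1 <= vlan <= 4094:
        raise ValueError("VLAN ID out of range")
    mac_int = int(mac.replace(".", "").replace(":", ""), 16)
    return ((priority | vlan) << 48) | mac_int


def show_bridge_id(bid: int) -> str:
    """Render as 'show spanning-tree' does: '<priority + sys-id-ext>.<mac>'."""
    return f"{bid >> 48}.{bid & 0xFFFFFFFFFFFF:012x}"


@dataclass(order=True)
class BPDU:
    """Fields in the order STP compares them; the lower value wins at each step."""
    root_id: int
    root_path_cost: int
    sender_id: int
    sender_port_id: int = 0x8001   # (port priority 128 << 8) | port number 1


def is_superior(received: BPDU, known: BPDU) -> bool:
    """True if the received BPDU beats the best BPDU currently known on the port."""
    return received < known        # dataclass ordering compares field by field


def elect_root(bridges: dict, vlan: int) -> str:
    """Root bridge for a VLAN = lowest bridge ID. bridges maps name -> (priority, mac)."""
    return min(bridges, key=lambda n: bridge_id(bridges[n][0], vlan, bridges[n][1]))


def root_guard(port_best: BPDU, received: BPDU) -> str:
    """Root guard ignores a superior BPDU and blocks the port (root-inconsistent)
    rather than letting a new root bridge appear behind that port."""
    return "root-inconsistent" if is_superior(received, port_best) else "forwarding"


# Constructed topology: core is 'root primary' (24576), dist is 'root secondary' (28672).
SWITCHES = {
    "core": (24576, "0000.0000.0001"),
    "dist": (28672, "0000.0000.0002"),
    "access": (32768, "0000.0000.0003"),
}

if __name__ == "__main__":
    vlan = 10
    root = elect_root(SWITCHES, vlan)
    rid = bridge_id(SWITCHES[root][0], vlan, SWITCHES[root][1])
    print(f"root for VLAN {vlan}: {root} ({show_bridge_id(rid)})")
```

The `24586.000000000001` the script prints for VLAN 10 is exactly what `show spanning-tree vlan 10` shows as the root ID on a real switch: priority 24576 plus sys-id-ext 10. A rogue device announcing priority 0 produces a lower root ID than any legitimate switch, which is why root guard on access-facing ports is what keeps the topology from being redrawn around it.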
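Worked example for the VRRP and HSRP sections: the election rules both protocols share, driven through the R1/R2 scenario of the VRRP config example. This is an added example, not code from the original notes. It models highest priority wins, ties broken by the numerically highest interface address, an incumbent only replaced when the better router has preemption enabled, and interface/object tracking lowering the priority of a router that loses its uplink. Router data is constructed; the VRRP address-owner priority 255 is not modelled.

```python
"""Active/master election for VRRP and HSRP.

Added example; not code from the original notes. Router data is constructed.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Optional, Tuple


@dataclass
class Router:
    name: str
    ip: str
    priority: int
    preempt: bool            # VRRP defaults to True, HSRP to False
    alive: bool = True       # False once hellos/advertisements stop
    tracked_up: bool = True  # state of the tracked interface/object
    track_decrement: int = 10

    def effective_priority(self) -> int:
        if self.tracked_up:
            return self.priority
        return max(self.priority - self.track_decrement, 1)

    def key(self) -> Tuple[int, int]:
        """Comparison key: priority first, interface IP as the tie-breaker."""
        return (self.effective_priority(), int(IPv4Address(self.ip)))


def elect(routers: List[Router], current: Optional[str] = None) -> str:
    """Return the name of the active (HSRP) / master (VRRP) router.

    current is the router holding the role now, or None for a cold start."""
    alive = [r for r in routers if r.alive]
    if not alive:
        raise RuntimeError("no router is up")
    best = max(alive, key=Router.key)
    holder = next((r for r in alive if r.name == current), None)
    if holder is None:          # cold start, or the holder stopped sending hellos
        return best.name
    if best is not holder and best.preempt and best.key() > holder.key():
        return best.name        # preemption: the better router takes over
    return holder.name          # otherwise the incumbent keeps the role


def failover_timeline(r1: Router, r2: Router) -> List[str]:
    """Replay the two-router scenario from the config example and record who
    holds the role after each event."""
    routers = [r1, r2]
    out = [elect(routers)]                     # both up
    r1.alive = False
    out.append(elect(routers, out[-1]))        # r1 fails
    r1.alive = True
    out.append(elect(routers, out[-1]))        # r1 returns: depends on its preempt flag
    return out


if __name__ == "__main__":
    r1 = Router("R1", "192.0.2.1", 200, preempt=True)
    r2 = Router("R2", "192.0.2.2", 100, preempt=False)
    print(failover_timeline(r1, r2))           # ['R1', 'R2', 'R1']
```

The tracking case is the one that bites in practice: when R1's uplink goes down its priority drops below R2's, but R2 only becomes active if R2 itself has preemption enabled, so an HSRP pair with tracking and no `standby preempt` on the standby router keeps forwarding into a dead uplink.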
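Worked example for the Access Control List section: a first-match evaluator with IOS wildcard masks. This is an added example, not code from the original notes. It implements the rules stated there (entries tested in order, the first match decides, implicit deny at the end, an empty applied list permits everything) for a simplified subset of the extended ACL syntax shown on the page: `{permit|deny} <proto> <src> <dst> [eq <port>]`, where an address is `host A`, `any` or `A WILDCARD`. The ACL and the packets are constructed.

```python
"""First-match ACL evaluation with IOS wildcard masks.

Added example; not code from the original notes. Supports a subset of the
extended ACL syntax: '{permit|deny} proto src dst [eq port]'.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Optional, Tuple

_ALL = 0xFFFFFFFF


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard semantics: a 0 bit in the mask must match, a 1 bit is ignored.
    Unlike a subnet mask, the 1 bits need not be contiguous."""
    a, b, w = (int(IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & _ALL
    return (a & care) == (b & care)


@dataclass
class ACE:
    action: str                      # 'permit' or 'deny'
    protocol: str                    # 'ip' matches every protocol
    src: str
    src_wc: str
    dst: str
    dst_wc: str
    dst_port: Optional[int] = None   # 'eq <port>' on the destination (tcp/udp)

    def matches(self, pkt: dict) -> bool:
        if self.protocol != "ip" and self.protocol != pkt["proto"]:
            return False
        if not wildcard_match(pkt["src"], self.src, self.src_wc):
            return False
        if not wildcard_match(pkt["dst"], self.dst, self.dst_wc):
            return False
        if self.dst_port is not None and pkt.get("dport") != self.dst_port:
            return False
        return True


def parse_ace(line: str) -> ACE:
    """Parse one entry, e.g. 'permit tcp 192.168.1.0 0.0.0.255 host 10.0.0.5 eq 22'."""
    tok = line.split()
    action, proto, pos = tok[0], tok[1], 2
    if action not in ("permit", "deny"):
        raise ValueError(f"bad action: {action}")

    def take_addr() -> Tuple[str, str]:
        nonlocal pos
        if tok[pos] == "any":                 # keyword any = 0.0.0.0 255.255.255.255
            pos += 1
            return "0.0.0.0", "255.255.255.255"
        if tok[pos] == "host":                # keyword host = <addr> 0.0.0.0
            pos += 2
            return tok[pos - 1], "0.0.0.0"
        pos += 2
        return tok[pos - 2], tok[pos - 1]

    src, src_wc = take_addr()
    dst, dst_wc = take_addr()
    port = None
    if pos < len(tok) and tok[pos] == "eq":
        port = int(tok[pos + 1])
    return ACE(action, proto, src, src_wc, dst, dst_wc, port)


def evaluate(acl: List[ACE], pkt: dict) -> Tuple[str, Optional[int]]:
    """Return (action, index of the matching entry); index None means the implicit
    deny decided. An ACL with no entries permits everything, as IOS does when an
    empty list is applied to an interface."""
    if not acl:
        return "permit", None
    for idx, ace in enumerate(acl):
        if ace.matches(pkt):
            return ace.action, idx
    return "deny", None


# Constructed ACL: SSH from the LAN to one server, nothing else from the LAN to the
# server subnet, everything else allowed.
SAMPLE_ACL = [parse_ace(l) for l in (
    "permit tcp 192.168.1.0 0.0.0.255 host 10.0.0.5 eq 22",
    "deny ip 192.168.1.0 0.0.0.255 10.0.0.0 0.0.0.255",
    "permit ip any any",
)]

if __name__ == "__main__":
    for pkt in ({"proto": "tcp", "src": "192.168.1.7", "dst": "10.0.0.5", "dport": 22},
                {"proto": "tcp", "src": "192.168.1.7", "dst": "10.0.0.5", "dport": 443},
                {"proto": "icmp", "src": "172.16.0.1", "dst": "10.0.0.5"}):
        print(pkt, "->", evaluate(SAMPLE_ACL, pkt))
```

Swapping the first two entries of `SAMPLE_ACL` turns the SSH permit into a dead entry, which is the ordering mistake sequence numbers exist to fix; dropping the final `permit ip any any` lets the implicit deny block all remaining traffic.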