cisco troubleshooting training 1. day ip addressing, routing and bridging basics ospf routing...
TRANSCRIPT
Cisco Troubleshooting training
• 1. day
• IP addressing, routing and bridging basics
• OSPF routing protocol
• BGP routing protocol
• 2. day
• Cisco 2600 and 7200 family overview
• Troubleshooting techniques on Cisco routers
• Configuration analysis
Synergon Informatika Rt.
IP Address Configuration
Synergon Informatika Rt.
TCP/IP Address Overview
IP Addressing
Network Host
32 Bits
8 Bits 8 Bits 8 Bits 8 Bits
172 . 16 . 122 . 204
Class A:
Class B:
Class C:
Class D: for multicast
Class E: for research
N= Network number assigned by NIC
H= Host number assigned by network administrator
IP Address Classes
N H H H
N N H H
N N N H
Recognizing Classes in IP Addresses (First Octet Rule)
High OrderBits
Octet in Decimal
AddressClass
0
10
110
1 - 126
128 - 191
192 - 223
A
B
C
Synergon Informatika Rt.
Configuring IP Addresses
Host Addresses
172.16.200.1
172.16.3.10
172.16.12.12
10.1.1.1
10.250.8.11
10.180.30.118
IP:172.16.2.1 IP:10.6.24.2
172.16
Network12 . 12
Host
. Routing TableNetwork Interface172.16.0.0 E0 10.0.0.0 E1
E0 E1
Subnetting Addressing
172.16.2.200
172.16.2.2
172.16.2.160
172.16.3.5
172.16.3.100
172.16.3.150
IP:172.16.2.1 IP:172.16.3.1
172.16
Network
2
Subnet
. New Routing TableNetwork Interface172.16.2.0 E0 172.16.3.0 E1
E0 E1
. 160
Host
Subnet Mask
IP Adresses
DefaultSubnet Mask
8-bitSubnet
Mask
172 16 0 0
255 255 0 0
255 255 255 0
Network Host
Network Host
Network HostSubnet
Use host bits, starting at the high order bit position
Broadcast Address
172.16.3.0
172.16.3.0
172.16.1.0
172.16.3.255 (Directed broadcast)
172.16.2.0
255.255.255.255(Local Network broadcast) XX
Assigns an address and subnet mask Start IP processing on an interface
ip address ip-address subnet-maskip address ip-address subnet-mask
term ip netmask-formatterm ip netmask-format
Sets format of network mask as seen in show commands
Router (config) #
Router (config-if) #
IP Address Configuration
Define statics host name to IP address mapping
ip host name [tcp-port-number] address [address] . . .ip host name [tcp-port-number] address [address] . . .
ip host tokyo 1.0.0.5 2.0.0.8ip host tokyo 1.0.0.4
ip host tokyo 1.0.0.5 2.0.0.8ip host tokyo 1.0.0.4
Hosts/interfaces selectable by name or IP address
Router (config) #
IP Host Names
Specifies one or more hosts that
supply host name information
ip name-server server-address1 [[server-address2] . . . [server-address6]
ip name-server server-address1 [[server-address2] . . . [server-address6]
Router (config) #
Name Server Configuration
DNS enables by default
Turns off the name service
ip domain-lookupip domain-lookup
Router (config) #
Router (config) #
no ip domain-lookupno ip domain-lookup
Name System
Test IP network connectivity
Router> ping 172.16.101.1Type escape sequence to abort
timeout is 2 second Success rate is 80 percent, round-trip min/avg/max = 6/6/6 msRouter>
Router> ping 172.16.101.1Type escape sequence to abort
timeout is 2 second Success rate is 80 percent, round-trip min/avg/max = 6/6/6 msRouter>
Sending 5, 100-byte ICMP Echos to 172.16.101.1,
. ! ! ! !
Simple Ping
Ping supported for several protocols
Router# ping
Repeat count [5]:Datagram size [100]:Timeout in second [2]:Extended commands [n] : zSource address:Type of service [0]:
Data pattern [0xABCD]:Loose, Strict, Record, Timestamp, Verbose[none]:Sweep range of siyes [n]:Tzpe escape sequence to abort.Sending 5, 100/bzte ICMP Echos to 192.168.101.162, timeout is 2 second:! ! ! ! !Success rate is 100 percent (5/5), round-trip min/avg/max = 24/26/28 msRouter#
Router# ping
Repeat count [5]:Datagram size [100]:Timeout in second [2]:Extended commands [n] : zSource address:Type of service [0]:
Data pattern [0xABCD]:Loose, Strict, Record, Timestamp, Verbose[none]:Sweep range of siyes [n]:Tzpe escape sequence to abort.Sending 5, 100/bzte ICMP Echos to 192.168.101.162, timeout is 2 second:! ! ! ! !Success rate is 100 percent (5/5), round-trip min/avg/max = 24/26/28 msRouter#
Protocol [ip]:Target IP address: 192.168.101.162
Set DF bit in IP header? [no] : yes
Extended Ping
Shows interface addresses used to reach the
destination
Router# trace aba.nyc.milType escape sequence to abort.
1 debris.cisco.com (172.16.1.6) 1000 msec 8 msec 4 msec 2 barrnet-gw.cisco.com (172.16.16.2) 8 msec 8 msec 8 msec 3 externa-a-gateway.stanford.edu (192.42.110.225) 8 msec 4 msec 4 msec 4 bb2.su.barrnet.net (131.119.254.6) 8msec 8 msec 8 msec 5 su.arc.barrnet.net (131.119.3.8) 12 msec 12 msec 8 msec 6 moffett-fld-mb.in.mil (192.52.195.1) 216 msec 120 msec 132 msec
Router# trace aba.nyc.milType escape sequence to abort.
1 debris.cisco.com (172.16.1.6) 1000 msec 8 msec 4 msec 2 barrnet-gw.cisco.com (172.16.16.2) 8 msec 8 msec 8 msec 3 externa-a-gateway.stanford.edu (192.42.110.225) 8 msec 4 msec 4 msec 4 bb2.su.barrnet.net (131.119.254.6) 8msec 8 msec 8 msec 5 su.arc.barrnet.net (131.119.3.8) 12 msec 12 msec 8 msec 6 moffett-fld-mb.in.mil (192.52.195.1) 216 msec 120 msec 132 msec
7 aba.nyc.mil (26.0.0.73) 412 msec * 664 msec
Tracing the route to aba.nyc.mil (26.0.0.73)
IP Trace
Summary
IP addresses are specified in 32-bit dotted decimal format
Router interface can be configured with an IP address
ping and trace commands can be used to verify IP address configuration
Synergon Informatika Rt.
IP Routing Configuration
• Static routes
• Default routes
• Dynamic routing
• Static routes
• Default routes
• Dynamic routing
IP Routing Learns Destinations
Define a path to an IP destination network or
subnet
ip route network [mask] {address | interface } [distance]ip route network [mask] {address | interface } [distance]
Router (config) #
Static Route Configuration
Cisco BCisco A
S1
S0S2 S0
E0
172.16.2.1
172.16.2.2
ip route 172.16.1.0 255.255.255.0 172.16.2.1ip route 172.16.1.0 255.255.255.0 172.16.2.1
Static Route Configuration
Define a default route
Router (config) #
ip default-network network-numberip default-network network-number
Default Route Configuration
Network 172.16.0.0Subnet Mask 255.255.255.0
Company X Public Network
192.168.17.0
router ripnetwork 172.16.0.0network 192.168.17.0ip default-network 192.168.17.0
router ripnetwork 172.16.0.0network 192.168.17.0ip default-network 192.168.17.0
Cisco A
Cisco A
Default Route Example
RIP
IGRP
Interior Routing Protocols:
Exterior Routing Protocols
Autonomous System 100 Autonomous System 200
Interior or Exterior Routing Protocols
Router (config)# router ?bgp Border Gateway Protocol (BGP)egp Exterior Gateway Protocol (EGP)eigrp Enhanced Interior Gateway Routing Protocol (EIGRP)igrp Interior Gateway Routing Protocol (IGRP)isis ISO-IS ISiso-igrp IGRP for OSI networkmobile Mobile routerodr On Demand stub Routerospf Open Shorted Path First (OSPF)rip Routing Information Protocol (RIP)static Static routes
Router (config) # router rip
Router configuration commands: default-information control distribution of default information default-metric Set metric of redistrative router distance Define an administrative distance distance-list Filter network in routing updates exit Exit from routing protocol configuration mode--- More ---
Router (config)# router ?bgp Border Gateway Protocol (BGP)egp Exterior Gateway Protocol (EGP)eigrp Enhanced Interior Gateway Routing Protocol (EIGRP)igrp Interior Gateway Routing Protocol (IGRP)isis ISO-IS ISiso-igrp IGRP for OSI networkmobile Mobile routerodr On Demand stub Routerospf Open Shorted Path First (OSPF)rip Routing Information Protocol (RIP)static Static routes
Router (config) # router rip
Router configuration commands: default-information control distribution of default information default-metric Set metric of redistrative router distance Define an administrative distance distance-list Filter network in routing updates exit Exit from routing protocol configuration mode--- More ---
Router (config-router) # ?
IP Routing Protocol Mode
Application
Transport
Internet
Network InterfaceHardware
Routing Information Protocols (RIP)
Interior Gateway Routing Protocols (IGRP)
Open Shorted Path First Protocols (OSPF)
Enhanced IGRP (EIGRP)
Interior IP Routing Protocols
Global configuration– Select routing protocol(s)
– Specify network(s)
Interface configuration– Verify address/subnet mask
Network 172.30.0.0
Network 172.16.0.0
IGRP
RIP
RIP
IGRP, RIP
Network 160.89.0.0
IP Routing Configuration Tasks
Defines an IP routing protocol
Router (config) #
router protocol [keyword]router protocol [keyword]
Router (config-router) #
Network network-numberNetwork network-number
The network subcommand is a mandatory configuration command for each IP routing process
Dynamic Routing Configuration
Summary
Routers can be configured to use one or more IP routing protocols
Two IP routing protocols are:
RIP
IGRP
Synergon Informatika Rt.
TCP/IP Access Lists
• Limit traffic and restrict network use
• Enable directed forwarding of broadcasts
FTP X
XBroadcast
Managing IP Traffic Overview
Access lists control packet movement through a network
Transmission of packets on an interface
Virtual terminal line access ( IP)
Access List Application
Access lists are multipurpose
Route filteringRoutingtable
Dial-on-demand routingQueueList
Priority and custom queuing
Other Access List Uses
Standard lists (1 to 99) test conditions of all IP packets from
source addresses
Extended lists (100 to 199) can test conditions of – Source and destination addresses
– Specific TCP/IP-suite protocols
– Destination
Wildcard bits indicate how to check the corresponding
address bits (0=check, 1=ignore)
Key Concepts for IP Access Lists
0 means check corresponding bit value
1 means ignore value of corresponding bit
128 64 32 16 8 4 2 1
0 0 0 0 0 0 0 0 =
0 0 1 1 1 1 1 1 =
0 0 0 0 1 1 1 1 =
0 0 0 0 0 0 1 1 =
1 1 1 1 1 1 1 1 =
Octet bit position and address value for bit
Check all address bits (match all)
Ignore last 6 address bits
Ignore last 4 address bits
Ignore last 2 address bits
Do not check address (ignore bits in octet)
Examples
How to Use Wildcard Mask Bits
Address and wildcard mask: 172.30.16.0 0.0.15.255
IP access list test conditions:Check for IP subnets 172.30.16.0 to 172.30.31.0
network.host 172.30.16.00
0 0 0 1 0 0 0 0
Wildcard mask to match bits: 0000 1111 check ignore
How to Use Wildcard Mask Bits (cont.)
Accept any address: 0.0.0.0 255.255.255.255; abbreviate the expression using the keyword any
Test conditions: Ignore all the address bits (match any)
Any IP address 0 . 0 . 0 . 0
Wildcard mask: 255.255.255.255(ignore all)
How to Use the Wildcard any
Abbreviate the wildcard using the IP address followed by the keyword host. For example, 172.30.16.29 host
Example 172.30.16.29 0.0.0.0 checks all the address bits
Test conditions: Check all the address bits (match all)
An IP host address, for example:172.30.16.29
Wildcard mask: 0.0.0.0(check all bits)
How to Use the Wildcard host
• Sets parameters for this list entry
• IP standard access lists use 1 to 99
Router (config) #
access-list access-list-number { permit | deny } source [source-mask] access-list access-list-number { permit | deny } source [source-mask]
Router (config) #
ip access-group access-list-number { in | out } ip access-group access-list-number { in | out }
• Activates the list on an interface
IP Standard Access List Configuration
For Standard IP Access Lists
Incoming packet Access list?
Next entry in list Does sourceaddress match?
Apply condition
More entries?
Route tointerfaceDeny Permit
No
No
No
Yes
Yes
Yes
ICMP Message Forward Packet
Inbound Access List Processing
For Standard IP Access Lists
Incoming packet Access list?
Next entry in list Does sourceaddress match?
Apply condition
More entries?
Deny Permit
No
No
No
Yes
Yes
Yes
ICMP Message Forward Packet
Route tointerface
Outbound Access List Processing
Permit my network only
E0 E1S0 172.16.4.13
172.16.3.0 Non- 172.16.0.0
172.16.4.0
access-list 1 permit 172.16.0.0 0.0.255.255 (implicit deny all - not visible in the list) (access-list 1 deny 0.0.0.0 255.255.255.255)
interface ethernet 0ip accress-group 1 outinterface ethernet 1ip access-group 1 out
access-list 1 permit 172.16.0.0 0.0.255.255 (implicit deny all - not visible in the list) (access-list 1 deny 0.0.0.0 255.255.255.255)
interface ethernet 0ip accress-group 1 outinterface ethernet 1ip access-group 1 out
Standard Access List Example
Allow more precise filtering conditions
– check source and destination IP address
– Specify an optional IP protocol port number
– Use access list number range 100 to 199
Extended IP Access Lists
• Activates the extended list on an interface
• Sets parameters for this list entry
• IP uses a list number in range 100 to 199
Router (config) #
access-list access-list-number { permit | deny } protocol source source-mask destination destination-mask [operator operand] [established]
access-list access-list-number { permit | deny } protocol source source-mask destination destination-mask [operator operand] [established]
ip access-group access-list-number { in | out } ip access-group access-list-number { in | out }
Extended Access List Configuration
Filters based on icmp messages
Router (config) #
access-list access-list-number { permit | deny } {source source-wildcard |any}
{destination destination-wildcard | any }
access-list access-list-number { permit | deny } {source source-wildcard |any}
{destination destination-wildcard | any } [icmp-type [ icmp-code] | icmp-message ]
icmp
ICMP Command Syntax
Filters based on tcp/tcp port number or name
access-list access-list-number { permit | deny } [ operator source-port| source-port] {destination destination-wildcard | any }
access-list access-list-number { permit | deny } [ operator source-port| source-port] {destination destination-wildcard | any }
Router (config) #
[operator destination-port | destination-port ][established]
{source source-wildcard |any}tcp
TCP Syntax
Filters based on udp protocol or udp port number or name
access-list access-list-number { permit | deny } {source source-wildcard |any}
[ operator source-port| source-port ] {destination destination-wildcard | any }
access-list access-list-number { permit | deny } {source source-wildcard |any}
[ operator source-port| source-port ] {destination destination-wildcard | any }
Router (config) #
udp
[operator destination-port | destination-port ]
UDP Syntax
Access list?
Source address
Destination address
Protocol? *
Protocol options ?
Apply condition
Deny Permit
Next entry in listNext entry in list
ICMP Message
Match
Match
Match
Match
Yes
Forward Packet
Does not match
No
* If present in access list
packet
Extended Access List Processing
Deny FTP for E0
E0 E1S0 172.16.4.13
172.16.3.0 Non- 172.16.0.0
172.16.4.0
access-list 101 deny tcp 172.16.4.0 0.0.0.255. 172.16.3.0 0.0.0.255 eq 21 access-list 101 deny tcp 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255 eq 20 access-list 101 permit ip 172.16.4.0 0.0.0.255 0.0.0.0 255.255.255.255 (implicit deny all)
(access-list 101 deny ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255)
interface ethernet0ip address-group 101 out
access-list 101 deny tcp 172.16.4.0 0.0.0.255. 172.16.3.0 0.0.0.255 eq 21 access-list 101 deny tcp 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255 eq 20 access-list 101 permit ip 172.16.4.0 0.0.0.255 0.0.0.0 255.255.255.255 (implicit deny all)
(access-list 101 deny ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255)
interface ethernet0ip address-group 101 out
Extended Access List Example
Router# show ip interface
Ethernet 0 is up, line protocol is up Internet address is 192.54.222.2, subnet mask is 255.255.255.0 Broadcast address is 255.255.255.255 Address determined by non-volatile memory MTU is 1500 byte Helper address is 192.52.71.4 Secondary address 131.182.115.2, subnet mask 255.255.255.0
Proxy ARP is enabled Security level is default Slit horizon is enabled ICMP redirects are always sent ICMP unreachables are always sent Ip fast switching is enabled Gateway Discovery is disabled IP accounting is disabled TCP/IP header compression is disabled Probe proxy name replies are disabled Router #
Router# show ip interface
Ethernet 0 is up, line protocol is up Internet address is 192.54.222.2, subnet mask is 255.255.255.0 Broadcast address is 255.255.255.255 Address determined by non-volatile memory MTU is 1500 byte Helper address is 192.52.71.4 Secondary address 131.182.115.2, subnet mask 255.255.255.0
Proxy ARP is enabled Security level is default Slit horizon is enabled ICMP redirects are always sent ICMP unreachables are always sent Ip fast switching is enabled Gateway Discovery is disabled IP accounting is disabled TCP/IP header compression is disabled Probe proxy name replies are disabled Router #
Outgoing access list 10 is setInbound access list is not set
Monitoring Access Lists
• Display access lists from all protocols
Router #
show access-listsshow access-lists
• Display a specific IP access lists
Router #
show ip access-lists [access-list-number]show ip access-lists [access-list-number]
• Clear packet counts
Router #
clear access-lists counters [ access-list-number]clear access-lists counters [ access-list-number]
• Display line configuration
Router #
show lineshow line
Access List show Command
Router> show access-lists
Standard IP access list 19permit 172.16.19.0
Standard Ip access list 49permit 172.16.31.0 wildcard bits 0.0.0.255permit 172.16.194.0 wildcard bits 0.0.0.255permit 172.16.195.0 wildcard bits 0.0.0.255permit 172.16.196.0 wildcard bits 0.0.0.255permit 172.16.197.0 wildcard bits 0.0.0.255
Extended IP access list 101permit tcp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 eq 23
Type code access list 201permit 0x6001 0x0000
Type code access list 202permit 0x6004 0x0000deny 0x0000 0xFFFF
Router>
Router> show access-lists
Standard IP access list 19permit 172.16.19.0
Standard Ip access list 49permit 172.16.31.0 wildcard bits 0.0.0.255permit 172.16.194.0 wildcard bits 0.0.0.255permit 172.16.195.0 wildcard bits 0.0.0.255permit 172.16.196.0 wildcard bits 0.0.0.255permit 172.16.197.0 wildcard bits 0.0.0.255
Extended IP access list 101permit tcp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 eq 23
Type code access list 201permit 0x6001 0x0000
Type code access list 202permit 0x6004 0x0000deny 0x0000 0xFFFF
Router>
deny 0.0.0.0, wildcard bits 255.255.255.255
Monitoring Access List Statements
Synergon Informatika Rt.
Restricting Virtual Terminal Access
Standard and extended access lists will not block access from the router
For security, virtual terminal (vty) access can be blocked to or from the router
XX
Router#Router#
Virtual Terminal Access Overview
Five virtual terminal lines (0-4)
Set identical restrictions on all the virtual terminal lines
Router#Router#
01 2 3
4 Virtual port (vty 0 4)
Physical port (E0)
How to Control vty Access
Restricts incoming and outgoing connections between a particular virtual terminal line into a device (and the addresses in an access list)
Router (config) #
Line { vty number | vty-range}Line { vty number | vty-range}
• Enters configuration mode for a terminal line or a range of lines
Router (config/line) #
access-class access-list-number { in | out } access-class access-list-number { in | out }
Virtual Terminal Line Commands
Virtual Terminal Access Example
Permits only hosts in netwrok 192.89.55.0 to
connect to the virtual terminal ports on the
router
Controlling Inbound Access
Access-list 12 permit 192.89.55.0 0.0.0.255!Line vty 0 4access-class 12 in
Access-list 12 permit 192.89.55.0 0.0.0.255!Line vty 0 4access-class 12 in
Synergon Informatika Rt.
Bridging Overview
Introduction to Bridging
Bridges interconnect LANs to form the appearance of a single
larger LAN
OSI Model
7 Application6 Presentation5 Session4 Transport3 Network2 Data Link1 Physical
Nonrouted Protocol Support
Cisco routers support many bridging options including:
– Transparent bridging
– Encapsulated bridging
– Integrated routing and bridging (IRB)
– Source-route bridging (SRB)
– Source-route transparent bridging (SRT)
– Source-route translational bridging (SR/TLB)
Routing and Bridging
Network Address
MAC Address
MAC Address
Nonroutable protocols
Routable protocols4
3
2
1
4
3
2
1
Basic Route/Bridge Operation
Bridging software
Incoming packet
Routing softwareRoutable?
Network-layer
protocol running?
Configured for
Bridging?
Yes Yes
Yes
NoNo
No
Transparent Bridging
Bridge is transparent to end stations
Encapsulated Bridging
Bridge frames use serial or FDDI encapsulations
TokenRing
FDDI Dual Ring
FDDI Dual Ring
TokenRing
FrameFrame FrameSerial
Frame
C
A B
Integrated Routing and Bridging
Protocol A
Protocol A Protocol A
Protocol A Protocol AConcurrent Routing and Bridging
B
B
B
R
R
R
IRB
R = Routed Interface
B = Bridging Interface
XX
Source-Route Bridging
Source responsible for determining path to destination before sending data
Ring 500: B1: Ring 501
Source Destination
B1
Performs SRB or transparent bridging Provides no translation
Source-Route Transparent Bridging
TokenRing
TokenRing
Token Ring
Token Ring
Translates between bridging domains
Source-Route Transparent Bridging
TokenRing
Token Ring
B
SRB
TB
Ethernet
A
Summary
Cisco routers offer several kinds of nonrouted protocol support:
Transparent bridging
Integrated routing and bridging (IRB) for transparently bridged networks
Source-route bridging (SRB)
Source-route transparent bridging (SRT)
Source-route translational bridging (SR/TLB)