Posted on 19-Jan-2021 (26 pages)

Page 1 (notes dated 2019. 10. 20.)

ICND 2 Material

Configuring VLANs
Until you exit out of the VLAN prompt, the vlan is not applied.
do sh vlan id 2 - shows VLAN 2

When configuring an L2 port, switchport makes the port an L2 port.
no switchport makes the port an L3 port for routing.

To make a switchport an access port, use switchport mode access.
To put the switchport onto a VLAN, use switchport access vlan #

By default VLAN 1 is the native VLAN.

To clear the configuration on the port: default int fa1/0/12

Configuring PoE phones
sh cdp neighbors or sh power inline shows what is drawing PoE power.
QoS: auto qos voip cisco-phone sets up Cisco QoS on a switchport.

Trunk port:
switchport mode trunk
do sh int f1/0/1 trunk shows the trunking status for that interface.

Native VLAN: switchport trunk native vlan 200

ISL:
Cisco proprietary
No native VLANs
Encapsulates Ethernet frames with an ISL VLAN header

802.1Q:
Standard protocol
Supports native VLANs
The VLAN header is inserted into the existing Ethernet frame

do sh interface 1/0/1 switchport - shows full detail of the switchport

switchport trunk encapsulation dot1q / isl - switches the encapsulation method between the two modes

Page 2

Trunking modes:
Dynamic Desirable - attempts to form a trunk
Dynamic Auto - passively attempts to form a trunk
Trunk - always negotiates a trunk
Nonegotiate - never negotiates a trunk

To set this, use switchport mode dynamic / trunk / access

Allowing VLANs through a trunk:
switchport trunk allowed vlan 1

VTP: Cisco proprietary

You must create a VTP domain for VTP to work.
With VTP, any VLANs configured on the VTP server can be pushed out to the other switches.

Every time you make a change to VTP, the revision number changes.
If a switch's revision number is higher, it updates the VTP domain.
If it is lower, it does not update VTP.

VTP pruning: switches inform each other which VLANs they have in use, so a switch can dynamically restrict which VLANs are allowed on a trunk port.

VTP configuration:
vtp version 2
vtp mode server
vtp domain LAB
vtp password cisco

sh vtp status - good command to run after setting up VTP to double-check the configuration
sh vtp password - outputs the configured VTP password

vtp mode transparent
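The revision-number rule above is the one that bites in practice: a switch with a higher revision in the same domain (and with the same password) overwrites everyone's VLAN database, deletions included. As an added example that is not part of these notes, the Python below models that decision and the usual precaution (put the switch in transparent mode, which resets its revision to 0, before connecting it). Switch names, VLANs and the class and function names are constructed; the digest helper stands in for the MD5 that real VTP computes over its summary advertisement.

```python
import hashlib
from dataclasses import dataclass, field


def vtp_digest(domain: str, password: str) -> str:
    """Stands in for the MD5 digest real VTP carries in its summary advertisement."""
    return hashlib.md5(f"{domain}:{password}".encode()).hexdigest()


@dataclass
class Advertisement:
    domain: str
    digest: str
    revision: int
    vlans: dict            # VLAN id -> name


@dataclass
class VtpSwitch:
    name: str
    domain: str
    password: str
    mode: str = "client"   # server, client or transparent
    revision: int = 0
    vlans: dict = field(default_factory=lambda: {1: "default"})

    def advertise(self) -> Advertisement:
        return Advertisement(self.domain, vtp_digest(self.domain, self.password),
                             self.revision, dict(self.vlans))

    def receive(self, adv: Advertisement) -> str:
        if self.mode == "transparent":
            return "ignored: transparent mode keeps its own VLAN database"
        if adv.domain != self.domain:
            return "ignored: domain mismatch"
        if adv.digest != vtp_digest(self.domain, self.password):
            return "ignored: password mismatch"
        if adv.revision <= self.revision:
            return f"ignored: revision {adv.revision} is not higher than {self.revision}"
        # Higher revision wins and the WHOLE database is replaced, deletions included.
        self.vlans = dict(adv.vlans)
        self.revision = adv.revision
        return f"applied: revision {self.revision}, vlans {sorted(self.vlans)}"

    def set_mode(self, mode: str) -> None:
        """Switching to transparent (or changing the domain name) resets the revision to 0."""
        if mode == "transparent":
            self.revision = 0
        self.mode = mode


def demo() -> dict:
    def production():
        return VtpSwitch("access-1", "LAB", "cisco", "client", revision=5,
                         vlans={1: "default", 10: "users", 20: "voice"})

    # A switch off a lab shelf: same domain and password, higher revision, almost no VLANs.
    stale = VtpSwitch("old-lab", "LAB", "cisco", "server", revision=9, vlans={1: "default"})
    out = {}
    prod = production()
    out["plugged_in_as_is"] = prod.receive(stale.advertise())
    out["vlans_after"] = sorted(prod.vlans)          # users and voice VLANs are gone
    stale.set_mode("transparent")                    # the reset step before connecting it
    stale.set_mode("server")
    prod = production()
    out["plugged_in_after_reset"] = prod.receive(stale.advertise())
    out["vlans_after_reset"] = sorted(prod.vlans)
    out["other_domain"] = prod.receive(
        Advertisement("CORP", vtp_digest("CORP", "cisco"), 99, {1: "default"}))
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```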

STP – What does it do?

Layered approach for redundancy with the built-in ability to disable links until they are needed.
It stops network loops / broadcast storms.

Page 3

How does it do this?
1. Elects a root bridge
2. Finds the best path to the root
   a. Lowest cost
   b. Lowest bridge ID
   c. Lowest port number
3. Blocks whatever is left over

Link bandwidth – STP cost
10Mbps – 100
100Mbps – 19
1Gbps – 4
10Gbps – 2

The BPDU protocol is used to send out hello "pings" to neighbor switches to check whether the switch is up or not. If the switch is not detected on the link and a redundant link is detected between those two switches, it brings up the secondary link.

Common Spanning Tree (CST or STP – 802.1D): 40/50 convergence time

Per-VLAN Spanning Tree (PVST+): allows per-VLAN root bridges

Rapid Spanning Tree (RSTP – 802.1W): much faster spanning tree convergence time. Almost no downtime.

Per-VLAN Rapid Spanning Tree (PVRST)
Multiple Spanning Tree Protocol (MSTP – 802.1S)

How the root bridge is elected
It looks at the bridge priority and the bridge MAC.
The bridge priority is a number between 0-65535.
The bridge MAC address is the MAC address the switch has when you pull it out of the box.

It combines the priority and the MAC to create a "Bridge ID".

** show spanning-tree **
This is the command to know for spanning tree.

The easiest way to elect the spanning tree root bridge is to set its priority to 4096 and the backup root bridge to 8192.

Spanning tree priority numbers can only be incremented in steps of 4096.

Page 4

The ability to look at a redundant link and tell which link will be active.

1) All of the switches find the best way to get to the root bridge. Each checks the cost of the link.

If there is a tie, it relies on the lowest bridge ID.
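As an added example that is not part of the original notes, the election and tie-break rules above modelled in Python: the Bridge ID is (priority, MAC) compared lowest-first, the root path cost is summed from the cost table on the previous page, and whatever is left over is blocked. The switch names, MACs and links are constructed sample data (SW1 at 4096 and SW2 at 8192 as the notes recommend, SW3 at the 32768 default), and the blocked-port rule is simplified to the three tie-breaks the notes list.

```python
import heapq
import re

# 802.1D port costs, matching the link-bandwidth table in the notes (key = Mbps).
STP_COST = {10: 100, 100: 19, 1000: 4, 10000: 2}


def priority_is_valid(priority: int) -> bool:
    """IOS accepts only multiples of 4096 between 0 and 61440."""
    return 0 <= priority <= 61440 and priority % 4096 == 0


def bridge_id(priority: int, mac: str) -> tuple:
    """Bridge ID as a comparable tuple: (priority, MAC). Tuples compare element by
    element, so the lowest priority wins and the lowest MAC breaks a tie."""
    if not priority_is_valid(priority):
        raise ValueError(f"priority {priority} is not a multiple of 4096 in 0-61440")
    mac = mac.lower()
    if not re.fullmatch(r"[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}", mac):
        raise ValueError(f"MAC {mac!r} must be written like 0000.1111.0001")
    return (priority, mac)


def elect_root(switches: dict) -> str:
    """Step 1: the lowest Bridge ID becomes the root bridge."""
    return min(switches, key=switches.__getitem__)


def path_costs(links: list, root: str) -> dict:
    """Dijkstra over port costs: every switch's cheapest total cost to the root."""
    adj = {}
    for a, _pa, b, _pb, mbps in links:
        adj.setdefault(a, []).append((b, STP_COST[mbps]))
        adj.setdefault(b, []).append((a, STP_COST[mbps]))
    dist = {root: 0}
    heap = [(0, root)]
    while heap:
        d, u = heapq.heappop(heap)
        if d > dist[u]:
            continue
        for v, cost in adj.get(u, []):
            if d + cost < dist.get(v, float("inf")):
                dist[v] = d + cost
                heapq.heappush(heap, (d + cost, v))
    return dist


def root_ports(switches: dict, links: list, root: str) -> dict:
    """Step 2: per non-root switch, (local port, cost, upstream switch) chosen by
    lowest cost, then lowest upstream Bridge ID, then lowest local port number."""
    dist = path_costs(links, root)
    chosen = {}
    for sw in switches:
        if sw == root:
            continue
        candidates = []
        for a, pa, b, pb, mbps in links:
            if a == sw:
                nbr, port = b, pa
            elif b == sw:
                nbr, port = a, pb
            else:
                continue
            candidates.append((dist[nbr] + STP_COST[mbps], switches[nbr], port, nbr))
        cost, _bid, port, nbr = min(candidates)
        chosen[sw] = (port, cost, nbr)
    return chosen


def blocked_ports(switches: dict, links: list, root: str) -> list:
    """Step 3: a link that is nobody's root port keeps forwarding only on the end
    closer to the root (tie: lower Bridge ID); the other end is blocked."""
    dist = path_costs(links, root)
    rp = root_ports(switches, links, root)
    blocked = []
    for a, pa, b, pb, _mbps in links:
        if rp.get(a, (None,))[0] == pa or rp.get(b, (None,))[0] == pb:
            continue
        if (dist[a], switches[a]) > (dist[b], switches[b]):
            blocked.append((a, pa))
        else:
            blocked.append((b, pb))
    return blocked


# Constructed sample topology. Links are (switch, port, switch, port, Mbps).
SWITCHES = {
    "SW1": bridge_id(4096, "0000.1111.0001"),
    "SW2": bridge_id(8192, "0000.1111.0002"),
    "SW3": bridge_id(32768, "0000.1111.0003"),
}
LINKS = [
    ("SW1", 1, "SW2", 1, 1000),
    ("SW1", 2, "SW3", 1, 100),
    ("SW2", 2, "SW3", 2, 1000),
]


def demo() -> tuple:
    root = elect_root(SWITCHES)
    return root, root_ports(SWITCHES, LINKS, root), blocked_ports(SWITCHES, LINKS, root)


if __name__ == "__main__":
    root, rps, blocked = demo()
    print("root bridge:", root)
    for sw, (port, cost, via) in rps.items():
        print(f"{sw}: root port {port} (cost {cost} via {via})")
    print("blocked:", blocked)
```

Note that SW3 does not use its direct 100 Mbps link to the root: two 1 Gbps hops (4 + 4 = 8) are cheaper than one 100 Mbps hop (19), so that direct link is the one that ends up blocked.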

Spanning tree "states" as an interface comes up:
Listening (15 seconds)
Learning (15 seconds)
Forwarding or Blocking

Spanning tree "PortFast"
You can enable PortFast on non-trunking links to bypass the listening and learning phases.

int g0/1
spanning-tree portfast
spanning-tree bpduguard enable

Stacking and chassis aggregation
Can link multiple switches together using a StackWise cable.
"show switch" – shows the current switches in the stack and their priority.

When stacking switches, the switches go through a switch master election to determine which one becomes the switch master. Switch master elections are based on the switch priority.

802.1X – EAP: adds authentication on the LAN

RADIUS
TACACS
TACACS+

An example of this is Cisco ISE.

DHCP snooping
DHCP snooping is the ability to trust a port so that it may send out DHCP addresses. Setting up DHCP snooping stops DHCP replies from ports that are not trusted. You would set up trusted ports (ports facing DHCP servers) to pass DHCP (per VLAN).

ip dhcp snooping - configures it globally

Page 5

ip dhcp snooping vlan 100 - turns on DHCP snooping for VLAN 100
int fa0/1
ip dhcp snooping trust (trusts the port for DHCP)

** You should trust the ports before turning on DHCP snooping **

sh ip dhcp snooping binding
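As an added example that is not from the notes, a small Python model of what the switch does once snooping is on for a VLAN: server-type messages (OFFER, ACK, NAK) arriving on untrusted ports are dropped, client messages pass, and the binding table shown by sh ip dhcp snooping binding is learned from ACKs seen on trusted ports. Port names, MAC addresses, IP addresses and the class names are constructed; the trusted-port and per-VLAN behaviour follows the commands listed above.

```python
from dataclasses import dataclass, field

# DHCP message types only a server should originate; the switch will not accept
# them from an untrusted port.
SERVER_MESSAGES = {"OFFER", "ACK", "NAK"}


@dataclass
class DhcpMessage:
    kind: str          # DISCOVER, OFFER, REQUEST, ACK or NAK
    port: str          # ingress switch port
    vlan: int
    client_mac: str    # chaddr
    yiaddr: str = ""   # address handed out (OFFER / ACK)


@dataclass
class DhcpSnooping:
    """Models 'ip dhcp snooping', 'ip dhcp snooping vlan N' and per-port
    'ip dhcp snooping trust'. Hypothetical class name, not IOS code."""
    snooping_vlans: set
    trusted_ports: set
    bindings: list = field(default_factory=list)        # (mac, ip, vlan, client port)
    _client_port: dict = field(default_factory=dict)    # (vlan, mac) -> port seen

    def process(self, m: DhcpMessage) -> str:
        if m.vlan not in self.snooping_vlans:
            return "forward (VLAN not inspected)"
        if m.port in self.trusted_ports:
            if m.kind == "ACK":
                # The binding table is learned from ACKs that arrive on a trusted port.
                port = self._client_port.get((m.vlan, m.client_mac))
                self.bindings.append((m.client_mac, m.yiaddr, m.vlan, port))
            return "forward (trusted port)"
        if m.kind in SERVER_MESSAGES:
            return f"drop: {m.kind} from untrusted port {m.port}"
        self._client_port[(m.vlan, m.client_mac)] = m.port
        return "forward (client message)"


# Constructed traffic: Fa0/1 faces the real DHCP server, Fa0/5 is a client,
# Fa0/7 is a host that starts answering DHCP on its own.
EVENTS = [
    DhcpMessage("DISCOVER", "Fa0/5", 100, "aa:aa:aa:00:00:01"),
    DhcpMessage("OFFER", "Fa0/1", 100, "aa:aa:aa:00:00:01", "10.0.100.20"),
    DhcpMessage("OFFER", "Fa0/7", 100, "aa:aa:aa:00:00:01", "10.0.100.250"),
    DhcpMessage("REQUEST", "Fa0/5", 100, "aa:aa:aa:00:00:01"),
    DhcpMessage("ACK", "Fa0/1", 100, "aa:aa:aa:00:00:01", "10.0.100.20"),
    DhcpMessage("ACK", "Fa0/7", 200, "aa:aa:aa:00:00:02", "10.0.200.250"),
]


def demo() -> tuple:
    snoop = DhcpSnooping(snooping_vlans={100}, trusted_ports={"Fa0/1"})
    verdicts = [snoop.process(m) for m in EVENTS]
    return verdicts, snoop.bindings


if __name__ == "__main__":
    verdicts, bindings = demo()
    for m, v in zip(EVENTS, verdicts):
        print(f"{m.kind:8} on {m.port} vlan {m.vlan}: {v}")
    print("bindings:", bindings)
```

The last event is the per-VLAN point from the notes: snooping was only enabled for VLAN 100, so the same kind of rogue ACK on VLAN 200 is forwarded uninspected.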

EtherChannel – a way to bond multiple connections together
Can bond up to 8 connections
Best practice is to connect an even number of connections
Also known as LAG (Link Aggregation)

Protocols
PAgP - Cisco proprietary
Modes: On, Desirable, Auto
Recommended: one switch Desirable and the other Auto to form the channel

LACP – industry standard
Modes: On, Active, Passive
Recommended: one switch Active and the other Passive to form the channel

Channel group command
channel-group: Active (LACP) or Desirable (PAgP)

Base interfaces must have an identical config (speed/duplex/mode/VLANs)

Best verification: "show etherchannel summary"

Configuring EtherChannel

Page 6

Configuring EtherChannel:
1: Default the interfaces
default int f1/0/1-2
int range f0/1-2
channel-group 1 mode on
show etherchannel summary

int Port-channel1
Make your switchport changes here.

show etherchannel summary

Repeat the configuration on the switch at the other end and the Po interface will come up.

IOS
The IOS decompresses the .bin from flash into RAM.

Config register values:
2100: ROMMON
2101: RXBoot
2102: Boot normally
2142: Ignore NVRAM

To reset the IOS password, boot the device into ROMMON mode and change the register value to ignore NVRAM (2142).

Change the config-register from inside IOS:
"conf t > config-register 0x2100" tells the switch to boot into ROMMON on the next boot.

From ROMMON:
confreg 2102 to get back to a normal boot

The Routing Table
Cisco Admin Distance Chart:

Connected 0

Static 1

eBGP 20

EIGRP (internal) 90

IGRP 100

OSPF 110

IS-IS 115

RIP 120

Page 7

EIGRP (external) 170

iBGP 200

EIGRP summary route 5

1 – Next hop
2 – Route specificity
3 – Administrative distance
4 – Metric
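The numbered list above is the order a router uses when several routes compete. As an added example that is not part of the notes, the Python below builds a routing table from candidate routes using the AD chart, then answers lookups by longest prefix match. The routes and addresses are constructed; the next-hop check is simplified to "the next hop lies inside a connected network" (real IOS can also resolve a next hop recursively through another route), and the function names are hypothetical.

```python
import ipaddress
from dataclasses import dataclass

# Administrative distances from the chart above (lower = more trusted).
ADMIN_DISTANCE = {
    "connected": 0, "static": 1, "eigrp-summary": 5, "ebgp": 20, "eigrp": 90,
    "igrp": 100, "ospf": 110, "is-is": 115, "rip": 120,
    "eigrp-external": 170, "ibgp": 200,
}


@dataclass(frozen=True)
class Route:
    prefix: str      # e.g. "10.1.0.0/16"
    source: str      # key into ADMIN_DISTANCE
    metric: int
    next_hop: str    # "" for connected routes


def next_hop_reachable(route: Route, connected: list) -> bool:
    """Step 1 (next hop): simplified to 'the next hop lies in a connected network'."""
    if route.source == "connected":
        return True
    nh = ipaddress.ip_address(route.next_hop)
    return any(nh in ipaddress.ip_network(c) for c in connected)


def build_table(candidates: list) -> dict:
    """Per prefix, install the lowest (AD, metric); equal ones are both installed."""
    connected = [r.prefix for r in candidates if r.source == "connected"]
    table = {}
    for r in candidates:
        if not next_hop_reachable(r, connected):
            continue                                    # never installed
        net = ipaddress.ip_network(r.prefix)
        rank = (ADMIN_DISTANCE[r.source], r.metric)     # steps 3 and 4
        best = table.get(net)
        if best is None or rank < best[0]:
            table[net] = (rank, [r])
        elif rank == best[0]:
            best[1].append(r)                           # equal cost: load shared
    return {net: routes for net, (_rank, routes) in table.items()}


def lookup(table: dict, destination: str) -> list:
    """Step 2 (route specificity): the longest matching prefix wins."""
    addr = ipaddress.ip_address(destination)
    matches = [net for net in table if addr in net]
    if not matches:
        return []
    return table[max(matches, key=lambda n: n.prefixlen)]


# Constructed candidates: three protocols offer 10.1.0.0/16, a static /24 sits
# inside it, two equal OSPF paths cover 10.2.0.0/16, and a default route points
# at a next hop that is not on any connected network.
CANDIDATES = [
    Route("192.0.2.0/24", "connected", 0, ""),
    Route("10.1.0.0/16", "rip", 2, "192.0.2.2"),
    Route("10.1.0.0/16", "ospf", 20, "192.0.2.1"),
    Route("10.1.0.0/16", "eigrp", 3000, "192.0.2.1"),
    Route("10.1.5.0/24", "static", 0, "192.0.2.9"),
    Route("10.2.0.0/16", "ospf", 10, "192.0.2.1"),
    Route("10.2.0.0/16", "ospf", 10, "192.0.2.2"),
    Route("0.0.0.0/0", "static", 0, "203.0.113.1"),
]


def demo() -> tuple:
    table = build_table(CANDIDATES)
    answers = {dst: [(r.source, r.next_hop) for r in lookup(table, dst)]
               for dst in ("10.1.5.7", "10.1.9.9", "10.2.1.1", "172.16.0.1")}
    return table, answers


if __name__ == "__main__":
    table, answers = demo()
    for net, routes in table.items():
        print(net, [(r.source, r.metric, r.next_hop) for r in routes])
    for dst, result in answers.items():
        print(dst, "->", result or "no route")
```

Two things worth noticing in the output: EIGRP wins 10.1.0.0/16 with a metric of 3000 against RIP's 2, because AD is compared before metric and metrics from different protocols are never compared with each other; and 10.1.5.7 is forwarded by the static /24 even though the /16 is also installed, because specificity is decided per lookup, not per installation.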

Dynamic routing protocols:
Distance vector: RIPv2 / IGRP
Periodic and triggered updates
Slow convergence
Direction (next hop) and distance

Advanced distance vector: EIGRP
Sends periodic and triggered updates
Fast convergence

Link state: OSPF / IS-IS
Event-driven updates
Fast convergence
Constructs a map of the topology

Interior routing protocols:
RIP / EIGRP / OSPF / IS-IS
Within a single AS

Exterior routing protocols:
BGP
Between multiple autonomous systems
Used for external routing between organizations

Distance Vector vs Link State

DV:
Only knows what its neighbors tell it
Memory / processor efficient
Loop prevention mechanisms needed

Page 8

LS:
Maintains a map of the network
Resource consuming
Loop-free by nature

Loop prevention:
Triggered updates – sends an update as soon as a route fails
Maximum metric – the maximum number of hops a route can go (16 hops)
Route poisoning
Split horizon – a router will not tell a neighbor about a route that the neighbor told it about in the first place; it will not send an update out the interface it received that update on.

OSPF:
Industry standard at one point
Link state
Uses areas
This is an RFC standard
TCP/IP
Dijkstra SPF algorithm

Useful OSPF commands:
sh ip ospf interface
sh ip ospf neighbor
sh ip protocols
clear ip ospf process

All areas must connect to Area 0, the "backbone".

Page 9

1- Determine your own router ID
   a. The router ID is simply the router's name in the OSPF process
   b. The name is the highest active interface IP address when OSPF starts
      i. Loopbacks beat physical interfaces

OSPF uses the Hello protocol to check whether a neighbor is up or not.
90% of troubleshooting is going to come down to neighbor relationships.

To hard-code the router ID:
"router-id 1.1.1.1"

The highest IP becomes the router ID if not hard-coded. Keep in mind that a loopback IP always beats a physical interface IP.

By default, the hello message is sent every 10 seconds.
Hello and dead timers on both ends need to be the same.
The network mask needs to be correct.
The area ID needs to match.

Master vs slave:
When a neighbor router is added, the two go through a process called master/slave election. The winner is whoever has the higher router ID.

1 – Router ID
2 – Hello messages to determine whether they are compatible
3 – They choose a master and a slave based on the highest router ID
4 – The master sends a database description (DBD), which is a summary of everything in its LSDB
5 – From there on the routers communicate by LSR (link state requests) and LSU (link state updates)
At this point they are considered neighbors and only communicate via Hello.

OSPF has a designated router in each area. All of the neighbor routers form a full relationship with the DR, and whenever a router goes down, the first router that receives the update that a router is down forwards it to the DR. The DR is designated to share with the rest of the routers that the route has failed.

Page 10

OSPF DR selection:

The DR is elected by the OSPF priority.
You can change this by going into an interface:
"conf t > int g1/0
ip ospf priority 2"

All routers out of the box have an OSPF priority of 1.
By leaving it at a priority of 0, it will be selected randomly.

Usually you'll want your bigger, beefier router to be the DR.

Adjusting OSPF metrics:
The formula for OSPF is: Cost = 100 / Bandwidth (Mbps)
Keep in mind that OSPF does not see decimals.

conf t > router ospf 1
auto-cost reference-bandwidth 100000
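As an added illustration that is not from the notes, the cost formula worked through in Python: integer division throws away the remainder, so with the default reference bandwidth of 100 Mbps every link at 100 Mbps or faster costs 1 and SPF cannot tell a 1G path from a 10G one; raising the reference to 100000 with the command above makes the difference visible again. The path names and the router list in the consistency check are constructed, and the function names are hypothetical.

```python
DEFAULT_REFERENCE_MBPS = 100   # IOS default; this is where the notes' "100 / Bandwidth" comes from


def ospf_cost(bandwidth_kbps: int, reference_mbps: int = DEFAULT_REFERENCE_MBPS) -> int:
    """cost = reference bandwidth / interface bandwidth, remainder thrown away
    ('OSPF does not see decimals'); IOS never goes below 1."""
    if bandwidth_kbps <= 0:
        raise ValueError("bandwidth must be positive")
    return max((reference_mbps * 1000) // bandwidth_kbps, 1)


# Interface bandwidths in kbps, the unit the 'bandwidth' interface command uses.
LINK_KBPS = {"10M": 10_000, "100M": 100_000, "1G": 1_000_000, "10G": 10_000_000}


def cost_table(reference_mbps: int) -> dict:
    return {name: ospf_cost(kbps, reference_mbps) for name, kbps in LINK_KBPS.items()}


def path_cost(links: list, reference_mbps: int) -> int:
    return sum(ospf_cost(LINK_KBPS[link], reference_mbps) for link in links)


def preferred_path(paths: dict, reference_mbps: int) -> tuple:
    """Returns (winning path name, {path: total cost}); SPF takes the lowest total."""
    costs = {name: path_cost(links, reference_mbps) for name, links in paths.items()}
    return min(costs, key=costs.get), costs


def reference_consistent(routers: dict) -> bool:
    """auto-cost reference-bandwidth has to be the same on every router in the area;
    otherwise two routers compute different costs for the same link."""
    return len(set(routers.values())) == 1


# Constructed topology: a two-hop 1G path versus a three-hop 10G path.
PATHS = {"two_hop_1G": ["1G", "1G"], "three_hop_10G": ["10G", "10G", "10G"]}


def demo() -> dict:
    return {
        "default": preferred_path(PATHS, DEFAULT_REFERENCE_MBPS),
        "ref_100000": preferred_path(PATHS, 100_000),
    }


if __name__ == "__main__":
    print("default reference:", cost_table(DEFAULT_REFERENCE_MBPS))
    print("reference 100000: ", cost_table(100_000))
    for label, (winner, costs) in demo().items():
        print(f"{label}: {winner} wins with {costs}")
```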

Page 11

Setting passive interfaces:
1. Check the interface that you want to make passive
   a. sh ip int brief
2. Open OSPF
   a. conf t > router ospf 1
3. Set the passive interface
   a. passive-interface fa0/0
4. Verify this
   a. sh ip ospf interface

Or use the Cisco-preferred method, which sets all interfaces to passive, and then go through and enable the interfaces that are needed.

1. In router ospf 1 mode
   a. passive-interface default
   b. no passive-interface serial 0/1

Adjusting the HELLO timer:
1. First see the default OSPF timer
   a. sh ip ospf interface
2. Open the interface
   a. interface serial 0/1
3. Set the hello interval
   a. ip ospf hello-interval 1
Keep in mind, you will have to adjust the hello timer on both ends. The OSPF route will go down while doing this, since you are changing compatibility.

Page 12

Troubleshooting OSPF:

First, show ip route. Check what routes we have.

Second, check the OSPF config with:
sh run | s ospf
sh ip protocols
sh ip ospf interface
sh run interface serial 0/1 (the interface that OSPF is on)

Keep in mind that the router ID on all routers NEEDS to be unique.

debug ip ospf adj – shows neighbor interactions
clear ip ospf process – clears the OSPF process

Multi-area OSPF
Routes from other OSPF areas are labeled in the routing table as: IA
There is no special configuration when configuring multiple areas in OSPF.
You just use the network command (with a wildcard mask): network 10.0.0.1 0.0.0.255 area 2

For a loopback interface to appear as an actual network, make sure you set the OSPF network type to "point-to-point" on it.

Page 13

EIGRP:
Distance vector
Simpler than OSPF
Used to be proprietary
"Topology table" is used to describe EIGRP
Dijkstra SPF algorithm
EIGRP was Cisco proprietary until recently.

Important commands:
sh ip eigrp interface
sh ip eigrp topology 10.2.0.0/24
sh ip eigrp neighbors
sh ip eigrp interfaces
sh run | sec router
sh ip protocols

Benefits
EIGRP is considered an advanced distance vector protocol. It does not contain the whole routing database, but it does create backup routes. This means convergence is fast on route failure. Simple configuration. Allows route summarization anywhere. Unequal-cost load balancing.

There are three tables in EIGRP:
- Neighbor table
- Topology table
- Routing table

Terminology
- Feasible Distance: how far it is from your router to get to a network
- Advertised Distance: how far it is from the router that is telling you about that route to the network
- Successor: (topology table) primary route
- Feasible Successor: (topology table) backup route
- Active route: (topology table) bad; the router is actively trying to find a backup route
- Passive route: (topology table) good; the router is currently using this route

Page 14

Rule: to be considered a feasible successor, the AD must be less than the FD of the successor.
In simple terms: in order to be considered a backup route for EIGRP, your AD must be less than the FD of the primary route.
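As an added example that is not part of the notes, a Python model of the feasibility rule: from a constructed topology table it picks the successor, classifies the feasible successors with the AD < successor-FD test, shows which entry is refused even though its own FD is lower than an accepted one, and what happens when the successor disappears (passive failover versus going active and querying). The variance multiplier for unequal-cost load balancing, which the notes list as a benefit, is included as well. Router names, metrics and function names are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class TopologyEntry:
    via: str     # neighbour that advertised the route
    ad: int      # advertised distance: that neighbour's own metric to the network
    link: int    # metric of the link from this router to that neighbour

    @property
    def fd(self) -> int:
        """Feasible distance through this neighbour: its AD plus the link to it."""
        return self.ad + self.link


def classify(entries: list) -> tuple:
    """Successor = lowest FD. Feasible successor = any other entry whose AD is
    strictly less than the successor's FD (the rule in the notes). Anything else
    could be a path back through this router, so it is refused as a backup."""
    successor = min(entries, key=lambda e: e.fd)
    feasible = [e for e in entries if e is not successor and e.ad < successor.fd]
    rejected = [e for e in entries if e is not successor and e not in feasible]
    return successor, feasible, rejected


def on_successor_loss(entries: list) -> tuple:
    """With a feasible successor the route stays passive and switches at once;
    without one it goes active and queries the neighbours."""
    _successor, feasible, _ = classify(entries)
    if feasible:
        return "passive", min(feasible, key=lambda e: e.fd).via
    return "active", None


def load_sharing_paths(entries: list, variance: int = 1) -> list:
    """Unequal-cost load balancing: a feasible successor also forwards traffic when
    its FD < successor FD x variance. Variance 1 means equal cost only."""
    successor, feasible, _ = classify(entries)
    extra = [e.via for e in feasible if e.fd < successor.fd * variance]
    return [successor.via] + extra


# Constructed topology table for 10.2.0.0/24 as seen from this router.
ENTRIES = [
    TopologyEntry("R2", ad=10, link=5),    # FD 15: successor
    TopologyEntry("R3", ad=12, link=20),   # FD 32, AD 12 < 15: feasible successor
    TopologyEntry("R4", ad=20, link=1),    # FD 21, AD 20 >= 15: refused, despite FD < R3's
]


def demo() -> dict:
    successor, feasible, rejected = classify(ENTRIES)
    return {
        "successor": successor.via,
        "feasible": [e.via for e in feasible],
        "rejected": [e.via for e in rejected],
        "after_loss": on_successor_loss(ENTRIES),
        "paths_variance_1": load_sharing_paths(ENTRIES, 1),
        "paths_variance_3": load_sharing_paths(ENTRIES, 3),
        "no_backup": on_successor_loss([ENTRIES[0], ENTRIES[2]]),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```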

How EIGRP relations form:
All the routers contact the IP address 224.0.0.10
Hello: form relationships
Update: sends updates
Query: ask about routes – if a route goes down, the router sends out a query
Reply: response to a query – all routers must reply to the query whether they have a backup route or not
Ack: acknowledges the update, query and reply messages

Enable EIGRP
conf t > router eigrp (AS number)
network 10.0.0.0

EIGRP uses K values to calculate routes:
Bandwidth (K1)
Delay (K3)
Reliability (K4 and K5)
Loading (K2)
MTU

Configuration:
router eigrp (AS#)
router eigrp 1
router-id 1.1.1.1

Page 15

network 172.16.1.0 0.0.0.3
no passive-interface fa0/0
no passive-interface fa1/0
no auto-summary (you should enable this by default)

redistribute static - this advertises the default route

EIGRP load balancing
First, you must add a secondary connection and verify that equal-cost load balancing works out of the box.
1 – sh ip int brief
2 – Assign the uplink an IP address
3 – Ping everything and make sure you can hit the other side

Modify the bandwidth of that secondary link to 1Mbps to fine-tune equal-cost load balancing.
conf t > interface s2/0
   bandwidth 1000

You will have to clear the EIGRP neighbors for that to take effect.
Router# clear ip eigrp neighbors

At this point, it will reload the neighbor relationships.
Verify the topology with

Router# sh ip eigrp topology

Modifying the hello timers
You modify the hello timers from the interface.
sh ip eigrp interfaces detail (interface number) shows the current hello interval.
The hold-down timer is the hello interval x3, so for example a 5 sec hello timer gives a 15 second hold-down timer.

The default hello value is 5 seconds with a hold-down timer of 15 seconds.

interface S0/1
ip hello-interval eigrp 90 (seconds)
ip hold-time eigrp 90 (seconds)

IPv6
Rule 1: Eliminate groups of consecutive zeros
Rule 2: Can drop leading zeros
/64 is the most common address

Page 16

You must turn on IPv6: ipv6 unicast-routing
sh ipv6 interface brief
sh ipv6 protocols

IPv6 with OSPF
To enable OSPF on an interface, go to the interface and type "ipv6 ospf 1 area 0".
All of the commands from IPv4 transfer over to IPv6, except for sh ipv6 route.

To disable OSPF, use the command no ipv6 router ospf 1

IPv6 with EIGRP
conf t > ipv6 router eigrp 1
Router(config-rtr)# router-id "router ID"
Router(config-rtr)# no shutdown

Then you have to enable it on the interfaces:

Router(config)# int s0/1
Router(config-if)# ipv6 eigrp 1

At this point, the router is configured for EIGRP.

WAN – Point to point
T1 line – 1.5Mbps line. This is 24 DS0 lines (24 x 64Kbps lines).
T3 line – 44.5Mbps

E1 (Europe)
E3 (Europe)

Serial connections do not have the data link layer; data link is an Ethernet technology.
On WAN connections, PPP, HDLC, Frame Relay, MPLS, ATM and X.25 are all WAN technologies.

PPP – Point to Point Protocol: industry standard
Compression – trade CPU for bandwidth
Multilink – true down-to-the-bit load balancing
Authentication – PAP or CHAP | PAP is cleartext, CHAP is encrypted
Callback – you can connect in on a router, it will disconnect, and the router will call back

Page 17

HDLC is the default connection type.
To change to PPP, go to the interface and give the command
Router(config-if)# encapsulation ppp

Metro Ethernet:
Like a switch between you and your remote sites, managed by the ISP.

E-Line (PTP)
E-LAN (full mesh)
E-Tree (hub and spoke)

Client VPN:
SSL VPN tunnel to have a connection to the LAN.

DMVPN (Dynamic Multipoint VPN):
Configure a DMVPN hub at HQ and then you just configure the remote spoke sites. The remote spokes register to the hub. The DMVPN spokes can then form a full mesh network between each other.

PPP authentication
1) Create an account
2) Assign credentials (on a per-interface basis)
3) Enable PAP (this turns on authentication)

Router1(config)# username "Username1" (case sensitive) secret "Password"
Router1(config-if)# ppp pap sent-username "Username2" password "Password"
Router1(config-if)# ppp authentication pap

You can check the PPP debug with "debug ppp authentication".

CHAP
CHAP's password needs to be the same on both sides.

PPP multilink
LCP is responsible for negotiating PPP multilink.

Change the encapsulation to PPP
conf t > interface s1/0
encapsulation ppp

You could do two subnets between the two routers and then set static routes between the two routers.

You could do per-packet load balancing.

Page 18

PPP multilink is really useful on T1 links as it combines the two lines into "one". Exact load balancing. This uses a new interface called the "multilink interface".

You create this virtual interface and then do all the configuration under the multilink interface. This interface is virtual, like a loopback interface.

int s1/0 – turn off the IP address on this interface
no ip address

interface multilink 1 – this creates the interface
encapsulation ppp – turns on PPP
ppp multilink – turns on multilink PPP
ip address 172.16.1.1 255.255.255.252 – assigns the IP address to the multilink interface
ppp multilink group 1 – creates the group

This does not have a physical interface assigned to it yet, though; we must add all of the physical interfaces into the multilink group for this to work properly.

interface s1/0
ppp multilink group 1

interface s2/0
ppp multilink group 1

This is the end of one side of the configuration; we must do this on both sides for it to work properly.

Make sure to go in and set the bandwidth to be correct.

WAN technology

X.25 – created in 1976, needed EC
Frame Relay – faster than EC
ATM –
MPLS – Multiprotocol Label Switching – uses a tagging system

PPP:
To configure encapsulation, under each interface just run "encapsulation ppp".

Page 19

At that point, PPP is set up.

PAP: clear-text authentication
CHAP: encrypted authentication

To configure authentication on PPP:
username R2 password cisco
username R1 password cisco
int se0/0
ppp pap sent-username R1 password cisco

int se0/1
ppp pap sent-username R2 password cisco

PPP CHAP
int se0/0
ppp authentication chap

int se0/1
ppp authentication chap
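The difference between PAP and CHAP described above, as an added example that is not part of the notes: CHAP's three-way handshake in Python with the MD5 response defined in RFC 1994, an authenticator whose "username / password" lines are the secrets table, and two checks a defender cares about: the password never appears on the wire, and a response captured from one exchange does not authenticate against a fresh challenge. The class and function names, the peer names and the fixed challenge used in the demo are constructed.

```python
import hashlib
import hmac
import os


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """CHAP with MD5 (RFC 1994): Response = MD5(Identifier | Secret | Challenge)."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


class Authenticator:
    """The side running 'ppp authentication chap'. Its 'username NAME password PW'
    lines are the secrets table. Hypothetical class, not IOS code."""

    def __init__(self, secrets: dict):
        self.secrets = {name: pw.encode() for name, pw in secrets.items()}
        self.identifier = 0
        self.outstanding = None

    def challenge(self, value: bytes = None) -> tuple:
        self.identifier = (self.identifier + 1) & 0xFF
        self.outstanding = value if value is not None else os.urandom(16)
        return ("Challenge", self.identifier, self.outstanding)

    def verify(self, identifier: int, name: str, response: bytes) -> bool:
        secret = self.secrets.get(name)
        if secret is None or self.outstanding is None or identifier != self.identifier:
            return False
        expected = chap_response(identifier, secret, self.outstanding)
        self.outstanding = None          # each challenge is good for one response only
        return hmac.compare_digest(expected, response)


def chap_exchange(auth: Authenticator, peer_name: str, peer_password: str,
                  challenge: bytes = None) -> tuple:
    """Run the handshake; returns (success, the messages that crossed the link)."""
    wire = [auth.challenge(challenge)]
    _, ident, chal = wire[0]
    response = chap_response(ident, peer_password.encode(), chal)
    wire.append(("Response", ident, response, peer_name))
    ok = auth.verify(ident, peer_name, response)
    wire.append(("Success" if ok else "Failure", ident))
    return ok, wire


def pap_on_the_wire(username: str, password: str) -> list:
    """PAP's single Authenticate-Request carries the credentials themselves."""
    return [("Authenticate-Request", username.encode(), password.encode())]


def wire_contains(wire: list, needle: bytes) -> bool:
    return any(isinstance(f, bytes) and needle in f for msg in wire for f in msg)


def replay_is_rejected() -> bool:
    """A response captured from one exchange does not pass a later challenge."""
    auth = Authenticator({"R1": "cisco"})
    ok, wire = chap_exchange(auth, "R1", "cisco", b"\x01" * 16)
    _, ident, captured, name = wire[1]
    auth.challenge(b"\x02" * 16)             # the router issues a fresh challenge
    return ok and not auth.verify(ident, name, captured)


if __name__ == "__main__":
    auth = Authenticator({"R1": "cisco"})
    ok, wire = chap_exchange(auth, "R1", "cisco", b"\x01" * 16)
    print("CHAP success:", ok, "| password visible on the wire:", wire_contains(wire, b"cisco"))
    print("PAP password visible on the wire:", wire_contains(pap_on_the_wire("R1", "cisco"), b"cisco"))
    print("captured CHAP response replayable:", not replay_is_rejected())
```

The "CHAP is encrypted" shorthand in the notes is really this: the secret is only ever hashed together with a one-time challenge, so the link carries neither the password nor anything that can be reused. Both ends still need the same plaintext secret configured, which is the "same password on both sides" rule above.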

Multilink PPP (MLPPP):
int se0/0
no ip add
ppp multilink
ppp multilink group 1

int se0/1
encapsulation ppp
ppp multilink
ppp multilink group 1

int multilink 1
encapsulation ppp
ppp multilink
ppp multilink group 1
ip add 10.0.0.1

sh ppp multilink shows the information about PPP multilink

PPPoE (Point-to-Point Protocol over Ethernet):
The dialer interface gets the IP address

Page 20

Configuration:
Server side:
ip local pool POOL 10.0.0.1
bba-group pppoe CUSTOMER
virtual-template 1
username customer password cisco

interface virtual-template 1
ip address 10.0.0.2 255.255.255.252
peer default ip address pool POOL
ppp authentication chap callin

int fa0/0
no shut
no ip address
pppoe enable group CUSTOMER

Customer side:
int fa0/0
no shut
no ip address
pppoe-client dial-pool-number 1
pppoe enable

interface dialer1
ip address negotiated
mtu 1492
encap ppp
ppp chap hostname customer
ppp chap password cisco
dialer pool 1

The client will then attempt to dial into the PPPoE server to grab an IP address.

Important commands:
To verify the session, use the command show pppoe session interface f0/0 (the interface PPPoE is bound to)
sh int dialer1
show ppp all

You want to verify that the LCP state is OPEN on the virtual interface.

Page 21

GRE tunnels (Generic Routing Encapsulation):

GRE is not encrypted; you have to use IPsec to encrypt.

int f0/0
ip address 64.0.50.20.3 255.255.255.248
interface tunnel 1
no shut
ip address 10.0.0.1 255.255.255.0
tunnel mode gre ip (here is where you would select IPsec)
tunnel source f0/0
tunnel destination 77.0.32.10

Just repeat on the other side but swap the IP and the destination:

int f0/0
ip address 77.0.32.10 255.255.255.248
interface tunnel 1
no shut
ip address 10.0.0.2 255.255.255.0
tunnel mode gre ip (here is where you would select IPsec)
tunnel source f0/0
tunnel destination 64.0.50.20.3

sh interface tunnel 1

EBGP: how to bring up an EBGP peering:
router bgp (AS number)
neighbor 172.16.0.1 (provider's IP) remote-as 64512 (provider's AS)

This would form a peer.
To advertise a network...
network 10.0.0.0 mask 255.255.0.0

Understanding VPN solutions
VPN objectives

Confidentiality
Authentication
Data integrity
Anti-replay

Page 22

BGP lab
1. Configure BGP for the MAX organization in AS 5000.
2. Establish a neighbor relationship between the MAX and ISP routers. The ISP is running in AS 2500. Confirm the MAX router is receiving BGP routes from the ISP.
3. Advertise the 63.1.5.0/24 network owned by MAX via BGP to the ISP router. Advertise a summary route to 63.2.0.0/16 to the ISP.
4. Configure the ISP to advertise a default route to MAX.

show ip int brief - see how it's currently configured.

conf t > router bgp 5000
MAX(config-router)# neighbor 200.1.1.2 remote-as 2500

show ip bgp summary
show ip bgp

THE NETWORK COMMAND DOES NOT SEND "HELLO" MESSAGES LIKE EIGRP / OSPF / RIP.
BGP takes a route from the internal network and advertises it to the outside world.

router bgp 5000
network 63.1.5.0 mask 255.255.255.0

That command advertises that specific network to the outside world.

HSRP
Two is one, one is none.
FHRP – first hop redundant gateway – creates a virtual IP address; one router is active and one is standby. This allows more than one default gateway router. They communicate using hello messages. If the other side does not respond within 3 seconds, it labels that route dead and takes over the default gateway.

HSRP (Hot Standby Router Protocol)
Link-local multicast is shared between the routers.
There will always be an active and a standby router.

V1:
Uses multicast address 224.0.0.2
No IPv6
Group range 0 - 255

V2:
Uses multicast address 224.0.0.102

Page 23

IPv6
Group range 0 - 4095

Priority values can be used to choose which router is active. The default priority is 100.

Preemption - a router is able to take over the role of active gateway if its priority is the highest. Default is disabled.

Configuration:
Router 1
int f0/0
ip address 10.0.0.2 255.255.255.0
standby version 2
standby 1 ip 10.0.0.1 (has to match on both routers)
standby 1 priority 105
standby 1 preempt

Router 2
int f0/0
ip address 10.0.0.3 255.255.255.0
standby version 2
standby 1 ip 10.0.0.1

sh standby brief
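As an added example that is not from the notes, the active/standby election in Python: the highest priority wins, the higher interface IP breaks a tie, and a better router that shows up later takes over only when preempt is on (the default being off, as stated above). The per-version multicast addresses and group ranges are the ones in the notes; the router names and addresses mirror the configuration above and the class and function names are constructed.

```python
import ipaddress
from dataclasses import dataclass

# Per-version facts from the notes.
HSRP_VERSION = {
    1: {"multicast": "224.0.0.2", "max_group": 255, "ipv6": False},
    2: {"multicast": "224.0.0.102", "max_group": 4095, "ipv6": True},
}


def group_is_valid(version: int, group: int) -> bool:
    return 0 <= group <= HSRP_VERSION[version]["max_group"]


@dataclass
class Router:
    name: str
    ip: str
    priority: int = 100      # 'standby N priority' default
    preempt: bool = False    # 'standby N preempt' is off by default


def rank(r: Router) -> tuple:
    """Higher priority wins; equal priorities are broken by the higher interface IP."""
    return (r.priority, int(ipaddress.ip_address(r.ip)))


class HsrpGroup:
    def __init__(self, version: int, group: int, virtual_ip: str):
        if not group_is_valid(version, group):
            raise ValueError(f"group {group} is outside the version {version} range")
        self.multicast = HSRP_VERSION[version]["multicast"]
        self.virtual_ip = virtual_ip      # 'standby N ip', identical on both routers
        self.members = []
        self.active = None
        self.standby = None

    def _pick_standby(self) -> None:
        others = [m for m in self.members if m is not self.active]
        self.standby = max(others, key=rank) if others else None

    def join(self, r: Router) -> None:
        self.members.append(r)
        if self.active is None:
            self.active = r                  # first router up owns the virtual IP
        elif r.preempt and rank(r) > rank(self.active):
            self.active = r                  # preemption: takes over immediately
        self._pick_standby()                 # otherwise a better router just waits

    def fail(self, r: Router) -> None:
        """Hellos stop; once the hold time expires the standby takes over."""
        self.members.remove(r)
        if self.active is r:
            self.active = self.standby
        self._pick_standby()

    def brief(self) -> dict:
        return {"active": self.active.name if self.active else None,
                "standby": self.standby.name if self.standby else None}


def demo(preempt: bool) -> list:
    """Router 2 boots first; Router 1 (priority 105) arrives later, fails, and returns."""
    r1 = Router("R1", "10.0.0.2", priority=105, preempt=preempt)
    r2 = Router("R2", "10.0.0.3")
    group = HsrpGroup(2, 1, "10.0.0.1")
    history = []
    for step in (lambda: group.join(r2), lambda: group.join(r1),
                 lambda: group.fail(r1), lambda: group.join(r1)):
        step()
        history.append(group.brief())
    return history


if __name__ == "__main__":
    print("with preempt:   ", demo(True))
    print("without preempt:", demo(False))
```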

Page 24

QoS
QoS is very important in a VoIP infrastructure
- Prioritization
- Shaping/policing

- Delay – when there is a noticeable delay between the two sides of a conversation; sometimes users will talk over each other.
- Jitter – when packet RTT is constantly changing.
- Every VoIP packet has 20ms of audio
- Packet loss

QoS tools
Audio – DSCP EF
Video – DSCP AF41

Mission critical
Transactional
Best effort
Scavenger

It's best to do QoS closest to the connection.

If you offload the tagging onto the switch, it has ASIC chips to handle the offload of the tagging. However, the best way to do it would be to do it on the device.

Weighted Fair Queuing – low-traffic senders get priority over high-traffic senders
Class-based WFQ – divides bandwidth among classes that you define
Low latency queuing – combination of CB-WFQ, but adds a strict priority element

Page 25

QoS:
QoS queues traffic for prioritization using QoS marking.

DSCP: decimal values 0-63
EF - best for voice

CoS:
CoS0 - worst
CoS1
CoS2
CoS3
CoS4
CoS5 - best
CoS6

You would only want to CoS mark phones; that way phones get the best priority.

You can use an ACL to classify traffic.
NBAR - Network Based Application Recognition - allows classification based on application
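As an added example that is not from the notes, the values behind the marking names above in Python: how a DSCP value sits in the IPv4 ToS byte, how the AFxy names decode, Cisco's default DSCP-to-CoS map (EF to CoS 5, AF41 to CoS 4), and a trust boundary in the spirit of "only CoS mark phones": markings are kept only from trusted phone ports and everything else is re-marked by application, so an ordinary host cannot give its own traffic EF. The sample header bytes and the function names are constructed.

```python
# DSCP values behind the names used in the notes (EF for audio, AF41 for video).
DSCP = {"BE": 0, "CS1": 8, "AF11": 10, "AF21": 18, "AF31": 26, "AF41": 34, "EF": 46, "CS6": 48}
NAME_OF = {value: name for name, value in DSCP.items()}


def dscp_to_tos(dscp: int) -> int:
    """DSCP occupies the top six bits of the IPv4 ToS byte; the bottom two are ECN."""
    if not 0 <= dscp <= 63:
        raise ValueError("DSCP is a 6-bit value, 0-63")
    return dscp << 2


def tos_to_dscp(tos: int) -> int:
    return (tos >> 2) & 0x3F


def af_class(dscp: int):
    """AFxy: class x (1-4) in the top three bits, drop precedence y (1-3) in the next two."""
    cls, dp = dscp >> 3, (dscp & 0b110) >> 1
    return (cls, dp) if 1 <= cls <= 4 and 1 <= dp <= 3 and dscp & 1 == 0 else None


def default_cos(dscp: int) -> int:
    """Cisco's default DSCP-to-CoS map keeps the top three bits: EF -> 5, AF41 -> 4."""
    return dscp >> 3


def ingress_mark(app: str, port_trusted: bool, received_dscp: int = 0) -> int:
    """Trust boundary: a trusted (phone) port keeps its marking; any other port is
    re-marked from the classified application, whatever the host wrote itself."""
    if port_trusted:
        return received_dscp
    by_app = {"voice": DSCP["EF"], "video": DSCP["AF41"], "scavenger": DSCP["CS1"]}
    return by_app.get(app, DSCP["BE"])


def tos_from_ipv4_header(header: bytes) -> int:
    """The ToS/DS byte is the second byte of the IPv4 header."""
    if len(header) < 20 or header[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    return header[1]


def decode(tos: int) -> dict:
    dscp = tos_to_dscp(tos)
    return {"dscp": dscp, "name": NAME_OF.get(dscp, f"DSCP{dscp}"),
            "af": af_class(dscp), "cos": default_cos(dscp)}


# Constructed 20-byte IPv4 header whose ToS byte is 0xB8 (EF); other fields are filler.
SAMPLE_HEADER = bytes([0x45, 0xB8, 0x00, 0x3C, 0x1C, 0x46, 0x40, 0x00, 0x40, 0x11,
                       0x00, 0x00, 10, 0, 0, 10, 10, 0, 0, 20])

if __name__ == "__main__":
    print("sample header carries:", decode(tos_from_ipv4_header(SAMPLE_HEADER)))
    print("PC claiming EF on an untrusted port gets:", ingress_mark("web", False, DSCP["EF"]))
    print("phone on a trusted port keeps:", ingress_mark("voice", True, DSCP["EF"]))
```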

Congestion: once bandwidth is saturated, the network will tail drop, dropping all traffic. Another way to handle congestion is buffering; it will hold the traffic.
FIFO / class-based weighted fair queuing / LLQ (low latency queuing)

RADIUS and TACACS+
Triple A (AAA)
Authentication – validates WHO you are
Authorization – tells what you can do
Accounting – tracks what you did

1: Router(config)# radius-server host 10.1.1.10 key 'Preshared key'
You must create an authentication group:
2: Router(config)# aaa group server radius "name"
3: Router(config-sg-radius)# server 10.1.1.10
4: Router(config)# aaa authentication login default group RadiusServers local

Extended ACLs
ip access-list extended "name"
deny ip any any

int fa0/0
ip access-group "name" in/out

Page 26

sh ip access-lists – shows the current access list rules applied to the interfaces.

ip access-list extended "block telnet"
deny tcp 192.168.1.0 0.0.0.255 192.168.2.128 0.0.0.31 eq 23
deny tcp 192.168.1.0 0.0.0.255 192.168.2.128 0.0.0.31 eq 22
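As an added example that is not from the notes, a Python evaluator for extended ACL entries like the ones above: wildcard masks (0 bits must match, 1 bits are ignored, so 0.0.0.31 covers a /27), first-match-wins ordering, and the implicit deny at the end, which is why the two deny lines above block everything unless a permit follows them. The packets, the trailing permit line and the function names are constructed.

```python
import ipaddress
from dataclasses import dataclass


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard mask: 0 bits must match, 1 bits are 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return a & care == b & care


@dataclass(frozen=True)
class Ace:
    action: str           # permit / deny
    proto: str            # ip / tcp / udp / icmp
    src: str
    src_wc: str
    dst: str
    dst_wc: str
    dst_port: int = None  # 'eq N' on the destination, or None


def _addr_spec(tokens: list) -> tuple:
    """Consume 'any' | 'host A.B.C.D' | 'A.B.C.D W.W.W.W'; return (base, wildcard, rest)."""
    if tokens[0] == "any":
        return "0.0.0.0", "255.255.255.255", tokens[1:]
    if tokens[0] == "host":
        return tokens[1], "0.0.0.0", tokens[2:]
    return tokens[0], tokens[1], tokens[2:]


def parse_ace(line: str) -> Ace:
    tokens = line.split()
    action, proto = tokens[0], tokens[1]
    src, src_wc, rest = _addr_spec(tokens[2:])
    dst, dst_wc, rest = _addr_spec(rest)
    port = int(rest[1]) if rest[:1] == ["eq"] else None
    return Ace(action, proto, src, src_wc, dst, dst_wc, port)


def evaluate(acl: list, pkt: dict) -> tuple:
    """First matching entry wins; no match hits the implicit deny at the end."""
    for index, ace in enumerate(acl):
        if ace.proto != "ip" and ace.proto != pkt["proto"]:
            continue
        if not wildcard_match(pkt["src"], ace.src, ace.src_wc):
            continue
        if not wildcard_match(pkt["dst"], ace.dst, ace.dst_wc):
            continue
        if ace.dst_port is not None and ace.dst_port != pkt.get("dport"):
            continue
        return ace.action, index
    return "deny", None


# The two lines from the notes plus a constructed permit, without which the
# implicit deny would drop every other packet too.
BLOCK_TELNET = [parse_ace(line) for line in [
    "deny tcp 192.168.1.0 0.0.0.255 192.168.2.128 0.0.0.31 eq 23",
    "deny tcp 192.168.1.0 0.0.0.255 192.168.2.128 0.0.0.31 eq 22",
    "permit ip any any",
]]

# Constructed packets: (protocol, source, destination, destination port).
PACKETS = {
    "telnet_to_servers": {"proto": "tcp", "src": "192.168.1.10", "dst": "192.168.2.130", "dport": 23},
    "ssh_to_servers":    {"proto": "tcp", "src": "192.168.1.10", "dst": "192.168.2.150", "dport": 22},
    "web_to_servers":    {"proto": "tcp", "src": "192.168.1.10", "dst": "192.168.2.130", "dport": 80},
    "telnet_elsewhere":  {"proto": "tcp", "src": "192.168.1.10", "dst": "192.168.2.200", "dport": 23},
}


def demo() -> dict:
    return {name: evaluate(BLOCK_TELNET, pkt) for name, pkt in PACKETS.items()}


if __name__ == "__main__":
    for name, (action, index) in demo().items():
        print(f"{name:18} -> {action} (entry {index if index is not None else 'implicit'})")
```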

IP SLA: the method of measuring service level by sending traffic.

conf t > ip sla 1
At this point, you can configure a couple of different sensors to alert you when that sensor is triggered.

icmp-echo 172.16.1.6
ip sla schedule 1 life forever start-time now
sh ip sla