icnd2 -200-101 study guide (ccna)vbrownbag.com/wp-content/uploads/2014/12/icnd2-study-guide.pdf ·...
TRANSCRIPT
ICND2 -200-101 Study Guide (CCNA) SECTION I (21%) – LAN Switching Technologies 1.1 – Identify Enhanced Switching Technologies
a. Rapid Spanning Tree Protocol (RSTP); IEEE 802.1w 1) This is ability to by-pass the full 50sec 4-state STP convergence process a) RSTP States: 1. Discarding – initial state; no traffic passes through Interface in or out, except STP msgs i. NOTE: This State is different than in (default) PVST, which is called BLOCKING ii. This state also refers to an Interface that is admin disabled (is disabled state for PVST) 2. Learning – Switch does not fwd Frames; begins learning MAC of recv’d Frames 3. Forwarding – final state; traffic passes/fwd’s through Interface normally 2) STP goes from Discard > Forward convergence in a few secs (50secs for PVST) 3) NOTE: legacy STP = IEEE 802.1d 4) Other Port Types for RSTP: a) Alternate – port that will take over for the Root Port (RP) if RP link fails b) Backup – port that will take over for the Designated Port (DP) if the DP link fails; usually connects to a Hub c) Point-to-Point – port connected to another Switch, PC, Router, etc; Port runs Full Duplex 1. Edge – if PortFast is configured on the PtP port, the port is considered a PtP Edge d) Shared – port is connected to a Hub; port typically will run at Half Duplex b. Per-VLAN Spanning Tree Plus (PVSTP) 1) Ability Cisco devices provide to configure STP per VLAN instance 2) Can change Root Bridge per VLAN instance (e.g. spanning-tree vlan 1 root primary ) 3) Cisco proprietary 4) Introduced PortFast feature 5) Port States: a) Blocking – initial state; no traffic passes through Interface in or out, except STP msgs b) Listening – Switch does not fwd Frames; removes stale MAC Table entries c) Learning – Switch does not fwd Frames; begins learning MAC of recv’d Frames d) Forwarding – final state; traffic passes/fwd’s through Interface normally e) Disabled – Interface is administratively disabled c. Etherchannels 1) Aggregating between 2 to 8 Switchports such that they act as one link between two Switches 2) Frames are distributed between Switchports configured for a Port Channel (Load Balancing) 3) Helps mitigate the amount of STP Convergence on a LAN 4) Configure: a) Make Switchports identical (blank) before configuring (to check: show run int f0/0 ) b) From Config Mode: config t c) Choose range of (or individual) Switchports: int range f0/1 - 4 d) Enable Etherchannel: channel-group 1 mode on ( # has to be same on local Switch but
can be different on neighboring Switch) 5) Verify: show run | section int 6) To configure the Port Channel: int port-channel # 7) To verify Etherchannel config/Port members: show int port-channel # a) Also, can use show etherchannel # summary 8) Configuring Dynamic Etherchannel, using either PAgP or LACP a) PAgP uses Desirable & Auto parameters for the channel-group mode cmd b) LACP uses Active & Passive parameters for the channel-group mode cmd c) If PAgP Auto is used on both Switches or Passive on both Switches, EC never works (will always be in a wait State); do not use on parameter with any of PAgP/LACP parameters or EC never works d) All Ports used in EC group must be same – speed, duplex, type (Access or Trunk), VLANs, etc. d. PortFast 1) Allows Switch Port to go directly from Blocking to Forwarding state (or Discarding > Forwarding for RSTP) 2) Recommended to configure only on Access Ports: int f0/4 ; spanning-tree portfast 3) Or, from Global Config for all Ports: spanning-tree portfast default e. BPDU Guard 1) Disables an Access Port that receives BPDUs (Access Ports should never receive BPDUs) 2) Configure: int f0/4 ; spanning-tree bpduguard enable 3) Or, from Global Config for all Ports: spanning-tree portfast bpduguard default
1.2 – Configure & Verify PVSTP Operation a. Configure 1) On by default; but from Config Mode: spanning-tree mode pvst 2) To enable RPVSTP: a) From Config Mode: config t b) Enable: spanning-tree mode rapid-pvst 3) To change the Switch BID Priority: spanning-tree vlan # priority ### a) Optionally: spanning-tree vlan # root primary (or secondary to configure a Switch to be the Root if the primary fails) b) 24576 is used if current Root Priority is higher than 24576 (when using root parameter) c) If current Root’s Priority is lower than 24756, local Switch uses highest number below 24576 in multiples of 4096 that would make it the Root d) When configuring secondary , the default value used is 28672 4) To change an Interface Port Cost: a) int f0/0 b) spanning-tree vlan # cost # (NOTE: if no VLAN parameter is used, e.g. on a Trunk Port, the Cost is set for *all* VLANs on the Trunk) b. Verify 1) View Root, BID, & Interface info: show spanning-tree or show spanning-tree vlan # for a given VLAN only 2) Show Root Bridges for each VLAN: show spanning-tree root (VLAN parameter optional) 3) Show Switch BID info for a given VLAN: show spanning-tree bridge (VLAN param opt.)
4) To view STP events as they happen, on screen: debug spanning-tree events c. Describe Root Bridge Election 1) Switches receive BPDU (see Section d. below) msgs from each direct-connected Bridge/Switch 2) When the initial BPDU msgs are sent, the Root Bridge ID & Sender’s Bridge ID are the same value, of the Sender’s Bridge ID (Priority + MAC Address) a) Bridge ID – consists of 2byte (16bit) Priority and 6byte (48bit) MAC Address b) Priority – consists of Priority Field & System ID Extension (the VLAN ID) i. Priority field – 4bits and always set to 1000; counting the binary values from RIGHT to left, to include 12bit Sys ID Extension, this “one” bit value = 32,768 (the 15th bit of the 16bit string of binary values) ii. System ID Extension (i.e. VLAN ID) = 0000 0000 0001, for VLAN 1 (Default) iii. Default Priority value for a given Bridge ID is 32,769 (32,768 + 1 ; 1000 0000 0000 0001) c) MAC Address – single burned-in physical address assigned to each Switch 3) A Switch receives a BPDU & compares the Sending Switch’s Bridge ID to its own Bridge ID 4) The Switch will determine the lowest Bridge ID (Priority + MAC) & the Switch with the lowest Bridge ID will become the Root Bridge 5) Subsequent BPDU msgs will be updated with the new Root Bridge ID and the Switch’s own Bridge ID 6) To change the elected Root Bridge, the Priority can be modified by 2 methods: a) Go into Config Mode: conf t b) Make Priority change for the STP “instance” (VLAN ID) wanting to change Root for: spanning-tree vlan 1 priority 16384 or spanning-tree vlan 1 root primary , which automatically changes the priority value such that the given Switch will become the Root Bridge 1. If current Root has higher Priority value than 24576, the local Switch configuring to be Primary will use its Priority value as 24576 2. If current Root has lower Priority value than 24576, the local Switch configuring to be Primary will use its Priority value lower than 24576 but as close to 24576 as possible 3. When configuring secondary Switch, the Priority value will be 28672 on the local Switch regardless of current Root Switch Priority value c) Verify: show spanning-tree or show per VLAN: show spanning-tree vlan 10 POSSIBLE PRIORITY FIELD VALUES (Increments of 4096)
STP PORT COST VALUES BASED ON SWITCH PORT SPEED
Port Speed Port Cost
10Mbps (Ethernet) 100
100Mbps (Fast Ethernet) 19
1Gbps (Gigabit Ethernet) 4
10Gbps (10 Gigabit Ethernet) 2
d. Spanning Tree Mode – Protocol created to prevent Layer 2 Loops among Bridges & Switches 1) Topology a) Bridge Protocol Data Unit (BPDU) – msg initiated by the Root Switch to Nonroot Switches, sent every 2 seconds by default; BPDU contains: 1. Root Bridge ID 2. Sender’s Bridge ID 3. Sender’s Root Port Cost – link cost value (see values above) x number of link hops to the Root Bridge; lowest value = better Cost; i.e. best link “cost” to the Root Switch 4. Timer Values of Root Bridge i. Hello – default = 2 secs; how often Hellos are sent ii. MaxAge – default = 10 x Hello Timer (i.e. 20 secs); wait time between Hellos before considered to be a downed link; NOTE: RSTP MaxAge = 3x Hello iii. Forward Delay – default = 15 secs; time Port stays in Listening & then Learning State (15secs ea.) b) Root Bridge – Switch with lowest Bridge ID in a Spanning Tree segment (per VLAN) c) Sender’s Bridge ID – Bridge ID of an individual Switch d) Root Port (RP) – Nonroot Switch Port with lowest cost to the Root Switch 1. Determined by lowest Cost link to the Root Bridge (see Port Costs in Table above) 2. If Cost among Switches is equal, then the lowest Bridge ID is used 3. If still cannot be determined, the Port Priority is used 4. Port ID is used as last resort 5. Forwards data Frame traffic but does not send BPDUs e) Designated Port (DP) 1. All Root Switch ports, or… 2. Determined by lowest Root Port Cost among Nonroot Switches 1. If Cost is the same, then determined by lowest Bridge ID f) Non-Designated Port (Blocking Port) 1. Switch Port configured by STP process to be in Blocking State to prevent L2 Loops 2. Shown as “Alternate” under the Port ‘Role’ heading in the show spanning-tree cmd 2) Since the Priority part of the Bridge ID is partly comprised of the VLAN ID, each Switch VLAN/Broadcast Domain runs its own Spanning Tree instance 3) Three Modes: a) PVST – Per-VLAN Spanning Tree Plus; default in Cisco IOS (no spanning-tree mode cmd needed) b) RPVST – Rapid Per-VLAN Spanning Tree ( spanning-tree mode rapid-pvst ) c) MST – Multiple Spanning Tree ( spanning-tree mode mst ) 4) STP Algorithm Process a) Elect Root Bridge 1. Switch with lowest Bridge ID (Priority + MAC) b) Determine Switch Root Ports (RP)
1. Can *only* be on Nonroot Switches, & only 1 Port on a Switch 2. Determined by the Interface with the least Cost to reach the Root Switch (least Root Cost; see RP Cost defaults for Interface speed types in the Table above) c) Determine Designated Ports (DP) 1. All Ports on a Root Switch are DP 2. Determined by Interface that advertises the least Root Cost, or if Costs tie, the Switch with the lower Bridge ID (or Switch with lower Interface STP Priority, or lowest Interface Port #) d) Place DPs in Forwarding State
SECTION II (26%) – IP Routing Technologies 2.1 – Describe The Boot Process of Routers
a. Router Boot Process 1) POST process to discover hardware & verify components work properly 2) Bootstrap is copied from ROM memory into RAM & runs 3) Bootstrap decides which IOS image to load into RAM & loads it a) If no OS found, device boots into ROM Monitor Mode (ROMMON) 4) After the OS is loaded, the bootstrap sends hardware control to the newly loaded OS 5) Bootstrap then finds the Startup-config file in NVRAM then loads it into RAM a) If no Config file found, the Router broadcasts for a TFTP server containing a Config
2.2 – Configure & Verify the Operational Status of a Serial Interface a. Configure 1) int s0/0/1 2) ip address #.#.#.# #.#.#.# 3) encapsulation ppp (or another protocol; Cisco uses HDLC by default if no encapsulation cmd is used) 4) no shut b. Verify 1) show run int s0/0/0 2) show int brief
2.3 – Manage Cisco IOS Files a. Boot Preferences 1) For Router devices only, this is determined by the Configuration Register (4-digit HEX number) a) 0x = these digits mean whatever follows them are HEX (e.g. 0x2102 → 2102 are HEX) b) 16bit number (4 sets of 4 digits → ####.####.####.####, numbered 0-15 from RIGHT to left) c) 4th (last/far right) HEX field is called the Boot Field (0x2102) 1. 2 [0010] = Default; boot as what is configured in the Boot System Field in the Startup-config 2. 1 [0001] = Boot to first Image file found in Flash 3. 0 [0000] = Boot to ROMMON Mode 4. If 2 is config’d, the Router tries each boot system cmd in the startup-config file in order 5. If nothing works from Step 4, the Router loads the first IOS file found in Flash (in order if
none found) d) Console Port Speed – bits 5, 11, 12 (###012.011###.##05#.####) 1. [00 0] = Default; 9600bps 2. [00 1] = 19,200bps 3. [11 1] = 115,000bps e) NVRAM Contents = 6th bit in 3rd HEX quartet (####.####.#06##.####) 1. 0 [0000] = Default; load contents in NVRAM (i.e. the Startup-config file) 2. 4 [0100] = Ignore NVRAM contents (i.e. do not load Startup-config file i. 0x2142 Config Reg value is used for Password Recovery 2) config.text – Switch only (i.e. startup-config) 3) vlan.dat – DB file on Switches that stores VLAN IDs 1-1005; VLANs 1006-4094 in Config file b. Cisco IOS Images 1) To load a new image a) Download an image from Cisco b) Place the image somewhere reachable to the Router c) Copy the image into Flash: copy tftp flash 1. Once the above cmd is entered the Router prompts for tftp server IP & IOS Image file name 2) To verify the file was loaded to Flash: show flash 3) To boot to the newly loaded image, add a cmd to the startup-config: boot system flash:imageFilename.bin 4) Save the Config: copy run start 5) Reboot the Router to boot into new image: reload 6) Verify image loaded (check IOS version): show version c. Licensing 1) Universal Image – IOS Image containing all Cisco feature sets (i.e. technology packages) 2) Software activation – enables feature set paid for; verifies legal rights /access of the customer 3) Technology package types: a) ipbasek9 – IP Base feature set; on all Routers by default b) datak9 – Data feature set; MPLS, ATM, Multiprotocols, etc. c) uck9 – Unified Communications feature set; VoIP, IP Telephony d) securityk9 – Security feature set; Firewall, IPS, IPsec, VPN, etc. 4) Licenses can be auto-managed by Cisco License Manager – app installed on Win or other OS: a) CLM communicates with Cisco License Registration Portal via Internet b) CLM takes input info about license feature sets purchased from any reseller c) CLM communicates with the org Routers/Switches to install license keys & enable appropriate feature sets 5) Unique Device Identifier (UDI) – 2 part number that supports software licensing on Cisco devices, made up of Product ID & device S/N (e.g. CISCO2901/K9:FTX162883H0) a) To view: show license udi 6) Product Authorization Key (PAK) – “receipt” for proof of feature set license purchase 7) License key retrieval/installation: a) Go to Cisco’s License Portal b) Enter UDI (# retrieved from Step 5 above) c) Enter PAK (retrieved after license purchase; file from Cisco or reseller) d) Copy the license via email or download to use for a device e) Make license available to device via TFTP or USB
f) From CLI, install the license: license install url (e.g. license install usbflash1:FTX1628838P_201302111432454180.lic ) g) Reboot the device: reload 8) Verify: show license / show license feature (feature sets not licensed show as ‘not activated’ under Period Left column, or ‘no’ under Enabled column) 9) Change License – see Step 7 for license install (change) process 10) Right-to-use-licensing – Cisco provides ability to enable packages (features) for testing on a trial basis for 60 days; after that period those features remain enabled & license should be purchased… is based on an honor system a) Enable a feature: license boot module c2900 technology-package securityk9 b) Reboot: reload c) The ‘Period Left’ column ( show license ) counts down to 60, then reverts to ‘Permanent’
2.4 – Differentiate Methods of Routing & Routing Protocols a. Administrative Distance 1) Metric used by IOS to determine best route to use when multiple routes from differing protocols exist ADMINISTRATIVE DISTANCE DEFAULTS
Route Type Administrative Distance (Default)
Connected 0
Static 1
BGP (external) 20
EIGRP 90
IGRP 100
OSPF 110
IS-IS 115
RIP 150
EIGRP (external) 170
BGP (internal) 200
b. Split Horizon 1) Distance Vector (DV) routing protocol feature to prevent routing loops by not advertising routes that list a given Interface as the route’s outgoing Interface in which it was learned; not available in OSPF 2) Route Poisoning – also a DV feature to prevent loops by using an infinite metric to advertise failed routes a) Defaults: RIPv2 default infinity metric = 16 ; EIGRP = 232 – 1 ; OSPFv2 = 224 – 1) c. Metric 1) Computation of Routing Protocols to determine its cost (best route) to a destination network 2) Protocol Metrics: a) RIP – uses Router “hop” count to a destination as its metric b) OSPF – uses Cost; lowest Cost route for a Router gets entered into Routing Table
DEFAULT OSPF BANDWIDTH COSTS (Reference Bandwidth / Interface Bandwidth)
Interface Interface Default B/W Formula OSPF Cost
Serial 1544Kbps 100000 / 1544 64
Ethernet 10000Kbps 100000 / 10000 10
Fast Ethernet 100000Kbps 100000 / 100000 1
1. If the formula results in a fraction, the metric is rounded DOWN to nearest Integer; as such, speeds faster than Fast Ethernet (100Mbps) also result in a Cost of 1 (i.e. GbE, 10GbE) 2. To mitigate this issue, change the Reference Bandwidth default value (100Mbps) to 10000Mbps (new Cost values → FaEth = 1000 ; Gb = 100 ; 10Gb = 10) c) EIGRP – uses Bandwidth & Delay; lowest value of its metric is added to the Routing Table d. Next Hop 1) Metric used by RIP; simply, a neighboring Router in a network path
2.5 – Configure & Verify OSPF Multi-Area a. Neighbor Adjacency Requirements 1) Same Subnet/Mask 2) Matching Hello Interval – multicast msgs used to initiate neighbor relationships 3) Matching Dead Interval – time between hello’s; if length is exceeded, route considered failed 4) Same Area ID 5) Same Authentication (if used) 6) Same Stub Area Flag 7) Same MTU Size b. OSPF (Neighbor) States (“DI2EELF”) * Link State Update (LSU) packets are OSPF messages that contain Link State Advertisements (LSAs) of the Router Link State DB (LSDB) data structure 1) Down – no Hello msgs have been received 2) Init – Hello msgs have been received from Neighbors but not yet been responded to 3) 2-Way – Hello msgs have been seen & exchanged 4) ExStart – Master Router/Slave Router selected 5) Exchange – Master Router sends Database Descriptor packets, then Slave sends same packets a) Builds the LSD 6) Loading – Link State requests/Link State Advertisements (LSAs) exchanged a) Used for OSPF Topology changes 7) Full – Neighbor relationship has been established c. Configure OSPFv2 1 ) From Global Config – router ospf # (# = some process ID number 1-65535) 2) Advertise directly connected routes from OSPF sub-router config a) Enter do show ip route connect to see all directly connected routes b) Enter routes to advertise – network #.#.#.# #.#.#.# area # where 1st # = directly-connected IP Address/Route, & 2nd # = wildcard Mask (i.e. inverse of the Mask – 255.255.255.0 = 0.0.0.255)
c) Area # – use the appropriate Area number based on what Area the Interface is connected to 3) Another way to configure OSPF is per Interface (preferred way to configure moving fwd): a) e.g. int f0/0 or int s0/1/0 b) Sub-Interface cmd: ip ospf 10 area 0 4) Configure on ALL Routers so Neighbor Table can be built; Routing Table should be similar on all Routers if config’d correctly 5) To verify routes a) See if Neighbor relationships formed: show ip ospf neighbor b) Check the LSD/show LSA Types (see “f” below): show ip ospf database c) Check Routing Table: show ip route [connect] ; also can use show ip protocols 6) Designated Router (DR)/Backup Designated Router (BDR) a) Lowest “Priority” # = DR (default # = 1; if every Router has 1, highest Router-ID # is DR) b) Configured: ip ospf priority # (NOTE: if # = 0 means Router can never be a DR or BDR) c) Updates sent to DR/BDR from ancillary Routers via multicast IP of 224.0.0.6 d) Updates sent from DR to all Routers via multicast IP of 224.0.0.5 7) Router Types in Multi-Area OSPF a) Interior Router – Router has all of its Interfaces in one Area (regardless of Area #) b) Backbone Router – Router with all Interfaces in Area 0 (would be Interior Backbone Router) c) Area Border Router – Router has at least two Interfaces in 2 Areas with at least one Interface in Area 0 8) Area Types a) Backbone – Area 0 b) Stub Area – Area 0 border Area that receives LSAs only from Area 0 (via conversion to Type 3 LSA) c) Totally Stubby – only receive a Default Route from the Area Border Router 1. Purpose – reduce amount of network traffic during network topology change d) Not-So-Stubby Area – connected to a different AS d. Configure OSPFv3 1) Same as OSPFv2 but first enable IPv6 Routing (ipv6 unicast-routing ) then just remember to use ipv6 in command statements (ipv6 router ospf 1 ; then will enter OSPF Sub- config) 2) To advertise Router networks, network statements cannot be used; OSPF must be enabled on each Interface: ipv6 ospf 1 area 11 e. Router ID 1) I believe why this is here is as a reminder that OSPF must be able to determine a Router-ID or OSPF won’t work 2) router-id #.#.#.# – configured on sub-Router cmd; if not config’d, uses highest Loopback IP or highest Interface IP f. Understand LSA Types & Purpose 1) LSA Types – Purpose (LSA contents) a) Type 1 – describes a Router (LSA: RID, Interfaces, IP Address/Mask, Interface status) b) Type 2 – describes a Network with a DR (LSA: DR & BDR IP Address, Subnet ID, Mask) c) Type 3 – describes a Network in another area (LSA: Subnet ID, Mask, RID of ABR advertising LSA)
1. An Area Border Router converts a Type 1 or 2 LSA into Type 3 & propagates to the area other than the Area the LSA originated from (Type 1 or Type 2 LSAs traverse within an Area)
2.6 – Configure & Verify EIGRP Single Autonomous System (AS) a. General Info/Topology 1) Tables a) Neighbor Table – built by keeping track of adjacencies of directly-connected devices 1. Devices must be on same Subnet/Mask 2. Devices must use same AS (see #3 below) 3. Devices must use same Authentication method, if used 4. Devices must use same K Value for Metric calculation b) Topology Table – contains all routes of entire AS or network of EIGRP routers 1. Diffusing Update Algorithm (DUAL) runs against Topology Table to populate Routing Table 2. Route with lowest cost path to destination network is added to Route Table c) Routing Table – populated based off algorithm run against Topology Table 1. Successor – “best” route; route with lowest cost path to destination network 2. Feasible Successor – route in which the next hop Router’s RD to a destination route is less than the local Router’s FD 2) EIGRP Messages a) Hello – used for Neighbor Discovery b) Update – used for Route Discovery to build the Topology Database/Table c) ACK – used by Routers to acknowledge the Update message d) Query – Router uses to request missing route info (i.e. down or bad link) e) Reply – a reply to a Query message 3) Autonomous Systems (AS) – group of Routers under the control of 1 (grp) of Network Admins a) American Registry for Internet Numbers (ARIN) – assigns an AS ID number b) For EIGRP, publically assigned AS number not needed, but same number just needs to be configured on each Router using EIGRP on 4) Metric Calculation Values ( (107 /least BW in Kbps) + Cumulative Delay) * 256 a) Bandwidth – used by default; lowest used b) Delay of Line – used by default; cumulative (adds delay of incoming update msg + local Router delay) c) Reliability d) Load b. Configure 1) config t 2) router eigrp 1 , where “1” is the AS number that must be the same on all Routers partaking in EIGRP 3) eigrp router-id #.#.#.# 4) no auto-summary , to turn off Auto Summarization as it works only for Classful Networks 5) Configure Connected networks for EIGRP a) network #.#.#.#. #.#.#.# (Network then Wildcard Mask), then add remaining Connected networks from show ip route command 6) For IPv6 a) conf t b) ipv6 unicast-routing (in case not already enabled for IPv6 routing)
c) ipv6 router eigrp 1 (1 is the AS number that must be consistent on all Routers) d) eigrp router-id #.#.#.# (if no IPv4 Address is configured; Router-ID is req’d) e) int f0/0 f) ipv6 eigrp 1 g) no shut (repeat for remaining Interfaces wanting to advertise with EIGRP; repeat on additional Routers wanting to be in the EIGRP system) h) redistribute static – to distribute static routes, including Default Route, to other Routers partaking in EIGRP; only needed on Router with Default Route to Internet, e.g. c. Other EIGRP Items 1) Administrative Distance – default = 90 (internal; see Table above) 2) Feasible Distance (FD) – local Router’s calculated best cost (lowest) metric to a destination Subnet 3) Reported Distance (RD) – local Router calculation of next hop Router’s best cost metric to a destination Subnet 4) Successor Route – local Router’s route to a destination with best metric (i.e. best FD route) 5) Feasible Successors – route in which the next hop Router’s RD to a destination route is less than the local Router’s FD 6) Feasibility Condition – I think what this means is condition in which Successor Route fails causing FS Route to be used 7) Metric Composition – ( (107 /least BW in Kbps) + Cumulative Delay) * 256 a) Can configure speed and/or delay (in Kbps or tens of microseconds respectively) b) Cisco recommends changing delay on each Interface rather than speed due to less IOS features that make use of the delay setting 8) Router ID – use the eigrp router-id sub-Router cmd 9) Auto Summary – legacy feature to enable auto summarization of contiguous Classful Networks 10) Path Selection – route with best metric, called the Feasibility Distance, is added to the routing table & used (this route is called the Successor Route; a Route can have multiple Successor Routes in the routing table) 11) Load Balancing a) Equal cost – multiple routes with equal metrics, thus each becoming a successor route, are allowed to be added to the routing table b) Unequal – uses an EIGRP setting called variance, to allow routes whose metrics are close in value (but not equal) to be added to the routing table 1. Variance eigrp parameter can have a value from 1 – 128 2. Variance # x FD 3. Product of #2 above – if less than the Metric of the FS Route, the FS can be added to the routing table; NOTE: no route that is *not* a FS can be added for fear of causing loops d. Verify: 1) show ip route to display Routes 2) show ip eigrp neighbor to verify EIGRP neighbor relationships are forming/working (also can use show ip eigrp topology to view Topology Table/DB) 3) show ip eigrp int [g0/0] detail to view Interface detail for the routing protocol
2.7 – Passive Interface a. To configure for OSPF & EIGRP, simply add passive-interface f0/0 to sub-Router
command or passive-interface sub-Interface command
SECTION III (6%) – IP Services 3.1 – Recognize High Availability – First Hop Redundancy Protocol (FHRP)
a. Virtual Router Redundancy Protocol (VRRP) 1) Open source protocol 2) Highest Priority is preferred Router 3) Uses one Router as preferred then transfer to next (standby) Router if needed 4) A Virtual IP (VIP) & Virtual MAC is configured & used between 2 Routers 5) Configure a) conf t b) From Interface link is connected to: int f0/0 c) Configure VIP: vrrp # 10.0.0.1 (# doesn’t matter [0-255], but has to be consistent among HSRP Routers) d) Configure Router Priority: vrrp # priority # (default Priority = 100, so set a higher # to make Router the ‘active’ Router) e) Configure Re-Priority Ownership: vrrp # preempt 1. If, for example, R1 is config’d to be Priority (owner) Router & goes offline, R2 would take over; but when R1 comes back online, it will take over ownership of the VIP 2. Preempt cmd not needed on the secondary Router f) Configure other (standby) Router; remember the standby # has to be same as on 1st Router 6) Verify: show vrrp b. Hot Standby Router Protocol (HSRP) 1) Cisco proprietary protocol 2) Highest Priority is preferred Router 3) Uses one Router as preferred then transfer to next (standby) Router if needed 4) A Virtual IP (VIP) & Virtual MAC is configured & used between 2 Routers 5) Configure a) conf t b) From Interface link is connected to: int f0/0 c) Configure VIP: standby # ip 10.0.0.1 (# doesn’t matter [0-255], but has to be consistent among HSRP Routers) d) Configure Router Priority: standby # priority # (default Priority = 100, so set a higher # to make Router the ‘active’ Router) e) Configure Re-Priority Ownership: standby # preempt 1. If, for example, R1 is config’d to be Priority (owner) Router & goes offline, R2 would take over; but when R1 comes back online, it will take over ownership of the VIP 2. Preempt cmd not needed on the secondary Router f) standby # name SomeName to give the HSRP group a descriptive name g) Configure other (standby) Router; remember the standby # has to be same as on 1st Router 6) Verify: show standby or show standby brief c. Gateway Load Balancing Protocol (GLBP) 1) Cisco proprietary protocol
2) Balances load between two or more Routers 3) One VIP is associated with 2 (or more) MACs & traffic is load balanced between all Routers 4) If a Router goes down, traffic will be re-routed to the working Router(s), then when the downed Router comes back online, traffic will again be load balanced 5) Configure a) conf t b) From Interface link is connected to: int f0/0 c) Configure VIP: glbp # ip 10.0.0.1 (# doesn’t matter [0-255], but has to be consistent among GLBP Routers) d) Configure other Routers; remember the # has to be same as on 1st Router e) Set glbp # priority # & glbp # name as explained in HSRP setup above 6) Verify: show glbp or show glbp brief
3.2 – Configure & Verify Syslog a. Configure 1) By default, Cisco Routers/Switches send logs for all severity levels to the Console & some IOS versions also buffer the same logs by default; to enable each: a) For the Console: logging console b) For the Buffer: logging buffered 2) To disable timestamp & enable sequence number: a) no service timestamp ; server sequence-numbers 3) To send logs to a server: a) logging #.#.#.# → # = IP of syslog server) b) Set the Severity Level of msgs to retrieve (criticality of Level and lower [more severe]) → logging trap 4 SYSLOG SEVERITY LEVELS
Level Level Name Explanation
0 Emergency System may be unstable
1 Alert Immediate action may be required
2 Critical Critical event took place
3 Error Router experienced an error
4 Warning Condition might warrant attention
5 Notification Normal but significant condition occurred
6 Informational Normal event occurred
7 Debugging Output result of debug command
b. Verify 1) show logging 2) Go to Syslog Server to view incoming log messages c. Utilize Syslog Output
3.3 – Describe SNMP v2 & v3
a. General Info 1) Both are an application layer protocol providing a message format for communication between “managers” and “agents” a) Manager – Network Management Application that runs on a PC b) Agent – software that is installed on all devices to be managed 2) Retrieve or write to variables stored in the SNMP database, called Management Information Base (MIB) 3) GET messages – messages that pool info from the SNMP agent 4) SET messages – messages that write to the variables 5) TRAP messages – SNMP messages sent from the device (agent) to the Network Management Station (NMS) that also lists the state of the MIB variable (Object ID) 6) SNMPv1/v2 presents no security, whereas SNMPv3 does a) v3 provides message integrity b) v3 provides authentication c) v3 provides encryption 7) SNMPv3 Security Mode commands: a) noauth (noauthnopriv) – username auth method with no encryption b) auth (noauthpriv) – MD5 or SHA with no encryption c) priv (authpriv) – MD5 or SHA with encryption b. Configure 1) snmp-server community SomePassword RO ALC a) NOTE: The SomePassword parameter is called the Community String; RO = Read-Only parameter & can also be RW = ReadWrite; optionally create ACL for only 1 NMS to access info 2) ip access-list standard ACL-PROTECTSNMP a) permit host #.#.#.# 2) Two optional commands for SNMP Server Location and Contact info a) snmp-server location City b) snmp-server contact MyName
SECTION IV (32%) – Troubleshooting 4.1 – Identify & Correct Common Network Problems
a. LAN Switching (Data Plane) Troubleshooting – use various show commands 1) show cdp neighbors detail – will display neighboring Cisco devices to verify appropriate Interface connection (diagram may be wrong if different Interface is listed as connected to neighboring device) 2) show interface status – a Switch cmd only (status not on Routers), displays speed/duplex, vlan, & line/protocol status of all Switch Interfaces; know the line/protocol status states & possible causes (& thus how to resolve) for a state other than up/up 3) show run int f0/0 – shows configuration settings for a given Interface (Port-Security, PortFast) 4) show port-security interface f0/1 – shows Port-Security stats for an Interface; Interface may still be up/up depending on port-security type/violation mode 5) show vlan – verify VLAN creation, active (not shutdown [lshut]), VLANs allowed 6) show interface trunk – check Trunking & Trunk encapsulation mode ( dot1q or isl )
7) show spanning-tree vlan # – check to see if Interfaces are in a STP Forwarding state; if not, Frames will be discarded; Interface info at end of cmd output 5) show mac address-table [vlan #] – will show Interface upon which a device MAC was learned, & thus Frames forwarded out of; can use vlan parameter to narrow output b. I think a good idea for this task (since nothing specific is stated) is just to take a layered approach & troubleshoot to try to isolate where a problem (may) exists: 1) PC → in correct Subnet; have correct Gateway/DNS/DHCP address config’d; NIC speed/duplex 2) Switch → Int status (up/up); port-security (correct MAC); Trunking; encapsulation; VLAN Port assignment; native VLAN 3) Gateway (Router) → correct Subnet on Interface; proper inter-VLAN config (Subnet, encapsulation); DHCP ip dhcp-helper config’d; Interface status (up/up); speed/duplex; L2 encapsulation mismatch among Serial link; correct routing protocol config/enabled on Int’s
4.2 – Utilize Netflow Data NOTE: There really isn’t much referenced about “utilization” per sè; so I will just show configuration & the accompanying show commands to verify configuration a. Configure 1) config t 2) int f0/0 3) ip flow ingress 4) ip flow egress 5) (Global Config): a) ip flow-export destination #.#.#.# ## (1st # = collector IP; 2nd # = UDP Port no.) b) ip flow-export version 9 c) ip flow-export source loopback 0 6) Verify: show ip flow export [interface] ; show ip cache flow
4.3 – Troubleshoot & Resolve Spanning Tree Operation Issues a. Verify Root Switch 1) Use show commands to check settings a) show spanning-tree root (lists ALL Roots for each VLAN; use vlan parameter to view Root for a particular VLAN) b) show spanning-tree (can add vlan parameter; lists Root in output) c) Depending on exam question & how you’re required to determine Root, this may be more conceptually-based 1. When using show cmds, look for local Switch Port Role; if Port is RP, Switch opposite the RP may be the Root b. Verify Priority 1) show spanning-tree 2) show spanning-tree bridge c. Verify Correct Mode 1) show spanning-tree – at top, either shows ieee or rvstp
d. Verify Port States 1) show spanning-tree vlan # – last section of output lists STP state of local Switch Ports
4.4 – Troubleshoot & Resolve Routing Issues a. Verify Routing Is Enabled 1) show running-config | section route 2) show ip protocols 3) show ip route ospf [eigrp] 4) show ip ospf [eigrp] interface b. Verify Routing Table Is Correct 1) show ip route c. Verify Correct Path Selection 1) Look at the Administrative Distance of Route types (Static, Connected, OSPF, etc.) from show ip route cmd 2) If more than 1 route for a destination exists, the Router uses the route with the longest Mask Prefix (i.e. most specific route) and/or route with lowest Admin Dist (AD) 3) Or, to check to see what path a Router will use, verify with this cmd: show ip route #.#.#.# ( #.#.#.# = the IP address checking against) d. ACLs 1) Use show run and show ip int f0/0 commands to check ACLs & ACL policy direction 2) Standard vs Extended; do packets match statements in the ACLs? 3) If Ports are used, do the ACL statements use tcp & udp in the Extended ACL statement? 4) Does an ACL block routing traffic? (e.g. access-list 101 deny ip any host 22.0.0.10 [or .9 for OSPF] or access-list 102 deny ospf any any ) e. Troubleshooting Tools/Tips 1) Ping & Extended Ping – can use to test L3 to/from a destination 2) Traceroute – can be used to test “hops” in a path to a destination 3) Check a Host IP settings a) Default Router IP correct? b) DNS IP correct – if using the Router for DNS, look at the dns-server setting in DHCP c) IP & Mask correct – fall within range of IPs for the Subnet the Host & its Gateway are on? 4) In a Routing path from source > destination, verify several configurations on network devices a) When using VLANs, verify correct Switch & Router Ports are connected b) When using VLANs, make sure ROAS (Router) & Switch Trunking is configured correctly 1. Proper IP(s) on Router 2. Proper SwitchPort Mode on Switch 3. Encapsulation (dot1q) on Router 4. Allowed VLANs on Switch on the Trunk Port 5. Consistent Native VLAN between Switch & Router 5) If using remote DHCP server verify ip helper-address cmd in run-config is set correctly
4.5 – Troubleshoot & Resolve OSPF Problems a. Verify Neighbor Adjacencies 1) show ip ospf neighbor 2) Is Neighbor Router pingable? 3) Check adjacency requirements a) Neighbor Interfaces must be in same Subnet b) Interfaces must be up/up c) No ACLs must be blocking traffic (see “ACL” Section above) d) Neighbor Interfaces must be in same Area when using network or router Interface sub- cmd e) Interface Hello/Dead timers must match ( show ip ospf int f0/0 ) f) Authentication (if used) must match 4) Use various show cmds to check the adjacency req’s (show int , show ip ospf int , show ip protocol , etc.) b. Verify Hello & Dead Timers 1) show ip ospf int f0/0 c. Verify OSPF Area 1) show ip ospf interface brief 2) show ip ospf interface g0/0 d. Verify Interface MTU 1) show int g0/0 2) Default is 1500; if mismatched between Router Interfaces, Routers can still become Neighbors but never exchange LSDB info e. Verify Network Types 1) show ip ospf int g0/0 – shows OSPF Network Type for the Interface a) Broadcast – Type used on Ethernet links b) Point-to-point – Type used on Serial links 2) Cisco recommends never changing these defaults; if mismatched, Routers can become Neighbors but never exchange LSDB info f. Verify Neighbor States 1) show ip ospf neighbor g. Review OSPF Topology Table 1) show ip ospf database
4.6 – Troubleshoot & Resolve EIGRP Problems a. Verify Neighbor Adjacencies 1) show ip eigrp neighbor – to show listing of EIGRP Router neighbor relationships; lists neighbor Router IP, not Router-ID 2) Is Neighbor Router pingable? 3) Check adjacency requirements
a) Neighbor Interfaces must be in same Subnet b) Interfaces must be up/up c) No ACLs must be blocking traffic (see “ACL” Section above) d) Neighbor Interfaces must use same Autonomous System Number (ASN) when using eigrp router cmd e) Authentication (if used) must match 4) Use various show cmds to check the adjacency req’s (show int , show ip eigrp int , show ip protocol , etc.) b. Verify AS Number 1) show run int f0/0 – to see each Interface EIGRP config to verify consistent AS usage or show ip protocol c. Verify Load Balancing 1) show ip route eigrp or show ip route – to check multiple routes to same Subnet d. Split Horizon 1) show ip eigrp int detail g0/0 – shows if SH is enabled as well as the Hello and Hold Time Interval settings the Interface
4.7 – Troubleshoot & Resolve Inter-VLAN Routing Problems a. Verify Connectivity 1) show ip int brief ; show int f0/0.# – to check line/protocol status on Router b. Verify Encapsulation 1) show int f0/0.# – displays the encapsulation type on the Interface c. Verify Subnet 1) show run int f0/0 – to check explicit config on a given Interface 2) show int f0/0.# – if not able to use running-config file; check IP & Mask to verify Subnet d. Verify Native VLAN 1) Either an IP is configured on the ‘main’ physical Interface, or native VLAN is explicitly configured as a sub-Interface, with IP, & encapsulation native vlan ID cmd 2) show int f0/0.# – to check the cmd from #1 and verify correct VLAN ID is used e. Port Mode Trunk Status 1) show int f0/0 switchport 2) show int trunk
4.8 – Troubleshoot & Resolve WAN Implementation Issues a. Serial Interfaces 1) show int s0/0 on Serial Interfaces show a lot of info that can determine potential failure 2) If traffic not passing through, 1st step is to do a ping to the next hop Router Serial IP 3) Nicer looking line/protocol status code check can be done using show in status 4) If a link is shown as administratively down, then a simple no shut cmd may rectify the
issue (if err-disabled = shut , then no shut ) 5) If still a problem, then use cmd from Step 1 above to view other potential link issues → encapsulation mismatch, keepalive mismatch (HDLC), or authentication failure (can use debug ppp authentication cmd to view authentication log msgs) 6) If Interfaces show an up/up status, but ping fails, more than likely there’s an IP misconfiguration (one, or both IPs on each Router Serial Interface in the wrong Subnet) a) NOTE: For PPP, pings can still work even though Interface IPs are in different Subnet, but routing info (OSPF, EIGRP) will not traverse the link b. Frame Relay (see Appendix A at end of this Study Guide) c. PPP 1) Look at encapsulation configuration of Interfaces: show int s0/0 2) Look at authentication (i.e. is CHAP enabled) & if username/pwd combo is set correctly
4.9 – Monitor Netflow Statistics a. Uses/Purposes 1) General network traffic accounting for baseline analysis 2) Usage-based network billing for network services 3) Network design/redesigns to include new devices & application to meet growth needs 4) General network security design 5) Dos/DDoS detection & prevention 6) Network monitoring b. Network Flows 1) Source IP 2) Destination IP 3) Source Port 4) Destination Port 5) L3 Type 6) Type of Service (ToS) 7) Input logical Interface c. Configure 1) ip flow f0/0 – the Interface with which to monitor 2) ip flow ingress – to monitor incoming traffic to an Interface 3) ip flow egress – to monitor outgoing traffic from an Interface 4) ip flow-export destination #.#.#.# ## – 1st # is IP of Collector, 2nd # = UDP Port 5) ip flow-export version 9 (other versions = 1, 5, 7, 8) 6) ip flow-export source loopback 0 – source Interface to use as source of the packets sent to the collector d. Verify 1) Ultimate verification is to check data in the Netflow Collector 2) To check locally: show ip cache flow 3) show ip flow interface – to check Interfaces configured for Netflow
4) show ip flow export – to check configuration parameters
4.10 – Troubleshoot Etherchannel Problems a. Items to be aware of: 1) Is the channel-group number used in commands consistent among all Interfaces configured to be in the Etherchannel group (to prevent this, best to config on range of Interfaces) Etherchannel? 2) Is the channel-group mode configured correctly on each Interface (LACP = active or passive; PAgP = desirable or auto) a) Cannot have auto on both ends for PAgP or passive on both ends for LACP b) Cannot use on mode on one end & any of the PAgP or LACP modes 3) Check Etherchannel by issuing: show etherchannel summary ***Look in Appendix A at end of Guide for a clean summarization of above Troubleshooting items
SECTION V (15%) – WAN Technologies 5.1 – Identify Different WAN Technologies
a. Metro Ethernet 1) Another name for EoMPLS or Ethernet WAN b. Very Small Aperture Terminal (VSAT) 1) Satellite connection to remote offices with little/no physical cable connectivity c. Cellular 3g/4g 1) Mobile phone technology 2) 3rd Generation/4th Generation d. Multiprotocol Label Switching (MPLS) 1) Uses Ethernet or Fiber 2) Biggest difference from other WAN technologies is the promise of SP to deliver Packets, not bits or Frames e. T1 (U.S.)/E1 (Europe) 1) Uses Copper Serial 2) Other common names → Leased Lines, Point-to-Point, Serial Link, WAN Link, Circuit f. Integrated Services Digital Network (ISDN) 1) Customer side uses a Basic Rate Interface (BRI) 2) Telco side uses a Primary Rate Interface (PRI) 3) Uses two 64Kbps channels, total of 128Kbps, such that phone & Internet can be used simultaneously g. Digital Subscriber Line (DSL) 1) Uses Copper POTS
2) Speeds up to 5-24Mbps 3) Uses DLS Access Multiplexer at Telco to split digital & voice signals h. Frame Relay 1) Uses Copper Serial i. Cable 1) Uses COAX at L1 2) Uses DOCSYS at L2 PRIVATE WAN COMPARISON
Leased Line/T1 Frame Relay Ethernet WAN/EoMPLS MPLS
Physical link type TDM (T1, E1, etc) TDM (T1, E1, etc) Ethernet/Fiber Any that support IP
Router Interface Serial Serial Ethernet Any that support IP
Protocols HDLC, PPP Frame Relay Ethernet Any that support IP
WAN SP promise delivery of bits deliver FR Frames deliver Ethernet Frames deliver IP Packets
PUBLIC WAN COMPARISON
Analog Modem ISDN DSL Cable
Physical link type Phone line (local loop) Phone line (local loop) Phone line (local loop) CATV
Internet Always on No No Yes Yes
Speed 56Kbps 128Kbs 10s of Mbps 10s of Mbps
Asymmetric No No Yes Yes
j. VPN 1) Types a) Site-to-Site or Intranet VPN – connecting two sites of same org b) Extranet VPN – connecting two sites of different or partnering orgs c) Remote Access VPN – connecting individual users to enterprise network remotely 2) VPN Encryption Protocols a) IPsec – uses current default/best practice encryption algorithm Advanced Encryption Std (128/256bit encryption) b) SSL – encryption used by web browsers 3) VPN Security Functions a) Privacy/Confidentiality – prevent man-in-middle from reading data during transit b) Authentication – verify sender is legitimate device c) Data Integrity – verify packet unchanged during transit d) Anti-replay – prevent man-in-middle attacks 4) GRE Tunnel – used by 2 connected VPN endpoints (Routers) a) Encapsulates original packet in a GRE Header & Delivery IP Header b) Configuration 1. conf t 2. int tunnel# (# doesn’t matter & doesn’t have to be consistent among Routers) 3. tunnel source int s0/0/0 (or can use public IP Address of outgoing local Interface) 4. tunnel destination 2.2.2.2 (2nd Router in the tunnel config; public IP on Serial Interface) c) Verify: show int tunnel# , show ip int brief , show ip route , & can do Extended
traceroute
5.2 – Configure & Verify A Basic WAN Serial Connection (HDLC) a. Configure 1) conf t 2) int s0/0 (or whatever Serial Interface number is connected to Telco) 3) ip address #.#.#.# #.#.#.# (IP Address & Subnet Mask) 4) clock rate 64000 – on the DCE side, set the Clock Rate in bps (usually done by ISP/Telco) 5) encapsulation hdlc (if an encapsulation other than HDLC was previously set) 5) no shut b. Verify 1) View Interface statistics (L1/L2 status, IP Address/Mask, & Encapsulation): show int s0/0/0 2) View Clock Rate & Hardware (DCE vs DTE): show controllers s0/0/1
5.3 – Configure & Verify A Point-to-Point Protocol (PPP) Connection Between Routers a. Configure 1) conf t 2) int s0/0 (or whatever Serial Interface number is connected to Telco) 3) ip address #.#.#.# #.#.#.# (IP Address & Subnet Mask) 4) clock rate 64000 – on the DCE side, set the Clock Rate in bps (usually done by ISP/Telco) 5) encapsulation ppp 6) ppp authentication chap (if using authentication) a) NOTE: a Router hostname must be set, as well as username of remote Router & pwd on both connected Routers (R1: hostname R1 , username R2 password mypass ; R2: hostname R2 , username R1 password mypass ) 7) no shut b. Verify 1) View Interface statistics (L1/L2 status, IP Address/Mask, & Encapsulation): show int s0/0/0 2) View Clock Rate & Hardware (DCE vs DTE): show controllers s0/0/1 3) View PPP communication: debug ppp negotiation
5.4 – Configure & Verify Frame Relay On Cisco Routers a. Terms/General Info 1) Data Link Connection Identifier (DLCI) – Layer 2 address of Router (DTE → data terminal equip) a) Assigned by SP b) Analogous to a MAC Address c) Assigned to the WAN-connected Serial Interface on the Router d) Essentially creates a L2 route/map to remote Router (remote Router has diff assigned DLCI #) 2) Committed Information Rate (CIR) – max guaranteed bandwidth 3) Forward Explicit Congestion Notification (FECN) – warns upstream devices of congestion 4) Backward Explicit Congestion Notification (BECN) warns downstream devices of congestion 5) Discard Eligible Bit (DE) – bit set on a Frame when sending in excess of CIR 6) Virtual Circuit/Permanent Virtual Circuit (VC/PVC) – path a Frame takes between two DTEs
7) Nonbroadcast Multiaccess (NBMA) – multiple devices can access but not send Broadcasts 8) Inverse ARP – dynamically maps L3 IP to L2 DLCI address by using LMI msgs (see below) 9) Local Management Interface (LMI) – protocol between DCE (Service Provider Switch) & DTE (local/customer Router) to manage the DTE > DCE connection; sends signaling & keepalive msgs b. Configure 1) Full-Mesh, One Subnet: a) conf t b) int s0/0/0 c) ip address #.#.#.# #.#.#.# (Public IP & Mask) d) encapsulation frame-relay (nothing after frame-relay defaults encapsulation type to cisco ; other option is ietf ) e) no shut f) With Frame Relay encapsulation default of cisco , no other parameters – DLCI, LMI Type, or Inverse ARP – need to be configured g) If, for example (using a 3-Router Full Mesh) 1 of the Routers needs to use the ietf encapsulation type, but the other 2 can still use cisco default, chg R1 & R3 Interface config: 1. frame-relay map ip #.#.#.# ietf (IP is remote Rtr needing ietf encapsulation) h) If 1 of the 3 Routers requires an explicit LMI (Interfaces auto-sense if none config’d): 1. frame-relay lmi-type ansi (other options → ansi , cisco or q933a ) i) If DLCI Mapping is to be done statically, use a cmd stmt for each remote Router Serial IP but the local Router DLCI for the VC to that remote Router: 1. frame-relay map ip #.#.#.# ## broadcast (1st # is remote Rtr IP; 2nd # is local Rtr DLCI) 2) Partial Mesh Point-to-Point, One Subnet per PVC: a) conf t b) int s0/0/0 c) encapsulation frame-relay (nothing after frame-relay defaults to cisco ) d) int s0/0/0.1 point-to-point (sub-Interface needs created for each PVC the Router connects to) e) ip address #.#.#.# #.#.#.# (Public IP & Mask) f) frame-relay interface-dlci # (local Router DLCI for the given PVC) g) no shut h) int s0/0/0.2 point-to-point (sub-Interface for next PVC the Router connects to) i) ip address #.#.#.# #.#.#.# (Public IP & Mask) j) frame-relay interface-dlci # (local Router DLCI for the given PVC) k) no shut 3) Multipoint (Hybrid of 1 & 2 above) One Subnet in a PVC & 1 Subnet per remaining PVCs: a) conf t b) int s0/0/0 c) encapsulation frame-relay (nothing after frame-relay defaults to cisco ) d) int s0/0/0.1 multipoint (sub-Interface created for each PVC the Router connects to); multipoint means can send/receive to/from more than 1 VC on a given sub-Interface e) ip address #.#.#.# #.#.#.# (Public IP & Mask) f) frame-relay interface-dlci # (local Router DLCI for the given PVC) g) frame-relay interface-dlci # (multiple DLCIs need config’d for the 1-Subnet config) h) no shut i) int s0/0/0.2 multipoint (sub-Interface for next PVC the Router connects to)
j) ip address #.#.#.# #.#.#.# (Public IP & Mask) k) frame-relay interface-dlci # (local Router DLCI for the given PVC) l) no shut c. Verify 1) Get Frame-Relay statistics (DLCI #, State, Interface): show frame-relay pvc 2) See Frame-Relay DLCI > IP Mapping: show frame-relay map 3) Initiate pings to test remote network connectivity
5.5 – Implement & Troubleshoot PPPoE a. Implement 1) A dialer (virtual) Interface needs configured 2) Enable ppp encapsulation on the virtual dialer Interface 3) Configure CHAP: ppp chap hostname ISPRtrName ; ppp chap password ISPPwd 4) dialer pool # 5) On physical Interface: no ip address ; pppoe-client dial-pool-number # b. Troubleshoot 1) Two configuration parameters need to be identical for PPPoE to work a) dialer pool # ; pppoe-client dial-pool-number # (both # need to be identical)
APPENDIX A
ICND2 -200-101 Troubleshooting Overview LAN SWITCHING ISSUES
1. Confirm topology/neighbors: show cdp neighbors detail
2. Check Interfaces: a. show int status – up/up ; admin down/down ; up/down ; down/down (err-disabled) ; down/down (speed or L1 issue) ; speed/duplex auto neg or not b. show int f0/0 – checks status codes & potential encapsulation mismatches ; collision counters (duplex mismatch)
3. Check Port-Security: a. show port-security – lists all Interfaces PS is enabled on b. show int f0/1 status – an err-disabled state refers to PS violation (or admin shutdown of Interface) c. show port-security int f0/1 – shows detailed PS info for the given Interface (i.e. PS Protect Mode & last source MAC) d. show running-config int f0/1 – shows configured MAC for PS 1) switchport port-security [maximum] [violation mode] mac-address #### to change an Interface PS config
4. Check VLAN/Trunking: a. show vlan – to show VLANs, Interfaces, & Interfaces assigned to what VLANs; assign Ports to proper VLAN if need to maybe due to misconfiguration b. show interfaces trunk – display all Interfaces configured for Trunking & allowed VLANs c. show running-config int f0/2 – to check the switchport mode; if Trunking not working, could be due to differing Port modes (auto-auto won’t Trunk; Access-Trunk won’t Trunk; Access-Access won’t Trunk)
SPANNING TREE (STP)
1. Check STP info (Port states, roles, costs) for all VLANs: show spanning tree
2. Check MAC Table info (MAC, Port, & VLAN): a. show mac address-table [vlan #] – displays source MAC learned, VLAN it’s in, & Port assigned; use VLAN parameter to narrow only for a given VLAN ID
3. Check neighboring devices: show cdp neighbor [detail]
4. Check Root Bridges in all VLANs: show spanning-tree root
5. To determine RPs & DPs: show spanning-tree [vlan #]
ETHERCHANNEL
1. Etherchannel configuration # needs to be the same when configuring each Port on the local
Switch (can be different assigned # on neighboring Switch)
2. show etherchannel # summary – shows the PO# (PortChannel #) with the Switch Ports configured in the “channel group”, as well as the PO Port status (NOTE: PO Port status of ‘down’ in the PO group does not reflect the individual Interface status… i.e. is still in up/up state)
3. Ports used in an Etherchannel group must be the same→ mode (Access or Trunk), speed, duplex, allowed VLAN, native VLAN, STP settings (i.e. Port Cost, etc.)
4. Verify channel-group mode on each end of the 2 Switch’s Interfaces; for EC to work → auto-desirable ; desirable-desirable ; passive-active ; active-active ; on-on
COMMON NETWORK ISSUES
1. First step to always do is try a ping to problem destination; break down the path in the chain to try to narrow the problem location a. ping local LAN b. ping Default Gateway (DG) c. ping destination d. ping using IP vs hostname to check DNS – could be wrong static or DHCP DNS Server IP d. Test REVERSE routing by using extended ping on Router – could lead to routing protocol or Subnet advertising issue (not advertised or Interface is configured as passive)
2. Based on ping results, next step to help narrow location is to use (extended) traceroute
3. If ping fails to DG, check IP Addressing (Mask, Subnet, or correct DG) of source/Router devices
4. If ping fails in general, check Switch Port-Security violation on source device local LAN Switch
5. Check that Router & Switch Interfaces used in the network path are in up/up state
6. Check Router Interfaces for ACLs: show running-config int g0/1
7. If DHCP Server used, is it configured with correct network info → DG, DNS a. Check if ip helper-address cmd is configured on Router if DHCP is remote; if configured, is IP of DHCP Server correct
8. Check ARP Cache of local PC (arp -a) and/or on Router (show arp)
GENERAL ROUTING ISSUES
1. See “Common Networking” above
2. ROAS issues – check Router sub-Interface config for IP, VLAN, encapsulation, native VLAN); see Inter-VLAN troubleshooting section below
3. Check Interface status: show int status (Switch); show int brief (Router) ; show int f0/0 INTERFACE LINE/PROTOCOL STATUS
Interface Status Line Protocol Status Resulting Link State
Up Up (connected) Functioning
Up Down L2 issue (HDLC vs PPP); clock rate; duplex mismatch
Down Down L1 issue; remote port not enabled; speed mismatch
Administratively Down Down Locally disabled
4. Check duplex/Speed mismatch – speed will show Interface state down/down; duplex will show
up/down state
5. show ip route – verify Routing Table routes a. show running-config int f0/0 – to check Routing Protocol config on an Interface b. show ip protocol – shows detailed routing protocol config info
6. Do IPs/Subnets overlap – check IP ranges of Subnets configured on involved devices Interfaces
7. Check Serial encapsulation config, ACL configuration/direction
OSPF
1. Various OSPF settings must be consistent among Routers to form Neighbors:
a. Must be in same OSPF area b. Hello/Dead Timers – sub-Interface config; use show ip ospf interface cmd c. IP Address configured d. Neighbor Routers must be in same Subnet e. Same authentication (if used) g. Interfaces must be in up/up state h. ACLs must not filter protocol msgs i. Router ID must be unique; use show ip ospf to check Router-ID on local device j. show ip ospf neighbor – verify Neighbor relationships
2. Verify if Interfaces are enabled for OSPF (via Interface directly or Network sub-Router cmd) a. show ip ospf int [brief] – shows config via Network cmd only & lists passive
Interfaces 1) show ip ospf int g0/0 – shows OSPF network type; if mismatched, must change (ip ospf network type sub-Interface cmd) b. show run int g0/0 – check Interface config c. show ip protocol – shows detailed info for each routing protocol enabled on a Router
EIGRP
1. Various EIGRP settings must be consistent among Routers to form Neighbors: a. Must use same AS number b. IP Address configured c. Neighbor Routers must be in same Subnet e. Same authentication (if used) g. Interfaces must be in up/up state h. ACLs must not filter protocol msgs i. show ip eigrp neighbor – verify Neighbor relationships
2. Verify if Interfaces are enabled for OSPF (via Interface directly or Network sub-Router cmd) a. show ip eigrp int – shows config via Network cmd only & lists passive Interfaces b. show run int g0/0 – check Interface config c. show ip protocol – shows detailed info for each routing protocol enabled on a Router
INTER-VLAN
1. Router sub-Interfaces a. show run int f0/0.# – display ROAS (Inter-VLAN) Router configuration of sub-Interfaces that should be configured for each VLAN b. show ip int brief – displays each Interface & its state
2. Check Native VLAN (doesn’t have to be configured; if it isn’t explicitly, Native VLAN = 1) a. If used sub-Interfaces, verify if native is used at the end of the encapsulation sub-Interface cmd
3. show int trunk – (from Switch) on Port connected to the Router Interface, verify if Trunking is properly enabled; this cmds displays all Trunk Ports a. show vlan – check the Native VLAN & verify it’s 1, if none is configured on the Router b. switchport trunk native vlan # – cmd to change Native VLAN, if needed
4. If using a remote DHCP server, the ip helper-address #.#.#.# cmd needs added to each VLAN sub-Interface so hosts in each VLAN can utilize DHCP
WAN HDLC/PPP
1. Check L1 problems – if one end of the link (on other Router) is administratively disabled, the local Router Interface will show in down/down state; use no shut cmd on remote Router
2. Check L2 problems (Line/Protocol status) a. up/down (both ends) – mismatched encapsulation OR authentication failure (PPP) 1) debug ppp authentication – will show authentication logs if CHAP authentication is misconfigured b. up/down (one end) – keepalive disabled on an Interface on one device (HDLC) 1) show int s0/0/1 – displays if keepalive is set for a given Interface
3. Check L3 problems a. Does ping work b. Verify neighboring device IP/Mask (Subnet)
FRAME RELAY 1. L1 issues
a. Check if the Serial Interface in up/up state: show ip int brief ; show int s0/0/1
2. L2 issues a. show frame-relay lmi – check encapsulation on the link; i.e. check LMI type ( cisco , ansi , or q933a ) b. show int s0/0/1 – check if keepalive is disabled ( no keepalive ) on the Interface & if frame-relay encapsulation is properly configured on the Interface
3. L3 issues a. Always best to start with ping to neighboring Router b. show frame-relay pvc – check private virtual circuit (PVC) status, local DLCI, & Interface out the local Router the PVC traverses 1) Active status = PVC is up & working 2) Inactive status = PVC is not working c. show frame-relay map – verify DLCI > PVC mapping & neighboring Router IP
4. show run int s0/0/1[.#] – check encapsulation type ( cisco or ietf ); if mismatched, traffic won’t traverse link
5. show ip int brief ; show int s0/0/1 – verify IPs of neighboring Routers are in same Subnet Created by Shane Williford (twitter: @coolsport00) 24 November 2014. If you reference this Study Guide, please give credit to the author.