network guide 1


NETWORKS 1

introduction and terms overview


Router, Gateway, + Default Gateway are all the same thing.


A router separates two different networks


A MAC (Media Access Control) address is a unique manufacturer number assigned to a device to identify it on a network.


A router uses two MAC addresses which are hardcoded in hexadecimal.

Hexadecimal format is 24 bits for 6 values.


MAC 1 = Inside home (Local Area Network/Intranet)

MAC 2 = Outside home (The Internet)


DLL stands for Data Link Layer, not to be confused with a Dynamic Link Library.

(A Dynamic Link Library, much like a Java web resource, contains both code that can be accessed by multiple applications at once and links to other resources that may be called.)


A frame is a data link layer component.

The DLL (data link layer) is responsible for local network communication

passing information and data in the form of frames through the local network.


NIL stands for Network Interface Layer which uses the Network Interface Card to convert the physical digital signal into a DLL frame.


Digital signal converted to Binary 1s and 0s converted to Frame

Frame converted to Binary 1s and 0s converted to Digital Signal.


MAC: Unique device ID on network

IP ADDRESS: DHCP address assigned to device by the router

HOSTNAME: DNS address registered on domain controller

SUBNET MASK: For isolating local network traffic

DEFAULT GATEWAY: Router address

BINARY TO HEXADECIMAL


BASE 10 - numbering system for money, fingers on our hands, etc. (how we count): 0-1-2-3-4-5-6-7-8-9 - deeply engraved in our brains

BINARY - numbering system for computers (on vs off): 0-1. Binary place values: 1-2-4-8-16-32-64-128


0

1

01

10

11

100 4s

101

110

111

1000 8s

Converting binary to decimal


512 256 128 64 32 16 8 4 2 1


Multiply each bit (1 or 0) by its place value and add up all the values = decimal.

For instance, A from ASCII is 0100 0001 in binary.


128 64 32 16 8 4 2 1 - place

0 1 0 0 0 0 0 1 - binary

_____________________ - times/x (bit times place value)

0 64 0 0 0 0 0 1 - product


Add 64 + 1 = 65


converting decimal to binary


Can I subtract and end up with 0 or a positive number?


210

128 64 32 16 8 4 2 1 - place

can I subtract 128 from 210? y = 82 = 1

can I subtract 64 from 82? y = 18 = 1

can I subtract 32 from 18? n = 18 = 0

can I subtract 16 from 18? y = 2 = 1

can I subtract 8 from 2? n = 2 = 0

can I subtract 4 from 2? n = 2 = 0

can I subtract 2 from 2? y = 0 = 1

can I subtract 1 from 0? n = 0 = 0

if yes = 1, if no = 0

11010010 = 210


Hexadecimal is base 16

every hexadecimal value can always be converted to 4 binary bits.


A byte is 8 bits, or two sets of 4 bits, so a byte is written as two hex digits, each of which converts to one 4-bit group.


0-1-2-3-4-5-6-7-8-9-A-B-C-D-E-F - hex digits

A=10, B=11, C=12, D=13, E=14, F=15 - decimal value of the letters

example: hex 1A5F

1 A 5 F - hex digits

0001 1010 0101 1111 - binary

8421 8421 8421 8421 - place holder

1 10 5 15 - decimal value of each hex digit


Binary (base 2) | Decimal (base 10) | Hexadecimal (base 16)

1001 | 9 | 9

1010 | 10 | A

1011 | 11 | B

1100 | 12 | C

1101 | 13 | D

1110 | 14 | E

1111 | 15 | F
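The three conversions worked by hand above (place-value addition for binary to decimal, the "can I subtract?" walk for decimal to binary, and one 4-bit group per hex digit), as an added Python example that is not part of the original notes. It generalises the hand method to any bit width; the function names are my own.

```python
# Added example: the hand conversions from the notes, done in code.
# Works for any width, not just the 8-bit examples in the notes.

HEX_DIGITS = "0123456789ABCDEF"


def binary_to_decimal(bits: str) -> int:
    """Multiply each bit by its place value (..., 8, 4, 2, 1) and add them up."""
    bits = bits.replace(" ", "")          # allow "0100 0001" style grouping
    if not bits or any(b not in "01" for b in bits):
        raise ValueError(f"not a binary string: {bits!r}")
    total = 0
    place = 1 << (len(bits) - 1)          # leftmost place value, e.g. 128 for 8 bits
    for bit in bits:
        if bit == "1":
            total += place
        place //= 2
    return total


def decimal_to_binary(value: int, width: int = 8) -> str:
    """The 'can I subtract this place value?' method: yes -> 1 and subtract, no -> 0."""
    if not 0 <= value < (1 << width):
        raise ValueError(f"{value} does not fit in {width} bits")
    out = []
    remaining = value
    for shift in range(width - 1, -1, -1):
        place = 1 << shift                # 128, 64, 32, ... 1 for width 8
        if remaining >= place:
            out.append("1")
            remaining -= place
        else:
            out.append("0")
    return "".join(out)


def hex_to_binary(hex_string: str) -> str:
    """Every hex digit becomes exactly one 4-bit group (1A5F -> 0001 1010 0101 1111)."""
    groups = []
    for ch in hex_string.upper():
        if ch not in HEX_DIGITS:
            raise ValueError(f"not a hex digit: {ch!r}")
        groups.append(decimal_to_binary(HEX_DIGITS.index(ch), width=4))
    return " ".join(groups)


def binary_to_hex(bits: str) -> str:
    """Group the bits in fours from the right and map each group back to a hex digit."""
    bits = bits.replace(" ", "")
    bits = bits.rjust((len(bits) + 3) // 4 * 4, "0")   # left-pad to a multiple of 4
    return "".join(HEX_DIGITS[binary_to_decimal(bits[i:i + 4])]
                   for i in range(0, len(bits), 4))


if __name__ == "__main__":
    print(binary_to_decimal("0100 0001"))        # ASCII 'A' -> 65
    print(decimal_to_binary(210))                # 11010010
    print(hex_to_binary("1A5F"))                 # 0001 1010 0101 1111
    print(binary_to_hex("0001 1010 0101 1111"))  # 1A5F
```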

Subnet Calculator


With n bits you can number 2 to the power of n networks (or hosts).

Each network needs a router, unless it's a virtual network. For hosts, subtract 2 (the all-zeros network address and the all-ones broadcast address cannot be assigned to a device).

If there are 5 bits in the network portion you can make 32 unique networks. The table below lists bits, networks, and usable hosts:


0 1 0

1 2 0

2 4 2

3 8 6 - you need 3 bits for 8 networks

4 16 14 - if you need 10 networks you need 4 bits

5 32 30

6 64 62

7 128 126 - 7 bits only gives us 126 hosts

8 256 254

9 512 510

10 1024 1022

11 2048 2046

12 4096 4094

13 8192 8190


This is helpful when deciding how many bits you need in a subnet mask


VLSM - Variable Length Subnet Masking, basically means using different subnet mask lengths to allow for different host counts as required.

So, if two subnets need different amounts of devices (available IPs), then different subnet sizes/VLANs should be applied.
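The bits/networks/hosts table above and the VLSM idea from the last paragraph, as an added Python example that is not part of the original notes: it computes the table rows and then carves a /24 into differently sized subnets, largest requirement first. It only uses the standard library's ipaddress module; the subnet names and host counts are made up.

```python
# Added example: the bits/networks/hosts table and a VLSM allocator built on it.
# Uses only the standard library; network names and host counts are made up.
import ipaddress


def usable_hosts(host_bits: int) -> int:
    """2^bits addresses minus the network and broadcast addresses."""
    return 0 if host_bits < 2 else 2 ** host_bits - 2


def host_bits_needed(hosts: int) -> int:
    """Smallest number of host bits whose usable count covers the requirement."""
    bits = 2                              # 1 bit gives 0 usable hosts, so start at 2
    while usable_hosts(bits) < hosts:
        bits += 1
    return bits


def subnet_table(max_bits: int = 13) -> list:
    """(bits, networks, usable hosts) rows, the same table as in the notes."""
    return [(b, 2 ** b, usable_hosts(b)) for b in range(max_bits + 1)]


def vlsm_allocate(block: str, requirements: dict) -> dict:
    """Carve one subnet per requirement out of `block`, largest requirement first.

    Keeps a free list; picks the tightest-fitting free piece and halves it until the
    prefix length is right, returning the unused halves to the free list.
    """
    free = [ipaddress.ip_network(block)]
    allocated = {}
    for name, hosts in sorted(requirements.items(), key=lambda kv: (-kv[1], kv[0])):
        prefix = 32 - host_bits_needed(hosts)
        # most specific (smallest) free pieces first, lowest address first among equals
        free.sort(key=lambda n: (-n.prefixlen, int(n.network_address)))
        piece = next((n for n in free if n.prefixlen <= prefix), None)
        if piece is None:
            raise ValueError(f"no room left in {block} for {name} ({hosts} hosts)")
        free.remove(piece)
        while piece.prefixlen < prefix:
            first, second = piece.subnets(prefixlen_diff=1)
            free.append(second)           # keep the upper half for later
            piece = first
        allocated[name] = piece
    return allocated


if __name__ == "__main__":
    for bits, nets, hosts in subnet_table(8):
        print(f"{bits:2d} bits -> {nets:4d} networks or {hosts:4d} usable hosts")
    # made-up requirements for a /24
    plan = vlsm_allocate("192.168.104.0/24",
                         {"sales": 60, "engineering": 28, "router link": 2})
    for name, net in plan.items():
        print(f"{name:12s} {net}  mask {net.netmask}  usable {net.num_addresses - 2}")
```

Sorting requirements largest first is what keeps the allocations contiguous and avoids fragmenting the block; running the same requirements smallest first would still work but wastes address space.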

Data link layer encapsulation


In order to move a packet (which has IP addresses in it),

it must first be placed inside a frame, which can only move on the local network.

The frame is sent to the router, which takes the packet out and places it inside a new frame before sending it out across the internet.


This repacking of packets happens each time a packet reaches a router.


255.255.255.0

255.255.255 = network .0 = host


Network = group of devices

Host = single device


if you change the network portion of a device's IP address, it will then be on a different network.


working example:

device one 192.168.104.1

device two 192.168.104.2


non working example:

device one 192.168.102.1

device two 192.168.104.2


IP and Subnets


IPV6 is generally converted on IP4 networks through "network adapters" tunneling.


cmd/ipconfig will show tunneling adapters

ping 192.168.104.2 (Packet Internet Groper)


unreachable reasons "turned off" - "bad ip" "broken ethernet" - "broken router"


ipconfig /all - for mac address, which is the same as the physical address.

you cannot have two devices on the same local network with different global ip addresses that just doesn't work

the outside global network is determined by the gateway (router) IP.


203.0.113.10

203.0.113 = network portion - network name

.10 = host portion - machine name


Each number is an octet and each octet contains 8 bits (4 octets of 8 bits = 32 bits)

203-0-113-10

11001011-00000000-01110001-00001010


The subnet mask was hacked/added/edited into IPv4 after 1995

it added a separate number to all IPv4 addresses which is called the subnet mask

it basically sets 1's for the network portion and 0's for the host portion.


11111111-11111111-11111111-00000000

255-255-255-0


But with current classless IPv4 we can set the network portion to any part of our address.

You can change the network-to-host ratio by changing the subnet mask; for example you can change the number to 255 200 120 0, which would change the amount of hosts (the last numbers).


Understanding pre-1995 IP4:

classful IP addressing was split into 4 portions (no subnet mask, just the address range deciding the ratio of net to host)

the range is what determines the portions


class A 0.0.0.0 - 127.255.255.255 8bit net 24bit host

class B 128.0.0.0 - 191.255.255.255 16 net 16 host

class C 192.0.0.0 - 223.255.255.255 24bit net - 8 bit host

class D 224.0.0.0 - 239.255.255.255 - network portion - this is multi-cast - all network like a bridge


What kind of IP address is this?

Break it into binary and look at the host portion of the IP address, net-net-net-host


203 0 113 10

11001011 00000000 01110001 00001010 binary ip addy (look here)

11111111 11111111 11111111 00000000 subnet mask

255 255 255 0


if the host is all binary zeros then it is a network address

if it's all 1's in the host portion it is a broadcast IP address and cannot be assigned to any devices.

if host is a mix of zeroes and ones it is a host address that can be assigned

for example most network ip addresses end in zero but there are exceptions:


10.128.224.64

255.255.255.224 - this mask has changed the net to host ratio of the IP

00001010 10000000 11100000 010|00000 - the last 5 are now the host which are all zeros making this a network IP.

11111111 11111111 11111111 111|00000


another example - most host addresses do not end in zero but

10.128.225.0

255.255.254.0

00001010 10000000 1110000|1 00000000 the host portion contains a 1 making this a device/host ip that can be assigned.

11111111 11111111 1111111|0 00000000


Private IP ranges (can only be on internal networks)


10.0.0.0 10.255.255.255

172.16.0.0 172.31.255.255

192.168.0.0 192.168.255.255

127.0.0.1 = loop back address or home

01111111.00000000.00000000.00000001
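The "look at the host bits" rule above (all zeros = network address, all ones = broadcast, a mix = assignable host) together with the private and loopback ranges, as an added Python example that is not part of the original notes. It does the bit work with integer arithmetic rather than a library so it matches the binary lines in the notes, and it rejects masks whose 1s are not contiguous, since a subnet mask must be a run of 1s followed by 0s. Function names are my own.

```python
# Added example: classify an IPv4 address under a mask the way the notes do by hand
# (look at the host bits), and say whether the address is private, loopback or public.


def to_int(dotted: str) -> int:
    """'203.0.113.10' -> 32-bit integer."""
    octets = dotted.split(".")
    if len(octets) != 4 or not all(o.isdigit() and 0 <= int(o) <= 255 for o in octets):
        raise ValueError(f"not a dotted-quad address: {dotted!r}")
    value = 0
    for octet in octets:
        value = (value << 8) | int(octet)
    return value


def to_bits(dotted: str) -> str:
    """Write each octet as 8 bits, e.g. 11001011 00000000 01110001 00001010."""
    to_int(dotted)                         # validate first
    return " ".join(f"{int(o):08b}" for o in dotted.split("."))


def host_mask(mask: str) -> int:
    """Inverse of the subnet mask; rejects masks whose 1s are not contiguous."""
    inverse = (~to_int(mask)) & 0xFFFFFFFF
    # a valid host mask looks like 000...0111...1, so inverse + 1 is a power of two
    if inverse & (inverse + 1):
        raise ValueError(f"mask {mask} is not a run of 1s followed by 0s")
    return inverse


def classify(address: str, mask: str) -> str:
    """'network' if the host bits are all 0, 'broadcast' if all 1, otherwise 'host'."""
    inverse = host_mask(mask)
    if inverse == 0:
        return "host"                      # /32: a single address, no network/broadcast
    host_bits = to_int(address) & inverse
    if host_bits == 0:
        return "network"
    if host_bits == inverse:
        return "broadcast"
    return "host"


def scope(address: str) -> str:
    """loopback (127/8), private (the three ranges in the notes) or public."""
    a = to_int(address)
    if a >> 24 == 127:
        return "loopback"
    if a >> 24 == 10 or a >> 20 == 0xAC1 or a >> 16 == 0xC0A8:
        return "private"                   # 10/8, 172.16/12, 192.168/16
    return "public"


if __name__ == "__main__":
    for addr, mask in [("10.128.224.64", "255.255.255.224"),
                       ("10.128.225.0", "255.255.254.0"),
                       ("203.0.113.10", "255.255.255.0")]:
        print(f"{addr:15s} {mask:15s} {classify(addr, mask):9s} {scope(addr)}")
        print("   ", to_bits(addr))
        print("   ", to_bits(mask))
```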

CISCO Introduction and terms overview


BOOTSTRAP - This is basically the routers BIOS.

IOS - Internetworking Operating System (Cisco's Router OS)

STARTUP-CONFIG - The Routers Startup File

RUNNING-CONFIG - The Routers Running Config (non saved settings)

VSAN - Virtual Storage Area Network (combined virtual disk storage, usually mounted as a shared (H:/) drive)

- Each VSAN server needs 2 storage drives, 1 SSD used for the cache, and 1 SSD or HD used for storage.

TRAIN - This is what Cisco calls its major IOS releases. (12.2 and 12.4 are different "trains")

THROTTLE - This is what Cisco calls minor releases 12.2(10b) 10b is a "throttle".

REBUILD - This is what Cisco calls its patched/rebuilt versions (generally to address issues).


For example, the IOS file: c1841-adventerprisek9-mz.124-24.T5.bin

Should be read as: Cisco 1841, adventure enterprise, k9 (SSH), 12.4 (train), 24 (throttle), T5 (rebuild), .bin (binary file)


The RUNNING-CONFIG file is the file that contains all the configuration for how we access or process traffic through the router.

It is for in use protocols and to create configuration changes in.


The STARTUP-CONFIG file is loaded upon boot. When config changes that are meant to be permanent are made to the running-config, the running-config should be copied over the startup-config to overwrite the existing/old startup. To do this, simply copy the running-config file to the startup-config file.

Router Connection


Cisco routers come out of the box blank with all the interfaces turned off.

- to jump start a config and get the interface configured with the

Two cables are needed to connect your laptop and configure a router.


A CROSS-OVER CABLE is needed to establish a network connection between your laptop and the router.

- even though modern routers can convert a normal cable to a cross over, the CCNA exam requires the use of a cross over cable.


Tip: To connect two PCS together with a cross over cable, turn on network discovery on each device, then log into the device with an authorized account on the other pc. (the folder will be empty once connected unless there are "shared" folders or drives).

A ROLLOVER CABLE AKA CONSOLE CABLE is needed to gain command prompt/terminal access to the router and configure it.

Rollover cables are connected to the console port on the router and to either a USB or RS232 (serial) port on PC.

ROUTER Configuration


Use putty (with a roll over cable connected) to gain access to the CLI (command line interface), i.e. access to the router.


Putty allows SSH (an encrypted version of Telnet) connections as well as Serial (cabled) connections.

Select "Serial" to connect via your console cable.

Once the SSH terminal window opens it will be blank.


You must hit ENTER for it to respond:


"% please answer 'yes' or 'no'.

Would you like to enter the initial configuration dialog? [yes/no]:"


(the initial config dialog - is a built in config/wizard from cisco)

- this is not a recommended program to use.


enter "no".

it will return "press return to get started!"

once enter is pressed it will return with a prompt:


Router> (user mode)


To get into privileged mode: type in the command "enable"

this will change the prompt from (Router> to Router#)


Router# (privileged mode)


To enter configuration mode, type "configure terminal"


Router(config)# (configuration mode)



Basic Config Command Recap:


Enter

No

Enter

Router> (user mode)

Router>enable (privileged mode)

Router#

Router#configure t

Router(config)# (configuration mode)


adding a hostname, domain, and banner


Router(config)#

Router(config)#hostname Routername

Routername(config)#

Routername(config)#ip domain-name domain.com (or domain.local - we use the domain name to generate certs for the SSH connection)

Routername(config)#

Routername(config)#banner motd # Authorized Use Only! (enter for more lines)

Unauthorized access will be punished at the full extent of the law #

SECURING ACCESS - SETTING PASSWORDS


Routername>

Routername>enable

Routername#

Routername#config terminal

Routername(config)#

Routername(config)#line console 0 (the console port)

Routername(config-line)#password newpassword (sets the password - stored as plain text in config)

Routername(config-line)#login (enable the login-required)

Routername(config-line)#line aux 0 (the aux port)

Routername(config-line)#password newpassword (sets the password - stored as plain text in config)

Routername(config-line)#login (enable the login-required)

Routername(config-line)#exit

Routername(config)#

Routername(config)#exit

Routername#


setting admin passwords for privileged mode

Routername>

Routername>enable

Routername#

Routername#config terminal (or config t)

Routername(config)#

Routername(config)#enable secret newpassword

(the secret command sets the password for privileged mode) (this password is stored as an MD5 hash, not in plain text)

(this makes a password prompt popup after using the "enable" command)


(to show the running-config file type the below command in privileged mode)

Routername>

Routername>enable

Routername#

Routername#show running-config (or Routername#show run)

to hide the plain-text passwords for the console and aux ports


Routername>

Routername>enable

Routername#

Routername#config t

Routername(config)#service password-encryption

The router will begin to show updated log information in the terminal.

This is annoying because it cuts you off when you're typing. To correct this, enter the following:


Routername>

Routername>enable

Routername#

Routername#config t

Routername(config)#line con 0

Routername(config-line)#logging sync (short for logging synchronous)

Routername(config-line)#line aux 0

Routername(config-line)#logging sync

enable SSH for remote access


Routername>

Routername>enable

Routername#config t

Routername(config)#

Routername(config)#crypto key generate rsa general-keys (to generate an rsa key)

"how many bits in the modulus [512]:" (for ssh version 2 - the minimum is 768 - a good standard though is 1024)

%Generating 1024 bit RSA keys, keys will be non-exportable...

*DATE TIME STAMP: %SSH-5-ENABLED: SSH 1.99 has been enabled

Routername(config)#

Routername(config)#ip ssh version 2 (enable ssh v2)

Routername(config)#username name secret password (change name/password to the ones you want to use to authenticate on ssh)

Routername(config)#line vty 0 4 (virtual "ssh" connections to the router - max is 808 but we limit it to a smaller number for security = in this example the value 4 will allow 5 simultaneous ssh connections)

Routername(config-line)#transport input ssh (only allow ssh connections to the device)

Routername(config-line)#login local (use the local username/password on the router to validate)

Routername(config-line)#logging sync (when we receive log messages via ssh - it won't interrupt our command prompt)


SSH is now enabled and configured but the router is still going to be unreachable until IP has been configured.


Routername#terminal monitor (to see log messages when connecting via SSH)

fastethernet interface configuration


Routername(config)#interface fastethernet 0/0

Routername(config-if)#ip address 10.0.0.1 255.255.255.128 (add to interface 0/0)


(by default the cisco interfaces are turned off)


Routername(config-if)#no shutdown (this turns the interface on)

Routername(config-if)#shutdown (this turns the interface off)


(enter the below to configure interface 1)

Routername(config)#interface fastethernet 0/1

Routername(config-if)#ip address 10.0.0.129 255.255.255.128 (add to interface 0/1)

Routername(config-if)#no shutdown


(to save the config in case the power goes out or something)

Routername#copy running-config startup-config (save running config as startup)


To test you can ping the IPs of the fastethernet ports via command prompt when on a closed network as the router.

To test connecting, open PUTTY, (ignore the security warning popup since the security certificate was self generated)

Select SSH, The IP of the router, and port 22 in Putty to Connect.

To erase and reset the router to default settings


Password:

Routername>enable

password:

Routername#

Routername#show startup-config (to view the current startup)

Routername#erase startup-config (to delete the startup-config)

Erasing the nvram filesystem will remove all configuration files! Continue? [confirm] (this message just means it's deleting the startup-config file)

(you cant delete the running config file out of ram without rebooting)

Routername#reload

Proceed with reload [confirm] (yes)

(router will reboot and load to the "would you like to enter the initial configuration dialog? [yes/no] again)

No (yes enters the weird wizard)


configuring a router from scratch quicker method


Router>

Router>en

Router#

Router#config t

Router(config)#hostname Routername

Routername(config)#banner motd # Authorized Use Only! #

Routername(config)#line con 0

Routername(config-line)#password newpassword

Routername(config-line)#login

Routername(config-line)#logging sync

Routername(config-line)#line aux 0

Routername(config-line)#password newpassword

Routername(config-line)#login

Routername(config-line)#logging sync

Routername(config-line)#exit

Routername(config)#

Routername(config)#enable secret newpassword

Routername(config)#service password-encryption

Routername(config)#ip domain-name domain.com

Routername(config)#username newname secret newpassword

Routername(config)#crypto key generate rsa general-keys (how many bits in the modulus: 1024)

Routername(config)#ip ssh version 2

Routername(config)#line vty 0 4

Routername(config-line)#login local

Routername(config-line)#transport input ssh

Routername(config-line)#logging sync (not needed since ssh has logging off by default)

Routername(config-line)#exit

Routername(config)#

Routername(config)#interface f0/0 (the f = fastethernet)

Routername(config-if)#

Routername(config-if)#ip address 10.0.0.1 255.255.255.128

Routername(config-if)#no shut

Routername(config-if)#interface f0/1

Routername(config-if)#ip address 10.0.0.129 255.255.255.128

Routername(config-if)#no shut

Routername(config-if)#exit

Routername(config)#

Routername(config)#exit

Routername#

Routername#copy run start

"Destination filename [startup-config]?

Routername# (enter/return key)



Routername#terminal monitor (to see log messages when connecting via SSH)
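Whether the hardening steps above actually landed on a device is easy to check afterwards from the running-config. As an added Python example that is not part of these notes or of any Cisco tool, here is a small auditor for the settings the notes cover: an enable secret, service password-encryption, login on the console and aux lines, SSH-only vty lines with login local, ip ssh version 2, and a banner. The parser, the check names and both sample configs are my own; the hash and type-7 strings in the hardened sample are placeholders.

```python
# Added example: audit an IOS-style running-config for the access-hardening settings
# covered in these notes. Parser and checks are my own; both configs are constructed.
from typing import Dict, List, Tuple

# Constructed: what a router looks like after a half-finished setup.
WEAK_CONFIG = """\
hostname Routername
enable password newpassword
ip domain-name domain.com
!
line con 0
 password newpassword
line aux 0
 password newpassword
 login
line vty 0 4
 password newpassword
 login
 transport input telnet ssh
!
end
"""

# Constructed: the "quicker method" from the notes, as the router would show it.
HARDENED_CONFIG = """\
hostname Routername
service password-encryption
enable secret 5 $PLACEHOLDER_HASH$
ip domain-name domain.com
ip ssh version 2
username newname secret 5 $PLACEHOLDER_HASH$
banner motd ^C Authorized Use Only! ^C
!
line con 0
 password 7 PLACEHOLDER
 login
 logging synchronous
line aux 0
 password 7 PLACEHOLDER
 login
 logging synchronous
line vty 0 4
 login local
 transport input ssh
!
end
"""


def parse_config(text: str) -> Tuple[List[str], Dict[str, List[str]]]:
    """Split into global commands and the indented children of each 'line ...' section."""
    global_cmds: List[str] = []
    sections: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw.startswith(" ") and current is not None:
            sections[current].append(raw.strip())
            continue
        cmd = raw.strip()
        if cmd.startswith("line "):
            current = cmd[5:]
            sections.setdefault(current, [])
        else:
            current = None
            global_cmds.append(cmd)
    return global_cmds, sections


def audit(text: str) -> List[str]:
    """Return one finding per missing hardening step; an empty list means all present."""
    global_cmds, sections = parse_config(text)
    findings = []
    if not any(c.startswith("enable secret") for c in global_cmds):
        findings.append("no 'enable secret': privileged mode has no hashed password")
    if "service password-encryption" not in global_cmds:
        findings.append("no 'service password-encryption': line passwords sit in clear text")
    if "ip ssh version 2" not in global_cmds:
        findings.append("no 'ip ssh version 2': SSH v1 may still be negotiated")
    if not any(c.startswith("banner motd") for c in global_cmds):
        findings.append("no 'banner motd'")
    for name, cmds in sections.items():
        if name.startswith("vty"):
            if "transport input ssh" not in cmds:
                findings.append(f"line {name}: telnet not disabled ('transport input ssh')")
            if "login local" not in cmds:
                findings.append(f"line {name}: not using the local user database ('login local')")
        else:
            if "login" not in cmds and "login local" not in cmds:
                findings.append(f"line {name}: no 'login', so the password is never asked for")
            if not any(c.startswith("password") for c in cmds):
                findings.append(f"line {name}: no password set")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {label} ==")
        for finding in audit(cfg) or ["no findings"]:
            print(" -", finding)
```

The console-line check is the one most often missed in practice: a password with no login under line con 0 is never prompted for, which is exactly the mistake the step-by-step above avoids by pairing password with login.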


to enable IPV6 and manually add ipv6 addresses


Router>

Router>enable

Router#

Router#config t

Router(config)#ipv6 unicast-routing (turns on ipv6)

Router(config)#interface fastethernet 0/0 (or int f0/0)

Router(config-if)#ipv6 address 2001:db8:4:B::1/64

Router(config-if)#int f0/1

Router(config-if)#ipv6 address 2001:db8:4:A::1/64

how to upgrade IOS


The internetworking operating system files are .bin (binary) files stored in NVRAM


To update IOS we'll need an ethernet cable or roll over (console) cable and a TFTP server.

(A free TFTP server is available at http://tftpd32.jounin.net)


Router>

Router>enable

Router#

Router#show version (to see the IOS version we are currently using)

Router#show flash (shows the dir of flash and bytes available)

Router# (copy the new version of IOS from the workstation to the router - first check the bytes available: e.g. available bytes = 123456789 reads as (123) gig (456) meg (789) kilo)


In the TFTP server: set the directory to the one with the IOS file in it, that's it. There's no need to set anything else.


Router#copy tftp flash

(What's the address or name of remote host []?)

(enter the ip of the computer the tftp server is on)

source filename:[]? c1814-advipservicesk9-mz.124-15.T8.bin

Destination filename [c1814-advipservicesk9-mz.124-15.T8.bin]? (hit enter/return - do not type "yes" or the file will be named "yes")


This will begin the transfer of the IOS file from the PC to the router

once it's been transferred you need to load it.


Router#config t

Router(config)#

Router(config)#boot system flash:/c1814-advipservicesk9-mz.124-15.T8.bin

Router(config)#exit

Router#copy running-config startup-config (or copy run start)

Building configuration.....

Router#show version (should show old version/ once rebooted - new version should load)

Router#reload

Router# (once rebooted run the show version command again to confirm)

password recovery procedure


(Boot process)

- Power on self test

- Load Bootstrap (bios)

- Load IOS (OS)

- Load Configuration (startup-config)


To enter password recovery - you need to interrupt the boot process

- Just after the bootstrap is loading we need to issue a "break" command. (via putty/SSH)

- This will stop the remainder of the bootup process and leave you in "ROMmon" mode which is the command line interface

- This allows access to the "Configuration Register" which is a bunch of on/off switches written in hexadecimal.

The default mode for "Configuration Register" is 0x2102 - (the 0x = hex)

(the 2102 = 0010 0001 0000 0010)


(0010 = boot fields = boot as configured in the startup-config file)

If we changed it to 0001 instead of 0010 - the router will no longer boot from the startup config file, but instead will boot the first IOS in flash memory

If we change it to 0000 instead, the router will boot into ROMmon mode and not load any IOS.


The third group of four bits (0000 in 0x2102, i.e. the 7th bit counting from the right) controls NVRAM. When that bit is 0, the router will load the contents of NVRAM, i.e. load startup-config (copy the startup-config into running-config).

If we change that 0 to a 1 (0000 becomes 0100),

it will not load the contents of NVRAM and it will not load the startup-config file, regardless of whether it exists or not.

This is how we get past the password that we do not know.


This can be changed by swapping the original 0x2102 to 0x2142


To accomplish this (resetting the password) you will need access to the power of the router and a console/roll over cable to access the router.

Turn off the router and turn it back on and once you see it booting, issue the "break" command.


In Putty the "break" command lives in the drop down menu.

To access it click on the 2-pc icon in the top left corner

scroll down to "special commands" and select "break".


This will enter ROMmon mode, in ROMmon mode issue the confreg command:


rommon 2 >

rommon 2 >confreg 0x2142 (remember the default is 0x2102 = load startup-config, and 0x2142 = do not load startup-config)

*you must reset or power cycle for the new config register to take effect

rommon 2 >

rommon 2 >reset


This will boot the router to the "would you like to enter the initial configuration dialog [yes/no]:"

answer "no" and press return to get started.

You can now move to "privileged" mode without a password.


Router>

Router>enable

Router#


Router#show startup-config (to view the config file that wasn't loaded.)

Router#

Router#copy startup-config running-config (copy the startup to running config which loads the config but keeps you in privileged mode)

Destination filename [running-config]? (return)

Routername# (the prompt has changed back to the hostname but stays in privileged mode)

Routername#config terminal (to reset the password)

Routername(config)#

Routername(config)#enable secret newpassword (make a new password)

Routername(config)#exit

Routername#

Routername#copy run start (copy running-config into startup-config)

Routername#


(if you reboot at this point, the router will reboot into "would you like to enter the initial configuration dialog"

since you haven't yet reset the 0x2142 to 0x2102)


Routername#

Routername#config t

Routername(config)#

Routername(config)#config-register 0x2102 (different command than the one issued in ROMmon)

Routername(config)#exit

Routername#

Routername#copy run start (This will now boot the original startup config with the new password.)


At this point it is normal to see a red X on your network connection. To investigate:


Routername#

Routername#show ip interface brief (show the ip addresses and status of connected devices)


Interface        IP-Address  OK   Method  Status                 Protocol

FastEthernet0/0  10.0.0.1    YES  TFTP    administratively down  down

FastEthernet0/1  10.0.0.129  YES  TFTP    administratively down  down


*Interfaces can be in up, down, or administratively down state. When an interface is in the "administratively down" state it has been shut down; this is what shows after you enter the (shutdown) command on an interface.

We will need to manually turn the interfaces back on.

This happens because when we copied startup-config to running-config, the copy doesn't run the no shut command on the interfaces.


Routername#

Routername#config t

Routername(config)#

Routername(config)#int f0/0

Routername(config-if)#

Routername(config-if)#no shut

Routername(config-if)#int f0/1

Routername(config-if)#no shut

Routername(config-if)#exit

Routername(config)#exit

Routername#

Routername#copy run start (to keep the interface changes)


That should do it.

router booting without an IOS / troubleshooting the boot process


Log into the router via putty/serial with a rollover cable


Routername>

Routername>en

Routername#

Routername#show flash: (to see the current operating system)

Routername#

Routername#erase flash: (will remove all files (the IOS) files saved in flash memory but will not work at this screen)

Routername#format flash: (this will erase all data in flash -)

Routername#reload (to reset the router - will ask to say "yes")

Routername# (the router will reboot but be unable to load any operating system as there is now none)

The router will then boot into ROMmon mode with no OS. (you could remove the flash card from the router, copy the IOS.bin to it and load it back or use TFTP or BBS protocols to transfer the file over serial.)

It depends on the type of device, since some do not allow TFTP in ROMmon - best bet is to use google to find out which way is best with your specific device.

Rommon 1>

useful IOS commands


Routername>

Routername>en

Routername#

Routername#show running-config (shows all the config we've already entered - the info the router is currently using)

Routername#show version (shows the IOS version, shows the configuration-register setting (eg 0x2102)

Routername#show flash ( shows us all the files in our flash memory - aka .bin IOS files)

Routername#show ip interface brief (shows the state of all interfaces)


Interface        IP-Address  OK   Method  Status  Protocol

FastEthernet0/0  10.0.0.1    YES  TFTP    up      up

FastEthernet0/1  10.0.0.129  YES  TFTP    up      down


when a device shows status up and protocol down, you should investigate the cabling.

If the router cable looks good, look at the other end, if both look good, swap the cable.


Routername#do (the do command allows you to use privileged-mode commands from config or config-if mode)


The two commands below are the same as one another.

Routername#show version

Routername(config-if)#do show version


Routername#show interface (shows all interfaces - can be a very long list)

Routername#show interface f0/0 (shows all info for interface f0/0)

This command will show a lot of info including the mac address of the hardware.

Hardware is Gt96k FE, address is 0018.bad1.c7d6 <-- mac address

Internet address is: 10.0.0.1/25

MTU 1500 bytes, BW 100000 kbit/sec, (bandwidth) DLY 100 usec,

Full-duplex, 100Mb/s, 100BaseTX/FX (100 meg connection on twisted pair)


By default, when a command is entered wrong (or a bad command is entered),

the router will attempt to locate a DNS server to make a telnet connection to that "hostname" before timing out.

To correct this (it will instead return an "unknown command" error):


Routername>

Routername>en

Routername#config t

Routername(config)#no ip domain-lookup


when pinging devices from the router

..... = timeout

!!!!! = successful

uuuuu = unreachable


Routername#terminal monitor (to see log messages when connecting via SSH)


VLAN Configuration


Routername>

Routername>en (Enable)

Routername#config V (Configure VLAN)

Router(config-vlan)#


Routername>

Routername>en (Enable)

Routername#config VD

Switch(vlan)#


Twisted pair cabling LAYER 1 - Physical layer

Cat 1 = Doorbell

Cat 2 = Token Ring - Obsolete

Cat 3 = Telephone 10Mb Ethernet - 1/2 Duplex

Cat 4 = Token Ring - Obsolete

Cat 5 = 100Mb Ethernet

Cat 5e = 1Gb Ethernet

Cat 6 = 1 Gb Ethernet - 500 MHz Max - Has a plastic piece in the middle to separate the twisted pairs. - Max signal length of 100 Meters (300 feet).

Cat 7 = Proprietary, not an IEEE Standard

Cat 8 = 1 Gb Ethernet - 2000 MHz Max (short range)


Why is it twisted?

When wires are not twisted the magnetic field traveling down one will/can induce an electric current onto another wire it's next to.

This is called Cross Talk. To prevent cross talk, we twist the pairs of wires to greatly reduce cross talk.

Cat 6 Cabling - Layer 1

RJ45 Ethernet Connectors

General Standard is - 568B


Pin  Wire colour    Function

1    Orange White   Transmit +

2    Orange         Transmit -

3    Green White    Receive +

4    Blue           - Apps use this

5    Blue White     - Apps use this

6    Green          Receive -

7    Brown White    - Apps use this

8    Brown          - Apps use this


A Cross over Cable swaps the Transmit and Receive pins

2 to 6 and 1 to 3. (Otherwise known as 568-B at one end and 568-A at the other side of the cable)

Shielded twisted pairs help protect cables that are ran close to other cables that can cause signal disruption.

EMI (Electromagnetic Interference) - fluorescent lights or

RFI ( Radio Frequency Interference) -

Cross over cables are generally used to connect devices which are the same as one another (PC to PC, Router to Router, Switch to Switch) etc.

Modern network interface cards generally do not need cross over cables to do this (they can auto match pins).


PC to Router = Cross Over Cable

PC to Switch = Straight Cable

Switch to Router = Straight Cable

COAX Cable - Layer 1

Cable TV/Cable Internet

Cable TV and Cable Internet

RG-6 and F-type connector


Antenna connectors

LMR-200

LMR-400

LMR-900

+ many many more (wireless AP)

Serial Cable - Layer 1

V.35 Cables

Several connector types


DS1 Cable

Twisted pair cable

RJ-45

Fiber optics cabling - Layer 1


There are two types of Fiber Cable.

Single Mode Fiber = long distance - Yellow Cable

Multi Mode Fiber = short distance but longer than copper - Orange Cable

SFP = Small Form Pluggable laser, are used to connect fiber to network devices like switches.

Network Interface Card (NIC) and Fiber Optics


LX Laser, Wavelength 1270 - 1355nm, Distance 70KM (43.5 Miles)

SX Laser, Wavelength 770-860nm, Distance 1/2 to 1 km (1500 to 3000 ft)

Wireless Ethernet (802.11) - layer 1


WIFI uses the Electro Magnetic Spectrum to transmit data.

Extremely Low Frequency (ELF) is used for Submarine communication,

(there is a buried base in Northern Wisconsin with a giant antenna used to talk to subs all around the world).


Ionizing radiation at high frequencies is harmful to humans (radiation exposure).


WIFI uses the Microwave (same as cooking food) section of the spectrum for data network communications.

The part of the spectrum we use for 2.4 gig WIFI is around the 10^9 Hz part of the spectrum.

When we divide the spectrum into smaller parts, we call the parts channels


In the 2.4 Giga Hertz Spectrum (2.400 to 2.499 GHz) there are 14 channels

Only 3 of these channels operate correctly to transmit and receive data over 2.4GHz (1, 6, and 11)

Each of these channels (1, 6, and 11) are 22 MHz long.

5.0 GHz WIFI (5.170 to 5.835 GHz) provides many more channels although most (channels 52-140) are utilized by Military applications and Doppler Radar. These channels require the use of DFS (Dynamic Frequency Selection) which detect the use of a channel by a military application and reroutes the non-military/enterprise traffic to free up the channel.

At home, you'll generally only see the non DFS channels 36, 40, 44, 48, 149, 153, 157, 161 on the 5GHz spectrum.

Ethernet - LAYER 2 - Data Link Layer Technologies


Layer 2/the Data Link Layer - handles data similarly to a package being mailed.

It protects the package regardless of how it is being sent. (like mail via plane/truck or data via ethernet/fiber)


Ethernet is one of the oldest protocols still working on the internet.

It was established in 1982 with protocol IEEE 802.3 (IEEE = Institute of Electrical and Electronics Engineers)

IEEE 802.3 can operate over Copper or Fiber.


Copper - 10Base5 - "Frozen Garden Hose" (first version, 10 Mb per second)

Copper - 10Base2 - Coax

Copper - 10BaseT - Cat3 (T stands for Twisted Pair)

Copper - 100BaseT - Cat5

Copper - 1000BaseT - Cat6

Fiber - 1000Base-SX - Multi Mode (different speed and temp range than SR)

Fiber - 1000Base-LX - Single Mode (can be used for Single or Multi)

Fiber - 10GBase-SR (short reach) - Multi Mode

Fiber - 10GBase-LR (long reach) - Single Mode


ieee Wireless protocols - LAYER II


802.11 1997 - Original - 1Mb per second w/no encryption


802.11a 1999 - Enterprise Market - Business - Encryption + 54Mbps

802.11n 2009 - Enterprise Market - Business

802.11ac 2013 - Enterprise Market - Business - Uses 5.0 GHz only + up to 1.3Gbps with MIMO and beamforming


802.11b 1999 - Consumer Market - Home - Encryption + 11Mbps

802.11g 2003 - Consumer Market - Home - Encryption + 54Mbps

802.11n 2009 - Consumer Market - Home - Can use 2.4 and 5.0 GHz + 300Mbps (MIMO = Multiple Input, Multiple Output, aka 2 antennas instead of 1)

802.11ax 2020 - Consumer and Enterprise Markets - Uses 2.4 GHz, 5 GHz and 6 GHz + up to 9.6Gbps (9608Mbps)

802.11be TBD - Unknown Markets - Uses 2.4 GHz, 5 GHz and 6 GHz + up to 40Gbps (40000Mbps)

Telephone line internet (dsl) protocol - LAYER II

Telephone company access to Ethernet

Cable Company internet (docsis) protocol - LAYER II

Data Over Cable Service Interface Specification

satellite internet protocol - LAYER II

Starlink - 22,000 miles, aka 35,000 kilometers, in space.

Round trip takes about a quarter of a second for latency.

This much latency makes telephone calls over the internet pretty bad, but it provides high-speed access to the web and email.

serial communications (ppp) protocol - LAYER II

This is what was used with modems back in the 80s to provide internet via rotary phone + modem.

Point to Point Protocol (PPP) is reliable but slow; it is still used for remote sites.

Cisco has its own version of PPP called HDLC (High-Level Data Link Control); however, this is generally understood as never used.

Frame Relay is another version of PPP which is rarely in use but still active.

ethernet

A brief history of Ethernet operation.


1973 - First Version of Ethernet - Bob Metcalfe

1978 - First pre-standard ethernet - Installed in the US White House

1982 - Ethernet II - IEEE 802.3 - Rich Seifert DEC, Dave Redell Xerox, Rob Ryan Intel.

1995 - FastEthernet/100Mb

1999 - 1GigE/1000Mb

2002 - 10GigE/10000Mb

2010 - 40GigE/40000Mb

2011 - 100GigE/100000Mb

CSMA/CD

Carrier Sense Multiple Access with Collision Detection


  • This is from a time when multiple computers/devices would access Ethernet by a shared central wire instead of each having a dedicated run.

  • These were called "Bus" networks, computers would have to "listen" to the wire to see if there was traffic on it or not before utilizing the connection.

  • Aka - Multiple people are using the same wire (like an old school home-phone setup). Multiple phones but only 1 wire/home phone number.


Collision domain

When two computers try to put data on the same wire at the same time, roughly twice the usual voltage is pushed onto the wire.

This registers as a "Collision" on the network; the workstations should then wait a period of time before trying to send their message/data again.

A Collision Domain is a group of networked devices that will simultaneously detect a voltage spike.


In modern Ethernet networks we don't generally use or see collision domains.

When we do see them, they only happen on Half Duplex connections to a switch,

where a computer is sending data to the switch and the switch tries to send data to the computer at the same time, causing a collision.

Duplex and Speed


Half duplex - One device can communicate on a wire at a time. (similar to how a walkie-talkie works)

Full duplex - allows both devices to communicate on a wire at the same time. (similar to how a telephone conversation works)

On full duplex links collisions no longer happen, as send and receive traffic each have their own path to travel on.



Ethernet 10 Mbps

Fast Ethernet 100 Mbps

Gigabit Ethernet 1 Gbps - Requires Full Duplex

10Gigabit Ethernet 10 Gbps - Requires Full Duplex

40Gigabit Ethernet 40 Gbps - Requires Full Duplex



Ethernet II frame - Network layer iii and Data link layer ii


A Packet is a chunk of data with a network layer header.


Example of contents of packet: - Network Layer III

Source IP Address / Destination IP Address / TTL / Other


This packet of information is then put into a Data Link Layer II, Frame



A Frame is a chunk of data with a data link layer header.


Example of contents of Frame: - Data Link Layer II

Destination MAC Address / Source MAC Address / Layer 3 Protocol / Payload (packet)


Ethernet II Frame Contents Detail:

  • a.) Destination MAC Address: 48 bits

  • Source MAC Address: 48 bits

  • b.) Type: 16 bits

  • Data (packet): Max of 1500 Bytes (Layer III or other info)

  • c.) FCS: 32 bits (Frame Check Sequence)


a.) Destination MAC Address Detail: (MAC Address assigned by the IEEE)

Manufacturer ID = 00:10:D9 (first 24 bits), Serial Number = D7:53:7A (last 24 bits), together 00:10:D9:D7:53:7A

00:10:D9:D7:53:7A = 0000 0000 0001 0000 1101 1001 1101 0111 0101 0011 0111 1010 = 48 bits.

This example was manufactured by IBM Japan (manufacturer ID 00:10:D9).


b.) The Type field is used to identify the type of message being carried in the frame.

This is generally the Layer III protocol of the packet inside, but not always.

If the packet being carried is IPv4, the Type field holds the 16 bits 0000 1000 0000 0000, which is 0800 in hex.

This is displayed as IPv4 - 0x0800 because 0x identifies it as Hex.


IPV4 = 0x0800

IPv6 = 0x86DD

ARP = 0x0806


c.) The Frame Check Sequence field contains the value of a calculation done by an algorithm.

The FCS algorithm uses the frame bits to create a new 32-bit value that is unique to the frame.

Once the frame has been sent from one computer to another, the receiving computer repeats this algorithm to ensure the 32-bit value it computes matches the one that was sent.

This 32-bit value is called a Cyclic Redundancy Check, or CRC value.


If the values match, the packet is removed from the frame and processed.

If the values do not match, the receiving device throws the frame away.

Devices never ask for junk frames to be resent; we need other technologies to recover lost frames.
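A worked Ethernet II frame, as an added example that is not code from the notes: it builds a frame from the header fields listed above, appends the FCS, checks the FCS on receipt, and shows that a receiver drops a frame whose FCS does not match rather than asking for a resend. The IEEE 802.3 FCS is CRC-32 with the same polynomial and conventions that Python's zlib.crc32 implements, so the standard library is used instead of a hand-written CRC table. The MAC addresses and payload are constructed sample values; the MAC from the worked example above is reused to show its 48 bits and manufacturer ID.

```python
"""Build, check and parse an Ethernet II frame, FCS included.

Added example, not code from the original notes. The IEEE 802.3 FCS is
CRC-32 (polynomial 0x04C11DB7, reflected, init and final XOR 0xFFFFFFFF),
which is exactly what zlib.crc32 computes, so no CRC table is written here.
All MAC addresses and payloads below are constructed sample values.
"""
import struct
import zlib
from typing import Optional

ETHERTYPES = {0x0800: "IPv4", 0x86DD: "IPv6", 0x0806: "ARP"}
BROADCAST = "ff:ff:ff:ff:ff:ff"
MTU = 1500          # maximum payload
MIN_PAYLOAD = 46    # short payloads are padded so the whole frame is at least 64 bytes


def mac_to_bytes(mac: str) -> bytes:
    """'00:10:D9:D7:53:7A' -> the 6 raw bytes (48 bits)."""
    parts = mac.split(":")
    if len(parts) != 6:
        raise ValueError(f"bad MAC address: {mac!r}")
    return bytes(int(p, 16) for p in parts)


def bytes_to_mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def mac_to_binary(mac: str) -> str:
    """The 48 bits written as nibble groups, as in the worked example above."""
    bits = "".join(f"{b:08b}" for b in mac_to_bytes(mac))
    return " ".join(bits[i:i + 4] for i in range(0, 48, 4))


def oui(mac: str) -> str:
    """First 24 bits: the manufacturer ID the IEEE assigns."""
    return bytes_to_mac(mac_to_bytes(mac)[:3])


def fcs(body: bytes) -> bytes:
    """CRC-32 over destination, source, type and payload, least-significant byte first."""
    return struct.pack("<I", zlib.crc32(body) & 0xFFFFFFFF)


def build_frame(dst: str, src: str, ethertype: int, payload: bytes) -> bytes:
    if len(payload) > MTU:
        raise ValueError("payload exceeds the 1500-byte Ethernet MTU")
    header = mac_to_bytes(dst) + mac_to_bytes(src) + struct.pack("!H", ethertype)
    body = header + payload.ljust(MIN_PAYLOAD, b"\x00")
    return body + fcs(body)


def parse_frame(frame: bytes) -> Optional[dict]:
    """Header fields and payload, or None when the FCS does not match.

    A receiving NIC silently discards such a frame; it never asks for a resend.
    """
    if len(frame) < 14 + MIN_PAYLOAD + 4:
        return None
    body, received_fcs = frame[:-4], frame[-4:]
    if received_fcs != fcs(body):
        return None
    dst, src = bytes_to_mac(body[:6]), bytes_to_mac(body[6:12])
    ethertype = struct.unpack("!H", body[12:14])[0]
    return {
        "dst": dst,
        "src": src,
        "type": ethertype,
        "type_name": ETHERTYPES.get(ethertype, "unknown"),
        "broadcast": dst == BROADCAST,
        "payload": body[14:],
    }


def flip_bit(frame: bytes, bit_index: int) -> bytes:
    """Corrupt a single bit, as line noise might, to watch the FCS check fail."""
    data = bytearray(frame)
    data[bit_index // 8] ^= 1 << (bit_index % 8)
    return bytes(data)


if __name__ == "__main__":
    print(mac_to_binary("00:10:D9:D7:53:7A"), "OUI", oui("00:10:D9:D7:53:7A"))
    frame = build_frame("00:10:D9:D7:53:7D", "00:10:D9:D7:53:7B", 0x0800, b"constructed payload")
    print("intact   :", parse_frame(frame)["type_name"])
    print("corrupted:", parse_frame(flip_bit(frame, 100)))
```

The FCS only tells the receiver that the bits arrived as sent; it says nothing about who sent them, since anyone who can put a frame on the wire can compute a valid CRC for it.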

Network topologies


Bus Topology - All computers hooked into the same half-duplex ethernet wire.

Only 1 device talking at a time; all devices receive the message being broadcast. 10Base2 Network.

In Bus networks when one device talks, everyone hears the message.



Ring Topology - Daisy chain of computers.

Each node in a Ring network connects to exactly two other nodes, forming a single continuous pathway for signals/frames.

Frames travel from node to node, with each node handling every frame.

Ring networks can be unidirectional or bidirectional, as in SONET/SDH.

Token Ring is an IBM technology that was phased out in the late 90s, being replaced by ethernet.

An example: IBM Token Ring MAU (Media Access Unit)


Star Topology - Computers each have their own wire that plugs into a central device.

A network hub is a brainless device that repeats signals.

When one device sends data to the hub, the hub repeats it to all connected devices.

When two devices attempt to send data to the hub at the same time a Collision will be caused

instructing the workstations to wait a period of time before trying to send their message/data again.


In modern networks the central device is almost always a switch.

Star Topology with a Switch allows for one computer to send information to one other device at a time instead of the entire network.


ethernet switch

The switch operates by keeping track of which MAC addresses are seen on each port.

It does this by building a MAC Address Table, which contains two columns: one for the port and one for the MAC address.


Each port on the switch has its own chip called an ASIC - Application Specific Integrated Circuit (ASIC chips are everywhere, smart phones included; they are not only in switches). The ASIC assigned to a switch port reads the Frame Header and uses it to populate the MAC Address Table.


Example MAC Address Table:


Port MAC

1 00:10:D9:D7:53:7A

2 00:10:D9:D7:53:7B

3 00:10:D9:D7:53:7C

4 00:10:D9:D7:53:7D


If the device on port 2 wants to send a packet to the device on port 4,

it will create a Frame to encapsulate the packet in and give the frame a header containing the destination and source MAC addresses.


Destination MAC Address: 00:10:D9:D7:53:7D

Source MAC Address: 00:10:D9:D7:53:7B

Type: Static

Data:

FCS:


The switch will create a circuit connecting Port 2 and Port 4 and forward the message on.

This is an isolated communication between the two devices.

The switch creates multiple such circuits at the same time when multiple frames need separate isolated paths.


Bus, Ring, and Star networks utilizing a hub instead of a switch are unable to process different communications simultaneously.

Only a Star network utilizing a switch is able to do this by utilizing the MAC address table and on the fly circuit building/frame forwarding.


MAC ADDRESS AGING


The MAC Address table is continuously updated as long as the interface is up and receiving frames from the connected devices.

If a device does not send a frame into the switch for 300 seconds, its entry times out and is removed from the MAC Address table.


When a switch cannot locate a device in the MAC address table, it sends the frame to all connected devices except the one that originally sent it.

For example: if port 4 no longer had a MAC address assigned to it, the switch would send (flood) the frame to Port 1, Port 3, and Port 4.


Port MAC

1 00:10:D9:D7:53:7A

2 00:10:D9:D7:53:7B

3 00:10:D9:D7:53:7C

4 00:00:00:00:00:00


The device attached to port 4 should reply to the device on port 2, sending its MAC address back to the switch, which will repopulate the MAC Address table and build a circuit for the two devices.


Port MAC

1 00:10:D9:D7:53:7A

2 00:10:D9:D7:53:7B

3 00:10:D9:D7:53:7C

4 00:10:D9:D7:53:7D

Flooding

When the destination MAC address of the frame is not in the MAC address table,

the switch sends the Frame to all active interfaces except the receiving interface.

If no device on the network has that MAC address, all the devices that received the frame will discard it.


Another way of saying this is:

When a Frame carries a destination MAC that is not in the switch's table (or not on the network at all),

the switch floods/sends it to all connected devices except the one that originally sent it, to attempt to locate the device.

All devices that receive it that are not the correct device will discard the frame.


Flooding looks a lot like a broadcast message but the two are actually quite different.

BROADCAST message


Broadcast Messages are always sent to a special destination MAC address, FFFF FFFF FFFF, which is 48 binary 1s.

All Fs turns this into the Layer 2 Broadcast Address, which is required for IPv4 and Ethernet to operate.


When the destination MAC address of the frame is all Fs, the frame is sent out to all active interfaces except the receiving interface (sender).

This is the same behavior as a flood.

When we have only 1 switch in a network this doesn't generally cause issues but when there are multiple daisy chained switches, a broadcast message can cause some issues.


The group of computers that will receive a broadcast message is called a Broadcast Domain.


Collision Domain is broken up by a switch.

Broadcast Domain is broken up by a router.
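The learning, forwarding, flooding, broadcast and aging behaviour described in the switch sections above, put together in one small simulation. This is an added example and not code from the notes; the port numbers, MAC addresses and clock values are constructed, and the 300-second aging time is the value given above.

```python
"""A learning switch: MAC address table, forwarding, flooding, broadcast and aging.

Added example, not code from the original notes. Port numbers, MAC addresses
and the clock are constructed; the 300-second aging time is the value the
notes give.
"""
from typing import Dict, List, Tuple

BROADCAST = "ff:ff:ff:ff:ff:ff"
AGING_SECONDS = 300


class LearningSwitch:
    def __init__(self, port_count: int):
        self.ports = list(range(1, port_count + 1))
        # MAC address table: mac -> (port, time the entry was last refreshed)
        self.table: Dict[str, Tuple[int, float]] = {}

    def age_out(self, now: float) -> List[str]:
        """Drop entries not refreshed within AGING_SECONDS; return the MACs removed."""
        stale = [m for m, (_, seen) in self.table.items() if now - seen >= AGING_SECONDS]
        for m in stale:
            del self.table[m]
        return stale

    def receive(self, in_port: int, src: str, dst: str, now: float) -> List[int]:
        """Handle a frame arriving on in_port; return the ports it goes out of.

        Learn:   the source MAC is (re)associated with the ingress port.
        Forward: a known unicast destination gets exactly one port (an isolated
                 circuit between the two devices).
        Flood:   an unknown unicast destination, or the broadcast address, goes to
                 every port except the one the frame came in on.
        """
        src, dst = src.lower(), dst.lower()
        self.age_out(now)
        self.table[src] = (in_port, now)
        everyone_else = [p for p in self.ports if p != in_port]
        if dst == BROADCAST:
            return everyone_else                              # broadcast
        entry = self.table.get(dst)
        if entry is None:
            return everyone_else                              # flood
        out_port, _ = entry
        return [] if out_port == in_port else [out_port]      # forward

    def show_mac_address_table(self) -> List[Tuple[int, str]]:
        """(port, mac) rows, like 'show mac address-table'."""
        return sorted((port, mac) for mac, (port, _) in self.table.items())


if __name__ == "__main__":
    sw = LearningSwitch(4)
    hosts = {1: "00:10:D9:D7:53:7A", 2: "00:10:D9:D7:53:7B",
             3: "00:10:D9:D7:53:7C", 4: "00:10:D9:D7:53:7D"}
    for port, mac in hosts.items():          # each host announces itself with a broadcast
        sw.receive(port, mac, BROADCAST, 0.0)
    print("port 2 -> port 4 :", sw.receive(2, hosts[2], hosts[4], 10.0))
    print("after 300 s idle :", sw.receive(2, hosts[2], hosts[4], 330.0), "(flooded)")
    print("port 4 replies   :", sw.receive(4, hosts[4], hosts[2], 331.0))
    print(sw.show_mac_address_table())
```

Because the table is learned purely from source addresses, whatever a port sends is believed; the switch has no way to verify that a source MAC really belongs to the device on that port, which is why flooded and broadcast frames reach every device in the broadcast domain.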

To check MAC address table on switch


Switch>

Switch>en

Switch#

Switch#show mac address-table (show us the table, including VLAN, MAC, TYPE, and PORT)

Switch configuration


Switches are generally Layer II devices that do not look at IP addresses. (there are some Layer III switches which do routing)

They look at MAC addresses and read Frame Headers.

However in order to access a switch via SSH an IP must be assigned to the Switch.

The switch will never use this IP address to route traffic, as switches do not route traffic.


Switches operate almost identically to routers, with the exception of NVRAM.

  • We configure VLANS on switches


Same as router - Bootstrap (Bios) stored in EEPROM - it loads the

Same as router - IOS (OS) stored in flash memory

Slightly different - Startup-config is stored in NVRAM (except there isn't actually NVRAM on the switch like there is on a router;

a switch creates "virtual" NVRAM stored on flash)

Same as router - Running-config is stored in RAM


The switch actually uses a file named config.text instead of startup-config, but the switch and IOS make this easy by treating startup-config as an alias for the config.text file.

connecting to configure

Laptop side - Switch side - Cable

Serial Port (RS-232) - Console Port - Rollover Cable

Ethernet Port - Switch Port - CAT6 Cable.


Open PuTTY, select the Serial connection type for the laptop's serial port, and open the session.

If the switch is new you will be prompted with the initial configuration dialog.


switch initial configuration


--- System Configuration Dialog ---

Enable secret warning

------------------------------------------------------

In order to access the device manager, an enable secret is required

If you enter the initial configuration dialog, you will be prompted for the enable secret

If you choose not to enter the initial configuration dialog, or if you exit setup without setting the enable secret,

please set an enable secret using the following CLI in configuration mode-enable secret 0 <cleartext password>

------------------------------------------------------

Would you like to enter the initial configuration dialog? [yes/no]:


no


Switch>

Switch>en

Switch#

Switch#config t (enter global configuration mode)

Switch(config)#

Switch(config)#hostname Switch1 (set hostname)

Switch(config)#ip domain-name domain.com (set domain name)

Switch(config)#banner motd #This is a switch, stay out!# (set banner)

Switch(config)#

Switch(config)#enable secret password (set password)

Switch(config)#username user secret password (create user)

Switch(config)#

Switch(config)#crypto key generate rsa (create crypto key for SSH)


The name for the keys will be: Switch1.domain.com

Choose the size of the key modulus in the range of 360 to 4096 for your

General Purpose keys. Choosing a key modulus greater than 512 may take

a few minutes.


How many bits in the modulus [512]: 1024 (anything higher than 1024 will take longer)

% Generating 1024 bit RSA keys, keys will be non-exportable...

[OK] (elapsed time was 8 seconds)


Switch(config)#

*Month 1 12:00:01:212: %SSH-5-ENABLED: SSH 1.99 has been enabled

Switch(config)#

Switch(config)#ip ssh ver 2 (update to version 2)

Switch(config)#

Switch(config)#service password-encryption (encrypt passwords in the config)

Switch(config)#

Switch(config)#line con 0

Switch(config-line)#password pass (set password for switch login)

Switch(config-line)#login

Switch(config-line)#exit

Switch(config)#

Switch(config)#line vty 0 4

Switch(config-line)#login local (use the local username and password on the switch)

Switch(config-line)#transport input ssh (SSH is enabled)

Switch(config-line)#exit

Switch(config)#

Switch(config)#interface vlan 1 (create a virtual interface - this is an SVI or Switch Virtual Interface)

Switch(config-if)#

Switch(config-if)#ip address 10.0.0.5 255.255.255.0 (assign an IP address to the virtual interface)

Switch(config-if)#no shutdown

Switch(config-if)#


Assigning an IP to a virtual interface does not assign the IP to any of the ports on the switch but all the ports on the switch can access the IP of the virtual interface. This will allow us to now SSH to the IP of the switch.


Switch(config-if)#exit

Switch(config)#

Switch(config)#exit

Switch#

Switch#copy running-config startup-config

Destination filename [startup-config]? (hit enter)

Building configuration ...

[OK]

Switch# (The config has now been saved)

Switch#

Switch#show flash: (to see the contents of the flash memory)


Directory of flash:/


2 -rwx 1583 Month 1 2022 12:00:01 +00:00 config.text - (this is the startup-config file)

3 -rwx 676 Month 1 2022 12:00:01 +00:00 vlan.dat

590 drwx 192 Month 4 2022 12:00:01 +00:00 c2960-lanbasek9-mz.150-2.SE6

6 -rwx 1913 Month 1 2022 12:00:01 +00:00 private-config.text

589 drwx 64 Month 1 2022 12:00:01 +00:00 dc_profile.dir

591 -rwx 3096 Month 1 2022 12:00:01 +00:00 multiple-fs


Show startup-config actually shows the contents of the config.text file.

SSH connections should now work.


switch password reset


To reset the password, open PuTTY and connect to the console port on the switch via a serial/rollover cable.

The password is stored in the config.text file, which is stored in Flash Memory.

You can access the flash memory via ROMmon Mode. This is why physical console access to a switch amounts to administrative access; the boot output below reports whether the password-recovery mechanism is enabled.


User Access Verification

Password:

Switch>

Switch>en

Password: (unknown) (bad password entered)

% Bad secrets

Switch>



With the console port plugged into the switch,

unplug the power cable on the switch,

press and hold the one button on the switch down,

reinsert the power cable and continue to hold the button down until text populates on screen.

(This should take between 5 and 20 seconds)


Boot Sector Filesystem (bs) installed, fsid:2

Base ethernet MAC Address: 0C:F5:A4:71:BD:00

Xmodem file system is available.

The password-recovery mechanism is enabled.


Release the button


The system has been interrupted prior to initializing the

flash filesystem. The following commands will initialize

the flash filesystem, and finish loading the operating

system software:


flash_init

boot


Switch: (This is ROMmon Mode)

Switch: flash_init (Initialize Flash Memory)

Initializing Flash...

flashfs[0]: 570 files, 20 directories

flashfs[0]: 0 orphaned files, 0 orphaned directories

flashfs[0]: Total bytes: 65544192

flashfs[0]: Bytes used: 15992320

flashfs[0]: Bytes available: 49551872

flashfs[0]: flashfs fsck took 19 seconds.

...done initializing Flash.


Switch:

Switch: dir flash: (Look at flash memory)

Directory of flash:/


2 -rwx 1913 <date> private-config.text

3 -rwx 676 <date> vlan.dat

4 -rwx 1591 <date> config.text (This is our startup config file)

590 drwx 192 <date> c2960-lanbasek9-mz.150-2.SE6

6 -rwx 3096 <date> multiple-fs

589 drwx 64 <date> dc_profile_dir


49551872 bytes available (15992320 bytes used)


If you don't need to back up the config file, you can delete it (not recommended).

Switch: delete flash:config.text

Switch:


If you want to keep the config file, you can back it up by renaming it (recommended).


Switch:

Switch: rename flash:config.text flash:config.bak


Now that the config.text file is gone (renamed or deleted),

the switch can be booted (the boot command from the ROMmon prompt); below is a large amount of text, which is the boot-up dialog.


Cisco IOS Software, C2960 Software (C2960-LANBASEK9-M), Version 15.0(2)SE6, RELEASE SOFTWARE (fc2)

Technical Support: http://www.cisco.com/techsupport

Copyright (c) 1986-2014 by Cisco Systems, Inc.

Compiled Wed 01-Jun-82 03:21 by prod_rel_team

Initializing flashfs...


flashfs[2]: 570 files, 20 directories

flashfs[2]: 0 orphaned files, 0 orphaned directories

flashfs[2]: Total bytes: 65544192

flashfs[2]: Bytes used: 15992320

flashfs[2]: Bytes available: 49551872

flashfs[2]: flashfs fsck took 3 seconds.

flashfs[2]: Initialization complete....done Initializing flashfs.

Checking for Bootloader upgrade..

Boot Loader upgrade not required (Stage 2)


POST: CPU MIC register Tests: Begin

POST: CPU MIC register Tests: End, Status Passed


POST: PortASIC Memory Tests: Begin

POST: PortASIC Memory Tests: End, Status Passed


POST: CPU MIC interface Loopback Tests: Begin

POST: CPU MIC interface Loopback Tests: End, Status Passed


POST: PORTASIC RingLoopback Tests: Begin

POST: PORTASIC RingLoopback Tests: End, Status Passed


POST: PortASIC CAM Subsystem Tests: Begin

POST: PortASIC CAM Subsystem Tests: End, Status Passed


POST: PortASIC Port Loopback Tests: Begin

POST: PortASIC Port Loopback Tests: End, Status Passed


Waiting for Port download...Complete


This product contains cryptographic features and is subject to United

States and local country laws governing import, export, transfer, and use.

Delivery of Cisco cryptographic products does not imply third-party

authority to import, export, distribute or use encryption. Importers,

exporters, distributors and users are responsible for compliance with

U.S. and local country laws. By using this product you agree to comply

with applicable laws and regulations. If you are unable to comply with

U.S. and local laws, return this product immediately.


A summary of U.S. laws governing Cisco cryptographic products may be

found at: http://www.cisco.com/wwl/export/crypto/tool/stgrg.html


If you require further assistance please contact us by sending email to

export@cisco.com


cisco WS-C2960+24TC-L (PowerPC405) processor (revision B0) with 131972k bytes of memory.

Processor board ID FCW1841B03E

Last reset from power-on

1 Virtual Ethernet interface

24 FastEthernet interfaces

2 Gigabit Ethernet interfaces

The password-recovery mechanism is enabled.


64k bytes of flash-simulated non-volatile configuration memory.

Base ethernet MAC Address: 0C:F5:A4:71:BD:00

Motherboard assembly number: 73-15620-01

Power supply part number: 341-0097-03

Motherboard serial number: FOC184034C7

Power supply serial number ALD1835B0WJ

Model revision number: B0

Motherboard revision number: B0

Model number: WS-C2960_24TC-L

System serial number: FCW1821B03E

Top Assembly Part number: 800-40261-01

Top Assembly Revision number: C0

Version ID: V01

CLEI Code Number: CMMKV00ARA

Hardware Board Revision Number: 0x0B


Switch Ports Model SW Version SW Image

---------- ---------- ---------- ------------------- -----------------

* 1 26 WS-C2960_24TC-L 15.0(2)SE6 C2960-LANBASEK9-M


Press RETURN to get started!


*Jun 1 00:00:35:265: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1, changed state to down

*Jun 1 00:00:35:265: %SPANTREE-5-EXTENDED_SYSID: Extended SysId enabled for type vlan

*Jun 1 00:00:35:265: %SYS-5-RESTART: System restarted --

Cisco IOS Software, C2960 Software (C2960-LANBASEK-9-M), Version 15.0(2)SE6, RELEASE SOFTWARE (fc2)

Technical Support: http://www.cisco.com/techsupport

Copyright (c) 1986-2014 by Cisco Systems, Inc.

Compiled Wed 01-June-82 08:13 by prod_rel_team

*Jun 1 00:00:35:265: %LINK-3-UPDOWN: Interface FastEthernet0/1, Changed state to up

*Jun 1 00:00:35:265: %LINK-3-UPDOWN: Interface FastEthernet0/2, Changed state to up

*Jun 1 00:00:35:265: %LINK-3-UPDOWN: Interface FastEthernet0/3, Changed state to up

*Jun 1 00:00:35:265: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet 0/1, changed state to up

*Jun 1 00:00:35:265: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet 0/2, changed state to up

*Jun 1 00:00:35:265: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet 0/3, changed state to up


Press Return to get started - Back at the initial setup


--- System Configuration Dialog ---

Enable secret warning

------------------------------------------------------

In order to access the device manager, an enable secret is required

If you enter the initial configuration dialog, you will be prompted for the enable secret

If you choose not to enter the initial configuration dialog, or if you exit setup without setting the enable secret,

please set an enable secret using the following CLI in configuration mode-enable secret 0 <cleartext password>

------------------------------------------------------

Would you like to enter the initial configuration dialog? [yes/no]:


no


Switch>

Switch>en

Switch#

Switch#show flash


Directory of flash:/


2 -rwx 1913 <date> private-config.text

3 -rwx 676 <date> vlan.dat

4 -rwx 1591 <date> config.bak (we are going to rename this back to config.text)

590 drwx 192 <date> c2960-lanbasek9-mz.150-2.SE6

6 -rwx 3096 <date> multiple-fs

589 drwx 64 <date> dc_profile_dir


49551872 bytes available (15992320 bytes used)


Switch#

Switch#rename flash:config.bak flash:config.text

Destination filename [config.text]? (press return)

Switch#


Switch#show startup-config (if you want to see the file you just renamed)


Now you need to make your startup-config (config.text) file your running-config file.

To do this you'll copy it into the running config.


Switch#copy flash:/config.text running-config

Destination filename [running-config]?

% Generating 1024 bit RSA keys, keys will be non-exportable...

[OK] (elapsed time was 4 seconds)


*June 1 00:04:09.468: %SSH-5-ENABLED: SSH 2.0 has been enabled[OK]

% Login disabled on line 6, until 'password' is set

% Login disabled on line 7, until 'password' is set

% Login disabled on line 8, until 'password' is set

% Login disabled on line 9, until 'password' is set

% Login disabled on line 10, until 'password' is set

% Login disabled on line 11, until 'password' is set

% Login disabled on line 12, until 'password' is set

% Login disabled on line 13, until 'password' is set

% Login disabled on line 14, until 'password' is set

% Login disabled on line 15, until 'password' is set

*June 1 00:04:09.720: %PKI-6-AUTOSAVE: Running configuration saved to NVRAM

% Login disabled on line 16, until 'password' is set

1591 byte copied in 6.074 secs (262 byte/sec)


Switch#

Switch#config t

Enter configuration commands, one per line. End with CNTL/Z.

Switch(config)#

Switch(config)#enable secret password (password = new password)

Switch(config)#exit

Switch#

Switch#copy running-config startup-config (copy/save new password to startup config)

Destination filename [startup-config]? (enter/return)

Building configuration...

[OK]

Switch#

Switch#exit



switch IOS upgrade


This is almost identical to upgrading the IOS of a router.

Open PuTTY and connect to the console port on the switch via a serial/rollover cable.


Switch>

Switch>enable

Switch#

Switch#show version (to see the IOS version we are currently using)


Switch Ports Model SW Version SW Image

---------- --------- --------- ------------------ -----------------

*1 26 WS-C2960+24TC-L 15.0(2)SE6 C2960-LANBASEK9-M



Switch#show flash (shows the dir of flash and bytes available)


Directory of flash:/


3 -rwx 676 <date> vlan.dat

4 -rwx 4120 <date> multiple-fs

590 drwx 192 <date> c2960-lanbasek9-mz.150-2.SE6 (looks like the IOS but it's a DIR not the OS file)

6 -rwx 1881 <date> config.text

589 drwx 64 <date> dc_profile_dir (the d in drwx is directory)

591 -rwx 1915 <date> private-config.text


49551872 bytes available (15992320 bytes used)


Switch# dir flash:/c2960-lanbasek9-mz.150-2.SE6/


5 -rwx 534 Jun 1 1982 00:00:01 +00:00 info

7 drwx 4992 Jun 1 1982 00:00:01 +00:00 html

587 -rwx 11792247 Jun 1 1982 00:00:01 +00:00 c2960-lanbasek9-mz.150-2.SE6.bin (this is the actual IOS BINary file)


65544192 bytes total (49550848 bytes free) <- about 49 MB available for the new OS


Start up your TFTP server:


Switch#

Switch#copy tftp flash

Address or name of remote host []? 10.0.0.10 (IP of laptop)

Source filename []? c2960-lanbasek9-mz.150-2.SE7.bin (updated IOS version saved in the laptop's TFTP directory)

Destination filename [c2960-lanbasek9-mz.150-2.SE7.bin]? (enter/return)

Accessing tftp:/10.0.0.10/c2960-lanbasek9-mz.150-2.SE7.bin...

Loading C2960-lanbasek9-mz.150-2.SE7.bin from 10.0.0.10 (via Vlan1): !!!!!!!!!!!!!!!!!!!!!!


[OK - 11797699 bytes]

11797699 bytes copied in 128.228 secs (92006 bytes/sec) (will take a few minutes)

Switch#

Switch#config t

Switch(config)#

Switch(config)#boot system flash:/c2960-lanbasek9-mz.150-2.SE7.bin (tell the switch to load the new OS version on boot)

Switch(config)#exit

Switch#

Switch#copy running-config startup-config (save settings)

Destination filename [startup-config]? (enter)

Building configuration...

[OK]

Switch#verify /md5 flash:/c2960-lanbasek9-mz.150-2.SE7.bin (check this against the MD5 published on cisco.com for the file you downloaded)

(This prints the MD5 value; compare it to make sure the IOS file is not corrupt or altered before you reload.)
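The same check can be done on the laptop before the TFTP copy, so a corrupt or altered download is caught before it ever reaches the switch. The following is an added example and not the notes' own code: it hashes a file in chunks, compares the result with the published value, and repeats the check after flipping one bit. The image file name and digests in demo() are constructed for the demonstration and are not real Cisco values.

```python
"""Check a downloaded IOS image against the hash the vendor publishes.

Added example, not the notes' own code. It performs on the laptop, before the
TFTP copy, the same comparison 'verify /md5' does on the switch, and also
supports SHA-512. The file name and digests used in demo() are constructed
for the demonstration and are not real Cisco values.
"""
import hashlib
import hmac
import os
import tempfile


def file_digest(path: str, algorithm: str = "md5", chunk_size: int = 1 << 20) -> str:
    """Hex digest of a file, read in chunks so a multi-megabyte image is not loaded whole."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def image_matches(path: str, expected: str, algorithm: str = "md5") -> bool:
    """True if the file's digest equals the published one.

    The published value is compared case-insensitively and with a
    constant-time comparison, the usual habit when comparing digests.
    """
    actual = file_digest(path, algorithm)
    return hmac.compare_digest(actual.lower(), expected.strip().lower())


def demo() -> dict:
    """Write a constructed 'image', check it, then corrupt one bit and check again."""
    with tempfile.TemporaryDirectory() as workdir:
        path = os.path.join(workdir, "c2960-example-image.bin")   # constructed name
        data = os.urandom(4096) * 8                                 # stand-in for the IOS binary
        with open(path, "wb") as f:
            f.write(data)
        published_md5 = hashlib.md5(data).hexdigest()               # what the vendor page would list
        published_sha512 = hashlib.sha512(data).hexdigest()
        result = {
            "intact_md5": image_matches(path, published_md5.upper()),
            "intact_sha512": image_matches(path, published_sha512, "sha512"),
        }
        corrupted = bytearray(data)
        corrupted[100] ^= 0x01                                      # a single flipped bit
        with open(path, "wb") as f:
            f.write(corrupted)
        result["corrupted_md5"] = image_matches(path, published_md5)
        return result


if __name__ == "__main__":
    print(demo())
```

An MD5 match is enough to show that the transfer did not corrupt the file; MD5 is no longer collision resistant, so where the vendor publishes a SHA-512 value as well, compare that one to rule out a deliberately substituted image.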


Switch#reload (reload the switch with new version of OS)


Switch>

Switch>en

Switch#show version (to confirm change has happened)

locate port of device via ip

Know the IP Address? Find the port on the switch

e.g. 10.0.0.6


From a laptop connected to the network open Command Prompt (CMD)

The arp -a command displays the laptop's ARP cache: the IP to MAC table of devices on the network it has talked to.


C:\Windows\System32>

C:\Windows\System32>arp -a


Interface:10.0.0.10 --- 0x4

Internet Address Physical Address Type

10.0.0.5 0c-f5-a4-71-bd-40 dynamic

10.0.0.6 0c-f5-a4-71-bd-20 dynamic

10.0.0.7 0c-f5-a4-71-bd-30 static


SSH to the switch via PuTTY


Switch>

Switch>en

Switch#

Switch#show mac address-table address 0cf5.a471.bd20 (note different MAC formatting)


Vlan Mac Address Type Ports

------- --------------------------------- --------- ---------

1 0cf5.a471.bd20 DYNAMIC Fa0/3

Total Mac Address for this criterion: 1


Switch#show cdp neighbor (shows all the Cisco devices connected to this switch and what they most likely are)


Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge, S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone.


Device ID Local Interface HoldTime Capability Platform Port ID

Switch1.domain.com Fas 0/1 138 S I WS-C2960- Fas 0/2

(Local Interface = port on the current switch; Port ID = port on the connected switch)
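The IP-to-port lookup above can be scripted: read the MAC for the IP out of arp -a, turn it into the dotted format IOS expects, and read the port out of show mac address-table. The following is an added example, not code from the notes; both command outputs are constructed from the lines shown above so that it runs offline.

```python
"""From an IP address to a switch port: parse 'arp -a', convert the MAC into
Cisco's dotted format, and read the port from 'show mac address-table'.

Added example, not code from the notes. The two command outputs below are
constructed from the lines shown above so the example runs offline.
"""
import re
from typing import Dict, Optional

ARP_A_OUTPUT = """\
Interface: 10.0.0.10 --- 0x4
  Internet Address      Physical Address      Type
  10.0.0.5              0c-f5-a4-71-bd-40     dynamic
  10.0.0.6              0c-f5-a4-71-bd-20     dynamic
  10.0.0.7              0c-f5-a4-71-bd-30     static
"""

MAC_TABLE_OUTPUT = """\
          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
   1    0cf5.a471.bd20    DYNAMIC     Fa0/3
Total Mac Addresses for this criterion: 1
"""

ARP_ROW = re.compile(r"\s*(\d+\.\d+\.\d+\.\d+)\s+([0-9a-f]{2}(?:-[0-9a-f]{2}){5})\s+(dynamic|static)", re.I)
MAC_ROW = re.compile(r"\s*(\d+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+(\S+)\s+(\S+)", re.I)


def normalize_mac(mac: str) -> str:
    """Accept 0c-f5-a4-71-bd-20, 0c:f5:a4:71:bd:20 or 0cf5.a471.bd20; return 12 lowercase hex digits."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


def cisco_format(mac: str) -> str:
    """0cf5.a471.bd20, the form IOS commands expect."""
    d = normalize_mac(mac)
    return f"{d[0:4]}.{d[4:8]}.{d[8:12]}"


def windows_format(mac: str) -> str:
    """0c-f5-a4-71-bd-20, the form 'arp -a' prints."""
    d = normalize_mac(mac)
    return "-".join(d[i:i + 2] for i in range(0, 12, 2))


def parse_arp_a(text: str) -> Dict[str, str]:
    """ip -> normalized MAC from Windows 'arp -a' output."""
    table: Dict[str, str] = {}
    for line in text.splitlines():
        m = ARP_ROW.match(line)
        if m:
            table[m.group(1)] = normalize_mac(m.group(2))
    return table


def parse_mac_table(text: str) -> Dict[str, str]:
    """normalized MAC -> port from 'show mac address-table' output."""
    table: Dict[str, str] = {}
    for line in text.splitlines():
        m = MAC_ROW.match(line)
        if m:
            table[normalize_mac(m.group(2))] = m.group(4)
    return table


def locate_port(ip: str, arp_text: str, mac_table_text: str) -> Optional[dict]:
    """The MAC, the IOS command to run, and the port; None if the IP is not in the ARP cache."""
    mac = parse_arp_a(arp_text).get(ip)
    if mac is None:
        return None
    return {
        "ip": ip,
        "mac": cisco_format(mac),
        "command": f"show mac address-table address {cisco_format(mac)}",
        "port": parse_mac_table(mac_table_text).get(mac),
    }


if __name__ == "__main__":
    print(locate_port("10.0.0.6", ARP_A_OUTPUT, MAC_TABLE_OUTPUT))
```

Because the ARP cache only holds addresses the laptop has recently exchanged traffic with, an IP that is absent from arp -a has to be pinged first, which is the order the procedure above follows.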

IPv4 and IPv6 routing - ARP - Address Resolution Protocol


ARP = Address Resolution Protocol

The ARP Protocol lives between the Data Link Layer and the Network Layer.

ARP is what allows an IPv4 packet to be encapsulated inside a frame: it supplies the destination MAC address the frame header needs.


Devices on a network maintain an ARP Cache (Table), which contains a list of IP to MAC address associations.

ARP cache entries age out after about 90 seconds, forcing ARP to continually re-resolve the Cache/Table data.

  • This is not to be confused with the MAC address table of a switch, which is separate.

  • The MAC address table maps a MAC to a port on a switch.

  • The ARP cache (table) maps the IP of a connected device to its MAC.

  • Switches do not need an ARP table except for their own management traffic, such as SSH.


Packets are stored within frames when passed through a network.

Below is an example of the contents of an IP packet.


The Frame: | Destination MAC Address | Source MAC Address | Layer 3 Protocol |

The Packet inside the Frame: | Source IP Address | Destination IP Address | TTL | Other | ICMP |


Detail of Frame:

Destination MAC Address: Where the frame is being sent

Source MAC Address: Where the frame came from

Layer 3 Protocol: ARP, ICMP

The IP Packet:


Detail of Packet:

Source IP address = e.g. 10.0.0.10

Destination IP address =e.g. 10.0.0.20

TTL = Time To Live, the number of routers this message can pass through before being thrown away (128 is the Microsoft default).

ICMP = Internet Control Message Protocol = This is what Ping uses to send and receive messages.

Other = other header fields that are not too relevant to CCNA training:

Version: IP Version

IHL: Internet Header Length

Type of Service:

Total Length:

Header Checksum:

Flags:

Fragment Offset:

Identification:

Options:

Padding:



ARP is used to find the MAC address of a connected device from its IP address.

ARP does this by sending out a message asking "who has this IP" to FFFF-FFFF-FFFF (the broadcast address),

which the switch forwards to all connected devices.


PING stands for Packet Inter-Net Groper; it uses ICMP to send an echo request. The ping response is called an echo reply.


When the PING command is issued via CMD and the destination is not already listed in the ARP cache, the

Address Resolution Protocol (ARP) automatically resolves the IP and updates the table.

In other words, ARP runs automatically the first time a PING is issued; after that, PINGs run through ICMP without the need for ARP unless the ARP Cache is deleted or the entry times out.


The TCP/IP Model


1.) Application Layer: DHCP, DNS, FTP, HTTP, HTTPS, POP, SMTP, SSH, Telnet, TFTP, etc.


2.) Transport Layer: TCP, UDP, Segment (Transmission Control Protocol and User Datagram Protocol)


3.) Network Layer: IPv4, IPv6, Internet, Datagram

Data Link Layer 3: Protocols that work on WANS (ICMP / ARP)

Data Link Layer 2: Protocols that work on LANS (PING) Broadcast / Flood / Multicast (IPv6)


4.) Network Interface Layer:

Data Link Layer: MAC Address, Frames

Physical Layer: Ethernet cables, wireless, fiber, coax, etc.


Private IP address ranges include:

10.0.0.0/8

172.16.0.0/12 and

192.168.0.0/16


IP breakdown example: 10.1.2.3

10 = private, 1 = Wide Area Network, 2 = Local Area Network, 3 = Device


ARP limitation with subnets


C:\>Route Print to list all the networks your device is aware of.

On-Link = connected to the device aka we can ARP this directly.

ARP requests for addresses outside the subnet won't be sent at all; only an ARP request for the gateway's IP address is sent.


C:\> Route Print

======================================================

Interface List

11...00 e0 4c 67 08 d0 ......Intel(r) Ethernet Connection (10)

7 ...00 e0 4c 67 08 d1......Realtek USB Gbe Family Controller #2

1......00 e0 4c 67 08 d2......Software Loopback Interface 1

======================================================

IPv4 Route Table

======================================================

Active Routes:

Network Destination Netmask Gateway Interface Metric

0.0.0.0 0.0.0.0 10.2.60.1 10.2.60.51 25

10.2.60.0 255.255.255.0 On-link 10.2.60.51 281

10.2.60.51 255.255.255.255 On-link 10.2.60.51 231

10.2.61.255 255.255.255.255 On-link 10.2.60.51 231

127.0.0.0 255.0.0.0 On-link 127.0.0.1 231

127.0.0.1 255.255.255.255 On-link 127.0.0.1 231

255.255.255.255 255.255.255.255 On-link 10.2.60.51 281

======================================================

Persistent Routes:

None


IPv6 Route Table

======================================================

Active Routes:

If Metric Network Destination Gateway

1 331 ::1/128 On-Link

2 281 fe80::/64 On-Link

2 281 fe80::acdc:1982:agc1:4321/128 On-Link

2 281 ff00::/8 On-Link

======================================================

Persistent Routes:

None
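The On-link rule above can be checked against the route table itself. This added example (not code from the notes) parses the IPv4 "Active Routes" block of route print, picks the route Windows would use (longest matching prefix, then lowest metric) and reports which address the host would actually ARP for: the destination itself on an On-link route, otherwise the gateway. The ROUTE_PRINT text is a constructed copy of the table shown above.

```python
"""Added example (not code from the notes): which address does the host ARP for?
Parses `route print` output and applies longest-prefix, then lowest-metric selection."""
import ipaddress

# Constructed copy of the IPv4 route table shown above.
ROUTE_PRINT = """\
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0        10.2.60.1      10.2.60.51     25
        10.2.60.0    255.255.255.0         On-link       10.2.60.51    281
       10.2.60.51  255.255.255.255         On-link       10.2.60.51    231
      10.2.61.255  255.255.255.255         On-link       10.2.60.51    231
        127.0.0.0        255.0.0.0         On-link        127.0.0.1    231
        127.0.0.1  255.255.255.255         On-link        127.0.0.1    231
  255.255.255.255  255.255.255.255         On-link       10.2.60.51    281
"""


def parse_routes(text: str):
    """Return (network, gateway or None for On-link, interface, metric) per active route."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        # Data rows have exactly five columns and start with a digit; headers do not.
        if len(parts) != 5 or not parts[0][0].isdigit():
            continue
        dest, mask, gateway, iface, metric = parts
        network = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
        routes.append((network,
                       None if gateway == "On-link" else ipaddress.ip_address(gateway),
                       ipaddress.ip_address(iface), int(metric)))
    return routes


def select_route(routes, dst: str):
    """Windows route selection: longest matching prefix wins, ties go to the lowest metric."""
    ip = ipaddress.ip_address(dst)
    candidates = [r for r in routes if ip in r[0]]
    return max(candidates, key=lambda r: (r[0].prefixlen, -r[3]), default=None)


def arp_target(routes, dst: str):
    """(address the host ARPs for, interface used) or None when no route matches at all."""
    route = select_route(routes, dst)
    if route is None:
        return None
    _network, gateway, iface, _metric = route
    # On-link: ARP for the destination itself. Otherwise: ARP only for the gateway.
    return (dst if gateway is None else str(gateway), str(iface))
```

Note that the default route 0.0.0.0/0 matches every address but has the shortest prefix, so it is only chosen when nothing more specific exists; that is the "gateway of last resort" behaviour covered later with Cisco routers.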


IPv4 Static Routing - Router hops


For static routing to work across a network, each router in the network must be configured to know the next "hop" or router it's connected to.

The cables connecting the routers (which are like devices) need to be crossover cables unless the router is newer and has Auto MDI-X aka auto crossover.


Why this matters:

If PC-A 10.0.0.10/24 is trying to reach PC-B 192.168.10.8/24,

the routers in between the two need to know which networks sit behind one another.

This means each needs to know what is in the routing table of the router it is connected to.


PC-A 10.0.0.10 -----> (F0/0) Router-A 10.0.0.1 (F0/1) --------> (F0/0) Router-B 172.16.0.2 (F0/1) ---------> PC-B 192.168.10.8


Router A - Routing Table:

C F0/0 10.0.0.0/24

C F0/1 172.16.0.0/30


Router B - Routing Table:

C F0/0 172.16.0.0/30

C F0/1 192.168.10.0/24 <- This is the Destination Prefix (network address)


The destination prefix is the network address the route is for; the "hop" is the address of the connected router.

It's the entry that says "send anything for 192.168.10.0/24 to F0/1 on 172.16.0.2".



Router A - Routing Table:

C F0/0 10.0.0.0/24

C F0/1 172.16.0.0/30

S 192.168.10.0/24 via 172.16.0.2 <- This is the static route needed to reach PC-B from PC-A.


Router B - Routing Table:

C F0/0 172.16.0.0/30 <- Router A to Router B

C F0/1 192.168.10.0/24 <- This is the Destination Prefix (network address)

S 10.0.0.0/24 via 172.16.0.1 <- This is the static route needed to reach PC-A from PC-B


Configuring static ipv4 routes on router


What we want to configure:


Routers connected physically via crossover cable (unless Auto MDI-X "auto crossover")


Router A - Routing Table:

C F0/0 10.0.0.0/24

C F0/1 172.16.0.0/30

S 192.168.10.0/24 via 172.16.0.2


Router B - Routing Table:

C F0/0 172.16.0.0/30

C F0/1 192.168.10.0/24

S 10.0.0.0/24 via 172.16.0.1


RouterA>

RouterA>en

RouterA#

RouterA#show ip route (this will display the route codes and show the routing table)


Codes: C - Connected EX - EIGRP external E2 - OSPF external type 2

S - Static O - OSPF i - IS-IS

R - RIP IA - OSPF inter area su - IS-IS summary

M - Mobile N1 - OSPF NSSA external type 1 L1 - IS-IS level-1

B - BGP N2 - OSPT NSSA external type 2 L2 - IS-IS level-2

D - EIGRP E1 - OSPF external type 1 ia - IS-IS inter area

* - candidate default U - per-user static route o - ODR

P - periodic downloaded static route


Gateway of last resort is not set


172.16.0.0/30 is subnetted, 1 subnet

C 172.16.0.0 is directly connected, FastEthernet0/1 <- Router Hop

10.0.0.0/24 is subnetted, 1 subnet

C 10.0.0.0 is directly connected, FastEthernet0/0


RouterA#

RouterA#config t

RouterA(config)#

RouterA(config)#ip route 192.168.10.0 255.255.255.0 172.16.0.2 <- This is adding the static route needed to reach PC-B from PC-A on router A


S 192.168.10.0/24 [1/0] via 172.16.0.2 <- This is what the entry looks like in the routing table

172.16.0.0/30 is subnetted, 1 subnet

C 172.16.0.0 is directly connected, FastEthernet0/1

10.0.0.0/24 is subnetted, 1 subnet

C 10.0.0.0 is directly connected, FastEthernet0/0


Next, we need to add the route back on Router B. Without it, packets/pings will reach the destination PC, but the router it's connected to (Router-B) has no way of routing the reply back to Router A. So any packet/ping will come back as "Request timed out" instead of "Destination host unreachable" (which is the response we would expect if Router B were unreachable from Router A).


To add the route back from Router B to Router A - log into Router B and repeat the above steps.


RouterB>

RouterB>en

RouterB#

RouterB#config t

RouterB(config)#

RouterB(config)#ip route 10.0.0.0 255.255.255.0 172.16.0.1



Troubleshooting ipv4 static routes - with DEMO NETWORK DIAGRAM


If we ping an address and it replies: "Request timed out".


C:\Windows\System32> ping 192.168.10.8

Request timed out

Request timed out


We can begin troubleshooting by pinging every other line in the connection to see where the failure is.


C:\Windows\System32> ping 10.0.0.1 <- Ping the gateway

Reply from 10.0.0.1: bytes=32 time=1ms TTL=255 <- The gateway is up


C:\Windows\System32> ping 172.16.0.1 <- Ping the gateway's interface to Router B

Reply from 172.16.0.1: bytes=32 time=1ms TTL=255 <- The gateway's interface is up


C:\Windows\System32> ping 172.16.0.2 <- Ping the second router

Reply from 172.16.0.2: bytes=32 time=1ms TTL=255 <- The second router is up


C:\Windows\System32> ping 192.168.10.1 <- Ping the second router's interface to devices on LAN 192.168

Reply from 192.168.10.1: bytes=32 time=1ms TTL=255 <- The second router's interface is up (this seems like the routers are both setup good)


C:\Windows\System32> ping 192.168.10.8 <- Must be off or the interface/network on this machine is off.


If instead there were no reply from 172.16.0.2, we could assume that either Router B is down or the interface on Router B is down.

To troubleshoot this scenario we will SSH to router A via PuTTY.

Once in router A, we will attempt to run the ping command once again.


RouterA>

RouterA>en

RouterA#

RouterA#ping 192.168.10.8

Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms

RouterA#


This response would mean that we can reach the computer from RouterA but why?

This could be due to the Router (RouterA) having two IP addresses assigned to it.


RouterA#show ip int bri (Show IP Interface Brief)


Interface IP-Address OK? Method Status Protocol

FastEthernet0/0 10.0.0.1 YES manual up up

FastEthernet0/1 172.16.0.1 YES manual up up <- yep two IP addresses

Serial0/0/0 unassigned YES unset administratively down down

Serial0/1/0 unassigned YES unset administratively down down


The issue with this is that we do not know which of the two source IP addresses our ping is leaving the router with.

By default, the ping leaves the router with the address of the interface that the message leaves from.

Luckily we can specify which source address to send the ping command from on the router.


RouterA#ping 192.168.10.8 source 172.16.0.1

Packet sent with a source address of 172.16.0.1

!!!!! <-- success


RouterA#ping 192.168.10.8 source 10.0.0.1

Packet sent with a source address of 10.0.0.1

..... <-- failure


This tells us that device 192.168.10.8 is able to route a message to 172.16.0.1 but not 10.0.0.1

This indicates that Router B is missing the static route to reach 10.0.0.0

In this scenario we most likely will not be able to SSH directly to RouterB via 172.16.0.2

However we can SSH directly from RouterA since it can ping RouterB


RouterA#ssh -l user 172.16.0.2

Password:

RouterB#

RouterB#show ip route (to view the routing table on router B and confirm there is no route back)


RouterB#config t

RouterB(config)#

RouterB(config)#ip route 10.0.0.0 255.255.255.0 172.16.0.1 (the static route is added)

RouterB(config)#

Troubleshooting ipv4 static routes - incorrectly typed hop address


RouterB(config)#ip route 10.0.0.0 255.255.255.0 172.15.0.1 <- that should be a .16

RouterB(config)#exit

RouterB#



RouterB#show run <- you can scroll through the running config file and find the route (see what the issue was) but there is another option.

RouterB#show run | i ip route <- this command (show run | include IP route) returns only the part of the running config file with IP routes.

ip route 10.0.0.0 255.255.255.0 172.15.0.1

RouterB#


When the incorrectly typed address is an address on the router you're configuring, it will return the following.


RouterB#config t

RouterB(config)#ip route 10.0.0.0 255.255.255.0 172.16.0.2

%Invalid next hop address (it's this router) <- the next hop address has to be on a different router


Troubleshooting ipv4 static routes - many incorrect routes


When a new network analyst doesn't know the next hop they might start adding multiple guesses to the routing table.

In this example we have six unique routes to 10.0.0.0 - this is a mess.


The issue with this is that if any device ever comes up with the IP of one of the incorrect next hops, the router will install that guessed route and start forwarding 10.0.0.0 traffic to it.


RouterB#show run | i ip route

ip route 10.0.0.0 255.255.255.0 172.15.0.1

ip route 10.0.0.0 255.255.255.0 172.18.0.5

ip route 10.0.0.0 255.255.255.0 172.118.0.1

ip route 10.0.0.0 255.255.255.0 10.0.0.1

ip route 10.0.0.0 255.255.255.0 192.168.10.8 <- technicians pc

ip route 10.0.0.0 255.255.255.0 172.16.0.1 <- correct route to router A

RouterB#



RouterB#show ip route <- so we can see which ones were added to the routing table


Codes: C - Connected EX - EIGRP external E2 - OSPF external type 2

S - Static O - OSPF i - IS-IS

R - RIP IA - OSPF inter area su - IS-IS summary

M - Mobile N1 - OSPF NSSA external type 1 L1 - IS-IS level-1

B - BGP N2 - OSPT NSSA external type 2 L2 - IS-IS level-2

D - EIGRP E1 - OSPF external type 1 ia - IS-IS inter area

* - candidate default U - per-user static route o - ODR

P - periodic downloaded static route


Gateway of last resort is not set


C 192.168.10.0/24 is directly connected, FastEthernet 0/1

172.16.0.0/30 is subnetted, 1 subnets

C 172.16.0.0 is directly connected, FastEthernet 0/0

10.0.0.0/24 is subnetted, 1 subnets

S 10.0.0.0 [1/0] via 192.168.10.8 <- there is the static IP route but there are two next hop addresses

[1/0] via 172.16.0.1 <- 192 = The technicians pc and 172 = the correct route to router A


Issue the no ip route command to remove the incorrect entries.


RouterB#config t

RouterB(config)#no ip route 10.0.0.0 255.255.255.0 172.15.0.1

RouterB(config)#no ip route 10.0.0.0 255.255.255.0 172.18.0.5

RouterB(config)#no ip route 10.0.0.0 255.255.255.0 172.118.0.1

RouterB(config)#no ip route 10.0.0.0 255.255.255.0 10.0.0.1

RouterB(config)#no ip route 10.0.0.0 255.255.255.0 192.168.10.8


RouterB(config)#exit

RouterB#

RouterB#show ip route <- look at the routing table again


Gateway of last resort is not set


C 192.168.10.0/24 is directly connected, FastEthernet 0/1

172.16.0.0/30 is subnetted, 1 subnets

C 172.16.0.0 is directly connected, FastEthernet 0/0

10.0.0.0/24 is subnetted, 1 subnets

S 10.0.0.0 [1/0] via 172.16.0.1 <- the correct route to router A is the only entry

RouterB#show run | i ip route <- check the running config

ip route 10.0.0.0 255.255.255.0 172.16.0.1 <- correct route to router A is the only entry

RouterB#


Troubleshooting ipv4 static routes - with traceroute

This is incredibly valuable for finding the path a packet (our traffic) is traveling.


Another utility we can use to troubleshoot IPv4 static routes is traceroute via CMD.

Traceroute is essentially a Windows ping utility that shows every step the ping message travels through.

Ideally this will show all the routers between you and the machine.


C:\Windows\System32>tracert -d (the -d stops it from trying to lookup the addresses hostnames and speeds up the command)

C:\Windows\System32>tracert -d 192.168.10.8


Traceroute sends out an ICMP message with a TTL of 1 (time to live).

When it hits the first router, the router decrements the TTL to 0, says "I can't forward this message", and replies back to the workstation (TTL expired in transit), which reveals the first router's address.


Then traceroute will send out a message with a TTL of 2, which gets forwarded through the first router to the second.

When it hits the second router, the router says "I can't forward this message" and replies back to the workstation.


Then traceroute will send out a message with a TTL of 3, which gets forwarded through the first two routers to the third.

In this case it reached the destination workstation, which replied back.



Tracing route to 192.168.10.8 over a maximum of 20 hops


1 1 ms <1 ms <1 ms 10.0.0.1 <- these are the IP addresses that the packet has to travel through to reach the end workstation

2 1 ms <1 ms <1 ms 172.16.0.2 <- IP of second hop

3 1 ms <1 ms <1 ms 192.168.10.8 <- workstation


Trace complete.
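The two behaviours described in this section and in the static-route section above (a missing route back on Router B producing "Request timed out", and tracert learning one hop per TTL value) can be reproduced in a small forwarding simulation. This is an added example, not code from the notes: it models the PC-A / Router A / Router B / PC-B lab from the diagram with constructed routing tables and forwards a packet hop by hop, decrementing TTL at each router exactly as a real router would.

```python
"""Added example (not code from the notes): hop-by-hop forwarding through the
two-router lab, to show why a missing return route times out, why an unreachable
router gives "Destination host unreachable", and how tracert learns each hop."""
import ipaddress

# Constructed topology from the diagram above:
# PC-A 10.0.0.10 -- RouterA (10.0.0.1 | 172.16.0.1) -- RouterB (172.16.0.2 | 192.168.10.1) -- PC-B 192.168.10.8
# Each route is (prefix, next hop); a next hop of None means "directly connected".
NODES = {
    "PC-A":    {"ifaces": ["10.0.0.10/24"],
                "routes": [("10.0.0.0/24", None), ("0.0.0.0/0", "10.0.0.1")]},
    "RouterA": {"ifaces": ["10.0.0.1/24", "172.16.0.1/30"],
                "routes": [("10.0.0.0/24", None), ("172.16.0.0/30", None),
                           ("192.168.10.0/24", "172.16.0.2")]},
    "RouterB": {"ifaces": ["172.16.0.2/30", "192.168.10.1/24"],
                "routes": [("172.16.0.0/30", None), ("192.168.10.0/24", None),
                           ("10.0.0.0/24", "172.16.0.1")]},   # the route back to PC-A
    "PC-B":    {"ifaces": ["192.168.10.8/24"],
                "routes": [("192.168.10.0/24", None), ("0.0.0.0/0", "192.168.10.1")]},
}


def without_route(nodes, name, prefix):
    """Copy of the lab with one prefix removed from one node (simulates `no ip route`)."""
    copy = {k: {"ifaces": v["ifaces"], "routes": list(v["routes"])} for k, v in nodes.items()}
    copy[name]["routes"] = [r for r in copy[name]["routes"] if r[0] != prefix]
    return copy


def owner_of(ip, nodes):
    """Node holding this address on one of its interfaces (stands in for ARP on the link)."""
    target = ipaddress.ip_address(ip)
    for name, node in nodes.items():
        if any(ipaddress.ip_interface(i).ip == target for i in node["ifaces"]):
            return name
    return None


def lookup(node, dst):
    """Longest-prefix match: next hop address, None for directly connected, False if no route."""
    ip = ipaddress.ip_address(dst)
    matches = [(ipaddress.ip_network(p), nh) for p, nh in node["routes"]
               if ip in ipaddress.ip_network(p)]
    if not matches:
        return False
    return max(matches, key=lambda m: m[0].prefixlen)[1]


def send(src, dst, ttl, nodes):
    """Forward one packet from the node owning src. Returns (status, address) where
    status is 'delivered', 'ttl_exceeded', 'no_route' or 'unreachable' and address
    is the interface that would answer (the router's ingress address for errors)."""
    origin = here = owner_of(src, nodes)
    via = src                                # address the packet arrived through
    while True:
        if owner_of(dst, nodes) == here:
            return "delivered", dst
        if here != origin:                   # transit routers decrement TTL; the sender does not
            ttl -= 1
            if ttl == 0:
                return "ttl_exceeded", via
        nh = lookup(nodes[here], dst)
        if nh is False:
            return "no_route", via
        nh = dst if nh is None else nh
        nxt = owner_of(nh, nodes)
        if nxt is None:                      # nobody answers ARP for the next hop
            return "unreachable", via
        here, via = nxt, nh


def ping(src, dst, nodes, ttl=128):
    """What Windows ping would print for one echo request."""
    status, who = send(src, dst, ttl, nodes)
    if status == "delivered":
        back, _ = send(dst, src, ttl, nodes)
        return f"Reply from {dst}" if back == "delivered" else "Request timed out"
    # An ICMP error from a transit router must itself find a route back to us.
    if who != src and send(who, src, ttl, nodes)[0] != "delivered":
        return "Request timed out"
    return "TTL expired in transit" if status == "ttl_exceeded" else "Destination host unreachable"


def traceroute(src, dst, nodes, max_hops=20):
    """tracert: probe with TTL 1, 2, 3, ... and record who answered each probe ('*' = no answer)."""
    path = []
    for ttl in range(1, max_hops + 1):
        status, who = send(src, dst, ttl, nodes)
        answered = send(who, src, max_hops, nodes)[0] == "delivered"
        path.append(who if answered else "*")
        if status != "ttl_exceeded":
            break
    return path
```

With Router B's 10.0.0.0/24 route removed, the echo request still arrives at PC-B, but neither PC-B's reply nor Router B's own TTL-expired message can find a way back, so both ping and the second and third tracert hops show as timeouts; the first hop (Router A) still answers because it is directly connected to PC-A's network.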



Cutting your arm off - accidentally disconnecting from a remote router


RouterB#

RouterB#show run | i ip route

IP route 10.0.0.0 255.255.255.0 172.16.0.1



Network Tech's PC IP: 10.0.0.10

First Router IP: 10.0.0.0

First Router sends traffic through IP: 172.16.0.1


RouterB#config t

RouterB(config)#

RouterB(config)#no IP route 10.0.0.0 255.255.255.0 172.16.0.1 <- Cut off your arm


You have just cut off your arm: you are no longer able to reach either the second router or the user PC at 192.168.10.8.

how to fix your arm - reconnect to remote router


If you are physically near the router, you could use a rollover (console) cable to connect to the router and re-add the IP route.

RouterB(config)# IP route 10.0.0.0 255.255.255.0 172.16.0.1


If you are not physically near the router, you should still be able to SSH into your default gateway aka RouterA, and then SSH from RouterA into RouterB.


RouterA>

RouterA>en

RouterA#

RouterA#ssh -l user 172.16.0.2

RouterB# You are now connected to RouterB via RouterA

RouterB#config t

RouterB(config)# IP route 10.0.0.0 255.255.255.0 f0/0 <- you can use the interface instead of the next hop IP but the IP is always preferred

RouterB(config)# IP route 10.0.0.0 255.255.255.0 172.16.0.1 <- preferred method
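The "cut off your arm" mistake, and the route cleanup in the "many incorrect routes" section above, both come down to one question that can be checked before pressing Enter: after this no ip route command, does the router still have a route back to the address my SSH session comes from? This added example (not code from the notes, and not an IOS feature) simulates the removal against a copy of the routing table. It assumes you know your session's source address (the tech PC, 10.0.0.10) and the router's current table; ROUTER_B and ROUTER_B_MESSY are constructed from the Router B tables shown earlier.

```python
"""Added example (not code from the notes): pre-change check for `no ip route`,
answering "will this removal cut off the session I am typing in?"."""
import ipaddress

# (prefix, next hop); next hop None = directly connected. Constructed from Router B above.
ROUTER_B = [
    ("192.168.10.0/24", None),
    ("172.16.0.0/30", None),
    ("10.0.0.0/24", "172.16.0.1"),      # the route back to the tech PC's network
]
# Subset of the "many incorrect routes" table: guessed next hops beside the real one.
ROUTER_B_MESSY = ROUTER_B + [
    ("10.0.0.0/24", "172.15.0.1"),
    ("10.0.0.0/24", "192.168.10.8"),
]
# The cleanup a technician might type, last one being the mistake.
CLEANUP_CMDS = [
    "no ip route 10.0.0.0 255.255.255.0 172.15.0.1",
    "no ip route 10.0.0.0 255.255.255.0 192.168.10.8",
    "no ip route 10.0.0.0 255.255.255.0 172.16.0.1",
]


def parse_no_ip_route(cmd: str):
    """'no ip route 10.0.0.0 255.255.255.0 172.16.0.1' -> ('10.0.0.0/24', '172.16.0.1')"""
    parts = cmd.split()
    if parts[:3] != ["no", "ip", "route"] or len(parts) != 6:
        raise ValueError("expected: no ip route <network> <mask> <next-hop>")
    return str(ipaddress.ip_network(f"{parts[3]}/{parts[4]}")), parts[5]


def best_route(table, ip: str):
    """Longest-prefix match over (prefix, next_hop) entries; None if nothing matches."""
    addr = ipaddress.ip_address(ip)
    matches = [(ipaddress.ip_network(p), nh) for p, nh in table
               if addr in ipaddress.ip_network(p)]
    return max(matches, key=lambda r: r[0].prefixlen, default=None)


def removal_is_safe(table, cmd: str, session_src: str):
    """Simulate the removal and report whether session_src is still routable.
    Returns (safe, reason)."""
    target = parse_no_ip_route(cmd)
    before = best_route(table, session_src)
    after = best_route([r for r in table if r != target], session_src)
    if after is None:
        return False, (f"no route to {session_src} would remain: running this would "
                       "cut off your own session (the 'cut off your arm' case)")
    if after != before:
        return True, f"traffic to {session_src} would now follow {after[0]} via {after[1]}"
    return True, "route selection for your session is unchanged"


def safe_cleanup_order(table, cmds, session_src: str):
    """Check a list of removals in order, applying each safe one before checking the next.
    Returns (commands safe to run, [(blocked command, reason), ...])."""
    ok, blocked = [], []
    current = list(table)
    for cmd in cmds:
        safe, reason = removal_is_safe(current, cmd, session_src)
        if safe:
            ok.append(cmd)
            current = [r for r in current if r != parse_no_ip_route(cmd)]
        else:
            blocked.append((cmd, reason))
    return ok, blocked
```

The check only knows what the table says: a guessed next hop that happens to be reachable still counts as a route, which is exactly why the cleanup removes the guesses first and leaves the real route alone.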


IPv6 neighbor discovery protocol via multicast


IPv6 does not support ARP - Address Resolution Protocol which uses the Broadcast address (All F's) to build the ARP Table (IPv4 to MAC).

IPv6 instead uses a Neighbor Solicitation Message which uses a Multicast address (similar to a workgroup) to build the Neighbor Table (IPv6 to MAC).


Broadcast (ARP/IPv4) = Message is sent to MAC FFFF-FFFF-FFFF which is then forwarded to all connected workstations.

Multicast (NSM/IPv6) = Message is sent to a multicast MAC address (33-33-xx-xx-xx-xx, derived from the IPv6 group address) which is then forwarded to all multicast enrolled workstations.

The destination IPv6 multicast address is specific to the group but always begins with FF; the matching destination MAC address always begins with 33-33.


When a Cisco router is first connected it sends a Router Advertisement Message to all connected devices/workstations.

The Router Advertisement Message contains the router's MAC address, network prefix/mask, and client IPv6 address options.

This effectively tells devices/workstations where the router is and how to obtain an address to connect to it.


Ways the router can issue IP addresses include: Manual Config, DHCP Server, and Stateless Address Auto Config

By default on Cisco routers we use SLAAC - The Stateless Address Auto-Config.


When a workstation receives the Router Advertisement Message it can then choose its IPv6 address.

When this happens, the workstation then sends out a Neighbor Advertisement.


The Neighbor Advertisement includes the client's MAC address, IPv6 address, and some option fields.

When other IPv6 connected workstations receive a Neighbor Advertisement they save the information into their Neighbor Table (IPv6 to MAC).


Neighbor Table addresses go stale and age out over time, the same as ARP addresses do.

When devices lose this info and need to look up the MAC of an IPv6 device they're trying to communicate with, they send out a Neighbor Solicitation Message to request the missing information (similar to an ARP request).


The difference between this and ARP is that instead of the message being broadcasted to FFFF-FFFF-FFFF it is Multicasted to only the devices joined to the multicast group.


Once a device receives a Neighbor Solicitation Message it replies with a Neighbor Advertisement.


When a workstation is first connected to a network it can send out a Router Solicitation, which tells the router to send it its network prefix, MAC address, and how to connect to the network.


ipv6 multicast CONFIGURATION EXAMPLE


Workstation 1: 2001:DB8:A::y/64

Workstation 2: 2001:DB8:A::x/64

Switch:

Router: 2001:DB8:A::1/64 - F0/0

First we need to configure an IPv6 address on the router so that the workstations will use SLAAC (Stateless Address Auto Configuration) to assign themselves IPv6 addresses. To do this either SSH into the router via 10.0.0.1 or use a console cable to connect.


RouterA>

RouterA>en

RouterA#

RouterA#

RouterA#show ip int bri (show ip interface brief - to locate which interface has the IPv4 already on it)


Interface IP-Address OK? Method Status Protocol

FastEthernet0/0 10.0.0.1 YES manual up up <- location of IPv4 interface

FastEthernet0/1 172.16.0.1 YES manual up down

Serial0/0/0 unassigned YES unset administratively down down

Serial0/1/0 unassigned YES unset administratively down down


RouterA#

RouterA#config t

RouterA(config)#

RouterA(config)#int f0/0

RouterA(config-if)#

RouterA(config-if)#ipv6 address 2001:db8:a::1/64 <- assign an IPv6 address to interface F0/0 this is the Global Unicast Address


This should have triggered a Router Advertisement and the workstations should have chosen IPv6 addresses.

This can be checked by using ipconfig /all on one of the workstations.



Ethernet adapter Ethernet0: (What we would see PRIOR to assigning the Router interface an IPv6 Address)


Connection-specific DNS Suffix . :

Link-local IPv6 Address . . . . . . . .: fe80::248d:1d18:2ae5:40cf%4

IPv4 Address . . . . . . . . . . . . . . . . .: 10.0.0.10

Subnet Mask . . . . . . . . . . . . . . . . .: 255.255.255.0

Default Gateway . . . . . . . . . . . . . .: 10.0.0.1


Ethernet adapter Ethernet0: (What we should see AFTER assigning the Router interface an IPv6 Address)


Connection-specific DNS Suffix . :

IPv6 . . . . . . . . . . . . . . . . . . . . . . . . : 2001:db8:a:0:248d:1d18:2ae5:40cf IPv6 Address assigned by Windows

Temporary IPv6 Address . . . . . . .: 2001:db8:a:0:d5f1:174b:bab3:e154 Temporary Assigned by Windows

Link-local IPv6 Address . . . . . . . .: fe80::248d:1d18:2ae5:40cf%4 Layer 3 Address

IPv4 Address . . . . . . . . . . . . . . . . .: 10.0.0.10

Subnet Mask . . . . . . . . . . . . . . . . .: 255.255.255.0

Default Gateway . . . . . . . . . . . . . .: fe80::21d:71ff:fed7:9e5e%4 set to the link local address of the router

10.0.0.1


General consensus is that it doesn't really matter which of these gateway addresses you use, either the Link Local or the Global Unicast Address, although some documentation says the link local address is better.


Link Local Address - fe80::21d:71ff:fed7:9e5e

Global Unicast Address - 2001:db8:a::


You can assign the same Link Local Address to every interface on a router as well as choose a more simple address.


RouterA#

RouterA#config t

RouterA(config)#

RouterA(config)#int f0/0

RouterA(config-if)#

RouterA(config-if)#ipv6 address fe80::1 link-local <- assign new Link Local Address. fe80::1 instead of fe80::21d:71ff:fed7:9e5e%4


If we go back to our workstation and run ipconfig /all again we will see that the default gateway (router) IPv6 address has changed.


Ethernet adapter Ethernet0:


Connection-specific DNS Suffix . :

IPv6 . . . . . . . . . . . . . . . . . . . . . . . . : 2001:db8:a:0:248d:1d18:2ae5:40cf

Temporary IPv6 Address . . . . . . .: 2001:db8:a:0:d5f1:174b:bab3:e154

Link-local IPv6 Address . . . . . . . .: fe80::248d:1d18:2ae5:40cf%4

IPv4 Address . . . . . . . . . . . . . . . . .: 10.0.0.10

Subnet Mask . . . . . . . . . . . . . . . . .: 255.255.255.0

Default Gateway . . . . . . . . . . . . . .: fe80::1%4 updated to the new link local address of the router

10.0.0.1

examining the ipv6 neighbor table


With IPv4 seeing the ARP (IPv4 to MAC) table is simple on a workstation.

C:\Windows\Systems>arp -a To see the IPv4 Address Resolution Protocol table


With IPv6 seeing the Neighbor Table (IPv6 to MAC) is a bit more work.

C:\Windows\Systems>netsh int ipv6 show neighbor This displays every neighbor association on every interface inside the device

Windows workstations by default have a bunch of entries.


C:\Windows\Systems>netsh int ipv6 show neighbor interface="Ethernet0" Command to only display one interface's results


Internet Address Physical Address Type

---------------------------------------------------- ---------------------------------- --------------------------------

2001:db8:a::1 00-1d-71-d7-9e-5e Stale (Router)

fe80::1 00-1d-71-d7-9e-5e Reachable (Router)

fe80::21d:71ff:fed7:9e5e 00-1d-71-d7-9e-5e Stale (Router)

fe80::651c:3ad4:17a1:804c 00-0c-29-2d-9e-00 Stale

FF02::1 33-33-00-00-00-01 Permanent

FF02::2 33-33-00-00-00-02 Permanent

FF02::c 33-33-00-00-00-0c Permanent

FF02::16 33-33-00-00-00-16 Permanent

FF02::1:2 33-33-00-01-00-02 Permanent

FF02::1:3 33-33-00-01-00-03 Permanent

FF02::1:ff00:1 33-33-ff-00-00-01 Permanent

FF02::1:ffb3:e154 33-33-ff-b3-e1-54 Permanent

FF02::1:ffd7:9353 33-33-ff-d7-9e-5e Permanent

FF02::1:ffe5:40cf 33-33-ff-e5-40-cf Permanent
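The entries in this table are not random: the router's link-local fe80::21d:71ff:fed7:9e5e is derived from its MAC 00-1d-71-d7-9e-5e, each FF02::1:ffxx:xxxx row is the solicited-node group for one of the host's own addresses, and each 33-33-... MAC is derived from the group address. This added example (not code from the notes, and not how Windows or IOS is implemented internally) shows the three derivations; the sample MACs and addresses are the ones from the table above.

```python
"""Added example (not code from the notes): the address derivations behind an
IPv6 neighbor table: EUI-64 link-local, solicited-node multicast, multicast MAC."""
import ipaddress


def parse_mac(mac: str) -> bytes:
    """Accept 00-1d-71-d7-9e-5e, 00:1d:71:d7:9e:5e or Cisco 001d.71d7.9e5e."""
    digits = "".join(c for c in mac if c not in "-:.")
    if len(digits) != 12:
        raise ValueError(f"bad MAC: {mac!r}")
    return bytes.fromhex(digits)


def eui64_link_local(mac: str) -> str:
    """SLAAC/EUI-64 link-local: flip the universal/local bit (0x02) of the first byte,
    insert ff:fe between the two halves of the MAC, and prefix with fe80::/64."""
    m = bytearray(parse_mac(mac))
    m[0] ^= 0x02
    iid = bytes(m[:3]) + b"\xff\xfe" + bytes(m[3:])
    return str(ipaddress.IPv6Address(b"\xfe\x80" + b"\x00" * 6 + iid))


def mac_from_eui64(addr: str):
    """Inverse of EUI-64: the MAC embedded in an address, or None when the interface ID
    was not built from a MAC (Windows' random and temporary addresses, for example)."""
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    m = bytearray(iid[:3] + iid[5:])
    m[0] ^= 0x02
    return "-".join(f"{b:02x}" for b in m)


def solicited_node(addr: str) -> str:
    """Neighbor Solicitations for an address go to ff02::1:ffXX:XXXX, where the last
    24 bits are copied from the target, so only a few hosts have to listen."""
    low24 = ipaddress.IPv6Address(addr).packed[-3:]
    return str(ipaddress.IPv6Address(b"\xff\x02" + b"\x00" * 9 + b"\x01\xff" + low24))


def multicast_mac(addr: str) -> str:
    """An IPv6 multicast group maps to Ethernet 33-33 followed by the group's low 32 bits."""
    group = ipaddress.IPv6Address(addr)
    if not group.is_multicast:
        raise ValueError(f"{addr} is not a multicast address")
    return "-".join(f"{b:02x}" for b in b"\x33\x33" + group.packed[-4:])


def neighbor_table_groups(unicast_addrs):
    """Solicited-node group and MAC a host must listen on for each of its own addresses."""
    return {a: (solicited_node(a), multicast_mac(solicited_node(a))) for a in unicast_addrs}
```

mac_from_eui64 is the reason the workstation output earlier shows a "Temporary IPv6 Address": an EUI-64 address carries the hardware MAC to every network the host talks to, so Windows builds its interface IDs randomly instead and rotates a temporary one for outbound connections.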


To clear an ARP IPv4 Table you need to enter (arp -d *)

To clear the IPv6 Table you need a larger command:


C:\Windows\Systems>netsh int ipv6 delete neighbors interface="Ethernet0"

Ok.


C:\Windows\Systems>netsh int ipv6 show neighbor interface="Ethernet0" < - To see the change


Internet Address Physical Address Type

---------------------------------------------------- ---------------------------------- --------------------------------

2001:db8:a::1 00-00-00-00-00-00 Unreachable <- you may need to ping the router to resolve the MAC address

fe80::1 00-00-00-00-00-00 Reachable (Router)

fe80::21d:71ff:fed7:9e5e 00-00-00-00-00-00 Unreachable

FF02::16 33-33-00-00-00-16 Permanent

FF02::1:2 33-33-00-01-00-02 Permanent


The MAC addresses may repopulate quickly on their own through Neighbor Advertisements, Neighbor Solicitations, and Router Advertisements, or you may need to ping the router to resolve its MAC address.


C:\Windows\Systems>ping 2001:db8:a::1 <- ping the router


Pinging 2001:db8:a::1 with 32 bytes of data:

Reply from 2001:db8:a::1: time=1ms


C:\Windows\Systems>netsh int ipv6 show neighbor interface="Ethernet0" < - To see the resolved MAC address of the Router.


Internet Address Physical Address Type

---------------------------------------------------- ---------------------------------- --------------------------------

2001:db8:a::1 00-1d-71-d7-9e-5e Stale (Router) <- MAC has been resolved

fe80::1 00-1d-71-d7-9e-5e Reachable (Router) <- this is the current default gateway

fe80::21d:71ff:fed7:9e5e 00-00-00-00-00-00 Unreachable

FF02::16 33-33-00-00-00-16 Permanent

FF02::1:2 33-33-00-01-00-02 Permanent

FF02::1:ff00:1 33-33-00-01-00-01 Permanent

IPV6 STATIC Routing


For static routing to work across a network, each router in the network must be configured to know the next "hop" or router it's connected to.

The cables connecting the routers (which are like devices) need to be crossover cables unless the router is newer and has Auto MDI-X aka auto crossover.

Why this matters:


If PC-A 2001:DB8:10:A::10 is trying to reach PC-B 2001:DB8:10:C::8,

the routers in between the two need to know which networks sit behind one another.

This means the PCs need access to the routing table on the routers that they are connected to.


Router A - Routing Table:

C F0/0 2001:DB8:10:A::/64

C F0/1 2001:DB8:10:B::/64

S 2001:DB8:10:C::/64 via 2001:DB8:10:B::2 <- Static Route


Router B - Routing Table:

C F0/0 2001:DB8:10:B::/64

C F0/1 2001:DB8:10:C::/64

S 2001:DB8:10:A::/64 via 2001:DB8:10:B::1 <- Static Route


In this example we are using the Global Unicast IPv6 addresses. A lot of documentation states to use the Link Local address while assigning static routes, however in practice there is literally no difference.

Adding the IPV6 Static IP


SSH into Router A 2001:db8:10:A::1

RouterA>

RouterA>en

RouterA#

RouterA#config t

RouterA(config)#

RouterA(config)#ipv6 route 2001:db8:10:c::/64 2001:db8:10:B::2 <- add the static route

RouterA(config)#exit

RouterA#

RouterA#show ipv6 route <- to see IPv6 routing table


Codes: C - Connected EX - EIGRP external E2 - OSPF external type 2

S - Static O - OSPF intra L - Local

R - RIP IA - OSPF inter area IS - IS-IS summary

M - MIPv6 I1 - IS-IS level-1 OE1 - OSPF ext 1

B - BGP I2 - IS-IS level-2 OE2 - OSPF ext 2

D - EIGRP E1 - OSPF external type 1 ia - IS-IS inter area

ON1- OSPF NSSA U - per-user static route



Gateway of last resort is not set


C 2001:DB8:10:A::/64 [0/0] via ::, FastEthernet0/0 <- Directly Connected

L 2001:DB8:10:A::1/128 [0/0] via ::, FastEthernet0/0 <- The IP configured on 0/0

C 2001:DB8:10:B::/64 [0/0] via ::, FastEthernet0/1 <- Directly Connected to Router B

L 2001:DB8:10:B::1/128 [0/0] via ::, FastEthernet0/1 <- The IP configured on 0/1

S 2001:DB8:10:C::/64 [1/0] via 2001:DB8:10:B::2 <- Static Route (hop)

L FF00::/9 [0/0] via ::, Null0 <- Multicast Address - since it is pointed at Null0 (the "garbage can"), ipv6 multicast is turned off



SSH into Router B


RouterA#

RouterA#ssh -l username 2001:DB8:10:B::2

RouterB#

RouterB#config t

RouterB(config)#

RouterB(config)#ipv6 route 2001:db8:10:A::/64 2001:db8:10:B::1

troubleshooting ipv6 static routing with demo diagram

Examining Misconfigured IPv6


When you assign an IPv4 address to an interface on a router,

it writes over the previous IPv4 address associated with that interface.

There can only ever be one IPv4 address assigned to an interface.


When you assign an IPv6 address to an interface on a router,

it adds it and keeps all previous IPv6 addresses associated with that interface.

There can be multiple IPv6 addresses assigned to an interface.

Best practice is to always manually remove extra IPv6 addresses.


What this means is: Whenever you incorrectly enter an IPv6 address you should manually remove it.


RouterA>en

RouterA#

RouterA#config t

RouterA(config)#

RouterA(config)#int f0/0

RouterA(config-if)#

RouterA(config-if)#do show run int f0/0 <- display the running config for interface f0/0


example of removing an IPv6 address when there are multiples


RouterA(config-if)#no ipv6 address 2001:DB8:20:B::1/64



Examining IPv6 pings work but traffic doesn't


Without IPv6 unicast routing enabled, IPv6 traffic will not be routed, but pings and IPv6 interface configuration will still work.

To enable: RouterA(config)#ipv6 unicast-routing


If unicast-routing is turned off, it will cause a general failure while pinging on IPv6 networks, since the router stops advertising itself and the default gateway will be removed from the workstation's config.

PING: transmit failed. General failure <- this message generally means the default gateway/router is not configured


To re-add the default gateway to the network interface, open Network Connections, Ethernet properties, and add the IPv6 gateway address.

If the gateway address is still on your local machine or has been re-added, the ping response will be "Request timed out" until unicast routing has been enabled.




Order of Route Selection + Loopback


Open PuTTY and SSH to 10.0.0.1

RouterA>

RouterA>en

RouterA#

RouterA#show ip route



S 192.168.10.0/24 [1/0] via 172.16.0.2

172.16.0.0/24 is subnetted, 1 subnets

C 172.16.0.0 is directly connected, FastEthernet0/1

10.0.0.0/24 is subnetted, 1 subnets

C 10.0.0.0 is directly connected, FastEthernet0/0


RouterA#

RouterA#config t

RouterA(config)#

RouterA(config)#int loopback 0 (create loopback interface 0)

RouterA(config-if)# ip address 10.8.8.1 255.255.255.0 (assign ip to loopback interface)

RouterA(config-if)#no shut (no shut down)

RouterA(config-if)#show ip route (to see the change)


S 192.168.10.0/24 [1/0] via 172.16.0.2

172.16.0.0/24 is subnetted, 1 subnets

C 172.16.0.0 is directly connected, FastEthernet0/1

10.0.0.0/24 is subnetted, 1 subnets

C 10.8.8.0 is directly connected, Loopback0 <- This one

C 10.0.0.0 is directly connected, FastEthernet0/0


Configure another loop on the second router

Open PuTTY and SSH to 172.16.0.2


RouterB>

RouterB>en

RouterB#

RouterB#show ip route


C 192.168.10.0/24 is directly connected, FastEthernet0/1

172.16.0.0/24 is subnetted, 1 subnets

C 172.16.0.0 is directly connected, FastEthernet0/0

10.0.0.0/24 is subnetted, 1 subnets

S 10.0.0.0 [1/0] via 172.16.0.1


RouterB#

RouterB#config t

RouterB(config)#

RouterB(config)#int loopback 0 (create loopback interface 0)

RouterB(config-if)# ip address 10.9.9.1 255.255.255.0 (assign ip to loopback interface)

RouterB(config-if)#no shut (no shut down)

RouterB(config-if)#show ip route

RouterB(config-if)#exit



C 192.168.10.0/24 is directly connected, FastEthernet0/1

172.16.0.0/24 is subnetted, 1 subnets

C 172.16.0.0 is directly connected, FastEthernet0/0

10.0.0.0/24 is subnetted, 1 subnets

C 10.9.9.0 is directly connected, Loopback0 <- This one

S 10.0.0.0 [1/0] via 172.16.0.1



At this point, if you sent a ping to 10.9.9.1 it would fail; we need to configure a static route for the loopback networks on the routers.


RouterB(config)#ip route 10.8.8.0 255.255.255.0 172.16.0.1 (static route from B to A)

RouterA(config)#ip route 10.9.9.0 255.255.255.0 172.16.0.2 (static route from A to B)


We can now ping either loopback address, 10.8.8.0 or 10.9.9.0



Create a default route

If the router doesn't have a specific route for an address, use the default route


RouterA(config)#ip route 0.0.0.0 0.0.0.0 loopback 0 (this will also make all external ips that you ping timeout)


RouterA#show ip route


Gateway of last resort is 0.0.0.0 to network 0.0.0.0 <- gateway of last resort and default route are the same.


S 192.168.10.0/24 [1/0] via 172.16.0.2

172.16.0.0/24 is subnetted, 1 subnets

C 172.16.0.0 is directly connected, FastEthernet0/1

10.0.0.0/24 is subnetted, 1 subnets

C 10.8.8.0 is directly connected, Loopback0

C 10.0.0.0 is directly connected, FastEthernet0/0

S* 0.0.0.0/0 is directly connected, Loopback0 <- this is the added default route


adding another router to the environment

Adding the Static Routes


Router A - needs two routes (Next hop address = 172.16.0.2 = Router B)


RouterA(config)#ip route 192.168.10.0 255.255.255.0 172.16.0.2

RouterA(config)#ip route 172.16.0.4 255.255.255.252 172.16.0.2



Router B - needs two routes (Next hop address = 172.16.0.1 = Router A and 172.16.0.6 = Router C)


RouterB(config)#ip route 10.0.0.0 255.255.255.0 172.16.0.1

RouterB(config)#ip route 192.168.10.0 255.255.255.0 172.16.0.6



Router C needs two routes (Next hop address = 172.16.0.5 = Router B)


RouterC(config)#ip route 10.0.0.0 255.255.255.0 172.16.0.5

RouterC(config)#ip route 172.16.0.0 255.255.252.0 172.16.0.5

DUAL Stack configuration aka ipv4 and ipv6 simultaneous

This is adding IPV6 addresses


RouterA#show run | i ipv6 unicast-routing Check if IPV6 is on, if off run #ipv6 unicast-routing

RouterA#config t

RouterA(config)#int f0/0 configure interface 0

RouterA(config-if)#ipv6 address 2001:db8:10:A::1/64 assign ipv6

RouterA(config)#int f0/1 configure interface 1

RouterA(config-if)#ipv6 address 2001:db8:10:B::1/64 assign ipv6

RouterA(config-if)#ipv6 route 2001:db8:10:C::/64 2001:db8:10:B::2 assign static route to Router B


RouterB#config t

RouterB(config)#show run | i ipv6 unicast-routing Check if IPV6 is on

RouterB(config)#ipv6 unicast-routing Turn on IPV6 routing

RouterB(config)#int f0/0 configure interface 0

RouterB(config-if)#ipv6 address 2001:db8:10:B::2/64 assign ipv6

RouterB(config)#int f0/1 configure interface 1

RouterB(config-if)#ipv6 address 2001:db8:10:C::1/64 assign ipv6

RouterB(config-if)#ipv6 route 2001:db8:10:A::/64 2001:db8:10:B::1 assign static route to Router A


Reminder: IPv6 and IPv4 are separate protocols; data does not move from one to the other.