Cisco IOS and CLI

Overview

For the Cisco CCNA you are required to know how to configure Cisco routers and Cisco switches using the command line interface or CLI. A command line interface is a command driven user shell that allows the user to interface with the operating system. The command line interface or CLI is operated with just a keyboard. In contrast a graphical user interface or GUI is an icon and menu driven user shell characterized by the use of a mouse in addition to a keyboard. The Cisco operating system, used with Catalyst switches and integrated services routers is known as the Cisco IOS, or Internetwork Operating System.

  • RAM (temporary memory) – The IOS and the config file are loaded and run in RAM when the router boots up, but they are typically saved or stored in FLASH (IOS) and NVRAM (startup-config). The routing table is run from RAM. Routers and switches execute everything in RAM which is why they are so fast. Configuration changes are immediately executed in RAM (running-config) but can be saved to NVRAM (startup-config) to be made permanent.
  • FLASH (permanent memory) – This is where the IOS is saved
  • NVRAM (permanent memory) – This is where the startup-config file is saved
  • ROM (permanent and unchangeable) – This is where the BIOS, POST, and ROMMON are stored.

The IOS and CLI

The Cisco IOS is the Cisco operating system. The IOS is specific to the Cisco device it was designed for, having different capabilities and tools included in it. In this way, the Cisco IOS comes in many different sizes, capabilities, specifications and revisions.

As part of the Cisco IOS, the CLI or command line interface is included on every Cisco device including, Cisco routers, switches, and wireless access points and bridges. Most Cisco devices also have a GUI or graphical user interface. The focus of the Cisco CCNA is learning the CLI, command line interface. The command line interface is an administrative interface used to configure the Cisco device. There are three ways to access the CLI:

Console – the console port is a direct serial connection using a console/rollover cable attached from the Cisco device’s console port to a computer serial port. Usually the initial method of configuring a router or switch, because it does not rely on networking being enabled. A console connection is also how you would recover a router with a deleted configuration file, IOS file, or forgotten password.

Telnet or SSH – the ability to telnet or SSH into a Cisco device is a remote administrative connection that can also be done from the local network. In order to telnet or SSH into a Cisco router or switch you will first need to bring up a network interface by configuring it with an IP address, subnet mask, and issuing the “no shutdown” command .

Aux – The auxiliary port is designed to connect to a modem. It is used for a dial in connection to the router or switch. This remote administrative connection can also be done locally.
The CLI has different command modes, with specific commands available in each mode. The different command modes are:

  • User exec mode – Only a few commands are available in this mode. Commands like “ping”, a few of the “show” commands
  • Privileged exec mode – All of the User exec commands plus all of the “show” and “debug” commands
  • Global config mode – Access to all of configuration commands and addition configuration modes
  • Global sub configuration modes – interface configuration mode, router configuration mode, etc.

Commands

  • Router>enable
  • Router#configure terminal
  • Router#show running-config
  • Router#show startup-config
  • Router#show version
  • Router#show flash
  • Router#copy running-config startup config

CLI Video Tutorials

In this video, I cover some CLI basics

Configure console and VTY ports for administrative access


Configure enable password, enable secret, service password-encryption, and banner motd

Configure a switch for telnet access

Backup a configuration file and IOS bin file to a TFTP server

 Restore a configuration file from a TFTP Server

Restore a startup-config file from text file

Basic switch configurations including an interface VLAN1 IP address for telnet access

Frame Relay

Frame Relay Overview

Frame Relay is a WAN protocol. A Frame Relay network is comprised of interconnected switches that make up a Frame Relay cloud. Frame Relay uses virtual circuits (PVC) to interconnect routers across the WAN.

Video Tutorials

In this series of tutorials I set up a network interconnected by Frame Relay. The first video is dedicated to setting up the network and labeling the devices and interfaces. In the second video I configure the devices and interfaces with the addressing scheme outlined in the first video. The third video is dedicated to configuring the Frame Relay cloud device which is a virtual representation of interconnected Frame Relay switches. This device is the typically the responsibility of the ISP. In the fourth video I configure the routers for Frame Relay static mappings. In the fifth and sixth videos I discuss the benefits of using subinterfaces with Frame Relay and reconfigure the network for Frame Relay subinterfaces.

 

 

 

 

 

PPP

PPP Overview

The Point-to-Point Protocol (PPP) is a layer 2 WAN protocol. PPP is used to connect a local area network (LAN) to a wide area network (WAN) through a service provider. PPP can be used as the data link layer protocol and frame for the following types of point-to-point, serial, synchronous and asynchronous network connections: Dial-Up, ISDN, Leased Line (e.g. T1 & E1), Frame Relay, DSL (PPPoE), and ATM (PPPoA). Concerning physical media, PPP can be transported over telephone lines, serial cables, fiber optic lines, twisted pair copper, satellite, and wireless.

For serial connections, Cisco routers by default use Cisco’s version of the HDLC protocol (Cisco-HDLC) but if you are going to connect to another non-Cisco router it is recommended to use the PPP protocol and frame encapsulation. The speed of PPP is limited only by the DTE and DCE interface connections it uses. It is capable of very fast speeds.

The Structure of PPP

The PPP protocol is based on, and similar to, the HDLC protocol with some important differences, in that PPP uses LCP, NCPs and supports: authentication, encryption and compression.

The PPP protocol structure

Network
Layer
 

IP, IPX, AppleTalk
IPCP, IPXCP, AppleTalkCP

NCP (Network Control Protocol)
Upwards service to layer 3 (Network Layer)
multiple layer 3 protocol support through
NCPs. PPP can exchange layer 3 addressing

LCP (Link Control Protocol)
handles link setup, termination, authentication, encryption, compression, and error detection

PPP at the
Data Link Layer
PPP at the
Physical Layer
Synchronous or Asynchronous Serial
High Speed Serial Interface
Telephone Lines
Leased Lines

LCP – Link Control Protocol handles link setup and termination as well as most of the configuration options including: authentication, compression error detection, and multilink (load balancing)

Authentication – PPP can be configured to use PAP (Password Authentication Protocol) and CHAP (Challenge Handshake Authentication Protocol). Both protocols authenticate serial connections with a username and password but CHAP is more secure because it uses a three way handshake during the initial LCP link negotiation, and then uses three way handshake challenges at random times afterwards, insuring that the link is still trusted.
Compression – the CCNA curriculum covers two PPP compression configuration options: stacker and predictor. PPP can achieve better throughput by compressing data traveling across the links
Error detection – PPP can be configured to test and report the quality of the serial link, it can also detect interfaces in a loopback state.
Multilink – PPP can be configured to load balance across multiple serial interfaces for greater bandwidth.

 

Video Tutorials

In this video I configure PPP with PAP

In this video I configure PPP with CHAP

Inter VLAN Routing

Overview

The ability to create VLANs and establish multiple networks on a switch is useless if you cannot allow the separate VLANs to communicate with each other. For separate VLANs to communicate you need to have routing, you accomplish this by adding a router or a layer 3 switch to the network. The Cisco CCNA curriculum expects you to know how to configure inter-vlan routing using a router connected to a switch through a trunked link. Configuring Layer 3 switching is a CCNP topic and not expected in the CCNA.

To configure a router for inter-vlan routing the router’s ethernet port needs to be converted to a trunked link. As a trunk, multiple VLANs (networks) can travel across the one ethernet port. To do this the ethernet port needs to use sub-interfaces in order to become the gateway for multiple networks. The sub-interfaces also need to have the 802.1Q trunking protocol enabled and the VLAN ID or number specified in the configuration. When multiple VLANs (networks) can communicate with the router over one trunked link the configuration is called “Router on a Stick.”

In the video tutorials, below I cover the entire process of configuring VLANs, switchports and a trunk on a switch, and inter-vlan routing on a router, using Cisco’s Packet Tracer program to simulate a real network environment.

Video Tutorials

In part 1, I discuss the need for VLANs and Inter-VLAN routing in a network

If you want to follow along in Packet Tracer with the parts 2 & 3. Click here to download the start file: inter-vlan-routing-start.zip

In part 2, I lay out the “Router on a Stick” topology and begin configuring the switch for VLANs

In part 3, I configure sub-interfaces, 802.1Q encapsulation with VLAN IDs, and the native VLAN on the router

Video Tutorials

In this video, I setup inter-VLAN routing by configuring the switch VLANs, switchports, and trunk, then I configure the router the subinterfaces on the router with IP addresses and the 802.1Q protocol.

In this video, I configure the router for inter-vlan routing

STP

STP Overview

STP or Spanning Tree Protocol is a protocol used on switches that prevents Layer 2 Switching Loops and Layer 2 Broadcast Storms. This is very necessary in large networks that are designed to have redundancy like backup switches and multiple paths across the network. Redundancy is a great thing for a network to have, but it can create physical loops by having more than one physical path or link across the network. When there are redundant links or paths for data to travel, then the data can circulate back around the network repeatedly in a layer 2 switching loop. This has the potential to effectively shutdown the network, because unlike packets at Layer 3 which have TTL values and a limited lifespan on the network, Layer 2 broadcasts do not have TTL values and will therefore loop endlessly on the network.

STP solves this problem by automatically blocking redundant or duplicate paths (ports) from switch to switch, thus closing the loops. If a path to a switch becomes unavailable, STP can reopen a closed port creating a new path. For this process to work, switches in the network communicate with one another, and share STP messages, called BPDUs, or Bridge Protocol Data Units.

The Root Bridge

The root bridge is the switch that is at the top of the Spanning Tree. The Spanning Tree Algorithm (STA) calculates the costs of all the paths in the network starting from the root bridge. The root bridge is determined by an election process in which the switch with the lowest bridge ID (BID) is elected root bridge. The BID is determined by two factors:

1. The BID is the lowest bridge priority number plus the VLAN ID, which by default would be 32768 plus the default VLAN 1, would be 32768+1=32769
2. or, if the BIDs on all the switches are identical. The switch with the lowest MAC Address becomes the root bridge

How to pick the root bridge?

It is a good idea to not leave the root bridge election process up to the mere chance of a switch having the lowest MAC address. Ideally the root bridge should be a robust switch at the center of the network close to resources that users will need access to. The thing to remember is that the root bridge will block ports in order to close off loops, creating paths for traffic to flow. These layer 2 paths need to be as short as possible. For STP to function properly, the end-to-end layer 2 network diameter should be no more than 7 switches. If there are more than 7 switches for data to traverse in the network, then the STP timers will not function correctly and ports could start flapping from forwarding to blocking which would create loops in the network.

Path Cost

The root bridge calculates which paths are the best paths in the network and which paths are redundant paths, needing to be blocked. This is done by assigning a cost value based on the speed of the switchports. So, if the root bridge is connected to another switch by way of a gigabit port, the cost for that link is assigned a value of a 4, and if that switch is connected to another switch by way of a fast ethernet port then that link is assigned a value of a 19. The entire path cost is 4 + 19 = 23.

The cost of the link is based on the speed of the port. Here is the list of port costs:
10 Gig = 2,
1 Gig = 4,
100 Mb = 19,
10 Mb = 100

IOS Commands

switch#show spanning-tree
switch#debug spanning-tree events

Lowering the bridge priority number can change the root bridge election process because the switch with the lowest bridge priority number is elected the root bridge. The default bridge priority number is 32768. In the first command below, you can manually change the bridge priority number. The following two commands automatically set the priority number to a lower than default predefined number

switch(config)#spanning-tree vlan 1 priority <num>
switch(config)#spanning-tree vlan 1 root primary
switch(config)#spanning-tree vlan 1 root secondary

The following commands allow you to manually change the cost of a port, which is normally based on port speed. This can change which ports, and therefore paths, that the root bridge will elect to block in order to close a loop.

switch(config)#interface fa0/1
switch(config-if)#spanning-tree cost <num>

The following commands change the port priority number which can change which ports, between two designated ports, on the same segment, will be put into a blocking state. To do this, you will need to lower the priority number to a number lower than the default of 128.

switch(config-if)#spanning-tree port-priority <num>
or in Packet Tracer,
switch(config-if)#spanning-tree vlan <num> port-priority <num>

Video Tutorials

Click here to download the packet tracer files used in the video: STP1-begin-step4.zip , STP1-begin-step4-STP-OFF.zip

In part 1, I demonstrate how STP prevents Broadcast Storms in large networks with redundant switches

In part 2, I discuss the BID -bridge ID, and the STP root bridge election process

In part 3, I demonstrate how to force the STP root bridge election by changing the bridge priority number

VTP

Overview

VLAN Trunking Protocol allows switches to share VLAN information dynamically. This way an administrator only needs to change VLAN information on one switch and it will automatically propagate to other switches in the VTP domain. This does not replace the need to assign specific switchports to specific VLANs, but it does reduce the administrative time it would take to configure VLAN changes on all switches in a large network. {loadposition adposition5}In order to implement VTP you need to know how the protocol operates and functions and how to configure it. For VTP to begin functioning the participating switches must be configured with the same VTP domain name. A VTP domain can support only 255 VLANs. Switches running VTP can be configured for three different modes: server, client, and transparent. A switch with VTP enabled is in server mode by default. VTP advertisements are sent every 5 minutes by default, or when there is a change in configuration revision number caused by the addition or deletion of a VLAN on a server.

VTP Modes

Server Mode – In VTP server mode you can create, modify and delete vlans. VLAN information is synchronized with other VTP servers and clients on the VTP domain. You can have multiple VTP servers in the VTP domain and VLAN information is synchronized according to the server with the highest configuration revision number. VLAN information is stored in the the vlan.dat file in NVRAM/Flash memory.

Client Mode – Switches in VTP client mode receive and synchronize VLAN database information from other VTP servers and VTP clients in the VTP domain. A VTP client can update a VTP server if it has a higher configuration revision number. VLAN information is stored in the “Running-Config” or DRAM. If a switch in client mode is restarted then all VLAN information, including the VTP revision number on the switch is lost and must be relearned from the VTP server once the client has restarted.

Transparent Mode – Switches in transparent mode receive updates from other servers and clients but do not participate in the VTP Domain, rather they allow the VTP updates and advertisements, to pass through the switch on to other switches in the VTP domain. Transparent mode switches do not synchronize their VLAN information with other VTP servers and clients, but maintain their own separate VLAN configurations.

Video Tutorial

In this video tutorial, I demonstrate how VTP shares VLAN information by configuring a VTP server and a VTP client, and then connecting them together with a trunk. The demonstration is easy to follow along with, in Packet Tracer. Here are the starter files for Parts 2 and 3: VTP2-begin.zipVTP3-begin.zip

In this tutorial, I cover setting up switches as a VTP server and a VTP client

 In this tutorial, I cover setting up a switch in VTP transparent mode

In this tutorial, I demonstrate how a VTP client can actually change a VTP server if the client has the higher revision number

VLANs and Trunks

VLANs Overview

VLANs – A switches is used to set up a local area network (LAN). A VLAN stands for a virtual local area network. By default, all of the ports on a Cisco switch are part of the same default VLAN (VLAN1) and therefore the same network. A VLAN is a network and a network is a broadcast domain. If you configure various switch ports for separate VLANs, then the devices on those ports will belong to separate VLANs and therefore, will be segmented into separate broadcast domains and networks. This is effectively like dividing a switch into multiple switches. This is cost effective, because instead of having multiple switches, each for a different network, you can have one switch configured for multiple VLANs and you can assign the ports on that switch to belong to whatever VLAN you need the host to belong to.

VLAN Types

Data VLAN – A data VLAN carries only user data not management data, control data or voice data.

Default VLAN – On a Cisco switch the default VLAN is VLAN1. This means that by default, when a Cisco switch boots up for the first time all the ports are automatically assigned to the default VLAN, VLAN1. You cannot delete or rename VLAN1 but you can assign the ports on the switch to a different VLAN. It is considered best practice to make all of the user ports on the switch belong to a different default VLAN, one other than VLAN1. In this way, control data such as CDP and STP (spanning tree protocol) which are by default carried on VLAN1 would be on a separate VLAN from user data.

Native VLAN – The native VLAN, if not explicitly configured, will default to the default VLAN, (VLAN1). The Native VLAN is configured for an 802.1Q Trunk port. 802.1Q trunks carry traffic from multiple VLANs by tagging the traffic with VLAN identifiers (Tagged Traffic) which identifies which packets are associated with which VLANs, and they can also carry non VLAN traffic from legacy switches or non 802.1Q compliant switches (Untagged Traffic). The switch will place untagged traffic on the Native VLAN by using a PVID identifier. Native VLAN traffic is not tagged by the switch. It is a best practice to configure the Native VLAN to be different than VLAN1 and to configure it on both ends of the trunk.

Management VLAN – The management VLAN is any VLAN you configure to allow a host to connect to the switch and remotely manage it. The management VLAN will need to be configured with an IP address and subnet mask to allow a manager to connect to the switch by either a web interface (HTTP), Telnet, SSH, or SNMP.

VLAN ID Ranges

Normal Range

  • 1 to 1005
  • VLAN1 (default), created by default, cannot be deleted
  • VLAN1002-1005 (Token Ring and FDDI default), created by default and cannot be deleted
  • Stored in the VLAN.dat file in Flash memory

Extended Range

  • 1006 – 4094
  • Extended VLAN range used by ISPs
  • Stored in Running-Config

Trunks – If you have a switch that has ports variously configured on four different VLANs, then that switch has four different networks on it. When you connect that switch to a router or to another switch you will need four ethernet connections or links, one for each VLAN/network. A more cost effective way to connect a switch with multiple VLANs to a router or switch would be to configure a Trunk. A Trunk is a special kind of port configuration which allows multiple VLANs to travel over one link. This way multiple networks can travel over one trunk instead of wasting valuable ports to connect from switch to switch or switch to router. A Cisco trunk by default uses the 802.1Q protocol. The 802.1Q protocol places and strips VLAN tags on packets to identify which VLAN they belong to.

CLI Commands

switch#show vlan
switch#show interfaces trunk

switch(config)#vlan <vlan number>
switch(config-vlan)#name <vlan name>

switch(config)#interface fa0/x
switch(config-if)#switchport mode access
switch(config-if)#switchport access vlan <1-4096>

switch(config-if)#switchport mode trunk
switch(config-if)#switchport trunk allowed vlan <1-1005>
switch(config-if)#switchport trunk native vlan <1-1005>

Configuring VLANs and Trunks Video Tutorials

In the video tutorials below I demonstrate how to configure VLANs and Trunks on a Cisco switch using Packet Tracer.

Basic Switch Configuration and Port Security

Switch Security Overview

In the video tutorials below, I show how to use Packet Tracer to build a small LAN with a Cisco 2960 Switch, three PC clients, and two PC servers, one of the servers is placed on a separate VLAN for management purposes. Excellent review and study for the Cisco CCNA exam. The networking tasks that are accomplished in the videos are:

• Changing the management VLAN on the switch,
• Configuring the switch with an IP address,
• Configuring the switchports as access ports and assigning them to VLANs,
• Remotely connecting to the switch with telnet,
• Configuring passwords for console and virtual terminal ports,
• Configure privileged user mode with an md5 encrypted password,
• Configuring the hostname on the switch,
• Testing LAN connections with the Ping utility,
• Backing up the switch configuration file and IOS image file to a TFTP server using the copy command,
• Using the show mac-address-table command,
• Configuring switchport port-security and sticky mac address

Video Tutorials