CCENT 11, 12, 13, 14, 15 IOS Modes Internetworking Operation System User mode Switch> Basic Show

ow commands Privilege Mode Switch# Full show commands Configuration Mode Switch(config)# Full configuration commands Switch>enable Switch#disable Switch#configure terminal Switch(config-if)#exit Switch(config-if)#end Switch(config-if)#do show

Enable Configure Terminal Switch# Switch> Switch(config)#

To enter Privilege mode To enter User mode To enter Configuration mode To go back one level To go back to privilege mode

To execute the show command from any mode

Switch(config)#enable password [password] To set Privilege mode password (shows in running-config) Switch(config)#no enable password To remove Privilege mode password Switch(config)#enable secret [password] To set Privilege mode secret (encrypted) Switch(config)#no enable secret To remove Privilege mode secret If both password and secret are enabled, then password < secret Switch(config)#line console 0 Switch(config-line)#password [password] Switch(config-line)#login To enter console configuration mode To set password for console To enable login for console (prompts for password)

Switch(config)#line vty 0 2 To enter virtual terminal configuration mode (telnet) Switch(config-line)#enable password [password] To set password for virtual terminal (telnet) Switch(config-line)#no login To disable login for telnet (will connect with no password) If no password set, its not possible to telnet to the switch There are 16 lines on a switch. Vty 0 2 configures the virtual terminal for lines 1, 2, and 3 To telnet, IP, Subnet Mask, and Default Gateway must be setup Not recommended because it uses clear text that is retrievable using simple packet sniffers. Switch(config)#username [username] password [password] To create username/password for SSH Switch(config)#ip domain-name [domain] To set domain name for generating encryption certificates Switch(config)#crypto key generate rsa 1024 To generate keys Switch(config)#ip ssh version 2 To set the version of SSH we wish to use Switch(config)#line vty 0 2 To enter virtual terminal configuration Switch(config-line)#transport input ssh To set virtual terminal to use ssh instead of telnet Switch(config-line)#transport input telnet ssh To set virtual machine to use telnet and ssh Ssh is preferred to telnet, because unlike telnet, ssh is fully encrypted Switch(config)#service password-encryption To encrypt all the passwords on the system Uses type 7 encryption which is easily cracked. Only used for Line of Sight (hard to remember) Switch(config)#banner motd %[message]% To create a message of the day banner for everything Switch(config)#banner login %[message]% To create a login banner for virtual terminal (telnet) If both motd and login banners are enabled, motd banner comes first and then login banner Switch(config)#hostname [name] Switch(config)#no hostname Switch(config)#interface vlan [#] Switch(config-if)#ip address [#.#.#.#] [#.#.#.#] Switch#show interface vlan [#] Vlan[#] is administratively down o Switch(config-if)#no shutdown Line protocol is down To set the name for the switch To remove hostname and reset to default (Switch) To enter vlan configuration mode To set the ip and subnet mask for the interface To show the interface Interface is shutdown (Physical Layer) To turn on the interface Data Link Layer

Switch(config)#ip default-gateway [#.#.#.#] Switch#show running-config Switch#copy running-config startup-config Switch#show startup-config Switch#show version

To set the default gateway for the entire device To show what we are running on the switch (in RAM) To copy settings from RAM to NVRAM (non-volatile RAM) To show hard-coded/saved config on the NVRAM To show over view of the device

Switch#show ip interface brief To show all the ips and interfaces on the system Switch#terminal monitor To show real time changes to the switch Switch#show mac address-table To show a list of all learned mac addresses Switch(config)#interface fastEthernet 0/5 To enter port 5 configuration mode Switch(config)#interface range fastEthernet 0/2 - 48 To enter port 2 - 48 configuration mode Switch(config-if)#switchport mode access To hardcode this port to a computer Switch(config-if)#switchport port-security maximum [#] To set limit to the number of mac address Switch(config-if)#switchport port-security violation shutdown To set port to shut down in violation cases Protect it will prevent the other mac addresses from connecting Restrict it will prevent the other mac addresses from connecting and it logs them Shutdown fully shuts down the port and has to be manually turned on Switch(config-if)#switchport port-security mac-address [H.H.H] To define mac address for the port Switch(config-if)#switchport port-security mac-address sticky To hardcode the current mac to the port Switch#show port-security interface fastEthernet 0/5 To show port 5 security information Switch#show port-security To show all defined port security information Switch(config)#interface fastEthernet 0/2 Switch(config-if)#duplex half To set duplex to half to match the other side Switch(config-if)#speed 10 To set port speed to 10Mbps, cause interface to restart Always make sure to hardcode the speed and duplex for servers, printers, switches, routers, and Optimizing Switch(config-line)#logging synchronous Prevents from typing at the end of system messages Switch(config-line)#exec-timeout [min] [sec] To set the idle timer Switch(config-line)#no exec-timeout To disable idle timer completely, so you wont get kicked out This has to be done for all the virtual terminals such as ssh and telnet separately Switch(config)#no ip domain-lookup To prevent system from trying resolve bad commands Switch(config)#alias exec [shortcut] [command] To create shortcuts for long commands Switch(config)#alias exec save copy running-config startup-config Troubleshooting Switch#show ip interface brief Switch#show interface fastEthernet [#] Runts packet doesnt have enough information to be considered a real packet Giants packet that get dropped because they are way bigger than what they are supposed to be Collisions happen if there is a duplex mismatch Late Collisions happen if the cable is too long Switch#show running-config Broadcast Storm broadcasts fall in a loop in between switches Spanning-Tree Protocol blocks redundancies until they are needed (how is in ICDN2)

CCENT 16 PAN Personal Area Network (Bluetooth headset, Wireless mouse) LAN Local Area Network (Wireless networks) MAN Metropolitan Area Network (Building to building) WAN Wide Area Network (Cellular Networks, cell phones) Wireless LAN Facts: WAP Wireless Access Point communicates like a HUB o More people = less bandwidth o Shared Signal o Half Duplex Uses unlicensed bands of radio frequency (First come, first serve) o 900 MHz Range: 902 - 928 o 2.4 GHZ Range: 2.400 - 2.483 o 5 GHz Range: 5.150 - 5.350 o Lower frequency = less bandwidth = lower data rates = better range o Walls absorb signals and metals reflect signals Wireless is a physical and data link standard o IPs o MACs Uses CSMA/CA instead of CSMA/CD o Collision Avoidance o Wireless cant handle collision and cant detect collision Connectivity Issues coz of interference o Microwaves

Ethernet 802.3 Wireless Standards: 802.11B (2.4GHz) o September 1999 o Up to 11 MBps o Most popular standard o 3 Clean Channels 802.11G (2.4GHz) o June 2003 o 54 MBps o Backward compatible with 802.11B o 3 Clean Channels 802.11A (5.4GHz) o September 1999 o 54 MBps o Not Cross-compatible with 802.11B and 802.11G o 12 to 23 Clean Channels 802.11N (2.4GHz and 5.4GHz) o More than 100 MBps o MIMO - Multiple Input/Multiple Outputs - Uses many antennas

Wireless Channels:

Wireless Coverage:

Wireless Regulators: ITU-R (Internationa Telecommunication Union Radiocommunication Sector) Regulates the radio frequencies used for wireless transmission IEEE (Institute of Electrical And Electronic Engineers) Maintains the 802.11 Wireless transmission standards WIFI Alliance Ensures certified interoperability between 802.11 wireless vendors

CCENT 17 Wireless Dangers: WarDriving Driving around to find open wireless networks Hackers Employees (rogues) employees setting up and using wireless under the table (ignorance)

Wireless Security: Authentication Requires username and password to connect to the wireless network Encryption Encrypts the data so others cant read them IPS (Intrusion Prevention System) Detects illegal access points and behaves as designed.

Encryption and Authentication Combinations: Originally: Pre-Shared Key WEP o Everyone used 1 key to access the access point Evolution 1: Pre-Shared Key WPA1 (Wi-Fi Protected Access) o Uses the same hardware as WEP, but different software and firmware o Uses TKIP encryption method (Temporal Key Integrity Protocol) Evolution 2: WPA1 and 802.1x Authentication o A username and password which is authenticated by a server is used to create a session o Both sides create a unique encryption key that used only for that session o Username and password can be disabled on the server to prevent authentication Evolution 3: WPA2 (802.11I) and 802.1x Authentication o Removal all the old hardware and methods o AES requires all set of new hardware

Understanding the SSID: SSID (Service Set Identifier), uniquely identifies and separates wireless networks When a wireless client is enabled: 1. Client issues a probe Hello! Who is out there? 2. Access Point(s) respond with a beacon We are here with these SSIDs that you can join! 3. Client associates with the chosen SSID I want to join the public SSID 4. Access Point adds client MAC to association table The closes AP takes responsibility for the client and all of its traffic as long as the client is not moving. If the client moves and the signal weakens, the client will start sending out probes again

Correct design of WLAN: RF service areas should have a 10-15% overlap on different channels Repeators should have a 50% overlap, also on different channels Boardering access points shoud use different channels Use wireless sniffers to fogure out the coverage area and the range BSS (Basiv Service Set) - Signel access point with all the service area that its able to reach ESS (Extended Service Set) - Two or more BSSs that are unified and work together

Setting up a Wireless Network: 1. 2. 3. 4. 5. Pre-test the switch port with a laptop and make sure everything is good Connect the wireless access point and make sure its glowing Set up and test SSIDs with no security Add and test security and test using a simple pre-shared key Add and test authentication (802.1x) if needed

CCENT 19 Network Subnetting: 1. 2. Determine the number of networks and convert it to binary 5 networks = 00000101 (It takes 3 bits to make the number 5) Reserve bits in subnet mask and find your increment 255.255.255.0 = 11111111.11111111.11111111.00000000 We add 3 bits to the network to represent 5 subnets 11111111.11111111.11111111.11100000 = 255.255.255.224 Increment is lowest network bit converted to decimal = 32 11111111.11111111.11111111.11100000 = 128 64 32 16 8 4 2 1 Bit notation is 255.255.255.224/27 Use increment to find your network ranges 216.21.5.0 - 216.21.5.31 216.21.5.32 - 216.21.5.63 216.21.5.64 - 216.21.5.95 216.21.5.96 - 216.21.5.127 216.21.5.128 - 216.21.5.159 216.21.5.160 - 216.21.5.191 216.21.5.192 - 216.21.5.223 216.21.5.224 - 216.21.5.255 Highest number that we can get from 3 bits is 8, which is why we came up with 8 networks as a result. We dont have to use all of them. And if we used 2 bits instead of 3, we could get only maximum 4 networks from it which is less than 5, hence not good enough for our company.

3.

CCENT 20 Host Subnetting: 1. 2. Determine the number of hosts and convert it to binary 30 hosts = 00011110 (It takes 5 bits to make the number 30) Reserve bits in subnet mask and find your increment 255.255.255.0 = 11111111.11111111.11111111.00000000 We add 5 bits to the host to represent subnets of 30 hosts 11111111.11111111.11111111.11100000 = 255.255.255.224 Increment is lowest network bit converted to decimal = 32 11111111.11111111.11111111.11100000 = 128 64 32 16 8 4 2 1 Bit notation is 255.255.255.224/27 Use increment to find your network ranges 216.21.5.0 - 216.21.5.31 216.21.5.32 - 216.21.5.63 216.21.5.192 - 216.21.5.223 216.21.5.224 - 216.21.5.255 Cant use the first host coz its the networks identifier Cant use the last host coz its used for broadcasting

3.

CCENT 21 Reverse Engineering Subnets: 1. 2. Break the subnet mask into binary 255.255.255.240 = 11111111.11111111.11111111.11110000 Find your increment Increment is the lowest network bit in subnet mask so 11110000 = 16

The Great Exception: 1. 2. Networks, when finding networks subtract 1 Hosts, when finding hosts add 1

CCENT 22 Cisco invented the router as we know it enable configure terminal interface range fastEthernet 0 3 no shutdown enable interface vlan 1 ip xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx

CCENT 23 SDM = Security Device Manager Setting up for SDM is very similar to setting up for SSH 1. Generate Encryption Keys (used in SSH and HTTPS) configure terminal ip domain-name zoo.local crypto key generate rsa general-keys (RSA is used for SSH and HTTPS) The name for the keys will be ZOORouter.zoo.local 1024 Turn on the HTTP/HTTPS servers for your router configure terminal ip http server (this for port 80) ip http secure-server (this is for port 443) Create a privilege level 15 user account (15 is the highest possible on a Cisco device) configure terminal username kamranf privilege 15 secret Password1 (privilege 15 will log you straight into privilege mode)s Configure your VTY and HTTP access ports for privilege level 15 and to use the local user databases configure termina ip http authentication local line vty 0 4 login local (this will ask for the username in addition to password) Install Java and access the router using a web browser (if SDM installed on router) OR access the router using SDM (if SDM installed on the computer)

2.

3.

4.

5.

Transport Protocol enable configure terminal line vty 0 4 transport input ? (all, none, ssh, telnet) transport input telnet ssh

CCENT 24 Using SDM to configure DHCP DHCP (Dynamic Host Configuration Protocol) 1. 2. 3. PC: DHCP Discover Packet (Broadcast) Hi anybody, I need an IP address... Server: DHCP Officer (Unicast) Here is my offer of an IP address for you PC: DHCP Request (Unicast) Okay, looks good to me. I dont have an IP so this looks great. I accept your offer. Thank you for this. I will use this. Server: DHCP ACK (Unicast) Got you, now I have assigned you that IP address. I have added to that IP address for you in my database.

4.

SDM Configuration Delivered to the Router ip dhcp pool LAN_Addresses network 192.168.1.0 255.255.255.0 domain-name home.local dns-server 4.2.2.2 default-router 192.168.1.1. import all lease 3 exit ip dhcp excluded-address 192.168.1.1 192.168.1.19 ip dhcp excluded-address 192.168.1.101 192.168.1.254 show ip dhcp binding (shows all the leased ip addresses)

CCENT 25 Implementing Static Routing On Router 1: ip route 192.168.3.0 255.255.255.0 192.168.2.2 show ip route ping 192.168.3.1 YAY On Router 2: ip route 192.168.1.0 255.255.255.0 192.168.2.1 show ip route ping 192.168.1.2 YAY Default Routing (for internet access) ip route 0.0.0.0(any ip) 0.0.0.0(any subnet) 68.110.171.97(ISP) DNS on a Router ip name-server 4.2.2.2 ping google.com Static Route both ways, otherwise ping wont work

CCENT 26 Implementing Dynamic Routing with RIP Routing Protocols: Tell your friends what you know Distance Vector o Easy to configure o Not many futures (slow at detecting problems) o RIP, perfect for small environments, uses hop counts (number of routers) o IGRP Link State o Difficult to configure o Feature-rific o OSPF (OSPF > RIP) o IS-IS Hybrid o The best of both Worlds o Proprietary (Required all Cisco routers) o EIGRP (Easy to configure and full of futures)

RIP Algorithm first developed in 1969 Comes in 2 versions o RIPv1 Classful Version (Does not support VLSM - Variable Length Subnet Masks) It advertises Networks, but not Subnet masks It could assume its of the wrong class because its over interface is of that class We HAVE TO stick to the same subnet mask wherever we go! Required no Authentication It didnt need a password to join the RIP routing network (Fake networks were created) Broadcasts (once every 30 seconds) Thats a lot of network traffic o RIPv2 (We only use this today) Classless Version (Supports VLSM) Subnet masks were advertised with networks Authentication Routers required authentication to accept routing updates Multicast If networks were setup properly, only RIP routers would receive RIP updates Configuring RIP 1. Turn on RIP: router rip 2. Change the Version: version 2 3. Enter Network Statements: network 192.168.1.0 / network 192.168.2.0 Tells RIP what networks to advertise Tells RIP what interfaces to send advertisements on 4. Check your configuration: show ip protocols / debug ip rip

FOR THE ROUTER CONNECTION TO INTERNET, ADVERTISE THE INTERNET SIDE AS CLASS A router rip / version 2 / network 68.0.0.0

CCENT 27 Internet Access with NAT and PAT NAT (Network Address Translation) Allows multiple devices to share an internet IP address NAT Overload - PAT (Port Address Translation) Allows sharing of a public address using source port numbers Static NAT Used for Serves and allows one to on translations Basic PAT Configuration Allows internal computers to communicate with internet with our public address access-list 1 remark SDM_ACL Category=2 access-list 1 permit 192.168.1.0 0.0.0.255 interface Vlan 1 ip nat inside exit interface FastEthernet4 ip nat outside exit ip nat inside source list 1 interface FastEthernet4 overload (if no overload, only 1 pc could access internet) show ip nat translations (shows the routers NAT table)

CCENT 28 WAN Connectivity WAN links define a new type of Layer 1 and Layer 2 connectivity o Layer 1: Physical --> Serial Physical Connections No more Ethernet cables, CAT5, RJ45 connectors o Layer 2: Data Link --> Frame Relay, ATM, PPP, HDLC No more MAC addresses (now we have Data Link Connection Identifier or DLCI) Allows links to the other internet or other offices Many different types, prices, and speeds (Metro Internet)

Styles of WAN Connections Leased Lines: Dedicated bandwidth between locations Most expensive of the all o T1 CAS, T1 is just measure of speed (1.544Mbs) o E1 CAS Circuit Switched: On-Demand bandwidth connection between locations Least expensive, but takes long to setup and least amount of bandwidth o Dial-Up Modems, o ISDN Packet Switched: Shared, but Guaranteed, bandwidth between locations You get at least what you are paid for if not more, uses virtual circuit through clouds o Frame Relay o ATM o X25, older version but common over seas

HDLC (High level Data Link Control) Layer 2 protocol that runs between routers instead of Ethernet Cisco ONLY Benefit: simplicity, you just plug the cables in and it starts working Alternative: PPP

PPP (Point-to-Point Protocol) for non Cisco devices Layer 2 protocol that runs between routers instead of Ethernet Cisco and other brands Benefit: simplicity, you just plug the cables in and it starts working Alternative: HDLC Setup: configure terminal interface serial 0/0 encapsulation ppp

For home just use a cross-over serial cable with 2 heads (DTE/DCE) show controller serial 0/1/0 If DCE you can set the clock rate by typing configure terminal int s0/1/0 clock rate 1536000 (speed in bits per second, so T1) In the real world the ISP will setup clock rate for you At home if you dont setup clock rate, the WAN wont come online!

CCENT 29 Managing TELNET and SSH Sessions Ctrl + Shift + 6 then X - Suspend Telnet/SSH session o Exit - does the same Show Sessions - Shows open sessions from your router o Resume 1 - Sends you back to connection 1 o 1 - Sends you back to connection 1 o Enter - Sends you back to the most recent connection Show Users - Shows open sessions to your router Disconnect - Kills one of your open telnet sessions Clean Line <x> - Kills an open Telnet session to you

Cisco Discovery Protocol Allows you to see directly connected Cisco Devices (Only Cisco!) show cdp neighbours show cdp entry CBTRouter (same as show cdp neighbours details) no cdp enable (can be done under a specific interface, used for cutting off the outside world) no cdp run Useful for building accurate network diagrams

CCENT 30 Memory Components RAM - Random Access Memory o Pro: Extremely Fast o Con: Its volatile. On shut down all memory is gone o Size: Its big, around 256 MB o Used for: running-config NVRAM o Pro: Non-Volatile RAM o Size: Very small, around 100 KB o Used for: Storing the startup config o Copy running-config startup-config, which copies from RAM to NVRAM FLASH o Size: Around 60 MB o Used for: Storing the IOS o On boot, the IOS is copied and decompressed from Flash to Ram

TFTP Server - Trivial File Transfer Protocol Server Uses UDP port 69 Used for: o Backing up files copy running-config tftp://192.168.1.50/CBTRouter-config.txt copy flash iso.bin tftp://192.168.1.50/ios-backup.bin o Restoring files copy tftp://192.168.1.50/CBTRouter-config.txt startup-config o Booting from boot system tftp://192.168.1.50/iso-backup.bon If files doesnt exist the router will use Flash to boot Recommended: TFTP32 Attention: Copying from TFTP to RAM will merge the files! (and override) Attention: Copying from TFTP to NVRAM will replace the files!