8/11/2019 CCNA Certification Training - Session 4-2012_04
1/49
Cisco Confidential 1 2010 Cisco and/or its affiliates. All rights reserved.
CCNA Certification Preparation
Session 4 of 4
April, 2012
Jaskaran Kalsi & Bogdan Doinea
Assoc. Technical Managers
Europe/CEE/RCIS
Cisco Networking Academy
NAT
PPP
Frame Relay
Access Lists
Troubleshooting
WAN connections are often leased lines, PPP, Frame Relay or ATM; they work on OSI layer 2.
Instead of MAC addresses, each has its own layer 2 addressing scheme (DLCI, VPI/VCI, etc.).
HDLC (High-level Data Link Control)
Cisco proprietary (enabled by default)
Low overhead
PPP (Point-to-Point Protocol)
Open protocol
Moderate overhead
Features: authentication, compression, etc.
Router(config)#interface serial 0/0
Router(config-if)#encapsulation ppp
Router#show interfaces serial 0/0
In the show output, "Link Control Protocol is open" means LCP is up. LCP handles all the features, services and service messages of PPP.
Network Control Protocol family (NCP): IP Control Protocol (IPCP) allows IP to work over PPP; CDP Control Protocol (CDPCP) allows Cisco Discovery Protocol to work over PPP.
PPP can use the PAP or CHAP authentication methods.
PAP (Password Authentication Protocol) uses an encrypted password, as in the example below; encrypted passwords can be decrypted (cracked).
CHAP (Challenge Handshake Authentication Protocol) uses a hashed password; hashed passwords cannot be decrypted.
Notes: sent-username and password must match the remote username and password. Passwords are case-sensitive, but usernames are not. Hostnames are not involved.
Topology: 172.25.3.0/24 between S0 .1 (DCE) and S0 .2 (DTE).
SantaCruz:
hostname SantaCruz
username HQ password HQpass
interface Serial0
 ip address 172.25.3.2 255.255.255.0
 encapsulation ppp
 ppp authentication pap
 ppp pap sent-username SantaCruz password SantaCruzpass
HQ:
hostname HQ
username SantaCruz password SantaCruzpass
interface Serial0
 ip address 172.25.3.1 255.255.255.0
 encapsulation ppp
 ppp authentication pap
 ppp pap sent-username HQ password HQpass
Notes: hostnames are involved unless the ppp chap hostname command is used, and must match the remote router's username command (not case-sensitive). Passwords are case-sensitive and must match.
Topology: 172.25.3.0/24 between S0 .1 (DCE) and S0 .2 (DTE).
SantaCruz:
hostname SantaCruz
username HQ password boardwalk
ppp chap hostname SantaCruz (optional)
interface Serial0
 ip address 172.25.3.2 255.255.255.0
 encapsulation ppp
 ppp authentication chap
HQ:
hostname HQ
username SantaCruz password boardwalk
ppp chap hostname HQ (optional)
interface Serial0
 ip address 172.25.3.1 255.255.255.0
 encapsulation ppp
 ppp authentication chap
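To make the PAP/CHAP difference concrete, here is an added Python model of the two exchanges, written for this page; it is not Cisco code and not from the slides. It assumes a constructed username table (USER_DB, mirroring the CHAP example's username/password commands on HQ and SantaCruz) and helper names of its own; the CHAP arithmetic follows RFC 1994 (MD5 over identifier, shared secret and challenge). The model also applies the slides' matching rules: the peer's name is looked up case-insensitively, the password comparison is exact. What crosses the link differs: in PAP the password itself, in CHAP only a digest of a one-time challenge, so the shared secret is never transmitted and a captured CHAP response does not satisfy a later challenge.

```python
import hashlib
import hmac
import os

# Constructed peer tables mirroring the slides' "username <name> password <secret>" commands
# (CHAP example: both routers share the secret "boardwalk"). Keys are lower-cased because
# usernames are matched case-insensitively.
USER_DB = {
    "HQ":        {"santacruz": "boardwalk"},   # on HQ:        username SantaCruz password boardwalk
    "SantaCruz": {"hq":        "boardwalk"},   # on SantaCruz: username HQ password boardwalk
}

def lookup_secret(local_router, peer_name):
    """Secret configured for the peer, or None if the name is unknown on this router."""
    return USER_DB[local_router].get(peer_name.lower())

# ---- PAP: the Authenticate-Request carries the username and the password itself ----
def pap_request(sent_username, password):
    """Constructed representation of what 'ppp pap sent-username ... password ...' sends."""
    return {"username": sent_username, "password": password}

def pap_verify(local_router, request):
    secret = lookup_secret(local_router, request["username"])
    # Passwords are case-sensitive: exact, constant-time comparison.
    return secret is not None and hmac.compare_digest(secret.encode(), request["password"].encode())

# ---- CHAP (RFC 1994): challenge / response / success-or-failure; the secret never leaves a router ----
def chap_challenge(ident, size=16):
    """Authenticator side: a fresh random challenge tagged with an 8-bit identifier."""
    return {"id": ident & 0xFF, "challenge": os.urandom(size)}

def _chap_digest(ident, secret, challenge):
    # RFC 1994: Response Value = MD5(Identifier || secret || Challenge Value)
    return hashlib.md5(bytes([ident]) + secret.encode() + challenge).digest()

def chap_response(challenge_msg, local_hostname, secret):
    """Peer side: hash the secret with the challenge; the Name field carries the peer's hostname."""
    return {"id": challenge_msg["id"],
            "value": _chap_digest(challenge_msg["id"], secret, challenge_msg["challenge"]),
            "name": local_hostname}

def chap_verify(local_router, challenge_msg, response_msg):
    """Authenticator side: recompute the digest from its own copy of the secret and compare."""
    if response_msg["id"] != challenge_msg["id"]:
        return False                                   # answer to some other challenge
    secret = lookup_secret(local_router, response_msg["name"])   # Name must match a 'username' entry
    if secret is None:
        return False
    expected = _chap_digest(challenge_msg["id"], secret, challenge_msg["challenge"])
    return hmac.compare_digest(expected, response_msg["value"])

def run_chap(authenticator, peer_hostname, peer_secret, ident=1):
    """Full three-way exchange between an authenticator and a peer; True on success."""
    challenge = chap_challenge(ident)
    response = chap_response(challenge, peer_hostname, peer_secret)
    return chap_verify(authenticator, challenge, response)

def replayed_response_is_rejected(authenticator="HQ", peer="SantaCruz", secret="boardwalk"):
    """A response recorded from one exchange does not satisfy a later, fresh challenge."""
    first = chap_challenge(1)
    recorded = chap_response(first, peer, secret)
    later = chap_challenge(1)                          # same identifier, new random challenge value
    return chap_verify(authenticator, later, recorded) is False

if __name__ == "__main__":
    print("PAP  HQ<-SantaCruz:", pap_verify("HQ", pap_request("SantaCruz", "boardwalk")))
    print("CHAP HQ<-SantaCruz:", run_chap("HQ", "SantaCruz", "boardwalk"))
    print("CHAP replay rejected:", replayed_response_is_rejected())
```

The `debug ppp authentication` output on the next slide is where the same mismatches show up on a real router: an unknown Name or a wrong secret both end the CHAP exchange with a Failure.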
Do a Router#debug ppp authentication and re-enable the interface (shutdown / no shutdown).
Layer 1: cable problems result in "Serial0/0/0 is down, line protocol is down".
Layer 2: clock rate, encapsulation or authentication errors result in "Serial0/0/0 is up, line protocol is down".
Layer 3: "Serial0/0/0 is up, line protocol is up". Still does not work? PPP is not involved here. Check IP addressing!
Which of the following are key characteristics of PPP (choose two)?
PPP can work with several routed protocols
PPP provides error correction and compression
PPP supports only IP
PPP works on Layer 3 OSI model
Which PPP sub-protocol is responsible for establishing and terminating a connection?
o NCP
o IPCP
o CDP
o LCP
o DLCI
o VPI/VCI
The PPP link between RTA and RTB seems to be down. What could be the problem?
o Incorrect IP addressing
o Wrong type of cable
o Incorrect encapsulation on Layer 2
o Link reliability is too poor
Packet switched: X.25 => Frame Relay => ATM => MPLS
Can be more flexible than leased lines; bandwidth may vary
Point-to-point or multipoint
CIR (Committed Information Rate): minimum bandwidth guaranteed by the ISP.
LAR (Local Access Rate): maximum bandwidth of the local physical link (like 100 Mb/s for FastEthernet).
LMI (Local Management Interface): language used between the ISP and the end device. Purpose: manage the service parameters of the connection (quality, statistics, etc.).
DLCI (Data Link Connection Identifier): analog of a MAC address, used in FR.
PVC (Permanent Virtual Circuit): your dedicated virtual link, the way through the cloud.
Your serial link can have many PVCs, each with its own agreed CIR and DLCI. You can have many PVCs as long as the sum of their bandwidths fits within the LAR.
FECN (Forward Explicit Congestion Notification): indicates frames that the switch receives on the congested link.
BECN (Backward Explicit Congestion Notification): marks packets that the switch places onto the congested link.
DE (Discard Eligibility): flag set on less important packets, which can be dropped in case of congestion.
In FR, DLCIs are used instead of MAC addresses.
DLCIs are locally significant: you only know your local (own) DLCI, and you never know the destination DLCI.
The PVC is your path through the FR cloud, but you don't care how it is selected. That is the ISP's responsibility, not yours.
You should only care about your DLCI.
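The congestion bits (FECN, BECN, DE) and the DLCI from the two slides above all live in the 2-octet Q.922 address field at the front of every Frame Relay frame. Here is an added Python parser for that field, written for this page rather than taken from the slides or any Cisco tool, plus a small per-DLCI counter of the kind a monitoring script would keep. The frames it reads are constructed inline (the DLCI values 301 and 302 follow the slides' hub-and-spoke example) and the helper names are its own; the bit layout is the standard 2-octet format: octet 1 holds the upper 6 DLCI bits, C/R and EA=0, octet 2 the lower 4 DLCI bits, FECN, BECN, DE and EA=1.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class FrameRelayHeader:
    dlci: int      # 10-bit Data Link Connection Identifier, meaningful only on this local link
    cr: bool       # Command/Response bit, carried transparently by the network
    fecn: bool     # Forward Explicit Congestion Notification
    becn: bool     # Backward Explicit Congestion Notification
    de: bool       # Discard Eligibility

def parse_fr_header(frame: bytes) -> FrameRelayHeader:
    """Decode the default 2-octet Q.922 address field at the start of a Frame Relay frame.

    Octet 1: DLCI bits 9..4 | C/R | EA=0     Octet 2: DLCI bits 3..0 | FECN | BECN | DE | EA=1
    """
    if len(frame) < 2:
        raise ValueError("frame too short for a 2-octet address field")
    b1, b2 = frame[0], frame[1]
    if (b1 & 0x01) != 0 or (b2 & 0x01) != 1:
        raise ValueError("only the 2-octet address format (EA bits 0,1) is handled here")
    dlci = ((b1 >> 2) << 4) | (b2 >> 4)
    return FrameRelayHeader(dlci=dlci, cr=bool(b1 & 0x02),
                            fecn=bool(b2 & 0x08), becn=bool(b2 & 0x04), de=bool(b2 & 0x02))

def build_fr_header(dlci: int, cr=False, fecn=False, becn=False, de=False) -> bytes:
    """Inverse of parse_fr_header; used here only to construct sample frames."""
    if not 0 <= dlci <= 1023:
        raise ValueError("DLCI must fit in 10 bits")
    b1 = ((dlci >> 4) << 2) | (0x02 if cr else 0)                      # EA = 0
    b2 = (((dlci & 0x0F) << 4) | (0x08 if fecn else 0)
          | (0x04 if becn else 0) | (0x02 if de else 0) | 0x01)         # EA = 1
    return bytes([b1, b2])

def congestion_summary(frames):
    """Count FECN/BECN/DE markings per local DLCI across a batch of received frames.

    BECN on frames arriving here signals congestion in the direction this router is sending on
    that PVC; FECN says the frames themselves crossed a congested link; DE frames are dropped first.
    """
    counts = defaultdict(lambda: {"frames": 0, "fecn": 0, "becn": 0, "de": 0})
    for frame in frames:
        hdr = parse_fr_header(frame)
        c = counts[hdr.dlci]
        c["frames"] += 1
        c["fecn"] += int(hdr.fecn)
        c["becn"] += int(hdr.becn)
        c["de"] += int(hdr.de)
    return dict(counts)

# Constructed sample frames on local DLCIs 301 and 302 (the hub's DLCIs in the slides' example).
SAMPLE_FRAMES = [
    build_fr_header(301) + b"payload-1",
    build_fr_header(301, becn=True) + b"payload-2",
    build_fr_header(301, becn=True, de=True) + b"payload-3",
    build_fr_header(302, fecn=True) + b"payload-4",
]

if __name__ == "__main__":
    for dlci, c in congestion_summary(SAMPLE_FRAMES).items():
        print(f"DLCI {dlci}: {c}")
```

Because a DLCI is only locally significant, the summary is keyed by the DLCI as seen on this router's link; the same PVC carries a different DLCI at the far end, which is why the slides insist you only need to care about your own.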
Multipoint Subinterface at the Hub and Point-to-Point Subinterfaces at the Spokes (one subnet)
Figure: Frame Relay network. Headquarters Hub City, Serial 0, 172.16.3.3, DLCI 301 and DLCI 302; Satellite Office 1 Spokane, Serial 0, 172.16.3.1, DLCI 103; Satellite Office 2 Spokomo, Serial 0, 172.16.3.2, DLCI 203.
Notes: highly scalable solution. Disable split horizon on the hub router when running a distance vector routing protocol.
Interface Serial0 (for all routers):
interface Serial0
 encapsulation frame-relay
 no ip address
HubCity:
interface Serial0.1 multipoint
 ip address 172.16.3.3 255.255.255.0
 frame-relay interface-dlci 301
 frame-relay interface-dlci 302
 no ip split-horizon
Spokane:
interface Serial0.1 point-to-point
 ip address 172.16.3.1 255.255.255.0
 frame-relay interface-dlci 103
Spokomo:
interface Serial0.1 point-to-point
 ip address 172.16.3.2 255.255.255.0
 frame-relay interface-dlci 203
Point-to-Point Subinterfaces at the Hub and Spokes (two subnets)
Figure: Frame Relay network. Headquarters Hub City, Serial 0.1 172.16.1.1/24 (DLCI 301) and Serial 0.2 172.16.2.1/24 (DLCI 302); Satellite Office 1 Spokane, Serial 0.1 172.16.1.2/24 (DLCI 103); Satellite Office 2 Spokomo, Serial 0.1 172.16.2.2/24 (DLCI 203).
Each subinterface on the hub router requires a separate subnet (or network). Each subinterface on the hub router is treated like a regular physical point-to-point interface, so split horizon does not need to be disabled.
Interface Serial0 (for all routers):
interface Serial0
 encapsulation frame-relay
 no ip address
HubCity:
interface Serial0.1 point-to-point
 ip address 172.16.1.1 255.255.255.0
 frame-relay interface-dlci 301
interface Serial0.2 point-to-point
 ip address 172.16.2.1 255.255.255.0
 frame-relay interface-dlci 302
Spokane:
interface Serial0.1 point-to-point
 ip address 172.16.1.2 255.255.255.0
 frame-relay interface-dlci 103
Spokomo:
interface Serial0.1 point-to-point
 ip address 172.16.2.2 255.255.255.0
 frame-relay interface-dlci 203
With a multipoint subinterface you:
can have multiple DLCIs assigned to it
can use frame-relay map and interface-dlci statements
can use Inverse ARP
Remember, with point-to-point subinterfaces you:
cannot have multiple DLCIs associated with a single point-to-point subinterface
cannot use frame-relay map statements
cannot use Inverse ARP
(can use the frame-relay interface-dlci statement for both point-to-point and multipoint)
What are three Frame Relay congestion management mechanisms? (Choose three.)
BECN
DLCI
DE
FECN
LMI
Inverse ARP
Based on the output of the router connected to a FR cloud, what is the meaning of the dynamic statement?
Router#show frame-relay map
Serial0/0/0 (up): ip 10.0.0.2 dlci 102, dynamic, broadcast,
              CISCO, status defined, active
DLCI 102 has been dynamically allocated by the ISP
Interface S0/0/0 was dynamically configured with the help of DLCI 102
IP address 10.0.0.2 is configured via DHCP
The remote IP address 10.0.0.2 was mapped to the local DLCI 102 dynamically via Inverse ARP
What are the three possible LMI types?
PAgP
IETF
CDPCP
Cisco
ANSI
inARP
Q.933A
Why is this FR network failing?
o Split horizon must be disabled.
o The LMI type must be specified.
o Logical subinterfaces must be used instead.
o The frame-relay map commands are using incorrect DLCIs.
ACLs are for identifying traffic: permitting, denying, enabling or disabling something.
Not just a traffic filter or firewall. Can be used in:
Traffic control
Access control
NAT
Quality of Service
Demand dial routing
Route filtering
and more
ACLs are read from TOP to BOTTOM and STOP at the FIRST match.
There is an invisible implicit "deny any" at the end.
Applied to an interface inbound or outbound, assuming that you are inside the router.
STANDARD
Matches based on source address
# 1-99
Applied to the port closest to the destination
EXTENDED
Matches based on source/destination address, port number, protocol
# 100-199
Applied to the port closest to the source
REFLEXIVE
Allows return traffic from an internal request (established)
A network mask is a way to understand where the network portion of the IP address ends and where the host portion begins. A wildcard mask is a tool for filtering IP address bits: which bits should go through a security control?

IP address     11000000.10101000.00000010.00100110
Subnet mask    11111111.11111111.11110000.00000000   (network portion | host portion)
LOGICAL ANDing process
Net. address   11000000.10101000.00000000.00000000

Reference IP   11000000.10101000.00000010.00100110
Wildcard mask  00000000.00000000.00001111.11111111   (check these bits | don't care)
Subject        11000000.10101000.00000010.00000000
Wildcard mask 0.0.1.128 will require the first 23 and the last 7 bits of the IP address to be checked. Given the reference IP 192.168.2.38:
192.168.2.38 ok
192.168.2.166 ok
192.168.3.38 ok
192.168.3.166 ok
All others will not match!
Reference IP   11000000.10101000.00000010.00100110
Wildcard mask  00000000.00000000.00000001.10000000   (check these bits | don't care | check)
192.168.2.38   11000000.10101000.00000010.00100110
192.168.2.166  11000000.10101000.00000010.10100110
192.168.3.38   11000000.10101000.00000011.00100110
192.168.3.166  11000000.10101000.00000011.10100110
192.168.3.39   11000000.10101000.00000011.00100111   (last checked bit differs: no match)
Example: 172.16.32.0 255.255.240.0
RouterB(config)#access-list 10 permit 172.16.32.0 0.0.15.255
We can calculate the wildcard mask by subtracting the subnet mask from 255.255.255.255:
                 255 . 255 . 255 . 255
Subnet mask:   - 255 . 255 . 240 .   0
               -----------------------
Wildcard mask:     0 .   0 .  15 . 255
Remember:
The wildcard mask for a given contiguous network is always the inverse of the subnet mask, NOT vice versa.
If not sure, think in binary! Twice!
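The two wildcard slides above (the discontiguous 0.0.1.128 example and the subtraction rule) are easy to check mechanically. Below is an added Python helper set written for this page, not taken from the slides or from IOS: it inverts a subnet mask the way the slide subtracts, tests whether a wildcard is the inverse of some subnet mask at all (0.0.1.128 is not, which is the slide's "NOT vice versa"), applies IOS matching semantics (a 0 bit must match, a 1 bit is "don't care"), enumerates every address a reference/wildcard pair matches, and, going one step beyond the slides, derives the wildcard for an aligned address range. All function names are this example's own assumptions; the addresses are the slides' own values.

```python
import ipaddress
from itertools import product

def _to_int(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))

def _to_dotted(value: int) -> str:
    return str(ipaddress.IPv4Address(value))

def wildcard_from_mask(subnet_mask: str) -> str:
    """255.255.255.255 minus the subnet mask, octet by octet (the slide's subtraction)."""
    return ".".join(str(255 - int(octet)) for octet in subnet_mask.split("."))

def is_contiguous_wildcard(wildcard: str) -> bool:
    """True only if the wildcard is a run of 0s followed by a run of 1s, i.e. the inverse of a subnet mask."""
    wc = _to_int(wildcard)
    return (wc & (wc + 1)) == 0

def wildcard_matches(reference: str, wildcard: str, candidate: str) -> bool:
    """IOS semantics: where the wildcard bit is 0 the candidate must equal the reference; 1 means don't care."""
    wc = _to_int(wildcard)
    return ((_to_int(reference) ^ _to_int(candidate)) & ~wc) == 0

def enumerate_matches(reference: str, wildcard: str, limit: int = 4096) -> list:
    """Every address matched by reference/wildcard, in ascending order; refuses sets larger than limit."""
    wc = _to_int(wildcard)
    free_bits = [1 << i for i in range(32) if wc & (1 << i)]     # the "don't care" positions
    if 2 ** len(free_bits) > limit:
        raise ValueError(f"{2 ** len(free_bits)} matches; raise limit to enumerate")
    base = _to_int(reference) & ~wc                               # reference with don't-care bits cleared
    addresses = sorted(base | sum(bits) for bits in product(*[(0, b) for b in free_bits]))
    return [_to_dotted(a) for a in addresses]

def wildcard_for_range(first: str, last: str) -> str:
    """Wildcard that matches exactly the block first..last, if the block is aligned (e.g. a subnet)."""
    lo, hi = _to_int(first), _to_int(last)
    if lo > hi:
        raise ValueError("first address must not exceed last")
    wc = lo ^ hi
    # The block is expressible iff lo has 0s in every varying position and those positions are a low run of 1s.
    if (lo & wc) != 0 or (wc & (wc + 1)) != 0:
        raise ValueError("range is not an aligned block; a single wildcard cannot express it")
    return _to_dotted(wc)

if __name__ == "__main__":
    print("255.255.240.0 ->", wildcard_from_mask("255.255.240.0"))
    print("0.0.1.128 is a mask inverse:", is_contiguous_wildcard("0.0.1.128"))
    print("192.168.2.38 / 0.0.1.128 matches", enumerate_matches("192.168.2.38", "0.0.1.128"))
    print("172.16.32.0-172.16.47.255 ->", wildcard_for_range("172.16.32.0", "172.16.47.255"))
```

The "think in binary" advice is exactly what `wildcard_matches` does: it XORs the reference and the candidate and then checks that no differing bit falls on a position the wildcard says to check.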
Standard ACL
Extended ACL
Named ACL
A network administrator would like to permit access to the Internet only for hosts that are assigned an address in the range 172.16.8.0 - 172.16.15.255. Which wildcard mask should be used?
o 0.0.0.255
o 0.0.255.255
o 0.0.3.255
o 255.255.248.0
o 0.0.7.255
There is a need to restrict telnet access to R2's LAN for all R1's LAN users. Which ACL can be used in this case, and where should it be applied?

R1(config)#access-list 101 deny tcp 192.168.12.0 0.0.0.255 192.168.10.0 0.0.0.255 eq 23
R1(config)#access-list 101 permit ip any any
R1(config)#interface fa 0/0
R1(config-if)#ip access-group 101 in

R1(config)#access-list 101 deny tcp 192.168.10.0 0.0.0.255 192.168.12.0 0.0.0.255 eq 25
R1(config)#access-list 101 permit ip any any
R1(config)#interface fa 0/0
R1(config-if)#ip access-group 101 in

R1(config)#access-list 101 deny tcp 192.168.10.0 0.0.0.255 192.168.12.0 0.0.0.255 eq 23
R1(config)#access-list 101 permit ip any any
R1(config)#interface fa 0/0
R1(config-if)#ip access-group 101 in

R2(config)#access-list 101 deny tcp 192.168.10.0 0.0.0.255 192.168.12.0 0.0.0.255 eq 23
R2(config)#access-list 101 permit ip any any
R2(config)#interface fa 0/0
R2(config-if)#ip access-group 101 in
The access list below was applied on the e0/0 interface connected to the 192.168.1.16/29 LAN in the outbound direction:
Access-list 129 deny tcp 192.168.1.16 0.0.0.7 eq 20 any
Access-list 129 deny tcp 192.168.1.16 0.0.0.7 eq 21 any
What is the effect of such an ACL?
FTP traffic from 192.168.1.38 will be denied
FTP traffic from 192.168.1.28 to any host will be denied
No traffic except FTP will be allowed to exit e0/0
All traffic exiting e0/0 will be denied
All FTP traffic to network 192.168.1.16/20 will be denied
Comment: this ACL will deny all traffic, because of the implicit DENY ANY. To avoid it, the statement access-list 129 permit ip any any should have been added below.
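The evaluation rules from the ACL introduction (top to bottom, stop at the first match, implicit deny at the end) are what make the comment above true. Here is an added Python model of IOS numbered-ACL matching, written for this page; it is not IOS or Cisco code, its parser and helper names are its own assumptions, it accepts only numeric ports, and its sample packets are constructed. Run against the two deny lines above, every packet that is not sourced from an FTP port falls through to the implicit deny; appending permit ip any any restores the intended behaviour; and the ordering test at the end shows why the first match, not the most specific one, decides.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class Packet:
    proto: str        # "tcp", "udp", "icmp", ...
    src: str
    dst: str
    sport: int = 0
    dport: int = 0

@dataclass(frozen=True)
class AclEntry:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" matches any protocol
    src: str
    src_wc: str
    dst: str
    dst_wc: str
    sport: Optional[int] = None  # from "eq <n>" after the source address
    dport: Optional[int] = None  # from "eq <n>" after the destination address

def _wc_match(reference: str, wildcard: str, candidate: str) -> bool:
    ref, wc, cand = (int(ipaddress.IPv4Address(a)) for a in (reference, wildcard, candidate))
    return ((ref ^ cand) & ~wc) == 0

def parse_entry(line: str) -> AclEntry:
    """Parse one numbered access-list line (1-99 standard, 100-199 extended); ports must be numeric."""
    toks = line.strip().lower().split()
    if toks[0] != "access-list":
        raise ValueError(f"not an access-list statement: {line!r}")
    number, action, rest = int(toks[1]), toks[2], toks[3:]

    def take_addr():
        nonlocal rest
        if rest[0] == "any":
            rest = rest[1:]
            return "0.0.0.0", "255.255.255.255"
        if rest[0] == "host":
            addr, rest = rest[1], rest[2:]
            return addr, "0.0.0.0"
        addr = rest[0]
        if len(rest) > 1 and rest[1].replace(".", "").isdigit():   # explicit wildcard present
            wc, rest = rest[1], rest[2:]
        else:                                                        # bare address = exact host
            wc, rest = "0.0.0.0", rest[1:]
        return addr, wc

    def take_port():
        nonlocal rest
        if rest and rest[0] == "eq":
            port, rest = int(rest[1]), rest[2:]
            return port
        return None

    if 1 <= number <= 99:                       # standard ACL: source address only
        src, src_wc = take_addr()
        return AclEntry(action, "ip", src, src_wc, "0.0.0.0", "255.255.255.255")
    proto, rest = rest[0], rest[1:]             # extended ACL
    src, src_wc = take_addr()
    sport = take_port()
    dst, dst_wc = take_addr()
    dport = take_port()
    return AclEntry(action, proto, src, src_wc, dst, dst_wc, sport, dport)

def entry_matches(e: AclEntry, p: Packet) -> bool:
    if e.proto != "ip" and e.proto != p.proto:
        return False
    if e.sport is not None and e.sport != p.sport:
        return False
    if e.dport is not None and e.dport != p.dport:
        return False
    return _wc_match(e.src, e.src_wc, p.src) and _wc_match(e.dst, e.dst_wc, p.dst)

def evaluate(acl: List[AclEntry], packet: Packet) -> str:
    """IOS order of evaluation: top to bottom, stop at the first match; no match means the implicit deny."""
    for entry in acl:
        if entry_matches(entry, packet):
            return entry.action
    return "deny"

# The slide's ACL 129 as written (constructed from the two lines above).
ACL_129 = [parse_entry(l) for l in (
    "access-list 129 deny tcp 192.168.1.16 0.0.0.7 eq 20 any",
    "access-list 129 deny tcp 192.168.1.16 0.0.0.7 eq 21 any",
)]
# The same list with the final statement the slide's comment says was missing.
ACL_129_FIXED = ACL_129 + [parse_entry("access-list 129 permit ip any any")]

if __name__ == "__main__":
    web = Packet("tcp", "192.168.1.18", "10.9.9.9", sport=40000, dport=80)   # constructed sample
    print("as written:", evaluate(ACL_129, web), "| fixed:", evaluate(ACL_129_FIXED, web))
```

The `deny`/`permit` strings returned here are the only outcomes an ACL has; what the slides call "enabling or disabling something" is the calling feature (NAT, QoS, route filtering) acting on that verdict.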
Use a common approach
Bottom-up approach using the OSI model
Check all LEDs on your hardware
Use Windows service utilities: ipconfig, ping, trace route
Remember possible SHOW commands
CDP can help, do not forget about it!
Be confident with DEBUG commands and what they represent
Be very careful when subnetting, think twice!
General
sh running-config
Layer 1
sh ip interface brief
sh interfaces
Layer 2
sh cdp neighbors detail
sh frame-relay ?
debug ppp ?
L2 Switching
Sw#sh mac-address-table
Sw#sh vlan brief
Sw#sh spanning-tree
Sw#sh vtp status
Sw#sh interfaces [trunk, switchport]
Layer 3
sh ip route
sh ip protocols
sh ip interface
sh ip [routing protocol name] ?
sh ip nat ?
sh access-lists
sh ip dhcp ?
debug ip rip
PPP
Understanding PPP
PPP authentication
PPP configuration
Frame Relay
Understanding Frame Relay and terminology
Frame Relay topologies
Point-to-Point and Multipoint Frame Relay
Access Lists
What are ACLs
Understanding and calculating the wildcard mask
Configuring ACLs
Troubleshooting
Frequently used commands
Thank you.