Cheat Sheet for Cisco Certified Network Associate Study Guide to Exam 640-507 (2nd Ed.

)
originally by Todd Lammle, published by Sybex; condensed May 2001 by Robert S. with gratitude to Shankar
“Good artists copy. Great artists steal.” – Pablo Picasso I try to avoid repeating myself, so you might have to read the whole booklet to
The best way to study something is to regurgitate it in one’s own words. When find a definition you need. When I introduce terms, I often show them in bold
I studied CCNA, I wrote this thing. I reduced 700 pages to a fourteen-page face type (but, then, I use bold face type for a lot of things).
booklet so I could carry it around, reviewing everywhere I went.
To save space, I use the following conventions:
This document is color-coded, with all the IOS commands in violet arial - I refer to OSI layers as “L2,” “L3,” &c., instead of “data-link” and “network.”
narrow, for example. As I realize the minimal benefits of color when one prints - When I bother to show IOS prompts, I leave off the router names.
on black and white laser printers, I’ve tried to be sensible about my choices. I still - I shorten bandwidth to BW, virtual circuit to VC, configuration file to CF, &c.
suggest you print it in color, if possible. (Word Viewer wrongly italicizes my - The proper Latin plural of “status” is “stati” but I sometimes say “stats.”
commands.) - “Et cetera” (or “etc.,” meaning “and so forth”) can also be written “&c.”
In each chapter, Todd Lammle lists key terms with which you should be I’ve borrowed from other sources, too, because I want as much of the exam here
familiar before the exam. I haven’t tried to define every term but I have written as possible. I’ve tried to make it all self-evident. This booklet, alone, might be
them in blue, underlined in squiggles, so look at each and ask, “Can I define this?” enough to pass the exam (everything on my exam is here) but that wasn’t my goal.
An easier color code to spot is my grey shading. This indicates stuff Lammle, Although Lammle’s $140 book isn’t perfect (his Frame Relay stuff has several
instructors, and some unreliable friends have told me is not likely to be on the errors and omissions, for example, and the CD-ROMs are full of mistakes) but you
exam. Reading it might help your understanding but don’t sweat memorizing it. should still buy it and the network simulator software that comes with it.
Wiggly red lines to either side show text I’ve been strongly warned to study. My exam was 75 minutes & 65 questions. Different exams have different
I’m more careful than Lammle to show correct prompts – I didn’t want to waste passing scores, so your final score is MEANINGLESS. Buona Fortuna! R.S.
Ciscoly Yours,

space repeating config t and int s0 – so it’s up to you to notice the mode
we’re in.
Contents: [Note: Chapters II & VI are paired.] IV – router configuration basics (pg 7) VIII – IPX (pg 10)
I – LANs, OSI model, Cisco model (pg 1) V – IP routing, RIP, IGRP (pg 8) IX – access lists (pg 11)
II – switches, Spanning Tree Protocol (pg 5) VI – VLANs, tagging, VLAN Trunk Protocol (pg 5) X – WANS, HDLC, PPP Frame Relay, ISDN (pg 12)
III – IP subnetting (pg 6) VII – boot-up & connectivity tools (pg 9) Appendix B – the Catalyst 1900 switch (pg 14)
CHAPTER I – INTERNETWORKING and the OPEN SYSTEMS INTERCONNECTION MODEL or “Please Do Not Throw Sausage Pizza Around.”
(5-7 questions on the OSI model; an unknown number on general networking)
This chart summarizes the ISO Open Systems Interconnection model, laid out in more detail hereafter. A layered model reduces complexity, permits the use of
standard interfaces, lets engineers make modular changes, lets different technologies inter-operate, accelerates evolution, and is easier to learn. Although all seven
layers could be on the exam, they’re not equally critical: You can answer the basic OSI layer questions by knowing enough to tell them apart. The real reason to study
layers 2 and 3, where switches and routers work, and L4, where many big protocols appear, is these descriptions form the foundation for much of the exam. If you
don’t grasp the L2 – L4 details of this chapter well enough to write them out from memory, you’re toast.

layer L1 L2 L3 L4 L5 L6 L7
mnemonic “Please Do Not Throw Sausage Pizza Around!”
name Physical Data-Link Network Transport Session Presentation Application
Destination Navigates the Truckers & Split-Second Pasting Parts & Pieces into
functional
Drop-boxes & National hiway Teamsters Sequencing Proper Products
mnemonic
Doorsteps Network
blasts frames nails packets wraps segments chops data into
Protocol Data
into bits into frames into packets segments data
Unit (PDU)
a conveyor a mailman a navigator a loading dock a dispatcher (or talk a newspaper editor a corporate executive
This layer is
belt finding a finding a town worker boxing a show host) compiling documents issuing instructions
analogous to...
mailbox shipment sequencing tasks
The Big Picture: sending and hardware logical (network) packing & shipping timing file formats giving orders
It’s all about... receiving bits addressing addressing
physical framing routing end-to-end dialog control encryption, compression, assorted application
key concepts
topology connections translation functions
puts bits on frames data for routes between provides flow control opens / closes demands transfers; IDs
main network
the wire local network networks sessions partners; final error
operations
resolution
hardware network addresses ports / sockets
This layer filters
(physical) / protocol #s
PDUs using…
addresses
devices hubs switches routers gateways
The CISCO 3-LAYER where-you-should-spend-your-money MODEL - gatekeeper to the core layer
- determines how best to handle requests
CORE LAYER
- security, filtering, firewalls
- speed is critical
- queuing (print jobs, &c.)
- can affect all users
- transitions between routing protocols (including static routing)
- should be fault-tolerant and reliable
- definition of broadcast/multicast domains
- no filtering, security slowdowns, or inter-VLAN routing
- no workgroup access ACCESS LAYER
- could use FDDI, fast (100Mb) Ethernet, gigabit (1000Mb) Ethernet, or ATM - a.k.a. the “desktop layer”
- when improvements are necessary, upgrade; don’t expand - more specific security
- segmenting for more collision domains
DISTRIBUTION LAYER
- connectivity to distribution layer via 100Mbps links
- routing
- Dial on Demand Routing (DDR)
- inter-VLAN routing
- Ethernet switching
- WAN access
- static routing
1
- connect 10Mbps switches to workstations; 100Mbps switches to servers

2
THE UPPER LAYERS: COMMAND & CONTROL THE MIDDLE LAYERS: SHIPPING & RECEIVING

L7Application Layer L4Transport Layer – “Truckers & Teamsters”

* DATA STREAMS (MESSAGES) * * chops data into SEGMENTS *
It's all about GIVING ORDERS; the corporate executive; what you see on the It's all about PACKING & SHIPPING (either reliable TCP/SPX or unreliable
screen; interaction with the user; interaction between programs; UDP/IPX); the loading dock worker; data chopper & reassembler; creates and
communications launching. reads segments; asks, “Which port (which pipeline) do we stuff this into?” “Did
The highest level of the model. It defines the manner in which applications interact the packets get where they should?” “What belongs in this pipe?”
with the network, including database management, e-mail, and terminal-emulation Defines protocols for structuring messages and supervises the validity of the
programs. transmission by performing some error checking.

KEY CONCEPTS: file, print, message, database, and application services KEY CONCEPT: end-to-end connection

NETWORK OPERATIONS PERFORMED: NETWORK OPERATIONS PERFORMED:

- determining availability of communication partners and network resources - data segmentation and reassembly; multiplexing several streams onto one link
- coordinating partnerships between multiple applications - acknowledging packet receipt during connection-oriented transfers
- ultimate authority over data integrity and error recovery - re-sequencing of received packets following connectionless transfers
- flow control (buffering, source-quench messages, & windowing)
PROTOCOLS (network applications) FOUND AT THIS LAYER: - error checking & correction by counting segments & requesting retransmissions
- FTP (TCP - port 21) - ‘File Transfer Protocol’ full-featured, secure file - managing virtual circuits
management
- Telnet (UDP - port 23) - terminal emulator program; uses L3 IP and L4 TCP DISCRIMINATES BY:
- SMTP (TCP - port 25) - ‘Simple Mail Transfer Protocol’ e-mail sending - application port / socket numbers, by which a segment identifies which upper-
- DNS (UDP - port 53) - ‘Domain Name Service’ English-to-IP translation layer protocol will use its data (e.g. firewall filtering)
- HTTP (TCP - port 80) -‘HyperText Transfer Protocol’ World Wide Web
browsing PROTOCOLS (delivery control methods) FOUND AT THIS LAYER:
- POP3 (TCP) - ‘Post Office Protocol’ e-mail receiving - TCP - ‘Transmission Control Protocol’ reliable delivery boy creating connection-
- X.400 - alternative e-mail management oriented links
- NNTP - ‘Network News Transfer Protocol’ newsgroup post management - UDP - ‘User Datagram Protocol’ unreliable delivery boy using connectionless
- TFTP (UDP) - ‘Trivial File Transfer Protocol’ stripped-down file transfers transfers
- SNMP (TCP) - ‘Simple Network Management Protocol’ (“Are you O.K?”) - SPX - ‘Sequenced Packet eXchange’ connection management tools added to IPX
- IRC (TCP) – ‘Internet Relay Chat’ keyboard chat program for reliable, connection-oriented communication
- EDI - 'Electronic Data Interchange' for e-commerce transactions
TECHNOLOGIES:

L6
- gateways
Presentation Layer – “Pasting Parts & Pieces into
Proper Products” * DATA STREAMS * There are 65,535 application ports in both TCP and UDP flavors. (Most
It's all about FILE FORMATS; the newspaper editor; data on the hard disk; applications, however, only use one flavor or the other.) Here are a few ports:
presentation of data to the programs in binary format. TCP 6 L2TP 115
Defines the way in which data is formatted, presented, converted, and encoded. echo 7 NNTP (TCP) 119
UDP 17 NTP 123
KEY CONCEPTS:
FTP data (TCP) 20 NetBIOS file share (UDP) 137
- encryption
FTP control (TCP) 21 NetBIOS file share (UDP) 138
- compression
Telnet (UDP) 23 NetBIOS file share (TCP) 139
- translation between file formats (MIDI, MPEG, PICT, TIFF, JPEG, ASCII,
SMTP (TCP) 25 news 144
EBCDIC, &c.)
DNS (UDP) 53 SNMP 161
TFTP (UDP) 69 SNMP trap 162
L5Session Layer – “Split-Second Sequencing” finger 79 -------------------------------------------
* DATA STREAMS * HTTP (TCP) 80 NetWare IP 396
It's all about TIMING; the dispatcher / talk show host; organizes and directs POP2 (TCP) 109 HTTPS (TCP) 443
communication sessions; keeps data separate for different applications. POP3 (TCP) 110 RIP (UDP) 520
Coordinates communications and maintains the session for as long as it is needed, identification (TCP) 113 Doom (yes, the game) 666
performing security, logging, and administrative functions. Manages simplex,
half-duplex, and full-duplex modes. Ports below 1024 are called the “well known” ports and are assigned by the
Internet Assigned Numbers Authority (IANA). Of these, the ones from 1 to 254
KEY CONCEPT: dialog control are used by public applications and the ones from 255 to 1023 are used by
proprietary (‘saleable’) applications.
NETWORK OPERATIONS PERFORMED:
- opening, maintenance, and closure of sessions between devices / applications Ports 1024 and above are used as needed for addressing by the upper-layers or
- managing simplex, half-, and full-duplex modes TCP during sessions. Some examples:
- keeping data separate for different applications WINS - 1512
ICQ (UDP) - 4000
PROTOCOLS (for manipulating remote systems) FOUND AT THIS LAYER:
IRC (TCP) - 6660-6669, specifically 6667 [also: 7000, et seq. for very large
- NFS - ‘Network File System’ sharing between different file systems
chat servers]
- SQL - ‘Structured Query Language’ database sorting
ConSeal VPN (TCP) - 4995-4997
- RPC - ‘Remote Procedure Call’ for running a process on another machine
- ASP - ‘AppleTalk Session Protocol’
- X Window - remote UNIX GUI emulator
- NetBIOS - API giving programs consistent set of tools to call for network
functions
- NetBEUI - file sharing device driver for tiny Microsoft LANs (not routable)

3
L3
- PPP - ‘Point-to-Point Protocol’ fake Ethernet over modem or serial link
Network Layer – “Navigates the National Highway - HDLC - ‘High-level Data Link Control’ (generic or Cisco) error correction
Network” * wraps segments into PACKETS (data or
route update) or DATAGRAMS *
It's all about LOGICAL ADDRESSING; the long-haul navigator finding a
town; “How do we get to that network from here?”
Defines protocols for data routing to ensure that the information arrives at the
correct destination node and manages communications errors.
KEY CONCEPT: routing

NETWORK OPERATIONS PERFORMED:

- logical / network identification
- routing / network navigation
- breaking up broadcast domains

DISCRIMINATES BY:
- network (IP, IPX) addresses
- ‘protocol numbers’ in IP packets identifying which L4 protocol the data is for

PROTOCOLS (for routing and navigation) FOUND AT THIS LAYER:

- IP - ‘Internet Protocol’ connectionless network addressing and routing
- IPX - ‘Internetwork Packet eXchange’ unreliable delivery boy using
connectionless transfers, NetWare's alternative to TCP/IP
- AppleTalk
- X.25 - enables DTE use over DCE networks; precursor to Frame Relay
- ARP -‘Address Resolution Protocol’ (“What's the MAC address for this IP
address?”)
- RARP -‘Reverse Address Resolution Protocol’ (“I am diskless workstation XXX;
What is my IP address?”)
- BootP - ‘Bootstrap Protocol’ (“I am diskless workstation YYY; What is my IP
address and what should I do first?”)
- DHCP - ‘Dynamic Host Configuration Protocol’ (“I’m new here; what is ALL my
IP information?”)
- ICMP - ‘Internet Control-Message Protocol’ error-reporting, supporting:
• PING - ‘Packet Internetwork Groper’ connectivity detector
• TraceRoute - traces packet paths using ICMP timeouts
• delivery of operational messages such as “Destination Unreachable,”
“Buffer Full,” and “Maximum Hop Count Reached”
- RIP - ‘Routing Information Protocol’ routing scheme
- IGRP - ‘Interior Gateway Routing Protocol’ routing scheme for large,
heterogeneous networks
- OSPF - ‘Open, Shortest Path First’ routing scheme
- EIGRP - ‘Enhanced Interior Gateway Protocol’ routing scheme
- BGP - ‘Border Gateway Protocol’ routing scheme
- IGMP - ‘Internet Group Management Protocol’ membership manager for
multicast groups
- RSVP - ‘Resource reSerVation Protocol’ bandwidth reserver

TECHNOLOGIES:
- routers (slower, software-based)
- layer 3 switches (faster, ASIC hardware-based)

THE LOWER LAYERS: HARDWARE MANAGEMENT

L2
*
Data-Link Layer – “Destination Drop-Boxes &
Doorsteps” * nails packets into FRAMES or CELLS

It's all about HARDWARE ADDRESSING; the mailman finding a mailbox;

“Where, exactly, is this going?” “When, exactly, does it go?”
Validates the integrity of the flow of data from one node to another by
synchronizing blocks of data and controlling the flow of data.
KEY CONCEPT: framing

NETWORK OPERATIONS PERFORMED:

- physical / hardware / MAC identification
- framing data for transmission onto the local network segment
- breaking up collision domains
- CRC (Cyclic Redundancy Check) error notification (not correction)

DISCRIMINATES BY:
- hardware (MAC) addresses

PROTOCOLS (for transmission) FOUND AT THIS LAYER:

- 802.2 - defines connection-oriented & connectionless operations; L2 framing
4
- CDP - ‘Cisco Discovery Protocol’ investigation of neighbor devices
- SNAP - ‘SubNetwork Architecture Protocol’ data transfer, connection
management, and QoS
- L2TP - ‘Layer 2 Tunneling Protocol’ frame disguising

TECHNOLOGIES:
- switches (fast, application-specific integrated circuit (ASIC) hardware-based)
- bridges (slower, software-based)
- modems
- ISDN “clouds”
- Ethernet frames
- IPX frames (four varieties: Ethernet_II, 802.3, 802.2, & SNAP)
- Frame Relay frames (two varieties: Cisco & IETF)
- Token Ring frames
- ATM (Asynchronous Transfer Mode) standard for cell-switched WANS
- DSL “modems”
- cable “modems”

The TWO SUBLAYERS and THEIR SPECIFIC JOBS:

L2aLogical Link Control (LLC) sublayer handles
L2 encapsulation
- defined by 802.2
- framing
- optional flow control
- packet handling instructions
- control-bit sequencing
L2bMedia Access Control (MAC) sublayer controls
access to the media
- defined by 802.3 & 802.5
- CSMA/CD
- MAC (hardware) addresses
- logical topology
- line discipline
- ordered delivery of frames
- optional flow control
- error notification (not correction) in frames
- Token Ring
- DQDB (Don’t worry; nobody knows what this is.)

SOME FRAME FIELDS of INTEREST:

- FCS - ‘Frame Check Sequence’ field in Ethernet frame (holds the CRC value)
- SSAP - ‘Source Service Access Point’ hardware address field
- DSAP - ‘Destination Service Access Point’ hardware address field

Those Wacky IEEE Specifications: It might help to list some big ones…
802.1: bridging, switching, VLANs, STP 802.3: CSMA/CD & the Ethernets
802.2: L2 framing; connection-oriented & 802.5: Token Ring media access
connectionless operations

L1Physical Layer
* blasts frames into BITS *
It's all about SENDING AND RECEIVING BITS; the conveyor belt.
Defines the mechanism for communicating with the transmission medium and
interface hardware: voltages, wire speeds (data rates), and connector pin-outs.

KEY CONCEPT: physical topology (baseband or broadband)

PROTOCOLS (for bit sequencing) FOUND AT THIS LAYER:

- RS-232, RS-449, and other serial line protocols
- V.32 and other CCITT modem protocols

NETWORK OPERATIONS PERFORMED:

- putting bits onto the transmission medium

TECHNOLOGIES:
- active (amplifying) hubs
- passive hubs
- repeaters
- concentrators
- network interface cards (NICs)

5
- The REST of CHAPTER ONE: Big Picture Networking – Those tasks are the jobs of networking protocols like IP and IPX, TCP and UDP,
ARP and RIP. The important ones are found in my notes on each layer (pp 2 & 3).
Of CSMA/CD and ETHERNET LANs
Ethernet is a simple way of letting several computers talk on a network. It uses
a scheme called carrier sense, multiple access with collision detection or
CSMA/CD (which I like to pronounce KIZ-muh-cud). That means 1) each node
or host (each PC) listens to the wire to see if anyone’s talking, 2) anyone can
transmit at any time without waiting for permission, and 3) if two devices transmit
simultaneously (a “collision”), they back off for a while, then try again. Works
great – until you get a couple hundred chatty machines on the same wire. Their
shared collision domain can get only so busy before network traffic bogs down
because there’s no time to get a word in. Some other network schemes, like Token
Ring, solve this problem with rigidly fascist control over the wire. They make
everyone wait his turn, or they pass a ‘you-get-to-talk-now’ card (the “token”) in a
ring around the group. Ethernet is a bit more unruly but it’s cheap and popular, so
we’re stuck with it.
Luckily, Ethernet keeps improving. Standard Ethernet operates at 10Mbps and
is called 10BaseT. Now we’ve added FastEthernet at 100Mbps and Gigabit
Ethernet at 1000Mbps. One flavor of FastEthernet runs on high-quality category-5
wires where it’s called 100BaseTX, another runs on optical fiber (100BaseFX) and
a third on bundles of cruddy category-3 or -4 telephone wire (100BaseT4).
“Base,” by the way, stands for baseband, meaning, “using only one frequency.”
If a lonely device using two wires in a cable can only transmit OR receive, it’s
working in simplex mode. If it can use those same two wires to talk AND listen
but must take turns doing either, it is operating in half-duplex mode. Taking
turns this way means only ½ the available BW can be used. A clever device that
can talk and listen at the same time through a four-wire cable is using collision-
free full-duplex mode. A device using full-duplex must be attached to a switch
(not a hub) and have its collision detection and loopback turned off. Wire
quality has as
much to do with the available modes as does the sophistication of the devices.
Any high-frequency signal can only go so far down a cable before it fades out.
Old 10Base5 runs up to 500m (the “5” means 500m) on big ugly coaxial cable
nicknamed thicknet. A slimmer coax called thinnet carries 10Base2 up to 185m.
Almost nobody uses either one these days. Today’s 10BaseT runs about 100m
on 4-wire, category-3-or-better, unshielded twisted-pair (UTP) cable
connected with small plastic Registered Jack (RJ)-45 connectors. 100BaseTX
can go 100m,
and 100BaseFX can go 412m at ½-duplex or 2km in full-duplex mode. A new
device on a network checks to see the best speed and duplex mode it can use.
When we connect a bunch of devices to an Ethernet hub, we’re just attaching
all their wires together. The hub, its cables, and every device connected by them
all sense each other’s state transitions (the voltage rises and drops making up
digital messages), so each machine hears everything being said. They are all in the
same room, the same collision domain, remember? More on this in a moment.
An Ethernet network, then, is a bit like a meeting hall. We’ve described the
wires or “media” Ethernet uses, like describing the room everyone meets in. It has
to be clean and well built so everyone can find and hear everyone else. Think of
this when you study L1 of the OSI seven-layer cake. We’ve also seen how the
CSMA/CD rules-of-order apply in this room so people don’t interrupt each other.
Those rules are in L2 in the OSI model. Also at L2 is the idea that everyone has a
seat with his name on it (a hardware address – more later about these). But people
gather in a hall to do business and Ethernet has nothing to do with the business
discussed in this room, or in net-speak, the protocols.
RJ-45 Pin-to-Pin Wiring Schemes (“Pinouts”) for 10BaseT or 100BaseT Ethernet:
four-wire straight-through cable, your standard Ethernet cable
- for connecting dissimilar devices: router to hub/switch; PC to hub/switch
- each pin connects to its twin:
near end 1 2 3 6
far end 1 2 3 6
four-wire cross-over cable
- for connecting similar devices: router to router; PC to PC; hub to switch
- the pair of pairs swap partners:
near end 1 2 3 6
far end 3 6 1 2
Eight-Wire, RJ-45 Pinout for Console (“Rollover”) Cable:
- for connecting a PC to the console port of a router
- an ascending sequence segues to a descending sequence:
near end 1 2 3 4 5 6 7 8
far end 8 7 6 5 4 3 2 1
The OSI MODEL ENCAPSULATES for YOUR SINS, AMEN.
That OSI model is a way of charting the responsibilities of network components
so the people who design or operate them can enjoy some clarity. The model says,
“everyone divide your tasks the same way and there will be less confusion.”

6
This quest for simplification also underlies layered architecture, writing complex don’t alter the frames they sort, a router replaces the L2 source and destination
programs from simpler units assigned to the individual layers. addresses of each frame it handles. Neither switches nor routers change the L3
Some protocols are connectionless, meaning they send data over any addresses of passing packets.
available path, expecting no reply or confirmation of receipt. Slower but far
[The terms WAN, CSU/DSU, DCE, DTE, ISDN, & BRI are in Chapter X.]
more reliable are connection-oriented protocols establishing and reserving a
specific virtual circuit with a partner before exchanging data. These expect
acknowledgements for their messages or use flow control (buffering; source-
quench messages; and windowing, whereby the responses of the receiving
device control how much info is transferred before an acknowledgement is
required) to ensure they’re heard.
Another result of the seven-layer model is the way jobs are sent between layers.
If L4 has chopped some data into segments hoping they’ll be understood by
another machine, it wouldn’t make sense for L3 to scribble network addresses like
crazy all over those segments. Then, by the time L2 got done adding the specific
target’s physical address and L1 transmitted the result, those poor data segments
would be a real mess to untangle. The better idea is encapsulation: We leave
all segments alone, just encapsulate them in L3 packets. Then the packets are
left untouched as they, in turn, are then encapsulated in L2 frames. And when at
last we blast the frames into bits at L1, we know the patterns of the upper layers
are intact in the bit stream. Bits, frames, packets, and segments, the units passed
from layer to layer, are called protocol data units (PDUs). When one frame
type is
hidden inside another, especially for security reasons, this is called tunneling.
ADDRESSING: Flat and Lumpy Schemes
A device’s “hardware” or “physical” or MAC address is a built-in L2 address
read by switches. Every device comes from its factory bearing a unique MAC
address 48-bits long and written as 12 hexadecimal digits (each digit is 4 bits in
size), like 00e0.1e5d.2782. The first six digits are a code for the
manufacturer (in bigger words, an Organizationally Unique Identifier) and the
last 6 are unique to the device. L2 frames are addressed with MAC addresses.
Network addresses, on the other hand, are logical (made-up) addresses read by
routers. L3 packets are addressed with Network addresses. There are several
network address schemes, such as IP or IPX. (Each L3 address only works for one
L3 protocol.) L2 and L3 addresses have nothing to do with each other.
So why assign L3 addresses when every device already has a MAC address?
Because, while L2 addressing is “flat” with no address given any particular
importance, L3 schemes use hierarchical addressing, letting devices be gathered
into convenient groups we call “networks.” Packets can then be filtered by
network ‘area codes’ and routers can operate efficiently with only L3 knowledge,
blissfully ignorant of any L2 details. To work quickly, a router, stores and reads
only network addresses; that’s as smart as it gets. And that’s why each interface on
a router must attach to a different network: If two of its connections had the same
network name, the router couldn’t choose (“route”) between them. Routers read
the L3 addresses and get the packets to the right network on the Internet. From
there, switches have no trouble finding a few L2 MAC addresses in the small
meeting hall of a “flat” network segment.
LAN SEGMENTATION: Small Groups are Easier to Control
If I want to send a message to 75 recipients I could direct it several ways. I
could send 75 individual messages, one network-wide broadcast, or even one
multicast to a group of 75 members. Such are the options with logical addressing,
although there are good and bad points to each. Now we need machines that can
use this addressing power to decrease traffic.
If you have several hundred PCs linked by a bunch of hubs, you have one huge
collision domain. But insert a bridge before each hub and you keep each hub
from ever seeing traffic for the others. A bridge learns the L2 addresses of devices
it feeds and if it gets a frame not belonging to any of them, it blocks the frame.
What you’ve done is divide your big collision domain (your meeting hall) into
smaller collision domains. The only non-broadcast traffic leaving any domain is
traffic specifically intended for another. This improves both security (by keeping
private traffic private) and performance (by reducing collisions). Bridges are
mostly obsolete now because adding a bunch more ports to a bridge gets you an
even nicer device: a switch.
A switch is just like a bridge with more ports. Each port forwards only frames
addressed to the devices attached there, so the switch divides each port into its
own collision domain with fewer members. Put a single device on each port if
you like.
A different problem is with broadcasts, which use a MAC address of all ones to
reach every machine in a network. Switches don’t stop broadcasts and can do
nothing to break up broadcast domains. You need a router for that. Routers
divide broadcast domains because they direct traffic between different L3
network addresses and don’t (by default) transmit broadcasts. Routers can also
filter packets by the protocols they use. Since separate VLANs must talk through
routers, VLANs, too, are said to divide broadcast domains. Whereas switches

7
CHAPTER II – SWITCHING (15-20 questions, including VLANs) - If all required host MAC addresses are entered into a database, switch software
[Note: I’m told most of Cisco’s switches were designed by companies Cisco can create dynamic VLANs based on applications, protocols or other factors. The
purchased, so their commands vary too widely to be exam-worthy. For this reason software looks up each MAC address in a database and connects it accordingly,
I haven’t much bothered to condense Lammle’s appendix B on switches. The parts even if the device moves around the network.
of the appendix suggested to me (VLANs and trunking) are on page 14.]
- Switching is ASIC (hardware) –based, as opposed to bridges (software).
- Otherwise, a switch is like a bridge with many more ports.
- A L3 “intelligent” switch is faster than a router and can sort by L3 addresses.
- Switches perform address learning by reading frames’ source addresses.
- They make forward-or-filter decisions whereby broadcasts (all 1s), multicasts
(host address = all 1s), and frames for unknown destinations go out all ports.
- This breaks up collision domains by sending only needed frames out each port.
- BUT it does not break up broadcast domains because broadcasts go out all
ports.
- Switches practice loop avoidance to stop broadcast storms, duplicate frames, and
confusion in their filter tables caused by multiple paths.
- The key method for loop avoidance is Spanning Tree Protocol (STP) using
Bridge Protocol Data Unit (BPDU) multicasts exchanged every 2 seconds.
- STP (IEEE 802.1d) is a messy protocol that causes lots of delays and
recalculates the entire tree every time the network configuration changes.
- STP elects a root bridge based on its 8-Byte bridge ID (derived from its
device priority and its MAC ID). Priorities are compared (32,768 is the
default) and the lowest value wins. If tied, the lowest MAC address wins.
- Root bridge decides ports settings on remaining devices: open (designated) or
blocked (non-designated). Lowest cost ports leading back to the root bridge
are called “root ports” and become the path for communications with the
root.
- Designated ports are chosen by lowest cost path, using links’ accumulated
BWs.
- When network topology changes, all data stops for 50 seconds (“convergence
time”) while STP re-configures all ports. Port transitions go as follows:
1. blocking
2. listening (exchanging BPDUs and checking for loops) – “forwarding
delay”
3. learning all MAC addresses – a period also called a “forwarding delay”
4. forwarding
THREE FRAME HANDLING MODES
- cut-through: fastest possible; only destination header is checked (1st 13 Bytes)
- FragmentFree: (default mode for Catalyst 1900 switches) reads 1st 64B
checking for collision damage before forwarding
- store-and-forward: entire frame checked; rejected if too short (<64B) or long
(>1518B) or if it has a CRC failure; method with greatest “latency” (delay).

CHAPTER VI – VLANs (15-20 questions, including general switching)

- We can divide a switch’s ports into subnetworks called virtual LANs (VLANs)
organized by location, function, department, applications, or protocols.
- WHY VLANs? Each VLAN is a small scalable network segment & a separate
broadcast domain. Broadcasts are an unpleasant fact of network life but
dividing broadcast domains this way improves security and performance by
breaking up flat networks, in which every broadcast is seen by every device.
VLANs can provide automated control of each port and its resources to simplify
computer moves, adds, and changes and cut administrative costs.
- Hosts in different VLANs must communicate through a L3 device: a router with
an interface for each VLAN, an ISL-capable router (Series 2600 and up) that can
speak to all VLANs through a single interface, or a route switch module (RSM)
installed in the backplane of a 5000-Series switch to support up to 1005 VLANs.
Cisco calls a FastEthernet interface + ISL routing “a router-on-a-stick.”
- This router or other L3 device can provide inter-VLAN security.

VLANs must L3 DEVICE

Switch communicate via a
qqqqqqqqqqq Layer 3 device.
E0 E1

unassigned
VLAN 1 VLAN 2
Here, one router interface goes to each VLAN
- If the switch in the picture was a L3 switch, it could learn from the router to pass
packets between VLANs to speed their trip (“route once/switch many” or ROSM).
- VLAN numbers can range from 1 to 1004.
- Users grouped by interest are called VLAN organizations.
- A group of connected switches is called a switch fabric.
- Access controls can be established anywhere within the fabric.
- Administrators create static VLANs by hand. These are stable and secure, as
long as the network doesn’t change much.
8
- Cisco offers VLAN Management Policy Server (VMPS) software as a MAC- disabled by default on all switches. By default, only VLANs 2-1005 can prune.
address-to-VLAN mapping database. VLAN 1 can never prune because it is an administrative VLAN.
- There are two types of links (ports) in a switch fabric:
- Access link ports are any ports connected to DTE devices (hosts). Each Please see page 14, “APPENDIX B – The CATALYST 1900 SWITCH”
access port is a member of a VLAN, although a host using that port is unaware
of this because any VLAN info is stripped from arriving frames before they are
delivered. Such hosts must go through L3 devices to communicate outside their
VLANs.
- Trunk link ports connect all (or only several) VLANs from switches to
routers, servers, or other switches. A device thus ‘trunked’ can be part of up to
1005 VLANs simultaneously, meaning a trunked server can be reached by many
subnets without the need to communicate through a L3 device. Trunk links have
a default membership in VLAN 1 if the link fails. By default, all possible
VLANs are present on a trunked link between switches (unless manually
removed by an administrator) but trunk links going to routers or servers carry
only VLAN 1.

A trunked port can ISL ROUTER

Switch carry all VLANs
qqqqqqqqqqq
One ISL interface,
many VLANs E0
VLAN 1 VLAN 2
TAGGING FRAMES for TRIPS DOWN TRUNKS
- Frame tagging is a L2 means of identifying Ethernet frames by their VLAN
membership. Tagging assigns each frame a unique, user-defined VLAN ID or
‘color.’ Frames get tagged when they first go down a trunked link. Each switch
in turn reads the tag and decides whether to send it out on another trunk port or
out an access port to a host. Finally, as the frame leaves an access port, the tag is
stripped off so the host won’t reject it as deformed.
- Four VLAN trunk ID (tagging) methods are:
1) ISL (Inter-Switch Link), a Cisco proprietary method using only Fast- or
Gigabit Ethernet. ISL can be used on switch ports, router interfaces, or server
NICs. It offers low latency and full wire-speed operation in either half- or full-
duplex modes. It is an external tagging method in which the original frame is
not altered but further encapsulated in a new tagging frame with a 26-Byte
header and a 4-Byte FCS field at its end. These frames’ max size is 1,522 Bytes.
Only ISL-aware devices can read these frames; other devices reject Ethernet
frames not 64 to 1,518 Bytes long. An ISL tag is applied ONLY as a frame
leaves a trunk port and removed as the frame leaves an access port. ISL is the
only method on the exam.
2) IEEE 802.1q is an industry-standard tag that adds a field to the frame. This
method is required if sending frames from Cisco switches to another maker’s gear.
3) LAN Emulation (LANE) couples VLANs over ATM.
4) 802.10 (FDDI) Cisco’s proprietary tag for FDDI; puts SAID field in L2 header
- Newer Cisco Catalyst switches use a point-to-point protocol designed for 802.1q
called Dynamic Trunking Protocol (DTP) to control trunks in ISL or 802.1q.
VLAN TRUNK PROTOCOL (which has nothing to do with trunking...)
- VLAN Trunk Protocol is a misleading name for Cisco software that can add,
delete, and rename VLANs, and send the changes to the entire fabric. This gives
network-wide consistency, allows VLANs trunked over mixed media, permits
monitoring, dynamic reporting of added hosts, and plug-and-play VLAN addition.
- First turn one switch into a VTP server. VTP servers sharing VLAN info must
use the same domain name. VTP is unneeded if all your devices share a VLAN.
- VTP info moves between devices via trunk ports. (Maybe that’s where the name
comes from: VLAN Trunk-traveling Protocol?)
- Switches advertise VTP management info and all known VLANs to their
domains every 5 minutes or whenever a change is made to the domain. Each
advertisement carries a revision number assigned by the VTP server. When a
switch sees an announcement with a higher revision number, it accepts the new
info and overwrites its old database.
- You can add a password to control users’ adding switches to your VTP domain
but the same password must be used on every switch throughout the domain.
- The default mode for Catalyst switches is server mode. Only this mode allows a
switch to create, add, or delete VLANs or change VTP info in a VTP domain.
Changes made in server mode are advertised domain-wide.
- A switch in client mode receives and acts on VTP info but cannot change it.
Before any of its ports can join a VLAN, a client must receive instructions from a
server. Before installing a new server, first make it a client so it will be up-to-date.
- You can set a switch to transparent mode so it will forward advertisements but
not act upon them. A transparent switch can still add and delete VLANs from its
own, unshared database, as usual.
- You can turn on VTP pruning at a server to instruct all switches in a domain to
withhold unnecessary broadcasts from disinterested trunk links. Pruning is

9
CHAPTER III – IP (5 questions) Note the hosts are the magic numbers minus 2 and “networks” is just “hosts”
[Note: I moved lists of the individual protocols to Chapter I with their associated upside-down. You might be asked how many hosts you have or, similarly, to mask
OSI layers. They aren’t nearly as important as subnetting. YOU MUST just enough bits to leave a range of X hosts. Class C numbers are in the table but
ABSOLUTELY KNOW HOW TO SUBNET QUICKLY FOR THE EXAM.] counting class A and B hosts can be painful. Our example segment had 16 values
in the 3rd octet, from 192 to 207, but each of those also represents from 0 to 255 in
IP ADDRESSING
the last octet, so we’re talking about 4,096 addresses, here. Each octet you jump
An IP address is of 32 bits divided into four octets of 4 Bytes, each:
to the left represents 256 times the octet to its right.
11111111. 11111111. 11111111. 11111111 (= 255.255.255.255 in decimal)
The first four bits show the class. Classes A, B, & C use the first; first two, and Put another way, because each number in the third octet, from 192 up to and
first three octets, respectively, as their network portion. The more network ID bits, including 207, is worth 256, we multiply 16 x 256 to find out how many addresses
the fewer bits remain for any host IDs, and vice-versa. exist in our range. The short answer is 4,096 but, because we can’t use the
network or broadcast addresses, we must subtract those two to see there are 4,094
first first network host
class notes possible hosts in our range. That’s your final answer. The simplified formula is
4 bits octet addresses addresses
(magic number x 256) – 2 but if you’re instead counting steps in the second octet,
0xxx 1-126 A 126 16,777,214 (127 reserved for
it’s (magic number x 65,536) – 2. Remember that for counting in class A.
10xx 128-191 B 16,384 65,534 loopback tests)
110x 192-223 C 2,097,152 254 If 4,096 hosts are still too many, you can go on masking right into the next
111x 224-239 D multicast multicast octet, say 172.18.250.202/27. The mask is now three bits into the fourth (and
1111 240-255 E reserved reserved final) octet. This is normally class C turf, so you have to pay attention to that 172
to know it’s still a class B. Our cheater’s table has no row for the 11 bits we’re
SUBNETTING now stealing, so just ignore the third octet and pretend we’re only stealing from
Subnetting means masking-off a range of IP addresses into a smaller network the fourth. Read the table for three stolen bits (from the fourth octet). Our mask is
segment to reduce its population. This scheme improves performance, allows 255.255.255.224, our magic number is 32, and, since we’re ignoring the third octet
better management, facilitates the use of expensive WAN links, and gives planet of the mask, we’re going to apply the magic number to the fourth octet. Our IP
Earth more network addresses to work with so we don’t run out as fast. A subnet address lands between the magic number multiples 172.18.250.192 (our network
mask of 1s is applied to the IP address to mark its network portion. Let’s say a address) and 172.18.250.224 (the next network address), meaning
huge corporation died and left us its entire class B network – but we only know 172.18.250.223 is our broadcast address; everything in between,
one address in it. Here is that address in both binary and easy-to-read decimal: 172.18.250.193 through 172.18.250.222, is our host range, with 30 addresses.
10101100.00010010.1111010.11001010 = 172.18.202.10
It’s a class B, so its network address is 172.18.0.0. Its node (or host) address is Some are harder than others, especially A or B addresses using a little more or a
202.10. The normal class B mask that says where one ends and the other begins is little less than full octets. Here are some you’re glad you don’t see everyday.
11111111.11111111.00000000.00000000 = 255.255.0.0, Watch how the net address and the next net address change as another bit is stolen.
right on the “dot” between the 2nd and 3rd octets, just like usual. Now, in every address 122.67.69.10 /15 122.67.69.10 /16 122.67.69.10 /17
network segment, the 1st address, the network address, is special; it’s the address mask 255.254.0.0 255.255.0.0 255.255.128.0
we route to. The last address before the next segment is special, too; it’s the class A A A
address we broadcast to. All the dull addresses in between? Those can be magic # 2 (in 2nd octet) 1 (in 2nd octet) 128 (in 3rd octet)
assigned to hosts. Here, our broadcast address is 172.18.255.255, meaning our net address 122.66.0.0 122.67.0.0 122.67.0.0
hosts run from 172.18.0.1 to 172.18.255.254. But we know not to put 65,534 host b/c address 122.67.255.255 122.67.255.255 122.67.127.255
computers in one Ethernet network! (See the above table.) Instead, we can subnet next NA 122.68.0.0 122.68.0.0 122.67.128.0
and carve out several smaller networks if we mask out (“steal”) an additional few address 122.67.69.10 /23 122.67.69.10 /24 122.67.69.10 /25
bits from the next, empty octet to the right. Let’s change our mask by stealing four mask 255.255.254.0 255.255.255.0 255.255.255.128
more juicy bits from the third octet: class A A A
11111111.11111111.11110000.00000000 = 255.255.240.0, our new mask, or magic # 2 (in 3rd octet) 1 (in 3rd octet) 128 (in 4th octet)
“240 in the 3rd octet,” for short. [Also, instead of writing out the address and its net address 122.67.68.0 122.67.69.0 122.67.69.0
entire mask, we can use a shorthand of 172.18.250.202/20 to say we’ve got a mask BC address 122.67.69.255 122.67.69.255 122.67.69.127
20-ones-long.] We calculate new addresses by applying a “magic number” to the next NA 122.67.70.0 122.67.70.0 122.67.69.128
mask octet. The magic number equals 256 minus the mask. A new segment starts address 172.67.69.10 /23 172.67.69.10 /24 172.67.69.10 /25
with every multiple of the magic number. mask 255.255.254.0 255.255.255.0 255.255.255.128
class B B B
Our job now is to find the new network address, broadcast address and valid
magic # 2 (in 3rd octet) 1 (in 3rd octet) 128 (in 4th octet)
host address range for our one machine at 172.18.202.10. The magic number for
net address 172.67.68.0 172.67.69.0 172.67.69.0
our .240 mask is 16. Our mask is in the 3rd octet. So, as you count up the 3rd octet
BC address 172.67.69.255 172.67.69.255 172.67.69.127
from ‘0’ to ‘255’ a new segment starts at every multiple of 16, from 16x0, onward:
next NA 172.67.70.0 172.67.70.0 172.67.69.128
172.18.0.0, our first multiple,
172.18.16.0, our second multiple, Startling lessons learned:
172.18.32.0, our third, - Just because the mask is /25 doesn’t mean it’s a class C address!
172.18.48.0 ...and so on. Each multiple is the first address of a different baby - Just because the mask is 255.255.255.0 doesn’t mean it’s a class C address!
subnet.* Which multiple are we in? Our 202.10 is between multiples - Class can only be determined by looking at the first octet!
172.18.192.0 and 172.18.208.0. The broadcast address for our segment is the - Just because an address ends in .0 doesn’t mean it’s a network address!
address right before 208.0, so it’s 172.18.207.255. The range of host addresses is - Just because an address ends in .255 doesn’t mean it’s a broadcast address!
every address between the network and the broadcast addresses, like so: - Not all network addresses end in .0!
172.18.192.0 is the network address, - Not all broadcast addresses end in .255!
172.18.192.1 to 172.18.207.254 is the host range, and - Don’t let anyone tell you, “.128 masks are always illegal!”
172.18.207.255 is the broadcast address, meaning - Without the address, the mask cannot tell you how many sub-networks you get!
172.18.250.202 is valid and not reserved or illegal. The end. - You may have to crunch the numbers to find out if a given host address is valid!
Those of us who can’t do math can cope somewhat by memorizing this table: And beware these strange rules:
- *You’re can’t use first or last multiples. This keeps ‘classful’ routing protocols
stolen bits mask (binary) mask magic # hosts networks
(RIP or IGRP) from getting confused by masks that aren’t /8, /16, or /24. BUT…
1† 10000000 .128 128 126 0†
- You can waste less space by subnetting the first and last multiples even further
2 11000000 .192 64 62 2
with a variable-length subnet mask. Don’t use more than 2 VLSMs on a network.
3 11100000 .224 32 30 6
- 10.0.0.0, 172.16.0.0, 192.168.0.0 can be private networks if kept off the Internet.
4 11110000 .240 16 14 14
- †The following .128 (one bit) masks only become valid if you say ip
5 11111000 .248 8 6 30
subnet-zero
6 11111100 .252 4 2 62
For class A: 255.128.0.0; for B: 255.255.128.0; for C: 255.255.255.128.
7‡ 11111110 .254 2 0‡ 126
These let you create only two subnets and still use them both.
8‡ 11111111 .255 1 0‡ 254
- ‡You can’t steal either 7 or 8 bits from a class C address. You’d have no hosts!

10
CHAPTER IV – CONFIGURATION BASICS (10-15 questions) command ? - (with a space) gives all possible options to follow
- To configure a router, connect its console port to the serial port of a PC with a “command”
‘console’ cable and a DB9-to-RJ45 adapter. Set HyperTerminal to your COM xxxxx? - (no space before the ?) gives all possible completions of the text
port at 9600 baud and turn on the router. (You can’t Telnet to a virgin router “xxxxx”
until IP is set up, so for remote configuration use an AUX port & modem.) sh history - shows last 10 (default value) commands
Setup Mode is entered either by typing the setup command or by typing sh terminal - shows terminal configuration & size of command history buffer
erase startup-config and rebooting. The three Setup Mode options terminal history size <0-256> - resizes command history buffer
are: sh version - shows IOS version, CF names and sources, hardware config,
1) Decline the initial config dialog, skip Setup, go to the Command-Line Interface. Configuration Register code
2) Basic Management Setup allows enough connectivity for management, only.
3) Extended Setup, with configuration options for each interface. The setup 5 PASSWORDS – en secret, en password, console port, aux port, & Telnet
sequence is: hostname, en secret, en password, VTY password, SNMP, L3 - Two passwords are available to enter the Privileged Exec (“enable”) Mode:
protocols, asynch (modem) lines, BRI interface, other interfaces [connector, enable secret bozo - sets the encrypted enable password; this is the
full- or half-duplex, IP address & mask], and review. You then have three final preferred one
options: CLI, start over, or save & exit. CTRL-c terminates setup mode. enable password bozo - sets the plain-text enable password; use as a
- In User Exec Mode type > en and a password to go to Privileged Exec Mode, last resort
then one of these three options to enter Global Config Mode: The two can’t be in effect simultaneously; if you try, the ‘secret’ takes precedence.
# config terminal brings up the running-config file in RAM enable use-tacacs - sets enable password on several routers using
# config memory brings up the startup-config file in NVRAM (= TACACS server
copy start run) SETTING the OTHER PASSWORDS (& using OPTIONAL ENCRYPTION)
# config network gets a config file from a remote TFTP host (= copy - You can encrypt the 4 plain-text passwords so sh running-config won’t
tftp start) show ‘em:
- If you use either of those last two, the machine swaps the file you requested into (config)# service password-encryption - turns optional
RAM so you can work on it. This replaces your running CF, so be careful! encryption on
- From global config mode, you can visit several sub-modes, for example: (config)# enable password bozo - sets the plain-text ‘enable’
(config)# interface s0 to work on an interface (with a (config-if)# password, just like we did above; this can be included in the encryption
prompt). From there, type (config-if)# interface s0.1 to make a process if you desire
subinterface [(config-subif)#]. - Next, set the three “line” passwords, the ones used to connect to the router:
(config)# line vty 0 4 to work on a line [the new prompt = (config- (config)# line console 0 - port 0 is the only port available
line)#]. (config-line)# login
(config)# router rip to work on a routing protocol [prompt = (config- (config-line)# password bozo - sets the console port password
router)#]. also: (config-line)# exec-timeout <min> <sec> - sets session
- In global config mode, commands are called “major” or “global.” timeout; 0 0 = never
- Commands from (config-xxxx)# prompts are called “subcommands.” also: (config-line)# logging synchronous - hold pop-up messages
IOS Commands to Move Up or Down Between Different Modes/Prompts while typing
(NOTE: Chart developed in-part from simulator software; not confirmed with real routers!) (config-line)# line aux 0 - port 0 is the only port available
Mode: down: up: (config-line)# login
Prompt (config-line)# password bozo - sets the auxiliary port password; aux
enter/leave IOS: ----- ----- ---- ----- ----- ----- ----- is typically used for modems but can also be used as a console connection
none
- (config-line)# line vty 0 4 - VTY is usually lines 0-to-4; more with
user exec: return exit quit logo “Enterprise” IOS
> ----- ----- e ----- ut logo (config-line)# login
quit
privileged exec: enabl disab xit ----- ut (config-line)# password bozo - sets the Telnet password; Telnet will
# e le not operate until this is set, unless you leave access open with line vty 0 4
----- ----- ---- ----- ----- ----- ----- then no login.
- (config-line)# exit
global config: config exit en ^z (config)# no service password-encryption - turns optional
(config)# t d ----- encryption off
----- ----- ---- MESSAGE of the DAY BANNER Shown at every console, aux, or Telnet entry.
end ^z
- (config)# banner motd <dc> Any character can be the delimiting
interface: int e0 e character (DC) but the default is #. Pressing it ends the message, so it cannot
exit
(config-if)# xit ^z be used in the text.
----- ---- ----- ----- - Other banners are exec, incoming, and login. To keep multiple banners on
- separate lines, add an extra blank line before pressing the DC.
subinterface: int
INTERFACE CONFIGURATION
(config- e0.1
(config)# interface serial 0 engages an interface & changes the prompt to
subif)#
(config-if)#.
----- ----- ----- - 2500 Series routers have fixed configurations but 2600, 3600, 4000, and 7000
specify their interfaces with slots and port numbers: interface
COMAND LINE CURSOR GYMNASTICS and HELP COMMANDS fastethernet 0/0.
CTRL-w - erases a word CTRL-u - erases a line - On 7000 or 7500-Series routers with “Versatile Interface Processor” (VIP) cards,
CTRL-a - moves to start of line CTRL-e - moves to end of line define an interface by slot / port_adapter / port#, thus:
CTRL-f or → - moves fwd one CTRL-b or ← - moves back a interface ethernet 2/0/0.
character character (config-if)# media-type <100BaseX/MII> sets media type (normally
ESC-f - moves forward one word ESC-b - moves back one word auto-detected).
CTRL-p or ↑ - recalls previous CTRL-n or ↓ - steps forward to next (config-if)# no shutdown turns on an interface; (config-if)#
command newer command in history buffer shutdown turns it off
in history buffer - Interfaces are shutdown by default.
TAB - completes partial commands CTRL-c - breaks off long data (config)# hostname Chicago labels the router. (The label is case-
displays sensitive.)
CTRL-z - ends any configuration CTRL-SHIFT-6 - pauses some (config-if)# description Sales Department LAN labels the
mode and returns to privileged exec running processes (e.g. Telnet sessions) interface.
mode IP CONFIGURATION

11
(config)# int e0 engages Ethernet interface 0.
(config-if)# ip address 172.16.10.2 255.255.255.0
secondary configures IP.
(The secondary command adds this info, rather than replacing an earlier IP set
up.)
(config-if)# no shut turns on service to the interface.
SERIAL INTERFACE SPEED SETTINGS
- Serial interfaces usually attach to a CSU/DSU that provides synch clocking. If
two DTE routers are directly attached (as in a lab), the one at the DCE end of the
cable must provide clocking. Use (config-if)# clock rate 64000 with the
rate in bps.
- The default bandwidth label on an interface is set to 1544kbps (T1 speed).
IGRP, EIGRP, OSPF, & other protocols read this label to calculate routes. (RIP
ignores it.) To set it, type (config-if)# bandwidth 64 where the rate is in
kbps.
SAVING and VIEWING CONFIGURATIONS
- Saving your configuration copies the file “running-config” to NVRAM,
overwriting “startup-config.” Do this with copy running-config
startup-config.
- View the two files with sh run and sh start. (You can shorten the file
names, if you like.) Note: Each file shows the IOS version in use when it
was created.
- Erase CFs with erase run and erase start. (Boots to setup mode if no
start file.)
- A CF is an ASCII file and can be edited with any text editing program.
- You can also copy CFs to TFTP hosts. Use copy run tftp or copy
start tftp to make the backup and copy tftp run or copy tftp
start to restore the desired file.
INTERFACE DIAGNOSTICS
- Ping an interface using a specific protocol with ping <protocol>
<address>.
- Get the address of a neighbor with sh cdp neighbor detail.
- Telnet (the best tool to verify IP connectivity) telnet
<address/hostname>. (The word “telnet” is understood if you just
type the address or hostname.)
# sh running-config tells interface stati, descriptions, &c.
# sh interface e0 as above, plus tells if the interface is administratively
down (using shutdown). Shows L2 & L3 addresses, encapsulation
methods, collision stats, Maximum Transmission Unit (1500 Bytes by default),
BW label, keepalive frequency (must be same on both ends); & carrier
detect/keepalive status, thus: Ethernet0 is up, line protocol is up.
The first item shows L1 cable or interface problems, the second item shows L2
mismatched keepalives, encapsulations, or clock rates not set. I always call it
the “L1/L2 up/down stats.” Possibilities are:
up/up = operational down/down = interface problem
up/down = connection trouble administratively down/down = disabled
- If the interface is administratively off, the remote end will say down and
down.
- You can reset the counters for the above command with # clear counters
<int#>.
# sh controllers s 0 shows info about the physical interface and type of
serial cable (DTE or DCE) attached. (Note the required space between the s
and the 0.)
sh <ip/ipx> interface shows L3 address, applied lists, L1/L2 status for all
interfaces.
sh <ip/ipx> interface brief just gives the status check with L1/L2
ups/downs.

12
 CHAPTER V – IP ROUTING (6-10 questions) - Route poisoning: dead routes are explicitly updated as being unreachable (16
- The ability to route requires a knowledge of a destination address, of potential hops away) and receiving routers send explicit poison reverse updates as
routes to other networks and the best route to each, a learning relationship confirmations because, hey, sometimes rumors just aren’t good enough.
between neighboring routers, and a means to maintain and verify routing tables. - Holddowns: delays that make routers ignore updates to keep them from
- Each interface on a router must attach to a different network. reinstating a dead route; improves stability by letting changes settle first.
- Routers discard packets for unknown networks (if default routing is not enabled).
- Basic router set up (see Chapter IV) gives a hostname to the router, applies an IP
address (and clock rate, if needed) to each interface, and turns the interfaces on.
- If a network is unreachable, its entry is automatically dropped from the table.
- There are three types of routing: static, default, and dynamic:
STATIC ROUTING
 no CPU overhead  requires deeper understanding
 no network bandwidth  new routes must be added manually
 administrator oversight of security  only workable on small networks
- Syntax: ip route <dest_addr> <dest_mask> <next_hop>
<admin_dist> permanent (config)# ip route 172.16.20.0
255.255.255.0 172.16.10.2 - turns on static routing
- next_hop could also be the exit_interface for a point-to-point link (on
a WAN).
- admin_distance (AD; 0-255) is a scale of trust in routing information,
depending on its source. Some default ADs for various sources are:
connected interface 0 OSPF 110
static or default route 1 RIP 120
EIGRP 90 external EIGRP 170
IGRP 100 unknown 255 (will never be used)
- permanent keeps unreachable networks from being deleted from the
table.
- Verifying static routes using # sh ip route shows the directly connected
networks and any remote networks the router knows and can reach. Directly
connected routes have a C beside them; static routes have an S and a note
similar to [1/3] that shows [AD / hops to the particular network].
DEFAULT ROUTING
- Default routing is a variant of static routing used only on stub networks (routers
with only one port leading to another router). It replaces multiple static route
commands with a single instruction to send all packets for unknown destinations to
the same default next hop (another router’s interface) or ‘gateway of last resort.’
- similar to a static route entry but with wildcards (vs. network and mask info)
- 1st delete static route entries with no ip route 172.16.20.0
255.255.255.0 172.16.10.2
- 2nd add default entry: ip route 0.0.0.0 0.0.0.0 172.16.10.2 where
172.16.10.2 is the gateway of last resort.
- 3rd, Cisco routers are classful, allowing protocols like RIP and IGRP to expect
only /8, /16, or /24 masks on each interface. Typing ip classless, however,
keeps packets from being discarded due to unrecognized destinations. Always
use this command with default routing, even though it will sometimes work
without it. (Classless routing is set by default in newer IOS releases.)
- Verifying dynamic routes with # sh ip route shows similar information as
with static routes, except the several S entries have been replaced by one S*
entry indicating the default route “candidate.”
DYNAMIC ROUTING: RIP & IGRP DISTANCE VECTOR PROTOCOLS
- uses routing protocols to automatically update tables (at a cost of bandwidth)
- two types: Interior Gateway Protocols and Exterior Gateway Protocols
- IGPs are used within autonomous systems (AS; a set of networks under
common administration, sometimes called a domain).
- EGPs are used between autonomous systems.
- three classes of routing protocols (RIP and IGRP, only, are on the exam):
1) distance vector (RIP/IGRP) uses hop counts [but see IGRP details, below].
2) link state (OSPF) uses 3 tables: direct connections, topology, & routing;
gets a full view of the network (no rumors) by bandwidth analysis and
triggered updates, but is hard to set up and consumes much BW, itself.
3) hybrid (EIGRP) uses bits of both
The INS and OUTS of DISTANCE VECTOR ROUTING (D/V)
- passes complete tables between routers (“routing-by-rumor” vs. investigation)
- If dual routes exist to a network, the best is chosen by AD, then by other metrics.
- If two links have same hop count but different BW, you get pinhole congestion.
- Convergence occurs when all routers know the routes to all networks.
- D/V tracks changes with periodic update broadcasts to all active interfaces. Slow
convergence means discrepancies can develop between routing tables and
reality, causing routing loops wherein rumor-fed routers endlessly pass around
packets convinced their neighbors can reach a deceased link. Some cures:
- Maximum hop counts: RIP permits 15 hops before a packet is discarded.
- Split horizon rules: routing info can’t be sent via the interface it arrived on.

13
 Holddowns are cleared early if a route update arrives with a better metric than debug ip rip shows routing updates as they come & go. If you’re
the dead route had. Telnetting-in, you must type terminal monitor to get these reports.
- Triggered updates are immediate, forced (instead of periodic) updates to debug ip igrp events summarizes IGRP info running on network, all
routing tables made when things change. They reset holddown timers if requests and responses, but NO INFO ABOUT INDIVIDUAL ROUTES.
the timer expires, the router gets a processing task proportional to the debug ip igrp transactions shows detailed contents of requests and
number of links in the network (making the router effectively forget about responses, including info about individual routes.
the holddown), or a new update says network status has changed.
ROUTING INFORMATION PROTOCOL (RIP)
- RIP is a D/V protocol sending a full table every 30 seconds.
- RIP has a long convergence time.
- RIP uses only one metric: hop count, with a maximum hop count of 15.
- AD = 120
- RIP will load balance between up to 6 links of equal cost.
- good for small networks but inefficient on large ones with slow WAN links or
many routers
- RIP v1 uses only classful routing, requiring all devices to use the same subnet
because it doesn’t send subnet info in its updates.
- RIP v2 does do classless routing but is not on the exam.
- RIP uses three timers:
- update timer: sets update frequency (default = 30 seconds)
- invalid timer: sets time with no mention of route before route is declared
invalid (default = 90 seconds)
- flush timer: sets time after invalid status before the route is removed from the
table (default = 240 seconds) The flush delay is used to inform other routers
of the dead route’s impending removal.
- RIP is configured thus:
(config)# no ip route 172.16.20.0 255.255.255.0
172.16.10.2 - removes static routes; static routes have an AD of 1, so RIP
(AD = 120) would never do anything
(config)# router rip - enables RIP
(config-router)# network 172.16.0.0 - sets network to advertise
(note: no mask!)
(config-router)# passive–interface s0 - sets interface to receive but
not send updates if you wish to limit RIP broadcast traffic
- Verifying RIP with # sh ip route again shows a table of info similar to static
routing, except with an R next to each dynamically acquired RIP table entry.
INTERIOR GATEWAY ROUTING PROTOCOL (IGRP)
- IGRP is a Cisco proprietary D/V protocol designed as an improvement to RIP.
- IGRP has maximum hop count of 100 by default with a maximum setting of 255.
- AD = 100
- IGRP uses a composite metric of BW and delay by default but can also use
reliability, load, and/or MTU (maximum transmission unit), if desired.
- IGRP uses four timers: update = 90 seconds; invalid = 3 x update;
flush = 7 x update; holddown = (3 x update) + 10 seconds
- IGRP is configured thus:
(config)# router igrp 10 - enables IGRP in AS number 10; all routers in
an autonomous system must be configured with the same AS # (1-65535)
(config-router)# network 172.16.0.0 - sets network to advertise
(note: no mask!)
- IGRP can load balance up to 6 unequal routes using this command to control the
balance between the lowest cost and the highest acceptable cost:
(config-router)# variance <1-128> where the value is the metric
variance multiplier
- other commands to help control traffic distribution are:
(config-router)# traffic-share balanced meaning, “share over the
routes in proportion to their metrics,” and
(config-router)# traffic-share min meaning, “share only among routes
with the same, lowest cost”
- Verifying IGRP routes with # sh ip route again shows similar tables, now
with an I for “IGRP” next to each dynamically acquired table entry and a note
similar to [100/160360] which shows the [default IGRP AD / composite
metric].
- Note: If RIP is accidentally left on, it will continue to consume BW and CPU
cycles, but never change a routing table because of its higher cost (AD = 120).
ROUTING TABLE DIAGNOSTICS
sh ip route a table of routes to all directly connected or reachable remote
networks.
sh ip protocols shows settings: which routing protocol is in use, update
frequency, time to next update, timer settings, metric weights, max hops, load
balancing, networks advertised, gateways found, and AD to each.
sh protocols shows if routing is enabled, L1/L2 up/down stats, & L3
addresses.
sh run shows the configurations you ordered.

14
CHAPTER VII – BOOT-UP & CONNECTIVITY TOOLS (unk # questions) 2142 – boot the IOS from flash but skip the CF (for password recovery)
- Change the CR with (config)# config-register <value>, then reboot
ROUTER MEMORY COMPONENTS
ROM (a.k.a. boot ROM) - instructions encoded on EPROM chips, including: RESETTING PASSWORDS by TURNING ON BIT 6 for ACCESS:
- POST (power on self-test) - checks hardware for configuration and errors - Reboot; at the console port, interrupt the boot sequence within 30 seconds with
- bootstrap sequence - instructions to initiate a start-up when the power comes a break command (CTRL-BREAK) to get to the rommon 1> prompt
on (on some routers). [WinNT’s HyperTerminal won’t do breaks, so upgrade or
- ROM monitor - provides a user interface in the absence of any valid IOS use 95/98.]
image
- Mini-IOS - called RxBOOT or bootloader by Cisco; will help router boot if no
real IOS is present; able to load a real IOS into flash and bring up an interface
RAM (a.k.a. DRAM) - erased whenever shutdown; holds packet buffers,
routing tables, functioning software and data, and the running-config file;
some routers can keep the IOS here. Examine the CF with sh running-
config; RAM contents with sh memory, sh buffers, and sh
stacks; programs with sh processes; CPU use with sh processes
cpu.
flash - an EEPROM chip (keeps its memory when the router is off; can be
erased or overwritten by special software commands); holds the Cisco
Internetwork Operating System (IOS); Some routers protect the flash in
read-only mode unless you boot from ROM. Examine the IOS with sh
version or the size & contents of the flash memory with sh flash.
NVRAM (non-volatile RAM) - also holds its memory when shut down; stores
the startup-config file transferred to RAM at startup and the configuration
register code for boot control. Examine the CR with sh version and the
stored configuration file with sh startup-config.
SELECTING an IOS for your NEXT BOOT
(config)# boot system flash <filename> - get IOS from flash;
<filename> is optional
(config)# boot system tftp <filename> <server_addr> -
get IOS from a network file
(config)# boot system rom - use that Mini-IOS hiding in ROM
- If you add all of these lines to your CF, the router will attempt each one in turn.
The ROUTER BOOT SEQUENCE
- To reboot the router, type > reload.
- The POST loads from ROM and checks health of the machine.
- The boot sequence is engaged to issue start up instructions.
- The IOS is loaded (from flash, by default); router now has an operating system.
- If a CF exists in NVRAM, it is loaded into RAM; otherwise setup mode starts.
CONFIGURATION REGISTER MATH
- 16 binary bits / 4 hex digits; viewed with # sh version
- The CR is usually set to 0x2102. In binary that equals 0010–0001–0000–0010,
with bits 1, 8, & 13 turned on. Four bits at a time it reads “2 – 1 – 0 – 2.”
a 1 in this bit means...
dec
0 0 1 0 0 0 0 1 0 0 0 0 0 0 1 0 bin
bit

hex
(Note: Bits that are normally on are shown in bold type.)
0 0x0001 bits 0-3 control the bootfield (the source of the IOS):
1 0x0002 0x0000; CR = xxx0: ROM monitor mode (no IOS)
2

2 0x0004 0x0001; CR = xxx1: boot an IOS image from ROM

3 0x0008 0x0002 - 0x000F: use the IOS specified in NVRAM
4 0x0010 [function unknown]
5 0x0020 [function unknown]
0

6 0x0040 0 = use CF from NVRAM; 1 = ignore NVRAM

7 0x0080 OEM bit enabled
8 0x0100 keyboard break disabled
9 0x0200 [function unknown]
1

10 0x0400 IP broadcast addresses use all zeros

11 0x0800 bits 11 & 12 control the console line speed
12 0x1000
13
14 0x2000 boot the default ROM software if a network boot fails
2

15 0x4000 IP broadcast addresses use no network numbers

0x8000 enable dialog messages and ignore NVRAM contents
- Simplified: xxx0=ROM monitor mode, xxx1=IOS from ROM, xxx2=IOS from
flash, xx0x=use the CF in NVRAM, xx4x=skip the CF; Some CR examples:
2000 - RxBOOT diagnostics mode; use ‘b’ to continue booting
2100 – force ROM monitor mode with rommon> prompt
2101 – boot IOS from ROM + NVRAM with router(boot)> (for
upgrading flash)
2102 – normal boot up (i.e. with IOS from flash + NVRAM)
(2102-210F – use the default boot filename specified in NVRAM)
2141 – boot to ROM and skip the CF (for disaster recovery)

15
- Turn on bit 6 by typing (config)# config-register 0x2142, then - Close a session from the remote end’s prompt with exit. Do the same from
reload the router, your prompt with disconnect
[or, on a 2500 Series router, > o to reach the option menu, then > o/r <connection_#/connection_name>.
0x2142, then I for ‘initialize’ - To get back your own prompt without disconnecting, press CTRL-SHIFT-6,
or, on a 2600 Series router, rommon 1> confreg 0x2142, then reset.] then x.
- Decline to enter setup mode (asked because there is no startup-config in use). - # sh sessions lists current Telnet connections and their connection numbers
- Enter privileged mode with > enable; copy the startup-config file (it’s still with a * beside the most recently used. Press ENTER ENTER to go back to
there in NVRAM, even though it wasn’t used) to the running-config file with that one.
copy start run; config t then set any passwords desired (enable - All the active consoles and ports on your router are shown with # sh users.
secret bozo, &c.); save CF with copy start run; reset the CR with (It’s really more like ‘sh ports.’) Again, a * marks the user (port) of the current
config-register 0x2102. terminal session. If you’re Telnetting out, your end will show all the hosts
- Reload the router with # reload. you’re connected to. Run this command on the remote end (via Telnet) and
you’ll see all its incoming connections, yours included.
BACKING UP the IOS to a TFTP HOST
- Eject a guest with sh users to see his line number, then clear line <#> to
- By default, the IOS is stored in flash.
toss him.
- First, copy the existing operating system to a tftp host.
[To make a router a TFTP host for storing flash images, type (config)# tftp Continued on page 14 with “TWO WAYS TO RESOLVE HOST NAMES…”
server.]
- Type # sh flash. The file’s name will be similar to c25000-js-l.112-
18.bin. This will also show any room available in flash for more file storage.
- ping your intended remote host to ensure you have connectivity.
- Type # copy flash tftp. (Note: This displays the same info as the sh
flash command.) When asked, enter the IP address of the remote host, the
source filename, the destination filename, and confirm the copy. TFTF can only
copy the file to the default directory on the host, so you need to set that up, first.
RESTORING / UPGRADING the IOS from a TFTP HOST
[Note: This procedure forces a reboot and terminates any Telnet sessions.]
- Put the desired source file in the default TFTP folder on the host.
- Type # copy tftp flash. Confirm, enter the host IP address, source
filename, and destination filename, confirm the erasure of the flash (if there’s
insufficient room for both the new and old files or if this is a virgin flash),
confirm again, accept a backup of the running-config to the startup-config (if
needs be), and confirm again. The router erases the flash, transfers the data,
does a checksum verification, and reboots. Whew!
CISCO DISCOVERY PROTOCOL
- CDP gathers info about the hardware and protocols on directly connected Cisco
neighbor devices. It uses L2 SNAP multicasts.
- # sh cdp (on either routers or switches) shows your CDP timer (seconds
between your transmittals of CDP on all active interfaces; default = 60) and
your CDP holdtime (seconds you’ll hold an incoming CDP packet; default =
180.)
- To set these, type (config)# cdp timer <seconds> or cdp
holdtime <seconds>.
- Routers run CDP by default. (config)# cdp run and no cdp run turn it
on and off.
- There’s still no CDP on an interface until it’s enabled using (config-if)# cdp
enable.
- View neighbor info with # sh cdp neighbor. This lists the devices’ IDs,
your interface connected to them, your remaining holdtimes for their last
packets, what they do, what series they are, and their port or interface
connected to you.
- # sh cdp nei detail adds L3 addresses and IOS versions to the above. It’s
identical to # sh cdp entry *. Clear your table of neighbor data with #
clear cdp table.
- You can use Telnet to get CDP info from devices that aren’t your neighbors.
- # sh cdp traffic counts the CDP packets you’ve sent and received and their
errors.
- # sh cdp interface lists all your interfaces’ L1/L2 up/down stats,
encapsulations, and cdp timer & holdtime settings. But if an interface has CDP
disabled, it won’t even be mentioned!
TELNET or VTY (Virtual TeletYpe)
- Why VTY? Because the old Teletype abbreviation is “TTY.” Does that help?
- Using Telnet tests connectivity through the entire IP stack. It’s your best test.
- Telnet is preferable to debug, which can place extreme traffic loads on a router.
- By default, before you can Telnet in to a device, its VTY password must be set.
You can Telnet into (but not from) a 1900 Series switch but you must first set its
enable mode password level 15. This lets you get to the switch’s Management
Console menus or command line. (You can ping from a 1900.)
- Launch Telnet from any Cisco or DOS prompt by typing telnet and either the
address or hostname to connect to. Also, any time you simply type a name or
address into a router prompt, the Cisco IOS assumes you want to Telnet there.

16
CHAPTER VIII – IPX (4-5 questions on encap. types & how to turn on/off) IPX ENCAPSULATION
– Part 1: IPX BASICS – - Here we mean taking L3 IPX datagrams and framing them in L2 IPX frames for
Like IP, IPX is comprised of a suite of protocols. Novell’s layered protocols don’t, use on Ethernet, Token Ring, or FDDI.
however, follow the OSI model: - Because of Novell changes through the years, these L2 frames come in four
incompatible frame types for Ethernet, two for Token Ring, and three for FDDI.
IPX...
For example, the fields in the four different IPX Ethernet frames look like this:
- stands for “Internetwork Packet eXchange”
Ethernet_802.3 802.3 IPX
- is connectionless (like UDP), therefore communications using it get no
acknowledgements Ethernet_802.2 802.3 802.2 LLC IPX
- approximates L3 (mostly) and L4 functions Ethernet_II Ethernet IPX
- talks to higher layers via “sockets,” akin to TCP “ports” Ethernet_SNAP 802.3 802.2 LLC SNAP IPX
- sends everything via broadcasts (very resilient but problematic for big See why it’s a problem? Cisco has five different names for the frame types, thus:
internetworks)
NetWare name Cisco name notes
SPX... Ethernet_802.3 novell- used in NW3.x; default for Ethernet
- stands for “Sequenced Packet eXchange” ether
- adds-on connection oriented functions (akin to TCP) Ethernet_802.2 sap for NW4.0; most common (says Cisco)
- identifies individual connections as virtual circuits, each with a specific Ethernet_II arpa the best if using both TCP/IP and IPX
connection ID in the SPX header Ethernet_SNAP snap
- operates at the equivalent of L4 Token –Ring sap default for Token Ring
Novell RIP... Token –Ring_SNAP snap
- stands for “Routing Information Protocol” FDDI_SNAP snap default for FDDI
- is a distance/vector routing protocol FDDI_802.2 sap
- uses “ticks” (18ths-of-a-second) and (if there’s a tie) hop counts as metrics FDDI_RAW novell-
- I’ll label it as RIPIPX so as not to confuse it with TCP’s “RIP.” fddi
- On a serial interface, the default encapsulation remains Cisco proprietary
SAP...
HDLC.
- stands for “Service Advertising Protocol”
- Each frame type in use on a network segment constitutes a separate virtual IPX
- is used to advertise/request network services from NetWare servers
network with its own, unique IPX network address and its own broadcast traffic.
NLSP... - To display frame types and IPX network IDs in use on a NW server, type
- stands for “NetWare Link Services Protocol” CONFIG on that server.
- is a more advanced replacement for RIPIPX and SAP
– Part B: HOW TO DO IPX, ROUTER-WISE –
- is a link-state routing protocol
IPX SETUP
NCP... - Two parts to IPX setup: enabling IPX routing and enabling IPX on an interface.
- stands for “NetWare Core Protocol” - Cisco HDLC remains the default encapsulation method for each serial
- provides security, file access, synchronization, &c interface.
(config)# ipx routing - automatically starts RIPIPX
In summary, Novell provides much internetworking capability on its own.
(config)# ipx network <network_ID_#> encapsulation
CLIENT- SERVER RELATIONS <frame_type> secondary
- NetWare machines are either clients OR servers. Period. encapsulation <frame type> is optional (see default types in
- Servers almost always run the NetWare OS. above table)
- Clients can run MAC, DOS, Windows, NT, OS/2, Unix, or VMS. secondary (also optional) indicates this command is an additional
- Clients broadcast GNS (“Get nearest Server”) requests; servers answer with GNS configuration with yet another frame type to use, rather than just a
replies containing pointers to specific servers holding the requested resources; the reconfiguration of the interface.
info comes from SAP tables on the servers. - Some examples of the above command:
- Cisco routers can build their own SAP tables and respond as though they were (config)# ipx network 20
NW servers, or respond on behalf of a remote NW server in a different network. (config)# ipx network 20 encapsulation sap secondary
SERVER-SEVER RELATIONS - A warning about the secondary command: Although multiple frame types
- Servers speak to each other 2 ways: with SAP packets for service info and with can be configured on a single segment (to support different generations of Novell,
RIPIPX for routing info. say), this can be a lousy idea because each frame type generates its own, added
- Both are sent in broadcasts at 60-second intervals. broadcasts. You can avoid multiple frame types by making subinterfaces, instead.
- Broadcasts include the sender’s own info plus accumulated info about other ipx maximum-paths <1-64> - enables round-robin load sharing
servers, as well. Eventually, all NW servers become fully enlightened. over several equal-cost paths
- Cisco routers can play this IPX update game, too; this is good because broadcasts ipx per-host-load-share - always sends traffic for a specific host via the
don’t normally cross routers (keeps more traffic within individual segments). same path when load sharing

IPX ADDRESSING IPX DIAGNOSTICS

- IPX addressing is hierarchical, as in IP. The first eight hex digits are the show ipx route a table of routes to all reachable IPX segments, with ticks &
network address; the remaining twelve form the node address. Here’s an hops.
example: show ipx interfaces gives a long list: L1/L2 up/down stats, IPX
00007C80.0000.8609.33E9 addresses with encapsulation type, and other IPX settings, mostly about access
network portion node portion total lists (chapter IX).
up to 8 hex digits 12 hex digits = 20 hex digits show ipx interface e0 Same as above, but for only a single interface.
4 Bytes 6 Bytes = 10 Bytes (1/2 Byte per hex) show interface e0 DOES NOT SHOW IPX ADDRESS!
32 bits 48 bits = 80 bits (4 bits per hex) show protocols lists 3 things: routed protocols, L1/L2 up/down stats, and IP
- By convention, leading zeroes in the network address are usually not shown. and IPX addresses (with IPX encapsulation type, except on subinterfaces).
- The network portion of an IPX address is used, as with any L3 address, to route show ipx servers displays the accumulated SAP table info, including all
packets between networks. An administrator assigns the network number. known servers and their offerings.
- The node portion, however, is derived automatically by copying the device’s L2 show ipx traffic shows the number and type of IPX packets transmitted
MAC address. This means every IPX address contains both L3 and L2 info. (both RIPIPX and SAP traffic).
- Automatic IPX addressing means workstations require no DHCP or manual debug ipx routing activity displays routing updates as they occur
configuration. debug ipx sap activity displays SAP updates as they occur
- Because L2 addresses are already included within the logical addresses, there is Once you have the IPX address of a remote router (using show cdp
no need for something like ARP to provide L3-to-L2 resolution. Pretty smart. neighbor detail or show cdp entry * or by Telnetting into it), you can
ping that address three ways:
17
 ping <ipx_address> (although that wastes time trying to ping via IP,
first)
ping ipx <ipx_address>
or, for more details,
ping
ipx
<ipx_address>

18
CHAPTER IX – ACCESS LISTS (3 questions) access-list 1 deny 172.16.30.2 0.0.0.0 - deny traffic
from just this host
- Access lists limit packets to specified segments for improved operation and
access-list 1 deny 172.16.30.0 0.0.0.255 - deny traffic
simplified traffic patterns, as well as limiting access for improved security.
from all hosts in network segment 172.16.30.0
- IP and IPX lists work similarly.
access-list 1 deny 0.0.0.0 255.255.255.255 - deny
- “Inbound” means from segment to router, whilst “outbound” means from
traffic from any source (In the address, an ignored octet can contain any
router to segment. Lists are applied specifically to traffic of one direction or the
digits but is usually filled with a zero, by convention.)
other.
any similarly means, “consider packets from any source,” as in
- IP and IPX lists are either ‘standard’ or ‘extended.’ Standard lists filter only by
access-list 1 deny any - deny packets from any source
• source address or hostname <name> specifies one host: access-list 1 deny
• destination address (IPX, only). hostname RouterB
- Extended lists can filter by - Each additional access-list command adds another test line to the specified
• source address list.
• destination address - The command (config-if)# ip access-group <1-99> <in/out>
applies the specified list to this interface. For example: (config-if)# ip
• L3 ‘protocol’ field (IP, TCP, & UDP in IP lists; SAP & SPX in IPX access-group 1 in
lists)
• IP ‘port’ number (or IPX ‘socket’ number)
- Lists are first created, one test at a time. They are then applied to an interface.
- As you build a list, each new test is appended to its end. The sequence matters!
- De-apply a list with no ip access-group 1 in, then delete it with no
access-list 1; to kill just one test, type the whole line (no access-list 1…
and remaining parameters).
- Apart from that method, lists cannot be edited in the Cisco IOS but the results of
show running-config or show access-list can be copied to a text
editor and changed.
- Only one list per protocol or per direction may be placed on an interface.
- SYNTAX NOTE! access-list to create; ip access-group (or ipx )
to apply!
OPERATIONAL RULES
- The tests in a list are always considered sequentially.
- Once a packet finds a ‘permit’ or ‘deny’ match, that action is taken and no further
testing of that packet occurs.
- Each list ends with an implicit “deny everything else” statement.
- Lists filter only traffic from other routers, not traffic originating in their router.
LIST CONSTRUCTION GUIDELINES
- Place the most specific tests first.
- Apply standard lists as close to the destination as possible.
- Apply extended lists and SAP filters close to the source to reduce network traffic.
- If no ‘permit’ statement is included, no packets will pass. (Duh!)
- Unless you end a list ‘permit all others,’ any traffic not passed will be discarded.
- Slap an access list onto a port with only narrow permissions and you can
unwittingly block a lot of traffic.
ID NUMBER RANGES FOR ACCESS LISTS
1 – 99 IP standard
100 – 199 IP extended
200 – 299 Protocol Type Code
300 – 399 DECnet
400 – 499 XNS standard
500 – 599 XNS extended
600 – 699 AppleTalk
700 – 799 48-bit MAC Address standard
800 – 899 IPX standard
900 – 999 IPX extended
1000 – 1099 IPX SAP
1100 – 1199 48-bit MAC Address extended
1200 – 1299 IPX Summary Address extended
STANDARD IP LISTS
(config)# access-list <1-99> <deny/permit>
<source_address>
<1-99> is the list ID number.
<source_address> can appear in the following formats:
host <ip_address> ‘host’ is the default command & may be
eliminated:
access-list 1 deny host 172.16.30.2 - OR –
access-list 1 deny 172.16.30.2 - deny traffic from this
specific host
<ip_address> <wildcard> adds flexibility to the above. In the
wildcard each
0 means “consider the corresponding octet in the IP address,” and each
255 means “ignore the corresponding octet.” Be as specific as you like:

19
IP LIST WILDCARDS USING “BLOCKS” show ip interface - shows which interfaces bear which lists
- Rather than considering an entire octet with a 0 or ignoring it with a 255, you can show running-config - shows all lists and the interfaces using them
opt to consider “blocks” of 4, 8, 16, 32, or 64 addresses within an octet by using
the corresponding wildcards 3, 7, 15, 31, or 63, respectively. For example, in Continued on page 14 with “STANDARD IPX LISTS”
access-list 1 deny 172.16.32.0 0.0.7.255 the numeral 7 means
“deny 172.16.32.0 through 172.16.39.0.” This is the block of eight network
addresses from 32-to-39 because the wildcard to consider eight addresses is the
number “7” and the starting address given in the corresponding (third) octet is
“32.”
-The starting address (“32,” in the above example) must be always a multiple of
the block size. Here the block size is eight and because “32” is, in fact, a multiple
of eight, everything is proper. Hint: as a quick check, this rule means the starting
address must be always a multiple of four, the smallest possible block. You can’t
start a block at a value of 39, for example, nor can you start a block of 64
addresses with the value “40.” (But you can permit a block of 64 and then deny
little blocks of 4 within it!)
VTY (Telnet) ACCESS CONTROL
(config)# access-list <1-99> <deny/permit>
<source_address>
- Telnet lists are applied like other lists, but with slightly different commands:
(config)# access-list 1 deny 172.16.30.2 - creates the access list
(config)# line vty 0 4 - shifts to the Telnet line-specific prompt
(config-line)# access-class 1 in - applies the access list to that
Telnet line
EXTENDED IP LISTS
(config)# access-list <100-199> <deny/permit/dynamic>
<protocol> <source_address> <destination_address>
<option> <port>
<dynamic> signifies a dynamic list of ‘permits’ and ‘denies.’
<protocol> is a protocol sufficiently high up the OSI model to act upon
the port number you’ll specify. It’s typically TCP or UDP, because IP, ICMP,
&c. – even though they’re legitimate choices – cannot filter on L4 port
numbers!
<source_address> can appear in the following formats:
host <ip_address> as above
<ip_address wildcard> as above
any as above
<destination_address> can appear in the following formats:
host <ip_address> as above
<ip_address> <wildcard> as above
any as above
eq equal to the specified port number
gt greater than the specified port number
lt less than the specified port number
neq not equal to the specified port number
range within the specified range of port numbers
<option> can appear in the following formats:
eq equal to the specified port number
gt greater than the specified port number
lt less than the specified port number
neq not equal to the specified port number
range within the specified range of port numbers
established allow to pass (usually) if using an already-established
connection
fragments check fragments
log logs list #, protocol, source/dest. addresses, & port for any matches
log-input same as “log” also including input interface
precedence match packets with given precedence value
tos match packets with given TOS value
<port> application port, either by name (telnet) or number (23)
access-list 100 deny tcp any host 172.16.30.2 eq 23 log -
deny tcp packets from any source to host 172.16.30.2, specifically those for ports
equal to 23; log any hits
access-list 100 permit ip any any - permit remaining ip packets from
any source to any destination
ip access-group 100 out - applies the specified list to this interface
IP LIST DIAGNOSTICS
show access-list - shows all lists by ID number and their configurations
but does not show the interface to which a list is applied
show access-list <id#> - same, but for a specific list, only; also does
not show the interface to which applied
show ip access-list - shows only ip (standard and extended) lists, in
detail
20
CHAPTER X – WANs: When Ethernet Just Doesn’t Cut It (6-10 questions) - synchronous serial; 100% digital from end-to-end
CONNECTION TYPES - like dial-up but in digital format with immediate connections & higher speeds
leased serial line (a.k.a. “point-to-point dedicated line”): - can carry voice plus data, video, audio, large files, &c.
- synchronous serial (a direct, precisely timed digital link between 2 machines) - good for infrequent, high-speed transfers
- always connected; no call & setup needed; you don’t share the wire - a good alternative when you’re too far from a CO for DSL signals to reach
- expensive but the best for constant, high-speed traffic - a back-up method to Frame Relay or a T1 leased line; good for branch offices
- 45Mbps, max. - a suite of protocols designed by ITU-T telco bureaucrats, so it has weird terms
packet-switched (e.g. X.25 or Frame Relay): - often uses PPP for encapsulation, maintaining link integrity, & authentication
- line remains open into a “cloud” network of switches used by many clients - for encapsulation it can use PPP, HDLC (default on BRI interfaces), or LAPB
- best for occasional burst transfers - supports most every type of upper-layer protocol
- cheaper alternative to leased lines if you’re not constantly transmitting PPP (Point-to-Point Protocol – late-1980s):
- ATM, using equal-sized 53-Byte packets or “cells”, is called “cell-switched” - provides ‘fake Ethernet’ L2 encapsulation for L3 contents over a modem or
circuit-switched (e.g. ISDN or POTS/PSTN dial-up): serial point-to-point link, either router-to-router or host-to-network
- asynchronous serial (PPP dial-ups) or synchronous serial (ISDN) - mostly L2 with a L1 component
- connected only when needed (usually by a call through telco copper circuits) - used mostly over circuit-switched networks, either on asynchronous (dial-up)
- offers the lowest bandwidth of the three types or synchronous (ISDN) links
- toll networks are ones using the public switched telephone network (PSTN) - uses generic HDLC but uses NCP to identify the L3 protocol it encapsulates
TELECOM CONNECTION TERMS - features PAP or CHAP authentication
DCE (“the mechanisms & links of the network portion”) - It’s an ISO-standard means of identifying encapsulated L3 info, so it can be
used to connect proprietary formats.
- the successor to SLIP (Serial Line Internet Protocol) since the late 1980s
CPE C CO Frame Relay (a child of X.25; late-1980s):
DTE PO
S
P - replaces Ethernet, & other LAN frames with Frame Relay frames for
DEMARC transparent transmission across packet-switched networks
DCE = data communications equipment - L2 with some L1 functions
DTE = data terminal equipment; a router or PC LOCAL LOOP - industry-standard
CPE = customer premises equipment; the stuff on-site, no matter who owns it - connection-oriented via private or switched virtual circuits (PVCs or
DSU = data service unit; the T1 adapter & timing device, usually combined with the...
CSU = channel service unit; the digital connector
SVCs)
CO = central office, the provider’s nearest point-of-presence - originally designed for ISDN; now supports IP, DECnet, AppleTalk, IPX, &c.
Demarcation (‘Demarc’) = point (equipment closet) where the CPE and Local Loop - NBMA (Non-Broadcast, Multi-Access): will not broadcast, so routers must
meet copy routing protocols, &c. onto all VCs. All connected routers are peers.
- uses only best-effort delivery; leaves any error checking to higher layers;
– SUMMARY of WAN PROTOCOLS (except DSL, which is too new) – less error checking = less overhead than old X.25, so it has better
HDLC (High-level Data-Link Control – developed from the 1970s, onward): performance
- provides L2 encapsulation & error-checking for point-to-point links on - excellent for bursty traffic if reliable connections; not great for voice or
synchronous serial lines. video
- used over leased-line, circuit-switched, or packet-switched networks - allows dynamic bandwidth allocation, congestion control, simple flow
- L2 and a bit of L1 control
- bit-oriented - 56kbps to 2,078kbps
- uses frame characters and checksums A Word about Bit- vs. Byte-Oriented L2 Protocols:
- does not permit authentication - Bit-Oriented protocols transmit frames regardless of content; may use
- comes in many flavors; ‘Normal Response Mode’ is an ISO-standard, BUT… single bits to hold control info; more efficient and trustworthy than Byte-
- It does not identify the L3 protocol it encapsulates, THEREFORE… Oriented; can run in full-duplex; e.g. SDLC, HDLC, LAPB, LLC, TCP, IP.
- Each vendor (Cisco included) has a proprietary identification method for an
- Byte-Oriented protocols mark frame boundaries with specific characters;
encapsulated L3 protocol, making different vendor’s HDLCs incompatible.
need whole bytes for control info; generally superceded by bit-oriented
- The generic, ISO version of HDLC is used by PPP (only place you’ll see it).
protocols.
- Cisco HDLC is the default encapsulation for serial interfaces on Cisco
routers.
– The DETAILS to KNOW about PARTICULAR PROTOCOLS –
HDLC History: IBM made SDLC (Synchronous DLC) in the mid-‘70s as
PPP
part of its System Network Architecture for mainframes. Everyone copied
- Its L2 portion has three parts:
it. First the ISO made HDLC to give L2 framing to other networks. Now
- NCP (Network Control Protocol), used to identify the L3 contents
HDLC has several variants: there’s NRM for SDLC users and the ITU-T
- LCP (Link Control Protocol), used to make/break connections; LCP
bureaucrats in France made LAP for early X.25 users, LAPB for current
provides:
X.25, LAPD for ISDN D-channels, and LAPM for modems. The IEEE
• PAP or CHAP authentication
built their 802.2 specs on it and many vendors, Cisco included, have their
own flavors. Fun, huh? • ‘Stacker’ or ‘Predictor’ (for Cisco) compression
X.25 (1970s): • ‘Quality’ and ‘Magic Number’ error-checking
- hooks DTE gear to DCE networks via a Packet Assembler/Disassembler (PAD) • ‘Multilink’ load splitting
- ITU-T precursor to Frame Relay; not great for voice, video, or bursty traffic
- generic (not proprietary!) HDLC, used to encapsulate L3 contents with no
- used over packet-switched networks
ID
- the L3 component of the stack is called PLP (Packet Level Protocol)
- Its L1 portion has one part: the EIA/TIA-232C (“RS-232”) serial link standard
- uses LAPB for L2 functions; uses the X.121 international addressing standard
LAPB (Link Access Procedure, Balanced – actually “HDLC-LAPB”; 1980s): - PPP sessions are established in three phases:
- an HDLC variant providing heavy error-checking for DTE-DCE connections - a link establishment phase
- L2 and a bit of L1 - an authentication phase
- connection-oriented - a network layer protocol (L3) phase
- bit-oriented - PPP authentication methods: (You can use one, not both.)
- was developed as part of the X.25 stack but can stand alone - PAP (Password Authentication Protocol); like it sounds, clear text
- some overhead due to strict time-out and windowing requirements authentication by the exchange of a password
- an alternative to HDLC-NRM for error-prone connections - CHAP (Challenge Handshake Authentication Protocol); a three-way
ISDN (Integrated Services Digital Network – 1970s and 1980s): handshake; much more secure than PAP
- L1, L2, and L3
CONFIGURING PPP:
- used on ckt-switched networks like the “plain old telephone system” (POTS)
(config-if)# encapsulation ppp - turns on PPP for a serial link
21
(config)# hostname Chicago - name it so it can identify itself when
authenticating
(config)# service password-config - option to encrypt the password
you are setting
(config)# username Atlanta password bozo - set the name of
remote router and the password it must give; Note: both routers’ passwords
must be identical
(config-if)# ppp authentication chap - set authentication method;
Note: if you then say ppp authentication pap, CHAP will be the
default with PAP as a back up
PPP DIAGNOSTICS:
show interface s0 - gives PPP info, LCP status, as well as all the usual
stuff
debug ppp authentication - verifies your authentication setup
More…

22
 FRAME RELAY (3 questions) CHI-NY PVC 172.16.30.1 - BECN (Backward Explicit Congestion Notification) bit: Gets turned on in a
1 s0.7 special packet sent back to the source as a warning.
NY
172.16.30.17 - CIR (Committed Information Rate): A provider’s guaranteed minimum rate with
2 V if traffic is light.
faster speeds possible U Low CIRs mean more packets are NT1
1 dispensable, module
ET with their DE bits set to ‘on.’
CHI TE1
CO LT
CO NY-ATL PVC inside the
FRAME RELAY DIAGNOSTICS: TE1
ISDN switch cloud
# show frame-relay <x> where ‘x’= ip, route, traffic, or, more
importantly, V U T S
N N
2 CO 4 lmi
ET shows type, errors, LMI traffic
T details T TE1
Frame Relay
“cloud” of switches LT (up/down)
pvc stats for PVCs 1 & DLCIs, including
2 BECN and FECN
X = DLCI
counts
= CSU/DSU ATL
S
map L3 address-to-DLCI number mappings, static/IARP R
mapping, LMI
= FR Switch CHI-ATL PVC stats T TE2
4 172.16.30.18
# show interface s0 - line, protocol, LMI type, and general
A LMI stats
- DTEs in FR connect via PVCs or SVCs. Every VC is labeled at either end # debug frame-relay lmi - shows if router and switch are sharing
with a Data-Link Connection Identifier or DLCI (“DEL-see”) numbered 16- correct LMI info S/T
1007. TE1
- FR is NBMA, so routers must copy broadcasts onto all virtual circuits but Split-
ISDN switch cloud
Horizon rules stop routing info (except from RIP, IGRP, EIGRP, &c. in the IP
(NT1 stuff
suite) and service updates (IPX SPA/GNS) from coming and going via the same
inside) S/T R
interface. Separate ‘full-mesh’ connections between every router might be
TE2
complex and expensive. Instead, subinterfaces can host many VCs, each with T
its own DLCI and L3 characteristics (IP address, &c.) on one physical interface. A
(config-if)# encapsulation frame-relay <type> enables FR on
specified interface or subinterface and sets the encapsulation type used by the
provider. The default type is cisco and it’s proprietary; ietf (Internet
Engineering Task Force) is an encapsulation based on PPP and is for
connections to non-Cisco equipment.
- Create a subinterface (a common interface trick, not just a FR command) with
(config-if)# interface s0.7 <link_type>. The two link types are
point-to-point (only 1 VC connects to your interface; each connection
needs its own subnet) and multipoint (several VCs connect; all FR
interfaces use the same subnet).
(config-subif)# frame-relay interface-dlci <16-1007> applies
a DLCI to a specific subinterface; required on point-to-point subinterfaces;
optional on multipoint.
- A Link (or Local) Management Interface (LMI) tracks and maintains the
link from the router to the FR switch. It verifies flow, auto-assigns local or
global DLCIs, and reports a circuit status as active, inactive, or deleted. The
three LMI types are cisco (the default), ansi, and q933a. Since IOS
v11.2, LMI type is auto-sensed but you can set it with (config-if)#
frame-relay lmi-type <type>.
- On multipoint interfaces only, IP or IPX addresses at the distant-end must be
mapped to DLCIs at your end, either statically or (using Inverse ARP)
dynamically. [See the examples below.] Static maps are more reliable
because IARP sometimes makes nonsense mappings to unknown devices.
FRAME RELAY EXAMPLE with STATIC MAPPING on ROUTER “NY”:
(config)# int s0 - go to a serial interface zero
(config-if)# encapsulation frame-relay - turn on Frame Relay
(config-if)# int s0.7 multipoint - create a multipoint subinterface
(config-subif)# no inverse-arp - turn off Inverse ARP
(config-subif)# ip address 172.16.30.1 255.255.255.0 - set IP
address on subinterface
(config-subif)# frame-relay map ip 172.16.30.17 16 ietf
broadcast - map Chicago’s IP address to your DLCI 16; use IETF
encapsulation for this subinterface because Chicago has non-Cisco gear; let
broadcasts use this virtual circuit
(config-subif)# frame-relay map ip 172.16.30.18 17 - map
Atlanta’s IP to DLCI 17
(config-subif)# frame-relay keepalive <seconds> - set LMI
keepalive (default = 10)
- To use less-stable, automatic IARP mapping instead, enter only these commands:
(config-if)# int s0.7 multipoint - create a multipoint subinterface
(config-subif)# encapsulation frame-relay ietf - turn on Frame
Relay, IETF type
(config-subif)# ip address 172.16.30.1 255.255.255.0 - set
subinterface’s IP address
- FR switches can apply three congestion control methods:
- DE (Discard Eligibility) bit: Less-important packets have the DE bit turned
on so they may be dumped if congestion occurs.
- FECN (Forward Explicit Congestion Notification) bit: Gets turned on as a
warning to the destination if a packet encounters congestion along its trip.

23
ISDN (2-3 exam questions; expect definitions) - A full ISDN PRI setup goes: isdn switch-type <keyword>;
- ISDN has an alphabet soup of component labels. In North America/Japan: controller t1 <slot/port>; framing esf; linecode b8zs; pri-
group <timeslots/range>. (So I’m told.)
More…

In Europe & Australia:

TE1 (Terminal Equipment, type 1): an ISDN-ready device

TE2 (Terminal Equipment, type 2): an ISDN-stupid device; no ISDN capability
NT1 (Network Termination, type 1): handles L1 ISDN specs; part of the carrier
network outside North America/Japan but here packaged as a separate box (a
type of CSU/DSU) to connect to our primitive ISDN networks
NT2 (Network Termination, type 2): handles L2 & L3 ISDN specs; Lammle says
they are usually provider equipment (like a switch or PBX) and only rarely seen
as CPE gear. I think he’s clueless about NT2s because other sources show them
as in my picture (above) and they say an NT2 is often integrated with an NT1
into a single box. (Maybe that’s why Lammle didn’t see them.)
TA (Terminal Adapter): often incorrectly called an ISDN ‘modem;’ the wire-
converter thingy you must stick in front of a TE2 to get it to play ISDN games.
LT (Line Termination): a physical connection point into the telco network
ET (Exchange Termination): the telco’s ISDN switch, the first one in the cloud
R reference point: between a TE2 and its TA; 2 wires
S and T reference points: Supposedly, an NT2 connects to CPE gear by an ‘S’
and to an NT1 by a ‘T’. Sybex’s diagrams show no NT2s, so I made my
picture from other sources. We can say for sure 1) S & T are electrically and
functionally equivalent, so their names often get combined and B) they must
be the same as the 4-wire connections between European NT1s and
TE1s/TAs, because that’s where they’re always pictured. Helpful? I didn’t
think so.
U reference point: between DCE (meaning “telecom”) line termination
equipment and NT1s (only in North America and other ass-backward zones);
2 wires
V reference point: between ET and LT; I have no idea how many wires it has.
ISDN protocols starting with...
- E deal with ISDN use over existing phone systems
- I deal with concepts, aspects, and services (“Could you be more vague?”)
- Q deal with switching and signaling
BRI (Basic Rate Interface) 2B (bearer) + 1D (data) channels, total 128kbps
B = data @ 64kbps
D = control & signaling @ 16kbps
PRI (Primary Rate Interface)
In North America: 23B + 1D channels (a “T1”), total 1.544Mbps
In Europe, Australia, &c: 30B + 1D channels (an “E1”), total 2.048Mbps
B = data @ 64kbps [Since 1k=1024 and 1M=1024k, I know the above
D = control & signaling @ 64kbps totals don’t add up but try not to worry about it!]
How ISDN connects: Router connects D channel to near-end ISDN switch; switch
sets path to distant-end switch via SS7 signaling; distant-end switch connects D
channel to remote router; B channel(s) are connected from end to end.
- Use (config)# or (config-if)# isdn switch-type <keyword> to
configure the correct ISDN switch type, where the keyword tells the
manufacturer and switch type. Basic-5ess = an AT&T basic rate and
Basic-ni1 = a National ISDN-1 switch.
- BRI interface hookups may require you use isdn spid1 <spid>
<local_dial#> and isdn spid2 <spid> <local_dial#> to
configure the SPID (Service Protocol ID – like an account number) for each B
channel to let your equipment talk to the ISDN switches. The local dial number
may or may not be required.
24
DDR (Dial-on-Demand Routing) for ISDN or DIAL-UP (config-if)# vlan-membership static 4 - map only one VLAN;
- for low-volume, occasional connections via POTS/PSTN (dial-up or ISDN) repeat for other ports
- connects when ‘interesting’ packets dictate; breaks when idle time-out ends.
# sh vlan – gives names, status, port mappings
- First, set up a static route (so routing protocol traffic won’t keep you
# sh vlan 2 – as above, plus type, SAID, MTU, parent, ring#, bridge#, STP,
connected):
&c.
(config)# ip route 172.16.50.0 255.255.255.0 172.16.60.2
# sh vlan-membership - list each port, its VLAN, and whether static or
- “get to ’50 via 60.2”
dynamic
(config)# ip route 172.16.60.2 255.255.255.255 bri0 -“get
to 60.2 via bri0” PUTTING MULTIPLE VLANs through ONE PORT by TRUNKING IT
- All participating routers require full static route knowledge of the network. Add ALL the VLANs to a “trunked” port and set how it deals with the device
- Default routing can be used on stub networks (only one outlet to other networks). plugged into it: (config-if)# trunk <option> where option is one of
- Next step, specify the interesting traffic with a ‘dialer-list’ command: the following:
(config)# dialer-list 1 protocol ip permit - “List 1 says, ‘all IP auto – do trunk mode if the other device is on or desirable
traffic is interesting.’” desirable – negotiate trunk mode if other device is on, desirable, or
(config)# int bri0 - choose the interface auto
(config-if)# dialer-group 1 - apply List 1 to the specified interface on – permanent trunk port; negotiate conversion to trunked mode
- Last step, configure the dialer: nonegotiate – permanent trunk port; don’t negotiate
(config-if)# ip address 172.16.60.1 255.255.255.0 - assign the off – no trunking; try to convert other device to be on-trunk, too
interface an IP address - To selectively remove a VLAN from a trunked port (for security, broadcast, or
(config-if)# no shut - turn the interface on routing update issues): (config-if)# no trunk-vlan 5 - repeat for each
(config-if)# encapsulation ppp - select an encapsulation type VLAN to kill
(config-if)# dialer-string 8350661 - set up the number(s) to dial – OR - Multiple ports can trunk. Each is identified with a letter. Verify trunking with
– # sh trunk (for all trunking ports) or # sh trunk <letter> (for specific
(config-if)# dialer map ip 172.16.60.2 name Chicago ports) and
8350661 - map the number(s) to dial, which is more secure. (This method # sh trunk <letter> allowed-vlans to see remaining VLANs after
uses the IP address of the next hop router and the hostname of the remote some are removed.
router for authentication.)
Key Terms: auto duplex: duplex is set automatically; dynamic entries: a L2 or L3
- To tell the dialer when to bring up the second B channel, type
address table built dynamically; port security: frame restrictions on switch ports;
(config-if)# dialer load-threshold <1-255> <in/out/either>,
set-based: the older CLI for Cisco switches, as opposed to newer IOS-based types.
where 1-255 is the relative load level and the direction tells which traffic you
want used as a trigger. The default is to monitor outbound traffic.
- To set the idle disconnect time for calls, use CHAPTER VII – BOOT-UP & CONNECTIVITY TOOLS, continued from pg 9
(config-if)# dialer idle-timeout <seconds> The default is 120 TWO WAYS TO RESOLVE HOST NAMES to IP ADDRESSES:
seconds. HOST TABLES: ip host <name> <tcp_port#>
- You can extend the “interesting” list by pointing it to an access list: <ip_addresses_1-8> The default port number for TCP is 23 (so you can
(config)# dialer-list 1 list 100 -“ Use access list 100 to define dialer list skip it) and you can list up to 8 IP addresses:
1.” (config)# ip host Atlanta 172.16.10.2
(config)# access-list 100 permit tcp any any eq smtp - add to (config)# ip host Chicago 192.168.0.148, &c. To view your table,
access list 100 type # sh hosts. Manual entries will say perm; DNS entries will say
(config)# access-list 100 permit tcp any any eq telnet - add temp. Verify with ping.
to access list 100 - To remove an entry, type no ip host Atlanta.
(config-if)# dialer-group 1 - apply the dialer list to the specified interface DOMAIN NAME SYSTEM (DNS): The IOS assumes you want to use DNS any
- Note: The access list is created but not applied anywhere. The access list may time you type an unknown command. It looks for your typed gibberish in its
be of any type, 1-1299. hosts table, thinking you might be naming a device you want to Telnet to. To
turn this feature off, use no ip domain-lookup.
ISDN & DDR DIAGNOSTICS: - To set up DNS: Turn it back on with
ping or telnet - make sure ping and Telnet are designated “interesting” so the (config)# ip domain-lookup. (What? You thought you could leave it
link comes up when you try to use them! off?)
show dialer - gives diagnostic info for all the above dialer commands (config)# ip name-server 192.168.0.70 points to your DNS server.
show isdn active - shows the number called, if a call is in progress (6 servers, max.)
show isdn status - used before dialing to check SPID validity; confirms L1, (config)# ip domain-name mycompany.com (optional) appends this
L2, & L3 are talking to the provider’s switch domain name any time you type the name of a host. This is a good idea because
show ip route - displays all the known routes DNS demands FQDNs (Fully Qualified Domain Names) to operate.
debug isdn q921 - gives L2 info, only (Remember those “Q” protocols?) View your host table with # sh hosts. Test with ping.
debug isdn q931 - gives L3 info (including call set-up & tear-down)
debug dialer - display call set-up/tear-down activity as it happens PINGing and TRACEing
isdn disconnect interface bri0 - hang up the specified interface; this - ‘Ping’ requests ICMP echo packets from a target; ‘Trace’ uses TTL (time-to-live)
is the same as shutting down the interface with (config-if)# shutdown values from each router it meets to send back a list of hops along the way.
- Both ping & trace work with many protocols. To specify a particular protocol,
type ping <protocol> <target>. Same syntax for trace: trace
APPENDIX B – The CATALYST 1900 SWITCH, related to “switching,” pg 5
<protocol> <target>.
- 1900 switch passwords must be from 4 to 8 characters long (not case-
TURNING OFF DEBUG
sensitive).
- Switch ports are labeled by type slot/port (e.g. ethernet 0/16, or undebug ip <specific debug command> or no debug all or
fastethernet 0/26). Small switches have only “slot zero.” Use undebug all or just un al
(config)# int e0/16 to configure port 16.
CHAPTER IX – ACCESS LISTS, continued from pg 11
FIRST, CREATE YOUR VLANs…
(config)# hostname MySwitch - names the switch STANDARD IPX LISTS
(config)# vlan 2 name sales - creates and names VLAN 2 (config)# access-list <800-899> <deny/permit>
(config)# vlan 3 name marketing - creates and names VLAN 3 <source_ipx_address> <destination_ipx_address> For
(config)# vlan 4 name tech - creates and names VLAN 4 example:
- …Then map them to ports: (Only static mapping is on the exam.) All ports are (config)# access-list 800 permit 20 40 - creates the list
initially mapped to VLAN 1, by default; only one VLAN is allowed per port: (config-if)# ipx access-group 800 out - applies it to the specified
(config)# int e0/2 - go to Ethernet port 2 (in slot 0) interface

25
- The wildcard “-1” when used in either the source or destination address fields <service_type> can appear in the following formats:
means “any host or network.” <0-FFFF> service code: 4 = file server, 7 = print server, 24 = router
<N.H.H.H> mask for specific source address
EXTENDED IPX LISTS
0 indicates all services.
(config)# access-list <900-999> <deny/permit> <protocol>
(config)# access-list 1000 permit 9e.6666.7777.8888 4
<source_ipx_address> <source_socket>
sappy_serv - creates the list
<destination_ipx_address> <destination_socket>
(config-if)# ipx input-sap-filter 1000 - applies it to specified
IPX SAP FILTER LISTS - Must be placed on all participating routers! interface; note hyphens!
- INPUT lists stop specified SAP traffic from updating the router’s SAP table.
- OUTPUT lists stop specified SAP updates from being sent by the router. IPX LIST DIAGNOSTICS
(config)# access-list <1000-1999> <deny/permit> show ipx interface - shows IPX address, applied lists, SAP filters for all
<source_ipx_address> <service_type> interfaces
<SAP_server_name> show ipx access-list - shows lists in detail (with all Fs instead of
wildcards)
<source_ipx_address> can appear in the following formats:
(See IP LIST DIAGNOSTICS, above, for show access-list, & other
<0-FFFFFFFF> network ID, only
options.)
<N.H.H.H> fully specific source address (both network and host)
–1 indicates any network. (Note the minus sign.) * END *
SPECIAL BONUS PAGE: 10 things you should immediately dump onto your source AD
scratch paper as your exam begins (like, before you forget them). connected interface 0
7 All Application static or default route 1
6 People Presentation Data IGRP 100
5 Seem Session RIP 120
4 To Transport Segments 0 = ROM monitor mode (no IOS)
3 Need Network Packets 1 = boot an IOS image from ROM

2
2 Data Data-Link Frames 2 = use the IOS specified in NVRAM (default)
1 Processing* Physical Bits
0 = use CF (default); 4 = ignore CF

2 1 0
(* Or whatever works for you.)
CORE
DISTRIBUTION
ACCESS Novell Cisco
FTP 21 Ethernet_802.3 novell-ether (default)
Telnet 23 Ethernet_802.2 sap
SMTP 25 Ethernet_II arpa
DNS 53 Ethernet_SNAP snap
HTTP 80 1 – 99 IP standard
1-126 A 100 – 199 IP extended
128-191 B 800 – 899 IPX standard
192-223 C
stolen bits mask magic # hosts networks
1 .128 128 126 0 ISDN switch cloud
2 .192 64 62 2 V U T S
N N
3 .224 32 30 6 ET T T TE1
4 .240 16 14 14 LT 1 2
5 .248 8 6 30
6 .252 4 2 62 S R
7 .254 2 0 126 T TE2
8 .255 1 0 254 A

FILL-IN-THE-BLANKS PRACTICE SECTION: range class

A
7
B
6
C
5
4 stolen bits mask magic # hosts networks
3 1
2 2
1 3
4
3 Cisco layers
5
6
7
8
protocol port #

ISDN switch cloud

26
 source AD
connected interface
static or default route
IGRP
RIP
0=
1=
_

2=
0=
_ _ _

Novell Cisco
(default)

IP standard
IP extended
IPX standard

27