CCNAX
Interconnecting Cisco Networking Devices: Accelerated
Student Guide Volume 4
Version 3.0
Part Number: 97-3839.03
Americas Headquarters: Cisco Systems, Inc., San Jose, CA. Asia Pacific Headquarters: Cisco Systems (USA) Pte. Ltd., Singapore. Europe Headquarters: Cisco Systems International BV, Amsterdam, The Netherlands.

Cisco has more than 200 offices worldwide. Addresses, phone numbers, and fax numbers are listed on the Cisco Website at www.cisco.com/go/offices.

Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R)

DISCLAIMER WARRANTY: THIS CONTENT IS BEING PROVIDED "AS IS" AND AS SUCH MAY INCLUDE TYPOGRAPHICAL, GRAPHICS, OR FORMATTING ERRORS. CISCO MAKES AND YOU RECEIVE NO WARRANTIES IN CONNECTION WITH THE CONTENT PROVIDED HEREUNDER, EXPRESS, IMPLIED, STATUTORY OR IN ANY OTHER PROVISION OF THIS CONTENT OR COMMUNICATION BETWEEN CISCO AND YOU. CISCO SPECIFICALLY DISCLAIMS ALL IMPLIED WARRANTIES, INCLUDING WARRANTIES OF MERCHANTABILITY, NON-INFRINGEMENT AND FITNESS FOR A PARTICULAR PURPOSE, OR ARISING FROM A COURSE OF DEALING, USAGE OR TRADE PRACTICE. This learning product may contain early release content, and while Cisco believes it to be accurate, it falls subject to the disclaimer above.

© 2017 Cisco Systems, Inc.

Table of Contents
Lesson 1: Understanding WAN Technologies
    Introduction to WAN Technologies
    WAN Topology Options
    WAN Connectivity Options
    Provider-Managed VPNs
    Enterprise-Managed VPNs
    WAN Devices
    Challenge
    Answer Key
Lesson 2: Understanding Point-to-Point Protocols
    Serial Point-to-Point Communication Links
    Point-to-Point Protocol
    Discovery 47: Configure Serial Interface and PPP
    Discovery 48: Configure and Verify MLP
    Discovery 49: Configure and Verify a PPPoE Client
    Challenge
    Answer Key
Lesson 3: Configuring GRE Tunnels
    GRE Tunnel Overview
    Discovery 50: Configure and Verify a GRE Tunnel
    Challenge
    Answer Key
Lesson 4: Configuring Single-Homed EBGP
    Interdomain Routing
    Introduction to EBGP
    Discovery 51: Configure and Verify Single-Homed EBGP
    Challenge
    Introducing Syslog
    Syslog Message Format
    Syslog Configuration
    Discovery 52: Configure Syslog
    SNMP Overview
    Discovery 53: Configure SNMP
    Challenge
    Answer Key
Lesson 2: Learning About the Evolution of Intelligent Networks
    Switch Stacking
    Cloud Computing and Its Effect on Enterprise Networks
    Overview of Network Programmability in Enterprise Networks
    Application Programming Interfaces
    Cisco APIC-EM
    Cisco Intelligent WAN
    Challenge
    Answer Key
Lesson 3: Introducing QoS
    Traffic Characteristics
    Need for QoS
    QoS Mechanisms Overview
    Trust Boundary
    QoS Mechanisms—Classification and Marking
    Classification Tools
    QoS Mechanisms—Policing, Shaping, and Re-Marking
    Tools for Managing Congestion
    Tools for Congestion Avoidance
    Challenge
    Answer Key
Lesson 4: Managing Cisco Devices
    Router Internal Components
    ROM Functions
    Stages of the Router Power-On Boot Sequence
    Configuration Register
    Changing the Configuration Register
    Locating Cisco IOS Image Files
    Loading Cisco IOS Image Files
    Loading Cisco IOS Configuration Files
    Cisco IOS Integrated File System and Devices
    Managing Cisco IOS Images
    Deciphering Cisco IOS Image Filenames
    Creating the Cisco IOS Image Backup
    Upgrading Cisco IOS Images
    Managing Device Configuration Files
    Password Recovery
    Challenge
    Answer Key
Lesson 5: Licensing
    Introducing Licensing
    Licensing Verification
    Permanent License Installation
    Evaluation License Installation
    Backing Up the License
    Uninstalling the License
    Cisco Smart Software Manager
    Challenge
Lesson 4: Troubleshooting Scalabl
    Challenge
    Answer Key
Lesson 2: Implementing and Troubleshooting Scalable Multiarea Network
    Challenge
    Answer Key
Glossary
Interconnecting Cisco Networking Devices: Accelerated (CCNAX) © 2017 Cisco Systems, Inc.

Module 11: Implementing Wide-Area Networks

Introduction

WANs are most often fee-for-service networks, providing the means for users to access resources across a wide geographical area. Some services are considered Layer 2 connections between your remote locations, typically provided by a telephone company over its WAN switches. Some of these technologies include a serial point-to-point (leased line) connection and Frame Relay connections.

Other connections leverage the Internet infrastructure, a Layer 3 alternative, to interconnect the remote locations of an organization. To provide security across the public Internet, you can implement a VPN solution.
Lesson 1: Understanding WAN Technologies

Introduction

In order to continue to advance in your career, you have asked Bob if you can get more involved in WAN deployments. Although Bob is glad that you want to expand your skills and knowledge, he wants to assess your level of preparedness before taking you with him on WAN deployment jobs. To gauge your level of preparedness for WAN deployments, CCS provides a test. Bob tells you that the test will require you to demonstrate your knowledge of WAN devices, WAN cabling, WAN protocols, and WAN technologies.

Introduction to WAN Technologies

A WAN is a data communications network that operates beyond the geographic scope of a LAN. WANs use facilities that a service provider or carrier, such as a telephone or cable company, provides. The provider connects the locations of an organization to each other, to locations of other organizations, to external services, and to remote users. WANs carry various traffic types such as voice, data, and video.

The following are three major characteristics of WANs:
+ WANs generally connect devices that are separated by a broader geographic area than a LAN can serve.
+ WANs use the services of carriers such as telephone companies, cable companies, satellite systems, and network providers.
+ WANs use connections of various types to provide access to bandwidth over large geographic areas.
Introduction to WAN Technologies (Cont.)

There are several reasons why WANs are necessary in a communications environment.

LAN technologies provide speed and cost efficiency for the transmission of data in organizations in relatively small geographic areas. You need WANs in a communications environment because some business needs require communication among remote sites for many reasons, including the following:
+ People in the regional or branch offices of an organization need to be able to communicate and share data.
+ Organizations often want to share information with other organizations across large distances.
+ Employees who travel on company business frequently need to access information that exists on their corporate networks.

Because it is not feasible to connect computers across a country or around the world in the same way that computers are connected in a LAN environment with cables, different technologies have evolved to support this need. Increasingly, the Internet is being used as an inexpensive alternative to an enterprise WAN for some applications.

WAN Topology Options
A physical topology describes the physical arrangement of network devices that allows for data to move from a source to a destination network. There are three basic topologies for a WAN design.

WAN Topology Options
+ Star, or hub-and-spoke, topology. Benefits: network simplicity, low number of circuits. Drawbacks: suboptimal traffic flow, no redundancy.
+ Fully meshed topology. Benefits: any-to-any connectivity, high level of redundancy. Drawbacks: configuration complexity, number of circuits.
+ Partially meshed topology. A compromise between star and fully meshed.

Star or hub-and-spoke topology: This topology features a single hub (central router) that provides access from remote networks to a core router. All communication among the networks goes through the core router. The advantages of a star approach are simplified management and minimized tariff costs. However, the disadvantages are significant:
+ The central router (hub) represents a single point of failure.
+ The central router limits the overall performance for access to centralized resources. The central router is a single pipe that manages all traffic that is intended either for the centralized resources or for the other regional routers.

Fully meshed topology: In this topology, each routing node on the periphery of a given packet-switching network has a direct path to every other node on the cloud. The key rationale for creating a fully meshed environment is to provide a high level of redundancy. A fully meshed topology is not viable in large packet-switched networks. The following are the key issues of a fully meshed topology:
+ Many virtual circuits are required (one for every connection between routers).
+ Configuration is complex for routers without multicast support in nonbroadcast environments.
Partially meshed topology: This topology reduces the number of routers within a region that have direct connections to all other nodes in the region. All nodes are not connected to all other nodes. There are many forms of partially meshed topologies. In general, partially meshed approaches provide the best balance for regional topologies, which are based on the number of virtual circuits, redundancy, and performance.

Note: Large networks usually deploy a layered combination of these technologies—for example, a partial mesh in the network core, redundant hub-and-spoke for larger branches, and simple hub-and-spoke for noncritical remote locations.

Network downtime can be very expensive in terms of decreased productivity and potential loss of revenue. To increase network availability, many organizations deploy a dual-carrier WAN design to increase redundancy and path diversity.

Single-carrier WANs are simpler and easier to support and manage. However, network outages can be catastrophic. You should perform an analysis of the downtime cost. You should make sure that there are adequate penalties in the contract with the service provider to cover the cost of downtime.

Dual-carrier WANs provide better path diversity with better fault isolation between providers. The cost of downtime to your organization usually exceeds the additional cost of the second provider and the complexity of managing redundancy.

WAN Connectivity Options
You have many options for implementing WAN solutions. These options differ in technology, speed, and cost. WAN connections can be either over a private infrastructure or over a public infrastructure such as the Internet.

WAN Connectivity Options

Private WAN connections include dedicated and switched communication link options:
+ Dedicated communication links: When permanent dedicated connections are required, point-to-point lines are used with various capacities that are limited only by the underlying physical facilities and the willingness of users to pay for these dedicated lines. A point-to-point link provides a pre-established WAN communications path from the customer premises through the provider network to a remote destination. You usually lease point-to-point lines from a carrier, so they are also called leased lines. Leased lines were more popular in the past. Now a company may use a provider-managed VPN or enterprise-managed VPN over the Internet. Companies prefer enterprise- or provider-managed VPNs because leased lines are by far the most expensive solution.
+ Switched communication links: Switched communication links can be either circuit-switched or packet-switched.
  - Circuit-switched communication links: Circuit switching dynamically establishes a dedicated virtual connection for voice or data between a sender and a receiver. Before communication can start, the connection through the network of the service provider must be established. Examples of circuit-switched communication links are analog dialup (PSTN) and ISDN.
  - Packet-switched communication links: Many WAN users do not make efficient use of the fixed bandwidth that is available with dedicated, switched, or permanent circuits because the data flow fluctuates. Communications providers have data networks that are available to more appropriately service these users. In packet-switched networks, the data is transmitted in labeled frames, cells, or packets. Packet-switched communication links include Frame Relay, ATM, and X.25.
Public connections use the global Internet infrastructure. Until recently, the Internet was not a viable networking option for many organizations because of the significant security risks and lack of adequate performance guarantees in an end-to-end Internet connection. With the development of the VPN technology, however, the Internet is now an inexpensive and secure option for connecting to teleworkers and remote offices where performance guarantees are not critical. Internet WAN connection links go through broadband services such as DSL, cable modem, and broadband wireless, and they are combined with VPN technologies (for example, DMVPN, GET VPN) to provide privacy across the Internet. Broadband connection options are typically used to connect telecommuting employees to a corporate site over the Internet.

Service providers build networks by using different underlying technologies, the most popular being MPLS. Examples of provider-managed VPNs are Layer 3 MPLS VPN and Layer 2 MPLS VPNs (VPWS and VPLS). MPLS is an IETF standard that defines a packet label-based switching technique, which was originally devised to perform fast switching in the core of IP networks. This technique helped carriers and large enterprises scale their networks as increasingly large routing tables became more complex to manage. The industry began using MPLS over a decade ago as a way to allow enterprises to create end-to-end circuits across any type of transport medium using any available WAN technology.

WAN Connectivity Options (Cont.)

SPs use several different WAN technologies to connect their subscribers. The connection type that is used on the local loop, or last mile, may not be the same as the WAN connection type that the ISP employs within the ISP network or between various ISPs.

Each of these technologies provides advantages and disadvantages for the customer. Not all technologies are available at all locations. When a service provider receives data, it must forward this data to other remote sites for final delivery to the recipient. These remote sites either connect to the ISP network or pass the data from ISP to ISP and to the recipient. Long-range communications are usually these connections between ISPs or among branch offices in very large companies.

Provider-Managed VPNs
Provider-managed VPNs can either offer Layer 2 or Layer 3 connectivity. MPLS is a technology that was designed to support efficient forwarding of packets across the network core that is based on a simplified header.

Provider-Managed VPNs
+ Layer 2 MPLS VPN (VPLS and VPWS):
  - Customer routers exchange routes directly.
  - Some applications need Layer 2 connectivity to work.
+ Layer 3 MPLS VPN:
  - Customer routers exchange routes with service provider routers.
  - It provides Layer 3 service across the backbone.

Layer 2 MPLS VPN is useful for customers who run their own Layer 3 infrastructure and require Layer 2 connectivity from the service provider. In this case, the customer manages its own routing information. One advantage that Layer 2 VPN has over its Layer 3 counterpart is that some applications do not work if nodes are not in the same Layer 2 network.

Some typical examples of Layer 2 VPN are VPLS and VPWS. If you look from the customer perspective, with Layer 2 MPLS VPN, you can imagine a whole service provider network as one big virtual switch.

Layer 3 MPLS VPN provides Layer 3 service across the backbone. A separate IP subnet is used on each customer site. When you deploy a routing protocol over this VPN, the service provider needs to participate in the exchange of routes. Neighbor adjacency is established between your CE router and PE router (which the service provider owns). Within the service provider network, there are many P routers (service provider core routers). The job of P routers is to provide connectivity between PE routers. What this situation means is that the service provider becomes the backbone of your (customer) network.

Layer 3 VPN is appropriate for customers who prefer to outsource their routing to a service provider. The service provider maintains and manages routing for the customer sites. If you look from the customer perspective, with Layer 3 MPLS VPN, you can imagine the whole service provider network as one big virtual router.
Enterprise-Managed VPNs

Organizations need secure, reliable, and cost-effective ways to connect corporate headquarters, branch offices, and teleworkers working in home offices and other remote locations. A VPN is usually a bridge between two private networks. You build that bridge over a public network, typically the Internet. VPN enables headquarters and branch office devices to send and receive data as if they were directly connected.

Enterprise-Managed VPNs

Figure: enterprise-managed VPNs connecting a regional office, a home office with a Cisco router, and a mobile worker with Cisco AnyConnect over the Internet.

A VPN is a virtual private network that is constructed within a public network infrastructure, such as the global Internet. VPNs provide an inexpensive alternative to private WAN connections. They are particularly helpful in organizations whose workforce is highly mobile and frequently needs to connect remotely to the corporate network and access sensitive data.

As shown in the figure, there are two types of VPN networks:
+ Site-to-site VPN: A site-to-site VPN is an extension of a classic WAN network. End hosts send and receive traffic through a VPN device, which could be a router or Cisco Adaptive Security Appliance (Cisco ASA). This device is responsible for encapsulating and encrypting outbound traffic for all traffic from a particular site and sending it through a VPN tunnel over the Internet to a peer VPN device on the target site. Upon receipt, the peer VPN gateway strips the headers, decrypts the content if it was encrypted, and relays the packet toward the target host that is inside its private network. Many site-to-site VPN options are available.
+ Remote-access VPN: Remote-access VPNs can support the needs of telecommuters, mobile users, and extranet, consumer-to-business traffic. In a remote-access VPN, each host typically uses the Cisco AnyConnect VPN Client software. Whenever the host tries to send any traffic, the Cisco AnyConnect VPN Client software encapsulates the traffic before sending it over the Internet to the VPN gateway at the edge of the target network. The VPN client may also encrypt the traffic before sending it over the Internet to the VPN gateway. Upon receipt, the VPN gateway behaves as it does for site-to-site VPNs.

VPNs provide the following benefits:
+ Cost savings: VPNs enable organizations to use a cost-effective, third-party Internet transport to connect remote offices and remote users to the main corporate site. The use of VPNs therefore eliminates expensive, dedicated WAN links. Furthermore, with the advent of cost-effective, high-bandwidth technologies such as DSL, organizations can use VPNs to reduce their connectivity costs while simultaneously increasing remote connection bandwidth.
+ Scalability: VPNs enable corporations to use the Internet infrastructure, which makes new users easy to add. Therefore, corporations can add large amounts of capacity without adding significant infrastructure. For example, a corporation with an existing VPN between a branch office and the headquarters can securely connect new offices by simply making a few changes to the VPN configuration and ensuring that the new office has an Internet connection. Scalability is a major benefit of VPNs.
+ Compatibility with broadband technology: VPNs allow mobile workers, telecommuters, and people who want to extend their work day to take advantage of high-speed, broadband connectivity, such as DSL and cable, to gain access to their corporate network. This ability provides workers with significant flexibility and efficiency. Furthermore, high-speed, broadband connections provide a cost-effective solution for connecting remote offices.
+ Security: VPNs can provide the highest level of security by using advanced encryption and authentication protocols that protect data from unauthorized access. The two available options are IPsec and SSL.

There are many site-to-site VPN options. However, each option is a little bit different than the other.

Enterprise-Managed VPNs (Cont.)

Site-to-site VPN options:
+ IPsec tunnel:
  - IPsec is a framework of open security standards.
+ GRE over IPsec:
  - Addition of GRE to IPsec enables routing and multicast.
+ DMVPN (Cisco proprietary):
  - Simple hub-and-spoke configuration.
  - Zero-touch configuration for new spokes.
+ IPsec VTI (Cisco proprietary):
  - Simplified IPsec tunnel mode configuration.
  - Natively supports features that previously required GRE (routing, multicast).
IPsec Tunnel

IPsec provides a tunnel mode of operation that enables you to use it as a standalone connection method. This option is the most fundamental IPsec VPN design model. IPsec provides four important security services:
+ Confidentiality (encryption): The sender can encrypt the packets before transmitting them across a network. By doing so, nobody can eavesdrop on the communication. If another device intercepts the communication, it cannot read it.
+ Data integrity: The receiver can verify that the data was transmitted through the path without being changed or altered in any way. IPsec ensures data integrity by using checksums, which is a simple redundancy check.
+ Authentication: Authentication makes sure that the connection is made with the desired communication partner. The receiver can authenticate the source of the packet by guaranteeing and certifying the source of the information. IPsec uses IKE to authenticate users and devices that can carry out communication independently. IKE uses several types of authentication including usernames and passwords, one-time passwords, biometrics, PSKs, and digital certificates.
+ Antireplay protection: Antireplay protection verifies that each packet is unique and not duplicated. IPsec packets are protected by comparing the sequence number of the received packets with a sliding window on the destination host. A packet that has a sequence number that is before the sliding window is considered either a late or duplicate packet. Late and duplicate packets are dropped.
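The sliding-window check described under antireplay protection, as an added Python example (it is not code from the student guide): it keeps the per-security-association bitmap an IPsec receiver maintains, slides it forward on new sequence numbers, and rejects packets that are late (left of the window) or duplicated. The window size of 64 follows the RFC 4303 default, and the received sequence numbers are constructed.

```python
"""Anti-replay sliding window as used by IPsec ESP/AH receivers (RFC 4303,
section 3.4.3). Added example, not code from the Cisco student guide.
A packet is accepted if it is newer than anything seen (the window slides
right) or if it lies inside the window and its bit is not yet set.
The 64-packet window follows the RFC 4303 default; the sequence numbers
in SAMPLE_SEQS are constructed."""

WINDOW_SIZE = 64


class AntiReplayWindow:
    """Tracks the highest accepted sequence number (right edge) and a bitmap
    of the WINDOW_SIZE most recent sequence numbers: bit i set means that
    sequence number (last_seq - i) has already been accepted."""

    def __init__(self, size: int = WINDOW_SIZE) -> None:
        self.size = size
        self.last_seq = 0      # nothing accepted yet; ESP sequence numbers start at 1
        self.bitmap = 0

    @property
    def left_edge(self) -> int:
        """Lowest sequence number that can still be accepted."""
        return max(1, self.last_seq - self.size + 1)

    def check_and_update(self, seq: int) -> str:
        """Return 'accept', 'late' or 'duplicate' for a received sequence
        number, recording an accepted packet in the window."""
        if seq <= 0:
            return "late"                  # sequence number 0 is never valid
        if seq > self.last_seq:
            # Right of the window: slide the window forward to the new packet.
            shift = seq - self.last_seq
            if shift >= self.size:
                self.bitmap = 1            # every earlier packet fell off the window
            else:
                mask = (1 << self.size) - 1
                self.bitmap = ((self.bitmap << shift) | 1) & mask
            self.last_seq = seq
            return "accept"
        offset = self.last_seq - seq       # distance from the right edge
        if offset >= self.size:
            return "late"                  # before the left edge: too old to check
        bit = 1 << offset
        if self.bitmap & bit:
            return "duplicate"             # already received: a replayed packet
        self.bitmap |= bit
        return "accept"


def filter_sequence(seqs, size: int = WINDOW_SIZE):
    """Run received sequence numbers through one window; return the verdicts in order."""
    window = AntiReplayWindow(size)
    return [window.check_and_update(s) for s in seqs]


# Constructed sample: in-order packets, one reordered packet, a replay of 3,
# a jump that slides the whole window, then packets that are now too old.
SAMPLE_SEQS = [1, 2, 3, 5, 4, 3, 70, 7, 6, 200, 137, 136]

if __name__ == "__main__":
    for seq, verdict in zip(SAMPLE_SEQS, filter_sequence(SAMPLE_SEQS)):
        print(f"seq={seq:<4} {verdict}")
```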
GRE over IPsec

Although IPsec provides a secure method for tunneling data across an IP network, it has limitations. IPsec does not support IP broadcast or IP multicast, preventing the use of protocols that rely on these features, such as routing protocols. IPsec also does not support the use of multiprotocol traffic. GRE is a protocol that can be used to carry other passenger protocols, such as IP broadcast or IP multicast, and non-IP protocols. Using GRE tunnels with IPsec will give you the ability to run a routing protocol, IP multicast, or multiprotocol traffic across the network between the headend or headends and branch offices.
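The passenger/carrier relationship described above, as an added Python example (not code from the student guide): it builds the RFC 2784 GRE header and the outer IPv4 header around a constructed OSPF packet addressed to the multicast group 224.0.0.5, then parses the carrier packet back and checks that only the inner destination is multicast. It assumes RFC 5737 documentation addresses for the tunnel endpoints and does not model the IPsec encryption that would wrap the unicast carrier packet.

```python
"""GRE encapsulation of an IPv4 multicast passenger (RFC 2784 / RFC 2890).
Added example, not code from the Cisco student guide. A routing-protocol
packet sent to a multicast group becomes the payload of a unicast IPv4/GRE
packet between two tunnel endpoints, which is the packet IPsec then protects.
Endpoint addresses (RFC 5737 ranges) and the OSPF payload bytes are constructed."""
import ipaddress
import struct

IP_PROTO_GRE = 47          # IP protocol number for GRE
IP_PROTO_OSPF = 89         # IP protocol number for OSPF
ETHERTYPE_IPV4 = 0x0800    # GRE protocol type for an IPv4 passenger
GRE_FLAG_CHECKSUM = 0x8000
GRE_FLAG_KEY = 0x2000
GRE_FLAG_SEQUENCE = 0x1000
IPV4_HDR = "!BBHHHBBH4s4s"   # 20-byte IPv4 header without options


def ipv4_checksum(header: bytes) -> int:
    """Standard ones-complement checksum over the IPv4 header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """Build a minimal IPv4 header in front of payload, with a valid checksum."""
    header = struct.pack(IPV4_HDR, 0x45, 0, 20 + len(payload), 0, 0, ttl, proto, 0,
                         ipaddress.IPv4Address(src).packed,
                         ipaddress.IPv4Address(dst).packed)
    checksum = ipv4_checksum(header)
    return header[:10] + struct.pack("!H", checksum) + header[12:] + payload


def parse_ipv4(packet: bytes):
    """Validate an IPv4 header and return (fields, payload)."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4
    if ipv4_checksum(packet[:ihl]) != 0:      # a valid header sums to zero
        raise ValueError("bad IPv4 header checksum")
    fields = struct.unpack(IPV4_HDR, packet[:20])
    info = {"src": str(ipaddress.IPv4Address(fields[8])),
            "dst": str(ipaddress.IPv4Address(fields[9])),
            "proto": fields[6], "ttl": fields[5]}
    return info, packet[ihl:fields[2]]


def gre_encapsulate(tunnel_src: str, tunnel_dst: str, passenger: bytes) -> bytes:
    """Wrap an IPv4 passenger: outer IPv4 (protocol 47) + 4-byte GRE header."""
    gre_header = struct.pack("!HH", 0, ETHERTYPE_IPV4)   # no C/K/S bits, version 0
    return build_ipv4(tunnel_src, tunnel_dst, IP_PROTO_GRE, gre_header + passenger)


def gre_decapsulate(packet: bytes):
    """Strip the carrier headers; return (outer_info, inner_info, inner_payload)."""
    outer, gre = parse_ipv4(packet)
    if outer["proto"] != IP_PROTO_GRE:
        raise ValueError("outer packet is not GRE")
    flags, proto_type = struct.unpack("!HH", gre[:4])
    if flags & 0x0007:
        raise ValueError("unsupported GRE version")
    if proto_type != ETHERTYPE_IPV4:
        raise ValueError("passenger is not IPv4: 0x%04x" % proto_type)
    offset = 4                        # skip the optional fields the flags announce
    if flags & GRE_FLAG_CHECKSUM:
        offset += 4
    if flags & GRE_FLAG_KEY:
        offset += 4
    if flags & GRE_FLAG_SEQUENCE:
        offset += 4
    inner, payload = parse_ipv4(gre[offset:])
    return outer, inner, payload


# Constructed passenger: a (shortened) OSPF packet from a branch router to AllSPFRouters.
OSPF_PACKET = bytes.fromhex("0201002c0a000001000000000000000000000000")
INNER = build_ipv4("10.0.1.1", "224.0.0.5", IP_PROTO_OSPF, OSPF_PACKET, ttl=1)


def demo():
    """Encapsulate the multicast passenger between two tunnel endpoints,
    decapsulate it again, and return a summary of what each header shows."""
    carrier = gre_encapsulate("203.0.113.1", "198.51.100.2", INNER)
    outer, inner, payload = gre_decapsulate(carrier)
    return {
        "outer_dst_is_multicast": ipaddress.IPv4Address(outer["dst"]).is_multicast,
        "inner_dst_is_multicast": ipaddress.IPv4Address(inner["dst"]).is_multicast,
        "outer_proto": outer["proto"],
        "inner_proto": inner["proto"],
        "overhead_bytes": len(carrier) - len(INNER),   # 20 IPv4 + 4 GRE
        "payload_intact": payload == OSPF_PACKET,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```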
With a generic hub-and-spoke topology, you can typically implement static tunnels (typically GRE over IPsec) between the central hub and remote spokes. When you want to add a new spoke to the network, you need to configure it on the hub router. Also, the traffic between spokes has to traverse the hub, where it must exit one tunnel and enter another. Static tunnels may be an appropriate solution for small networks, but this solution becomes unacceptable as the number of spokes grows larger and larger.

Cisco DMVPN
The Cisco Dynamic Multipoint Virtual Private Network (DMVPN) enables you to better scale large and small IPsec VPNs. The Cisco DMVPN provides simple provisioning of many VPN peers. It also easily supports dynamically addressed spoke routers by its design, if you use an appropriate peer authentication method, such as PKI-enabled peer authentication. The DMVPN enables you to configure a single mGRE tunnel interface and a single IPsec profile on the hub router to manage all spoke routers. Thus, the size of the configuration on the hub router remains constant even if you add more spoke routers to the network. The DMVPN also allows IPsec to be immediately triggered to create point-to-point GRE tunnels without any IPsec peering configuration.

Cisco IPsec VTI

The VTI mode of an IPsec configuration simplifies a VPN configuration. There are two types of VTI—static and dynamic. With VTI, you implement the IPsec session as an interface. Simple configuration and routing adjacency directly over the virtual interface are great benefits. But keep in mind that all traffic is encrypted and that it supports, like standard IPsec, only one protocol (IPv4 or IPv6). The IPsec tunnel protects the routing protocol and multicast traffic, like with GRE over IPsec. The only difference is that with VTI, you do not need GRE and the overhead that it brings.
WAN Devices

Several types of devices are specific to WAN environments, including CSU/DSU devices, modems, and certain types of routers and switches.

WAN Devices
+ Router: A router provides internetworking and WAN access interface ports that are used to connect to the service provider network. These interfaces may be serial connections or other WAN interfaces. With some types of WAN interfaces, you need an external device such as a CSU/DSU or modem (analog, cable, or DSL) to connect the router to the local POP of the service provider.
+ Core router: A core router resides within the middle or backbone of the WAN, rather than at its periphery. To fulfill the role of the core router, a router must be able to support multiple telecommunications interfaces of the highest speed in use in the WAN core. It must also be able to forward IP packets at wire speed on all these interfaces. The router must support the routing protocols that are being used in the core.
+ CPE: Devices on subscriber premises are referred to as CPE. A subscriber to a service provider owns the CPE or leases the CPE from the service provider. A copper or fiber cable connects the CPE to the nearest exchange or CO of the service provider. This cabling is often called the local loop or last mile. CSU/DSU devices, DSL modems, and optical fiber converters are just three of many WAN connection types.
WAN Devices (Cont.)

Figure: a router (DTE) connected by a serial cable to a CSU/DSU, which connects to the digital carrier line (telephone or coaxial cable).

+ CSU/DSU: A CSU/DSU is a device that is used to connect DTE to a digital circuit, such as a T1 carrier line. A device is considered DTE if it is either a source or destination for digital data. Examples of DTE include PCs, servers, and routers. In the figure, the router is considered DTE because it passes data to the CSU/DSU, which will forward the data to the service provider. Although the CSU/DSU connects to the service provider infrastructure using a telephone or coaxial cable, such as a T1 or E1 line, it connects to the router with a serial cable. A CSU/DSU is actually two devices in one box. The CSU provides termination for the digital signal and ensures connection integrity through error correction and line monitoring. The DSU converts the T-carrier line frames into frames that the LAN can interpret and vice versa. You can also implement a CSU/DSU as a module within a router, so that a serial cable is not necessary. A CSU/DSU is sometimes referred to as DCE because it provides a path for communication. DCE is a more general label for devices that provide interfaces for DTE into communication links on the WAN cloud: When the links are digital, the DCE is a CSU/DSU. When analog telephone lines are used, the DCE is a modem.
WAN Devices (Cont.)

Figure: a DSL modem connected to the router with an Ethernet cable and to the service provider with a telephone cable.

+ Modem: A modem is a device that interprets digital and analog signals, enabling data to be transmitted over voice-grade telephone lines. At the source, digital signals are converted to a form that is suitable for transmission over analog communication facilities. At the destination, these analog signals are returned to their digital form. There are various types of modems. In the figure, a DSL modem (which is used in DSL broadband environments) connects to a router with an Ethernet cable and connects to the service provider network with a telephone cable. You can also implement a modem as a router module.
+ Optical fiber converters: Optical fiber converters are used where a fiber-optic link terminates in order to convert optical signals into electrical signals and vice versa. You can also implement the converter as a router or switch module.
+ Wireless router: Wireless routers are used when you are using the wireless medium for WAN connectivity. You can also use an access point instead of a wireless router.
Challenge

1. Which two statements about WANs are true? (Choose two.)
   A. WANs generally connect devices that are located over a broader geographical area.
   B. WANs generally connect devices that are close to each other.
   C. WAN stands for World Around Networks.
   D. WANs use connections of various types to provide access to bandwidth over large geographical areas.
2. Which WAN topology option provides the highest level of redundancy?
   A. hub-and-spoke
   B. partially meshed
   C. fully meshed
   D. point-to-point
3. Which two VPNs are examples of service provider-managed VPNs? (Choose two.)
   A. remote-access VPN
   B. Layer 2 MPLS VPN
   C. Layer 3 MPLS VPN
   D. DMVPN
4. Which two technologies are examples of Layer 2 MPLS VPN technologies? (Choose two.)
   A. VPLS
   B. DMVPN
   C. GET VPN
   D. VPWS
5. Which protocol should be used with IPsec to give you the ability to run a routing protocol or IP multicast across the network between two site-to-site VPN peers?
   A. GRE
   B. IPsec tunnel
   C. WAN
   D. MPLS
6. Which protocol provides confidentiality, data integrity, authentication, and antireplay protection?
   A. GRE
   B. IPsec
   C. ISDN
   D. MPLS
7. Which service ensures that transmitted data has not been changed or altered in any way?
   A. confidentiality
   B. data integrity
   C. authentication
   D. antireplay protection
Answer Key

Challenge
1. A, D
2.
3. B, C
4. A, D
5. A
6. B
7. B

Lesson 2: Understanding Point-to-Point Protocols

Introduction

A CCS customer is adding two new branch offices. At one branch, the customer is running HDLC for the WAN protocol for the connection back to the corporate site. At the other branch, it is running PPPoE. You will be the primary technician for the deployment. Would you like to go onsite now to complete the job or study the training before the deployment?
Serial Point-to-Point Communication Links
A point-to-point (or serial) communication link provides a single, preestablished WAN communication path
from the customer premises through a carrier network to a remote network.
Serial Point-to-Point Communication Links
Serial point-to-point links use leased lines to provide a dedicated connection.
When permanent dedicated connections are required, a point-to-point link is used to provide a
preestablished WAN communications path from the customer premises through the provider network to a
remote destination. A serial line can connect two geographically distant sites, such as a corporate office in
New York and a regional office in London. Point-to-point lines are usually leased from a carrier and are
therefore often called leased lines. For a point-to-point line, the carrier dedicates fixed transport capacity
and facility hardware to the line that the customer is leasing. However, the carrier will still use multiplexing
technologies within the network.
Point-to-point links are usually more expensive than shared services such as Frame Relay. The cost of
leased-line solutions can become significant if you use them to connect many sites over increasing
distances. However, there are times when the benefits outweigh the cost of the leased line. The dedicated
capacity removes latency or jitter between the endpoints. Constant availability is essential for some
applications such as VoIP or video over IP.
You need a router serial port for each leased-line connection. If the underlying network is based on the
North American (T-carrier) or European (E-carrier) technologies, the leased line connects to the network of
the carrier through a CSU/DSU. The purpose of the CSU/DSU is to provide a clocking signal to the
customer equipment interface from the DSU and to terminate the channelized transport media of the carrier on
the CSU. The CSU also provides diagnostic functions such as a loopback test. Most T1 or E1 TDM
interfaces on current routers include approved CSU/DSU capabilities.
Leased lines provide permanent dedicated capacity and are used extensively for building WANs. They have
been the traditional choice of connection but have several disadvantages. Leased lines have a fixed capacity.
However, WAN traffic is often variable and leaves some of the capacity unused. In addition, each endpoint
needs a separate physical interface on the router, which increases equipment costs. Any change to the leased
line generally requires a site visit by the carrier personnel.
Bandwidth
Bandwidth refers to the rate at which data is transferred over the communication link. The underlying
carrier technology depends on the bandwidth that is available. There is a difference in bandwidth points
between the T-carrier specification and the E-carrier system, as shown in the table.
Bandwidth
(table of T-carrier and E-carrier line types and their bandwidths; the values are not legible in this copy)
Leased lines are available in different capacities and are generally priced based on the bandwidth that is
required and the distance between the two connected points.
Point-to-Point Protocol
PPP originally emerged as an encapsulation protocol for transporting IP traffic over point-to-point links.
PPP also established a standard for the assignment and management of IP addresses, asynchronous (start
and stop bit) and bit-oriented synchronous encapsulation, network protocol multiplexing, link configuration,
link quality testing, error detection, and option negotiation for such capabilities as network layer address
negotiation and data compression negotiation.
PPP provides router-to-router and host-to-network connections over both synchronous and asynchronous
circuits. An example of an asynchronous connection is a dialup connection. An example of a synchronous
connection is a leased line.
There are many advantages to using PPP, including the fact that it is not proprietary. Moreover, it includes
many features that are not available in Cisco High-Level Data Link Control (Cisco HDLC), including the
link-quality management feature. If too many errors are detected, PPP takes down the link. PPP also
supports PAP and CHAP authentication.
Point-to-Point Protocol
Overview of PPP:
+ PPP provides a standard method for transporting datagrams over point-to-point links.
+ PPP supports PAP and CHAP authentication.
Cisco HDLC is a data link layer protocol that can be used on leased lines between two Cisco devices. For
communicating with a device from another vendor, synchronous PPP is a better option.
PPP provides a standard method for transporting multiprotocol datagrams (packets) over point-to-point
links.
Point-to-Point Protocol (Cont.)
PPP is a layered architecture:
+ PPP can carry packets from several protocol suites by using NCP.
+ PPP controls the setup of several link options by using LCP.
PPP includes these three main components:
+ A method for encapsulating multiprotocol datagrams
+ Extensible LCP to establish, configure, and test the WAN data-link connection
+ A family of NCPs for establishing and configuring different network layer protocols; PPP allows the
simultaneous use of multiple network layer protocols.
LCP provides versatility and portability to a wide variety of environments. LCP is used to automatically
determine the encapsulation format option, to manage varying limits on sizes of packets, to detect a
looped-back link, and to terminate the link. Other optional facilities that LCP provides are authentication of the
identity of its peer on the link and the determination of when a link is functioning correctly or failing.
The authentication phase of a PPP session is optional. After the link has been established and the
authentication protocol is chosen, the peer can be authenticated. If the authentication option is used,
authentication takes place before the network layer protocol configuration phase begins.
Cisco offers CHAP and PAP for PPP authentication.
Discovery 47: Configure Serial Interface and PPP
Introduction
This discovery will guide you through the configuration of the clock rate on the DCE side of a serial link
and the configuration of PPP encapsulation on both sides of a serial link between two Cisco IOS routers.
The virtual lab is prepared with two routers as depicted in the topology diagram and the connectivity table.
R1 has the DCE side of the serial link, while R2 has the DTE side. Both routers have their basic
configurations in place, including hostnames, IP addresses, and EIGRP as the routing protocol.
First you will configure and verify a serial interface to use PPP encapsulation, and then you will configure
PAP and CHAP authentication for PPP.
Topology
(topology diagram: R1 and R2 connected by a serial link, each with Loopback0 and Loopback1 interfaces)
The configuration is as follows:
+ Both routers have their basic configurations in place, including hostnames and IP addresses.
+ EIGRP is configured on both routers, making them aware of each other's loopback interface networks.
Device Details
Device | Interface | Neighbor | IP Address
R1 | Serial1/1 | R2 | 10.1.1.1/24
R1 | Loopback0 | | 192.168.1.1/24
R1 | Loopback1 | | 172.16.1.1/24
R2 | Serial1/1 | R1 | 10.1.1.2/24
R2 | Loopback0 | | 192.168.2.1/24
R2 | Loopback1 | | 172.16.2.1/24
Task 1: Configure Serial Interface for PPP
Activity
Configure Serial Interface for PPP
To configure a serial interface for PPP, perform the following actions:
+ Enter serial interface configuration mode (interface serial interface_number).
+ Set the bandwidth on the interface (bandwidth kbps); this setting does not physically change the
bandwidth of the interface.
+ Set the clock rate to a specified value (clock rate bps). This action should be taken on the DCE cable side
only.
Configure Serial Interface for PPP (Cont.)
+ Set the interface encapsulation to PPP (encapsulation ppp); the default is HDLC.
To configure a serial interface, follow these steps:
1. Enter the global configuration mode by using the configure terminal command.
2. When you are in the global configuration mode, enter the interface configuration mode. In this
example, you would use the interface serial 0/0/0 command.
3. If a DCE cable is attached, use the clock rate clock_rate interface configuration command to configure the
clock rate for the hardware connections on serial interfaces, such as network interface modules and
interface processors, to an acceptable bit rate. Be sure to enter the complete clock speed. For example, a
clock rate of 64,000 cannot be abbreviated to 64. On serial links, one side of the link acts as the DCE,
and the other side of the link acts as the DTE. By default, Cisco routers are DTE devices, but you can
configure them as DCE devices. In a "back-to-back" router configuration in which a modem is not used,
you must configure one of the interfaces as the DCE to provide a clocking signal. You must specify the
clock rate for each DCE interface that is configured in this type of environment. The clock rates in bits
per second are as follows: 1200; 2400; 4800; 9600; 19,200; 38,400; 56,000; 64,000; 72,000; 125,000;
148,000; 500,000; 800,000; 1,000,000; 1,300,000; 2,000,000; and 4,000,000.
Note Some of the routers do not require clock rate configuration anymore.
4. Enter the specified bandwidth for the interface. The bandwidth kbps command overrides the default
bandwidth that the show interfaces command displays. It is used by some routing protocols, such as
EIGRP, for routing metric calculations. The router also uses the bandwidth for other types of
calculations, such as those calculations that are required for RSVP. The default bandwidth for serial
lines is the T1 speed (1.544 Mbps). The entered bandwidth has no effect on the actual speed of the line.
Note The attached serial cable determines the DTE or DCE mode of the Cisco router. Choose the cable to match
the network requirement.
The table provides a description of the commands that you use to configure a serial interface.
Command | Description
interface serial interface_number | Enters the serial interface configuration mode for the specified interface.
bandwidth bandwidth | Sets the interface bandwidth metric in kilobits per second.
clock rate clock_rate | Sets the interface clock rate in bits per second. You use this command on DCE interfaces only.
encapsulation ppp | Sets the interface encapsulation to PPP.
Note A common misconception for students who are new to networking and Cisco IOS Software is to assume
that the bandwidth command changes the physical bandwidth of the link. The bandwidth command
modifies only the bandwidth metric that routing protocols such as EIGRP and OSPF use. Sometimes, a
network administrator changes the bandwidth value to have more control over the chosen outgoing
interface.
The encapsulation ppp command has no arguments, but you must first configure the router with an IP
routing protocol to use the PPP encapsulation. If you do not configure PPP on a Cisco router, the default
encapsulation for serial interfaces is Cisco High-Level Data Link Control (Cisco HDLC).
Step 1 Access the console of R1. The Serial1/1 interface on R1 has the DCE cable. Configure it for a
clock rate of 64,000 bps and define the bandwidth as 64 kbps.
On R1, enter the following commands:
R1(config)# interface Serial1/1
R1(config-if)# clock rate 64000
R1(config-if)# bandwidth 64
R1(config-if)# end
The clock rate command controls the actual speed at which the serial link runs. The bandwidth
command does not affect the running speed of the interface, but instead sets the information that
is provided to dynamic routing protocols for determining the metrics that are associated with the
link.
The clock rate command expects its argument in bits per second, while the bandwidth
command expects its argument in kilobits per second.
Verify Serial Interface
To verify a serial interface for PPP, perform the following actions:
+ Display information about the physical interface and determine the type of cable (show controllers).
+ Verify the encapsulation method that is configured on the serial interface (show interfaces).
The show controllers command displays information about the physical interfaces. This command is useful
with serial interfaces to determine the type of cable that is connected without the need to physically inspect
the cable itself.
Use the show interfaces command to verify that the proper encapsulation is enabled on the serial interface.
The output shows which encapsulation is enabled on the serial interface.
Step 2 Use the show controllers command to verify the configuration of Serial1/1 and to verify that the
status indicators are all up.
On R1, enter the following command:
R1# show controllers Serial1/1
(output not legible in this copy; it reports the line state, the cable type of Serial1/1 as DCE, and the clock rate)
Step 3 Use the show interfaces command to verify the bandwidth setting that the routing protocols will
use, along with the current serial encapsulation method.
On R1, enter the following command:
R1# show interfaces Serial1/1
Serial1/1 is up, line protocol is up
  MTU 1500 bytes, BW 64 Kbit/sec, DLY 20000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  (lines not legible in this copy)
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 0 bits/sec, 0 packets/sec
  (lines not legible in this copy)
     0 output buffer failures, 0 output buffers swapped out
     3 carrier transitions  DCD=up DSR=up DTR=up RTS=up CTS=up
Both R1 and R2 are using the default Cisco HDLC encapsulation method.
Step 4 EIGRP is preconfigured on both R1 and R2. Verify the content of the routing table on R1.
On R1, enter the following command:
R1# show ip route
(output not legible in this copy)
The marked networks have been learned via the EIGRP protocol.
Step 5 From R1, ping the Loopback0 interface (192.168.2.1) of R2.
On R1, enter the following command:
R1# ping 192.168.2.1
Sending 5, 100-byte ICMP Echos to 192.168.2.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5)
The ping should succeed.
Step 6 On the R1 Serial1/1 interface, set the encapsulation protocol to PPP.
On R1, enter the following commands:
R1# conf t
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)# interface Serial1/1
R1(config-if)# encapsulation ppp
%DUAL-5-NBRCHANGE: EIGRP-IPv4 100: Neighbor 10.1.1.2 (Serial1/1) is down: holding time expired
R1 is using PPP for encapsulation while R2 is using HDLC. These encapsulation protocols are
incompatible, which is why the protocol on the R1 Serial1/1 interface went down and the EIGRP
neighbor relationship with R2 has timed out.
Step 7 Display the status of the Serial1/1 interface on R1 with the show ip interface brief command.
On R1, enter the following command:
R1# show ip interface brief Serial1/1
Interface     IP-Address    OK? Method Status    Protocol
Serial1/1     10.1.1.1      YES manual up        down
The administrative status of the interface is up, but the protocol is down.
Step 8 Access the console of R2. Configure its Serial1/1 interface to use PPP encapsulation and
configure its bandwidth setting to 64.
On R2, enter the following commands:
R2# conf t
Enter configuration commands, one per line. End with CNTL/Z.
R2(config)# interface Serial1/1
R2(config-if)# bandwidth 64
R2(config-if)# encapsulation ppp
R2(config-if)#
%LINEPROTO-5-UPDOWN: Line protocol on Interface Serial1/1, changed state to up
%DUAL-5-NBRCHANGE: EIGRP-IPv4 100: Neighbor 10.1.1.1 (Serial1/1) is up: new adjacency
R2(config-if)# end
R2#
When the encapsulation protocol is compatible with its peer, the line protocol state changes to
up. With the line protocol up, the EIGRP neighbor relationship with R1 is able to reestablish.
You did not need the clock rate command on R2 because the router is connected to the DTE
side of the cable.
Step 9 Use the show interfaces command on R2 to verify the serial encapsulation method.
On R2, enter the following command:
R2# show interfaces Serial1/1
  (lines not legible in this copy)
  MTU 1500 bytes, BW 64 Kbit/sec, DLY 20000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation PPP, LCP Open
  (remaining lines not legible in this copy)
Both R1 and R2 are using the PPP encapsulation method.
Step 10 For one last verification of connectivity, from R2, ping the Loopback0 interface (192.168.1.1) of
R1.
On R2, enter the following command:
R2# ping 192.168.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
Task 2: Configure PAP Authentication for PPP
Activity
To improve security, the PPP protocol suite was designed to offer the optional feature of user
authentication. Devices that initiate a PPP session must pass a strict identity verification before the link
establishment is approved. The link is activated only after the proper credentials have been given and
accepted. If PPP authentication fails for any reason, access is denied and the link is promptly terminated.
Although you may configure proprietary authentication methods to work with PPP, the two main types of
PPP authentication methods are PAP and CHAP.
PAP is a two-way handshake that provides a simple method for a remote node to establish its identity. PAP
is performed only upon initial link establishment. There is no encryption. The username and password are
sent in plaintext. After the PPP link establishment phase is complete, the remote node repeatedly sends a
username and password pair to the router until authentication is acknowledged or the connection is
terminated.
PAP is not a strong authentication protocol, but it may be adequate in environments that use token-type
passwords that change with each authentication. PAP is not secure in most environments. Also, there is no
protection from playback or repeated trial-and-error attacks. The remote node is in control of the frequency
and timing of the login attempts.
Configure PAP Authentication for PPP
PAP authentication for PPP works in the following manner:
(figure: the HQ router, with username HQ and password Cisco123, and the Branch router, with username Branch and password Cisco123, exchange PAP credentials)
In the example, the Branch router first sends its PAP username and password to the HQ router. The HQ
router evaluates the Branch router credentials against its local database. If the Branch router credentials
match, the HQ router accepts the connection. If not, the HQ router rejects the connection. This process is the
two-way handshake in which the Branch router authenticates to the HQ router. Then the reverse process
occurs with the HQ router authenticating to the Branch router.
Configure PAP Authentication for PPP (Cont.)
To configure PAP authentication for PPP, perform the following actions:
+ Define the username and password that the local router uses to authenticate the PPP peer in the global
configuration mode (username username password password).
+ Set the authentication type to PAP on the serial interface (ppp authentication pap).
+ (Optional) Enable outbound PAP authentication. To authenticate itself to a remote device, the local router
uses the username and password that the ppp pap sent-username command specifies.
The router that the ppp authentication pap command is configured on will use PAP to verify the identity
of the other side (peer). This means that the other side (peer) must present its username and password to the
local device for verification.
Usernames and passwords that the local router uses to authenticate the PPP peer are defined by using the
username password command. When the peer sends its PAP username and password, the local router will
check whether that username and password are configured locally. If there is a successful match, the peer is
authenticated.
The ppp pap sent-username username password password command enables outbound PAP
authentication. The local router uses the username and password that the ppp pap sent-username command
specifies in order to authenticate itself to a remote device. The other router must have this same username
and password configured by using the username password command.
Step 1 On R1, define the username User2 that uses the cisco password.
On R1, enter the following commands:
R1# conf t
R1(config)# username User2 password cisco
The username value is not case-sensitive, but the password value is case-sensitive.
Step 2 On R2, define the username User1 that uses the cisco password.
On R2, enter the following commands:
R2# conf t
R2(config)# username User1 password cisco
Step 3 Configure PAP authentication on the Serial1/1 interface on R1. Set User1 as the sent username
and cisco as the password.
On R1, enter the following commands:
R1(config)# interface Serial1/1
R1(config-if)# ppp authentication pap
R1(config-if)#
%LINEPROTO-5-UPDOWN: Line protocol on Interface Serial1/1, changed state to down
%DUAL-5-NBRCHANGE: EIGRP-IPv4 100: Neighbor 10.1.1.2 (Serial1/1) is down: interface down
R1(config-if)# ppp pap sent-username User1 password cisco
R1(config-if)# end
The line protocol for the Serial1/1 interface goes down because R2 is not configured for PAP
authentication yet. The result is a lost EIGRP neighbor relationship.
Step 4 Configure PAP authentication on the Serial1/1 interface on R2. Set User2 as the sent username
and cisco as the password.
On R2, enter the following commands:
R2(config)# interface Serial1/1
R2(config-if)# ppp authentication pap
R2(config-if)# ppp pap sent-username User2 password cisco
R2(config-if)#
%LINEPROTO-5-UPDOWN: Line protocol on Interface Serial1/1, changed state to up
%DUAL-5-NBRCHANGE: EIGRP-IPv4 100: Neighbor 10.1.1.1 (Serial1/1) is up: new adjacency
R2#
The PPP session is reestablished with PAP authentication. The result is that the line protocol on
the Serial1/1 interface goes up and the EIGRP neighbor relationship is reestablished.
Verify PPP Session
Verify the PPP session establishment and authentication type.
The show ppp all command verifies that the PPP session is established. It also displays information about
the authentication used, peer name, and IP address.
Step 5 On R2, verify that the PPP session is established.
On R2, enter the following command:
R2# show ppp all
Se1/1  LCP+ PAP+ IPCP+ CDPCP+  LocalT  10.1.1.1  R1
The PPP session is established with PAP authentication on the Serial1/1 interface to the peer that
is named R1 by using the peer IP address 10.1.1.1.
Task 3: Configure CHAP Authentication for PPP
Activity
CHAP is the preferred authentication method and is considered superior to PAP. CHAP involves a three-
way exchange of a shared secret. Once authentication with PAP is complete, it essentially stops working,
which leaves a network vulnerable to attacks. Unlike PAP, which only authenticates once, CHAP conducts
periodic challenges to make sure that the remote node still has a valid password value. CHAP, which uses a
three-way handshake, occurs at the startup of the link and periodically thereafter to verify the identity of the
remote node.
After the PPP link establishment phase is complete, the local router sends a challenge message to the remote
node. The remote node responds with a value that is calculated using a one-way hash function, typically
MD5, based on the password and challenge message. The local router checks the response against its own
calculation of the expected hash value. If the values match, the authentication is acknowledged. Otherwise,
the connection is terminated immediately.
CHAP protects against a playback attack by using a variable challenge value that is unique and
unpredictable. Because the challenge is unique and random, the resulting hash value will also be unique and
random. The use of repeated challenges is intended to limit exposure to any single attack. The local router
or a third-party authentication server is in control of the frequency and timing of the challenges.
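As an added illustration of the PAP exchange described in Task 2 and the CHAP exchange described above (example code written for this edit, not Cisco IOS or Cisco's code): the hostnames R1 and R2, the PAP username User1 and the password cisco follow the discovery lab, while the packet layout and the user databases are constructed. It shows why a PAP request carries the password in the clear while a CHAP response does not, and why a recorded CHAP response fails against the next challenge.

```python
"""PAP (RFC 1334) and CHAP (RFC 1994) authentication, simulated end to end.

Constructed example: hostnames R1/R2, the PAP username User1 and the
password "cisco" follow the discovery lab; packet bytes and databases are made up.
"""
import hashlib
import hmac
import os

# Each router's local user database, the equivalent of
# "username <peer> password <secret>" in global configuration mode.
R1_USER_DB = {"R2": "cisco", "User2": "cisco"}
R2_USER_DB = {"R1": "cisco", "User1": "cisco"}


def pap_authenticate_request(username: str, password: str) -> bytes:
    """Data field of a PAP Authenticate-Request: both values travel as plaintext."""
    user, pwd = username.encode(), password.encode()
    return bytes([len(user)]) + user + bytes([len(pwd)]) + pwd


def pap_verify(user_db: dict, request: bytes) -> bool:
    """Authenticator side of PAP: parse the request and compare with the local database."""
    ulen = request[0]
    username = request[1:1 + ulen].decode()
    plen = request[1 + ulen]
    password = request[2 + ulen:2 + ulen + plen].decode()
    expected = user_db.get(username)
    return expected is not None and hmac.compare_digest(expected.encode(), password.encode())


def chap_response_value(ident: int, secret: str, challenge: bytes) -> bytes:
    """RFC 1994 section 4.1: Response Value = MD5(Identifier || secret || Challenge Value)."""
    return hashlib.md5(bytes([ident]) + secret.encode() + challenge).digest()


class ChapAuthenticator:
    """The local router: issues a fresh random challenge and later checks the response."""

    def __init__(self, name: str, user_db: dict):
        self.name = name
        self.user_db = user_db
        self.ident = 0
        self.outstanding = {}  # Identifier -> Challenge Value still waiting for a Response

    def challenge(self):
        """Fields of a CHAP Challenge packet: (Identifier, Challenge Value, Name)."""
        self.ident = (self.ident + 1) % 256
        value = os.urandom(16)  # unique and unpredictable: this is what defeats playback
        self.outstanding[self.ident] = value
        return self.ident, value, self.name

    def verify(self, ident: int, response: bytes, peer_name: str) -> bool:
        """True means Success; the challenge is consumed whether or not the response matches."""
        challenge = self.outstanding.pop(ident, None)
        secret = self.user_db.get(peer_name)
        if challenge is None or secret is None:
            return False  # stale Identifier or unknown peer -> Failure
        return hmac.compare_digest(chap_response_value(ident, secret, challenge), response)


def chap_respond(ident: int, challenge: bytes, my_name: str, secret: str):
    """The remote node answers with the fields of a CHAP Response: (Identifier, Value, Name)."""
    return ident, chap_response_value(ident, secret, challenge), my_name


def pap_exchange() -> dict:
    """R1 authenticates to R2 with PAP (sent-username User1); the password is visible on the wire."""
    request = pap_authenticate_request("User1", "cisco")
    return {"accepted": pap_verify(R2_USER_DB, request),
            "password_on_wire": b"cisco" in request}


def chap_mutual_authentication() -> dict:
    """The bidirectional handshake from the lab debug output: each side challenges the other."""
    r1 = ChapAuthenticator("R1", R1_USER_DB)
    r2 = ChapAuthenticator("R2", R2_USER_DB)
    ident, chal, _ = r1.challenge()                        # R1 -> R2: Challenge
    r2_reply = chap_respond(ident, chal, "R2", "cisco")    # R2 -> R1: Response
    ident2, chal2, _ = r2.challenge()                      # R2 -> R1: Challenge
    r1_reply = chap_respond(ident2, chal2, "R1", "cisco")  # R1 -> R2: Response
    return {"r1_accepts_r2": r1.verify(*r2_reply),
            "r2_accepts_r1": r2.verify(*r1_reply),
            "captured": r2_reply,                          # what a wire observer sees from R2
            "password_on_wire": b"cisco" in r2_reply[1]}


def chap_replay_is_rejected(captured) -> bool:
    """A recorded Response fails against the next challenge: new random value, same secret."""
    r1 = ChapAuthenticator("R1", R1_USER_DB)
    r1.challenge()
    return r1.verify(*captured) is False


if __name__ == "__main__":
    print("PAP:", pap_exchange())
    result = chap_mutual_authentication()
    print("CHAP mutual:", result["r1_accepts_r2"], result["r2_accepts_r1"])
    print("CHAP replay rejected:", chap_replay_is_rejected(result["captured"]))
```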
Configure CHAP Authentication for PPP
CHAP authentication for PPP works in the following manner:
(figure: the HQ router challenges the Branch router, username Branch, and the Branch router responds)
In the example, the HQ router sends a challenge message to the Branch router. The Branch router responds
to the HQ router by sending its CHAP username and password. The HQ router evaluates the Branch router
credentials against its local database. If the credentials match, it accepts the connection. If they do not, it
rejects the connection. This process is a three-way handshake of the HQ router authenticating the Branch
router. A three-way handshake of the Branch router authenticating the HQ router follows.
Configure CHAP Authentication for PPP (Cont.)
To configure CHAP authentication for PPP, perform the following actions:
+ Configure the router hostname to identify it.
+ Configure the username and password in the global configuration mode to authenticate the PPP peer.
+ Set the authentication type to CHAP on the serial interface.
To configure PPP authentication, you must configure the interface for PPP encapsulation. Follow these
steps to enable CHAP authentication:
1. Verify that each router has a hostname assigned to it. To assign a hostname, enter the hostname
hostname command in the global configuration mode. This name must match the username that the
authenticating router expects at the other end of the link.
2. On each router, define the username and password that are expected from the remote router with the
username username password password global configuration command. Add a username entry for
each remote system that the local router communicates with and that requires authentication. Note that
the remote device must have a corresponding username entry for the local router with a matching
password.
3. Configure PPP authentication with the ppp authentication {chap | chap pap | pap chap | pap}
interface configuration command.
- If you configure ppp authentication chap on an interface, all incoming PPP sessions on that
interface are authenticated via CHAP.
- If you configure ppp authentication pap, all incoming PPP sessions on that interface are
authenticated via PAP.
- If you configure ppp authentication chap pap, the router attempts to authenticate all incoming
PPP sessions via CHAP. If the remote device does not support CHAP, the router tries to
authenticate the PPP session via PAP. If the remote device does not support either CHAP or PAP,
the authentication fails, and the PPP session is dropped.
- If you configure ppp authentication pap chap, the router attempts to authenticate all incoming
PPP sessions via PAP. If the remote device does not support PAP, the router tries to authenticate the
PPP session via CHAP. If the remote device does not support either protocol, the authentication
fails and the PPP session is dropped.
Note If you enable both methods, the first method that you specify is requested during link negotiation. If the peer
suggests using the second method or refuses the first method, the second method is tried.
The table describes the commands that you use to configure CHAP authentication.
Command | Description
hostname hostname | Sets a device hostname.
username username password password | Configures a new user on the device.
interface interface_name | Enters the interface configuration mode for the specified interface.
encapsulation ppp | Configures a link with the PPP-type encapsulation.
ppp authentication chap | Enables CHAP authentication on the interface with PPP encapsulation.
Step 1 On R1, define the username R2 and the cisco password.
On R1, enter the following commands:
R1# conf t
R1(config)# username R2 password cisco
The username value is not case-sensitive, but the password value is case-sensitive.
Step 2 On R2, define the username R1 and the cisco password.
On R2, enter the following commands:
R2# conf t
R2(config)# username R1 password cisco
Step 3 Change the PPP authentication type to CHAP on the Serial1/1 interface on R1. You also need to
remove all configuration related to PAP authentication.
On R1, enter the following commands:
R1# conf t
R1(config)# interface Serial1/1
R1(config-if)# no ppp authentication pap
R1(config-if)# no ppp pap sent-username User1 password cisco
R1(config-if)# ppp authentication chap
Step 4 Change the PPP authentication type to CHAP on the Serial1/1 interface on R2. You also need to
remove all configuration related to PAP authentication.
On R2, enter the following commands:
R2# conf t
R2(config)# interface Serial1/1
R2(config-if)# no ppp authentication pap
R2(config-if)# no ppp pap sent-username User2 password cisco
R2(config-if)# ppp authentication chap
R2(config-if)# exit
R2(config)#
Step 5 Enable debugging of PPP authentication on R2. Then disable and re-enable the Serial1/1
interface to reinitiate PPP session establishment. Observe the debug messages that are associated
with the CHAP authentication process.
On R2, enter the following commands:
R2(config)# interface Serial1/1
R2(config-if)# do debug ppp authentication
R2(config-if)# shutdown
%DUAL-5-NBRCHANGE: EIGRP-IPv4 100: Neighbor 10.1.1.1 (Serial1/1) is down: interface down
%LINEPROTO-5-UPDOWN: Line protocol on Interface Serial1/1, changed state to down
R2(config-if)# no shutdown
R2(config-if)#
%LINK-3-UPDOWN: Interface Serial1/1, changed state to up
Se1/1 PPP: Treating connection as a dedicated line
(six CHAP debug lines follow, not legible in this copy: the outbound and inbound CHALLENGE, RESPONSE and SUCCESS messages)
%LINEPROTO-5-UPDOWN: Line protocol on Interface Serial1/1, changed state to up
%DUAL-5-NBRCHANGE: EIGRP-IPv4 100: Neighbor 10.1.1.1 (Serial1/1) is up: new adjacency
R2(config-if)# end
R2#
The debug output shows the bidirectional CHAP authentication procedure. Both sides challenge
each other, respond to each other, and pass each other. After successful authentication, the line
protocol comes back up and the EIGRP neighbor relationship is established.
Step 6 For one last verification of connectivity, from R2, ping the R1 Loopback0 interface
(192.168.1.1).
On R2, enter the following command:
R2# ping 192.168.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
Step 7 On R2, verify that the PPP session is established.
On R2, enter the following command:
R2# show ppp all
The PPP session is established by using the CHAP authentication method on the Serial1/1
interface to the peer that is named R1 with the peer IP address 10.1.1.1.
This is the end of the discovery lab.
Discovery 48: Configure and Verify MLP
Introduction
This discovery will guide you through the configuration of Multilink PPP, also known as MLP. MLP
provides a method for spreading traffic across multiple distinct PPP connections. You can use it, for
example, either to connect a home computer to an ISP by using two traditional modems or to connect a
company through two leased lines.
You will configure an MLP bundle on R1 and R2, which are connected by two serial interfaces.
Topology
(topology diagram: R1 and R2 connected by two serial links, Serial1/1 and Serial1/2)
The configuration is as follows:
+ Both routers have their basic configurations in place, including hostnames and IP addresses.
+ PPP encapsulation is configured on all serial interfaces.
Device Details
Device | Interface | Neighbor | IP Address
R1 | Serial1/1 | R2 | 10.1.1.1/24
R1 | Serial1/2 | R2 | 10.1.2.1/24
R1 | Loopback0 | | 192.168.1.1/24
R1 | Loopback1 | | 172.16.1.1/24
R2 | Serial1/1 | R1 | 10.1.1.2/24
R2 | Serial1/2 | R1 | 10.1.2.2/24
R2 | Loopback0 | | 192.168.2.1/24
R2 | Loopback1 | | 172.16.2.1/24
Task 1: Configure and Verify MLP
Activity
Multilink PPP
MLP overview:
+ MLP combines multiple physical links into a logical bundle called a Multilink PPP bundle.
Multilink PPP (Cont.)
MLP overview:
+ The MLP over serial interfaces feature provides the following functionalities:
- Load balancing
- Increased redundancy
- Link fragmentation and interleaving (LFI)
The MLP feature provides a load-balancing functionality over multiple WAN links while providing
multivendor interoperability and support for packet fragmentation, proper sequencing, and load calculation
on both inbound and outbound traffic. The MLP feature supports the fragmentation and packet-sequencing
specifications that are described in RFC 1990.
MLP allows packets to be fragmented and fragments to be sent at the same time over multiple point-to-point
links to the same remote address. Multiple links come up in response to a defined dialer load threshold. The
load can be calculated on inbound or outbound traffic, as required, for the traffic between specific sites.
MLP provides bandwidth on demand and reduces transmission latency across WAN links.
MLP can work over synchronous and asynchronous serial types of single or multiple interfaces that have been configured to support both dial-on-demand rotary groups and PPP encapsulation.
MLP combines multiple physical links into a logical bundle that is called an MLP bundle. An MLP bundle is a single, virtual interface that connects to the peer system. Having a single interface (the MLP bundle interface) provides a single point to apply hierarchical queueing, shaping, and policing to traffic flows. Individual links in a bundle do not perform any hierarchical queueing. None of the links has any knowledge about the traffic on parallel links, so hierarchical queueing and QoS cannot be applied uniformly to the entire aggregate traffic between a system and its peer system at the individual-link level. A single, virtual interface also simplifies the task of monitoring traffic to the peer system (for example, all traffic statistics run on one interface).
MLP works with fully functional PPP interfaces. An MLP bundle can have multiple links connecting peer devices. These links can be serial links or broadband links (Ethernet or ATM). As long as each link behaves like a standard serial interface, mixed links work properly in a bundle.
The MLP over serial interfaces feature enables you to bundle interfaces into a single, logical connection called an MLP bundle. This feature also provides the following functionalities:
+ Load balancing: MLP provides bandwidth on demand and uses load balancing across all member links (up to ten) to transmit packets and packet fragments. MLP mechanisms calculate the load on inbound or outbound traffic between specific sites. Because MLP splits packets and fragments across all member links during transmission, MLP reduces transmission latency across WAN links. Ideally, all member links in a bundle would be of the same bandwidth (for example, T1s). Load balancing and fragmentation and interleaving also allow for a mix of unequal-cost member links for situations where a small increment in the bundle bandwidth is required.
+ Increased redundancy: MLP allows traffic to flow over the remaining member lines when a port fails. When you configure an MLP bundle that consists of T1 lines from more than one line card and one line card stops operating, the part of the bundle on the other line cards continues to operate.
+ Link fragmentation and interleaving: The MLP fragmenting mechanism fragments large, nonreal-time packets and sends the fragments at the same time over multiple point-to-point links to the same remote address. Smaller, real-time packets remain intact. The MLP interleaving mechanism sends real-time packets between fragments of nonreal-time packets, thus reducing real-time packet delay.
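The fragmentation, sequencing, and load-balancing behaviour described above,
modelled in an added Python example (written for this guide; it is not Cisco
code and is not part of the original discovery). It builds RFC 1990
long-sequence fragment headers (Begin and End bits plus a 24-bit sequence
number), spreads the fragments round-robin over the member links of a bundle,
and reassembles them at the far end regardless of which link delivered each
fragment. The fragment-timeout handling, the link names Se1/1 and Se1/2, and
the sample packets are constructed for the example; sequence wrap-around is
left out.

```python
import struct

# PPP protocol number that carries Multilink PPP fragments (RFC 1990).
MLP_PROTOCOL = 0x003D
# The long-sequence-number format carries a 24-bit sequence number.
SEQ_MASK = 0xFFFFFF


def make_fragment(seq, payload, begin, end):
    """One RFC 1990 long-sequence fragment: B bit, E bit, six zero bits,
    24-bit sequence number, then the fragment data."""
    header = (int(begin) << 31) | (int(end) << 30) | (seq & SEQ_MASK)
    return struct.pack("!I", header) + payload


def parse_fragment(frag):
    """Split a fragment back into its B/E flags, sequence number and data."""
    if len(frag) < 4:
        raise ValueError("fragment shorter than the 4-byte MLP header")
    (header,) = struct.unpack("!I", frag[:4])
    return {"begin": bool(header >> 31), "end": bool((header >> 30) & 1),
            "seq": header & SEQ_MASK, "data": frag[4:]}


def fragment_packet(packet, frag_size, next_seq):
    """Cut a packet into fragments of at most frag_size bytes, numbered
    consecutively. Returns (fragments, next free sequence number)."""
    chunks = [packet[i:i + frag_size] for i in range(0, len(packet), frag_size)] or [b""]
    frags = []
    for i, chunk in enumerate(chunks):
        frags.append(make_fragment(next_seq, chunk, i == 0, i == len(chunks) - 1))
        next_seq = (next_seq + 1) & SEQ_MASK
    return frags, next_seq


def distribute(frags, links):
    """Load-balance fragments round-robin over the member links of the bundle."""
    per_link = {name: [] for name in links}
    for i, frag in enumerate(frags):
        per_link[links[i % len(links)]].append(frag)
    return per_link


class Reassembler:
    """Receiving end of the bundle: fragments from every member link land in
    one buffer keyed by sequence number, so arrival order does not matter."""

    def __init__(self):
        self.pending = {}       # seq -> parsed fragment
        self.expected = 0       # sequence number of the next fragment to deliver
        self.lost_packets = 0

    def receive(self, frag):
        """Store one fragment; return every packet that is now complete, in order."""
        parsed = parse_fragment(frag)
        self.pending[parsed["seq"]] = parsed
        return self._deliver_ready()

    def _deliver_ready(self):
        delivered = []
        while True:
            seq, seqs, data = self.expected, [], b""
            if seq not in self.pending or not self.pending[seq]["begin"]:
                break
            while seq in self.pending:
                seqs.append(seq)
                data += self.pending[seq]["data"]
                if self.pending[seq]["end"]:
                    break
                seq = (seq + 1) & SEQ_MASK
            else:
                break  # a fragment in the middle of this packet is still missing
            for s in seqs:
                del self.pending[s]
            self.expected = (seqs[-1] + 1) & SEQ_MASK
            delivered.append(data)
        return delivered

    def fragment_timeout(self):
        """The fragment timer fired (IOS shows it as 'frag timeout'): abandon the
        packet at the head of the queue, count it as lost, and resynchronise on
        the next Begin fragment that has already arrived."""
        if not self.pending:
            return []
        self.lost_packets += 1
        later_begins = sorted(s for s, p in self.pending.items() if p["begin"] and s > self.expected)
        if not later_begins:
            self.expected = (max(self.pending) + 1) & SEQ_MASK
            self.pending.clear()
            return []
        self.expected = later_begins[0]
        for s in [s for s in self.pending if s < self.expected]:
            del self.pending[s]
        return self._deliver_ready()
```

The reassembler delivers a packet only when an unbroken run from a Begin
fragment to an End fragment is present, which is why a single fragment lost on
one member link stalls everything behind it until the fragment timer
resynchronises the bundle; that stall is what the `lost received` and
`discarded fragments` counters of `show ppp multilink` account for.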
Step 1 Access the console of R1 and verify the status of the serial interfaces that are connected to R2.
On R1, enter the following commands:
R1# show interfaces Serial1/1
<... output omitted ...>
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation PPP, LCP Open
  Open: IPCP, CDPCP, crc 16, loopback not set
<... output omitted ...>
R1# show interfaces Serial1/2
<... output omitted ...>
  MTU 1500 bytes, BW 1544 Kbit/sec, DLY 20000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation PPP, LCP Open
  Open: IPCP, CDPCP, crc 16, loopback not set
<... output omitted ...>
The Serial1/1 and Serial1/2 interfaces are connected to R2. Both interfaces are up and have IP addresses assigned. Encapsulation is set to PPP on the serial interfaces that connect R1 and R2.
Step 2 EIGRP is preconfigured on both R1 and R2. Verify the content of the routing table on R1.
On R1, enter the following command:
R1# show ip route
<... output omitted ...>
The networks learned via EIGRP (code D in the output) are reachable over both serial links. Traffic to these networks is load-balanced via the Serial1/1 and Serial1/2 links.
Step 3 From R1, ping the Loopback0 interface (192.168.2.1) on R2.
On R1, enter the following command:
R1# ping 192.168.2.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 21/21/24 ms
The ping should be successful.
Configure a Multilink Bundle
To configure a multilink bundle, perform the following actions:
+ Assign a multilink bundle group number and enter the interface configuration mode.
+ Assign an IP address to the multilink interface.
+ Enable MLP.
Configure a Multilink Bundle (Cont.)
+ Restrict a physical link to join only the designated multilink group interface.
When you configure MLP, you first need to configure a multilink bundle by creating a multilink interface. You need to assign an IP address to this multilink interface, enable the MLP feature, and restrict a physical link to join only the designated multilink group interface.
Step 4 Create a multilink interface on R1 with the following specified characteristics:
+ Set the group number as 1.
+ Set the IP address as 10.1.1.1/24.
+ Enable the MLP feature.
+ Restrict physical links with the multilink group 1 only to join this bundle.
On R1, enter the following commands:
R1# conf t
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)# interface Multilink1
R1(config-if)# ip address 10.1.1.1 255.255.255.0
R1(config-if)# ppp multilink
R1(config-if)# ppp multilink group 1
R1(config-if)# end
R1#
Step 5 Create a multilink interface on R2 with the following specified characteristics:
+ Set the group number as 1.
+ Set the IP address as 10.1.1.2/24.
+ Enable the MLP feature.
+ Restrict physical links with the multilink group 1 only to join this bundle.
On R2, enter the following commands:
R2# conf t
Enter configuration commands, one per line. End with CNTL/Z.
R2(config)# interface Multilink1
R2(config-if)#
<... output omitted ...>
R2(config-if)# ip address 10.1.1.2 255.255.255.0
R2(config-if)# ppp multilink
R2(config-if)# ppp multilink group 1
R2(config-if)# end
R2#
Assign an Interface to a Multilink Bundle
To assign an interface to a multilink bundle, perform the following actions:
+ Enter the interface configuration mode for the serial interface.
+ Remove any specified IP address.
+ Enable PPP encapsulation.
+ Enable MLP.
Assign an Interface to a Multilink Bundle (Cont.)
+ Restrict a physical link to join only the designated multilink group interface.
After you create the multilink interface, you need to assign a serial interface to the multilink interface. To designate a link to a specified bundle, use the ppp multilink group command when configuring the link. This command restricts the link to join only the specified bundle. When a link negotiates to join an MLP bundle, the link must provide proper identification that is associated with the MLP bundle. If the negotiation is successful, the link is assigned to the requested MLP bundle. If the link provides identification that coincides with the identification that is associated with a different MLP bundle in the system, or if the link fails to match the identity of an MLP bundle that is already active on the multilink group interface, the connection terminates.
A link joins an MLP bundle only if it negotiates to use the bundle when a connection is established and the identification information that is exchanged matches that of an existing bundle.
When you configure the ppp multilink group command on a link, the command applies the following restrictions on the link:
+ The link is not allowed to join any bundle other than the indicated group interface.
+ The PPP session must be terminated if the peer device attempts to join a different bundle.
Step 6 Remove the IP addresses from the Serial1/1 and Serial1/2 interfaces on both R1 and R2.
On R1 and R2, enter the following commands:
R1# conf t
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)# interface Serial1/1
R1(config-if)# no ip address
R1(config-if)#
<... output omitted ...>
R1(config-if)# exit
R1(config)# interface Serial1/2
R1(config-if)# no ip address
R1(config-if)# end
R1#
R2# conf t
Enter configuration commands, one per line. End with CNTL/Z.
R2(config)# interface Serial1/1
R2(config-if)# no ip address
R2(config-if)# exit
R2(config)# interface Serial1/2
R2(config-if)# no ip address
R2(config-if)# end
R2#
After you remove the IP addresses from the interfaces on R1, the EIGRP neighbor relationship immediately goes down.
Step 7 Assign the Serial1/1 and Serial1/2 interfaces to the interface Multilink1 on R1.
On R1, enter the following commands:
R1# conf t
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)# interface Serial1/1
R1(config-if)# ppp multilink
R1(config-if)#
%LINEPROTO-5-UPDOWN: Line protocol on Interface Serial1/1, changed state to down
R1(config-if)# ppp multilink group 1
R1(config-if)#
%LINEPROTO-5-UPDOWN: Line protocol on Interface Serial1/1, changed state to up
R1(config-if)# exit
R1(config)# interface Serial1/2
R1(config-if)# ppp multilink
R1(config-if)#
%LINEPROTO-5-UPDOWN: Line protocol on Interface Serial1/2, changed state to up
R1(config-if)# ppp multilink group 1
R1(config-if)#
%LINEPROTO-5-UPDOWN: Line protocol on Interface Serial1/2, changed state to down
R1(config-if)# end
Step 8 Assign the Serial1/1 and Serial1/2 interfaces to the interface Multilink1 on R2.
On R2, enter the following commands:
R2# conf t
Enter configuration commands, one per line. End with CNTL/Z.
R2(config)# interface Serial1/1
R2(config-if)# ppp multilink
R2(config-if)#
<... output omitted ...>
R2(config-if)# ppp multilink group 1
R2(config-if)#
<... output omitted ...>
R2(config-if)# exit
R2(config)# interface Serial1/2
R2(config-if)# ppp multilink
R2(config-if)#
%LINEPROTO-5-UPDOWN: Line protocol on Interface Serial1/2, changed state to down
R2(config-if)# ppp multilink group 1
R2(config-if)#
%LINEPROTO-5-UPDOWN: Line protocol on Interface Serial1/2, changed state to up
R2(config-if)# end
R2#
Verify Multilink Bundle
Verify Multilink Bundle
+ Display the multilink PPP bundle information.
The show ppp multilink command verifies that all the desired interfaces are in the multilink PPP bundle.
Step 9 Verify the multilink PPP bundle information by using the show ppp multilink command on R1.
On R1, enter the following command:
R1# show ppp multilink
<... output omitted ...>
  Bundle name: R2
  Remote Endpoint Discriminator: [1] R2
  Local Endpoint Discriminator: [1] R1
  Bundle up for 02:37:05, total bandwidth 3088, load 2/255
  Receive buffer limit 24000 bytes, frag timeout 1000 ms
    0/0 fragments/bytes in reassembly list
    0/0 discarded fragments/bytes, 0 lost received
    0x56E received sequence, 0x572 sent sequence
<... output omitted ...>
No inactive multilink interfaces
The Serial1/1 and Serial1/2 interfaces are members of the logical interface bundle Multilink1.
Step 10 Shut down the Serial1/1 interface on R1 to simulate a failure on this link.
On R1, enter the following commands:
R1# conf t
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)# interface Serial1/1
R1(config-if)# shutdown
R1(config-if)#
%LINK-5-CHANGED: Interface Serial1/1, changed state to administratively down
%LINEPROTO-5-UPDOWN: Line protocol on Interface Serial1/1, changed state to down
R1(config-if)# end
Step 11 Verify the status of the interface Multilink1 on R1.
On R1, enter the following command:
R1# show interfaces Multilink1
<... output omitted ...>
  MTU 1500 bytes, BW 1544 Kbit/sec, DLY 20000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation PPP, LCP Open, multilink Open
  Open: IPCP, CDPCP, loopback not set
  Keepalive set (10 sec)
<... output omitted ...>
The logical interface Multilink1 is still up, even though one of the members of the bundle was shut down.
Step 12 Verify the content of the routing table on R1 again.
On R1, enter the following command:
R1# show ip route
<... output omitted ...>
The outgoing interface in the routing table for the networks that are learned via EIGRP now points to the logical interface Multilink1.
Step 13 From R1, ping the Loopback0 interface (192.168.2.1) on R2.
On R1, enter the following command:
R1# ping 192.168.2.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max <... output omitted ...>
The ping should be successful despite the Serial1/1 interface on R1 being shut down. Note: You may have to wait a couple of seconds for the ping to work.
This is the end of the discovery lab.
Discovery 49: Configure and Verify a PPPoE Client
Introduction
This discovery will guide you through the configuration of a PPPoE client. PPPoE provides an emulated (and optionally authenticated) point-to-point link across a shared medium, typically a broadband aggregation network such as the ones that you can find at DSL service providers. A very common scenario is to run a PPPoE client on the customer side, which connects to and obtains its configuration from the PPPoE server (headend router) at the ISP side.
You will configure R1 as a PPPoE client, while R2 is preconfigured as the PPPoE server.
Topology
[Topology diagram: R1 (PPPoE client) and R2 (PPPoE server) connected by their Ethernet0/1 interfaces]
The configuration is as follows:
+ Both routers have their basic configurations in place, including hostnames and IP addresses.
+ R2 is preconfigured as the PPPoE server.
Device Details
Device  Interface    Neighbor  IP Address
R1      Ethernet0/1  R2        -
R1      Loopback0    -         192.168.1.1/24
R1      Loopback1    -         172.16.1.1/24
R2      Ethernet0/1  R1        10.10.10.2/24
R2      Loopback0    -         192.168.2.1/24
R2      Loopback1    -         172.16.2.1/24
Task 1: Configure and Verify a PPPoE Client
PPPoE Client
PPPoE client overview:
+ PPPoE is a commonly used application in the deployment of DSL.
+ A Cisco router can act as a PPPoE client.
+ You can connect multiple PCs on the Ethernet segment that is connected to the Cisco IOS router that acts as a PPPoE client.
The PPPoE client feature provides PPPoE client support on routers on customer premises. Before the introduction of this feature, Cisco IOS Software supported PPPoE on the access server side only. The figure shows a typical network topology for a PPPoE client deployment.
PPPoE is a commonly used application in a DSL deployment. The PPPoE client feature expands the PPPoE functionality by providing support for PPPoE on both the client and the server.
ISPs often provide their customers with a DSL modem that has one Ethernet interface to connect to the customer Ethernet segment, and another interface for DSL line connectivity. ATM is typically run between the customer modem and the DSLAM. In such a case, the DSL modem acts as a bridge only, when the CPE is not configurable for any IP connectivity or enhanced features over DSL. This situation limits your connectivity to only one PPPoE client PC. With the addition of a Cisco IOS router that connects to the Ethernet side of the DSL modem, you can run the PPPoE client IOS feature on the Cisco router. This way, you can connect multiple PCs on the Ethernet segment that is connected to the Cisco IOS router. With the use of the Cisco IOS router, you can enhance your DSL connectivity with all IOS features, such as security, NAT, and DHCP, for internal hosts.
The PPPoE client initiates a PPPoE session. If the session has a timeout or is disconnected, the PPPoE client will immediately attempt to reestablish the session. The following four steps describe the exchange of packets that occurs when a PPPoE client initiates a PPPoE session:
1. The client broadcasts a PADI packet.
2. When the access concentrator receives a PADI that it can serve, it replies by sending a PADO packet to the client.
3. Because the PADI was broadcast, the host may receive more than one PADO packet. The host looks through the PADO packets that it receives and chooses one. The choice can be based on the access concentrator name or on the services that are offered. The host then sends a single PADR packet to the access concentrator that it has chosen.
4. The access concentrator responds to the PADR by sending a PADS packet. At this point, a virtual access interface is created that will then negotiate PPP, and the PPPoE session will run on this virtual access interface.
If a client does not receive a PADO for a preceding PADI, the client sends out a PADI at predetermined intervals. That interval length is doubled for every successive PADI that does not evoke a response, until the interval reaches a configured maximum. If PPP negotiation fails or the PPP line protocol is brought down for any reason, the PPPoE session and the virtual access interface will be brought down. When the PPPoE session is brought down, the client waits for a predetermined number of seconds before trying again to establish a PPPoE session.
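The four-step exchange above, as an added Python model (not Cisco code and not
part of this guide). It builds and parses RFC 2516 discovery frames (PADI,
PADO, PADR and PADS with TLV tags), has the client accept only PADOs that echo
its own Host-Uniq tag and pick an access concentrator by AC-Name, implements
the doubling PADI retry interval, and has the access concentrator issue an
AC-Cookie that a PADR must return before a session ID is allocated, so a flood
of PADIs costs it no stored state. The timer values, the AC names, the client
MAC addresses and the cookie construction are assumptions made for the example,
not IOS defaults.

```python
import hmac
import os
import struct

# RFC 2516 discovery-stage codes and tag types; everything else here is constructed.
PADI, PADO, PADR, PADS = 0x09, 0x07, 0x19, 0x65
TAG_END_OF_LIST, TAG_SERVICE_NAME, TAG_AC_NAME, TAG_HOST_UNIQ, TAG_AC_COOKIE = 0, 0x0101, 0x0102, 0x0103, 0x0104


def build_frame(code, session_id, tags):
    """6-byte PPPoE header (ver 1, type 1, code, session id, length) followed by TLV tags."""
    payload = b"".join(struct.pack("!HH", t, len(v)) + v for t, v in tags)
    return struct.pack("!BBHH", 0x11, code, session_id, len(payload)) + payload


def parse_frame(frame):
    """Decode a discovery frame; reject a truncated header, payload or tag."""
    if len(frame) < 6:
        raise ValueError("short PPPoE header")
    ver_type, code, session_id, length = struct.unpack("!BBHH", frame[:6])
    if ver_type != 0x11 or len(frame) < 6 + length:
        raise ValueError("bad version/type or truncated payload")
    body, off, tags = frame[6:6 + length], 0, []
    while off + 4 <= len(body):
        tag_type, tag_len = struct.unpack("!HH", body[off:off + 4])
        if off + 4 + tag_len > len(body):
            raise ValueError("tag overruns payload")
        tags.append((tag_type, body[off + 4:off + 4 + tag_len]))
        off += 4 + tag_len
        if tag_type == TAG_END_OF_LIST:
            break
    return {"code": code, "session_id": session_id, "tags": tags}


def get_tag(parsed, wanted):
    return next((v for t, v in parsed["tags"] if t == wanted), None)


class PppoeClient:
    def __init__(self, service=b"", first_interval=5, max_interval=60):
        self.service = service
        self.host_uniq = os.urandom(8)  # lets the client recognise replies to its own PADI
        self.interval, self.max_interval = first_interval, max_interval  # assumed timer values

    def padi(self):  # step 1: the broadcast PADI
        return build_frame(PADI, 0, [(TAG_SERVICE_NAME, self.service), (TAG_HOST_UNIQ, self.host_uniq)])

    def no_pado_received(self):
        """No PADO for the last PADI: double the retry interval up to the maximum."""
        self.interval = min(self.interval * 2, self.max_interval)
        return self.interval

    def choose_pado(self, frames, preferred_ac=None):
        """Step 3: keep only well-formed PADOs that echo our Host-Uniq, prefer the named AC."""
        offers = []
        for frame in frames:
            try:
                p = parse_frame(frame)
            except ValueError:
                continue
            if p["code"] == PADO and get_tag(p, TAG_HOST_UNIQ) == self.host_uniq:
                offers.append(p)
        if preferred_ac is not None:
            offers = [o for o in offers if get_tag(o, TAG_AC_NAME) == preferred_ac] or offers
        return offers[0] if offers else None

    def padr(self, offer):
        return build_frame(PADR, 0, [(TAG_SERVICE_NAME, self.service), (TAG_HOST_UNIQ, self.host_uniq),
                                     (TAG_AC_COOKIE, get_tag(offer, TAG_AC_COOKIE))])


class AccessConcentrator:
    """The AC-Cookie is an HMAC over the client MAC, so the AC keeps no state per
    PADI and only answers a PADR that returns a cookie it really issued."""

    def __init__(self, name):
        self.name, self.secret, self.next_session = name, os.urandom(16), 1

    def cookie_for(self, client_mac):
        return hmac.new(self.secret, client_mac, "sha256").digest()[:16]

    def pado(self, padi_frame, client_mac):  # step 2
        p = parse_frame(padi_frame)
        if p["code"] != PADI:
            return None
        return build_frame(PADO, 0, [(TAG_AC_NAME, self.name), (TAG_SERVICE_NAME, get_tag(p, TAG_SERVICE_NAME) or b""),
                                     (TAG_HOST_UNIQ, get_tag(p, TAG_HOST_UNIQ) or b""),
                                     (TAG_AC_COOKIE, self.cookie_for(client_mac))])

    def pads(self, padr_frame, client_mac):  # step 4
        p = parse_frame(padr_frame)
        cookie = get_tag(p, TAG_AC_COOKIE)
        if p["code"] != PADR or cookie is None or not hmac.compare_digest(cookie, self.cookie_for(client_mac)):
            return None
        session_id, self.next_session = self.next_session, self.next_session + 1
        return build_frame(PADS, session_id, [(TAG_SERVICE_NAME, get_tag(p, TAG_SERVICE_NAME) or b""),
                                              (TAG_HOST_UNIQ, get_tag(p, TAG_HOST_UNIQ) or b"")])


def run_discovery(client, concentrators, client_mac, preferred_ac=None):
    """All four steps on one segment; returns (ac_name, session_id) or None."""
    padi = client.padi()
    offer = client.choose_pado([ac.pado(padi, client_mac) for ac in concentrators], preferred_ac)
    if offer is None:
        return None
    ac_name = get_tag(offer, TAG_AC_NAME)
    chosen = next(ac for ac in concentrators if ac.name == ac_name)
    pads = chosen.pads(client.padr(offer), client_mac)
    return None if pads is None else (ac_name, parse_frame(pads)["session_id"])
```

Because the PADI is a broadcast, any station on the segment can answer it;
checking the echoed Host-Uniq tag is what keeps a client from acting on a PADO
that was not meant for it, and the cookie check is what keeps the concentrator
from allocating sessions to PADRs it never solicited.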
Configure a Dialer Interface on a PPPoE Client
To configure a dialer interface on a PPPoE client, perform the following actions:
+ Define a dialer interface.
+ Specify that the IP address for the dialer interface is obtained via PPP/IPCP address negotiation.
+ Set the encapsulation mode to PPP.
Configure a Dialer Interface on a PPPoE Client (Cont.)
+ Specify the dialing pool that the dialer interface uses to connect to a specific destination subnetwork.
The PPPoE client configuration is relatively simple. You need to create a dialer interface to manage the PPPoE connection, then tie it later to a physical interface that provides the transport.
To create a dialer interface and to enter the interface configuration mode, use the interface dialer number command. When you are in the interface configuration mode, you need to specify that the IP address for the dialer interface is obtained via PPP/IPCP address negotiation. Also set the encapsulation mode to PPP. The last task requires you to specify the dialing pool that the dialer interface uses to connect to a specific destination subnetwork.
Step 1 Create a dialer interface to handle the PPPoE connection:
+ Instruct the client to use an IP address that the PPPoE server provides.
+ Set the encapsulation type to PPP.
+ Set the dialing pool that the dialer interface uses to connect to a specific destination subnetwork to "1".
On R1, enter the following commands:
R1# conf t
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)# interface Dialer1
R1(config-if)# ip address negotiated
R1(config-if)# encapsulation ppp
R1(config-if)# dialer pool 1
R1(config-if)# end
R1#
Assign a Physical Interface to the PPPoE Dial Group
To assign a physical interface to the PPPoE dial group, perform the following actions:
+ Enter the interface configuration mode.
+ Remove all IP addresses from the interface.
+ Configure a PPPoE client and connect the dialer interface configuration to a physical interface.
You need to connect the dialer interface configuration to a physical interface by using the pppoe-client dial-pool-number number command. You also need to make sure that no IP address is manually assigned to the physical interface.
Step 2 Assign the interface Ethernet0/1 to the newly created PPPoE dial group 1. Also make sure that no IP address is manually assigned to the Ethernet0/1 interface.
On R1, enter the following commands:
R1# conf t
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)# interface Ethernet0/1
R1(config-if)# no ip address
R1(config-if)# pppoe-client dial-pool-number 1
R1(config-if)#
*Dec 11 12:49:17.541: %LINK-3-UPDOWN: Interface Virtual-Access2, changed state to up
<... output omitted ...>
*Dec 11 12:49:17.589: %DUAL-5-NBRCHANGE: EIGRP-IPv4 100: Neighbor 10.10.10.2 (Dialer1) is up: new adjacency
R1(config-if)# end
R1#
You should see a notification indicating that the PPPoE session has been successfully formed. An EIGRP neighbor relationship also gets established between R1 and R2 immediately after an IP address is assigned to the R1 router (PPPoE client) by the R2 router (PPPoE server).
Verify the PPPoE Client
To verify the PPPoE client, perform the following actions:
+ Verify that the dialer interface is up.
+ Verify that the PPPoE session gets established.
When you verify a PPPoE client, first make sure that the dialer interface is up and running. Then also make sure that the PPPoE session is established, by using the show pppoe session command.
Step 3 On R1, verify that the interface Dialer1 has negotiated an IP address from R2.
On R1, enter the following command:
R1# show ip interface brief
Interface      IP-Address    OK? Method Status  Protocol
Ethernet0/0    unassigned    YES NVRAM  up      up
Ethernet0/1    unassigned    YES NVRAM  up      up
<... output omitted ...>
Loopback0      192.168.1.1   YES NVRAM  up      up
Loopback1      172.16.1.1    YES NVRAM  up      up
<... output omitted ...>
R1 gets its IP address from the PPPoE server (R2), from the pool of IP addresses starting with 10.10.10.3 and ending with 10.10.10.10. Notice that the IP address is on the dialer interface, not on the physical Ethernet0/1 interface.
Step 4 Verify that the PPPoE session is established on R1.
On R1, enter the following command:
R1# show pppoe session
<... output omitted ...>
You should see that the PPPoE session is established on the interface Ethernet0/1.
Note: The MAC addresses in your output may be different.
Step 5 From R1, ping the Loopback0 interface (192.168.2.1) on R2.
On R1, enter the following command:
R1# ping 192.168.2.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/5 ms
The ping should be successful because EIGRP is preconfigured on both routers.
This is the end of the discovery lab.
Challenge
1. Which PPP authentication protocol authenticates a device on the other end of a link with an encrypted password?
A. MD5
B. PAP
C. CHAP
D. DES
2. Which two commands must be configured on two routers that have their serial links directly connected with DTE and DCE cables in order to ping each other? (Choose two.)
A. encapsulation ppp
B. ip address
C. clock rate
D. no encapsulation hdlc
3. Which PPP protocol controls the Layer 2 operation of PPP?
A. PAP
B. LCP
C. CDPCP
D. IPXCP
4. Two routers, R1 and R2, have a leased line between them. Each router had its configuration erased and was then reloaded. R1 was then configured with the commands shown here:
R1(config)# hostname R1
R1(config)# interface s0/0
R1(config-if)# encapsulation ppp
R1(config-if)# ppp authentication chap
Which configuration command can complete the configuration on R1 so that CHAP can work correctly? Assume that R2 has been correctly configured and that the password is "fred."
A. No other configuration is needed.
B. ppp chap (global command)
C. username R1 password fred
D. username R2 password fred
E. ppp chap password fred
5. Here is the output of a show command. Which two statements about the S0/0/1 interface are true? (Choose two.)
show interfaces serial 0/0/1
Serial0/0/1 is up, line protocol is up
  Internet address is 10.0.1.2/20
<... output omitted ...>
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation PPP, LCP Open
  Open: IPCP, CDPCP, loopback not set
<... output omitted ...>
  CRC checking enabled
A. The interface uses HDLC.
B. The interface uses PPP.
C. The link should be able to pass PPP frames.
D. The interface currently cannot pass IPv4 traffic.
6. Here is an excerpt from the output of a show interfaces command on an interface that is configured to use PPP. A ping of the IP address on the other end of the link fails. Which two options are reasons for the failure, assuming that the problem that is listed in the answer is the only problem with the link? (Choose two.)
<... output omitted ...>
  Internet address is 10.0.2.1/20
<... output omitted ...>
A. The CSU/DSU that is connected to the other router is not powered on.
B. The IP address on the router at the other end of the link is not in the subnet 192.168.2.0/24.
C. CHAP authentication failed.
D. The router on the other end of the link is configured to use HDLC.
7. Which username must be configured on routers for PPP CHAP authentication?
A. a username that matches the hostname of the local router
B. a username that matches the hostname of the remote router
C. a username that matches neither hostname
D. no restriction on usernames exists
Answer Key
Challenge
Lesson 3: Configuring GRE Tunnels
Introduction
A customer wants to connect a branch office to its headquarters. Because the connection is over the Internet and is running a routing protocol, CCS has determined that the customer needs a GRE tunnel. You are the technician who is assigned to do the deployment, and you need to know how to establish a GRE tunnel and verify its proper operation. Would you like to go onsite now to complete the job, or would you like to finish the training?
GRE Tunnel Overview
Generic Routing Encapsulation, also known as GRE, is a tunneling protocol that provides a path for transporting packets over a public network by encapsulating packets inside a transport protocol. GRE supports multiple Layer 3 protocols such as IP, IPX, and AppleTalk. It also enables the use of multicast routing protocols across the tunnel.
GRE adds a 20-byte IP header and a 4-byte GRE header, hiding the existing packet headers. The GRE header contains a flag field and a protocol type field to identify the Layer 3 protocol being transported. It may contain a tunnel checksum, tunnel key, and tunnel sequence number. GRE does not encrypt traffic or use any strong security measures to protect the traffic.
GRE can be used along with IPsec to provide data source authentication and data confidentiality and to ensure data integrity. GRE over IPsec tunnels are typically configured in a hub-and-spoke topology over an
GRE Tunnel Overview
The following are the main GRE characteristics:
+ GRE is one of many tunneling protocols.
+ IP protocol 47 defines GRE packets.
+ It allows routing information to pass between connected networks.
+ No encryption is used.
Note GRE, developed by Cisco, is designed to encapsulate arbitrary types of network layer packets inside arbitrary types of network layer packets, as defined in RFC 1701, Generic Routing Encapsulation (GRE); RFC 1702, Generic Routing Encapsulation over IPv4 Networks; and RFC 2784, Generic Routing Encapsulation (GRE).
A tunnel interface supports a header for each of the following:
+ A passenger protocol or encapsulated protocol, such as IPv4 or IPv6; this protocol is the one that is being encapsulated.
+ A carrier or encapsulation protocol (GRE, in this case).
+ A transport delivery protocol, such as IP, which is the protocol that carries the encapsulated protocol.
GRE has these characteristics:
+ It uses a protocol-type field in the GRE header to support the encapsulation of any OSI Layer 3 protocol.
+ It is stateless. It does not include any flow control mechanisms, by default.
+ It does not include any strong security mechanisms to protect its payload.
+ The GRE header, together with the tunneling IP header, creates at least 24 bytes of additional overhead for tunneled packets.
Note You may have to adjust the MTU on GRE tunnels by using the ip mtu interface configuration command. This MTU must match on both sides.
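The header layout and overhead figures above, carried through in an added
Python example (not Cisco code and not part of this guide). It builds the
20-byte outer IPv4 header with protocol 47 and the 4-byte GRE header with its
flag and protocol-type fields, adds the optional checksum, key and sequence
fields when asked to, and computes the tunnel ip mtu that follows from the
24-byte figure (1500 minus 24 = 1476 on an Ethernet transport). On the
receiving side it validates what the headers identify before handing back the
passenger packet and rejects packets whose key does not match the configured
one. The tunnel addresses are the ones in this lesson's topology; the sample
passenger packet is constructed.

```python
import socket
import struct

GRE_PROTOCOL = 47            # outer IPv4 protocol number for GRE
ETHERTYPE_IPV4 = 0x0800      # GRE protocol-type value for an IPv4 passenger packet
FLAG_CHECKSUM, FLAG_KEY, FLAG_SEQ = 0x8000, 0x2000, 0x1000   # GRE header flag bits


def ones_complement_checksum(data):
    """Internet checksum used by the IPv4 header and the optional GRE checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src, dst, proto, payload_len, ttl=255):
    """The 20-byte transport header: version 4, no options, given protocol."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0, src, dst)
    return hdr[:10] + struct.pack("!H", ones_complement_checksum(hdr)) + hdr[12:]


def gre_header(proto_type, payload, key=None, seq=None, checksum=False):
    """4-byte base GRE header (flags, protocol type) plus the optional fields."""
    flags = (FLAG_CHECKSUM if checksum else 0) | (FLAG_KEY if key is not None else 0) | (FLAG_SEQ if seq is not None else 0)
    hdr = struct.pack("!HH", flags, proto_type)
    if checksum:
        hdr += struct.pack("!HH", 0, 0)      # checksum placeholder + reserved1
    if key is not None:
        hdr += struct.pack("!I", key)
    if seq is not None:
        hdr += struct.pack("!I", seq)
    if checksum:                             # the checksum covers GRE header and payload
        hdr = hdr[:4] + struct.pack("!HH", ones_complement_checksum(hdr + payload), 0) + hdr[8:]
    return hdr


def gre_overhead(key=False, seq=False, checksum=False):
    """Bytes added per packet: 20 (outer IPv4) + 4 (GRE) + 4 per optional field."""
    return 20 + 4 + 4 * (int(checksum) + int(key) + int(seq))


def tunnel_ip_mtu(transport_mtu, **options):
    """Largest passenger packet that fits the transport MTU unfragmented (the 'ip mtu' value)."""
    return transport_mtu - gre_overhead(**options)


def encapsulate(inner, tunnel_src, tunnel_dst, key=None, seq=None, checksum=False):
    gre = gre_header(ETHERTYPE_IPV4, inner, key, seq, checksum)
    return ipv4_header(tunnel_src, tunnel_dst, GRE_PROTOCOL, len(gre) + len(inner)) + gre + inner


def decapsulate(packet, expected_key=None):
    """Validate the outer header and the GRE header, then return the passenger packet.
    expected_key=None means the tunnel is configured without a key, so keyed packets are rejected."""
    if len(packet) < 24 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != GRE_PROTOCOL or ones_complement_checksum(packet[:ihl]) != 0:
        raise ValueError("not GRE, or corrupt outer header")
    flags, proto_type = struct.unpack("!HH", packet[ihl:ihl + 4])
    off, key = ihl + 4, None
    if flags & FLAG_CHECKSUM:
        if ones_complement_checksum(packet[ihl:]) != 0:
            raise ValueError("bad GRE checksum")
        off += 4
    if flags & FLAG_KEY:
        (key,) = struct.unpack("!I", packet[off:off + 4])
        off += 4
    if flags & FLAG_SEQ:
        off += 4
    if key != expected_key:
        raise ValueError("GRE key mismatch")
    if proto_type != ETHERTYPE_IPV4:
        raise ValueError("unexpected passenger protocol 0x%04x" % proto_type)
    return packet[off:]


def try_decapsulate(packet, expected_key=None):
    """decapsulate() that returns None instead of raising, for filtering a capture."""
    try:
        return decapsulate(packet, expected_key)
    except ValueError:
        return None
```

Running `tunnel_ip_mtu(1500)` gives the 1476 bytes that the ip mtu command is
usually set to on an Ethernet-fed GRE tunnel; enabling a key or sequence
number lowers it by 4 bytes each, which is why the note says both ends must
agree.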
Discovery 50: Configure and Verify a GRE Tunnel
Introduction
This discovery will guide you through the configuration, verification, and usage of a GRE tunnel to connect IP networks by using a completely different IP network as a transit link. The live virtual lab is prepared with the devices that are represented in the topology diagram and the connectivity table. All devices have their basic configurations in place, including hostnames and IP addresses on the Ethernet and loopback interfaces. EIGRP is configured on R2 and R3 for the 10.0.0.0/8 network. R2 and R3 are not aware of any of the 172.16.0.0/16 networks that exist on R1 and R4. The tunnel interfaces have not been configured yet; configuring them is one of your tasks during this discovery. Once the tunnel interfaces are up and operational, you will verify connectivity between the 172.16.0.0/16 networks through the GRE tunnel.
Topology
[Topology diagram: R1 - R2 - R3 - R4 connected in a row, with the GRE tunnel between R1 and R4]
The configuration is as follows:
+ All devices have their basic configurations in place, including hostnames and IP addresses.
+ EIGRP is configured on R2 and R3.
+ A static route is configured for 10.0.0.0/8 on R1 and R4.
+ OSPF is configured on R1 and R4 after the tunnel is configured.
Device Details
Device  Interface    Neighbor  IP Address
R1      Ethernet0/0  R2        10.10.1.1/24
R1      Ethernet0/1  -         172.16.1.1/24
R1      Loopback0    -         172.16.11.1/24
R1      Tunnel0      R4        172.16.99.1/24
R2      Ethernet0/0  R1        10.10.1.2/24
R2      Ethernet0/1  R3        10.10.2.1/24
R2      Loopback0    -         10.10.12.1/24
R3      Ethernet0/0  R2        10.10.2.2/24
R3      Ethernet0/1  R4        10.10.3.1/24
R3      Loopback0    -         10.10.13.1/24
R4      Ethernet0/0  R3        10.10.3.2/24
R4      Ethernet0/1  -         172.16.4.1/24
R4      Loopback0    -         172.16.14.1/24
R4      Tunnel0      R1        172.16.99.2/24
Task 1: Configure and Verify a GRE Tunnel
Activity
Complete the following steps:
Step 1 In the first few steps of this discovery, you will verify the status of the network as it has been prepared. Start by accessing the console of R1 and displaying its routing table.
Enter this command on R1:
R1# show ip route
<... output omitted ...>
C        10.10.1.0/24 is directly connected, Ethernet0/0
L        10.10.1.1/32 is directly connected, Ethernet0/0
C        172.16.1.0/24 is directly connected, Ethernet0/1
L        172.16.1.1/32 is directly connected, Ethernet0/1
<... output omitted ...>
R1 is not running any dynamic routing protocols. Other than the locally connected routes, the only other route is a static route for the 10.0.0.0/8 network. R4 is configured in a similar fashion.
Step 2 Verify that R1 can ping the R4 Ethernet0/0 interface (10.10.3.2).
R1# ping 10.10.3.2
Sending 5, 100-byte ICMP Echos to 10.10.3.2, timeout is 2 seconds:
<... output omitted ...>
R1 and R4 can reach each other by using the 10.0.0.0/8 network.
Step 3 Access the console of R2 and display its routing table.
Enter this command on R2:
R2# show ip route
<... output omitted ...>
C        10.10.2.0/24 is directly connected, Ethernet0/1
L        10.10.2.1/32 is directly connected, Ethernet0/1
<... output omitted ...>
R2 is running EIGRP and is peering with R3. Between them, they are aware of the entire 10.0.0.0/8 address space within the topology. Neither R2 nor R3 is aware of the 172.16.0.0/16 address space that is behind R1 and R4.
Configure a GRE Tunnel
To implement a GRE tunnel, perform the following actions:
+ Create a tunnel interface.
+ Configure the GRE tunnel mode. This mode is the default tunnel mode, so it is not necessary to configure it.
+ Configure an IP address for the tunnel interface.
Configure a GRE Tunnel (Cont.)
+ Specify the tunnel source IP address.
+ Specify the tunnel destination IP address.
The minimum GRE tunnel configuration requires specification of the tunnel source address and destination address. You must also configure an IP subnet to provide IP connectivity across the tunnel link.
Note At each end of the tunnel, you must use symmetrical, reachable addresses. You can use loopback addresses if they are reachable.
Command                          Description
tunnel source ip-address         Specifies the tunnel source IP address in interface tunnel configuration mode. This IP address is the one that is assigned to the local interface.
tunnel destination ip-address    Specifies the tunnel destination IP address in interface tunnel configuration mode. This IP address is the one that is assigned to the interface on the remote router.
ip address ip-address mask       Specifies the IP address of the tunnel interface.
tunnel mode gre ip               Specifies the GRE tunnel mode as the tunnel interface mode in interface tunnel configuration mode. The GRE tunnel mode is the default tunnel mode on Cisco routers, so you do not need to enter this command.
Step 4 Access the console of R1 and define the interface Tunnel0. Assign it the IP address 172.16.99.1/24. The R1 Ethernet0/0 interface (10.10.1.1) should be the source and the R4 Ethernet0/0 interface (10.10.3.2) should be the destination.
Enter these commands on R1:
R1# conf t
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)# interface tunnel0
R1(config-if)# ip address 172.16.99.1 255.255.255.0
R1(config-if)# tunnel source 10.10.1.1
R1(config-if)# tunnel destination 10.10.3.2
R1(config-if)# end
R1#
The Tunnel0 interface was administratively up immediately after being defined, and its line protocol came up immediately after being fully configured.
Step 5 Access the console of R4 and define the peer Tunnel0 interface. Assign it the IP address 172.16.99.2/24. The R4 Ethernet0/0 interface (10.10.3.2) should be the source and the R1 Ethernet0/0 interface (10.10.1.1) should be the destination.
Enter these commands on R4:
R4# conf t
Enter configuration commands, one per line. End with CNTL/Z.
R4(config)# interface tunnel0
R4(config-if)#
%LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to down
R4(config-if)# ip address 172.16.99.2 255.255.255.0
R4(config-if)# tunnel source 10.10.3.2
R4(config-if)# tunnel destination 10.10.1.1
R4(config-if)#
%LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up
R4(config-if)# end
R4#
Again, the Tunnel0 interface was administratively up immediately after being defined, and its line protocol came up immediately after being fully configured.
Verify a GRE Tunnel
To verify a GRE tunnel, perform the following actions:
+ Determine whether the tunnel interface is up or down.
+ Verify the state of the GRE tunnel.
+ Verify that the tunnel network is seen as directly connected in the routing table.
To determine whether the tunnel interface is up or down, use the show ip interface brief command.
You can verify the state of a GRE tunnel by using the show interface tunnel command. The line protocol on a GRE tunnel interface is up as long as there is a route to the tunnel destination.
By issuing the show ip route command, you can identify the route between the GRE tunnel-enabled routers. Because a tunnel is established between the two routers, the path is seen as directly connected.
Step 6 Verify that the Tunnel0 interface on R1 is up.
Enter this command on R1:
R1# show ip interface brief Tunnel 0
Interface                  IP-Address      OK? Method Status                Protocol
<... output omitted ...>
The status and line protocol for the Tunnel0 interface are up.
Step 7 Verify that the Tunnel0 interface on R4 is up.
Instead of using the show ip interface brief command on R4, use the show interface command:
R4# show interface Tunnel 0
<... output omitted ...>
The status and line protocol for the Tunnel0 interface are up. You can also see the IP address of the tunnel interface, the source and destination IP addresses, and the tunnel mode.
Step 8 Display the routing table on R1.
Enter this command on R1:
R1# show ip route
<... output omitted ...>
C        172.16.1.0/24 is directly connected, Ethernet0/1
L        172.16.1.1/32 is directly connected, Ethernet0/1
L        172.16.11.1/32 is directly connected, Loopback0
C        172.16.99.0/24 is directly connected, Tunnel0
L        172.16.99.1/32 is directly connected, Tunnel0
As you can see, the traffic that is destined for 172.16.99.0/24 enters the GRE tunnel interface.
Step 9 Ping the IP address of the R4 Tunnel0 interface from R1.
Enter this command on R1:
R1# ping 172.16.99.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.99.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5),
<... output omitted ...>
The ping was successful through the GRE tunnel. The ICMP echo and echo reply packets were encapsulated in the GRE tunnel. That is, from R1 to R4, the IP packet from 172.16.99.1 and destined for 172.16.99.2 was encapsulated with a second IP header from 10.10.1.1 and destined to 10.10.3.2. This packet was sent out the R1 Ethernet0/0 interface and was forwarded by R2 and R3 to the R4 Ethernet0/0 interface. R4 then stripped the outer IP header to reveal the encapsulated IP packet that is destined for 172.16.99.2.
R3 and R2 did not know that other IP packets were embedded in the packets that they forwarded. The 10.0.0.0/8 network was used to forward packets for 172.16.0.0/16 even though the transit routers had no awareness of 172.16.0.0/16.
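The encapsulation just described, as an added example that is not part of the original guide: a Python model of what R1 does on tunnel egress and what R4 does on ingress, using the lab's addresses. The inner ICMP packet is constructed here, no IOS code is involved, and the optional GRE checksum, key and sequence fields are only skipped over, not validated.

```python
import socket
import struct

GRE_PROTO = 47           # outer IPv4 protocol number that marks a GRE payload
ETHERTYPE_IPV4 = 0x0800  # GRE protocol-type field value for an IPv4 passenger packet


def ip_checksum(data: bytes) -> int:
    """RFC 791 one's-complement checksum; returns 0 for a header whose checksum is valid."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header (no options, TTL 64) with the checksum filled in."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]


def gre_encapsulate(inner: bytes, tunnel_src: str, tunnel_dst: str) -> bytes:
    """Tunnel egress (R1): prepend a 4-byte GRE header (flags/version 0, protocol
    type 0x0800) and an outer IPv4 header addressed tunnel source -> destination."""
    gre = struct.pack("!HH", 0x0000, ETHERTYPE_IPV4)
    outer = ipv4_header(tunnel_src, tunnel_dst, GRE_PROTO, len(gre) + len(inner))
    return outer + gre + inner


def gre_decapsulate(packet: bytes) -> tuple:
    """Tunnel ingress (R4): check the outer header, strip IP + GRE, and return
    (outer header fields, inner packet). Raises ValueError on anything unexpected,
    which is how a parser of tunnel traffic should fail rather than guess."""
    if len(packet) < 24:
        raise ValueError("too short for an IPv4 + GRE header")
    ihl = (packet[0] & 0x0F) * 4
    if packet[0] >> 4 != 4 or ihl < 20 or len(packet) < ihl + 4:
        raise ValueError("outer header is not a sane IPv4 header")
    if ip_checksum(packet[:ihl]) != 0:
        raise ValueError("bad outer IPv4 checksum")
    outer = {"src": socket.inet_ntoa(packet[12:16]),
             "dst": socket.inet_ntoa(packet[16:20]),
             "proto": packet[9]}
    if outer["proto"] != GRE_PROTO:
        raise ValueError("outer protocol %d is not GRE" % outer["proto"])
    flags, ptype = struct.unpack("!HH", packet[ihl:ihl + 4])
    if flags & 0x0007:
        raise ValueError("only GRE version 0 is handled here")
    if ptype != ETHERTYPE_IPV4:
        raise ValueError("unexpected GRE protocol type 0x%04x" % ptype)
    # Optional fields (RFC 2784/2890): checksum (bit 15), key (bit 13) and
    # sequence number (bit 12) each add 4 bytes; they are skipped, not validated.
    gre_len = 4 + 4 * bool(flags & 0x8000) + 4 * bool(flags & 0x2000) + 4 * bool(flags & 0x1000)
    return outer, packet[ihl + gre_len:]


def lab_round_trip() -> dict:
    """Constructed sample from the discovery lab: an ICMP echo request from the R1
    Tunnel0 address to the R4 Tunnel0 address, carried across the 10.0.0.0/8 core."""
    icmp_echo = struct.pack("!BBHHH", 8, 0, 0, 1, 1) + b"constructed"  # ICMP checksum left 0
    inner = ipv4_header("172.16.99.1", "172.16.99.2", 1, len(icmp_echo)) + icmp_echo
    wire = gre_encapsulate(inner, "10.10.1.1", "10.10.3.2")
    outer, recovered = gre_decapsulate(wire)
    return {
        "transit_sees": outer,                     # all R2 and R3 look at: 10.10.1.1 -> 10.10.3.2, proto 47
        "overhead_bytes": len(wire) - len(inner),  # 20 (outer IP) + 4 (GRE) = 24
        "inner_intact": recovered == inner,
        "inner_dst": socket.inet_ntoa(inner[16:20]),
    }
```

Nothing in the outer header authenticates or hides the passenger packet, which is why the challenge below rates a plain GRE tunnel as not secure.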
Step 10 Being able to forward packets between the two tunnel interfaces is good. But you can also run a dynamic routing protocol through the tunnel. Configure the OSPF process ID 1 on R4. Assign R4 the router ID 0.0.0.4. Include the network 172.16.0.0/16 (which includes the interfaces Ethernet0/1, Loopback0, and Tunnel0) in Area 0.
Enter these commands on R4:
R4# conf t
R4(config)# router ospf 1
R4(config-router)# router-id 0.0.0.4
R4(config-router)# network 172.16.0.0 0.0.255.255 area 0
R4(config-router)# end
R4#
Step 11 Access the console of R1 to configure it for OSPF. Configure the OSPF process ID 1. Assign the router ID 0.0.0.1. Include the network 172.16.0.0/16 (which includes the interfaces Ethernet0/1, Loopback0, and Tunnel0) in Area 0.
Enter these commands on R1:
R1# conf t
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)# router ospf 1
R1(config-router)# router-id 0.0.0.1
R1(config-router)# network 172.16.0.0 0.0.255.255 area 0
R1(config-router)#
%OSPF-5-ADJCHG: Process 1, Nbr 0.0.0.4 on Tunnel0 from LOADING to FULL, Loading Done
R1(config-router)# end
Step 12 Display the routing table on R1.
Enter this command on R1:
R1# show ip route
<... output omitted ...>
C        10.10.1.0/24 is directly connected, Ethernet0/0
C        172.16.1.0/24 is directly connected, Ethernet0/1
L        172.16.1.1/32 is directly connected, Ethernet0/1
<... output omitted ...>
R1 has learned about the networks that are running behind the R4 Loopback0 and Ethernet0/1 interfaces via OSPF. The traffic that is destined to the R4 Loopback0 and Ethernet0/1 interfaces will enter the GRE Tunnel0 interface.
Step 13 Ping the R4 Ethernet0/1 interface (172.16.4.1) from R1.
Enter this command on R1:
R1# ping 172.16.4.1
<... output omitted ...>
Again, this traffic and all other 172.16.0.0/16 traffic between R1 and R4 traverses the GRE tunnel. This traffic is forwarded by R2 and R3, but they are unaware of it. They see it as traffic between the R1 Ethernet0/0 interface (10.10.1.1) and the R4 Ethernet0/0 interface (10.10.3.2).
Step 14 Display the OSPF neighbors of R1.
Enter this command on R1:
R1# show ip ospf neighbor
Neighbor ID     Pri   State           Dead Time   Address         Interface
<... output omitted ...>
R4 is an OSPF neighbor of R1, using the GRE tunnel.
This is the end of the discovery lab.
Challenge
1. Which of the following statements is true regarding the GRE tunnel mode?
A. GRE is the default tunnel interface mode in Cisco IOS Software.
B. GRE tunnel mode is a protocol that encapsulates any network layer packet.
C. GRE tunnel mode works by encapsulating only Cisco router payload that needs to be delivered to a destination network.
2. Which two statements describe GRE characteristics? (Choose two.)
A. GRE encapsulation uses a protocol-type field in the GRE header to support the encapsulation of any OSI Layer 3 protocol.
B. GRE itself is stateful. It includes flow control mechanisms, by default.
C. GRE includes strong security mechanisms to protect its payload.
D. The GRE header, together with the tunneling IP header, creates at least 24 bytes of additional overhead for tunneled packets.
3. A GRE tunnel is flapping with the following error message:
%TUN-5-RECURDOWN: Tunnel0 temporarily disabled due to recursive routing
%LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to down
What could be the reason for the tunnel flapping?
A. Routing has not been enabled on the tunnel interface.
B. There is an MTU issue on the tunnel interface.
C. The router is trying to route to the tunnel destination address by using the tunnel interface itself.
D. An access list is blocking traffic on the tunnel interface.
4. Is a GRE tunnel secure?
A. A GRE tunnel is not secure.
B. A GRE tunnel with point-to-point links is considered secure.
C. A GRE tunnel is secure.
5. Which command does not tell you whether the GRE tunnel X is in an "up/up" state?
A. show ip interface brief
B. show interface tunnel X
C. show ip interface tunnel X
D. show run interface tunnel X
6. Which of the following statements is accurate regarding functionality for the loopback address as the tunnel source IP address?
A. You can have the tunnel source address as the loopback address.
B. Only the main or sub-interface can be the tunnel interface.
C. Only the main interface can be the tunnel interface.
7. Which of the following represents the correct description of the GRE tunnel for multicast?
A. GRE tunnels will not support multicast and cannot be used to send multicast traffic across a network.
B. GRE supports multicast, so you can run the routing protocols.
C. GRE supports multicast, and the only requirement is to enable PIM sparse mode on the GRE interfaces between source and destination.
Answer Key
Challenge
1. A
2. A, D
3. C
4. A
5. D
6. A
7. B
Lesson 4: Configuring Single-Homed EBGP
Introduction
BGP is the routing protocol that is one of the underlying foundations of the Internet. This protocol is complex and scalable, but it is also reliable and secure. EBGP is the part of BGP that you use for exchanging routes between different autonomous systems.
Interdomain Routing
The Internet is a collection of autonomous systems that are interconnected to allow communication between them. An autonomous system is by definition a collection of networks under a single technical administration domain. EGP provides the routing between these autonomous systems.
To understand BGP, you must first understand how it differs from other routing protocols.
IGP:
+ Optimum intra-AS routing
+ OSPF, RIP, EIGRP, IS-IS, etc.
+ AS: a collection of networks under a single technical administration
EGP:
+ Runs between autonomous systems
+ Enables routing policies
+ Improves security
One way you can categorize routing protocols is whether they are interior or exterior.
An IGP is a routing protocol that exchanges routing information within an autonomous system. OSPF, RIP, EIGRP, and IS-IS are examples of IGPs.
An EGP is a routing protocol that exchanges routing information between different autonomous systems. BGP is an example of an EGP.
Introduction to EBGP
EBGP characteristics:
+ Reliable updates: TCP port 179
+ Interdomain routing (EGP)
+ Customers exchange routes with the ISP.
+ ISPs exchange routes with other ISPs.
+ Scalable
+ Secure
+ Supports routing policies
BGP uses TCP as the transport mechanism, which provides reliable connection-oriented delivery. BGP uses TCP port 179. Two routers that are using BGP form a TCP connection with one another. These two BGP routers are called peer routers, or neighbors.
When BGP is running between routers in different autonomous systems, it is called EBGP. When BGP is running between routers in the same autonomous system, it is called IBGP. IBGP is used between routers in the same autonomous system mostly for redundancy and load-balancing purposes.
Different customers are using EBGP for route exchanges between their local environments and their ISPs. The IANA is responsible for the global coordination and assignment of AS numbers and public IP addresses (usually through a local ISP). Each customer has to place a request for an AS number and a set of public IP prefixes. The customer then establishes an EBGP session with its ISP and they exchange routing information.
ISPs are also interconnected. Each ISP has its own AS number. ISPs can communicate directly or they can use an IXP for route distribution.
The Internet is expanding at high speed and the size of all routing information is extremely large. In 2015, more than 570,000 routes exist in a full BGP table, and the number of routes is still expanding. Therefore, scalability is a very important feature of BGP. BGP enables reliable information exchange and is capable of batching the routing updates. These two characteristics allow BGP to scale to large, Internet-sized networks.
BGP also has security features. You can configure peer authentication and route filtering.
For more advanced networks, BGP also provides routing policies for route update manipulations.
Discovery 51: Configure and Verify Single-Homed EBGP
Introduction
In this discovery, you will learn how to configure external BGP between the service provider and customer. The service provider (ISP1) has two different customers (R1 and R2). It has to establish a separate EBGP session with each of the customers. All devices have their basic configurations in place, including hostnames and IP addresses. R1 and R2 are also preconfigured with BGP.
Topology
The configuration is as follows:
+ All devices have their basic configurations in place, including hostnames and IP addresses.
+ R1 and R2 are preconfigured with BGP.
  - R1 has BGP AS 100.
  - R2 has BGP AS 200.
  - Both routers are announcing a loopback interface network.
Device Information
Device Details
Device | Interface | IP Address | Description
ISP1 | Ethernet0/1 | 192.168.1.1/24 | Connection to R1
ISP1 | Ethernet0/2 | 192.168.2.1/24 | Connection to R2
ISP1 | Loopback0 | 10.0.0.1/24 | Loopback simulates LAN networks
R1 | Ethernet0/1 | 192.168.1.11/24 | Connection to ISP1
R1 | Loopback0 | 10.0.1.1/24 | Loopback simulates LAN networks
R2 | Ethernet0/2 | 192.168.2.11/24 | Connection to ISP1
R2 | Loopback0 | 10.0.2.1/24 | Loopback simulates LAN networks
Device AS Information
Device | AS Number
ISP1 | AS
R1 | AS 100
R2 | AS 200
Task 1: Configure and Verify Single-Homed EBGP
Configure EBGP
+ Define the BGP process.
+ Establish a BGP neighbor relationship.
+ Advertise the networks.
The requirements to configure basic EBGP include the following details:
+ AS numbers (your own and all remote AS numbers, which must be different)
+ All the neighbors (peers) that are involved in BGP, and IP addressing that is used among the BGP neighbors
+ Networks that need to be advertised into BGP
Note An IGP is the routing protocol that runs inside an AS. An IGP is not run between the EBGP neighbors that are residing in different autonomous systems. Therefore, the IP address that is used in the BGP neighbor command must be reachable without using an IGP, which can be accomplished by pointing to an address that is reachable through a directly connected network or by using static routes to that IP address.
A typical BGP configuration involves configuring BGP between a customer network and an ISP. This process is called EBGP.
The basic BGP configuration requires three main steps:
1. Define the BGP process.
2. Establish one or more neighbor relationships.
3. Advertise the networks into BGP.
Configure EBGP (Cont.)
To configure EBGP, perform the following actions:
+ Start the BGP routing process.
+ Define an external neighbor.
+ Advertise networks into BGP.
1. To start the BGP process on a router, use the router bgp command. Each process must be assigned a local AS number. There can be, at most, one BGP process in a router, which means that each router can only be in one AS at any given time.
Note The AS number is a 16-bit integer in the range from 1 to 65,535. When the AS-number pool from IANA approached exhaustion, new 32-bit AS numbers were created.
2. Because BGP does not automatically discover neighbors like other routing protocols do, you have to explicitly configure them by using the neighbor peer-ip-address remote-as peer-
" character in the left column,
ISP1 has the following networks in the BGP table:
+ 10.0.0.0/24, which has been locally configured on ISP1.
+ 10.0.1.0/24, which has been announced from the 192.168.1.11 (R1) neighbor.
+ 10.0.2.0/24, which has been announced from the 192.168.2.11 (R2) neighbor.
Because the command displays all routing information, the network 10.0.0.0/24, with the next-hop attribute set to 0.0.0.0, is displayed. The next-hop attribute is set to 0.0.0.0 when you view the BGP table on the router that originates the route in BGP. The 10.0.0.0/24 network is the network that you locally announced on ISP1 into BGP.
Each path is marked as the best path, because there is only one path to each of the networks.
This is the end of the discovery lab.
Challenge
1. Which of these is an EGP?
A. EIGRP
B. OSPF
C. RIP
D. BGP
2. When BGP runs between two peers in the same AS, what is it referred to as?
A. EBGP
B. IBGP
C. MBGP
3. In the following output, the AS number 65200 is for which router?
R1(config-router)# neighbor 10.108.200.1 remote-as 65200
A. the local router R1
B. the neighbor router with the IP address 10.108.200.1
C. both routers
D. none of the above
4. Which TCP port does BGP use to establish a BGP session?
A.
B.
C. 179
D. 441
5. Refer to the output. Is the BGP session established between the peers?
<... output omitted ...>
BGP table version is 1, main routing table version 1
Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
<... output omitted ...>
A. Yes, it is active.
B. No, Active means that the router is trying to establish a BGP session, but it is still not established.
C. No, it is in the "never" stage.
6. Which command can you use to know the hold time on the two BGP peers?
A. show ip bgp
B. show ip bgp summary
C. show ip bgp all
D. show ip bgp neighbor
7. What does a next hop of 0.0.0.0 mean in this show ip bgp command output?
Router# show ip bgp
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure
Origin codes: i - IGP, e - EGP, ? - incomplete
   Network          Next Hop            Metric LocPrf Weight Path
*> 10.13.32.0/28    0.0.0.0                  0
<... output omitted ...>
A. The router does not know the next hop.
B. The network is locally originated via the network command in BGP.
C. The network is not valid.
D. The next hop is not reachable.
Answer Key
Challenge
1. D
Module 12: Network Device Management
Introduction
The network staff is responsible for managing each device on the network according to industry best practices and in an effort to reduce device downtime. This module describes the commands and processes that are used to determine network operational status, gather information about remote devices, and manage Cisco IOS Software images, configuration files, and devices on a network. The module also explains how to enable Cisco IOS Software feature sets by obtaining and validating a Cisco software license.
Lesson 1: Implementing Basic Network Device Management
Introduction
Your boss sends you to your customer to enable device management using system logging and SNMP. You will need to explain to the customer how to configure and verify syslog and SNMP.
Introducing Syslog
Syslog is a protocol that allows a machine to send event notification messages across IP networks to event message collectors. By default, a network device sends the output from system messages and debug-privileged EXEC commands to a logging process. The logging process controls the distribution of logging messages to various destinations, such as the logging buffer, terminal lines, or a syslog server, depending on your configuration. The process also sends messages to the console. Logging services provide a means to gather logging information for monitoring and troubleshooting, to select the type of logging information that is captured, and to specify the destinations of captured syslog messages.
Characteristics of syslog are as follows:
+ Syslog is a protocol that allows a network device to send event notification messages across IP networks to event message collectors.
+ You can configure a device so that it generates a syslog message and forwards it to various destinations, as follows:
  - Logging buffer
  - Console line
  - Terminal lines
  - Syslog server
You can set the severity level of the messages to control the type of messages that the consoles display and each of the destinations. You can time-stamp log messages or set the syslog source address to enhance real-time debugging and management.
You can access logged system messages by using the device CLI or by saving them to a correctly configured syslog server. The switch or router software saves syslog messages in an internal buffer.
You can remotely monitor system messages by viewing the logs on a syslog server or by accessing the device through Telnet, SSH, or through the console port.
Syslog Message Format
Following is the general format of syslog messages that the syslog process on Cisco IOS Software generates by default:
seq no:time stamp: %facility-severity-MNEMONIC:description
An example of a syslog message that is informing the administrator that FastEthernet0/22 came up follows:
This table explains the items that a Cisco IOS Software syslog message contains.
Element | Description
seq no | Stamps log messages with a sequence number only if the service sequence-numbers global configuration command is configured.
time stamp | Date and time of the message or event, which appears only if the service timestamps log [datetime | log] global configuration command is configured.
facility | The facility to which the message refers (for example, SNMP, SYS, and so on).
severity | Single-digit code from 0 to 7 that is the severity of the message.
MNEMONIC | Text string that uniquely describes the message.
description | Text string containing detailed information about the event that the message is reporting.
This table explains the eight message severity levels from the most severe level to the least severe level.
Severity Level | Description
Emergency (severity 0) | System is unusable
Alert (severity 1) | Immediate action needed
Critical (severity 2) | Critical condition
Error (severity 3) | Error condition
Warning (severity 4) | Warning condition
Notification (severity 5) | Normal but significant condition
Informational (severity 6) | Informational message
Debugging (severity 7) | Debugging message
If severity level 0 is configured, it means that only emergency-level messages will be displayed. For example, if severity level 4 is configured, all messages with severity levels up to 4 will be displayed (Emergency, Alert, Critical, Error, and Warning).
The highest severity level is level 7, which is the debugging-level message. Much information can be displayed at this level, and it can even hamper the performance of your network. Use it with caution.
Syslog Configuration
To implement a syslog configuration, specify a syslog server host as a destination for syslog messages and limit the syslog messages that are sent to the syslog server based on the severity.
1. Specify the syslog server host as a destination for syslog messages.
2. Limit syslog messages that are sent to the syslog server based on severity.
The configuration of syslog on R1 follows:
Configuration of syslog is based on the commands that the following table describes.
Command | Description
logging {hostname | ip-address} | Identifies a syslog server host to receive logging messages.
logging trap severity | Limits the syslog messages that are sent to the syslog server. It limits the messages based on severity.
The figure shows configurations for logging syslog messages to a syslog server with IP address 10.1.10.100, where you can observe syslog messages.
The logging command identifies a syslog server host to receive logging messages. By issuing this command more than once, you build a list of syslog servers that receive logging messages. You can limit the syslog messages that are sent to the syslog server based on severity, using the logging trap command.
Discovery 52: Configure Syslog
Introduction
The objective of this discovery lab is to provide you with some experience with the syntax of basic syslog configuration to facilitate the management of Cisco IOS devices. This lab is prepared with the router and server that are represented in the topology diagram and the connectivity table. The devices have their basic configurations in place, including hostnames and IP addresses.
In the discovery lab, you will configure the syslog server address of the router and set the severity threshold for messages that are forwarded to the server. You will also use show commands to verify the syslog configuration and examine the syslog messages in the local logging buffer of the router.
Topology
Job Aids
Device Information
Information Table
Device | Characteristic | Value
SRV1 | Hostname | SRV1
SRV1 | IP address | 10.1.1.10
R1 | Hostname | R1
R1 | Ethernet0/1 description | Link to SRV1
R1 | Ethernet0/1 IP address |
SRV1 in the virtual lab environment is simulated as a router, so you should use Cisco IOS commands to configure it or make verifications.
Task 1: Configure Syslog
Activity
Step 1 Access the R1 console. Define SRV1 (10.1.1.10) as the R1 syslog server.
On R1, enter the following commands:
R1# conf t
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)# logging 10.1.1.10
The most commonly used commands are abbreviated in this guided discovery. For example, you use conf t for configure terminal. If there is any confusion, you can perform tab completion of commands to see the full commands during the discovery execution. For example, conf<tab> t<tab> would expand to configure terminal.
Step 2 Set "informational" as the threshold for the minimum severity level for messages to send to syslog servers.
On R1, enter the following commands:
R1(config)# logging trap informational
R1(config)#
%SYS-5-CONFIG_I: Configured from console by console
%SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 10.1.1.10 port 514 started - CLI initiated
There is a syslog message that is displayed to the console indicating that logging has started to the server at 10.1.1.10. The first message is of severity 5 (Notification), and the second message is of severity 6 (Informational). Setting the threshold to "informational" means that messages of severity 0 through 6 will be forwarded to the syslog server. Both of these messages are forwarded.
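The threshold rule from the severity table and from Step 2 (logging trap informational forwards severity 0 through 6), as an added example that is not part of the original guide: a Python parser for the seq no:time stamp: %facility-severity-MNEMONIC: description format described above, run over sample lines to show which ones a given logging trap level would send to the server. The lines marked constructed are not from the lab transcript.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Union

# Cisco IOS severity keywords in numeric order: 0 is most severe, 7 least
# (these are the names the 'logging trap' command accepts).
SEVERITY_NAMES = ["emergencies", "alerts", "critical", "errors",
                  "warnings", "notifications", "informational", "debugging"]

# seq no:time stamp: %facility-severity-MNEMONIC: description
# Sequence number and timestamp are optional because they appear only when the
# service sequence-numbers / service timestamps commands are configured.
_IOS_MSG = re.compile(
    r"^(?:(?P<seq>\d+):\s*)?"                                                 # optional "000046:"
    r"(?:(?P<ts>[*.]?[A-Z][a-z]{2}\s+\d+\s+[\d:.]+(?:\s+[A-Z]{1,5})?):\s*)?"   # optional "Dec  1 08:10:55.265:"
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+):\s*"
    r"(?P<description>.*)$"
)


@dataclass
class SyslogMessage:
    facility: str
    severity: int
    mnemonic: str
    description: str
    seq: Optional[int] = None
    timestamp: Optional[str] = None

    @property
    def severity_name(self) -> str:
        return SEVERITY_NAMES[self.severity]


def parse_ios_syslog(line: str) -> Optional[SyslogMessage]:
    """Parse one IOS log line; return None for lines that are not syslog messages
    (prompts, command echoes, partial output) instead of guessing."""
    m = _IOS_MSG.match(line.strip())
    if m is None:
        return None
    return SyslogMessage(
        facility=m["facility"], severity=int(m["severity"]), mnemonic=m["mnemonic"],
        description=m["description"],
        seq=int(m["seq"]) if m["seq"] else None, timestamp=m["ts"],
    )


def trap_level(level: Union[int, str]) -> int:
    """Resolve a 'logging trap' argument (0-7 or a severity keyword) to a number."""
    if isinstance(level, int) or str(level).isdigit():
        n = int(level)
    else:
        n = SEVERITY_NAMES.index(str(level).lower())  # ValueError on an unknown keyword
    if not 0 <= n <= 7:
        raise ValueError("severity must be 0..7")
    return n


def forwarded_to_server(lines: List[str], trap: Union[int, str]) -> List[SyslogMessage]:
    """Return the messages a router with 'logging trap <trap>' would send to its
    syslog server: every message whose severity number is at or below the threshold."""
    threshold = trap_level(trap)
    msgs = (parse_ios_syslog(line) for line in lines)
    return [m for m in msgs if m is not None and m.severity <= threshold]


# Sample input. The first three lines are the lab's Ethernet0/3 messages; the
# next three are constructed for this example (a sequence-numbered host-start
# message, a LINK-3 error and a debug-level message), followed by a prompt line.
SAMPLE_LINES = [
    "Dec  1 08:10:55.265: %LINEPROTO-5-UPDOWN: Line protocol on Interface Ethernet0/3, changed state to up",
    "Dec  1 08:11:02.057: %LINK-5-CHANGED: Interface Ethernet0/3, changed state to administratively down",
    "Dec  1 08:11:06.063: %SYS-5-CONFIG_I: Configured from console by console",
    "000046: *Dec  1 08:11:07.100 UTC: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 10.1.1.10 port 514 started - CLI initiated",  # constructed
    "Dec  1 08:11:08.000: %LINK-3-UPDOWN: Interface Ethernet0/3, changed state to down",  # constructed
    "Dec  1 08:11:09.000: %SYS-7-USERLOG_DEBUG: Message from tty0(user id: admin): constructed debug line",  # constructed
    "R1#",  # not a syslog message
]

if __name__ == "__main__":
    for name in ("emergencies", "warnings", "informational", "debugging"):
        sent = forwarded_to_server(SAMPLE_LINES, name)
        print("logging trap %-13s -> %d of 6 messages forwarded" % (name, len(sent)))
```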
Step 3 Enter the show logging command to display the syslog status and the local logging buffer.
On R1, enter the following command:
R1# show logging
Syslog logging: enabled (0 messages dropped, 2 messages rate-limited, 0 flushes,
                0 overruns, xml disabled, filtering disabled)
<... output omitted ...>
No active filter modules.
    Trap logging: level informational, 2 message lines logged
<... output omitted ...>
The output indicates that R1 is now sending syslog messages to 10.1.1.10, with the minimum severity threshold set to "informational." The output also indicates that two messages have been sent to the syslog server. Syslog uses UDP for transport and is inherently not reliable. If these two messages are lost somewhere in the transport path, there is no mechanism to recognize the lost message or to request a retransmission.
There is a local logging buffer. It is in its default state, with a severity threshold of "debugging" (severity 7) and sized at 4096 bytes. In the example transcript, 32 messages have been logged in the local buffer. The end of the show logging command output displays the contents of the buffer. At this point in the discovery, the buffer is mostly filled with the messages that were produced when R1 booted. At the end of the buffer, however, are the two syslog messages that were produced as a result of the syslog configuration activity.
The output of the show logging command documents that two messages were sent to 10.1.1.10.
Step 4 Initiate some activity that will generate more syslog messages on R1. Enter the configuration mode, enable the Ethernet0/3 interface, then disable the interface back down, and leave the configuration mode.
On R1, enter the following commands:
R1# conf t
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)# int e0/3
R1(config-if)# no shut
R1(config-if)#
Dec  1 08:10:54.261: %LINK-3-UPDOWN: Interface Ethernet0/3, changed state to up
Dec  1 08:10:55.265: %LINEPROTO-5-UPDOWN: Line protocol on Interface Ethernet0/3, changed state to up
R1(config-if)# shut
R1(config-if)#
Dec  1 08:11:02.057: %LINK-5-CHANGED: Interface Ethernet0/3, changed state to administratively down
Dec  1 08:11:03.061: %LINEPROTO-5-UPDOWN: Line protocol on Interface Ethernet0/3, changed state to down
R1(config-if)# end
R1#
Dec  1 08:11:06.063: %SYS-5-CONFIG_I: Configured from console by console
R1#
This sample activity caused the generation of five syslog messages.
Step 5 Display the logging status and the local logging buffer.
On R1, enter the following command:
R1# show logging
<... output omitted ...>
    Count and timestamp logging messages: disabled
<... output omitted ...>
No active filter modules.
<... output omitted ...>
Dec  1 08:10:55.265: %LINEPROTO-5-UPDOWN: Line protocol on Interface Ethernet0/3, changed state to up
Dec  1 08:11:02.057: %LINK-5-CHANGED: Interface Ethernet0/3, changed state to administratively down
Dec  1 08:11:03.061: %LINEPROTO-5-UPDOWN: Line protocol on Interface Ethernet0/3, changed state to down
Dec  1 08:11:06.063: %SYS-5-CONFIG_I: Configured from console by console
Additional messages were logged to 10.1.1.10.
The five syslog messages that were produced in response to your previous activity are at the end of the local logging buffer.
This is the end of the discovery lab.
SNMP Overview
In the complex network of routers, switches, and servers today, it can seem like a daunting task to manage all devices on your network and make sure that they are not only up and running but also performing optimally. This area is where SNMP can help. SNMP was introduced to meet the growing need for a standard of managing IP devices.
SNMP exposes the environment and performance parameters of a network device, allowing an NMS to collect and process data.
SNMP is a management protocol that supports message exchange:
+ SNMP manager: Polls agents on the network and displays information.
+ SNMP agent: Stores information and responds to manager requests. It generates traps.
  - You can set thresholds to trigger a notification process when they are exceeded.
+ MIB: Contains a database of objects (information variables).
SNMP is an application layer protocol that defines how SNMP managers and SNMP agents exchange management information. SNMP uses the UDP transport mechanism to retrieve and send management information, such as MIB variables.
SNMP is broken down into these three components:
+ SNMP manager: Periodically polls the SNMP agents on managed devices by querying the device for data. The SNMP manager can be part of an NMS such as Cisco Prime Infrastructure.
+ SNMP agent: Runs directly on managed devices, collects device information, and translates it into a compatible SNMP format according to the MIB.
+ MIB: Represents a virtual information storage location that contains collections of managed objects. Within the MIB, there are objects that relate to different defined MIB modules (for example, the interface module).
Routers and other network devices keep statistics about the information of their processes and interfaces locally. SNMP on a device runs a special process that is called an agent. This agent can be queried, using SNMP. SNMP is typically used to gather environment and performance data such as device CPU usage, memory usage, interface traffic, interface error rate, and so on. By periodically querying or "polling" the SNMP agent on a device, an NMS can gather or collect statistics over time. The NMS polls devices periodically to obtain the values of the MIB objects that it is set up to collect. It then offers a look into historical data and anticipated trends. Based on SNMP values, the NMS triggers alarms to notify network operators.
To obtain information from the MIB on the SNMP agent, you can use several different operations:
+ Get: This operation is used to get information from the MIB on an SNMP agent.
+ Get-next: This operation is used to get the next object from the MIB on an SNMP agent.
+ Get-bulk: This operation allows a management application to retrieve a large section of a table at once.
+ Set: This operation is used to set information in the MIB from an SNMP manager.
+ Trap: This operation is used by the SNMP agent to send a triggered piece of information to the SNMP manager.
+ Inform: This operation is the same as a trap, but it adds an acknowledgment that a trap does not provide.
SNMP Versions
New functionalities have been added to SNMP. There are currently three versions of SNMP.
SNMP Versions (slide): SNMPv1 uses plaintext authentication with community strings; SNMPv2c uses plaintext authentication with community strings; SNMPv3 provides strong authentication, confidentiality, and integrity.
The following list describes the different versions of SNMP.
+ SNMP version 1: SNMPv1 is the initial version of SNMP. SNMPv1 security is based on communities that are nothing more than passwords: plaintext strings that allow any SNMP-based application that knows the strings to gain access to the management information of a device. There are typically three communities in SNMPv1: read-only, read-write, and trap.
A key security flaw in SNMPv1 is that the only authentication available is through a community string. Anyone who knows the community string is allowed access. Adding to this problem is the fact that all SNMPv1 packets pass across the network unencrypted. Therefore, anyone who can sniff a single SNMP packet now has the community string that is needed to get access.
+ SNMP version 2c: SNMPv2 was the first attempt to fix SNMPv1 security flaws. However, SNMPv2 never really took off. The only prevalent version of SNMPv2 today is SNMPv2c, which contains SNMPv2 protocol enhancements but leaves out the security features that no one could agree on. The "c" designates v2c as being "community based," which means that it uses the same authentication mechanism as v1—community strings.
+ SNMP version 3: SNMPv3 is the latest version. It adds support for strong authentication and private communication between managed entities. You can define a secure policy for each group, and optionally you can limit the IP addresses to which its members can belong. You have to define encryption and hashing algorithms and passwords for each user. The key security additions to SNMPv3 are as follows:
- Can use MD5 or SHA hashes for authentication
- Can encrypt the entire packet
- Can guarantee message integrity
SNMPv3 introduces three levels of security:
+ noAuthNoPriv: No authentication is required, and no privacy (encryption) is provided.
+ authNoPriv: Authentication is required, but no encryption is provided.
+ authPriv: In addition to authentication, encryption is also used.
Note Neither SNMPv1 nor SNMPv2c offers security features. Specifically, SNMPv1 and SNMPv2c can neither authenticate the source of a management message nor provide encryption.
Discovery 53: Configure SNMP
Introduction
This discovery will provide you with some experience with the syntax of a basic SNMP configuration that facilitates the management of Cisco IOS devices. The live virtual lab is prepared with the router and server that are represented in the topology diagram and the connectivity table. The devices have their basic configurations in place, including hostnames and IP addresses. In the discovery, you will configure the router SNMP system contact and location variables. You will also define a read-only and a read-write community string and an SNMP server as the destination for SNMP traps.
Topology
(Figure: R1 connected to SRV1)
Job Aids
Device Information
The configuration is as follows:
All devices have their basic configurations in place, including hostnames and IP addresses.
Device Details
Device | Interface | Neighbor | IP Address
R1 | Ethernet0/0 | SRV1 | 10.1.1.1/24
SRV1 | Ethernet0/0 | R1 | 10.1.1.10/24
Note PC and SRV1 in the virtual lab environment are simulated as routers, so you should use Cisco IOS commands to configure them or make verifications.
Task 1: Configure SNMP
To implement SNMP access to the router, you must do the following:
+ On the router, set the system contact and location of the SNMP agent on the router.
+ Configure a community access string with a read-write privilege to permit access to SNMP.
Configure SNMP
1. Configure the system contact.
2. Configure the system location.
3. Define the community access string.
SNMP configuration is based on the steps that are described in the table.
Command | Description
snmp-server contact contact_name | Sets the system contact string.
snmp-server location location | Sets the system location string.
snmp-server community string [ro | rw] | Defines the community access string with read-only or read-write access.
Note The first snmp-server command that you issue enables SNMP on the device.
A community string authenticates access to MIB objects and can have one of these attributes:
+ Read-only: Gives read access to authorized management stations to all objects in the MIB, except the community strings, but it does not allow write access.
+ Read-write: Gives read and write access to authorized management stations to all objects in the MIB, but it does not allow access to the community strings.
The system contact and the location of the SNMP agent are also set on the router so that you can access these descriptions through the configuration file. Configuring the basic information is recommended because it may be useful when troubleshooting your configuration.
Activity
Step 1 Access the R1 console. Set the R1 SNMP system contact to [email protected] and set the R1 SNMP system location to Remote Lab Facility.
R1# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)# snmp-server contact [email protected]
R1(config)# snmp-server location Remote Lab Facility
Note All devices that support SNMP management must support MIB-2. MIB-2 stores data that is generically applicable to all IP devices. The three basic objects in MIB-2 are the system name, system contact, and system location. You just defined the latter two. The SNMP system name automatically inherits the value of the hostname setting on a Cisco IOS device, so the R1 SNMP system name was already R1.
Step 2 Define Cisco1 as a read-only community string and Cisco2 as a read-write community string.
R1(config)# snmp-server community Cisco1 ro
R1(config)# snmp-server community Cisco2 rw
SNMP community strings should be treated with the same care as passwords. The read-only community string has privileges that are similar to a login password, and the read-write community string has privileges that are similar to the enable secret. The strings that are used in this example are too easy to guess to use in a production environment.
Step 3 Define SRV1 (10.1.1.10) as the SNMP destination for the traps that R1 generates. Specify Cisco3 as the community string to be included in the traps.
To specify the recipient of the SNMP notification operation, use the snmp-server host ip-address community command.
R1(config)# snmp-server host 10.1.1.10 Cisco3
R1(config)# exit
Traps provide the facility for the managed device to send unsolicited alerts to the SNMP system. This allows for faster response times than would be practical with periodic polling by the management system.
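The warnings in the SNMP Versions lesson and in this discovery (community strings travel in plaintext under SNMPv1/v2c, a read-write string is as powerful as the enable secret, and the Cisco1/Cisco2 strings are too easy to guess) can be turned into a configuration check. The following Python script is an added example, not code from the Cisco course; it audits the snmp-server lines of a constructed running configuration that contains the Discovery 53 commands plus hypothetical SNMPv3 and well-known-string lines, and the WELL_KNOWN list and 8-character minimum are assumed policy values.

```python
"""Audit the snmp-server lines of a Cisco IOS configuration.

Added example, not code from the Cisco course. It flags what the lesson warns
about: community strings are the only SNMPv1/v2c authentication and cross the
network in plaintext, a read-write string is as powerful as the enable secret,
and short or well-known strings are too easy to guess.
"""
import re
from dataclasses import dataclass

# Constructed sample: the Discovery 53 commands plus three hypothetical lines
# (a well-known "public" community, an SNMPv3 group, and an SNMPv3 trap host).
SAMPLE_CONFIG = """\
hostname R1
snmp-server contact noc@example.com
snmp-server location Remote Lab Facility
snmp-server community Cisco1 ro
snmp-server community Cisco2 rw
snmp-server community public ro
snmp-server host 10.1.1.10 Cisco3
snmp-server group NETADMIN v3 priv
snmp-server host 10.1.1.20 version 3 priv netops
"""

WELL_KNOWN = {"public", "private", "cisco", "admin", "secret"}  # assumed list
MIN_LENGTH = 8                                                  # assumed policy


@dataclass(frozen=True)
class Finding:
    line: str
    severity: str   # "high" or "medium"
    reason: str


def audit_snmp(config: str) -> list[Finding]:
    """Return one Finding per weakness found in the snmp-server lines."""
    findings: list[Finding] = []
    for raw in config.splitlines():
        line = raw.strip()
        words = line.split()
        if len(words) < 3 or words[0] != "snmp-server":
            continue
        if words[1] == "community":
            string = words[2]
            mode = words[3].lower() if len(words) > 3 else "ro"  # IOS default
            # Any community string means SNMPv1/v2c: plaintext on the wire.
            if mode == "rw":
                findings.append(Finding(line, "high",
                    "read-write community (enable-secret equivalent) sent in plaintext"))
            else:
                findings.append(Finding(line, "medium",
                    "read-only community (login-password equivalent) sent in plaintext"))
            if string.lower() in WELL_KNOWN or len(string) < MIN_LENGTH:
                findings.append(Finding(line, "high",
                    f"community string {string!r} is well known or too short"))
        elif words[1] == "host":
            # A notification receiver without "version 3" puts the community
            # string into every trap it sends.
            if not re.search(r"\bversion\s+3\b", line):
                findings.append(Finding(line, "medium",
                    "trap/inform host uses SNMPv1/v2c: community string sent in plaintext"))
            elif re.search(r"\bversion\s+3\s+noauth\b", line):
                findings.append(Finding(line, "medium",
                    "SNMPv3 host at noAuthNoPriv: no authentication or encryption"))
    return findings


def summarize(config: str) -> dict[str, int]:
    """Count findings by severity, usable as a simple pass/fail gate."""
    counts = {"high": 0, "medium": 0}
    for finding in audit_snmp(config):
        counts[finding.severity] += 1
    return counts


if __name__ == "__main__":
    for finding in audit_snmp(SAMPLE_CONFIG):
        print(f"[{finding.severity:6}] {finding.line}")
        print(f"         {finding.reason}")
    print(summarize(SAMPLE_CONFIG))
```

Run against the sample, the three Discovery 53 community and host lines produce every finding, while the SNMPv3 group and the version 3 priv host produce none.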
Verify SNMP
Display SNMP community access strings.
Display SNMP system location string.
Display SNMP system contact information.
Display the SNMP host details.
The following table represents the commands that are used to verify SNMP.
Command | Description
show snmp community | Displays SNMP community access strings.
show snmp location | Displays SNMP system location string.
show snmp contact | Displays SNMP system contact information.
show snmp host | Displays the recipient details for SNMP notification operations.
Step 4 Use the show snmp community command to verify that the three community strings that you just defined are active.
R1# show snmp community
Community name: ILMI
storage-type: read-only active
Community Index: cisco1
Community SecurityName: Cisco1
The ILMI community string is defined within Cisco IOS Software. You cannot configure it. It is a read-only community string that is associated with the ILMI protocol that is running between a router and an ATM switch.
Challenge
1. How can you access the syslog of a router?
A. on a remote router that is receiving the syslog
B. on a router that is placed between the router that is sending the syslog messages and a syslog server that is receiving the log messages
C. on a syslog server that is receiving the syslog
D. on a remote switch that is receiving the syslog
2. Look at the format of the following syslog message:
seq no: time stamp: %facility-severity-MNEMONIC: description
What is the MNEMONIC?
A. the text string or code that uniquely describes the message
B. the text that is a full sentence-like description of the event
C. a way of remembering previous events
D. a number that is part event number and part MAC address
3. You want to control the severity of the event that determines when a syslog should be sent. Which command do you use?
A. logging hostname | ip address
B. logging trap severity
C. logging severity
D. logging level severity
4. Which of the following severity levels is used when a system is unusable?
A. Emergency
B. Alert
C. Critical
D. Error
5. Severity level "Emergency" has which number assigned to it?
A. 0
B. (illegible)
C. 6
D. 7
6. A router is configured with the snmp-server community Cisco RO command. An NMS is trying to communicate to this router via SNMP. Which action can be performed by the NMS?
A. The NMS can only read obtained results.
B. The NMS can read obtained results and change the hostname of the router.
C. The NMS can only change the hostname of the router.
D. None of the above.
7. Match the operations that are used by an SNMP agent to their explanations.
Trap | Used to get information from the MIB to an SNMP agent
Set | Used to send a triggered piece of information to the SNMP manager
Get | Used to get information to the MIB from an SNMP manager
Inform | Is the same as a trap, but it adds an acknowledgment that a trap does not provide
Answer Key
Challenge
1. C
2. A
3. B
4. A
5. A
6. A
7.
Get | Used to get information from the MIB to an SNMP agent
Trap | Used to send a triggered piece of information to the SNMP manager
Set | Used to get information to the MIB from an SNMP manager
Inform | Is the same as a trap, but it adds an acknowledgment that a trap does not provide
Lesson 2: Learning About the Evolution of Intelligent Networks
Introduction
Bob, the senior engineer at CSS, asks you for a favor. He is really busy this week, so he would like you to explain to one of the customers what switch stacking is and also discuss its benefits. Bob also informs you that the manager heard that intelligent networks are becoming increasingly popular, so the customer is wondering if you can use them in the corporate networks. Bob asks you to sit down with the manager and explain what an intelligent network really means—including cloud computing.
You can decide when during this week you will finish these two tasks—you can either do it today, or you can first do some research about the topics.
Switch Stacking
A typical switch topology on the access and the distribution layers has two (or more) access switches that are placed next to each other in the same rack in order to provide enough access ports for all network devices. Each access switch has two redundant connections to each of the distribution switches. This topology introduces certain overhead in terms of management, resiliency, and performance.
The Cisco StackWise technology is typically used to unite access switches that are mounted in the same rack. Multiple switches are used to provide enough access ports. The stack, which consists of up to nine switches, is managed as a single unit, reducing the number of units you have to manage in your network. All switches in the stack share configuration and routing information, creating a single switching unit. You can add and delete switches on a working stack without affecting the performance.
Switch Stacking (slide):
StackWise can join multiple physical switches into a single logical switching unit.
Switches are united by special interconnect cables.
The master switch is elected.
The stack is managed as a single object and has a single management address.
You unite switches into a single logical unit by using special stack interconnect cables that create a bidirectional closed-loop path. The network topology and routing information are updated continuously through the stack interconnect. All stack members have full access to the stack interconnect bandwidth. A master switch manages the stack as a single unit. The master switch is elected from one of the stack member switches. You can join up to nine separate switches.
Each stack of switches has a single IP address and is managed as a single object. This single IP management applies to activities such as fault detection, VLAN creation and modification, security, and QoS controls. Each stack has only one configuration file, which is distributed to each member in the stack.
When you add a new switch to the stack, the master switch automatically configures the unit with the currently running IOS image and the configuration of the stack. You do not have to do anything to bring up the switch before it is ready to operate.
Switch Stacking (Cont.)
Typical switch topology:
Management overhead.
STP blocks half of the uplinks.
No direct communication between access switches.
Topology using StackWise:
Multiple access switches in the same rack.
Reduced management overhead.
Stack interconnect.
Multiple switches can create an EtherChannel connection.
Multiple switches in a stack can create an EtherChannel connection. You might therefore avoid STP, doubling the available bandwidth of the uplink of the existing distribution switches.
Cloud Computing and Its Effect on Enterprise Networks
Cloud computing is a general term that describes a way of using resources: processing, storage, network, and so on. The term "cloud" and its deployment are somewhat new concepts, but the base concepts have been used for decades.
Cloud Computing and Its Effect on Enterprise Networks (slide):
+ IT resources and services are abstracted from the underlying infrastructure.
+ Computing is delivered as a service rather than as a product.
+ A cloud can be an off-premises hosted model, either application hosting or storage hosting.
(Figure: business services and consumer services delivered over a virtual infrastructure of compute, storage, and networking)
+ Bit 13 determines the response of the router to a bootload failure. Setting bit 13 causes the router to load operating software from ROM after six unsuccessful attempts to load a boot file. Clearing bit 13 causes the router to continue indefinitely to attempt loading a boot file. By factory default, bit 13 is set to 1.
Configuration Register (Cont.)
Boot Field Value | Meaning
0 | Stays at the ROM monitor on a reload or power cycle
1 | Boots the first image in flash memory as a system image
2-F | Enables default booting from flash memory; enables boot system commands that override default booting from flash memory
The boot field specifies a number in binary form. If you set the boot field value to 0, you must have console port access to boot the operating system manually. If you set the boot field to a value of 2 to F, and there is a valid boot system command that is stored in the configuration file, the router software processes each boot command in sequence until the process is successful or the end of the list is reached. If there are no boot commands in the configuration file, the router attempts to boot the first file in the flash memory.
Bit 5, bit 11, and bit 12 of the configuration register determine the baud rate of the console terminal. The table shows the bit settings for the eight available rates. The default baud rate is 9600 bps.
Configuration Register (Cont.)
(Table: Console Terminal Baud Rate Settings)
Changing the Configuration Register
Before altering the configuration register, you should use the show version command to determine the current configuration register value. The last line of the show version command output shows the configuration register value.
Note Record the configuration register setting, which is typically 0x2102, so you can change back to the original setting if necessary.
You can use the config-register command in the global configuration mode to set the configuration register value. The syntax for this command is config-register value. The value argument is a hexadecimal number.
Changing the Configuration Register (slide):
First, verify the current configuration register value.
Set the configuration register value.
Verify the new configuration register value.
Configuration register is 0x2102 (will be 0x2101 at next reload)
You should be careful when using the config-register command because the value argument sets all 16 bits of the configuration register. Only the lowest 4 bits of the configuration register (bits 3, 2, 1, and 0) form the boot field. For example, the default value of 0x2102 not only instructs the router to boot the system image from flash memory but also instructs the router to load the startup configuration with a console speed of 9600 baud (for most platforms), ignore the console Break key, and boot to ROM if the initial boot fails. If you modify the configuration register value, the change takes effect when the router reloads.
In the example, the configuration register value is changed from the default setting to 0x2101, and the configuration is saved to NVRAM. The new configuration register value will cause the router to load the bootstrap code.
If you issue the show version command again after changing the configuration register value, the command output shows both the currently configured value of the configuration register and the value that will be used at the next reload.
Locating Cisco IOS Image Files
When a Cisco router boots, it searches for the Cisco IOS image in a specific sequence. It searches for the location that is specified in the configuration register, flash memory, a TFTP server, and ROM.
Locating Cisco IOS Image Files (slide)
The bootstrap code is responsible for locating Cisco IOS Software. It searches for the Cisco IOS image in the following sequence:
1. The bootstrap code checks the boot field of the configuration register. The boot field tells the router how to boot up. The boot field can point to flash memory for the Cisco IOS image, the startup configuration file (if one exists) for commands that tell the router how to boot, or a remote TFTP server. Alternatively, the boot field can specify that no Cisco IOS image will be loaded, and the router should start a Cisco ROM monitor.
2. The bootstrap code executes the specifications of the configuration register boot field value as described in the following bullets. In a configuration register value, the "0x" indicates that the digits that follow are in hexadecimal notation. A configuration register value of 0x2102 has a boot field value of 0x2. The right-most digit in the register value is 2 and represents the lowest 4 bits of the register.
+ If the boot field value is 0x0, the router boots to the ROM monitor at the next power cycle or reload.
+ If the boot field value is 0x1, the router searches flash memory for Cisco IOS images.
+ If the boot field value is 0x2 to 0xF, at the next power cycle or reload, the bootstrap code parses the startup configuration file in NVRAM for boot system commands that specify the name and location of the Cisco IOS Software image to load. (Examples of boot system commands will follow.) If boot system commands are found, the router sequentially processes each boot system command in the configuration. If there are no boot system commands in the configuration, the router searches the flash memory for a Cisco IOS image.
3. If the router searches for and finds valid Cisco IOS images in flash memory, it loads the first valid image and runs it.
4. If it does not find a valid Cisco IOS image in flash memory, the router attempts to boot from a network TFTP server using the boot field value as part of the Cisco IOS image filename.
5. After six unsuccessful attempts at locating a TFTP server, the router loads the ROM monitor.
Note The procedure for locating the Cisco IOS image depends on the Cisco router platform and default configuration register values. The procedure that is described here applies to the Cisco Integrated Services Routers.
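To see how the boot field and the other register bits combine in values such as 0x2102 and 0x2101, the following Python decoder is an added example, not code from the Cisco course. It takes the boot field values and the meaning of bit 13 from this section; the bit numbers for "load the startup configuration" (bit 6, NVRAM ignored when set) and "ignore the console Break key" (bit 8) are standard Cisco register semantics assumed here rather than stated on this page, and the show version line it parses is the one shown under Changing the Configuration Register.

```python
"""Decode a Cisco configuration register into the fields the lesson describes.

Added example, not code from the Cisco course. Boot field and bit 13 follow
the lesson; bit 6 (ignore NVRAM contents) and bit 8 (ignore console Break)
are assumed from standard Cisco register semantics.
"""
import re
from dataclasses import dataclass

DEFAULT_REGISTER = 0x2102

BOOT_FIELD_MEANING = {
    0: "stay at the ROM monitor on a reload or power cycle",
    1: "boot the first image in flash memory as the system image",
}
OTHER_BOOT_FIELD = ("process boot system commands from the startup configuration; "
                    "if there are none, boot the first image in flash memory")


@dataclass(frozen=True)
class ConfigRegister:
    value: int
    boot_field: int               # bits 3..0
    boot_behaviour: str
    ignore_nvram: bool            # bit 6 set: startup configuration not loaded
    ignore_break: bool            # bit 8 set: console Break key ignored
    rom_after_netboot_fail: bool  # bit 13 set: fall back to ROM after six failures


def decode_register(value: int) -> ConfigRegister:
    """Split a 16-bit register value into its documented fields."""
    if not 0 <= value <= 0xFFFF:
        raise ValueError("configuration register is a 16-bit value")
    boot_field = value & 0xF
    return ConfigRegister(
        value=value,
        boot_field=boot_field,
        boot_behaviour=BOOT_FIELD_MEANING.get(boot_field, OTHER_BOOT_FIELD),
        ignore_nvram=bool(value & (1 << 6)),
        ignore_break=bool(value & (1 << 8)),
        rom_after_netboot_fail=bool(value & (1 << 13)),
    )


def next_reload_register(show_version_line: str) -> int:
    """Return the value in effect at the next reload from the last line of
    show version, handling the '(will be 0x... at next reload)' form."""
    m = re.search(r"Configuration register is 0x([0-9A-Fa-f]{1,4})"
                  r"(?:\s*\(will be 0x([0-9A-Fa-f]{1,4}) at next reload\))?",
                  show_version_line)
    if not m:
        raise ValueError("not a configuration register line")
    return int(m.group(2) or m.group(1), 16)


def register_warnings(value: int) -> list[str]:
    """Deviations from the default that a configuration audit should flag."""
    reg = decode_register(value)
    warnings = []
    if reg.ignore_nvram:
        warnings.append("bit 6 set: saved startup configuration will not be "
                        "applied at the next reload")
    if reg.boot_field == 0:
        warnings.append("boot field 0: router stops at the ROM monitor, "
                        "console access is required to boot")
    if not reg.ignore_break:
        warnings.append("bit 8 clear: console Break key is honoured during boot")
    if not reg.rom_after_netboot_fail:
        warnings.append("bit 13 clear: router retries network boot indefinitely")
    return warnings


if __name__ == "__main__":
    line = "Configuration register is 0x2102 (will be 0x2101 at next reload)"
    # Third value is constructed: the default with bit 6 set.
    for v in (DEFAULT_REGISTER, next_reload_register(line), DEFAULT_REGISTER | (1 << 6)):
        r = decode_register(v)
        print(f"0x{v:04X}: boot field {r.boot_field:X} -> {r.boot_behaviour}")
        for w in register_warnings(v):
            print("   WARNING:", w)
```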
Entering boot system commands in sequence in a router configuration can create a fault-tolerant boot plan. The boot system command is a global configuration command that allows you to specify the source for the Cisco IOS Software image to load. For example, the following command boots the system boot image file that is named c2900-universalk9-mz.SPA.152-4.M1.bin from the flash memory device:
Branch(config)# boot system flash:c2900-universalk9-mz.SPA.152-4.M1.bin
This next example specifies a TFTP server as a source of a Cisco IOS image, with a ROM monitor as the backup:
Branch(config)# boot system tftp://c2900-universalk9-mz.SPA.152-4.M1.bin
Branch(config)# boot system rom
Loading Cisco IOS Image Files
When the router locates a valid Cisco IOS image file in the flash memory, the Cisco IOS image is normally loaded into RAM to run. If the image needs to be loaded from the flash memory into RAM, it must first be decompressed. After the file is decompressed into RAM, it is started. When Cisco IOS Software begins to load, you may see a string of pound signs (#), as shown in the figure, while the image decompresses.
Loading Cisco IOS Image Files (slide)
(Figure: console output of the boot process, with the pound signs printed while the image decompresses)
Loading Cisco IOS Image Files (Cont.)
The Cisco IOS image file is decompressed and stored in RAM. The output shows the boot process on a router.
The show version command can be used to help verify and troubleshoot some of the basic hardware and software components of the router. The show version command displays information about the version of Cisco IOS Software that is currently running on the router, the version of the bootstrap program, and information about the hardware configuration, including the amount of system memory.
Loading Cisco IOS Image Files (Cont.)
Displays information about the currently loaded software, hardware, and device information.
The output from the show version command includes the following:
+ Cisco IOS version
Cisco IOS Software, C2900 Software (C2900-UNIVERSALK9-M), Version 15.2(4)M1, RELEASE SOFTWARE (fc1)
This line from the example output shows the version of Cisco IOS Software in RAM that the router is using.
+ ROM bootstrap program
ROM: System Bootstrap, Version 15.0(1r)M15, RELEASE SOFTWARE (fc1)
This line from the example output shows the version of the system bootstrap software that is stored in ROM and was initially used to boot up the router.
+ Location of Cisco IOS image
System image file is "flash0:c2900-universalk9-mz.SPA.152-4.M1.bin"
This line from the example output shows where the Cisco IOS image is located and loaded as well as its complete filename.
+ Interfaces
This section of the output displays the physical interfaces on the router. In this example, the Cisco 2901 router has two Gigabit Ethernet interfaces and one serial interface.
+ Amount of NVRAM
255 KB of NVRAM
This line from the example output shows the amount of NVRAM on the router.
+ Amount of Flash
This line from the example output shows the amount of flash memory on the router.
+ Configuration register
Configuration register is 0x2102
The last line of the show version command displays the current configured value of the software configuration register in hexadecimal format. This value indicates that the router will attempt to load a Cisco IOS Software image from flash memory and load the startup configuration file from NVRAM.