Cisco IOS CCNA Course

Getting started with Cisco IOS: course notes. To be read in conjunction with the excellent course run by Brian McGahan of INE, https://www.youtube.com/playlist?list=PLA0AF9A1586D50544 , available free of charge on YouTube. Note: the full course can be purchased here: http://www.ine.com/self-paced/ccna/bootcamps.htm

Another free course: https://www.youtube.com/playlist?list=PLmdYg02XJt6QRQfYjyQcMPfS3mrSnFbRC

Cisco commands are in blue.

LESSON 5

————————————————————————————————————-

Getting Started

If not going through the setup wizard:

Prompt looks like this: Router>

This means that you are in user mode. No changes can be made.

To make changes you need to switch to privileged mode: enable

To go back to user mode: disable

Prompt looks like this: Router#

To determine your privilege level:  show privilege

Familiarise yourself with context sensitive help and tab completion

———————————————————————————————————-

Erase current configuration: (if desired)

write erase or erase start

Restart the router: reload. When asked, do not save the configuration, so that the configuration you have running is not saved.

———————————————————————————————————–

Check the status of the interfaces

show ip interface brief

———————————————————————————————————

Setting enable password and encrypting it:

(here the password is cisco)  From config:

enable password cisco

Encrypt: service password-encryption

——————————————————————————————————

Enable telnet

conf t
line vty 0 4
password ciscopass

Or remove password with no password
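A check a reviewer could run over a saved configuration for the settings configured above (enable password, service password-encryption, vty password). This is an added example, not part of the course notes: both sample configurations are constructed and the finding names are this example's own. It relies on IOS storing `enable password` in clear text (or as reversible type 7 once service password-encryption is on) while `enable secret` stores a hash, and it assumes a vty block without `transport input ssh` still accepts Telnet.

```python
import re

# Constructed sample: the commands from the notes as they would appear
# in a saved configuration (not captured from a real device).
WEAK_CONFIG = """\
enable password cisco
!
interface FastEthernet0/0
 ip address 192.168.0.1 255.255.255.0
!
line vty 0 4
 password ciscopass
 login
!
"""

# Constructed sample of the corrected form; the hash is a placeholder.
HARDENED_CONFIG = """\
service password-encryption
enable secret 5 <hash-placeholder>
username admin secret 5 <hash-placeholder>
!
line vty 0 4
 login local
 transport input ssh
!
"""

# "password [type] value" at global level (enable) or under a line block
PASSWORD_RE = re.compile(r"^(enable password|password)\s+(?:(\d)\s+)?(\S+)$")


def parse_sections(config):
    """Group an IOS config into (header, [sub-commands]) using its indentation."""
    sections = []
    for raw in config.splitlines():
        if not raw.strip() or raw.strip() == "!":
            continue
        if raw.startswith(" ") and sections:
            sections[-1][1].append(raw.strip())
        else:
            sections.append((raw.strip(), []))
    return sections


def audit(config):
    """Return a list of (finding, location) tuples for weak credential settings."""
    findings = []
    sections = parse_sections(config)
    has_secret = any(h.startswith("enable secret") for h, _ in sections)
    for header, subs in sections:
        for line in [header] + subs:
            m = PASSWORD_RE.match(line)
            if not m:
                continue
            kind, ptype, _value = m.groups()
            where = "global" if line == header else header
            if kind == "enable password" and not has_secret:
                findings.append(("ENABLE_PASSWORD_NO_SECRET", where))
            if ptype in (None, "0"):
                findings.append(("CLEARTEXT_PASSWORD", where))
            elif ptype == "7":
                # service password-encryption output: obfuscated, not hashed
                findings.append(("REVERSIBLE_TYPE7", where))
        if header.startswith("line vty"):
            transport = [s.split()[2:] for s in subs if s.startswith("transport input")]
            # Assumption: without an explicit ssh-only transport, Telnet is accepted
            if not transport or any(set(t) != {"ssh"} for t in transport):
                findings.append(("VTY_TELNET_NOT_EXCLUDED", header))
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit(cfg))
```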

————————————————————————————————————

Configure an IP address

See the available interfaces using sh ip int brief and choose an interface.

conf t
int fastethernet0/0
ip address 192.168.0.1 255.255.255.0
no shut

———————————————————————————————————-

Show and save the current configuration:

show running-config
copy running-config startup-config

————————————————————————————————————

LESSON 6: PING, TRACEROUTE AND TFTP

————————————————————————————————————

Prevent Translating domain error when you type in an incorrect command

conf t
no ip domain-lookup

Prevents annoying delay when typing in an unrecognised command. http://www.cisco.com/c/en/us/support/docs/routers/10000-series-routers/46253-ipdomain-lookup.html

—————————————————————————————————————————

Ping multiple times (to test connectivity for a long period)

Default is 5. ping 192.168.0.1 repeat 1000 (Note:  from privileged mode)

A ping indicates that the stack is working up to layer 3 (Network)

—————————————————————————————————————————-

A useful tip: Looking at the logs,

Link up means Layer 1 working

Line proto up means layer 2 is working.

————————————————————————————————————————-

More useful commands

sh ip int brief
write terminal = sh run
write erase = erase start
write = copy running-config startup-config

CTRL-R = REFRESH LINE
CTRL-Z = “END”
CTRL-D = DELETE PREVIOUS CHARACTER
CTRL-W= DELETE PREVIOUS WORD.
CTRL-A =JUMP TO BEGINNING OF LINE
CTRL-E= JUMP TO END OF LINE

—————————————————————————————————————————–

Fix problem where log file suddenly interrupts your command

logging synchronous

————————————————————————————————————————–

Determine the version of IOS

sh ver

Go to Cisco website: Search for ios train naming for more info on nomenclature.

Go to Cisco.com/go/fn (feature navigator) and paste in the name of your IOS version. Some versions have different features.

———————————————————————————————————————–

Copy your IOS .bin image to another router or back it up:

Determine contents of flash: dir from enable prompt

First router: conf t
tftp-server flash:filename.bin

Second router: copy tftp://192.168.0.1/filename.bin flash

To copy an IOS image to a TFTP server:

copy flash:filename.bin tftp://192.168.0.1

Set up a tftp server on a Windows machine.

————————————————————————————————————————

MD5: Later versions of IOS enable you to run an MD5 checksum which verifies that the file is unchanged. You run the same check on a Windows machine, compare hashes and thereby check that the image of IOS has uploaded correctly.

———————————————————————————————————————-

Lessons 7 and 8: IOS File and Configuration Management with TFTP

————————————————————————————————————————

Copy running config to a TFTP server:

copy running-config tftp://192.168.0.1

A useful way of backing up before you start making changes.

————————————————————————————————————————–

Configuration guides available on the Cisco website.  Search by version numbers

————————————————————————————————————————-

Restore from a TFTP server

copy tftp start

You need the address of the TFTP server and the filename.

————————————————————————————————————————–

Lesson 9 Local Area Networks

——————————————————————————————————————————

A LAN these days usually means an ethernet LAN.  Cable length 100m approx.

NIC card is Layer 1 and Layer 2

Repeaters and hubs extend range of LAN

Bridges: Ports separated into separate collision domains. Uses MAC addresses to identify hosts. MAC is layer 2 of OSI

Ethernet switches are multiport bridges. Each port is a collision domain so devices do not share their own bandwidth.

CAM- Content Addressable Memory- where MAC addresses are stored.

To view contents of ARP cache: sh arp

To view mac addresses of hosts on the LAN: sh mac address-table

also sh mac address-table dynamic vlan 1

————————————————————————————————————-

Useful commands: 

sh int fa0/0  shows status of that interface

Show interfaces shows detailed information for all interfaces

bia means burned in address

You can configure the MAC address: mac-address 5555.5555.5555, which changes the MAC address

———————————————————————————————————

Remember:

Layer 4 Transport TCP

Layer 3 Network IP

Layer 2 Data Link Ethernet (Mac addresses)

Layer 1 Physical Cables, WIC cards etc

—————————————————————————————————————

Lesson 10: IP, ARP, MAC Address Flooding and Learning

sh arp

sh mac-address-table

————————————————————————————————————–

To view details of an individual interface or vlan: sh int fa0/0 or sh int vlan1

Typical output:

SW1>sh int vlan1
Vlan1 is up, line protocol is up
Hardware is EtherSVI, address is c207.15d0.0000 (bia c207.15d0.0000)
Internet address is 192.168.0.6/24
MTU 1500 bytes, BW 100000 Kbit, DLY 1000000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ARPA, loopback not set
ARP type: ARPA, ARP Timeout 04:00:00
Last input 00:00:10, output never, output hang never
Last clearing of “show interface” counters never
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/40 (size/max)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
141 packets input, 15666 bytes, 0 no buffer
Received 131 broadcasts, 0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
20 packets output, 1734 bytes, 0 underruns
0 output errors, 1 interface resets
0 output buffer failures, 0 output buffers

—————————————————————————————————————-

To debug a service, eg ARP:  (Shows what it’s doing):  debug arp

To remove time stamps to make it easier to read the results: no service timestamps

To clear the ARP cache: clear arp

To switch off debugging:  no debug arp

On Windows, to view arp cache: arp -a

——————————————————————————————————————

How ARP works

Switch receives packet destined for an IP address. It doesn’t know where it is, so it sends out a broadcast on ffff.ffff.ffff to every port except the port it came in on. This is flooding.

4 important fields

IP source

IP destination

Mac source

Mac dest

ARP resolves MAC addresses to IP addresses

———————————————————————————————————————–

Lesson 11 Collision domains, broadcast domains and VLANS

Each port on the switch is its own collision domain, so the switch does not need to broadcast. It knows the mac address and IP of each port. Hence, a request from a host to connect to another host will result in the traffic being directed directly to that port by the use of ARP.  This enables full duplex because device does not need to listen before sending data.

————————————————————————————————————-

Show interfaces status shows where each port goes and type

——————————————————————————————————-

VLAN groups ports together to reduce the size of the broadcast domain.  Groups ports together into separate broadcast domains.

Ports that share same VLAN are in same broadcast domain.

Often separate VLANS will have different IP subnets

So, some means must be found to move traffic between them, with a router. Hence layer 2 and 3 switches

——————————————————————————————————————

VLANS can span multiple switches. Switches will know from ethernet header that it’s part of a specific VLAN.

——————————————————————————————————————–

Command: vlan (number), from global config

To remove a VLAN: no vlan (number), eg no vlan 100-110

Note:  If you are emulating switches using GNS3, the commands are different.  See my GNS3 Page

———————————————————————————————————————-

Defaults are 1001 onwards, so you can use 1-1000

In GNS3 use sh vlan-switch to see the VLANS on the switch

In GNS3 use vlan name xxxxx to rename a VLAN

———————————————————————————————————————

Note: if you are using GNS3, you need to make the connections between switches into trunks by using the command switchport mode trunk

To switch off, switchport mode access

—————————————————————————————————————–

Lesson 12 Cisco Discovery Protocol

CDP enables information to be exchanged between neighbours

Sh cdp neighbors

sh cdp neighbors detail

This will tell you all the mac addresses of routers in the vicinity.

holdtime:  how long before router has disappeared

To disable: no cdp run globally, or no cdp enable on an interface.

CDP is on automatically.

As it’s cisco proprietary, it is only for Cisco kit.

———————————————————————————————————–

Lesson 13: Trunking and VTP

ISL or dot1q

VLAN trunks:  Switch needs to know which vlan it belongs to so it can look up the correct MAC address

Cisco does this with ISL (Inter Switch Link), but open format is .1q

Adds info to packet header to tell switch which VLAN number it is connected to.

To get info:  sh int trunk

Tells you if .1q and also if STP is on.

You can also see which are trunks using sh int status

Some switches run DTP or Dynamic Trunking Protocol, which creates an affinity to form trunks if necessary.

To find out about switchport modes: sh int switchport. Tells you loads of stuff, like whether it’s in a vlan, etc.

sh int fa0/1 switchport tells you about the switchport

switchport options:  switchport mode command

On some switches you can set the configuration: switchport mode dynamic desirable.

(On GNS3 you don’t have the option, only switchport mode trunk or access)

VTP is Vlan Trunking Protocol

When you create VLAN numbers, the switches agree them. Trunks between the switches allow details to be propagated.

show vtp status

VTP database is not stored in the running config, but in flash memory.  Filename is vlan.dat, which would need to be copied to your tftp server.

VTP mode transparent, means it will ignore other VTP databases.

Switches run VTP automatically, so someone on another switch could delete your VLANS

——————————————————————————————————————-

Lesson 14:  Spanning Tree Protocol

Spanning tree means you can have multiple redundant paths without endless loops, which would take down the network.

3 standards:

802.1d  CST Common Spanning Tree The original standard

The problem is that with multiple paths, one of them may be disabled all the time.

So Cisco created

Per Vlan Spanning Tree or PVST+ (an enhancement) – runs by default

Cisco command:  sh spanning-tree

—————————————————————————————————

2 other versions:

RSTP- Rapid Spanning Tree Protocol

MSTP- Multiple Spanning Tree Protocol

—————————————————————————————————-

STP works by creating a root bridge – reference point.

When switches send traffic they must send it towards the root bridge first. This stops loops.

———————————————————————————————————–

How is this done? How do you choose the root bridge?

1. Switches exchange BPDUs (Spanning Tree Protocol Bridge Protocol Data Units).

A BPDU is an STP advert. Inside it there is the Bridge Identifier (BID), which has the MAC address and priority value.

2. The switches then decide who has the best or highest priority, which is the lowest value, but if there is a tie the lowest MAC address wins. Eventually someone becomes root bridge. Priority is between 0-65535.

Lowest number is higher priority.

Once a link is chosen, other links are disabled. These are blocking links.

Each sw chooses a root port which always faces upstream

Downstream links decided by BPDU – either blocking link or designated port

——————————————————————————————————

How is designated or blocking decided?

1. Cost – based on bandwidth

2. BID

To see what is likely to happen:

sh int status (see which ports are running)

sh running-config int fa0/0

sh cdp neighbors tells you which ports are connected.

show spanning-tree will tell you which bridge is the root. Also tells you priority and mac address

Port marked as desig can send out traffic. On root all ports are designated

To remove port from vlan

no switchport access vlan, or switchport access vlan 1 if vlan 1 is the default

To clear mac addresses after you change them:  Clear mac-address-table VLAN1

To see if there is a problem with STP, you can sh proc cpu and sh proc cpu history. If it gets to 100% it is almost certainly an STP failure, and a broadcast loop.

———————————————————————————————————————–

Lesson 15: STP Path Selection and RSTP

Explanation of the output of

R9-SW#sh spanning-tree

VLAN1 is executing the ieee compatible Spanning Tree protocol
Bridge Identifier has priority 32768, address c203.14a0.0000
Configured hello time 2, max age 20, forward delay 15
We are the root of the spanning tree
Topology change flag set, detected flag set
Number of topology changes 1 last change occurred 00:05:29 ago
from FastEthernet1/0
Times:  hold 1, topology change 35, notification 2
hello 2, max age 20, forward delay 15
Timers: hello 0, topology change 32, notification 0, aging 0

Port 41 (FastEthernet1/0) of VLAN1 is forwarding
Port path cost 19, Port priority 128, Port Identifier 128.41.
Designated root has priority 32768, address c203.14a0.0000
Designated bridge has priority 32768, address c203.14a0.0000
Designated port id is 128.41, designated path cost 0
Timers: message age 0, forward delay 0, hold 0
Number of transitions to forwarding state: 1
BPDU: sent 179, received 0

Port 42 (FastEthernet1/1) of VLAN1 is forwarding
Port path cost 19, Port priority 128, Port Identifier 128.42.
Designated root has priority 32768, address c203.14a0.0000
Designated bridge has priority 32768, address c203.14a0.0000
Designated port id is 128.42, designated path cost 0
Timers: message age 0, forward delay 0, hold 0
Number of transitions to forwarding state: 1
BPDU: sent 179, received 0

Port 43 (FastEthernet1/2) of VLAN1 is forwarding
Port path cost 19, Port priority 128, Port Identifier 128.43.
Designated root has priority 32768, address c203.14a0.0000
Designated bridge has priority 32768, address c203.14a0.0000
Designated port id is 128.43, designated path cost 0
Timers: message age 0, forward delay 0, hold 0
Number of transitions to forwarding state: 1
BPDU: sent 371, received 10

Port 45 (FastEthernet1/4) of VLAN1 is forwarding
Port path cost 19, Port priority 128, Port Identifier 128.45.
Designated root has priority 32768, address c203.14a0.0000
Designated bridge has priority 32768, address c203.14a0.0000
Designated port id is 128.45, designated path cost 0
Timers: message age 0, forward delay 0, hold 0
Number of transitions to forwarding state: 1
BPDU: sent 184, received 0

Port 46 (FastEthernet1/5) of VLAN1 is forwarding
Port path cost 19, Port priority 128, Port Identifier 128.46.
Designated root has priority 32768, address c203.14a0.0000
Designated bridge has priority 32768, address c203.14a0.0000
Designated port id is 128.46, designated path cost 0
Timers: message age 0, forward delay 0, hold 0
Number of transitions to forwarding state: 1
BPDU: sent 389, received 43

Root bridge is decided by Bridge ID (BID), which is the lowest priority value and the lowest MAC address.

Root port selection (how other switches select which port to send the traffic to):

Lowest cost, then lowest Bridge ID. If connected to the same switch multiple times, then port priority.

Fast ethernet, the cost is always 19.  Usually chooses the least number of hops
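The election and root port rules from Lessons 14 and 15, worked through on a small topology. This is an added example, not from the course: the switch names, the MAC addresses other than c203.14a0.0000, the links and the port numbers are constructed, the topology is assumed to be connected, and the last tie-break compares the neighbour's port identifier (priority.number).

```python
import heapq

COST_FAST_ETHERNET = 19  # cost the notes give for FastEthernet links

# Constructed bridges: name -> (priority, MAC). SW1 reuses the MAC from the
# sh spanning-tree output above; the others are made up.
BRIDGES = {
    "SW1": (32768, "c203.14a0.0000"),
    "SW2": (32768, "c204.14a0.0000"),
    "SW3": (32768, "c205.14a0.0000"),
    "SW4": (32768, "c206.14a0.0000"),
}

# Constructed links: (switch_a, port_id_a, switch_b, port_id_b, cost).
# Port ids are (priority, number), printed by IOS as e.g. 128.41.
LINKS = [
    ("SW1", (128, 41), "SW2", (128, 41), COST_FAST_ETHERNET),
    ("SW1", (128, 42), "SW2", (128, 42), COST_FAST_ETHERNET),  # second link, same pair
    ("SW1", (128, 43), "SW3", (128, 41), COST_FAST_ETHERNET),
    ("SW2", (128, 43), "SW4", (128, 41), COST_FAST_ETHERNET),
    ("SW3", (128, 42), "SW4", (128, 42), COST_FAST_ETHERNET),
]


def bid(priority, mac):
    """Bridge ID as a comparable tuple: priority first, then the MAC as a number."""
    return (priority, int(mac.replace(".", ""), 16))


def elect_root(bridges):
    """The bridge with the lowest BID wins; the MAC only matters on a priority tie."""
    return min(bridges, key=lambda name: bid(*bridges[name]))


def root_ports(bridges, links):
    """Return (root, {switch: (local_port_id, upstream_neighbour)})."""
    root = elect_root(bridges)
    adj = {name: [] for name in bridges}
    for a, pa, b, pb, cost in links:
        adj[a].append((b, pa, pb, cost))   # (neighbour, local port, neighbour port, cost)
        adj[b].append((a, pb, pa, cost))
    # Lowest total path cost from every switch to the root (Dijkstra)
    dist = {root: 0}
    heap = [(0, root)]
    while heap:
        d, sw = heapq.heappop(heap)
        if d > dist[sw]:
            continue
        for nbr, _local, _remote, cost in adj[sw]:
            if d + cost < dist.get(nbr, float("inf")):
                dist[nbr] = d + cost
                heapq.heappush(heap, (d + cost, nbr))
    chosen = {}
    for sw in bridges:
        if sw == root:
            continue
        # Tie-breaks in order: path cost, neighbour BID, neighbour port id
        best = min(
            (dist[nbr] + cost, bid(*bridges[nbr]), nbr_port, local_port, nbr)
            for nbr, local_port, nbr_port, cost in adj[sw]
        )
        chosen[sw] = (best[3], best[4])
    return root, chosen


if __name__ == "__main__":
    print(root_ports(BRIDGES, LINKS))
```

SW2 has two equal-cost links to the root and settles on the one facing the root's lower port id; SW4 has two equal-cost paths and settles on the neighbour with the lower BID.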

You can change settings for different VLANs (PVST+).

For each VLAN you can change the blocking port, by changing the priority or just tell a bridge to be the root.

eg

conf t
spanning-tree vlan 101 root primary (primary is lower cost)

or manually change priority: spanning-tree vlan 101 priority 4096

Designated port allows traffic

Root port is main port for that VLAN

Blocking port will not allow traffic

Change to RSTP Rapid Spanning Tree Protocol

spanning-tree mode rapid
Not available on GNS3

Safari O’reilly books on line is a useful online subscription library service

————————————————————————————–

Lesson 16:  IP Addressing, Subnetting and VLSM (Variable Length Subnet Mask)

Here is a subnetting table which can be written out before starting the exam, which will solve nearly all subnetting issues.

Subnetting table

Columns: number of zeros from the right (n), which is the hosts portion; number of 1s from the start of the network portion (x); subnet mask; block size (subtract from SN to get SN below).
0 8 255 1
1 7 254 2
2 6 252 4
3 5 248 8
4 4 240 16
5 3 224 32
6 2 192 64
7 1 128 128

Number of hosts= (2^n)-2

Number of subnets= (2^x)

2^0 1
2^1 2
2^2 4
2^3 8
2^4 16
2^5 32
2^6 64
2^7 128
2^8 256
2^9 512
2^10 1024
2^11 2048
2^12 4096
2^13 8192

————————————————————————————-

Lesson 17: IP Routing

How decisions are made as to where traffic goes.

Binary ANDing: when both inputs are 1 the result is true. All other combinations are false.

Routing works at layer 3

To determine if addresses are on the same subnet, router performs binary AND operation, and if network portion is the same after the operation, they are on the same network.

ARP works like this. Node a.b.c.d sends packet to w.x.y.z

Switch doesn’t know where w.x.y.z is

Sends out broadcast to ffff.ffff.ffff: an ARP request, asking who has IP w.x.y.z

w.x.y.z sends out reply, saying, I have that address, and my mac address is xxxx.xxxx.xxxx

Switch stores MAC addresses in CAM table so future requests for w.x.y.z are routed to the correct port

—————————————————————————————————–

A VLAN is a broadcast domain. Switches will not broadcast to ports not on their VLAN.  So devices on different VLANS will not be able to ping each other.

Troubleshooting if you can’t ping:  Check if they are on the same vlan.

To determine VLAN, command is sh vlan or gns3 sh vlan-switch. Must be in the same VLAN

To check if physical connection is correct, use sh cdp neighbors

Also sh int status

—————————————————————————————————-

Also debug arp tells you what happens with ARP requests on routers

Router will decide if address is in the same subnet.

If yes, ARP for final destination

If no, arp for default gateway
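The binary AND test from Lesson 17 and the block-size arithmetic from the Lesson 16 table, carried through to the decision above about which address to ARP for. This is an added example, not from the course; the /26 addresses and the gateway are constructed, and the mask is assumed to be contiguous and non-zero.

```python
import ipaddress


def to_int(dotted):
    """Dotted-quad string -> 32-bit integer."""
    return int(ipaddress.IPv4Address(dotted))


def to_dotted(value):
    """32-bit integer -> dotted-quad string."""
    return str(ipaddress.IPv4Address(value))


def subnet_info(addr, mask):
    """Network, broadcast, usable hosts and block size for addr under mask."""
    a, m = to_int(addr), to_int(mask)
    host_bits = 32 - bin(m).count("1")          # n in the subnetting table
    network = a & m                              # AND keeps only the network portion
    broadcast = network | (~m & 0xFFFFFFFF)      # host portion set to all 1s
    # Block size comes from the last non-zero mask octet: 256 - octet
    last_octet = [int(o) for o in mask.split(".") if int(o)][-1]
    return {
        "network": to_dotted(network),
        "broadcast": to_dotted(broadcast),
        "hosts": 2 ** host_bits - 2,             # (2^n) - 2
        "block_size": 256 - last_octet,
    }


def same_subnet(src, dst, mask):
    """True when both addresses have the same network portion after the AND."""
    m = to_int(mask)
    return (to_int(src) & m) == (to_int(dst) & m)


def arp_target(src, mask, gateway, dst):
    """Address the sender ARPs for: the destination itself if it is on the
    same subnet, otherwise the default gateway."""
    return dst if same_subnet(src, dst, mask) else gateway


if __name__ == "__main__":
    # Constructed host 192.168.0.130/26 with gateway 192.168.0.129
    print(subnet_info("192.168.0.130", "255.255.255.192"))
    print(arp_target("192.168.0.130", "255.255.255.192", "192.168.0.129", "192.168.0.70"))
    print(arp_target("192.168.0.130", "255.255.255.192", "192.168.0.129", "192.168.0.190"))
```

With a 255.255.255.0 mask the same two hosts would be on one subnet, which is why a wrong mask on one end produces one-way connectivity problems.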

——————————————————————————————————-

Where there is a router in between, the mac address changes. R1 uses the mac address of the gateway, in effect routing any traffic for different networks. Layer 2 rewrite

Switches don’t change the data but in IP routing IP header is changed at every hop.

As a test, you can turn a router into an end host using the no ip routing command.  You can then put in a default gateway. ip default-gateway

(To view the default gateway, use command sh ip route)

On catalyst switches you can turn on ip routing.

You can assign an ip address to the vlan. eg

conf t
int vlan 1
ip address 192.168.0.254 255.255.255.0
no shut

Take a router attached to a routing switch.

Put it in a different network, eg 192.168.1.1

Make it an end host no ip routing

Assign the default gateway as the Vlan address.

Attach each router or node to the appropriate interface.

The switch can be made to route traffic between different networks.

——————————————————————————

Lesson 18:  Inter-VLAN Routing and Static Routing

Catalyst do layer 3 and layer 2 switching.

Static routing.  If two switches are in the same VLAN, even if they are not on the same IP addressing subnet, they can still ping each other.

When creating VLANS, VTP will replicate them across the network. VLAN Trunking Protocol

To put a switchport into a specific VLAN: switchport access vlan 3

sh cdp neighbors tells you what is connected to the switch.  CDP runs on layer 2.

sh cdp neighbor detail will tell you more about the neighboring routers.

sh ip route will show different layer 3 networks router can reach on the network.

debug ip icmp shows what’s happening to

———————————————————————————————

Creating a static route

ip route is equivalent to route add in windows. Example:  ip route 0.0.0.0 0.0.0.0 192.168.254.1

or ip route 0.0.0.0 0.0.0.0 fa1/1  will create a default gateway.

———————————————————————————————–

Router will prioritise the longest (most specific) matching route.

eg 1.0.0.0/8 on port 1

1.2.0.0/16 port 2

1.2.3.0 port 3

To reach 1.2.3.4 it will use port 3 because most specific route.
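The lookup described above, written out with the same binary AND used for subnet checks. This is an added example, not from the course; the /16 and /24 prefix lengths for the second and third routes are assumptions, and the default route reuses the ip route 0.0.0.0 0.0.0.0 192.168.254.1 line from the static route section.

```python
import ipaddress

# Routing table from the notes: (prefix, where the traffic is sent)
ROUTES = [
    ("0.0.0.0/0", "192.168.254.1"),   # default route, matches everything
    ("1.0.0.0/8", "port 1"),
    ("1.2.0.0/16", "port 2"),          # prefix length assumed
    ("1.2.3.0/24", "port 3"),          # prefix length assumed
]


def lookup(routes, destination):
    """Return (prefix, next_hop) of the most specific route that matches
    destination, or None when nothing matches (the packet is dropped)."""
    dst = int(ipaddress.IPv4Address(destination))
    best = None
    for prefix, next_hop in routes:
        net = ipaddress.IPv4Network(prefix)
        # A route matches when destination AND mask equals the network address
        if dst & int(net.netmask) != int(net.network_address):
            continue
        # Among the matches, the longest prefix (most 1s in the mask) wins,
        # regardless of the order the routes were entered in
        if best is None or net.prefixlen > best[0]:
            best = (net.prefixlen, prefix, next_hop)
    return None if best is None else (best[1], best[2])


if __name__ == "__main__":
    for dst in ("1.2.3.4", "1.2.9.9", "1.9.9.9", "8.8.8.8"):
        print(dst, "->", lookup(ROUTES, dst))
```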

debug ip icmp will show IP packets, but it is processor intensive, so use it only when the router is not live, as it will crash the router.

u all is undebug all.

debug arp

debug ip packet dump shows you what’s in a packet; you can paste it into Wireshark

RIB is routing information base which is the routing table.

——————————————————————————————————-

Lesson 19: Static vs Dynamic Routing

Router on a stick

One layer 3 interface can run multiple addresses on a single interface.  Naming convention is fa0/0.1, 2, etc.

On the switch, on the link to the router, change the switchport mode to trunk.

switchport mode trunk

Note, if set to auto negotiation, you need to tell it if you are using ISL or dot1q: switchport trunk encapsulation dot1q

sh int trunk shows trunks on switch

One physical interface can be divided into two. Sub interfaces.  The port on the switch to which it is attached must be a trunk.

sh run int fa0/0

conf t
int fa0/0
no ip address
int fa0/0.1

Now you can tell that sub interface to look for dot1q frames from a specific VLAN:

encapsulation dot1q 1 (if vlan 1 is the one you want to use)

To look at the results, use sh run, or show running-config

To see what routes are in the router:  sh ip route

In effect, the router treats each sub interface as a separate interface.

———————————————————————————–

This is not secondary addressing.  (You can add additional addresses to the interface, but it is a hack)

ip address 1.2.3.4 255.0.0.0 secondary

———————————————————————————

Build routes using traceroute and ip route until each device can get to each other.

———————————————————————————–

To enable fast switching, where the router does not keep a cache of routes:

no ip route-cache

———————————————————————————–

Debugs are often very processor intensive. sh processes cpu history will show the processor use.

——————————————————————————–

Set up dynamic routing.  Starting with RIP version 2

Looking at sh commands, you get all the output.

Use pipe

sh run | ?

sh run | include ip route as an example.

Remove a route:  no ip route 1.2.3.4 255.0.0.0 1.2.5.6

—————————————————————————————-

Turn on routing:

router rip

version 2

Router must then be told which network you want RIP to work on.

network 192.168.0.0

Router will create routes, which you can see with

sh ip route

RIP routes are listed as R routes.

RIP chooses routes based on number of hops.

The timers basic command will change 4 parameters: (all in seconds)

update, invalid, holddown, flush.

Example:

conf t
router rip
timers basic 30 60 90 120

————————————————————————-

Lesson 20:  Dynamic Routing Configuration (Starting with RIP)

Rip is a Distance Vector Routing protocol – (number of hops) as opposed to a Link State Protocol.

Uses UDP port 520 Updates to reserved multicast 224.0.0.9 UDP is connectionless, so you don’t know if it has been received and acted on.

To see in action, debug ip rip

Switch time stamps on and off: no service timestamps, or service timestamps.

Will show you the destination, intermediate destination and hop count.

Not very scalable, but well supported by many vendors.

To enable RIP:

en
conf t
router rip
version

network (IP address) Obligatory
neighbor (IP address) Optional – more secure – changes updates from multicast to unicast.
offset-list optional
timers basic optional

You can tell the difference between RIP v1 and RIP v2 by looking at the port the packets are using.  V1 uses 255.255.255.255 all FFFF broadcast, V2 uses port 520 and multicast.

To see what’s happening to RIP: debug ip rip

See what’s happening, debug ip packet detail Shows who is sending RIP packets and who to.

2 versions of rip not compatible with each other.

Auto summarisation:  turns VLSM into Classful networks, so if you want to use classless subnetting, you need to turn it off.

For testing, you may want to create a loopback address:
int loopback (number)
ip address etc

Add it to RIP:
router rip
network 10.0.0.0 or whatever address you have given to your loopback

RIP Auto summary problem:  Auto summarises subnet mask to class boundary, so routing may not work correctly.

no auto-summary

—————————————————————————

Lesson 21:  RIP v2 Overview and Configuration

RIP is a layer 3 (network layer) routing protocol; at the transport layer it sends UDP packets.

Distance Vector. Port is 520, multicast address is 224.0.0.9

RIP V2 supports VLSM

sh ip route will show you which routes are directly connected, and (marked with an R), which ones are learned from RIP

sh ip route rip will just show the RIP updates in the table.

Routers only know what directly connected neighbors tell them.  Routing by rumor.

ping 1.2.3.4 source lo1 When you ping, you can choose the source using the source command.  In this case the source is loopback 1

RIP Split Horizon:  Routes will not be advertised back down the interface they came in on. Helps to prevent loops.

Also uses Poison Reverse or Poisoning.  Delete old bad info by advertising infinite hop count, but RIP won’t go more than 16 hops.

Routing Protocol Convergence: The length of time it takes for all routers to agree routes. Slow in RIP.  For example, if a router goes down.

———————————————————————————————————

Rip convergence based on 4 timers:

Update: how often adverts sent out
Invalid: How long after hearing last update before declaring info to be no longer good
Holddown: Once route no longer good, don’t listen to adverts with worse hop count for a period of time.
Flush Timer: Router deleted from the table once this is reached

Advantages:  Open standard, simple, ubiquitous. Good for small stable networks.

—————————————————————————-

debug ip routing shows you changes in the routing table

sh ip route profile (must be switched on first using ip route profile )

ip sla monitor

———————————————————————————-

Lesson 22:  EIGRP Overview (25 mins)

EIGRP is Enhanced Interior Gateway Routing Protocol. Proprietary Cisco implementation.

  • Hybrid: Distance Vector and Link State
  • Classless .  Guarantees loop free.
  • Diffusing Update Algorithm (DUAL)
  • DUAL feasibility condition.
  • Choose lowest metric.
  • Reliable updates using RTP (Reliable Transport Protocol)
  • Forms active neighbor adjacencies.
  • Supports partial updates.
  • Multiple routed protocol support. IPX etc.  (nowadays not v important)
  • Creates composite metric:  bandwidth, number of hops, delay, etc. So doesn’t just count number of hops.
  • Unequal cost load balancing.
  • Supports MD5 encrypted authentication.

Router eigrp (ASN) Autonomous system number (so they are part of the same eigrp network)

eg router eigrp 1

Network a.b.c.d wildcard

Network statement controls which links you want eigrp to run on.

eg

10.0.1.0
10.0.2.0
10.0.3.0
10.0.4.0
10.0.5.0 (Not this one)

on different interfaces in the router.

No auto summary

————————————————————————————

Lesson 23:  EIGRP Configuration

Turn RIP off

no router rip

router eigrp 1
network 192.168.0.0 0.0.255.255
(The network statement).

Least specific is 255.255.255.255

Most specific is 0.0.0.0

0 means I DO care, whether it matches, 1 means I don’t

0.0.255.255 means I don’t care about matching anything after the first 16 bits.

Hence any interface with the address 192.168. will match, because the next two octets can be anything.
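The wildcard comparison explained above, applied to the network statement from this lesson and to the Lesson 22 case of enabling EIGRP on 10.0.1.0 to 10.0.4.0 but not 10.0.5.0. This is an added example, not from the course; the interface names, the interface addresses and the two 10.0.x.x network statements are constructed.

```python
import ipaddress


def to_int(dotted):
    """Dotted-quad string -> 32-bit integer."""
    return int(ipaddress.IPv4Address(dotted))


def wildcard_match(addr, base, wildcard):
    """True when addr equals base in every bit where the wildcard has a 0.
    Bits where the wildcard has a 1 are ignored."""
    care = ~to_int(wildcard) & 0xFFFFFFFF
    return (to_int(addr) & care) == (to_int(base) & care)


def enabled_interfaces(interfaces, statements):
    """interfaces: {name: ip}; statements: [(base, wildcard)].
    Returns the sorted names of interfaces matched by any network statement."""
    return sorted(
        name for name, ip in interfaces.items()
        if any(wildcard_match(ip, base, wc) for base, wc in statements)
    )


# Constructed router with one interface in each of the Lesson 22 networks
INTERFACES = {
    "Fa0/0": "10.0.1.1",
    "Fa0/1": "10.0.2.1",
    "Fa1/0": "10.0.3.1",
    "Fa1/1": "10.0.4.1",
    "Fa2/0": "10.0.5.1",   # the one EIGRP must not run on
}

# Two statements that cover 10.0.0.0-10.0.3.255 and 10.0.4.0-10.0.4.255 only
SELECTIVE = [("10.0.0.0", "0.0.3.255"), ("10.0.4.0", "0.0.0.255")]

# A broader statement that ignores the last 16 bits also catches 10.0.5.1
TOO_BROAD = [("10.0.0.0", "0.0.255.255")]

if __name__ == "__main__":
    print(wildcard_match("192.168.44.7", "192.168.0.0", "0.0.255.255"))
    print(enabled_interfaces(INTERFACES, SELECTIVE))
    print(enabled_interfaces(INTERFACES, TOO_BROAD))
```

A wildcard that is wider than intended brings up EIGRP on links where neighbours were never meant to form, so it is worth checking the match set against sh ip eigrp interfaces or sh ip protocols after any change.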

—————————————————————————————–

sh ip protocols

shows what IP protocols are running, and information sources.

sh ip eigrp neighbors

SRTT:  smooth round trip time: shows the delay on the link.

Q= update queue. If working ok should be 0

sh ip eigrp topology  shows all the routes that it has learned, although some may be discounted, or excluded so you won’t see them in sh ip route

Topology will show you the metric.

sh ip eigrp topology all-links will show all routes, even the ones you are not using.

sh ip eigrp topology a.b.c.d will show details of individual route

Topology will tell  you minimum bandwidth, total delay, reliability, load, etc, which is how it arrives at final metric.  Formula is in the EIGRP documentation.  Calculates composite metric.

Lowest composite metric becomes feasible distance.

Advertised distance is the way it calculates feasible successor, but only if lower. If not, it won’t be used as an alternate path.

We can set parameters manually if we want to redirect traffic.

Eg, the delay. int fa1/1 etc

delay 11

clear ip eigrp neighbors will force a rebuild.

Changing the delay will change the metric.

Traceroute will test the effects.

———————————————————————

Unequal cost load balancing:

conf t
router eigrp 1
variance (number)

The number multiplies the current variance. If the backup path is less than that value it will be used for load balancing. So the backup route becomes load balancing, and both routes will be installed.

Then sh ip route (IP address) will show the traffic share

————————————————————————-

CEF command Cisco Express Forwarding. This makes the decision which link to use in load balancing. eg sh ip cef exact-route 1.2.3.4

—————————————————————————–

Lesson 24 OSPF overview and comparison with RIP and EIGRP

EIGRP RIP OSPF
L4 RTP (Reliable Transport Protocol) UDP 520 OSPF
L3 reserved multicast address 224.0.0.10 224.0.0.5 224.0.0.5 Link local address which should not be routed between subnets. Updates only via connected interfaces or subnets.
IP protocol 88 UDP protocol 17 IP protocol 89
Distance Vector Bellman Ford
Routing by rumour
Distance Vector Bellman Ford
Routing by rumour
Link state (also IS-IS)
Also scalability limitations 16 router max Use Dijkstra Shortest Path First algorithm. (Also used in GPS)
Split horizon possible. Cisco only. Split horizon possible. Cannot guarantee loop free. Advertises links not routes. Standards based.

OSPF Characteristics

  • OSPF advertises LINKS not routes. Creates overall topology map.
  • OSPF database is map of the topology, so that it can work out best route.
  • OSPF v2 is for IPv4
  • Link state and classless
  • Can also auto summarise
  • Offers active neighbor adjacency. Tracks adjacency through Hello protocol.
  • Tracks changes, so doesn’t keep sending out entire routing table.
  • Updates multicast and unicast, but more reliable.
  • OSPF does not update by broadcast, hence saving bandwidth.
  • Bandwidth based cost metric

Control plane security via clear text password or MD5 encryption.

Open standards means extensible. Eg MPLS traffic engineering.

On cisco go to support, configure, ip routing, ospf. FAQ is useful.

You only need to enable OSPF, create process id, and network statement with area id

Area 0 typically known as the backbone area. Area 0 will know all the routes for the non backbone areas, eg 1,2,3, etc.

——————————————————————

Lesson 25: OSPF Configuration Part 1 (30 mins)

Step 1:  Remove EIGRP from the routers.

no router eigrp 1

Step 2: router ospf 1

network 192.168.0.0 0.0.255.255 area 0 (the area can also be written 0.0.0.0, as the area is a 4 byte number)

sh ip ospf interface

sh ip ospf neighbor

Neighbor ID is also the OSPF router ID.

How to build the Shortest Path Tree: the end points are router IDs.

The router chooses its ID from the highest loopback interface address.

You can choose your own ID

router ospf 1

router-id 1.1.1.1

clear ip ospf process restarts OSPF

router id is not an IP address.

sh run | section router ospf

shows the running config for OSPF

sh ip ospf neighbor

sh ip ospf database

Shows you the LSAs. It is the equivalent of sh ip eigrp topology

sh ip ospf database router

shows individual advertisements that the routers are doing.

Transit network and stub network. Transit goes elsewhere, stub is end hosts.

A designated router is used because the links run Ethernet.

No split horizon. One router will be the designated router. Cuts down on flooding.

OSPF creates logical star topology, even if full mesh.

———————————————————————

Lesson 26. OSPF Configuration Part 2

sh ip ospf database will be the same on all routers.  Age may be different but that’s all.

debug ip packet detail will show you the changes to OSPF

sh ip ospf database router 2.2.2.2

shows you the table on that router. Also shows address of designated router

SPT is shortest path tree.

Changing the costs of

int fa0/0
ip ospf cost 2

The OSPF network type can be changed if the link is serial, for example.

ip ospf network point-to-point

Tells router not to go via designated router. DR is only really needed when more than 3 neighbors.

If you then do sh ip ospf database it will remove some of the info about designated routers.

conf t
int fa 0/0

ip ospf authentication-key , or
ip ospf message-digest-key 1 md5 cisco

The second will encrypt the password. (The key must match on all routers)

eg:

conf t

int fa0/0.4

ip ospf authentication message-digest

ip ospf message-digest-key 1 md5 cisco

Then you can make it a direct link

ip ospf network point-to-point

delay 11

debug ip ospf adjacency

will show what the effect is.  Might show mismatch of authentication.

sh run int fa0/0 will show the authentication configuration. Note: The output will show the password, even though it is encrypted with MD5 when transmitted. To prevent this use service password-encryption
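What the message-digest key protects on the wire, as an added Python example that is not part of the original course notes: it follows the MD5 scheme of RFC 2328 Appendix D, where the sender appends MD5(packet + zero-padded key) and the receiver recomputes it. The router ID, key ID and key are the sample values used above; the packet body and sequence numbers are constructed placeholders.

```python
import hashlib
import hmac
import ipaddress
import struct

OSPF_HDR = "!BBH4s4sHHHBBI"   # 24-byte OSPFv2 header with the AuType 2 auth field
AUTYPE_MD5 = 2


def pad_key(key: str) -> bytes:
    """The shared key is zero-padded to 16 bytes before hashing."""
    raw = key.encode()
    if len(raw) > 16:
        raise ValueError("OSPF MD5 key is at most 16 bytes")
    return raw.ljust(16, b"\x00")


def build_packet(router_id, area, body, key_id, seq, key):
    """Sender side: header + body, then MD5(packet + padded key) appended."""
    header = struct.pack(
        OSPF_HDR, 2, 1, 24 + len(body),
        ipaddress.IPv4Address(router_id).packed,
        ipaddress.IPv4Address(area).packed,
        0,                     # checksum is not used with cryptographic auth
        AUTYPE_MD5,
        0, key_id, 16, seq)    # reserved, key ID, digest length, sequence number
    packet = header + body
    return packet + hashlib.md5(packet + pad_key(key)).digest()


def verify_packet(wire, keys, last_seq):
    """Receiver side. keys maps key ID -> key. Returns (accepted, reason)."""
    if len(wire) < 24:
        return False, "truncated"
    fields = struct.unpack(OSPF_HDR, wire[:24])
    length, autype, key_id, dlen, seq = fields[2], fields[6], fields[8], fields[9], fields[10]
    if autype != AUTYPE_MD5:
        return False, "authentication type mismatch"
    if key_id not in keys:
        return False, "unknown key id"
    if seq < last_seq:
        return False, "old sequence number (replay)"
    packet, digest = wire[:length], wire[length:length + dlen]
    expected = hashlib.md5(packet + pad_key(keys[key_id])).digest()
    if not hmac.compare_digest(digest, expected):
        return False, "digest mismatch"
    return True, "ok"


def demo():
    body = b"constructed hello body"           # placeholder, not a real Hello
    wire = build_packet("1.1.1.1", "0.0.0.0", body, 1, 100, "cisco")
    tampered = wire[:30] + b"X" + wire[31:]     # one body byte changed in transit
    return {
        "matching key": verify_packet(wire, {1: "cisco"}, 99),
        "mismatched key": verify_packet(wire, {1: "Cisco"}, 99),
        "wrong key id": verify_packet(wire, {2: "cisco"}, 99),
        "tampered": verify_packet(tampered, {1: "cisco"}, 99),
        "replayed": verify_packet(wire, {1: "cisco"}, 101),
        "key visible on the wire": b"cisco" in wire,
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

The key never travels in the packet, only the digest does, which is why the remaining exposure is the stored configuration shown by sh run.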

Routing uses Administrative distance.  This table is very important.

Default Administrative Distances
Connected 0
Static 1
eBGP 20
EIGRP (internal) 90
IGRP 100
OSPF 110
IS-IS 115
RIP 120
EIGRP (external) 170
iBGP 200
EIGRP summary route 5

So if EIGRP and OSPF are running, the AD will determine which route is used.

——————————————————

Lesson 27:  IPv6

Works at Layer 3.

Address is written in hex, in the format

1234:5678:9abc:def1:2345:6789:abcd:ef12

Usually the network portion is the first half, 64 bits. A trailing :: means that everything after it is 0.

First public network address is 2001:xxxx:xxxx:xxxx:  Network address.

At the end put 2 colons and a slash and the length of the network portion:

::/64

2 hex digits equal one byte = 16 bits: 11111111 so each part is 16 bit places

———————————————————————–

Address types:

Public routable aggregate starts on 001 in binary so in hex it will be 2000 and goes to 3FFF.

Each part between colons is 16 bits: 0000000000000000 to 1111111111111111

Unique local Unicast FC00 same as LAN addresses in IPv4 – not publicly routable.

Link Local: FE80 same as 169.254.0.0/16 addresses which Windows chooses when it can’t get DHCP.

Multicast: FF…  equiv to 224.0.0.0 – 239.255.255.255  Class D multicast.

——————————————————————–

Modified EUI-64 Addressing

Host address generated from the MAC address. Inverts the seventh MSB and then inserts FFFE in the middle to generate a 64 bit address. Address might then be

1034:56FF:FE78:9012 which will then be host portion of address.

On router:

conf t

int fa0/0

ipv6 address 2001:aaaa:bbbb:cccc::/64 eui-64

End hosts will set up address based on MAC address
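The conversion described above, as an added Python example that is not part of the original course notes. The MAC address 12:34:56:78:90:12 is an assumption, chosen because it produces the host portion 1034:56FF:FE78:9012 shown above; the example also derives the solicited-node multicast group used by Neighbor Discovery and shows that the MAC can be read back out of the address.

```python
import ipaddress


def eui64_interface_id(mac: str) -> bytes:
    """48-bit MAC -> 64-bit interface ID (modified EUI-64)."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", "").replace(".", ""))
    if len(octets) != 6:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    first = octets[0] ^ 0x02          # invert the seventh most significant bit
    # FFFE goes in the middle, between the vendor half and the device half
    return bytes([first]) + octets[1:3] + b"\xff\xfe" + octets[3:]


def eui64_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Combine a /64 network prefix with the EUI-64 host portion."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 needs a /64 prefix")
    return ipaddress.IPv6Address(net.network_address.packed[:8] + eui64_interface_id(mac))


def solicited_node(addr: ipaddress.IPv6Address) -> ipaddress.IPv6Address:
    """Multicast group ff02::1:ffXX:XXXX built from the low 24 bits of addr."""
    return ipaddress.IPv6Address(b"\xff\x02" + bytes(9) + b"\x01\xff" + addr.packed[-3:])


def mac_from_address(addr: ipaddress.IPv6Address):
    """Reverse the mapping; None if the host portion is not EUI-64 derived."""
    iid = addr.packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    return ":".join(f"{b:02x}" for b in mac)


if __name__ == "__main__":
    mac = "12:34:56:78:90:12"                     # assumed sample MAC
    addr = eui64_address("2001:aaaa:bbbb:cccc::/64", mac)
    print("global address :", addr)
    print("link local     :", eui64_address("fe80::/64", mac))
    print("solicited node :", solicited_node(addr))
    print("MAC recovered  :", mac_from_address(addr))
```

Because the mapping is reversible, an EUI-64 address exposes the interface's hardware address to every network the host talks to.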

————————————————————————-

Address resolution

ICMPv6 ND replaces ARP

Neighbor discovery

Solicitations and Advertisements

NS – Neighbor Solicitation

NA – Neighbor Advertisement

RS – Router Solicitation – request info from other routers.

RA – Router Advertisement – advertise yourself as an active router

Uses solicited-node multicast – for Duplicate Address Detection or DAD

All hosts multicast:  FF02::1 which is a kind of broadcast address for DAD

—————————————————-

Debug ipv6 packets

Debug ipv6 nd

Shows what is happening with auto assignment of addresses.

ipv6 enable, then watch the debug process.

sh ipv6 neighbors is equivalent of ARP command

FE80 addresses cannot be routed between links.

To route between links you will need to assign a 2001 address.

Neighbor process is automatic in IPv6.

sh ipv6 int

router will drop leading 0s

sequential zeros can be replaced by :: once in the address.

———————————————————————-

Tunnelling IPv6 over IPv4

Encapsulate IPv6 inside IPv4

Static Tunnels:  GRE or IPv6 IP tunnel

6 to 4 tunnel embeds IPv4 address into IPv6 prefix to provide automatic tunnel endpoint determination. Over WAN

ISATAP tunnel. Microsoft tunnel within LAN

Teredo Tunnel:  hides IPv6 packets inside IPv4

—————————————————————————-

You can set up one host address on one router, and it will learn the network, and then it will configure host address based on mac address conversion.

ipv6 address autoconfig

———————————————————————–

Lesson 28: Cisco Security Device Manager

—————————————————————————-

Lesson 29: DHCP

Bootstrap protocol BOOTP

Four messages:

DHCP discover

DHCP offer

DHCP Request

DHCP Ack – server assigns the address.

Client sends out the request by UDP broadcast: IP source is 0.0.0.0, destination is 255.255.255.255

Source port is 68, destination port is 67.  These are UDP broadcasts, so the server will only get the request if it is in the same broadcast domain, as broadcasts are not routed.

If not, DHCP relay

Broadcast to UDP unicast conversion.

IOS can be server or relay. And client.

DHCP relay will tell DHCP server where it came from, or gives it some kind of identifier so it knows which type of address to give it – eg a different subnet.

Server may have multiple address pools

Pool selected could be based on

  • DHCP client ID (Windows)
  • DHCP hardware address
  • Hardware address
  • Relaying gateway IP address.
  • Interface packet comes in on.

Interface can be configured with ip helper-address

Server matches the request with the giaddr or gateway address

DHCP config guide under IP Addressing Services on Cisco website.

———————————————————————-

Configure router as DHCP server

Eg. set up Switch 1 as DHCP Server.

Configure DHCP Agent and conflict logging.

Configure IP address pool etc. ip dhcp pool

Configure Pool 192.168.0.0/24 GW is itself, DNS is R3

Command: ip dhcp pool vlan_1_Pool

network 192.168.0.0 /24

default-router 192.168.0.254

dns-server 10.3.3.3

service dhcp so the router listens for requests

On server to see what happens

debug ip dhcp server events
debug ip dhcp server packets
debug ip packet detail

Configure Windows machine to get address by DHCP

Discover Offer Request Acknowledgement

clear ip dhcp binding * will delete all assignments.

clear arp so that no old assignments remain.

To create a reservation, use client identifier: Mac address and whatever windows puts in to it.

conf t
ip dhcp pool HOSTPOOL
host 192.168.0.123
client-identifier 0100.1234. etc

Run IP routing on all switches:
router eigrp 1
network 192.168.0.0 0.0.255.255
no auto-summary

sh ip protocols shows which routing protocols are running

Configure router to pick up address from DHCP:

conf t

int fa0/0

ip address dhcp

Remove addresses from the pool:

ip dhcp excluded-address 192.168.0.200 192.168.0.210

——————————————————————————

Setting up DHCP relay.

To see what is going on on the router you are going to use as a DHCP server:

debug ip dhcp server events
debug ip dhcp server packet
debug ip packet detail

The last command may show too much detail, so use access list as a filter. UDP PACKETS, port 68 and 67.

conf t
access-list 100 permit udp any any eq 68
access-list 100 permit udp any any eq 67

sh access-list

now to filter: debug ip packet detail 100

Tell each router where the DHCP server is.

conf t
int vlan 1
ip helper-address  (must be an address you can already reach)

debug ip dhcp server events
debug ip dhcp server packet

——————————————————————–

Lesson 30 DNS

ip name-server <ip>

If no name server configured, router will send out a request by broadcast.

That’s why we put in no ip domain lookup

to stop it from trying to find a server when you mistype a command.

Another way to do that: stop it trying to Telnet:

eg line vty 0 4

transport preferred none

———————————————————-

IOS can be a server as well.

ip dns server

ip host <name> <ip> enables you to configure host names

ip host mail.abc.com mx user@abc.com

ip name-server 8.8.8.8 to forward to public DNS

ip domain-name abc.com
ip host R1 192.168.0.1

————————————————————————–

Lesson 31: Network Address Translation.

Cisco Terminology: 

Inside Zone– addresses we are trying to hide from public

Inside Local is IP address – local LAN addresses

Inside Global:  Would include external WAN address. Inside IP after translation.

Most translation is inside local to inside global.

Addresses like http://www.bbc.co.uk are outside zone.

Mostly we deal with inside local and inside global.

—————————————————————————–

Mostly we work with the IP Nat command

To check routes you may need to ping from a particular interface:

ping 1.2.3.4 source vlan 1

ip nat inside source list 1 : if packets are received from inside network, they need to be changed. Which ones may be determined by ACL

Sample ACLs:

access-list 1 permit 192.168.0.0 0.0.255.255

ip nat inside source list 1 interface fa0/0 overload

Overload allows you to do port address translation.

What interface is the traffic coming from and where is it going to?

Specified by this command:

int fa0/0

ip nat inside

int fa0/1

ip nat outside

You can specify multiple inside interfaces.

sh ip nat translations

will tell you what’s going on.

You can change eigrp config on edge router

ip route 0.0.0.0 0.0.0.0 fa0/1 , where fa0/1 is the interface connected to the internet.

Then

router eigrp 1

redistribute static metric 100000 100 255 1 1500 (These numbers mean bandwidth, delay, reliability, load, MTU.)

There must be some values there, as the route cannot be advertised in EIGRP without them.

To check: sh ip route eigrp

sh ip nat translations will tell you what’s happening on the edge router.

You can look at what’s happening by using debug ip icmp and pinging

If you have a range of public IP addresses you could use ip nat pool NAME_TEST 100.0.0.1 100.0.0.10 netmask 255.255.255.0 for example, then
ip nat inside source list 1 pool NAME_TEST

Here you didn’t ask it to do a PAT, so it will map addresses 1-1. This is true NAT, but you could run out of public IP addresses.

You can use telnet to test reachability of layer 4. eg telnet 192.168.1.254 www

You can map a single external address to a single host in the LAN:

ip nat inside source static 192.168.1.254  100.0.0.1

If a NAT translation already exists, do clear ip nat translation *

Can also be done using ports

The drawback of a static 1-1 mapping is that all services on the host are reachable from the outside, so instead we just map the ports we need.

This is port forwarding.

ip nat inside source static tcp 192.168.0.254 80 <global-ip> <global-port>

where 80 is the port.

——————————————————————-

Lesson 32:  Access Control Lists (ACLs)

Two types:  Standard and Extended

Implicit deny

Standard – only filters IP source

Extended – wide range of criteria any field in IP packet or layer 3 or 4 header, eg

  • IP protocol number
  • source or dest address
  • protocol options like TCP ports
  • ICMP type code
  • Packet markings – DSCP (Differentiated Services Code Point) or IPP (IP Precedence) – types of service (TOS), which makes it possible to do QOS
  • Fragmentation

Access list logging

syslog server

Traffic Filtering:

ip access-group

Traffic Classification:

match access-group – used for QOS applications

Route Filtering:

distribute-list or route-map

VTY lines:

access-class in/out

———————————————————————–

On test network:

At present no access lists.

Say you want to prevent access to a particular router from the Windows machine:

access-list (Number or name) 1-99 standard or 100-199 extended

eg:

ip access-list standard deny_traffic_from_windows_machine

deny host 192.168.0.100

deny 192.168.0.0 0.0.0.255

(with 0 you do care, 255 you don’t care)

or deny any

or deny 0.0.0.0 255.255.255.255

or deny 192.168.0.1 0.0.0.0

sh access-list will show you the list, in order, with line numbers for easy admin

To remove a line, eg

conf t

ip access-list standard deny_traffic_from_windows_machine

no 20

no 30

If nothing matches, the router will deny everything (implicit deny), so at the end of the list add permit any
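How a standard ACL is evaluated, as an added Python example that is not part of the original course notes: wildcard matching, first match in sequence order, and the implicit deny. The sample list is constructed from the entries used in this lesson (sequence numbers are assumed), and the shadowed() helper is an extra check, not an IOS feature, that flags entries an earlier line makes unreachable.

```python
import ipaddress


def to_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def parse_entry(line: str):
    """'SEQ permit|deny SOURCE [log]' -> (seq, action, base, wildcard)."""
    parts = line.split()
    seq, action, src = int(parts[0]), parts[1], parts[2:]
    if src and src[-1] == "log":
        src = src[:-1]
    if src == ["any"]:
        base, wild = "0.0.0.0", "255.255.255.255"
    elif src[0] == "host":
        base, wild = src[1], "0.0.0.0"
    elif len(src) == 1:                       # a bare address means a single host
        base, wild = src[0], "0.0.0.0"
    else:
        base, wild = src
    return seq, action, to_int(base), to_int(wild)


def matches(source: int, base: int, wild: int) -> bool:
    care = ~wild & 0xFFFFFFFF                 # 0 bits in the wildcard are compared
    return (source & care) == (base & care)


def evaluate(acl, source: str):
    """First match wins, in sequence order; no match is the implicit deny."""
    for seq, action, base, wild in sorted(parse_entry(line) for line in acl):
        if matches(to_int(source), base, wild):
            return action, seq
    return "deny", None


def shadowed(acl):
    """(entry, covering entry) pairs where an earlier line matches everything the entry does."""
    entries = sorted(parse_entry(line) for line in acl)
    found = []
    for i, (seq, _, base, wild) in enumerate(entries):
        for eseq, _, ebase, ewild in entries[:i]:
            if (ewild | wild) == ewild and matches(base, ebase, ewild):
                found.append((seq, eseq))
                break
    return found


# Constructed sample list
ACL = [
    "10 deny host 192.168.0.100",
    "15 deny 192.168.0.0 0.0.0.255 log",
    "20 deny 192.168.0.0 0.0.0.255",
    "30 permit any",
]

if __name__ == "__main__":
    for src in ("192.168.0.100", "192.168.0.7", "10.3.3.3"):
        print(src, evaluate(ACL, src))
    print("without permit any:", evaluate(ACL[:-1], "10.3.3.3"))
    print("shadowed entries:", shadowed(ACL))
```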

To apply access list to a particular interface:

conf t

int fa0/0

ip access-group deny_traffic_from_windows_machine in

Applies the access list to fa0/0 inbound.

List must be applied to interface that has the IP address applied.  Look out for sub interfaces.

sh access-list

Router will show counter

Moving lines around: conf t

ip access-list standard deny_traffic_from_windows_machine

15 deny 192.168.0.0 0.0.0.255 log

Say you just want to deny a ping to a single router

One acl per interface per direction.

Here’s an extended ACL for filtering pings.

ip access-list extended deny_traffic_extended

remark This is for filtering pings

IANA protocol numbers.

deny icmp host 192.168.0.123 host 192.168.3.3 echo log-input

permit ip any any (tells it not to drop any other packets)

Apply to interface

conf t

int fa0/0

ip access-group deny_traffic_extended in

——————————————————————–

Filter as close to the source as possible to prevent unnecessary use of router resources.

Interrupts can be resource intensive. High CPU utilisation. ACL log can cause that.

—————————————————-

Lesson 33:  WAN overview

Different types of connections are important for exams

Point to Point -HDLC OR PPP T1 or T3 (DS3) Serial links WIC-1T 1.5Mbps

Multipoint Frame relay or ATM HSSI -Frame Relay

Layer 1 could be fibre or copper or anything.

You can run PPP over ethernet or frame relay.

Metro Ethernet

HDLC: High level data link connection

Serial interface:  Electrical and not optics. WIC 1t 1 port serial interface.

HSSI runs typically frame relay 45mbps

OC-3 or STM 1 fibre:  155mbps

DS0 – 64k which is analogue phone line dialup.  56 + overhead.

T1 = 24 DS0 =1.544 mbps

T3 – 45 MBPS

OC-3 155 mbps

ATM goes at OC3 and above

OC-192 10gbps

etc

————————————————————————–

These cards will be on the WAN side eg uBR10012 SONET physical layer 1 framing.

Point to Point Connection

————————————————————————

Frame relay and ATM are virtual circuit based technology.  VCI

———————————————————————

Hub and spoke or partial mesh technologies

Multipoint: Frame relay and ATM are multipoint- can connect a mesh – multiple connections on either side.

Operate at layer 2

———————————————————-

PPP can run over a serial link or frame relay or ethernet.  Often when last mile connection is DSL.

PPP adds authentication, multilink, fragmentation and reliability.

LFI Link Fragmentation Interleaving

Reliability: Layer 2 retransmission. Router itself will retransmit. Particularly a problem with dialup.

Inside PPP: Link Control Protocol (LCP)

IPCP: Internet Protocol Control Protocol

Can be used to assign IP addresses.

On serial link:  encapsulation ppp

—————————————–

Clock rate. DCE is master, DTE is slave

Most basic is 64000

will go out of sync if they don’t match.

—————————————————-

PPP and HDLC don’t need mac address because point to point.

—————————————————————————-

Lesson 34: PPP

For HDLC you just need to set clocking and it should work.

command: encapsulation ppp – must run on both sides.

LCP – Link control protocol.  Will you run ppp with me?

When negotiating PPP: CONFREQ;  ppp? yes, etc.

When link established, you need to set up IP so that they can negotiate IPCP (IP control protocol)

PPP can link even if they are not on the same subnet, because there may be a service provider further down the line.

To see what happens when link is started: debug ppp negotiation

Now set up authentication:  PAP, CHAP, MSCHAP, etc

PPPoE

PPPoA

PPPoEoA

DSL modem is ethernet to ATM bridge

connects to DSL Aggregation Multiplexer – DSLAM

ATM operates at higher speed with OC3, OC-12 etc.

You need to translate between ethernet and ATM

PPP adds an additional header. Encapsulates frame.

PAP – Clear text

CHAP– MD5 password – runs on top of PPP

To configure negotiation:

conf t

int s1/0

ppp authentication pap

When you debug ppp negotiation, it sends endless messages to the console, as a result you can be locked out of the console.  All you can do is reload.

Solution:  Send to logging buffer.

conf t

logging console 6

logging buffered 7

then sh log

undebug all switches debugging off.

You can also connect via Telnet if it’s enabled.

—————————————————

To configure PAP:

ppp pap sent-username aardvark password cisco

exit

username asdfdf pass gkjk

Whatever username router 1 is sending, router 2 needs to have configured, and vice versa.

With CHAP you have to have the same password on both sides.

conf t

int s0/0

no ppp authentication pap

ppp authentication chap

username r2 password cisco

On the other side it can be a different user, but the password must be the same.
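Why CHAP needs the same password on both sides while PAP simply sends it, as an added Python example that is not part of the original course notes. The CHAP response follows RFC 1994 (MD5 over identifier, shared secret and challenge) and the PAP request layout follows RFC 1334; the router names and passwords are the sample values used above, and the Authenticator class is a hypothetical stand-in for the router that issues the challenge.

```python
import hashlib
import hmac
import os


def chap_response(identifier: int, secret: str, challenge: bytes) -> bytes:
    """RFC 1994: MD5 over the identifier, the shared secret and the challenge."""
    return hashlib.md5(bytes([identifier]) + secret.encode() + challenge).digest()


class Authenticator:
    """The challenging side; users is its local 'username X password Y' list."""

    def __init__(self, users):
        self.users = users
        self.identifier = 0
        self.pending = None

    def new_challenge(self):
        self.identifier = (self.identifier + 1) % 256
        self.pending = os.urandom(16)          # fresh random value for every attempt
        return self.identifier, self.pending

    def check(self, name, identifier, response):
        challenge, self.pending = self.pending, None   # each challenge is single use
        if challenge is None or identifier != self.identifier or name not in self.users:
            return False
        expected = chap_response(identifier, self.users[name], challenge)
        return hmac.compare_digest(response, expected)


def pap_request(name: str, password: str) -> bytes:
    """What PAP puts on the link: length-prefixed name and password in clear text."""
    n, p = name.encode(), password.encode()
    return bytes([len(n)]) + n + bytes([len(p)]) + p


def demo():
    r1 = Authenticator({"r2": "cisco"})        # R1 holds: username r2 password cisco
    ident, chal = r1.new_challenge()
    good = chap_response(ident, "cisco", chal)  # R2 answers with the same password
    ok = r1.check("r2", ident, good)
    ident2, _ = r1.new_challenge()
    replay = r1.check("r2", ident2, good)       # captured response against a new challenge
    ident3, chal3 = r1.new_challenge()
    wrong = r1.check("r2", ident3, chap_response(ident3, "Cisco", chal3))
    return {
        "matching password": ok,
        "replayed response": replay,
        "different password": wrong,
        "password in CHAP response": b"cisco" in good,
        "password in PAP request": b"cisco" in pap_request("aardvark", "cisco"),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```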

——————————————————————–

Lesson 35: Frame Relay Overview

Some acronyms to be aware of:

NBMA – Non-Broadcast Multi Access

DLCI – Data Link Connection identifier

LMI Local Management Interface

DTE – Data terminating equipment (Client)

DCE – Data Circuit-terminating equipment

VC – virtual circuit

LMI…..

LMI automatically enabled with Frame Relay.

encapsulation frame-relay

Types automatically detected.

frame-relay lmi type

sh frame-relay lmi

LMI advertises VC status

sh frame-relay pvc

(Permanent Virtual Circuit)

Status can be

  • Active
  • inactive (something wrong)
  • deleted (vc doesn’t match number)
  • static (rare)

PPP and HDLC are point to point.

Frame relay doesn’t need physical circuits between sites, but VCs, using DLCIs

Hub and spoke or partial mesh.

—————————————————————-

Frame Relay Address Resolution

We can achieve full connectivity across the network, although can use bandwidth.

A router shares a physical connection with multiple connections.

Layer 2 to layer 3 resolution is a problem.

ARP is not available. DLCI address to IP resolution instead:

1. Dynamically with inverse arp

or 2. Statically via frame-relay map

We resolve local DLCI with remote IP. (DLCI is always locally significant only)

Hence it is an inverse ARP type resolution.

Resolution occurs:

  • Dynamically via inverse-ARP
  • Statically via frame-relay map

Resolution verification:

  • show frame-relay map
  • same logic as show arp

Inverse ARP is enabled automatically when a supported protocol is configured.

Request can be disabled: no frame-relay inverse-arp [protocol] [dlci]

We can’t disable reply.

Automatically includes broadcast support. Means you can use routing protocols which use broadcasts eg RIP v2

frame relay map is the same as a static ARP entry, but uses DLCI number

Static mappings override dynamics.

Broadcast support must be manually configured.

If you run point to point you don’t need layer 3 to layer 2 resolution.

————————————————————

Lesson 36:  Frame Relay Configuration

Configure Router 3:

conf t

int s1/0

no ip address

encapsulation frame-relay

clock rate 64000

frame-relay intf-type dce (tells the router that it is going to be the server)

frame-relay switching (enable frame relay switching)

clock rate [rate] (DCE end of link provides clocking)

show controllers serial

frame-relay intf-type dce Frame Relay Switch is logical DCE

connect [name] [interface-1] [DLCI-1] [interface-2] [DLCI-2]

——————————————————————

Frame relay route is the same as connect – newer syntax

Sample syntax:

connect R2_to_R1 serial1/1 201 serial1/0 102

201 and 102 are locally significant DLCI number, which you configured yourself.

Router 2 will use 201 to get to router 1

Router 1 will use 102 to get to router 2

sh frame-relay pvc

We will need dlci number to IP address resolution.

————————————————————-

On Router :

sh int serial 0/0

we will see that encapsulation is HDLC, and other side is running frame relay, and not compatible.

conf t

int s0/0

encapsulation frame-relay

now it will be up.

Is LMI being sent and received? see dlci number.

sh frame-relay pvc will show active connection

On the other side, sh frame-relay pvc will show all circuits by DLCI number.

Now configure protocols so that the virtual circuit works.  Assign IP addresses.

Virtual circuits have to be in all directions to enable connectivity, unlike a TCP/IP network where, once connected, they all can talk to each other.

On R2:  The hub:

conf t

int s0/0

ip address 10.0.0.2 255.255.255.0

Routers will now run inverse ARP, associate dlci number with IP

sh frame-relay map   will tell you all the resolutions

debug ip packets

debug frame-relay packets

will tell you what is happening – encapsulation failed tells you that there is no frame relay link

You can only do a mapping to someone you have a direct link to.

limitation of inv arp.

eg tell router5:  if you want to reach 10.0.0.1 you need to use dlci 502

frame-relay map ip 10.0.0.1 502

sh frame-relay map

will tell you if it has worked.  You need to do this on the other side.

Alternatively tell router that one PVC should be used to connect – using P2P Subinterface

Example:

R4:

conf t

int s0/0

no ip address

int s0/0.1 point-to-point

ip address 10.0.0.4 255.255.255.0

frame-relay interface-dlci 402

Hub cannot use p2p subinterface, because it has multiple connections.

R2, the hub, has to have an IP address on the main interface or a multipoint subinterface

 
