
Sunday, May 31, 2009

Using Access Control List (ACL) to restrict inbound Internet access (CNA-04-004)

CCNA Exploration 4.0, Semester 4, "Using Access Control List (ACL) to restrict inbound Internet access" Packet Tracer 5.0 practice file (CNA-04-004).




In this example I set the requirements on purpose: you must allow PING (that is, ICMP) and block TELNET (that is, TCP port 23) from the same sources at the same time. That forces you to use an "Extended" ACL. A "Standard" ACL matches on the source IP address only, so it cannot permit one service and deny another from the same source; an extended ACL also matches on protocol, destination address and port.

A sample ACL and its application could look like this:

interface Serial0/0/0
 ip address 10.1.1.1 255.255.255.0
 ip access-group 100 in
 clock rate 64000
!
access-list 100 deny tcp any 192.168.0.0 0.0.255.255 eq telnet
access-list 100 permit ip any any

The sample above applies the ACL inbound on "Serial0/0/0", the WAN side, so unwanted packets are dropped as soon as they enter the router. The same ACL applied outbound on "FastEthernet0/0" and "FastEthernet0/1" would protect the LANs equally. Note the difference, though: packets addressed to the router itself (for example a Telnet session to the serial interface's own address) are only checked by an inbound ACL, never by an outbound one, and this particular list would permit them anyway because its deny line covers only destinations in 192.168.0.0/16. Use "show access-lists" to watch the per-line hit counters and confirm that the entry you expect is the one matching.
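To see the two ideas in this post at work, first-match order and the implicit deny at the end of every list, here is an added example (not part of the original post) that parses the two "access-list 100" lines above and evaluates constructed packets against them. Wildcard masks are applied the IOS way (a 0 bit must match, a 1 bit is "don't care"); the packets, the port-name table and the second single-line ACL are assumptions for the demonstration.

```python
import ipaddress

# Constructed sample input: the two ACL lines from the post, parsed as text.
ACL_100 = """
access-list 100 deny tcp any 192.168.0.0 0.0.255.255 eq telnet
access-list 100 permit ip any any
"""

# Assumed subset of the IOS port-name keywords.
PORT_NAMES = {"telnet": 23, "ssh": 22, "www": 80, "domain": 53}


def _ip(s):
    return int(ipaddress.IPv4Address(s))


def _parse_addr(tokens):
    """Consume one address spec: 'any', 'host A.B.C.D', or 'A.B.C.D WILDCARD'.
    Returns ((base, wildcard), remaining_tokens); a wildcard bit of 1 means don't care."""
    if tokens[0] == "any":
        return (0, 0xFFFFFFFF), tokens[1:]
    if tokens[0] == "host":
        return (_ip(tokens[1]), 0), tokens[2:]
    return (_ip(tokens[0]), _ip(tokens[1])), tokens[2:]


def _parse_port(tokens):
    """Consume an optional 'eq <port|name>' qualifier."""
    if tokens and tokens[0] == "eq":
        p = tokens[1]
        return (int(p) if p.isdigit() else PORT_NAMES[p]), tokens[2:]
    return None, tokens


def parse_acl(text):
    """Parse 'access-list <n> <permit|deny> <proto> <src> [eq p] <dst> [eq p]' lines."""
    rules = []
    for line in text.strip().splitlines():
        t = line.split()
        if len(t) < 5 or t[0] != "access-list":
            continue
        action, proto, rest = t[2], t[3], t[4:]
        src, rest = _parse_addr(rest)
        sport, rest = _parse_port(rest)
        dst, rest = _parse_addr(rest)
        dport, rest = _parse_port(rest)
        rules.append({"action": action, "proto": proto, "src": src, "sport": sport,
                      "dst": dst, "dport": dport, "line": line.strip()})
    return rules


def _addr_match(spec, ip):
    base, wild = spec
    care = ~wild & 0xFFFFFFFF          # the wildcard's 0 bits are the bits that must match
    return (_ip(ip) & care) == (base & care)


def evaluate(rules, pkt):
    """First matching entry wins; no match means the implicit deny at the end of every ACL.
    pkt: {'proto': 'tcp'|'udp'|'icmp', 'src': ..., 'dst': ..., optional 'sport'/'dport'}."""
    for r in rules:
        if r["proto"] != "ip" and r["proto"] != pkt["proto"]:
            continue
        if not (_addr_match(r["src"], pkt["src"]) and _addr_match(r["dst"], pkt["dst"])):
            continue
        if r["sport"] is not None and r["sport"] != pkt.get("sport"):
            continue
        if r["dport"] is not None and r["dport"] != pkt.get("dport"):
            continue
        return r["action"], r["line"]
    return "deny", "(implicit deny at end of list)"


RULES = parse_acl(ACL_100)

if __name__ == "__main__":
    # Constructed packets: Telnet and ping from the Internet to a LAN host,
    # then Telnet to the router's own serial address (not covered by the deny line).
    for pkt in (
        {"proto": "tcp", "src": "203.0.113.9", "dst": "192.168.1.10", "sport": 40000, "dport": 23},
        {"proto": "icmp", "src": "203.0.113.9", "dst": "192.168.1.10"},
        {"proto": "tcp", "src": "203.0.113.9", "dst": "10.1.1.1", "sport": 40001, "dport": 23},
    ):
        print(pkt, "->", evaluate(RULES, pkt))
```

Drop the "permit ip any any" line and the same evaluator denies the ping as well: that is the implicit deny, and it is the most common reason a freshly applied ACL "breaks everything".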

Also remember: a test question about ACLs is always framed so that there is one expected answer. In daily life there is often more than one ACL that meets the stated requirements. Be creative about the possible answers!

Monday, May 25, 2009

Using TFTP to recover Cisco IOS Image file, and to backup/restore configurations (CNA-04-003)

CCNA Exploration 4.0, Semester 4, "Using TFTP to recover Cisco IOS Image file, and to backup/restore configurations" Packet Tracer 5.0 practice file (CNA-04-003).




This Packet Tracer file is only a simple environment for you to "experience" using TFTP to recover a Cisco IOS image file and to back up and restore configurations.

However, if you have access to a physical router or switch, especially during a training course, do not waste your chance to practise on it! Packet Tracer, as a simulator, is not comparable to real machines at all!

For example, it does not simulate all Cisco IOS behaviour. The following screen captures show how many command options of a real Cisco 2960 switch are still missing from Packet Tracer.

[In Packet Tracer 5.0]


Cisco-Switch-2960>en
Cisco-Switch-2960#copy ?
  running-config  Copy from current system configuration
  startup-config  Copy from startup configuration
  tftp:           Copy from tftp: file system
Cisco-Switch-2960#copy tftp: ?
  flash:          Copy to flash: file system
  running-config  Copy configuration from system
  startup-config  Copy startup configuration from system
Cisco-Switch-2960#

[In real Cisco 2960 switch]


Cisco-Switch-2960#copy ?
  /erase          Erase destination file system.
  /noverify       Disable automatic image verification after copy
  bs:             Copy from bs: file system
  cns:            Copy from cns: file system
  flash:          Copy from flash: file system
  ftp:            Copy from ftp: file system
  null:           Copy from null: file system
  nvram:          Copy from nvram: file system
  rcp:            Copy from rcp: file system
  running-config  Copy from current system configuration
  startup-config  Copy from startup configuration
  system:         Copy from system: file system
  tftp:           Copy from tftp: file system
  xmodem:         Copy from xmodem: file system
  ymodem:         Copy from ymodem: file system

Cisco-Switch-2960#copy tftp: ?
  flash:          Copy to flash: file system
  null:           Copy to null: file system
  nvram:          Copy to nvram: file system
  running-config  Update (merge with) current system configuration
  startup-config  Copy to startup configuration
  system:         Copy to system: file system

Cisco-Switch-2960#

To repeat: a simulator is not a replacement for a real machine at all!

Friday, May 22, 2009

Frame Relay and RIP problem configuration and observation (CNA-04-002)

CCNA Exploration 4.0, Semester 4, "Frame Relay and RIP problem configuration and observation" Packet Tracer 5.0 practice file (CNA-04-002).




Of course, I no longer recommend RIP in my lectures. But since this is the typical RIP-over-Frame-Relay problem found in every version of the ICND materials, you might be interested in configuring and observing it!

In this example we have only two Virtual Circuits available: one between Router 1 and Router 2, and the other between Router 2 and Router 3. This is a typical "hub and spoke" deployment, chosen to minimise virtual circuit cost!

The Frame Relay access configuration is not difficult at all. All you have to do is change the serial encapsulation to "frame-relay". Here is the sample configuration for Router 1:


interface Serial0/0/0
 ip address 10.1.1.1 255.255.255.0
 encapsulation frame-relay

After you configure all three interfaces on the three routers, wait a moment! Cisco IOS's Inverse ARP feature will automatically set up the mapping between the peers' IP addresses and the DLCIs. We can examine this on Router 2:


R2#show frame-relay map
Serial0/0/0 (up): ip 10.1.1.1 dlci 201, dynamic, broadcast, CISCO, status defined, active
Serial0/0/0 (up): ip 10.1.1.3 dlci 203, dynamic, broadcast, CISCO, status defined, active
R2#ping 10.1.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 40/50/60 ms

R2#ping 10.1.1.3

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 40/54/91 ms

R2#

The Frame Relay access portion is done! Now we look closer at the RIP problem.

After we start RIP on all routers with default settings, we immediately see a serious problem: Router 1 does not receive Router 3's RIP routes, and vice versa.

R1>show ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is not set

     10.0.0.0/24 is subnetted, 1 subnets
C       10.1.1.0 is directly connected, Serial0/0/0
C    192.168.1.0/24 is directly connected, FastEthernet0/0
R    192.168.2.0/24 [120/1] via 10.1.1.2, 00:00:23, Serial0/0/0
R1>

The cause lies in Router 2. We have only two virtual circuits, so only Router 2 receives Router 3's RIP updates. Router 1 will never see them unless Router 2 re-sends those routes on Router 1's behalf.

Recall the default behaviour of "split horizon": a router never advertises a route out of the interface on which it learned that route. Router 1 and Router 3 are addressed in the same subnet, reached through the same interface Serial0/0/0 on Router 2, so any RIP route Router 2 learns on Serial0/0/0 will not be sent back out through Serial0/0/0!

That is why Router 1 does not receive Router 3's routes: Router 2 will not re-send them!

To eliminate this problem, we have to disable "split horizon" on Router 2's Serial0/0/0, like this:

interface Serial0/0/0
 ip address 10.1.1.2 255.255.255.0
 no ip split-horizon
 encapsulation frame-relay

Then RIP works well with such a Frame Relay deployment and addressing! One check before you conclude anything on real hardware: IOS already disables IP split horizon by default on a physical interface with Frame Relay encapsulation (it stays enabled on subinterfaces), and "show ip interface Serial0/0/0" tells you whether split horizon is currently enabled on that interface. Verify the setting rather than assume that the simulator and the real router behave the same way.
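An added example, not part of the original post, that models the hub-and-spoke exchange just described: R2 is the hub with both PVCs on Serial0/0/0, R1 and R3 are the spokes, and the only setting that changes between the two runs is split horizon on the hub's Serial0/0/0. The topology, prefixes and the simplified RIP update rules are constructed for the demonstration (no timers, no triggered updates, hop count only).

```python
# Constructed model of the topology above: R2 (hub) terminates both PVCs on Serial0/0/0;
# R1 and R3 (spokes) only ever exchange RIP updates with R2.
INFINITY = 16


def router(name, connected):
    """connected: {prefix: interface}. A route is (metric, next_hop, interface)."""
    return {"name": name, "routes": {p: (0, None, i) for p, i in connected.items()}}


def rip_update(rtr, out_iface, split_horizon=True):
    """Prefixes advertised out of out_iface with their metrics. Split horizon suppresses
    every route whose interface is out_iface itself, i.e. routes learned (or directly
    connected) on that interface."""
    return {p: m for p, (m, _nh, iface) in rtr["routes"].items()
            if not (split_horizon and iface == out_iface)}


def rip_receive(rtr, in_iface, sender, update):
    """Bellman-Ford step: accept a route if it is new or strictly better (hop count + 1)."""
    for prefix, metric in update.items():
        new = min(metric + 1, INFINITY)
        cur = rtr["routes"].get(prefix)
        if cur is None or new < cur[0]:
            rtr["routes"][prefix] = (new, sender, in_iface)


def spoke_table(hub_split_horizon, rounds=3):
    """Run a few update rounds and return R1's table as {prefix: (metric, next_hop)}."""
    r1 = router("R1", {"192.168.1.0/24": "Fa0/0", "10.1.1.0/24": "S0/0/0"})
    r2 = router("R2", {"192.168.2.0/24": "Fa0/0", "10.1.1.0/24": "S0/0/0"})
    r3 = router("R3", {"192.168.3.0/24": "Fa0/0", "10.1.1.0/24": "S0/0/0"})
    for _ in range(rounds):
        for spoke in (r1, r3):      # spokes keep split horizon on (the default)
            rip_receive(r2, "S0/0/0", spoke["name"], rip_update(spoke, "S0/0/0"))
        for spoke in (r1, r3):      # the hub is the only place the setting matters
            rip_receive(spoke, "S0/0/0", "R2", rip_update(r2, "S0/0/0", hub_split_horizon))
    return {p: (m, nh) for p, (m, nh, _i) in r1["routes"].items()}


if __name__ == "__main__":
    print("hub split horizon ON :", spoke_table(True))    # 192.168.3.0/24 never reaches R1
    print("hub split horizon OFF:", spoke_table(False))   # R1 learns it at 2 hops via R2
```

With split horizon on, R1's table is exactly the "show ip route" output above: the connected networks plus 192.168.2.0/24 via R2. With it off at the hub, 192.168.3.0/24 appears at metric 2 via 10.1.1.2, and R2 also echoes R1's own 192.168.1.0/24 back at a worse metric, which R1 simply ignores.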

I want to repeat this over and over: this is only a sample problem of RIP on Frame Relay. I strongly suggest you use better protocols such as EIGRP or OSPF instead. OSPF does not use split horizon at all (on this kind of NBMA network it needs its own network-type or neighbor configuration, but not this trick). EIGRP does apply split horizon, and in the same hub-and-spoke topology you would disable it on the hub with "no ip split-horizon eigrp <AS>" instead. Refer to this post only if you cannot remove RIP from your network!

Thursday, May 21, 2009

Configuring PPP on serial interfaces and CHAP Authentication (CNA-04-001)

CCNA Exploration 4.0, Semester 4, "Configuring PPP on serial interfaces and CHAP Authentication" Packet Tracer 5.0 practice file (CNA-04-001).




This is a simple practice for you to change the layer 2 encapsulation from the default HDLC to PPP. The reference answer file also contains sample CHAP authentication configurations.

You can also read my previous post so you won't get confused about the usernames, passwords and directions.

Wednesday, May 20, 2009

PPP with CHAP Authentication, Quick Reference


Quick reference for PPP together with CHAP authentication configuration. Note the direction: each router's "username" line carries the other router's hostname, and the password must be identical on both sides.

hostname Left
username Right password samepassword

int serial 1/0
encapsulation ppp
ppp authentication chap
ip address 1.1.1.1 255.255.255.0
no shutdown


hostname Right
username Left password samepassword

int serial 1/0
encapsulation ppp
ppp authentication chap
ip address 1.1.1.2 255.255.255.0
no shutdown
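The configuration above works because of how the CHAP exchange uses those two "username" lines. The following added example (not part of the original post) replays one direction of the RFC 1994 handshake in Python: the authenticator sends a random challenge with its own hostname, the peer looks that hostname up in its username table, hashes identifier, secret and challenge with MD5, and sends the digest back with its own hostname; the authenticator repeats the computation with the entry it holds for the peer. The hostnames and secret are the ones from the quick reference; everything else (the in-memory "username" tables, the packet fields shown as comments) is constructed for the demonstration.

```python
import hashlib
import hmac
import os

# Constructed equivalent of the two configs above: each router's 'username' table holds
# the PEER's hostname with the shared secret, which must be identical on both ends.
ROUTERS = {
    "Left":  {"Right": "samepassword"},
    "Right": {"Left": "samepassword"},
}


def chap_response(identifier, secret, challenge):
    """RFC 1994 section 4.1: Response Value = MD5(Identifier || secret || Challenge Value)."""
    return hashlib.md5(bytes([identifier]) + secret.encode() + challenge).digest()


def chap_one_way(authenticator, peer, routers=ROUTERS, rng=os.urandom):
    """One direction of the handshake: `authenticator` challenges `peer`.
    Returns (success, reason). Only the digest crosses the link, never the secret."""
    identifier = rng(1)[0]
    challenge = rng(16)
    # Challenge packet: Identifier, Challenge Value, Name = authenticator's hostname.
    # The peer uses that Name to find the secret in its own 'username' table.
    peer_secret = routers[peer].get(authenticator)
    if peer_secret is None:
        return False, f"{peer} has no 'username {authenticator} password ...' line"
    response = chap_response(identifier, peer_secret, challenge)
    # Response packet: same Identifier, the digest, Name = peer's hostname.
    # The authenticator looks that Name up in its own table and recomputes the digest.
    my_secret = routers[authenticator].get(peer)
    if my_secret is None:
        return False, f"{authenticator} has no 'username {peer} password ...' line"
    expected = chap_response(identifier, my_secret, challenge)
    if not hmac.compare_digest(response, expected):
        return False, "password mismatch (CHAP Failure)"
    return True, "CHAP Success"


def chap_both_ways(a, b, routers=ROUTERS):
    """'ppp authentication chap' on both routers means each side challenges the other."""
    return chap_one_way(a, b, routers)[0] and chap_one_way(b, a, routers)[0]


if __name__ == "__main__":
    print(chap_one_way("Left", "Right"))
    print(chap_one_way("Right", "Left"))
    print(chap_both_ways("Left", "Right"))
```

Two practical consequences follow from the hash: CHAP needs the clear-text secret on both routers, so a one-way hashed "username ... secret" cannot be used for it, and "service password-encryption" only obfuscates the stored copy (reversible type 7). Anyone who captures a challenge and response pair can also attack the secret offline with plain MD5, so choose a long random one rather than something like "samepassword".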

Tuesday, May 19, 2009

Client PC's Redundancy: Wireless LAN, also backup Internet's traffic

Continued from the previous post. Have you come up with the answer?

The key is still the "more specific route": we only have to craft some routes more specific than the "default route"! The default route is the least specific route there is, so any route with just one more bit of prefix length is already more specific!

---

OK! Here is the answer: we only have to add two routes, 0.0.0.0/1 and 128.0.0.0/1, both pointing to the Wired LAN's gateway IP address. Done! Now Internet traffic goes through the Wired LAN normally, and through the Wireless LAN only when the Wired LAN is down!

Why these two routes? It becomes clear in binary form (bit 31 on the left, bit 0 on the right). A /1 mask tests only the first bit, so the two routes split the whole IPv4 address space in half, and together they cover every possible destination:

00000000.00000000.00000000.00000000, mask 10000000.00000000.00000000.00000000   (0.0.0.0/1: first bit 0)
10000000.00000000.00000000.00000000, mask 10000000.00000000.00000000.00000000   (128.0.0.0/1: first bit 1)

Of course, we can also use 4 routes (/2) or even 8 routes (/3) to play the same trick! Two is the simplest!

Interesting, isn't it? This trick is useful in many situations; we will see it again!

Sunday, May 17, 2009

Client PC's Redundancy: Wireless LAN

Yellow Flowers (DSCN0947), originally uploaded by Li-Ji.
To provide client PCs with network backup redundancy, Wireless LAN has a unique advantage that Wired LAN cannot provide at all: automatic recovery! Windows does this by itself, finding another available Access Point automatically. That is why I emphasise automatic recovery: when all client PCs connect only through Wireless LAN, users will not even notice that the network was down for a moment because a single network device failed!

However, Wireless LAN today still has a technical limitation: bandwidth. The problem gets worse when client PCs are densely located and each runs bandwidth-hungry applications. Using Wireless LAN only for such client PCs would be a nightmare for the network administrator!

I have another suggestion. We can use Wireless LAN as a backup to Wired LAN and take the benefit of both technologies at the same time. Normally all traffic goes through the Wired LAN. Once the switch fails, the client PCs divert their traffic to the Wireless LAN. Although the network is slower during this backup period because of Wireless LAN's limitation, at least we keep full connectivity to all client PCs.

Can the switchover be automatic, too? Sure! The trick is to make use of "more specific routes". Assume the Intranet is within the "192.168.0.0/16" range. We first put the Wired LAN and the Wireless LAN into different IP subnets. Then, on Windows, we point the route to "192.168.0.0/255.255.0.0" at the gateway IP address of the Wired LAN, and point the "default route" at the gateway IP address on the Wireless LAN side.

You see it! Normally traffic follows the more specific route through the Wired LAN. Only when the Wired LAN is down does traffic fall back to the default route through the Wireless LAN. Automatically done!

As for how to add those routes to the client PCs, we can use Windows AD Group Policy, or, even simpler, use DHCP (its classless static route option) to push them to the client PCs.

I believe some of you will come up with another question: this solution only provides automatic backup for "Intranet" traffic. What about traffic to the Internet?

The trick is very similar. Let me take a breath, and keep watching my blog! I will tell you in my next post!
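Both routing tricks in this post and in the follow-up post above (the 192.168.0.0/16 route for the Intranet, and the pair of /1 routes for the Internet) rest on one rule: longest prefix match. The following added example, not part of the original posts, builds the client PC's routing table with constructed example addresses, resolves a few destinations with longest-prefix matching, and shows the fallback once the wired routes disappear. It assumes, as the posts do, that Windows withdraws the routes of an interface whose link goes down; it also generalises the /1 trick to any number of equal halves.

```python
import ipaddress

# Constructed example addressing (assumption): Wired LAN 192.168.10.0/24, Wireless LAN
# 192.168.20.0/24, each with its gateway at .1; the Intranet is 192.168.0.0/16.
WIRED_GW, WIRELESS_GW = "192.168.10.1", "192.168.20.1"


def client_routes(wired_up=True):
    """Routing table of one client PC as (network, gateway, interface) tuples.
    Assumes Windows drops the routes of an interface whose link is down, which is what
    makes the switchover automatic; with wired_up=False those routes are simply absent."""
    table = [("0.0.0.0/0", WIRELESS_GW, "wireless")]     # default route via Wireless LAN
    if wired_up:
        table += [
            ("192.168.0.0/16", WIRED_GW, "wired"),     # Intranet (post of May 17)
            ("0.0.0.0/1", WIRED_GW, "wired"),          # Internet, first bit 0 (post of May 19)
            ("128.0.0.0/1", WIRED_GW, "wired"),        # Internet, first bit 1
        ]
    return [(ipaddress.ip_network(n), gw, ifc) for n, gw, ifc in table]


def lookup(table, destination):
    """Longest-prefix match: of all routes containing the destination, the longest mask wins."""
    addr = ipaddress.ip_address(destination)
    matches = [r for r in table if addr in r[0]]
    return max(matches, key=lambda r: r[0].prefixlen) if matches else None


def cover_internet(prefixlen):
    """Generalisation of the /1 trick: 2**prefixlen routes of that length which together
    cover the whole IPv4 space, each of them more specific than the default route."""
    return list(ipaddress.ip_network("0.0.0.0/0").subnets(new_prefix=prefixlen))


if __name__ == "__main__":
    for dst in ("192.168.20.55", "8.8.8.8", "200.1.2.3"):
        net, gw, ifc = lookup(client_routes(), dst)
        print(f"wired up  : {dst:14} -> {net!s:17} via {gw} ({ifc})")
        net, gw, ifc = lookup(client_routes(wired_up=False), dst)
        print(f"wired down: {dst:14} -> {net!s:17} via {gw} ({ifc})")
    print([str(n) for n in cover_internet(2)])   # the "4 routes" variant
```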

Friday, May 15, 2009

Redundancy: a great lesson to me!

I believe many of you have noticed that some .PKT files and some .JPG files could not be downloaded or viewed since a day ago. In fact, serious down time is happening at my ONLY web hosting provider.

The customer service attendant of this provider said they are doing some emergency recovery and doing their best, but there is no ETA (I guess it means Estimated Time of Availability)! At the time of this post, the service is still not recovered! It is already over 24 hours and breaks their 99.9% uptime promise!

I have to ask for your patience! Because I did not back up some of my important files, some content will take longer to recover!

I always preached to my students about redundancy in network design. However, I did not apply this discipline to my own content. This time it is a great (and painful) lesson to me!

Thursday, May 14, 2009

Provide across 3 VLANs, Layer 3 connectivity using a router with single LAN interface (CNA-03-007)

CCNA Exploration 4.0, Semester 3, "Provide across 3 VLANs, Layer 3 connectivity using a router with single LAN interface" Packet Tracer 5.0 practice file (CNA-03-007).




What?! A single LAN interface serving 3 VLANs? Yes, no problem! We only have to configure it with a few new commands we have not learned yet!

Remember that on a trunk connection between switches, every frame is "tagged" so the switches can tell which frame belongs to which VLAN. If a router can recognise and add the same tags just like a switch, we can "virtually" connect this router to all the VLANs on the switches, and thus provide routing across VLANs using a single physical LAN interface!

We usually give such a router a nickname: "Router on a stick". That is, a (LAN) router with only one interface (leg)!

Since VLAN tagging is done in hardware, keep in mind that not all routers and not all LAN interface cards support it: the router's LAN interface has to be at least 100 Mbps (FastEthernet, in Cisco's terms). If your router was bought recently, such as the newer ISR (Integrated Services Router) models, this requirement is easily met.

Our "Router on a stick" routes packets among sub-interfaces. Each sub-interface is a logical (virtual) interface plugged into one VLAN. The configuration looks like this:


interface FastEthernet0/0
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet0/0.100
 encapsulation dot1Q 10
 ip address 172.17.10.1 255.255.255.0
!
interface FastEthernet0/0.200
 encapsulation dot1Q 20
 ip address 172.17.20.1 255.255.255.0
!
interface FastEthernet0/0.300
 encapsulation dot1Q 30
 ip address 172.17.30.1 255.255.255.0
!

The numbers after "encapsulation dot1Q 10", "encapsulation dot1Q 20" and "encapsulation dot1Q 30" are exactly the VLAN ID numbers used in 802.1Q tagging.

However, the sub-interface number itself has no special meaning at all. I intentionally chose sub-interface numbers (100, 200, 300) different from the VLAN numbers in this example.

We also have to configure the switch side. The switch port connected to the router must be in "Trunk mode", so that the router can receive and send frames of the different VLANs. Two security-relevant details on such a trunk: restrict the allowed VLANs to the ones the router actually serves (10, 20 and 30 here), and make sure the native (untagged) VLAN agrees on both ends and carries no user traffic, because an untagged frame is placed into the native VLAN without any further check.

interface FastEthernet0/11
 switchport mode trunk
!

"Router on a stick" in fact solves one more problem: scalability. No matter how many VLANs we have to route among, we always need only one physical LAN interface!

Consider this and you will see the problem: suppose we had to route among 100 VLANs without this function. We would be in serious trouble finding a router with 100 LAN interfaces!

Wednesday, May 13, 2009

Provide across 3 VLANs, Layer 3 connectivity using a router with 3 LAN interfaces (CNA-03-006)

CCNA Exploration 4.0, Semester 3, "Provide across 3 VLANs, Layer 3 connectivity using a router with 3 LAN interfaces" Packet Tracer 5.0 practice file (CNA-03-006).

 



In the previous practices we separated PCs into different VLANs. In this practice we connect them together again, using a Layer 3 router!

Because there are only 3 VLANs, we only have to prepare a router with 3 LAN interfaces.

It won't be difficult for you if you got through Semester 2 well. You only have to make sure each switch port connecting to a router interface is in the same VLAN as the PCs that interface serves. Of course, the 3 inter-switch links should also be enabled as "Trunk Links".

You can use this practice as a review of Semester 2's material!

Tuesday, May 12, 2009

Using TELNET to backup Cisco Router and Switch's configuration

Aboriginal Art and Ponds, in Hualian County, Taiwan
I believe you agree that you hardly ever attach a console cable to your routers or switches in daily maintenance. Your network devices are locked up in a rack in a room far away! TELNET is the more frequently used tool on Windows. Keep in mind, though, that TELNET sends your login and enable passwords in clear text across the network; wherever the IOS image supports it, SSH is the safer way to reach the device.

To back up the configuration of a Cisco router or switch, I share a tip using TELNET. (However, this tip is only applicable on Windows XP!) If your PC comes with Windows Vista or 7, you have to install the TELNET client first.

Monday, May 11, 2009

Collection of my companion practices added, in the right second panel

Yes! I am posting a series of Packet Tracer files I prepared for my students in the Cisco Networking Academy. So that you can find them all quickly, I have listed them in the second panel on the right of this blog.

I believe they will be very helpful for network students and even for instructors!

I have not posted all of them yet! Keep watching the coming posts!

You are welcome to use all these files as you wish! And please do not hesitate to give me your feedback!

Sunday, May 10, 2009

Observe and configure designated switch as Spanning Tree Protocol's root role (CNA-03-005)

CCNA Exploration 4.0, Semester 3, "Observe and configure designated switch as Spanning Tree Protocol's root role" Packet Tracer 5.0 practice file (CNA-03-005).




It will not be difficult for you to maintain VLAN connectivity for both VLAN 10 and VLAN 20. We have four previous examples: Practice 1, Practice 2, Practice 3 and Practice 4.

This practice focuses on the root switch of a Spanning Tree Protocol domain.

How important is the root switch? The spanning tree is built outward from the root: every other switch keeps only its least-cost path towards the root and blocks the rest, so traffic between switches is funnelled along paths through or towards the root. If your root switch's performance is modest, the whole network will perform poorly.

In practice, we usually choose the best-performing switch (probably also the most expensive one!) as the root of a Spanning Tree Protocol domain.

The root is selected automatically by the Spanning Tree Protocol: the switch with the lowest bridge ID wins. If all switches use the default Spanning Tree configuration, their priorities are equal, and the root is chosen almost "randomly", because the tie is broken by the smallest MAC address (treat the MAC address as one long hexadecimal number).

See the "show spanning-tree" output on "S2" below. It is the elected root switch for VLAN 1. Note the priority of 32769: the default 32768 plus the VLAN number (the "sys-id-ext" part), since the priority field carries the VLAN ID in PVST+.

S2#show spanning-tree 
VLAN0001
  Spanning tree enabled protocol ieee
  Root ID    Priority    32769
             Address     0002.4AEE.B73B
             This bridge is the root
             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    32769  (priority 32768 sys-id-ext 1)
             Address     0002.4AEE.B73B
             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  20

Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Fa0/1            Desg FWD 19        128.1    P2p
Fa0/2            Desg FWD 19        128.2    P2p
Fa0/6            Desg FWD 19        128.6    P2p
Fa0/11           Desg FWD 19        128.11   P2p
Fa0/18           Desg FWD 19        128.18   P2p

S2#

In this practice, if we want to designate S1 as the root for VLAN 10 and S3 as the root for VLAN 20, we issue the following commands on the respective switches:

(These commands are macros: the running-config does not keep the macro itself, but the priority value it computed, for example "spanning-tree vlan 10 priority 24576". Use "show spanning-tree" to confirm which switch actually became root!)

S1(config)# spanning-tree vlan 10 root primary

S3(config)# spanning-tree vlan 20 root primary

I believe you would guess that there is a "secondary" command of the same form. Exactly! This command designates a "backup switch" for the root role. When the root switch dies, it takes over as the new root.

In this example we also want S1 to be the backup root for VLAN 20, and S3 the backup root for VLAN 10. Then we issue the following commands:

S1(config)# spanning-tree vlan 20 root secondary

S3(config)# spanning-tree vlan 10 root secondary

With these commands we choose which switch is the primary root and which is the backup (secondary) root, exactly the way we want! Remember, though, that the election trusts every BPDU it hears: any device on an access port can announce a lower bridge ID and take over the root role, pulling traffic through itself. Protect the designed topology with "spanning-tree guard root" on ports that must never lead towards the root, and "spanning-tree bpduguard enable" on end-user ports.
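An added example (not part of the original post) that puts numbers on the election described above: bridge IDs are compared as (priority field, MAC), the priority field is the configured priority plus the VLAN number (which is why S2 shows 32769 for VLAN 1), and the "root primary" and "root secondary" macros are emulated with the priority values Cisco documents for them (24576, or 4096 below the current root if that is already lower, and 28672). S2's MAC address is the one in the output above; the MAC addresses of S1 and S3 are made up.

```python
DEFAULT_PRIORITY = 32768


def make_switches():
    """Constructed domain: S2's MAC is from the output above, S1 and S3 are made up.
    'priority' holds per-VLAN configured priorities; missing VLANs use the default."""
    return {
        "S1": {"mac": "0002.4AEE.B73C", "priority": {}},
        "S2": {"mac": "0002.4AEE.B73B", "priority": {}},
        "S3": {"mac": "0002.4AEE.B73D", "priority": {}},
    }


def priority_field(priority, vlan):
    """PVST+ with extended system ID: the 16-bit field sent in BPDUs is the configured
    priority (a multiple of 4096) plus the VLAN number, hence 32769 for VLAN 1."""
    if priority % 4096 or not 0 < vlan < 4096:
        raise ValueError("priority must be a multiple of 4096, vlan 1..4095")
    return priority + vlan


def configured_priority(switches, name, vlan):
    return switches[name]["priority"].get(vlan, DEFAULT_PRIORITY)


def bridge_id(switches, name, vlan):
    """Comparable bridge ID: priority field first, MAC (as one hex number) as tie-breaker."""
    return (priority_field(configured_priority(switches, name, vlan), vlan),
            int(switches[name]["mac"].replace(".", ""), 16))


def elect_root(switches, vlan, alive=None):
    """Lowest bridge ID among the switches still alive wins the root role for that VLAN."""
    alive = alive if alive is not None else set(switches)
    return min(alive, key=lambda n: bridge_id(switches, n, vlan))


def root_primary(switches, vlan, name):
    """Emulates 'spanning-tree vlan <vlan> root primary': priority 24576, or 4096 below
    the current root's priority if that is already 24576 or lower."""
    root_prio = configured_priority(switches, elect_root(switches, vlan), vlan)
    new_prio = 24576 if root_prio > 24576 else root_prio - 4096
    if new_prio < 0:
        raise ValueError("current root already at the lowest priority; set it manually")
    switches[name]["priority"][vlan] = new_prio
    return new_prio


def root_secondary(switches, vlan, name):
    """Emulates 'spanning-tree vlan <vlan> root secondary': priority 28672."""
    switches[name]["priority"][vlan] = 28672
    return 28672


if __name__ == "__main__":
    sw = make_switches()
    print("default election, VLAN 1 :", elect_root(sw, 1))        # S2, lowest MAC
    root_primary(sw, 10, "S1"); root_secondary(sw, 10, "S3")
    root_primary(sw, 20, "S3"); root_secondary(sw, 20, "S1")
    print("VLAN 10 root:", elect_root(sw, 10), " VLAN 20 root:", elect_root(sw, 20))
    print("VLAN 10 root with S1 down:", elect_root(sw, 10, alive={"S2", "S3"}))
```

The same comparison is what makes the root guard caveat above matter: a rogue bridge advertising priority 0 would win every one of these elections, since 0 plus the VLAN number beats any value the macros set.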

Friday, May 8, 2009

How to get through the economic slowdown? Spend more time learning!

Open wide and full (DSCN0634), originally uploaded by Li-Ji.
I believe many people, no matter what business they are in or what conditions they are suffering, will have more and more "free time"!

Seen from the brighter side, it is a great chance for you to "learn"! I would like to give you some advice:

  1. You can spend more time on the Cisco Learning Network. It is an official Cisco site, and many people gather there to discuss and share information about learning and certification.
  2. You may invest in yourself, or find sponsorship from your company, to enroll in some good training courses. For example, type "ccnp course" into the "Google Custom Search" box above every post in my blog to find some good CCNP-related training courses.
  3. Subscribe to my blog by Email, and let me know what content you want to read! I will devote myself to writing as many useful posts as I can!

To encourage more visitors to become readers, I have prepared some "secret gifts" for you if you subscribe to my blog by Email (see the Email subscription box at the top right) before the end of 2009! Of course, existing readers will get them too!

It only takes 3 simple steps to subscribe by Email: (1) fill in your Email address in the top right box and click submit, (2) you will receive a confirmation Email, and (3) open that Email and click the confirmation link in it. Done!

Your readership and feedback mean a lot to me! Please share this with your friends and colleagues as much as possible!

Thursday, May 7, 2009

Enable VTP to distribute VLAN information, and provide two Virtual LAN (VLAN), using 3 connected switches (CNA-03-004)

CCNA Exploration 4.0, Semester 3, "Enable VTP to distribute VLAN information, and provide two Virtual LAN (VLAN), using 3 connected switches" Packet Tracer 5.0 practice file (CNA-03-004).




The diagram is in fact the same as in the previous example. You must have noticed how tedious it is to add VLANs on switches one after another. In this case, we are going to use an automatic method built into IOS itself: the VTP protocol.

VTP stands for VLAN Trunking Protocol. It is a Cisco proprietary protocol that distributes VLAN information among Cisco switches. It is convenient but dangerous: a switch that joins the domain with a higher configuration revision number overwrites the VLAN database of every other switch in the domain, even if it is in client mode. Set a VTP password ("vtp password ...", which feeds the MD5 digest shown below), reset the revision number of any switch before connecting it to the domain, and use transparent mode where you do not need automatic distribution.

Although it is not difficult to "peep" at "CoreSwitch"'s configuration in this Packet Tracer file, I wish you would not. What I want you to experience is enabling VTP only, and then observing "Switch1" and "Switch2" receiving the VLAN information automatically!

In this case, "Switch1" and "Switch2" play the VTP role of "Client". That is, they listen to the VLAN information advertised by the VTP "Server" switch.

Client Configs:


Switch1(config)#vtp mode client
Switch1(config)#vtp domain ccna
Switch1(config)#

Server Configs:


CoreSwitch(config)#vtp mode server
CoreSwitch(config)#vtp domain ccna
CoreSwitch(config)#

Just like the VLAN information, VTP settings do not appear in the running configuration. Issue the "show vtp status" command to check the VTP status.

Switch1:

Switch1#show vtp status
VTP Version                     : 2
Configuration Revision          : 4
Maximum VLANs supported locally : 255
Number of existing VLANs        : 7
VTP Operating Mode              : Client
VTP Domain Name                 : ccna
VTP Pruning Mode                : Disabled
VTP V2 Mode                     : Disabled
VTP Traps Generation            : Disabled
MD5 digest                      : 0x9E 0x49 0xD8 0xC7 0xED 0x7C 0xB2 0x01 
Configuration last modified by 20.1.1.101 at 3-1-93 00:01:58
Switch1#

CoreSwitch:

CoreSwitch#show vtp status
VTP Version                     : 2
Configuration Revision          : 4
Maximum VLANs supported locally : 255
Number of existing VLANs        : 7
VTP Operating Mode              : Server
VTP Domain Name                 : ccna
VTP Pruning Mode                : Disabled
VTP V2 Mode                     : Disabled
VTP Traps Generation            : Disabled
MD5 digest                      : 0x9E 0x49 0xD8 0xC7 0xED 0x7C 0xB2 0x01 
Configuration last modified by 20.1.1.101 at 3-1-93 00:01:58
Local updater ID is 20.1.1.101 on interface Vl1 (lowest numbered VLAN interface found)
CoreSwitch#

Providing two Virtual LAN (VLAN), using 3 connected switches (CNA-03-003)

CCNA Exploration 4.0, Semester 3, "Providing two Virtual LAN (VLAN), using 3 connected switches" Packet Tracer 5.0 practice file (CNA-03-003).




This practice continues from the previous Practice 1 and Practice 2. Essentially, we must configure the two "Inter-switch Links" manually as "Trunk Links".

But that is not enough. One thing I have to point out: we also have to declare VLAN 10 and VLAN 20 on the middle switch, "CoreSwitch". We often forget this when we implement LAN switching.

Why? Because of the way a hardware switch is designed. It cannot "guess" which VLANs exist. A switch only separates and forwards frames tagged with a certain VLAN when it knows that VLAN exists. If we forget to declare them, "CoreSwitch" will not recognise frames tagged as VLAN 10 or VLAN 20 and drops all of them. We lose connectivity for both VLAN 10 and VLAN 20 in the end.

Then why did we not have to "declare" VLAN 10 and VLAN 20 in the previous examples? Because when we configure a switch port as an access link in "VLAN 10", Cisco IOS adds "VLAN 10" automatically for us. The same happens for VLAN 20. However, since no switch port on "CoreSwitch" is configured in either VLAN 10 or VLAN 20, we have to declare them ourselves.

CoreSwitch(config)#vlan 10
CoreSwitch(config-vlan)#exit
CoreSwitch(config)#vlan 20
CoreSwitch(config-vlan)#exit
CoreSwitch(config)#

We cannot tell from the "running-config" which VLANs have been added. We have to issue the "show vlan" command to display the VLANs we successfully declared.


Before we add VLANs:

CoreSwitch#show vlan

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/1, Fa0/2, Fa0/3, Fa0/4
                                                Fa0/5, Fa0/6, Fa0/7, Fa0/8
                                                Fa0/9, Fa0/10, Fa0/11, Fa0/12
                                                Fa0/13, Fa0/14, Fa0/15, Fa0/16
                                                Fa0/17, Fa0/18, Fa0/19, Fa0/20
                                                Fa0/21, Fa0/22, Fa0/23, Fa0/24
                                                Gig1/1, Gig1/2
1002 fddi-default                     active    
1003 token-ring-default               active    
1004 fddinet-default                  active    
1005 trnet-default                    active    

VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
1    enet  100001     1500  -      -      -        -    -        0      0
1002 enet  101002     1500  -      -      -        -    -        0      0
1003 enet  101003     1500  -      -      -        -    -        0      0
1004 enet  101004     1500  -      -      -        -    -        0      0
1005 enet  101005     1500  -      -      -        -    -        0      0

CoreSwitch#



After we declared VLANs, we will see the differences:

CoreSwitch#show vlan

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/1, Fa0/2, Fa0/3, Fa0/4
                                                Fa0/5, Fa0/6, Fa0/7, Fa0/8
                                                Fa0/9, Fa0/10, Fa0/13, Fa0/14
                                                Fa0/15, Fa0/16, Fa0/17, Fa0/18
                                                Fa0/19, Fa0/20, Fa0/21, Fa0/22
                                                Fa0/23, Fa0/24, Gig1/1, Gig1/2
10   VLAN0010                         active    
20   VLAN0020                         active    
1002 fddi-default                     active    
1003 token-ring-default               active    
1004 fddinet-default                  active    
1005 trnet-default                    active    

VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
1    enet  100001     1500  -      -      -        -    -        0      0
10   enet  100010     1500  -      -      -        -    -        0      0
20   enet  100020     1500  -      -      -        -    -        0      0
1002 enet  101002     1500  -      -      -        -    -        0      0
1003 enet  101003     1500  -      -      -        -    -        0      0
1004 enet  101004     1500  -      -      -        -    -        0      0
1005 enet  101005     1500  -      -      -        -    -        0      0

CoreSwitch#

Tuesday, May 5, 2009

Providing two Virtual LAN (VLAN), using 2 connected switches (CNA-03-002)

CCNA Exploration 4.0, Semester 3, "Providing two Virtual LAN (VLAN), using 2 connected switches" Packet Tracer 5.0 practice file (CNA-03-002).




Continuing from the previous example, we add one more switch and do the same thing.

Look at the only link between the two switches in the diagram: frames of both Virtual LANs (VLANs) now have to be "mixed" on that link. Of course, if we add more VLANs, the same link carries frames of even more VLANs mixed together.

Then how can a switch tell which frame belongs to which VLAN? Yes, adding a tag to each frame is the solution! Cisco 2950s and Cisco 2960s support only one type of tagging: IEEE 802.1Q.

If an inter-switch link mixes frames from different VLANs, we call it a "Trunk Link", and the ports at both ends are "Trunk Ports". Just like a real tree, where the "trunk" nourishes branches and leaves, a "trunk link" serves several VLANs.

If a switch port is used for one PC or one server only, we do not have to mix or tag anything. Such ports are just "normal" Ethernet switch ports without any tagging. We call the connection an "Access Link" and the switch port an "Access Port".

From the diagram and the discussion above, we know we have to configure the only inter-switch link as a "Trunk Link". The simplest way is to "manually" configure both ends of the link into mode "Trunk". Also turn off trunk negotiation on that port ("switchport nonegotiate") and set every PC-facing port explicitly to "switchport mode access": a port left in the default dynamic mode will happily form a trunk with anything that sends it DTP frames, which is the basis of VLAN hopping attacks.

The example is like this:

interface FastEthernet0/11
 switchport mode trunk

The other configuration is just the same as the previous example. You can check the Packet Tracer files yourself!
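To make the tagging concrete, here is an added example (not part of the original post) that builds Ethernet frames with and without an 802.1Q tag, parses the tag the way a trunk port would, and maps the VLAN ID to the "Router on a stick" sub-interfaces from the May 14 post above. It also shows the two behaviours that matter for security: an untagged frame on a trunk is silently assigned to the native VLAN, and a frame tagged with a VLAN the device does not know (no sub-interface here, no declared VLAN on a switch) is dropped. The MAC addresses, payload and sub-interface table are constructed for the demonstration.

```python
import struct

TPID_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800


def mac_bytes(mac):
    """Accepts '00:02:4a:ee:b7:3b' or Cisco style '0002.4AEE.B73B'."""
    return bytes.fromhex(mac.replace(":", "").replace(".", ""))


def build_frame(dst, src, payload, vlan=None, pcp=0, ethertype=ETHERTYPE_IPV4):
    """Ethernet II frame; with vlan set, the 4-byte 802.1Q tag (TPID 0x8100 + TCI) is
    inserted between the source MAC and the EtherType, exactly where a trunk port puts it."""
    if vlan is not None and not 0 <= vlan <= 4094:
        raise ValueError("VLAN ID must be 0..4094")
    frame = mac_bytes(dst) + mac_bytes(src)
    if vlan is not None:
        tci = ((pcp & 0x7) << 13) | (vlan & 0x0FFF)   # PCP(3) | DEI(1, zero here) | VID(12)
        frame += struct.pack("!HH", TPID_8021Q, tci)
    return frame + struct.pack("!H", ethertype) + payload


def parse_frame(frame, native_vlan=1):
    """Return the VLAN a trunk port would assign: the tag's VID if tagged, otherwise the
    native VLAN (an untagged frame is assumed to belong to it, with no further check)."""
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype == TPID_8021Q:
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        return {"tagged": True, "vlan": tci & 0x0FFF, "pcp": tci >> 13,
                "ethertype": ethertype, "payload": frame[18:]}
    return {"tagged": False, "vlan": native_vlan, "pcp": 0,
            "ethertype": ethertype, "payload": frame[14:]}


# Constructed router-on-a-stick mapping from the May 14 post: VLAN -> sub-interface.
SUBINTERFACES = {10: "FastEthernet0/0.100", 20: "FastEthernet0/0.200", 30: "FastEthernet0/0.300"}


def deliver(frame, subinterfaces=SUBINTERFACES, native_vlan=1):
    """Which sub-interface receives the frame. None means there is no 'encapsulation dot1Q
    <vlan>' for it and the frame is dropped, just as a switch drops a VLAN it does not know."""
    return subinterfaces.get(parse_frame(frame, native_vlan)["vlan"])


if __name__ == "__main__":
    payload = b"\x45" + b"\x00" * 19          # constructed stand-in for an IPv4 packet
    tagged = build_frame("ff:ff:ff:ff:ff:ff", "0002.4AEE.B73B", payload, vlan=20)
    untagged = build_frame("ff:ff:ff:ff:ff:ff", "0002.4AEE.B73B", payload)
    unknown = build_frame("ff:ff:ff:ff:ff:ff", "0002.4AEE.B73B", payload, vlan=99)
    for name, f in (("tagged VLAN 20", tagged), ("untagged", untagged), ("tagged VLAN 99", unknown)):
        print(f"{name:15}: {f[12:18].hex():12} -> {parse_frame(f)['vlan']:3} -> {deliver(f)}")
```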

Monday, May 4, 2009

What is a "Spanning Tree"? Learn it by her song!



The inventor of the Spanning Tree algorithm, Dr. Radia Perlman, wrote this "Algorhyme" to explain the essence of the algorithm itself. It was published in her book "Interconnections: Bridges, Routers, Switches, and Internetworking Protocols, 2nd Ed", on page 58.

The video also mentions that the piano melody is hers as well. Well, I am not sure about that!

Do you have a clearer picture of what the "Spanning Tree Protocol" is now?

Algorhyme

I think that I shall never see
A graph more lovely than a tree.

A tree whose crucial property
Is loop-free connectivity.

A tree that must be sure to span
So packets can reach every LAN.

First the root must be selected.
By ID, it is elected.

Least-cost paths from root are traced.
In the tree, these paths are placed.

A mesh is made by folks like me,
Then bridges find a spanning tree.


- Radia Perlman

Go to the following Google Books URL and search for the keyword "Algorhyme". You will get the source page (page 58):

http://books.google.com/books?id=AIRitf5C-QQC&pg=PA58&vq=spanning+tree&dq=book+interconnections+spanning+tree&source=gbs_search_s&cad=0

Sunday, May 3, 2009

How to restore a Cisco IOS Switch back to factory defaults

River view at Tamsui, Taiwan.

Yes, you know what I am talking about! Restoring a switch to factory defaults is a daily operation in a Cisco Partner's job!

The commands "write erase" or "erase startup-config", followed by a reload, are good enough to take an IOS router back to its factory default state. But this is not true for IOS switches.

Friday, May 1, 2009

Does Cisco's Packet Tracer software support BGP?

Tamshui View (DSC_0217), originally uploaded by Li-Ji.
I was totally wrong in this post! Please go to this new page instead:

Show IP Protocols: BGP sample practice, in the new Packet Tracer 5.3

I tested it. No!

Will BGP be added to it? I do not think so!

Cisco's Packet Tracer software is meant for entry-level learners of Cisco and network technologies. It is designed for pre-CCNA or CCNA practice only!

Then how do you practise BGP? Maybe "Dynamips" is a good idea!
