To pass the BSCI exam and become a CCNP, you have to be aware of the proper use of passive interfaces.
You learned about passive interfaces in your CCNA studies, but here we’ll review the basic concept and clear up one misconception regarding passive interfaces and OSPF.
Configuring an interface as passive will still allow the interface to receive routing updates, but the interface will no longer transmit them.
While the command itself would make you think this command will be applied at the interface level, that is not the case. Below, we’ll configure ethernet0 as a RIP passive interface.
Ethernet0 will no longer send RIP routing updates, but will accept them.
The passive interface concept is clear enough with RIP, IGRP, and EIGRP – all protocols that send routing update packets. But OSPF doesn’t send routing update packets – OSPF sends link state advertisements.
It’s the inability of the passive interface command to stop LSAs that leads many to think that passive interfaces cannot be used with OSPF.
Even though OSPF does not send “routing updates” in the form that RIP, IGRP, and EIGRP do, you can still configure an OSPF-enabled interface as passive in order to prevent OSPF traffic from exiting or entering that interface.
No OSPF adjacency can be formed if one of the interfaces involved is a passive interface, and if you configure an OSPF-enabled interface as passive where an adjacency already exists, the adjacency will drop almost immediately.
Let’s see that in action. R1 and R2 have an existing OSPF adjacency over their ethernet interfaces. In an effort to reduce routing traffic, R1’s e0 interface is configured as passive. The adjacency drops right away.
R1(config)#router ospf 1
18:31:11: %OSPF-5-ADJCHG: Process 1, Nbr 184.108.40.206 on Ethernet0 from FULL to DOWN,
Neighbor Down: Interface down or detached
Knowing how to use the passive interface command is a vital part of being a CCNP, and of being a master networker. Good luck to you in both of these pursuits!
CCNA exam success depends on mastering many technologies that are new to you, and few exam topics have more details than ISDN.
ISDN isn’t just for your CCNA exam studies, though. While ISDN is dismissed by many, the fact is that there are many small and mid-size networks out there that use ISDN as their backup to frame relay. Some of these companies have spoke networks that use ISDN to connect to their hub as well, so it’s a great idea to know ISDN configuration and troubleshooting for your real-world career as well as passing the CCNA. With that in mind, let’s take a look at five common ISDN errors and how to avoid them.
With dialer map statements, remember that the phone number you put in the dialer map is the phone number of the remote router, not the local one. Look at it this way – if you want to call a friend on your cell, you don’t pick up your cell and dial your own number!
Speaking of dialer map statements, don’t forget the all-important broadcast option at the end of the command:
R1(config-if)#dialer map ip 220.127.116.11 name R2 broadcast 5555555
The router will accept that command without the “broadcast” option, but routing protocol updates and hellos would not be able to travel across the line. (This command is also needed in frame relay map statements to allow broadcasts and multicasts to be transmitted.)
PAP is PPP’s clear-text authentication scheme, and clear text is a really bad idea. But if you do have to configure it, don’t forget that PAP requires additional configuration: the ppp pap sent-username command.
R1(config-if)#ppp pap sent-username R1 password CISCO
Must set encapsulation to PPP before using PPP subcommands
The error message we got while configuring the sent-username command is another important reminder – by default, a BRI line is running HDLC, not PPP. Since HDLC doesn’t allow us to use either PAP or CHAP, we’ll need to set the link to PPP with the encapsulation ppp command.
R1(config-if)#encapsulation ppp
R1(config-if)#ppp authentication pap
R1(config-if)#ppp pap sent-username R1 password CISCO
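Why clear-text PAP is a bad idea, shown on the wire. This is an added example, not part of the original tutorial: it builds a PAP Authenticate-Request (layout per RFC 1334) with the R1/CISCO credentials used above and a CHAP Response (RFC 1994) for comparison. The identifier and challenge values are constructed for the demonstration.

```python
import hashlib
import hmac
import struct

PAP_AUTH_REQUEST = 1   # RFC 1334 code
CHAP_RESPONSE = 2      # RFC 1994 code


def pap_request(ident: int, peer_id: bytes, password: bytes) -> bytes:
    """PAP Authenticate-Request: the password travels as plain bytes."""
    body = bytes([len(peer_id)]) + peer_id + bytes([len(password)]) + password
    return struct.pack("!BBH", PAP_AUTH_REQUEST, ident, 4 + len(body)) + body


def parse_pap_request(pkt: bytes) -> tuple[bytes, bytes]:
    """What any device that sees the frame can read: (peer-id, password)."""
    code, _ident, length = struct.unpack("!BBH", pkt[:4])
    if code != PAP_AUTH_REQUEST or length != len(pkt):
        raise ValueError("not a well-formed PAP Authenticate-Request")
    id_len = pkt[4]
    peer_id = pkt[5:5 + id_len]
    pw_len = pkt[5 + id_len]
    password = pkt[6 + id_len:6 + id_len + pw_len]
    return peer_id, password


def chap_response(ident: int, secret: bytes, challenge: bytes, name: bytes) -> bytes:
    """CHAP Response: only MD5(identifier || secret || challenge) is sent."""
    value = hashlib.md5(bytes([ident]) + secret + challenge).digest()
    body = bytes([len(value)]) + value + name
    return struct.pack("!BBH", CHAP_RESPONSE, ident, 4 + len(body)) + body


def chap_verify(pkt: bytes, secret: bytes, challenge: bytes) -> bool:
    """Authenticator side: recompute the hash for the challenge it issued."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if code != CHAP_RESPONSE or length != len(pkt):
        return False
    size = pkt[4]
    value = pkt[5:5 + size]
    expected = hashlib.md5(bytes([ident]) + secret + challenge).digest()
    return hmac.compare_digest(value, expected)


if __name__ == "__main__":
    pap = pap_request(1, b"R1", b"CISCO")
    print("PAP frame :", pap.hex(), "->", parse_pap_request(pap))

    challenge = bytes(range(16))          # constructed challenge value
    chap = chap_response(7, b"CISCO", challenge, b"R1")
    print("CHAP frame:", chap.hex())
    print("secret visible in CHAP frame:", b"CISCO" in chap)
    # A captured response is tied to one challenge and fails against another.
    print("replay against new challenge:", chap_verify(chap, b"CISCO", bytes(16)))
```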
But before we configure any of this information, we should configure the ISDN switch-type. Why? Because without the switch-type configuration, it doesn’t matter that we avoid the other four errors – the line will not come up. Configure the switch-type with the “isdn switch-type” command, and then verify it with “show isdn status”.
R1(config)#isdn switch-type basic-ni
R1#show isdn status
Global ISDN Switchtype = basic-ni (output of this command cut here for clarity)
If you forget this part of the configuration, the output of show isdn status wastes no time in reminding you!
R1#show isdn status
**** No Global ISDN Switchtype currently defined ****
ISDN is an important part of your CCNA studies, and this knowledge still comes in handy in production networks as well. Keep studying, notice the details, run those debugs, and you’ll be a CCNA before you know it.
CCNA exam success depends on mastering the fundamentals, and two important fundamentals are knowing exactly what the terms “collision domain” and “broadcast domain” mean.
In this free Cisco tutorial, we’ll take a look at the term “collision domain” and how a collision domain is defined.
A collision domain is an area in which a collision can occur. Fair enough, but what “collision” are we talking about here?
We’re talking about collisions that occur on CSMA/CD segments, or Carrier Sense Multiple Access with Collision Detection.
If two hosts on an Ethernet segment transmit data at exactly the same time, the data from the two hosts will collide on the shared segment.
CSMA/CD exists to lessen the chances of this happening, but collisions can still occur. To lessen the chances of collisions occurring, we may decide to create multiple, smaller collision domains.
Let’s say we have four hosts on a single Ethernet segment. The entire segment is a collision domain; any data sent by one of the hosts can collide with data sent by any of the other hosts. We have one collision domain containing four devices.
To create smaller collision domains, we’ll need to introduce some type of networking device into this example.
Hubs and repeaters have their place as far as extending the reach of a network segment and cutting down on attenuation, but these OSI Layer One devices do nothing to define collision domains. We could connect each host into a separate port on a hub (a hub is basically a multiport repeater) and we’d still have one single collision domain with four hosts in it.
The most common and most effective way to create multiple collision domains is to use a switch.
If we connect each of these four hosts to their own separate switch port, we would now have four separate collision domains, each with one host; each switch port actually acts as a single collision domain, making collisions between these four hosts impossible.
Passing the CCNA is all about knowing the details of how things work, and knowing CSMA/CD theory and how to define collision domains is one of the many details you’ve got to master.
In the next part of this CCNA tutorial, we’ll take a look at broadcast domains, and how defining broadcast domains in the right places can dramatically cut down on unnecessary traffic on your network.
The BSCI exam and CCNP certification require that you be well versed in the basics of IP Version 6, or IPv6.
If you’re new to IPv6, you’ll quickly learn that it’s not exactly just two more octets slapped onto an IPv4 address! IPv6 addresses are quite long, but there are two ways to acceptably shorten IPv6 address expression. To pass the BSCI exam, become a CCNP, and get that all-important understanding of IPv6, you’ve got to understand these different methods of expressing an IPv6 address. My last IPv6 tutorial discussed zero compression; today we’ll take a look at leading zero compression.
Leading zero compression allows us to drop the leading zeroes from every field in the address. Where we could only use zero compression once in an IPv6 address expression, leading zero compression can be used as often as is appropriate. The key with leading zero compression is that there must be at least one number left in each field, even if that remaining number is a zero.
You sometimes see books or websites refer to leading zero compression as “dropping zeroes and replacing them with a colon”, but that explanation can be a little confusing, since the blocks are separated with a colon to begin with. You’re not really replacing the leading zeroes, you’re dropping them.
Let’s look at an example of leading zero compression. Taking the address 1234:0000:1234:0000:1234:0000:1234:0123, we have four different fields that have leading zeroes. The address could be written out as it is, or with the leading zeroes dropped.
Original format: 1234:0000:1234:0000:1234:0000:0123:1234
With leading zero compression: 1234:0:1234:0:1234:0:123:1234
There’s no problem with using zero compression and leading zero compression in the same address, as shown here:
Original format: 1111:0000:0000:1234:0011:0022:0033:0044
With zero and leading zero compression: 1111::1234:11:22:33:44
Zero compression uses the double-colon to replace the second and third block of numbers, which were all zeroes; leading zero compression replaced the “00” at the beginning of each of the last four blocks. Just be careful and take your time with both zero compression and leading zero compression and you’ll do well on the exam and in the real world. The keys to success here are remembering that you can only use zero compression once in a single address, and that while leading zero compression can be used as often as needed, at least one number must remain in each field, even if that number is a zero.
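Both compression rules implemented step by step and checked against Python's standard ipaddress module. This is an added example, not part of the original tutorial; it goes slightly beyond the text by picking the longest run of zero fields for the double-colon and by leaving a single zero field uncompressed, as RFC 5952 recommends. Because one address has several valid spellings, ACL reviews and log searches should compare parsed addresses, not strings.

```python
import ipaddress


def expand(addr: str) -> list[str]:
    """Return the eight 4-digit hex fields; rejects malformed input
    such as an address that uses '::' more than once."""
    return ipaddress.IPv6Address(addr).exploded.split(":")


def leading_zero_compress(fields: list[str]) -> list[str]:
    """Drop leading zeroes in every field, keeping at least one digit."""
    return [f.lstrip("0") or "0" for f in fields]


def zero_compress(fields: list[str]) -> str:
    """Replace one run of all-zero fields with '::' (usable only once)."""
    best_start, best_len = -1, 0
    i = 0
    while i < len(fields):
        if fields[i] == "0":
            j = i
            while j < len(fields) and fields[j] == "0":
                j += 1
            if j - i > best_len:          # first longest run wins
                best_start, best_len = i, j - i
            i = j
        else:
            i += 1
    if best_len < 2:                      # RFC 5952: not for a single field
        return ":".join(fields)
    head = ":".join(fields[:best_start])
    tail = ":".join(fields[best_start + best_len:])
    return f"{head}::{tail}"


def compress(addr: str) -> str:
    """Apply leading zero compression, then zero compression."""
    return zero_compress(leading_zero_compress(expand(addr)))


def same_address(a: str, b: str) -> bool:
    """Compare two spellings by value instead of as text."""
    return expand(a) == expand(b)


if __name__ == "__main__":
    for original in (
        "1234:0000:1234:0000:1234:0000:0123:1234",   # from the tutorial
        "1111:0000:0000:1234:0011:0022:0033:0044",   # from the tutorial
        "0000:0000:0000:0000:0000:0000:0000:0001",   # constructed: loopback
    ):
        short = compress(original)
        # The hand-rolled result agrees with the standard library.
        assert short == ipaddress.IPv6Address(original).compressed
        print(f"{original} -> {short}")
```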
You remember from your CCNA studies that when a port goes through the transition from blocking to forwarding, you’re looking at a 50-second delay before that port can actually begin forwarding frames.
Configuring a port with PortFast is one way to get around that, but again, you can only use it when a single host device is found off the port. What if the device connected to a port is another switch?
A switch can be connected to two other switches, giving that local switch a redundant path to the root bridge, and that’s great – we always want a backup plan! However, STP will only allow one path to be available, but if the available path to the root switch goes down, there will be a 50-second delay due to the STP timers MaxAge and ForwardDelay before the currently blocked path will be available.
The delay is there to prevent switching loops, and we can’t use PortFast to shorten the delay since these are switches, not host devices. What we can use is Uplinkfast.
The ports that SW3 could potentially use to reach the root switch are collectively referred to as an uplink group. The uplink group includes the ports in forwarding and blocking mode. If the forwarding port in the uplink group sees that the link has gone down, another port in the uplink group will be transitioned from blocking to forwarding immediately. Uplinkfast is pretty much PortFast for wiring closets. (Cisco recommends that Uplinkfast not be used on switches in the distribution and core layers.)
Some additional details regarding Uplinkfast:
The actual transition from blocking to forwarding mode takes about three seconds.
Uplinkfast cannot be configured on a root switch.
Uplinkfast is configured globally. You can’t run Uplinkfast on some ports or on a per-VLAN basis – it’s all or nothing.
The original root port will become the root port again when it detects that its link to the root switch has come back up. This does not take place immediately. The switch uses the following formula to determine how long to wait before transitioning back to the forwarding state:
( 2 x FwdDelay) + 5 seconds
Uplinkfast will take immediate action to ensure that the switch upon which it is configured cannot become the root switch. First, the switch priority will be set to 49,152, which means that if all other switches are still at their default priority, they’d all have to go down before this switch can possibly become the root switch. Additionally, the STP Port Cost will be increased by 3000, making it highly unlikely that this switch will be used to reach the root switch by any downstream switches.
And you just know there’s got to be at least one option with this command, right? Let’s run IOS Help and see.
SW2(config)#spanning-tree uplinkfast ?
max-update-rate Rate at which station address updates are sent
When there is a direct link failure, dummy multicast frames are sent to the MAC destination 0100.0ccd.cdcd. The max-update-rate value determines how many of these frames will be sent in a 100-millisecond time period.
Mastering the details of UplinkFast, BackboneFast, BPDU Guard, and Loop Guard is vital to your success on the CCNP exams, and one or more of these features is in use on almost every network in the world. Learn these features for success in both the exam room and the real world!
This involves manipulating the router’s configuration register, and that is enough to make some CCNA candidates and network administrators really nervous!
It’s true that setting the configuration register to the wrong value can damage the router, but if you do the proper research before starting the password recovery process, you’ll be fine.
Despite what some books say, there is no “one size fits all” approach to Cisco password recovery. What works on a 2500 router may not work on other routers and switches. There is a great master Cisco document out on the Web that you should bookmark today. Just put “cisco password recovery” in your favorite search engine and you should find it quickly.
The following procedure describes the process in recovering from a lost password on a Cisco 2500 router. As always, don’t practice this at home. It is a good idea to get some practice with this technique in your CCNA / CCNP home lab, though!
The password recovery method examined here is for 2500 routers.
An engineer who finds themselves locked out of a router can view and change the password by changing the configuration register.
The router must first be rebooted and a “break” performed within the first 60 seconds of the boot process. This break sequence can also vary depending on what program is used to access the router, but is the usual key combination.
The router will now be in ROM Monitor mode. From the rom monitor prompt, change the default configuration register of 0x2102 to 0x2142 with the o/r 0x2142 command. Reload the router with the letter i. (As you can see, ROM Monitor mode is a lot different than working with the IOS!)
This particular config register setting will cause the router to ignore the contents of NVRAM. Your startup configuration is still there, but it will be ignored on reload.
When the router reloads, you’ll be prompted to enter Setup mode. Answer “N”, and type enable at the router> prompt.
Be careful here. Type configure memory or copy start run. Do NOT type write memory or copy run start!
Enter the command show running-config. You’ll see the passwords in either their encrypted or unencrypted format.
Type config t, then use the appropriate command to set a new enable secret or enable password.
Don’t forget to change the configuration register setting back to the original value! The command config-register 0x2102 will do the job. Save this change with write memory or copy run start, and then run reload one more time to restart the router.
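A check for the last step, which is the one most often forgotten: a router left at 0x2142 ignores its startup configuration on every reload and so boots without its passwords and access controls. This is an added example, not part of the original tutorial; it reads the configuration register line from show version output, and the three sample outputs are constructed for the demonstration.

```python
import re

# Bit 6 is the only difference between 0x2102 and 0x2142:
# when set, the router ignores the contents of NVRAM at boot.
IGNORE_NVRAM = 0x0040

REGISTER_RE = re.compile(
    r"Configuration register is (0x[0-9A-Fa-f]+)"
    r"(?: \(will be (0x[0-9A-Fa-f]+) at next reload\))?"
)


def audit_config_register(show_version: str) -> dict:
    """Extract the current and pending register values from 'show version'."""
    match = REGISTER_RE.search(show_version)
    if match is None:
        raise ValueError("no configuration register line found")
    current = int(match.group(1), 16)
    pending = int(match.group(2), 16) if match.group(2) else current
    return {
        "current": current,
        "next_reload": pending,
        "booted_ignoring_nvram": bool(current & IGNORE_NVRAM),
        "will_ignore_nvram": bool(pending & IGNORE_NVRAM),
    }


def finding(result: dict) -> str:
    """Turn the decoded register values into an audit verdict."""
    if result["will_ignore_nvram"]:
        return "FAIL: next reload ignores startup-config; set config-register 0x2102"
    if result["booted_ignoring_nvram"]:
        return "WARN: recovery in progress; register is restored at next reload"
    return "OK"


# Constructed 'show version' tails for three routers (hostnames are made up).
SAMPLES = {
    "R1": "62 minutes uptime\nConfiguration register is 0x2102\n",
    "R2": "Configuration register is 0x2142 (will be 0x2102 at next reload)\n",
    "R3": "Configuration register is 0x2142\n",
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(name, finding(audit_config_register(text)))
```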
This process sounds hard, but it’s really not. You just have to be careful, particularly when you’re copying the startup config over the running config. You don’t want to get that backwards! So take your time, check the online Cisco documentation before starting, get some practice with this procedure with lab equipment, and you’ll be ready for success on the CCNA exam and in your production network.
When you’re studying for the BSCI exam on the way to earning your CCNP certification, it’s safe to say that BGP is like nothing you’ve studied to this point.
BGP is an external routing protocol used primarily by Internet Service Providers (ISPs). Unless you work for an ISP today or in the future, you may have little or no prior exposure to BGP. Understanding BGP is a great addition to your skill set – and you have to know the basics well to pass the BSCI exam.
Note that I said “the basics”. BGP is a very complex protocol, and when you pursue your CCIE, you’ll see what I’m talking about. As with all things Cisco, though, when broken down into smaller pieces, BGP becomes quite understandable. You will need to know the basics of BGP as presented in this chapter to pass your BSCI exam – so let’s get started.
“An Internet protocol that enables groups of routers (called autonomous systems) to share routing information so that efficient, loop-free routes can be established. BGP is commonly used within and between Internet Service Providers (ISPs).”
There are a couple of terms in there that apply to the protocols you’ve mastered so far in your studies. The term “autonomous system” applies to IGRP and EIGRP as well as BGP; you’ll be indicating a BGP AS in your configurations just as you did with IGRP and EIGRP. And we’re always looking for efficient, loop-free routes, right? As it did with IGRP and EIGRP, “autonomous system” simply refers to a group of routers that is managed by a single administrative body. An autonomous system will use an Interior Gateway Protocol (IGP) such as OSPF or EIGRP to route packets inside the AS; outside the AS, an Exterior Gateway Protocol (EGP) such as BGP will be used.
BGP shares some characteristics with some routing protocols you’ve already studied. BGP supports VLSM, summarization, and CIDR. Like EIGRP, BGP will send full updates when two routers initially become neighbors and will send only partial updates after that. BGP does create and maintain neighbor relationships before exchanging routes, and keepalives are sent to keep this relationship alive.
BGP has some major differences from the IGPs we’ve studied to this point. You’ll hear BGP referred to as a path-vector protocol. As opposed to distance-vector protocols that exchange relatively simple information about available routes, BGP routers will exchange extensive information about networks to allow the routers to make more intelligent routing decisions. This additional BGP path information comes in the form of attributes, and these path attributes are contained in the updates sent by BGP routers. Attributes themselves are broken up into two classes, well-known and optional.
BGP also keeps a routing table separate from the IP routing table.
We’ll take a look at BGP attributes in future BSCI tutorials. In the meantime, keep studying!
In my last ISIS tutorial, I mentioned that while ISIS and OSPF are both link state protocols, their actual operation differs greatly.
To pass the BSCI exam and earn your CCNP, you’ll need to know these differences! Today, we’ll take a look at ISIS Hello types and the adjacency types that form through the use of these Hellos.
Hello packets have been mentioned several times with ISIS, and with good reason. Hello packets are the heartbeat of OSPF and ISIS – when heartbeats are no longer heard from a neighbor, that adjacency will be dropped. A major difference between OSPF and ISIS is that OSPF has one type of Hello packet, where ISIS actually has three!
An ES Hello (ESH) is sent by all End Systems, and all IS devices listen for this Hello. This is how a router (IS) discovers a host (ES).
An IS Hello (ISH) announces the presence of an IS. An IS Hello is sent by all IS devices, and End Systems listen for these hellos.
An IS-to-IS Hello (IIH) is used by an IS to discover other ISes and to form adjacencies with them.
An interesting side note: A router will send an IIH to another router on the link to form or maintain an adjacency, but it will still send an ISH as well in case there are end systems located on that segment.
ISIS and OSPF both create and maintain adjacencies with the Hello packet. Let’s take a look at the rules regarding ISIS adjacencies as well as the adjacency types.
L1 and L2 Hellos are different messages, so an L1 router must exchange Hellos with another L1 router to form an adjacency, just as L2 routers form adjacencies with L2 routers. L1 routers can only form an adjacency with an L2 router if one of the two routers involved is actually an L1/L2 router.
L1 routers must be in the same area in order to form an adjacency. The Hello timers, as well as the MTU, must match between the interfaces used to form the adjacency.
That’s a lot of L1, L2, and L1/L2, isn’t it? Let’s review the adjacencies each router type can form:
L1: Can form adjacency with any L1 in the same area and any L1/L2 in the same area.
L2: Can form adjacency with any L2 in any area, and with an L1/L2 in any area.
L1/L2: Can form adjacency with any L1 in the same area, L1/L2 in any area, and L2 in any area.
Knowing the similarities and differences regarding ISIS and OSPF is vital for CCNP exam success. Take your time, master the fundamentals, and before long the magic letters “CCNP” are behind your name and on your resume!
To pass the CCNA exam, you’ve got to master quite a few services and routing protocols that may be new to you.
Between RIP, IGRP, EIGRP, OSPF, and switching, there are hundreds of details you’ve got to absorb! It’s easy to spend all your time on those topics and not pay proper attention to “easier” technologies, and then all of a sudden on exam day you can’t quite remember the details of those particular services.
One setup you’ve got to be more than familiar with is directly connecting serial interfaces on Cisco routers. This is also a valuable skill to have in your home lab, since it allows you to add segments to your network setup.
A Cisco serial interface is operating as a DTE by default. The problem is that when you take a cable and connect two routers directly by their serial interfaces (with a DTE/DCE cable, that is!), they’re both waiting for the other to send them a clock rate. One of the interfaces must act as the DCE and that interface must send the clock rate.
If you can see the DTE/DCE cable, you can tell by looking which router has the DCE interface connected to it – the letters “DTE” or “DCE” will either be molded into the connector itself, or if it’s an older cable there should be a little piece of tape on the cable that tells you what the interface type is. But what if you have no access to the cable, or there are other cables all around it and you can’t see what type it is?
Run the command “show controller serial x”, with x representing the interface number the cable’s connected to. There will be quite a bit of output from this command, but the information you need is right at the top:
R1#show controller serial 1
HD unit 1, idb = 0x1DBFEC, driver structure at 0x1E35D0
buffer size 1524 HD unit 1, V.35 DTE cable
I left off the 16 or so rows of information that come after this, but this is the information we need right now. If R1’s got the DTE cable end, the other router should have the DCE end:
R3#show controller serial 1
HD unit 1, idb = 0x1C44E8, driver structure at 0x1CBAC8
buffer size 1524 HD unit 1, V.35 DCE cable
We know now that R3 needs to supply a clock rate to R1. There’s a hint of a problem in just that little bit of command output – do you see what it is? Let’s run show interface serial1 to get more information.
R3#show int s1
Serial1 is up, line protocol is down
The line protocol is down because there is no clockrate being supplied by R3. If there had been, we would have seen that in the output of show controllers serial 1.
This is simple enough to fix, though! We’ll use the command clockrate 56000 on R3’s serial1 interface, and the line protocol will soon come up.
1w2d: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial1, changed state to up
This is a simple concept, but there are a few details you must keep in mind! For a home lab configuration, you’ll need a DTE/DCE cable to make this work. If you cannot see the cable connectors, run show controllers serial x to see if the router has the DTE or DCE end of the cable attached. On the interface with the DCE attached, use the clockrate command to bring the line protocol up. It’s just that simple!
To pass your CCNA exam and earn this coveted certification, you must understand the details of port-based authentication.
This knowledge has a great deal of value in production networks as well, since this authentication scheme is regularly implemented. Let’s take a look at this particular CCNA skill.
Consider a situation where you have a server that will be connected to your switch, and you want the port to shut down if a device with a different MAC address than that of the switch attempts to connect to that port. You could also have a situation where you have someone who has a connection to a switch port in his office, and he wants to make sure that only his laptop can use that port.
Both of these examples are real-world situations, and there are two solutions for each. First, we could create a static MAC entry for that particular switch port. I don’t recommend this, mainly because both you and I have better things to do than manage static MAC entries. The better solution is to configure port-based authentication on the switch.
The Cisco switch uses MAC addresses to enforce port security. With port security, only devices with certain MAC addresses can connect to the port successfully. This is another reason source MACs are looked at before the destination MAC is examined. If the source MAC is non-secure and port-based authentication is in effect, the destination does not matter, as the frame will not be forwarded. In essence, the source MAC address serves as the password.
MAC addresses that are allowed to successfully communicate with the switch port are secure MAC addresses. The default number of secure MAC addresses is 1, but a maximum of 132 secure MACs can be configured.
When a non-secure MAC address attempts to communicate with the switch port, one of three actions will occur, depending on the port security mode. In Protect mode, frames with non-secure MAC addresses are dropped. There is no notification that a violation has occurred. The port will continue to switch frames for the secure MAC address.
In Restrict mode, the same action is taken, but a syslog message is logged via SNMP, which is a messaging protocol used by Cisco routers.
In Shutdown mode, the interface goes into error-disabled state, the port LED will go out, and a syslog message is logged. The port has to be manually reopened. Shutdown mode is the default port-security mode.
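The three violation modes side by side, as a small model you can replay frames through. This is an added example, not part of the original tutorial and not Cisco code: it models only what the text above describes (secure MAC list, drop, log, error-disable, manual reopen), the log strings are made up, and the MAC addresses are constructed.

```python
import re
from dataclasses import dataclass, field

MODES = ("protect", "restrict", "shutdown")


def normalise(mac: str) -> str:
    """Accept 0011.2233.4455, 00:11:22:33:44:55 or 00-11-22-33-44-55."""
    digits = re.sub(r"[^0-9a-f]", "", mac.lower())
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


@dataclass
class SecurePort:
    secure_macs: set
    mode: str = "shutdown"      # the tutorial: Shutdown is the default mode
    maximum: int = 1            # the tutorial: default of one secure MAC
    err_disabled: bool = False
    log: list = field(default_factory=list)

    def __post_init__(self):
        if self.mode not in MODES:
            raise ValueError(f"unknown mode {self.mode!r}")
        self.secure_macs = {normalise(m) for m in self.secure_macs}
        if len(self.secure_macs) > self.maximum:
            raise ValueError("more secure MACs than the configured maximum")

    def receive(self, src_mac: str) -> bool:
        """Return True if a frame with this source MAC is forwarded."""
        if self.err_disabled:
            return False                        # port is down for everyone
        mac = normalise(src_mac)
        if mac in self.secure_macs:
            return True
        # Violation: the frame is dropped in every mode.
        if self.mode == "restrict":
            self.log.append(f"violation by {mac}")
        elif self.mode == "shutdown":
            self.log.append(f"violation by {mac}, port error-disabled")
            self.err_disabled = True
        return False                            # protect: silent drop

    def reopen(self) -> None:
        """The manual step an administrator performs after a shutdown."""
        self.err_disabled = False


def replay(mode: str, secure: list, frames: list):
    """Feed source MACs through a port; return (forwarded, log, err_disabled)."""
    port = SecurePort(secure_macs=set(secure), mode=mode)
    forwarded = [port.receive(f) for f in frames]
    return forwarded, port.log, port.err_disabled


if __name__ == "__main__":
    server = "0011.2233.4455"                   # constructed addresses
    frames = [server, "00:aa:bb:cc:dd:ee", "00-11-22-33-44-55"]
    for mode in MODES:
        print(mode, replay(mode, [server], frames))
```

Protect mode leaves no trace of the violation, so of the three only Restrict and Shutdown give a monitoring team anything to alert on.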
Port-based authentication is just one of the many switching skills you’ll have to demonstrate to earn your CCNA certification. Make sure you know the basics shown here, including the action of each particular mode, and you’re on your way to CCNA exam success!