CCNA Study Notes

The document provides a comprehensive guide for configuring Cisco devices as part of CCNA certification, covering essential commands for setting passwords, IP addressing, routing protocols, VLANs, DHCP, NAT, and Spanning Tree Protocol. It includes specific configuration examples and best practices for network management. Additionally, it discusses advanced features like BPDU Guard and Cisco Stackwise for efficient switch management.

Uploaded by

Robert Ryan

9/5/25, 11:20 AM technology:ccna [The Tech Tavern of Turbulence]


Official Cert Guide

CCNA NOTES

Subnetting Table

Base Config

Set Telnet Password

line vty 0 4
password NuggetLove
login

https://wiki.rrwo.us/technology/ccna# 1/39

Set Console Password

line console 0
password NuggetLove
login

Set Synchronous Logging

line console 0
logging synchronous

Turn Off Console Port Idle Timer

line console 0
no exec-timeout
#OR
exec-timeout 0

Set Encrypted Enable Password (Most Secure)

enable secret <password>

Encrypt All Future Passwords (Less Secure Protocol)

service password-encryption

Turn Off IP Domain-Lookup

no ip domain-lookup


Create a Login Banner

banner motd $
*****************************
DO NOT LOGIN
*****************************
$

Configure IP Addressing

interface <interface>
ip address <ip address> <subnet mask>

Example

interface fastethernet0/1
ip address 10.0.0.10 255.255.255.0

Set Speed and Duplex

interface <interface>
speed <auto/10/100/1000>
duplex <auto/half/full>

Example

interface fa0/1
speed 100
duplex full

Both ends of the link must be set to the same speed and duplex, or both left on auto.


Configure VLAN Interface for Remote Management

interface <VLAN>
ip address <ip address> <subnet mask>
no shutdown

Example

interface vlan1
ip address 10.24.0.11 255.255.255.0
no shutdown

RIPv2

Configure RIPv2

router rip
version 2
no auto-summary
network 10.0.0.0

Don't forget to turn off auto-summary or the subnet masks won't work correctly.

Turn Off RIPv2 Advertisements on an Interface

router rip
version 2
no auto-summary
network 10.0.0.0
passive-interface fa0/0

#OR

passive-interface default #Makes ALL interfaces passive (no advertisements sent)
no passive-interface fa0/1 #Re-enables RIP advertisements on this one interface


Turn Off RIPv2 Advertisements on All Interfaces

router rip
version 2
no auto-summary
network 10.0.0.0
passive-interface default

Configure the Default Gateway Using RIPv2

On the router with a static route to the Internet:

router rip
default-information originate

Set Default Gateway

ip default-gateway 10.24.0.1

See above for configuration via RIPv2.

Enable Routing on L3 Switch

ip routing

Configure a Static Default Route

Sends all traffic to 188.23.163.174:

ip route 0.0.0.0 0.0.0.0 188.23.163.174


Configure a Loopback Interface for Testing

interface loopback0
ip address 4.2.2.2 255.255.255.255

<fc #cd5c5c>A 255.255.255.255 subnet mask is known as a host mask; it represents a single IP address.</fc>

VTP (VLAN Trunking Protocol)

When you configure a new VLAN on one VTP server, the VLAN is distributed to all switches in the domain. This reduces the need to configure the same VLAN everywhere.

vtp domain CBTNUGGETS
vtp mode <server/client/transparent>

<fc #00ff00>SERVER</fc> - sends & receives updates
<fc #4682b4>CLIENT</fc> - receives updates
<fc #ff0000>TRANSPARENT</fc> - disabled

Add VLANs to Switch

vlan 2
name IT
exit

Assign VLAN to Switch Interface

interface g0/0
switchport mode access
switchport access vlan 2

Configure Trunk Ports

interface g0/0
switchport mode trunk

Restrict VLANs on Trunk Port

Only allows VLANs 1, 2 and 5:

interface g0/0
switchport trunk allowed vlan 1-2,5

May need to include VLANs 1002-1005 if on an older switch

Configure Router-on-a-Stick

R-O-A-S uses sub-interfaces for routing packets between VLANs.

int fastethernet 0/0.2
encapsulation dot1q 2
ip address 10.24.5.1 255.255.255.0

int fastethernet 0/0.12
encapsulation dot1q 12
ip address 10.24.12.1 255.255.255.0

0/0.2 is the sub-interface number. It doesn't have to match the VLAN number, but it should.
2 is the VLAN number in the 2nd line (encapsulation dot1q 2).
Each sub-interface must carry a different VLAN tag and sit in a different subnet; the 10.24.12.0/24 address used for VLAN 12 above is an example value.

DHCP

Configure DHCP Server

First, enter the IP address ranges you wish to exclude:

ip dhcp excluded-address 10.24.2.1 10.24.2.99
ip dhcp excluded-address 10.24.2.151 10.24.2.255

The above leaves a DHCP range of .100-.150


ip dhcp pool IT
network 10.24.2.0 255.255.255.0
dns-server 4.2.2.2 8.8.8.8
default-router 10.24.2.1
domain-name robertryan.work

Set DHCP Lease Time

Syntax (inside the DHCP pool; the values are positional):

lease <days> [<hours> [<minutes>]]

Set Lease for 2 Hours

lease 0 2

Set Lease for 1 Day and 6 Hours

lease 1 6

Request a Lease Time

Request a lease for 1 day:

ip dhcp client lease 1

Show DHCP IP Bindings

show ip dhcp binding

Enable DHCP Server Manually

service dhcp


Show DHCP Statistics

show ip dhcp server statistics

Show DHCP Pool

show ip dhcp pool

NAT

First, identify the outside and inside interfaces, including VLAN sub-interfaces!

int g0/0
ip nat outside

int g0/1
ip nat inside

int g0/0.2
ip nat inside

Create NAT Access List

ip access-list standard NATTABLE
permit 10.24.0.0 0.0.0.255
permit 10.24.2.0 0.0.0.255

Enable NAT

ip nat inside source list NATTABLE interface g0/0 overload


Don't forget the <fc #ffa500>OVERLOAD</fc> command to enable PAT (Port Address
Translation). NAT is 1:1. PAT is 1:many.

ACLs

There's always an implicit deny at the end of every ACL.

Create Access List

ip access-list standard LIMIT_TELNET
permit 10.0.0.0 0.0.0.255

Standard ACL entries take a wildcard (inverse) mask, so 10.0.0.0/24 is written with 0.0.0.255, not with the subnet mask 255.255.255.0.

Apply ACL to vty Port

line vty 0 4
access-class LIMIT_TELNET in
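An added example (not from the original notes) that evaluates a standard ACL the way IOS does: wildcard bits that are 0 must match, bits that are 1 are ignored, and anything not matched hits the implicit deny. The two ACLs and the host addresses are constructed; LIMIT_TELNET_WRONG is the common mistake of typing a subnet mask where IOS expects a wildcard mask.

```python
import ipaddress

def _to_int(addr):
    return int(ipaddress.IPv4Address(addr))

def wildcard_match(addr, network, wildcard):
    """Cisco wildcard semantics: a 0 bit in the wildcard must match the
    network, a 1 bit is "don't care" (the inverse of a subnet mask)."""
    care = 0xFFFFFFFF ^ _to_int(wildcard)
    return (_to_int(addr) & care) == (_to_int(network) & care)

def evaluate_standard_acl(entries, src):
    """entries: list of (action, network, wildcard) in configured order.
    The first matching entry wins; if nothing matches, the implicit
    'deny any' at the end of every ACL applies."""
    for action, network, wildcard in entries:
        if wildcard_match(src, network, wildcard):
            return action
    return "deny"

def prefix_to_wildcard(cidr):
    """Turn a prefix such as 10.0.0.0/24 into the (network, wildcard) pair
    IOS expects: ('10.0.0.0', '0.0.0.255')."""
    net = ipaddress.IPv4Network(cidr, strict=False)
    return str(net.network_address), str(net.hostmask)

# Constructed ACLs for the LIMIT_TELNET example on this page.
LIMIT_TELNET = [("permit", "10.0.0.0", "0.0.0.255")]           # intended: 10.0.0.0/24
LIMIT_TELNET_WRONG = [("permit", "10.0.0.0", "255.255.255.0")]  # subnet mask typed as wildcard

def describe(acl, sources):
    """Return {source: action} so two ACLs can be compared side by side."""
    return {s: evaluate_standard_acl(acl, s) for s in sources}

if __name__ == "__main__":
    hosts = ["10.0.0.5", "10.0.1.5", "192.168.1.0", "192.168.1.7"]
    # The wrong ACL denies the intended 10.0.0.x admins and permits any
    # address whose last octet is 0, from any network.
    print("correct :", describe(LIMIT_TELNET, hosts))
    print("wrong   :", describe(LIMIT_TELNET_WRONG, hosts))
```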

NVRAM vs Flash

Separate non-volatile partitions:
NVRAM stores the startup-config
Flash stores the IOS image, and can store other arbitrary files as well

Note: on most modern Cisco IOS devices, there is not necessarily a 1:1 relationship between these names (“NVRAM” and “flash”) and the underlying hardware storage device(s) where the storage is implemented.

See, for example, the data sheet for the Cisco 4500X switch. Under the “CPU and Memory” section, you only see one entry for a 2GB “NVRAM”. This actually refers to a single 2GB flash memory chip on the board which contains the storage for both the IOS NVRAM and the IOS “flash:” file system. IOS software partitions the single hardware flash storage device into logical “NVRAM” and “flash:” areas. If you run the IOS EXEC command “format flash:”, that would wipe out the contents of the “flash:” partition but leave the NVRAM partition intact (i.e. leave the startup-config intact), although both partitions reside on the same physical device, at least in the case of the Cisco 4500X.

Flash is the area where the user is allowed to store arbitrary files, and it is subject to operations like “format”. This usage of flash must not interfere with the startup-config - after all, you don't want “wr mem” to fail because you've filled up the flash with your vacation photographs - which is why it is a good idea to have the storage for the startup-config reside on a separate partition which, for historical/traditional reasons, is called NVRAM.


Spanning Tree Protocol

What does Spanning Tree Protocol do?

Blocks redundant links and unblocks them as necessary. Only blocks one side of a link (the side with the higher Bridge ID).
Used for stopping loops in the network.
A loop is when a packet you originated comes back to you.

Here's the command to know (for switch use):

show spanning-tree

How STP Finds the Best Path

Elects the Root
Root bridge = perceived center of the network; always picks the oldest switch on the network.
Finds the lowest 'cost' to the Root
If 'cost' is equal between two links,
then go by Bridge ID
Determined by MAC Address
If still tied, go by lowest port number

BPDU

BPDU is STP sonar.
Sends an update every 2 seconds.

Common Spanning Tree

CST or STP - 802.1D
30 - 50 second convergence time (really long)

Per-VLAN Spanning Tree (PVST+)

Cisco Proprietary
Allows each VLAN to have its own independent root bridge
Slow like CST

Rapid Spanning Tree (RSTP - 802.1w)

~2 second convergence time (really fast)

Per-VLAN Rapid Spanning Tree (PVRST)

Cisco Proprietary
Allows each VLAN to have an independent root bridge
Fast like RSTP

Change VLAN Spanning Tree Priority

spanning-tree vlan 1 priority <0/4096/8192/12288...> //must be in increments of 4096//

Best practice is to set the primary bridge priority to 4096 and the secondary bridge priority to 8192.
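An added example (not from the original notes) that builds PVST+ bridge IDs and runs the root election from the "How STP Finds the Best Path" section: priority must be a multiple of 4096 because it occupies a 4-bit field, the VLAN number fills the 12-bit system-ID extension, and the lowest bridge ID wins, with the MAC as the tie-breaker. The three-switch lab and its MAC addresses are constructed.

```python
PRIORITY_STEP = 4096          # 4-bit priority field, so only multiples of 4096 are valid
DEFAULT_PRIORITY = 32768

def bridge_id(priority, mac, vlan=1):
    """Build a PVST+/802.1D bridge ID as an integer: 16 bits of priority
    (4-bit configured priority + 12-bit system-ID extension = VLAN number)
    followed by the 48-bit MAC. The lowest value wins the root election."""
    if priority % PRIORITY_STEP or not 0 <= priority <= 61440:
        raise ValueError("priority must be 0, 4096, 8192, ... 61440")
    if not 1 <= vlan <= 4094:
        raise ValueError("VLAN must be 1-4094")
    mac_int = int(mac.replace(":", "").replace(".", "").replace("-", ""), 16)
    return ((priority + vlan) << 48) | mac_int

def elect_root(switches, vlan=1):
    """switches: {name: (priority, mac)}. Returns (root, backup_root).
    With equal priorities the lowest MAC wins, which is why an old switch
    left at the default often ends up as root by accident."""
    ranked = sorted(switches, key=lambda n: bridge_id(*switches[n], vlan=vlan))
    return ranked[0], ranked[1] if len(ranked) > 1 else None

def format_bridge_id(priority, mac, vlan=1):
    """Render the priority part the way show spanning-tree prints it,
    e.g. '4097 (priority 4096 sys-id-ext 1)'."""
    bridge_id(priority, mac, vlan)          # validates the inputs
    return f"{priority + vlan} (priority {priority} sys-id-ext {vlan})"

# Constructed lab: S1/S2 configured per the best practice above, S3 left at
# the default but holding the lowest MAC (the "oldest switch" case).
LAB = {
    "S1": (4096, "00:1b:53:aa:aa:01"),
    "S2": (8192, "00:1b:53:aa:aa:02"),
    "S3": (DEFAULT_PRIORITY, "00:0a:0a:00:00:01"),
}

if __name__ == "__main__":
    print(elect_root(LAB))                                   # ('S1', 'S2')
    unconfigured = {n: (DEFAULT_PRIORITY, m) for n, (_, m) in LAB.items()}
    print(elect_root(unconfigured))                          # ('S3', 'S1')
    print(format_bridge_id(4096, LAB["S1"][1]))
```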


Spanning Tree Lab

1. Ensure switches have a base configuration and connect as shown
   a. Refer to the Base Config section of this wiki
2. Use the proper show commands to determine the version of STP running, port status, and identify the Root Bridge
   a. show spanning-tree
   b. Version: ieee (802.1D)
   c. Not the Root Bridge because it has a cost of 19; it costs 19 to get to the Root Bridge
   d. Use Port 3 to reach the Root Bridge
3. Cause a Root Port outage; determine how long it takes to converge
   a. Shut down interface F0/3 on S1
   b. Listening mode takes 15 seconds (listens for BPDUs); then Learning mode takes 15 seconds; then Forwarding mode takes over; 30 second convergence time total
4. Change all switches to use RSTP; test the outage again
   a. spanning-tree mode rapid-pvst
   b. Convergence time takes about 2 seconds
5. Modify the bridge priority to elect S1 as the Root Bridge and S2 as the Backup Root; diagram port results and verify your assumptions are correct on the switch
   a. On S1:
      I. spanning-tree vlan 1 priority 4096
   b. On S2:
      I. spanning-tree vlan 1 priority 8192

Configuring BPDU Guard and Portfast

Portfast

Enable Portfast (on the interface)

spanning-tree portfast

Disables STP
Skips Listening & Learning modes; goes straight to Forwarding
<fc #6495ed>You only want Portfast on access ports</fc> (non-trunking ports) to speed the transition to the Forwarding state

BPDU Guard

Enable BPDU Guard (on the interface)

spanning-tree bpduguard enable

BPDU stands for Bridge Protocol Data Unit; exclusive to STP

When BPDU Guard is enabled on a port and a BPDU is received on that port, the port goes into the “<fc #ff0000>err-disabled</fc>” state (needs to be manually reset by an admin). Basically, if a switch is plugged into an access port with <fc #6495ed>Portfast</fc> and <fc #6495ed>BPDU Guard</fc> enabled, the port will shut down until restarted manually (i.e., <fc #ffa500>shutdown, no shutdown</fc>).

Cisco Stackwise

A way of combining multiple switches into one for easy management, using a Stackwise cable that plugs in the back
Stackwise cables can provide <fc #ffa500>power</fc> as well as data
One switch in the Stackwise stack will be chosen as the <fc #6495ed>master</fc> switch (like a Proxmox cluster)
Other switches adopt the master's settings
Interfaces will now show with a preceding module number; Fa<fc #6495ed>2</fc>/0/7 refers to module 2


The proper way to connect Stackwise cables

Switch Security

802.1x - Extensible Authentication Protocol (EAP)

Focus is security on the <fc #6495ed>INSIDE</fc> of the network
Most attacks occur from within the network, intentional or not
Can be <fc #6495ed>EXTENDED</fc> to use additional authentication methods like domain membership, AD user credentials, facial recognition, etc.

DHCP Snooping

ELI5
Rogue DHCP: simple mistake or evil intent?

The Antidote: DHCP Snooping

Manages Trust and Untrust (trust goes in 1 direction)

Basically, the DHCP snooping feature <fc #87ceeb>FILTERS MESSAGES</fc> and <fc #87ceeb>RATE-LIMITS TRAFFIC</fc> from untrusted sources

After configuring a <fc #008080>TRUSTED</fc> DHCP server, DHCP snooping blocks DHCP replies from <fc #ff0000>EVIL</fc> DHCP servers on the network
Marks PORTS as trusted or untrusted to send DHCP replies
Builds and maintains the DHCP snooping binding database
Contains information about untrusted hosts with leased IP addresses
Rate-limits traffic from trusted and untrusted DHCP servers
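An added example (not from the original notes) that models the four behaviours listed above: server messages are only accepted from trusted ports, a binding is recorded when a trusted server ACKs a client on an untrusted port, and an untrusted port that exceeds its packet-per-second limit is err-disabled, as IOS does. The port names, MAC and the packet exchange are constructed.

```python
from collections import defaultdict, namedtuple

# One DHCP packet as the switch sees it: ingress port, message type, client MAC,
# address offered/assigned (server messages only), lease seconds, arrival time.
DhcpMsg = namedtuple("DhcpMsg", "port kind client_mac yiaddr lease t")

SERVER_MESSAGES = {"OFFER", "ACK", "NAK"}      # only legitimate on trusted ports

class DhcpSnooping:
    def __init__(self, trusted_ports, untrusted_rate_limit=None):
        self.trusted = set(trusted_ports)
        self.rate_limit = untrusted_rate_limit   # DHCP packets/second allowed per untrusted port
        self.bindings = {}                       # client MAC -> (ip, port, lease)
        self.client_port = {}                    # client MAC -> untrusted port it last spoke on
        self.err_disabled = set()
        self.dropped = []                        # (msg, reason)
        self._pps = defaultdict(int)             # (port, whole second) -> packet count

    def process(self, msg):
        """Return True if the switch forwards the message, False if it is dropped."""
        if msg.port in self.err_disabled:
            return self._drop(msg, "port err-disabled")
        if msg.port not in self.trusted:
            if self.rate_limit is not None:
                key = (msg.port, int(msg.t))
                self._pps[key] += 1
                if self._pps[key] > self.rate_limit:
                    self.err_disabled.add(msg.port)   # exceed the limit and the port is err-disabled
                    return self._drop(msg, "rate limit exceeded")
            if msg.kind in SERVER_MESSAGES:
                return self._drop(msg, "server message on untrusted port")
            self.client_port[msg.client_mac] = msg.port
        if msg.kind == "ACK" and msg.client_mac in self.client_port:
            # binding learned from a trusted server's ACK for a host on an untrusted port
            self.bindings[msg.client_mac] = (msg.yiaddr, self.client_port[msg.client_mac], msg.lease)
        elif msg.kind == "RELEASE":
            self.bindings.pop(msg.client_mac, None)
        return True

    def _drop(self, msg, reason):
        self.dropped.append((msg, reason))
        return False

def run_scenario():
    """Constructed exchange: a real server on Gi0/1, a client on Fa0/5 and a
    rogue server answering from Fa0/7. Returns the snooping state afterwards."""
    mac = "aa:bb:cc:00:00:01"
    snoop = DhcpSnooping(trusted_ports={"Gi0/1"}, untrusted_rate_limit=2)
    packets = [
        DhcpMsg("Fa0/5", "DISCOVER", mac, None, None, 1.0),
        DhcpMsg("Fa0/7", "OFFER", mac, "10.24.2.200", 3600, 1.1),    # rogue reply, dropped
        DhcpMsg("Gi0/1", "OFFER", mac, "10.24.2.100", 7200, 1.2),
        DhcpMsg("Fa0/5", "REQUEST", mac, None, None, 2.0),
        DhcpMsg("Gi0/1", "ACK", mac, "10.24.2.100", 7200, 2.1),
    ]
    results = [snoop.process(p) for p in packets]
    return snoop, results

if __name__ == "__main__":
    snoop, results = run_scenario()
    print(results)          # [True, False, True, True, True]
    print(snoop.bindings)   # {'aa:bb:cc:00:00:01': ('10.24.2.100', 'Fa0/5', 7200)}
```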

Non-Default VLANs
Best Practice:
Change Native VLAN to something other than 1;
DON'T USE VLAN 1 ANYWHERE
Set all unused ports to dead-end VLAN that's not in use

Etherchannel

Cisco's proprietary form of Link Aggregation

Etherchannel <fc #008000>BUNDLES</fc> instead of BLOCKING
Combines bandwidth of links for <fc #6495ed>load-balancing + redundancy</fc> (<fc #ffa500>awesome</fc>)
Works between DIRECTLY CONNECTED switches

<fc #cd5c5c>If two nodes each have 2 x 1 Gbps NICs and you team them, they will still only exchange data at 1 Gbps. A single flow cannot exceed the bandwidth of a single interface.</fc>

Protocols

As an alternative to these protocols, you may also hardcode the Etherchannel manually (not recommended).

Port Aggregation Protocol (PAgP)

<fc #00ff00>Cisco Proprietary</fc>

Modes:
ON
DESIRABLE
AUTO

Link Aggregation Control Protocol (LACP)

<fc #6495ed>Industry Standard</fc>

Modes:
ON
ACTIVE
PASSIVE

Configuration

Base interfaces must have identical configuration:
Speed
Duplex
Mode [Access/Trunk]
VLANs

Use the channel-group command to create the Etherchannel. MEMORIZE THESE:

Specify <fc #f4a460>MODE</fc>, not protocol
<fc #00ff00>DESIRABLE, AUTO = PAgP</fc>
<fc #6495ed>ACTIVE, PASSIVE = LACP</fc>

Syntax:

interface range <interface range>
shutdown
channel-group <channel-group #> mode [DESIRABLE/AUTO; ACTIVE/PASSIVE; ON]
no shutdown

Example:

interface range fa0/1-2
shutdown
channel-group 3 mode active
no shutdown

All further configuration is done on the virtual port-channel interface (Port-channel 3 in this example) after bundling.

Verify:

show etherchannel summary


Etherchannel Lab

1. <fs x-large>Beginning with a base configuration, set all ports as access ports in VLAN 1</fs>
2. <fs x-large>Configure Etherchannel on the interfaces between S2 and S3 using PAgP</fs>
   a. S1
      interface range fa0/3-4
      shutdown
      channel-group 2 mode auto
      no shutdown
   b. S2
      interface range fa0/3-4
      shutdown
      channel-group 2 mode desirable
      no shutdown
3. <fs x-large>Configure Etherchannel on the interfaces between S1 and S2 using LACP</fs>
   a. S1
      interface range fa0/1-2
      shutdown
      channel-group 1 mode active #Etherchannel Bundle 1; LACP because mode is set to ACTIVE; channel-group is only locally significant (one switch end can be channel-group 6 while the other end is channel-group 1)
      no shutdown
   b. S2
      interface range fa0/1-2
      shutdown
      channel-group 1 mode passive
      no shutdown
4. <fs x-large>Configure hardcoded Etherchannel on the interfaces between S1 and S3</fs>
   a. S1
      interface range fa0/3-4
      shutdown
      channel-group 6 mode on
      no shutdown
   b. S3
      interface range fa0/3-4
      shutdown
      channel-group 38 mode on
      no shutdown
5. <fs x-large>Examine the configuration using show commands to verify Etherchannel works correctly</fs>
   a. show etherchannel summary
6. <fs x-large>Misconfigure an interface in the PAgP / LACP bundle. What happens?</fs>
7. <fs x-large>Fix the issue. What happens now?</fs>

IOS Software

Fully Understanding the IOS Boot Process

Command to know:

show version

Shows:
Memory Allocation
Interfaces Available
Configuration Register (current and next reload)

Boot Process

Loads ROM in BIOS
Decompresses image from <fc #008000>flash:\<image>.bin</fc> to RAM
flash:\ is basically a tiny SSD

<fs large>1) Check the <fc #6495ed>Configuration Register</fc></fs>

2100: <fc #ffa500>ROMMON</fc> (ROM Monitor)
Boots if flash:\ goes bad; unfriendly CLI
The goal of ROMMON mode is to get out of ROMMON mode by setting an IP address and downloading an IOS image
2101: <fc #ffa500>RXBOOT</fc>
Friendlier version of ROMMON; looks and feels like IOS
2102: <fc #ffa500>BOOT NORMALLY</fc>
Normal boot mode
2142: <fc #ffa500>IGNORE NVRAM</fc>
Boot the IOS image, but ignore NVRAM (startup-config)
Allows someone to get around all passwords

<fs large>2) Check for <fc #6495ed>></fc><fc #00ff00>boot system</fc> commands in the startup config</fs>

Allows booting from an alternate source like a TFTP server or a non-primary image in flash
The alternate boot source is configured in the startup-config (stored in NVRAM)
If no boot system commands are found, the next step is initiated

<fs large>3) Look for the first IOS image in flash</fs>

If no IOS image is found, the next step is started

<fs large>4) Broadcast for a TFTP server</fs>

Good in theory, but never used in the real world

Enter Configuration Register Mode Manually


Syntax:

config-register <0x2100/0x2101/0x2102/0x2142>

Example: Boot to ROMMON on reload

config-register 0x2100

<fc #9acd32>Looks like this upon reload,</fc>
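An added example (not from the original notes) that decodes the register values listed above from their bits (boot field in bits 0-3, "ignore NVRAM" in bit 6, so 0x2142 is 0x2102 with bit 6 set) and audits a `show version` line for a current or pending register that would boot without the startup-config. The sample output line is constructed in the format IOS prints after `config-register` has been changed.

```python
import re

BOOT_FIELD = {0x0: "ROMMON", 0x1: "RXBOOT"}   # 0x2-0xF: boot normally (boot system, then flash)

def decode_config_register(value):
    """Decode the boot-relevant bits of a Cisco configuration register.
    Bits 0-3 are the boot field; bit 6 (0x40) makes the router ignore the
    NVRAM contents (startup-config) on boot, so 0x2142 = 0x2102 + 0x40."""
    if isinstance(value, str):
        value = int(value, 16)
    boot_field = value & 0xF
    return {
        "register": f"0x{value:04X}",
        "mode": BOOT_FIELD.get(boot_field, "BOOT NORMALLY"),
        "ignore_nvram": bool(value & 0x40),
    }

_REG_RE = re.compile(
    r"Configuration register is (0x[0-9A-Fa-f]+)"
    r"(?: \(will be (0x[0-9A-Fa-f]+) at next reload\))?"
)

def audit_show_version(text):
    """Scan show version output; flag a current or pending register that
    would boot without the startup-config (and therefore without its
    passwords) or that would stop in ROMMON/RXBOOT. Empty list = clean."""
    m = _REG_RE.search(text)
    if not m:
        return ["configuration register line not found"]
    findings = []
    for label, reg in (("current", m.group(1)), ("next reload", m.group(2))):
        if reg is None:
            continue
        d = decode_config_register(reg)
        if d["ignore_nvram"]:
            findings.append(f"{label}: {d['register']} ignores NVRAM (startup-config bypassed)")
        if d["mode"] != "BOOT NORMALLY":
            findings.append(f"{label}: {d['register']} boots to {d['mode']}")
    return findings

# Constructed tail of show version after someone ran 'config-register 0x2142'.
SAMPLE = "Configuration register is 0x2102 (will be 0x2142 at next reload)"

if __name__ == "__main__":
    for reg in ("0x2100", "0x2101", "0x2102", "0x2142"):
        print(decode_config_register(reg))
    print(audit_show_version(SAMPLE))
```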

Frequently Used ROMMON Commands

confreg - change configuration register mode
set - allows you to assign IP addresses to interfaces
tftpdnld - allows you to download an IOS image via TFTP

flash:/ in the Physical

Cisco Router with CF Memory Reader

Cisco 64mb CF Compact Flash Card for Cisco Routers 2801 2811 2821 2851 3825 3845

<fs larger>Essentially, when a flash card goes bad:</fs>

Pop in a new flash card (some are external like the picture above, others are mounted inside the case)
Boot to ROMMON
Set an IP address
Download the IOS image to the new flash card
Run the command '<fc #008080>reset</fc>' to boot to the new image


IOS Software Lab - Upgrading the IOS

Objectives:
Getting a new version of the IOS
Setting up a TFTP server
Performing the backup of the old IOS / install of a new IOS

Command to remember:

<fc #6495ed>></fc><fc #00ff00>copy</fc> <fc #c0c0c0><source> <destination></fc>

Examples:

<fc #6495ed>> copy flash tftp</fc>
<fc #6495ed>> copy tftp flash</fc>
<fc #6495ed>> copy running-config tftp</fc>
<fc #6495ed>> copy tftp running-config</fc>

1. Access the device shown in the picture.
2. Back up the IOS to the TFTP server shown.
   a. copy flash tftp
      Source filename []? <image>.bin
      Address or name of remote host []? 10.1.3.100
      Destination filename []? <image>.bin
3. Back up the running configuration to the TFTP server shown.
   a. copy running-config tftp
      Address or name of remote host []? 10.1.3.100
      Destination filename []? r1-config.txt
4. Restore both the IOS and the running configuration to the router in the proper way.
   a. copy tftp flash
      Address or name of remote host []? 10.1.3.100
      Source filename []? <image>.bin
      Destination filename []? <image>.bin
      reload
   b. copy tftp startup-config
      Address or name of remote host []? 10.1.3.100
      Source filename []? r1-config.txt
      Destination filename []? startup-config
      reload

IOS Licensing

Before IOS version 15 (12.x and prior)
All-inclusive feature set (<fc #c0c0c0>MONOLITHIC</fc>)
<fc #87ceeb>Different IOS versions available</fc>, each always complete:
IP BASE
IP VOICE
ADV SECURITY
ENT BASE
ADV IP SERVICES
ENT SERVICES

Post IOS version 15

Each feature individually licensed and activated (<fc #ffa500>MODULAR</fc>)
<fc #4682b4>Single IOS version</fc> with different modular components available to license:
IP BASE
DATA (MPLS, ATM, Multi-Protocol)
Unified Communications (VOIP)
Security (Firewall, VPN, Encryption)

Commands to remember:

show version

Shows:
License Info - Product ID (PID) and Serial Number (SN)
All activated packages (must be licensed)

show license feature

Shows:
Supported Feature Names
Active Features

Install a License

1. Contact a Cisco seller; acquire the .LIC license file

license install tftp://<IP>/<license>.LIC

Core Routing

<fc #ff0000>The routing table does not reveal all</fc>, ONLY THE BEST ROUTES

The Election Criteria

<fc #6495ed>Criteria to consider</fc> - First to Last
<fc #ffa500>Next Hop</fc> will be added to the routing table
If you were to set a next hop address statically like <fc #6495ed>></fc><fc #00ff00>ip route 0.0.0.0 0.0.0.0 10.0.0.42</fc>, 10.0.0.42 is the next hop address
If the next hop is invalid, then the <fc #6495ed>most specific route</fc> will be added to the routing table
<fc #ffa500>Route Specificity</fc> ( <fc #ff0000>MOST FORGOTTEN CRITERIA</fc> )
Example: route <fc #9acd32>10.4.4.0/24</fc> is more specific than route <fc #fa8072>10.4.0.0/16</fc>
The most specific route will be added to the routing table
This is why an internet routed default route doesn't overrule your internal routing
If tied, the route with the lower administrative distance will be added to the routing table
<fc #ffa500>Administrative Distance</fc>
The route with the lowest AD will be added to the routing table
If tied, go by metric
<fc #ffa500>Metric</fc>
How many hops away the destination is
The route with the lowest metric will be added to the routing table

Administrative Distances

This table lists the administrative distance default values of the protocols that Cisco supports:

Route Source                                                        Default Distance Value
Connected interface                                                 0
Static route                                                        1
Enhanced Interior Gateway Routing Protocol (EIGRP) summary route    5
External Border Gateway Protocol (BGP)                              20
Internal EIGRP                                                      90
IGRP                                                                100
OSPF                                                                110
Intermediate System-to-Intermediate System (IS-IS)                  115
Routing Information Protocol (RIP)                                  120
Exterior Gateway Protocol (EGP)                                     140
On Demand Routing (ODR)                                             160
External EIGRP                                                      170
Internal BGP                                                        200
Unknown*                                                            255

* If the administrative distance is 255, the router does not believe the source of that route and does not install the route in the routing table.

Floating Static Routes

A floating static route is a route that has a higher administrative distance than the current route in the routing table.
Very useful when providing a backup to a primary link

<fc #cd5c5c>Basically, you would set a floating static route by setting the AD slightly higher than the AD of the current preferred route; that way, if the preferred route goes down, the floating static route will take over</fc>
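An added example (not from the original notes) covering the election criteria, the AD table and the floating static route together: per prefix the lowest AD wins and then the lowest metric, AD 255 is never installed, and a lookup uses the most specific installed route regardless of how it got there. The candidate routes and next hops are constructed; next-hop reachability is not modelled.

```python
import ipaddress

# Default administrative distances from the table above.
ADMIN_DISTANCE = {
    "connected": 0, "static": 1, "eigrp summary": 5, "external bgp": 20,
    "internal eigrp": 90, "igrp": 100, "ospf": 110, "is-is": 115, "rip": 120,
    "egp": 140, "odr": 160, "external eigrp": 170, "internal bgp": 200, "unknown": 255,
}

class Route:
    def __init__(self, prefix, source, metric, next_hop, ad=None):
        self.network = ipaddress.IPv4Network(prefix)
        self.source = source
        self.ad = ADMIN_DISTANCE[source] if ad is None else ad   # ad= overrides, e.g. floating static
        self.metric = metric
        self.next_hop = next_hop

    def __repr__(self):
        return f"{self.network} via {self.next_hop} [{self.ad}/{self.metric}] {self.source}"

def build_routing_table(candidates):
    """For each prefix keep one route: lowest AD first, then lowest metric.
    AD 255 means the router does not believe the source, so it is skipped."""
    table = {}
    for r in candidates:
        if r.ad == 255:
            continue
        cur = table.get(r.network)
        if cur is None or (r.ad, r.metric) < (cur.ad, cur.metric):
            table[r.network] = r
    return table

def lookup(table, dest):
    """Longest-prefix match: the most specific installed route wins, no
    matter what AD or metric it was installed with."""
    d = ipaddress.IPv4Address(dest)
    matches = [r for r in table.values() if d in r.network]
    return max(matches, key=lambda r: r.network.prefixlen) if matches else None

# Constructed candidates, including a floating static backup (AD 121 > RIP's 120)
# for 172.16.0.0/16 and an OSPF/RIP contest for 10.4.4.0/24.
CANDIDATES = [
    Route("0.0.0.0/0",     "static", 0,  "10.0.0.42"),
    Route("10.4.0.0/16",   "rip",    3,  "10.0.0.3"),
    Route("10.4.4.0/24",   "rip",    2,  "10.0.0.3"),
    Route("10.4.4.0/24",   "ospf",   20, "10.0.0.2"),
    Route("172.16.0.0/16", "rip",    1,  "10.0.0.3"),
    Route("172.16.0.0/16", "static", 0,  "10.0.0.9", ad=121),
]

def failover_demo():
    """Next hop for 172.16.5.5 before and after the RIP route is withdrawn."""
    before = lookup(build_routing_table(CANDIDATES), "172.16.5.5").next_hop
    without_rip = [r for r in CANDIDATES
                   if not (r.source == "rip" and str(r.network) == "172.16.0.0/16")]
    after = lookup(build_routing_table(without_rip), "172.16.5.5").next_hop
    return before, after

if __name__ == "__main__":
    table = build_routing_table(CANDIDATES)
    for dest in ("10.4.4.7", "10.4.9.1", "8.8.8.8"):
        print(dest, "->", lookup(table, dest))
    print(failover_demo())   # ('10.0.0.3', '10.0.0.9')
```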

Distance Vector vs Link State

Distance Vector (BGP, EIGRP, RIP, etc.)
Only knows what the neighbor tells it
Memory / Processor Efficient
Loop Prevention Mechanisms Needed

Link State (IS-IS, OSPF, etc.)
Maintains a Map of the Network System
Resource Consuming
Maintains Loop Free By Nature

Split Horizon

Split horizon is a method of preventing a routing loop in a network.
The basic principle is simple: information about the routing for a particular packet is <fc #008080>never sent back</fc> in the direction from which it was received.

Other Loop Prevention Methods


Triggered Updates
Improves convergence time
With triggered updates, the update announcing network topology changes is sent
almost immediately rather than waiting for the next periodic announcement.
Maximum Metric
Routes with a maximum metric will be removed from the routing table
RIP has a maximum metric of 16
Route Poisoning
When the protocol detects an invalid route, all of the routers in the network are
informed that the bad route has an infinite (∞) route metric.

OSPF Protocol (Open Shortest Path First)

Overview
RFC () Standard (Supported by potentially anyone and everyone)
The only widely used Link State routing protocol
Interior protocol (run inside the network)
Maintains LSDB (Link State Database - “Topology Table”)
Uses the Dijkstra SPF algorithm
Works for simple (single area) networks and advanced (multi area)

<fc #cd5c5c>Doesn't use UDP or TCP; OSPF is its own routing protocol. Can't just
unblock TCP/UDP port in firewall, have to unblock OSPF</fc>

OSPF Area Design and Terms

<fc #cd5c5c>Basically, the only reason we break into multiple areas is because we want
to do summarization. </fc>

Area 0 is backbone; gets traffic from all other routers

Basic Configuration

Syntax:

> router ospf <process ID>
> router-id <router ID>
> network <network> <wildcard mask> area <area #>

Example:

router ospf 1
router-id 1.1.1.1
network 10.0.0.0 0.255.255.255 area 1

The network statement requires a wildcard mask; 0.255.255.255 covers 10.0.0.0/8.

Turn on OSPF (Best Practices)

Cisco best practice is to be as specific as possible when turning on OSPF:

network <network> <wildcard mask> area <area #>

network 10.1.1.1 0.0.0.0 area 0

<fs xx-large>Q:</fs> <fs larger>Can I have more than one OSPF process ID running on a
router?</fs>

<fs xx-large>A:</fs><fs larger> You can, but you don't want to (unless you're in some really
bizarre situation). OSPF process ID only exists on local router, so best to always set the
process ID as 1.</fs>

Show OSPF Relationships

show run | sec ospf

show ip ospf neighbors

show ip ospf interface

OSPF Neighbor Relationships

Forms relationships with neighboring routers before it exchanges routes, so it can re-converge really quickly.
Sends a <fs smaller><fc #ffa500>HELLO</fc></fs> message every 10 OR 30 seconds by default; can be adjusted as low as milliseconds
Unlike RIP, which just starts yelling every 30 seconds, which is why RIP is so slow: the 30 second interval yell acts as the keepalive timer


1. <fc #6495ed>DETERMINE YOUR OWN ROUTER ID</fc>
   a. The <fc #ffa500>ROUTER ID</fc> is simply the <fc #ffa500>router's name</fc> in the OSPF process
   b. Highest ACTIVE interface <fc #ffa500>IP address</fc> when OSPF starts (loopbacks beat physical interfaces)
      I. <fs smaller><fc #cd5c5c>IT IS BETTER TO HARDCODE THE ROUTER ID USING THE</fc> >router-id <fc #cd5c5c>COMMAND ABOVE INSTEAD OF LETTING AUTO-CONFIG USE THE HIGHEST ACTIVE INTERFACE IP</fc></fs>
         A. <fs smaller>DOESN'T HAVE TO BE A REAL IP ADDRESS BUT HAS TO BE UNIQUE, BECAUSE IT'S JUST A NAME; IT'S NOT ROUTED.</fs>
2. <fc #6495ed>ADD INTERFACES TO THE LINK STATE DATABASE</fc> <fs smaller>(USING THE >network COMMAND)</fs>
3. <fc #6495ed>SEND A HELLO MESSAGE ON CHOSEN INTERFACES</fc>
   a. Once every 10 seconds on <fs smaller>BROADCAST/P-2-P NETWORKS</fs>
   b. Once every 30 seconds on <fs smaller>NBMA NETWORKS</fs> (Non-Broadcast Multi-Access)
   c. <fs smaller><fc #ffa500>CONTAINS ALL SORTS OF INFO: </fc>(BOLD items below must match, otherwise the neighbor relationship isn't formed; <fc #ff0000>GOOD FOR TROUBLESHOOTING</fc>)</fs>
      I. Router ID
      II. HELLO and DEAD TIMERS
      III. Subnet Mask
      IV. Area ID
      V. Neighbors
      VI. Router Priority
      VII. DR/BDR IP Address
      VIII. Authentication Password
4. <fc #6495ed>RECEIVE HELLO</fc>
   a. Check <fs smaller>HELLO / DEAD</fs> interval
   b. Check <fs smaller>NETMASKS</fs>
   c. Check <fs smaller>AREA ID</fs>
   d. Check <fs smaller>AUTHENTICATION PASSWORD</fs>
5. <fc #6495ed>SEND REPLY HELLO</fc>
   a. Am I listed as a neighbor in your hello packet?
      I. If yes, <fs smaller>RESET DEAD TIMER; <fc #ff0000>STOP HERE</fc> (Process Complete)</fs>
      II. If no, <fs smaller>ADD AS NEW NEIGHBOR; <fc #00ff00>CONTINUE</fc></fs>
6. <fc #6495ed>DETERMINE MASTER-SLAVE RELATIONSHIP</fc>
   a. Determined by <fs smaller>PRIORITY;</fs> tie-breaker is <fs smaller>ROUTER ID</fs>
   b. Master sends <fs smaller>DATABASE DESCRIPTION (DBD)</fs> packet
      I. DBD = Cliff notes of the Link-State Database
   c. Slave sends its <fs smaller>(DBD)</fs> packet
7. <fc #6495ed>DBDS ARE ACKNOWLEDGED AND REVIEWED</fc>
   a. Slave requests details (<fs smaller>LINK STATE REQUEST - LSR</fs>)
   b. Master sends updates (<fs smaller>LINK STATE UPDATES - LSU</fs>)
   c. Master requests details (<fs smaller>LSR</fs>)
   d. Slave sends updates (<fs smaller>LSU</fs>)
8. <fc #6495ed>NEIGHBORS ARE SYNCHRONIZED!</fc> - <fs smaller><fc #ffa500>**FULL STATE**</fc></fs>
   a. <fs smaller>ALL ROUTING INFO IS MIRRORED BETWEEN SYNCED NEIGHBORS</fs>
   b. <fs smaller>HAVE THE SAME EXACT LINK-STATE DATABASE</fs>

<fc #ffa500>FULL-STATE NEIGHBOR RELATIONSHIPS ONLY FORM WITH DR & BDR</fc>
(Otherwise, a 2-way relationship is formed and no routes are exchanged.)

<fc #cd5c5c>PACKETS</fc>: <fs smaller>HELLO, DBD, LSR, LSU, LSA, LSACK</fs>
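An added example (not from the original notes) of steps 4 and 5 above: compare a received Hello against the local interface's hello/dead timers, netmask, area and authentication, reject on any mismatch, and otherwise either reset the dead timer or add a new neighbor depending on whether we appear in the sender's neighbor list. The router names and parameters are constructed; "Sock" has its hello changed to 1 second as in the lab's step 5, which (since Cisco derives dead = 4 x hello) also shifts its dead timer.

```python
MUST_MATCH = ("hello_interval", "dead_interval", "netmask", "area_id", "auth_password")

def default_dead_interval(hello_interval):
    """Cisco derives the dead interval as 4 x hello unless set explicitly,
    so changing only 'ip ospf hello-interval' on one side changes both."""
    return 4 * hello_interval

def interface_params(router_id, netmask, area_id, hello=10, dead=None, auth_password=None):
    """What an interface advertises in its Hello (and checks in received ones)."""
    return {
        "router_id": router_id, "netmask": netmask, "area_id": area_id,
        "hello_interval": hello,
        "dead_interval": default_dead_interval(hello) if dead is None else dead,
        "auth_password": auth_password,
    }

def hello_mismatches(local, hello):
    """Step 4: compare the received Hello against the local interface.
    Returns the names of the fields that block the adjacency."""
    problems = [f for f in MUST_MATCH if local[f] != hello[f]]
    if local["router_id"] == hello["router_id"]:
        problems.append("duplicate router_id")   # router IDs must be unique, not equal
    return problems

def process_hello(local, hello):
    """Step 5: reject on mismatch; otherwise, if we're already listed as the
    sender's neighbor just reset the dead timer, else add a new neighbor."""
    problems = hello_mismatches(local, hello)
    if problems:
        return "reject", problems
    if local["router_id"] in hello.get("neighbors", []):
        return "reset dead timer", []
    return "add neighbor", []

# Constructed: "Sock" had its WAN hello changed to 1/sec while "Shoe", on the
# other end of the link, still runs the 10/40 defaults.
SOCK = interface_params("1.1.1.1", "255.255.255.252", 0, hello=1)
SHOE = interface_params("2.2.2.2", "255.255.255.252", 0)
SHOE_FIXED = interface_params("2.2.2.2", "255.255.255.252", 0, hello=1)

if __name__ == "__main__":
    print(process_hello(SOCK, {**SHOE, "neighbors": []}))                 # reject: hello + dead
    print(process_hello(SOCK, {**SHOE_FIXED, "neighbors": []}))           # add neighbor
    print(process_hello(SOCK, {**SHOE_FIXED, "neighbors": ["1.1.1.1"]}))  # reset dead timer
```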

Roles of DR and BDR

DR = <fc #6495ed>DESIGNATED ROUTER</fc>
He's the man that all the routers send their updates to, so he can disseminate that info across the network
Without the DR, the network goes crazy upon an update because all the routers would send the update to all other synchronized routers, which forms a bit of a loop
BDR = <fc #6495ed>BACKUP DESIGNATED ROUTER</fc>
Receives updates as well, and waits for the DR to die for takeover

DR and BDR listen for updates on multicast address 224.0.0.6 and send updates on 224.0.0.5
<fs smaller><fc #ffa500>LISTEN: </fc>224.0.0.6</fs>
<fs smaller><fc #ffa500>SEND: </fc>224.0.0.5</fs>

DR Selection
Usually, you would want your beefiest, most central router to be the Designated Router

<fs large><fc #ff0000>NOTE:</fc> Each Ethernet segment needs it own DR</fs> (That's why
the DR Priority is set on a per-interface basis)

The <fs smaller>DESIGNATED ROUTER</fs> is selected on the following criteria, in order:
<fc #6495ed>Highest Priority</fc>
Cisco interfaces default to priority 1 (range 0-255)
If you set the priority to 0, the router will NEVER be DR or BDR on that segment
Select the interface or interface range, then:

ip ospf priority 0

<fc #6495ed>Highest Router ID</fc> (tie-breaker)
The election is not pre-emptive: a router with a higher priority that comes up later does not
take over from an existing DR until that DR goes away

<fs smaller><fc #cd5c5c>Point-to-Point connections don't need a DR or BDR. DR and
BDR are only elected on</fc> MULTIACCESS SEGMENTS</fs>

OSPF Lab - Basic Configuration


Configuration Focus

1. Configure all routers shown to operate in the backbone area. Hardcode Router IDs so
they do not easily change.
2. Determine which router became the DR; elect “Tie” as the DR moving forward.
a. Set Priority on “Tie” to anything higher than 1, then force a new election (clear ip ospf process, or bounce the
interfaces), because a running DR is not pre-empted
3. Adjust the metric of OSPF to function well with speeds up to 10G links.
a. OSPF uses <fs smaller><fc #ffa500>COST</fc></fs> as its metric, as opposed to
RIP which uses <fs smaller>HOP COUNT</fs>
b. <fs smaller><fc #ffa500>COST</fc></fs> = reference bandwidth / interface bandwidth; the
reference bandwidth defaults to 100 Mbps, so COST = 100 / BW (Mbps)
c. OSPF doesn't see decimals in metric <fs smaller><fc #ffa500>COST</fc></fs>;
54.89 is seen as 54, and anything below 1 becomes 1. That is the problem: with the default
reference, FastEthernet, Gigabit and 10G all cost 1
d. Change the bandwidth on an interface (value is in kbps, and it only changes the
metric, not the actual line rate):
I. >interface g0/0/0
A. >bandwidth 100000
e. <fc #cd5c5c><fs smaller>SO TO ACTUALLY ANSWER THE QUESTION:
CHANGE THE REFERENCE BANDWIDTH TO 10G (VALUE IN Mbps) WITH THE
FOLLOWING COMMANDS (change it on every router, or costs become inconsistent):</fs></fc>

I. router ospf 1
auto-cost reference-bandwidth 10000

4. Ensure “Shoe” does not form OSPF neighbors on its LAN network.

a. router ospf 1
passive-interface default
no passive-interface serial 0/1/0

5. Adjust the Hello time on the “Sock” WAN interface to send Hello messages 1/sec.

a. interface s0/1/0
ip ospf hello-interval 1

<fc #cd5c5c><fs smaller>HELLO AND DEAD INTERVALS MUST MATCH ON BOTH INTERFACES OF THE
CONNECTION OR NO NEIGHBOR FORMS</fs></fc> (IOS recomputes the dead interval as 4x the hello, here 4 s,
unless you set it by hand)

6. Bonus: Create loopback interfaces in such a way that Router IDs are pingable from any
router.
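The cost arithmetic from step 3, worked through as an added example (not code from the original notes). It reproduces the IOS formula the step describes, cost = reference bandwidth / interface bandwidth truncated to an integer and never below 1, and shows why the default 100 Mbps reference makes every link of 100 Mbps or faster look identical to SPF. The interface speeds are constructed sample values in kbps, the unit `bandwidth` and `show interfaces` use (100000 = 100 Mbps).

```python
"""OSPF interface cost versus the reference bandwidth.

Added example, not part of the original notes. Reproduces the IOS
arithmetic (cost = reference bandwidth / interface bandwidth, truncated,
floor of 1) and compares the default 100 Mbps reference with the 10 Gbps
reference the lab step sets. Interface bandwidths below are constructed
sample values in kbps.
"""

DEFAULT_REF_BW_MBPS = 100        # IOS default: auto-cost reference-bandwidth 100


def ospf_cost(bandwidth_kbps, reference_bw_mbps=DEFAULT_REF_BW_MBPS):
    """Cost of one outgoing interface; integer division with a floor of 1."""
    if bandwidth_kbps <= 0:
        raise ValueError("bandwidth must be a positive number of kbps")
    return max((reference_bw_mbps * 1000) // bandwidth_kbps, 1)


def path_cost(bandwidths_kbps, reference_bw_mbps=DEFAULT_REF_BW_MBPS):
    """SPF adds the outgoing interface cost of every hop along the path."""
    return sum(ospf_cost(b, reference_bw_mbps) for b in bandwidths_kbps)


# Constructed interface bandwidths, kbps.
LINKS = {
    "T1 serial": 1_544,
    "FastEthernet": 100_000,
    "GigabitEthernet": 1_000_000,
    "TenGigabitEthernet": 10_000_000,
}


def cost_table(reference_bw_mbps):
    """Per-interface cost for one auto-cost reference-bandwidth setting."""
    return {name: ospf_cost(kbps, reference_bw_mbps) for name, kbps in LINKS.items()}


def prefers_faster_path(reference_bw_mbps):
    """Does SPF pick a two-hop 10G path over a single FastEthernet hop?"""
    one_hop_fast_ethernet = path_cost([100_000], reference_bw_mbps)
    two_hops_10g = path_cost([10_000_000, 10_000_000], reference_bw_mbps)
    return two_hops_10g < one_hop_fast_ethernet


if __name__ == "__main__":
    for ref in (DEFAULT_REF_BW_MBPS, 10_000):
        print(f"auto-cost reference-bandwidth {ref}: {cost_table(ref)}; "
              f"two 10G hops beat one FastE hop: {prefers_faster_path(ref)}")
```

With the default reference a T1 costs 64 and everything from FastEthernet up costs 1, so a direct 100 Mbps link (cost 1) wins over two 10G hops (cost 2). At `auto-cost reference-bandwidth 10000` the same links cost 6476 / 100 / 10 / 1 and SPF prefers the 10G path; the setting has to be identical on every router or neighbors disagree about the topology's costs.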

Enter Debug:

debug ip ospf adj

Different States (in order; watch them go by in the debug)

DOWN
INIT (a Hello was seen, but our Router ID is not yet listed in the neighbor's Hello)
2-WAY (bidirectional; the DR/BDR election happens here; two DROthers stop here)
EXSTART (master/slave chosen by highest Router ID)
EXCHANGE (DBDs swapped)
LOADING (LSRs and LSUs for the LSAs we are missing)
FULL (link-state databases synchronized)

Exclude an interface from DR/BDR Election

<fc #cd5c5c><fs larger>Set Priority to 0</fs></fc>

Multi Area OSPF

Multi Area OSPF Lab

1. Configure all routers shown to operate in a multiarea configuration. Tie, Belt, and Sock will
act as ABRs (Area Border Routers).
a. Q: <fs smaller>How do you create an ABR (Area Border Router)?</fs>
I. A: <fs smaller><fc #cd5c5c>Just assign 2 different interfaces to 2
different areas, simple as that!</fc></fs> (one of them must be area 0, or the other area's routes go nowhere)
2. Add five (5) loopback interfaces to Ring, Hat, and Shoe. They should be contiguous to
existing area subnets.
3. Add an efficient summary route for area 1, 2, and 51. Verify impact on the routing table of
other routers.
4. Add a loopback interface to Belt with the IP address 184.51.1.2/24 and a default route to
184.51.1.1. This will simulate an internet connection.
a. >ip route 0.0.0.0 0.0.0.0 184.51.1.1
5. Have Belt advertise the default route to the other routers via OSPF. The route should exist
even if Belt does not have a default route.
a. >router ospf 1
I. >default-information originate always

EIGRP Protocol Overview

Why You Would Choose to Use EIGRP


1. Backup Routes (fast convergence / DUAL (Diffusing Update Algorithm))
2. Simple Configuration
3. Flexibility in Summarization
a. You can put a summary route on any interface of any router, as opposed to OSPF where only ABRs &
ASBRs can summarize.
4. Unequal Cost Load-Balancing
a. Can load-balance across links of differing bandwidths (the variance command)
5. Combines the Best of Distance Vector and Link-State (neighbors only exchange their best routes,
like distance vector, yet the topology table keeps loop-free backup paths)

EIGRP Tables and Terminology


A router running EIGRP maintains three tables:

1. Neighbor Table
2. Topology Table
a. List of best routes (<fs smaller><fc #cd5c5c>SUCCESSOR ROUTES</fc></fs>)
b. and loop-free backup routes (<fs smaller><fc #cd5c5c>FEASIBLE SUCCESSOR
ROUTES</fc></fs>)
c. Promotes a <fs smaller><fc #cd5c5c>FEASIBLE SUCCESSOR</fc></fs> to
<fs smaller><fc #cd5c5c>SUCCESSOR</fc></fs> the moment the successor is lost; no
recomputation or query needed, which is why the failover is practically instant
3. Routing Table

Terminology

<fc #ffa500>Feasible Distance</fc> (FD)
The metric from YOUR router to the network (the neighbor's AD combined with the metric of your link to that neighbor)
<fc #ffa500>Advertised Distance</fc> (AD; also called Reported Distance, RD)
The neighbor's own FD to the network, as it advertised it to you
<fc #ffa500>Successor</fc>
Best route in the <fs smaller>TOPOLOGY TABLE</fs> (<fc #6495ed>Primary</fc>); this is what goes in the routing table
<fc #ffa500>Feasible Successor</fc>
Loop-free backup in the <fs smaller>TOPOLOGY TABLE</fs> (<fc #f4a460>Backup</fc>; never in the
<fs smaller>Routing Table</fs> unless variance lets it in)
<fc #ffa500>Active Route</fc>
NO FEASIBLE SUCCESSOR, SO THE ROUTER IS ACTIVELY QUERYING ITS NEIGHBORS FOR ONE; <fc #ff0000>BAD</fc>
(a query that never gets answered leaves the route stuck-in-active)
<fc #ffa500>Passive Route</fc>
CHILLIN' ON THE COUCH PASSIVE; <fc #00ff00>GOOD</fc>

<ff serif>TO BE A FEASIBLE SUCCESSOR, THE AD MUST BE LESS THAN THE FD OF THE
SUCCESSOR</ff> (the feasibility condition: it proves the backup neighbor is not routing through you, so it can't loop)

EIGRP Neighbors and Metric


<fc #6495ed>All multicast communication goes to a single address: </fc>224.0.0.10
(Unlike OSPF, which uses one address for all SPF routers and another for the DR/BDR; EIGRP also unicasts some packets, such as ACKs and Replies)

EIGRP is <fc #6495ed>its own protocol</fc>, like OSPF: it rides directly on IP (protocol number 88; OSPF is 89), not on TCP or UDP

<fs smaller>5 DIFFERENT MESSAGE TYPES</fs>

1. <fc #cd5c5c>HELLO</fc>
a. Forms Relationship
2. <fc #cd5c5c>UPDATE</fc>
a. Sends Updates
3. <fc #cd5c5c>QUERY</fc>
a. Asks About Routes

4. <fc #cd5c5c>REPLY</fc>
a. Response to a Query
5. <fc #cd5c5c>ACK</fc>
a. Acknowledges the Update, Query, and Reply Messages

Form an EIGRP Relationship


Syntax:

router eigrp <autonomous system number, 1-65535>
network <network> [wildcard mask]

Example:

router eigrp 1
network 10.0.0.0

Without a wildcard mask the network statement is classful (10.0.0.0 above enables EIGRP on every
interface in 10.0.0.0/8); add one, e.g. network 10.1.1.0 0.0.0.255, to pick specific interfaces.

The Autonomous System Number must match on all routers in the EIGRP relationship (so must the K values)

EIGRP METRIC CALCULATION

<fc #cd5c5c><fs smaller>THESE ARE THE K VALUES THAT SHOW UP IN A HELLO ON A
PACKET TRACE; THEY WEIGHT THE METRIC CALCULATION AND MUST MATCH BETWEEN NEIGHBORS</fs></fc>

Bandwidth (K1) - default 1; uses the slowest link along the path
Delay (K3) - default 1; sum of the delays along the path
Reliability (K4 & K5) - default 0
Loading (K2) - default 0
MTU - carried in the update, but not used in the calculation

With the defaults the formula collapses to: metric = 256 * (10^7 / minimum bandwidth in kbps + sum of delays in microseconds / 10)

EIGRP Lab - Core Configuration

1. Configure EIGRP routing on all routers in autonomous system 90. Use network-specific
wild card masks at the lead office.
2. Verify the impact of auto-summarization, then disable it.
3. Introduce a manual summary route at the lead office. The more specific the route, the
better tasting your eggs.
4. Add a secondary connection to the Cereal router and verify equal cost load balancing is
working.
5. Modify the bandwidth on the secondary line to 1mbps. Adjust EIGRP to enable unequal
cost load balancing.
6. Modify the HELLO/HOLD timers on Cereal so fail-over occurs in less than 5 seconds (the hold
time you send is what the neighbor uses to declare you dead; unlike OSPF, the timers don't have to match on both ends).
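One example, added here and not from the original notes, that covers three passages above: the FD/AD terminology and feasibility condition, the K-value metric calculation, and the unequal-cost load balancing step of the lab. It implements the classic 32-bit EIGRP metric with the default K values, picks successor and feasible successors for one destination, and applies the variance multiplier. Router names and the bandwidth/delay figures are constructed; the destination is a placeholder.

```python
"""EIGRP composite metric, successor / feasible successor selection and
the variance check behind unequal-cost load balancing.

Added example, not part of the original notes. Classic (32-bit) metric
with K1=K3=1, K2=K4=K5=0 as IOS defaults; feasibility condition as stated
in the terminology section (AD < FD of the successor). Topology is
constructed.
"""
from dataclasses import dataclass

DEFAULT_K = (1, 0, 1, 0, 0)       # K1..K5; neighbors with different K values never peer


def eigrp_metric(min_bw_kbps, sum_delay_us, load=1, reliability=255, k=DEFAULT_K):
    """Classic metric. IOS truncates at every step, hence integer division."""
    k1, k2, k3, k4, k5 = k
    bw = 10_000_000 // min_bw_kbps        # scaled inverse of the slowest link
    dly = sum_delay_us // 10              # delay is carried in tens of microseconds
    metric = k1 * bw + (k2 * bw) // (256 - load) + k3 * dly
    if k5 != 0:
        metric = metric * k5 // (reliability + k4)
    return metric * 256


@dataclass(frozen=True)
class Advert:
    """One topology-table entry for a destination, learned from one neighbor."""
    via: str                  # neighbor that advertised the route
    nbr_min_bw_kbps: int      # slowest link on the neighbor's own path
    nbr_sum_delay_us: int     # total delay on the neighbor's own path
    link_bw_kbps: int         # our link to that neighbor
    link_delay_us: int


def advertised_distance(a):
    """AD (reported distance): the neighbor's own FD for the route."""
    return eigrp_metric(a.nbr_min_bw_kbps, a.nbr_sum_delay_us)


def feasible_distance(a):
    """FD: the route as seen from here, our link folded into min-bw and sum-delay."""
    return eigrp_metric(min(a.nbr_min_bw_kbps, a.link_bw_kbps),
                        a.nbr_sum_delay_us + a.link_delay_us)


def classify(adverts, variance=1):
    """Return (successor, feasible successors, routes installed in the RIB)."""
    ranked = sorted(adverts, key=feasible_distance)
    successor, fd = ranked[0], feasible_distance(ranked[0])
    # Feasibility condition: AD < FD(successor) proves the neighbor is not
    # routing back through us, so the backup is loop-free by construction.
    feasible = [a for a in ranked[1:] if advertised_distance(a) < fd]
    # 'variance N' installs any feasible successor whose FD <= N * FD(successor).
    installed = [successor] + [a for a in feasible if feasible_distance(a) <= variance * fd]
    return successor, feasible, installed


# Constructed topology: one destination learned from three neighbors.
TOPOLOGY = [
    Advert("A", nbr_min_bw_kbps=1_544,   nbr_sum_delay_us=20_000, link_bw_kbps=100_000, link_delay_us=100),
    Advert("B", nbr_min_bw_kbps=100_000, nbr_sum_delay_us=100,    link_bw_kbps=512,     link_delay_us=20_000),
    Advert("C", nbr_min_bw_kbps=10_000,  nbr_sum_delay_us=1_000,  link_bw_kbps=100_000, link_delay_us=100),
]

if __name__ == "__main__":
    for a in TOPOLOGY:
        print(f"via {a.via}: AD={advertised_distance(a):>9} FD={feasible_distance(a):>9}")
    for v in (1, 20):
        succ, feas, inst = classify(TOPOLOGY, variance=v)
        print(f"variance {v}: successor={succ.via} feasible={[a.via for a in feas]} "
              f"installed={[a.via for a in inst]}")
```

The point worth staring at: A has a far better FD than B, yet A is not a feasible successor (its AD of 2,169,856 is above C's FD of 284,160) while B, with a much worse FD, is. The condition is about loop-freedom, not about how good the backup is; variance then decides whether such a backup is also used for traffic.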

IPV6

Address size moved from <fc #ffa500>32-bit (IPv4)</fc> to <fc #008000>128-bit (IPv6)
</fc>
Provides 2^128 = 340,282,366,920,938,463,463,374,607,431,768,211,456 addresses (about 3.4 x 10^38)
Divided into 8 groups of 4 <fs smaller>HEX</fs> characters (0-F) to make it more
manageable (<fc #6495ed>16 bits per hextet</fc>)
2001:0050:0000:0000:0000:0AB4:1E2B:98AA
RULE 1: Replace one run of <fc #cd5c5c>consecutive all-zero hextets</fc> with :: (can only do this
once per address; use it on the longest run)
2001:0050::0AB4:1E2B:98AA
RULE 2: Drop <fc #cd5c5c>leading zeros</fc> within each hextet
2001:50::AB4:1E2B:98AA

/32 prefixes are assigned to providers
/48, /56, /64 prefixes are assigned to customers

Provider Independent Address (PI)
Obtain the prefix directly from your RIR (ARIN, the American Registry for Internet Numbers, in
North America); it stays yours if you change ISP
Provider Assigned Address (PA)
Sign up with an ISP and they'll assign you a prefix out of their block; change ISP and you renumber

EUI-64
Builds the 64-bit interface ID (the host half of a /64) from the interface's 48-bit MAC address
Splits the MAC in the middle, jams the characters <fc #9400d3>FFFE</fc> in between, and flips the
seventh bit of the first byte (the universal/local bit), so 00:1c:42:ab:cd:ef becomes 021c:42ff:feab:cdef

IPv6 OSPF Lab

1. <fs larger>Assign IPv6 Address</fs>
a. Just like IPv4 addressing (interface command; give it a host address, not the bare prefix)
I. ><fc #cd5c5c>ipv6 address 2001:db8:1:1::1/64</fc>
2. <fs larger>Configure OSPFv3</fs>
a. Enable IPv6 routing globally (off by default; no IPv6 gets forwarded or routed without it)
I. ><fc #cd5c5c>ipv6 unicast-routing</fc>
b. Manually Set router-id (still a 32-bit dotted-quad, even for IPv6)
I. ><fc #cd5c5c>ipv6 router ospf 1</fc>
A. ><fc #cd5c5c>router-id 53.53.53.53</fc>
c. Turn on OSPF on an Interface and Advertise Whatever Network is Assigned There (OSPFv3 has no
network statements; the process ID goes in the interface command)
I. ><fc #cd5c5c>interface g0/0</fc>
A. ><fc #cd5c5c>ipv6 ospf 1 area 0</fc>

IPv6 EIGRP Lab


Heavenly Beans has decided to move away from OSPFv3 in favor of EIGRP for IPv6.

Accomplish the following objectives:

Remove the OSPFv3 configuration from all routing devices.
><fc #cd5c5c>no ipv6 router ospf 1</fc> (removes the process and the per-interface ipv6 ospf 1 area statements with it)
Configure EIGRP for IPv6 to fully route the shown network.
><fc #cd5c5c>ipv6 router eigrp 1</fc>
><fc #cd5c5c>router-id 1.1.1.1</fc> (needed unless the router has an IPv4 address it can derive one from)
><fc #cd5c5c>no shutdown</fc> (Note that this isn't under an interface; on older IOS the process starts shut down)
><fc #cd5c5c>int g0/0</fc>
><fc #cd5c5c>ipv6 eigrp 1</fc>
Verify routing is functioning correctly with appropriate show commands (show ipv6 eigrp neighbors,
show ipv6 route eigrp) and ping-based testing.

WAN Technologies
Swaps out the comfortable Ethernet network for a network of uncomfortable Serial connections

WAN links define a <fc #cd5c5c>new type of L1 and L2</fc> connectivity

Uses <fs smaller><fc #6495ed>SERIAL PHYSICAL CONNECTIONS</fc></fs>,
unlike the connections used in a LAN
Different Data Link Layer (L2): HDLC or PPP instead of Ethernet, so no MAC addresses and no ARP; on a
point-to-point link there is only one possible recipient

Point to Point Terminology


WAN Link
Connects your building to something far away
Point-to-Point Link
Connects from one location directly to another location
Leased Line / Circuit / Link
Serial Line
T1 / E1 Line
Technically, a T1 line is a measure of speed (1.544mbps); E1 is the European
version (2.048mbps)
Point of Presence (POP)
The ISP's nearest facility, where your circuit terminates on their equipment
Sometimes your speed will vary depending on your distance to the POP

Point-to-Point Technologies Layer 2


PPP (Point-to-Point Protocol; feature rich)
Compression (trades CPU for bandwidth)
Callback
Multi-link
combines multiple WAN connections into a single pipe, adding the bandwidth of the
links together
true, down to the fragment, load-balancing across the member links
Authentication
PAP - Password Authentication Protocol
username and password sent in clear text; anyone on the path can read and reuse them
CHAP - Challenge Handshake Authentication Protocol
password never crosses the link; the peer answers a random challenge with an MD5 hash of
(ID + secret + challenge), so a captured exchange can't be replayed
HDLC (nothing there to unpack)
High Level Data-link Control
No features other than connecting routers together; Cisco's HDLC is proprietary, so use PPP when the
far end isn't Cisco

Configure PPP

<fc #cd5c5c>Remote side first</fc> (change the far end over the link before your own; once the two ends
disagree on encapsulation the line protocol drops, and if your end went first you've cut off your own access to the remote router)

interface s1/0
encapsulation ppp

<fc #cd5c5c>Local Interface Second</fc>

interface s1/0
encapsulation ppp

WAN Technologies Lab - PPP Configuration

1. <fs x-large>Configure the following network in its entirety using HDLC encapsulation for
the 64Kbps WAN link. Use static routing to provision full Lilo-to-Stitch office connectivity.
</fs>
a. Show encapsulation protocol and link speed (HDLC is the default on Cisco serial interfaces)
I. > show interfaces <interface>
b. Set static route
I. > ip route <destination network> <mask> <next-hop address or exit interface>
II. > ip route 10.1.1.0 255.255.255.0 172.16.1.1
2. <fs x-large>Convert the link to PPP encapsulation</fs>
a. >interface <interface>
I. >encapsulation ppp
3. <fs x-large>Configure PPP PAP authentication between Lilo and Stitch. Use the
appropriate debug commands to prove authentication is occurring.</fs>
a. Create Account (the username is the name the OTHER router will send, with the password it will send)
I. > username <hostname of other router> secret <password the other router sends>
II. > username Stitch secret ninja
b. Assign Credentials (what THIS router sends; the other side must hold a matching username entry)
I. > int s0/3/0
A. > ppp pap sent-username Lilo password fuzzy
c. Enable PAP (on the interface)
I. > ppp authentication pap
4. <fs x-large>Convert to using PPP CHAP authentication.</fs>
a. MUST HAVE SAME PASSWORD ON BOTH SIDES FOR CHAP (username <peer> secret X on each router, same X;
each router sends its own hostname as the CHAP name unless ppp chap hostname overrides it)
b. Create Account
I. > username <hostname of other router> secret <password>
c. Enable CHAP
I. > ppp authentication chap
5. <fs x-large>Add a second WAN link between Lilo and Stitch, also running at 64Kbps.
Engage PPP Multilink to double the bandwidth between the two locations.</fs>
a. Connect second WAN link
b. Build the bundle interface and move the IP address onto it (the remaining multilink commands, not
shown in the original notes, are filled in here)
I. > interface multilink 1
A. > ip address <address> <mask>
B. > ppp multilink
C. > ppp multilink group 1
c. On each member serial interface (no ip address on the members)
I. > interface <interface>
A. > encapsulation ppp
B. > ppp multilink
C. > ppp multilink group 1
d. Verify with > show ppp multilink
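The PAP versus CHAP difference from the Point-to-Point Technologies list, and the "same password on both sides" rule from lab steps 3 and 4, as one added example that is not part of the original notes. It simulates both exchanges with the RFC 1994 CHAP computation (MD5 over identifier + secret + challenge). Router names, secrets and challenge bytes are constructed to mirror the Lilo/Stitch lab; nothing here talks to a real router.

```python
"""PPP PAP versus CHAP on the wire.

Added example, not part of the original notes. PAP ships the credential
itself; CHAP ships a hash of a fresh challenge, so the secret stays on
the routers and a capture cannot be replayed. Names, secrets and
challenge values are constructed.
"""
import hashlib
import hmac
import os


def pap_authenticate_request(sent_username, password):
    """PAP: 'ppp pap sent-username X password Y' puts X and Y in the packet as-is.
    Whoever captures the frame has the credential."""
    return {"code": "Authenticate-Request", "peer-id": sent_username, "password": password}


def pap_verify(users, packet):
    """Authenticator: compare against its 'username <peer-id> secret' entry."""
    stored = users.get(packet["peer-id"], "")
    return hmac.compare_digest(stored.encode(), packet["password"].encode())


def chap_hash(identifier, secret, challenge_value):
    """RFC 1994: MD5(Identifier || secret || Challenge Value)."""
    return hashlib.md5(bytes([identifier]) + secret.encode() + challenge_value).digest()


def chap_challenge(authenticator_name, identifier, value=None):
    """Authenticator -> peer (Code 1). The value must be fresh and unpredictable."""
    return {"code": 1, "id": identifier,
            "value": value if value is not None else os.urandom(16),
            "name": authenticator_name}


def chap_response(challenge, my_name, secret):
    """Peer -> authenticator (Code 2). Only the hash crosses the link."""
    return {"code": 2, "id": challenge["id"],
            "value": chap_hash(challenge["id"], secret, challenge["value"]),
            "name": my_name}


def chap_verify(users, challenge, response):
    """Authenticator recomputes the hash with the secret it stores for the
    responding name, which is why both routers must hold the same secret."""
    if response["id"] != challenge["id"]:
        return False                             # answers some other challenge
    secret = users.get(response["name"])
    if secret is None:
        return False                             # no 'username <name> secret ...'
    expected = chap_hash(challenge["id"], secret, challenge["value"])
    return hmac.compare_digest(expected, response["value"])


def run_chap(users_on_authenticator, authenticator_name, peer_name, peer_secret,
             identifier=1, value=None):
    """One round trip: authenticator challenges, peer answers, authenticator checks."""
    ch = chap_challenge(authenticator_name, identifier, value)
    rsp = chap_response(ch, peer_name, peer_secret)
    return chap_verify(users_on_authenticator, ch, rsp)


# Constructed router state, i.e. what 'username <peer> secret <pw>' leaves behind.
PAP_USERS_ON_STITCH = {"Lilo": "fuzzy"}     # Lilo sends 'sent-username Lilo password fuzzy'
PAP_USERS_ON_LILO = {"Stitch": "ninja"}     # Stitch sends 'sent-username Stitch password ninja'
CHAP_USERS_ON_STITCH = {"Lilo": "wanda"}    # CHAP: the same secret has to sit on both sides
CHAP_USERS_ON_LILO = {"Stitch": "wanda"}

if __name__ == "__main__":
    pkt = pap_authenticate_request("Lilo", "fuzzy")
    print("PAP packet on the wire:", pkt, "->", pap_verify(PAP_USERS_ON_STITCH, pkt))
    # CHAP: Stitch challenges; Lilo answers with the secret it stores for Stitch.
    ok = run_chap(CHAP_USERS_ON_STITCH, "Stitch", "Lilo", CHAP_USERS_ON_LILO["Stitch"])
    bad = run_chap(CHAP_USERS_ON_STITCH, "Stitch", "Lilo", PAP_USERS_ON_LILO["Stitch"])
    print("CHAP with matching secrets:", ok, "/ with the PAP-style mismatched secrets:", bad)
```

With PAP the two routers can hold different passwords because each sends its own; with CHAP the verifier recomputes the hash from its own copy of the secret under the peer's name, so mismatched secrets simply fail. CHAP's hash is still MD5 over a static secret, so a captured challenge/response pair is an offline dictionary target; the page's "encrypted" shorthand means "not sent", not "protected against cracking".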

Internet Technology

Internet Technology Lab - PPPoE Configuration

1. Configure the Neo router fa0/0 to connect to the ISP with a PPPoE DSL connection
a. The Neo router should learn its public address dynamically
b. Use the hostname “CBTNuggets” with a password of “IsQuiteFun” to authenticate
2. Configure a default route out the Dialer interface you create on your router
3. Use the proper show commands to verify the PPPoE connection is working
4. Ping 4.2.2.2 or 8.8.8.8 to test internet connectivity

Answers

On NEO

interface dialer 1
# PPPoE adds 8 bytes to every Ethernet frame (a 6-byte PPPoE header plus the 2-byte PPP
# protocol ID), and the Ethernet MTU is 1500 bytes, so the IP packet inside can only be
# 1492 bytes. Without this, full-size packets get fragmented or silently dropped.
mtu 1492
encapsulation ppp
ip address negotiated
ppp chap hostname CBTNuggets
ppp chap password IsQuiteFun
dialer pool 1

int fa0/0
pppoe enable
pppoe-client dial-pool-number 1
no shutdown

ip route 0.0.0.0 0.0.0.0 dialer 1

Verify: show pppoe session lists the session and tells you which virtual-access interface it
landed on (the number varies), then

show interfaces virtual-access 2

VPN Solutions
VPN is used to send data securely over a public network

Four Key VPN Objectives


Confidentiality - Stopping prying eyes (encryption)
Authentication - Validate identity (pre-shared key or certificate; who is really at the other end of the tunnel)
Data Integrity - Preventing Change (make sure nobody modifies your data in transit; uses
hashing, an HMAC keyed by the tunnel's secret)
Anti-Replay - Eliminate Deja-vu (sequence numbers plus a sliding window, so a captured packet played back later is dropped)
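Two of the four objectives, integrity/authentication and anti-replay, in code, as an added example that is not part of the original notes. It follows the shape of IPsec ESP: a 32-bit sequence number and payload covered by an HMAC tag, checked at the receiver against the 64-packet sliding window from RFC 4303 section 3.4.3. Confidentiality (encryption of the payload) is deliberately left out; the key, packets and sequence numbers are constructed.

```python
"""Integrity check plus anti-replay window, in the style of IPsec ESP.

Added example, not part of the original notes. HMAC-SHA256 truncated to
128 bits covers sequence number and payload; a 64-packet bitmap window
rejects duplicates and stale packets. No encryption here. Keys and
packets are constructed.
"""
import hashlib
import hmac
import struct

WINDOW = 64                      # ESP default anti-replay window, in packets
TAG_LEN = 16                     # HMAC-SHA256-128, the truncation ESP uses


def protect(key, seq, payload):
    """Sender: seq (32-bit) || payload || tag. seq must only ever increase."""
    if not 1 <= seq <= 0xFFFFFFFF:
        raise ValueError("ESP sequence numbers run 1..2^32-1; rekey before wrapping")
    body = struct.pack("!I", seq) + payload
    tag = hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]
    return body + tag


class ReplayWindow:
    """Rece­iver state: highest sequence accepted plus a bitmap of the last WINDOW."""

    def __init__(self, key, window=WINDOW):
        self.key = key
        self.window = window
        self.top = 0           # highest sequence number accepted so far
        self.bitmap = 0        # bit i set == packet (top - i) already accepted

    def _check(self, seq):
        if seq == 0 or seq <= self.top - self.window:
            return "too old"                         # fell off the left edge of the window
        if seq <= self.top and (self.bitmap >> (self.top - seq)) & 1:
            return "replay"                          # inside the window, but already seen
        return "ok"

    def _mark(self, seq):
        if seq > self.top:                           # slide the window to the right
            self.bitmap = (self.bitmap << (seq - self.top)) & ((1 << self.window) - 1)
            self.bitmap |= 1
            self.top = seq
        else:                                        # late but new: set its bit
            self.bitmap |= 1 << (self.top - seq)

    def receive(self, packet):
        """Return (payload, 'ok') or (None, reason). Order matters: window check
        first (cheap), then the tag, and the window only moves after the tag
        verifies, so a forged packet with a huge sequence number cannot slide
        the window and lock out legitimate traffic."""
        if len(packet) < 4 + TAG_LEN:
            return None, "truncated"
        body, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
        seq = struct.unpack("!I", body[:4])[0]
        verdict = self._check(seq)
        if verdict != "ok":
            return None, verdict
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(expected, tag):
            return None, "bad tag"
        self._mark(seq)
        return body[4:], "ok"


if __name__ == "__main__":
    key = bytes(range(32))                           # constructed key
    rx = ReplayWindow(key)
    first = protect(key, 1, b"hello")
    for pkt in (first, first, protect(key, 10, b"x"), protect(key, 5, b"late")):
        print(rx.receive(pkt))
```

The window lets legitimately reordered packets (5 arriving after 10) through while a replayed packet, whether immediate or delayed past the window, is dropped; and because the tag is checked before the window is updated, an attacker without the key cannot advance `top`.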

VPN Options
Site-to-Site
Connect one location to another location permanently using the public internet (IPsec between two routers or firewalls)
Client (Remote Access - IPsec)
A VPN client on the user's machine builds the tunnel to a concentrator
SSLVPN
Remote access over TLS, from a browser or a thin client; gets through networks that block IPsec
DMVPN
Hub-and-spoke that builds spoke-to-spoke tunnels on demand (multipoint GRE + NHRP + IPsec)

GRE - Generic Routing Encapsulation

IPsec on its own is limited to IP unicast traffic, so it can't carry a routing protocol's multicast Hellos or non-IP traffic
GRE (RFC ()) fixes that: it wraps any packet in a new IP header, so OSPF/EIGRP multicast rides between the tunnel endpoints as plain unicast
GRE by itself is insecure (no encryption, no authentication; everything inside is readable on the path), so wrap it in IPsec if it crosses a public network
DMVPN relies heavily on multipoint GRE tunnels
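What a GRE packet actually looks like, as an added example that is not part of the original notes: it builds the packet the lab below relies on, an OSPF Hello addressed to 224.0.0.5 carried inside a unicast GRE tunnel (RFC 2784 base header, no key or checksum), then strips the tunnel headers back off from the outer packet alone, which is exactly what anyone on the path can do. Tunnel endpoints, inner addresses and the OSPF header bytes are constructed (the OSPF checksum is left zero).

```python
"""GRE encapsulation of an OSPF multicast packet (RFC 2784 header).

Added example, not part of the original notes. Outer IPv4 (unicast,
protocol 47) + 4-byte GRE header + inner IPv4 (multicast, protocol 89) +
OSPF header. Addresses are documentation ranges; the OSPF Hello is a
constructed header with its checksum left at zero.
"""
import struct

GRE_PROTO_IPV4 = 0x0800
IP_PROTO_GRE = 47
IP_PROTO_OSPF = 89
OSPF_ALL_SPF_ROUTERS = "224.0.0.5"


def ipv4_checksum(header):
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src, dst, proto, payload_len, ttl=64):
    """Minimal 20-byte IPv4 header with a correct checksum."""
    src_b, dst_b = bytes(map(int, src.split("."))), bytes(map(int, dst.split(".")))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0, src_b, dst_b)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def gre_header(proto=GRE_PROTO_IPV4):
    """RFC 2784 base header: C=0, reserved0=0, version=0, then the payload protocol type."""
    return struct.pack("!HH", 0x0000, proto)


def gre_encapsulate(tunnel_src, tunnel_dst, inner_packet):
    gre = gre_header()
    outer = ipv4_header(tunnel_src, tunnel_dst, IP_PROTO_GRE, len(gre) + len(inner_packet))
    return outer + gre + inner_packet


def parse_ipv4(packet):
    """Return (src, dst, proto, payload); rejects bad versions and checksums."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl or ipv4_checksum(packet[:ihl]) != 0:
        raise ValueError("bad IPv4 header")
    src = ".".join(map(str, packet[12:16]))
    dst = ".".join(map(str, packet[16:20]))
    return src, dst, packet[9], packet[ihl:]


def gre_decapsulate(packet):
    """Return (tunnel src, tunnel dst, inner packet). Only GRE version 0 / IPv4 payload."""
    src, dst, proto, payload = parse_ipv4(packet)
    if proto != IP_PROTO_GRE or len(payload) < 4:
        raise ValueError("outer packet is not GRE")
    flags_ver, ptype = struct.unpack("!HH", payload[:4])
    if flags_ver & 0x0007:
        raise ValueError("only GRE version 0 is handled")
    if ptype != GRE_PROTO_IPV4:
        raise ValueError("unexpected payload protocol 0x%04x" % ptype)
    offset = 4 + (4 if flags_ver & 0x8000 else 0)   # C bit adds checksum + reserved1
    return src, dst, payload[offset:]


def build_ospf_hello(router_id, area_id="0.0.0.0"):
    """Constructed OSPFv2 header, type 1 (Hello), empty body, checksum left 0."""
    rid = bytes(map(int, router_id.split(".")))
    area = bytes(map(int, area_id.split(".")))
    return struct.pack("!BBH4s4sHH8s", 2, 1, 24, rid, area, 0, 0, b"\x00" * 8)


def tunnel_ospf_hello(tunnel_src, tunnel_dst, tunnel_if_ip, router_id):
    """The multicast Hello as it leaves the tunnel interface: unicast on the outside."""
    hello = build_ospf_hello(router_id)
    inner = ipv4_header(tunnel_if_ip, OSPF_ALL_SPF_ROUTERS, IP_PROTO_OSPF, len(hello), ttl=1) + hello
    return gre_encapsulate(tunnel_src, tunnel_dst, inner)


def what_an_eavesdropper_sees(packet):
    """Everything inside is plaintext: inner addresses, protocol and the OSPF Router ID."""
    outer_src, outer_dst, inner = gre_decapsulate(packet)
    in_src, in_dst, in_proto, ospf = parse_ipv4(inner)
    return {"outer": (outer_src, outer_dst), "inner": (in_src, in_dst, in_proto),
            "ospf_router_id": ".".join(map(str, ospf[4:8]))}


if __name__ == "__main__":
    pkt = tunnel_ospf_hello("203.0.113.10", "198.51.100.20", "192.168.1.1", "1.1.1.1")
    print(pkt.hex())
    print(what_an_eavesdropper_sees(pkt))
```

Nothing in the GRE header ties the packet to a sender or protects the payload; anyone who can inject an outer packet toward the tunnel destination with the right protocol type gets it accepted, which is why the CIO's "unencrypted tunnel" also wants IPsec (or at minimum a tunnel key and an ACL on the outer interface) before it touches the internet.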

GRE Lab

<fs x-large>Fish Store 29 needs to get connected to the Corporate office. The new Fifi's
Flopping Fish CIO is convinced that network security is a scam and would like to deploy an
unencrypted tunnel between Store 29 and the corporate offices. You must set up this tunnel and
ensure routing is fully functional between the locations.</fs>

1. Implement a GRE tunnel between the Nemo and Eel routers using the 192.168.1.0/24
subnet for internal IP addressing.
2. Configure OSPF routing between the two offices. OSPF should advertise the LAN and
WIFI networks at Store 29 to the corporate office; however, it should not send HELLO
messages out the LAN interfaces (passive-interface). OSPF communications should only occur within the
GRE tunnel.
3. Verify you have achieved the objectives by confirming OSPF neighbor relationships and
routing tables.
