CCNA certification (1)
I. CCNA Learning Outline
1. The seven-layer OSI model and the network devices that work at each layer (such as routers and switches)
2. Working principles of network devices and basic IOS commands
3. Routing technology (RIP, IGRP, VPN, OSPF)
4. Switching technology (VLAN, STP)
5. Network security technology (ACL)

1. What is a network? A group of intermediate systems (network devices) and end systems (PCs and servers) interconnected by media (cables).
2. What does a network do? It lets applications share resources by transmitting information between them.
3. How is a network built? By choosing a network topology.
All intermediate systems amplify or reconstruct the signal. Network availability is evaluated by bandwidth and delay. Networks are classified by scope. Common LAN technologies: Ethernet, Token Ring, FDDI. Ethernet is based on shared media; the three main LAN media access control methods are Carrier Sense Multiple Access with Collision Detection (CSMA/CD), Token Ring access control, and Token Bus access control.
Hub (a device that works at the OSI physical layer): a hub can be thought of as the earliest form of switch. It is a Layer 1 device and cannot interpret any control information; its forwarding mechanism is signal amplification or reconstruction plus flooding, and it does not split frames. All devices connected to a hub are in the same collision domain. Half-duplex operation and flooding cause collisions. Resolution: the CSMA/CD mechanism. CSMA/CD lets devices share the bandwidth and avoids two devices transmitting on the shared medium at the same time. The principle of CSMA/CD means it can only work in half-duplex mode, so every device connected to a hub works in half duplex and cannot use full duplex.
I think the physical structure of a hub or bus network determines that it can only use half-duplex communication, and CSMA/CD is used to avoid collisions! There is no necessary connection between CSMA/CD and the communication mode!
In full-duplex mode, each port of a Layer 2 switch is its own collision domain, which makes full-duplex communication possible.
How a switch works (flood unknown frames, forward known frames): frames are forwarded intelligently based on the MAC address table. When a frame arrives, the switch learns its source MAC address and the port it arrived on. If the destination MAC address is not in the MAC address table, the switch floods the frame out of every port except the one it arrived on. Entries in the switch's MAC address table normally have an aging time of 300 s, and if a MAC address is later seen on a different port the CAM table entry is updated. The CAM (content-addressable memory) table hashes the (MAC address, port, VLAN) of each PC connected to a switch interface into a fixed-size binary table that contains only 0s and 1s.
How are CAM table entries generated? Static configuration (never expires) or dynamic learning (subject to the aging time), which is strongly recommended.
How does a switch avoid collisions? (Backplane switching matrix + backplane bus.) When one port communicates with another there is an independent path between them, so there is no collision. When several ports send to the same port there is still no collision, because each port has a buffer. The backplane switching matrix physically connects the ports to each other.
Optical and electrical ports: optical ports carry optical signals and connect to optical fiber. The optical ports on a switch usually come in pairs, one TX (transmit) and one RX (receive), and normally require an optical module to be plugged into the switch.
What are single-mode and multi-mode optical fiber?
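The learning, flooding and aging behaviour described above, as an added Python simulation that is not code from the original notes: the MAC addresses are constructed, the 300 s aging time is the default the notes mention, and broadcast and multicast destinations are always flooded because a switch never learns a group address as a source.

```python
# Simulation of the switch forwarding behaviour described above.
# Added example, not from the original notes; MAC addresses are constructed.
from dataclasses import dataclass

AGING_TIME = 300.0  # seconds; the default aging time the notes mention


def is_group_address(mac: str) -> bool:
    """Broadcast and multicast MACs have the I/G bit (LSB of the first
    octet) set. A switch never learns such an address as a source."""
    return bool(int(mac.split(":")[0], 16) & 0x01)


@dataclass
class CamEntry:
    port: int
    learned_at: float      # time the entry was learned or last refreshed
    static: bool = False   # static entries never age out


class Switch:
    def __init__(self, ports):
        self.ports = list(ports)
        self.cam = {}      # MAC address -> CamEntry (the CAM table)

    def add_static(self, mac: str, port: int) -> None:
        """Statically configured entry: never expires, never moves."""
        self.cam[mac.lower()] = CamEntry(port, 0.0, static=True)

    def _expire(self, now: float) -> None:
        """Drop dynamic entries that have been silent longer than AGING_TIME."""
        stale = [m for m, e in self.cam.items()
                 if not e.static and now - e.learned_at > AGING_TIME]
        for mac in stale:
            del self.cam[mac]

    def _learn(self, src: str, in_port: int, now: float) -> None:
        """Learn (or refresh, or move) the source MAC on the ingress port."""
        if is_group_address(src):
            return                     # invalid source; nothing to learn
        entry = self.cam.get(src)
        if entry is not None and entry.static:
            return                     # static entries are not overwritten
        if entry is None or entry.port != in_port:
            self.cam[src] = CamEntry(in_port, now)   # new, or MAC moved port
        else:
            entry.learned_at = now     # same port: restart the aging timer

    def receive(self, src: str, dst: str, in_port: int, now: float) -> list:
        """Process one frame; return the list of egress ports."""
        src, dst = src.lower(), dst.lower()
        self._expire(now)
        self._learn(src, in_port, now)
        entry = self.cam.get(dst)
        if is_group_address(dst) or entry is None:
            # broadcast, multicast, or unknown unicast: flood out every
            # port except the one the frame came in on
            return [p for p in self.ports if p != in_port]
        if entry.port == in_port:
            return []                  # destination on the ingress segment: filter
        return [entry.port]            # known unicast: forward out one port
```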
Optical fiber is divided into single-mode and multi-mode fiber according to the number of modes it carries. A "mode" is a beam of light entering the fiber at a particular angle. Single-mode fiber uses a solid-state laser as its light source, while multi-mode fiber uses a light-emitting diode. Multi-mode fiber lets several beams of light travel through the fiber at the same time, which causes modal dispersion (because each "mode" enters the fiber at a different angle, the beams reach the far end at different times). Modal dispersion limits the bandwidth and distance of multi-mode fiber. Multi-mode fiber therefore has a thicker core, a lower transmission speed, a shorter reach, and poorer overall transmission performance, but it is cheaper, so it is generally used within a building or between nearby sites. Single-mode fiber carries only one beam of light, so it has no modal dispersion; its core is smaller and its transmission frequency, bandwidth, capacity, and reach are greater, but it costs more because it needs a laser source.
How do you tell single-mode from multi-mode fiber? The simplest way is the color of the fiber jacket: *** is single-mode, while orange is multi-mode.
Optical module: an external optical module consists of optical components, functional circuitry, and an optical interface. It has two parts, a transmitter and a receiver. A fiber is typically a one-direction medium, so two fibers are required, one for receiving and one for sending. Simply put, the optical module performs electro-optical conversion: the transmitter converts an electrical signal into an optical signal, and after transmission over the fiber the receiver converts the optical signal back into an electrical signal. The main function of an integrated optical transceiver module is optical-to-electrical and electrical-to-optical conversion, including optical power control, modulation and transmission, signal detection, I/V conversion, limiting amplification and decision regeneration; it also provides functions such as anti-counterfeit information query and TX-disable. Common form factors are SFP, SFF, SFP+, GBIC, XFP, and 1x9. SFP stands for small form-factor pluggable and can be thought of as an upgraded GBIC: an SFP module is half the size of a GBIC, about the size of a thumb, so more than twice as many ports fit on the same panel; otherwise its functions are basically the same as GBIC. Some switch vendors call the SFP module a mini GBIC (MINI-GBIC).
Electrical port: an electrical port is an ordinary network port. Gigabit switch ports support 10 M/100 M/1000 M: 10 M Ethernet (Ethernet); 100 M Fast Ethernet (FastEthernet, FE, 10/100 M); 1000 M Gigabit Ethernet (GigabitEthernet, GbE, 10/100/1000 M). Cable categories: Cat 5 supports 100 M Ethernet; Cat 5e supports Gigabit Ethernet; Cat 6 supports Gigabit Ethernet. 10/100 M Ethernet uses only wires 1, 2 (send) and 3, 6 (receive); Gigabit Ethernet uses all 8 wires. It should be mentioned that, because 10/100 M uses only wires 1, 2, 3, 6, a PoE switch can supply power over the other wires; which wires are used varies between manufacturers. How is PoE supplied over a gigabit cable?
All eight wires of a gigabit cable are used for both data transmission and power supply. Why might a gigabit NIC connected to another gigabit NIC fail to come up at gigabit speed? 1. NIC driver problems; 2. oxidation of the RJ45 plug; 3. the network cable (Cat 5, or only wires 1, 2, 3, 6 connected).
Broadcast: one-to-all. Multicast: one-to-many. The difference between broadcast and multicast is that broadcast is mandatory for every receiver while multicast is not. Unicast: one-to-one. Because a switch learns its CAM table from source MAC addresses, broadcast and multicast addresses are never learned, so the switch can only flood broadcast and multicast frames. Router: by default, broadcast and multicast traffic is not forwarded. Network segment: the broadcast domain, bounded by a network device.
Campus network: gigabit at the access layer, aggregated to a core of at least 10 Gigabit.
High-end solution (all Cisco devices). Access layer: Cisco Catalyst 2960. Aggregation layer (Layer 3 switches): 1. aggregate the access-layer switches; 2. define policies; Cisco Catalyst 3560-X and Cisco Catalyst 3750-X. Core layer: high optical-port density, high-speed forwarding, no policy; its only purpose is to forward traffic quickly: Cisco Catalyst 4500, Cisco Catalyst 6500.
Budget solution (the most cost-effective, Huawei series). Access layer: S1724. Aggregation layer: S5700.
Router internal components: a router is very similar to a PC, just a PC with a special function.
RAM: similar to PC memory; holds the running-config. ROM. Flash: similar to a PC hard disk. NVRAM: holds the startup configuration file startup-config; unlike RAM it is non-volatile. Configuration register: similar to some BIOS settings. Interfaces. CPU. Backplane: similar to a PC motherboard.
Router power-on boot sequence: 1. perform the power-on self-test (POST) to check that the hardware is OK; 2. load and run the bootstrap code; 3. find the Cisco IOS software (flash -> ROM); 4. load the Cisco IOS software (decompress it and load the operating system into RAM); 5. find the configuration; 6. load the configuration; 7. run the configured Cisco IOS software.
Now to Cisco's core product, the Internetwork Operating System. The operating system software used by Cisco routers is called Cisco Internetwork Operating System (IOS). Like the operating system on a computer, Cisco IOS manages the router's hardware and software resources, including memory allocation, processes, security, and file systems. Cisco IOS is a multitasking operating system that integrates routing, switching, internetworking, telecommunications, and other functions. Although Cisco IOS looks the same on many routers, there are actually different IOS images. An IOS image is a file containing the complete IOS for a given router. Cisco builds many different IOS images according to router model and the features included in IOS; generally, the more features an IOS has, the larger the image, and so the more flash memory and RAM are needed to store and load it. Example features are the ability to run IPv6 or to let the router perform NAT (network address translation). Like other operating systems, Cisco IOS has its own user interface: although some routers offer graphical user interfaces (GUIs), the command-line interface (CLI) is the most common way to configure Cisco routers. When a router starts, the startup-config file in NVRAM is copied to RAM and kept there as the running-config file.
IOS then executes the configuration commands in running-config. Any changes the network administrator enters are stored in running-config and executed by IOS immediately.
The startup process has four main stages: 1. run POST; 2. load the bootstrap program; 3. find and load the Cisco IOS software; 4. find and load the startup configuration file, or enter setup mode.
1. Executing POST. The power-on self-test (POST) is a process every computer goes through at startup; on a router it tests the hardware. When the router is powered on, software on the ROM chip executes POST, running diagnostics on several hardware components including the CPU, RAM, and NVRAM. When POST completes, the router runs the bootstrap program.
2. Loading the bootstrap program. After POST, the bootstrap program is copied from ROM into RAM, where the CPU executes its commands. The bootstrap program's main task is to find Cisco IOS and load it into RAM. Note: if you are connected to the router console, the output is shown on the screen.
3. Finding and loading Cisco IOS. IOS is normally stored in flash memory, but it may also be stored elsewhere, such as on a TFTP (Trivial File Transfer Protocol) server. If a complete IOS image cannot be found, a limited version of IOS (the ROM monitor) is copied from ROM into RAM; it is used to diagnose problems or to load the full IOS into RAM. Note: a TFTP server is usually used as a backup for IOS, but it can also serve as a central point for storing and loading IOS; IOS management and TFTP servers are covered in later courses. Loading IOS: some older Cisco routers could run IOS directly from flash, but today's routers copy IOS into RAM for the CPU to execute.
Note: once IOS starts loading, you may see a string of pound signs (#) while the image is decompressed.
4. Finding and loading the configuration file. After IOS is loaded, the bootstrap program looks for the startup configuration file (startup-config) in NVRAM. This file holds the previously saved configuration commands and parameters, including interface addresses, routing information, passwords, and any other configuration saved by the network administrator. If startup-config exists in NVRAM, it is copied into RAM as the running configuration file, running-config. Note: if no startup configuration file exists in NVRAM, the router may look for a TFTP server: if it detects an active link to a configured router, it broadcasts over that link looking for a configuration file. This pauses the router, and you will eventually see console messages like:
%Error opening tftp://255.255.255.255/network-confg (Timed out)
%Error opening tftp://255.255.255.255/cisconet.cfg (Timed out)
Executing the configuration file: if the startup configuration file is found in NVRAM, IOS loads it into RAM as running-config and executes the commands in the file line by line. running-config contains the interface addresses, can start routing processes, and configures router passwords and other features.
Entering setup mode (optional): if no startup configuration file is found, the router prompts you to enter setup mode, a series of questions asking for basic configuration information. Setup mode is not suitable for complex router configurations, and network administrators generally do not use it.
When you start a router that has no startup configuration file, the following prompt appears after IOS loads:
Would you like to enter the initial configuration dialog? [yes/no]: no
This course does not use setup mode to configure the router; always answer no when prompted. If you answer yes and enter setup mode, you can press Ctrl-C at any time to abort it. When setup mode is not used, IOS creates a default running-config, a basic configuration file containing the router's interfaces, the management interface, and certain default information; it contains no interface addresses, routing information, passwords, or other specific configuration.
The show version command during router startup helps you test and troubleshoot the router's basic hardware and software components. It displays the version of the Cisco IOS software currently running on the router, the bootstrap program version, and hardware configuration information (including the system memory size). The output of show version includes:
IOS: "Cisco Internetwork Operating System Software IOS (tm) C2600 Software (C2600-I-M), Version 12.2(28), release software (fc5)". This is the version of Cisco IOS in RAM, which is the version the router is running.
ROM bootstrap program: "ROM: System Bootstrap, Version 12.1(3r)T2, release software (fc1)". This is the version of the system bootstrap software (used originally to start the router) stored in ROM.
IOS location: "System image file is "flash:c2600-i-mz.122-28.bin"". This shows where the bootstrap program loaded Cisco IOS from and the full file name of the IOS image.
CPU and RAM size: "cisco 2621 (MPC860) processor (revision 0x200) with 60416K/5120K bytes of memory". The first part of this line shows the router's CPU type.
The last part of the line shows the DRAM size. Some router series (such as the 2600) use part of DRAM as packet memory, which buffers packets. To determine the total DRAM on the router, add the two numbers. In this example, the Cisco 2621 has 60,416 KB (kilobytes) of DRAM available for temporary storage of Cisco IOS and other system processes, and the remaining 5,120 KB is dedicated to packet memory; the sum is 65,536 K, that is, 64 MB of DRAM in total. Note: when upgrading IOS you may need to upgrade the RAM.
Interfaces: "2 FastEthernet/IEEE 802.3 interface(s)" and "2 Low-speed serial (sync/async) network interface(s)". This shows the router's physical interfaces; the Cisco 2621 in this example has two Fast Ethernet interfaces and two low-speed serial interfaces.
NVRAM size: "32K bytes of non-volatile configuration memory". This is the NVRAM size on the router; NVRAM stores the startup-config file.
Flash size: "16384K bytes of processor board System flash (Read/Write)". This is the flash size on the router; flash permanently stores Cisco IOS. Note: you may need to upgrade flash when upgrading IOS.
Configuration register: "Configuration register is 0x2102". The last line of the show version output shows the current value of the software configuration register (in hexadecimal). If a second value appears in parentheses, it is the configuration register value to be used at the next reload. The configuration register serves several purposes, such as password recovery. The factory default is 0x2102, which tells the router to load the Cisco IOS image from flash and the startup configuration file from NVRAM. The configuration register can change the order in which IOS is searched for.
But if there are several IOS images in flash, which one is loaded? The configuration register cannot choose; the boot system command can. The boot system command is saved in the startup configuration file in NVRAM. Some of you may be confused: according to the boot process above, by the time the configuration file in NVRAM is read, IOS has already been loaded, so what use is it? In fact the boot system command in NVRAM is special: it alone is executed before the Cisco IOS software is located. (Router startup process: loading the configuration file.) IOS was developed on the basis of UNIX, so it borrows many UNIX ideas and commands. IOS is strongly tied to its hardware platform: a switch can only run switch IOS and a router can only run router IOS, and each switch or router model can only run particular IOS versions. IOS is a hierarchical system; its privilege system is divided into levels 0 to 15.
R1> show privilege
Current privilege level is 1
R1> enable
R1# show privilege
Current privilege level is 15
We can see [user mode: privilege 1] and [privileged mode: privilege 15]. In privileged mode you can perform any operation IOS supports. Mode changes: configure terminal (abbreviation: config t) enters global configuration mode. Special configuration modes: interface configuration mode; sub-interface mode (a sub-interface lets you create a logical interface on the router); line configuration mode (configures the [management] interfaces). Verify the running state of the router's hardware and software with the show and debug commands. show interfaces and show ip interface brief are useful when verifying the router configuration and troubleshooting router and network faults. The debug command must be used with caution, and it is best not to use it at all: debug all, debug ip packet detail, no debug all, no debug ip packet detail. Interfaces on network devices are brought up with the no shutdown command.
R1(config)# ip domain-name cisco.com        # add a domain name. Router/switch behaviour: when you type a string that is not a command, the device assumes you want to resolve a host name, which is extremely slow.
R1(config)# no ip domain lookup             # disable domain name resolution
R1(config)# ip name
R1(config)# ip name-server 114.114.114.114  # specify the domain name server
R1(config)# line con 0
R1(config-line)# exe
R1(config-line)# exec-ti
R1(config-line)# exec-timeout 0 0           # the session never times out (convenient in a lab; on production devices keep a finite timeout)
R1(config-line)# loggin
R1(config-line)# logging sync
R1(config-line)# logging synchronous        # enable log synchronization
R1(config-line)#
# Save the configuration, RAM -> NVRAM (three methods work on a real device)
R1# copy running-config startup-config      # the form required in the CCNA exam
Destination filename [startup-config]?
Building configuration...
[OK]
R1# write
Building configuration...
[OK]
R1# write memory
Building configuration...
[OK]
# Permanently erase the startup configuration file
R1# erase startup-config
Configuration management functions: host name, banner, passwords, interface description (description). These features do not make a router or switch perform better or run faster, but trust me: as long as you spend the time to set them on every network device, your work will be easier, because troubleshooting and maintaining the network becomes much simpler.
R1# config t
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)# hostname Router
Router(config)# banner motd #hello world#
Router(config)#
Password settings: five types of password are used to secure a Cisco router: the console password, the auxiliary port password, the remote login (vty) password, the enable password (enable password), and the enable secret password (enable secret). The enable password and enable secret control access to privileged mode; the user must supply the password when running the enable command. The other three control entry into user mode through the console port, the auxiliary port, and telnet. Do not forget to run the login command; otherwise no authentication is performed at all. When we log in to a network device by telnet or local management, only one password is required. That is convenient, but it is a security risk; in addition, telnet transmits in plain text, so the account and password are easily intercepted. How to improve device security? AAA authentication, suitable for medium and large enterprises; local database authentication; and SSH instead of telnet. Cisco routers support centralized AAA (authentication/authorization/accounting), but that requires deploying a Cisco ACS (Access Control Server). If the number of network devices is small, you can use the Cisco router's local authentication and authorization functions without deploying Cisco ACS. The following is an example of local authentication and authorization for telnet access to router r1:
(1) Create an account and password for the telnet user (a user's level is 1, the lowest, by default):
 # hostname r1
 # username aaa password cisco
(2) Set a privileged password for level 2 (the default level is 15, which has all permissions):
 # enable secret level 2 CISCO
(3) Authorize level-2 privileged users (allow only the router and network commands):
 # privilege exec level 2 configure terminal   allows the privileged command config t
 # privilege configure level 2 router          allows the global command router
 # privilege router level 2 network            allows the routing-process command network
(4) Set the telnet access method for router r1 to verify against the local user database:
 # line vty 0 4
 # login local
(5) When telnetting to r1, the system first prompts for a username and password. User aaa is then in user mode (a level 1 user) and can run only the small user-mode command set. After running enable 2 and entering the correct password, the user can run config t, router, and network, but no other commands; local authentication and authorization have succeeded.
# Create a local user
R1(config)# username admin password cisco
R1(config)# username admin privilege 15 password cisco   # grant the privilege level
# Enable local authentication
R1(config)# line vty 0 4
R1(config-line)# login local
SSH Logon
Enabling SSH on Cisco IOS and disabling Telnet. Command summary:
 username admin privilege 15 password Admin-Password   creates a system administrator called admin
 ip domain name MyDomain.com                           sets the domain name
 crypto key generate rsa                               generates the RSA key pair used for authentication (use a key of at least 768 bits)
 line vty 0 4                                          enters vty configuration
 transport input ssh                                   allows only SSH logins
1. Configure the hostname and ip domain-name:
Router# configure terminal
Router(config)# hostname R2             // when configuring SSH, the router name cannot be Router
R2(config)# ip domain-name cisco.com    // configure a domain name; SSH requires one
2. Configure local authentication:
R2(config)# username admin password 123
or
R2(config)# username admin privilege 15 password 123
Note: this adds a user admin with password 123.
3. Enable local authentication on the vty lines:
R2(config)# line vty 0 4                // enter vty line configuration mode
R2(config-line)# transport input ssh    // set the vty login method to SSH; by default every protocol is allowed, so this disables telnet
R2(config-line)# login local
R2(config)# aaa authentication login default local   // enable AAA authentication against the local user database
4. Configure the SSH service:
R2(config)# crypto key generate rsa
The name for the keys will be: R2.cisco.com
Note: the SSH key name is hostname + "." + ip domain-name.
Choose the size of the key modulus in the range of 360 to 2048 for your
  General Purpose Keys. Choosing a key modulus greater than 512 may take
  a few minutes.
How many bits in the modulus [512]:
Note: the key length is chosen here; Cisco recommends 1024 (today a 2048-bit modulus is the usual minimum).
Generating RSA keys...
[OK]
Or:
R2(config)# crypto key generate rsa general-keys modulus 1024   // generate a 1024-bit RSA key pair (note: in Cisco IOS, RSA supports 360 to 2048 bits)
The principle of the algorithm: the host distributes its public key to the clients; when a client accesses the host, it encrypts data with the host's public key and the host decrypts it with its own private key, which implements host key authentication and establishes a reliable identity for the client. The SSH service is now running. To stop it, run:
R2(config)# crypto key zeroize rsa
5. After setting the SSH parameters, check with show run and show ip ssh:
SSH Enabled - version 1.9
Authentication timeout: 120 secs; Authentication retries: 3
These are the default SSH parameters: a timeout of 120 seconds and three authentication retries. They can be changed with:
R2(config)# ip ssh {[time-out seconds] | [authentication-retries integer]}
For example, to set the timeout to 120 seconds: R2(config)# ip ssh time-out 120
To set the number of retries to 3: R2(config)# ip ssh authentication-retries 3
SSH is now configured on the router and you can log in securely over SSH.
R2(config)# ip ssh version 2            // force SSH version 2
6. Remote SSH connection. To log in to this router over SSH from another device: r1# ssh -v 2 -l best 192.168.0.2
Notes: 1. Why does the SSH configuration require a domain name? When configuring SSH login, a 1024-bit RSA key is generated, and the key is named after the router's hostname joined to the DNS domain name. 2. During configuration, the 7200 IOS used could not accept the aaa authentication login default local command; after skipping that command, the user could not log on. The aaa new-model command enables the new access-control commands and functions (and disables the old ones). This command is fine: once this mode is enabled, many aaa commands become available, including the one used in the experiment.
I skipped that step in the experiment and could still log on via SSH; it seems that local verification is the default. In addition, after AAA is enabled, all lines except the console are authenticated by AAA.
3. Changing the default SSH port; the configuration is as follows:
access-list 100 permit tcp any any eq 9022
ip domain name cisco.com                      # configure the domain name
crypto key generate rsa modulus 1024          # generate the key
username ciscort privilege 15 password 0 cisco@2012   # configure the username and password
ip ssh port 9022 rotary 1                     # move the SSH port to 9022
ip ssh version 2                              # configure SSH v2
line vty 0 4
 login local                                  # configure local authentication
 rotary 1
 access-class 100 in
 transport input telnet ssh
Note that transport input telnet ssh still leaves telnet enabled on these lines; transport input ssh, as configured earlier, keeps them SSH-only.
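A small audit of the settings this section keeps coming back to (login local on the vty lines, Telnet still allowed by transport input, exec-timeout 0 0, enable password versus enable secret, type-0 user passwords, ip ssh version 2), as an added Python example that is not part of the original notes; the running-config it checks is constructed for the demonstration.

```python
# Audit a Cisco IOS running-config for the remote-access weaknesses discussed
# above. Added example, not from the original notes; SAMPLE_CONFIG is constructed.
import re

SAMPLE_CONFIG = """\
hostname R2
enable password cisco
username admin privilege 15 password 0 123
ip domain-name cisco.com
ip ssh version 1
line con 0
 exec-timeout 0 0
 logging synchronous
line vty 0 4
 transport input telnet ssh
line vty 5 15
 login local
 transport input ssh
"""

# "username X ... password <pw>" or "password 0 <pw>": a cleartext (type 0) password
TYPE0_USER = re.compile(r"^username (\S+) .*?password (?:0 )?\S+$")


def parse_lines(config: str) -> dict:
    """Group each 'line ...' block with its indented sub-commands."""
    sections, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("line "):
            current = raw.strip()
            sections[current] = []
        elif raw.startswith(" ") and current is not None:
            sections[current].append(raw.strip())
        else:
            current = None              # back at the global configuration level
    return sections


def audit(config: str) -> list:
    """Return one finding string per weak setting (an empty list means clean)."""
    findings = []
    global_cmds = [l.strip() for l in config.splitlines()
                   if l and not l.startswith(" ")]
    if any(c.startswith("enable password ") for c in global_cmds):
        findings.append("global: 'enable password' used; prefer 'enable secret'")
    for c in global_cmds:
        m = TYPE0_USER.match(c)
        if m and " secret " not in c:
            findings.append(f"global: username {m.group(1)} has a type-0 "
                            "cleartext password; prefer 'username ... secret'")
    if "ip ssh version 2" not in global_cmds:
        findings.append("global: 'ip ssh version 2' not set; SSHv1 may be negotiated")
    aaa = "aaa new-model" in global_cmds   # with AAA enabled, vty authentication comes from AAA
    for header, cmds in parse_lines(config).items():
        if "exec-timeout 0 0" in cmds:
            findings.append(f"{header}: 'exec-timeout 0 0' means sessions never time out")
        if not header.startswith("line vty"):
            continue
        if not aaa and not any(c == "login" or c.startswith("login ") for c in cmds):
            findings.append(f"{header}: no 'login'/'login local', access is unauthenticated")
        transport = next((c for c in cmds if c.startswith("transport input")), None)
        if transport is None:
            findings.append(f"{header}: no 'transport input', every protocol is accepted by default")
        elif any(p in ("telnet", "all") for p in transport.split()[2:]):
            findings.append(f"{header}: '{transport}' still accepts cleartext Telnet")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```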
Leaving a mode: exit goes back one level at a time; end returns directly to privileged mode; Ctrl+Z also returns directly to privileged mode.
Router interfaces: on a non-modular router, select an interface with the command interface type number. On a modular router, use interface type slot/port. ISR-series routers need three numbers: the first is the router itself, the second is the slot number, and the third is the port number. It looks a little troublesome, but it is not difficult. We recommend always checking the running configuration output first: do show run | begin inter. To disable an interface, use the interface configuration command shutdown; to enable it, use no shutdown.
Router(config)# int f0/0
Router(config-if)# ip add 172.16.10.2 255.255.255.0
Router(config-if)# no shutdown
After configuring an interface, do not forget to enable it with no shutdown, and do not forget to check the output of show running-config or show interface to see whether the interface is administratively down. Interface status: up/down: a logical error; down/down: a bad interface or a bad line; administratively down: the port was manually shut down.