Jose Luis Flores / Amel Walkinshaw CCNA 200-120 Training 2.4 Verify network status and switch operation using basic utilities such as Aug, 2015 Jose Luis Flores / Amel Walkinshaw
2.0 LAN Switching Technologies 2.4 Verify network status and switch operation using basic utilities such as 2.4.a ping 2.4.b telnet 2.4.c SSH
2.4.a ping The ping command uses Internet Control Message Protocol (ICMP) Echo Request and Echo Reply messages. Packet filtering policies on routers, firewalls, or other types of security gateways might prevent the forwarding of this traffic.
2.4.a ping DOS
2.4.a ping
2.4.a ping
2.4.a ping Warning: Using the debug ip packet detail command on a production router can cause high CPU utilization. This may result in a severe performance degradation or a network outage. We recommend that you carefully read Use the Debug Command before issuing debug commands.
2.4.a ping Router1#debug ip packet detail IP packet debugging is on (detailed) Router1#ping 12.0.0.2 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 12.0.0.2, timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 4/6/8 ms Router1# Jan 20 15:54:47.487: IP: s=12.0.0.1 (local), d=12.0.0.2 (Serial0), len 100, sending Jan 20 15:54:47.491: ICMP type=8, code=0 !--- This is the ICMP packet 12.0.0.1 sent to 12.0.0.2. !--- ICMP type=8 corresponds to the echo message. Jan 20 15:54:47.523: IP: s=12.0.0.2 (Serial0), d=12.0.0.1 (Serial0), len 100, rcvd 3 Jan 20 15:54:47.527: ICMP type=0, code=0 !--- This is the answer we get from 12.0.0.2. !--- ICMP type=0 corresponds to the echo reply message. !--- By default, the repeat count is five times, so there will be five !--- echo requests, and five echo replies.
2.4.a ping
2.4.a ping
2.4.a ping Router1#ping 34.0.0.4 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 34.0.0.4, timeout is 2 seconds: Jan 20 16:00:25.603: IP: s=12.0.0.1 (local), d=34.0.0.4, len 100, unroutable. Jan 20 16:00:27.599: IP: s=12.0.0.1 (local), d=34.0.0.4, len 100, unroutable. Jan 20 16:00:29.599: IP: s=12.0.0.1 (local), d=34.0.0.4, len 100, unroutable. Jan 20 16:00:31.599: IP: s=12.0.0.1 (local), d=34.0.0.4, len 100, unroutable. Jan 20 16:00:33.599: IP: s=12.0.0.1 (local), d=34.0.0.4, len 100, unroutable. Success rate is 0 percent (0/5)
2.4.a ping Router1#ping 34.0.0.4 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 34.0.0.4, timeout is 2 seconds: U.U.U Success rate is 0 percent (0/5) Jan 20 16:05:30.659: IP: s=12.0.0.1 (local), d=34.0.0.4 (Serial0), len 100, sending Jan 20 16:05:30.663: ICMP type=8, code=0 Jan 20 16:05:30.691: IP: s=12.0.0.2 (Serial0), d=12.0.0.1 (Serial0), len 56, rcvd 3 Jan 20 16:05:30.695: ICMP type=3, code=1 Jan 20 16:05:30.699: IP: s=12.0.0.1 (local), d=34.0.0.4 (Serial0), len 100, Jan 20 16:05:30.703: ICMP type=8, code=0 Jan 20 16:05:32.699: IP: s=12.0.0.1 (local), d=34.0.0.4 (Serial0), len 100, Jan 20 16:05:32.703: ICMP type=8, code=0 Jan 20 16:05:32.731: IP: s=12.0.0.2 (Serial0), d=12.0.0.1 (Serial0), len 56, Jan 20 16:05:32.735: ICMP type=3, code=1 Jan 20 16:05:32.739: IP: s=12.0.0.1 (local), d=34.0.0.4 (Serial0), len 100, Jan 20 16:05:32.743: ICMP type=8, code=0 Now let us add a static route to Router1: Router1#configure terminal Enter configuration commands, one per line. End with CNTL/Z. Router1(config)#ip route 0.0.0.0 0.0.0.0 Serial0 We now have: Router1#debug ip packet detail IP packet debugging is on (detailed)
2.4.a ping From the CCNA ICND2 Exam book: “Routers decrement the TTL by 1 every time they forward a packet; if a router decrements the TTL to 0, it throws away the packet. This prevents packets from rotating forever. ” I want to make it clear that before the router forwards a packet, the TTL is still remain the same. For example in the topology above, pings to S0/1 and S0/0 of Router 2 have the same TTL. The picture below shows TTL values for each interface of each router and for Host B. Notice that Host A initializes ICMP packet with a TTL of 255: Host A pings interface S0/0 on router 3. What is the TTL value for that ping? A. 252 B. 253 C. 254 D. 255
2.4.a ping Interface Down This is a situation where the interface stops working. In the example below, we try to ping Router4 from Router1: Router1#ping 34.0.0.4 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 34.0.0.4, timeout is 2 seconds: U.U.U Success rate is 0 percent (0/5) Since the routing is fine, we will do the troubleshooting step-by-step. First, let us try to ping Router2: Router1#ping 12.0.0.2 Sending 5, 100-byte ICMP Echos to 12.0.0.2, timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/4 ms
2.4.a ping From the above, we see that the problem lies between Router2 and Router3. One possibility is that the serial interface on Router3 has been shut down: Router3#show ip interface brief Serial0 34.0.0.3 YES manual up up Serial1 23.0.0.3 YES manual administratively down down This is quite simple to fix: Router3#configure terminal Enter configuration commands, one per line. End with CNTL/Z. Router3(config)#interface s1 Router3(config-if)#no shutdown Router3(config-if)# Jan 20 16:20:53.900: %LINK-3-UPDOWN: Interface Serial1, changed state to up Jan 20 16:20:53.910: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial1, changed state to up
2.4.a ping
2.4.a ping When a host needs to reach a device on another subnet, the ARP cache entry will be that of the Ethernet address of the local router (default gateway) for the physical MAC address. The destination IP address will not change, and will be that of the remote host (HostB).
2.4.a ping Which command can be used from a PC to verify the connectivity between hosts that connect through a switch in the same LAN? A. ping address B. tracert address C. traceroute address D. arp address
2.4.a ping Explanation: ICMP pings are used to verify connectivity between two IP hosts. Traceroute is used to verify the router hop path traffic will take but in this case since the hosts are in the same LAN there will be no router hops involved.
2.4.b Telnet
2.4.b Telnet The network administrator normally establishes a Telnet session with the switch from host A. However, host A is unavailable. The administrator's attempt to telnet to the switch from host B fails, but pings to the other two hosts are successful. What is the issue? A. Host B and the switch need to be in the same subnet. B. The switch interface connected to the router is down. C. Host B needs to be assigned an IP address in VLAN 1. D. The switch needs an appropriate default gateway assigned. E. The switch interfaces need the appropriate IP addresses assigned.
2.4.b Telnet Explanation: Ping was successful form host B to other hosts because of intervlan routing configured on router. But to manage switch via telnet the VLAN32 on the switch needs to be configured interface vlan32 along with ip address and its appropriate default-gateway address. Since VLAN1 interface is already configure on switch Host A was able to telnet switch.
2.4.b Telnet A network administrator needs to allow only one Telnet connection to a router. For anyone viewing the configuration and issuing the show run command, the password for Telnet access should be encrypted. Which set of commands will accomplish this task? A. service password-encryption access-list 1 permit 192.168.1.0 0.0.0.255 line vty 0 4 login password cisco access-class 1 B. enable password secret line vty 0 login password cisco C. service password-encryption line vty 1 login password cisco D. service password-encryption line vty 0 4 login password cisco
2.4.b Telnet Explanation: Only one VTY connection is allowed which is exactly what's requested. Incorrect answer: command. Line vty0 4 would enable all 5 vty connections.
2.4.b Telnet Which command shows your active Telnet connections? A. show cdp neigbors B. show session C. show users D. show vty logins
2.4.b Telnet Explanation: The “show users” shows telnet/ssh connections to your router while “show sessions” shows telnet/ssh connections from your router (to other devices). The question asks about “your active Telnet connections”, meaning connections from your router so the answer should be B.
2.4.c SSH
2.4.c SSH Secure Shell (SSH) is a protocol which provides a secure remote access connection to network devices. Communication between the client and server is encrypted in both SSH version 1 and SSH version 2. Implement SSH version 2 when possible because it uses a more enhanced security encryption algorithm.
2.4.c SSH
2.4.c SSH Test Authentication aaa new-model Authentication Test without SSH First test the authentication without SSH to make sure that authentication works with the router Carter before you add SSH. Authentication can be with a local username and password or with an authentication, authorization, and accounting (AAA) server that runs TACACS+ or RADIUS. (Authentication through the line password is not possible with SSH.) This example shows local authentication, which lets you Telnet into the router with username "cisco" and password "cisco." !--- The aaa new-model command causes the local username and password on the router !--- to be used in the absence of other AAA statements. aaa new-model username cisco password 0 cisco line vty 0 4 transport input telnet !--- Instead of aaa new-model, you can use the login local command.
2.4.c SSH Authentication Test with SSH In order to test authentication with SSH, you have to add to the previous statements in order to enable SSH on Carter and test SSH from the PC and UNIX stations. ip domain-name rtp.cisco.com !--- Generate an SSH key to be used with SSH. crypto key generate rsa ip ssh time-out 60 ip ssh authentication-retries 2 At this point, the show crypto key mypubkey rsa command must show the generated key. After you add the SSH configuration, test your ability to access the router from the PC and UNIX station.
Bibliography http://www.cisco.com/c/en/us/support/docs/ip/routing-information-protocol-rip/13730-ext-ping-trace.html http://www.cisco.com/c/en/us/td/docs/ios/12_2/termserv/command/reference/ftersv_r/trfsltn.html#wp998287 http://www.cisco.com/c/en/us/support/docs/security-vpn/secure-shell-ssh/4145-ssh.html
Q&A