Showing posts with label Cisco. Show all posts

Thursday, 2 January 2025

Cisco IOS recovery: error in the IOS image after an upgrade. How to boot from the old IOS.

 I was upgrading my 2960 switch IOS from 12.2 to 15.0, but after the upgrade, when I rebooted to boot from the new IOS, the switch got stuck and could not boot properly.


The console showed nothing, and the switch was stuck before it could load the new IOS.

This issue can be caused by a wrong or invalid IOS image, or it can be a hardware issue.

Note: I had not deleted the old IOS from flash, and I was trying to reload the switch from that old IOS.

The error is given below.


It loads the image then hangs right here:

File "flash:/c2960s...." uncompressed and installed, entry point: 0x3000
executing..


Let's solve this issue.


1. Plug in the switch.

2. Hold the Mode button for 15 seconds.

3. The switch boots into ROMMON mode.

4. Type 'flash_init'.

5. Type 'dir flash:'.

6. Type 'delete flash:<filename of the corrupted IOS>'.

7. Type 'boot'.

The console session is given below.

switch: flash_init
Initializing Flash...
mifs[2]: 10 files, 1 directories
mifs[2]: Total bytes     :    1806336
mifs[2]: Bytes used      :     612352
mifs[2]: Bytes available :    1193984
mifs[2]: mifs fsck took 1 seconds.
mifs[3]: 0 files, 1 directories
mifs[3]: Total bytes     :    3870720
mifs[3]: Bytes used      :       1024
mifs[3]: Bytes available :    3869696
mifs[3]: mifs fsck took 2 seconds.
mifs[4]: 5 files, 1 directories
mifs[4]: Total bytes     :     258048
mifs[4]: Bytes used      :       9216
mifs[4]: Bytes available :     248832
mifs[4]: mifs fsck took 0 seconds.
mifs[5]: 5 files, 1 directories
mifs[5]: Total bytes     :     258048
mifs[5]: Bytes used      :       9216
mifs[5]: Bytes available :     248832
mifs[5]: mifs fsck took 0 seconds.
 -- MORE --
mifs[6]: 1139 files, 37 directories
mifs[6]: Total bytes     :   57931776
mifs[6]: Bytes used      :   48199168
mifs[6]: Bytes available :    9732608
mifs[6]: mifs fsck took 52 seconds.
...done Initializing Flash.

switch: dir flash:
Directory of flash:/
    2  -rwx  3096      <date>               multiple-fs
    3  -rwx  3016      <date>               vlan.dat.renamed
    4  -rwx  1591      <date>               config.text.renamed
    5  -rwx  1915      <date>               private-config.text
    6  -rwx  5         <date>               private-config.text.renamed
    7  -rwx  16312320  <date>               c2960-lanbasek9-tar.150-2.SE11-1.tar
    8  drwx  512       <date>               c2960s-universalk9-mz.122-55.SE7
  588  -rwx  12556     <date>               vlan.dat
  589  -rwx  3547      <date>               config.text
  590  drwx  512       <date>               c2960-lanbasek9-mz.150-2.SE11
 1176  -rwx  107       <date>               info
9732608 bytes available (48199168 bytes used)
switch:
switch:
switch:

switch:  delete flash:c2960-lanbasek9-mz.150-2.SE11/c2960-lanbasek9-mz.150-2.SE11.bin
Are you sure you want to delete "flash:c2960-lanbasek9-mz.150-2.SE11/c2960-lanbasek9-mz.150-2.SE11.bin" (y/n)?y
File "flash:c2960-lanbasek9-mz.150-2.SE11/c2960-lanbasek9-mz.150-2.SE11.bin" deleted
switch: ?
 
switch:
switch: boot
Loading "flash:/c2960-lanbasek9-mz.150-2.SE11/c2960-lanbasek9-mz.150-2.SE11.bin"...flash:/c2960-lanbasek9-mz.150-2.SE11/c2960-lanbasek9-mz.150-2.SE11.bin: no such file or directory
Error loading "flash:/c2960-lanbasek9-mz.150-2.SE11/c2960-lanbasek9-mz.150-2.SE11.bin"
Interrupt within 5 seconds to abort boot process.
Loading "flash:/c2960s-universalk9-mz.122-55.SE7/c2960s-universalk9-mz.122-55.SE7.bin"...@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
File "flash:/c2960s-universalk9-mz.122-55.SE7/c2960s-universalk9-mz.122-55.SE7.bin" uncompressed and installed, entry point: 0x3000
executing...
              Restricted Rights Legend
Use, duplication, or disclosure by the Government is
subject to restrictions as set forth in subparagraph
(c) of the Commercial Computer Software - Restricted
Rights clause at FAR sec. 52.227-19 and subparagraph
(c) (1) (ii) of the Rights in Technical Data and Computer
Software clause at DFARS sec. 252.227-7013.
           cisco Systems, Inc.
           170 West Tasman Drive
           San Jose, California 95134-1706


Cisco IOS Software, C2960S Software (C2960S-UNIVERSALK9-M), Version 12.2(55)SE7, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2013 by Cisco Systems, Inc.
Compiled Mon 28-Jan-13 10:28 by prod_rel_team
Image text-base: 0x00003000, data-base: 0x01B00000
Initializing flashfs...
Using driver version 1 for media type 1
mifs[3]: 10 files, 1 directories
mifs[3]: Total bytes     : 1806336
mifs[3]: Bytes used      : 612352
mifs[3]: Bytes available : 1193984
mifs[3]: mifs fsck took 0 seconds.
mifs[3]: Initialization complete.
mifs[4]: 0 files, 1 directories
mifs[4]: Total bytes     : 3870720
mifs[4]: Bytes used      : 1024
mifs[4]: Bytes available : 3869696
mifs[4]: mifs fsck took 0 seconds.
mifs[4]: Initialization complete.
mifs[5]: 5 files, 1 directories
mifs[5]: Total bytes     : 258048
mifs[5]: Bytes used      : 9216
mifs[5]: Bytes available : 248832
mifs[5]: mifs fsck took 0 seconds.
mifs[5]: Initialization complete.
mifs[6]: 5 files, 1 directories
mifs[6]: Total bytes     : 258048
mifs[6]: Bytes used      : 9216
mifs[6]: Bytes available : 248832
mifs[6]: mifs fsck took 0 seconds.
mifs[6]: Initialization complete.



You can see that it failed to load the 15.0 image and then automatically booted from the old 12.2 image as the fallback.



How to delete a file in flash: Cisco 2960 switch

To delete a file in flash, use the command below.


Switch#show flash
Directory of flash:/
    2  -rwx        3096   Mar 1 1993 00:02:54 +00:00  multiple-fs
    3  -rwx        3016  Jul 27 2023 12:29:32 +00:00  vlan.dat.renamed
    4  -rwx        1591   Mar 1 1993 00:17:21 +00:00  config.text.renamed
    5  -rwx        1915   Mar 1 1993 02:55:06 +00:00  private-config.text
    6  -rwx           5   Mar 1 1993 00:17:21 +00:00  private-config.text.renamed
    7  -rwx    16312320   Mar 1 1993 04:18:43 +00:00  c2960-lanbasek9-tar.150-2.SE11-1.tar
    8  drwx         512   Mar 1 1993 00:24:11 +00:00  c2960s-universalk9-mz.122-55.SE7
  588  -rwx       12556   Mar 1 1993 00:02:22 +00:00  vlan.dat
  589  -rwx        3547   Mar 1 1993 02:55:06 +00:00  config.text
  590  drwx         512   Jan 1 1970 00:05:00 +00:00  c2960-lanbasek9-mz.150-2.SE11
 1175  -rwx         107   Mar 1 1993 04:30:48 +00:00  info
57931776 bytes total (21661696 bytes free)


Switch#delete flash:c2960-lanbasek9-tar.150-2.SE11-1.tar
Delete filename [c2960-lanbasek9-tar.150-2.SE11-1.tar]? 
Delete flash:c2960-lanbasek9-tar.150-2.SE11-1.tar? [confirm]

Switch#show flash                                       
Directory of flash:/
    2  -rwx        3096   Mar 1 1993 00:02:54 +00:00  multiple-fs
    3  -rwx        3016  Jul 27 2023 12:29:32 +00:00  vlan.dat.renamed
    4  -rwx        1591   Mar 1 1993 00:17:21 +00:00  config.text.renamed
    5  -rwx        1915   Mar 1 1993 02:55:06 +00:00  private-config.text
    6  -rwx           5   Mar 1 1993 00:17:21 +00:00  private-config.text.renamed
    8  drwx         512   Mar 1 1993 00:24:11 +00:00  c2960s-universalk9-mz.122-55.SE7
  588  -rwx       12556   Mar 1 1993 00:02:22 +00:00  vlan.dat
  589  -rwx        3547   Mar 1 1993 02:55:06 +00:00  config.text
  590  drwx         512   Jan 1 1970 00:05:00 +00:00  c2960-lanbasek9-mz.150-2.SE11
 1175  -rwx         107   Mar 1 1993 04:30:48 +00:00  info
57931776 bytes total (38105600 bytes free)
Switch#


How to delete a directory in flash: Cisco 2960 switch

To delete a directory in flash, use the command below.


Switch#delete /force /recursive flash:c2960-lanbasek9-mz.150-2.SE11


Cisco IOS upgrade on a 2960 switch

To upgrade the IOS you need a TFTP server connected to the switch, and there must be Layer 3 reachability between the TFTP server and the switch.

I am assuming you have configured the TFTP server properly; make sure the firewall and antivirus on the TFTP server are disabled.

Step 1: Copy the IOS file from the TFTP server to the switch flash.


Switch#copy tftp flash

Address or name of remote host []? 172.16.10.2

Source filename []? c2960-lanbasek9-tar.150-2.SE11-1.tar


Step 2: If it is a .bin file you do not need to extract it, but if it is a .tar file you need to extract it first. As I have a TAR file, let's extract it first.


Switch#archive tar /xtract c2960-lanbasek9-tar.150-2.SE11-1.tar flash:/


Step 3: Change the boot image (boot system is a global configuration command).

Switch(config)#boot system flash:/c2960-lanbasek9-mz.150-2.SE11/c2960-lanbasek9-mz.150-2.SE11.bin

Step 4: Reload the switch.

Switch#reload






Thursday, 23 May 2024

Cisco bandwidth rate limiting on Catalyst series (3550, 3750, 3560, 2960)

There are two ways to configure QoS bandwidth shaping on a port in Cisco L2/L3 switches:

1. SRR (only download, i.e. egress, traffic can be controlled).
2. Service policy (only one direction can be controlled).

If you want to control both directions, configure both SRR and a service policy on the same port.


SRR


srr-queue bandwidth limit %


You have to set the bandwidth as a percentage of the link speed. The options are 10-99 percent. This means that if you want a limit less than 10Mb you must set the port’s physical speed to 10 and the duplex to full. You will then have to statically configure the client to 10/full. This, however, only limits the egress traffic.


int 0 /12
srr-queue bandwidth limit 10


Service Policy

We use this to match and limit our ingress traffic.

First, you must enable mls qos on your switch, otherwise your matching will not work:

mls qos

1. Next we define our class map. It is set to match IP traffic with DSCP 0 (default).

class-map match-all rate-limit
  description Bandwidth Control
 match ip dscp default


2. We then create a policy map with the desired speed (police rate in bps, burst in bytes; traffic exceeding the rate is dropped):

policy-map 8meg
 class rate-limit
  police 8192000 192000 exceed-action drop


3. Last, we apply this to the interface:

int fa0/1
 service-policy input 8meg



Monday, 20 May 2024

Cisco Switch Port Security

Port Security is a very useful feature that limits access to switch ports. It lets you bind MAC addresses to a port and limit which MAC addresses are authorized.


•Maximum quantity of learned, dynamic MAC addresses can be limited.
•Static, authorized MAC addresses can be pre-configured



Port-Security Violations

If a violation occurs, you have three options with regards to the response:

•Shutdown (default)
•Protect
•Restrict


Protect: this violation mode silently discards the frame if the source MAC is not authorized.

Restrict: this violation mode discards the frame but also logs the violation.

switchport port-security: if you run only this command, the port learns the first MAC address dynamically and that is the only MAC allowed on the port; when a second MAC appears, the port is shut down.

switchport port-security violation restrict: with restrict, the port discards the violating frames but is not shut down; instead it logs the violation, so you can see how many violations there have been on the port.

switchport port-security maximum 3: with a maximum of 3, at most 3 MAC addresses are allowed on the port, statically or dynamically.

switchport port-security mac-address sticky: the port learns the MAC address dynamically and shows it in the running configuration; if you save it with write memory, those MAC addresses stay authorized as long as the entry exists.

 

Configurations.

interface fa0/1
switchport mode access
switchport access vlan 101
switchport port-security 
switchport port-security violation restrict
switchport port-security mac-address 0022.6732.8d32 vlan access

Verifications.


Switch#show port-security
Switch#show port-security interface fa0/1
Switch#show port-security address
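The three violation modes, the maximum count, static entries and sticky learning described above, as an added simulation written for this page (not Cisco code and not the post's own): the class, its method names and the constructed frame sequences are my assumptions, and the counter behaviour follows the post's description (restrict counts and logs, protect drops silently, shutdown err-disables the port).

```python
"""Simulation of Cisco port-security semantics as described in the post."""
from dataclasses import dataclass, field

SHUTDOWN, RESTRICT, PROTECT = "shutdown", "restrict", "protect"


@dataclass
class SecurePort:
    """One access port with port-security enabled (hypothetical model)."""
    maximum: int = 1                  # switchport port-security maximum N
    violation: str = SHUTDOWN         # switchport port-security violation ...
    sticky: bool = False              # switchport port-security mac-address sticky
    secure_macs: set[str] = field(default_factory=set)   # static + learned
    sticky_macs: set[str] = field(default_factory=set)   # would land in running-config
    err_disabled: bool = False
    violation_count: int = 0
    log: list[str] = field(default_factory=list)

    def add_static(self, mac: str) -> None:
        """switchport port-security mac-address <mac>"""
        if mac not in self.secure_macs and len(self.secure_macs) >= self.maximum:
            raise ValueError("static entries exceed the configured maximum")
        self.secure_macs.add(mac)

    def receive(self, src_mac: str) -> bool:
        """Handle one ingress frame; return True if it is forwarded."""
        if self.err_disabled:
            return False                       # port stays down until recovered
        if src_mac in self.secure_macs:
            return True
        if len(self.secure_macs) < self.maximum:
            self.secure_macs.add(src_mac)      # dynamic learning
            if self.sticky:
                self.sticky_macs.add(src_mac)  # shows up in running-config
            return True
        # Table is full and this MAC is not in it: a violation.
        if self.violation == SHUTDOWN:
            self.err_disabled = True
            self.violation_count += 1
            self.log.append(f"err-disable: unexpected source {src_mac}")
        elif self.violation == RESTRICT:
            self.violation_count += 1
            self.log.append(f"violation #{self.violation_count}: dropped {src_mac}")
        # PROTECT: silent discard, no counter, no log
        return False


def run(port: SecurePort, frames: list[str]) -> list[bool]:
    """Feed a constructed sequence of source MACs through the port."""
    return [port.receive(mac) for mac in frames]


if __name__ == "__main__":
    # Constructed sample: two frames from the authorized host, one intruder, one more from the host.
    frames = ["0022.6732.8d32", "0022.6732.8d32", "aaaa.bbbb.cccc", "0022.6732.8d32"]
    for mode in (SHUTDOWN, RESTRICT, PROTECT):
        p = SecurePort(maximum=1, violation=mode)
        print(mode, run(p, frames), "err-disabled" if p.err_disabled else "up", p.violation_count)
```

The fourth frame is the point of the comparison: under shutdown the legitimate host is cut off along with the intruder, while restrict and protect keep it forwarding and differ only in whether the violation is counted.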



 

Dynamic Trunking Protocol(DTP)

 DTP is a Cisco proprietary feature that allows Cisco switches to negotiate trunks dynamically.


DTP has Three modes:

•Auto
•On
•Desirable


Normally, when you configure switchport mode trunk, the port becomes a trunk regardless of what is connected to it, even an end host.

Of the three modes, auto only responds and dynamic desirable initiates the trunk. DTP is Cisco proprietary.

When you configure dynamic desirable, the port starts sending DTP messages.

When you configure dynamic auto, the port does not initiate the request; it only responds if the other end initiates.

Auto is passive and desirable is active.

When you configure switchport mode trunk, the port also sends DTP messages, and if the other end is desirable or auto it can become a trunk.

If both sides are auto, the port cannot become a trunk because neither side initiates the request.

Cisco recommends making the port desirable on both ends.

There are many combinations that can form a trunk, as long as one side initiates the request.


How to configure DTP

Switch(config-if)# switchport mode dynamic [desirable|auto]

How To Disable DTP

Switch(config-if)# switchport nonegotiate

Verification command

Switch# show interface trunk

Switch# show interface <interface> switchport


Cisco Device Startup/Boot Sequence

 When you power on a Cisco router or switch, the first thing it does is discover the device hardware: interface details, CPU details, memory details, and so on.

Once the hardware check is OK, it finds the IOS image and loads it. Once the IOS is loaded, the configuration file is loaded from NVRAM.

The whole process is called the power-on self test (POST).


Normally there are 3 types memory we have in devices, 


1-Flash 

2-NVRAM(Non-Volatile random Access Memory).

3-DRAM(Dynamic Random Access Memory).


Flash and NVRAM have one thing in common: both are non-volatile memory, which means the device keeps the information after being powered off and retains those files after being powered on again. NVRAM and flash are slow.


NVRAM is small, because it stores only the configuration files.

Flash is a little larger than NVRAM; this is where the Cisco IOS is stored.



DRAM loses its contents when the power is off.

DRAM is very fast.

DRAM is large.

DRAM is large because when you power on the Cisco device, it finds the IOS in flash, copies it into DRAM and runs it from there. When you switch off the device, the IOS stays in flash, but it runs from DRAM. Then the device loads the startup configuration from NVRAM; this is also copied from NVRAM into DRAM to run, and there it is called the running configuration.

Also all the tables in the device, such as the MAC table, ARP table, VLAN table and routing table, are tables and databases held in and displayed from DRAM.




Saturday, 18 May 2024

Bandwidth Shaping on L2 port--#Cisco 2960

  To configure bandwidth shaping on an L2 interface, go to interface configuration mode on the switch port and apply the srr-queue bandwidth limit command. Here's an example:

Switch(config)# interface FastEthernet 0/1
Switch(config-if)# srr-queue bandwidth limit 90


The 90 sets the outbound bandwidth limit on the port to 90 percent of the port speed. Since this is a 100-Mb port, this should limit the outbound traffic from the port to 10 Mb.



Wednesday, 8 May 2024

Link Layer Discovery Protocol (LLDP)

 LLDP is a Layer 2 discovery protocol similar to CDP. The major difference between the two is that LLDP is an open standard, while CDP is a Cisco proprietary protocol that runs only on Cisco devices.

LLDP carries its attributes as TLVs (Type, Length, Value). Devices that support LLDP use TLVs to send and receive information to and from their directly connected neighbors on the network.

The common TLVs are listed below.

 

  1. Port description TLV
  2. System name TLV
  3. System description TLV
  4. System capabilities TLV
  5. Management Address TLV

By default, LLDP is disabled on Cisco devices (depending on the IOS version), but you can enable it manually.


Configuration & Verification.

R1(config)#lldp run


R1#show lldp neighbors

R1#show lldp neighbors detail



CDP (Cisco Discovery Protocol)

  CDP (Cisco Discovery Protocol) helps you discover the neighbors directly connected to each other; by using CDP you can build network maps.

By default, CDP is enabled on Cisco devices.

You can enable and disable CDP on a per-interface basis, and you can also configure it in global mode.


R1#show cdp neighbors detail

R1#show cdp neighbors

CDP configuration on a per-interface basis.

R1(config)#interface fa 0/0
R1(config-if)#no cdp enable

CDP configuration in global mode for all interfaces (cdp run is the global command; cdp enable is the per-interface one).

R1(config)#cdp run

How to disable CDP

You can disable and enable CDP for a single interface by typing no cdp enable under the interface.

This is how you do it globally for all interfaces:

R1(config)#no cdp run

Tuesday, 23 April 2024

Subnet Mask & Wildcard Mask Explained in a Simple Way

 A subnet mask tells us the number of network bits and the number of host bits in an IP address.

A wildcard mask identifies which bits of an IPv4 address must match: a binary 0 means the corresponding bit must match, and a binary 1 means the bit is ignored.

A wildcard mask is used in ACLs to match IP addresses precisely when permitting or denying, and also in some routing protocols, such as OSPF, to advertise networks.

Wildcard masks use the following rules to match binary 1s and 0s:

  • Wildcard mask bit 0: Match the corresponding bit value in the address.

  • Wildcard mask bit 1: Ignore the corresponding bit value in the address.


How to calculate the wildcard mask

Wildcard Mask = 255.255.255.255 - Actual Subnet Mask.

Example 1

Network = 192.168.3.0/24
Subnet mask = 255.255.255.0

  255.255.255.255   starting value
- 255.255.255.  0   subtract the subnet mask
-----------------
    0.  0.  0.255   resulting wildcard mask



Example 2

Network = 192.168.1.0/28
Subnet mask = 255.255.255.240

  255.255.255.255   starting value
- 255.255.255.240   subtract the subnet mask
-----------------
    0.  0.  0. 15   resulting wildcard mask



Example 3

Network = 192.168.1.0/23
Subnet mask = 255.255.254.0

  255.255.255.255   starting value
- 255.255.254.  0   subtract the subnet mask
-----------------
    0.  0.  1.255   resulting wildcard mask
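The subtraction above and the bit rule (0 = must match, 1 = ignore) in working code, added here as an example that is not part of the original post. It reproduces the three examples, generates the /32 to /0 cheat sheet, and goes one step further than the post by checking a candidate address against an ACL entry, which also works for non-contiguous wildcards (such as 0.0.254.255, matching even-numbered third octets) that no prefix-length table can express. The function names and sample addresses are mine.

```python
"""Wildcard-mask arithmetic and the ACL bit-matching rule."""
import ipaddress


def mask_from_prefix(prefix_len: int) -> str:
    """Dotted subnet mask for a /prefix_len, e.g. 24 -> 255.255.255.0."""
    if not 0 <= prefix_len <= 32:
        raise ValueError("prefix length must be 0..32")
    mask_int = (0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF
    return str(ipaddress.IPv4Address(mask_int))


def wildcard_from_mask(subnet_mask: str) -> str:
    """The post's formula: wildcard = 255.255.255.255 - subnet mask, per octet."""
    octets = [int(o) for o in subnet_mask.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"bad mask: {subnet_mask}")
    return ".".join(str(255 - o) for o in octets)


def acl_matches(address: str, acl_network: str, wildcard: str) -> bool:
    """Wildcard rule: a 0 bit must match, a 1 bit is ignored.

    Bits where the wildcard is 1 are masked out of both the candidate
    address and the ACL network; what remains must be equal.
    """
    addr = int(ipaddress.IPv4Address(address))
    net = int(ipaddress.IPv4Address(acl_network))
    wild = int(ipaddress.IPv4Address(wildcard))
    care = ~wild & 0xFFFFFFFF          # the bits the ACL actually compares
    return (addr & care) == (net & care)


def cheat_sheet() -> list[tuple[str, str, str]]:
    """Rows of (slash, netmask, wildcard) from /32 down to /0."""
    rows = []
    for plen in range(32, -1, -1):
        mask = mask_from_prefix(plen)
        rows.append((f"/{plen}", mask, wildcard_from_mask(mask)))
    return rows


if __name__ == "__main__":
    for slash, mask, wild in cheat_sheet():
        print(f"{slash:>4}  {mask:<16} {wild}")
    # The post's three examples, recomputed.
    for net, plen in (("192.168.3.0", 24), ("192.168.1.0", 28), ("192.168.1.0", 23)):
        mask = mask_from_prefix(plen)
        print(net, mask, "->", wildcard_from_mask(mask))
    # ACL check with a constructed host address.
    print(acl_matches("192.168.3.77", "192.168.3.0", "0.0.0.255"))   # True
```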




IPv4 subnet mask and wildcard mask cheat sheet

List of wildcard masks

Slash   Netmask           Wildcard mask
/32     255.255.255.255   0.0.0.0
/31     255.255.255.254   0.0.0.1
/30     255.255.255.252   0.0.0.3
/29     255.255.255.248   0.0.0.7
/28     255.255.255.240   0.0.0.15
/27     255.255.255.224   0.0.0.31
/26     255.255.255.192   0.0.0.63
/25     255.255.255.128   0.0.0.127
/24     255.255.255.0     0.0.0.255
/23     255.255.254.0     0.0.1.255
/22     255.255.252.0     0.0.3.255
/21     255.255.248.0     0.0.7.255
/20     255.255.240.0     0.0.15.255
/19     255.255.224.0     0.0.31.255
/18     255.255.192.0     0.0.63.255
/17     255.255.128.0     0.0.127.255
/16     255.255.0.0       0.0.255.255
/15     255.254.0.0       0.1.255.255
/14     255.252.0.0       0.3.255.255
/13     255.248.0.0       0.7.255.255
/12     255.240.0.0       0.15.255.255
/11     255.224.0.0       0.31.255.255
/10     255.192.0.0       0.63.255.255
/9      255.128.0.0       0.127.255.255
/8      255.0.0.0         0.255.255.255
/7      254.0.0.0         1.255.255.255
/6      252.0.0.0         3.255.255.255
/5      248.0.0.0         7.255.255.255
/4      240.0.0.0         15.255.255.255
/3      224.0.0.0         31.255.255.255
/2      192.0.0.0         63.255.255.255
/1      128.0.0.0         127.255.255.255
/0      0.0.0.0           255.255.255.255






Port Forwarding Configuration on a Cisco 800 (C881-K9) Router

 Hey guys...

In this lesson, I will give you a quick overview of port forwarding on a Cisco 800 VPN router.

The task is this: in my diagram, I have a web server in my LAN with a private IP address, 192.168.1.10, and I want to access that web server from outside my network. Because the web server has a private IP, I cannot reach it without port forwarding.

I have one public IP assigned to my WAN interface, which is connected to the ISP, so I need to map my WAN interface's public IP to my web server's private IP.


Find the configuration given below.

Syntax.

Use this command to enable port forwarding (syntax: inside local IP and port, then outside global IP and port):

ip nat inside source static tcp <inside local ip> 20 <external ip> 20 extendable
ip nat inside source static tcp <inside local ip> 21 <external ip> 21 extendable
ip nat inside source static tcp <inside local ip> 1020 <external ip> 1020 extendable

An example of FTP server port forwarding is given below:

Router(config)# ip nat inside source static tcp 192.168.1.20 21 85.84.84.45 21 extendable


My web server port forwarding example


## You can use the same port for inside and outside users.

Router(config)# ip nat inside source static tcp 192.168.1.10 80 10x.xx.x.13 80 extendable

OR

## You can use a different port for inside and outside users (recommended).

Router(config)# ip nat inside source static tcp 192.168.1.10 80 10x.xx.x.13 81 extendable


 

Cisco 800 (C881-K9) WAN over PPPoE & LAN Side Access Configuration

 The Cisco 800 is an IOS-based router that is very popular in small enterprises. Let's look at the configuration and how you can set it up in your organization.

Basically, I will show you how to distribute the Internet to your LAN through this router (Cisco 800, C881-K9).

In my network, I use a PPPoE connection to my ISP to build my WAN (Internet) connection. Find my diagram below.



Step 1: First, create the dialer interface on the router for PPPoE.

interface Dialer1
 ip address negotiated
 ip mtu 1492
 ip virtual-reassembly in
 encapsulation ppp
 ip tcp adjust-mss 1452
 dialer pool 1
 dialer-group 1
 ppp pap sent-username ipnoc_isp password 0 12345

Step 2: Once the dialer is created, assign that dialer pool under the WAN interface. This interface connects to the ISP modem.


interface FastEthernet4
 description CONNECTED-TO-ISP
 no ip address
 duplex auto
 speed auto
 pppoe enable group global
 pppoe-client dial-pool-number 1



Step 3: LAN side configuration.


On the LAN side we create VLAN 10, and our LAN port will be an access port in VLAN 10.

##Configure the VLAN..

!
vlan 10
!

##Configure The VLAN Interface and give the IP address ..

interface Vlan10
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in

##Configure Fa2 as the access port that connects to our LAN segment (VLAN 10, as created above)

interface FastEthernet2
 switchport access vlan 10
 switchport mode access
 no ip address
!

Step 4: NAT configuration for Internet users.

First, create the ACL that matches your LAN IP pool, then configure NAT.

access-list 10 permit 192.168.1.0 0.0.0.255

#

ip nat inside source list 10 interface Dialer1 overload

Once NAT is configured, apply it on the interfaces.

##WAN Interface##

interface Dialer1
 ip nat outside


##LAN Interface###

interface Vlan10
 ip address 192.168.1.1 255.255.255.0
 ip nat inside


Step 5 (optional).

#
ip route 0.0.0.0 0.0.0.0 10.10.10.1 name ISP_gateway

#
dialer-list 1 protocol ip permit 
#

The above two commands are optional, because with PPPoE the default route is injected automatically.



Monday, 22 April 2024

What happens when a router receives a packet: the routing process of a router

 What happens when a router receives a packet?



Upon receiving a packet, a router follows a three-step process before it routes the packet:

-> Routing

-> Forwarding (Switching)

-> Encapsulation

Let’s discuss each one of them in detail

Routing process: the routing process is the router's control plane. The router keeps a routing table listing which route should be used to forward a packet and through which physical interface. The router learns routes either by static configuration or through a dynamically configured routing protocol such as an IGP (OSPF, EIGRP, RIP, IS-IS) or an exterior routing protocol such as BGP.

When the router receives a packet, it removes the Layer 2 header (in Ethernet, for example, the source and destination MAC addresses in the L2 header). Once the L2 information is removed, it looks at the Layer 3 information on the packet, that is, the source and destination IP addresses.

To move the L3 packet between interfaces, the router checks the destination address and finds the longest-prefix match in the IP routing table to determine the outgoing interface. In IPv4 the router uses the longest mask to identify the best routing entry for forwarding the packet.

Example: Let’s assume we have configured 3 different static routes with different subnet mask.

Sh ip route 1.1.1.1

ip route 1.1.1.0 255.255.255.0 fa0/2

ip route 1.1.0.0 255.255.0.0 fa0/1

ip route 1.0.0.0 255.0.0.0 fa0/0

In the above example, when the router does a route lookup for destination address 1.1.1.1, out of the 3 entries it chooses the longest-prefix-match entry, i.e. 1.1.1.0/24, because the destination address has the most bits in common with that route, and it forwards the packet out fa0/2.

Destination prefix          Binary splitting
1.1.1.1                     00000001 00000001 00000001 00000001
1st entry  1.1.1.0/24       00000001 00000001 00000001 00000000
2nd entry  1.1.0.0/16       00000001 00000001 00000000 00000000
3rd entry  1.0.0.0/8        00000001 00000000 00000000 00000000

Now for any other destination prefix, such as 1.1.2.0, the longest match is 1.1.0.0/16, and for 1.2.0.0 it would be 1.0.0.0/8.

The longest match possible in IPv4 routing is /32 (255.255.255.255) and the shortest match possible is the default route, i.e. 0.0.0.0.

-> If there are multiple routes with the same subnet mask learned via the same protocol, the router chooses the lowest metric among them.



For example, EIGRP uses a composite "metric" and OSPF uses "cost" for the comparison.

-> If there are multiple routes with the same subnet mask learned via different protocols, the router chooses the lowest administrative distance (AD).

-> The last and important point is the recursive lookup: whenever a route lookup happens more than once it is termed a recursive lookup. The router has to repeat the lookup until the destination address points to a physical or logical interface.

Example:

We have a network 1.1.1.1 connected somewhere, and we reach it via interface fa0/0 with next-hop IP address 2.2.2.2. So we can configure the static route in two different ways: either we define the next-hop IP address, i.e. 2.2.2.2, or we name the interface fa0/0 as the gateway, as shown below.

ip route 1.1.1.1 255.255.255.255 2.2.2.2

ip route 1.1.1.1 255.255.255.255 FastEthernet0/0

Both statements look the same, although they have different meanings. When you point the destination to an exit interface, no further route lookup is needed, because the router assumes the destination is directly connected to that interface. But when you point the destination to a next-hop IP address, another route lookup is needed for that next-hop address; this is what is referred to as a recursive lookup.
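The longest-prefix selection walked through above (the three static routes and the 1.1.2.0 / 1.2.0.0 cases), the AD and metric tie-breaks, and the recursive lookup just described, together in one added example that is not the post's own code. The Route type, the helper names, the extra constructed entries (a next-hop-only /32, a connected 2.2.2.0/24 beside an OSPF copy of the same prefix) and the interface names beyond fa0/0-fa0/2 are my assumptions; a loop or over-long chain is reported as unresolved rather than followed forever.

```python
"""Longest-prefix match, AD/metric tie-breaking and recursive next-hop lookup."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Route:
    prefix: str                       # e.g. "1.1.1.0/24"
    ad: int = 1                       # administrative distance (static = 1)
    metric: int = 0
    next_hop: Optional[str] = None    # next-hop IP, or None
    interface: Optional[str] = None   # exit interface, or None

    @property
    def network(self) -> ipaddress.IPv4Network:
        return ipaddress.IPv4Network(self.prefix, strict=False)


def best_route(table: list[Route], destination: str) -> Optional[Route]:
    """Selection order from the post: longest prefix, then lowest AD, then lowest metric."""
    dst = ipaddress.IPv4Address(destination)
    candidates = [r for r in table if dst in r.network]
    if not candidates:
        return None
    return min(candidates, key=lambda r: (-r.network.prefixlen, r.ad, r.metric))


def resolve(table: list[Route], destination: str, max_depth: int = 8) -> tuple[Optional[str], Optional[str], int]:
    """Resolve a destination to (exit interface, first-hop IP, number of lookups).

    A route carrying only a next-hop IP forces another lookup for that IP
    (the post's recursive lookup) until an entry with an exit interface is
    found. A route with only an interface reports no next-hop: that is the
    case where the router must ARP for the final destination itself.
    """
    lookups = 0
    target = destination
    first_hop = None
    while lookups < max_depth:
        route = best_route(table, target)
        lookups += 1
        if route is None:
            return None, None, lookups            # no route at all
        if route.next_hop is not None and first_hop is None:
            first_hop = route.next_hop             # address the ARP step will need
        if route.interface is not None:
            return route.interface, first_hop, lookups
        if route.next_hop is None:
            return None, first_hop, lookups        # malformed entry
        target = route.next_hop                    # recurse on the next-hop address
    return None, first_hop, lookups                # loop or chain too deep


# Constructed table: the post's three static routes plus recursive/tie-break entries.
TABLE = [
    Route("1.1.1.0/24", interface="fa0/2"),
    Route("1.1.0.0/16", interface="fa0/1"),
    Route("1.0.0.0/8", interface="fa0/0"),
    Route("3.3.3.3/32", next_hop="2.2.2.2"),                    # next-hop only: recursive
    Route("2.2.2.0/24", ad=0, interface="fa0/3"),               # connected (AD 0)
    Route("2.2.2.0/24", ad=110, metric=20, interface="fa0/4"),  # same prefix via OSPF, loses on AD
]

if __name__ == "__main__":
    for dst in ("1.1.1.1", "1.1.2.0", "1.2.0.0", "3.3.3.3", "9.9.9.9"):
        print(dst, "->", resolve(TABLE, dst))
```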

To get more information on how a static route works when you set the gateway as a next-hop IP address versus a next-hop interface, please refer to this document.

Forwarding process: this is also known as the switching process. Once the router finds the outgoing interface, the packet moves between interfaces by the switching process. This is done by process switching, fast switching or CEF switching. Forwarding can be done using adjacency tables that reside on the route processor or on interface cards that support switching.

-> Process switching requires the device CPU to be involved in every forwarding decision.

-> Fast switching still uses the CPU for the initial packets and to fill the cache table in the router. Once the initial packet has been forwarded, the information about how to reach the destination is stored in a fast-switching cache. When another packet goes to the same destination, the next-hop information can be reused from the cache, so the route processor does not have to look it up; but if the information is not cached, the CPU has to process the entire packet.

-> When CEF is enabled, the router builds the CEF FIB and adjacency tables, which reside on the route processor, and the route processor performs the express forwarding.

In the switching process the device does the actual packet or link load balancing, depending on the method in use.

Encapsulation process: the L3 header remains intact except for NAT, VPN, etc. Layer 2 headers change hop by hop, depending on the transmission media. To transmit an L3 packet on the wire, the router needs to find the L2 information for the packet, which depends on the type of media used for transmission.

To explain the encapsulation process in a bit more detail, I have created the small topology shown in the diagram below.



As discussed above, depending on the transmission media (in this example, Ethernet), the MAC addresses in the Layer 2 header change hop by hop.

To generate some traffic, let's ping from R3 to R2's interface address. As soon as R1 receives the packet from R3, it removes the L2 information sent by R3 and checks the L3 information, that is the source (20.1.1.2) and destination (10.1.1.1) addresses on the packet. Then it looks in its routing table to find the outgoing interface, i.e. fa0/0 in the above example. Once the router identifies the outgoing interface, it attaches an L2 header before putting the packet on the wire, so R1 attaches its own interface MAC address as the source and R2's as the destination MAC address.

Address resolution protocol (ARP) table on R1:



To get a closer packet-level view, I have also attached some packet captures taken on R1's interfaces.

Packet capture on R1’s Fa0/1:



Packet capture on R1’s Fa0/0:



Multipoint Broadcast Interfaces, Routing, and ARP

 

When the router needs to route a packet that matches an entry in the routing table with a next-hop value, it performs Layer 3 to Layer 2 resolution for the next-hop address. If the packet matches an entry with just the outgoing (exit) local interface and no next-hop value, it performs Layer 3 to Layer 2 resolution for the final destination of the IP packet.

From a design perspective, the ideal solution for this problem is never to configure a static route pointing out a multipoint interface. Static routes should either point to the next-hop value of the neighbor on the multipoint interface, or point to an interface only if it is point-to-point, such as a GRE tunnel, PPP or HDLC link.

 

When you configure a static route to use an interface attached to broadcast media (e.g. Ethernet), a Cisco router expects that the network is directly attached. As a result, it has to ARP for anything that falls within the scope of your static route. Consider the following topology:



Chesterton(config)# ip route 1.2.3.4 255.255.255.255 eth0/0

 

In this configuration, router Chesterton has to make an ARP request for 1.2.3.4/32 and broadcast it via Ethernet0/0. It is now totally reliant on one of two possibilities:

1. A static ARP entry

2. Vegas will "proxy-ARP" its request

 

 

If neither of these conditions exists, it will not be able to reach its destination. The topology presented is a minor case, and as a result there is no real problem with it. If we increase the load, we begin to see a greater set of problems.



Chesterton(config)# no ip route 1.2.3.4 255.255.255.255 eth0/0

Chesterton(config)# ip route 0.0.0.0 0.0.0.0 eth0/0

 

Now that we have added more scope for router "Chesterton" to look for, there is a higher possibility of impact. If it attempts to reach 8.8.8.8, 180.0.123.12 and 5.4.3.2, we will see ARP entries for each address (all of which will have the MAC address of router Vegas' e0/0 interface). If there is a lot of traffic from Chesterton to the Internet, we have the potential to fill up the ARP cache, causing memory problems that lead to forwarding problems.

Bottom line (TL;DR version):


Yes, you can do it, and it should not be a big deal in a small deployment; however, it is bad practice and could really backfire in a big network.

 

 

When configuring a static route, the following options are available:

 

1. Specify only the next-hop value; the route is valid as long as a route exists for the next-hop value.

2. Specify only the local outgoing interface; the route is valid as long as the interface is in the UP/UP state.

3. Specify both the next-hop value and the local outgoing interface.

 

When the third option is selected, the local outgoing interface behaves like a condition for the next-hop value and should be read as: this static route is valid only if the configured next-hop value is reachable over the configured interface, which means as long as the interface is in the UP/UP state; it has nothing to do with IP/ARP/NHRP functionality towards the next-hop.