Session 4 Flashcards
Vlans - Trunk - NAT
why do you create vlans?
isolate the network, group users together, enhance security, increase traffic flow, it is scalable
what is an ACL used for?
allow/deny access to subnets/hosts.
If PC1 is on vlan 1 and PC3 is on vlan 3, can they talk? if so, what do you need to allow that?
it will need a router
will a switch forward a packet that is destined to a different vlan?
NO - a router does that
what is the total # of vlans?
1 thru 4094
vlans #2 - 1001 are considered what?
standard type vlans
vlans #1006 - 4094 are considered what?
extended type vlans
If a switch gets a frame for a vlan it does not know about, what does it do?
Traffic is dropped.
where are vlans stored?
vlan.dat in flash. It is not stored in running-config or startup-config, so not in nvram.
what is a trunk port?
allows an interface to essentially make virtual tunnels for each vlan that is allowed.
what command can you use to see vlan and trunking info?
show interfaces ### switchport
what type of encapsulations do cisco switches support?
ISL (inter switch link) and 802.1q, which cisco recommends
how does the switch know which vlan a frame belongs to?
802.1q - adds a tag (4 bytes) to the frame
how can you see the native vlan?
show interfaces trunk
why does the native vlan exist and what is it used for?
only used in 802.1q.
at one point in time, not everything could be tagged. so if traffic could not be tagged it could still go through the trunk port untagged.
if you change the native vlan on 1 switch, what else do you need to do?
it must match on both sides.
Native vlan should never be what #?
vlan 1.
config t
vlan 99
name v99-Native
go to the trunk port
int ###
switchport trunk native vlan 99
end
show int ### switchport - you will see trunk info
how do you get the syslog?
config t
terminal monitor
how do you prevent an access port from sending DTP messages?
you have to change the administrative mode to static access. This will prevent all the access ports from converting to a trunk port.
command:
config t
int range int#####
switchport mode access
how do you convert the administrative mode on a trunk port from dynamic access to static?
put in following command:
switchport nonegotiate
the max # of vlans on any given switch is determined by what?
Switch
STP version
VTP version
IOS / Switch and protocols working on that switch
An interface will not show up under show vlan brief (show vl br) for 2 reasons. what are they?
If the port is a trunk, or if the vlan has been removed
Each vlan has its own unique what?
subnet
what is required to forward traffic between vlans?
router
vlans create their own what?
broadcast domain or segments
why is Router on a stick called that?
you have 1 physical connection between the router and the switch.
You take that 1 link and add sub interfaces, which are virtual interfaces inside a physical interface.
when configuring a sub interface on a router, how do you config it?
config t
int ##.10
encapsulation
what do you have to do before adding an IP address to a sub interface?
you need to add the encapsulation and vlan # first
example:
encapsulation dot1q 10
The status of the sub interface is determined by what?
the physical interface it is under. If that is down, then all the sub interfaces would be down.
When you have an IP address on an interface and the status is up/up, what does that mean?
There should be an entry in the routing table
command:
show ip route
what would the show vlans command show on a router?
it will show you the vlan # and the interface that vlan is set up with.
a cisco router uses the physical (MAC) address of the physical interface for all sub interfaces. how is that possible?
different vlans - so you can use the same mac address in multiple different vlans.
what is one use of ACLs?
Filter traffic. It provides traffic identification.
when traffic is identified, a variety of actions can be applied.
what are ACEs?
access control entries within the ACL
what statements are usually used in an ACL?
permit - deny
what is the processing order of an ACL?
top down through the entries. So you have to be very specific: specific entries go higher than generic entries.
Standard ACLs match only what?
only filters based on the source IP address.
Extended ACLs match what?
Can filter based on Source/Destination IP address
filter based on different types of layer 4 protocols and port #s.
E for Everything
what are the 2 ways to ID your ACLs?
named and numbered.
Numbered range for a standard acl?
1 - 99, 1300-1900
so they will only look at the source IP address
Numbered range for an extended acl?
100 - 199, 2000 - 2699
Named ACLs are good because they allow you to do what?
modify on the fly. no need to delete it.
what is a wild card mask?
identifies the range of addresses that this entry applies to.
when you care about the bits in the wild card mask, what does that mean?
they cannot change. So those are the bits of the IP that cannot change.
In a wild card mask - how do you find the minimum value?
X = all 0s
In a wild card mask - how do you find the maximum value?
X = all 1s then you add it up to get the decimal format.
when doing a wild card for a range of addresses, how can you figure it out?
- change the first subnet into binary, only the part that changes with the other subnets.
- change the last subnet into binary, only the part that is actually different.
- Everything toward the left = all 0s, which we know we care about since it does not change
- Everything to the right of the line = all 1s.
- Add up all the ones and you will have your wild card for the range of addresses.
what does host mean in an acl?
0.0.0.0, so that means it is specific to that IP address
what does ANY mean in an acl?
basically means 255.255.255.255, which means it allows any host.
how can you verify an ACL is written?
show access-list
how can you verify an acl is applied inbound/outbound on an interface?
show ip interface ###
What does Inside Local address mean in NAT?
Specifies a private IP inside the LAN - basically the private IP address that you will be translating
what does Inside Global address mean in NAT?
Public IP assigned by the ISP & allows outside access - basically the public address that you will be translating to - basically means who you are trying to reach out to on the internet (destination)
what does outside Global address mean in NAT?
specifies a host outside the LAN
where can you use NAT?
Private to Public
Public to private
Public to Public
Private to private (when 2 companies merge)
What are the 3 types of NAT?
static nat - uses one to one address mapping
Dynamic Nat - uses many to many address mapping - basically allows the router to dynamically set up a route with a public address. it is still 1 to 1
PAT - uses many to one address mapping
commands to set up static nat?
find out which interface connects to the ISP
config t
int gi0/0
ip nat outside
find the interface that faces the inside
config t
int gi0/1
ip nat inside
IN GLOBAL CONFIG MODE
config t
ip nat inside source static #.#.#.# $.$.$.$
# = inside private host, $ = your public IP address
what command can you put in to see any translations on the router?
show ip nat translation
how can you verify which interface has NAT enabled?
show ip nat statistics
how do you set up dynamic nat?
global config
ip nat pool #### where #### = name of the nat pool
ip nat pool ### @.@.@.@ $.$.$.$
what is prefix-length?
it is the subnet mask of the pool that you are setting up in dynamic nat
typically it is the subnet mask of the subnet that your ISP gave you.
what word is needed to enable PAT?
overload
what is needed to set up NAT?
Inside interfaces
Outside interface
NAT access-list