What you need to know about Cisco IOS access-list filtering

Let’s face it, if you don’t use Cisco IOS access lists (ACLs) every day, they can be very painful to use. Why are ACLs so painful? Besides just being difficult to use, the penalty for a mistake is huge. In one fell swoop, you could incorrectly permit malicious attackers onto your network or incorrectly deny all valid users from your network. Either way, the consequences could be devastating to your company and to your career. So how do you prevent this from happening? If you follow these guidelines, you will be “feeling good again” about your Cisco ACLs.

Know what an ACL can and cannot do

In the simplest of terms, a Cisco IOS ACL is used to define traffic. Once that traffic is defined, some action can then be taken on that traffic.
Commonly, an ACL is associated with the filtering of IP packets (Network Layer 3 of the OSI Model) as they pass through a router. In other words, it is used to permit or deny traffic through a router. However, if you only define the ACL and don’t apply it to an interface using the access-group command, nothing happens.
While ACLs can be used for many functions like QoS, route filtering, and allowing access to the router, in this article, we will focus on using ACLs for filtering traffic in and out of the router.

Know the syntax of ACLs

To configure an ACL you need to include some basic information about which packets to permit or deny.

The general syntax for a standard access list is:
access-list access-list-number {permit | deny} source [source-wildcard]
Note that the standard ACL can only permit or deny traffic based on the source of the traffic.
The general syntax of a TCP extended access list is:
access-list access-list-number [dynamic dynamic-name [timeout minutes]] {deny | permit} tcp source source-wildcard [operator [port]] destination destination-wildcard [operator [port]] [established] [precedence precedence] [tos tos] [log | log-input] [time-range time-range-name] [fragments]
You should also know that extended ACLs can filter IP, TCP, UDP, ICMP, and other types of traffic. The syntax above is for filtering TCP traffic.

Know that ACLs use wildcard masks

Cisco IOS ACLs use wildcard masks. A wildcard mask is required any time you enter an IP address in your ACL. The only ways to enter an address without a wildcard mask are to use the keyword “any” in place of the address, or the keyword “host” before the IP address of a single host on the network.
Wildcard masks are the binary reverse of a subnet mask. Thus, to calculate a wildcard mask, you take the subnet mask of a network address or IP address, convert it to binary, turn all the 1s into 0s and the 0s into 1s, and convert it back to decimal. Sounds complicated, but it really isn’t. If the subnet mask is masked at the 8-bit subnet boundaries, then a 0 will turn into a 255 and a 255 will turn into a 0. Here are a few examples:
  • SN 255.0.0.0 = wildcard 0.255.255.255
  • SN 255.255.255.0 = wildcard 0.0.0.255
  • SN 255.255.128.0 = wildcard 0.0.127.255
  • SN 255.255.255.224 = wildcard 0.0.0.31
Do NOT use a subnet mask in a wildcard mask on a Cisco IOS router or switch, or you will end up with unintended results. (On the other hand, if you are configuring an ACL on a Cisco PIX, use regular subnet masks, not wildcard masks).
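The following Python sketch is an added example, not part of the original article. It computes the wildcard masks listed above and shows what an entry matches when a subnet mask is typed where the wildcard belongs; the function names and the test addresses are constructed for illustration.

```python
import ipaddress

ALL_ONES = 0xFFFFFFFF


def _to_int(dotted):
    """Dotted-decimal string -> 32-bit integer."""
    return int(ipaddress.IPv4Address(dotted))


def wildcard_from_netmask(netmask):
    """Flip every bit of a subnet mask to get the IOS wildcard mask."""
    return str(ipaddress.IPv4Address(_to_int(netmask) ^ ALL_ONES))


def ace_matches(address, base, wildcard):
    """True when address equals base in every bit where the wildcard bit is 0.

    Wildcard bits set to 1 are "don't care" positions and are ignored.
    """
    care_bits = ~_to_int(wildcard) & ALL_ONES
    return ((_to_int(address) ^ _to_int(base)) & care_bits) == 0


def addresses_covered(wildcard):
    """How many addresses one entry matches: doubles for each 1 bit."""
    return 2 ** bin(_to_int(wildcard)).count("1")


if __name__ == "__main__":
    # The four masks from the list above.
    for mask in ("255.0.0.0", "255.255.255.0", "255.255.128.0", "255.255.255.224"):
        print(f"SN {mask} = wildcard {wildcard_from_netmask(mask)}")

    # Constructed comparison: the intended entry versus the same entry
    # with a subnet mask typed in place of the wildcard mask.
    base = "172.16.30.0"
    for wildcard in ("0.0.0.255", "255.255.255.0"):
        print(f"\npermit {base} {wildcard} "
              f"(covers {addresses_covered(wildcard)} addresses)")
        for source in ("172.16.30.77", "10.9.8.0"):
            verdict = "match" if ace_matches(source, base, wildcard) else "no match"
            print(f"  {source:<14} {verdict}")
```

With the subnet mask in the wildcard position, the first three octets become "don't care" bits, so the entry stops matching hosts in 172.16.30.0/24 and instead matches any address whose last octet is 0.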

Know how to create an ACL and apply it to an interface

For example, here’s how a sample configuration might look for access list 1:
Router(config)# access-list 1 permit 172.16.30.0 0.0.0.255
Router(config)# interface e0/0
Router(config-if)# ip access-group 1 out
The ip access-group command is used to apply an ACL to an interface and specify the direction that it applies.
The commands above permit any traffic coming from IP network 172.16.30.0 going OUT the router’s Ethernet 0/0 interface.

Know the implicit deny

Let me ask you this: What is allowed through the ACL above? Answer: Only the traffic from the 172.16.30.0 /24 network. Why is that? That is because at the end of every ACL, whether you see it or not, ALL TRAFFIC IS IMPLICITLY DENIED.
So, what traffic is allowed through the ACL below?

Router(config)# access-list 1 deny 172.16.30.0 0.0.0.255
That’s right - NO TRAFFIC is allowed because certain traffic is explicitly denied and ALL OTHER TRAFFIC IS DENIED by the implicit deny.
How do you see the traffic being denied? You can enter your own explicit deny with the log keyword, like this:

Router(config)# access-list 1 permit 172.16.30.0 0.0.0.255
Router(config)# access-list 1 deny any log

Know that ACLs use top-down processing


Cisco IOS ACLs use top-down processing. This means that when a condition in the ACL is met, all processing is stopped. Thus, if there is a permit for network 1.1.1.0 in the fifth line of the ACL but it is denied in the third line of the ACL, then that traffic is denied.
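The next Python sketch is an added example, not code from the original article. It models first-match evaluation of a standard ACL with the implicit deny at the end, and goes one step beyond the text by flagging entries that can never match because an earlier entry already covers them. The parser handles only the standard-ACL forms shown on this page, and ACL 10 is constructed sample input.

```python
import ipaddress

ALL_ONES = 0xFFFFFFFF


def _ip(text):
    return int(ipaddress.IPv4Address(text))


def parse_standard_acl(config):
    """Turn 'access-list N {permit|deny} <source>' lines into
    (action, base, wildcard) tuples, in configured order."""
    entries = []
    for line in config.strip().splitlines():
        tokens = line.split()
        if len(tokens) < 4 or tokens[0] != "access-list":
            continue
        action, src = tokens[2], tokens[3:]
        if src[0] == "any":
            base, wild = 0, ALL_ONES          # every bit is "don't care"
        elif src[0] == "host":
            base, wild = _ip(src[1]), 0       # every bit must match
        else:
            base = _ip(src[0])
            # An address with no wildcard is treated as a single host.
            wild = _ip(src[1]) if len(src) > 1 and src[1] != "log" else 0
        entries.append((action, base, wild))
    return entries


def evaluate(entries, source):
    """Return (action, line). The first matching entry wins;
    line is None when only the implicit deny applied."""
    addr = _ip(source)
    for line, (action, base, wild) in enumerate(entries, start=1):
        if ((addr ^ base) & ~wild & ALL_ONES) == 0:
            return action, line
    return "deny", None


def shadowed(entries):
    """Return (later_line, earlier_line) pairs where the later entry is
    fully covered by the earlier one and so is never reached."""
    found = []
    for j, (_, b2, w2) in enumerate(entries):
        for i, (_, b1, w1) in enumerate(entries[:j]):
            care = ~w1 & ALL_ONES
            if (w2 & care) == 0 and ((b1 ^ b2) & care) == 0:
                found.append((j + 1, i + 1))
                break
    return found


# The two single-line ACLs discussed above, plus the explicit logged deny.
PERMIT_ONLY = "access-list 1 permit 172.16.30.0 0.0.0.255"
DENY_ONLY = "access-list 1 deny 172.16.30.0 0.0.0.255"
PERMIT_THEN_LOG = PERMIT_ONLY + "\naccess-list 1 deny any log"

# Constructed ACL: 1.1.1.0 is denied on line 3 and permitted on line 5.
ORDERED = """
access-list 10 permit 172.16.30.0 0.0.0.255
access-list 10 permit host 10.0.0.5
access-list 10 deny 1.1.1.0 0.0.0.255
access-list 10 permit 192.168.0.0 0.0.255.255
access-list 10 permit 1.1.1.0 0.0.0.255
"""

if __name__ == "__main__":
    for name, acl in (("permit only", PERMIT_ONLY), ("deny only", DENY_ONLY)):
        entries = parse_standard_acl(acl)
        for source in ("172.16.30.9", "10.1.1.1"):
            print(name, source, evaluate(entries, source))
    ordered = parse_standard_acl(ORDERED)
    print("1.1.1.9 ->", evaluate(ordered, "1.1.1.9"))
    print("shadowed entries (later, earlier):", shadowed(ordered))
```

A result of ("deny", None) means the packet fell through to the implicit deny, which is the case that produces no log entry unless an explicit deny any log is the last line.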

Know the three Ps of ACLs


Remember, you can only apply ONE ACL:
  • Per Interface
  • Per Protocol
  • Per Direction
As most of us are applying IP ACLs, the protocol doesn’t matter that much, but the important thing to know is that you can apply only ONE ACL on each interface in each direction. In other words, you can apply only one INBOUND and one OUTBOUND ACL per interface.

Know how to verify which ACLs are applied and which are configured


Showing what ACLs are created and what ACLs are applied is easy if you know just a few commands. These commands are:
  • show access-lists
  • show ip interface
  • show running-config

Know that there are many methods and types of ACLs


The Cisco IOS supports IP Standard and Extended ACLs in both named and numbered versions. Additionally, there are reflexive, dynamic, and lock-and-key access lists, among many others.

Know how ACLs can be used in the real world

While you may understand the concept of ACLs and how to configure them, it is important to know how to use them in the real world.
Here are a few business applications for ACLs:
1. Basic packet filtering for security: Filter traffic from a host, a network, a protocol, or port.
2. Packet filtering for bandwidth control: Say that a streaming audio or video application was using network bandwidth, and it was on a certain port number. With an ACL, you could discard those video and audio packets to prevent overutilization of bandwidth.
3. Other functions with ACLs: Route filtering, QoS, controlling access to the router, etc.

Know where to find more resources to learn ACLs

There is a lot to know about ACLs, and we can’t cover it all in this short format. To learn more about ACLs, here are some links to other articles and videos I have created on this topic.
  • TechRepublic.com: Use Advanced Parameters on Your Cisco IOS ACLs
  • TechRepublic.com: Cisco IOS Access Lists - 10 Things You Should Know
  • HappyRouter.com: Free Video - Hardening Your Router with Cisco IOS ACLs
  • Petri.co.il: How to Edit Cisco IOS ACLs Using Line Numbers

Conclusion
ACLs are the least understood feature that new Cisco administrators and CCNA candidates struggle with. I hope you find this information about Cisco IOS access lists helpful, and you keep it handy to “cure those ACL pains” whenever they come up.

Set up NAT using the Cisco IOS

Takeaway: Network address translation (NAT) has become one of the key components of today's corporate networks attached to the Internet. See how to set up and manage NAT using the Cisco Internetwork Operating System.

Network address translation (NAT) is one of those rare information technology buzzwords that does exactly what its name implies. In this case, it translates one network address into another network address. The most popular use for NAT is to connect an internal network to the Internet. The proliferation of hosts that now connect to the Internet is causing a shortage of IP addresses, so NAT is a key tool for connecting corporate networks using private IP addresses to the Internet. Since Cisco provides the bulk of the routers that connect to the Internet, we’re going to show you how to set up NAT using the Cisco Internetwork Operating System (IOS).

Understanding NAT

Using NAT to connect to the Internet allows you to:

* Use only one public, registered IP address for Internet access for many thousands of private IP addresses at your site.
* Change Internet service providers (ISPs) easily, without readdressing the majority of hosts on your network.
* Hide the identity of hosts on your local network behind the single public IP address to keep outside hosts from easily targeting them.

The most difficult part of using NAT in the Cisco IOS is getting a handle on these four key terms:

* Inside Local—This is the local IP address of the private host on your network (i.e., your PC’s IP address).

* Inside Global—This is the public, legal, registered IP address that the outside network sees as the IP address of your local host.

* Outside Local—This is the local IP address from the private network, which your local host sees as the IP address of the remote host.

* Outside Global—This is the public, legal, registered IP address of the remote host (i.e., the IP address of the remote Web server that your PC is connecting to).

My first reaction after reading Cisco’s definitions for these terms was nearly total confusion, so don’t feel bad if you feel the same thing. But after seeing a diagram of these terms, it started to click for me. Take a look at Figure A for a logical diagram of these terms.
Figure A: logical diagram of the four NAT address terms (image not included)

Configuring NAT

To configure the standard NAT scenario I mentioned in the opening paragraph, refer to Figure B and then look at the simple steps that need to be taken if you are using a Cisco router between your local network and the Internet.

Figure B: Cisco router between the local network and the Internet (image not included)

1. Configure your pool of legal, public IP addresses that the router can use to represent your local addresses on the Internet. This pool can contain as few as one or as many addresses as you would like to provide. For a small to medium-size network, one address is typically fine. The syntax is:

ip nat pool name start-ip end-ip {netmask netmask | prefix-length prefix-length}

2. Define an access-list to specify what range of IP addresses is allowed to be translated from your local network to the remote network. This is, basically, a security feature asking you, “Who (what range of IP addresses) can use the NAT service?” The syntax is:

access-list access-list-number permit source [source-wildcard]

3. Specify that you want a dynamic translation from the source IP address to the pool and that you want to overload the pool address (or addresses). The syntax is:

ip nat inside source list access-list-number pool name overload

4. Specify which of the router’s interfaces will be the “inside” interface. The syntax for the Ethernet 0 interface is:

int e0
ip nat inside

5. Specify which of the router’s interfaces will be the “outside” interface. The syntax for the Serial 0 interface is:

int s0
ip nat outside

6. Add a static route to your router to send any traffic not destined for your local network to the Internet interface. (In our case, I will use a default route to send traffic out the serial interface.) Here’s the syntax:

ip route 0.0.0.0 0.0.0.0 serial0

Listing A shows the resulting configuration for the router. One way to examine this on your router would be to issue the command show run.

How is this possible?

This configuration would allow any host on your local network (such as a desktop PC) to connect to the Internet using the single registered IP address that is being overloaded. Thus, any traffic from that local PC will have the source IP address of the router’s external interface.

If you think about this for a minute, you might wonder how multiple hosts can share the same IP address in the overload configuration, since we are taught that one IP address is assigned to one host and there is no sharing (any more than there is sharing of a social security number).

The answer to that question is that NAT gets around this rule by making an entry in a translation table for every host using a port. In this translation table, there is a map between the inside local, a port on the inside global, another port on the outside local, and the outside global. By assigning these ports and keeping track of them in the table, the router is able to “overload” a single IP address with multiple hosts. This allows them to share a single IP address among them.
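The Python sketch below is an added example, not part of the original article and not Cisco's implementation. It models the overload translation table described above: the access list decides which inside local sources may be translated, each flow gets a port on the single inside global address, and return traffic is mapped back only when a table entry exists. The class name, the port-selection policy (keep the source port if free, otherwise take the next free port from 1024), and all addresses are assumptions chosen for illustration.

```python
import ipaddress
from itertools import chain


class OverloadNat:
    """Simplified model of 'ip nat inside source list ... pool ... overload'."""

    def __init__(self, inside_global, permitted_sources, first_port=1024):
        self.inside_global = inside_global
        # Stands in for the access list, e.g. "permit 192.168.1.0 0.0.0.255".
        self.permitted = ipaddress.ip_network(permitted_sources)
        self.first_port = first_port
        self.by_flow = {}    # (local ip, local port, remote ip, remote port) -> global port
        self.by_global = {}  # (global port, remote ip, remote port) -> (local ip, local port)

    def _free_port(self, wanted, dst_ip, dst_port):
        # Assumed policy: reuse the host's own source port when it does not
        # collide with an existing entry, otherwise scan upward.
        for port in chain([wanted], range(self.first_port, 65536)):
            if (port, dst_ip, dst_port) not in self.by_global:
                return port
        raise RuntimeError("no free port left on the inside global address")

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        """Inside -> outside. Returns the translated 4-tuple, or None when
        the access list does not permit the source to use NAT."""
        if ipaddress.ip_address(src_ip) not in self.permitted:
            return None
        flow = (src_ip, src_port, dst_ip, dst_port)
        if flow not in self.by_flow:
            port = self._free_port(src_port, dst_ip, dst_port)
            self.by_flow[flow] = port
            self.by_global[(port, dst_ip, dst_port)] = (src_ip, src_port)
        return (self.inside_global, self.by_flow[flow], dst_ip, dst_port)

    def inbound(self, src_ip, src_port, dst_port):
        """Outside -> inside global address. Returns the inside local
        (ip, port), or None when no translation entry exists."""
        return self.by_global.get((dst_port, src_ip, src_port))

    def table(self):
        """Rows as (inside global, inside local, outside local, outside global)."""
        return [
            (f"{self.inside_global}:{port}", f"{s_ip}:{s_port}",
             f"{d_ip}:{d_port}", f"{d_ip}:{d_port}")
            for (s_ip, s_port, d_ip, d_port), port in self.by_flow.items()
        ]


if __name__ == "__main__":
    # Constructed scenario: two PCs pick the same source port for the same web server.
    nat = OverloadNat("198.51.100.1", "192.168.1.0/24")
    print(nat.outbound("192.168.1.10", 1025, "203.0.113.80", 80))
    print(nat.outbound("192.168.1.11", 1025, "203.0.113.80", 80))
    print("reply to port 1024 ->", nat.inbound("203.0.113.80", 80, 1024))
    print("unsolicited packet  ->", nat.inbound("192.0.2.66", 4444, 1025))
    print("source outside ACL  ->", nat.outbound("10.9.9.9", 1025, "203.0.113.80", 80))
    for row in nat.table():
        print(row)
```

The second PC is moved to a different global port because the first one already holds port 1025 toward that server, which is how the router keeps the two flows apart on one address.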

You can learn more about NAT and how to configure the other two possible uses of NAT from the Cisco Tech Tips pages and from the online Cisco IOS documentation pages on configuring IP addressing and IP addressing commands.
 
source : www.techrepublic.com

The TCP/IP Protocol Architecture

TCP/IP defines a large collection of protocols that allow computers to communicate. Table 1.1 outlines the protocols and the TCP/IP architectural layer to which they belong. TCP/IP defines the details of each of these protocols in Requests For Comments (RFC) documents. A computer that implements the required protocols defined in the TCP/IP RFCs can communicate with other computers that also use the TCP/IP standards.

TCP/IP Architecture Layer    Protocols

Application                  HTTP, POP3, SMTP
Transport                    TCP, UDP
Internetwork                 IP
Network interface            Ethernet, Frame Relay

TCP/IP and the OSI Reference Model


As illustrated in Figure 1.2, the TCP/IP model consists of four layers, each of which can have several sublayers. These layers correlate roughly to layers in the OSI reference model and define similar functions. Some of the TCP/IP layers correspond directly with layers in the OSI reference model while others span several OSI layers. The four TCP/IP layers are:

  • The TCP/IP Application Layer refers to communications services to applications and is the interface between the network and the application. It is also responsible for presentation and controlling communication sessions. It spans the Application Layer, Presentation Layer and Session Layer of the OSI reference model. Examples include: HTTP, POP3, and SNMP. 
  • The TCP/IP Transport Layer defines several functions, including the choice of protocols, error recovery and flow control. The transport layer may provide for retransmission, i.e., error recovery, and may use flow control to prevent unnecessary congestion by attempting to send data at a rate that the network can accommodate, or it might not, depending on the choice of protocols. Multiplexing of incoming data for different flows to applications on the same host is also performed. Reordering of the incoming data stream when packets arrive out of order is included. It correlates with the Transport Layer of the OSI reference model. Examples include: TCP and UDP, which are called Transport Layer, or Layer 4, protocols.
  • The TCP/IP Internetwork Layer defines end-to-end delivery of packets and defines logical addressing to accomplish this. It also defines how routing works and how routes are learned; and how to fragment a packet into smaller packets to accommodate media with smaller maximum transmission unit sizes. It correlates with the Network Layer of the OSI reference model. Examples include: IP and ICMP.
  • The TCP/IP Network Interface Layer is concerned with the physical characteristics of the transmission medium as well as getting data across one particular link or medium. This layer defines delivery across an individual link as well as the physical layer specifications. It spans the Data Link Layer and Physical Layer of the OSI reference model. Examples include: Ethernet and Frame Relay.

Windows Error codes

When you enter a site and it shows the site as unavailable with an error code, you can work out what the problem is by referring to these error codes.

 
400 - Bad Request - You probably typed in a URL wrong, the server has no clue what you're looking for, or you aren't allowed to have access. Usually, it's a matter of the URL being typed in wrong. Maybe you mixed upper and lowercase letters or something.

401 - Unauthorized Request - you tried to get to something on the web server you're not allowed to play with. In other words, you ain't on the party list.

403 - Forbidden - You can't access the page. You may not have access (it may require a password), or it may be blocked from your domain.

404 - Not Found - The page you were trying to look at was not found on the server. This is probably the most common error you'll come across. What has probably happened is that the web page you were going to has been removed or re-named.

500 - Internal error - Usually caused by a CGI error. You fill out a form, but the script used to process it is not working properly.

503 - Service Unavailable - The server may be overloaded, down, or have other similar problems. Try again later.

Examining Network Address Translation (NAT)

Objectives 
• Examine NAT processes as traffic traverses a NAT border router.

Background / Preparation
In this activity, you will use Packet Tracer Simulation mode to examine the contents of the IP header as traffic crosses the NAT border router.

Step 1: Prepare the network for Simulation mode.

Verify that the network is ready to send and receive traffic. All the link lights should be green. If some link lights are still amber, you can switch between Simulation and Realtime mode several times to force the lights to turn green faster. Switch to Simulation mode before going to the next step.

Step 2: Send an HTTP request from an inside host to an outside web server.

a. Click Customer PC. Click the Desktop tab and then Web Browser. In the URL field, type the web address for the ISP server (www.ispserver.com). Make sure that you are in Simulation mode, and then click Go.

b. In the event list, notice that Customer PC queues a DNS request and sends out an ARP request. You can view the contents of the ARP request by either clicking on the packet in the topology or clicking on the packet color under Info in the Event List window.

c. In the PDU Information at Device: Customer PC window, which IP address is Customer PC attempting to find a MAC address for?

d. In the Event List window, click Capture/Forward twice. Which device answers the ARP request from Customer PC? Which MAC address is placed inside the ARP reply?

e. In the Event List window, click Capture/Forward twice. Customer PC accepts the ARP reply and then builds another packet. What is the protocol for this new packet? If you click Outbound PDU Details for this packet, you can see the details of the protocol.

f. In the Event List window, click Capture/Forward twice. Click the packet at the www.customerserver.com server. Then click the Outbound PDU Details tab. Scroll down to the bottom to see the Application Layer data. What is the IP address for the ISP server?

g. In the Event List window, click Capture/Forward twice. Customer PC now formulates another ARP request. Why?

h. In the Event List window, click Capture/Forward 10 times until Customer PC formulates an HTTP request packet. Customer PC finally has enough information to request a web page from the ISP server.

i. In the Event List window, click Capture/Forward three times. Click the packet at Customer Router to examine the contents. Customer Router is a NAT border router. What is the inside local address and the inside global address for Customer PC?

j. In the Event List window, click Capture/Forward seven times until the HTTP reply reaches Customer Router. Examine the contents of the HTTP reply and notice that the inside local and global addresses have changed again as the packet is forwarded on to Customer PC.

Step 3: Send an HTTP request from an outside host to an inside web server.

Customer Server provides web services to the public (outside addresses) through the domain name www.customerserver.com. Follow a process similar to Step 2 to observe an HTTP request on ISP Workstation.

a. Click ISP Workstation. Click the Desktop tab, and then Web Browser. In the URL field, type the Customer Server web address (www.customerserver.com). Make sure that you are in Simulation mode, and then click Go.

b. You can either click Auto Capture/Play or Capture/Forward to step through each stage of the process. The same ARP and DNS processes occur before the ISP Workstation can formulate an HTTP request.

c. When the HTTP request arrives at Customer Router, check the packet contents. What is the inside local address? What is the inside global address?

Exploring Different LAN Switch Options


Objectives

•    Determine the cable types to use to connect all devices to the switch.
•    Add appropriate modules to switches and routers.
•    Connect the devices to the switch using the appropriate cable types.

Background / Preparation

The results of a site survey for an ISP customer indicate that the customer needs to upgrade the LAN to include a new standalone switch. The network has an existing router (Router0) and a Linksys 300N router. It is necessary to determine which interfaces are needed on the new switch to provide connectivity to the router, the Linksys device, and the customer PCs. The customer wants to use copper cabling.
Note: Links created with the switch may take a minute to change from amber to green. Switch between Simulation mode and Realtime mode to speed up this process.

Step 1: Determine the required connectivity options.

a. Click Router0. Using the information in the Physical Device View window on the Physical tab, determine what type of interface is available on the router to connect to the new switch.

Hint: Place the mouse pointer on the interface to display the interface type. Click on the interface type to display a description of the interface.
b. Which interface is available on the router to connect to the new switch? What type of cable is required?

c. Click the Linksys 300N. Using the picture on the Physical tab, determine what type of cable is necessary to connect to the new switch.

d. Which interface is available on the Linksys 300N to connect to the new switch? What type of cable is required?

Step 2: Configure the new switch with the required options.

a. Click Switch0.
b. On the Physical tab, explore each switch module available under the Modules option.
c. Choose the appropriate interfaces to connect to Router0 and the Linksys 300N router.
d. Choose the appropriate interfaces to connect to the existing PCs.
e. Power down the switch using the power button in the Physical Device View window on the Physical tab.
f. Choose the appropriate modules for the switch. Add the four necessary interfaces to the switch.
g. Power up the switch using the power button shown in the Physical Device View window on the Physical tab.
h. Click the Config tab. Select each interface and ensure that the On box is checked.

Step 3: Connect the router to the switch.

a. Using the appropriate cable, connect the router port to the first available switch port. Click the Config tab on the router. Select the interface and ensure that the On box is checked. 
 
b. Verify connectivity. A green light appears on each end of the link if the cabling is correct.

Step 4: Connect the Linksys 300N to the switch.

a. Using the appropriate cable, connect the Linksys 300N to the second available port on the new switch.
b. Verify connectivity. A green light appears on each end of the link if the cabling is correct.

Step 5: Connect the PCs to the switch.

a. Using the appropriate cable, connect the existing PCs to the new switch.
b. Verify connectivity. A green light appears on each end of the links if the cabling is correct.
c. Click the Check Results button at the bottom of this instruction window to check your work.

CCNA Activities - Interpreting Ping and Traceroute Output

Objectives

• Distinguish the difference between successful and unsuccessful ping attempts.
• Distinguish the difference between successful and unsuccessful traceroute attempts.

Background / Preparation
In this activity, you will test end-to-end connectivity using ping and traceroute. At the end of this activity, you will be able to distinguish the difference between successful and unsuccessful ping and traceroute attempts.
Note: Before beginning this activity, make sure that the network is converged. To converge the network quickly, switch between Simulation mode and Real-time mode until all the link lights turn green.

Step 1: Test connectivity using ping from a host computer and a router.
a. Click N-Host, click the Desktop tab, and then click Command Prompt. From the Command Prompt window, ping the Cisco server at www.cisco.com.
Packet Tracer PC Command Line 1.0
PC>ping www.cisco.com
Pinging 64.100.1.185 with 32 bytes of data:

Request timed out.
Reply from 64.100.1.185: bytes=32 time=185ms TTL=123
Reply from 64.100.1.185: bytes=32 time=281ms TTL=123
Reply from 64.100.1.185: bytes=32 time=287ms TTL=123

Ping statistics for 64.100.1.185:
    Packets: Sent = 4, Received = 3, Lost = 1 (25% loss),
Approximate round trip times in milli-seconds:
    Minimum = 185ms, Maximum = 287ms, Average = 251ms

PC>

b. From the output, you can see that N-Host was able to obtain an IP address for the Cisco server. The IP address was obtained using DNS. Also notice that the first ping failed. This failure is most likely due to lack of ARP convergence between the source and destination. If you repeat the ping, you will notice that all pings succeed.

c. From the Command Prompt window on N-Host, ping E-Host at 192.168.4.10. The pings fail. If you do not want to wait for all four unsuccessful ping attempts, press Ctrl+C to abort the command, as shown below.

PC>ping 192.168.4.10
Pinging 192.168.4.10 with 32 bytes of data:
Request timed out.
Request timed out.

Ping statistics for 192.168.4.10:
Packets: Sent = 3, Received = 0, Lost = 3 (100% loss),
Control-C
^C
PC>

d. Click the N-Branch router, and then click the CLI tab. Press Enter to get the router prompt. From the router prompt, ping the Cisco server at www.cisco.com.

N-Branch>ping www.cisco.com
Translating "www.cisco.com"...domain server (64.100.1.242)
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 64.100.1.185, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 210/211/213 ms

N-Branch>

e. As you can see, the ping output on a router is different from a PC host. Notice that the N-Branch router resolved the domain name to the same IP address that N-Host used to send its pings. Also notice that the first ping fails, which is indicated by a period (.), and that the next four pings succeed, as shown with an exclamation point (!).

f. From the CLI tab on N-Branch, ping E-Host at 192.168.4.10. Again, the pings fail. To avoid waiting for all the failures, press Ctrl+C.

N-Branch>ping 192.168.4.10

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.4.10, timeout is 2 seconds: ...
Success rate is 0 percent (0/4)

N-Branch>

Step 2: Test connectivity using traceroute from a host computer and a router.

a. Click N-Host, click the Desktop tab, and then click Command Prompt. From the Command Prompt window, trace the route to the Cisco server at www.cisco.com.

PC>tracert www.cisco.com

Tracing route to 64.100.1.185 over a maximum of 30 hops:

  1   92 ms     77 ms     86 ms     192.168.1.1
  2   91 ms     164 ms    84 ms     64.100.1.101
  3   135 ms    168 ms    151 ms    64.100.1.6
  4   185 ms    261 ms    161 ms    64.100.1.34
  5   257 ms    280 ms    224 ms    64.100.1.62
  6   310 ms    375 ms    298 ms    64.100.1.185

Trace complete.

PC>

b. The above output shows that you can successfully trace a route all the way to the Cisco server at 64.100.1.185. Each hop in the path is a router responding three times to trace messages from N-Host. The trace continues until the destination for the trace (64.100.1.185) responds three times.

c. From the Command Prompt window on N-Host, trace a route to E-Host at 192.168.4.10. The trace fails, but notice that the tracert command traces up to 30 hops. If you do not want to wait for all 30 attempts to time out, press Ctrl+C.

PC>tracert 192.168.4.10

Tracing route to 192.168.4.10 over a maximum of 30 hops:

  1   103 ms    45 ms     91 ms     192.168.1.1
  2   56 ms     110 ms    125 ms    64.100.1.101
  3   174 ms    195 ms    134 ms    64.100.1.6
  4   246 ms    183 ms    179 ms    64.100.1.34
  5   217 ms    285 ms    226 ms    64.100.1.62
  6   246 ms    276 ms    245 ms    64.100.1.154
  7   *         *         *         Request timed out.
  8   *         *         *         Request timed out.
  9   *         *         *         Request timed out.
  10  

Control-C
^C
PC>

The tracert command can be helpful in finding the potential source of a problem. The last device to respond was 64.100.1.154, so you would start troubleshooting by determining which device is configured with the IP address 64.100.1.154. The source of the problem might not be that device, but the trace has given you a starting point, whereas a ping simply tells you that the destination is either reachable or unreachable.

d. Click the N-Branch router, and then click the CLI tab. Press Enter to get the router prompt. From the router prompt, trace the route to the Cisco server at www.cisco.com.

N-Branch>traceroute www.cisco.com
Translating "www.cisco.com"...domain server (64.100.1.242)
Type escape sequence to abort.
Tracing the route to 64.100.1.185

  1   64.100.1.101    60 msec   32 msec   59 msec  
  2   64.100.1.6      98 msec   65 msec   65 msec  
  3   64.100.1.34     138 msec  147 msec  147 msec 
  4   64.100.1.62     189 msec  148 msec  145 msec 
  5   64.100.1.185    219 msec  229 msec  293 msec 
N-Branch>

As you can see, traceroute output on a router is very similar to the output on a PC host. The only difference is that on a PC host, the IP address is listed after the three millisecond outputs.

e. From the CLI tab on N-Branch, trace the route to E-Host at 192.168.4.10. The trace fails at the same IP address as it failed when tracing from N-Host. Again, you can use Ctrl+C to abort the command.

N-Branch>traceroute 192.168.4.10
Type escape sequence to abort.
Tracing the route to 192.168.4.10

  1   64.100.1.101    41 msec   19 msec   32 msec  
  2   64.100.1.6      33 msec   92 msec   117 msec 
  3   64.100.1.34     98 msec   102 msec  102 msec 
  4   64.100.1.62     166 msec  172 msec  156 msec 
  5   64.100.1.154    157 msec  223 msec  240 msec 
  6   *     *     *    
  7   *     *     *    
  8   *     *     *    
  9  
N-Branch>

Step 3: Practice the ping and trace route commands.

Throughout this course, you will often use ping and traceroute to test connectivity and troubleshoot problems. To practice these commands, ping and trace from W-Host and S-Host to any other destination in the network. You can also ping and trace from N-Branch to other locations.