
CCNA

SEMESTER 4

Study guide, Version 1.0

Table of Contents (Semester 4)

Lesson 1: Implementing EIGRP ........................................ 1-1
Lesson 2: Troubleshooting EIGRP ..................................... 2-1
Lesson 3: Introduction to Access Control List Operation ............. 3-1
Lesson 4: Configuring and Troubleshooting Access Control Lists ...... 4-1
Lesson 5: Scaling the Network with NAT and PAT ...................... 5-1
Lesson 6: Transitioning to IPv6 ..................................... 6-1
Lesson 7: Introducing VPN Solutions ................................. 7-1
Lesson 8: Establishing Point-to-Point WAN Connections with PPP ...... 8-1
Lesson 9: Establishing WAN Connections with Frame Relay ............. 9-1
Lesson 10: Troubleshooting Frame Relay WANs ......................... 10-1

Lesson 1: Implementing EIGRP

Implementing EIGRP


Overview: This lesson covers the features of the EIGRP routing protocol. EIGRP is a Cisco-proprietary routing protocol designed to overcome the weaknesses of both distance-vector and link-state routing protocols. The lesson also covers the basic mechanisms of EIGRP, including its path-selection process.

Objectives: After completing this lesson, you will be able to configure, verify and troubleshoot EIGRP. To do so, you must be able to:
- Describe the operation of, and configure, the EIGRP routing protocol, including load balancing and authentication.
- Identify the common problems encountered when configuring EIGRP and describe how to resolve them.

1-1

EIGRP Features

- Advanced distance vector
- Fast convergence
- 100% loop-free classless routing
- Easy configuration
- Partial updates
- Load balancing across equal- and unequal-cost paths

- Flexible network design
- Multicast and unicast instead of broadcast
- Support for VLSM and discontiguous subnets
- Manual route summarization at any point in the network
- Support for multiple network-layer protocols
1-2

EIGRP is a Cisco-proprietary routing protocol that combines the advantages of distance-vector and link-state routing protocols. It is an advanced distance-vector protocol, sometimes called a hybrid routing protocol, with the following features:

Fast convergence: EIGRP uses the DUAL algorithm to converge quickly. A router running EIGRP keeps all backup routes to a destination ready, so it can switch to an alternate path immediately if the primary path fails. If no backup route exists, the router queries its neighbors to discover a new path.

Efficient use of bandwidth: EIGRP sends no periodic updates. When a route or its metric changes, EIGRP sends only the change (a partial update), not the whole routing table.

Support for multiple network-layer protocols: EIGRP supports AppleTalk, IPv4, IPv6 and IPX through its protocol-dependent modules (PDMs).

Classless routing: Because EIGRP is classless, every network is advertised together with its subnet mask. This is what allows EIGRP to support discontiguous subnetworks and variable-length subnet masks (VLSMs).

1-2

Low overhead: EIGRP uses multicast and unicast instead of broadcast, so end stations are not disturbed by routing updates or by queries.

Load balancing: EIGRP supports load balancing over unequal-cost paths, which lets the administrator distribute traffic through the network more effectively.

Easy summarization: EIGRP lets the administrator summarize routes at any point in the network, whereas classic distance-vector protocols summarize only at major network boundaries.

1-3

EIGRP Tables

1-4

Each EIGRP router maintains a neighbor table, which lists the directly connected EIGRP routers it has formed an adjacency with.

Each EIGRP router also maintains a topology table for each network-layer protocol it routes. The topology table holds every route the router has learned. From this table the router selects the best paths and installs them in the routing table.

To select the best path (the successor) and a backup path (the feasible successor) to a destination, EIGRP works with two values:

Advertised Distance (AD): the metric to the destination network as advertised by the neighbor.
Feasible Distance (FD): the metric to the destination network from this router, equal to the neighbor's AD plus the metric of the link from this router to that neighbor.

The router compares the FDs of all paths, picks the lowest, and installs it in the routing table.

1-4

EIGRP Path Calculation (Router C)

1-5

Example: EIGRP path calculation (Router C)

The EIGRP topology table holds every path to a destination network learned from the neighbors. In the figure, Routers A and B send their routing tables to Router C (see Router C's topology table in the figure). Both A and B have a route to 10.1.1.0/24, so Router C has two entries for 10.1.1.0/24 in its topology table. The metric from Router C to Router A and to Router B is 1000 in both cases. Adding that link metric to the AD advertised by each neighbor gives the FD that Router C has to 10.1.1.0/24 via Router A and via Router B respectively.

Router C selects the lowest FD (2000) and installs that path in the routing table. The lowest-cost path that is installed in the routing table is called the successor route. Next, the router chooses a backup for the successor, called the feasible successor route. To qualify as a feasible successor, the neighbor's AD must be lower than the FD of the successor route.

If the successor becomes invalid, because the topology changed or a neighbor changed its metric, DUAL checks whether a feasible successor (FS) exists. If so, DUAL promotes it without recomputing the route. If no feasible successor exists, the router performs a new computation to find a new successor.

1-5

Configuring EIGRP
RouterX(config)# router eigrp autonomous-system

RouterX(config-router)# network network-number

1-6

CONFIGURING AND VERIFYING EIGRP

Use the router eigrp and network commands to start the EIGRP routing process. Note that EIGRP requires an autonomous system (AS) number. The AS number does not need to be registered, but every router in the same autonomous system must use the same AS number to exchange routing information.

The network command identifies a major network that is directly connected to the router. The EIGRP routing process looks for interfaces whose IP address falls within the network given in the network command and starts EIGRP on those interfaces.

Example: EIGRP configuration. The following describes the EIGRP configuration on Router A:

router eigrp 100: starts the EIGRP process for autonomous system 100.
network 172.16.0.0: adds network 172.16.0.0 to the EIGRP routing process.
network 10.0.0.0: adds network 10.0.0.0 to the EIGRP routing process.

Note: EIGRP sends updates out of the interfaces that belong to networks 10.0.0.0 and 172.16.0.0. These updates carry information about 10.0.0.0, 172.16.0.0 and any other networks EIGRP has learned.

1-6

EIGRP Default Behavior with Discontiguous Networks

By default EIGRP does not advertise subnets, so discontiguous networks are not supported.

1-7

EIGRP automatically summarizes routes at classful network boundaries. In some cases you may not want automatic summarization. For example, if you have discontiguous networks you need to turn off automatic summarization so the router is not confused by them.

1-7

Using no auto-summary with EIGRP Discontiguous Networks

Use the no auto-summary command to advertise subnets, thereby supporting discontiguous networks.


1-8

To turn off automatic summarization, use the no auto-summary command.

1-8

Verifying the EIGRP Configuration


RouterX# show ip route eigrp

Displays the current EIGRP routes in the routing table


RouterX# show ip protocols

Displays the parameters and current state of the routing protocol


RouterX# show ip eigrp interfaces

Displays the EIGRP configuration information on the interfaces


RouterX# show ip eigrp interfaces
IP EIGRP interfaces for process 109

                  Xmit Queue   Mean   Pacing Time   Multicast    Pending
Interface  Peers  Un/Reliable  SRTT   Un/Reliable   Flow Timer   Routes
Di0          0        0/0        0       11/434          0           0
Et0          1        0/0      337         0/10          0           0
SE0:1.16     1        0/0       10         1/63        103           0
Tu0          1        0/0      330         0/16          0           0

1-9

The show ip route eigrp command displays the EIGRP routes in the routing table.

The show ip protocols command displays the parameters and current state of the active routing protocol process. It shows the EIGRP autonomous system number, along with information on filtering, redistribution, neighbors and administrative distance.

Use the show ip eigrp interfaces [type number] [as-number] command to find out which interfaces are running EIGRP and what EIGRP has learned on them. If you specify an interface with the type number option (interface type and number), only that interface's information is displayed; otherwise all interfaces running EIGRP are listed. If you specify an autonomous system with as-number, only the routing process for that AS is displayed; otherwise all EIGRP processes are displayed.

Fields of the show ip eigrp interfaces output:

Interface: the interface on which EIGRP is configured.
Peers: the number of directly connected EIGRP neighbors on the interface.
Xmit Queue Un/Reliable: the number of packets remaining in the unreliable and reliable transmit queues.

1-9

Mean SRTT: the mean smoothed round-trip time (SRTT), in milliseconds, across all neighbors on the interface.
Pacing Time Un/Reliable: the number of milliseconds to wait after sending unreliable and reliable packets.
Multicast Flow Timer: the number of milliseconds to wait for acknowledgement of a multicast packet from all neighbors before sending the next multicast packet.
Pending Routes: the number of routes in packets waiting in the transmit queue to be sent.

1-10

Verifying the EIGRP Configuration (cont.)


RouterX# show ip eigrp neighbors [detail]

Displays the neighbors discovered by IP EIGRP


RouterX# show ip eigrp neighbors
IP-EIGRP Neighbors for process 77
Address         Interface   Holdtime  Uptime    Q      Seq  SRTT  RTO
                            (secs)    (h:m:s)   Count  Num  (ms)  (ms)
172.16.81.28    Ethernet1   13        0:00:41   0      11   4     20
172.16.80.28    Ethernet0   14        0:02:01   0      10   12    24
172.16.80.31    Ethernet0   12        0:02:02   0      4    5     20

1-11

Use the show ip eigrp neighbors command to display the neighbors EIGRP has discovered and to see which neighbors are up and which are not. The command is also useful when troubleshooting packet-delivery problems. The significant fields of the show ip eigrp neighbors output are:

Process 77: the autonomous system number specified in the router command.
Address: the IP address of the neighbor.
Interface: the interface on which the router receives hello packets from the neighbor.
Holdtime: the length of time, in seconds, that IOS waits to hear from the neighbor before declaring it down. If the neighbor uses the default hold time, this value is less than 15 seconds; if the neighbor uses a different value, that value is shown.
Uptime: the elapsed time (hours:minutes:seconds) since the router first heard from the neighbor.
Q Count: the number of EIGRP packets (update, query, reply) waiting to be sent.
Seq Num: the sequence number of the most recent update, query or reply packet received from the neighbor.

1-11

SRTT: the time, in milliseconds, needed for an EIGRP packet to reach the neighbor and for the acknowledgement to come back.
RTO: retransmission timeout, in milliseconds: the time to wait before retransmitting a packet from the queue to the neighbor.

The significant fields of the show ip eigrp neighbors detail output are:

Process 77: the autonomous system number specified in the router command.
H: the order in which the adjacencies with the neighbors were established, numbered from 0.
Address, Interface, Holdtime, Uptime, Q Count, Seq Num, SRTT and RTO: as described above for show ip eigrp neighbors.
Version: the software version the neighbor is running.
Retrans: the number of times a packet has been retransmitted.
Retries: the number of retransmission attempts for a packet.
Restart time: the elapsed time (hours:minutes:seconds) since the neighbor restarted.

1-12

Verifying the EIGRP Configuration (cont.)


RouterX# show ip eigrp topology [all]

Displays the IP EIGRP topology table. Without the [all] option it shows only the successors and feasible successors.

RouterX# show ip eigrp topology
IP-EIGRP Topology Table for process 77
Codes: P - Passive, A - Active, U - Update, Q - Query, R - Reply,
       r - Reply status
P 172.16.90.0 255.255.255.0, 2 successors, FD is 46251776
         via 172.16.80.28 (46251776/46226176), Ethernet0
         via 172.16.81.28 (46251776/46226176), Ethernet1
         via 172.16.80.31 (46277376/46251776), Serial0
P 172.16.81.0 255.255.255.0, 2 successors, FD is 307200
         via Connected, Ethernet1
         via 172.16.81.28 (307200/281600), Ethernet1
         via 172.16.80.28 (307200/281600), Ethernet0
         via 172.16.80.31 (332800/307200), Serial0

1-13

The show ip eigrp topology command displays the EIGRP topology table, the active or passive state of each route, the number of successors and the feasible distance to each destination. Fields of the output:

Codes: the state of the topology table entry. Passive (P) is the stable state, ready for use. Active (A) means the router is searching for a new path by sending and receiving Update, Query and Reply packets.
P - Passive: EIGRP is not performing a computation for this destination.
A - Active: EIGRP is computing a new path for this destination.
U - Update: an update packet has been sent for this destination.
Q - Query: a query packet has been sent for this destination.
R - Reply: a reply packet has been sent for this destination.
r - Reply status: set after EIGRP has sent a query and is waiting for the reply.
172.16.90.0: the IP address of the destination network.
255.255.255.0: the destination network mask.

1-13

Successors: the number of successors. This corresponds to the number of next hops for the destination in the routing table.
FD: the feasible distance, the lowest metric to the destination. It is used in the feasibility condition (FC) check: if a neighbor's AD is lower than the current FD, the FC is met and the path through that neighbor becomes a feasible successor. Once EIGRP has a feasible successor it does not need to query its neighbors about the destination.
Replies: the number of replies still outstanding for the destination. Shown only when the destination is ACTIVE.
State: the exact EIGRP state of the destination, shown as 0, 1, 2 or 3. Shown only when the destination is ACTIVE.
Via: the IP address of the next hop to the destination. The first n of these lines, where n is the number of successors, are the successors; the remaining lines are feasible successors.
(46251776/46226176): the first number is the metric EIGRP uses to reach the destination; the second is the metric advertised by the neighbor.
Ethernet0, Serial0: the interface through which the route was learned.

1-14

Verifying the EIGRP Configuration (cont.)


RouterX# show ip eigrp traffic

Displays the number of EIGRP packets sent and received


RouterX# show ip eigrp traffic
IP-EIGRP Traffic Statistics for process 77
  Hellos sent/received: 218/205
  Updates sent/received: 7/23
  Queries sent/received: 2/0
  Replies sent/received: 0/2
  Acks sent/received: 21/14

1-15

The show ip eigrp traffic command displays the number of packets sent and received. Fields of the output:

Process 77: the autonomous system number specified in the router command.
Hellos sent/received: the number of hello packets sent and received.
Updates sent/received: the number of update packets sent and received.
Queries sent/received: the number of query packets sent and received.
Replies sent/received: the number of reply packets sent and received.
Acks sent/received: the number of acknowledgement packets sent and received.

1-15

The debug ip eigrp Command


RouterX# debug ip eigrp
IP-EIGRP: Processing incoming UPDATE packet
IP-EIGRP: Ext 192.168.3.0 255.255.255.0 M 386560 - 256000 130560 SM 360960 256000 104960
IP-EIGRP: Ext 192.168.0.0 255.255.255.0 M 386560 - 256000 130560 SM 360960 256000 104960
IP-EIGRP: Ext 192.168.3.0 255.255.255.0 M 386560 - 256000 130560 SM 360960 256000 104960
IP-EIGRP: 172.69.43.0 255.255.255.0, - do advertise out Ethernet0/1
IP-EIGRP: Ext 172.69.43.0 255.255.255.0 metric 371200 - 256000 115200
IP-EIGRP: 192.135.246.0 255.255.255.0, - do advertise out Ethernet0/1
IP-EIGRP: Ext 192.135.246.0 255.255.255.0 metric 46310656 - 45714176 596480
IP-EIGRP: 172.69.40.0 255.255.255.0, - do advertise out Ethernet0/1
IP-EIGRP: Ext 172.69.40.0 255.255.255.0 metric 2272256 - 1657856 614400
IP-EIGRP: 192.135.245.0 255.255.255.0, - do advertise out Ethernet0/1
IP-EIGRP: Ext 192.135.245.0 255.255.255.0 metric 40622080 - 40000000 622080
IP-EIGRP: 192.135.244.0 255.255.255.0, - do advertise out Ethernet0/1

Note: EIGRP routes are exchanged only when the network topology changes.


1-16

The debug ip eigrp privileged EXEC command helps you analyse the EIGRP packets an interface sends and receives. Because debug ip eigrp generates a large amount of output, use it only when there is little traffic on the network. Fields of the output:

IP-EIGRP: indicates that this is an EIGRP packet.
Ext: indicates that the network that follows is external to the EIGRP autonomous system; internal networks are marked Int.
do advertise out: the interfaces out of which EIGRP will not advertise the route. This is what prevents routing loops (the split-horizon rule).
M: the metric of the path, composed of the sent metric (SM) plus the metric between this router and the neighbor. The first number is the composite metric; the next two are the bandwidth and delay components.
SM: the metric as advertised by the neighbor.

1-16

EIGRP Metric

Default parameters used in the EIGRP metric:
- Bandwidth
- Delay

Optional parameters EIGRP can use in the metric:
- Reliability
- Load

Note: Although MTU is carried in EIGRP packets and exchanged between neighbors, MTU is not a factor in EIGRP path calculation.
1-17

EIGRP metric

The EIGRP metric is computed from several parameters, but the two most important are bandwidth and delay:

Bandwidth: the smallest bandwidth between source and destination.
Delay: the sum of the interface delays along the path.

The following parameters can also be used but are not recommended, because they usually cause frequent recalculation of the topology table:

Reliability: represents the reliability between source and destination, based on keepalives.
Load: represents the load on the links between source and destination, computed from the packet rate and the configured interface bandwidth.

Note: Although the maximum transmission unit (MTU) is carried in EIGRP packets and exchanged between neighbors, MTU is not a factor in the EIGRP metric computation.
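The bandwidth and delay terms above combine into one number in a fixed way: with the default K values (K1 = K3 = 1, K2 = K4 = K5 = 0) the classic EIGRP metric is 256 × (10^7 / minimum bandwidth in kbps + cumulative delay in tens of microseconds), with integer truncation at each step. The following is an added example, not code from this study guide or from Cisco. It computes that metric for a path and decodes the two components back into bandwidth and delay, so the M lines of the debug ip eigrp output in this lesson (for instance M 386560 - 256000 130560) can be checked by hand. The path built at the bottom (a FastEthernet hop followed by a 64 kbps serial hop) is constructed; its 100 µs and 20000 µs delays are the IOS interface defaults.

```python
"""EIGRP composite metric with the default K values (K1 = K3 = 1, K2 = K4 = K5 = 0).

Added example, not part of the original study guide. It implements the
classic (non-wide) EIGRP metric

    metric = 256 * ( 10^7 // min_bandwidth_kbps + sum_of_delays_us // 10 )

with the integer truncation IOS applies, so results can be checked against
the 'M <composite> - <bandwidth> <delay>' lines printed by 'debug ip eigrp'.
"""

from dataclasses import dataclass


@dataclass(frozen=True)
class Hop:
    """One link on the path: configured bandwidth (kbps) and delay (microseconds)."""
    name: str
    bandwidth_kbps: int
    delay_us: int


def bandwidth_component(min_bandwidth_kbps: int) -> int:
    """Scaled bandwidth term: 256 * floor(10^7 / slowest link in kbps)."""
    if min_bandwidth_kbps <= 0:
        raise ValueError("bandwidth must be positive")
    return 256 * (10_000_000 // min_bandwidth_kbps)


def delay_component(total_delay_us: int) -> int:
    """Scaled delay term: 256 * (cumulative delay in tens of microseconds)."""
    if total_delay_us < 0:
        raise ValueError("delay cannot be negative")
    return 256 * (total_delay_us // 10)


def composite_metric(path: list) -> tuple:
    """Return (composite, bandwidth_term, delay_term) for a list of Hop objects.

    Bandwidth is the minimum along the path and delay is the sum along the
    path, which is why one slow link dominates the metric while extra fast
    links only nudge it.
    """
    if not path:
        raise ValueError("path must contain at least one hop")
    bw = bandwidth_component(min(h.bandwidth_kbps for h in path))
    dly = delay_component(sum(h.delay_us for h in path))
    return bw + dly, bw, dly


def decode_debug_metric(bandwidth_term: int, delay_term: int) -> tuple:
    """Invert the two components shown by 'debug ip eigrp' back into
    (minimum bandwidth in kbps, cumulative delay in microseconds).

    Handy when reading a metric off the wire and asking which link is the
    bottleneck. Because of the integer division the bandwidth is recovered
    only to within rounding.
    """
    bw_kbps = 10_000_000 // (bandwidth_term // 256)
    delay_us = (delay_term // 256) * 10
    return bw_kbps, delay_us


if __name__ == "__main__":
    # Constructed path: FastEthernet (100 Mbps, default delay 100 us) followed by
    # a 64 kbps serial link (default delay 20000 us), like the 'bandwidth 64'
    # Serial0/0/1 interface configured later in this lesson.
    path = [Hop("FastEthernet0/0", 100_000, 100), Hop("Serial0/0/1", 64, 20_000)]
    total, bw, dly = composite_metric(path)
    print(f"composite={total} bandwidth={bw} delay={dly}")
    # First 'M' line of the debug output: 256000 + 130560 = 386560
    print(decode_debug_metric(256000, 130560))  # -> (10000, 5100)
```

The constructed FastEthernet-plus-64-kbps path yields 40514560, the same value that appears as [90/40514560] for 172.17.0.0 in the show ip route output at the end of this lesson, and the 256000/130560 pair from the debug output decodes to a 10 Mbps bottleneck with 5100 µs of cumulative delay.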

1-17

Load Balancing with EIGRP

By default, EIGRP load-balances over equal-cost paths: the four lowest equal-cost paths are installed in the routing table. Up to 16 routes to the same destination can be kept in the routing table; the maximum is set with the maximum-paths command.

1-18

EQUAL-COST LOAD BALANCING

Equal-cost load balancing lets the router distribute traffic across interfaces that have the same metric to a destination. Load balancing makes full use of the links and improves bandwidth utilization. For IP, Cisco IOS software load-balances over four equal-cost paths by default. With the maximum-paths maximum-path command you can load-balance over up to 16 equal-cost paths. Setting maximum-path to 1 disables load balancing.

If packets are process switched, equal-cost load balancing is done per packet. If packets are fast switched, load balancing is done per destination.

Note: When testing load balancing, do not ping to or from a router whose interfaces are fast switching, because packets generated by the router itself are process switched and the results will be misleading.

1-18

EIGRP Unequal-Cost Load Balancing


RouterX(config-router)#

variance multiplier

Allows the router to load-balance over routes whose metric is less than the multiplier times the lowest metric to the destination. The default variance is 1, which means load balancing over equal-cost paths only.

1-19

CONFIGURING UNEQUAL-COST LOAD BALANCING

EIGRP can also load-balance over unequal-cost paths; this is known as unequal-cost load balancing. How far EIGRP spreads traffic across its links is controlled with the variance command, whose parameter is:

multiplier: a value from 1 to 128. The default is 1, meaning only equal-cost load balancing is performed. The multiplier sets the range of metrics acceptable for load balancing.

Note: by default, traffic is distributed across the unequal-cost paths.

1-19

Variance Example

Router E chooses Router C to reach 172.16.0.0 because it has the lowest feasible distance, 20. With variance 2, Router E also chooses Router B to reach 172.16.0.0, since (20 + 10 = 30) < [2 * FD = 40]. Router D is not chosen to reach 172.16.0.0 (because 25 > 20).

1-20

Example: configuring variance

In the figure, variance is set to 2, so the metric range considered is 20 to 45, which are the feasible distances Router E has to 172.16.0.0. That range defines which routes can be used. A route is feasible if the next-hop router is closer to the destination than the current router and if the metric of the alternate path is within the range set by variance. Load balancing uses only feasible routes, and only these are kept in the routing table. The two feasibility conditions are:

1. The current best metric, the feasible distance, must be greater than the best metric advertised by the next-hop router (the advertised distance). In other words, the next-hop router on the path must be closer to the destination than the current router; this prevents routing loops.
2. The metric of the alternate path must be less than the variance multiplied by the best feasible distance.

If both conditions are met, the route is considered feasible and is added to the routing table. In the figure there are three paths to 172.16.0.0 with the following metrics:

1-20

Path 1: 30 (via B)
Path 2: 20 (via C)
Path 3: 45 (via D)

By default the router installs only path 2 (via C) in the routing table, because it has the lowest metric. To load-balance over paths 1 and 2, use variance 2, because 20 * 2 = 40, which is greater than the metric of path 1.

In this example Router E uses Router C as the successor because it has the lowest metric (20). With variance 2 applied on Router E, the path through Router B qualifies for load balancing: its feasible distance is less than twice the feasible distance of the successor (via Router C). Router D is not used for load balancing because the feasible distance through Router D is greater than twice the feasible distance of the successor.

Router D would not become a feasible successor for any value of variance: the distance advertised by Router D is 25, greater than Router E's feasible distance of 20, so, to prevent loops, Router D is not considered a feasible successor.
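The two decisions described in this lesson, Router C picking a successor and feasible successor for 10.1.1.0/24 (EIGRP Path Calculation above) and Router E admitting extra paths to 172.16.0.0 under variance 2, are the same rule applied twice: lowest FD wins, a neighbor is a feasible successor only if its AD is strictly below that FD, and variance then admits a feasible successor for load balancing only if its own FD is within the multiplier. The following is an added example, not code from this study guide or from Cisco, that applies that rule to constructed topology-table entries. The advertised distances and link costs are chosen so the FDs match the figures (2000 via Router A; 20, 30 and 45 via Routers C, B and D; Router D advertising 25); the split of Router B's 30 into AD and link cost, and Router B's AD of 1500 in the Router C case, are constructed since the figures are not reproduced here.

```python
"""Successor, feasible-successor and variance selection as DUAL applies them.

Added example, not part of the original study guide. Entries are constructed
to match the FDs quoted in the lesson; the AD/link-cost splits are assumptions.
"""

from dataclasses import dataclass


@dataclass(frozen=True)
class TopologyEntry:
    neighbor: str
    advertised_distance: int  # AD: the neighbor's own metric to the prefix
    link_cost: int            # metric from this router to that neighbor

    @property
    def feasible_distance(self) -> int:
        # FD = AD + cost of the link to the neighbor
        return self.advertised_distance + self.link_cost


@dataclass(frozen=True)
class Selection:
    successors: list            # lowest-FD entries, installed unconditionally
    feasible_successors: list   # pass the feasibility condition (AD < FD)
    installed: list             # successors + feasible successors admitted by variance


def select_paths(entries: list, variance: int = 1) -> Selection:
    """Apply DUAL's selection rules to the topology-table entries of one prefix."""
    if not 1 <= variance <= 128:
        raise ValueError("variance must be between 1 and 128")
    if not entries:
        return Selection([], [], [])

    best_fd = min(e.feasible_distance for e in entries)
    successors = [e for e in entries if e.feasible_distance == best_fd]

    # Feasibility condition: AD < FD of the successor. A neighbor that is not
    # strictly closer to the destination than this router could be routing
    # through us, so it never becomes a feasible successor, whatever the variance.
    feasible = [e for e in entries
                if e not in successors and e.advertised_distance < best_fd]

    # Variance admits a feasible successor only when its FD is within the multiplier.
    admitted = [e for e in feasible if e.feasible_distance <= variance * best_fd]
    return Selection(successors, feasible, successors + admitted)


def names(entries: list) -> list:
    return [e.neighbor for e in entries]


# Router C, prefix 10.1.1.0/24: link cost 1000 to both neighbors (as in the lesson),
# A advertises 1000 so FD via A is 2000; B's AD of 1500 is constructed.
ROUTER_C = [TopologyEntry("A", 1000, 1000), TopologyEntry("B", 1500, 1000)]

# Router E, prefix 172.16.0.0: FDs 30/20/45 via B/C/D as in the lesson, D advertising 25.
# The AD/link split for B and C is constructed.
ROUTER_E = [TopologyEntry("B", 15, 15), TopologyEntry("C", 10, 10), TopologyEntry("D", 25, 20)]

if __name__ == "__main__":
    c = select_paths(ROUTER_C)
    print("Router C successor:", names(c.successors), "feasible successor:", names(c.feasible_successors))
    for v in (1, 2, 3):
        e = select_paths(ROUTER_E, variance=v)
        print(f"Router E variance {v}: routes installed via {names(e.installed)}")
```

Raising the variance to 3 still leaves Router D out: the feasibility condition is evaluated before variance, so a neighbor whose AD is not below the successor's FD cannot be brought in by any multiplier, exactly as the lesson states for Router D.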

1-21

EIGRP MD5 Authentication


EIGRP supports authentication. Routers identify themselves in the EIGRP packets they send, and each router authenticates the source of the routing updates it receives. Neighbors taking part in authentication must be configured with the same key.

1-22

You can configure EIGRP neighbor authentication so that routers take part in routing only if they share a predefined password. By default, no authentication is used on EIGRP packets. EIGRP can be configured to authenticate with the MD5 algorithm. When you configure neighbor authentication, the router authenticates the source of every packet that carries routing information. For MD5 authentication you must configure an authentication key and a key ID on both the sending and the receiving router; the key is referred to as a password.

1-22

Steps to Configure EIGRP MD5 Authentication


1. Create a key chain, which is a group of keys (also called passwords).
2. Assign a key ID to each key.
3. Define the keys.
4. (Optional) Specify the lifetime of each key.
5. Enable MD5 authentication on the interface.
6. Specify the key chain the interface will use.

1-23

The MD5 keyed digest in every EIGRP packet prevents the introduction of unauthorized or false routing messages from an untrusted source. Each key has a key ID, which is stored locally on each router. The combination of the key ID and the interface carried with the packet identifies the authentication algorithm and the MD5 authentication key in use.

EIGRP lets you manage keys with key chains. Each key is defined within a key chain and can be given a lifetime. During a key's lifetime, routing updates are sent with that key. Only one authentication packet is sent, regardless of how many keys exist: the software examines the key numbers from lowest to highest and uses the first valid key it finds. A key cannot be used while it is not yet active. It is therefore recommended that the lifetimes of the keys in a chain overlap, so there is never a period during which no key is active. If such a gap exists, authentication with the neighbor fails and routing updates stop.

Note: It is very important that the routers know the correct time so that key rotation stays synchronized with the other routers. This ensures all routers are using the same key at the same time.

1-23

Configuring EIGRP MD5 Authentication


RouterX(config)#

key chain name-of-chain

Enters key-chain configuration mode


RouterX(config-keychain)#

key key-id

Identifies the key and enters key-chain key configuration mode

1-24

Follow these steps to create a key chain:

Step 1: Enter the key chain command in global configuration mode. Its parameter is:
name-of-chain: the name of the authentication key chain a key belongs to.

Step 2: Use the key command to identify the key to use. Its parameter is:
key-id: the ID number of a key in the key chain, from 0 to 2147483647. Key IDs do not have to be consecutive.

1-24

Configuring EIGRP MD5 Authentication (cont.)


RouterX(config-keychain-key)#

key-string text

Specifies the key string (password)


RouterX(config-keychain-key)#

accept-lifetime start-time {infinite | end-time | duration seconds}

(Optional) Specifies the period during which the key can be used on received packets


RouterX(config-keychain-key)#

send-lifetime start-time {infinite | end-time | duration seconds}

(Optional) Specifies the period during which the key can be used on sent packets

1-25

Step 3: Use the key-string command to specify the key string (password). Its parameter is:
text: the string used to authenticate sent and received EIGRP packets. It can be 1 to 80 characters long and can contain upper- and lowercase letters; the first character cannot be a digit, and the string is case sensitive.

Step 4 (optional): Use the accept-lifetime command to specify the period during which the key is accepted for authenticating received packets. If you do not use accept-lifetime, the period is infinite. Its parameters are:
start-time: the time from which the key specified with the key command is valid for received packets.
infinite: the key is valid for received packets from the start time onward, with no end time.

1-25

end-time: the key is valid for received packets from the start time until the end time. The syntax is the same as for start-time. The end time must be later than the start time; the default end time is infinite.
seconds: the length of time, in seconds, that the key is valid for received packets, from 1 to 2147483646.

Step 5 (optional): Use the send-lifetime command to specify the period during which the key can be used for sending packets. If you do not use this command, the period is infinite. Its parameters are:
start-time: the time from which the key specified with the key command is valid for sent packets.
infinite: the key is valid for sent packets from the start time onward, with no end time.
end-time: the key is valid for sent packets from the start time until the end time. The syntax is the same as for start-time. The end time must be later than the start time; the default end time is infinite.
seconds: the length of time, in seconds, that the key is valid for sent packets, from 1 to 2147483646.

Note: If the service password-encryption command is not used when configuring EIGRP authentication, the key string is stored in clear text in the router configuration. If service password-encryption is used, the key is stored in encrypted form, using type 7 encryption.

1-26

Configuring EIGRP MD5 Authentication (cont.)


RouterX(config-if)#

ip authentication mode eigrp autonomous-system md5

Specifies MD5 authentication for EIGRP packets


RouterX(config-if)#

ip authentication key-chain eigrp autonomous-system name-of-chain

Enables authentication of EIGRP packets using a key from the key chain

1-27

To configure MD5 authentication for EIGRP, follow these steps:

Step 1: Enter interface configuration mode for the interface on which you want to enable authentication.

Step 2: Use the ip authentication mode eigrp md5 command to specify MD5 authentication for EIGRP packets. Its parameter is:
autonomous-system: the EIGRP autonomous system for which authentication is used.

Step 3: Use the ip authentication key-chain eigrp command to specify which key chain is used to authenticate EIGRP packets. Its parameters are:
autonomous-system: the EIGRP autonomous system for which authentication is used.
name-of-chain: the name of the authentication key chain the key belongs to.

1-27

Example: EIGRP MD5 Authentication Configuration

RouterX
<output omitted>
key chain RouterXchain
 key 1
  key-string firstkey
  accept-lifetime 04:00:00 J 1 2006 infinite
  send-lifetime 04:00:00 Jan 1 2006 04:01:00 Jan 1 2006
 key 2
  key-string secondkey
  accept-lifetime 04:00:00 Jan 1 2006 infinite
  send-lifetime 04:00:00 Jan 1 2006 infinite
<output omitted>
!
interface Serial0/0/1
 bandwidth 64
 ip address 192.168.1.101 255.255.255.224
 ip authentication mode eigrp 100 md5
 ip authentication key-chain eigrp 100 RouterXchain
1-28

Example: MD5 authentication configuration

The figure shows the EIGRP MD5 authentication configuration for Router X. MD5 authentication is configured on interface s0/0/1 with the ip authentication mode eigrp 100 md5 command. The ip authentication key-chain eigrp 100 RouterXchain command specifies that key chain RouterXchain is used for EIGRP autonomous system 100.

The key chain RouterXchain command configures the parameters of key chain RouterXchain. Two keys are defined. Key 1 is set to firstkey with the key-string firstkey command. This key is accepted on packets received by Router X from 4:00 AM on January 1, 2006 onward, with no end time. However, the send-lifetime 04:00:00 Jan 1 2006 04:01:00 Jan 1 2006 command specifies that this key is used on sent packets only during one minute on January 1, 2006; after that it is no longer valid for sending.

Key 2 is set to secondkey with the key-string secondkey command. This key is accepted on packets received by Router X from 4:00 AM on January 1, 2006 onward, as specified by the accept-lifetime 04:00:00 Jan 1 2006 infinite command. It can be used on packets sent from 4:00 AM on January 1, 2006 onward, as specified by the send-lifetime 04:00:00 Jan 1 2006 infinite command.

1-28

Therefore Router X accepts and attempts to verify MD5 authentication on any EIGRP packet carrying key ID 1. Router X also accepts packets carrying key ID 2. All other MD5 authentication is rejected. Router X sends all EIGRP packets using key 2, because key 1 is no longer valid for sending.

1-29

Example: EIGRP MD5 Authentication Configuration

RouterY
<output omitted>
key chain RouterYchain
 key 1
  key-string firstkey
  accept-lifetime 04:00:00 Jan 1 2006 infinite
  send-lifetime 04:00:00 Jan 1 2006 infinite
 key 2
  key-string secondkey
  accept-lifetime 04:00:00 Jan 1 2006 infinite
  send-lifetime 04:00:00 Jan 1 2006 infinite
<output omitted>
!
interface Serial0/0/1
 bandwidth 64
 ip address 192.168.1.102 255.255.255.224
 ip authentication mode eigrp 100 md5
 ip authentication key-chain eigrp 100 RouterYchain
1-30

The figure shows the EIGRP MD5 authentication configuration for Router Y. MD5 authentication is configured on interface s0/0/1 with the ip authentication mode eigrp 100 md5 command. The ip authentication key-chain eigrp 100 RouterYchain command specifies that key chain RouterYchain is used for EIGRP autonomous system 100.

The key chain RouterYchain command enters configuration mode for key chain RouterYchain. Two keys are defined. Key 1 is set to firstkey with the key-string firstkey command. It is accepted on packets received by Router Y from 4:00 AM on January 1, 2006 onward, as specified by accept-lifetime 04:00:00 Jan 1 2006 infinite, and can be used on packets sent from 4:00 AM on January 1, 2006 onward, as specified by send-lifetime 04:00:00 Jan 1 2006 infinite. Key 2 is set to secondkey with the key-string secondkey command. It is accepted on packets received by Router Y from 4:00 AM on January 1, 2006 onward, as specified by accept-lifetime 04:00:00 Jan 1 2006 infinite, and can be used on packets sent from 4:00 AM on January 1, 2006 onward, as specified by send-lifetime 04:00:00 Jan 1 2006 infinite.

Therefore Router Y accepts and attempts to verify MD5 authentication on any EIGRP packet carrying key ID 1 or 2. Router Y uses key 1 to send all EIGRP packets, because it is the first valid key in the key chain.
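The key-management rules in this lesson (lowest-numbered valid key is used for sending; a received packet is accepted only if its key ID exists in the chain, the accept-lifetime covers the receive time and the digest verifies; a gap in the lifetimes stops authentication) can be checked against the RouterXchain and RouterYchain configurations above. The following is an added example, not code from this study guide and not Cisco IOS: it models those rules in Python with the two chains from the examples. The digest is a simplified stand-in (MD5 over the packet bytes followed by the key string) and does not reproduce the on-wire EIGRP authentication TLV; the half-open treatment of lifetimes, the "update"/"hello" packet bytes and the GAPPY_CHAIN used to show a lifetime gap are constructed.

```python
"""Key-chain rotation logic behind 'ip authentication key-chain eigrp'.

Added example, not part of the original study guide or of Cisco IOS. The digest
below is a simplified keyed MD5 (packet || key string), used only to show the
selection and acceptance rules; it is not the EIGRP authentication TLV layout.
"""

import hashlib
import hmac
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

INFINITE = datetime.max  # stands in for the 'infinite' keyword


@dataclass(frozen=True)
class Key:
    key_id: int
    key_string: str
    accept_start: datetime
    accept_end: datetime
    send_start: datetime
    send_end: datetime

    def can_send(self, at: datetime) -> bool:
        return self.send_start <= at < self.send_end      # send-lifetime (assumed half-open)

    def can_accept(self, at: datetime) -> bool:
        return self.accept_start <= at < self.accept_end  # accept-lifetime (assumed half-open)


class KeyChain:
    def __init__(self, name: str, keys: list):
        self.name = name
        self.keys = sorted(keys, key=lambda k: k.key_id)  # examined lowest ID first

    def send_key(self, at: datetime) -> Optional[Key]:
        """Lowest key ID valid for sending now, or None if the chain has a gap."""
        return next((k for k in self.keys if k.can_send(at)), None)

    def lookup(self, key_id: int) -> Optional[Key]:
        return next((k for k in self.keys if k.key_id == key_id), None)


def digest(packet: bytes, key_string: str) -> str:
    """Simplified keyed MD5; model only, not the EIGRP wire format."""
    return hashlib.md5(packet + key_string.encode()).hexdigest()


def sign(chain: KeyChain, packet: bytes, at: datetime) -> Optional[tuple]:
    """Return (key_id, digest) for an outgoing packet, or None if no key is active."""
    key = chain.send_key(at)
    if key is None:
        return None  # no active send key: the router cannot authenticate its updates
    return key.key_id, digest(packet, key.key_string)


def verify(chain: KeyChain, packet: bytes, key_id: int, tag: str, at: datetime) -> bool:
    """Accept only a known key ID, inside its accept-lifetime, with a matching digest."""
    key = chain.lookup(key_id)
    if key is None or not key.can_accept(at):
        return False
    return hmac.compare_digest(digest(packet, key.key_string), tag)


def exchange(sender: KeyChain, receiver: KeyChain, packet: bytes, at: datetime) -> tuple:
    """One authenticated packet from sender to receiver: (key ID used, accepted?)."""
    signed = sign(sender, packet, at)
    if signed is None:
        return None, False
    key_id, tag = signed
    return key_id, verify(receiver, packet, key_id, tag, at)


T0 = datetime(2006, 1, 1, 4, 0, 0)  # 04:00:00 Jan 1 2006, as in the lesson

# RouterXchain: key 1 sends for one minute only, key 2 sends forever; both accept forever.
ROUTER_X_CHAIN = KeyChain("RouterXchain", [
    Key(1, "firstkey", T0, INFINITE, T0, T0 + timedelta(minutes=1)),
    Key(2, "secondkey", T0, INFINITE, T0, INFINITE),
])
# RouterYchain: both keys accept and send forever.
ROUTER_Y_CHAIN = KeyChain("RouterYchain", [
    Key(1, "firstkey", T0, INFINITE, T0, INFINITE),
    Key(2, "secondkey", T0, INFINITE, T0, INFINITE),
])
# Constructed chain with a gap: key 1 stops sending at 04:01, key 2 starts at 04:10.
GAPPY_CHAIN = KeyChain("gappy", [
    Key(1, "firstkey", T0, INFINITE, T0, T0 + timedelta(minutes=1)),
    Key(2, "secondkey", T0, INFINITE, T0 + timedelta(minutes=10), INFINITE),
])

if __name__ == "__main__":
    for minutes in (0, 2):
        at = T0 + timedelta(minutes=minutes, seconds=30)
        print("X->Y at", at.time(), exchange(ROUTER_X_CHAIN, ROUTER_Y_CHAIN, b"update", at))
        print("Y->X at", at.time(), exchange(ROUTER_Y_CHAIN, ROUTER_X_CHAIN, b"hello", at))
    print("gap at 04:05:", GAPPY_CHAIN.send_key(T0 + timedelta(minutes=5)))
```

Run as written, Router X signs with key 1 at 04:00:30 and with key 2 from 04:01:00 on, while Router Y always signs with key 1, matching the explanations for both routers above; the constructed gappy chain returns no send key between 04:01 and 04:10, which is the failure mode the lesson warns about when lifetimes do not overlap. The clock dependence is visible in the code: every decision takes the current time as input, which is why synchronized time matters. Note also that the type 7 storage mentioned for service password-encryption is a reversible obfuscation of the key string, so the router configuration itself still needs to be protected.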

1-30

Verifying MD5 Authentication


RouterX#
*Jan 21 16:23:30.517: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 100: Neighbor 192.168.1.102 (Serial0/0/1) is up: new adjacency
RouterX#show ip eigrp neighbors
IP-EIGRP neighbors for process 100
H   Address          Interface   Hold Uptime   SRTT   RTO  Q  Seq
                                 (sec)         (ms)       Cnt Num
0   192.168.1.102    Se0/0/1       12 00:03:10   17  2280  0  14
RouterX#show ip route
<output omitted>
Gateway of last resort is not set
D    172.17.0.0/16 [90/40514560] via 192.168.1.102, 00:02:22, Serial0/0/1
     172.16.0.0/16 is variably subnetted, 2 subnets, 2 masks
D    172.16.0.0/16 is a summary, 00:31:31, Null0
C    172.16.1.0/24 is directly connected, FastEthernet0/0
     192.168.1.0/24 is variably subnetted, 2 subnets, 2 masks
C    192.168.1.96/27 is directly connected, Serial0/0/1
D    192.168.1.0/24 is a summary, 00:31:31, Null0
RouterX#ping 172.17.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.17.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 12/15/16 ms

1-31

Kim tra chng thc MD5 Hnh trn hin th nhng thng s ca cu lnh show ip eigrp neighbors v show ip route trn router X . Bng lng ging hnh trn cho thy a ch ip ca router Y , n ch ra rng 2 router ny thc hin mi quan h thn mt thnh cng . Bng nh tuyn ch ra rng network 172.17.0.0 c hc bi EIGRP trn kt ni serial . Do , chng thc MD5 cho EIGRP thnh cng gia router X v router Y . Kt qu ca ping thnh cng ti a ch cng kt ni Fast Ethernet ca router Y cho thy kt ni hot ng .

1-31

Summary
- EIGRP is an advanced distance-vector, classless routing protocol that runs the DUAL algorithm to exchange routing information; the EIGRP autonomous system number must be the same on all routers.
- EIGRP can load-balance across paths of unequal cost.
- EIGRP supports MD5 authentication to protect against rogue routers that are not authorized to join your network.

Lesson 2: Troubleshooting EIGRP

Implementing EIGRP

Overview: EIGRP scales well as a network grows. That scalability brings complexity in designing, configuring and maintaining it. This lesson introduces some common problems in EIGRP networks and notes how to resolve them.

Objectives: After completing this lesson, you will be able to identify EIGRP problems and propose solutions. To do this, you must complete the following:
- Describe the components of troubleshooting an EIGRP network
- Identify and resolve EIGRP neighbor relationship problems
- Identify and resolve EIGRP routing table problems
- Identify and resolve EIGRP authentication problems

Components of Troubleshooting EIGRP

The main components of troubleshooting EIGRP are:
- Troubleshooting neighbor relationships
- Troubleshooting the routing table
- Troubleshooting EIGRP authentication

Troubleshooting EIGRP Neighbor Issues

The following sample output of show ip eigrp neighbors shows that the neighbor relationship between two EIGRP routers has been established successfully.

RouterX# show ip eigrp neighbors
IP-EIGRP neighbors for process 100
H   Address      Interface   Hold  Uptime    SRTT  RTO   Q    Seq
                             (sec)           (ms)        Cnt  Num
1   10.23.23.2   Se0/0/1     13    00:02:26  29    2280  0    15
0   10.140.1.1   Se0/0/0     10    00:28:26  24    2280  0    25

For two EIGRP routers to form a neighbor relationship, they must be directly connected and on the same subnet. A log message saying "not on common subnet" means that the IP address configured on the interface of one of the two EIGRP routers is wrong. Use show ip interface interface to check the IP address. In the following output, the interface address is 10.2.2.3/24.

RouterX# sh ip int fa0/0
FastEthernet0/0 is up, line protocol is up
  Internet address is 10.2.2.3/24
  Broadcast address is 255.255.255.255
  Address determined by setup command
  MTU is 1500 bytes
  Helper address is not set
  Directed broadcast forwarding is disabled
  Outgoing access list is not set
  Inbound access list is not set

The network command configured in EIGRP router configuration mode determines which interfaces participate in the EIGRP routing process. The "Routing for Networks" section of show ip protocols shows which networks are configured; any interface whose address falls within those networks participates in EIGRP. In the figure, EIGRP runs on the interfaces whose addresses fall within 10.0.0.0 and 192.168.1.0.

The show ip eigrp interfaces command shows directly which interfaces EIGRP is running on and how many neighbors have been found on each interface. In that output there are no neighbors on FastEthernet0/0 and one neighbor on Serial0/0/0.

EIGRP routers establish neighbor relationships by exchanging hello packets. The following fields of the EIGRP hello must match before a neighbor relationship is formed:
- The autonomous system number
- The EIGRP K values

Note: the K values are used in EIGRP path selection and are covered in the CCNP curriculum. Unlike OSPF, EIGRP does not require the hello and hold timers of two neighbors to match. Authentication, covered later in this lesson, must also match.

You can use debug eigrp packets to troubleshoot hello information that does not match. In this example the K values do not match:

RouterX# debug eigrp packets
Mismatched adjacency values
01:39:13: EIGRP: Received HELLO on Serial0/0 nbr 10.1.2.2
01:39:13:   AS 100, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0 peerQ un/rely 0/0
01:39:13:   K-value mismatch

Troubleshooting EIGRP Routing Tables

EIGRP routes appear in the routing table with the code D, which marks an internal route from within the autonomous system; a route marked D EX is an external route from outside the autonomous system. If there are no EIGRP routes at all in the routing table, there is a Layer 1 or Layer 2 problem or an EIGRP neighbor problem. In the following output, network 172.16.31.0/24 is an internal route within the autonomous system and network 10.3.3.0/24 is a route that was redistributed into EIGRP.

RouterX# sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
Gateway of last resort is not set
     172.16.0.0/16 is variably subnetted, 2 subnets, 2 masks
D       172.16.31.0/24 [90/40640000] via 10.140.1.1, 00:01:09, Serial0/0/0
O       172.16.31.100/32 [110/1563] via 10.140.1.1, 00:26:55, Serial0/0/0
     10.0.0.0/8 is variably subnetted, 7 subnets, 2 masks
C       10.23.23.0/24 is directly connected, Serial0/0/1
D EX    10.3.3.0/24 [170/40514560] via 10.23.23.2, 00:01:09, Serial0/0/1
C       10.2.2.0/24 is directly connected, FastEthernet0/0

The show ip eigrp topology command shows the EIGRP router ID. The EIGRP router ID is the highest IP address assigned to a loopback interface. If no loopback interface is configured, the highest IP address of any active interface is chosen. No two EIGRP routers may have the same router ID; if they do, the two routers with the duplicate ID will have problems exchanging routing information. (The router ID can also be set explicitly with the eigrp router-id command in EIGRP router configuration mode, which avoids depending on interface addresses.) In this example the router ID is 192.168.1.65.

RouterX# show ip eigrp topology
IP-EIGRP Topology Table for AS(100)/ID(192.168.1.65)
Codes: P - Passive, A - Active, U - Update, Q - Query, R - Reply,
       r - reply Status, s - sia Status
P 10.1.1.0/24, 1 successors, FD is 40514560
        via 10.140.1.1 (40514560/28160), Serial0/0/0
P 10.2.2.0/24, 1 successors, FD is 28160
        via Connected, FastEthernet0/0
P 10.3.3.0/24, 1 successors, FD is 40514560
        via 10.23.23.2 (40514560/28160), Serial0/0/1
P 10.23.23.0/24, 1 successors, FD is 40512000
        via Connected, Serial0/0/1
P 192.168.1.64/28, 1 successors, FD is 128256
        via Connected, Loopback0
P 192.168.1.0/24, 1 successors, FD is 40640000
        via 10.23.23.2 (40640000/128256), Serial0/0/1
P 10.140.2.0/24, 2 successors, FD is 41024000
        via 10.23.23.2 (41024000/40512000), Serial0/0/1
        via 10.140.1.1 (41024000/40512000), Serial0/0/0
P 10.140.1.0/24, 1 successors, FD is 40512000
        via Connected, Serial0/0/0
P 172.16.31.0/24, 1 successors, FD is 40640000

If EIGRP routes are found in the topology table but not in the routing table, contact the Cisco Technical Assistance Center (TAC) to diagnose the problem.

Route filtering lets routing information be filtered as it is received from or sent to a neighbor. A route filter can be the reason a route is missing from the routing table. The show ip protocols command shows whether any route filters are applied to EIGRP.

By default, EIGRP behaves classfully and performs automatic summarization. Automatic summarization causes connectivity problems with discontiguous networks. The show ip protocols command shows whether automatic summarization is in effect. In the following example, no route filter is applied to EIGRP autonomous system 100 and EIGRP is performing automatic summarization. Disable it with no auto-summary under router eigrp; note that in Cisco IOS 15.0(1)M and later, automatic summarization is already disabled by default for EIGRP.

RouterX# sh ip protocols
Routing Protocol is "eigrp 100"
  Outgoing update filter list for all interfaces is not set
  Incoming update filter list for all interfaces is not set
  Default networks flagged in outgoing updates
  Default networks accepted from incoming updates
  EIGRP metric weight K1=1, K2=0, K3=1, K4=0, K5=0
  EIGRP maximum hopcount 100
  EIGRP maximum metric variance 1
  Redistributing: eigrp 100
  EIGRP NSF-aware route hold timer is 240s
  Automatic network summarization is in effect
  Automatic address summarization:
    192.168.1.0/24 for FastEthernet0/0, Serial0/0/0, Serial0/0/1
      Summarizing with metric 128256
    10.0.0.0/8 for Loopback0
      Summarizing with metric 28160
  Maximum path: 4

Troubleshooting EIGRP Authentication

Successful MD5 authentication between RouterX and RouterY

RouterX# debug eigrp packets
EIGRP Packets debugging is on
    (UPDATE, REQUEST, QUERY, REPLY, HELLO, IPXSAP, PROBE, ACK, STUB, SIAQUERY, SIAREPLY)
*Jan 21 16:38:51.745: EIGRP: received packet with MD5 authentication, key id = 1
*Jan 21 16:38:51.745: EIGRP: Received HELLO on Serial0/0/1 nbr 192.168.1.102
*Jan 21 16:38:51.745:   AS 100, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0 peerQ un/rely 0/0

RouterY# debug eigrp packets
EIGRP Packets debugging is on
    (UPDATE, REQUEST, QUERY, REPLY, HELLO, IPXSAP, PROBE, ACK, STUB, SIAQUERY, SIAREPLY)
RouterY#
*Jan 21 16:38:38.321: EIGRP: received packet with MD5 authentication, key id = 2
*Jan 21 16:38:38.321: EIGRP: Received HELLO on Serial0/0/1 nbr 192.168.1.101
*Jan 21 16:38:38.321:   AS 100, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0 peerQ un/rely 0/0

Example: Successful MD5 authentication. The output of debug eigrp packets on RouterX in the figure above shows that RouterX is receiving EIGRP packets with MD5 authentication and key ID 1 from RouterY. Likewise, the output of debug eigrp packets on RouterY shows that RouterY is receiving EIGRP packets with MD5 authentication and key ID 2 from RouterX. The key IDs differ because each router sends with the first key in its own chain whose send lifetime is current, while it accepts any key ID in its chain whose accept lifetime is current.

Troubleshooting EIGRP MD5 Authentication

MD5 authentication fails between RouterX and RouterY after key 2 on RouterX is changed

RouterX(config-if)#key chain RouterXchain
RouterX(config-keychain)#key 2
RouterX(config-keychain-key)#key-string wrongkey

RouterY#debug eigrp packets
EIGRP Packets debugging is on
    (UPDATE, REQUEST, QUERY, REPLY, HELLO, IPXSAP, PROBE, ACK, STUB, SIAQUERY, SIAREPLY)
RouterY#
*Jan 21 16:50:18.749: EIGRP: pkt key id = 2, authentication mismatch
*Jan 21 16:50:18.749: EIGRP: Serial0/0/1: ignored packet from 192.168.1.101, opcode = 5 (invalid authentication)
*Jan 21 16:50:18.749: EIGRP: Dropping peer, invalid authentication
*Jan 21 16:50:18.749: EIGRP: Sending HELLO on Serial0/0/1
*Jan 21 16:50:18.749:   AS 100, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0
*Jan 21 16:50:18.753: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 100: Neighbor 192.168.1.101 (Serial0/0/1) is down: Auth failure
RouterY#show ip eigrp neighbors
IP-EIGRP neighbors for process 100
RouterY#

Example: Troubleshooting MD5 authentication. In the example above, the key string of key 2 on RouterX, the key RouterX uses when it sends EIGRP packets, no longer matches the key string for key 2 on RouterY. The output of debug eigrp packets on RouterY in the figure shows that RouterY is receiving EIGRP packets with MD5 authentication and key ID 2 from RouterX, but an authentication mismatch occurs. The EIGRP packets from RouterX are rejected and the neighbor relationship is declared down. The output of show ip eigrp neighbors shows that RouterY has no neighbors at all.

The two routers keep trying to re-establish the neighbor relationship. In this case each router uses a different key. RouterX authenticates the hello packets sent by RouterY with key 1, which still matches on both sides. When RouterX sends hello packets to RouterY, however, it uses key 2, which causes the authentication mismatch. On RouterX the relationship is therefore established only briefly: the output of show ip eigrp neighbors on RouterX shows RouterY in the neighbor table only for a short time. This one-sided pattern, an adjacency that flaps between "new adjacency" and "retry limit exceeded" on one router while the other logs "Auth failure", is the signature of a key that verifies in one direction only.

RouterX#
*Jan 21 16:54:09.821: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 100: Neighbor 192.168.1.102 (Serial0/0/1) is down: retry limit exceeded
*Jan 21 16:54:11.745: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 100: Neighbor 192.168.1.102 (Serial0/0/1) is up: new adjacency
RouterX# show ip eigrp neighbors
H   Address         Interface   Hold  Uptime    SRTT  RTO   Q    Seq
                                (sec)           (ms)        Cnt  Num
0   192.168.1.102   Se0/0/1     13    00:00:38  1     5000  1    0
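The following Python model, added here as an example and not Cisco IOS code, reproduces the key-chain behaviour described above for both the working case and the broken one: a sender signs with the lowest key ID whose send lifetime is current, a receiver looks up the key ID carried in the packet and checks its accept lifetime before comparing digests. RouterY's chain is exactly the RouterYchain shown earlier in the lesson; RouterX's chain is not shown on the page, so it is an assumption chosen to match the debug output (RouterY receives key ID 2 from RouterX, so key 1 on RouterX is modelled as accepted but no longer sent). The digest is a simplified keyed MD5 (packet bytes with the key string appended) and is not byte-compatible with real EIGRP packets.

```python
"""Simplified model of EIGRP MD5 authentication with key chains (added example)."""
import hashlib
import hmac
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, Optional, Tuple

INFINITE = datetime.max
T0 = datetime(2006, 1, 1, 4, 0, 0)   # 04:00:00 Jan 1 2006, the lifetime start on the page


@dataclass
class Key:
    key_id: int
    key_string: bytes
    accept: Tuple[datetime, datetime]   # accept-lifetime start, end
    send: Tuple[datetime, datetime]     # send-lifetime start, end


KeyChain = Dict[int, Key]


def send_key(chain: KeyChain, now: datetime) -> Optional[Key]:
    """IOS sends with the lowest key ID whose send-lifetime is current."""
    for key in sorted(chain.values(), key=lambda k: k.key_id):
        if key.send[0] <= now <= key.send[1]:
            return key
    return None


def digest(packet: bytes, key_string: bytes) -> bytes:
    # Simplified: MD5 over packet plus key string. Real EIGRP pads and
    # lays the packet out differently; the trust model is the same.
    return hashlib.md5(packet + key_string).digest()


def sign(packet: bytes, chain: KeyChain, now: datetime) -> Optional[Tuple[int, bytes]]:
    key = send_key(chain, now)
    if key is None:
        return None
    return key.key_id, digest(packet, key.key_string)


def verify(packet: bytes, key_id: int, received: bytes, chain: KeyChain, now: datetime) -> str:
    """The receiver looks up the key ID carried in the packet in its own chain."""
    key = chain.get(key_id)
    if key is None:
        return "unknown key id"
    if not (key.accept[0] <= now <= key.accept[1]):
        return "key outside accept-lifetime"
    if not hmac.compare_digest(received, digest(packet, key.key_string)):
        return "authentication mismatch"
    return "ok"


def router_y_chain() -> KeyChain:
    # RouterYchain as on the page: both keys accepted and sendable from T0 forever.
    return {1: Key(1, b"firstkey", (T0, INFINITE), (T0, INFINITE)),
            2: Key(2, b"secondkey", (T0, INFINITE), (T0, INFINITE))}


def router_x_chain(key2: bytes = b"secondkey") -> KeyChain:
    # ASSUMPTION: RouterX's chain is not on the page. Its key 1 send-lifetime is
    # modelled as expired one minute after T0, so X still accepts key 1 but sends key 2.
    return {1: Key(1, b"firstkey", (T0, INFINITE), (T0, datetime(2006, 1, 1, 4, 1, 0))),
            2: Key(2, key2, (T0, INFINITE), (T0, INFINITE))}


def exchange(x: KeyChain, y: KeyChain, now: datetime) -> Dict[str, str]:
    """One hello in each direction; returns what each receiver concludes."""
    hello = b"EIGRP HELLO AS 100"          # constructed packet body
    kid, d = sign(hello, y, now)
    y_to_x = verify(hello, kid, d, x, now)
    kid, d = sign(hello, x, now)
    x_to_y = verify(hello, kid, d, y, now)
    return {"Y->X": y_to_x, "X->Y": x_to_y, "X sends with key": str(kid)}


def scenario(now: datetime = datetime(2006, 1, 21, 16, 50, 0)) -> Dict[str, Dict[str, str]]:
    good = exchange(router_x_chain(), router_y_chain(), now)
    # The failure on the page: key-string of key 2 on RouterX changed to "wrongkey".
    broken = exchange(router_x_chain(b"wrongkey"), router_y_chain(), now)
    return {"matching keys": good, "key 2 changed on X": broken}


if __name__ == "__main__":
    for name, result in scenario().items():
        print(name, result)
```

In the broken scenario the model returns "ok" for Y->X and "authentication mismatch" for X->Y, which is exactly the asymmetry behind the flapping adjacency in the output above: RouterX keeps accepting RouterY's key-1 hellos while RouterY rejects everything RouterX sends with key 2.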


Summary
- Troubleshooting EIGRP covers several areas: neighbor relationships, the routing table and authentication.
- EIGRP neighbor problems are caused by incorrect network statements or by mismatched information in the hello packets. Use show ip eigrp neighbors to troubleshoot them.
- A route missing from the routing table can be caused by a route filter or by automatic summarization of discontiguous networks. Use show ip route to troubleshoot this.
- The debug eigrp packets command helps you troubleshoot MD5 authentication problems.

Lesson 3: Introducing ACL Operation

Access Control Lists

Overview: Standard access control lists (ACLs) and extended ACLs can be used to classify IP packets. ACLs are applied by many features, such as encryption, policy-based routing, quality of service, Network Address Translation (NAT) and Port Address Translation (PAT). You can also use standard and extended ACLs on router interfaces to control access (security). Cisco IOS applies an ACL to an interface in a specific direction (inbound or outbound). This lesson describes how the ACL types operate and how to configure ACLs for IPv4.

Objectives: After completing this lesson, you will be able to apply ACLs based on network requirements and to configure, verify and troubleshoot ACLs in a medium-sized network. To do this, you must complete the following:
- Describe the types of IPv4 ACLs
- Configure and troubleshoot standard, extended, numbered and named ACLs

Why Use ACLs

- Filtering: manage IP traffic by filtering packets passing through a router
- Classification: identify traffic for special handling

Filtering: As the number of a router's connections to outside networks grows, and as connections to the Internet increase, controlling access becomes harder. Network administrators face the problem of denying unwanted access while still allowing legitimate access. For example, you can use an ACL to prevent other networks from reaching the sensitive data on the accounting network.

Classification: Routers also use ACLs to identify a particular kind of traffic. Once an ACL has classified the traffic, you can configure the router to control it. For example, you can use an ACL to identify a subnet as the source of traffic and give that traffic higher priority than other traffic on a congested WAN link.

ACL Applications: Filtering

- Permit or deny packets passing through the router
- Permit or deny vty access to or from the router
- Without ACLs, all packets are forwarded to every part of the network

ACLs are an important tool for controlling traffic on the network. Packet filtering helps control the movement of packets across the network. Cisco ACLs permit or deny:
- Traffic entering or leaving a particular interface, and traffic passing through the router
- Telnet traffic entering or leaving the router's vty lines

By default, all traffic is permitted in and out of every router interface. When the router discards a packet, some protocols send a special packet back to tell the sender that the destination could not be reached. For IP, when a packet is discarded by an ACL the router replies with an ICMP unreachable, which ping displays as Destination Unreachable (U.U.U) and traceroute displays as Administratively Prohibited (!A * !A). Note that ACLs on transit interfaces do not filter packets that the router itself originates.

ACL Applications: Classification

Special handling of traffic based on packet inspection

ACLs can classify different kinds of traffic. This lets other features control the traffic defined in an ACL, for example:
- Identifying which traffic is encrypted across a VPN link
- Identifying which routes are redistributed from one routing protocol into another
- Used with route filters, identifying which routes are included in routing updates between routers
- Used with policy-based routing, identifying which traffic is carried over a pre-selected link
- Used with NAT, identifying which addresses are translated

Outbound ACL Operation

If no condition matches, the packet is dropped.

ACLs are a series of rules applied to control packets entering an interface, passing through the router and leaving an interface. ACLs do not apply these rules to packets that the router itself originates. Instead, an ACL is written as a set of conditions that the router uses to test traffic passing through its interfaces. ACLs operate in two ways:
- Inbound ACLs: packets entering an interface are tested before they are routed to an outbound interface. Inbound ACLs are efficient because they save the routing-table lookup when a packet fails the test and is discarded. If the packet passes the test, it is then routed.
- Outbound ACLs: packets entering an interface are routed to the outbound interface and are then tested by the outbound ACL.

Example: Outbound ACL. The figure above shows an example of an outbound ACL. When a packet enters an interface, the router checks whether the routing table has a route for it. If there is no route for the packet, it is dropped. Next, the router checks whether the outbound interface has an ACL applied. If the outbound interface has no ACL, the packet is sent out.

Outbound ACL operation:
- If the outbound interface is S0 and no ACL is applied to it, the packet is sent straight out S0.
- If the outbound interface is S1 and an ACL is applied to it, the packet is not sent out S1 until it has been tested against the conditions of that ACL. Depending on the result, the packet is permitted or denied. For lists applied to an outbound interface, permit means the packet is sent out the interface and deny means the packet is dropped.

Example: Inbound ACL. With an inbound ACL, when a packet enters an interface the router checks whether that interface has an ACL applied. If the inbound interface has no ACL, the router checks the routing table to see whether the packet can be routed. If the packet cannot be routed, the router drops it.

Inbound ACL operation:
- If the inbound interface is E0 and no ACL is applied to it, the packet is processed normally and the router checks whether it can be routed.
- If the inbound interface is E0 and an ACL is applied to it, the packet is not processed for routing until it has been tested against the conditions of the ACL on that interface. Depending on the result, the packet is permitted or denied. For inbound ACLs, permit means the packet continues to be processed for routing after entering the interface; deny means the packet is dropped.

List Logic: Deny or Permit

The conditions in an ACL are ordered logically from top to bottom. The ACL tests a packet against one condition at a time, from the top down. If a packet matches a condition, the remaining conditions are skipped and the packet is permitted or denied according to the condition it matched. If the packet does not match a condition, it is tested against the next one. This matching continues until the end of the list. At the end of the list there is an implicit condition that matches every packet and denies it: instead of forwarding the remaining packets in or out of the interface, the router drops them all. This final condition is usually called the implicit deny. Because it exists, an ACL must contain at least one permit statement, otherwise it drops all packets. Because the first matching line wins, the order of the lines also determines the result: a broad permit placed above a more specific deny makes that deny unreachable. The show access-lists command shows a match counter per line, which is the quickest way to see which line a flow is actually hitting. You can apply an ACL to several interfaces; however, only one ACL per protocol, per direction, per interface is allowed.
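The following Python model, added here as an example and not Cisco IOS code, implements the logic just described: first-match evaluation from the top down with an implicit deny at the end, and a check that reports lines an earlier line already covers, which is the ordering mistake described above. The ACL, packets and addresses are constructed for the example; wildcard matching uses the "0 bit must match, 1 bit is ignored" rule explained later in this lesson.

```python
"""Top-down, first-match ACL evaluation with implicit deny, plus detection of
unreachable (shadowed) lines. Added example; it models the logic in the text."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


def ip2int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """0 bits in the wildcard must match the base address; 1 bits are ignored."""
    care = ~ip2int(wildcard) & 0xFFFFFFFF
    return (ip2int(addr) ^ ip2int(base)) & care == 0


@dataclass
class Ace:
    """One access-list entry with extended-ACL style fields."""
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" (any protocol), "tcp", "udp", "icmp"
    src: str
    src_wc: str
    dst: str
    dst_wc: str
    dport: Optional[int] = None  # destination port; None means any


def ace_matches(ace: Ace, pkt: dict) -> bool:
    if ace.proto != "ip" and ace.proto != pkt["proto"]:
        return False
    if ace.dport is not None and pkt.get("dport") != ace.dport:
        return False
    return (wildcard_match(pkt["src"], ace.src, ace.src_wc)
            and wildcard_match(pkt["dst"], ace.dst, ace.dst_wc))


def evaluate(acl: List[Ace], pkt: dict) -> Tuple[str, Optional[int]]:
    """Return (action, 1-based line that matched); (deny, None) is the implicit deny."""
    for line, ace in enumerate(acl, start=1):
        if ace_matches(ace, pkt):
            return ace.action, line
    return "deny", None


def covers(o_base: str, o_wc: str, i_base: str, i_wc: str) -> bool:
    """True if every address matched by (i_base, i_wc) is also matched by (o_base, o_wc)."""
    o, i = ip2int(o_wc), ip2int(i_wc)
    if (o | i) != o:            # the inner range ignores a bit the outer one checks
        return False
    return (ip2int(o_base) ^ ip2int(i_base)) & ~o & 0xFFFFFFFF == 0


def shadowed_lines(acl: List[Ace]) -> List[int]:
    """Lines that can never match because an earlier line matches everything they would."""
    out = []
    for j, later in enumerate(acl):
        for earlier in acl[:j]:
            if ((earlier.proto == "ip" or earlier.proto == later.proto)
                    and (earlier.dport is None or earlier.dport == later.dport)
                    and covers(earlier.src, earlier.src_wc, later.src, later.src_wc)
                    and covers(earlier.dst, earlier.dst_wc, later.dst, later.dst_wc)):
                out.append(j + 1)
                break
    return out


# Constructed ACL: block Telnet from the 10.1.1.0/24 LAN to one host, allow the rest.
GOOD_ACL = [
    Ace("deny", "tcp", "10.1.1.0", "0.0.0.255", "172.16.1.10", "0.0.0.0", dport=23),
    Ace("permit", "ip", "10.1.1.0", "0.0.0.255", "0.0.0.0", "255.255.255.255"),
]
# The same two statements in the wrong order: the permit now hides the deny.
BAD_ACL = [GOOD_ACL[1], GOOD_ACL[0]]

# Constructed packets.
TELNET = {"proto": "tcp", "src": "10.1.1.5", "dst": "172.16.1.10", "dport": 23}
HTTP = {"proto": "tcp", "src": "10.1.1.5", "dst": "172.16.1.10", "dport": 80}
OTHER_LAN = {"proto": "icmp", "src": "192.168.5.5", "dst": "172.16.1.10"}

if __name__ == "__main__":
    for pkt in (TELNET, HTTP, OTHER_LAN):
        print(pkt, "->", evaluate(GOOD_ACL, pkt))
    print("unreachable lines in BAD_ACL:", shadowed_lines(BAD_ACL))
```

The packet from 192.168.5.5 matches no line and falls through to the implicit deny, and BAD_ACL reports line 2 as unreachable, which on a router would show up as a deny line whose match counter never increments.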


Types of ACLs

Standard ACLs:
- Check the source address
- Permit or deny an entire protocol suite

Extended ACLs:
- Check the source and destination addresses
- Permit or deny a specific protocol and application

Two methods are used to identify standard and extended ACLs:
- Numbered ACLs use a number for identification
- Named ACLs use a descriptive name or a number for identification

ACLs can be divided into the following types:
- Standard ACLs: A standard ACL checks the source address of a packet. The result permits or denies the entire protocol suite, based on the source network, subnet or host IP address.
- Extended ACLs: An extended ACL checks both the source and the destination address. It can also check the specific protocol, the application port and other parameters, which gives the administrator more precise and flexible control.

There are two methods you can use to define standard and extended ACLs:
- Numbered ACLs use a number as their identifier
- Named ACLs use a name as their identifier

How to Identify ACLs

- Standard numbered IPv4 ACLs (1-99) test the conditions on all source IP addresses. Expanded range: 1300-1999.
- Extended numbered IPv4 ACLs (100-199) test the conditions on source and destination addresses, specific TCP/IP protocols and destination ports. Expanded range: 2000-2699.
- Named ACLs identify standard and extended ACLs by name.

When you create a numbered ACL, you specify the number of the ACL in the first statement. The conditions an ACL can test differ depending on whether the number defines a standard or an extended ACL. You can create several ACLs for one protocol; choose a different number for each new ACL you create for a given protocol. However, you can apply only one ACL per protocol, per direction, per interface. The table above lists the ACL number ranges for each protocol.

Note: Starting with Cisco IOS 12.0, the ACL ranges for IPv4 were expanded. The table shows that standard IPv4 ACLs gained the additional range 1300 to 1999 and extended IPv4 ACLs gained the additional range 2000 to 2699.

Named ACLs let you define standard and extended ACLs by name instead of by number. Named ACLs give you more flexibility when working with the conditions in the list.

ACL Statements with Sequence Numbers

- Requires Cisco IOS 12.3 or later
- Allows statements to be reordered using sequence numbers. Before IOS 12.3, a text editor was used to create the statements, which were then pasted into the router in the desired order.
- Allows a single statement to be removed from the list by its sequence number. With named ACLs in releases before IOS 12.3, you must use no {deny | permit} protocol source source-wildcard destination destination-wildcard to remove an individual statement. With numbered ACLs in releases before IOS 12.3, you must remove the whole list to remove a single statement.

Sequence-numbered statements bring several advantages:
- You can change the order of the conditions
- You can remove individual conditions from the ACL
- Where a new condition is added to the list depends on its sequence number. Before IOS 12.3 this feature is not supported, so new conditions are always appended to the end of the list.

Sequence-numbered statements are a Cisco IOS feature that uses sequence numbers to make it easy to add, remove and reorder the conditions in an IP ACL. With IOS 12.3 and later, a condition added later can be placed anywhere in the list according to its sequence number. In releases before IOS 12.3, only named ACLs allow a condition to be removed from the list, with the command no {deny | permit} protocol source source-wildcard destination destination-wildcard, where protocol source source-wildcard destination destination-wildcard matches the condition you want to remove. With numbered ACLs you must remove the whole list and re-create it with the conditions you want. With IOS 12.3 and later, you can also use no sequence-number to delete a single condition from the list.

ACL Configuration Guidelines

- Standard or extended ACLs indicate what is to be filtered
- Only one ACL per interface, per protocol, per direction
- The order of the statements controls the testing, so the most specific statements belong at the top of the list
- The final test is always an implicit deny all, so every list needs at least one permit statement
- ACLs are created globally and then applied to a router interface, inbound or outbound
- An ACL can filter packets passing through the router, destined to the router or originated by the router, depending on how it is applied
- When applying ACLs: place extended ACLs close to the source and standard ACLs close to the destination

Well-designed and well-implemented ACLs are an important security component of our networks. To get the results you intend, follow these guidelines:
- Based on the conditions to be tested, choose a standard, extended, named or numbered ACL.
- Only one ACL is allowed per protocol, per direction, per interface. There can be several ACLs on one interface, but each must be for a different protocol or a different direction.
- An ACL must be organized so that processing runs from the top down. Specific conditions go above general conditions. Conditions that are tested frequently go above conditions that are tested rarely.
- An ACL always ends with an implicit deny-all statement:
  - Unless your list ends with an explicit permit-all statement, the ACL denies every packet that did not match one of the conditions above it.
  - Every ACL should contain at least one permit statement. Otherwise all packets are dropped.
- You must create the ACL before applying it to an interface. With most Cisco IOS releases, if an interface is bound to an ACL that is empty or does not exist, all packets are permitted through.
- Depending on how you apply it, an ACL filters packets passing through the router, packets destined to the router, or packets originated by the router, for example packets entering or leaving the router's vty lines.
- Generally, place an extended ACL as close as possible to the source of the packets you want to deny. Because a standard ACL does not specify a destination address, place it as close as possible to the destination you want to deny packets to, so that the packets can still reach the intermediate networks.

Dynamic ACLs

Dynamic ACLs (lock-and-key): Users who want to pass through the router are blocked until they Telnet to the router and authenticate successfully.

Besides standard and extended ACLs, there are the following ACL types:
- Dynamic ACLs (lock-and-key)
- Reflexive ACLs
- Time-based ACLs

Dynamic ACLs: Dynamic ACLs depend on Telnet connectivity, authentication (local or remote) and extended ACLs. A lock-and-key configuration starts with an extended ACL that denies the traffic passing through the router. Users who want to pass through the router are denied by the extended ACL until they Telnet to the router and authenticate successfully. The Telnet connection is then dropped and a single-entry dynamic ACL is added to the existing extended ACL. It permits traffic for a limited period; an idle timeout and an absolute timeout can be configured for the dynamic ACL.

When to use dynamic ACLs: Some common reasons for using dynamic ACLs are:
- Use dynamic ACLs when you want a specific remote user or group of remote users to reach hosts in your network from the Internet. Lock-and-key authenticates the user and then permits limited access through the firewall router for a limited time.
- Use dynamic ACLs when you want a subset of hosts on a local network to reach a host on a remote network protected by a firewall. With lock-and-key, you can allow only a chosen set of local hosts to reach the remote host. Lock-and-key requires the user to authenticate through a TACACS+ server or another security server before access to the remote host is permitted.

Benefits of dynamic ACLs: Dynamic ACLs have the following security benefits over standard and extended ACLs:
- A challenge mechanism that authenticates individual users
- Simpler management in large networks
- In many cases, less router processing for ACLs
- A reduced opportunity for an attacker to break into the network
- Dynamic user access through a firewall without compromising other configured security restrictions

Dynamic ACL configuration example: Although configuring dynamic ACLs is outside the scope of this course, the following example shows the steps required. The following configuration creates the user and password used for authentication; the idle timeout is set to 10 minutes. (In a real deployment use username ... secret rather than a type 0 password, which is stored in clear text; the values here are placeholders.)

RouterX(config)#username test password 0 test
RouterX(config)#username test autocommand access-enable host timeout 10

The following configuration permits users to Telnet to the router to be authenticated and denies all other traffic:

RouterX(config)#access-list 101 permit tcp any host 10.1.1.1 eq telnet
RouterX(config)#interface Ethernet0/0
RouterX(config-if)#ip address 10.1.1.1 255.255.255.0
RouterX(config-if)#ip access-group 101 in

The following configuration creates the dynamic ACL and adds it to access-list 101; the absolute timeout is set to 15 minutes.

RouterX(config)#access-list 101 dynamic testlist timeout 15 permit ip 10.1.1.0 0.0.0.255 172.16.1.0 0.0.0.255

The following configuration requires users to authenticate when they Telnet to the router:

RouterX(config)#line vty 0 4
RouterX(config-line)#login local

After these configuration steps, when the user at 10.1.1.2 successfully Telnets to 10.1.1.1, the dynamic ACL is applied immediately. The Telnet connection is dropped and the user can reach the 172.16.1.0 network. Note that Telnet carries the credentials in clear text, so the authentication exchange itself is exposed to anyone who can observe the path to the router.

Reflexive ACLs

Reflexive ACLs: Used to permit outbound traffic and to limit inbound traffic to replies for sessions that originated inside the router

Reflexive ACLs: Reflexive ACLs allow IP packets to be filtered based on upper-layer session information. They are generally used to permit outbound traffic and to limit inbound traffic to the replies for sessions that originated inside the router's network. Reflexive ACLs contain only temporary entries. These entries are created automatically when a new IP session begins, for example with an outbound packet, and the entry is removed automatically when the session ends. Reflexive ACLs are not applied directly to an interface; they are nested inside an extended named ACL that is applied to the interface.

Reflexive ACLs provide a truer form of session filtering than the established keyword of an extended ACL. They are harder to spoof because more conditions must be met before a packet is permitted: for example the source and destination addresses, the application ports, and the ACK and RST bits are all checked.

Benefits of reflexive ACLs: Reflexive ACLs are an important part of securing a network against attackers and can be combined with other firewall defenses. They provide a level of protection against spoofing and denial-of-service attacks. They are simple to use and give better control over the packets entering your network.

Reflexive ACL configuration example: Although the full configuration of reflexive ACLs is outside the scope of this course, the following example shows the steps required. This example uses a reflexive ACL to permit ICMP between the outside and inside networks while permitting only TCP traffic that originated from the inside network. All other traffic is denied.

The following configuration tells the router to track the sessions of packets originated from the inside network:

RouterX(config)#ip access-list extended outboundfilters
RouterX(config-ext-nacl)#permit icmp 10.1.1.0 0.0.0.255 172.16.1.0 0.0.0.255
RouterX(config-ext-nacl)#permit tcp 10.1.1.0 0.0.0.255 172.16.1.0 0.0.0.255 reflect tcptraffic

The following configuration creates the inbound policy, which requires the router to check whether incoming traffic belongs to a session initiated from the inside network and to apply the reflexive ACL; tcptraffic is nested in the ACL inboundfilters:

RouterX(config)#ip access-list extended inboundfilters
RouterX(config-ext-nacl)#permit icmp 172.16.1.0 0.0.0.255 10.1.1.0 0.0.0.255
RouterX(config-ext-nacl)#evaluate tcptraffic

The following configuration applies the ACLs to the interface in both the inbound and the outbound direction:

RouterX(config)#interface Ethernet0/1
RouterX(config-if)#ip address 172.16.1.2 255.255.255.0
RouterX(config-if)#ip access-group inboundfilters in
RouterX(config-if)#ip access-group outboundfilters out

Reflexive ACLs can only be defined inside extended named IP ACLs. They cannot be defined in numbered ACLs, in standard named ACLs, or for other protocols.
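The following Python model, added here as an example and not Cisco IOS code, walks through what the reflect/evaluate pair above does to a small constructed exchange: an outbound TCP session from the inside network installs a temporary mirrored entry, replies to that session are permitted inbound, an unsolicited inbound SYN hits the implicit deny, ICMP is permitted both ways as in outboundfilters/inboundfilters, and the mirrored entry disappears when the session is closed or idles out. The networks, timeout and packets are assumptions chosen to match the example configuration.

```python
"""Stateful model of a reflexive ACL (reflect on the way out, evaluate on the way in).
Added example; it models the behaviour of the configuration in the text."""
import ipaddress
from typing import Dict, Tuple

INSIDE = ipaddress.ip_network("10.1.1.0/24")     # inside network in the page's example
OUTSIDE = ipaddress.ip_network("172.16.1.0/24")  # outside network in the page's example

Session = Tuple[str, int, str, int]   # (src, sport, dst, dport) as it appears inbound


def in_net(addr: str, net: ipaddress.IPv4Network) -> bool:
    return ipaddress.ip_address(addr) in net


class ReflexiveAcl:
    def __init__(self, idle_timeout: int = 300):
        self.idle_timeout = idle_timeout        # assumed idle timeout, in seconds
        self.entries: Dict[Session, int] = {}   # mirrored entry -> last time it was used

    def outbound(self, pkt: dict, now: int) -> str:
        """outboundfilters: permit icmp and tcp inside->outside; tcp lines carry 'reflect'."""
        if not (in_net(pkt["src"], INSIDE) and in_net(pkt["dst"], OUTSIDE)):
            return "deny"
        if pkt["proto"] == "tcp":
            # reflect: install the mirror image of the 4-tuple for the reply direction
            mirror = (pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])
            self.entries[mirror] = now
            return "permit"
        return "permit" if pkt["proto"] == "icmp" else "deny"

    def inbound(self, pkt: dict, now: int) -> str:
        """inboundfilters: permit icmp outside->inside, then 'evaluate tcptraffic'."""
        self._expire(now)
        if pkt["proto"] == "icmp" and in_net(pkt["src"], OUTSIDE) and in_net(pkt["dst"], INSIDE):
            return "permit"
        key = (pkt["src"], pkt.get("sport"), pkt["dst"], pkt.get("dport"))
        if pkt["proto"] == "tcp" and key in self.entries:
            if pkt.get("flags") in ("FIN", "RST"):
                del self.entries[key]       # session closed: drop the temporary entry
            else:
                self.entries[key] = now     # refresh the idle timer
            return "permit"
        return "deny"                       # implicit deny at the end of inboundfilters

    def _expire(self, now: int) -> None:
        stale = [k for k, seen in self.entries.items() if now - seen > self.idle_timeout]
        for k in stale:
            del self.entries[k]


def demo() -> Dict[str, str]:
    """Constructed exchange; returns the verdict for each packet."""
    acl = ReflexiveAcl(idle_timeout=300)
    r = {}
    r["syn out"] = acl.outbound({"proto": "tcp", "src": "10.1.1.5", "sport": 40000,
                                 "dst": "172.16.1.20", "dport": 80}, now=0)
    r["reply in"] = acl.inbound({"proto": "tcp", "src": "172.16.1.20", "sport": 80,
                                 "dst": "10.1.1.5", "dport": 40000}, now=1)
    r["unsolicited in"] = acl.inbound({"proto": "tcp", "src": "172.16.1.99", "sport": 12345,
                                       "dst": "10.1.1.5", "dport": 22, "flags": "SYN"}, now=2)
    r["icmp in"] = acl.inbound({"proto": "icmp", "src": "172.16.1.20", "dst": "10.1.1.5"}, now=3)
    r["reply in late"] = acl.inbound({"proto": "tcp", "src": "172.16.1.20", "sport": 80,
                                      "dst": "10.1.1.5", "dport": 40000}, now=1000)
    return r


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:16} {verdict}")
```

The last probe shows the edge case worth remembering when tuning timeouts: once the mirrored entry ages out, even a legitimate reply for the old session is denied, so long-idle sessions need either a longer idle timeout or an explicit permit.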


Time-Based ACLs

Time-based ACLs: Allow access control based on the time of day and the day of the week

Time-based ACLs: Time-based ACLs work like extended ACLs, but they control access based on time. To implement a time-based ACL, you create a time range that defines specific times of the day and days of the week. The time range is identified by a name and then referenced by a feature, so the time restriction is imposed on the feature itself.

Benefits of time-based ACLs: Time-based ACLs have several benefits:
- The network administrator has more control over permitting or denying a user access to resources. The resources can be an application (identified by an IP address and mask and a port number), policy-based routing, or traffic that triggers a dial-on-demand connection.
- The network administrator can set time-based security policies such as:
  - Perimeter security using the Cisco IOS firewall feature or ACLs
  - Data confidentiality with Cisco encryption technology or IPsec
  - Policy-based routing and advanced queueing features
- When the access rates offered by different providers vary with the time of day, traffic can be rerouted automatically and cost-effectively.
- Service providers can dynamically change a committed access rate (CAR) configuration to support QoS service level agreements (SLAs) that are negotiated for certain times of day.
- The network administrator can control logging. ACL entries can log traffic at certain times of day but not continuously, so the administrator can deny access without having to analyze the log messages generated during peak hours.

Time-based ACL example: Although the full configuration of time-based ACLs is outside the scope of this course, the following example shows the steps required. In this example, a Telnet connection from the inside network to the outside network is permitted on Monday, Wednesday and Friday during business hours.

The following configuration defines the time range for the ACL and gives it a name:

RouterX(config)#time-range EVERYOTHERDAY
RouterX(config-time-range)#periodic Monday Wednesday Friday 8:00 to 17:00

The following configuration applies the time range to the ACL:

RouterX(config)#access-list 101 permit tcp 10.1.1.0 0.0.0.255 172.16.1.0 0.0.0.255 eq telnet time-range EVERYOTHERDAY

The following configuration applies the ACL to the interface:

RouterX(config)#interface Ethernet0/0
RouterX(config-if)#ip address 10.1.1.1 255.255.255.0
RouterX(config-if)#ip access-group 101 in

The time range relies on the router's system clock. The router clock can be used on its own, but the feature works best with Network Time Protocol (NTP) synchronization; a router whose clock is wrong silently enforces the policy at the wrong hours.

Wildcard Bits: How to Check the Corresponding Address Bits

0 means check the corresponding address bit
1 means ignore the corresponding address bit


3-20

Address filtering is performed with ACL wildcard masking, which tells the router whether to check or ignore each bit of the IP address. A wildcard mask for IP address bits uses the numbers 0 and 1 to indicate how to treat the corresponding IP address bit, according to these rules:
- Wildcard mask bit 0: the corresponding bit value in the address must match
- Wildcard mask bit 1: the corresponding bit value in the address is not checked (ignored)
Note: A wildcard mask is sometimes referred to as an inverse mask.
By carefully setting wildcard masks, you can permit or deny packets with a single ACL statement. You can select a single IP address or many IP addresses.
The figure above shows how the corresponding address bits are checked.
Note: Wildcard masking for ACLs operates differently from an IP subnet mask. A 0 in a bit position of the wildcard mask indicates that the corresponding bit in the address must match. A 1 in a bit position of the wildcard mask indicates that the corresponding bit in the address is not interesting and can be ignored.


Wildcard Bits to Match IP Subnets


Check for IP subnets 172.30.16.0/24 to 172.30.31.0/24.
Address and wildcard mask: 172.30.16.0 0.0.15.255

3-21

Example: calculating the wildcard mask for a range of IP subnets
In the figure above, the network administrator wants to test a range of IP subnets in order to permit or deny access. Assume that the IP address is a Class B address (the first two octets are the network number) with 8 bits of subnetting (the third octet is used for subnets). The administrator wants to use a wildcard mask to match subnets 172.30.16.0/24 to 172.30.31.0/24.
To use a single ACL statement to match this range of subnets, use the IP address 172.30.16.0 in the ACL, which is the first subnet to be matched. Next, specify the wildcard mask. The first two octets of the address (172.30) are the same for every subnet in the range, so the first two octets of the wildcard mask are all 0 bits. Because the host portion of the address does not matter, the last octet of the wildcard mask is all 1 bits; in this example, that last octet written in decimal is 255. In the third octet, where the subnetting takes place, the wildcard mask is 15, or 00001111 in binary: the first 4 bits of the octet must match the corresponding 4 bits of the IP address.


In this case, the wildcard mask checks for subnets beginning at 172.30.16.0/24. For the last 4 bits of this octet, the wildcard mask indicates that the corresponding bits of the IP address are ignored. In these positions, the address bits can be either 0 or 1. Therefore, the wildcard mask matches subnets 16, 17, 18, and so on up to 31. The wildcard mask does not match any subnet outside this range.
In this example, the address 172.30.16.0 with the wildcard mask 0.0.15.255 matches subnets 172.30.16.0/24 to 172.30.31.0/24.
In some cases, you must use more than one ACL statement to match a range of subnets. For example, to match 10.1.4.0/24 to 10.1.8.0/24, use 10.1.4.0 0.0.3.255 and 10.1.8.0 0.0.0.255.

3-22

Wildcard Bit Mask Abbreviations
172.30.16.29 0.0.0.0 checks all of the address bits. This wildcard mask is abbreviated with the host keyword (host 172.30.16.29).

0.0.0.0 255.255.255.255 ignores all of the address bits. It is abbreviated with the keyword any.

3-23

The wildcard mask bits 0 and 1 are used to check or ignore the corresponding IP address bits. Working with decimal representations of binary wildcard mask bits can be tedious. For the most common uses of wildcard masking, you can use abbreviations. These abbreviations reduce how much you have to type when you configure address test conditions.
Example: wildcard masking to match a single IP address
In this example, instead of typing 172.30.16.29 0.0.0.0, you can use host 172.30.16.29. In this case, the abbreviation is the host keyword.
Example: wildcard masking to match any IP address
In this example, instead of typing 0.0.0.0 255.255.255.255, you can use the keyword any.
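As an added example (not part of the course text; function names are this example's own), the wildcard rules above in Python: bit-for-bit matching, the host and any abbreviations, the expansion of 172.30.16.0 0.0.15.255 into the /24 subnets it covers, and the greedy decomposition that shows why 10.1.4.0/24 to 10.1.8.0/24 needs two statements while 172.30.16.0/24 to 172.30.31.0/24 needs one.

```python
"""Cisco IOS wildcard-mask arithmetic. Added example, not course material."""
import ipaddress


def ip2int(a: str) -> int:
    return int(ipaddress.IPv4Address(a))


def int2ip(n: int) -> str:
    return str(ipaddress.IPv4Address(n))


def wildcard_match(ip: str, address: str, wildcard: str) -> bool:
    """A 0 bit in the wildcard means the address bit must match; a 1 bit is ignored."""
    differing = ip2int(ip) ^ ip2int(address)
    return differing & ~ip2int(wildcard) & 0xFFFFFFFF == 0


def expand_shorthand(token: str, mask: str = "") -> tuple:
    """IOS abbreviations: 'any' is 0.0.0.0 255.255.255.255, 'host A' is A 0.0.0.0, and a
    bare address with no mask takes the default wildcard 0.0.0.0."""
    if token == "any":
        return "0.0.0.0", "255.255.255.255"
    if token.startswith("host "):
        return token.split()[1], "0.0.0.0"
    return token, mask or "0.0.0.0"


def covered_subnets(address: str, wildcard: str, prefix: int = 24) -> list:
    """List the /prefix subnets matched by address/wildcard. Assumes the wildcard covers at
    least the host part (the last 32-prefix bits are all 1), as in the 0.0.15.255 example."""
    wc = ip2int(wildcard)
    base = ip2int(address) & ~wc & 0xFFFFFFFF      # clear the don't-care bits
    step = 1 << (32 - prefix)
    # Walk every /prefix block between base and base+wc; the filter drops blocks that differ
    # from base in a bit the wildcard does not cover (only matters for non-contiguous masks).
    return [f"{int2ip(n)}/{prefix}" for n in range(base, base + wc + 1, step)
            if (n ^ base) & ~wc & 0xFFFFFFFF == 0]


def range_to_wildcards(first_subnet: str, last_subnet: str, prefix: int = 24) -> list:
    """Decompose a contiguous range of /prefix subnets into address/wildcard pairs, taking the
    largest aligned block each time. Each pair is one ACL statement."""
    lo = ip2int(first_subnet)
    hi = ip2int(last_subnet) + (1 << (32 - prefix)) - 1   # last host of the last subnet
    pairs = []
    while lo <= hi:
        size = 1
        # Double the block while it stays aligned on lo and does not run past hi.
        while lo % (size * 2) == 0 and lo + size * 2 - 1 <= hi:
            size *= 2
        pairs.append((int2ip(lo), int2ip(size - 1)))
        lo += size
    return pairs


if __name__ == "__main__":
    print(wildcard_match("172.30.20.7", "172.30.16.0", "0.0.15.255"))   # True
    print(covered_subnets("172.30.16.0", "0.0.15.255"))                 # 16 subnets, .16 to .31
    print(range_to_wildcards("10.1.4.0", "10.1.8.0"))                   # two statements
    print(range_to_wildcards("172.30.16.0", "172.30.31.0"))             # one statement
```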


Summary
- ACLs can be used for IP packet filtering or to identify traffic for special handling
- ACLs perform top-down processing and can be configured for incoming or outgoing traffic
- You can create an ACL using a name or a number. Named or numbered ACLs can be configured as standard or extended, which determines what they can filter
- Reflexive, dynamic and time-based ACLs add more functionality to standard and extended ACLs
- In a wildcard bit mask, a 0 bit means to match the corresponding address bit and a 1 bit means to ignore the corresponding address bit


Lesson 4: Configuring and Troubleshooting Access Control Lists

Access Control Lists

4-1

Overview: This lesson describes the steps for configuring named, numbered, standard and extended ACLs. It also explains how to verify that an ACL is operating correctly and covers some common configuration errors to avoid.
Objectives: Upon completing this lesson, you will be able to configure and troubleshoot standard, extended, numbered and named IPv4 ACLs. This ability includes being able to meet these objectives:
- Configure and verify numbered standard IPv4 ACLs
- Configure and verify numbered extended IPv4 ACLs
- Configure and verify named standard and extended IPv4 ACLs
- Identify and resolve common configuration errors


Testing Packets with Numbered Standard IPv4 ACLs

4-2

Numbered standard IPv4 ACLs use the numbers 1 to 99 and 1300 to 1999. Standard IPv4 ACLs filter packets based on the source address and mask, and they permit or deny the entire TCP/IP protocol suite. Standard ACL filtering may not provide the filtering control you need; you may want to filter the packets crossing the network more precisely.


Configuring Numbered Standard IPv4 ACLs


RouterX(config)#
access-list access-list-number {permit | deny | remark} source [mask]

- Uses 1 to 99 for the access-list number. The first entry is assigned sequence number 10, and successive entries are incremented by 10. The default wildcard mask is 0.0.0.0 (standard ACLs only). no access-list access-list-number removes the entire ACL. remark lets you add a description to the ACL.

RouterX(config-if)#
ip access-group access-list-number {in | out}

- Activates the ACL on the interface and sets inbound or outbound testing. no ip access-group access-list-number {in | out} removes the ACL from the interface.

4-3

To configure a numbered standard IPv4 ACL on a Cisco router, you must first create the standard IPv4 ACL and then activate it on an interface. The access-list command creates an entry in a standard IPv4 ACL. The figure above describes the syntax of this command.
The ip access-group command links an existing ACL to an interface. Only one ACL per protocol, per direction, per interface is allowed. The figure above describes the syntax of this command.
Note: To remove an ACL from an interface, first enter the no ip access-group command on the interface, then enter the no access-list command to remove the entire ACL.
The table below shows the steps that are required to configure and apply a numbered standard ACL on a router.
Step 1: Use the access-list command to create an entry in a standard IPv4 ACL.
RouterX(config)# access-list 1 permit 172.16.0.0 0.0.255.255
Use the no access-list access-list-number command to remove the entire ACL. The example statement matches any address that starts with 172.16.x.x. Use the remark option to add a description to the ACL.


Step 2: Use the interface command to select the interface to which the ACL will be applied.
RouterX(config)#interface ethernet 1
After you enter the interface command, the prompt changes to (config-if)#.
Step 3: Use the ip access-group command to activate the ACL on the interface.
RouterX(config-if)# ip access-group 1 out
To remove the ACL from the interface, use the no ip access-group access-list-number command on the interface.
Example: adding entries with sequence numbers. The following example adds a new entry to an existing ACL:
RouterX# show ip access-list
Standard IP access list 1
    2 permit 10.4.4.2, wildcard bits 0.0.255.255
    5 permit 10.0.0.44, wildcard bits 0.0.0.255
    10 permit 10.0.0.1, wildcard bits 0.0.0.255
    20 permit 10.0.0.2, wildcard bits 0.0.0.255
RouterX(config)# ip access-list standard 1
RouterX(config-std-nacl)# 15 permit 10.5.5.5 0.0.0.255
RouterX# show ip access-list
Standard IP access list 1
    2 permit 10.4.0.0, wildcard bits 0.0.255.255
    5 permit 10.0.0.0, wildcard bits 0.0.0.255
    10 permit 10.0.0.0, wildcard bits 0.0.0.255
    15 permit 10.5.5.0, wildcard bits 0.0.0.255
    20 permit 10.0.0.0, wildcard bits 0.0.0.255

4-4

Example 1: Numbered Standard IPv4 ACL

RouterX(config)# access-list 1 permit 172.16.0.0 0.0.255.255
(implicit deny all - not visible in the list)
(access-list 1 deny 0.0.0.0 255.255.255.255)
RouterX(config)# interface ethernet 0
RouterX(config-if)# ip access-group 1 out
RouterX(config)# interface ethernet 1
RouterX(config-if)# ip access-group 1 out

Permit my network only


4-5

Example: using a numbered standard IPv4 ACL to permit only my network
The following describes the command syntax shown in the figure above.
Parameters of the access-list command:
- 1: ACL number, indicating that this is a standard list
- permit: traffic that matches the selected parameters is forwarded
- 172.16.0.0: IP address of the source network
- 0.0.255.255: wildcard mask; 0 bits indicate positions that must match, 1 bits indicate positions that can be ignored
- ip access-group 1 out: links the ACL to the interface as an outbound filter
This ACL allows only traffic from source network 172.16.0.0 to be forwarded out interfaces E0 and E1. Traffic from networks other than 172.16.0.0 is blocked.


Example 2: Numbered Standard IPv4 ACL

RouterX(config)# access-list 1 deny 172.16.4.13 0.0.0.0
RouterX(config)# access-list 1 permit 0.0.0.0 255.255.255.255
(implicit deny all)
(access-list 1 deny 0.0.0.0 255.255.255.255)
RouterX(config)# interface ethernet 0
RouterX(config-if)# ip access-group 1 out

Deny a specific host
4-6

Example: numbered standard IPv4 ACL - deny a specific host
The following describes the command syntax shown in the figure above.
- 1: ACL number, indicating that this is a standard list
- deny: traffic that matches the selected parameters is not forwarded
- 172.16.4.13: source IP address of the host
- 0.0.0.0: wildcard mask; all address bits must match (this is the default mask)
- permit: traffic that matches the selected parameters is forwarded
- 0.0.0.0: source IP address
- 255.255.255.255: wildcard mask; 0 bits indicate positions that must match, 1 bits indicate positions that need not be checked. All 1 bits in the mask mean that none of the 32 address bits has to match; in other words, any address matches
This ACL is designed to block traffic from a specific address, 172.16.4.13, and to allow all other traffic to be forwarded out interface E0. The statement 0.0.0.0 255.255.255.255 permits traffic from any source; it can be abbreviated with the keyword any.


Example 3: Numbered Standard IPv4 ACL

RouterX(config)# access-list 1 deny 172.16.4.0 0.0.0.255
RouterX(config)# access-list 1 permit any
(implicit deny all)
(access-list 1 deny 0.0.0.0 255.255.255.255)
RouterX(config)# interface ethernet 0
RouterX(config-if)# ip access-group 1 out

Deny a specific subnet
4-7

Example: numbered standard IPv4 ACL - deny a specific subnet
The following describes the command syntax shown in the figure above.
- 1: ACL number, indicating that this is a standard list
- deny: traffic that matches the selected parameters is not forwarded
- 172.16.4.0: source IP address of the subnet
- 0.0.0.255: wildcard mask; 0 bits indicate positions that must match, 1 bits indicate positions that need not be checked. The 0 bits in the first three octets mean that those parts of the address must match; the 255 in the last octet means that that part of the address is not checked
- permit: traffic that matches the selected parameters is forwarded
- any: abbreviation for the source IP address; the any keyword means that every source address matches
This ACL is designed to block traffic from subnet 172.16.4.0 and to allow all other traffic to be forwarded out interface E0.


Standard ACLs to Control vty Access


RouterX(config-line)#
access-class access-list-number {in | out}

- Restricts incoming and outgoing connections between a particular vty and the addresses in an ACL

Example:
access-list 12 permit 192.168.1.0 0.0.0.255
(implicit deny any)
!
line vty 0 4
 access-class 12 in

Permits only hosts in network 192.168.1.0 0.0.0.255 to connect to the router vty lines

4-8

To control traffic that terminates on or originates from the router itself (rather than traffic that passes through it), you protect the virtual terminal ports of the router. These virtual ports are called vty lines. By default there are five of them, numbered 0 to 4; when configured to do so, Cisco IOS can support more than five vty lines. Restricting vty access is primarily a technique for increasing network security and for defining which addresses are allowed Telnet access to the router.
Filtering Telnet traffic is typically considered an extended ACL function, because it filters a higher-layer protocol. However, because you use the access-class command to filter incoming or outgoing Telnet sessions on the vty lines by source address, you can use standard ACL statements to control vty access.
Example: In this example, you permit any device on network 192.168.1.0 0.0.0.255 to establish a Telnet session with the router. Of course, the user must know the password to enter the router configuration. Notice that the restriction applies to all vty lines 0 to 4, because you cannot control which vty line a user will connect to. The implicit deny all statement still applies to the ACL when it is used with the access-class command.


Testing Packets with Numbered Extended IPv4 ACLs

4-9

For more precise traffic-filtering control, use extended IPv4 ACLs, which are numbered 100 to 199 and 2000 to 2699, or named ACLs, which check both the source and the destination IPv4 address. In addition, at the end of an extended ACL statement you can specify the protocol and an optional TCP or UDP application to filter more precisely. To specify an application, you can configure either the port number or the name of a well-known application.
Well-known port numbers and IP protocols:
20 (TCP) FTP data
21 (TCP) FTP control
23 (TCP) Telnet
25 (TCP) Simple Mail Transfer Protocol (SMTP)
53 (TCP/UDP) Domain Name System (DNS)
69 (UDP) TFTP
80 (TCP) HTTP


Configuring Numbered Extended IPv4 ACLs


RouterX(config)#
access-list access-list-number {permit | deny} protocol source source-wildcard [operator port] destination destination-wildcard [operator port] [established] [log]

- Sets the parameters for this list entry

RouterX(config-if)#
ip access-group access-list-number {in | out}

- Activates the extended ACL on an interface

4-10

To configure a numbered extended IPv4 ACL on a Cisco router, create an extended IPv4 ACL and activate it on an interface. Use the access-list command to create an entry for each set of test conditions. The following explains the syntax of the command.
- access-list-number: identifies the list, using a number in the range 100 to 199 or 2000 to 2699
- permit | deny: indicates whether this entry allows or blocks the specified traffic
- protocol: IP, TCP, UDP, ICMP, GRE or IGRP
- source and destination: identify the source and destination IP addresses
- source-wildcard and destination-wildcard: wildcard masks; 0 bits indicate positions that must match, 1 bits indicate positions that need not be checked
- operator [port | app-name]: lt (less than), gt (greater than), eq (equal to) or neq (not equal to). The port number can be the source or the destination port, depending on where in the ACL it is configured. Instead of the port number, you can use the name of a well-known application, such as Telnet, FTP or SMTP
- established: for inbound TCP only. Allows TCP traffic to pass if the packet is a response to a session that was initiated from the inside. This type of traffic has the ACK bit set (see the extended ACL example with the established keyword)
- log: sends a logging message to the console
Note: The access-list command syntax presented here is for TCP; not all of the parameters and options are listed. For complete syntax, refer to the Cisco IOS documentation at cisco.com.


Example: extended ACL with the established parameter
In the following example, the established parameter of the extended ACL allows responses to traffic that originates from the mail host 128.88.1.2. A match occurs if the TCP datagram has the ACK or RST bit set, which indicates that the packet belongs to an existing connection. Without the established parameter in the ACL statement, the mail host could only receive SMTP traffic and could not send it.
access-list 102 permit tcp any host 128.88.1.2 established
access-list 102 permit tcp any host 128.88.1.2 eq smtp
interface serial 0
 ip access-group 102 in
The ip access-group command links an existing extended ACL to an interface. Only one ACL per protocol, per direction, per interface is allowed. The following describes the parameters of the ip access-group command:
- access-list-number: the number of the ACL to be linked to the interface
- in | out: whether the ACL is applied to inbound or outbound traffic; out is the default
The table below shows the steps that are required to configure and apply an extended ACL on a router.
Step 1: Define an extended IPv4 ACL with the access-list command.
RouterX(config)# access-list 101 deny tcp 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255 eq 21
In this example, access list 101 denies TCP traffic from source network 172.16.4.0 (wildcard mask 0.0.0.255) to destination network 172.16.3.0 (wildcard mask 0.0.0.255) on port 21 (FTP control).
Step 2: Select the interface to which the ACL will be applied with the interface command.
RouterX(config)# interface ethernet 0
After you enter the interface command, the prompt changes to (config-if)#.

4-11

Step 3: Link the extended IPv4 ACL to the interface with the ip access-group command.
RouterX(config-if)# ip access-group 101 in
Use the show ip interfaces command to verify that the IP ACL is applied to the interface.

4-12

Numbered Extended IPv4 ACL Example

RouterX(config)# access-list 101 deny tcp 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255 eq 21
RouterX(config)# access-list 101 deny tcp 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255 eq 20
RouterX(config)# access-list 101 permit ip any any
(implicit deny all)
(access-list 101 deny ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255)
RouterX(config)# interface ethernet 0
RouterX(config-if)# ip access-group 101 out

Deny FTP traffic from subnet 172.16.4.0 to subnet 172.16.3.0 out of E0
Permit all other traffic
4-13

Example: numbered extended IP ACL - deny FTP from a subnet
The following describes the command syntax shown in the figure above.
- 101: ACL number, indicating that this is an extended IPv4 ACL
- deny: traffic that matches the selected parameters is not forwarded
- tcp: transport layer protocol
- 172.16.4.0 0.0.0.255: source IP address and mask; the first three octets must match, the last octet does not
- 172.16.3.0 0.0.0.255: destination IP address and mask; the first three octets must match, the last octet does not
- eq 21: destination port of FTP control
- eq 20: destination port of FTP data
- out: links ACL 101 to interface E0 as an outbound filter
The deny statements block FTP traffic from subnet 172.16.4.0 to subnet 172.16.3.0. The permit statement allows all other traffic out of interface E0.


Numbered Extended IPv4 ACL Example

RouterX(config)# access-list 101 deny tcp 172.16.4.0 0.0.0.255 any eq 23
RouterX(config)# access-list 101 permit ip any any
(implicit deny all)
RouterX(config)# interface ethernet 0
RouterX(config-if)# ip access-group 101 out

Deny only Telnet traffic from subnet 172.16.4.0 out of E0
Permit all other traffic

4-14

Example: numbered extended IP ACL - deny only Telnet from a subnet
The following describes the command syntax shown in the figure above.
- 101: ACL number, indicating that this is an extended IPv4 ACL
- deny: traffic that matches the selected parameters is not forwarded
- tcp: transport layer protocol
- 172.16.4.0 0.0.0.255: source IP address and mask; the first three octets must match, the last octet does not
- any: matches any destination IP address
- eq 23 or eq telnet: destination port or application; in this example, the Telnet application port, 23
- permit: traffic that matches the selected parameters is forwarded
- ip any: any IP protocol from any source
- any: any destination
- out: links ACL 101 to interface E0 as an outbound filter
This example denies Telnet traffic from 172.16.4.0 that is sent out interface E0. All other IP traffic is permitted out E0.


Configuring Named IP ACLs


RouterX(config)#
ip access-list {standard | extended} name

- The name string must be unique

RouterX(config {std- | ext-}nacl)#
[sequence-number] {permit | deny} {ip access list test conditions}
{permit | deny} {ip access list test conditions}

- If no sequence number is configured, sequence numbers are generated automatically, starting at 10 and incrementing by 10
- no sequence-number removes a specific entry from the named ACL

RouterX(config-if)#
ip access-group name {in | out}

- Activates the named ACL on an interface

4-15

Named ACLs allow you to identify standard and extended IPv4 ACLs with an alphanumeric string (a name) instead of a number. Named ACLs also allow you to delete individual entries in a specific ACL. If you are using Cisco IOS Release 12.3 or later, you can use sequence numbers to insert statements anywhere in a named ACL. If you are using an earlier release, you can insert statements only at the bottom of the named ACL. Because you can delete individual entries in a named ACL, you can modify the ACL without having to delete and reconfigure the whole list.
Creating a standard named IP ACL
To create a standard named IP ACL, follow these steps.
Step 1: ip access-list standard name. Defines a standard IP ACL using a name.
Step 2: Enter one of the following:

[sequence-number] deny {source [source-wildcard] | any}
[sequence-number] permit {source [source-wildcard] | any}
In access-list configuration mode, specify one or more conditions that determine whether a packet is permitted or denied.
Step 3: exit. Exits access-list configuration mode.

Creating an extended named IP ACL


To create an extended named IP ACL, follow these steps.
Step 1: ip access-list extended name. Defines an extended IP ACL using a name.
Step 2: Enter one of the following:
[sequence-number] {deny | permit} protocol source source-wildcard destination destination-wildcard [precedence precedence] [tos tos]
[sequence-number] {deny | permit} protocol any any
[sequence-number] {deny | permit} protocol host source host destination
In access-list configuration mode, specify the conditions that are allowed or denied. You can use the any keyword as an abbreviation for an address of 0.0.0.0 with a wildcard of 255.255.255.255 for the source, the destination or both. You can use the host keyword as an abbreviation for a wildcard of 0.0.0.0 on the source or destination address; place host before the address.
Step 3: exit. Exits access-list configuration mode.
Example: adding entries with sequence numbers. In the following example, a new entry is added to the ACL:
RouterX# show ip access-list
Standard IP access list MARKETING
    2 permit 10.4.4.2, wildcard bits 0.0.255.255
    5 permit 10.0.0.44, wildcard bits 0.0.0.255
    10 permit 10.0.0.1, wildcard bits 0.0.0.255
    20 permit 10.0.0.2, wildcard bits 0.0.0.255
RouterX(config)# ip access-list standard MARKETING
RouterX(config-std-nacl)# 15 permit 10.5.5.5 0.0.0.255
RouterX# show ip access-list

4-16

Standard IP access list MARKETING
    2 permit 10.4.0.0, wildcard bits 0.0.255.255
    5 permit 10.0.0.0, wildcard bits 0.0.0.255
    10 permit 10.0.0.0, wildcard bits 0.0.0.255
    15 permit 10.5.5.0, wildcard bits 0.0.0.255
    20 permit 10.0.0.0, wildcard bits 0.0.0.255

4-17

Named Standard IPv4 ACL Example

RouterX(config)#ip access-list standard troublemaker
RouterX(config-std-nacl)#deny host 172.16.4.13
RouterX(config-std-nacl)#permit 172.16.4.0 0.0.0.255
RouterX(config-std-nacl)#interface e0
RouterX(config-if)#ip access-group troublemaker out

Deny a specific host

4-18

The following describes the command syntax shown in the figure above.
- standard: indicates that this is a standard named access list
- troublemaker: name of the ACL
- deny: traffic that matches the selected parameters is dropped
- host 172.16.4.13: source IP address; host substitutes for the wildcard mask 0.0.0.0
- permit: traffic that matches the selected parameters is forwarded
- 172.16.4.0 0.0.0.255: source IP address and mask; the first three octets must match, the last octet does not
- ip access-group troublemaker out: links the troublemaker ACL to interface E0 as an outbound filter


Named Extended IPv4 ACL Example

RouterX(config)#ip access-list extended badgroup
RouterX(config-ext-nacl)#deny tcp 172.16.4.0 0.0.0.255 any eq 23
RouterX(config-ext-nacl)#permit ip any any
RouterX(config-ext-nacl)#interface e0
RouterX(config-if)#ip access-group badgroup out

Deny Telnet from a subnet

4-19

The following describes the command syntax shown in the figure above.
- extended: indicates that this is an extended named ACL
- badgroup: name of the ACL
- deny: traffic that matches the selected parameters is dropped
- tcp: transport layer protocol
- 172.16.4.0 0.0.0.255: source IP address and mask; the first three octets must match, the last octet does not
- any: matches any destination IP address
- eq 23 or eq telnet: destination port or application name; in this example, the Telnet application port, 23
- permit: traffic that matches the selected parameters is forwarded
- ip: network layer protocol
- any: keyword that matches every source and destination
- ip access-group badgroup out: links the badgroup ACL to interface E0 as an outbound filter


Commented ACL Statements


RouterX(config)#
ip access-list {standard|extended} name

- Creates a named ACL

RouterX(config {std- | ext-}nacl)#
remark remark

- Creates a comment for a named ACL

or

RouterX(config)#
access-list access-list-number remark remark

- Creates a comment for a numbered ACL

4-20

Remark statements are not processed as test conditions. They are simply comments that make named or numbered ACLs easier to understand and to troubleshoot. Each remark is limited to 100 characters. A remark can be placed before or after a permit or deny statement. You should be consistent about where you put the remarks so that it is clear which remark describes which permit or deny statement. It would be confusing to have some remarks before the statements they describe and other remarks after them.
To add a remark to a named IP ACL, use the remark remark command in ACL configuration mode. To add a remark to a numbered ACL, use the access-list access-list-number remark remark command. The following example adds a remark to a numbered ACL:
access-list 101 remark Permitting_John to Telnet to Server
access-list 101 permit tcp host 10.1.1.2 host 172.16.1.1 eq telnet


The following example adds a remark to a named ACL:
ip access-list standard PREVENTION
 remark Do not allow Jones subnet through
 deny 171.69.0.0 0.0.255.255

4-21

Monitoring ACL Statements


RouterX# show access-lists {access-list number | name}

RouterX# show access-lists
Standard IP access list SALES
    10 deny 10.1.1.0, wildcard bits 0.0.0.255
    20 permit 10.3.3.1
    30 permit 10.4.4.1
    40 permit 10.5.5.1
Extended IP access list ENG
    10 permit tcp host 10.22.22.1 any eq telnet (25 matches)
    20 permit tcp host 10.33.33.1 any eq ftp
    30 permit tcp host 10.44.44.1 any eq ftp-data

Displays all access lists

4-22

After you complete the ACL configuration, use show commands to verify it. Use the show access-lists command to display the contents of all ACLs. By entering an ACL number or name as an option to this command, you can display a specific ACL. To display only the contents of all IP ACLs, use the show ip access-list command.


Verifying ACLs


RouterX# show ip interfaces e0
Ethernet0 is up, line protocol is up
  Internet address is 10.1.1.11/24
  Broadcast address is 255.255.255.255
  Address determined by setup command
  MTU is 1500 bytes
  Helper address is not set
  Directed broadcast forwarding is disabled
  Outgoing access list is not set
  Inbound access list is 1
  Proxy ARP is enabled
  Security level is default
  Split horizon is enabled
  ICMP redirects are always sent
  ICMP unreachables are always sent
  ICMP mask replies are never sent
  IP fast switching is enabled
  IP fast switching on the same interface is disabled
  IP Feature Fast switching turbo vector
  IP multicast fast switching is enabled
  IP multicast distributed fast switching is disabled
<text omitted>

4-23

The show ip interfaces command displays IP interface information and indicates whether any IP ACLs are set on the interface. In the show ip interface e0 output shown above, IP ACL 1 is configured on interface E0 as an inbound ACL. No outbound IP ACL is configured on interface E0.


Troubleshooting Common ACL Errors

Problem 1: Host 10.1.1.1 has no connectivity with 10.100.100.1.

4-24

Analyze the show access-lists output above and resolve the following problem.
Problem: Host 10.1.1.1 has no connectivity with 10.100.100.1.
ERROR1# show access-lists 10
Standard IP access list 10
    10 deny 10.1.1.0, wildcard bits 0.0.0.255
    20 permit 10.1.1.1
    30 permit ip any any
Solution: Host 10.1.1.1 has no connectivity with 10.100.100.1 because of the order of the entries in access list 10. Because the router processes the list from the top down, statement 10 denies host 10.1.1.1, so statement 20 is never evaluated. Statements 10 and 20 must be reversed.


Troubleshooting Common ACL Errors (Cont.)

Problem 2: Network 192.168.1.0 cannot use TFTP to connect to 10.100.100.1.

4-25

Analyze the show access-lists output above and resolve the following problem.
Problem: Network 192.168.1.0 cannot use TFTP to connect to 10.100.100.1.
ERROR2# show access-lists 120
Extended IP access list 120
    10 deny tcp 172.16.0.0 0.0.255.255 any eq telnet
    20 deny tcp 192.168.1.0 0.0.0.255 host 10.100.100.1 eq smtp
    30 permit tcp any any
Solution: Network 192.168.1.0 cannot use TFTP to connect to 10.100.100.1 because TFTP uses UDP as its transport protocol. Statement 30 of access list 120 permits all other TCP traffic only, so TFTP, which uses UDP, falls through to the implicit deny. Statement 30 must be changed to permit ip any any.


Troubleshooting Common ACL Errors (Cont.)

Problem 3: Network 172.16.0.0 can use Telnet to connect to 10.100.100.1, but this connection should not be allowed.

4-26

Analyze the show access-lists output above and resolve the following problem.
Problem: Network 172.16.0.0 can use Telnet to connect to 10.100.100.1, but this connection should not be allowed.
ERROR3# show access-lists 130
Extended IP access list 130
    10 deny tcp any eq telnet any
    20 deny tcp 192.168.1.0 0.0.0.255 host 10.100.100.1 eq smtp
    30 permit ip any any
Solution: Network 172.16.0.0 can still use Telnet to connect to 10.100.100.1 because the Telnet port in statement 10 is in the wrong position. As written, statement 10 denies any source whose source port is Telnet, to any destination. If you want to deny Telnet traffic entering S0, you must deny traffic whose destination port equals Telnet, for example, deny tcp any any eq telnet.


Troubleshooting Common ACL Errors (Cont.)

Problem 4: Host 10.1.1.1 can use Telnet to connect to 10.100.100.1, but this connection should not be allowed.

4-27

Analyze the show access-lists output above and resolve the following problem.
Problem: Host 10.1.1.1 can use Telnet to connect to 10.100.100.1, but this connection should not be allowed.
ERROR4# show access-lists 140
Extended IP access list 140
    10 deny tcp host 10.160.22.11 10.100.100.0 0.0.0.255 eq telnet
    20 deny tcp 192.168.1.0 0.0.0.255 host 10.100.100.1 eq smtp
    30 permit ip any any
Solution: Host 10.1.1.1 can still use Telnet to connect to 10.100.100.1 because no statement denies host 10.1.1.1 or its network as the source. Statement 10 of access list 140 denies the router interface address, but 10.1.1.1 is not the IP address of the router interface.


Troubleshooting Common ACL Errors (Cont.)

Problem 5: Host 10.100.100.1 can use Telnet to connect to 10.1.1.1, but this connection should not be allowed.

4-28

Analyze the show access-lists output above and resolve the following problem.
Problem: Host 10.100.100.1 can use Telnet to connect to 10.1.1.1, but this connection should not be allowed.
ERROR5# show access-lists 150
Extended IP access list 150
    10 deny tcp host 10.100.100.1 any eq telnet
    20 permit ip any any
Access list 150 is applied inbound on interface S0.
Solution: Host 10.100.100.1 can still use Telnet to connect to 10.1.1.1 because of the direction in which ACL 150 is applied to interface S0. Statement 10 denies the source address 10.100.100.1, but that address is the source only for traffic leaving S0, not for traffic entering S0.


Troubleshooting Common ACL Errors (Cont.)

Problem 6: Host 10.1.1.1 can use Telnet to connect to Router B, but this connection should not be allowed.

4-29

Analyze the show access-lists output above and resolve the following problem.
Problem: Host 10.1.1.1 can use Telnet to connect to Router B, but this connection should not be allowed.
ERROR6# show access-lists 160
Extended IP access list 160
    10 deny tcp any host 10.160.22.33 eq telnet
    20 permit ip any any
Solution: Host 10.1.1.1 can use Telnet to connect to Router B because Telnet to the router itself is different from Telnet through the router to another device. Statement 10 of ACL 160 denies Telnet to the IP address of the S0 interface of Router B, but host 10.1.1.1 can still reach Router B using the address of another interface, for example, E0. If you want to deny Telnet into or out of the router itself, use the access-class command to apply the ACL to the vty lines.
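All six cases above come down to walking the list from the top and stopping at the first match, with the implicit deny waiting at the end. As an added example (not Cisco code; the function names are this example's own), the following Python evaluator parses the show access-lists entries of Problems 1, 2 and 3 and shows the broken and corrected lists reaching opposite verdicts on the same constructed packet.

```python
"""Top-down ACL evaluation with the implicit deny. Added example, not course material: the
parser covers only the subset of IOS syntax the troubleshooting cases use (permit/deny,
ip/tcp/udp/icmp, any / host / address-wildcard, and the eq port operator)."""
import ipaddress

# Well-known names IOS accepts in place of port numbers (the ones used on this page).
PORT_NAMES = {"ftp-data": 20, "ftp": 21, "telnet": 23, "smtp": 25, "domain": 53, "tftp": 69, "www": 80}
ANY = ("0.0.0.0", "255.255.255.255")


def ip2int(a: str) -> int:
    return int(ipaddress.IPv4Address(a))


def wildcard_match(ip: str, address: str, wildcard: str) -> bool:
    """Wildcard rule: 0 bits in the mask must match, 1 bits are ignored."""
    return (ip2int(ip) ^ ip2int(address)) & ~ip2int(wildcard) & 0xFFFFFFFF == 0


def _take_address(tokens: list) -> tuple:
    """Consume 'any', 'host A' or 'A WILDCARD' from the front of the token list. A bare
    address not followed by a wildcard gets the default 0.0.0.0 (the standard-ACL rule)."""
    tok = tokens.pop(0)
    if tok == "any":
        return ANY
    if tok == "host":
        return tokens.pop(0), "0.0.0.0"
    if tokens and tokens[0][0].isdigit():
        return tok, tokens.pop(0)
    return tok, "0.0.0.0"


def _take_port(tokens: list):
    """Consume an optional 'eq <port|name>' operator; None means any port."""
    if tokens and tokens[0] == "eq":
        tokens.pop(0)
        p = tokens.pop(0)
        return int(p) if p.isdigit() else PORT_NAMES[p]
    return None


def parse_entry(line: str) -> dict:
    """Parse one entry as printed by show access-lists, e.g. '10 deny tcp any eq telnet any'
    or '10 deny 10.1.1.0, wildcard bits 0.0.0.255'. Entries without a protocol keyword are
    standard entries: they match every destination and every port."""
    tokens = line.replace(",", "").replace("wildcard bits", "").split()
    seq = int(tokens.pop(0)) if tokens[0].isdigit() else None
    action = tokens.pop(0)
    if tokens[0] in ("ip", "tcp", "udp", "icmp"):
        proto = tokens.pop(0)
        src, sport = _take_address(tokens), _take_port(tokens)
        dst, dport = _take_address(tokens), _take_port(tokens)
    else:
        proto, src, sport, dst, dport = "ip", _take_address(tokens), None, ANY, None
    return {"seq": seq, "action": action, "proto": proto,
            "src": src, "sport": sport, "dst": dst, "dport": dport}


def evaluate(acl: list, pkt: dict) -> tuple:
    """Walk the entries top-down; the first match decides. If nothing matches, the implicit
    'deny any' at the end of every ACL applies, reported here with sequence None."""
    for e in (parse_entry(line) for line in acl):
        if e["proto"] not in ("ip", pkt["proto"]):
            continue
        if not wildcard_match(pkt["src"], *e["src"]) or not wildcard_match(pkt["dst"], *e["dst"]):
            continue
        if e["sport"] is not None and e["sport"] != pkt.get("sport"):
            continue
        if e["dport"] is not None and e["dport"] != pkt.get("dport"):
            continue
        return e["action"], e["seq"]
    return "deny", None


# Constructed packets for the three problems (addresses taken from the cases above).
TELNET_FROM_10_1_1_1 = {"proto": "tcp", "src": "10.1.1.1", "dst": "10.100.100.1", "sport": 51000, "dport": 23}
TFTP_FROM_192_168_1 = {"proto": "udp", "src": "192.168.1.20", "dst": "10.100.100.1", "sport": 51001, "dport": 69}
TELNET_FROM_172_16 = {"proto": "tcp", "src": "172.16.5.9", "dst": "10.100.100.1", "sport": 51002, "dport": 23}

ACL10_BROKEN = ["10 deny 10.1.1.0, wildcard bits 0.0.0.255", "20 permit 10.1.1.1", "30 permit ip any any"]
ACL10_FIXED = ["10 permit 10.1.1.1", "20 deny 10.1.1.0 0.0.0.255", "30 permit ip any any"]
ACL120_BROKEN = ["10 deny tcp 172.16.0.0 0.0.255.255 any eq telnet",
                 "20 deny tcp 192.168.1.0 0.0.0.255 host 10.100.100.1 eq smtp",
                 "30 permit tcp any any"]                  # UDP (TFTP) falls to implicit deny
ACL120_FIXED = ACL120_BROKEN[:2] + ["30 permit ip any any"]
ACL130_BROKEN = ["10 deny tcp any eq telnet any",          # port sits on the source side
                 "20 deny tcp 192.168.1.0 0.0.0.255 host 10.100.100.1 eq smtp",
                 "30 permit ip any any"]
ACL130_FIXED = ["10 deny tcp any any eq telnet"] + ACL130_BROKEN[1:]

if __name__ == "__main__":
    for name, broken, fixed, pkt in [("Problem 1", ACL10_BROKEN, ACL10_FIXED, TELNET_FROM_10_1_1_1),
                                     ("Problem 2", ACL120_BROKEN, ACL120_FIXED, TFTP_FROM_192_168_1),
                                     ("Problem 3", ACL130_BROKEN, ACL130_FIXED, TELNET_FROM_172_16)]:
        print(name, "broken:", evaluate(broken, pkt), "fixed:", evaluate(fixed, pkt))
```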


Summary
- Standard IPv4 ACLs allow you to filter by source IP address
- Extended IPv4 ACLs allow you to filter by source IP address, destination IP address, protocol and port number
- Named ACLs allow you to delete individual statements from an ACL
- You can use the show access-lists and show ip interface commands to troubleshoot common ACL configuration errors


Lesson 5: Scaling the Network with NAT and PAT

Managing Address Space

5-1


Network Address Translation

An IP address is either local or global. Local IPv4 addresses are seen in the inside network. Global IPv4 addresses are seen in the outside network.
5-2


Port Address Translation

5-3


Translating Inside Source Addresses

5-4


Configuring and Verifying Static Translation


RouterX(config)# ip nat inside source static local-ip global-ip

Establishes static translation between an inside local address and an inside global address

RouterX(config-if)# ip nat inside

Marks the interface as connected to the inside


RouterX(config-if)# ip nat outside

Marks the interface as connected to the outside


RouterX# show ip nat translations

Displays active translations

5-5


Enabling Static NAT Address Mapping Example

interface s0
 ip address 192.168.1.1 255.255.255.0
 ip nat outside
!
interface e0
 ip address 10.1.1.1 255.255.255.0
 ip nat inside
!
ip nat inside source static 10.1.1.2 192.168.1.2

RouterX# show ip nat translations
Pro  Inside global      Inside local       Outside local      Outside global
---  192.168.1.2        10.1.1.2           ---                ---

5-6


Configuring and Verifying Dynamic Translation


RouterX(config)# ip nat pool name start-ip end-ip {netmask netmask | prefix-length prefix-length}

Defines a pool of global addresses to be allocated as needed


RouterX(config)# access-list access-list-number permit source [source-wildcard]

Defines a standard IP ACL permitting those inside local addresses that are to be translated
RouterX(config)# ip nat inside source list access-list-number pool name

Establishes dynamic source translation, specifying the ACL that was defined in the previous step
RouterX# show ip nat translations

Displays active translations


5-7


Dynamic Address Translation Example

RouterX# show ip nat translations
Pro  Inside global      Inside local       Outside local      Outside global
---  171.69.233.209     192.168.1.100      ---                ---
---  171.69.233.210     192.168.1.101      ---                ---

5-8

5-8

Overloading an Inside Global Address


Configuring Overloading
RouterX(config)# access-list access-list-number permit source source-wildcard

Defines a standard IP ACL that will permit the inside local addresses that are to be translated

RouterX(config)# ip nat inside source list access-list-number interface interface overload

Establishes dynamic source translation, specifying the ACL that was defined in the previous step

RouterX# show ip nat translations

Displays active translations


Overloading an Inside Global Address Example

hostname RouterX
!
interface Ethernet0
 ip address 192.168.3.1 255.255.255.0
 ip nat inside
!
interface Ethernet1
 ip address 192.168.4.1 255.255.255.0
 ip nat inside
!
interface Serial0
 description To ISP
 ip address 172.17.38.1 255.255.255.0
 ip nat outside
!
ip nat inside source list 1 interface Serial0 overload
!
ip route 0.0.0.0 0.0.0.0 Serial0
!
access-list 1 permit 192.168.3.0 0.0.0.255
access-list 1 permit 192.168.4.0 0.0.0.255
!

RouterX# show ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
TCP 172.17.38.1:1050   192.168.3.7:1050   10.1.1.1:23        10.1.1.1:23
TCP 172.17.38.1:1776   192.168.4.12:1776  10.2.2.2:25        10.2.2.2:25



Clearing the NAT Translation Table


RouterX# clear ip nat translation *

Clears all dynamic address translation entries


RouterX# clear ip nat translation inside global-ip local-ip [outside local-ip global-ip]

Clears a simple dynamic translation entry that contains an inside translation or both an inside and outside translation
RouterX# clear ip nat translation outside local-ip global-ip

Clears a simple dynamic translation entry that contains an outside translation


RouterX# clear ip nat translation protocol inside global-ip global-port local-ip local-port [outside local-ip local-port global-ip global-port]

Clears an extended dynamic translation entry (PAT entry)



Translation Not Occurring: Translation Not Installed in the Table


Verify that:
- There are no inbound ACLs denying the packets entry to the NAT router
- The ACL referenced by the NAT command permits all necessary networks
- There are enough addresses in the NAT pool
- The router interfaces are correctly defined as NAT inside or NAT outside

Displaying Information with show and debug Commands


RouterX# debug ip nat
NAT: s=192.168.1.95->172.31.233.209, d=172.31.2.132 [6825]
NAT: s=172.31.2.132, d=172.31.233.209->192.168.1.95 [21852]
NAT: s=192.168.1.95->172.31.233.209, d=172.31.1.161 [6826]
NAT*: s=172.31.1.161, d=172.31.233.209->192.168.1.95 [23311]
NAT*: s=192.168.1.95->172.31.233.209, d=172.31.1.161 [6827]
NAT*: s=192.168.1.95->172.31.233.209, d=172.31.1.161 [6828]
NAT*: s=172.31.1.161, d=172.31.233.209->192.168.1.95 [23312]
NAT*: s=172.31.1.161, d=172.31.233.209->192.168.1.95 [23313]

Each line shows the source (s=) and destination (d=) before and after translation, with the IP identification field in brackets; the asterisk in NAT* marks a packet translated in the fast-switched path using an existing entry.

RouterX# show ip nat statistics
Total active translations: 1 (1 static, 0 dynamic; 0 extended)
Outside interfaces: Ethernet0, Serial2
Inside interfaces: Ethernet1
Hits: 5  Misses: 0

Translation Occurring: Installed Translation Entry Not Being Used


Verify:
- What the NAT configuration is supposed to accomplish
- That the NAT entry exists in the translation table and is accurate
- That the translation is actually taking place, by monitoring the NAT process or statistics
- That the NAT router has the appropriate route in its routing table if the packet is going from inside to outside
- That all necessary routers have a return route back to the translated address

Sample Problem: Cannot Ping Remote Host


Sample Problem: Cannot Ping Remote Host (Cont.)

RouterA# show ip nat translations
Pro Inside global      Inside local       Outside local      Outside global

There are no translations in the table.

Sample Problem: Cannot Ping Remote Host (Cont.)

RouterA# show ip nat statistics
Total active translations: 0 (0 static, 0 dynamic; 0 extended)
Outside interfaces: Ethernet0
Inside interfaces: Serial0
Hits: 0  Misses: 0

The router interfaces are incorrectly defined as NAT inside and NAT outside: the LAN interface (Ethernet0) is marked outside and the WAN link (Serial0) inside, so no packet is ever seen as travelling from inside to outside.

Sample Problem: Cannot Ping Remote Host (Cont.)

RouterA# show access-list
Standard IP access list 20
    10 permit 0.0.0.0, wildcard bits 255.255.255.0

Pings are still failing and there are still no translations in the table. The ACL that selects the addresses to be translated has an incorrect wildcard mask: with wildcard 255.255.255.0 only the last octet is compared, so the entry matches addresses ending in .0 rather than the 192.168.1.0/24 hosts.
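The entry shown as permit 0.0.0.0, wildcard bits 255.255.255.0 is what IOS stores when a subnet mask is typed where a wildcard mask belongs (access-list 20 permit 192.168.1.0 255.255.255.0): IOS zeroes every address bit that the wildcard marks as don't-care. The added Python example below (not from the course) evaluates a standard ACL the way the router does, so you can see that the stored entry matches only addresses ending in .0, which is why 192.168.1.2 is never translated, while the intended entry permit 192.168.1.0 0.0.0.255 selects the right hosts. The ACL entries are the ones on the page; the function names are mine.

```python
from ipaddress import ip_address

MASK32 = 0xFFFFFFFF


def ios_normalize(entry_ip, wildcard):
    """IOS stores an ACL entry with every 'don't care' bit (wildcard bit = 1) zeroed.
    Typing 'permit 192.168.1.0 255.255.255.0' therefore ends up as
    'permit 0.0.0.0, wildcard bits 255.255.255.0'."""
    keep = ~int(ip_address(wildcard)) & MASK32
    return str(ip_address(int(ip_address(entry_ip)) & keep))


def wildcard_match(address, entry_ip, wildcard):
    """Standard ACL comparison: bits where the wildcard is 0 must be equal."""
    keep = ~int(ip_address(wildcard)) & MASK32
    return (int(ip_address(address)) & keep) == (int(ip_address(entry_ip)) & keep)


def acl_permits(acl, address):
    """First matching entry decides; the implicit 'deny any' at the end drops the rest."""
    for action, entry_ip, wildcard in acl:
        if wildcard_match(address, entry_ip, wildcard):
            return action == "permit"
    return False


# What 'show access-list' revealed on RouterA (wrong), and what was intended.
BROKEN_ACL_20 = [("permit", "0.0.0.0", "255.255.255.0")]
FIXED_ACL_20 = [("permit", "192.168.1.0", "0.0.0.255")]


def translation_candidates(acl, hosts):
    """Return the hosts the NAT 'list' clause would actually select for translation."""
    return [h for h in hosts if acl_permits(acl, h)]


if __name__ == "__main__":
    hosts = ["192.168.1.2", "192.168.1.0", "10.5.5.0"]   # constructed sample hosts
    print(ios_normalize("192.168.1.0", "255.255.255.0"))  # 0.0.0.0
    print(translation_candidates(BROKEN_ACL_20, hosts))   # only the addresses ending in .0
    print(translation_candidates(FIXED_ACL_20, hosts))    # the 192.168.1.0/24 hosts
```

The same check is worth running whenever show access-list prints an address that is not what you typed: the normalized form is IOS telling you which bits the entry really tests.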

Sample Problem: Cannot Ping Remote Host (Cont.)

RouterA# show ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
--- 172.16.17.20       192.168.1.2        ---                ---

Translations are now occurring. Pings are still failing.

Sample Problem: Cannot Ping Remote Host (Cont.)

RouterB# sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
Gateway of last resort is not set
     10.0.0.0/24 is subnetted, 1 subnets
C       10.1.1.0/24 is directly connected, Serial0
     192.168.2.0/24 is subnetted, 1 subnets
C       192.168.2.0/24 is directly connected, Ethernet0
     192.168.1.0/24 is variably subnetted, 3 subnets, 2 masks
R       192.168.1.0/24 [120/1] via 10.1.1.1, 2d19h, Serial0

Router B has no route to the translated network address, 172.16.0.0.

Sample Problem: Cannot Ping Remote Host (Cont.)

RouterA# sh ip protocol
Routing Protocol is "rip"
  Outgoing update filter list for all interfaces is not set
  Incoming update filter list for all interfaces is not set
  Sending updates every 30 seconds, next due in 0 seconds
  Invalid after 180 seconds, hold down 180, flushed after 240
  Redistributing: rip
  Default version control: send version 1, receive any version
  Automatic network summarization is in effect
  Maximum path: 4
  Routing for Networks:
    192.168.0.0
  Routing Information Sources:
    Gateway         Distance      Last Update
  Distance: (default is 120)

Router A is advertising the network that is being translated, 192.168.1.0, instead of the network the router is translating into, 172.16.0.0.

Solution: Corrected Configuration


Visual Objective 7-1: Configuring NAT and PAT


Lab addressing per workgroup (WG):

WG   Router s0/0/0   Router fa0/0   Switch
A    10.140.1.2      10.2.2.3       10.2.2.11
B    10.140.2.2      10.3.3.3       10.3.3.11
C    10.140.3.2      10.4.4.3       10.4.4.11
D    10.140.4.2      10.5.5.3       10.5.5.11
E    10.140.5.2      10.6.6.3       10.6.6.11
F    10.140.6.2      10.7.7.3       10.7.7.11
G    10.140.7.2      10.8.8.3       10.8.8.11
H    10.140.8.2      10.9.9.3       10.9.9.11

Lab 13: ACL. Note: Refer to the lab setup guide for lab instructions.

Summary
- There are three types of NAT: static, dynamic and overloading (PAT).
- Static NAT is a one-to-one address mapping.
- Dynamic NAT addresses are picked from a pool.
- NAT overloading (PAT) lets you map many inside addresses to one outside address.
- Use the show ip nat translations command to display the translation table and verify that translation has occurred.
- To determine whether a current translation entry is being used, use the show ip nat statistics command and check the hits counter.

Lesson 6: Transitioning to IPv6

Managing Address Space

Overview: Scaling for future needs requires an unlimited supply of IP addresses and improved mobility. IP version 6 (IPv6) satisfies the increasingly complex requirements that IP version 4 (IPv4) cannot meet. IPv6 uses address formats that differ from, and are more efficient than, those of IPv4. This lesson describes the different formats IPv6 uses and how addresses are assigned. Moving from IPv4 to IPv6 can involve several techniques, including autoconfiguration; which method is deployed depends largely on the network. This lesson describes the different kinds of IPv6 transition methods used in a network.

Objectives: Upon completing this lesson, you will be able to explain the format of IPv6 addresses and the components required to deploy IPv6, the routing considerations, and the basic IPv6 configuration parameters. This includes being able to:
- Explain the need for IPv6
- Describe the IPv6 address format
- Explain the IP address assignment methods
- Explain how IPv6 affects common routing protocols and what additions those protocols require
- Explain the transition strategies for implementing IPv6
- Configure IPv6 with RIPng in an IPv4 network

IPv4 and IPv6

Currently, about 1.3 billion IPv4 addresses remain available.

The IPv4 address space provides approximately 4.3 billion addresses. Of that space, about 3.7 billion addresses are actually usable for deployment; the rest are reserved for special purposes such as multicast, private address ranges, loopback testing and research. Based on the chart dated January 1, 2007, about 2.407 billion addresses had been assigned to end users or Internet service providers (ISPs), leaving nearly 1.3 billion still available. An IPv6 address is 128 bits long and can be written as 32 hexadecimal digits, as shown in the figure above. It provides 3.4 × 10^38 addresses. This version of IP addressing is designed to meet the future growth needs of the Internet; because the 128-bit address space is so large, IPv6 provides a practically unlimited supply of IP addresses.

Why a Larger Address Space Is Needed

- Internet population: about 973 million Internet users as of November 2005, and growing rapidly
- Mobile users: PDAs, pen tablets, notepads and similar devices; about 20 million in 2004
- Mobile phones: over 1 billion mobile phones already delivered by the industry
- Transportation: an expected 1 billion cars by 2008; Internet access on airplanes
- Consumer devices: Sony mandated that all of its products support IPv6 from 2005; millions of home and industrial appliances

The Internet will change once IPv6 has completely replaced IPv4. Some analysts have announced the exhaustion of IPv4. However, estimates of when IPv4 will run out vary widely: 2008, 2009 or even 2013. Whatever happens, IPv4 will not disappear overnight; it will coexist with IPv6 and gradually be replaced by it. The transition from IPv4 to IPv6 has begun, particularly in Europe, Japan and the Asia-Pacific region. These regions are exhausting the IPv4 addresses allocated to them, which makes IPv6 more attractive and more necessary. Some countries, such as Japan, have adopted IPv6 quickly. Others, such as those in Europe, are moving to IPv6 gradually; China is reported to be building a network dedicated to IPv6. On October 1, 2003, the U.S. Department of Defense (DoD) mandated that all equipment it purchases must be capable of supporting IPv6. In addition, the U.S. government must begin using IPv6 in its networks by 2008, and it is proceeding toward even broader deployment.

IPv6 Advantages

Larger address space:
- Global reachability and flexibility
- Aggregation
- Multihoming
- Autoconfiguration
- Plug-and-play
- End to end without NAT
- Renumbering

Simpler header:
- Routing efficiency
- Performance and forwarding-rate scalability
- No broadcasts
- No checksums
- Extension headers
- Flow labels

Mobility and security:
- Mobile IP RFC-compliant
- IPsec support mandatory

Transition richness:
- Dual stack
- 6to4 and manual tunnels
- Translation

IPv6 is a powerful enhancement to IPv4. Several features in IPv6 offer this advantage; what developers learned from using IPv4 has been applied to suit current and future needs.

Larger address space: the larger address space brings several improvements:
- Improved global reachability and flexibility
- Aggregation of prefixes announced in routing tables
- Multihoming to several ISPs
- Autoconfiguration that can include data link layer addresses in the address space
- Plug-and-play options
- Public-to-private readdressing end to end without address translation
- Simplified mechanisms for address renumbering and modification

Simpler header: a simpler header provides several advantages over IPv4:
- Better routing efficiency and forwarding performance
- No broadcasts, and therefore no threat of broadcast storms
- No checksum processing required
- Simple and efficient header extension
- Flow labels for per-flow processing, so the transport layer need not be opened to identify traffic flows

Mobility and security: mobility and security help ensure compliance with Mobile IP and IPsec. Mobility lets users with mobile devices, mostly on wireless connections, move around the network. Mobile IP is an IETF standard for both IPv4 and IPv6; it lets mobile devices move without breaking established connections. Because IPv4 does not provide this mobility on its own, it must be added with extra configuration. In IPv6, mobility is built in, meaning any IPv6 node can use it when needed, and the IPv6 header makes Mobile IPv6 more efficient for end nodes than its IPv4 counterpart. IPsec is the IETF standard for network-layer security and is available for both IPv4 and IPv6. Although IPsec functionality is essentially the same in both environments, support for it is mandatory in IPv6, so end-to-end protection is available between any two IPv6 nodes. Note that mandatory support does not mean traffic is protected by default: IPsec still has to be configured, and it requires keys for each party, which implies a global key management deployment (RFC 6434 later relaxed the mandatory-support requirement for IPv6 nodes).

Transition richness: there are several ways to integrate existing IPv4 networks with the added features of IPv6:
- Dual stack is an integration method currently being deployed, in which both IPv4 and IPv6 are configured on device interfaces
- Tunneling is another technique that became prominent as IPv6 developed. There are many methods of tunneling IPv6 over IPv4; some require manual configuration, while others are more automatic
- Cisco IOS Software Release 12.3(2)T and later includes NAT-PT (Network Address Translation-Protocol Translation) between IPv6 and IPv4. This translation allows direct communication between hosts using different versions of IP

IPv6 Address Representation

Format:
- x:x:x:x:x:x:x:x, where each x is a 16-bit field written in hexadecimal
- Case-insensitive for A, B, C, D, E, F
- Leading zeros in a field are optional
- Successive fields of zeros can be represented as ::, but only once per address

Examples:
- 2031:0000:130F:0000:0000:09C0:876A:130B can be written as 2031:0:130f::9c0:876a:130b
- 2031::130f::9c0:876a:130b is not allowed (two :: in one address)
- FF01:0:0:0:0:0:0:1 becomes FF01::1
- 0:0:0:0:0:0:0:1 becomes ::1
- 0:0:0:0:0:0:0:0 becomes ::

Understanding IPv6 addresses. This topic describes the format of IPv6 addresses and their abbreviated form. Colons (:) separate the 16-bit fields that make up an IPv6 address. The hexadecimal digits A, B, C, D, E and F in an IPv6 address are case-insensitive. IPv6 does not require an explicit address string notation; use the following guidelines:
- Leading zeros in a field are optional, so 09C0 is equivalent to 9C0 and 0000 is equivalent to 0
- Successive fields of zeros can be represented as ::, but this shorthand may be used only once in an address
- The unspecified address is written as :: because it contains only zeros

Using the :: notation greatly reduces the size of most addresses. For example, FF01:0:0:0:0:0:0:1 becomes FF01::1. Note: an address parser determines the number of missing zeros by separating the two parts of the address and filling in zero fields until 128 bits have been accounted for. If :: appeared twice in one address, there would be no way to tell how many zero fields each occurrence stands for, which is why it is allowed only once.
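The parsing rule just described, written out as an added Python example (not from the course): expand_ipv6 locates the single ::, pads with zero groups until eight groups exist, and rejects an address containing two ::; compress_ipv6 produces the shortest form following RFC 5952 (leading zeros dropped, the longest run of at least two zero groups replaced, lowercase hex). The sample addresses are the ones from the slide; the function names are mine.

```python
HEX = set("0123456789abcdefABCDEF")


def expand_ipv6(text):
    """Return the eight 16-bit groups as integers, applying the rules from the text:
    at most one '::', which stands for as many zero groups as are needed to reach
    eight; leading zeros inside a group are optional."""
    if text.count("::") > 1:
        raise ValueError("'::' may appear only once: %s" % text)
    if "::" in text:
        head, tail = text.split("::")
        left = head.split(":") if head else []
        right = tail.split(":") if tail else []
        missing = 8 - len(left) - len(right)
        if missing < 1:
            raise ValueError("'::' must replace at least one group: %s" % text)
        parts = left + ["0"] * missing + right
    else:
        parts = text.split(":")
    if len(parts) != 8:
        raise ValueError("expected 8 groups, got %d: %s" % (len(parts), text))
    groups = []
    for part in parts:
        if not 1 <= len(part) <= 4 or not set(part) <= HEX:
            raise ValueError("bad group %r in %s" % (part, text))
        groups.append(int(part, 16))
    return groups


def is_valid_ipv6(text):
    try:
        expand_ipv6(text)
        return True
    except ValueError:
        return False


def full_form(text):
    """All eight groups, four hex digits each (the 32-digit form)."""
    return ":".join("%04x" % g for g in expand_ipv6(text))


def compress_ipv6(text):
    """Shortest canonical form (RFC 5952): leading zeros dropped, the longest run of
    two or more zero groups replaced by '::' (the first run on a tie), lowercase."""
    groups = expand_ipv6(text)
    best_start, best_len = -1, 0
    i = 0
    while i < 8:
        if groups[i] != 0:
            i += 1
            continue
        j = i
        while j < 8 and groups[j] == 0:
            j += 1
        if j - i > best_len:
            best_start, best_len = i, j - i
        i = j
    hexgroups = ["%x" % g for g in groups]
    if best_len < 2:           # a lone zero group is written as '0', not '::'
        return ":".join(hexgroups)
    return ":".join(hexgroups[:best_start]) + "::" + ":".join(hexgroups[best_start + best_len:])


if __name__ == "__main__":
    for sample in ["2031:0000:130F:0000:0000:09C0:876A:130B",
                   "FF01:0:0:0:0:0:0:1", "0:0:0:0:0:0:0:1", "0:0:0:0:0:0:0:0"]:
        print("%-40s -> %s" % (sample, compress_ipv6(sample)))
    print(is_valid_ipv6("2031::130f::9c0:876a:130b"))   # False: two '::'
```

In the first slide example the single zero group after 2031 stays as 0 and only the two-group run is collapsed; RFC 5952 forbids shortening a lone zero group, and two equal-length runs are resolved in favour of the first.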


IPv6 Address Types

- Unicast: address for a single interface. IPv6 has several types (for example global, reserved, link-local and site-local)
- Multicast: one to many; enables more efficient use of the network; uses a larger address range
- Anycast: one to nearest (allocated from the unicast address space); multiple devices share the same address; all anycast nodes should provide uniform service; the source device sends a packet to the anycast address; routers decide on the closest device to reach that destination; suitable for load balancing

Broadcasting in IPv4 causes a number of problems. Broadcasts interrupt every computer on the network and in some cases can trigger faults that bring the whole network down, a problem known as a broadcast storm. In IPv6, broadcast does not exist; it is replaced by multicast and anycast. Multicast lets the network operate more efficiently by using distinct multicast addresses for different functions, so a request reaches only a limited set of computers on the network. These multicast addresses prevent most of the broadcast-storm problems seen in IPv4. The IPv6 multicast range is much larger than the IPv4 multicast range, so for the foreseeable future multicast address allocation is not constrained. IPv6 also defines a new address type called anycast. An anycast address identifies a list of devices or nodes, so an anycast address identifies multiple interfaces. Anycast is a blend of unicast and multicast: unicast sends a packet to one specific device with a specific address, multicast sends a packet to every member of a group, and anycast sends a packet to any one member of the group of devices assigned the anycast address.

For efficiency, a packet sent to an anycast address is delivered to the closest interface, as determined by the routing protocol in use, among those identified by the anycast address; hence anycast is a one-to-nearest address type. Anycast addresses are syntactically indistinguishable from global unicast addresses because they are allocated from the global unicast address space.

Note: There is little experience with widespread, arbitrary use of anycast addresses on the Internet, and there are some complications and hazards in using them in their general form. Until more experience has been gained and solutions agreed for those problems, the following restrictions apply:
1. An anycast address must not be used as the source address of an IPv6 packet
2. An anycast address must not be assigned to an IPv6 host; it may be assigned only to an IPv6 router

IPv6 Unicast Addresses

Unicast address types:
- Global: starts with 2000::/3 and assigned by IANA
- Reserved: used by the IETF
- Private: link-local (starts with FE80::/10)
- Loopback (::1)
- Unspecified (::)

An interface can have multiple IPv6 addresses of any type: unicast, anycast or multicast. The rules for IPv6 address assignment are given in several RFCs; the addressing architecture is defined in RFC 4291.

There are several basic types of IPv6 unicast address: global, reserved, private (link-local and site-local), loopback and unspecified.

Global addresses: IPv6 global unicast addresses are the equivalent of IPv4 global unicast addresses. The structure of global unicast addresses enables prefix aggregation, which limits the number of entries in the global routing table. Global unicast addresses used on links are aggregated upward through organizations and eventually to the ISPs.

Reserved addresses: The IETF reserves a portion of the IPv6 address space for various uses, both present and future. Reserved addresses represent 1/256 of the total IPv6 address space. Some of the other address types are derived from this range.

Private addresses: A block of IPv6 addresses is set aside for private addresses, just as in IPv4. These addresses have only local significance, on a link or within a site, so they are never routed outside an organization's network. A private address has a first octet value of FE and a next hexadecimal digit from 8 to F.

These addresses are further divided into two types, based on their scope:

Site-local addresses
- These addresses are similar to the IPv4 private addresses defined in RFC 1918. Their scope is an entire site or organization. They allow addressing within an organization without the need for public addresses. Routers forward packets using these addresses within the site but will not forward them outside the site to the public Internet.
- In hexadecimal, site-local addresses begin with FE followed by a hexadecimal digit from C to F, so they begin with FEC, FED, FEE or FEF.
- Caveat: site-local addresses (FEC0::/10) were deprecated by RFC 3879 in 2004; unique local addresses (FC00::/7, RFC 4193) are the replacement for private addressing, so new designs should not use FEC0::/10.

Link-local addresses
- Link-local is a new concept in IPv6. These addresses have a smaller scope than site-local addresses: they are valid only on a single physical link. Routers do not forward them; they are intended only for communication on one network segment.
- They are used for on-link communication such as automatic address configuration, neighbor discovery and router discovery. Most routing protocols also use link-local addresses.
- Link-local addresses begin with FE followed by a hexadecimal digit from 8 to B, so they begin with FE8, FE9, FEA or FEB.

Loopback address: As in IPv4, IPv6 provides a loopback address for testing; packets sent to this address are looped back to the sending device. In IPv6, however, a single address rather than a whole block is set aside for this purpose. The loopback address is 0:0:0:0:0:0:0:1, normally written ::1.

Unspecified address: In IPv4, an all-zeros address has the special meaning of "this host" and is used when a device does not know its own address. In IPv6 this concept is formalized, and the all-zeros address is called the unspecified address. It is used in the source address field of packets sent by a device that is still seeking its own IP address. The compression rule applies to this address as well: because it is all zeros, it is written ::.

IPv6 Global Unicast (and Anycast) Addresses

IPv6 uses the same format for global unicast and anycast addresses.

- Uses a global routing prefix: a structure that enables aggregation upward, eventually to the ISPs
- An interface can have multiple IPv6 addresses of any type: unicast, anycast or multicast
- Every IPv6-enabled interface must contain at least one loopback (::1/128) and one link-local address
- Optionally, every interface can have multiple unique local and global addresses

A global unicast address is made up of a global routing prefix, a subnet ID and an interface ID. The IPv6 unicast address space encompasses the entire IPv6 address range, with the exception of FF00::/8 (1111 1111), which is reserved for multicast. The global unicast addresses currently assigned by IANA use the range that begins with binary 001 (2000::/3), which is 1/8 of the total address space and the largest block of assigned addresses. Addresses with prefixes from 2000::/3 through E000::/3 must have a 64-bit interface ID in the modified Extended Unique Identifier (EUI)-64 format. IANA allocates IPv6 address space within the 2001::/16 range to the regional registries. A global unicast address typically consists of a 48-bit global routing prefix and a 16-bit subnet ID. Organizations can use the 16-bit subnet ID to create their own local subnet addressing hierarchy; the field allows an organization to define up to 65,536 (2^16) separate subnets. For more information, see RFC 3587, IPv6 Global Unicast Address Format, which replaces RFC 2374.

Link-Local Addresses

Link-local addresses have a scope limited to the link and are automatically created on IPv6 interfaces using the well-known prefix FE80::/10 and a 64-bit interface ID. Link-local addresses are used for automatic address configuration, neighbor discovery and router discovery, and they are used by many routing protocols. A link-local address can serve as a way to connect devices on the same local network without needing global addresses. When communicating with a link-local address, you must specify the outgoing interface, because every interface is connected to FE80::/10.

IPv6 over data link layers. IPv6 is defined on most data link (Layer 2) protocols, including:
- Ethernet*
- PPP*
- High-Level Data Link Control (HDLC)*
- FDDI
- Token Ring
- Attached Resource Computer network (ARCnet)
- Nonbroadcast multiaccess (NBMA)
- ATM**
- Frame Relay***
- IEEE 1394

* Cisco supports these frame types.
** Cisco supports only ATM PVCs, not SVCs or LAN Emulation (LANE).
*** Cisco supports only Frame Relay PVCs, not SVCs.

An RFC describes the behavior of IPv6 for each data link layer, but Cisco IOS Software does not need to support all of them. The data link layer defines how the IPv6 interface ID is created and how neighbor discovery handles data link layer address resolution.

Large Address Space Enables Address Aggregation

Aggregation of addresses brings the following benefits:
- Aggregated prefixes are announced in the global routing tables
- Efficient and scalable routing
- Improved bandwidth and functionality for user traffic

The large address space makes it easy to allocate addresses to ISPs and organizations. An ISP aggregates all of its customers' prefixes into a single prefix and announces that one prefix to the IPv6 Internet. The increased address space is sufficient to let an organization define a single prefix for its entire network. Aggregating customer prefixes produces efficient and scalable routing tables. Scalable routing is necessary to expand networks and to support new functional standards. It also improves bandwidth and functionality for user traffic that connects to various devices and applications. The Internet today and in the future may include:
- Rapid growth in the number of broadband customers with high-speed, always-on links
- Users spending more time online and paying more for communication services (such as music downloads)
- Home networks with expanded network applications such as wireless VoIP and real-time video on demand
- Games growing to global participation, and e-learning programs offering learners remote or simulated labs

Assigning IPv6 Global Unicast Addresses

Static assignment:
- Manual interface ID assignment
- EUI-64 interface ID assignment

Dynamic assignment:
- Stateless autoconfiguration
- DHCPv6

IPv6 address assignment. This topic describes the methods used to assign IPv6 addresses. The interface ID in an IPv6 address identifies an interface on a link; it can be thought of as the host portion of the IPv6 address. The interface ID must be unique on a given link. It is always 64 bits long and can be derived automatically from the physical address of the Layer 2 encapsulation. The following methods assign an IPv6 address to a device:
- Static assignment using a manual interface ID
- Static assignment using an EUI-64 interface ID
- Stateless autoconfiguration
- DHCP for IPv6 (DHCPv6)

Manual interface ID assignment: One way to statically assign an IPv6 address to a device is to manually assign both the prefix (network) and the interface ID (host) portions. To configure an IPv6 address on a Cisco router interface and enable IPv6 processing on that interface, use the ipv6 address ipv6-address/prefix-length command in interface configuration mode.

The following example enables IPv6 processing and configures an address on an interface:
RouterX(config-if)# ipv6 address 2001:DB8:2222:7272::72/64

EUI-64 interface ID assignment: Another way to statically assign an IPv6 address is to configure the prefix portion of the address and let the device derive the host portion (the interface ID) from its Layer 2 address; this is the EUI-64 interface ID. To configure an IPv6 address and enable IPv6 processing on an interface using an EUI-64 interface ID in the low-order 64 bits, use the ipv6 address ipv6-prefix/prefix-length eui-64 command in interface configuration mode. The following example assigns the prefix 2001:0DB8:0:1::/64 to interface Ethernet 0 and uses an EUI-64 interface ID in the low-order 64 bits of the address:
RouterX(config)# interface ethernet 0
RouterX(config-if)# ipv6 address 2001:0DB8:0:1::/64 eui-64

Stateless autoconfiguration: Autoconfiguration, as the name implies, is a method of assigning IPv6 addresses to devices automatically. In IPv6 it is assumed that PC and non-PC devices connecting to the network obtain an address automatically without being configured, which enables plug-and-play.

DHCPv6 (stateful): DHCP for IPv6 enables DHCP servers to pass configuration parameters, such as IPv6 network addresses, to IPv6 clients. It offers automatic allocation of reusable network addresses plus additional configuration flexibility. DHCPv6 is similar to stateless autoconfiguration and can be used separately from it or concurrently with it to obtain address parameters.

IPv6 EUI-64 Interface Identifier

Cisco can use the EUI-64 format for the interface ID. This format expands the 48-bit MAC address to 64 bits by inserting FFFE in the middle. To indicate that the address is globally unique, the universal/local (U/L) bit is inverted (it becomes 1 for a factory-assigned MAC address).

Using the EUI-64 format for IPv6 addresses. The 64-bit interface ID in an IPv6 address identifies a unique interface on a link. A link is a network medium over which devices communicate using a single frame format. The interface ID may also be unique over a broader scope; in many cases it is, or is based on, the MAC address of the interface. As in IPv4, an IPv6 subnet prefix is associated with one link. Interface IDs in global unicast and other IPv6 address types must be 64 bits long and can be constructed in the modified EUI-64 format. The EUI-64 interface ID is derived from the 48-bit MAC address by inserting the four hexadecimal digits FFFE between the upper 3 bytes (the OUI) and the lower 3 bytes of the MAC address. To indicate that the ID was derived from a globally unique MAC address, the seventh bit of the first byte (the IEEE U/L, universal/local, bit) is inverted; for a factory-assigned MAC address this bit is 0 and becomes 1. Because the MAC address is embedded in the address, an EUI-64 interface ID reveals the hardware vendor and lets a host be tracked across prefixes; hosts therefore commonly use temporary addresses (RFC 4941) instead, and routers or servers that need a stable address are often configured manually.
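Added Python example (not from the course) covering the EUI-64 derivation just described, the eui-64 interface command and stateless autoconfiguration (a /64 prefix from the router advertisement plus an EUI-64 interface ID), and the classification of an address by its leading bits given earlier in the lesson. The MAC address 00:0C:29:C2:52:FF and the prefix 2001:DB8:0:1::/64 are constructed inputs, and the function names are mine. The U/L bit is inverted rather than simply set, as RFC 4291 specifies, so a locally administered MAC (bit already 1) yields 0 in the interface ID.

```python
from ipaddress import IPv6Address, IPv6Network


def eui64_interface_id(mac):
    """Modified EUI-64 (RFC 4291 appendix A): split the 48-bit MAC, insert FF:FE,
    and invert the U/L bit (0x02 of the first byte). Returns the 64-bit ID as int."""
    octets = bytes.fromhex("".join(c for c in mac if c not in ":-."))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC, got %r" % mac)
    eui = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    eui[0] ^= 0x02
    return int.from_bytes(eui, "big")


def address_from_prefix(prefix, mac):
    """Prefix (from 'ipv6 address .../64 eui-64' or from a router advertisement)
    plus EUI-64 interface ID: what the router or a SLAAC host ends up with."""
    net = IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("an EUI-64 interface ID needs a /64 prefix, got /%d" % net.prefixlen)
    return IPv6Address(int(net.network_address) | eui64_interface_id(mac))


def link_local_from_mac(mac):
    """The link-local address every IPv6 interface gets automatically: FE80::/64 + EUI-64."""
    return address_from_prefix("fe80::/64", mac)


def classify(text):
    """Address type from the leading bits, following the ranges given in the lesson."""
    n = int(IPv6Address(text))
    if n == 0:
        return "unspecified"
    if n == 1:
        return "loopback"
    if n >> 120 == 0xFF:            # FF00::/8
        return "multicast"
    if n >> 118 == 0x3FA:           # FE80::/10, i.e. FE8..FEB
        return "link-local"
    if n >> 118 == 0x3FB:           # FEC0::/10, i.e. FEC..FEF (deprecated, RFC 3879)
        return "site-local"
    if n >> 121 == 0x7E:            # FC00::/7, the RFC 4193 replacement for site-local
        return "unique-local"
    if n >> 125 == 0b001:           # 2000::/3, the IANA-assigned global unicast block
        return "global unicast"
    return "reserved"


if __name__ == "__main__":
    mac = "00:0C:29:C2:52:FF"   # constructed sample MAC
    print("%016x" % eui64_interface_id(mac))                    # 020c29fffec252ff
    for addr in (link_local_from_mac(mac), address_from_prefix("2001:DB8:0:1::/64", mac)):
        print(addr, classify(str(addr)))
```

Running it shows the two addresses the interface would hold after ipv6 address 2001:DB8:0:1::/64 eui-64: the link-local fe80::20c:29ff:fec2:52ff and the global 2001:db8:0:1:20c:29ff:fec2:52ff, both carrying the same interface ID, which is exactly the tracking property the temporary-address caveat above is about.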


Stateless Autoconfiguration

Stateless autoconfiguration is a key feature of IPv6. It allows basic address configuration for a device without any server. It uses the information in router advertisements (RAs) to configure the address: the prefix carried in the RA is used as the device's /64 prefix, and the remaining 64 bits are generated automatically as the interface ID, in an Ethernet environment in EUI-64 format. Routers send RAs periodically. When a device boots, it needs an address early in the startup process. Rather than wait a long time for a periodic RA, the device sends a router solicitation asking the routers to reply with an RA, and the device can then configure its own IPv6 address. All routers respond, addressing the reply to the all-nodes multicast address. This autoconfiguration provides plug-and-play for devices that need an IPv6 address without administrator intervention or a DHCP server, and it enables the deployment of new devices on the Internet such as cell phones and wireless devices. One caveat for a practitioner: RAs are not authenticated, so any host on the segment can send one and redirect the traffic of its neighbours (RFC 6104); on switched access networks, RA Guard (RFC 6105) or equivalent filtering should be applied.

Note: Stateless DHCP sits between stateless autoconfiguration and stateful DHCP. Stateless DHCP for IPv6 is also called DHCP-lite. See RFC 3736, Stateless Dynamic Host Configuration Protocol (DHCP) Service for IPv6.

DHCPv6 (Stateful)

DHCPv6 is an updated version of DHCP for IPv4:
- Supports the new addressing
- Allows more control than stateless autoconfiguration
- Can be used for renumbering
- Can be used for automatic domain name registration of hosts using dynamic DNS

DHCPv6 is an updated version of DHCP for IPv4. It supports the IPv6 addressing architecture and benefits from IPv6. The features of DHCPv6 include:
- Allows more control than serverless or stateless autoconfiguration
- Can be used in an environment that has a server but no stateless router
- Can be used concurrently with stateless autoconfiguration
- Can be used for renumbering
- Can be used for automatic domain name registration of hosts with dynamic DNS

DHCPv6 Operation

DHCPv6 works much like DHCP for IPv4, with the following differences:
- The client must first detect the presence of routers on the link
- If a router is found, its router advertisement is examined to determine whether DHCP is to be used
- If no router is found, or the router says to use DHCP:
  - A DHCP solicit message is sent to the All-DHCP-Agents multicast address
  - The client uses its link-local address as the source address

The DHCPv6 client process is similar to that of an IPv4 client, with a few exceptions. The client first performs router discovery on the link using neighbor discovery messages. If at least one router is found, the client examines the RA to determine whether DHCP should be used (the RA's managed-address and other-configuration flags). If a router indicates that DHCPv6 is to be used on the link, or no router is found, the client proceeds to discover DHCP servers. DHCP uses multicast for most of its messages. When the client sends a solicit message, it sends it to the All-DHCP-Agents multicast address, which has link-local scope. "Agents" here includes both servers and relays. When a DHCP relay forwards the solicit, it can send it to the All-DHCP-Servers multicast address, which has site-local scope. This means you do not need to configure relays with the addresses of all the DHCP servers, as you do in IPv4. If only one DHCP server should receive the message, you can configure a static list of DHCP servers instead. You can configure different DHCP servers, or the same server with different contexts, to assign addresses according to policy. For example, you could configure one DHCPv6 server to assign global addresses using a restrictive policy, such as no addresses for printers, and another DHCPv6 server, or the same server in a different context, to assign site-local addresses with a more relaxed policy, such as addresses for everyone.

IPv6 Routing Protocols

IPv6 routing types:
- Static
- RIPng (RFC 2080)
- OSPFv3 (RFC 2740)
- IS-IS for IPv6
- MP-BGP4 (RFC 2545/2858)
- EIGRP for IPv6

The ipv6 unicast-routing command is required to enable IPv6 routing on the router before any routing protocol is used.

IPv6 routing considerations. This topic describes how IPv6 affects routing protocols and the changes needed for those protocols to support IPv6. IPv6 uses longest-prefix-match routing, just as IPv4 Classless Interdomain Routing (CIDR) does. Most routing protocols have been modified to handle the longer addresses and the different header structure of IPv6. The updated protocols shown in the figure are the ones currently available. You can use and configure IPv6 static routes just as you do with IPv4. RFC 2461 requires a router to be able to determine the link-local address of each of its neighboring routers, so that the target address of a redirect message can identify the neighbor by its link-local address. This requirement effectively means that a global unicast address should not be used as the next-hop address of a static route; specify the neighbor's link-local address together with the outgoing interface instead. The ipv6 unicast-routing command in global configuration mode enables IPv6 routing; it must be enabled before any IPv6 routing protocol or static route is used.

RIPng (RFC 2080)

Same features as the IPv4 version:
- Distance vector, 15-hop radius, split horizon and poison reverse
- Based on RIPv2

Updated features for IPv6:
- IPv6 prefix, next-hop IPv6 address
- Uses the multicast group FF02::9, the all-RIP-routers multicast group, as the destination address for RIP updates
- Uses IPv6 for transport
- Named RIPng

Routing Information Protocol next generation (RIPng) (RFC 2080) is a distance vector routing protocol with a limit of 15 hops that uses split horizon and poison reverse to prevent routing loops. RIPng has the following features:
- Based on IPv4 RIPv2 and similar to RIPv2
- Uses IPv6 for transport
- Includes the IPv6 prefix and the next-hop IPv6 address
- Uses the multicast address FF02::9, the all-RIP-routers multicast address
- Sends updates on UDP port 521
- Supported in Cisco IOS Software Release 12.2(2)T and later

IPv4-to-IPv6 transition

There are many ways to move from IPv4 to IPv6:
- There is no fixed cutover date, and the transition does not have to happen all at once
- Several transition mechanisms: dual stack, manual tunnels, 6to4 tunnels, ISATAP tunnels, Teredo tunnels
- Several interoperability mechanisms: proxying and translation (NAT-PT)
6-24

IPv6 transition mechanisms. This topic describes how IPv6 traffic is carried across an IPv4 environment. Moving from IPv4 to IPv6 does not require upgrading every device at once; several mechanisms let IPv4 and IPv6 coexist smoothly. The three most common techniques for moving from IPv4 to IPv6 are: Dual stack: an integration method in which a node has connectivity to both IPv4 and IPv6, so hosts and routers run two protocol stacks in parallel. Tunneling: several tunneling techniques are used: - Manual IPv6-over-IPv4 tunneling: an integration method in which an IPv6 packet is encapsulated in an IPv4 packet; it requires dual-stack routers at both ends of the tunnel. - Dynamic 6to4 tunneling: a method that automatically connects IPv6 islands across an IPv4 network, typically the Internet. 6to4 derives a valid, unique IPv6 /48 prefix for each IPv6 island from the island's public IPv4 address (2002:<IPv4 address>::/48), so an enterprise can deploy IPv6 quickly without requesting addresses from an ISP. - Intra-Site Automatic Tunnel Addressing Protocol (ISATAP) tunneling: an automatic overlay tunneling mechanism that uses the IPv4 network as a link layer for IPv6. ISATAP tunnels let IPv4/IPv6 dual-stack hosts within a site communicate with each other, forming an IPv6 network over the existing IPv4 infrastructure.

- Teredo tunneling: a technique that provides automatic host-to-host tunneling rather than tunneling through a gateway. It is used to carry IPv6 traffic when dual-stack hosts (hosts running both IPv4 and IPv6) sit behind one or more IPv4 NAT devices. - Proxying and translation (NAT-PT): a method of translating between IPv6 and IPv4 networks. The translation device converts IPv6 packets into IPv4 packets and vice versa.

6-25

Cisco IOS dual stack

Dual stack is an integration technique in which a node implements and connects to both an IPv4 and an IPv6 network
6-26

Dual stack is an integration technique in which a node implements and connects to both an IPv4 and an IPv6 network, so the nodes must support both IPv4 and IPv6. It can be configured on a single interface or on several interfaces. The characteristics of dual stack are: - A dual-stack node chooses which protocol (IPv4 or IPv6) to use based on the destination address of the packet, and prefers IPv6 whenever possible. Applications that support only IPv4 keep working as before; new or modified applications can take advantage of both IP versions. - Application programming interfaces (APIs) are defined that support DNS queries for both IPv4 and IPv6 addresses, so ported applications can operate over both IPv4 and IPv6. - Experience porting applications from IPv4 to IPv6 recommends making only minimal, localized changes to the source code; this lets applications be migrated to IPv6 step by step.

Cisco IOS dual stack (cont.)

As soon as both IPv4 and IPv6 are configured on an interface, the interface is called dual-stack

6-27

Cisco IOS Software Release 12.2(2)T and later includes IPv6 support. As soon as both IPv4 and IPv6 are configured on an interface, the interface is dual-stack and can forward both IPv4 and IPv6 packets. Using IPv6 on a Cisco IOS router requires the ipv6 unicast-routing command in global configuration mode; this command enables IPv6 forwarding on the router. Note: every interface that should forward IPv6 traffic must be given an IPv6 address with the interface configuration command ipv6 address IPv6-address [/prefix-length].

IPv6 tunneling

Tunneling is an integration method in which an IPv6 packet is encapsulated in another protocol, such as IPv4. The resulting packet has the following characteristics:
- A 20-byte IPv4 header with no options, followed by the IPv6 header and payload
- Dual-stack routers are required at the tunnel endpoints
6-28

Tunneling is an integration method in which an IPv6 packet is encapsulated in another protocol, such as IPv4. When IPv4 is used to encapsulate IPv6, the IPv4 header carries protocol number 41, and the packet has the following characteristics: - a 20-byte IPv4 header with no options, followed by the IPv6 header and payload - dual-stack routers are required at the tunnel endpoints. Tunneling lets IPv6 networks be connected without converting the intermediate network to IPv6. It raises two issues: - the effective MTU is reduced by 20 bytes (when the IPv4 header carries no options) - tunneled networks are harder to troubleshoot. A security caveat follows from the encapsulation: an IPv4-only access list inspects only the outer header, so the IPv6 traffic inside a protocol-41 packet is not filtered; block IP protocol 41 at the perimeter except where tunnels are intended. Tunneling is a transition mechanism, not a final solution; a native IPv6 architecture is the end goal.
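The encapsulation described above, as an added example (this is illustration code, not part of the original course material): an IPv6 packet is wrapped in a 20-byte IPv4 header with protocol 41, the receiving endpoint unwraps it only if the header is well formed, and the tunnel MTU is the link MTU minus 20. The addresses and payload are constructed sample values; a check is included to show why a border filter must look at the IPv4 protocol field.

```python
import struct
import ipaddress
from typing import Optional

# Example added for illustration; not from the original course material.
IPPROTO_IPV6 = 41       # IPv4 protocol number signalling an encapsulated IPv6 packet
IPV4_HDR_LEN = 20       # IPv4 header with no options
IPV6_HDR_LEN = 40


def ipv4_checksum(header: bytes) -> int:
    """Standard one's-complement checksum over the IPv4 header."""
    total = 0
    for i in range(0, len(header), 2):
        total += (header[i] << 8) | header[i + 1]
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv6_packet(src6: str, dst6: str, payload: bytes, next_header: int = 59) -> bytes:
    """Minimal IPv6 packet; next header 59 means 'no next header' (RFC 8200)."""
    header = struct.pack("!IHBB16s16s", 0x60000000, len(payload), next_header, 64,
                         ipaddress.IPv6Address(src6).packed, ipaddress.IPv6Address(dst6).packed)
    return header + payload


def encapsulate(ipv6_packet: bytes, src4: str, dst4: str, ttl: int = 64) -> bytes:
    """What a dual-stack tunnel endpoint does: prepend a 20-byte IPv4 header, protocol 41."""
    total_len = IPV4_HDR_LEN + len(ipv6_packet)
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0x4000, ttl,
                         IPPROTO_IPV6, 0,
                         ipaddress.IPv4Address(src4).packed, ipaddress.IPv4Address(dst4).packed)
    header = header[:10] + struct.pack("!H", ipv4_checksum(header)) + header[12:]
    return header + ipv6_packet


def decapsulate(packet: bytes) -> Optional[bytes]:
    """Return the inner IPv6 packet if 'packet' is a valid protocol-41 tunnel packet, else None."""
    if len(packet) < IPV4_HDR_LEN or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != IPPROTO_IPV6 or ipv4_checksum(packet[:ihl]) != 0:
        return None                       # not a tunnel packet, or header corrupted
    inner = packet[ihl:]
    if len(inner) < IPV6_HDR_LEN or inner[0] >> 4 != 6:
        return None
    return inner


def tunnel_mtu(link_mtu: int = 1500) -> int:
    """Effective IPv6 MTU inside the tunnel: the IPv4 header (no options) costs 20 bytes."""
    return link_mtu - IPV4_HDR_LEN


def is_tunnel_packet(packet: bytes) -> bool:
    """The test a border filter must make: an IPv4 ACL that never looks at protocol 41 lets
    the encapsulated IPv6 traffic through unfiltered."""
    return len(packet) >= IPV4_HDR_LEN and packet[9] == IPPROTO_IPV6


if __name__ == "__main__":
    inner = build_ipv6_packet("2001:db8::1", "2001:db8::2", b"constructed payload")
    outer = encapsulate(inner, "192.0.2.1", "198.51.100.1")
    print("outer length", len(outer), "protocol", outer[9], "tunnel MTU", tunnel_mtu())
    print("decapsulated ok:", decapsulate(outer) == inner)
```

On a Cisco router the corresponding perimeter rule is an extended access list entry that names the protocol number, for example access-list 110 deny 41 any any, placed before the permit entries on the outside interface.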


Configuring manual IPv6 tunnels

Tunnel configuration requires:
- Dual-stack endpoints
- IPv4 and IPv6 addresses configured at each end
6-29

In a manually configured tunnel, both the IPv4 and the IPv6 addresses are configured statically, on the routers at both ends of the tunnel. These endpoint routers must support dual stack, and the configuration does not adapt automatically when the network or the routing protocol changes. Routing must also be configured so that packets are forwarded between the two IPv6 networks. The tunnel endpoints can use unnumbered addresses, but that makes troubleshooting harder. Conserving IPv4 addresses on tunnel endpoints should no longer be a concern once IPv6 is in place.

Enabling IPv6 on a Cisco router

RouterX(config)#
ipv6 unicast-routing
Enables IPv6 packet forwarding

RouterX(config-if)#
ipv6 address ipv6-prefix/prefix-length eui-64
Configures an IPv6 address on the router interface

6-30

Configuring IPv6. This topic describes how to configure IPv6, RIPng, and tunneling of IPv6 traffic across an IPv4 network. There are two basic steps to enable IPv6 on a router: first enable IPv6 forwarding on the router, then configure IPv6 addresses on its interfaces. IPv6 forwarding is disabled by default; to enable it, use the ipv6 unicast-routing command in global configuration mode. The ipv6 address command configures an IPv6 address on an interface. A link-local address is created automatically when an address is assigned to an interface. You can specify the full 128-bit address, or specify only the 64-bit prefix and use the eui-64 option to derive the interface ID from the interface MAC address.

IPv6 address configuration example

6-31

You can either specify the complete IPv6 address or have the host portion computed in EUI-64 format. In the example, the interface IPv6 address is configured using EUI-64. Alternatively, you can assign the complete address to a router interface with the interface command ipv6 address ipv6-address/prefix-length. Note: configuring an IPv6 address on an interface automatically creates a link-local address for that interface.
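The two address derivations this lesson relies on, as an added example (illustration code, not from the original course material): the EUI-64 interface ID that the eui-64 keyword computes from a MAC address, which also yields the automatic link-local address, and the 6to4 /48 prefix mentioned under the transition mechanisms above. The MAC address, the 2001:db8: prefix and the 203.0.113.1 address are constructed sample values (documentation ranges).

```python
import ipaddress

# Example added for illustration; not from the original course material.
# The MAC, prefix and IPv4 address used below are constructed sample values.


def eui64_interface_id(mac: str) -> int:
    """Modified EUI-64 (RFC 4291 appendix A): split the 48-bit MAC in two, insert FF:FE in
    the middle and flip the universal/local bit (bit 1 of the first byte). This is what IOS
    does for 'ipv6 address <prefix>/64 eui-64'."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", "").replace(".", ""))
    if len(octets) != 6:
        raise ValueError("a 48-bit MAC address is required")
    eui = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    eui[0] ^= 0x02                      # flip the U/L bit
    return int.from_bytes(eui, "big")


def eui64_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Upper 64 bits from the configured prefix, lower 64 bits from the MAC."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 addressing requires a /64 prefix")
    return ipaddress.IPv6Address(int(net.network_address) | eui64_interface_id(mac))


def link_local_address(mac: str) -> ipaddress.IPv6Address:
    """The link-local address IOS creates automatically: FE80::/64 plus the EUI-64 ID."""
    return eui64_address("fe80::/64", mac)


def sixto4_prefix(public_ipv4: str) -> ipaddress.IPv6Network:
    """6to4 (RFC 3056) site prefix: 2002:<32-bit IPv4 address>::/48. A private (RFC 1918),
    loopback or link-local IPv4 address is rejected because the far end must be able to reach
    the tunnel endpoint across the Internet."""
    v4 = ipaddress.IPv4Address(public_ipv4)
    for reserved in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                     "127.0.0.0/8", "169.254.0.0/16"):
        if v4 in ipaddress.IPv4Network(reserved):
            raise ValueError(f"{public_ipv4} is not reachable from the Internet")
    return ipaddress.IPv6Network(((0x2002 << 112) | (int(v4) << 80), 48))


if __name__ == "__main__":
    mac = "00:0c:29:c6:f5:e1"                            # constructed sample MAC
    print("link-local :", link_local_address(mac))
    print("global     :", eui64_address("2001:db8:0:1::/64", mac))
    print("6to4 prefix:", sixto4_prefix("203.0.113.1"))  # documentation address as sample
```

Because the EUI-64 interface ID embeds the interface MAC address, the same host is recognisable across every prefix it is given; this is acceptable for router interfaces, which are fixed anyway, but hosts that move between networks should use static or privacy (RFC 4941) addresses instead.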


Name resolution for IPv6 in Cisco IOS

There are two ways to perform IPv6 name resolution in Cisco IOS:
Define a static hostname-to-IPv6-address mapping
RouterX(config)# ipv6 host name [port] ipv6addr [{ipv6addr} ...]
RouterX(config)# ipv6 host router1 3ffe:b00:ffff:b::1

Configure a DNS server
RouterX(config)# ip name-server address
RouterX(config)# ip name-server 3ffe:b00:ffff:1::10

6-32

There are two ways to perform name resolution in Cisco IOS: - Define a static hostname-to-IPv6-address mapping with the command ipv6 host name [port] ipv6-address1 [ipv6-address2...ipv6-address4]. Up to four addresses can be given for one hostname. The port parameter is the port used when you Telnet to the host. - To specify the DNS server the router uses, enter the command ip name-server address; the address can be IPv4 or IPv6. Up to six DNS servers can be specified with this command.

Configuring and verifying RIPng for IPv6

RouterX(config)# ipv6 router rip tag
Creates the RIPng process and enters router configuration mode

RouterX(config-if)# ipv6 rip tag enable
Enables RIPng on the interface

show ipv6 rip
Displays information about the running RIPng processes

show ipv6 route rip
Displays the RIPng routes in the routing table


6-33

Configuring and verifying RIPng for IPv6. The figure shows a sample of the syntax of some commands commonly used to configure RIPng. The syntax is similar, if not identical, to the IPv4 counterparts. With RIPng, instead of using the network command to identify which interfaces run RIPng, you use the command ipv6 rip tag enable in interface configuration mode. The tag parameter in the ipv6 rip enable command must match the tag parameter in the ipv6 router rip command. Note: enabling RIPng on an interface dynamically creates the router rip process if necessary.

6-34

RIPng for IPv6 configuration example

6-35

Example: configuring RIPng for IPv6. The example shows a network with two routers; router Y is attached to the default network. On both router X and router Y, RT0 is the tag that identifies the RIPng process. RIPng is enabled on the first Ethernet interface of router Y with the command ipv6 rip RT0 enable. Router X enables RIPng on both of its Ethernet interfaces with the command ipv6 rip RT0 enable.

Visual Objective 7-2: Implementing IPv6

6-36


Summary
- IPv6 offers many improvements over IPv4, including a larger address space, easier address aggregation, and integrated security.
- An IPv6 address is 128 bits long and consists of a 48-bit global routing prefix, a 16-bit subnet ID, and a 64-bit interface ID.
- IPv6 addresses can be assigned in several ways: statically, by autoconfiguration, or by DHCPv6.
- Cisco supports the IPv6 routing protocols RIPng, OSPFv3, and EIGRP.
- Moving from IPv4 to IPv6 requires dual stack, tunneling, and possibly NAT-PT.
- Use the ipv6 unicast-routing command to enable IPv6, and the ipv6 address ipv6-address/prefix-length command to assign an IPv6 address to an interface.
6-37

6-38

Lesson 7: Introduction to VPN solutions

Extending the LAN to the WAN

7-1

Cisco virtual private network (VPN) solutions connect remote offices, mobile and home workers, and business partners in an economical, secure, and flexible way. The objectives of this module are: - define a VPN - describe the VPN types and their applications - the components of a VPN - IPsec and its components - how IPsec uses encryption, authentication, and hashing to provide confidentiality, origin authentication, and data integrity

What is a VPN?

Virtual: the private network's traffic is carried over a public network. Private: the data is encrypted to keep it confidential.
7-2

A VPN is an encrypted connection between two private networks over a public network. The privacy of the connection comes from encrypting the data. A VPN can replace a private Layer 2 WAN.

Benefits of VPNs

Cost, security, flexibility
7-3

Cost savings: VPNs save money by sparing organizations from leasing dedicated Layer 2 circuits. Security: encryption keeps outsiders from reading the data. Flexibility: because VPNs ride on the public network/Internet, new connections are easy to set up without heavy infrastructure investment. Compatibility with access technologies: VPNs can easily be deployed over fast, economical DSL networks.

Site-to-site VPNs

Site-to-site VPN: an extension of the classic WAN

7-4

The two main VPN types are site-to-site VPNs and remote-access VPNs. A site-to-site VPN links two internal networks, much like a WAN connection between them.

Remote-access VPNs

Remote-access VPN: the evolution of dial-up and ISDN access

7-5

A remote-access V PN lets teleworkers and small offices connect to the central site. Typically the individual users run the Cisco VPN Client software to build a VPN connection to the central site over a classic Layer 1/Layer 2 connection such as a modem or xDSL.

Cisco Easy VPN

7-6

When connecting individuals or small offices to the central site, Cisco Easy VPN makes setting up the connection simpler and easier. Cisco Easy VPN has two components: - Cisco Easy VPN Server: deployed at the central site on devices such as PIX, ASA, or VPN concentrators - Cisco Easy VPN Remote: configured on remote devices such as routers, PIX, or ASA to build a VPN to the central site. The parameters the remote network needs, such as IP address, netmask, DNS, WINS, and DHCP server addresses, and the default gateway, are pushed from the central site. Benefits of Cisco Easy VPN: - centralized, dynamic, flexible, and secure configuration management for remote networks - independence from the service provider's configuration - rapid deployment of large remote-access networks with many endpoints - end users do not have to install VPN software on their PCs

Limitations: - NAT/PAT cannot be configured manually; it is applied automatically - only one VPN tunnel per site - the central device must be a Cisco Easy VPN Server - digital certificates are not supported - only ISAKMP group 2 is supported - only a specific set of transform sets (the data encryption methods) is supported.

7-7

Cisco IOS IPsec SSL VPN (WebVPN)

Integrated security and routing. Browser-based SSL VPN remote access

7-8

Cisco IOS IPsec SSL VPN (WebVPN) is a newer technology. It lets a user connect securely to the central site from any PC that has: - a public network connection to the central site - a web browser that supports SSL. WebVPN lets users browse the web, access files, send and receive email, and run TCP applications securely from a remote location. Advantages: - compatible with DMVPN, Cisco IOS firewalls, IPS, and NAT. Limitations: - processed in software only, using the router's CPU; dedicated hardware accelerators support only IPsec.

VPN-enabled Cisco IOS routers

7-9


Cisco ASA Adaptive Security Appliances

7-10

Cisco ASA Adaptive Security Appliances support all the IPsec and WebVPN variants for the different use cases. The Cisco ASA 5500 series provides both IPsec and SSL VPN together with IPS.

VPN clients (legacy)

7-11

There are three kinds of Cisco VPN client: - Certicom client: a VPN client for PDAs - Cisco VPN 3002 hardware client: used to connect a small office to the central site; now obsolete - Cisco VPN Client software: software for desktops and laptops; easy to use, it lets individuals establish a VPN to the central site.

What is IPsec?

IPsec operates at the network layer, protecting and authenticating IP packets.

It is a framework of open standards that provides confidentiality, integrity, and data-origin authentication.
7-12

IPsec operates at the network layer, protecting and authenticating the data in IP packets between the peers of a connection. IPsec is not tied to any particular technology or algorithm; it is a framework, so new algorithms and technologies can be used within IPsec.

IPsec security services

Confidentiality, data integrity, authentication, anti-replay protection

7-13

IPsec functions: - Confidentiality (encryption): data is encrypted before transmission - Integrity: ensures the data is not altered in transit - Authentication: verifies the origin of the data - Anti-replay protection: using sequence numbers, IPsec ensures each packet is unique, so an attacker cannot record exchanged packets and replay them later to gain access to the system.

Confidentiality (encryption)

7-14

Data carried over a public network can be eavesdropped on. To protect its privacy, the data must be encrypted. Encryption has two components: - an encryption algorithm that has been mathematically shown to be hard to break - a key specific to the encryption performed with that algorithm. The two communicating parties must agree on both, so that the receiver can turn the ciphertext (unreadable) back into the original plaintext (readable).

Encryption algorithms

Encryption algorithms: DES, AES, 3DES, RSA
7-15

The strength of an encryption depends on the key length. With a longer key, the set of possible keys is larger, so trying every possible key takes longer. Common algorithms and their key lengths: - DES: developed by IBM, 56-bit key - Triple DES (3DES): an improvement on DES that encrypts each 64-bit data block three times with DES, using different keys - AES: the replacement for DES, with key lengths of 128, 192, and 256 bits. All three are symmetric ciphers: the same key is used for encryption and decryption. A 56-bit DES key can be brute-forced with modest resources today, and 3DES is deprecated for new deployments, so AES should be chosen where the peers support it. RSA is asymmetric: the encryption key differs from the decryption key. RSA is not used to encrypt traffic in IPsec because it is computationally expensive and slow; it is used to authenticate the IPsec peers.

DH key exchange

Diffie-Hellman groups: DH1, DH2, DH5
7-16

Symmetric ciphers such as DES, 3DES, and AES require both parties to agree on a key. Agreeing by phone or email is not secure. Diffie-Hellman (DH) is a public-key method that lets two parties derive a shared symmetric key over a public channel while keeping that key secret. Group 1, group 2, and group 5 use 768-bit, 1024-bit, and 1536-bit moduli respectively; the larger the group, the stronger the exchange, and groups 1 and 2 are no longer considered adequate. DH by itself does not tell either party who it is talking to, which is why the exchange is always combined with peer authentication (pre-shared keys or RSA signatures, covered below).

Data integrity

Hash algorithms: HMAC-MD5, HMAC-SHA-1
7-17

The integrity of data carried over a public network is very important. A keyed hash sent along with the data lets the receiver check whether the data arrived unchanged. This is like sealing a package before shipping: the recipient can verify that the seal is intact on arrival. The hash algorithms are: - HMAC-MD5: the input is a message of any length plus a 128-bit key; the output is a 128-bit value that is sent with the message - HMAC-SHA-1: the same with a 160-bit key and a 160-bit output. MD5 and SHA-1 are no longer recommended as hash functions for new designs; the HMAC construction still holds up, but SHA-2 variants should be preferred where the peers support them.
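The three mechanisms described in the last few topics (anti-replay sequence numbers, Diffie-Hellman key agreement, and HMAC integrity), as an added example that is illustration code and not part of the original course material or of any Cisco implementation. It uses the 1024-bit modulus of DH group 2 transcribed from RFC 2409 (treat that transcription as an assumption and verify it against the RFC), a simplified key derivation that is not IKE's real schedule, HMAC-SHA-1 truncated to 96 bits as ESP does, and a sliding anti-replay window in the style of RFC 4303. Nonces and payloads are constructed sample values.

```python
import hashlib
import hmac
import secrets

# Example added for illustration; not from the original course material. It shows the building
# blocks the text describes in simplified form; it is not an IKE or ESP implementation.

# 1024-bit MODP prime and generator of IKE Diffie-Hellman group 2 (RFC 2409, section 6.2).
# Transcribed for this example; verify against the RFC before relying on it.
DH_GROUP2_P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
DH_GROUP2_G = 2
ICV_LEN = 12   # HMAC-SHA-1-96 truncation used by ESP (RFC 2404)


def dh_keypair(p: int = DH_GROUP2_P, g: int = DH_GROUP2_G):
    """Private exponent and public value g^x mod p; only the public value goes on the wire."""
    priv = secrets.randbelow(p - 3) + 2
    return priv, pow(g, priv, p)


def dh_shared_secret(priv: int, peer_pub: int, p: int = DH_GROUP2_P) -> bytes:
    """Both sides compute the same value from their own exponent and the peer's public value.
    Degenerate public values (0, 1, p-1) are rejected: an active attacker could send them to
    force a predictable secret."""
    if not 1 < peer_pub < p - 1:
        raise ValueError("invalid Diffie-Hellman public value")
    return pow(peer_pub, priv, p).to_bytes((p.bit_length() + 7) // 8, "big")


def derive_auth_key(shared: bytes, nonce_i: bytes, nonce_r: bytes) -> bytes:
    """Turn the raw DH secret into a 160-bit HMAC-SHA-1 key (simplified; IKE's schedule differs)."""
    skeyid = hmac.new(nonce_i + nonce_r, shared, hashlib.sha1).digest()
    return hmac.new(skeyid, b"auth", hashlib.sha1).digest()


def protect(k_auth: bytes, seq: int, payload: bytes) -> bytes:
    """Sender side: sequence number || payload || HMAC-SHA-1-96 over both."""
    body = seq.to_bytes(4, "big") + payload
    return body + hmac.new(k_auth, body, hashlib.sha1).digest()[:ICV_LEN]


class ReplayWindow:
    """Sliding anti-replay window in the style of RFC 4303: every sequence number is accepted
    at most once, reordering inside the window is tolerated, anything older is rejected."""

    def __init__(self, size: int = 64):
        self.size = size
        self.top = 0          # highest sequence number accepted so far
        self.bitmap = 0       # bit i set means sequence number (top - i) was already seen

    def check_and_update(self, seq: int) -> bool:
        if seq == 0:
            return False                                 # 0 is never a valid ESP sequence number
        if seq > self.top:                               # new high-water mark: slide the window
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
            return True
        diff = self.top - seq
        if diff >= self.size or (self.bitmap >> diff) & 1:
            return False                                 # too old, or a replay
        self.bitmap |= 1 << diff
        return True


def verify(k_auth: bytes, window: ReplayWindow, packet: bytes):
    """Receiver side: check the ICV in constant time first, then the sequence number.
    Returns the payload, or None if the packet must be dropped."""
    if len(packet) < 4 + ICV_LEN:
        return None
    body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
    if not hmac.compare_digest(icv, hmac.new(k_auth, body, hashlib.sha1).digest()[:ICV_LEN]):
        return None                                      # modified in transit or wrong key
    if not window.check_and_update(int.from_bytes(body[:4], "big")):
        return None                                      # replayed or too old
    return body[4:]


def agree_keys():
    """A full exchange between an initiator and a responder; the two derived keys must match."""
    i_priv, i_pub = dh_keypair()
    r_priv, r_pub = dh_keypair()
    n_i, n_r = secrets.token_bytes(16), secrets.token_bytes(16)   # constructed nonces
    k_i = derive_auth_key(dh_shared_secret(i_priv, r_pub), n_i, n_r)
    k_r = derive_auth_key(dh_shared_secret(r_priv, i_pub), n_i, n_r)
    return k_i, k_r


if __name__ == "__main__":
    k_i, k_r = agree_keys()
    print("keys match:", k_i == k_r)
    window = ReplayWindow()
    pkt = protect(k_i, 1, b"constructed payload")
    print("first delivery:", verify(k_r, window, pkt))
    print("replay:", verify(k_r, window, pkt))
```

The order of checks in verify matters: the integrity check comes first so that a forged packet cannot move the replay window, and the window is updated only after the ICV has been verified.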


Authentication

Peer authentication methods: PSKs, RSA signatures

7-18

Remote connections always require the remote device to be authenticated. The devices taking part in a VPN must authenticate each other before the VPN tunnel is established and data is exchanged over it. There are two methods: - PSK (pre-shared key): both parties use a character string agreed in advance - RSA signatures: digital certificates are used for mutual authentication.

IPsec security protocols

7-19

IPsec is a framework of different open standards. Its two main protocols are: - AH (Authentication Header): provides origin authentication and data integrity, without confidentiality. AH is often combined with ESP. - ESP (Encapsulating Security Payload): provides confidentiality and/or authentication of the data.

The IPsec framework

7-20

In summary, IPsec is a framework built on existing security standards. The algorithms used most in IPsec are: - DES: symmetric encryption - 3DES: symmetric encryption - AES: symmetric encryption - MD5: hash function - SHA-1: hash function - DH: key exchange. The IPsec framework has four slots, each filled with one of the algorithms shown in the slide.

Summary
Organizations deploy VPNs because they are cheaper, more secure, and more flexible than traditional WANs. Site-to-site VPNs protect traffic between intranet and extranet peers. Remote-access VPNs protect remote users over the public network. VPNs can be deployed on many Cisco devices: Cisco IOS routers, ASA 5500 Series Adaptive Security Appliances, and the Cisco VPN Client software. IPsec is a framework that integrates several protocols and gives VPNs confidentiality, authentication, and data integrity. AH and ESP are the two main IPsec protocols.

7-21

7-22

Lesson 8: Establishing point-to-point WAN connections with PPP

Extending the LAN to the WAN

8-1

WAN services are usually leased from a service provider (telco). PPP is an encapsulation protocol for carrying IP packets over point-to-point serial links. The objectives of this lesson are: - describe the encapsulations available on Cisco routers - the features and operation of PPP encapsulation - configuring and verifying PPP

WAN protocol encapsulations

8-2

On every WAN link, data is framed before it is sent. The framing must be agreed between the devices at both ends and must suit the transmission medium. Common WAN protocols: - HDLC: the default Layer 2 protocol on Cisco synchronous serial interfaces - PPP: a point-to-point protocol for synchronous or asynchronous interfaces. PPP can carry several Layer 3 protocols and can authenticate the link endpoints with PAP or CHAP. - X.25: defines the connection between DCE and DTE devices; commonly used to connect remote terminals over public X.25 networks. X.25 is the predecessor of Frame Relay. - Frame Relay: an evolution of X.25 that drops the X.25 error-checking functions, which became unnecessary on more reliable infrastructure. Frame Relay is a Layer 2 switched protocol that connects sites over virtual circuits (VCs). - ATM: an international standard that uses fixed-length 53-byte cells. Fixed-length cells are switched in hardware at high speed. ATM can carry many data types and serve many protocols and applications.

- Broadband: a transmission method in which several data streams are carried simultaneously to increase bandwidth; in telecommunications, signals on different frequency bands are carried in parallel over the same medium (for example, the same copper cable). - DSL with PPP over Ethernet or ATM: a family of technologies that carry digital data over a telephone line. Combining DSL with PPPoE or PPPoA provides authentication, compression, and encryption of the data stream at high speed over the existing telephone wiring. - Cable with Ethernet: carries data over the existing cable TV network at fairly high speed, 3-30 Mb/s; the frames carried are Ethernet frames. - Metro Ethernet: with the wide deployment of fiber infrastructure, Metro Ethernet provides point-to-point or point-to-multipoint connectivity at very high speeds, from 10 Mb/s up to 10-40 Gb/s, using the Ethernet technology familiar from the LAN. Metro Ethernet solutions include: - Ethernet over unused fiber (dark fiber) - Ethernet over SONET/SDH - Ethernet over Resilient Packet Ring (RPR)

8-3

PPP overview

PPP can carry multiple protocols thanks to NCP. PPP allows options to be negotiated through LCP.
8-4

- PPP is defined in RFC 1661 and RFC 1332, for encapsulating and transmitting network-layer traffic over point-to-point links - PPP can run over these physical interfaces: - asynchronous serial, for example the traditional telephone network - synchronous serial: ISDN or point-to-point leased digital lines - The Link Control Protocol (LCP) component of PPP establishes the link. PPP provides several services that let the administrator negotiate and test the link as required - Network Control Protocols (NCPs) define how the different upper-layer protocols are encapsulated in PPP frames

PPP session establishment

Establishing a PPP session:
1. Link-establishment phase
2. Authentication phase (optional); the two PPP authentication protocols are PAP and CHAP
3. Network-layer protocol phase
8-5

Establishing a PPP session has three phases. Link-establishment phase: the two PPP peers exchange the information needed to bring up the link, such as the maximum frame size, control-field compression, and the authentication protocol. Options that are not negotiated take their default values. Authentication phase (optional): the two PPP authentication protocols are PAP and CHAP. Once the authentication protocol has been chosen in phase 1, authentication takes place in this second phase. Network-layer protocol phase: the PPP peers exchange packets to negotiate and configure the network-layer protocols (for example, IP) to be carried. Once configured, packets of those protocols can be encapsulated and sent over the link. NCP codes indicate which network-layer protocol is carried in each PPP frame.

PPP authentication protocol: PAP

Passwords are sent in cleartext. The remote end controls the authentication attempts.


8-6

PAP is an authentication method that uses a two-way handshake for the remote device to prove its identity. After the link-establishment phase completes, the remote device sends its username and password repeatedly until the central device accepts them or the link is torn down. PAP is not a strong authentication protocol. The password is sent in cleartext over the link; one-time passwords can mitigate that weakness, but there is still no protection against replay (playback) attacks and no control over the rate at which the remote device attempts authentication. The remote device controls the number and frequency of its attempts.

PPP authentication protocol: CHAP

Example: the Santa Cruz router authenticates to the HQ router. A hash, not the password, is sent over the link. The router itself or an external server controls the attempts.
8-7

CHAP is an authentication method that uses a three-way handshake to authenticate the peers at link start-up and periodically during the connection. After the link-establishment phase completes, the central device sends a challenge message to the remote device. The remote device computes an MD5 hash over the challenge combined with the password configured for the central device, and returns the hash to the central device. The central device computes its own hash over the challenge it sent, combined with the password it has configured for the remote device. If the two hashes match, authentication succeeds and the connection proceeds; otherwise the link is dropped. Because every challenge is different, a captured response cannot be replayed, and the repeated challenges during the connection help prevent hijacking of the link. The central device or an authentication server controls the frequency and number of authentication attempts. Two caveats remain: both routers must store the shared password in recoverable form so that they can compute the hash, and an attacker who captures a challenge/response pair can run an offline dictionary attack against it, so the password should be long and random.
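The CHAP handshake just described, as an added example (illustration code, not from the original course material or from Cisco IOS). The hostnames RouterX and RouterY and the secret sameone mirror the configuration example later in this lesson; the challenge bytes are random and everything else is an assumption of the example. A PAP request is built alongside to show what crosses the link in each case.

```python
import hashlib
import hmac
import secrets

# Example added for illustration; not from the original course material.


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """CHAP with MD5 (RFC 1994): Response = MD5(Identifier || secret || Challenge).
    The secret itself never crosses the link; only this hash does."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


def pap_authenticate_request(peer_id: bytes, password: bytes) -> bytes:
    """For contrast, the body of a PAP Authenticate-Request (RFC 1334): peer-id and
    password are carried as-is, readable by anyone who can see the link."""
    return bytes([len(peer_id)]) + peer_id + bytes([len(password)]) + password


class ChapAuthenticator:
    """The side that challenges (the 'central' router). It holds the username/password
    database, like 'username <peer> password <secret>' in IOS."""

    def __init__(self, name: str, peer_passwords: dict):
        self.name = name
        self.peer_passwords = peer_passwords
        self.identifier = 0
        self.outstanding = {}            # identifier -> challenge still awaiting a response

    def challenge(self):
        self.identifier = (self.identifier + 1) & 0xFF
        chal = secrets.token_bytes(16)   # fresh random value each time: this is what defeats replay
        self.outstanding[self.identifier] = chal
        return self.identifier, chal, self.name   # on the wire: "O CHALLENGE id N ... from <name>"

    def check(self, identifier: int, peer_name: str, response: bytes) -> bool:
        chal = self.outstanding.pop(identifier, None)   # a challenge can be answered only once
        secret = self.peer_passwords.get(peer_name)
        if chal is None or secret is None:
            return False
        expected = chap_response(identifier, secret.encode(), chal)
        return hmac.compare_digest(expected, response)  # constant-time comparison


class ChapPeer:
    """The side that answers (the 'remote' router). It looks up the secret by the name carried
    in the challenge, which is why the hostnames on both routers must match the username entries."""

    def __init__(self, name: str, passwords: dict):
        self.name = name
        self.passwords = passwords

    def respond(self, identifier: int, challenge: bytes, authenticator_name: str):
        secret = self.passwords[authenticator_name]
        return identifier, self.name, chap_response(identifier, secret.encode(), challenge)


def run_chap(authenticator: ChapAuthenticator, peer: ChapPeer) -> bool:
    """One three-way handshake: challenge -> response -> success/failure."""
    ident, chal, aname = authenticator.challenge()
    ident, pname, resp = peer.respond(ident, chal, aname)
    return authenticator.check(ident, pname, resp)


if __name__ == "__main__":
    router_x = ChapAuthenticator("RouterX", {"RouterY": "sameone"})
    router_y = ChapPeer("RouterY", {"RouterX": "sameone"})
    print("CHAP success:", run_chap(router_x, router_y))
    print("PAP request bytes:", pap_authenticate_request(b"RouterY", b"sameone"))
```

The two-way example in the lesson is simply this handshake run once in each direction, each router acting as authenticator for the other with the same shared secret.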


PPP and authentication configuration overview

8-8

To enable PPP encapsulation with PAP or CHAP authentication on an interface: - Enable PPP encapsulation as the Layer 2 protocol - (Optional) Enable authentication, in these steps: - configure the router hostname - configure the username and password of the router at the other end - choose the authentication method, PAP or CHAP

Configuring PPP and authentication

RouterX(config-if)# encapsulation ppp
Enables PPP encapsulation
RouterX(config)# hostname name
Assigns a hostname to the router
RouterX(config)# username name password password
Identifies the username and password of the remote router
RouterX(config-if)# ppp authentication {chap | chap pap | pap chap | pap}
Enables PAP or CHAP authentication

8-9

- To enable PPP encapsulation, use the encapsulation ppp command - To use authentication with PPP: - Step 1: configure the router hostname. Note: the hostname must match the username that the remote router uses to authenticate this router - Step 2: for each remote router, build the authentication database by entering the remote router's username and password; the password must be the same on both routers - Step 3: choose the authentication method, PAP or CHAP. If both are configured (ppp authentication chap pap), the router uses the second method only when the remote device does not support the first.

PPP and CHAP configuration example

hostname RouterX
username RouterY password sameone
!
int serial 0
 ip address 10.0.1.1 255.255.255.0
 encapsulation ppp
 ppp authentication chap

hostname RouterY
username RouterX password sameone
!
int serial 0
 ip address 10.0.1.2 255.255.255.0
 encapsulation ppp
 ppp authentication chap

8-10

In this example, each end requires the other to authenticate before the link comes up. Each router's hostname matches the username entry on its peer, and the password is identical on both sides. Because CHAP needs the shared password in recoverable form, the peer entry must be created with username ... password (stored in cleartext, or reversibly obscured with service password-encryption), not username ... secret; protect the router configuration accordingly.

Verifying PPP encapsulation

RouterX# show interface s0
Serial0 is up, line protocol is up
  Hardware is HD64570
  Internet address is 10.140.1.2/24
  MTU 1500 bytes, BW 1544 Kbit, DLY 20000 usec, rely 255/255, load 1/255
  Encapsulation PPP, loopback not set, keepalive set (10 sec)
  LCP Open
  Open: IPCP, CDPCP
  Last input 00:00:05, output 00:00:05, output hang never
  Last clearing of "show interface" counters never
  Queueing strategy: fifo
  Output queue 0/40, 0 drops; input queue 0/75, 0 drops
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     38021 packets input, 5656110 bytes, 0 no buffer
     Received 23488 broadcasts, 0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
     38097 packets output, 2135697 bytes, 0 underruns
     0 output errors, 0 collisions, 6045 interface resets
     0 output buffer failures, 0 output buffers swapped out
     482 carrier transitions
     DCD=up  DSR=up  DTR=up  RTS=up  CTS=up

8-11

LCP Open indicates that the link has been established (LCP negotiation completed); the line Open: IPCP, CDPCP lists the NCPs that are up, here for IP and CDP.

Verifying PPP authentication

RouterX# debug ppp authentication
4d20h: %LINK-3-UPDOWN: Interface Serial0, changed state to up
4d20h: Se0 PPP: Treating connection as a dedicated line
4d20h: Se0 PPP: Phase is AUTHENTICATING, by both
4d20h: Se0 CHAP: O CHALLENGE id 2 len 28 from "left"
4d20h: Se0 CHAP: I CHALLENGE id 3 len 28 from "right"
4d20h: Se0 CHAP: O RESPONSE id 3 len 28 from "left"
4d20h: Se0 CHAP: I RESPONSE id 2 len 28 from "right"
4d20h: Se0 CHAP: O SUCCESS id 2 len 4
4d20h: Se0 CHAP: I SUCCESS id 3 len 4
4d20h: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0, changed state to up

The debug ppp authentication command shows that CHAP authentication succeeded


8-12

Example: verifying PPP authentication. The output above shows both peers authenticating each other; it was obtained with the debug ppp authentication command. Se0 PPP: Phase is AUTHENTICATING, by both means that both sides require authentication. Se0 PPP: Phase is AUTHENTICATING, by the peer, or Se0 PPP: Phase is AUTHENTICATING, by this end, means that only one of the two sides requires it. With PAP the output looks like this:
Se0 PPP: Phase is AUTHENTICATING, by both (two-way authentication)
Se0 PAP: O AUTH-REQ id 4 len 18 from "RouterX" (outgoing authentication request)
Se0 PAP: I AUTH-REQ id 1 len 18 from "RouterY" (incoming authentication request)
Se0 PAP: Authenticating peer RouterY (authenticating the incoming request)

Se0 PAP: O AUTH-ACK id 1 len 5 (outgoing acknowledgement)
Se0 PAP: I AUTH-ACK id 4 len 5 (incoming acknowledgement)
These lines show both sides authenticating with PAP. The authentication method is CHAP when you see lines such as:
*Mar 7 21:16:29.468: BR0:1 PPP: Phase is AUTHENTICATING, by this end
*Mar 7 21:16:29.468: BR0:1 CHAP: O CHALLENGE id 5 len 33 from "maui-soho-03"
The authentication method is PAP when you see lines such as:
*Mar 7 21:24:11.980: BR0:1 PPP: Phase is AUTHENTICATING, by both
*Mar 7 21:24:12.084: BR0:1 PAP: I AUTH-REQ id 1 len 23 from "maui-soho-01"
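The reading of debug ppp authentication output described above, turned into detection logic as an added example (illustration code, not from the original course material or from Cisco IOS). It groups the debug lines per interface, records the method, which side required authentication, the peer names and the outcome, and raises the notes a security review would want: PAP in use, one-way authentication, or failures. The sample lines are constructed from the output shown in this lesson (with the quotes repaired) and are not a live capture; the interface names and hostnames in them are therefore the lesson's, not real devices.

```python
import re

# Example added for illustration; not from the original course material.
TS_RE = re.compile(r"^(?:\*?[A-Za-z]{3}\s+\d+\s+\d\d:\d\d:\d\d(?:\.\d+)?|\d+d\d+h|\d\d:\d\d:\d\d):\s*")
MSG_RE = re.compile(r"^(?P<intf>\S+)\s+(?P<proto>PPP|LCP|CHAP|PAP):\s+(?P<msg>.*)$")
PEER_RE = re.compile(r'from "([^"]+)"')


def new_state():
    return {"methods": set(), "direction": None, "peers": set(),
            "success": 0, "failure": 0, "cleartext_password_risk": False}


def summarize(lines):
    """Group 'debug ppp authentication' lines per interface and record the method used,
    which side required authentication, the peer names and the outcome."""
    state = {}
    for raw in lines:
        line = TS_RE.sub("", raw.strip(), count=1)       # drop the uptime or clock stamp
        m = MSG_RE.match(line)
        if not m:
            continue                                     # %LINK / %LINEPROTO and other syslog noise
        intf, proto, msg = m.group("intf"), m.group("proto"), m.group("msg")
        st = state.setdefault(intf, new_state())
        if proto == "PPP" and "AUTHENTICATING" in msg:
            st["direction"] = msg.split("by ", 1)[1].strip()   # "both", "this end" or "the peer"
        elif proto in ("CHAP", "PAP"):
            st["methods"].add(proto)
            if proto == "PAP":
                st["cleartext_password_risk"] = True     # with PAP the password itself was on the wire
            peer = PEER_RE.search(msg)
            if peer:
                st["peers"].add(peer.group(1))
            if "SUCCESS" in msg or "AUTH-ACK" in msg:
                st["success"] += 1
            if "FAILURE" in msg or "AUTH-NAK" in msg:
                st["failure"] += 1
    return state


def findings(state):
    """Turn the per-interface state into the notes a security review would act on."""
    notes = []
    for intf, st in sorted(state.items()):
        methods = "/".join(sorted(st["methods"])) or "none"
        notes.append(f"{intf}: method {methods}, required by {st['direction'] or 'unknown'}, "
                     f"{st['success']} success / {st['failure']} failure, peers {sorted(st['peers'])}")
        if st["cleartext_password_risk"]:
            notes.append(f"{intf}: PAP in use, the password crossed the link in cleartext; prefer CHAP")
        if st["direction"] in ("this end", "the peer"):
            notes.append(f"{intf}: one-way authentication only; configure ppp authentication on both routers")
        if st["failure"]:
            notes.append(f"{intf}: authentication failures; check hostnames and the shared password")
    return notes


# Constructed sample input, taken from the debug output shown in this lesson.
SAMPLE_CHAP = """\
4d20h: %LINK-3-UPDOWN: Interface Serial0, changed state to up
4d20h: Se0 PPP: Treating connection as a dedicated line
4d20h: Se0 PPP: Phase is AUTHENTICATING, by both
4d20h: Se0 CHAP: O CHALLENGE id 2 len 28 from "left"
4d20h: Se0 CHAP: I CHALLENGE id 3 len 28 from "right"
4d20h: Se0 CHAP: O RESPONSE id 3 len 28 from "left"
4d20h: Se0 CHAP: I RESPONSE id 2 len 28 from "right"
4d20h: Se0 CHAP: O SUCCESS id 2 len 4
4d20h: Se0 CHAP: I SUCCESS id 3 len 4
4d20h: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0, changed state to up
""".splitlines()

SAMPLE_PAP = """\
*Mar 7 21:24:11.980: BR0:1 PPP: Phase is AUTHENTICATING, by both
*Mar 7 21:24:12.084: BR0:1 PAP: I AUTH-REQ id 1 len 23 from "maui-soho-01"
*Mar 7 21:24:12.088: BR0:1 PAP: Authenticating peer maui-soho-01
*Mar 7 21:24:12.092: BR0:1 PAP: O AUTH-ACK id 1 len 5
""".splitlines()

if __name__ == "__main__":
    for note in findings(summarize(SAMPLE_CHAP)) + findings(summarize(SAMPLE_PAP)):
        print(note)
```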

8-13

Verifying PPP negotiation

RouterX# debug ppp negotiation
PPP protocol negotiation debugging is on
RouterX#
*Mar 1 00:06:36.645: %LINK-3-UPDOWN: Interface BRI0:1, changed state to up
*Mar 1 00:06:36.661: BR0:1 PPP: Treating connection as a callin
*Mar 1 00:06:36.665: BR0:1 PPP: Phase is ESTABLISHING, Passive Open
*Mar 1 00:06:36.669: BR0:1 LCP: State is Listen
*Mar 1 00:06:37.034: BR0:1 LCP: I CONFREQ [Listen] id 7 len 17
*Mar 1 00:06:37.038: BR0:1 LCP:    AuthProto PAP (0x0304C023)
*Mar 1 00:06:37.042: BR0:1 LCP:    MagicNumber 0x507A214D (0x0506507A214D)
*Mar 1 00:06:37.046: BR0:1 LCP:    Callback 0 (0x0D0300)
*Mar 1 00:06:37.054: BR0:1 LCP: O CONFREQ [Listen] id 4 len 15
*Mar 1 00:06:37.058: BR0:1 LCP:    AuthProto CHAP (0x0305C22305)
*Mar 1 00:06:37.062: BR0:1 LCP:    MagicNumber 0x1081E7E1 (0x05061081E7E1)
*Mar 1 00:06:37.066: BR0:1 LCP: O CONFREJ [Listen] id 7 len 7
*Mar 1 00:06:37.070: BR0:1 LCP:    Callback 0 (0x0D0300)
*Mar 1 00:06:37.098: BR0:1 LCP: I CONFACK [REQsent] id 4 len 15
*Mar 1 00:06:37.102: BR0:1 LCP:    AuthProto CHAP (0x0305C22305)
*Mar 1 00:06:37.106: BR0:1 LCP:    MagicNumber 0x1081E7E1 (0x05061081E7E1)
*Mar 1 00:06:37.114: BR0:1 LCP: I CONFREQ [ACKrcvd] id 8 len 14
*Mar 1 00:06:37.117: BR0:1 LCP:    AuthProto PAP (0x0304C023)
*Mar 1 00:06:37.121: BR0:1 LCP:    MagicNumber 0x507A214D (0x0506507A214D)
8-14

Verifying the negotiation between the two PPP peers. The fields displayed by debug ppp negotiation are: Timestamp: the time of the event, with millisecond resolution. Interface and interface number: the interface on which the negotiation takes place. Type of PPP message: PPP, LCP, or NCP. Direction of the message: I means an incoming message; O means an outgoing message. Message: a description of the message itself. ID: the message identifier, which matches each request with its reply. Length: the message length, usually not important when tracing the negotiation. In the output above, the peer offers PAP in its CONFREQ while this router asks for CHAP; the CONFACK for id 4 shows the peer accepting CHAP.

Summary
PPP is a Layer 2 WAN protocol. Its two main components are LCP, which negotiates the link, and NCP, which encapsulates the data. You can configure PPP authentication with PAP or CHAP. PAP sends everything in cleartext; CHAP uses the MD5 hash function. To verify PPP, use show interface to check the PPP encapsulation and debug ppp negotiation to check the LCP handshake.

8-15

8-16

Lesson 9: Establishing WAN connections with Frame Relay

Extending the LAN to the WAN

9-1


Frame Relay overview

Connections are made through virtual circuits. Connection-oriented service


9-2

Frame Relay is a high-performance, connection-oriented data-link technology. For error protection it relies on upper-layer protocols and on digital and fiber-optic networks. Frame Relay defines the connection between a router and the service provider's local access switch; it does not define how data is carried inside the provider's Frame Relay cloud. Devices attached to a Frame Relay network fall into two types: DTE: generally considered the terminating equipment of a given network. DTE devices are located at the customer site and owned by the customer; examples are Frame Relay access devices (FRADs), routers, and bridges. DCE: internetworking devices owned by the provider. The DCE provides clocking and switching services inside the network and carries data across the WAN. In most cases the switches in the WAN are Frame Relay switches. Frame Relay multiplexes several logical data channels, called virtual circuits (VCs), over one physical link by assigning a connection identifier to each pair of DTE devices. The Frame Relay switches build a switching table that maps each connection identifier to an outgoing port. When a switch receives a frame, it examines the connection identifier and forwards the frame out the corresponding interface. The complete path to the destination is established before the first frame is sent.

Frame Relay terminology

9-3

The following terms are used often when describing Frame Relay; their exact meaning may vary by service provider. Local access rate: the clock rate (port speed) of the connection (local loop) to the Frame Relay cloud. It is the rate at which data travels into or out of the network, regardless of other settings. VC: a logical circuit, uniquely identified by a DLCI, created to provide bidirectional communication from one DTE to another. Several VCs can be multiplexed onto a single physical circuit across the network, which reduces the equipment and network complexity needed to connect multiple DTE devices. A VC can pass through several intermediate DCE devices. A VC can be a permanent virtual circuit (PVC) or a switched virtual circuit (SVC). PVC: a permanently established connection used for frequent, consistent data transfer between DTEs across the Frame Relay network. Communication across a PVC does not require the call setup and teardown that an SVC uses. SVC: a temporary connection used when only occasional data transfer between DTEs is needed. An SVC is set up dynamically on demand and torn down when the transfer is complete. DLCI: a 10-bit number in the address field of the Frame Relay header that identifies the VC. The DLCI is locally significant: it has meaning only between the local router and the Frame Relay switch it is attached to. The devices at the two ends of a connection may therefore use different DLCI values to refer to the same virtual circuit.

Committed information rate (CIR): the maximum average data rate that the network commits to deliver under normal conditions. When you subscribe to Frame Relay, you specify the local access rate, such as 56 kb/s or T1. Typically you also specify a CIR for each DLCI. If you send data faster than the CIR for a DLCI, the network marks some frames with the discard eligible (DE) bit. The network makes its best effort to deliver all frames, but when congestion occurs it drops DE-marked frames first. Many inexpensive Frame Relay services are based on a CIR of zero: every frame is a DE frame, and the network may drop any frame when it needs to. Inverse Address Resolution Protocol (Inverse ARP): a method of dynamically associating the network-layer address of a remote router with a local DLCI. Inverse ARP lets a router automatically discover the network address of the remote DTE device at the other end of a VC. Local Management Interface (LMI): a signaling standard between the router (DTE) and the local Frame Relay switch (DCE) that manages the connection and maintains status between the router and the switch. Forward explicit congestion notification (FECN): a bit in the address field of the Frame Relay header. The FECN mechanism is triggered when a DTE sends frames into the network: if the network is congested, the DCE sets the FECN bit to 1. When these frames reach the destination DTE, the bit tells it that congestion was encountered on the path from source to destination. The DTE can pass this information to higher-layer protocols; depending on the implementation, flow control may be started or the indication ignored. Backward explicit congestion notification (BECN): a bit in the address field of the Frame Relay header. The DCE sets the BECN bit to 1 in frames traveling in the opposite direction to frames whose FECN bit is set. A BECN bit of 1 tells the receiving DTE that a particular path through the network is congested. The DTE can pass this information to higher-layer protocols; depending on the implementation, flow control may be started or the indication ignored. Example: in the figure, router A has two VCs configured on a single physical interface. DLCI 100 identifies the VC to router B and DLCI 400 identifies the VC to router C. At the far end, different DLCI numbers may be used to identify the same VCs.
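The header fields and the CIR/DE behaviour defined above, as an added example (illustration code, not from the original course material or from any Frame Relay switch). It encodes and decodes the two-byte Q.922 address field that carries the DLCI, C/R, FECN, BECN and DE bits, marks frames DE once a measurement interval's committed burst is exceeded, and computes the PVC counts used when comparing topologies. The DLCI values 100 and 400 are the ones in the lesson's figure; the frame sizes and CIR are constructed sample values.

```python
from dataclasses import dataclass

# Example added for illustration; not from the original course material.
# Two-byte Q.922 address field of a Frame Relay frame:
#   byte 0: DLCI (high 6 bits) | C/R | EA = 0
#   byte 1: DLCI (low 4 bits)  | FECN | BECN | DE | EA = 1

LMI_DLCI = {0: "ANSI/Q.933 LMI", 1023: "Cisco LMI"}   # reserved for LMI, never user traffic


@dataclass(frozen=True)
class FrameRelayAddress:
    dlci: int
    cr: bool        # command/response bit, not used by Frame Relay itself
    fecn: bool      # forward explicit congestion notification
    becn: bool      # backward explicit congestion notification
    de: bool        # discard eligible


def parse_address(hdr: bytes) -> FrameRelayAddress:
    """Decode the address field at the start of a received frame."""
    if len(hdr) < 2:
        raise ValueError("address field needs two bytes")
    b0, b1 = hdr[0], hdr[1]
    if b0 & 0x01 or not b1 & 0x01:
        raise ValueError("only the two-byte address format is handled here")
    dlci = ((b0 >> 2) << 4) | (b1 >> 4)
    return FrameRelayAddress(dlci, bool(b0 & 0x02), bool(b1 & 0x08),
                             bool(b1 & 0x04), bool(b1 & 0x02))


def build_address(dlci: int, cr=False, fecn=False, becn=False, de=False) -> bytes:
    """Encode the address field; the 10-bit DLCI is split 6/4 across the two bytes."""
    if not 0 <= dlci <= 1023:
        raise ValueError("DLCI is a 10-bit number")
    b0 = ((dlci >> 4) << 2) | (int(cr) << 1)
    b1 = ((dlci & 0x0F) << 4) | (int(fecn) << 3) | (int(becn) << 2) | (int(de) << 1) | 0x01
    return bytes([b0, b1])


def mark_discard_eligible(frame_sizes, cir_bps: float, tc_s: float = 1.0):
    """Ingress policing as the text describes it: within one measurement interval Tc the network
    accepts Bc = CIR * Tc bits; bytes beyond that are forwarded with DE set and dropped first
    under congestion. With CIR = 0 every frame is DE."""
    bc_bytes = cir_bps * tc_s / 8
    used, flags = 0, []
    for size in frame_sizes:
        used += size
        flags.append(used > bc_bytes)
    return flags


def full_mesh_pvcs(sites: int) -> int:
    """Every site to every other site: n(n-1)/2 virtual circuits."""
    return sites * (sites - 1) // 2


def hub_and_spoke_pvcs(sites: int) -> int:
    """One circuit from each spoke to the hub."""
    return sites - 1


if __name__ == "__main__":
    hdr = build_address(400, fecn=True, de=True)           # DLCI 400 from the figure, congested, over CIR
    print(hdr.hex(), parse_address(hdr))
    print("DE marks:", mark_discard_eligible([1000, 1000, 1000], cir_bps=16000))
    print("10 sites:", full_mesh_pvcs(10), "full-mesh PVCs vs", hub_and_spoke_pvcs(10), "hub-and-spoke")
```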

9-4
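The address-field layout described above (a 10-bit DLCI split across two bytes, with the C/R, FECN, BECN, DE and EA bits beside it) is easy to get wrong by hand. The following Python is an added example written for this page; it is not part of the course material or of any Cisco code. It parses and builds the two-byte Frame Relay address field and reproduces the hexadecimal DLCI value that IOS prints in show frame-relay map (for DLCI 100, 0x1840: the DLCI bits in their wire position with every flag and EA bit cleared). The sample bytes are constructed; 0xFCF1 is the LMI address (DLCI 1023) that appears in the debug frame-relay lmi output later on this page.

```python
"""Decode and build the two-byte Frame Relay (LAPF / Q.922) address field.

Added example for this page; not from the course material.  Layout:

  byte 0:  DLCI bits 9..4 (6 bits) | C/R | EA = 0
  byte 1:  DLCI bits 3..0 (4 bits) | FECN | BECN | DE | EA = 1
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class FrameRelayAddress:
    dlci: int            # 10-bit data-link connection identifier, local significance only
    cr: bool = False     # command/response bit, not used by Frame Relay itself
    fecn: bool = False   # forward explicit congestion notification (set by the network)
    becn: bool = False   # backward explicit congestion notification (set by the network)
    de: bool = False     # discard eligible: dropped first under congestion (CIR exceeded)

    def to_bytes(self) -> bytes:
        """Serialize to the two-byte address field (EA = 0 in byte 0, EA = 1 in byte 1)."""
        if not 0 <= self.dlci <= 1023:
            raise ValueError("DLCI must fit in 10 bits")
        high = (self.dlci >> 4) & 0x3F
        low = self.dlci & 0x0F
        byte0 = (high << 2) | (int(self.cr) << 1)          # EA = 0: another address byte follows
        byte1 = ((low << 4) | (int(self.fecn) << 3) | (int(self.becn) << 2)
                 | (int(self.de) << 1) | 1)                  # EA = 1: last address byte
        return bytes([byte0, byte1])


def parse_address(data: bytes) -> FrameRelayAddress:
    """Decode the first two bytes of a frame as a two-byte address field."""
    if len(data) < 2:
        raise ValueError("need at least two bytes")
    byte0, byte1 = data[0], data[1]
    # EA (extended address) must be 0 in the first byte and 1 in the last one.
    if byte0 & 0x01 or not byte1 & 0x01:
        raise ValueError("not a two-byte address field (EA bits)")
    dlci = (((byte0 >> 2) & 0x3F) << 4) | (byte1 >> 4)
    return FrameRelayAddress(
        dlci=dlci,
        cr=bool(byte0 & 0x02),
        fecn=bool(byte1 & 0x08),
        becn=bool(byte1 & 0x04),
        de=bool(byte1 & 0x02),
    )


def ios_wire_value(dlci: int) -> int:
    """The third number IOS prints in 'show frame-relay map', e.g. dlci 100(0x64,0x1840):
    the DLCI bits in their wire position with C/R, FECN, BECN, DE and both EA bits zero."""
    return (((dlci >> 4) & 0x3F) << 10) | ((dlci & 0x0F) << 4)


def congestion_action(addr: FrameRelayAddress) -> str:
    """What a DTE can do with the notification bits of a received frame
    (the text notes that an implementation may also simply ignore them)."""
    if addr.becn:
        return "slow down: our traffic toward this DLCI is congesting the network"
    if addr.fecn:
        return "tell the peer (or upper layer) that the path from the sender is congested"
    return "no congestion indicated"


if __name__ == "__main__":
    # Constructed samples.  0xFCF1 is the LMI address (DLCI 1023) seen in the debug output.
    lmi = parse_address(bytes.fromhex("fcf1"))
    print(lmi.dlci, hex(ios_wire_value(100)))          # 1023 0x1840
    congested = parse_address(bytes([0x18, 0x4B]))      # DLCI 100 with FECN and DE set
    print(congested, congestion_action(congested))
```

Note that the real on-the-wire second byte always has EA = 1, so DLCI 100 is sent as 0x18 0x41; the 0x1840 shown by IOS is the DLCI bits alone, which is why the helper clears every flag bit.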

Choosing a Frame Relay Topology

Frame Relay default: NBMA

Frame Relay lets you connect remote sites in one of the following topologies:

Star topology: the remote sites connect to a central site that usually provides a service or application. The star topology, also known as a hub-and-spoke configuration, is the most common Frame Relay topology. It is the least expensive because it requires the fewest PVCs. In the figure, the central router provides connectivity to many remote sites and uses a single physical interface that carries multiple PVCs.

Full-mesh topology: every router has a VC to every other router. A full mesh provides direct connectivity from each site to every other site and allows redundancy: when one link fails, a router can reroute through another site. As the number of sites grows, a full mesh becomes very expensive. Use the formula n(n-1)/2 to compute the number of links needed, where n is the number of sites. For example, a full-mesh network of 10 sites requires 45 links: 10(10-1)/2.

Partial-mesh topology: not every site is connected directly to every other site. Depending on the traffic flows in the network, you may want to add PVCs to remote sites that exchange large amounts of data.

By default, a Frame Relay network provides nonbroadcast multiaccess (NBMA) connectivity between remote sites. An NBMA environment is treated like other broadcast media environments, such as Ethernet, in that all routers are on the same subnet. To reduce cost, however, NBMA clouds are usually built as a hub-and-spoke topology. With hub-and-spoke, the physical topology does not provide the multiaccess capability that Ethernet does, so not every router has its own PVC to every other site on the same subnet. Split horizon is one of the main consequences you run into when Frame Relay carries multiple PVCs on a single physical interface.

Resolving NBMA Reachability Issues

Split horizon can cause reachability problems in an NBMA environment.

Solution: subinterfaces. One physical interface emulates multiple logical interfaces.

In any Frame Relay topology where a single physical interface connects to multiple sites, you can run into problems because Frame Relay is inherently NBMA. A Frame Relay NBMA topology can cause two problems:

Routing update reachability: split horizon reduces routing loops by preventing a routing update received on one interface from being forwarded out that same interface. In a hub-and-spoke Frame Relay topology, a remote router (a spoke) sends an update to the central router (the hub), which terminates multiple PVCs on a single physical interface. After receiving the broadcast routing update, the hub router cannot forward it out the same interface to the other remote routers. Split horizon is not a problem when there is only one PVC on the physical interface, because that connection is point-to-point.

Broadcast replication: when a router supports connections to multiple sites over one physical interface that terminates multiple PVCs, it must replicate broadcast packets, such as routing update broadcasts, on every PVC to the remote routers. These replicated broadcasts consume bandwidth and add latency.

There are several ways to solve the routing update reachability problem:

Turn off split horizon. This solution has two drawbacks. First, although most network-layer protocols, such as IP, let you disable split horizon, not all of them do. Second, disabling split horizon increases the chance of routing loops in the network.

Another solution is to use a full-mesh topology; this, however, increases the cost.

The last solution is to use subinterfaces. To allow broadcast routing updates to be forwarded in a hub-and-spoke topology, you can configure the hub router with logically assigned interfaces, called subinterfaces, on a single physical interface. In a split-horizon routing environment, routing updates received on one subinterface can be sent out another subinterface. In a subinterface configuration, each VC is configured as a point-to-point connection, which lets each subinterface act like a leased line. When you use point-to-point subinterfaces, each subinterface is on a different subnet.

Frame Relay Address Mapping

LMI obtains the locally significant DLCI from the Frame Relay switch. Inverse ARP maps the local DLCI to the network-layer address of the remote end.

A Frame Relay connection requires that, on a VC, the local DLCI be mapped to a destination network-layer address, such as an IP address. Routers can automatically discover their local DLCIs from the local Frame Relay switch through LMI. On Cisco routers, the local DLCI can be mapped to the network-layer address of the remote router automatically by Inverse ARP. Inverse ARP associates a given DLCI with the next-hop address for that connection. Inverse ARP is described in RFC 1293.

Example: Frame Relay address mapping. As shown in the figure, using Inverse ARP the router on the left automatically discovers the IP address of the remote router and then maps it to the local DLCI. In this case, local DLCI 500 is mapped to IP address 10.1.1.1. Therefore, when the router sends data to 10.1.1.1, it uses DLCI 500.

Instead of using Inverse ARP to map the local DLCI to the network-layer address of the remote router automatically, you can configure the mapping statically by hand.

Frame Relay Signaling

Cisco supports three LMI standards:
Cisco
ANSI T1.617 Annex D
ITU-T Q.933 Annex A

LMI is a signaling standard between the router and the Frame Relay switch. LMI is responsible for managing the connection and maintaining status between the devices. Although the LMI type is configurable, beginning with Cisco IOS Software Release 11.2 a Cisco router tries to autosense which LMI type the Frame Relay switch is using. The router sends one or more full status requests to the Frame Relay switch. The switch responds with one or more LMI types, and the router configures itself with the last LMI type received. Cisco routers support the following three LMI types:

Cisco: the LMI type defined jointly by Cisco, StrataCom, Northern Telecom (Nortel), and Digital Equipment Corporation
ANSI: ANSI T1.617 Annex D
Q.933A: ITU-T Q.933 Annex A

You can also configure the appropriate LMI type manually from the three supported types to ensure proper Frame Relay operation.

When the router receives LMI information, it updates the status of its VCs to one of three states:

Active: the VC connection is active and the routers can exchange data across the Frame Relay network.
Inactive: the local connection to the Frame Relay switch is working, but the connection between the remote router and its Frame Relay switch is not.
Deleted: no LMI is being received from the Frame Relay switch, or there is no service between the router and the local Frame Relay switch.

Inverse ARP and LMI Operation

The following summarizes how Inverse ARP and LMI signaling work on a Frame Relay connection:

1. Each router connects to the Frame Relay switch through a CSU/DSU.
2. When Frame Relay is configured on an interface, the router sends an LMI status inquiry message to the Frame Relay switch. The message reports the status of the router and asks the switch for the connection status of the VCs.
3. When the Frame Relay switch receives the request, it responds with an LMI status message that includes the local DLCIs of the PVCs to the remote routers to which the local router can send data.
4. For each active DLCI, each router sends an Inverse ARP packet to introduce itself.
5. When a router receives an Inverse ARP message, it creates a map entry in its Frame Relay map table that includes the local DLCI and the network-layer address of the remote router. Note that the DLCI is the router's own local DLCI, not the DLCI used by the remote router. Any of the three connection states can appear in the Frame Relay map table.
6. Every 60 seconds, the routers send Inverse ARP messages on all active DLCIs. Every 10 seconds, the router exchanges LMI information with the switch (keepalives).
7. The router changes the status of each DLCI to active, inactive, or deleted based on the LMI response from the Frame Relay switch.

Basic Frame Relay Configuration

Assume that you want to configure Frame Relay on one or more physical interfaces and that the routers support LMI and Inverse ARP. The following steps describe a basic Frame Relay configuration:

1. Select the interface on which to configure Frame Relay:
   routerX(config)#interface serial 1
2. Configure the network-layer address:
   routerX(config-if)#ip address 10.16.0.1 255.255.255.0
3. Select the Frame Relay encapsulation type used to encapsulate data end to end:
   routerX(config-if)#encapsulation frame-relay [cisco | ietf]
   The cisco option means that Cisco encapsulation is used; use it when connecting to another Cisco router. It is the default. Choose ietf when connecting to a non-Cisco router.
4. Configure the LMI type:
   routerX(config-if)#frame-relay lmi-type {ansi | cisco | q933a}
   This command is needed only on Cisco IOS releases earlier than 11.2. In later releases the LMI type is autosensed and no configuration is needed. cisco is the default. The LMI type is set per interface and is shown in the output of show interfaces.
5. Configure the bandwidth of the link:
   routerX(config-if)#bandwidth 64
   This command affects the routing behaviour of protocols such as IGRP, EIGRP, and OSPF, as well as other calculations. The value is in kb/s and is informational: it does not change the physical line speed.
6. Enable Inverse ARP if it has been disabled on the router:
   routerX(config-if)#frame-relay inverse-arp ip 16
   Inverse ARP is on by default and does not appear in the running configuration.

Configuring Static Frame Relay Maps

Configure a static Frame Relay map when:

The Frame Relay peer does not support Inverse ARP
You want to control the traffic (broadcast and multicast) sent across a PVC
You want to use a different Frame Relay encapsulation on individual PVCs

When the remote router does not support Inverse ARP, when the Frame Relay routers use different encapsulations, or when you want to control broadcast and multicast traffic on a PVC, you must define the mapping between the local DLCI and the network-layer address of the remote router by hand. These entries are referred to as static maps. Use the following command to map a local DLCI statically to the network-layer address of the remote router:

RouterX(config-if)# frame-relay map protocol protocol-address dlci [broadcast] [ietf | cisco | payload-compress packet-by-packet]

The parameters mean:
protocol: the supported protocol, bridging, or logical link control keyword. The options include appletalk, decnet, dlsw (Data-Link Switching), ip, ipx, and llc2 (Logical Link Control).
protocol-address: the network-layer address of the interface on the destination router
dlci: the local DLCI used to reach the remote address
broadcast: (optional) allows broadcasts and multicasts over the VC, which permits dynamic routing protocols to run across the VC
ietf | cisco: (optional) selects IETF or Cisco encapsulation for this map
payload-compress packet-by-packet: (optional) enables packet-by-packet payload compression using the Stacker method, a Cisco-proprietary compression

Configuring Frame Relay Subinterfaces

Point-to-point: subinterfaces act like leased lines. Each point-to-point subinterface requires its own subnet. Point-to-point applies to hub-and-spoke topologies.
Multipoint: subinterfaces act like an NBMA network, so they do not resolve the split-horizon problem. Multipoint saves address space because it needs only one subnet. Multipoint applies to full-mesh or partial-mesh topologies.

You can configure subinterfaces in one of two modes:

Point-to-point: a point-to-point subinterface is used to establish a single PVC connection to a physical interface or subinterface on a remote router. In this case, each pair of point-to-point routers is on its own subnet, and each point-to-point subinterface has a single DLCI. Because each subinterface acts as a point-to-point interface, routing update traffic is not subject to the split-horizon rule.

Multipoint: a multipoint subinterface is used to establish multiple PVC connections to multiple physical interfaces or subinterfaces on remote routers. In this case, all participating interfaces are on the same subnet. Because the subinterface acts like an NBMA Frame Relay interface, routing update traffic is subject to the split-horizon rule.

Configuring Point-to-Point Frame Relay Subinterfaces

In the figure, router A has two point-to-point subinterfaces. Subinterface s0.110 connects to router B, and s0.120 connects to router C. Each subinterface is on its own subnet. The following steps configure subinterfaces on a physical interface:

Step 1: Select the interface on which you want to create subinterfaces and enter interface configuration mode.
Step 2: Remove any network-layer address assigned to the physical interface and assign the network address to the subinterface instead. If the physical interface keeps an address, frames are not received by the local subinterfaces.
Step 3: Configure Frame Relay encapsulation.
Step 4: Select the subinterface you want to configure and designate it as point-to-point:
RouterX(config-if)# interface serial number.subinterface-number point-to-point
The parameters mean:
.subinterface-number: the subinterface number, in the range 1 to 4294967293. The interface number that precedes the period must match the number of the physical interface to which this subinterface belongs.
point-to-point: choose this option if you want each pair of point-to-point routers to have its own subnet.
Step 5: If you configured the subinterface as point-to-point, you must configure the local DLCI for the subinterface to distinguish it from the physical interface:
RouterX(config-subif)# frame-relay interface-dlci dlci-number
dlci-number: the local DLCI associated with the subinterface. This is the only way to link an LMI-derived PVC to a subinterface, because LMI does not know about subinterfaces.

Configuring Multipoint Frame Relay Subinterfaces

In the figure, all routers are on subnet 10.17.0.0/24. Router A is configured with a single multipoint subinterface carrying three PVCs. The PVC with DLCI 120 connects to router B, the PVC with DLCI 130 connects to router C, and the PVC with DLCI 140 connects to router D.

By default, split horizon is disabled on multipoint main (physical) interfaces and enabled on multipoint subinterfaces. In the figure, because a multipoint subinterface is used, split horizon must be disabled manually on router A to overcome the consequences of split horizon at the hub.

The following steps configure a multipoint subinterface on a physical interface:

Step 1: Select the interface on which you want to create subinterfaces and enter interface configuration mode.
Step 2: Remove any network-layer address assigned to the physical interface and assign the network address to the subinterface instead.
Step 3: Configure Frame Relay encapsulation.
Step 4: Select the subinterface you want to configure and designate it as multipoint:
RouterX(config-if)# interface serial number.subinterface-number multipoint
The parameters mean:
.subinterface-number: the subinterface number, in the range 1 to 4294967293. The interface number that precedes the period must match the number of the physical interface to which this subinterface belongs.
multipoint: choose this option if you want all routers to be on the same subnet.
Step 5: If you configured the subinterface as multipoint and Inverse ARP is enabled, you must configure the local DLCIs for the subinterface to distinguish them from the physical interface. This is not required for multipoint subinterfaces configured with static maps, because each frame-relay map entry already names its DLCI:
RouterX(config-subif)# frame-relay interface-dlci dlci-number
dlci-number: the local DLCI associated with the subinterface. This is the only way to link an LMI-derived PVC to a subinterface, because LMI does not know about subinterfaces.
Do not use the frame-relay interface-dlci command on physical interfaces.

Verifying Frame Relay Operation

RouterX# show interfaces type number

Displays information about the Frame Relay DLCIs and LMI

RouterX# show interfaces s0
Serial0 is up, line protocol is up
  Hardware is HD64570
  Internet address is 10.140.1.2/24
  MTU 1500 bytes, BW 1544 Kbit, DLY 20000 usec, rely 255/255, load 1/255
  Encapsulation FRAME-RELAY, loopback not set, keepalive set (10 sec)
  LMI enq sent 19, LMI stat recvd 20, LMI upd recvd 0, DTE LMI up
  LMI enq recvd 0, LMI stat sent 0, LMI upd sent 0
  LMI DLCI 1023  LMI type is CISCO  frame relay DTE
  FR SVC disabled, LAPF state down
  Broadcast queue 0/64, broadcasts sent/dropped 8/0, interface broadcasts 5
  Last input 00:00:02, output 00:00:02, output hang never
  Last clearing of "show interface" counters never
  Queueing strategy: fifo
  Output queue 0/40, 0 drops; input queue 0/75, 0 drops
<Output omitted>

The show interfaces command displays information about the encapsulation and the Layer 1 and Layer 2 status. Verify that the encapsulation is set to Frame Relay. The command also displays the LMI type and the LMI DLCI (1023 for the Cisco LMI type, 0 for ANSI and Q.933A). The LMI DLCI is not a DLCI that identifies a PVC carrying user data. The output also shows whether the router is the DTE or the DCE. Normally the router is the DTE; however, a Cisco router can be configured as a Frame Relay switch, in which case it acts as the DCE.

Verifying Frame Relay Operation (cont.)

RouterX# show frame-relay lmi [type number]

Displays LMI statistics

RouterX# show frame-relay lmi
LMI Statistics for interface Serial0 (Frame Relay DTE) LMI TYPE = CISCO
  Invalid Unnumbered info 0             Invalid Prot Disc 0
  Invalid dummy Call Ref 0              Invalid Msg Type 0
  Invalid Status Message 0              Invalid Lock Shift 0
  Invalid Information ID 0              Invalid Report IE Len 0
  Invalid Report Request 0              Invalid Keep IE Len 0
  Num Status Enq. Sent 113100           Num Status msgs Rcvd 113100
  Num Update Status Rcvd 0              Num Status Timeouts 0

Use the show frame-relay lmi command to display LMI statistics. For example, the command shows the number of status messages exchanged between the router and the Frame Relay switch. Some of the fields in the show frame-relay lmi output:

LMI TYPE: the LMI signaling standard in use; the options are cisco, ANSI, and ITU-T (q933a)
Num Status Enq. Sent: the number of LMI status enquiries sent
Num Status msgs Rcvd: the number of LMI status messages received

Verifying Frame Relay Operation (cont.)

RouterX# debug frame-relay lmi
Frame Relay LMI debugging is on
Displaying all Frame Relay LMI data
RouterX#
1w2d: Serial0(out): StEnq, myseq 140, yourseen 139, DTE up
1w2d: datagramstart = 0xE008EC, datagramsize = 13
1w2d: FR encap = 0xFCF10309
1w2d: 00 75 01 01 01 03 02 8C 8B
1w2d:
1w2d: Serial0(in): Status, myseq 140
1w2d: RT IE 1, length 1, type 1
1w2d: KA IE 3, length 2, yourseq 140, myseq 140
1w2d: Serial0(out): StEnq, myseq 141, yourseen 140, DTE up
1w2d: datagramstart = 0xE008EC, datagramsize = 13
1w2d: FR encap = 0xFCF10309
1w2d: 00 75 01 01 01 03 02 8D 8C
1w2d:
1w2d: Serial0(in): Status, myseq 142
1w2d: RT IE 1, length 1, type 0
1w2d: KA IE 3, length 2, yourseq 142, myseq 142
1w2d: PVC IE 0x7 , length 0x6 , dlci 100, status 0x2 , bw 0

Displays LMI debug information

Use the debug frame-relay lmi command to determine whether the router and the Frame Relay switch are sending and receiving LMI packets properly. In the output above, the first line is the status enquiry (StEnq) the router sent to the switch; the next three lines dump that frame: its buffer address and size, the Frame Relay encapsulation (the two-byte address for DLCI 1023, the UI control byte 0x03 and the protocol discriminator 0x09) and the LMI payload bytes. The three lines beginning Serial0(in) are the status reply received from the switch, with its Report Type and Keepalive information elements. A similar exchange follows. The final status message, with report type 0, is a full status message that includes a PVC IE describing the router's PVC, DLCI 100. The main fields mean:

Serial0(out): the LMI request was sent out interface serial 0
StEnq: the message type, one of two:
  StEnq: status enquiry
  Status: status reply
myseq 140: the myseq counter, which maps to the CURRENT SEQ counter of the router
yourseen 139: the yourseen counter, which maps to the LAST RCVD SEQ counter of the switch
DTE up: the line protocol state (up or down) of the DTE port

RT IE 1: the value of the report type information element
length 1: the length of the report type information element, in bytes
type 1: the report type: 0 is a full status message, 1 is a link integrity verification (keepalive) exchange only
KA IE 3: the value of the keepalive information element
length 2: the length of the keepalive information element, in bytes
yourseq 142: the yourseq counter, which maps to the CURRENT SEQ counter of the switch
myseq 142: the myseq counter, which maps to the CURRENT SEQ counter of the router
PVC IE 0x7: the value of the PVC information element type
length 0x6: the length of the PVC IE, in bytes
dlci 100: the DLCI value of this PVC
status 0x2: the status value, one of the following:
  0x00: added/inactive
  0x02: added/active
  0x04: deleted
  0x08: new/inactive
  0x0a: new/active
bw 0: the CIR of the DLCI

The out lines are LMI status messages sent by the router. The in lines are messages received from the Frame Relay switch. A type 0 output indicates a full LMI status message; a type 1 output indicates an LMI keepalive exchange. The output dlci 100, status 0x2 means that the status of DLCI 100 is active. The usual DLCI status values are:

0x0: added and inactive means that the switch has this DLCI programmed but, for some reason (for example, the other end of the PVC is down), it is not usable
0x2: added and active means that the switch has the DLCI and everything is operational. You can start sending traffic with this DLCI in the header
0x4: deleted means that the switch does not have this DLCI programmed for the router, but it was programmed at some point in the past. This can also happen if the DLCIs are reversed on the router, or if the PVC was deleted by the service provider
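The debug output above prints each LMI frame both decoded and as raw bytes, so it can be checked by hand. The following Python is an added example for this page, not Cisco's code or part of the course, that parses those bytes the way the debug lines describe them: a two-byte address on the LMI DLCI (0xFCF1 is DLCI 1023), the UI control byte 0x03, the protocol discriminator (0x09 for the Cisco LMI type), a zero call reference, the message type (0x75 STATUS ENQUIRY, 0x7D STATUS), then information elements as id, length, value. It decodes the Report Type and Keepalive IEs shown above, checks that the switch's reply echoes the router's sequence number (the link integrity verification whose failures show frame-relay lmi counts as Num Status Timeouts), and decodes the PVC status byte values listed above. ENQUIRY_140 is the exact byte string of the first dump; REPLY_140 is constructed to match the decoded fields the debug prints for the reply, since the page shows no bytes for it.

```python
"""Parse LMI messages as dumped by 'debug frame-relay lmi'.

Added example for this page, not part of the course material.  Layout used by
Q.933 Annex A and the Cisco LMI type: address (2 bytes, DLCI 1023 for Cisco
LMI), control 0x03 (UI), protocol discriminator, call reference (0), message
type, then information elements (IEs) as <id><length><value>.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional

STATUS_ENQUIRY = 0x75   # router -> switch ("StEnq" in the debug output)
STATUS = 0x7D           # switch -> router ("Status")
IE_REPORT_TYPE = 0x01   # value 0 = full status, 1 = link integrity verification only
IE_KEEPALIVE = 0x03     # value: <send sequence><last received sequence>


@dataclass
class LmiMessage:
    dlci: int
    proto_disc: int
    msg_type: int
    report_type: Optional[int] = None
    send_seq: Optional[int] = None    # "myseq" on the side that sent the message
    recv_seq: Optional[int] = None    # "yourseen": the peer's sequence last heard
    other_ies: Dict[int, bytes] = field(default_factory=dict)  # e.g. PVC IE 0x07, kept raw


def parse_lmi(frame: bytes) -> LmiMessage:
    """Decode one LMI frame; raises ValueError on anything malformed."""
    if len(frame) < 6:
        raise ValueError("frame too short for an LMI message")
    byte0, byte1 = frame[0], frame[1]
    if byte0 & 0x01 or not byte1 & 0x01:           # EA bits of a two-byte address field
        raise ValueError("expected a two-byte address field")
    dlci = (((byte0 >> 2) & 0x3F) << 4) | (byte1 >> 4)
    if frame[2] != 0x03:
        raise ValueError("control byte is not UI (0x03)")
    msg = LmiMessage(dlci=dlci, proto_disc=frame[3], msg_type=frame[5])  # frame[4]: call reference
    pos = 6
    while pos < len(frame):
        if pos + 2 > len(frame):
            raise ValueError("truncated IE header")
        ie_id, ie_len = frame[pos], frame[pos + 1]
        value = frame[pos + 2:pos + 2 + ie_len]
        if len(value) != ie_len:
            raise ValueError("truncated IE value")
        if ie_id == IE_REPORT_TYPE and ie_len == 1:
            msg.report_type = value[0]
        elif ie_id == IE_KEEPALIVE and ie_len == 2:
            msg.send_seq, msg.recv_seq = value[0], value[1]
        else:
            msg.other_ies[ie_id] = bytes(value)
        pos += 2 + ie_len
    return msg


def keepalive_ok(request: LmiMessage, reply: LmiMessage) -> bool:
    """Link integrity verification: a STATUS reply must echo the enquiry's send sequence.
    Enquiries that never get such a reply are what 'Num Status Timeouts' counts."""
    return (request.msg_type == STATUS_ENQUIRY and reply.msg_type == STATUS
            and reply.recv_seq == request.send_seq)


def decode_pvc_status(status: int) -> str:
    """Status byte of a PVC IE: bit 0x08 new, 0x04 deleted, 0x02 active (0x02 -> added/active)."""
    if status & 0x04:
        return "deleted"
    prefix = "new" if status & 0x08 else "added"
    return prefix + ("/active" if status & 0x02 else "/inactive")


# Copied from the debug dump above: "FR encap = 0xFCF10309" then "00 75 01 01 01 03 02 8C 8B".
ENQUIRY_140 = bytes.fromhex("fcf10309" "00" "75" "010101" "03028c8b")
# Constructed to match the decoded reply lines: Status, RT IE type 1, yourseq 140, myseq 140.
REPLY_140 = bytes.fromhex("fcf10309" "00" "7d" "010101" "03028c8c")

if __name__ == "__main__":
    req, rep = parse_lmi(ENQUIRY_140), parse_lmi(REPLY_140)
    print(req)                                  # dlci 1023, msg_type 0x75, send 140, recv 139
    print("keepalive ok:", keepalive_ok(req, rep))
    print("status 0x2 ->", decode_pvc_status(0x02))
```

The 13-byte datagramsize in the debug output is exactly 2 address bytes, 1 control, 1 protocol discriminator, 1 call reference, 1 message type, a 3-byte Report Type IE and a 4-byte Keepalive IE, which is what the parser walks.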

Verifying Frame Relay Operation (cont.)

RouterX# show frame-relay pvc [type number [dlci]]

Displays PVC statistics

RouterX# show frame-relay pvc 100
PVC Statistics for interface Serial0 (Frame Relay DTE)
DLCI = 100, DLCI USAGE = LOCAL, PVC STATUS = ACTIVE, INTERFACE = Serial0
  input pkts 28             output pkts 10            in bytes 8398
  out bytes 1198            dropped pkts 0            in FECN pkts 0
  in BECN pkts 0            out FECN pkts 0           out BECN pkts 0
  in DE pkts 0              out DE pkts 0
  out bcast pkts 10         out bcast bytes 1198
  pvc create time 00:03:46, last time pvc status changed 00:03:47

Use the show frame-relay pvc [interface interface] [dlci] command to display the status of each configured PVC as well as traffic statistics. The fields mean:

DLCI: one of the DLCI numbers for the PVC
DLCI USAGE: shows SWITCHED when the router or access server is used as a switch, or LOCAL when it is used as a DTE device
PVC STATUS: the status of the PVC. The DCE device reports the status and the DTE device receives it. When you disable LMI on the interface with the no keepalive command, the PVC status is STATIC. Otherwise, the PVC status is exchanged through the LMI protocol, as follows:
  STATIC: LMI is disabled on the interface
  ACTIVE: the PVC is operational and can transmit packets
  INACTIVE: the PVC is configured but is down
  DELETED: the PVC is not present (DTE devices only), meaning that no status has been received from the LMI protocol
If the frame-relay end-to-end keepalive command is used, the end-to-end keepalive (EEK) status is reported in addition to the LMI status. Two examples:
  ACTIVE (EEK UP): the PVC is fully active according to both LMI and end-to-end keepalives
  ACTIVE (EEK DOWN): the PVC is active according to LMI, but end-to-end keepalives are failing
INTERFACE: the subinterface associated with this DLCI
LOCAL PVC STATUS: the status of the PVC configured locally on the Network-to-Network Interface (NNI)
NNI PVC STATUS: the status of the PVC learned over the NNI link
input pkts: the number of packets received on this PVC
output pkts: the number of packets sent on this PVC
in bytes: the number of bytes received on this PVC
out bytes: the number of bytes sent on this PVC
dropped pkts: the number of incoming and outgoing packets dropped by the router at the Frame Relay layer
in pkts dropped: the number of incoming packets dropped. Incoming packets may be dropped for any of these reasons: the PVC is inactive; policing; the received packet has the DE bit set; fragments discarded; memory allocation failure; configuration error
out pkts dropped: the number of outgoing packets dropped
out bytes dropped: the number of outgoing bytes dropped
late-dropped out pkts: the number of outgoing packets dropped because of a QoS policy, such as VC queueing or traffic shaping. This field is not displayed when the value is 0
late-dropped out bytes: the number of outgoing bytes dropped because of a QoS policy, such as VC queueing or traffic shaping. This field is not displayed when the value is 0
in FECN pkts: the number of packets received with the FECN bit set
in BECN pkts: the number of packets received with the BECN bit set
out FECN pkts: the number of packets sent with the FECN bit set
out BECN pkts: the number of packets sent with the BECN bit set
in DE pkts: the number of DE packets received
out DE pkts: the number of DE packets sent
out bcast pkts: the number of outgoing broadcast packets
out bcast bytes: the number of outgoing broadcast bytes

Verifying Frame Relay Operation (cont.)

RouterX# show frame-relay map

Displays the current Frame Relay map entries

RouterX# clear frame-relay-inarp

Clears the Frame Relay map entries created by Inverse ARP

RouterX# show frame-relay map
Serial0 (up): ip 10.140.1.1 dlci 100(0x64,0x1840), dynamic, broadcast,, status defined, active
RouterX# clear frame-relay-inarp
RouterX# show frame map
RouterX#

Use the show frame-relay map command to display the current map entries and information about the connections. The output shown above is interpreted as follows:

100 is the local DLCI number in decimal
0x64 is the local DLCI number in hexadecimal
0x1840 is the DLCI value as it appears on the wire, that is, the DLCI bits positioned as they sit in the address field of the Frame Relay frame
10.140.1.1 is the IP address of the remote router (a dynamic entry learned through Inverse ARP)
broadcast and multicast are enabled on the PVC
the PVC status is active

To clear dynamically created Frame Relay maps, which are created by Inverse ARP, use the clear frame-relay-inarp command.

Figure for Lab 8-1: Setting Up a Frame Relay WAN

WG    Router s0/0/0
A     10.140.1.2
B     10.140.2.2
C     10.140.3.2
D     10.140.4.2
E     10.140.5.2
F     10.140.6.2
G     10.140.7.2
H     10.140.8.2

Summary

Frame Relay PVCs are identified by DLCIs, and PVC status is reported by the LMI protocol. Point-to-point Frame Relay subinterfaces require a dedicated subnet for each PVC, whereas multipoint subinterfaces share a single subnet with their peers. To view the status of the connection to the Frame Relay provider, use the show frame-relay lmi command. To display the status of connections to remote Frame Relay peers, use the show frame-relay pvc and show frame-relay map commands.

Lesson 10: Troubleshooting Frame Relay WANs

Extending the LAN into a WAN

Components of Frame Relay Troubleshooting

When troubleshooting Frame Relay, consider the following main aspects:

Troubleshooting a Frame Relay connection that is down, which may be a physical-layer or a data-link-layer problem
Troubleshooting the connection to a remote router, that is, the connection between two Frame Relay routers
Troubleshooting end-to-end connectivity, that is, the connection between hosts across the Frame Relay network

Troubleshooting a Down Frame Relay Connection

The first step in troubleshooting a Frame Relay connection is to check the status of the interface. Use the show interfaces serial number[/number] command to check the interface status.

If the output of show interfaces serial shows the interface as down/line protocol down, there is a physical-layer problem: a problem with the cable, the CSU/DSU, or the serial line. First, use the show controllers serial command to confirm that the router detects the correct cable type. Next, troubleshoot with a loopback test:

Step 1: Set the encapsulation of the serial port to HDLC and the keepalive to 10 seconds. To do this, use the encapsulation hdlc and keepalive commands in interface configuration mode.
Step 2: Place the CSU/DSU or modem in local-loop mode; consult the documentation of the device for how to do this. If the line protocol comes up while the CSU/DSU or modem is in local-loop mode, indicated by the message "line protocol is up (looped)", the problem lies beyond the local CSU/DSU, toward the carrier. If the line protocol does not change state, the problem may be in the router, the cabling, the CSU/DSU, or the modem; in most cases the CSU/DSU or modem is at fault.
Step 3: Ping the IP address of the interface you are troubleshooting while the CSU/DSU or modem is in local-loop mode. An extended ping with the data pattern 0x0000 is useful for resolving line problems, because T1 or E1 equipment derives its clock from the data and requires a transition at least every 8 bits (ones density). A pattern with many zeros helps determine whether ones density is maintained properly on the trunk. A pattern with many ones is used to simulate a heavy zero load in case there is a data inverter on the line. The pattern 0x5555 represents a typical alternating data pattern. If the ping fails, or if you see CRC errors, request a line test from the carrier.
Step 4: When the tests are complete, set the encapsulation of the interface back to Frame Relay.

A static DLCI defined on the wrong subinterface can also cause the subinterface to show down/down, with a PVC status of deleted. To verify that the DLCI number is configured correctly, use the show frame-relay pvc command:

RouterX#sh frame-relay pvc
PVC Statistics for interface Serial0/0/0 (Frame Relay DTE)
              Active     Inactive      Deleted       Static
  Local          0            0            1            0
  Switched       0            0            0            0
  Unused         0            0            0            0
DLCI = 100, DLCI USAGE = LOCAL, PVC STATUS = DELETED, INTERFACE = Serial0/0/0
  input pkts 9              output pkts 8             in bytes 879
  out bytes 1024            dropped pkts 0            in pkts dropped 0
  out pkts dropped 0        out bytes dropped 0
  in FECN pkts 0            in BECN pkts 0            out FECN pkts 0
  out BECN pkts 0           in DE pkts 0              out DE pkts 0
  out bcast pkts 2          out bcast bytes 138
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
  pvc create time 00:00:27, last time pvc status changed 00:00:27

In this output, DLCI 100 has the status DELETED, which shows that the DLCI configuration is wrong: the switch is not reporting DLCI 100 on this access circuit.

If the output of show interfaces serial shows the interface as up/line protocol down, there is a data-link-layer problem. In this case the serial interface is not receiving LMI keepalives from the Frame Relay service provider. To check that LMI messages are being sent and received, and that the LMI type of the router matches the LMI type of the provider, use the show frame-relay lmi command:

RouterX#sh frame-relay lmi
LMI Statistics for interface Serial0/0/0 (Frame Relay DTE) LMI TYPE = CISCO
  Invalid Unnumbered info 0             Invalid Prot Disc 0
  Invalid dummy Call Ref 0              Invalid Msg Type 0
  Invalid Status Message 0              Invalid Lock Shift 0
  Invalid Information ID 0              Invalid Report IE Len 0
  Invalid Report Request 0              Invalid Keep IE Len 0
  Num Status Enq. Sent 236              Num Status msgs Rcvd 31
  Num Update Status Rcvd 0              Num Status Timeouts 206
  Last Full Status Req 00:00:38         Last Full Status Rcvd 00:00:38

The output shows that the router sent 236 LMI status enquiries but received only 31 status messages, with 206 timeouts, and that the LMI type is cisco. Enquiries going unanswered like this usually mean that the LMI type does not match the switch, or that the local loop is up at Layer 1 but not passing frames.

Troubleshooting the Frame Relay Connection to a Remote Router

To reach a remote router across the Frame Relay network, the IP address of the remote router must be mapped to a local DLCI. The show frame-relay map command shows the mapping between IP address and DLCI and whether it was configured statically or learned dynamically through Inverse ARP:

RouterX#sh frame-relay map
Serial0/0/0 (up): ip 10.140.1.1 dlci 100(0x64,0x1840), dynamic, broadcast, CISCO, status defined, active

If you change the IP address of the remote router, use the clear frame-relay-inarp command to clear the Frame Relay map table of the local router. This lets Inverse ARP map the new address to the DLCI.

If the IP address of the remote router's interface does not appear in the map table, the remote router may not support Inverse ARP. Try creating the map by hand with the frame-relay map protocol protocol-address dlci [broadcast] command.

In addition, an access control list (ACL) applied to the interface may be affecting connectivity. To check whether an ACL is applied to the interface, use the show ip interface command. To remove an ACL from an interface temporarily and see whether it is affecting connectivity, use the no ip access-group acl_no {in | out} command in interface configuration mode.

Troubleshooting End-to-End Frame Relay Connectivity

End-to-end connectivity between hosts across the Frame Relay network depends on routing. If you are troubleshooting end-to-end connectivity across a Frame Relay network, check the routing table to see whether the routers have a route to the destination you are troubleshooting. Use the show ip route command to check the routing table:

RouterX#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

     172.16.0.0/24 is subnetted, 1 subnets
C       172.16.2.0 is directly connected, Loopback1
     10.0.0.0/24 is subnetted, 3 subnets
C       10.23.23.0 is directly connected, Serial0/0/1
C       10.2.2.0 is directly connected, FastEthernet0/0
     192.168.1.0/24 is variably subnetted, 3 subnets, 3 masks
C       192.168.1.64/28 is directly connected, Loopback0

If only directly connected routes appear in the routing table, the problem may be that the Frame Relay network is blocking the routing protocol updates. Because Frame Relay is NBMA, you must configure the routers to forward broadcast or multicast routing updates across the Frame Relay network. With Inverse ARP this capability is enabled automatically. With static Frame Relay maps, you must configure the broadcast keyword explicitly. The show frame-relay map command shows whether broadcast capability is enabled on the map, which is what allows routing updates to cross the Frame Relay network:

RouterX#sh frame-relay map
Serial0/0/0 (up): ip 10.140.1.1 dlci 100(0x64,0x1840), dynamic, broadcast, CISCO, status defined, active
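The checks in this lesson (LMI enquiries going unanswered, a missing or inactive map entry, a static map without the broadcast keyword) are all read off show frame-relay lmi and show frame-relay map. The following Python is an added example for this page, not Cisco's code or part of the course, that parses those two outputs and applies the checks. The healthy and failing LMI statistics and the dynamic map line are copied from this page; the static map line for 10.140.3.1 on DLCI 300 is constructed to show the missing-broadcast case.

```python
"""Triage 'show frame-relay lmi' and 'show frame-relay map' output.

Added example for this page; the parsing is mine, not Cisco's.  The LMI
statistics and the first map line are copied from the page, the static map
line is constructed.
"""
import re
from typing import Dict, List

GOOD_LMI = """LMI Statistics for interface Serial0 (Frame Relay DTE) LMI TYPE = CISCO
  Num Status Enq. Sent 113100           Num Status msgs Rcvd 113100
  Num Update Status Rcvd 0              Num Status Timeouts 0
"""

BAD_LMI = """LMI Statistics for interface Serial0/0/0 (Frame Relay DTE) LMI TYPE = CISCO
  Num Status Enq. Sent 236              Num Status msgs Rcvd 31
  Num Update Status Rcvd 0              Num Status Timeouts 206
  Last Full Status Req 00:00:38         Last Full Status Rcvd 00:00:38
"""

# First line copied from the page; second line constructed (static map, no 'broadcast').
SHOW_MAP = """Serial0/0/0 (up): ip 10.140.1.1 dlci 100(0x64,0x1840), dynamic, broadcast, CISCO, status defined, active
Serial0/0/0 (up): ip 10.140.3.1 dlci 300(0x12C,0x48C0), static, CISCO, status defined, active
"""

_COUNTERS = {
    "enq_sent": r"Num Status Enq\. Sent\s+(\d+)",
    "status_rcvd": r"Num Status msgs Rcvd\s+(\d+)",
    "timeouts": r"Num Status Timeouts\s+(\d+)",
}
_MAP_LINE = re.compile(
    r"^(?P<intf>\S+) \((?P<state>\w+)\): ip (?P<ip>\d+\.\d+\.\d+\.\d+) "
    r"dlci (?P<dlci>\d+)\((?P<hex>0x[0-9A-Fa-f]+),(?P<wire>0x[0-9A-Fa-f]+)\),(?P<flags>.*)$",
    re.MULTILINE,
)


def lmi_health(show_lmi: str) ->Dict[str, object]:
    """Counters plus a verdict.  Enquiries sent with few status messages back and a
    growing timeout count mean the router is not hearing its switch (LMI type
    mismatch, or a local loop that is up at Layer 1 only)."""
    result: Dict[str, object] = {}
    for key, pattern in _COUNTERS.items():
        m = re.search(pattern, show_lmi)
        result[key] = int(m.group(1)) if m else 0
    m = re.search(r"LMI TYPE\s*=\s*(\S+)", show_lmi)
    result["lmi_type"] = m.group(1) if m else None
    result["healthy"] = result["timeouts"] == 0 and result["status_rcvd"] > 0
    return result


def ios_wire_value(dlci: int) -> int:
    """DLCI bits in wire position, as IOS prints them: dlci 100(0x64,0x1840)."""
    return (((dlci >> 4) & 0x3F) << 10) | ((dlci & 0x0F) << 4)


def parse_maps(show_map: str) -> List[Dict[str, object]]:
    entries: List[Dict[str, object]] = []
    for m in _MAP_LINE.finditer(show_map):
        flags = [f.strip() for f in m.group("flags").split(",") if f.strip()]
        dlci = int(m.group("dlci"))
        entries.append({
            "interface": m.group("intf"), "up": m.group("state") == "up",
            "ip": m.group("ip"), "dlci": dlci,
            "wire_ok": int(m.group("wire"), 16) == ios_wire_value(dlci),
            "dynamic": "dynamic" in flags, "broadcast": "broadcast" in flags,
            "active": "active" in flags,
            "encap": next((f for f in flags if f in ("CISCO", "IETF")), None),
        })
    return entries


def map_problems(entries: List[Dict[str, object]], remote_ip: str) -> List[str]:
    """Apply the lesson's checks for one remote peer; an empty list means no finding."""
    matches = [e for e in entries if e["ip"] == remote_ip]
    if not matches:
        return [f"no map for {remote_ip}: peer may lack Inverse ARP; add a static frame-relay map"]
    problems = []
    for e in matches:
        if not e["active"]:
            problems.append(f"DLCI {e['dlci']} to {remote_ip} is not active: check show frame-relay pvc")
        if not e["dynamic"] and not e["broadcast"]:
            problems.append(f"static map to {remote_ip} on DLCI {e['dlci']} lacks 'broadcast': "
                            "routing updates will not cross it")
    return problems


if __name__ == "__main__":
    print(lmi_health(BAD_LMI))
    for ip in ("10.140.1.1", "10.140.2.1", "10.140.3.1"):
        print(ip, map_problems(parse_maps(SHOW_MAP), ip))
```

Dynamic maps get broadcast capability automatically, which is why the broadcast check is applied only to static entries, matching the text above.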

Figure for Lab 8-2: Troubleshooting Frame Relay WANs

WG    Router s0/0/0
A     10.140.1.2
B     10.140.2.2
C     10.140.3.2
D     10.140.4.2
E     10.140.5.2
F     10.140.6.2
G     10.140.7.2
H     10.140.8.2

Summary

There are three aspects to Frame Relay troubleshooting: troubleshooting the connection, troubleshooting the map from one router to another, and troubleshooting routing across the Frame Relay network. Use the show interfaces serial and show frame-relay lmi commands to check for Layer 1 and Layer 2 problems on the connection. Use the show frame-relay map and show frame-relay pvc commands to check connectivity between routers.