Chapter 1
Internetworking OSI
History:
When networks first came into being, computers could typically
communicate only with computers from the same manufacturer.
For example:
companies ran either a complete DECnet solution or an IBM
solution—not both together. In the late 1970s, the
Open Systems Interconnection (OSI) reference model
was created by the International Organization for
Standardization (ISO) to break this barrier.
The OSI model is the primary architectural model for networks.
Reference model:
_ A reference model is a conceptual blueprint of how communications should take place. The primary purpose of all such models, especially the OSI model, is to allow different vendors’ networks to interoperate.
_ It divides the network communication process into smaller and simpler components, thus aiding component development, design, and troubleshooting.
_ It allows multiple-vendor development through standardization of network components.
Connection-Oriented Communication
Flow Control:
Three types of flow control are buffering, windowing &
congestion avoidance:
+ Buffering: If a device receives packets too quickly for it to handle, it can store them in a memory section called a buffer and process them later.
_ It uses acknowledgments.
_ It uses flow control.
Window: The quantity of data segments (measured in bytes) that the transmitting machine is allowed to send without receiving an acknowledgment for them is called a window. Windows are used to control the amount of outstanding, unacknowledged data segments.
Acknowledgments
Reliable data delivery ensures the integrity of a stream of data
sent from one machine to the other through a fully functional
data link. It guarantees that the data won’t be duplicated or lost.
This is achieved through something called positive
acknowledgment with retransmission—a technique
The Network Layer:
The Network layer (also called layer 3) manages device
addressing, tracks the location of devices on the network, and
determines the best way to move data, which means that the
Network layer must transport traffic between devices that aren’t
locally attached.
Network addresses: Protocol-specific network addresses. A router must maintain a routing table for individual routing
the address and simply passes the required frame only to the machine that requires it. So it works node to node without disturbing the whole network. This means a switch has a single broadcast domain and multiple collision domains, as it works node to node in a LAN.
Routers are layer 3 devices that break up broadcast domains to create multiple networks and to provide internetwork connectivity.
Case Study:
Note: An example of broadcasting would be a DHCP request from a client PC. The client is asking for an IP address, but the client does not know how to reach the DHCP server. So, the client sends a DHCP Discover packet to EVERY PC in the local subnet (broadcast). But only the DHCP server will answer the request. Another simple example: if we have the LAN segment 192.168.100.0/24, then we can say that all IP addresses in the range 192.168.100.0/24 are in the same broadcast domain.
Collision Domain on Switch:
Each connection from a single PC to a Layer 2 switch is ONE collision domain. For example, if 2 PCs are connected with separate cables to a switch, we have 2 collision domains. If this switch is connected to another switch or a router, we have one more collision domain (3 collision domains in total). Please refer to Figure 1.1.1 (Collision Domain on Switch).
Ethernet Networking
Ethernet is a contention media access method that allows all
hosts on a network to share the same bandwidth of a link.
Ethernet is popular because it’s readily scalable, meaning that
it’s comparatively easy to integrate new technologies, such as
Fast Ethernet and Gigabit Ethernet, into an existing network
infrastructure.
Ethernet networking uses Carrier Sense Multiple Access with
Collision Detection (CSMA/CD), a protocol that helps devices
share the bandwidth evenly without having two devices transmit
at the same time on the network medium. CSMA/CD was
created to overcome the problem of those collisions that occur
_ SNAP
I’ll go over all four of the available Ethernet frames in the
upcoming sections.
Ethernet Addressing:
Here’s where we get into how Ethernet addressing works. It uses
the Media Access Control (MAC) address burned into each and
every Ethernet Network Interface Card (NIC). The MAC, or
hardware address, is a 48-bit (6-byte) address written in a
hexadecimal format. Figure 1.14 shows the 48-bit MAC
addresses and how the bits are divided.
FIGURE 1.14: Ethernet addressing using MAC addresses
Organizationally Unique Identifier (OUI), 24 bits (assigned by IEEE; includes the I/G and G/L bits) | Vendor assigned, 24 bits
The Cisco Three-Layer Hierarchical Model
The model simplifies the task of building a reliable, scalable, and less expensive hierarchical internetwork because, rather than focusing on packet construction, it focuses on the three functional areas, or layers, of your network. The following are the three layers and their typical functions:
_ The core layer: Backbone
_ The distribution layer: Routing
_ The access layer: Switching
End of Chapter 1
_____________________________
After mid
Chapter 2
Internet Protocols
The Process/Application Layer Protocols:
In this section, I’ll describe the different applications and
services typically used in IP networks.
The different protocols and applications covered in this section
include the following:
_Telnet
_FTP
_TFTP
_NFS
_SMTP
_LPD
_X Window
_SNMP
_DNS
_DHCP/BootP
Telnet
Telnet is the chameleon of protocols—its specialty is terminal
emulation. It allows a user on a remote client machine, called
the Telnet client, to access the resources of another machine, the
Telnet server.
File Transfer Protocol (FTP)
File Transfer Protocol (FTP) is the protocol that actually lets us
transfer files, and it can accomplish this between any two
machines using it. But FTP isn’t just a protocol; it’s also a
program. Operating as a protocol, FTP is used by applications.
Trivial File Transfer Protocol (TFTP)
Trivial File Transfer Protocol (TFTP) is a simplified version of FTP that allows files to be transferred from one computer to another over a network, usually without the use of client authentication (for example, username and password). It uses UDP.
Network File System (NFS)
Network File System (NFS) is a jewel of a protocol specializing in file sharing. It allows two different types of file systems to interoperate. A typical example is a virtualized environment where files on a Windows or Unix system are used by both systems.
actively use the GET message to check the CPU usage from time to time. In this case, the TRAP message is very suitable for that purpose, because the administrator would be informed by the device itself only when that event occurs. The figure below shows the direction of SNMP messages:
Router(config)#snmp-server enable traps link cisco
Of course, we have to configure an SNMP Manager on a
computer with these community strings so that they can
communicate.
Domain Name Service (DNS)
Domain Name Service (DNS) resolves hostnames—specifically, Internet names, such as www.routersim.com. You don’t have to use DNS; you can just type in the IP address of any device you want to communicate with. An IP address identifies hosts on a network and the Internet as well. DNS is used to resolve a fully qualified domain name (FQDN), for example, www.lammle.com or todd.lammle.com. An FQDN is a hierarchy that can logically locate a system based on its domain identifier.
Dynamic Host Configuration Protocol (DHCP)/BootP
(Bootstrap Protocol)
In an IP environment, before a computer can communicate with another one, both need to have their own IP addresses. There are two ways of configuring an IP address on a device:
+ Statically assign an IP address. This means we manually type an IP address for this computer.
+ Use a protocol so that the computer can obtain its IP address automatically (dynamically).
The most popular protocol nowadays to do this task is called Dynamic Host Configuration Protocol (DHCP), and we will learn about it in this tutorial.
(*) Note: In fact, the DHCPOFFER is a layer 3 broadcast message (the IP destination is 255.255.255.255) but a layer 2 unicast message (the MAC destination is the MAC of the DHCP
Router(dhcp-config)#domain-name 9tut.com
Router(dhcp-config)#exit
Notice that your laptop can choose any available source port, but it must use the pre-defined destination ports for well-known services. Port numbers are defined in three ranges:
+ Well-known port numbers (0 through 1023): assigned to key or core services that systems offer.
+ Registered port numbers (1024 through 49151): assigned to industry applications and processes (for example, 1433 is assigned to the Microsoft SQL Server process).
+ Dynamic port numbers (49152 through 65535): used as temporary ports for specific communications. Our laptop can use these ports for communication.
The table below lists TCP ports for well-known services:
TCP Port   Service   Description
Note: Both TCP and UDP use multiplexing with port numbers
for their services.
Flow-control using windowing
In the TCP header there is a field called “Window” which plays
an important role in the TCP transmission. A “Window”
specifies the number of segments the sender can forward
without receiving an acknowledgment. It is the key to transfer
data and flow control efficiently. Let’s see how it works!
After the TCP connection has been established, both the client
and server use this Window field to tell the other how many
bytes of data it is willing to receive at one time before sending
an acknowledgement to the sender. The larger the window size
number (in bytes), the greater the amount of data that the host
can transmit. For example, with a Window size of 1 (byte),
every one byte must be acknowledged before sending the next
one.
As you can see, the bigger the Window size, the fewer ACKs need to be sent and the more efficient the transmission is. So, the receiver will try to increase the Window size after each successful transmission so that the sender can send more. But the Window size cannot increase forever: TCP stops increasing the Window size when the receiver does not send an ACK (within a specific time period) or when the Window size reaches its maximum value. If congestion occurs on the link, then TCP may decrease the Window size.
The window size is variable during the lifetime of a connection, so we often refer to it as a “sliding window”.
If the sender does not receive the ACK in time, it knows that the segments should be resent and that the transmission rate should be slowed down. Suppose Host A did not receive the expected ACK 7; then it knows segments 4, 5, 6 should be resent.
just detects it.
+ Error recovery: detecting errors and repairing them.
To achieve error detection, TCP adds some extra bits to the data, called a checksum. A TCP sender computes the checksum value based on the contents of the TCP header and data fields. This 16-bit value will be compared with the value the receiver generates using the same computation. If the values match, the receiver can believe that the segment arrived intact. If the values do not match, the receiver indicates that an error occurred; the segment is discarded, and a notification will be sent to the receiver depending on how the TCP stack is implemented on the receiver’s operating system.
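To make the checksum computation concrete, here is an added Python example (not code from this text) that builds a TCP segment, computes the 16-bit one's-complement checksum over the IPv4 pseudo-header plus TCP header and data, verifies it the way a receiver does, and shows that a single flipped bit is detected and the segment would be discarded. The addresses, ports and payload are constructed sample values; the function names are my own.

```python
import struct


def ones_complement_sum(data: bytes) -> int:
    """Add the data as 16-bit big-endian words, folding carries back in (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"                       # odd length: pad with a zero byte
    total = 0
    for i in range(0, len(data), 2):
        total += (data[i] << 8) | data[i + 1]
        total = (total & 0xFFFF) + (total >> 16)   # end-around carry
    return total


def pseudo_header(src_ip: bytes, dst_ip: bytes, tcp_length: int) -> bytes:
    """IPv4 pseudo-header: source, destination, zero byte, protocol 6 (TCP), TCP length."""
    return src_ip + dst_ip + struct.pack("!BBH", 0, 6, tcp_length)


def tcp_checksum(src_ip: bytes, dst_ip: bytes, segment: bytes) -> int:
    """Sender side: the checksum field (bytes 16-17) counts as zero while computing."""
    zeroed = segment[:16] + b"\x00\x00" + segment[18:]
    total = ones_complement_sum(pseudo_header(src_ip, dst_ip, len(segment)) + zeroed)
    return (~total) & 0xFFFF


def build_segment(src_ip, dst_ip, src_port, dst_port, seq, ack, flags, window, payload=b""):
    """20-byte TCP header (data offset 5, no options) plus payload, checksum filled in."""
    header = struct.pack("!HHIIBBHHH", src_port, dst_port, seq, ack,
                         5 << 4, flags, window, 0, 0)
    segment = header + payload
    csum = tcp_checksum(src_ip, dst_ip, segment)
    return segment[:16] + struct.pack("!H", csum) + segment[18:]


def segment_is_intact(src_ip, dst_ip, segment) -> bool:
    """Receiver side: summing everything including the checksum must give 0xFFFF,
    whose complement is zero; anything else means the segment is discarded."""
    total = ones_complement_sum(pseudo_header(src_ip, dst_ip, len(segment)) + segment)
    return (~total & 0xFFFF) == 0


def flip_bit(segment: bytes, bit_index: int) -> bytes:
    """Simulate a transmission error by inverting one bit of the segment."""
    out = bytearray(segment)
    out[bit_index // 8] ^= 0x80 >> (bit_index % 8)
    return bytes(out)


# Constructed sample values (not from the text): a SYN from 192.168.1.10 to 192.168.1.20:80
SRC_IP, DST_IP = bytes([192, 168, 1, 10]), bytes([192, 168, 1, 20])
SYN = 0x02
SAMPLE = build_segment(SRC_IP, DST_IP, 49152, 80, seq=1000, ack=0, flags=SYN,
                       window=65535, payload=b"constructed sample payload")


def demo():
    """Returns (intact as sent, intact after a single-bit error)."""
    return (segment_is_intact(SRC_IP, DST_IP, SAMPLE),
            segment_is_intact(SRC_IP, DST_IP, flip_bit(SAMPLE, 3)))


if __name__ == "__main__":
    print(demo())   # (True, False)
```

The checksum is an error-detection code, not an integrity protection: an attacker who can rewrite a segment can recompute it, which is why tampering on the wire must be addressed by cryptographic means above or below TCP rather than by the checksum.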
To achieve error recovery, TCP uses the Sequence number (at
the sender’s side) and Acknowledgement fields (at the receiver’s
side) in the TCP header. These two fields are also used to find
out lost, duplicated segments. Let’s see an example.
In the transmission below, Host A sends three segments 1, 2, 3 to Host B. Segment 2 was lost while segment 3 arrived at Host B. Then Host B replied with an ACK 2, implying that it is expecting segment 2 next. Host A can re-send another segment 2 to recover the lost segment. If Host B receives that segment it will ask for segment 4 (because it already has segment 3).
Error recovery
You may ask “what will happen if the ACK 2 sent from Host B
is also lost?” In fact, after sending each segment Host A sets a
retransmission timer, just in case the ACK is lost (or all the
sending segments are lost; Host B would not send ACK in this
case because it did not receive anything). If this timer expires,
Host A will send all the segments again.
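The exchange just described (segments 1, 2, 3; segment 2 lost; ACK 2; retransmission; ACK 4; and the timer expiry when an ACK is lost) can be traced in code. The following Python simulation is an added example, not part of this text: segment numbers stand in for sequence numbers, Host B keeps out-of-order segments and replies with a cumulative ACK naming the next segment it expects, Host A retransmits the segment named by the ACK, and a lost ACK expires the timer so the whole window is resent. Which segments and ACKs are lost is supplied by the caller; the class and function names are my own.

```python
from dataclasses import dataclass, field


@dataclass
class Receiver:
    """Host B: delivers segments in order and answers with a cumulative ACK."""
    expected: int = 1                          # next segment number wanted
    buffer: set = field(default_factory=set)   # out-of-order segments are kept
    delivered: list = field(default_factory=list)

    def receive(self, seg_no: int) -> int:
        self.buffer.add(seg_no)
        while self.expected in self.buffer:    # release everything now contiguous
            self.delivered.append(self.expected)
            self.expected += 1
        return self.expected                   # ACK n means "I have everything below n"


def simulate(total, window, drop_segments=frozenset(), drop_acks=frozenset(), max_rounds=20):
    """Host A sends `total` segments with the given window. Segments in
    drop_segments are lost on their first transmission; ACKs in drop_acks are
    lost once. Returns (event log, segments delivered in order at Host B)."""
    rx = Receiver()
    base = 1              # oldest unacknowledged segment
    next_new = 1          # first segment never sent so far
    transmitted = set()
    lost_acks_seen = set()
    resend_all = True     # the first round sends the whole window
    log = []
    for _ in range(max_rounds):
        if base > total:
            break
        limit = min(base + window, total + 1)
        if resend_all:                         # timer expiry: everything from base again
            to_send = list(range(base, limit))
        else:                                  # ACK-driven: the missing one, plus new data
            to_send = sorted({base} | set(range(next_new, limit)))
        ack = None
        for s in to_send:
            first = s not in transmitted
            transmitted.add(s)
            next_new = max(next_new, s + 1)
            if first and s in drop_segments:
                log.append(f"A -> B: segment {s} LOST")
                continue
            log.append(f"A -> B: segment {s}" + ("" if first else " (retransmit)"))
            ack = rx.receive(s)
        if ack is None:
            log.append("A: timer expires (nothing reached B), resend whole window")
            resend_all = True
            continue
        if ack in drop_acks and ack not in lost_acks_seen:
            lost_acks_seen.add(ack)
            log.append(f"B -> A: ACK {ack} LOST; A: timer expires, resend whole window")
            resend_all = True
            continue
        log.append(f"B -> A: ACK {ack} (expecting segment {ack} next)")
        base = ack
        resend_all = False
    return log, rx.delivered


if __name__ == "__main__":
    for line in simulate(3, 3, drop_segments={2})[0]:   # the scenario from the text
        print(line)
    for line in simulate(3, 3, drop_acks={4})[0]:       # the "ACK is lost" question
        print(line)
```

Running it with a window of 1 versus 3 for six segments also shows the point made about window size: six ACKs are needed in the first case and only two in the second.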
Note: UDP does support error detection (via checksum) but it
does not support error recovery. If UDP finds a corrupted
segment, it just simply drops it.
Let’s sum up all the things we have learned about TCP and UDP so far.
Same:
+ Both TCP and UDP operate at the Transport Layer
+ Both TCP and UDP use multiplexing via port numbers
Difference:
TCP                   UDP
Reliable              Unreliable
Connection-oriented   Connectionless
TCP Header (20 bytes)
Notice the FLAG fields (between the “Reserved” and “Window Size” fields). If the SYN bit is turned on, it is a SYN message. If the ACK bit is turned on, it is an ACK message. If both SYN and ACK bits are turned on, it is a SYN-ACK message.
And this is the UDP header:
UDP Header (8 bytes)
ICMP header:
 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|     Type      |     Code      |     ICMP header checksum      |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                           Data :::                            |
Type. 8 bits. Specifies the format of the ICMP message.
255: you would then count up every bit spot because each is turned on. It would look like this:
128 + 64 + 32 + 16 + 8 + 4 + 2 + 1 = 255
which demonstrates the maximum value of a byte.
There are plenty of other decimal values that a binary number can equal. Let’s work through a few examples:
10010110
Which bits are on? The 128, 16, 4, and 2 bits are on, so we’ll just add them up: 128 + 16 + 4 + 2 = 150.
01101100
Which bits are on? The 64, 32, 8, and 4 bits are on, so we just need to add them up: 64 + 32 + 8 + 4 = 108.
11101000
Which bits are on? The 128, 64, 32 and 8 bits are on, so just add the values up: 128 + 64 + 32 + 8 = 232.
Table 2.5 is a table you should memorize before braving the subnetting section in Chapter 3.
TABLE 2.5 Binary to Decimal Memorization Chart
Binary Value   Decimal Value
10000000       128
11000000       192
11100000       224
11110000       240
11111000       248
11111100       252
11111110       254
11111111       255
0xxxxxxx
If we turn the other 7 bits all off and then turn them all on, we’ll
find the Class A range of network addresses:
00000000 = 0
01111111 = 127
So, a Class A network is defined in the first octet between 0 and
127, and it can’t be less or more. (yes, I know 0 and 127 are not
valid in a class A network—I’ll talk about illegal addresses in a
minute.)
Network Address Range: Class B
In a Class B network, the RFCs state that the first bit of the first
byte must always be turned on, but the second bit must always
be turned off. If you turn the other 6 bits all off and then all on,
you will find the range for a Class B network:
10000000 = 128
10111111 = 191
As you can see, a Class B network is defined when the first byte
is configured from 128 to 191.
Network Address Range: Class C
For Class C networks, the RFCs define the first 2 bits of the first
octet as always turned on, but the third bit can never be on.
Following the same process as the previous classes, convert
76
from binary to decimal to find the range. Here’s the range for a
Class C network:
11000000 = 192
11011111 = 223
So, if you see an IP address that starts at 192 and goes to 223,
you’ll know it is a Class C IP address.
Network Address Ranges: Classes D and E
The addresses between 224 and 255 are reserved for Class D
and E networks. Class D (224–239) is used for multicast
addresses and Class E (240–255) for scientific purposes, but I’m
not going into these types of addresses in this book (and you
don’t need to know them).
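The "turn the free bits all off, then all on" procedure and the bit additions above are mechanical enough to automate. The following Python helpers are an added example (not code from this text): one converts an 8-bit string to decimal by listing the bit values that are on, one derives each class's first-octet range from its fixed leading bits, and one classifies a first octet the same way. It also covers Classes D and E, which the text skips; the function and constant names are my own.

```python
def binary_octet_to_decimal(bits: str):
    """Decimal value of an 8-bit string, plus the place values that are 'on'."""
    if len(bits) != 8 or set(bits) - {"0", "1"}:
        raise ValueError("expected exactly 8 binary digits")
    on = [128 >> i for i, b in enumerate(bits) if b == "1"]   # 128, 64, ..., 1
    return sum(on), on


# Fixed leading bits of the first octet for each class (D and E added here)
CLASS_PREFIX = {"A": "0", "B": "10", "C": "110", "D": "1110", "E": "1111"}


def class_range(cls: str):
    """Turn the remaining bits all off, then all on, to get the first-octet range."""
    prefix = CLASS_PREFIX[cls]
    free = 8 - len(prefix)
    return int(prefix + "0" * free, 2), int(prefix + "1" * free, 2)


def address_class(first_octet: int) -> str:
    """Match the leading bits of the first octet against each class prefix."""
    if not 0 <= first_octet <= 255:
        raise ValueError("octet out of range")
    bits = f"{first_octet:08b}"
    for cls, prefix in CLASS_PREFIX.items():
        if bits.startswith(prefix):
            return cls
    raise AssertionError("unreachable: every 8-bit pattern matches a prefix")


def default_mask(cls: str):
    """Classful network/node split: A = network.node.node.node, and so on.
    Classes D and E have no default mask, so None is returned for them."""
    return {"A": "255.0.0.0", "B": "255.255.0.0", "C": "255.255.255.0"}.get(cls)


if __name__ == "__main__":
    for b in ("10010110", "01101100", "11101000"):
        value, on = binary_octet_to_decimal(b)
        print(b, "=", " + ".join(map(str, on)), "=", value)
    for cls in CLASS_PREFIX:
        print("Class", cls, "first octet", class_range(cls), "mask", default_mask(cls))
```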
Network Addresses: Special Purpose
Some IP addresses are reserved for special purposes, so network
administrators can’t ever assign these addresses to nodes. Table
2.7 lists the members of this exclusive little club and the reasons
why they’re included in it.
Class A Addresses
In a Class A network address, the first byte is assigned to the
network address, and the three remaining bytes are used for the
node addresses. The Class A format is:
network.node.node.node
TABLE 2.7 Reserved IP Addresses
Address                       Function
Network address of all 0s     Interpreted to mean “this network or segment.”
Network address of all 1s     Interpreted to mean “all networks.”
Network 127.0.0.1             Reserved for loopback tests. Designates the local node and allows that node to send a test packet to itself without generating network traffic.
Node address of all 0s        Interpreted to mean “network address” or any host on the specified network.
OK, you are right :), in the above example we don’t see its usefulness, but you now understand the fundamentals of NAT! Let’s take another example!
Suppose your company has 500 employees but your Internet Service Provider (ISP) only gives you 50 public IP addresses. It means that you can only allow 50 hosts to access the Internet at the same time. Here NAT comes to save your life!
One thing you should notice is that in real life, not all of your employees use the Internet at the same time. Say, maybe 50 of them use the Internet to read the newspaper in the morning; 50 others use the Internet at noon for checking mail… By using NAT, you can dynamically assign these 50 public IP addresses to those who really need them at that time. This is called dynamic NAT. But the above NAT solution does not solve our problem completely, because on some days there can be more than 50 people surfing the web in the morning. In this case, only the first 50 people can access the Internet; the others must wait their turn. Another problem is that, in fact, your ISP gives you far fewer IP addresses than 50, because each public IP is very precious now.
To solve the two problems above, another feature of NAT can be used: NAT Overload, sometimes called Port Address Translation (PAT).
PAT permits multiple devices on a local area network (LAN) to be mapped to a single public IP address with different port numbers. Therefore, it’s also known as port address translation (PAT). When using PAT, the router maintains unique source port numbers on the inside global IP address to distinguish between translations. In the below example, each host is
NAT terms:
* Inside local address – The IP address assigned to a host on
the inside network. The address is usually not an IP address
assigned by the Internet Network Information Center (InterNIC)
or service provider. This address is likely to be an RFC 1918
private address.
* Inside global address – A legitimate IP address assigned by
the InterNIC or service provider that represents one or more
inside local IP addresses to the outside world.
* Outside local address – The IP address of an outside host as
it is known to the hosts on the inside network.
* Outside global address – The IP address assigned to a host
on the outside network. The owner of the host assigns this
address.
Subnetting Basics
In Chapter 2, you learned how to define and find the valid host ranges used in a Class A, Class B, and Class C network address by turning the host bits all off and then all on. This is very good, but here’s the catch: you were only defining one network. What happens if you wanted to take one network address and create six networks from it? You would have to do something called subnetting, because that’s what allows you to take one larger network and break it into a bunch of smaller networks. There are loads of reasons in favor of subnetting. Some of the benefits include:
Reduced network traffic
We all appreciate less traffic of any kind. Networks are no different. Without trusty routers, packet traffic could grind the entire network down to a near standstill. With routers, most traffic will stay on the local network; only packets destined for
255.240.0.0 /12
255.248.0.0 /13
255.252.0.0 /14
255.254.0.0 /15
255.255.0.0 /16
255.255.128.0 /17
255.255.192.0 /18
255.255.224.0 /19
255.255.240.0 /20
255.255.248.0 /21
255.255.252.0 /22
255.255.254.0 /23
255.255.255.0 /24
255.255.255.128 /25
255.255.255.192 /26
255.255.255.224 /27
255.255.255.240 /28
255.255.255.248 /29
255.255.255.252 /30
For subnetting, one must be familiar with the binary and decimal systems.
Binary system:
It is based on two digits (0, 1), e.g. 179 = 1011 0011.
How it works:
(10110011) base 2, place values: 2^7 2^6 2^5 2^4 2^3 2^2 2^1 2^0
Working on the place values (mapping), we add the bits that are on to get the decimal number 179:
2^7 + 2^5 + 2^4 + 2^1 + 2^0 = 128 + 32 + 16 + 2 + 1 = 179
Decimal System:
So, in fact, we can say the two methods above are the same!
Subnetting Class C Addresses
There are many different ways to subnet a network. The right way is the way that works best for you. First, I’ll show you how to use the binary method, and then we’ll look at an easier way to do the same thing. In a Class C address, only 8 bits are available for defining the hosts. Remember that subnet bits start at the left and go to the right, without skipping bits. This means that the only Class C subnet masks can be the following:
Binary     Decimal   CIDR
---------------------------------------------------------
10000000 = 128       /25
11000000 = 192       /26
11100000 = 224       /27
11110000 = 240       /28
11111000 = 248       /29
11111100 = 252       /30
We can’t use a /31 or /32 because we have to have at least 2 host bits for assigning IP addresses to hosts.
Example 1: 192.168.3.55/24
255.255.255.0 (given in the exam question).
Question: To which network does this host IP address belong?
Equal to decimal:
192 . 168 . 3 . 0
Example 2: To which network does the given IP address belong?
192.168.3.55/28
255.255.255.240
11000000.10101000.00000011.00110111 (192.168.3.55)
11111111.11111111.11111111.11110000 (255.255.255.240)
After the logical AND operation:
----------------------------------------------------
11000000.10101000.00000011.00110000
192.168.3.48
Answer: 192.168.3.48
The “1” digit in red in the subnet mask indicates the magic number, which we will discuss later on.
Example 3:
Given IP address = 192.168.1.55
N N N H
Note: N = Network, H = Host
Subnet mask = 255.255.255.192 (/26)
Solution: we know the default subnet mask of a classful Class C address is 255.255.255.0, so we borrow two subnet bits from the host portion.
So, the magic number (MN) is 64 and our subnetworks start from 0 and go up in increments of 64, giving the 4 subnetworks listed below. Note that the first subnetwork starts at 0.
Subnetwork     Network address   Usable/valid hosts
Subnetwork 1   192.168.1.0       192.168.1.1 - 192.168.1.62
Subnetwork 2   192.168.1.64      192.168.1.65 - 192.168.1.126
Subnetwork 3   192.168.1.128     192.168.1.129 - 192.168.1.190
Subnetwork 4   192.168.1.192     192.168.1.193 - 192.168.1.254
each subnet. First, find the address of each subnet using the
block size (increment). Second, find the broadcast address of
each subnet increment (it’s always the number right before the
next valid subnet), then just fill in the host addresses. The
following table shows the available subnets, hosts, and broadcast
addresses provided from a Class C 255.255.255.240 mask.
Cisco has figured out that most people cannot count in sixteens and therefore have a hard time finding valid subnets, hosts, and broadcast addresses with the Class C 255.255.255.240 mask. You’d be wise to study this mask.
Practice Example #4: 255.255.255.248 (/29)
Let’s keep practicing:
192.168.10.0 = Network address
255.255.255.248 = Subnet mask
_ Subnets? 248 in binary = 11111000. 2^5 = 32.
_ Hosts? 2^3 – 2 = 6.
_ Valid subnets? 256 – 248 = 8, so the subnets are 0, 8, 16, 24, 32, 40, 48, 56, 64, 72, 80, 88, 96, 104, 112, 120, 128, 136, 144, 152, 160, 168, 176, 184, 192, 200, 208, 216, 224, 232, 240, and 248.
_ Broadcast address for each subnet?
_ Valid hosts?
Subnet       0   16   32   48   64   80   96  112  128  144  160  176  192  208  224  240
First host   1   17   33   49   65   81   97  113  129  145  161  177  193  209  225  241
Last host   14   30   46   62   78   94  110  126  142  158  174  190  206  222  238  254
Broadcast   15   31   47   63   79   95  111  127  143  159  175  191  207  223  239  255
Subnets = 2^4 = 16
Addresses per subnet = 2^4 = 16
Subnets:
1. 192.168.2.0       9. 192.168.2.128
2. 192.168.2.16     10. 192.168.2.144
3. 192.168.2.32     11. 192.168.2.160
4. 192.168.2.48     12. 192.168.2.176
5. 192.168.2.64     13. 192.168.2.192
6. 192.168.2.80     14. 192.168.2.208
7. 192.168.2.96     15. 192.168.2.224
8. 192.168.2.112    16. 192.168.2.240
Subnetwork           Valid hosts per network        Broadcast
1 (192.168.2.0)      192.168.2.1 - 192.168.2.14     192.168.2.15
2 (192.168.2.16)     192.168.2.17 - 192.168.2.30    192.168.2.31
3 (192.168.2.32)     192.168.2.33 - 192.168.2.46    192.168.2.47
and so on.
.224 is a network address, .47 is a broadcast address, .160 is a network address and .192 is also a network address, so we cannot assign them to hosts.
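The logical AND, the magic number (block size), and the subnet/first host/last host/broadcast listing used in the examples above can all be done with plain integer arithmetic. The following Python code is an added example, not part of this text: it works from a dotted address and a prefix length, uses no networking library so that the AND with the mask is visible, and reproduces the 192.168.3.55/28, 192.168.1.0/26, 192.168.10.0/29 and 192.168.2.0/28 results from the examples. The function and parameter names are my own.

```python
def ip_to_int(ip: str) -> int:
    """'192.168.3.55' -> 32-bit integer; rejects anything that is not four octets."""
    octets = [int(o) for o in ip.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"bad IPv4 address: {ip}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]


def int_to_ip(n: int) -> str:
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def prefix_to_mask(prefix: int) -> int:
    """/28 -> 0xFFFFFFF0: subnet bits start at the left and run right without gaps."""
    if not 0 <= prefix <= 32:
        raise ValueError("prefix must be between 0 and 32")
    return (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF


def dotted_binary(ip: str) -> str:
    """The octet-by-octet binary form written out in Example 2."""
    return ".".join(f"{int(o):08b}" for o in ip.split("."))


def network_address(ip: str, prefix: int) -> str:
    """Logical AND of the address and the mask."""
    return int_to_ip(ip_to_int(ip) & prefix_to_mask(prefix))


def magic_number(prefix: int) -> int:
    """Block size in the octet of interest: 256 minus the first mask octet below 255."""
    if prefix == 32:
        return 1
    octets = int_to_ip(prefix_to_mask(prefix)).split(".")
    return 256 - next(int(o) for o in octets if int(o) != 255)


def subnets(base_network: str, base_prefix: int, new_prefix: int):
    """Every subnet obtained by extending base_prefix to new_prefix, with its first
    host, last host and broadcast (the address right before the next subnet)."""
    if not base_prefix <= new_prefix <= 30:
        raise ValueError("need at least 2 host bits and a prefix no shorter than the base")
    base = ip_to_int(base_network) & prefix_to_mask(base_prefix)
    size = 1 << (32 - new_prefix)                       # the increment
    rows = []
    for i in range(1 << (new_prefix - base_prefix)):    # 2^(borrowed bits) subnets
        net = base + i * size
        rows.append({"network": int_to_ip(net),
                     "first_host": int_to_ip(net + 1),
                     "last_host": int_to_ip(net + size - 2),
                     "broadcast": int_to_ip(net + size - 1)})
    return rows


def locate(ip: str, prefix: int):
    """The subnet an address falls in, and whether it is a usable host address
    (neither the network address nor the broadcast address)."""
    net = ip_to_int(ip) & prefix_to_mask(prefix)
    offset = ip_to_int(ip) - net
    size = 1 << (32 - prefix)
    return int_to_ip(net), 0 < offset < size - 1


if __name__ == "__main__":
    print(dotted_binary("192.168.3.55"), "AND", dotted_binary("255.255.255.240"))
    print("=", network_address("192.168.3.55", 28), "magic number", magic_number(28))
    for row in subnets("192.168.1.0", 24, 26):
        print(row)
    print(locate("192.168.2.47", 28))   # broadcast of 192.168.2.32/28, not a host
```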
5. 196.16.8.0
6. 196.16.10.0
(goes up in increments of 2, i.e. even numbers)
192.168.144.0 & so on.
Valid hosts:
1. 196.16.0.1 - 196.16.1.254, broadcast address 196.16.1.255
2. 196.16.2.1 - 196.16.3.254, broadcast address 196.16.3.255
3. 196.16.4.1 - 196.16.5.254, broadcast address 196.16.5.255
and so on. In between, one subnet is 196.16.144.0; its valid hosts are 196.16.144.1 - 196.16.145.254 and its broadcast address will be 196.16.145.255.
Concluding remarks
Hence 196.16.144.99 is a valid host.
Practice Example #2: 255.255.240.0 (/20), IP 10.0.0.0
Another method
255.255.240.0 gives us 12 bits of subnetting and leaves us 12 bits for host addressing.
_ Subnets? 2^12 = 4096.
_ Hosts? 2^12 – 2 = 4094.
_ Valid subnets? 256 – 240 = 16. The subnets in the second octet are a block size of 1 and the subnets in the third octet are 0, 16, 32, etc.
_ Broadcast address for each subnet?
_ Valid hosts?
The following table shows some examples of the host ranges—the first three and the last subnets:
Magic number = 2
Octet of interest in the subnet mask = 2nd (.254)
Number of subnet bits = 7 bits
Number of host bits = 17 bits
Increment value for the next subnet = 2 + 2 = 4, and so on.
Subnets = 2^7 = 128
Hosts per subnet = 2^17 = 131072
Subnets:
1. 110.0.0.0
2. 110.4.0.0
3. 110.6.0.0
4. 110.8.0.0
5. 110.10.0.0
6. 110.12.0.0 and so on
Valid hosts for each subnet:
1. 110.0.0.1 - 110.3.255.254
2. 110.4.0.1 - 110.5.255.254
3. 110.6.0.1 - 110.7.255.254
4. 110.8.0.1 - 110.9.255.254
So, 110.8.67.101 is a valid host address on subnet 110.8.0.0 (4th subnet).
------------------------------------------------------------------------------
Variable Length Subnet Masks (VLSMs)
Creating many networks from a single network using subnet masks of different lengths on different types of network designs is called VLSM networking. Two terms are used with VLSM: classful and classless.
Classful routing assumes that all interfaces within the classful address space have the same subnet mask; RIP and IGRP are both considered classful routing protocols. Classless routing protocols, however, do support the advertisement of subnet information. Therefore, you can use VLSM with routing protocols such as RIPv2, EIGRP, or OSPF.
_ EIGRP and OSPF will be discussed later.
In short, all subnets use the same subnet mask in classful addressing, whereas in classless addressing subnets use different sizes to save addresses.
In real-life scenarios, some subnets may require a large number of host addresses while others may require only a few addresses.
Example:
Company has three departments connected with wan links.
Development department has 74 computers.
Production department has 52 computers.
Administrative department has 28 computers.
All departments are connected with each other via
wan link.
Each wan link requires two IP addresses.
No.  Segment         Hosts required
1    Development     74
2    Production      52
3    Administrative  28
4    Wan link 1      2
5    Wan link 2      2
6    Wan link 3      2
Segment          Requirement   CIDR   Network ID       Broadcast ID
Development      74            /25    192.168.1.0      192.168.1.127
Production       52            /26    192.168.1.128    192.168.1.191
Administrative   28            /27    192.168.1.192    192.168.1.223
Wan Link 1       2             /30    192.168.1.224    192.168.1.227
Wan Link 2       2             /30    192.168.1.228    192.168.1.231
Wan Link 3       2             /30    192.168.1.232    192.168.1.235
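The allocation above can be produced programmatically: each requirement is rounded up to the smallest block with at least that many usable addresses, and blocks are assigned largest first so that every block starts on a boundary aligned to its own size. The following Python code is an added example (not code from this text) that uses the standard ipaddress module and the department figures from the example; it also reports when the base network is too small for the requirements. The allocate_vlsm and prefix_for_hosts names are mine.

```python
import ipaddress


def prefix_for_hosts(hosts: int) -> int:
    """Smallest prefix whose block has at least `hosts` usable addresses (2^h - 2)."""
    if hosts < 1:
        raise ValueError("need at least one host")
    host_bits = 2                                  # /30 is the smallest usable block
    while (1 << host_bits) - 2 < hosts:
        host_bits += 1
    return 32 - host_bits


def allocate_vlsm(base_cidr: str, requirements):
    """requirements: list of (segment name, hosts needed). Returns one row per
    segment in allocation order: largest block first, so each block starts on a
    boundary that is a multiple of its own size and nothing overlaps."""
    base = ipaddress.ip_network(base_cidr)
    cursor = int(base.network_address)
    end = int(base.broadcast_address) + 1
    plan = []
    for name, hosts in sorted(requirements, key=lambda r: r[1], reverse=True):
        prefix = prefix_for_hosts(hosts)
        size = 1 << (32 - prefix)
        if cursor % size:                          # alignment guard (unused when sorted)
            cursor += size - cursor % size
        if cursor + size > end:
            raise ValueError(f"{base_cidr} exhausted before segment {name!r}")
        net = ipaddress.ip_network((cursor, prefix))
        plan.append({"segment": name, "requirement": hosts, "cidr": f"/{prefix}",
                     "network": str(net.network_address),
                     "broadcast": str(net.broadcast_address),
                     "usable": net.num_addresses - 2})
        cursor += size
    return plan


# Figures from the example above; the names are the departments in the text
REQUIREMENTS = [("Development", 74), ("Production", 52), ("Administrative", 28),
                ("Wan link 1", 2), ("Wan link 2", 2), ("Wan link 3", 2)]


if __name__ == "__main__":
    for row in allocate_vlsm("192.168.1.0/24", REQUIREMENTS):
        print(row)
```

Sorting is stable in Python, so segments with equal requirements (the three WAN links) keep the order in which they were listed.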
End chapter 2
___________________________________________________
Topic to be covered:
3.6 List the LAN switch types and describe how they work with layer-2 switches
3.7 Configure and verify initial switch configuration including remote access management
- hostname
- mgmt ip address
- ip default-gateway
- local user and password
- enable secret password
- console and VTY logins
- exec-timeout
- service password encryption
- copy run start
3.8 Describe how VLANs create logically separate networks and the need for routing between them
- Explain network segmentation and basic traffic management concepts
- Configure and verify VLANs
- Configure and verify trunking on Cisco switches
- dtp (topic)
- auto-negotiation
3.9 Identify enhanced switching technologies
- RSTP
- PVSTP
- Etherchannels
- Configure and verify PVSTP operation
- Describe root bridge election
- Spanning tree mode
Definition:
Layer-2 switching is hardware based, which means it uses the
MAC address from the host’s NIC cards to filter the network.
Switches use Application-Specific Integrated Circuits (ASICs)
to build and maintain filter tables. It is OK to think of a layer-2
switch as a multiport bridge. Layer-2 switches are fast because
they do not look at the Network layer header information,
looking instead at the frame’s hardware addresses before
deciding to either forward the frame or drop it.
Layer-2 switching provides the following:
Hardware-based bridging (MAC)
Wire speed
Low latency
Low cost
Limitation of L2 Switching
Layer-2 switches (bridges) cannot break up broadcast domains, which can cause performance issues and limit the size of your network. Broadcasts and multicasts, along with the slow
10101100.00010000.11111111.11111111 = 172.16.255.255
Frames are sent only to the specific network 172.16.
Loop Avoidance
Redundant links (multiple links) built between switch devices cause loops. As a result, switches broadcast frames to other switch devices (a broadcast storm), get confused, and can’t determine the location of a host MAC address. This phenomenon is called thrashing the MAC table.
The advantage of redundant links is failover: if one link goes down, the other link takes over the responsibility of the failed link. But at the same time, a loop occurs.
Suppose SwB receives the broadcast frame on fa0/0 first; then it will forward that frame out its two other links (fa0/1 and fa0/5 of SwB).
As you can see, SwA has sent 2 broadcast frames out of its fa0/0 and fa0/1; SwB receives each of them, creates 2 copies and sends one of them back to SwA (the other is sent to PC B). When SwA receives these broadcast frames it continues broadcasting them again out its other interfaces, and this will keep going forever until you shut down the network. This phenomenon is called a broadcast storm.
A broadcast storm consumes the entire bandwidth and denies bandwidth to normal network traffic. A broadcast storm is a serious network problem and can shut down an entire network in seconds.
Other problems:
Multiple frame transmission: Multiple copies of unicast frames may be delivered to destination stations. Many protocols expect to receive only a single copy of each transmission. Multiple copies of the same frame can cause unrecoverable errors. In the above example, if the first frame is not an ARP broadcast but a unicast, and SwA and SwB haven’t learned about the destination in that frame yet, then they flood the frame on all ports except the originating port. The same phenomenon occurs and PC B will receive more than one copy of that frame.
But how does STP decide which port should be blocked? The whole process is more complex than what is shown above. We will learn it in the next part.
How Spanning Tree Protocol (STP) works
STP must perform three steps to provide a loop-free network topology:
1. Elect one root bridge: one RB per network
2. Select one designated port on each network segment: one DP per segment
3. Select one root port per non-root bridge: one RP per NRB
Now let’s have a closer look from the beginning, when you have
just turned on the switches…
Switch Cost
Formula (original linear cost) = 10^9 / Bandwidth (in bps).
Bandwidth   STP cost (802.1D-1998 table)   10^9 / Bandwidth
10 Gbps     2                              1
1 Gbps      4                              1
100 Mbps    19                             10
The root bridge is the "factory" that originates BPDUs. A root port always accepts the best BPDU arriving on a port, found by distinguishing superior from inferior BPDUs, all of which originally come from the root bridge.
1. Elects one root bridge
A fun thing is that when turned on, each switch immediately claims itself as the root bridge and starts sending out multicast frames called Bridge Protocol Data Units (BPDUs), which are used to exchange STP information between switches.
Now the network reaches a state called convergence.
Convergence in STP occurs when all ports on bridges and
switches have transitioned to either forwarding or blocking
states. No data is forwarded until convergence is complete so the
time for convergence when network topology changes is very
important. Fast convergence is very desirable in large networks.
The normal convergence time is 50 seconds for 802.1D STP
(which is rather slow) but the timers can be adjusted.
Example
Step 3
One RP per non-root bridge (determined from the BPDUs entering and leaving the switch). The root port (RP) is the port that receives the best BPDU. The notation root/cost/sender/port below means root bridge ID, root path cost, sender bridge ID and sender port ID.
Switch A: will generate BPDUs (it is the root)
Switch B: will receive two BPDUs, A/4/A/1 (from A) and A/16/C/3 (from C)
Switch E: A/4/A/2 (from A), A/16/D/1 (from D)
Switch C: A/8/B/3 (from B), A/12/D/2 (from D)
Switch D: A/12/C/2 (from C), A/8/E/1 (from E)
On the D---C link, the port that is neither a DP nor an RP is put into blocking state once the STP election has converged.
STP switch port states
When STP is enabled, every switch in the network goes through the blocking state and the transitory states of listening and learning. The ports then stabilize in the forwarding or blocking state.
* Blocking – No user data is sent or received, but the port may go into forwarding mode if the other links in use fail and the spanning tree algorithm determines that the port may transition to the forwarding state. BPDUs are still received in the blocking state, but user frames are discarded and no MAC addresses are learned.
* Listening – The switch processes BPDUs and awaits possible new information that would cause it to return to the blocking state. It still discards user frames and does not learn MAC addresses.
When the lower link is broken, SwA must wait for Max Age seconds before it begins to transition the fa0/0 interface from the blocking to the listening state. In the listening state, it must wait for Forward Delay seconds to move to the learning state. Next it continues waiting for another Forward Delay seconds. If no BPDU is received, the port is then placed in the forwarding state. These three waiting periods of (by default) 20, 15, and 15 seconds create STP's relatively slow convergence.
Now let's consider how BPDUs are sent when there are 3 switches in the network. Cisco has a good Flash animation to demonstrate it, so please watch it at http://www.cisco.com/image/gif/paws/10556/spanning_tree1.swf
How STP performs when a link fails
Suppose we have a topology with three switches as shown below, in which SwA is elected the root bridge and the link between SwB and SwC is blocked. When STP has converged, the port roles are as shown above.
Now suppose the link between SwA and SwB goes down; let us see what STP will do and how.
Suppose all the switches have the same bridge priority, so the switch with the lowest MAC address becomes the root bridge -> Sw1 is the root bridge and therefore all of its ports will be Designated ports (forwarding).
The two fa0/0 ports on Sw2 and Sw3 are closest to the root bridge (in terms of path cost), so they will become root ports.
On the segment between Sw2 and Sw3, because Sw2 has a lower MAC than Sw3, it advertises the better BPDU on this segment -> fa0/1 of Sw2 will be the Designated port and fa0/1 of Sw3 will be the Alternate port.
Now for the two ports connecting to the hub: we know that there is only one Designated port for each segment (notice that the two ports fa0/2 & fa0/3 of Sw2 are on the same segment, as they are connected to a hub). The other port will be a Backup port according to the definition of Backup port above. But how does Sw2 select its Designated and Backup port? The decision process involves the following parameters inside the BPDU:
* Lowest path cost to the Root
* Lowest Sender Bridge ID (BID)
* Lowest Port ID
Both fa0/2 & fa0/3 of Sw2 have the same "path cost to the root" and "sender bridge ID", so the third parameter, "lowest port ID", is used. Because fa0/2 has the lower port ID, Sw2 selects fa0/2 as its Designated port.
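The BPDU comparison used in the Step 3 walk-through and in the Designated/Backup port decision above follows one rule: compare root bridge ID, then root path cost, then sender bridge ID, then sender port ID, and lower always wins. The following is an added example, not code from the page; the local port names (Gi0/1, Gi0/2) and the bridge IDs as plain strings are assumptions, and the A/4/A/1 shorthand is read as root/cost/sender/port.

```python
"""STP BPDU comparison and port-role selection. Added example, not from
the page; switch and port names are constructed. A BPDU is compared
field by field, and lower always wins: root bridge ID, then root path
cost, then sender bridge ID, then sender port ID."""
from dataclasses import dataclass


@dataclass(frozen=True, order=True)
class Bpdu:
    # Field order matters: dataclass ordering compares them left to right,
    # which is exactly the STP superiority order.
    root_id: str          # bridge ID of the claimed root (priority.MAC)
    root_path_cost: int   # cumulative cost from the sender to the root
    sender_id: str        # bridge ID of the switch that sent this BPDU
    sender_port_id: int   # port ID the sender used


def is_superior(a: Bpdu, b: Bpdu) -> bool:
    """True if BPDU a is better (lower) than BPDU b."""
    return a < b


def root_port(received: dict) -> str:
    """Root port of a non-root bridge: the port on which the best BPDU was
    received. received maps local port name -> Bpdu."""
    return min(received, key=received.__getitem__)


def designated_port(segment: dict) -> tuple:
    """Designated port on one segment. segment maps (switch, port) -> the
    Bpdu that port would send onto the segment; the owner of the best BPDU
    becomes DP, every other port on the segment is non-designated."""
    return min(segment, key=segment.__getitem__)


def parse_notation(text: str) -> Bpdu:
    """Read the page's root/cost/sender/port shorthand, e.g. 'A/16/C/3'."""
    root, cost, sender, port = text.split("/")
    return Bpdu(root, int(cost), sender, int(port))


if __name__ == "__main__":
    # Switch B from Step 3: it hears A/4/A/1 from A and A/16/C/3 from C.
    print(root_port({"Gi0/1": parse_notation("A/4/A/1"),
                     "Gi0/2": parse_notation("A/16/C/3")}))
    # Sw2's two hub-facing ports: same root, cost and sender, so the
    # lower port ID (fa0/2) wins the Designated role.
    print(designated_port({("Sw2", "fa0/2"): Bpdu("Sw1", 19, "Sw2", 2),
                           ("Sw2", "fa0/3"): Bpdu("Sw1", 19, "Sw2", 3)}))
```

The dataclass ordering does the whole job: because the fields are declared in STP's priority order, `a < b` is the superiority test, and `min()` over a set of received or advertised BPDUs picks the root port or the designated port respectively.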
STP port state   RSTP port state
Blocking         Discarding
Listening        Discarding
Learning         Learning
Forwarding       Forwarding
Disabled         Discarding
Although the learning state is also used in RSTP, it only lasts for a short time compared to STP. RSTP converges with all ports in either the forwarding or the discarding state.
RSTP Quick Summary:
RSTP provides faster convergence than 802.1D STP when topology changes occur.
* RSTP defines three port states: discarding, learning, and forwarding.
* RSTP defines five port roles: root, designated, alternate, backup, and disabled.
Note: RSTP is backward compatible with legacy 802.1D STP. If an RSTP-enabled port receives a (legacy) 802.1D BPDU, it automatically configures itself to behave like a legacy port: it then sends and receives 802.1D BPDUs only.
LAN Switch Types:
Store and forward: the complete data frame is received into the switch's buffer, a CRC check is run, and then the destination address is looked up in the MAC filter table.
Mode        Protocol   Description
on          None       Enables EtherChannel unconditionally. Recommended if the workstation/server does not support any negotiation protocols.
off         None       Disables EtherChannel unconditionally.
active      LACP       Initiates negotiation by sending LACP packets. Recommended if the workstation/server supports LACP.
desirable   PAgP       Initiates negotiation by sending PAgP packets. Recommended if the workstation/server supports PAgP.
Example
Let's take an example to see the benefits of this technology. Suppose your company has two switches connected to each other via a FastEthernet link (100 Mbps):
on your switches:
Example: EtherChannel on Catalyst switches
Speed settings
Duplex settings
STP settings
VLAN membership (for access ports)
Native VLAN (for trunk ports)
Allowed VLANs (for trunk ports)
Trunking Encapsulation (ISL or 802.1Q, for trunk ports)
----------------------------
Port-channel: Po1
Age of the Port -channel = 0d:00h:02m:37s
Logical slot/port = 2/1 Number of ports = 2
GC = 0x00010001 HotStandBy port = null
Port state = Port-channel Ag -Inuse
Protocol = LACP
Port security = Disabled
+ Destination IP address
+ Combination of Source and Destination MAC address
+ Combination of Source and Destination IP address
Note: Some old switch/router platforms do not support all the load-balancing methods above. To configure the load-distribution method, use the port-channel load-balance command in global configuration mode. For example, to load-balance based on destination MAC address, use the command:
Router(config)#port-channel load-balance dst-mac
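Why the choice of load-balancing method matters can be shown with a simplified model of per-flow hashing. The following is an added example and is not Cisco's hashing algorithm: it XORs the low-order byte of each selected address and takes the result modulo the number of member links, which is enough to reproduce the documented effect that hashing on a single field pins all traffic to one link when that field does not vary. The sample flows (eight clients to one server over a two-link bundle) are constructed.

```python
"""Simplified EtherChannel load distribution. Added example, not the
page's or Cisco's own code: the hash below (XOR of the low-order byte of
each selected field, modulo the number of member links) is a stand-in
that mimics per-flow hashing without being the exact hardware algorithm.
Flow values are constructed."""
from collections import Counter


def _mac_low_byte(mac: str) -> int:
    return int(mac.replace(".", "").replace(":", ""), 16) & 0xFF


def _ip_low_byte(ip: str) -> int:
    return int(ip.split(".")[-1]) & 0xFF


def select_member_link(method: str, flow: dict, n_links: int) -> int:
    """Return the index of the member link a flow is pinned to.
    method uses the same keywords as 'port-channel load-balance'."""
    fields = {
        "src-mac": [_mac_low_byte(flow["src_mac"])],
        "dst-mac": [_mac_low_byte(flow["dst_mac"])],
        "src-dst-mac": [_mac_low_byte(flow["src_mac"]),
                        _mac_low_byte(flow["dst_mac"])],
        "src-ip": [_ip_low_byte(flow["src_ip"])],
        "dst-ip": [_ip_low_byte(flow["dst_ip"])],
        "src-dst-ip": [_ip_low_byte(flow["src_ip"]),
                       _ip_low_byte(flow["dst_ip"])],
    }[method]
    h = 0
    for value in fields:
        h ^= value
    return h % n_links


def distribution(method: str, flows: list, n_links: int) -> dict:
    """Count how many flows land on each member link."""
    return dict(Counter(select_member_link(method, f, n_links) for f in flows))


# Constructed sample: eight clients talking to one server over a 2-link bundle.
SAMPLE_FLOWS = [
    {"src_mac": f"0000.0c00.00{0x10 + i:02x}", "dst_mac": "0000.0c00.0001",
     "src_ip": f"192.168.1.{10 + i}", "dst_ip": "192.168.2.1"}
    for i in range(8)
]

if __name__ == "__main__":
    print("dst-mac    :", distribution("dst-mac", SAMPLE_FLOWS, 2))
    print("src-dst-mac:", distribution("src-dst-mac", SAMPLE_FLOWS, 2))
```

With `dst-mac` every client-to-server flow hashes to the same link, so the bundle carries no more than a single member's bandwidth in that direction; `src-dst-mac` or `src-dst-ip` spreads the same flows across both members.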
End of Chapter 3
_________________________________________________
Chapter 4
Introduction to the Cisco IOS
This chapter will cover the following topics:
_Understanding and configuring the Cisco Internetwork Operating System (IOS)
_Connecting to a router
_Bringing up a router
_Logging into a router
_Understanding the router prompts
_Understanding the CLI prompts
_Performing editing and help features
_Gathering basic routing information
_Setting administrative functions
_Setting hostnames
_Setting banners
_Setting passwords
_Setting interface descriptions
_Performing interface configurations
_Viewing, saving, and erasing configurations
_Verifying routing configurations
Cisco IOS
The IOS is what runs Cisco routers as well as some Cisco switches, and it's what allows you to configure the devices, including switches (2960, 2950, etc.), routers (2800, 7200, etc.) as well as firewalls such as the 5400 series.
Some of the important things that the Cisco router IOS software
is responsible for include
_Carrying network protocols and functions
_Connecting high-speed traffic between devices
_Adding security to control access and stop unauthorized
network use
_Providing scalability for ease of network growth and
redundancy
_Supplying network reliability for connecting to network
resources
You can access the Cisco IOS through the console port of a router, from a modem into the auxiliary (Aux) port, or through Telnet. Access to the IOS command line is called an EXEC session.
Connecting to a Cisco Router
There are different ways to do this, but most often, the first place you would connect to is the console port. The console port is usually an RJ-45 (8-pin modular) connection located at the back of the router; by default, there's no password set.
Bringing Up a Router or Switch
When you first bring up a Cisco router, it will run a power-on
self-test (POST). If it passes, it will then look for and load the
Cisco IOS from flash memory—if an IOS file is present. (Just in
case you don’t know, flash memory is an electronically erasable
programmable read-only memory— an EEPROM.) After that,
the IOS loads and looks for a valid configuration—the startup-
config— that’s stored by default in nonvolatile RAM, or
NVRAM.
Types of memory
Generally, Cisco routers (and switches) contain four types of
memory:
Read-Only Memory (ROM): ROM stores the router’s bootstrap
startup program, operating system software, and power-on
diagnostic test programs (POST).
Flash Memory: Generally referred to simply as “flash”, the IOS
images are held here. Flash is erasable and reprogrammable
ROM. Flash memory content is retained by the router on reload.
And this is the process we can see on the screen when the router is turned on:
Router(config)#line vty 0 4
Router(config)#
Learning about modes is not difficult and you will get familiar
with them while configuring routers & switches. Just pay a little
attention to them each time you practice and surely you can
grasp them easily.
Note: By default, the enable secret password is encrypted, and
the enable password is not.
Hostname and Interface IP Address
Router(config)#hostname Comnetss
Router(config)#interface fa0/1
(The show ip interface brief command in privileged mode lists the status of all interfaces on the device.)
Router(config)#ip add 192.168.10.1 255.255.255.0
enable password.
1. From the privileged EXEC (or "enable") prompt, enter configuration mode and then switch to line configuration mode using the following commands. Notice that the prompt changes to reflect the current mode.
2. router#configure terminal
3. Enter configuration commands, one per line. End with CNTL/Z.
4. router(config)#line con 0
router(config-line)#
5. Configure the password, and enable password checking at login.
6. router(config-line)#password letmein
7. router(config-line)#login
8. Exit configuration mode.
9. router(config-line)#end
10. router#
%SYS-5-CONFIG_I: Configured from console by console
Note: Do not save configuration changes to line con 0 until your ability to log in has been verified.
Note: Under the line console configuration, login is a required configuration command to enable password checking at login. Console authentication requires both the password and the login commands to work.
Verify the Configuration
Examine the configuration of the router to verify that the
commands have been properly entered:
Certain show commands are supported by the Output Interpreter
Tool (registered customers only) , which allows you to view an
analysis of show command output.
router(config-line)#
9. Configure password checking at login.
10. router(config-line)#login local
11. Exit configuration mode.
12. router(config-line)#end
13. router#
%SYS-5-CONFIG_I: Configured from console by console
Note: In order to disable auto Telnet when you type a name on the CLI, configure no logging preferred on the line that is used. While transport preferred none provides the same output, it also disables auto Telnet for the defined hosts that are configured with the ip host command. This is unlike the no logging preferred command, which stops it for undefined hosts and lets it work for the defined ones.
Verify the Configuration
Examine the configuration of the router to verify that the
commands have been properly entered:
show running-config - displays the current configuration
of the router.
router#show running-config
Building configuration...
!
!--- Lines omitted for brevity
!
username russ password 0 montecito
username cindy password 0 belgium
End of chapter 4
____________________________________________
CHAPTER 5 IP Routing
13. Host B receives the frame and runs a CRC. If that checks
out, it discards the frame and hands the packet to IP. IP will then
check the destination IP address. Since the IP destination
address matches the IP configuration of Host B, it looks in the
protocol field of the packet to determine what the purpose of the
packet is.
14. Since the packet is an ICMP echo request, Host B generates
a new ICMP echo-reply packet with a source IP address of
Host B and a destination IP address of Host A. The process
starts all over again, except that it goes in the opposite direction.
However, the hardware address of each device along the path is
Example
Default Routing
Default routing is used to send packets with a remote destination
network not in the routing table to the next hop router. You can
only use default routing on stub networks, which means that
they have only one exit port out of
the network.
Verification
Bangor#sh ip route
The S in the routing table entries means that the network is a
static entry.
Route source                                          Default administrative distance
Protocol (EIGRP) summary route
External Border Gateway Protocol (BGP)                20
Internal EIGRP                                        90
IGRP                                                  100
OSPF                                                  110
Intermediate System-to-Intermediate System (IS-IS)    115
Routing Information Protocol (RIP)                    120
Exterior Gateway Protocol (EGP)                       140
On Demand Routing (ODR)                               160
External EIGRP                                        170
Internal BGP                                          200
Unknown*                                              255
* If the administrative distance is 255, the router does not believe the source of that route and does not install the route in the routing table.
Routing Protocols
There are three classes of routing protocols:
Each router receives a routing table from its direct neighbor. For example, Router B receives information from Router A about networks 1 and 2. It then adds a distance vector metric (such as the number of hops), increasing the distance vector of these routes by 1.
B also exchanges its routing table with A, telling it about networks 2 and 3.
Configuring RIP
Router(config)#router rip          Enter router RIP configuration mode
ON RB
RouterB# conf ter
RouterB(config)#router igrp 10
RouterB(config-router)#network 2.0.0.0
RouterB(config-router)#network 3.0.0.0
RouterB(config-router)#^Z
ON RC
RouterC# conf ter
RouterC(config)#router igrp 10
RouterC(config-router)#network 3.0.0.0
RouterC(config-router)#network 4.0.0.0
RouterC(config-router)#^Z
Verification
RouterA#sh ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M –
[output cut]
U - per-user static route, o - ODR
Gateway of last resort is not set
f0/0 – 192.168.60.13/28
R4:
s0/0 – 192.168.30.20/28
R5:
s0/0 – 192.168.30.40/28
Some important points about EIGRP:
All routers must use the same Autonomous System (AS) number to recognize each other. In this case the chosen AS is 100.
The major networks in this lab are 192.168.30.0 & 192.168.60.0, so there will be discontiguous networks -> we need to use the "no auto-summary" command.
Now let’s begin the lab!
Step 1 – Configuring IP addresses on the routers
On R1:
R1#config t
R1(config)#int s0/0
R1(config-if)#ip address 192.168.30.12 255.255.255.240
R1(config-if)#no shut
R1(config-if)#int s0/1
R1(config-if)#ip address 192.168.30.18 255.255.255.240
R1(config-if)#no shut
R1(config-if)#int s0/2
R1(config-if)#ip address 192.168.30.35 255.255.255.240
R1(config-if)#no shut
R1(config-if)#int f0/0
Notice that both the "Status" and "Protocol" of the connected interfaces are up.
We can see all the neighbors of R1 with the "show cdp neighbors" command on R1:
The letter "P" at the left margin of each route entry stands for "Passive". The passive state indicates that the route is in silent mode, implying that the route is known to be good and that no activities are taking place with respect to the route. Looking at the two numbers in each entry, for example "2172416/28160" in the first entry: 2172416 is the FD (feasible distance), the metric for the route to the destination, and 28160 is the AD (advertised distance, the metric the neighbor reported).
Q: How do we calculate the EIGRP metric?
EIGRP Metric Calculation
The "show ip protocols" command is used to see the EIGRP metric weight values K1, K2, K3, K4 and K5, as shown in the picture below as an example.
Neighbor Table
Check the neighbor table of Router0 with the show ip eigrp
neighbors command
Notice that you can see a line “IP-EIGRP neighbors for process
100”. “Process 100” here means “AS 100”.
Topology Table
We will analyze the EIGRP topology with the "show ip eigrp topology" command. The output of Router0 is shown below:
Notice that if the result is not an integer then the result will be
rounded down. For example, 10,000,000 divided by 1024 (the
speed of T1) equals 9765.625. The result will be rounded down
to 9765.
Find the delay
EIGRP also uses the delay of the outgoing interfaces, and it can also be found with the "show interfaces" command: the delay appears next to the bandwidth value (for example, DLY 100 usec). In this case, the delay value of both Fa0/0 of Router0 and Fa0/1 of Router1 is 100 usec (microseconds), so the sum of the delays is 100 + 100 = 200 usec. The second portion of the formula is:
The routing table has two parameters [90/30720] but the first
one is the administrative distance of EIGRP. EIGRP has a
default administrative distance of 90 for internal routes and it is
often the most preferred routing protocol because it has the
lowest administrative distance.
Administrative distance is the measure used by Cisco routers to select the best path when there are two or more different routes to the same destination from two different routing protocols.
Below are the administrative distances of the most popular routing protocols used nowadays. Notice that the smaller the value, the more preferred the route.
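The metric calculation described in the EIGRP section (slowest bandwidth, summed delay, both rounded down, times 256) and the administrative-distance selection described here can be carried through together. The following is an added example, not code from the page: it reproduces the 28160 and 30720 values seen in the outputs above and the 2172416 feasible distance, and then shows how a router picks which candidate to install. The interface values (FastEthernet 100000 kbps / 100 usec, T1 1544 kbps / 20000 usec) are the usual IOS interface defaults and are assumptions here; the connected, static and EIGRP summary distances are standard IOS defaults that the table above does not show because it starts part way through.

```python
"""EIGRP composite metric and routing-table route selection by
administrative distance. Added example; it is not the page's own code.
Link values (bandwidth in kbps, delay in microseconds) are the usual IOS
interface defaults and are stated as assumptions in the comments."""


def eigrp_metric(bandwidths_kbps, delays_usec, k1=1, k2=0, k3=1, k4=0, k5=0,
                 load=1, reliability=255):
    """Classic (32-bit) EIGRP metric across a path.

    bandwidths_kbps: bandwidth of every outgoing interface on the path; only
                     the slowest one counts.
    delays_usec:     delay of every outgoing interface; these are summed.
    With the default K values (K1=K3=1, K2=K4=K5=0) the formula reduces to
    256 * (10^7 // min_bandwidth + total_delay // 10).
    """
    bw = 10_000_000 // min(bandwidths_kbps)   # integer division: rounded down
    delay = sum(delays_usec) // 10
    metric = k1 * bw + (k2 * bw) // (256 - load) + k3 * delay
    if k5 != 0:
        metric = metric * k5 // (reliability + k4)
    return 256 * metric


# Default administrative distances (standard IOS values; connected, static
# and EIGRP summary are not visible in the table above and are assumed).
ADMIN_DISTANCE = {
    "connected": 0, "static": 1, "eigrp-summary": 5, "external-bgp": 20,
    "internal-eigrp": 90, "igrp": 100, "ospf": 110, "is-is": 115, "rip": 120,
    "egp": 140, "odr": 160, "external-eigrp": 170, "internal-bgp": 200,
    "unknown": 255,
}


def route_entry(source, metric):
    """Format the [AD/metric] pair the way 'show ip route' prints it."""
    return f"[{ADMIN_DISTANCE[source]}/{metric}]"


def install_route(candidates):
    """candidates: list of (source, metric) for the same destination.
    The router keeps the candidate with the lowest AD; among equal-AD
    candidates (same protocol) the lowest metric wins; AD 255 is never
    installed. Returns (source, metric) or None."""
    usable = [(ADMIN_DISTANCE[src], metric, src) for src, metric in candidates
              if ADMIN_DISTANCE[src] != 255]
    if not usable:
        return None
    _ad, metric, src = min(usable)
    return src, metric


if __name__ == "__main__":
    # Assumed defaults: FastEthernet 100000 kbps / 100 usec,
    # T1 serial 1544 kbps / 20000 usec.
    two_fe_hops = eigrp_metric([100000, 100000], [100, 100])
    print(route_entry("internal-eigrp", two_fe_hops))          # [90/30720]
    print(eigrp_metric([1544, 100000], [20000, 100]))          # 2172416
    print(install_route([("ospf", 20), ("internal-eigrp", two_fe_hops)]))
```

One FastEthernet hop gives 256 * (100 + 10) = 28160 (the advertised distance seen above); two hops give 256 * (100 + 20) = 30720; a T1 plus a FastEthernet hop gives 256 * (6476 + 2010) = 2172416, the feasible distance in the first topology entry. `install_route` shows that an EIGRP route with a large metric still beats an OSPF route with a small one, because the AD is compared first.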
Now let’s see what will happen when we turn on EIGRP on both
of the routers. To turn on EIGRP you will use these commands:
R1(config)#router eigrp 1
R1(config-router)#network 2.0.0.0
R1(config-router)#network 10.10.1.0 (or network 10.0.0.0)
R2(config)#router eigrp 1
R2(config-router)#network 2.0.0.0
R2(config-router)#network 10.10.2.0 (or network 10.0.0.0)
You can try to use the more specific “network 10.10.1.0” instead
of “network 10.0.0.0”, hoping that EIGRP will understand it is a
sub-network. But if we check the configuration with the “show
running-config” command we will notice that EIGRP has auto-
summarized our network.
R1#show running-config
From the output above we learn that R1 only knows about the directly connected 10.10.1.0/24 network, but it doesn't have any information about the far-away 10.10.2.0/24 network, and a ping to 10.10.2.1 cannot succeed (but notice that we can ping the directly connected network, 10.10.1.2 for example).
So we can conclude that if a router receives the same route as the one it is advertising, it will not learn that route. In the above example, the "collision" occurs because both routers summarize into network 10.0.0.0/8 and advertise it to
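The auto-summary "collision" just described can be modelled directly. The following is an added example, not code from the page: it derives the classful major network of a subnet, shows what each router advertises with and without auto-summary, and applies the rule stated above that a router does not learn a route identical to one it advertises itself. The link subnet 2.2.2.0/30 is a constructed value standing in for the network 2.0.0.0 link between R1 and R2.

```python
"""Classful auto-summarization and why two routers advertising the same
summary never learn each other's subnets. Added example, not from the
page; the link subnet 2.2.2.0/30 is a constructed value standing in for
the network 2.0.0.0 link in the text."""
import ipaddress


def classful_network(ip: str) -> str:
    """Return the classful (A/B/C) major network that contains ip."""
    first_octet = int(ip.split(".")[0])
    if first_octet < 128:
        prefix = 8          # class A
    elif first_octet < 192:
        prefix = 16         # class B
    elif first_octet < 224:
        prefix = 24         # class C
    else:
        raise ValueError("class D/E addresses have no classful network")
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))


def advertised_prefixes(connected_subnets, auto_summary=True):
    """What a router advertises out of an interface in another major
    network: with auto-summary on, each subnet collapses to its classful
    network; with 'no auto-summary' the subnets are sent as they are."""
    if not auto_summary:
        return sorted(set(connected_subnets))
    return sorted({classful_network(s.split("/")[0]) for s in connected_subnets})


def routes_learned(own_advertisements, received):
    """A router ignores a received route identical to one it advertises."""
    return sorted(set(received) - set(own_advertisements))


R1_SUBNETS = ["10.10.1.0/24", "2.2.2.0/30"]   # constructed
R2_SUBNETS = ["10.10.2.0/24", "2.2.2.0/30"]   # constructed

if __name__ == "__main__":
    for auto in (True, False):
        r1 = advertised_prefixes(R1_SUBNETS, auto)
        r2 = advertised_prefixes(R2_SUBNETS, auto)
        print("auto-summary", auto, "-> R1 advertises", r1,
              "and learns", routes_learned(r1, r2))
```

With auto-summary on, both routers advertise exactly `['10.0.0.0/8', '2.0.0.0/8']`, so R1 learns nothing about 10.10.2.0/24; with `no auto-summary` R1 learns 10.10.2.0/24 from R2.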
4. network ip-address wildcard-mask area area-id
5. end
Drawbacks
OSPF Tables
Router(s) that have all their interfaces in area zero (area 0). Area 0 is called the backbone area and all other areas connect directly to it. All OSPF networks must have a backbone area 0. In area 0, the backbone router passes routing information to all other routers.
2. Internal Router (IR): all interfaces in one particular area.
3. Area Border Router (ABR)
Router(s) that have interfaces in area 0 as well as in other areas (area 1, area 2, etc.). An ABR connects one or more other areas to the backbone area 0. It keeps multiple copies of the link-state database in memory so that it knows which router is connected to which area. An ABR is always a backbone router too.
4. Autonomous System Border Router (ASBR)
Router(s) that connect to more than one autonomous system and exchange routing information with the routers of the other AS. Put simply, a router that connects two or more different routing domains (e.g. OSPF and RIP) is called an Autonomous System Border Router (ASBR).
OSPF uses the concept of areas. An area is a logical grouping of contiguous networks and routers. All routers in the same area have the same topology table, but they don't know about routers in the other areas. The main benefits of creating areas are that the size of the topology table and the routing table on a router is reduced, less time is required to run the SPF (Shortest Path First) algorithm, and routing updates are also reduced.
NOTE – in OSPF, manual route summarization is possible only on ABRs and ASBRs.
All routers are running OSPF. Routers R1 and R2 are inside the backbone area (area 0). Router R3 is an ABR, because it has interfaces in two areas, namely area 0 and area 1. Routers R4 and R5 are in area 1, whereas Router R6 is an ASBR, because it connects the OSPF network to another routing system or domain (an EIGRP domain in this case). If R1's directly connected links go down, R1 will send the routing updates only to R2 and R3, because routing updates are kept local inside area 0. R3 will then advertise summary addresses to its other neighboring areas; here routers R5 and R6 are in area 1.
NOTE – the role of an ABR is to advertise address summaries to neighboring areas. The role of an ASBR is to connect an OSPF routing domain to another external network (e.g. the Internet, an EIGRP network, …).
After configuring OSPF on both routers, the routers exchange LSAs to describe their respective topology databases. Router R1 sends an LSA header for its directly connected network 10.0.1.0/24. Router R2 checks its topology database and determines that it doesn't have information about that network. Router R2 then sends a Link State Request message requesting further
3. Point-to-Multipoint
Point-to-multipoint refers to a type of network topology consisting of a series of connections between a single interface on one router and multiple destination routers. All of the interfaces on all of the routers sharing the point-to-multipoint connection belong to the same network. No DR/BDR election takes place.
4.Point-to-Point
Type                          Generated by                                     Description
Type 1 - Router LSA           Every router in every area                       How routers advertise their connected interfaces, e.g. A0 in A0, A1 in A1, A20 in A20. Every router in the same area sends updates to each other.
Type 2 - Network LSA          DRs on all non-point-to-point (multi-access switch / LAN broadcast) networks   The DR collects all the Type 1 LSAs and sends out a single Type 2 representing all of the routers on the link. This is used to build the Shortest Path Tree.
Type 3 - Network Summary LSA  Area Border Routers (ABRs)                       ABRs send a single LSA representing all of the Type 1 and Type 2 LSAs in an area. This reduces the number of LSAs on the routers in other areas. The ABR sends this LSA3 summary from one area to the other areas in the OSPF network.
Type 5 - AS External LSA      … that are not in a NSSA area                    … OSPF.
Type 7 - NSSA External LSA    Routers with the redistribute command that are in a NSSA area   Type 5 LSAs are not allowed in Stub Areas. Type 7 LSAs allow external information to pass through NSSA areas.
LSA1
LSA6 (MOSPF)
Multicast OSPF LSA: used in multicast routing; Cisco routers do not support it.
Multicast LSA6 is used in PIM, MPLS TE, MPLS BGP, etc.
LSA7
Used in the special area type Not-So-Stubby-Area (NSSA) for external routes from ABRs.
The NSSA does not receive external LSA information from the ABR, but it sends information for redistribution.
The ABR translates the external routes to LSA type 5 to propagate them throughout all the subsequent ABRs and the network.
LSA 8 & 9
Used in OSPFv3 for link-local addresses and intra-area prefixes.
LSA 10, 11
Generic LSAs, also called opaque LSAs, which allow future extensions of OSPF.
Verification commands: R#sh ip route, R#sh ip ospf database, R#sh ip ospf database router
-------------------------------
Reference:
http://www.cisco.com/E-Learning/bulk/public/ccnp/QLM_Configuring_OSPF_Special_Area_Types_BSCI/player.html
Example
Let’s take an example to understand the benefits of VLAN.
Suppose you are working in a big company with many
departments, some of them are SALES and TECHNICAL
departments. You are tasked to separate these departments so
that each of them can only access specific resources in the
company.
This task is really easy, you think. To complete this task, you
just need to use different networks for these departments and use
access-list to allow/deny that network to a specific resource. For
example, you assign network 192.168.1.0/24 for SALES and
192.168.2.0/24 for TECH. At the “Company router” you apply
an access-list to filter traffic from these networks. Below is the
topology of your network without VLANs:
In this design:
Notice that the tag is only added and removed by the switches
when frames are sent out on the trunk links. Hosts don’t know
about this tag because it is added on the first switch and
removed on the last switch. The picture below describes the
process of a frame sent from PC A to PC B.
On 2950 & 2960 Switches: The 2950 & 2960 switches only support 802.1q encapsulation, so to turn trunking on we simply use this command:
Main_Sw(config-if)#switchport mode trunk
On 3550 & 3560 Switches: There are two encapsulation types on the 3550 & 3560 Cisco switches, 802.1q and ISL, but there are 3 encapsulation methods: 802.1q, ISL and negotiate. The default encapsulation is negotiate. This method signals between the trunk ports to choose an encapsulation method. ISL is preferred over 802.1q, so we have to configure "dot1q" explicitly if we want to use this standard.
Main_Sw(config-if)#switchport trunk encapsulation dot1q
Main_Sw(config-if)#switchport mode trunk
In fact, if you use VLAN Trunking Protocol (VTP) then you only need to configure the VLANs on the Main Sw, set the Main Sw to "Server" mode and the 2 other switches to "Client" mode.
VLAN Summaries
VLANs are used to create logical broadcast domains and
Layer 3 segments in a given network.
A VLAN is considered a logical segment because the
traffic it carries may traverse multiple physical network
segments
Cisco switches support two different trunking protocols, Inter-
Switch Link (ISL) and IEEE 802.1q. In 802.1q, native VLAN
frames are untagged.
The benefits of VLANs
Segment networks into multiple smaller broadcast domains
without Layer 3 network devices such as routers. VLANs
switch# show vlan
The following example shows the details of VLAN 13 including
its member ports:
switch# show vlan id 13
The following example shows the VLAN settings summary:
switch# show vlan summary
Output
Number of existing VLANs : 2
Number of existing VTP VLANs : 2
Number of existing extended VLANs : 0
VLAN Trunking Protocol(VTP)
“VTP allows a network manager to configure a switch so
that it will propagate VLAN configurations to other switches
in the network”
VTP minimizes misconfigurations and configuration
inconsistencies that can cause problems, such as duplicate
VLAN names or incorrect VLAN-type specifications. VTP
helps you simplify management of the VLAN database across
multiple switches.
VTP is a Cisco-proprietary protocol and is available on most of
the Cisco switches.
Why do we need VTP?
To answer this question, let’s discuss a real and popular network
topology.
Fortunately your office only has 5 floors, so you can finish this task in a few hours :)
But just imagine if your company was bigger with 100-floor
office and some VLANs needed to be added every month! Well,
it will surely become a daunting task to add a new VLAN like
this. Luckily, Cisco always “thinks big” to create a method for
you to just sit at the “Main Sw”, adding your new VLANs and
magically, other switches automatically learn about this VLAN,
sweet, right? It is not a dream, it is what VTP does for you!
How VTP Works
To make switches exchange their VLAN information with each
other, they need to be configured in the same VTP domain.
Only switches belonging to the same domain share their VLAN
information. When a change is made to the VLAN database, it is
propagated to all switches via VTP advertisements.
To maintain domain consistency, only one switch should be
allowed to create (or delete, modify) new VLANs. This switch is
like the “master” of the whole VTP domain and it is operated
in Server mode. This is also the default mode.
Other switches are only allowed to receive and forward updates
from the “server” switch. They are operated in Client mode.
Switches in this mode cannot create, delete or modify VLANs.
By default, only hosts that are members of the same VLAN can
communicate. To change this and allow inter-VLAN
communication to be possible, you need a router or a layer 3
switch.
Configuration
3550(config)#interface fa0/1
3550(config-if)#switchport trunk encapsulation dot1q
3550(config-if)#switchport mode trunk
3550(config)#interface fa 0/2
3550(config-if)#switchport access vlan 1
3550(config)#interface fa 0/3
3550(config-if)#switchport access vlan 1
3550(config)#interface fa 0/4
3550(config-if)#switchport access vlan 2
Router configuration
Router(config)#int f0/1.10
Router(config-subif)#encapsulation dot1q 1
Router(config-subif)#ip address 192.168.1.129 255.255.255.224
Voice VLAN
It is a common and recommended practice to separate voice and
data traffic by using VLANs. The switch built into Cisco IP
Phone for VOIP has much of the same hardware that exists
inside of a full Cisco switch.
configuring the port trust state, you must first globally enable QoS by using the mls qos global configuration command.
Step 4   switchport voice {detect cisco-phone [full-duplex] | vlan {vlan-id | dot1p | none | untagged}}
Configure how the Cisco IP Phone carries voice traffic:
• det—Configure the interface to detect and recognize a Cisco IP phone.
• cisco-phone—When you initially implement the switchport voice detect command, this is the only allowed option. The default is no switchport voice detect cisco-phone [full-duplex].
• full-duplex—(Optional) Configure the switch to only accept a full-duplex Cisco IP phone.
• vlan-id—Configure the phone to forward all voice traffic through the specified VLAN. By default, the Cisco IP Phone forwards the voice traffic with an IEEE 802.1Q priority of 5. Valid VLAN IDs are 1 to 4094.
• dot1p—Configure the phone to use IEEE 802.1p priority tagging for voice traffic and to use the default native VLAN (VLAN 0) to carry all traffic. By default, the Cisco IP Phone forwards the voice traffic with an IEEE 802.1p priority of 5.
• none—Allow the phone to use its own configuration to send untagged voice traffic.
• untagged—Configure the phone to send untagged voice traffic.
Step 5   end
Return to privileged EXEC mode.
Step 6   show interfaces interface-id switchport   or   show running-config interface interface-id
Verify your voice VLAN entries (show interfaces interface-id switchport) or your QoS and voice VLAN entries (show running-config interface interface-id).
Step 7   copy running-config startup-config
(Optional) Save your entries in the configuration file.
This example shows how to configure a port connected to a
Cisco IP Phone to use the CoS value to classify incoming traffic,
to use IEEE 802.1p priority tagging for voice traffic, and to use
the default native VLAN (VLAN 0) to carry all traffic:
Switch# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)# interface gigabitethernet0/1
Switch(config-if)# mls qos trust cos
Switch(config-if)# switchport voice vlan dot1p
Switch(config-if)# end
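Both the trunking section earlier (a VLAN ID tag inserted by the first switch and removed by the last before the frame reaches a host) and the voice configuration just shown (802.1p priority tagging with VLAN 0, the dot1p keyword) come down to the same 4-byte IEEE 802.1Q tag. The following is an added example, not code from the page or from Cisco: it builds, parses and strips the tag and classifies a frame as untagged, priority-tagged (VID 0) or belonging to a VLAN. The MAC addresses and payload are constructed.

```python
"""Build, parse and strip IEEE 802.1Q tags on Ethernet frames. Added
example, not code from the page or from Cisco. It covers the trunk case
(a VLAN ID tag inserted by the first switch and removed by the last) and
the voice case (an 802.1p priority-only tag with VLAN 0, as the dot1p
keyword configures). Frame contents are constructed."""
import struct

TPID_8021Q = 0x8100           # EtherType value that announces a VLAN tag
ETHERTYPE_IPV4 = 0x0800


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(".", "").replace(":", ""))


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_frame(dst, src, ethertype, payload, vlan_id=None, pcp=0, dei=0):
    """Ethernet II frame; when vlan_id is given a 4-byte 802.1Q tag is
    inserted between the source MAC and the EtherType.
    TCI layout: PCP (3 bits) | DEI (1 bit) | VID (12 bits)."""
    header = mac_bytes(dst) + mac_bytes(src)
    if vlan_id is not None:
        if not 0 <= vlan_id <= 4094:          # 4095 is reserved
            raise ValueError("VLAN ID must be 0..4094")
        tci = ((pcp & 0x7) << 13) | ((dei & 0x1) << 12) | vlan_id
        header += struct.pack("!HH", TPID_8021Q, tci)
    return header + struct.pack("!H", ethertype) + payload


def parse_frame(frame: bytes) -> dict:
    dst, src = frame[:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    tag, offset = None, 14
    if ethertype == TPID_8021Q:
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        tag = {"pcp": tci >> 13, "dei": (tci >> 12) & 1, "vid": tci & 0x0FFF}
        offset = 18
    return {"dst": mac_str(dst), "src": mac_str(src), "tag": tag,
            "ethertype": ethertype, "payload": frame[offset:]}


def strip_tag(frame: bytes) -> bytes:
    """What the last switch does before handing the frame to a host."""
    if struct.unpack("!H", frame[12:14])[0] != TPID_8021Q:
        return frame
    return frame[:12] + frame[16:]


def classify(frame: bytes) -> str:
    tag = parse_frame(frame)["tag"]
    if tag is None:
        return "untagged"
    if tag["vid"] == 0:
        return "priority-tagged"   # VLAN 0: only the 802.1p priority matters
    return f"vlan {tag['vid']}"


if __name__ == "__main__":
    payload = b"\x45" + b"\x00" * 19          # constructed IPv4-looking payload
    data = build_frame("00:11:22:33:44:55", "66:77:88:99:aa:bb",
                       ETHERTYPE_IPV4, payload, vlan_id=10)
    voice = build_frame("00:11:22:33:44:55", "66:77:88:99:aa:bb",
                        ETHERTYPE_IPV4, payload, vlan_id=0, pcp=5)
    print(classify(data), "|", classify(voice), "|", classify(strip_tag(data)))
```

A data frame on the trunk carries `vlan 10`; the phone's voice frame under `switchport voice vlan dot1p` carries PCP 5 with VID 0 and is classified as priority-tagged; after `strip_tag` the frame is plain Ethernet II again, which is why the hosts never see the tag.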
Chapter – IP Services
This chapter covers the following topics.
High Availability – VRRP, HSRP, GLBP
Cisco IOS NetFlow
High Availability (HA)
These technologies provide network redundancy and fault tolerance: reliable network devices and redundant hardware components with automatic failover. HA provides an alternative path to resources (e.g. software, hardware, servers) to make sure they are available at all times on the network, in case a failover occurs on the main link. In other words, if the primary gateway (the router link to the hosts) for the hosts in a network goes down, an alternative secondary link through another router should automatically become available so that devices can access the resources without disruption.
Advantages of HA
reserved for other functions. You can use the following three
addresses with HSRP:
c000.0001.0000 (group 0)
c000.0002.0000 (group 1)
c000.0004.0000 (group 2)
Example
With HSRP, two routers Router1 and Router2 in this case will
be seen as only one router. HSRP uses a virtual MAC and IP
address for the two routers to represent with hosts as a single
default gateway. For example, the virtual IP address is
192.168.1.254 and the virtual MAC is 0000.0c07.AC0A. All the
hosts will point their default gateway to this IP address.
no shutdown
interface FastEthernet1/0
ip address 24.24.24.2 255.255.255.0
no shutdown
!
router eigrp 1
network 24.0.0.0
network 123.0.0.0
R3
interface FastEthernet0/0
ip address 123.123.123.3 255.255.255.0
no shutdown
!
interface FastEthernet1/0
ip address 34.34.34.3 255.255.255.0
no shutdown
!
router eigrp 1
network 34.0.0.0
network 123.0.0.0
R4
interface Loopback0
ip address 4.4.4.4 255.255.255.0
!
interface FastEthernet0/0
ip address 24.24.24.4 255.255.255.0
no shutdown
!
interface FastEthernet1/0
ip address 34.34.34.4 255.255.255.0
no shutdown
!
router eigrp 1
network 4.0.0.0
network 24.0.0.0
network 34.0.0.0
HSRP Configuration
R2
interface FastEthernet0/0
standby 10 ip 123.123.123.254
standby 10 priority 200
standby 10 preempt
R3
interface FastEthernet0/0
standby 10 ip 123.123.123.254
standby 10 priority 150
standby 10 preempt
Note: The virtual IP address of the HSRP group must be in the same subnet as the IP address on this interface (Fa0/0).
After entering the above commands we will see R2 take the Active state after going from Speak to Standby:
%HSRP-5-STATECHANGE: FastEthernet0/0 Grp 10 state Speak -> Standby
*Mar 1 00:10:22.487: %HSRP-5-STATECHANGE: FastEthernet0/0 Grp 10 state Standby -> Active
*Mar 1 00:10:22.871: %SYS-5-CONFIG_I: Configured from console by console
The “show standby” command on R2 confirms its state:
Static 10
EIGRP 2560
OSPF 1
A very important note we wish to mention here: the route being tracked must be exactly the same as the one displayed in the routing table, or the track will go down because no route is found. For
HSRP States
HSRP consists of 6 states:
Initial: HSRP is not running.
Learn: The router does not know the virtual IP address and
is waiting to hear from the active router.
A LAN client can determine which router should be the first hop
to a particular remote destination by using a dynamic process or
static configuration. Examples of dynamic router discovery are
as follows:
Proxy ARP—The client uses Address Resolution Protocol
(ARP) to get the destination it wants to reach, and a router
responds to the ARP request with its own MAC address.
Routing protocol—The client listens to dynamic routing
protocol updates (for example, from Routing Information
Protocol [RIP]) and forms its own routing table.
ICMP Router Discovery Protocol (IRDP) client—The client
runs an Internet Control Message Protocol (ICMP) router
discovery client.
The disadvantage to dynamic discovery protocols is that they
incur some configuration and processing overhead on the LAN
client. Also, if a router fails, the process of switching to another
router can be slow.
VRRP Configuration
SUMMARY STEPS
1. configure terminal
2. interface interface-type slot/port
3. vrrp number
4. shutdown
5. priority level [forwarding-threshold lower lower-value upper upper-value]
6. no shutdown
7. (Optional) show vrrp
8. (Optional) copy running-config startup-config
Verification command
R#sh vrrp all
VRRP Benefits
The benefits of VRRP are as follows:
Unlike HSRP, which is a Cisco proprietary protocol, VRRP is an IEEE standard for router redundancy.
In HSRP there is one active router and one backup router, but in VRRP there is only one active router (the master router) and the other routers in the VRRP group are backup routers.
Redundancy—Enables you to configure multiple routers as the default gateway router, which reduces the possibility of a single point of failure in a network.
Load sharing—Allows traffic to and from LAN clients to be shared by multiple routers. The traffic load is shared more equitably among available routers.
Multiple VRRP groups—Supports up to 255 VRRP groups on a router physical interface if the platform supports multiple MAC addresses. Multiple VRRP groups enable
GLBP Authentication
GLBP has three authentication types:
MD5 authentication
Plain text authentication
No authentication
MD5 authentication provides greater security than plain text authentication. MD5 authentication allows each GLBP group member to use a secret key to generate a keyed MD5 hash that is part of the outgoing packet. At the receiving end, a keyed hash of an incoming packet is generated. If the hash within the incoming packet does not match the generated hash, the packet is ignored. The key for the MD5 hash can either be given directly in the configuration using a key string or supplied indirectly through a key chain.
You can also choose to use a simple password in plain text to
authenticate GLBP packets, or choose no authentication for
GLBP.
GLBP rejects packets in any of the following cases:
The authentication schemes differ on the router and in the
incoming packet.
MD5 digests differ on the router and in the incoming packet.
Text authentication strings differ on the router and in the
incoming packet.
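The rejection rules just listed, as an added example in Python (my own model, not Cisco's GLBP implementation or its wire format): each group member attaches an authentication field to its hello, and the receiver accepts the hello only when the scheme and the keyed digest or password agree. The packet layout, function names and sample payload are constructed for illustration.

```python
import hashlib
import hmac
from dataclasses import dataclass


@dataclass
class AuthConfig:
    """Authentication settings of one GLBP group member (constructed model)."""
    scheme: str        # "md5", "text" or "none"
    key: str = ""      # key string for MD5, or the plain-text password


def build_hello(payload: bytes, cfg: AuthConfig) -> dict:
    """Model of an outgoing GLBP hello: the payload plus its authentication field.

    Hypothetical layout for illustration, not the real GLBP TLV encoding.
    """
    if cfg.scheme == "md5":
        # keyed MD5: digest over the packet contents and the shared secret;
        # the secret itself never leaves the router
        auth = hashlib.md5(payload + cfg.key.encode()).hexdigest()
    elif cfg.scheme == "text":
        # plain-text authentication sends the password as-is in every hello
        auth = cfg.key
    else:
        auth = ""
    return {"scheme": cfg.scheme, "payload": payload, "auth": auth}


def accept_hello(pkt: dict, cfg: AuthConfig) -> tuple:
    """Apply the three rejection rules from the text; returns (accepted, reason)."""
    if pkt["scheme"] != cfg.scheme:
        return False, "authentication schemes differ"
    if cfg.scheme == "md5":
        expected = hashlib.md5(pkt["payload"] + cfg.key.encode()).hexdigest()
        # a modified payload or a different key both change the digest
        if not hmac.compare_digest(expected, pkt["auth"]):
            return False, "MD5 digests differ"
    elif cfg.scheme == "text":
        if not hmac.compare_digest(cfg.key, pkt["auth"]):
            return False, "text authentication strings differ"
    return True, "accepted"


def wire_exposes_secret(pkt: dict, cfg: AuthConfig) -> bool:
    """True when the configured secret can be read straight off the packet,
    which is the weakness of plain-text authentication."""
    return cfg.key != "" and pkt["auth"] == cfg.key


if __name__ == "__main__":
    cfg = AuthConfig("md5", "s3cret")           # constructed key
    hello = build_hello(b"glbp grp 1 hello priority 200", cfg)
    print(accept_hello(hello, cfg))
    print(accept_hello(dict(hello, payload=b"glbp grp 1 hello priority 255"), cfg))
```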
GLBP Load Balancing and Tracking
You can configure the following load-balancing methods for
GLBP:
Round-robin—GLBP cycles through the virtual MAC
addresses sent in ARP replies, load balancing the traffic
across all the AVFs.
Weighted—AVG uses the advertised weight for an AVF to
decide the load directed to the AVF. A higher weight means
that the AVG directs more traffic to the AVF.
Host dependent—GLBP uses the MAC address of the host to
determine which virtual MAC address to direct the host to
use. This algorithm guarantees that a host gets the same
virtual MAC address if the number of virtual forwarders does
not change.
The default for IPv4 networks is round-robin. You can disable
all load balancing for GLBP on an interface. If you do not
configure load balancing, the AVG handles all traffic for the
GLBP Configuration
Assume we have already taken care of the basic configuration and EIGRP (or any routing protocol) is running on all routers.
R(config)#interface fa 0/0
R(config-if)#glbp 1 ip 10.1.1.250 // the virtual IP should not be the real IP address of the AVG interface; it can be any unused address in the subnet
R(config-if)#glbp 1 priority 200
R(config-if)#glbp 1 preempt
R(config-if)#glbp 1 timers [msec] hellotime [msec] holdtime
R(config-if)#glbp 1 weighting 200 // set the weighting for the AVF according to your choice of priority
Verification command
R#sh glbp brief
NetFlow
One of the most important tasks of a network administrator is to monitor the health of the network: learn how bandwidth is being used, which applications are consuming it, when it needs an upgrade, and so on. Monitoring protocols like SNMP and SPAN (port mirroring) can help answer some of these questions, but they are not enough to give an insightful view of the network. Luckily we have another tool for this: NetFlow.
"NetFlow is a networking analysis protocol that gives the ability to collect detailed information about network traffic as it flows through a router interface. NetFlow helps network administrators answer the questions of who (users), what (application), when (time of day), where (source and destination IP addresses) and how network traffic is flowing."
NetFlow components
NetFlow Monitor: a component applied to an interface that collects information about flows. Flow monitors consist of a record and a cache. You add the record to the flow monitor after the flow monitor is created. In the topology above, we can apply the NetFlow Monitors to the s0/0, Fa0/0 and Fa0/1 interfaces of the router to collect traffic information on these interfaces.
NetFlow Exporter: aggregates packets into flows, stores IP flow information in its NetFlow cache and exports them in the form of flow records to the NetFlow collector.
NetFlow Collector: collects flow records sent from the NetFlow exporters, parsing and storing the flows. Usually a collector is a separate software running on a network
A NetFlow reporting tool: there are many tools that can collect
NetFlow packets sent to the NetFlow Collector and display a
comprehensive view. Below is an example of what SolarWinds
NetFlow Traffic Analyzer can analyze
NetFlow versions
Version 1: the original format supported in the initial NetFlow releases.
Versions 2, 3 and 4 were not released.
Version 5: an enhancement that adds Border Gateway Protocol (BGP) autonomous system information, flow sequence numbers and a few additional fields. This is the standard and most common NetFlow version. It only supports IPv4.
Version 6: similar to version 7.
Version 7: Cisco-specific version for Catalyst 5000 series switches, not compatible with Cisco routers.
Version 8: choice of aggregation schemes in order to reduce resource usage.
Version 9: supports a flexible flow-record format and is known as Flexible NetFlow technology. NetFlow version 9 includes a template to describe what is being exported. It supports an extensible export format to make adding new fields easier. It also supports additional fields and technologies such as MPLS, IPv6, IPsec, NBAR protocols, multicast, VLAN ID and so on.
Configure NetFlow
NetFlow version 5 and version 9 are commonly used nowadays, so this part shows how to configure NetFlow in version 5 and 9. We only show the minimum configuration needed to make NetFlow work.
Configure NetFlow version 5
The following configuration enables NetFlow version 5 on the Fa0/1 interface and exports to a NetFlow collector at 10.1.1.1 on UDP port 2055.
Router(config)#interface fa0/1
Router(config-if)#ip route-cache flow
Router(config-if)#exit
Router(config)#ip flow-export destination 10.1.1.1 2055
Router(config)#ip flow-export source fa0/2
//NetFlow will use the IP address of Fa0/2 as the source address for the UDP datagrams sent to the NetFlow Collector
Router(config)#ip flow-export version 5
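Added example, not part of the original text: a small Python collector-side parser for the NetFlow version 5 export format this configuration sends to 10.1.1.1 on UDP port 2055. It packs constructed sample flows into a v5 datagram (24-byte header, 48-byte records), parses them back, rejects malformed datagrams and datagrams from an exporter other than the configured source, and answers the who/what questions from the quoted definition. The sample flows and function names are my own.

```python
import socket
import struct
from collections import Counter

# NetFlow v5 export format: a 24-byte header followed by up to 30 48-byte records.
HEADER_FMT = "!HHIIIIBBH"  # version, count, sys_uptime, unix_secs, unix_nsecs,
                           # flow_sequence, engine_type, engine_id, sampling_interval
RECORD_FMT = "!4s4s4sHHIIIIHHBBBBHHBBH"  # srcaddr, dstaddr, nexthop, input, output,
                                         # dPkts, dOctets, first, last, srcport, dstport,
                                         # pad1, tcp_flags, prot, tos, src_as, dst_as,
                                         # src_mask, dst_mask, pad2
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 24
RECORD_LEN = struct.calcsize(RECORD_FMT)  # 48
MAX_RECORDS = 30
PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}

# Constructed sample flows, as the exporter on Fa0/1 might hold them in its cache.
SAMPLE_FLOWS = [
    {"src": "10.1.1.10", "dst": "203.0.113.5", "proto": 6, "sport": 51000, "dport": 443,
     "pkts": 120, "bytes": 96000, "first": 590000, "last": 599000, "tcp_flags": 0x1B},
    {"src": "10.1.1.20", "dst": "203.0.113.9", "proto": 17, "sport": 40000, "dport": 53,
     "pkts": 3, "bytes": 210, "first": 591000, "last": 591100, "tcp_flags": 0},
    {"src": "10.1.1.10", "dst": "198.51.100.7", "proto": 6, "sport": 51001, "dport": 80,
     "pkts": 40, "bytes": 52000, "first": 592000, "last": 598000, "tcp_flags": 0x1B},
]


def build_v5_datagram(flows, unix_secs=1700000000, sequence=0, in_if=1, out_if=2):
    """Pack flows into one v5 datagram the way an exporter would (sample data, not a capture)."""
    if len(flows) > MAX_RECORDS:
        raise ValueError("v5 allows at most 30 records per datagram")
    body = b"".join(
        struct.pack(RECORD_FMT,
                    socket.inet_aton(f["src"]), socket.inet_aton(f["dst"]),
                    socket.inet_aton("0.0.0.0"), in_if, out_if,
                    f["pkts"], f["bytes"], f["first"], f["last"],
                    f["sport"], f["dport"], 0, f["tcp_flags"], f["proto"], 0,
                    0, 0, 24, 24, 0)
        for f in flows)
    header = struct.pack(HEADER_FMT, 5, len(flows), 600000, unix_secs, 0,
                         sequence, 0, 0, 0)
    return header + body


def parse_v5_datagram(data, exporter_ip=None, allowed_exporters=None):
    """Parse a v5 datagram into flow dicts, rejecting anything malformed.

    NetFlow v5 is unauthenticated UDP, so a collector should also accept
    datagrams only from the exporter source address it was configured with.
    """
    if allowed_exporters is not None and exporter_ip not in allowed_exporters:
        raise ValueError(f"datagram from unexpected exporter {exporter_ip}")
    if len(data) < HEADER_LEN:
        raise ValueError("datagram shorter than the v5 header")
    (version, count, _uptime, unix_secs, _nsecs, sequence,
     _etype, _eid, _sampling) = struct.unpack(HEADER_FMT, data[:HEADER_LEN])
    if version != 5:
        raise ValueError(f"unsupported NetFlow version {version}")
    if count > MAX_RECORDS or len(data) != HEADER_LEN + count * RECORD_LEN:
        raise ValueError("record count does not match datagram length")
    records = []
    for i in range(count):
        off = HEADER_LEN + i * RECORD_LEN
        r = struct.unpack(RECORD_FMT, data[off:off + RECORD_LEN])
        records.append({
            "src": socket.inet_ntoa(r[0]), "dst": socket.inet_ntoa(r[1]),
            "in_if": r[3], "out_if": r[4], "pkts": r[5], "bytes": r[6],
            "first_ms": r[7], "last_ms": r[8], "sport": r[9], "dport": r[10],
            "tcp_flags": r[12], "proto": PROTO_NAMES.get(r[13], str(r[13])),
            "export_time": unix_secs, "sequence": sequence,
        })
    return records


def is_valid_datagram(data, exporter_ip=None, allowed_exporters=None):
    """Convenience check: True when the datagram parses cleanly."""
    try:
        parse_v5_datagram(data, exporter_ip, allowed_exporters)
        return True
    except ValueError:
        return False


def summarize_flows(records):
    """Who and what: bytes per source host and per (protocol, destination port)."""
    by_src, by_app = Counter(), Counter()
    for r in records:
        by_src[r["src"]] += r["bytes"]
        by_app[(r["proto"], r["dport"])] += r["bytes"]
    return by_src, by_app


if __name__ == "__main__":
    datagram = build_v5_datagram(SAMPLE_FLOWS)
    flows = parse_v5_datagram(datagram, "10.1.2.1", {"10.1.2.1"})
    by_src, by_app = summarize_flows(flows)
    print(by_src.most_common(1), by_app.most_common(1))
```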
Standard ACL
Extended ACL
Named ACLs
Standard access lists
You can only assign one access list per interface, per
protocol, or per direction. This means that if you are
Organize your access lists so that the more specific tests are
at the top of the access list.
You cannot remove one line from an access list. If you try
to do this, you will remove the entire list. It is best to copy
the access list to a text editor before trying to edit the list.
The only exception is when using named access lists.
network address (binary): 00001010.00000001.00000001.00000000
mask (binary):            00000000.00000000.00000000.11111111
Based on the binary mask, you can see that the first three sets (octets) must match the given binary network address exactly (00001010.00000001.00000001). The last set of numbers consists of "don't cares" (.11111111). Therefore, all traffic that begins with 10.1.1. matches, since the last octet is "don't care", and with this mask the network addresses 10.1.1.1 through 10.1.1.255 (10.1.1.x) are processed.
Subtract the normal mask from 255.255.255.255 in order to
determine the ACL inverse mask. In this example, the inverse
mask is determined for network address 172.16.1.0 with a
normal mask of 255.255.255.0.
255.255.255.255 - 255.255.255.0 (normal mask) =
0.0.0.255 (inverse mask) in ACL
Note these ACL equivalents.
The source/source-wildcard of 0.0.0.0/255.255.255.255
means "any".
The source/wildcard of 10.1.1.2/0.0.0.0 is the same as "host
10.1.1.2".
ACL Summarization
(third octet, decimal and binary)
34  0 0 1 0 0 0 1 0
35  0 0 1 0 0 0 1 1
36  0 0 1 0 0 1 0 0
37  0 0 1 0 0 1 0 1
38  0 0 1 0 0 1 1 0
39  0 0 1 0 0 1 1 1
    M M M M M D D D   (M = must match, D = don't care)
Since the first five bits match, the previous eight networks can be summarized into one network (192.168.32.0/21 or 192.168.32.0 255.255.248.0). All eight possible combinations of the three low-order bits are relevant for the network ranges in question. The following command defines an ACL that permits this network. If you subtract 255.255.248.0 (normal mask) from 255.255.255.255, it yields 0.0.7.255.
access-list 1 permit 192.168.32.0 0.0.7.255
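As an added example (not part of the original text), this Python code computes wildcard masks from normal masks, checks whether an address matches an ACL entry the way the "don't care" bits above describe, and summarizes the 192.168.32.0 to 192.168.39.0 networks into the /21 entry; it also reports any subnets a summary would over-permit when the list does not fill a full power of two, which is what happens if only 34 through 39 are meant. The function names are my own.

```python
import ipaddress

ALL_ONES = 0xFFFFFFFF


def inverse_mask(normal_mask):
    """Wildcard (inverse) mask: 255.255.255.255 minus the normal subnet mask."""
    return str(ipaddress.IPv4Address(ALL_ONES - int(ipaddress.IPv4Address(normal_mask))))


def acl_matches(address, network, wildcard):
    """True if address matches the ACL entry 'network wildcard'.

    A 0 bit in the wildcard means the address bit must equal the network bit;
    a 1 bit means "don't care".
    """
    a = int(ipaddress.IPv4Address(address))
    n = int(ipaddress.IPv4Address(network))
    care = ALL_ONES ^ int(ipaddress.IPv4Address(wildcard))
    return (a & care) == (n & care)


def summarize(networks):
    """Summarize equal-length networks into one ACL entry.

    Returns (summary network, wildcard, over-permitted subnets). The last item
    lists subnets the summary covers that were not in the input, so a list
    that does not fill a full power of two (e.g. only 34..39) is caught.
    """
    nets = [ipaddress.IPv4Network(n) for n in networks]
    plen = nets[0].prefixlen
    if any(n.prefixlen != plen for n in nets):
        raise ValueError("networks must share one prefix length")
    lo = int(min(n.network_address for n in nets))
    hi = int(max(n.broadcast_address for n in nets))
    # shorten the prefix until the lowest and highest address share it
    summary_len = plen
    while summary_len > 0 and lo >> (32 - summary_len) != hi >> (32 - summary_len):
        summary_len -= 1
    summary = ipaddress.IPv4Network((lo, summary_len), strict=False)
    wildcard = inverse_mask(str(summary.netmask))
    extra = [str(s) for s in summary.subnets(new_prefix=plen) if s not in nets]
    return str(summary), wildcard, extra


def acl_entry(number, summary, wildcard, action="permit"):
    """Render a numbered standard ACL line for the summary."""
    return f"access-list {number} {action} {summary.split('/')[0]} {wildcard}"


if __name__ == "__main__":
    net, wc, extra = summarize([f"192.168.{i}.0/24" for i in range(32, 40)])
    print(acl_entry(1, net, wc), "over-permits:", extra)
    net, wc, extra = summarize([f"192.168.{i}.0/24" for i in range(34, 40)])
    print(acl_entry(1, net, wc), "over-permits:", extra)
```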
Configuration of ACL
Standard ACL
Standard IP access lists filter the network by using the source IP address in an IP packet. You create a standard IP access list by using the access list numbers 1–99.
Configuration Syntax
access-list access-list-number {permit | deny} source {source-mask}
Apply ACL to an interface
ip access-group access-list-number {in | out}
Example of Standard IP Access List
Configuration:
In this example we will define a standard access list that will
only allow network 10.0.0.0/8 to access the server (located on
the Fa0/1 interface)
Define which source is allowed to pass:
Router(config)#interface Fa0/1
Router(config-if)#ip access-group 1 out
Extended ACL
Extended IP access lists allow you to choose your IP source and
destination address as well as the protocol and port number,
which identify the upper-layer protocol or application. By using
Example#2
Extended ACL
Acme#config t
Acme(config)#access-list 110 deny tcp any host 172.16.10.5 eq 21
Acme(config)#access-list 110 deny tcp any host 172.16.10.5 eq 23
Acme(config)#access-list 110 permit ip any any
Acme(config)#interface E0
Acme(config-if)#ip access-group 110 out
After the lists are created, they need to be applied to the Ethernet 0 port. This is because the other three interfaces on the router need access to the LAN. However, if this list were created to only block Sales, then we would have wanted to put this list closest to the source, or on Ethernet interface 2.
Troubleshoot ACL
You can have one access list per protocol, per direction and per interface. For example, you cannot have two access lists in the inbound direction of the Fa0/0 interface. However, you can have one inbound and one outbound access list applied on Fa0/0.
If too much traffic is denied, study the logic of your list or try to
define and apply an additional broader list. The show ip access-
lists command provides a packet count that shows which ACL
entry is hit.
The log keyword at the end of the individual ACL entries shows
the ACL number and whether the packet was permitted or
denied, in addition to port-specific information.
Note: The log-input keyword exists in Cisco IOS Software
Release 11.2 and later, and in certain Cisco IOS Software
Release 11.1 based software created specifically for the service
provider market. Older software does not support this keyword.
Use of this keyword includes the input interface and source
MAC address where applicable.
show access-list 110: Shows only the parameters for access list 110. This command does not show you the interface the list is applied on.
End of Chapter
NAT Troubleshooting
NAT Configuration with Cisco Configuration
Professional
NAT
Translating your private inside addresses to a global outside address is called NATting.
NAT allows a host that does not have a valid registered IP address to communicate with other hosts through the Internet.
The main idea is to conserve Internet global address space, but it also increases network security by hiding internal IP addresses from external networks.
Using Network Address Translation (NAT) we can save many IP addresses for later use.
In NAT terminology, the "inside network" is the set of networks that are subject to translation. The "outside network" refers to all other addresses, usually those located on the Internet.
A significant advantage of NAT is that it can be configured without requiring any changes to hosts or routers other than those few routers on which NAT will be configured.
NAT enables private IP internetworks that use nonregistered IP addresses to connect to the Internet. NAT operates on a device, usually connecting two networks, and translates the private (not globally unique) addresses in the internal network into legal addresses before packets are forwarded onto another network.
10. ip nat outside
11. end
DETAILED STEPS
Step 1: enable
  Purpose: Enables privileged EXEC mode. Enter your password if prompted.
  Example: Device> enable
Step 2: configure terminal
  Purpose: Enters global configuration mode.
  Example: Device# configure terminal
Step 3: ip nat inside source static local-ip global-ip
  Purpose: Establishes static translation between an inside local address and an inside global address.
  Example: Device(config)# ip nat inside source static 10.10.10.1 172.16.131.1
Step 4: interface type number
  Purpose: Specifies an interface and enters interface configuration mode.
  Example: Device(config)# interface ethernet 1
Step 5: ip address ip-address mask [secondary]
  Purpose: Sets a primary IP address for an interface.
  Example: Device(config-if)# ip address 10.114.11.39 255.255.255.0
(fragment of a later step)
  Purpose: …interface and enters interface configuration mode.
  Example: Device(config)# interface gigabitethernet 0/0/0
Step 9: ip address ip-address mask [secondary]
  Purpose: Sets a primary IP address for an interface.
  Example: Device(config-if)# ip address 172.31.232.182 255.255.255.240
Step 10: ip nat outside
  Purpose: Connects the interface to the outside network.
  Example: Device(config-if)# ip nat outside
Step 11: end
  Purpose: Exits interface configuration mode and returns to privileged EXEC mode.
  Example: Device(config-if)# end
8. ip nat inside
9. exit
10. interface type number
11. ip address ip-address mask
12. ip nat outside
13. end
DETAILED STEPS
Step 1: enable
  Purpose: Enables privileged EXEC mode. Enter your password if prompted.
  Example: Device> enable
Step 2: configure terminal
  Purpose: Enters global configuration mode.
  Example: Device# configure terminal
Step 3: ip nat pool name start-ip end-ip {netmask netmask | prefix-length prefix-length}
  Purpose: Defines a pool of global addresses to be allocated as needed.
  Example: Device(config)# ip nat pool net-208 172.16.233.208 172.16.233.223 prefix-length 28
Step 4: access-list access-list-number permit source [source-wildcard]
  Purpose: Defines a standard access list permitting those addresses that are to be translated.
  Example: Device(config)# access-list 1 permit 192.168.34.0 0.0.0.255
(fragment of a later step)
  Purpose: …interface.
  Example: Device(config-if)# ip address 10.114.11.39 255.255.255.0
Step 8: ip nat inside
  Purpose: Connects the interface to the inside network, which is subject to NAT.
  Example: Device(config-if)# ip nat inside
Step 9: exit
  Purpose: Exits interface configuration mode and returns to global configuration mode.
  Example: Device(config-if)# exit
Step 10: interface type number
  Purpose: Specifies an interface and enters interface configuration mode.
  Example: Device(config)# interface ethernet 0
Step 11: ip address ip-address mask
  Purpose: Sets a primary IP address for the interface.
  Example: Device(config-if)# ip address 172.16.232.182 255.255.255.240
Step 12: ip nat outside
  Purpose: Connects the interface to the outside network.
  Example: Device(config-if)# ip nat outside
End of Chapter
WAN Terminology
Router: a device that provides internetworking and WAN access interfaces that connect to the provider network.
Data Terminal Equipment (DTE): typically, the DTE is the router (at the customer side).
Data Communications Equipment (DCE): provides a clocking signal used to synchronize data transmission between DCE and DTE devices.
Customer Premise Equipment (CPE): devices located at the customer side. CPE is often owned by the customer or hired from the WAN provider. In the picture below, the router, LAN switch and two computers in the house are classified as CPE.
Demarcation Point: the physical point where the public network ends and the private network of a customer begins.
Local loop: a cable that connects the CPE to the nearest exchange.
WAN Protocols
Here we define the most prominent WAN protocols used today: Frame Relay, ISDN, LAPB, HDLC, and PPP. We use HDLC and PPP on leased lines, whereas Frame Relay is used on packet-switching technologies.
interface Serial0
ip address 5.0.2.1 255.255.255.0
clockrate 64000
no cdp enable
Spicey
interface Serial1
ip address 5.0.2.2 255.255.255.0
no cdp enable
Verify
show controllers
ping
show interfaces
The output shown below results when these commands are
issued on the devices used in this sample configuration.
The show controllers command shows that the physical layer is working and what type of cable is connected. In the output below, Prasit is connected at the DCE end and Spicey at the DTE end.
PPP
The Point-to-Point Protocol (PPP) provides a standard (non-proprietary) method for transporting multi-protocol datagrams over point-to-point links. PPP is comprised of three main components:
A method for encapsulating multi-protocol datagrams.
Router#config t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#int s0
Router(config-if)#encapsulation ppp
Router(config-if)#^Z
Router#
Of course, PPP encapsulation must be enabled on both interfaces
connected to a serial line to work, and there are several
additional configuration options available by using the help
command.
RouterA#config t
Enter configuration commands, one per line. End with CNTL/Z.
RouterA(config)#int s0
RouterA(config-if)#ppp authentication chap
RouterA(config-if)#ppp authentication pap
RouterA(config-if)#^Z
RouterA#show int s0
To connect to these two branches, the main site router,
HeadQuarter, requires two serial interfaces which a router
can provide. But what happens when the company expands
to 10 branches, 50 branches? For each point-to-point line,
HeadQuarter needs a separate physical serial interface (and
maybe a separate CSU/DSU if it is not integrated into the
WAN card). As you can imagine, it will need many routers
with many interfaces and lots of rack space for the routers
and CSU/DSUs. Maybe we should use another solution for
this problem? Luckily, Frame Relay can do it!
By using Frame Relay we only need one serial interface at
the HeadQuarter to connect to all branches. This is also true
Frame Relay is a high-performance WAN protocol that
operates at the physical and data link layers of the OSI
reference model. It offers lower-cost data transfer when
compared to typical point-to-point applications, by using
virtual connections within the frame relay network and by
combining those connections into a single physical
connection at each location. Frame relay providers use a
frame relay switch to route the data on each virtual circuit to
the appropriate destination.
Maybe these terminologies of Frame Relay are difficult to
understand so we will explain them in more detail in this
article.
In general, the routers are considered DTE, and the Frame Relay switches are DCE (DCE is also called data circuit-terminating equipment). The purpose of DCE equipment is to provide clocking and switching services in a network. In our example, HeadQuarter, Branch 1 & Branch 2 are DTEs while the Frame Relay switches are DCEs.
Virtual Circuit
There are two types of VCs
DLCI
Although the above picture shows two VCs from the HeadQuarter, do you remember that the HeadQuarter has only one serial interface? So how can it know which branch it should send the frame to?
Frame Relay uses data-link connection identifiers (DLCIs) to build up logical circuits. The identifiers have local meaning only; that means their values are unique per router, but not necessarily in the other routers. For example, there is only one DLCI of 23 representing the connection from HeadQuarter to Branch 1 and only one DLCI of 51 from HeadQuarter to Branch 2. Branch 1 can use the same DLCI of 23 to represent the connection from it to HeadQuarter. Of course it can use other DLCIs as well because DLCIs are
Then the HeadQuarter will need to map the Branch 1 IP address to DLCI 23 & map the Branch 2 IP address to DLCI 51. After
addresses.
Now all the routers have a pair of DLCI & IP address of the
router at the other end so data can be forwarded to the right
destination.
In this example you can see that each router has a DLCI first
(Layer 2) and it needs to find out the IP address (Layer 3).
This process is opposite of the ARP process (ARP translates
Layer 3 address to Layer 2 address) so it is called Inverse
ARP.
After the Inverse ARP process completes, we can use the
“show frame-relay map” to check. The word “dynamic”
indicates the mapping was learned through Inverse ARP (the
output below is not related to the above topology):
LMI includes:
A keepalive mechanism, which verifies that data is
flowing
A multicast mechanism, which provides the network
server (router) with its local DLCI.
A status mechanism, which provides PVC statuses on
the DLCIs known to the switch
In our example, when HeadQuarter is configured with Frame
Relay, it sends an LMI Status Inquiry message to the DCE. The
response from the DCE might be a small Hello message or a full
status report about the PVCs in use containing details of all the
VCs configured (DLCI 23 & 51). By default, LMI messages are
sent out every 10 seconds.
The four possible PVC states are as follows:
Active state: Indicates that the connection is active and that
routers can exchange data.
Inactive state: Indicates that the local connection to the Frame
Relay switch is working, but the remote router connection to the
Frame Relay switch is not working.
Deleted state: Indicates that no LMI is being received from the
Frame Relay switch, or that there is no service between the
Frame Relay does not define the way the data is transmitted
within the service provider’s network once the traffic reaches
the provider’s switch. So the providers can use Frame Relay,
ATM or PPP… inside their networks.
Layer 2 Encapsulation Protocols
Besides Frame Relay there are other Layer 2 Encapsulation
Protocols that you can implement instead:
X.25/Link Access Procedure, Balanced (LAPB): Defines
connections between DTE and DCE for remote terminal access.
LAPB is a data link layer protocol specified by X.25.
Asynchronous Transfer Mode (ATM): International standard
for cell relay using fixed-length (53-byte) cells for multiple
service types. Fixed-length cells allow hardware processing,
which greatly reduces transit delays. ATM takes advantage of
high-speed transmission media such as E3, T3, and Synchronous
Optical Network (SONET).
www.cisco.com/c/en/us/support/docs/wan/frame-relay/16563-12.html
Configurations
Router --->Spicey
Router --->Prasit
Spicey
Spicey#show running-config
Building configuration...
Current configuration : 1705 bytes
!
version 12.1
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Spicey
!
!
!
interface Ethernet0
ip address 124.124.124.1 255.255.255.0
!
interface Serial0
ip address 3.1.3.1 255.255.255.0
encapsulation frame-relay
frame-relay interface-dlci 140
!
!
router rip
network 3.0.0.0
network 124.0.0.0
!
line con 0
exec-timeout 0 0
transport input none
line aux 0
line vty 0 4
login
!
end
Prasit
Prasit#show running-config
Building configuration...
Current configuration : 1499 bytes
!
version 12.1
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Prasit
!
!
!
interface Ethernet0
ip address 123.123.123.1 255.255.255.0
!
!
interface Serial1
ip address 3.1.3.2 255.255.255.0
encapsulation frame-relay
frame-relay interface-dlci 150
!
!
router rip
network 3.0.0.0
network 123.0.0.0
!
!
!
line con 0
exec-timeout 0 0
transport input none
line aux 0
line vty 0 4
login
!
end
debug and show Commands
Before issuing debug commands, please see Important
Information on Debug Commands.
show frame-relay map
show frame-relay pvc
show frame-relay lmi
ping <device name>
show ip route
Spicey
Spicey#show frame-relay map
R1
interface Serial1/0
no ip address
encapsulation frame-relay
serial restart-delay 0
!
interface Serial1/0.200 point-to-point
ip address 10.10.10.1 255.255.255.0
frame-relay interface-dlci 100
!
interface Serial1/0.400 point-to-point
ip address 30.30.30.1 255.255.255.0
!
Verification
R1#sh frame-relay map
Serial1/0.200 (up): point-to-point dlci, dlci 100(0x64,0x1840), broadcast
          status defined, active
Serial1/0.400 (up): point-to-point dlci, dlci 110(0x6E,0x18E0), broadcast
          status defined, active
R2#sh frame-relay map
Serial1/0.200 (up): point-to-point dlci, dlci 200(0xC8,0x3080), broadcast
          status defined, active
R2#sh frame-relay pvc
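Added example (my own code, not from the original text): how the two hex values in this output relate to the DLCI. Q.922 spreads the 10-bit DLCI across two address bytes around the C/R, FECN, BECN, DE and EA bits, which is why dlci 100 appears as 0x1840; the code encodes and decodes that field and parses the map output above to cross-check the three values in each entry. The helper names and the constructed copy of the output are assumptions.

```python
import re


def dlci_to_q922(dlci, fecn=False, becn=False, de=False, ea=False):
    """Encode a DLCI into the two-byte Q.922 address field.

    Byte 1: DLCI high 6 bits, C/R, EA.  Byte 2: DLCI low 4 bits, FECN, BECN, DE, EA.
    IOS prints the field with all control bits clear (ea=False), so dlci 100
    shows as 0x1840; on the wire the final EA bit is set, giving 0x1841.
    """
    if not 0 <= dlci <= 1023:
        raise ValueError("the two-byte address field carries a 10-bit DLCI")
    high6, low4 = dlci >> 4, dlci & 0xF
    byte1 = high6 << 2                                   # C/R = 0, EA = 0
    byte2 = (low4 << 4) | (fecn << 3) | (becn << 2) | (de << 1) | int(ea)
    return (byte1 << 8) | byte2


def q922_to_dlci(addr):
    """Recover the DLCI, ignoring the C/R, FECN, BECN, DE and EA bits."""
    byte1, byte2 = (addr >> 8) & 0xFF, addr & 0xFF
    return ((byte1 >> 2) << 4) | (byte2 >> 4)


def q922_flags(addr):
    """Congestion and discard-eligibility bits carried in the second byte."""
    byte2 = addr & 0xFF
    return {"fecn": bool(byte2 & 0x08), "becn": bool(byte2 & 0x04), "de": bool(byte2 & 0x02)}


# One map entry as "show frame-relay map" prints it: interface, link state, DLCI
# in decimal, DLCI in hex, Q.922 address field, optional broadcast flag, PVC status.
MAP_ENTRY = re.compile(
    r"(?P<intf>\S+) \((?P<link>up|down)\): point-to-point dlci, dlci (?P<dlci>\d+)"
    r"\((?P<hex>0x[0-9A-Fa-f]+),(?P<q922>0x[0-9A-Fa-f]+)\),\s*(?P<bcast>broadcast)?\s*"
    r"status (?P<status>[^\n]+)")


def parse_show_map(text):
    """Parse map entries and cross-check the three DLCI representations."""
    entries = []
    for m in MAP_ENTRY.finditer(text):
        dlci, q922 = int(m["dlci"]), int(m["q922"], 16)
        entries.append({
            "intf": m["intf"], "link": m["link"], "dlci": dlci,
            "status": m["status"].strip(), "broadcast": m["bcast"] is not None,
            "consistent": int(m["hex"], 16) == dlci and q922_to_dlci(q922) == dlci,
        })
    return entries


# Constructed copy of the R1 and R2 output shown above.
R1_MAP = """\
Serial1/0.200 (up): point-to-point dlci, dlci 100(0x64,0x1840), broadcast
          status defined, active
Serial1/0.400 (up): point-to-point dlci, dlci 110(0x6E,0x18E0), broadcast
          status defined, active
"""
R2_MAP = """\
Serial1/0.200 (up): point-to-point dlci, dlci 200(0xC8,0x3080), broadcast
          status defined, active
"""

if __name__ == "__main__":
    for entry in parse_show_map(R1_MAP) + parse_show_map(R2_MAP):
        print(entry)
    print(hex(dlci_to_q922(100)), hex(dlci_to_q922(100, ea=True)))
```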
End of chapter
Chapter – IPv6
IPv6 Introduction
IPv6 Address Configuration
OSPF Version 3
EIGRP for IPv6
Summary
IPv6
Address Type   Description
Unicast        One to One (Global, Link local, Site local)
IPv6 uses the “/” notation to denote how many bits in the IPv6 address represent the subnet.
The full syntax of IPv6 is
ipv6-address/prefix-length
where
ipv6-address is the 128-bit IPv6 address
/prefix-length is a decimal value representing how many of the leftmost contiguous bits of the address comprise the prefix.
Let’s analyze an example:
2001:C:7:ABCD::1/64 is really 2001:000C:0007:ABCD:0000:0000:0000:0001/64
+ The first 64 bits, 2001:000C:0007:ABCD, are the address prefix
+ The last 64 bits, 0000:0000:0000:0001, are the interface ID
+ /64 is the prefix length (/64 is well known and is also the prefix length in most cases)
DETAILED STEPS
Step 1: enable
  Purpose: Enables privileged EXEC mode. Enter your password if prompted.
  Example: Device> enable
Step 2: configure terminal
  Purpose: Enters global configuration mode.
  Example: Device# configure terminal
Step 3: interface type number
  Purpose: Specifies an interface type and number, and places the device in interface configuration mode.
  Example: Device(config)# interface gigabitethernet 0/0/0
Step 4: Do one of the following:
  ipv6 address ipv6-prefix/prefix-length eui-64
  ipv6 address ipv6-address/prefix-length link-local
  ipv6 enable
  Purpose: Specifies an IPv6 network assigned to the interface and enables IPv6 processing on the interface;
  or specifies an IPv6 address assigned to the interface and enables IPv6 processing on the interface;
  or automatically configures an IPv6 link-local address on the interface while
  Example: Device(config-if)# ipv6 address 2001:DB8:0:1::/64 eui-64
OSPFv3 Routing
SUMMARY STEPS
1. configure terminal
2. interface interface-type slot/port
3. ipv6 address ipv6-prefix/length
4. ipv6 router ospfv3 instance-tag area area-id [secondaries none]
5. (Optional) show ipv6 ospfv3 instance-tag interface interface-type slot/port
6. (Optional) copy running-config startup-config
Example
Let's see an example of OSPFv3 configured in GNS3.
Figure 14.1
R1
interface Loopback0
no ip address
ipv6 address 2002:1:1::1/128
ipv6 enable
ipv6 ospf 1 area 0
!
interface Serial1/0
no ip address
ipv6 address FE80::2 link-local
ipv6 enable
ipv6 ospf 1 area 0
clock rate 64000
!
ipv6 router ospf 1
router-id 1.1.1.1
log-adjacency-changes
end
R2
interface Loopback0
no ip address
ipv6 address 2002:2:2::2/128
ipv6 enable
ipv6 ospf 1 area 0
!
interface Serial1/0
no ip address
ipv6 address FE80::1 link-local
ipv6 enable
ipv6 enable
ipv6 ospf 1 area 0
serial restart-delay 0
!
ipv6 router ospf 1
router-id 3.3.3.3
log-adjacency-changes
Verification
EIGRP IPV6
Restrictions
The configuration of EIGRP for IPv6 has some restrictions, which are:
The interfaces can be directly configured with EIGRP for IPv6, without the use of a global IPv6 address. There is no network statement in EIGRP for IPv6.
The router ID needs to be configured for an EIGRPv6 protocol instance before it can run.
EIGRP for IPv6 has a shutdown feature. Ensure that the routing process is in "no shut" mode in order to run the protocol.
NOTE: Using the above example and diagram 14.1, we configure EIGRP for IPv6.
R1
interface Loopback0
no ip address
ipv6 address 2002:1:1::1/128
ipv6 enable
ipv6 eigrp 1
!
interface Serial1/0
no ip address
ipv6 address 2003:1:1::1/64
ipv6 enable
ipv6 eigrp 1
serial restart-delay 0
clock rate 64000
!
ipv6 router eigrp 1
eigrp router-id 1.1.1.1
no shut
R2
interface Loopback0
no ip address
ipv6 address 2002:2:2::2/128
ipv6 enable
ipv6 eigrp 1
!
interface Serial1/0
no ip address
ipv6 address 2003:1:1::2/64
ipv6 enable
ipv6 eigrp 1
!
interface Serial1/1
no ip address
ipv6 address 2005:1:1::3/64
ipv6 enable
ipv6 eigrp 1
!
ipv6 router eigrp 1
eigrp router-id 2.2.2.2
no shut
!
end
R3
interface Loopback0
no ip address
ipv6 address 2002:3:3::3/128
ipv6 enable
ipv6 eigrp 1
!
interface FastEthernet0/0
no ip address
shutdown
duplex half
!
interface Serial1/0
no ip address
ipv6 address 2005:1:1::4/64
ipv6 enable
ipv6 eigrp 1
serial restart-delay 0
clock rate 64000
!
ipv6 router eigrp 1
eigrp router-id 3.3.3.3
no shut
!
end
RIP for IPv6 (RIPng)
IPv6 RIP functions the same and offers the same benefits as
RIP in IPv4. RIP enhancements for IPv6, detailed in RFC
2080, include support for IPv6 addresses and prefixes, and
the use of the all-RIP-devices multicast group address
FF02::9 as the destination address for RIP update
messages.
R1
interface Loopback0
no ip address
ipv6 address 2002:1:1::1/128
ipv6 enable
ipv6 rip comnetss enable
!
interface Serial1/0
no ip address
ipv6 address 2003:1:1::1/64
ipv6 enable
ipv6 rip comnetss enable
serial restart-delay 0
clock rate 64000
!
ipv6 router rip comnetss
!
end
R2
interface Loopback0
no ip address
ipv6 address 2002:2:2::2/128
ipv6 enable
ipv6 rip comnetss enable
!
interface Serial1/0
no ip address
ipv6 address 2003:1:1::2/64
ipv6 enable
ipv6 rip comnetss enable
serial restart-delay 0
clock rate 64000
!
interface Serial1/1
no ip address
ipv6 address 2005:1:1::3/64
ipv6 enable
ipv6 rip comnetss enable
serial restart-delay 0
clock rate 64000
!
ipv6 router rip comnetss
end
R3
interface Loopback0
no ip address
ipv6 address 2002:3:3::3/128
ipv6 enable
Verification
Background information
Many companies have facilities spread out across the country, or even around the world. But there is one thing that all companies need: a way to maintain fast, secure, and reliable communications wherever their offices are located.
Until recently, reliable communication has meant the use of leased lines to maintain a wide-area network (WAN). Leased lines, ranging from Integrated Services Digital Network (ISDN, which runs at 144 Kbps) to Optical Carrier-3 (OC3, which runs at 155 Mbps) fiber, provide a company with a way to expand its private network beyond its immediate geographic area.
A WAN has obvious advantages over a public network like the Internet when it comes to reliability, performance, and security; but maintaining a WAN, particularly when using leased lines, can become quite expensive (the cost often rises as the distance between the offices increases).
VPN Technologies
A well-designed VPN uses several methods in order to keep your connection and data secure.
Data Confidentiality: This is perhaps the most important service provided by any VPN implementation. Since your private data travels over a public network, data confidentiality is vital; it is attained by encrypting the data into a form that only the intended peer can decode and nobody else.
Most VPNs use one of these protocols to provide encryption.
1. IPsec (Internet Protocol Security): IPsec is a network layer security protocol.
Reference:
http://www.cisco.com/c/en/us/support/docs/routers/1700-series-modular-access-routers/71462-rtr-l2l-ipsec-split.html
IPsec by itself does not support multicast/broadcast traffic. The solution to this problem is a GRE VPN: the traffic is carried in a GRE tunnel, which IPsec then encrypts.
Summary steps: there are five steps to configure an IPsec VPN:
1. IPsec phase 1: configure the ISAKMP policy
2. IPsec phase 2: configure the IPsec transform set
3. Extended ACL to select the interesting VPN traffic to encrypt
4. Create the crypto map (sequence)
5. Apply the crypto map to the outgoing interface of the router.
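The five steps above can be checked mechanically against a saved running-config. The following Python audit is an added example, not part of this page or of Cisco's documentation: it parses a constructed IOS config fragment, reports which of the five steps is missing or left unwired (a match ACL that is not defined, a crypto map bound to no interface), and flags legacy ESP transforms such as the esp-des esp-md5-hmac pair used by the configurations later in this chapter.

```python
# Constructed sample running-config (not from the page): all five steps are
# present, but the transform set still negotiates DES and MD5.
SAMPLE_CONFIG = """\
crypto isakmp policy 10
 authentication pre-share
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto map mymap 10 ipsec-isakmp
 set peer 10.0.0.2
 set transform-set myset
 match address 100
access-list 100 permit ip 10.1.1.0 0.0.0.255 172.16.2.0 0.0.0.255
interface Serial2/0
 crypto map mymap
"""

WEAK = {"esp-des", "esp-3des", "esp-md5-hmac", "esp-null"}  # legacy transforms

def parse_blocks(config):
    """Group IOS config lines into (top-level line, [indented sub-lines])."""
    blocks = []
    for line in config.splitlines():
        if line.startswith(" ") and line.strip() and blocks:
            blocks[-1][1].append(line.strip())
        elif line.strip() and not line.startswith("!"):
            blocks.append((line.strip(), []))
    return blocks

def audit_ipsec_config(config):
    """Return {'missing': [...], 'weak': [...]} for the five IPsec VPN steps."""
    blocks = parse_blocks(config)
    heads = [h for h, _ in blocks]
    tsets = {h.split()[3]: h.split()[4:] for h in heads
             if h.startswith("crypto ipsec transform-set ")}
    acls = {h.split()[1] for h in heads if h.startswith("access-list ")}
    applied = {s.split()[2] for h, b in blocks if h.startswith("interface ")
               for s in b if s.startswith("crypto map ")}
    maps = [(h.split()[2], b) for h, b in blocks
            if h.startswith("crypto map ") and h.endswith(" ipsec-isakmp")]
    missing = [f"step {n}: no '{p.strip()}'" for n, p in
               ((1, "crypto isakmp policy "), (2, "crypto ipsec transform-set "), (4, "crypto map "))
               if not any(h.startswith(p) for h in heads)]
    weak = []
    for name, body in maps:
        ts = [s.split()[2] for s in body if s.startswith("set transform-set ")]
        acl = [s.split()[2] for s in body if s.startswith("match address ")]
        # step 2: flag deprecated ESP transforms in every set the map references
        weak += [f"{name}/{t}: {x}" for t in ts for x in tsets.get(t, []) if x in WEAK]
        if not acl or acl[0] not in acls:
            missing.append(f"step 3: crypto map {name} has no defined match ACL")
        if name not in applied:
            missing.append(f"step 5: crypto map {name} is not applied to an interface")
    return {"missing": missing, "weak": weak}
```

Running `audit_ipsec_config(SAMPLE_CONFIG)` returns no missing steps but two weak-transform findings; deleting the interface-level `crypto map mymap` line makes step 5 show up as missing.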
Configurations
This document uses these configurations:
Router A
Router B
Router A
RouterA#show running-config
Building configuration...
!
!
!
interface Ethernet0/0
ip address 10.1.1.2 255.255.255.0
half-duplex
!
interface Serial2/0
ip address 172.16.1.1 255.255.255.0
crypto map mymap
!
ip http server
no ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 172.16.1.2
!
!
control-plane
!
line con 0
line aux 0
line vty 0 4
!
!
end
Router B
RouterB#show running-config
Building configuration...
!
crypto map mymap 10 ipsec-isakmp
set peer 172.16.1.1
set transform-set myset
match address 100
!
!
!
!
interface Ethernet0
ip address 172.16.2.1 255.255.255.0
!
interface Ethernet1
ip address 10.0.0.2 255.255.255.0
crypto map mymap
!
interface Serial0
no ip address
shutdown
no fair-queue
!
interface Serial1
no ip address
shutdown
!
ip classless
ip route 0.0.0.0 0.0.0.0 10.0.0.1
ip http server
!
Verify
This section provides information you can use to confirm your
configuration is working properly.
show crypto ipsec sa - Shows the settings used by current
Security Associations (SAs).
RouterA#show crypto ipsec sa
Components Used
The information in this document is based on these software and
hardware versions:
Configurations
This document uses these configurations.
Daphne Configuration
Fred Configuration
Daphne Configuration
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname daphne
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$r2sh$XKZR118vcId11ZGzhbz5C/
!
no aaa new-model
ip subnet-zero
!
!
!
crypto isakmp policy 10
authentication pre-share
esp-des esp-md5-hmac
!
crypto map myvpn 10 ipsec-isakmp
!
interface Tunnel0
ip address 192.168.3.1 255.255.255.0
interface FastEthernet0/0
interface FastEthernet0/1
ip address 192.168.1.1 255.255.255.0
ip access-group 103 in
ip nat outside
ip inspect myfw out
speed 100
full-duplex
crypto map myvpn
!
ip route 172.16.1.0 255.255.255.0 192.168.3.2
ip http server
no ip http secure-server
!
!
Fred Configuration
version 12.2
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname fred
!
enable secret 5 $1$AtxD$MycLGaJvF/tAIFXkikCes1
!
ip subnet-zero
!
!
ip telnet source-interface FastEthernet0/0
!
ip inspect name myfw tcp
ip inspect name myfw udp
interface Tunnel0
ip address 192.168.3.2 255.255.255.0
tunnel source FastEthernet0/1
tunnel destination 192.168.1.1
!
interface FastEthernet0/0
ip address 172.16.1.1 255.255.255.0
ip nat inside
speed 100
full-duplex
!
interface Serial0/0
no ip address
clockrate 2000000
!
interface FastEthernet0/1
ip address 192.168.2.2 255.255.255.0
ip access-group 103 in
ip nat outside
ip inspect myfw out
speed 100
full-duplex
crypto map myvpn
!
!
line aux 0
line vty 0 4
password ww
login
!
end
Verify
Use this section to confirm that your configuration works properly.
Try to ping a host in the remote subnet (10.0.0.x) from a host in the 172.16.1.x network in order to check the VPN configuration. This traffic should go through the GRE tunnel and be encrypted.
Use the show crypto ipsec sa command to verify that the IPsec tunnel is up. First check that the SPI numbers are different from 0. You should also see an increase in the pkts encrypt and pkts decrypt counters.
show crypto ipsec sa: Verifies that the IPsec tunnel is up.
show access-lists 103: Verifies that the Cisco IOS Firewall configuration works correctly.
show ip nat translations: Verifies that NAT works properly.
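To make the two checks above (SPIs different from 0, growing pkts encrypt and pkts decrypt counters) repeatable, here is an added Python example that is not from the page or from Cisco: it parses two constructed `show crypto ipsec sa` excerpts, one taken before and one after the test ping, and reports which check fails. The excerpt layout is assumed from the IOS output format and is labelled as constructed in the code.

```python
import re

def sample_sa(encrypt, decrypt, spi_in, spi_out):
    """Constructed 'show crypto ipsec sa' excerpt (not real device output)."""
    return f"""\
interface: Serial2/0
    Crypto map tag: mymap, local addr 172.16.1.1
   local  ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (172.16.2.0/255.255.255.0/0/0)
    #pkts encaps: {encrypt}, #pkts encrypt: {encrypt}, #pkts digest: {encrypt}
    #pkts decaps: {decrypt}, #pkts decrypt: {decrypt}, #pkts verify: {decrypt}
     current outbound spi: {spi_out}
     inbound esp sas:
      spi: {spi_in}
     outbound esp sas:
      spi: {spi_out}
"""

def parse_ipsec_sa(text):
    """Pull the encrypt/decrypt counters and every SPI out of the command output."""
    sa = {}
    for key in ("encrypt", "decrypt"):
        m = re.search(rf"#pkts {key}: (\d+)", text)
        sa[key] = int(m.group(1)) if m else 0
    # per-SA lines start with 'spi:'; 'current outbound spi' is its own line
    sa["spis"] = [int(s, 16) for s in re.findall(r"^\s+spi: (0x[0-9A-Fa-f]+)", text, re.M)]
    m = re.search(r"current outbound spi: (0x[0-9A-Fa-f]+)", text)
    sa["spis"].append(int(m.group(1), 16) if m else 0)
    return sa

def check_tunnel(before, after):
    """Return the checks that fail: any SPI still 0, or a counter that did not grow."""
    b, a = parse_ipsec_sa(before), parse_ipsec_sa(after)
    problems = []
    if 0 in a["spis"]:
        problems.append("an SPI is 0: the IPsec SA was never established")
    for key in ("encrypt", "decrypt"):
        if a[key] <= b[key]:
            problems.append(f"#pkts {key} did not increase ({b[key]} -> {a[key]})")
    return problems

if __name__ == "__main__":
    first = sample_sa(4, 4, "0x5D2E8B11", "0xC3A91F02")
    second = sample_sa(9, 9, "0x5D2E8B11", "0xC3A91F02")
    print(check_tunnel(first, second) or "tunnel up and passing traffic both ways")
```

A counter that grows in only one direction (encrypt up, decrypt flat) is the classic sign that the remote side is dropping or not encrypting the return traffic, and the check reports exactly that.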
Note: Please note also that I have not configured any security protection on the GRE tunnel. If you want, you can configure IPsec on top of GRE in order to encrypt all data passing through the GRE tunnel.
Example 2:
Another good example of GRE tunneling is available at the link below.
http://www.slideshare.net/NetworksTraining/configuring-gre-tunnel-through-a-cisco-asa-firewall
End of chapter
Chapter: Network Security
Network Security
Cisco Firewalls
Layer 2 Security
AAA Security Services
Secure Device Management
Secure Communications