© 2004 Cisco Systems, Inc. All rights reserved. ICND v2.2—3-2
Introducing Routing

What Is Routing?
To route, a router needs to do the following:
- Discover the connected networks.
- Select the best paths (routes) to these networks.
- Maintain and verify routing information using a routing table.
- Network traffic filtering
- Quality of Service (QoS)

Routing table
- The routing table contains the best paths discovered by a routing protocol.

Routing Protocols
- Static route: a route (path) that a network administrator enters into the router manually.
- Dynamic route: a route (path) that a routing protocol discovers automatically and adjusts when the topology changes.
Routing Protocols (classification)
- Static:
  - Directly connected
  - Static route
  - Default route
- Dynamic:
  - IGP (interior gateway protocols):
    - Distance vector (RIPv1, IGRP)
    - Link state (OSPF, IS-IS)
    - Hybrid (EIGRP, RIPv2)
  - EGP (exterior gateway protocols): EGP, BGP

Autonomous Systems: Interior or Exterior Routing Protocols
Routing table creation
- The routing table contains only the decisions of the best routing protocol and the best paths to reach networks.
- The best routing protocol is elected based on its administrative distance.
- The best paths depend on the protocol's metric.

Administrative Distance
- It is a value between 0 and 255 that reflects the trustworthiness of a routing protocol (the best protocol has the least administrative distance).
- Example: OSPF = 110

Selecting the Best Route with Metrics
- The best path has the least metric.
- Each routing protocol uses a metric type (hop count, bandwidth, delay, load, reliability, MTU).
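The two-step selection just described (lowest administrative distance first, then lowest metric, keeping equal-metric paths for load balancing), as an added example that is not part of the slides; the administrative distances are the ones listed in this deck and the candidate routes are constructed sample data.

```python
# Added example (not from the Cisco slides): build a routing table from
# candidate routes learned by several protocols, choosing per destination
# first by administrative distance, then by metric.  Equal-metric routes
# from the winning protocol are all kept (equal-cost load balancing).
from collections import defaultdict

# Administrative distances as listed in this deck.
ADMIN_DISTANCE = {
    "C": 0,       # directly connected
    "S": 1,       # static
    "D": 90,      # EIGRP internal
    "O": 110,     # OSPF
    "R": 120,     # RIP
    "D EX": 170,  # EIGRP external
}

def select_routes(candidates):
    """candidates: list of (prefix, code, metric, next_hop).
    Returns {prefix: [(code, metric, next_hop), ...]} keeping only the
    best protocol (lowest AD) and, within it, the lowest-metric path(s)."""
    by_prefix = defaultdict(list)
    for prefix, code, metric, next_hop in candidates:
        by_prefix[prefix].append((ADMIN_DISTANCE[code], code, metric, next_hop))
    table = {}
    for prefix, routes in by_prefix.items():
        best_ad = min(ad for ad, _, _, _ in routes)
        same_proto = [r for r in routes if r[0] == best_ad]
        best_metric = min(m for _, _, m, _ in same_proto)
        table[prefix] = [(code, m, nh) for _, code, m, nh in same_proto
                         if m == best_metric]
    return table

# Constructed sample input: 10.0.0.0/8 is learned by RIP (2 hops) and by
# OSPF (costs 30, 20 and 20 via three neighbours); OSPF wins on AD even
# though its metric number is larger, and both cost-20 paths are kept.
SAMPLE = [
    ("10.0.0.0/8", "R", 2, "192.168.1.2"),
    ("10.0.0.0/8", "O", 30, "192.168.1.3"),
    ("10.0.0.0/8", "O", 20, "192.168.1.4"),
    ("10.0.0.0/8", "O", 20, "192.168.1.5"),
    ("11.0.0.0/8", "R", 1, "192.168.1.2"),
    ("12.0.0.0/8", "C", 0, "Serial0"),
    ("12.0.0.0/8", "O", 10, "192.168.1.4"),
]

if __name__ == "__main__":
    for prefix, routes in sorted(select_routes(SAMPLE).items()):
        for code, metric, nh in routes:
            print(f"{code:5} {prefix:14} [{ADMIN_DISTANCE[code]}/{metric}] via {nh}")
```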
Static routing protocol
1- Directly connected networks:
- Directly connected networks are automatically detected by the router without configuration.
- Symbol in the routing table is "C".
- Administrative distance = 0.
Figure: routers with directly connected networks 10.0.0.0, 11.0.0.0, 12.0.0.0 and 13.0.0.0; each appears in the routing tables with code C.
Static routing protocol
2- Static route:
- You can manually define a path to reach a certain network.
- Symbol in the routing table is "S".
- Administrative distance = 1.
Figure: a static route to 192.168.1.0/24 across the 12.0.0.0/8 link (12.0.0.1 to 12.0.0.2) toward the Internet, written either with the exit interface (192.168.1.0 S0) or with the next-hop address (192.168.1.0 12.0.0.2).
Static routing protocol
3- Default route:
- This route allows the stub network to reach all known networks beyond router A (gateway of last resort).
- Symbol in the routing table is "S*".
Figure: stub network 192.168.1.0/24 behind router A; A reaches the Internet over the 12.0.0.0/8 link (12.0.0.1 to 12.0.0.2) through interface S0.
Displaying the routing table
router# show ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, * - candidate default
       U - per-user static route

Gateway of last resort is 0.0.0.0 to network 0.0.0.0

C    12.0.0.0 is directly connected, Serial0
S*   0.0.0.0/0 is directly connected, Serial0
Dynamic routing protocols
Distance Vector Routing Protocols:
- Each router detects its directly connected networks and forms its initial routing table.
- Routers pass periodic copies of their routing table to neighbor routers and learn the best paths to all networks (the paths with the least metric), forming the final routing table (convergence).
- After convergence, periodic updates (the full routing table) continue to be sent to indicate any change in the topology.
Distance Vector Routing Protocols
Figure: three routers in a row with networks 10.0.0.0, 11.0.0.0, 12.0.0.0 and 13.0.0.0; after convergence every routing table lists all four networks.
Routing loops
Figure: routers A, B and C in a row; A reaches network 10.0.0.0 on E0, B reaches it through S0 with metric 2, C through S1 with metric 3. When the network goes down, A's entry becomes metric 16.
- When network 10.0.0.0 fails, router A marks its metric as 16 (the maximum hop count value, used to avoid counting to infinity) and sends its routing table to B after the periodic interval.
- Before B sends its periodic update to C, router C sends its routing table to B containing a path to 10.0.0.0 with a better metric, so B thinks that 10.0.0.0 can be reached via C while C depends on B for that, and a loop occurs.
Routing loops solutions
- Split Horizon: a route learned from an interface cannot be sent back out the same interface.
Figure: the same routers; A advertises 10.0.0.0 with metric 16, and B does not advertise 10.0.0.0 back out the interface on which it learned it.
Routing loops solutions
- Hold-down Timers: a router that is informed of a failed route does not accept any update about it for a time equal to the hold-down timer, so by the end of the timer all routers know that the route failed (this is useful in flapping networks).
- The hold-down ends when:
  - The hold-down timer expires.
  - Another update is received with a better metric.
Figure: network 10.0.0.0 held down on the three routers.
Routing loops solutions
- Triggered Updates: instead of sending updates after a time interval, a router sends the update as soon as a route fails or any change occurs, so other routers immediately modify their routing tables (this is the most used solution).
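The loop on the previous slides and the split-horizon fix, simulated as an added example that is not part of the slides: the A - B - C chain with network 10.0.0.0 on A is constructed here, hop count is the metric and 16 is infinity, and the update rules follow the distance-vector description above (periodic full-table exchange, Bellman-Ford acceptance).

```python
# Added example (not from the Cisco slides): a small distance-vector
# simulation of the A - B - C chain from the routing-loop figure.  Network
# 10.0.0.0 hangs off router A; hop count is the metric and 16 is infinity.
# Run with split_horizon=False to watch count-to-infinity, and with
# split_horizon=True to see the loop prevented.
INFINITY = 16
DEST = "10.0.0.0"
LINKS = {"A": ["B"], "B": ["A", "C"], "C": ["B"]}   # constructed topology

def tables_after_failure():
    """Routing tables just after 10.0.0.0 goes down on A's E0 interface:
    A has marked it unreachable, B and C still hold their old routes."""
    return {
        "A": {DEST: (INFINITY, "down")},
        "B": {DEST: (2, "A")},
        "C": {DEST: (3, "B")},
    }

def advertise(table, to_neighbor, split_horizon):
    """The update a router sends to one neighbour: its whole table, minus
    (with split horizon) the routes it learned from that very neighbour."""
    return {dest: metric for dest, (metric, via) in table.items()
            if not (split_horizon and via == to_neighbor)}

def receive(table, from_neighbor, update):
    """Bellman-Ford step: adopt a neighbour's route if it is better, and
    always accept the neighbour's figure for a route that already goes via it."""
    for dest, adv_metric in update.items():
        candidate = min(adv_metric + 1, INFINITY)
        current = table.get(dest)
        if current is None or current[1] == from_neighbor or candidate < current[0]:
            table[dest] = (candidate, from_neighbor)

def simulate(split_horizon, max_rounds=50):
    """Run synchronous periodic updates until every router reports 16.
    Returns (rounds_needed, loop_seen); loop_seen is True if A ever believed
    it could reach 10.0.0.0 through B, i.e. the loop from the slide."""
    tables = tables_after_failure()
    loop_seen = False
    for rnd in range(1, max_rounds + 1):
        # every router builds its updates from the tables of the previous round
        updates = {r: {n: advertise(tables[r], n, split_horizon) for n in LINKS[r]}
                   for r in tables}
        for r in tables:
            for n in LINKS[r]:
                receive(tables[r], n, updates[n][r])
        if tables["A"][DEST][1] == "B":
            loop_seen = True
        if all(t[DEST][0] == INFINITY for t in tables.values()):
            return rnd, loop_seen
    return None, loop_seen

if __name__ == "__main__":
    print("no split horizon:", simulate(False))   # 14 rounds, loop seen
    print("split horizon:   ", simulate(True))    # 2 rounds, no loop
```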
Properties of Distance Vector Routing Protocols
- Simple configuration
- Low processing / memory usage
- Bandwidth waste due to the periodic updates
- Unreliable (no acknowledgement for the protocol messages)
- Updates are sent as broadcasts on all active interfaces, so they may affect the host PCs
- Classful: the subnet mask is not included with the route advertisement, and summary routes are often sent
- Examples of distance vector protocols:
  • RIP version 1 (RIPv1)
  • IGRP
RIP v1
- Distance vector routing protocol
- Symbol in the routing table is "R"
- Administrative distance = 120
- Metric is hop count; metric 16 means unreachable
- Full routing tables are flooded in the network until convergence occurs (uses the Bellman-Ford algorithm)
- After convergence, periodic updates are sent every 30 seconds
- At a change, a triggered update is sent
- Supports load balancing if many paths to the same network exist with an equal metric
- Classful
RIP Configuration
Router(config)# router rip
- Starts the RIP routing process
Router(config-router)# network direct-connected-network
- Advertises the connected networks

RIP Configuration Example

Verifying the RIP Configuration

Displaying the IP Routing Table
Link-State Routing Protocols
Figure: routers A, B, C and D interconnected by the /8 networks 10.0.0.0 through 15.0.0.0.
- Operation:
- Each router discovers its directly connected neighbors using the hello protocol (a layer-3 protocol).
- Each router forms a packet called a link state advertisement (LSA), listing each link with its state and cost.
Link-State Routing Protocols
- Each router floods its LSA to all neighbors on a special multicast address, then the neighbors continue flooding the LSAs to each other.
- Each router forms the link state database (LSDB) from the received LSAs, so all routers have the same LSDB.
Figure: routers A, B, C and D exchanging LSAs over the /8 networks between them.
Link-State Routing Protocols
- Every router forms the link state tree that describes the actual connections of the network topology, then applies the Dijkstra algorithm to the tree to form the routing table.
- After convergence: no periodic updates.
- At a change: a partial triggered update for the affected route is sent, so all routers repeat the link state process.
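The SPF step described above, as an added example that is not part of the slides: a constructed LSDB for four routers A to D (each LSA listing point-to-point links with their bandwidth and one stub network), Dijkstra run from one router, and the resulting routing table; the cost rule 10^8 / bandwidth is the OSPF one from later in this deck, and taking stub networks at cost 0 is a simplification made here.

```python
# Added example (not from the Cisco slides): the link-state computation
# described above.  The LSDB below is constructed: four routers A-D, each
# LSA listing point-to-point links (neighbour -> link bandwidth in bit/s) and
# the stub network behind the router.  Costs use the OSPF rule from later in
# this deck, cost = 10^8 / bandwidth; stub networks are taken at cost 0 here.
import heapq

def ospf_cost(bandwidth_bps, reference=10**8):
    return max(1, reference // bandwidth_bps)

LSDB = {
    "A": {"links": {"B": 100_000_000, "C": 10_000_000}, "networks": ["10.0.0.0/8"]},
    "B": {"links": {"A": 100_000_000, "D": 100_000_000}, "networks": ["11.0.0.0/8"]},
    "C": {"links": {"A": 10_000_000, "D": 100_000_000}, "networks": ["12.0.0.0/8"]},
    "D": {"links": {"B": 100_000_000, "C": 100_000_000}, "networks": ["13.0.0.0/8"]},
}

def spf(lsdb, source):
    """Dijkstra over the LSDB from `source`.  Returns (cost to each router,
    first hop used to reach it); the first hops are the SPF tree's branches."""
    cost = {source: 0}
    first_hop = {source: None}
    heap = [(0, source)]
    done = set()
    while heap:
        c, node = heapq.heappop(heap)
        if node in done:
            continue
        done.add(node)
        for nbr, bw in lsdb[node]["links"].items():
            new = c + ospf_cost(bw)
            if nbr not in cost or new < cost[nbr]:
                cost[nbr] = new
                first_hop[nbr] = nbr if node == source else first_hop[node]
                heapq.heappush(heap, (new, nbr))
    return cost, first_hop

def routing_table(lsdb, source):
    """Networks -> (cost, next hop) as the router would install them."""
    cost, first_hop = spf(lsdb, source)
    table = {}
    for router, lsa in lsdb.items():
        for net in lsa["networks"]:
            table[net] = (cost[router],
                          "connected" if router == source else first_hop[router])
    return table

if __name__ == "__main__":
    # From A the direct 10 Mbit/s link to C (cost 10) loses to A-B-D-C (cost 3).
    for net, (c, nh) in sorted(routing_table(LSDB, "A").items()):
        print(f"O  {net:12} [110/{c}] via {nh}")
```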
Benefits of Link-State Routing
- Fast convergence: changes are reported immediately by the source affected (partial triggered updates)
- Robustness against routing loops:
  • Routers know the topology.
  • Link-state packets are sequenced and acknowledged (reliable protocol)
- Lower bandwidth waste: no periodic updates
- Classless

Disadvantages of Link-State Routing
- Significant demands for resources:
  • Memory (three tables: adjacency, topology, forwarding)
  • CPU (Dijkstra's algorithm can be intensive, especially when a lot of instabilities are present)
- Complex configuration
- Requires very strict network design (multiple areas)
OSPF
• Open standard
• Shortest path first (SPF) algorithm
• Link-state routing protocol
• Uses Dijkstra's algorithm
• Administrative distance = 110
• Metric called cost = 10^8 / BW
• Hop count is unlimited
• Symbol in the routing table is O
• Loop-free protocol
• Classless routing protocol

OSPF (Cont.)
• Discovers neighbors and maintains neighbor relationships using the hello protocol
• Sends hello every 10 seconds on point-to-point and broadcast multi-access networks, on multicast address 224.0.0.5, to reach neighbors only
• Dead interval = 4 × hello timer (40 sec)
• Sends LSAs (updates) on multicast address 224.0.0.5 (all OSPF routers) and 224.0.0.6 (DR and BDR routers)
• Every OSPF router that receives an LSA updates its link state database (LSDB) with a copy of this LSA and floods it to all OSPF neighbors except the one that sent it, then runs the Dijkstra SPF algorithm on the new LSDB to draw the new topology tree and form the routing table.
OSPF (Cont.)
• After convergence: no periodic updates are sent, except a periodic refresh of the LSDB every 30 minutes
• At a change: OSPF sends a triggered update for the affected route, so the OSPF process is repeated again
• OSPF tables:
  1- Neighbor table: contains the neighbor router IDs and is maintained by hellos
  2- Topology table: all paths to all networks
  3- Routing table: best paths to all networks
OSPF Hierarchical Routing
• OSPF supports a hierarchical multiple-area design
• Multiple areas minimize routing update traffic, limit the frequent SPF calculations and allow almost unlimited scalability
• Area 0 is the backbone area, and all other areas must be connected to area 0

Router ID
• Every router in an OSPF environment is identified by a RID
• The RID is a 32-bit value; it is selected as:
  1- The highest IP address of a loopback interface, if one exists (a logical interface that is always up). To configure a loopback interface:
     (config)# interface loopback number
     (config-if)# ip address ip mask
  2- If there are no loopback interfaces, the RID is the highest IP address of the active physical interfaces when the OSPF process starts
OSPF operation
1- In point-to-point topology:
- Neighbor discovery: by sending hello messages periodically on multicast 224.0.0.5
- For OSPF routers to be neighbors they must have:
  - the same area ID
  - the same hello and dead intervals
  - the same authentication password
- Route discovery: exchange LSAs on 224.0.0.5 so that each router has the same LSDB
- Route selection: form the routing table
OSPF operation
2- Broadcast Multi-Access (BMA) operation:
- Neighbor discovery: as in point-to-point
- DR & BDR election:
  - DR: the Designated Router is the router that has
    1- the highest priority (range 0 - 255, default = 1)
    2- if priorities are equal, the highest RID
  - BDR: the Backup DR is the router that has the second highest priority or RID
Note:
- If a new router with a higher priority is added, it won't become the DR directly (non-preemptive)
- A router with priority = 0 can't be the DR or BDR
- The routers that are not DR or BDR are called DROthers
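The router-ID rule and the DR/BDR election rules above, written as functions in an added example that is not part of the slides; the interface addresses, RIDs, priorities and the `segment` dictionary used to show the non-preemptive behaviour are constructed sample data.

```python
# Added example (not from the Cisco slides): the OSPF selection rules
# described above.  The interface lists, RIDs and priorities are constructed.
import ipaddress

def router_id(loopback_ips, active_physical_ips):
    """RID rule from the deck: the highest loopback address if any loopback
    exists, otherwise the highest address on an active physical interface.
    Addresses are compared numerically, not as strings (9.9.9.9 < 10.0.0.1)."""
    pool = loopback_ips or active_physical_ips
    if not pool:
        raise ValueError("no IP interface available for the router ID")
    return str(max(ipaddress.IPv4Address(ip) for ip in pool))

def elect_dr_bdr(routers):
    """routers: iterable of (rid, priority).  Returns (dr, bdr) as RID strings.
    Priority 0 makes a router ineligible; ties on priority go to the highest RID."""
    ranked = sorted(((prio, ipaddress.IPv4Address(rid), rid)
                     for rid, prio in routers if prio > 0), reverse=True)
    dr = ranked[0][2] if ranked else None
    bdr = ranked[1][2] if len(ranked) > 1 else None
    return dr, bdr

def router_joins(segment, rid, priority):
    """A router joining a segment.  The election is non-preemptive: an
    existing DR/BDR pair is kept whatever the newcomer's priority; only an
    empty role is filled.  segment: {'members': [(rid, prio)], 'dr', 'bdr'}."""
    segment["members"].append((rid, priority))
    if segment["dr"] is not None and segment["bdr"] is not None:
        return segment["dr"], segment["bdr"]
    if segment["dr"] is not None:
        # DR exists, BDR slot is open: best eligible non-DR member takes it
        others = [m for m in segment["members"] if m[0] != segment["dr"]]
        segment["bdr"] = elect_dr_bdr(others)[0]
        return segment["dr"], segment["bdr"]
    segment["dr"], segment["bdr"] = elect_dr_bdr(segment["members"])
    return segment["dr"], segment["bdr"]

if __name__ == "__main__":
    print(router_id(["1.1.1.1", "2.2.2.2"], ["192.168.1.10"]))
    print(elect_dr_bdr([("1.1.1.1", 1), ("9.9.9.9", 1), ("2.2.2.2", 200)]))
    seg = {"members": [("1.1.1.1", 1), ("9.9.9.9", 1)], "dr": "9.9.9.9", "bdr": "1.1.1.1"}
    print(router_joins(seg, "5.5.5.5", 255))   # unchanged: non-preemptive
```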
OSPF operation in BMA (cont.)
- Route discovery: form the adjacency with the DR & BDR on 224.0.0.6.
- Route selection:
  - The router forms a topology table from all the routing tables it receives.
  - Then it applies the Dijkstra algorithm on the tree to extract the routing table.
Figure: a new router sends a hello to 224.0.0.5; the DR answers with a unicast hello, then a unicast update ("here is my routing table"), which is acknowledged; the new router sends its own update to 224.0.0.6 ("here is my routing table"), and the DR forwards the update to 224.0.0.5 to reach the other routers.

OSPF operation in BMA (cont.)
- At a change: the router that detects the change sends an update to 224.0.0.6; the DR acknowledges it and forwards the update to 224.0.0.5 to the other routers, which acknowledge it.
- The other routers repeat the OSPF process (SPF tree).
Configuring Single-Area OSPF
Router(config)# router ospf process-id
• Defines OSPF as the IP routing protocol
Router(config-router)# network network wildcard-mask area area-id
• Assigns networks to a specific OSPF area

OSPF Configuration Example

Verifying the OSPF Configuration
Router# show ip protocols
• Verifies that OSPF is configured
Router# show ip route
• Displays all the routes learned by the router
Router# show ip ospf interface
• Displays area ID and adjacency information
Router# show ip ospf neighbor
• Displays OSPF neighbor information on a per-interface basis
OSPF debug Commands
Router# debug ip ospf events
OSPF: hello with invalid timers on interface Ethernet0
hello interval received 10 configured 10
net mask received 255.255.255.0 configured 255.255.255.0
dead interval received 40 configured 30

Router# debug ip ospf packet
OSPF: rcv. v:2 t:1 l:48 rid:200.0.0.117 aid:0.0.0.0 chk:6AB2 aut:0 auk:

Router# debug ip ospf packet
OSPF: rcv. v:2 t:1 l:48 rid:200.0.0.116 aid:0.0.0.0 chk:0 aut:2 keyid:1 seq:0x0
Hybrid Routing Protocols

Determining IP Routes
Enabling EIGRP
EIGRP (Enhanced IGRP)
- Advanced distance vector protocol.
- Cisco proprietary.
- Maintains neighbor relationships using the hello protocol.
- Sends hello every 5 sec. on fast links (> 1.54 Mbps).
- Sends hello every 60 sec. on slow links (< 1.54 Mbps).
- Dead interval = 3 × hello interval.
- Rapid convergence by using the DUAL algorithm (stores a backup route for each best route).
- Supports multiple network layer protocols (IP, IPX, AppleTalk).
- Supports equal and unequal load balancing between many paths to the same destination network.
- Differentiates between internal and external routes.
- Administrative distance = 90 for internal routes.
- Administrative distance = 170 for external routes.
- Symbol (D) in the routing table.

EIGRP (cont.)
- Max. hop count = 224.
- Classless.
- Reliable protocol.
- Has the same operation in all topologies.
- Uses a composite metric: bandwidth, delay, reliability, loading, MTU.
- For EIGRP routers to be neighbors:
  1- They must have the same AS number.
  2- They must have the same K-values.
EIGRP terminologies
- Neighbor table: list of all neighbors.
- Topology table: list of all routes to destination networks.
- Routing table: list of the best routes to all destination networks.
- Successor (S): best route to a destination network, stored in the routing table and the topology table.
- Feasible successor (FS): backup route to a destination network, stored in the topology table.
- Feasible distance (FD): metric between this router and the destination network.
- Advertised distance (AD): metric between my neighbor and the destination network.
- FD = next hop metric + AD.
EIGRP operation
- At start-up:
Figure: a new router sends a hello to 224.0.0.10; the neighbor answers with a unicast hello, then a unicast update ("here is my routing table"), which is acknowledged; the new router sends its own update to 224.0.0.10 ("here is my routing table"), which is acknowledged.
- The router forms a topology table from all the routing tables it receives.
- Then it applies the DUAL algorithm on the topology table to extract the routing table (S) and calculate the backup routes (FS).
- After convergence: no periodic updates are sent.

EIGRP operation (cont.)
- At a change:
1- A new network appears: the router sends an update to 224.0.0.10, which is acknowledged.

EIGRP operation (cont.)
2- Network failure:
- If there is a backup route (FS): the FS becomes the new successor for this route (an update is sent to 224.0.0.10 and acknowledged).
- If there is no backup route (FS): the router sends a query to 224.0.0.10 ("does anyone know another route to the failed network?"), which is acknowledged; the neighbors reply yes / no, and the reply is acknowledged.
Configuring EIGRP
Router(config)# router eigrp autonomous-system
• Defines EIGRP as the IP routing protocol
Router(config-router)# network network-number [wildcard-mask]
• Selects participating attached networks

EIGRP Configuration Example

Verifying the EIGRP Configuration
Router# show ip protocols
• Displays the parameters and current state of the active routing protocol process
Router# show ip route eigrp
• Displays current EIGRP entries in the routing table
Router# show ip eigrp traffic
• Displays the number of IP EIGRP packets sent and received
Router# show ip eigrp neighbors
• Displays the neighbors discovered by IP EIGRP
Router# show ip eigrp topology
• Displays the IP EIGRP topology table
debug ip eigrp Command
Router# debug ip eigrp
IP-EIGRP: Processing incoming UPDATE packet
IP-EIGRP: Ext 192.168.3.0 255.255.255.0 M 386560 - 256000 130560 SM 360960 - 256000 104960
IP-EIGRP: Ext 192.168.0.0 255.255.255.0 M 386560 - 256000 130560 SM 360960 - 256000 104960
IP-EIGRP: Ext 192.168.3.0 255.255.255.0 M 386560 - 256000 130560 SM 360960 - 256000 104960
IP-EIGRP: 172.69.43.0 255.255.255.0, - do advertise out Ethernet0/1
IP-EIGRP: Ext 172.69.43.0 255.255.255.0 metric 371200 - 256000 115200
IP-EIGRP: 192.135.246.0 255.255.255.0, - do advertise out Ethernet0/1
IP-EIGRP: Ext 192.135.246.0 255.255.255.0 metric 46310656 - 45714176 596480
IP-EIGRP: 172.69.40.0 255.255.255.0, - do advertise out Ethernet0/1
IP-EIGRP: Ext 172.69.40.0 255.255.255.0 metric 2272256 - 1657856 614400
IP-EIGRP: 192.135.245.0 255.255.255.0, - do advertise out Ethernet0/1
IP-EIGRP: Ext 192.135.245.0 255.255.255.0 metric 40622080 - 40000000 622080
IP-EIGRP: 192.135.244.0 255.255.255.0, - do advertise out Ethernet0/1
EIGRP Load Balancing
- Configuration:
Router(config)# router eigrp autonomous-system
Router(config-router)# traffic-share balanced
Router(config-router)# variance multiplier
Figure: three paths to the same destination network with metrics 20, 40 and 60.
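The successor / feasible-successor selection from the terminology slide (FD = next hop metric + AD) together with the effect of `variance` on the three paths in the figure, as an added example that is not part of the slides. The neighbour entries are constructed so that the three FDs are 20, 40 and 60; the feasibility condition used (a backup's AD must be below the successor's FD) is DUAL's standard rule, not stated on the slide.

```python
# Added example (not from the Cisco slides): DUAL's successor / feasible
# successor selection and the effect of 'variance', using FD = metric to
# next hop + AD from the terminology slide.  Neighbour data is constructed.

def topology_entries(neighbors):
    """neighbors: list of (name, metric_to_neighbor, advertised_distance).
    Returns a list of (name, FD, AD) with FD = metric to next hop + AD."""
    return [(n, link + ad, ad) for n, link, ad in neighbors]

def successor(entries):
    """The successor is the neighbour offering the lowest feasible distance."""
    return min(entries, key=lambda e: e[1])

def feasible_successors(entries):
    """DUAL's feasibility condition (standard rule, not on the slide): a
    neighbour is a feasible successor, i.e. a loop-free backup, only if its
    AD is strictly less than the successor's FD."""
    s = successor(entries)
    return [e for e in entries if e is not s and e[2] < s[1]]

def installed_routes(entries, variance=1):
    """Routes placed in the routing table: the successor plus every feasible
    successor whose FD <= variance * successor FD (unequal-cost balancing).
    A path that fails the feasibility condition is never installed, however
    large the variance."""
    s = successor(entries)
    limit = variance * s[1]
    return [s] + [e for e in feasible_successors(entries) if e[1] <= limit]

def on_failure(entries, failed_neighbor):
    """What DUAL does when a neighbour is lost, per the 'network failure' slide."""
    s = successor(entries)
    if s[0] != failed_neighbor:
        return "no action", s              # a backup path was lost, successor unaffected
    fs = feasible_successors(entries)
    if fs:
        return "switch to feasible successor", min(fs, key=lambda e: e[1])
    return "query neighbors", None         # no FS: ask 'does anyone know another route?'

# Constructed topology-table entries for one destination network.
NEIGHBORS = [
    ("X", 10, 10),   # FD 20 -> successor
    ("Y", 25, 15),   # FD 40, AD 15 < 20 -> feasible successor
    ("Z", 30, 30),   # FD 60, AD 30 >= 20 -> not feasible (could loop back through us)
]
ENTRIES = topology_entries(NEIGHBORS)

if __name__ == "__main__":
    for v in (1, 2, 3):
        print(f"variance {v}:", [e[0] for e in installed_routes(ENTRIES, v)])
    print(on_failure(ENTRIES, "X"))
```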
RIP v2
• Advanced distance vector protocol.
• No periodic updates, only partial triggered updates.
• Updates are sent on multicast 224.0.0.9.
• Classless.
• Administrative distance = 120.
• Symbol (R) in the routing table.
• Metric = hop count.
- Configuration:
Router(config)# router rip
Router(config-router)# network direct-connected-network
Router(config-router)# version 2
Route Summarization

Route summarization
- It is grouping a block of subnets and advertising them as a single network address (a single IP address represents a group of contiguous subnets).

Route summarization (cont.)
• Advantages of route summarization:
- Reduces the size of the routing table for the router that knows only the summary.
- The summary requires less bandwidth.
- A router that knows only the summary is not affected by network instability.
Classless Inter-Domain Routing (CIDR)
- It is grouping major networks into one address.
Ex:
  8.0.0.0/8   = 0000 10 00 . 0 . 0 . 0
  9.0.0.0/8   = 0000 10 01 . 0 . 0 . 0
  10.0.0.0/8  = 0000 10 10 . 0 . 0 . 0
  11.0.0.0/8  = 0000 10 11 . 0 . 0 . 0
  CIDR summary: 8.0.0.0/6 (the six leading bits are common to all four)
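The summarization from the example above computed programmatically, as an added example that is not part of the slides. It goes one step beyond the slide: besides finding the common leading bits it reports whether the summary covers exactly the listed networks or also attracts address space you do not hold (the second sample input, 10.0.0.0/8 through 13.0.0.0/8, is constructed to show that case).

```python
# Added example (not from the Cisco slides): computing the CIDR summary of
# a set of prefixes the way the slide does by hand (common leading bits),
# plus a check a practitioner wants: whether the summary covers exactly the
# listed networks or also advertises address space you do not hold.
import ipaddress

def summarize(prefixes):
    """Return (summary, exact, extra): the longest prefix that covers every
    input, whether it covers nothing else, and the leftover blocks if not."""
    nets = [ipaddress.ip_network(p) for p in prefixes]
    lo = min(int(n.network_address) for n in nets)
    hi = max(int(n.broadcast_address) for n in nets)
    # Walk from /32 down; the first length where lo and hi share the network
    # bits is the most specific prefix containing the whole range.
    for plen in range(32, -1, -1):
        mask = (0xFFFFFFFF << (32 - plen)) & 0xFFFFFFFF
        if lo & mask == hi & mask:
            summary = ipaddress.ip_network((lo & mask, plen))
            break
    # Subtract every input from the summary; whatever remains is address
    # space the summary route would attract without a more specific route.
    leftover = [summary]
    for n in nets:
        leftover = [piece for block in leftover
                    for piece in (block.address_exclude(n) if n.subnet_of(block) else [block])]
    leftover.sort(key=lambda b: int(b.network_address))
    extra = [str(b) for b in leftover]
    return str(summary), not extra, extra

def binary(prefix):
    """Dotted-binary form of a network address, as drawn on the slide."""
    addr = ipaddress.ip_network(prefix).network_address
    return ".".join(f"{octet:08b}" for octet in addr.packed)

if __name__ == "__main__":
    slide = ["8.0.0.0/8", "9.0.0.0/8", "10.0.0.0/8", "11.0.0.0/8"]
    for p in slide:
        print(f"{p:12} {binary(p)}")
    print(summarize(slide))                                                      # exact /6
    print(summarize(["10.0.0.0/8", "11.0.0.0/8", "12.0.0.0/8", "13.0.0.0/8"]))  # /5, over-summarizes
```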
Summarizing Routes in a Discontiguous Network
- RIPv1 and IGRP do not advertise subnets, and therefore cannot support discontiguous subnets.
- OSPF, EIGRP, and RIPv2 can advertise subnets, and therefore can support discontiguous subnets.

Implementing Variable Length Subnet Masks (VLSM)
Variable Length Subnet Mask (VLSM)
- VLSM means that in a single class A, B, or C network, more than one subnet mask is used.
- VLSM allows some subnets to be smaller and some subnets to be larger, which reduces the waste of IP addresses.
- VLSM allows you to apply different subnet masks to the same class address.
- Steps:
  - Begin with the largest subnet.
  - Continue giving addresses with the suitable subnet mask.
VLSM example
Divide network 192.168.1.0/24
Figure: three LAN subnets s1, s2 and s3 of 60 hosts each, and three point-to-point links s4, s5 and s6 of 2 hosts each.
- For s1, s2, s3 to support 60 hosts we need 6 host bits
- So the subnet mask is 255.255.255.192
- Block size (increment) = 256 - 192 = 64
- s1 address 192.168.1.0/26
  s2 address 192.168.1.64/26
  s3 address 192.168.1.128/26
- Starting from address 192.168.1.192, give addresses to s4, s5, s6
- 2 hosts need 2 host bits
- The new subnet mask is 255.255.255.252, block size = 256 - 252 = 4
- s4 address 192.168.1.192/30
  s5 address 192.168.1.196/30
  s6 address 192.168.1.200/30
VLSM is supported only by classless routing protocols.
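The two-step VLSM procedure (largest subnet first, then the next suitable mask) as an added example that is not part of the slides; the host counts reproduce the example above, and the start-alignment check covers the case the slide avoids by sorting, where a larger block would otherwise start on an unaligned address.

```python
# Added example (not from the Cisco slides): the VLSM procedure above as a
# function: serve the largest subnets first, pick the smallest mask that
# fits each host count, and hand out blocks back to back.
import ipaddress

def host_bits(hosts):
    """Smallest number of host bits h with 2^h - 2 usable addresses >= hosts."""
    h = 2
    while (1 << h) - 2 < hosts:
        h += 1
    return h

def vlsm(base, requests):
    """base: e.g. '192.168.1.0/24'; requests: list of (name, hosts).
    Returns a list of (name, subnet, mask) in allocation order, or raises
    ValueError if the address block is exhausted."""
    block = ipaddress.ip_network(base)
    cursor = int(block.network_address)
    end = int(block.broadcast_address) + 1
    result = []
    # Largest first; sorted() is stable, so equal-size requests keep their order.
    for name, hosts in sorted(requests, key=lambda r: r[1], reverse=True):
        h = host_bits(hosts)
        size = 1 << h                        # the 'block size' (256 - mask octet) on the slide
        cursor = -(-cursor // size) * size   # align the start to a multiple of the block size
        if cursor + size > end:
            raise ValueError(f"{base} exhausted while allocating {name}")
        subnet = ipaddress.ip_network((cursor, 32 - h))
        result.append((name, str(subnet), str(subnet.netmask)))
        cursor += size
    return result

# The slide's requests: three 60-host LANs and three 2-host links.
SLIDE_REQUESTS = [("s1", 60), ("s2", 60), ("s3", 60), ("s4", 2), ("s5", 2), ("s6", 2)]

if __name__ == "__main__":
    for name, subnet, mask in vlsm("192.168.1.0/24", SLIDE_REQUESTS):
        print(f"{name}  {subnet:20} {mask}")
```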
Managing IP Traffic with Access Lists (ACL)
Access control list (ACL)
• Manage IP traffic as network access grows
• Filter packets as they pass through the router

ACL Structure
- An ACL is a set of commands grouped under a certain name or number to control traffic flow (permit or deny).
- An access list is configured on the router and then activated on interfaces.
• ACL processing:
- Statements are checked from top to bottom.
- Once a match is found, no further checking is done.
- If no match is found, the packet is dropped due to the "implicit deny" statement at the end of the ACL.
- An ACL must contain at least one permit statement, otherwise all packets are dropped.
- In any ACL, you cannot add a statement between statements (new statements can only be added to the end of the ACL).
- You can have one ACL per interface per protocol per direction.
Note:
- In a numbered ACL, you cannot delete a certain statement, only the whole ACL.
- In a named ACL, you can delete a certain statement between statements.

ACL types
- Standard ACL:
  - Numbered: 1 - 99, 1300 - 1999
  - Named
- Extended ACL:
  - Numbered: 100 - 199, 2000 - 2699
  - Named
Standard ACLs
- Filters packets based on the source IP address
- Configuration:
Router(config)# access-list ACL-number {permit|deny} source-ip [wildcard-mask]
• IP standard ACLs use 1 to 99
• Default wildcard mask = 0.0.0.0 (exactly match the IP address)
• 12.0.0.1 0.0.0.0 = host 12.0.0.1, and 0.0.0.0 255.255.255.255 = any
• no access-list ACL-number removes the entire ACL
Router(config-if)# ip access-group ACL-number {in | out}
• Activates the list on an interface
• Sets inbound or outbound testing
• no ip access-group ACL-number removes the ACL from the interface
Standard IP ACL example
- Deny traffic from host 172.16.4.13 to host A and permit all other traffic.
Figure: host A on network 12.0.0.0 behind the router; the list uses "host 172.16.4.13" (= 172.16.4.13 0.0.0.0) and "any" (= 0.0.0.0 255.255.255.255).
Note: the order of the commands is important.
Standard ACL (cont.)
• Control Telnet access to the router:
  We want to restrict Telnet access from host 10.1.1.1 to the router.
(config)# access-list 1 deny host 10.1.1.1
(config)# access-list 1 permit any
(config)# line vty 0 4
(config-line)# access-class 1 in
Standard Named IP ACL
Router(config)# ip access-list standard name
Router(config-std-nacl)# {permit|deny} source-ip [wildcard-mask]
Router(config-std-nacl)# no {permit|deny} source-ip [wildcard-mask]
• Permit or deny statements have no prepended number.
• "no" removes the specific test from the named ACL.
Router(config-if)# ip access-group name {in | out}
• Activates the named IP ACL on an interface.
Placement of standard ACL
Figure: host X (192.168.5.1/24) reaches the server (192.168.1.1/24) through routers A, B and C across network 192.168.2.0/24; the ACL is applied on router C's interface e0, which faces the server.
- We want to restrict user X from accessing the server.
C(config)# access-list 1 deny host 192.168.5.1
C(config)# access-list 1 permit any
C(config)# interface e0
C(config-if)# ip access-group 1 out
- Rule:
• A standard ACL is placed as close as possible to the destination.
Extended ACL
- It is more flexible than a standard ACL.
- An extended ACL can match on:
  1- Source IP, destination IP.
  2- TCP/IP protocols (IP, TCP, UDP, ICMP, ...).
  3- Protocol information (port number).
Extended IP ACL Configuration
Router(config)# access-list access-list-number {permit | deny} protocol source-ip source-wildcard [operator port] destination-ip destination-wildcard [operator port]
• Sets parameters for this list entry
Router(config-if)# ip access-group access-list-number {in | out}
• Activates the extended list on an interface
Extended ACL
• Note:
- 0.0.0.0 is called the host mask.
- 12.0.0.1 0.0.0.0 = host 12.0.0.1
- 0.0.0.0 255.255.255.255 = any
- The operator and port values:
  (eq) operator means equal
  (lt) operator means less than or equal
  (gt) operator means greater than or equal
  range 10 80 means all ports between 10 and 80
- eq 80 = eq http (put the port number or the name)
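An evaluator for the ACL semantics described in this section (wildcard masks, top-to-bottom first match, implicit deny, protocol and port conditions), as an added example that is not part of the slides. `ACL_101` is the "deny FTP from 172.16.4.0 to 172.16.3.0, permit everything else" case from the following slide written as data, and `ACL_1` is the earlier "deny host 172.16.4.13, permit any" list; both lists and the packets are constructed here, and only the `eq` and `range` operators are modelled.

```python
# Added example (not from the Cisco slides): an evaluator for the ACL rules
# above.  ACL_101 and ACL_1 are the deck's two examples written as data;
# packets are constructed.  Only 'eq' and 'range' port operators are modelled.
import ipaddress

ANY = ("0.0.0.0", "255.255.255.255")

def host(ip):
    return (ip, "0.0.0.0")   # 'host x.x.x.x' is shorthand for wildcard 0.0.0.0

def wildcard_match(addr, base, wildcard):
    """A wildcard bit of 1 means 'don't care'; 0 means the bit must match."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return a & care == b & care

def port_match(port, condition):
    """condition: None (any port), ('eq', n) or ('range', lo, hi)."""
    if condition is None:
        return True
    if port is None:
        return False
    if condition[0] == "eq":
        return port == condition[1]
    if condition[0] == "range":
        return condition[1] <= port <= condition[2]
    raise ValueError(f"unsupported operator {condition[0]}")

def evaluate(acl, packet):
    """Top-to-bottom, first match wins.  Returns (action, matching line);
    (deny, None) is the implicit deny at the end of every ACL."""
    for line, ace in enumerate(acl, start=1):
        if ace["proto"] != "ip" and ace["proto"] != packet["proto"]:
            continue
        if not wildcard_match(packet["src"], *ace["src"]):
            continue
        if not wildcard_match(packet["dst"], *ace["dst"]):
            continue
        if not port_match(packet.get("sport"), ace.get("sport")):
            continue
        if not port_match(packet.get("dport"), ace.get("dport")):
            continue
        return ace["action"], line
    return "deny", None

# deny FTP (control port 21 and data port 20) from 172.16.4.0/24 to 172.16.3.0/24,
# then permit everything else
ACL_101 = [
    dict(action="deny", proto="tcp", src=("172.16.4.0", "0.0.0.255"),
         dst=("172.16.3.0", "0.0.0.255"), dport=("eq", 21)),
    dict(action="deny", proto="tcp", src=("172.16.4.0", "0.0.0.255"),
         dst=("172.16.3.0", "0.0.0.255"), dport=("eq", 20)),
    dict(action="permit", proto="ip", src=ANY, dst=ANY),
]
# deny host 172.16.4.13, permit any
ACL_1 = [dict(action="deny", proto="ip", src=host("172.16.4.13"), dst=ANY),
         dict(action="permit", proto="ip", src=ANY, dst=ANY)]

def packet(proto, src, dst, sport=None, dport=None):
    return dict(proto=proto, src=src, dst=dst, sport=sport, dport=dport)

if __name__ == "__main__":
    print(evaluate(ACL_101, packet("tcp", "172.16.4.13", "172.16.3.5", 40000, 21)))  # deny, line 1
    print(evaluate(ACL_101, packet("tcp", "172.16.4.13", "172.16.3.5", 40000, 80)))  # permit, line 3
    # Statement order matters: with 'permit any' first the deny never matches.
    print(evaluate(list(reversed(ACL_1)), packet("tcp", "172.16.4.13", "12.0.0.1", 1234, 80)))
```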
Extended ACL example
- Deny FTP from subnet 172.16.4.0 to subnet 172.16.3.0
- Permit all other traffic.
Figure: the list is applied inbound (in) on the router interface; the router also connects to the Internet.

Extended ACL example
- Deny only Telnet from subnet 172.16.4.0
- Permit all other traffic.
Figure: the list is applied inbound (in) on the router interface; the router also connects to the Internet.
Extended Named ACL
Router(config)# ip access-list extended name
Router(config-ext-nacl)# {permit | deny} {ip access list test conditions}
Router(config-ext-nacl)# no {permit | deny} {ip access list test conditions}
• Alphanumeric name string must be unique.
• Permit or deny statements have no prepended number.
• "no" removes the specific test from the named ACL.
Router(config-if)# ip access-group name {in | out}
• Activates the named IP ACL on an interface.
Placement of Extended ACL
Figure: host X (192.168.5.1/24) reaches the server (192.168.1.1/24) through routers A, B and C across network 192.168.2.0/24.
- We want to restrict user X from accessing the server.
- Rule:
• An extended ACL is placed as close as possible to the source.
Monitoring ACL Statements
router# show {protocol} access-list {access-list number}
router# show access-lists {access-list number}

wg_ro_a# show access-lists
Standard IP access list 1
    permit 10.2.2.1
    permit 10.3.3.1
    permit 10.4.4.1
    permit 10.5.5.1
Extended IP access list 101
    permit tcp host 10.22.22.1 any eq telnet
    permit tcp host 10.33.33.1 any eq ftp
    permit tcp host 10.44.44.1 any eq ftp-data

Verifying ACLs
router# show ip interfaces e0
Ethernet0 is up, line protocol is up
  Internet address is 10.1.1.11/24
  Broadcast address is 255.255.255.255
  Address determined by setup command
  MTU is 1500 bytes
  Helper address is not set
  Directed broadcast forwarding is disabled
  Outgoing access list is not set
  Inbound access list is 1
  Proxy ARP is enabled
  Security level is default
  Split horizon is enabled
  ICMP redirects are always sent
  ICMP unreachables are always sent
  ICMP mask replies are never sent
  IP fast switching is enabled
  IP fast switching on the same interface is disabled
  IP Feature Fast switching turbo vector
  IP multicast fast switching is enabled
  IP multicast distributed fast switching is disabled
  <text omitted>
Scaling the Network with NAT and PAT

Network address translation (NAT)
- Address translation allows you to translate your internal private addresses to public addresses before the packets leave your local network for the public network.
- NAT terminology:
  1- Inside local IP: an internal device that has a private IP.
  2- Inside global IP: an internal device that has a public IP.
  3- Outside local IP: an outside device that has a private IP.
  4- Outside global IP: an outside device that has a public IP.
- Types of address translation:
  • Static translation.
  • Dynamic translation.
Static NAT
Figure: inside host 10.0.0.1 is translated to 12.0.0.1 as its packets cross the NAT router, and back again on the return path.
- The NAT table is formed manually, translating private IPs to public IPs.
- Static NAT is used when outside users are trying to access your internal resources.
Configuring Static Translation
Router(config)# ip nat inside source static local-ip global-ip
• Establishes static translation between an inside local address and an inside global address
Router(config-if)# ip nat inside
• Marks the interface as connected to the inside
Router(config-if)# ip nat outside
• Marks the interface as connected to the outside

Static NAT Example
Dynamic NAT
- The router is given a pool of global IPs, so every user who tries to access a public network is given an IP from the pool.
- To configure dynamic NAT:
  1- Define the pool of IPs.
  2- Define which inside addresses are allowed to be translated (ACL).

Configuring Dynamic NAT
Router(config)# access-list access-list-number permit source-ip [source-wildcard]
• Defines a standard IP ACL permitting those inside local addresses that are to be translated.
Router(config)# ip nat pool name start-ip end-ip {netmask netmask | prefix-length prefix-length}
• Defines a pool of global addresses to be allocated as needed.
Router(config)# ip nat inside source list access-list-number pool pool-name
• Establishes dynamic source translation, specifying the ACL that was defined in the prior step.

Dynamic NAT Example
Port address translation (PAT)
- Static or dynamic NAT provides only one-to-one translation, while PAT supports many-to-one translation using port numbers.
Figure: inside hosts 10.0.0.1 and 10.0.0.2 send to 13.0.0.1 port 80 on the Internet from source ports 2000 and 3000; both leave the router with inside global address 12.0.0.1 (12.0.0.1:2000 and 12.0.0.1:3000). The PAT table (inside local IP, inside local port, inside global IP, inside global port) reads:
  10.0.0.1  2000  12.0.0.1  2000
  10.0.0.2  3000  12.0.0.1  3000
  10.0.0.2  2000  12.0.0.1  4000
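The many-to-one table from the figure built by code, as an added example that is not part of the slides: the inside global address, hosts and ports are constructed, and when an inside port is already taken the example hands out the next free port from 1024 upward (the slide shows 4000; the exact choice is the router's). It also shows the return path: an inbound packet for a port with no entry has no inside host and is dropped.

```python
# Added example (not from the Cisco slides): a minimal PAT table for the
# figure above.  Global address, hosts, ports and the port-allocation rule
# (next free port from 1024) are constructed here.
class PAT:
    def __init__(self, global_ip, first_dynamic_port=1024):
        self.global_ip = global_ip
        self.next_port = first_dynamic_port
        self.outbound = {}   # (inside local ip, inside local port) -> inside global port
        self.inbound = {}    # inside global port -> (inside local ip, inside local port)

    def _allocate_port(self):
        while self.next_port in self.inbound:
            self.next_port += 1
        port = self.next_port
        self.next_port += 1
        return port

    def translate_out(self, src_ip, src_port, dst_ip, dst_port):
        """Packet leaving the inside: rewrite the source to the global ip/port.
        The original port is kept when free, otherwise a new one is chosen."""
        key = (src_ip, src_port)
        if key not in self.outbound:
            gport = src_port if src_port not in self.inbound else self._allocate_port()
            self.outbound[key] = gport
            self.inbound[gport] = key
        return (self.global_ip, self.outbound[key], dst_ip, dst_port)

    def translate_in(self, src_ip, src_port, dst_ip, dst_port):
        """Packet arriving from the outside: only a port with an existing
        entry is forwarded; anything else has no inside host and is dropped
        (None).  This is why inside hosts are not reachable unsolicited."""
        if dst_ip != self.global_ip or dst_port not in self.inbound:
            return None
        local_ip, local_port = self.inbound[dst_port]
        return (src_ip, src_port, local_ip, local_port)

    def table(self):
        """Rows as on the slide: inside local ip, port, inside global ip, port."""
        return [(lip, lport, self.global_ip, gport)
                for (lip, lport), gport in sorted(self.outbound.items())]

if __name__ == "__main__":
    pat = PAT("12.0.0.1")
    pat.translate_out("10.0.0.1", 2000, "13.0.0.1", 80)
    pat.translate_out("10.0.0.2", 3000, "13.0.0.1", 80)
    pat.translate_out("10.0.0.2", 2000, "13.0.0.1", 80)   # port 2000 taken: new port
    for row in pat.table():
        print(row)
    print(pat.translate_in("13.0.0.1", 80, "12.0.0.1", 5555))   # None: dropped
```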
Configuring PAT
Router(config)# access-list access-list-number permit source-ip source-wildcard
• Defines a standard IP ACL that permits the inside local addresses that are to be translated
Router(config)# ip nat inside source list access-list-number interface interface overload
• Establishes dynamic source translation, specifying the ACL that was defined in the prior step

PAT Example
Displaying Information with show Commands
Router# show ip nat translations
• Displays active translations
Router# show ip nat statistics
• Displays translation statistics

Router# show ip nat translation
Pro Inside global      Inside local       Outside local      Outside global
--- 172.16.131.1       10.10.10.1         ---                ---

Router# show ip nat statistics
Total active translations: 1 (1 static, 0 dynamic; 0 extended)
Outside interfaces: Ethernet0, Serial2.7
Inside interfaces: Ethernet1
Hits: 5  Misses: 0
…

Using the debug ip nat Command
Router# debug ip nat
NAT: s=192.168.1.95->172.31.233.209, d=172.31.2.132 [6825]
NAT: s=172.31.2.132, d=172.31.233.209->192.168.1.95 [21852]
NAT: s=192.168.1.95->172.31.233.209, d=172.31.1.161 [6826]
NAT*: s=172.31.1.161, d=172.31.233.209->192.168.1.95 [23311]
NAT*: s=192.168.1.95->172.31.233.209, d=172.31.1.161 [6827]
NAT*: s=192.168.1.95->172.31.233.209, d=172.31.1.161 [6828]
NAT*: s=172.31.1.161, d=172.31.233.209->192.168.1.95 [23313]
NAT*: s=172.31.1.161, d=172.31.233.209->192.168.1.95 [23325]
Switching

Spanning Tree Protocol
IEEE 802.1D

Layer 2 loops
Figure: two switches joined by two links; the MAC table shows host A's address learned on port 1 and then on port 3 as frames loop over the redundant links.
• Solution: use the Spanning Tree Protocol (STP)
Spanning Tree Protocol
- Provides a loop-free redundant network topology by placing certain ports in the blocking state (logical blocking).
- STP enables switches to become aware of each other so they can negotiate a loop-free path.
- When the path in use fails, STP opens the blocked port (activates the other path).
Spanning Tree Operation
1- BPDU flooding:
- BPDUs (bridge protocol data units) are flooded from each switch to the other switches on a well-known multicast MAC address.
- Every switch takes a copy of the BPDU and resends it to the other switches.
- Every switch forms a database from all the BPDUs.
- A BPDU is sent every two seconds.
Figure: BPDU fields: bridge ID (BID), accumulated path cost, port ID.
Spanning Tree Operation (cont.)
2- Root bridge election
- The root bridge is the bridge with the lowest bridge ID.
- Bridge ID = priority (2 bytes, default = 32768) + bridge MAC address (6 bytes).
- The root bridge has the lowest priority; if priorities are equal, it has the lowest MAC address.
- After the election, only the root bridge sends BPDUs, every 2 sec.
Spanning Tree Operation (cont.)
3- Root port election (RP)
- Each non-root switch elects the best port to reach the root switch.
- The root port is the port having:
  1- The lowest accumulated path cost to the root switch.
  2- If costs are equal, the port that is closer to the switch with the second lowest BID.
  3- If still equal, the port that has the lowest serial number.
Spanning Tree Operation (cont.)
Figure: four switches A, B, C and D with ports numbered 1 to 8; assume BID of A < B < C < D, so A is the root bridge.
To get the RP on each non-root switch, ask which port is closer to A: compare ports 4 and 6, compare 3 and 5, compare 7 and 8.
Spanning Tree Operation (cont.)
4- Designated port election (DP)
- The DP has the lowest accumulated path cost from the root switch on every LAN segment.
5- Blocked port (BP)
- It is a port that is neither RP nor DP.
- The BP is logically blocked until a change happens.
Spanning Tree Operation (cont.)
Figure: the same four switches; to get the DP on each segment, ask which port is closer to A: compare ports 1 and 3, 2 and 4, 5 and 7, 6 and 8. Port 8 ends up as the blocked port (BP) because it is neither RP nor DP.
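The four decisions above (root bridge, root port, designated port, blocked port) run over a constructed topology in the shape of the figure, as an added example that is not part of the slides: switches A to D with A-B, A-C, B-D and C-D as four segments, every link a 100 Mbps segment of cost 19, bridge IDs and MACs made up, A given the lowest priority so it becomes root, and port numbers chosen so that D's port 8 ends up blocked as on the slide.

```python
# Added example (not from the Cisco slides): STP role assignment over a
# constructed four-switch topology.  Bridge IDs, MACs, ports and costs are
# made up; the tie-break order follows the slides (cost, then BID, then port).
import heapq

SWITCHES = {   # name -> bridge ID = (priority, MAC); the lowest tuple wins
    "A": (4096, "00:00:00:00:00:0a"),
    "B": (32768, "00:00:00:00:00:0b"),
    "C": (32768, "00:00:00:00:00:0c"),
    "D": (32768, "00:00:00:00:00:0d"),
}
SEGMENTS = {   # segment -> (switch, its port, switch, its port, path cost)
    "seg1": ("A", 1, "B", 3, 19),
    "seg2": ("A", 2, "C", 5, 19),
    "seg3": ("B", 4, "D", 7, 19),
    "seg4": ("C", 6, "D", 8, 19),
}

def ports_of(switch):
    """(segment, own port, neighbour, neighbour's port, cost) per attached segment."""
    out = []
    for seg, (x, px, y, py, cost) in SEGMENTS.items():
        if x == switch:
            out.append((seg, px, y, py, cost))
        elif y == switch:
            out.append((seg, py, x, px, cost))
    return out

def elect_root():
    """Lowest bridge ID: lowest priority, then lowest MAC."""
    return min(SWITCHES, key=lambda s: SWITCHES[s])

def root_path_costs(root):
    """Lowest accumulated path cost from every switch to the root (Dijkstra)."""
    cost = {root: 0}
    heap = [(0, root)]
    while heap:
        c, s = heapq.heappop(heap)
        if c > cost[s]:
            continue
        for _, _, nbr, _, link in ports_of(s):
            if c + link < cost.get(nbr, float("inf")):
                cost[nbr] = c + link
                heapq.heappush(heap, (c + link, nbr))
    return cost

def port_roles():
    """Return (root, {(switch, port): 'RP' | 'DP' | 'BP'})."""
    root = elect_root()
    cost = root_path_costs(root)
    roles = {}
    # Root port: lowest cost to the root; tie -> lowest neighbour BID; tie -> lowest port.
    for s in SWITCHES:
        if s == root:
            continue
        seg, port, *_ = min(ports_of(s),
                            key=lambda p: (cost[p[2]] + p[4], SWITCHES[p[2]], p[1]))
        roles[(s, port)] = "RP"
    # Designated port: on each segment the end with the lowest root path cost
    # (tie -> lowest BID); the root bridge is therefore designated on all its segments.
    for seg, (x, px, y, py, _) in SEGMENTS.items():
        winner, wport = min(((x, px), (y, py)), key=lambda e: (cost[e[0]], SWITCHES[e[0]]))
        roles.setdefault((winner, wport), "DP")
    # Everything else is neither RP nor DP: blocked.
    for s in SWITCHES:
        for _, port, *_ in ports_of(s):
            roles.setdefault((s, port), "BP")
    return root, roles

if __name__ == "__main__":
    root, roles = port_roles()
    print("root bridge:", root)
    for (s, port), role in sorted(roles.items()):
        print(f"{s} port {port}: {role}")
```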
Spanning Tree Operation (cont.)
After convergence:
• Ports are either forwarding (RP, DP) or blocked (BP).
• A blocked port keeps listening to BPDUs; if for 20 sec. (max age time = 10 BPDUs) it hasn't received a BPDU, the port automatically changes its state (moves to the listening state).
At a change:
• The first switch that detects the change sends a BPDU called a TCN (topology change notification) destined to the root switch, indicating the change.
• The root switch sends a configuration BPDU with the TCN flag to all switches, then the STP is recalculated.
• If a new switch is added with a lower priority, it becomes the root switch.
Spanning Tree Port States
• Spanning tree transits each port through several different states:
[Figure: STP port state diagram]
STP convergence time is from 30 sec. to 50 sec.
Rapid STP (IEEE 802.1w)
• RSTP significantly speeds up the recalculation of the spanning tree when the network topology changes.
• to enhance the convergence time, RSTP:
  1- elects a backup port for every RP or DP.
  2- merges the Blocking state and the Listening state into one state called the Discarding state.
the show spanning-tree command
Virtual LANs (VLAN)
Virtual LANs (VLANs)
Before VLANs:
- All switch ports are in a single broadcast domain.
After VLANs:
- each VLAN is a single broadcast domain and one logical subnet.
- VLANs provide:
  1- Segmentation
  2- Flexibility
  3- Security
VLAN Overview
VLAN = Broadcast Domain = Logical Network (Subnet)
• Segmentation
• Flexibility
• Security
VLAN Operation
• Traffic can be transferred only between ports of the same VLAN, even across different switches.
• To transfer traffic between different VLANs, a router should be used.
• Trunks carry traffic for multiple VLANs.
VLAN membership
1- Static VLAN membership:
- assign a certain port to a certain VLAN (port-based VLAN).
- by default, all ports of the switch are assigned to VLAN 1 (native VLAN).
2- Dynamic VLAN membership:
- assign a certain MAC to a certain VLAN (MAC-based VLAN).
- even if the PC changes its port on the switch, the PC stays connected to its VLAN.
- This is done by using VMPS (VLAN Membership Policy Server).
VLAN connection (port) types
1- Access port:
- a port that is a member of only one VLAN.
  ex: a switch port connected to a PC.
2- Trunk port:
- a switch port that is a member of all VLANs by default.
  ex: a switch port connected to another switch.
Trunking problem
[Figure: switch E (hosts A and B on ports 1 and 2, in VLAN 1 and VLAN 2) joined by a trunk from its port 3 to port 4 of switch F (hosts C and D on ports 5 and 6); each switch holds a MAC / port / VLAN table]
- if host B sends a broadcast to VLAN 2, the frames are passed to port 4 on switch F over the trunk link.
- switch F broadcasts the frames to ports 5 and 6, although port 6 is not a member of VLAN 2, because it doesn't know the source VLAN of the frame.
- Solution: the trunk adds a field to the frame that identifies the source VLAN ID.
VLAN trunking methods
- to provide inter-VLAN communication, frame tagging is used to identify the source VLAN of the frame.
- Tagging methods:
  1- ISL (Inter-Switch Link) for Ethernet.
  2- IEEE 802.1Q (dot1q) for Ethernet.
  3- LANE for ATM.
  4- IEEE 802.10 for FDDI.
- so for Ethernet we concentrate on the ISL and dot1q methods.
1- ISL (Inter-Switch Link)
- Cisco proprietary.
- It encapsulates the original Ethernet frame with 30 bytes: a 26-byte header (containing a 10-bit VLAN ID) and a 4-byte trailer.
- VLAN range: 0 - 1023.
  - VLAN 1 - 1001 for Ethernet.
  - VLAN 1002 - 1023 reserved (ex: 1002 - 1005 for Token Ring and FDDI).
- ISL is no longer supported by Cisco.
2- IEEE 802.1Q (dot1q)
- adds a 4-byte tag to the Ethernet frame and recalculates a new CRC.
- the VLAN ID is 12 bits inside the tag field, so the VLAN range is 0 - 4095.
- dot1q puts less overhead on the frame than ISL.
- dot1q supports both tagged and untagged frames; untagged traffic belongs to the native VLAN.
- by default, the native VLAN is VLAN 1.
- the native VLAN is a management VLAN: all management traffic between switches (BPDU, STP, VTP, ...) is sent through it.
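Building and parsing the 4-byte dot1q tag, the FCS recalculation, and the native-VLAN rule for untagged frames on a trunk, as an added Python example (not from the slides); the frame bytes, VLAN numbers and the `sample_frame()` helper are constructed.

```python
import struct
import zlib

TPID_8021Q = 0x8100   # EtherType value that marks a tagged frame


def tag_frame(frame: bytes, vlan_id: int, pcp: int = 0, dei: int = 0) -> bytes:
    """Insert the 4-byte 802.1Q tag after the 12 bytes of destination/source MAC.
    TCI = 3-bit PCP | 1-bit DEI | 12-bit VID, so the VID is limited to 0-4095."""
    if not 0 <= vlan_id <= 4095:
        raise ValueError("802.1Q VID is a 12-bit field: 0-4095")
    tci = ((pcp & 0x7) << 13) | ((dei & 0x1) << 12) | vlan_id
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def classify_trunk_frame(frame: bytes, native_vlan: int = 1):
    """Return (vlan_id, pcp, frame_without_tag, was_tagged) for a frame received
    on a trunk. An untagged frame carries no VLAN information, so the switch
    assigns it to the trunk's native VLAN (VLAN 1 unless changed)."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != TPID_8021Q:
        return native_vlan, 0, frame, False
    (tci,) = struct.unpack("!H", frame[14:16])
    vid, pcp = tci & 0x0FFF, tci >> 13
    if vid == 0:          # VID 0 is "priority tagged" in 802.1Q: no VLAN, so native
        vid = native_vlan
    return vid, pcp, frame[:12] + frame[16:], True


def append_fcs(frame: bytes) -> bytes:
    """Ethernet FCS is CRC-32 over the frame, sent least-significant byte first."""
    return frame + struct.pack("<I", zlib.crc32(frame) & 0xFFFFFFFF)


def fcs_ok(frame_with_fcs: bytes) -> bool:
    body, fcs = frame_with_fcs[:-4], frame_with_fcs[-4:]
    return struct.pack("<I", zlib.crc32(body) & 0xFFFFFFFF) == fcs


def retag_on_trunk(frame_with_fcs: bytes, vlan_id: int) -> bytes:
    """What the switch does when it sends a frame out a dot1q trunk: drop the
    old FCS, insert the tag, then compute a new FCS over the longer frame."""
    if not fcs_ok(frame_with_fcs):
        raise ValueError("bad FCS on ingress frame")
    return append_fcs(tag_frame(frame_with_fcs[:-4], vlan_id))


def sample_frame() -> bytes:
    """Constructed broadcast: dst ff:ff:ff:ff:ff:ff, src 00:08:ee:ee:ee:ee,
    EtherType IPv4, followed by a 20-byte dummy payload."""
    return (bytes.fromhex("ffffffffffff") + bytes.fromhex("0008eeeeeeee")
            + bytes.fromhex("0800") + b"\x45" + b"\x00" * 19)


if __name__ == "__main__":
    wire = retag_on_trunk(append_fcs(sample_frame()), 2)
    print("tagged frame on the trunk:", wire.hex())
    print("classified as VLAN", classify_trunk_frame(wire[:-4])[0])
```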
Inter-VLAN routing
- We have to use a router to route between different VLANs.
Method 1: Inter-VLAN routing using access ports.
- Disadvantage: for each VLAN you need 1 router interface and 1 switch port.
[Figure: router with one access link per VLAN (Vlan1, Vlan2, Vlan3) to the switch]
VLAN configuration:
1- Create the VLAN.
2- Name the VLAN (optional).
3- Assign ports to the VLAN.
VLAN configuration
To create and name a VLAN:
- New method
  (config)# vlan <vlan id>
  (config-vlan)# name <name>
- Old method
  # vlan database
  (vlan)# vlan <vlan id> [name <name>]
To assign a port to a VLAN:
  (config)# int <int. name>
  (config-if)# switchport mode access
  (config-if)# switchport access vlan <vlan id>
Inter-VLAN routing (cont.)
- Method 2: Router on a stick
[Figure: router sub-interfaces e0/0.1, e0/0.2, e0/0.3 (Vlan1, Vlan2, Vlan3) over a single trunk to switch port fa1/1]
- Router sub-interface e0/0.1 configuration:
  Router(config)# int e0/0.1
  Router(config-subif)# encapsulation {isl | dot1q} <vlan id>
  Router(config-subif)# ip address <ip> <mask>
- Switch port fa1/1 configuration:
  Switch(config)# int fa1/1
  Switch(config-if)# switchport trunk encapsulation {isl | dot1q}
  Switch(config-if)# switchport mode trunk
Verifying a VLAN
switch# show vlan [brief | id vlan-id | name vlan-name]
switch# show vlan brief

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/1, Fa0/2, Fa0/3, Fa0/4
2    vlan2                            active
3    vlan3                            active
4    vlan4                            active
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
1004 fddinet-default                  act/unsup
1005 trnet-default                    act/unsup
Verifying STP for a VLAN
switch# show spanning-tree vlan 2

VLAN0002
  Spanning tree enabled protocol ieee
  Root ID    Priority    2
             Address     0008.20fc.a840
             Cost        31
             Port        12 (FastEthernet0/12)
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    32770  (priority 32768 sys-id-ext 2)
             Address     0008.a445.9b40
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time 300

Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Fa0/2            Desg FWD 100       128.2    Shr
Fa0/12           Root FWD 19        128.12   P2p
Verifying a Trunk
switch# show interfaces fa0/11 switchport

Name: Fa0/11
Switchport: Enabled
Administrative Mode: trunk
Operational Mode: down
Administrative Trunking Encapsulation: dot1q
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)

switch# show interfaces fa0/11 trunk

Port      Mode         Encapsulation  Status        Native vlan
Fa0/11    desirable    802.1q         trunking

Port      Vlans allowed on trunk
Fa0/11    1-4094

Port      Vlans allowed and active in management domain
Fa0/11    1-13
VTP (VLAN Trunking Protocol)
• Cisco introduced an easy administration method to transfer VLAN information between switches connected in the same domain, without repeating the commands on every switch.
• VTP manages the addition, deletion, and modification of VLAN information in a certain VTP domain.
• VTP has a messaging system that advertises VLAN configuration information from one switch to all others.
• maintains VLAN configuration consistency throughout a common administrative domain.
• sends advertisements on trunk ports only.
- VTP domain: an area with common VLAN requirements (all switches have the same function and VLAN policy). A switch can be in only one VTP domain.
VTP modes
1- server mode (default mode on the switch):
- can add, delete and modify VLANs.
- generates VTP messages to apply this configuration on the other switches.
2- client mode:
- cannot add, delete or modify VLANs.
- accepts VTP messages, applies them on itself, then forwards them.
- cannot generate VTP messages.
3- transparent mode:
- can add, delete and modify VLANs locally (by console configuration) and cannot generate VTP messages.
- forwards VTP messages without applying them on itself.
VTP Operation
• VTP advertisements are sent as multicast frames.
• VTP servers and clients are synchronized to the latest revision number (the highest number overrides lower ones).
• VTP advertisements are sent every 5 minutes or when there is a change.
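A small model of the VTP behaviour described on the last three slides (server, client and transparent modes, revision numbers, advertisements over trunks, highest revision overrides), as an added Python example that is not from the slides; the domain name, switch names and VLAN tables are constructed.

```python
from dataclasses import dataclass, field


@dataclass
class VtpAdvertisement:
    domain: str
    revision: int
    vlans: dict


@dataclass
class VtpSwitch:
    name: str
    mode: str = "server"            # server | client | transparent
    domain: str = ""
    revision: int = 0
    vlans: dict = field(default_factory=lambda: {1: "default"})
    trunks: list = field(default_factory=list)   # neighbours reached over trunk ports
    seen: set = field(default_factory=set, repr=False)   # transparent-mode loop guard

    def add_vlan(self, vid: int, name: str) -> None:
        if self.mode == "client":
            raise PermissionError(f"{self.name}: client mode cannot modify VLANs")
        self.vlans[vid] = name
        if self.mode == "server":
            self.revision += 1     # every change bumps the configuration revision
            self.advertise()       # ... and is advertised on all trunks
        # transparent: local change only, revision stays put, nothing is sent

    def advertise(self) -> None:
        adv = VtpAdvertisement(self.domain, self.revision, dict(self.vlans))
        for nb in self.trunks:
            nb.receive(adv, sender=self)

    def receive(self, adv: VtpAdvertisement, sender: "VtpSwitch") -> None:
        if adv.domain != self.domain:
            return                 # advertisements from other domains are ignored
        if self.mode == "transparent":
            key = (adv.revision, tuple(sorted(adv.vlans)))
            if key not in self.seen:           # forward once, never apply
                self.seen.add(key)
                self._forward(adv, sender)
            return
        if adv.revision > self.revision:       # higher revision overrides ours
            self.vlans = dict(adv.vlans)
            self.revision = adv.revision
            self._forward(adv, sender)

    def _forward(self, adv: VtpAdvertisement, sender: "VtpSwitch") -> None:
        for nb in self.trunks:
            if nb is not sender:
                nb.receive(adv, sender=self)


def trunk(a: VtpSwitch, b: VtpSwitch) -> None:
    a.trunks.append(b)
    b.trunks.append(a)


def build_domain():
    """Constructed domain 'ICND': server S1 - client S2 - transparent S3 - client S4."""
    s1, s2 = VtpSwitch("S1", "server", "ICND"), VtpSwitch("S2", "client", "ICND")
    s3, s4 = VtpSwitch("S3", "transparent", "ICND"), VtpSwitch("S4", "client", "ICND")
    trunk(s1, s2)
    trunk(s2, s3)
    trunk(s3, s4)
    return s1, s2, s3, s4


def joining_switch_scenario():
    """A server with an empty VLAN table but a higher revision is trunked to S1:
    its advertisement replaces the VLAN table of every server and client in the
    domain. This is why a switch is reset to revision 0 before it joins a domain."""
    s1, s2, s3, s4 = build_domain()
    s1.add_vlan(10, "sales")
    s1.add_vlan(20, "eng")
    newcomer = VtpSwitch("S5", "server", "ICND", revision=20)
    trunk(newcomer, s1)
    newcomer.advertise()
    return [sw.vlans for sw in (s1, s2, s3, s4)]


if __name__ == "__main__":
    for table in joining_switch_scenario():
        print(table)
```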
VTP Pruning
• Increases available bandwidth by reducing unnecessary flooded traffic.
• Example: Station A sends a broadcast, and the broadcast is flooded only toward switches with ports assigned to the red VLAN.
VTP configuration
New Method
switch(config)# vtp mode [server | client | transparent]
switch(config)# vtp domain <domain-name>
switch(config)# vtp password <password>
switch(config)# vtp pruning
switch(config)# end
Old Method
switch# vlan database
switch(vlan)# vtp [server | client | transparent]
switch(vlan)# vtp domain <domain-name>
VTP Troubleshooting
Switch# show vtp status
VTP Version                     : 2
Configuration Revision          : 0
Maximum VLANs supported locally : 64
Number of existing VLANs        : 17
VTP Operating Mode              : Transparent
VTP Domain Name                 : ICND
VTP Pruning Mode                : Disabled
VTP V2 Mode                     : Disabled
VTP Traps Generation            : Disabled
MD5 digest                      : 0x7D 0x6E 0x5E 0x3D
Configuration last modified by 10.1.1.4 at 3-3-93 20:08:05
Switch#
DTP (Dynamic Trunking Protocol)
• It negotiates a common trunking mode between two switches by sending periodic messages every 30 sec.
• The router can never participate in DTP.
• (config-if)# switchport mode {access | trunk | dynamic {desirable | auto} | nonegotiate}
• switch# show dtp
[Figure: two switches negotiating over a link: "Trunk?"]
DTP modes
[Table: DTP mode / generates DTP frames / trunking; only the trunking conditions of the dynamic modes survived extraction]
- Access
- Trunk
- Dynamic desirable: trunks if the other side is Trunk, Desirable or Auto.
- Dynamic auto: trunks if the other side is Trunk or Desirable.
- Nonegotiate
Configuring the Switch IP Address
(config)# interface vlan 1
(config-if)# ip address <ip address> <mask>
(config-if)# no shutdown
• Configures an IP address and subnet mask for the switch VLAN1 interface to allow ping and telnet to the switch.
switch# show interfaces vlan 1
Vlan1 is up, line protocol is up
  Hardware is CPU Interface, address is 0008.a445.9b40 (bia 0008.a445.9b40)
  Internet address is 10.2.2.11/24
Configuring the Switch Default Gateway
switch(config)# ip default-gateway <ip address>
• Configures the switch default gateway for the 2950 series switches.
Setting Duplex Options
switch(config)# interface fa0/1
switch(config-if)# duplex {auto | full | half}
switch# show interfaces fa0/1
Managing the MAC Address Table
switch# show mac-address-table
          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
 All    0008.a445.9b40    STATIC      CPU
 All    0100.0ccc.cccc    STATIC      CPU
 All    0100.0ccc.cccd    STATIC      CPU
 All    0100.0cdd.dddd    STATIC      CPU
   1    0008.e3e8.0440    DYNAMIC     Fa0/2
Total Mac Addresses for this criterion: 5
Setting a Static MAC Address
switch(config)# mac-address-table static <mac-address> vlan <vlan-id> interface <interface-id>
Configuring Port Security
switch(config-if)# switchport port-security [mac-address <mac-address>] | [maximum <value>] | [violation {protect | restrict | shutdown}]
switch(config)# interface fa0/1
switch(config-if)# switchport mode access
switch(config-if)# switchport port-security
switch(config-if)# switchport port-security maximum 1
switch(config-if)# switchport port-security mac-address 0008.eeee.eeee
switch(config-if)# switchport port-security violation shutdown
Verifying Port Security on the Catalyst 2950 Series
switch# show port-security interface <interface-id>
switch# show port-security interface fastethernet 0/5
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Shutdown
Aging Time                 : 20 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 1
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 0
Last Source Address        : 0000.0000.0000
Security Violation Count   : 0
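A model of the port-security behaviour configured and verified on the two slides above (MAC limit, static secure MACs, dynamic learning, and the protect / restrict / shutdown violation modes), as an added Python example that is not from the slides; the port names and MAC addresses are constructed, and the syslog texts only approximate the IOS messages.

```python
from dataclasses import dataclass, field


@dataclass
class SecurePort:
    """One access port with `switchport port-security` enabled."""
    name: str
    maximum: int = 1                 # switchport port-security maximum <value>
    violation: str = "shutdown"      # protect | restrict | shutdown
    secure_macs: set = field(default_factory=set)      # configured + learned
    configured_macs: set = field(default_factory=set)
    status: str = "Secure-up"
    violation_count: int = 0
    last_source: str = "0000.0000.0000"
    syslog: list = field(default_factory=list)

    def configure_mac(self, mac: str) -> None:
        """switchport port-security mac-address <mac>: a static secure MAC."""
        if mac not in self.secure_macs and len(self.secure_macs) >= self.maximum:
            raise ValueError(f"{self.name}: maximum of {self.maximum} secure MACs reached")
        self.configured_macs.add(mac)
        self.secure_macs.add(mac)

    def receive(self, src_mac: str) -> bool:
        """Process one ingress frame; return True if the switch forwards it."""
        if self.status == "Secure-shutdown":
            return False                          # err-disabled: nothing passes
        self.last_source = src_mac
        if src_mac in self.secure_macs:
            return True
        if len(self.secure_macs) < self.maximum:
            self.secure_macs.add(src_mac)         # dynamic learning up to the limit
            return True
        # Unknown source MAC beyond the limit: a security violation.
        if self.violation == "protect":
            return False                          # drop silently: no log, no counter
        self.violation_count += 1
        if self.violation == "restrict":
            self.syslog.append(f"port-security violation on {self.name}, source {src_mac}")
            return False                          # drop and log; the port stays up
        self.status = "Secure-shutdown"           # shutdown: port goes err-disabled
        self.syslog.append(f"{self.name} err-disabled (psecure-violation)")
        return False

    def recover(self) -> None:
        """Operator clears the err-disabled state (shutdown / no shutdown)."""
        self.status = "Secure-up"

    def show(self) -> dict:
        """The fields of `show port-security interface`, as a dict."""
        return {
            "Port Status": self.status,
            "Violation Mode": self.violation.capitalize(),
            "Maximum MAC Addresses": self.maximum,
            "Total MAC Addresses": len(self.secure_macs),
            "Configured MAC Addresses": len(self.configured_macs),
            "Last Source Address": self.last_source,
            "Security Violation Count": self.violation_count,
        }


if __name__ == "__main__":
    fa1 = SecurePort("Fa0/1", maximum=1, violation="shutdown")
    fa1.configure_mac("0008.eeee.eeee")          # the slide's configuration
    print(fa1.receive("0008.eeee.eeee"), fa1.receive("0008.dead.beef"))
    for key, value in fa1.show().items():
        print(f"{key:26}: {value}")
```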
Introducing Wide Area Networks
WAN Overview
- WANs connect remote sites over a large geographical area by using the infrastructure of the service provider.
- WANs are L2 technologies concerned with hop-to-hop delivery.
- Connection requirements vary depending on user requirements, cost, and availability.
Interfacing Between WAN Service Providers
• Provider assigns connection parameters to subscriber
WAN terminologies
- DTE: data terminal equipment; it is a source of data.
- DCE: data communication (circuit) equipment; a device that terminates a connection and provides clocking and synchronization for the connection.
- Demarcation point: where the responsibility of the service provider is passed to you (logical boundary).
- CPE: customer premises equipment; your own network equipment, which includes DTE and DCE.
- Local loop: the connection from the carrier's switch to the demarcation point.
- CO switch: central office switch (WAN switch).
- Toll network: the carrier infrastructure.
WAN connections
WAN connection types:
- Dedicated (leased line)
- Circuit switching (analog modem, ISDN)
- Packet switching (X.25, Frame Relay, ATM)
- Broadband (satellite, wireless, cable modem, DSL)
Serial Point-to-Point Connections
Configuring Serial Point-To-Point Encapsulation
HDLC Frame Format
• standard HDLC supports only single-protocol environments.
• Cisco HDLC uses a proprietary data field to support multiprotocol environments (but is Cisco proprietary).
• default encapsulation method on Cisco routers.
Configuring HDLC Encapsulation
Router(config-if)# encapsulation hdlc
• enables HDLC encapsulation
• uses the default encapsulation on synchronous serial interfaces
Point-to-Point Protocol (PPP)
• Overview:
- data link layer protocol used on point-to-point WAN connections.
- used in dedicated and circuit-switching technologies.
- works with synchronous and asynchronous serial connections.
- supports multiple network layer protocols.
- open standard by the IETF (RFC 1332, 1661 & 2153).
- PPP frame format:
  [Figure: Flag | Address | Control | Protocol | Payload | FCS]
PPP components
1- Link Control Protocol (LCP):
- responsible for negotiating and maintaining a PPP connection, including some options (establish, configure, negotiate options, test, terminate the PPP connection).
- LCP options are: authentication, compression, multilink, callback, error detection.
2- Network Control Protocol (NCP):
- negotiates the upper layer protocols that will be used during the PPP connection.
PPP operation
[Figure: exchange between two PPP peers]
LCP: Open connection -> OK -> Negotiate options
NCP: What is my IP? -> Your IP is .... / What is my IPX? -> No IPX
PPP options
1- Authentication:
a- PPP authentication protocol (PAP):
- 2-way handshake
- 1-way authentication
[Figure: client and server exchange]
1- Authentication (cont.)
- PAP configuration:
  Client configuration:
  (config-if)# encapsulation ppp
  (config-if)# ppp authentication pap
  (config-if)# ppp pap sent-username <client username> password <password>
  Server configuration:
  (config)# username <client username> password <password>
  (config-if)# encapsulation ppp
  (config-if)# ppp authentication pap
1- Authentication (cont.)
b- Challenge Handshake Authentication Protocol (CHAP):
- 3-way handshake.
- 2-way authentication.
1- Authentication (cont.)
- CHAP configuration:
  (config)# hostname <local name>
  (config)# username <remote name> password <password>
  (config-if)# ppp authentication chap
Router(config-if)# ppp authentication {chap | chap pap | pap chap | pap}
• Enables PAP or CHAP authentication
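The 3-way CHAP handshake that the configuration above enables, driven by the same `hostname` / `username <remote name> password <password>` data, with a PAP request for contrast, as an added Python example that is not from the slides; the response is computed as RFC 1994 specifies (MD5 over identifier, secret and challenge), and the router names, secrets and challenge values are constructed.

```python
import hashlib
import hmac
import os


class ChapPeer:
    """One PPP peer: its `hostname` and its `username <remote> password <secret>`
    table. Both routers must hold the same secret for the pair."""

    def __init__(self, hostname: str, usernames: dict):
        self.hostname = hostname
        self.usernames = usernames
        self._pending = {}          # identifier -> challenge value we sent

    @staticmethod
    def response_value(ident: int, secret: str, challenge: bytes) -> bytes:
        """RFC 1994: Response = MD5(Identifier || secret || Challenge)."""
        return hashlib.md5(bytes([ident]) + secret.encode() + challenge).digest()

    def challenge(self, ident: int):
        """Step 1: Challenge packet (identifier, random value, our hostname)."""
        value = os.urandom(16)
        self._pending[ident] = value
        return ident, value, self.hostname

    def respond(self, ident: int, value: bytes, challenger: str):
        """Step 2: look up the secret by the challenger's hostname and answer with
        the hash; the secret itself never crosses the link."""
        secret = self.usernames.get(challenger)
        if secret is None:
            return None             # no `username <challenger> password ...` line
        return ident, self.response_value(ident, secret, value), self.hostname

    def verify(self, ident: int, response: bytes, responder: str) -> bool:
        """Step 3: recompute the hash from our copy of the secret: Success or
        Failure. The challenge is single-use, so a captured response is useless."""
        value = self._pending.pop(ident, None)
        secret = self.usernames.get(responder)
        if value is None or secret is None:
            return False
        expected = self.response_value(ident, secret, value)
        return hmac.compare_digest(expected, response)


def chap_authenticate(challenger: ChapPeer, responder: ChapPeer, ident: int = 1) -> bool:
    """One 3-way handshake: the challenger checks that the responder knows the secret."""
    reply = responder.respond(*challenger.challenge(ident))
    if reply is None:
        return False
    return challenger.verify(*reply)


def chap_mutual(a: ChapPeer, b: ChapPeer) -> bool:
    """'2-way authentication': each side challenges the other."""
    return chap_authenticate(a, b, ident=1) and chap_authenticate(b, a, ident=2)


def pap_on_the_wire(username: str, password: str) -> bytes:
    """For contrast, the PAP Authenticate-Request carries both fields in clear
    text (RFC 1334 layout: peer-id length, peer-id, password length, password)."""
    u, p = username.encode(), password.encode()
    return bytes([len(u)]) + u + bytes([len(p)]) + p


if __name__ == "__main__":
    # Constructed pair: hostname RouterA / username RouterB password s3cret, and vice versa.
    router_a = ChapPeer("RouterA", {"RouterB": "s3cret"})
    router_b = ChapPeer("RouterB", {"RouterA": "s3cret"})
    print("mutual CHAP:", chap_mutual(router_a, router_b))
    print("PAP request bytes:", pap_on_the_wire("RouterB", "s3cret"))
```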
1- Authentication (cont.)
- CHAP Configuration Example:
[Figure: two routers configured for CHAP]
1- Authentication (cont.)
- Verifying the HDLC and PPP encapsulation configuration:
Router# show interface s0
Serial0 is up, line protocol is up
  Hardware is HD64570
  Internet address is 10.140.1.2/24
  MTU 1500 bytes, BW 1544 Kbit, DLY 20000 usec, rely 255/255, load 1/255
  Encapsulation PPP, loopback not set, keepalive set (10 sec)
  LCP Open
  Open: IPCP, CDPCP
  Last input 00:00:05, output 00:00:05, output hang never
  Last clearing of "show interface" counters never
  Queueing strategy: fifo
  Output queue 0/40, 0 drops; input queue 0/75, 0 drops
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     38021 packets input, 5656110 bytes, 0 no buffer
     Received 23488 broadcasts, 0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
     38097 packets output, 2135697 bytes, 0 underruns
     0 output errors, 0 collisions, 6045 interface resets
     0 output buffer failures, 0 output buffers swapped out
     482 carrier transitions
     DCD=up  DSR=up  DTR=up  RTS=up  CTS=up
1- Authentication (cont.)
- Verifying PPP Authentication:
• debug ppp authentication shows successful CHAP output.
PPP options (cont.)
2- Multilink:
- bandwidth aggregation by combining multiple physical interfaces into one logical link.
- splits L3 packets and sends the fragments over the parallel links.
- Configuration: (config-if)# ppp multilink
PPP options (cont.)
3- Callback:
- enables a router to place a call and request a callback.
- once the request is made, the call disconnects and the other router (server) dials the router (client) back.
4- Compression:
- to improve the throughput on slower links.
- PPP compression supports: 1- Stacker 2- Predictor 3- MPPC (Microsoft point-to-point) 4- TCP header
PPP options (cont.)
5- Error detection:
- uses LQM (Link Quality Monitor).
- computes the ratio between corrupted frames and the total number of frames sent.
- if this ratio exceeds a certain reference number, the link is dropped.
6- Looped link detection:
- uses a magic number.
- every router has a magic number.
- if the router receives a frame carrying its own magic number, the link is looped and goes down.
Troubleshooting
# debug ppp negotiation
# debug ppp authentication
# show interface s0/0
  shows the status of the interface, encapsulation, LCP state, NCP state.
ISDN
Integrated Services Digital Network (ISDN)
ISDN
• Overview:
- ISDN is a digital dial-up circuit-switching WAN technology.
- digital end to end, so higher speeds and faster setup than analog.
- used as a backup for the primary WAN connection (leased line, F.R.).
- ISDN uses 2 types of channels:
  1- Bearer channel (B-channel)
  2- Delta channel (D-channel)
- ISDN service types:
  1- BRI (Basic Rate Interface)
  2- PRI (Primary Rate Interface)
ISDN layer model
[Table: ISDN layer model]
       B-channel             D-channel
L3     IP, IPX, AppleTalk    Q.931
L2     PPP, HDLC             Q.921
L1     I-series (ex: I.430, I.431)
ISDN layer model (cont.)
1- Physical layer (L1):
- the I-series defines the ISDN interfaces and reference points.
- to implement an ISDN connection, the router must be configured with the ISDN switch type to enable physical layer communication:
  (config)# isdn switch-type <type>
2- Data link layer (L2):
- for the B-channel, defines the data encapsulation protocol (PPP, HDLC).
- for the D-channel, defines the LAP-D (Q.921) encapsulation that carries the signaling information between the TE and the CO switch.
3- Network layer (L3):
- for the B-channel, any routed protocol (IP, IPX, AppleTalk).
- for the D-channel, the control information protocol (Q.931).
ISDN types
1- ISDN BRI:
- BRI = 2 B + 1 D channels.
- B = 64 kbps, D = 16 kbps.
- Basic B.W. = 2 * 64 + 16 = 144 kbps.
- Effective B.W. = 2 * 64 = 128 kbps.
- Overall B.W. = 144 + 48 = 192 kbps; the 48 kbps is for framing and synchronization.
2- ISDN PRI:
- PRI T1 (North America & Japan) = 23 B + 1 D; B = 64 kbps, D = 64 kbps.
  Basic B.W. = 23 * 64 + 64 = 1.54 Mbps
- PRI E1 (Europe & Egypt) = 30 B + 1 D.
  Basic B.W. = 30 * 64 + 64 = 2.04 Mbps
ISDN Reference Points
[Figure: TE1, and TE2 through a TA, connecting via NT2 and NT1 to the ISDN network; reference points R, S, T, U]
- TE1: terminal equipment with a native ISDN interface.
- TE2: terminal equipment with a non-native ISDN interface.
- TA: terminal adapter that converts a non-native ISDN interface to a native ISDN interface (used by TE2).
- NT2: network terminal used for grouping multiple ISDN connections.
- NT1: network terminal used as the ISDN modem.
- R, S, T, U are reference points.
Cisco ISDN BRI Interfaces
Configuring ISDN BRI
Step 1: Specify the ISDN switch type.
Router(config)# isdn switch-type switch-type
OR
Router(config-if)# isdn switch-type switch-type
• The command specifies the type of ISDN switch that the router communicates with.
• Other configuration requirements vary by provider.
Configuring ISDN BRI (Cont.)
Step 2: (Optional) Set SPIDs
Router(config-if)# isdn spid1 spid-number [ldn]
• Sets a B-channel SPID, required by many service providers
Router(config-if)# isdn spid2 spid-number [ldn]
• Sets a SPID for the second B channel
Verifying the ISDN Configuration
Router# show isdn active
• Displays current call information
Router# show isdn status
• Displays the status of an ISDN connection
Router# show interfaces bri0
• Displays statistics for the BRI interface that is configured on the router
Monitoring ISDN BRI
Troubleshooting the ISDN Configuration
Router# debug ppp authentication
• Displays the PPP authentication protocol messages
Router# debug ppp negotiation
• Displays information on PPP link establishment
Router# debug isdn q921
• Shows ISDN Layer 2 messages
Router# debug isdn q931
• Shows ISDN call setup and teardown activity (Layer 3)
Dial on Demand Routing (DDR)
• Connects automatically when needed
• Disconnects when finished
- Legacy DDR: binds the call configuration to the physical interface, so all dial-out calls have the parameters for automatic dialing.
Configuring DDR
1- Define static routes: What route do I use?
2- Specify interesting traffic: What traffic enables the link?
3- Configure the dialer information: What number do I call?
Configuring DDR (cont.)
1- Routing protocol (static route):
  (config)# ip route <network> <mask> <next hop address>
2- Define the interesting traffic:
  (config)# dialer-list <no.> protocol <protocol> {permit | deny | list <acl no.>}
3- Assign the dialer list to the interface:
  (config-if)# dialer-group <list no.>
4- Define the dialer map:
  (config-if)# dialer map <protocol> <next hop address> [name <remote name>] <dial number> [speed <rate>]
Configuring DDR (cont.)
DDR Example:
[Figure: BRI0 dialing the router "Central" (5552000, next hop 10.1.0.2) to reach network 12.0.0.0/8]
(config)# ip route 12.0.0.0 255.0.0.0 10.1.0.2
(config)# dialer-list 1 protocol ip permit
(config)# interface bri0
(config-if)# dialer-group 1
(config-if)# dialer map ip 10.1.0.2 name Central 5552000
Dialer Profile
- enhanced DDR.
- separates the logical configuration from the physical interface.
- we can configure more than one dialer configuration for a single physical interface.
Frame Relay
Frame Relay topology
• connections made by virtual circuits
• connection-oriented service
Frame Relay overview
- FR is a data link layer, packet-switching technology.
- performs only error detection and leaves the correction to upper layer protocols.
- defines only the interaction between the CPE and the FR switch.
- FR is a multiple-access technology based on the virtual circuit concept.
- FR is a connection-oriented protocol through the FR feature called LMI.
- Encapsulation protocol is LAPF; LAPF types are:
  1- Cisco
  2- IETF
- note: the same encapsulation type must be used on the source and destination routers.
Frame Relay Topologies
• Frame Relay default: nonbroadcast multiaccess (NBMA)
Frame Relay addressing
- DLCI number:
- DLCI (Data Link Connection Identifier) is the VC ID of FR (the L2 path address).
- the DLCI number is locally significant.
- different DLCIs on the same path don't affect the connection.
[Figure: routers connected through the FR cloud with DLCI 100, 200, 300, 400]
Frame Relay management
• LMI (Local Management Interface):
- signaling protocol between the router and the FR switch.
- used for management purposes; it allows directly connected devices to share information about the status of the VCs as well as their configuration.
- It is used so that a router can get its local DLCI from the FR switch.
- LMI types: 1- Cisco 2- ANSI (Annex D) 3- Q.933a (Annex A) (ITU-T)
- Note: different LMI types on the same path don't affect the connection.
Frame Relay management (cont.)
- LMI status:
  1- Active: the connection using this DLCI is all right.
  2- Inactive: there is a problem at the remote site.
  3- Deleted: there is a problem at your local site.
Frame Relay Address Mapping
- To map between a destination IP and its DLCI:
1- Manual resolution:
  mapping between the DLCI number and the next-hop IP address using configuration.
  (config-if)# frame-relay map <protocol> <next hop address> <dlci no.> [broadcast] [ietf]
2- Dynamic resolution (Inverse ARP):
  allows the router to automatically discover the address of the next hop on each VC that is in the active state.
LMI Signaling and Inverse ARP
– Use LMI to get the locally significant DLCI from the Frame Relay switch.
– Use Inverse ARP to map the local DLCI to the remote router's network layer address.
Reachability Issues with Routing Updates
• Problem:
– Broadcast traffic must be replicated for each active connection.
– The split-horizon rule prevents routing updates received on an interface from being forwarded out the same interface.
Resolving Reachability Issues
Use sub-interfaces
• split horizon can cause problems in NBMA environments.
• solution: sub-interfaces can resolve split-horizon issues.
• a single physical interface simulates multiple logical interfaces.
• each pair of corresponding peers is in a separate subnet.
• don't assign an IP address to the main interface.
Frame Relay configuration
(config)# int s0/0
(config-if)# encapsulation frame-relay [cisco | ietf]
(config-if)# frame-relay lmi-type {cisco | q933a | ansi}
(config-if)# frame-relay map <protocol> <next hop address> <dlci no.> [broadcast] [ietf]
Sub-interface configuration:
(config)# int s0/0.1 [point-to-point | multipoint]
(config-subif)# frame-relay interface-dlci <dlci no.>
Configuring a Static Frame Relay Map
Configuring Subinterfaces
– Point-to-point:
• Subinterfaces act like leased lines.
• Each point-to-point subinterface requires its own subnet.
• Point-to-point is applicable to hub-and-spoke topologies.
– Multipoint:
• Subinterfaces act like NBMA networks, so they do not resolve the split-horizon issues.
• Multipoint can save address space because it uses a single subnet.
• Multipoint is applicable to partial-mesh and full-mesh topologies.
Configuring Point-to-Point Subinterfaces
Multipoint Subinterfaces Configuration Example
Verifying Frame Relay Operation
Router#show interfaces name
• Displays information about Frame Relay DLCIs and the LMI
Router#show frame-relay lmi [int.name]
• Displays LMI statistics
Router#show frame-relay map
• Displays the current Frame Relay map entries
Router#show frame-relay pvc [int.name [dlci]]
• Displays PVC statistics
Router#show frame-relay traffic
• Displays Frame Relay traffic statistics
show interfaces Example
– Displays line, protocol, DLCI, and LMI information
Router# show interfaces s0
Serial0 is up, line protocol is up
  Hardware is HD64570
  Internet address is 10.140.1.2/24
  MTU 1500 bytes, BW 1544 Kbit, DLY 20000 usec, rely 255/255, load 1/255
  Encapsulation FRAME-RELAY, loopback not set, keepalive set (10 sec)
  LMI enq sent 19, LMI stat recvd 20, LMI upd recvd 0, DTE LMI up
  LMI enq recvd 0, LMI stat sent 0, LMI upd sent 0
  LMI DLCI 1023  LMI type is CISCO  frame relay DTE
  FR SVC disabled, LAPF state down
  Broadcast queue 0/64, broadcasts sent/dropped 8/0, interface broadcasts 5
  Last input 00:00:02, output 00:00:02, output hang never
  Last clearing of "show interface" counters never
  Queueing strategy: fifo
  Output queue 0/40, 0 drops; input queue 0/75, 0 drops
<Output omitted>
show frame-relay lmi Example
– Displays LMI information
Router# show frame-relay lmi
LMI Statistics for interface Serial0 (Frame Relay DTE) LMI TYPE = CISCO
  Invalid Unnumbered info 0             Invalid Prot Disc 0
  Invalid dummy Call Ref 0              Invalid Msg Type 0
  Invalid Status Message 0              Invalid Lock Shift 0
  Invalid Information ID 0              Invalid Report IE Len 0
  Invalid Report Request 0              Invalid Keep IE Len 0
  Num Status Enq. Sent 113100           Num Status msgs Rcvd 113100
  Num Update Status Rcvd 0              Num Status Timeouts 0
show frame-relay pvc Example
– Displays PVC traffic statistics
Router# show frame-relay pvc 100
PVC Statistics for interface Serial0 (Frame Relay DTE)
DLCI = 100, DLCI USAGE = LOCAL, PVC STATUS = ACTIVE, INTERFACE = Serial0
  input pkts 28             output pkts 10            in bytes 8398
  out bytes 1198            dropped pkts 0            in FECN pkts 0
  in BECN pkts 0            out FECN pkts 0           out BECN pkts 0
  in DE pkts 0              out DE pkts 0
  out bcast pkts 10         out bcast bytes 1198
  pvc create time 00:03:46, last time pvc status changed 00:03:47
show frame-relay map Example
– Displays the route maps, either static or dynamic
Router# show frame-relay map
Serial0 (up): ip 10.140.1.1 dlci 100(0x64,0x1840), dynamic,
              broadcast,, status defined, active
Troubleshooting Basic Frame Relay Operations
• Displays LMI debug information
Router# debug frame-relay lmi
Frame Relay LMI debugging is on
Displaying all Frame Relay LMI data
Router#
1w2d: Serial0(out): StEnq, myseq 140, yourseen 139, DTE up
1w2d: datagramstart = 0xE008EC, datagramsize = 13
1w2d: FR encap = 0xFCF10309
1w2d: 00 75 01 01 01 03 02 8C 8B
1w2d:
1w2d: Serial0(in): Status, myseq 140
1w2d: RT IE 1, length 1, type 1
1w2d: KA IE 3, length 2, yourseq 140, myseq 140
1w2d: Serial0(out): StEnq, myseq 141, yourseen 140, DTE up
1w2d: datagramstart = 0xE008EC, datagramsize = 13
1w2d: FR encap = 0xFCF10309
1w2d: 00 75 01 01 01 03 02 8D 8C
1w2d:
1w2d: Serial0(in): Status, myseq 142
1w2d: RT IE 1, length 1, type 0
1w2d: KA IE 3, length 2, yourseq 142, myseq 142
1w2d: PVC IE 0x7 , length 0x6 , dlci 100, status 0x2 , bw 0
Frame Relay Traffic Shaping
• CIR: committed information rate
• EIR: excess information rate
• Rate < CIR: DE = 0
• CIR < Rate < EIR: DE = 1
• Rate > EIR: the frame is dropped
• DE: discard eligibility
• FECN: forward explicit congestion notification
• BECN: backward explicit congestion notification
[Figure: LAPF frame header fields DE, FECN, BECN]