Upload
mrec20mau
View
28
Download
1
Embed Size (px)
DESCRIPTION
Exploring the functions of the Network
Citation preview
Building a Simple Network
Exploring the Functions of Networking
What Is a Network?
Resource-Sharing Functions and Benefits
Data and applications
Resources
Network storage
Backup devices
Characteristics of a Network
Speed
Cost
Security
Availability
Scalability
Reliability
Topology
Building a Simple Network
OSI Layer
Why a Layered Network Model?
Reduces complexity
Standardizes interfaces
Facilitates modular engineering
Ensures interoperable technology
Accelerates evolution
Simplifies teaching and learning
The Seven Layers of the OSI Model
The Seven Layers of the OSI Model
The Seven Layers of the OSI Model
The Seven Layers of the OSI Model
The Seven Layers of the OSI Model
The Seven Layers of the OSI Model
The Seven Layers of the OSI Model
Data Encapsulation
Data De-Encapsulation
Peer-to-Peer Communication
Unshielded Twisted-Pair Cable
Speed and throughput: 10 to 1000 Mb/s
Average cost per node: Least expensive
Media and connector size: Small
Maximum cable length: Varies
RJ-45 Connector
Cable 10BASE-T/
100BASE-TX Straight-Through
Pin Label Pin Label
1
2
3
4
5
6
7
8
TX+
TX-
RX+
NC
NC
RX-
NC
NC
1
2
3
4
5
6
7
8
TX+
TX-
RX+
NC
NC
RX-
NC
NC
Straight-Through Cable
Wires on cable ends
are in same order.
UTP Implementation (Straight-Through)
Cable 10BASE-T or
100BASE-TX Straight-Through Crossover Cable
Some wires on cable
ends are crossed.
Pin Label Pin Label
1
2
3
4
5
6
7
8
TX+
TX-
RX+
NC
NC
RX-
NC
NC
1
2
3
4
5
6
7
8
TX+
TX-
RX+
NC
NC
RX-
NC
NC
EIA/TIA T568A EIA/TIA T568B
UTP Implementation (Crossover)
UTP Implementation: Straight-Through vs. Crossover
Using Varieties of UTP
© 2007 Cisco Systems, Inc. All rights reserved. ICND1 v1.0—2-23
Building a Simple Network
Understanding the Data Link Layer of
OSI
Network Interface Card
MAC Address Components
MAC Addresses
Physical Topology Categories
IP Addressing and Subnetting
Constructing a Network Addressing Scheme
Why IP Addresses?
They uniquely identify each device on an IP network.
Every host (computer, networking device, peripheral) must have a unique address.
Host ID:
– Identifies the individual host
– Is assigned by organizations to individual devices
IP Address Format: Dotted Decimal Notation
The binary-to-decimal and decimal-to-
binary conversion will be detailed later
in this course.
IP Address Classes: The First Octet
IP Address Ranges
*127 (01111111) is a Class A address reserved for loopback testing and cannot be assigned to a network.
Reserved Address
Public IP Addresses
Private IP Addresses
Class Private Address Range
A 10.0.0.0 to 10.255.255.255
B 172.16.0.0 to 172.31.255.255
C 192.168.0.0 to 192.168.255
© 2007 Cisco Systems, Inc. All rights reserved. ICND1 v1.0—2-36
Internetworking Fundamentals
Internetwork Operating System
Cisco IOS Software
Features to carry the chosen network protocols and functions
Connectivity for high-speed traffic between devices
Security to control access and prohibit unauthorized network use
Scalability to add interfaces and capability as needed for network growth
Reliability to ensure dependable access to networked resources
External Configuration Sources
Configurations can come from many sources.
Configurations will act in device memory.
CLI is used to enter commands.
Operations vary on different internetworking devices.
Users type or paste entries in the console command modes.
Command modes have distinctive prompts.
Enter key instructs device to parse and execute the command.
Two primary EXEC modes are user mode and privileged mode.
Cisco IOS User Interface Functions
There are two main EXEC modes for entering commands.
Cisco IOS Software EXEC Mode (User)
Cisco IOS Software EXEC Mode (Privileged)
Switch Command-Line Help Facilities
Viewing the Configuration
Displays the current and saved configuration
show running-config and show startup-config Commands
Overview of Router Modes
Accessing the Cisco IOS Device Console
Telnet
Aux Port
Configuring Router Identification
Console-Line Commands
RouterX(config)#line console 0 RouterX(config-line)#exec-timeout 20 30
RouterX(config)#line console 0 RouterX(config-line)#logging synchronous
Modifies console session timeout
Redisplays interrupted console input
Configuring a Router Password
RouterX(config)#interface type number
RouterX(config-if)#
type includes serial, ethernet, token ring, fddi, hssi, loopback, dialer, null, async, atm, bri, tunnel, and so on
number is used to identify individual interfaces
RouterX(config-if)#exit
Quits from current interface configuration mode
RouterX(config)#interface type slot/port
RouterX(config-if)#
For modular routers, selects an interface
Configuring an Interface
RouterX(config-if)# description string
string is a comment or a description to help you remember what is attached to this interface.
The maximum number of characters for the string argument is 238.
Configuring an Interface Description
RouterX#configure terminal
RouterX(config)#interface serial 0
RouterX(config-if)#no shutdown
%LINK-3-UPDOWN: Interface Serial0, changed state to up
%LINEPROTO-5-UPDOWN: Line Protocol on Interface Serial0, changed state to up
Enables an interface that is administratively shut down
RouterX#configure terminal
RouterX(config)#interface serial 0
RouterX(config-if)#shutdown
%LINK-5-CHANGED: Interface Serial0, changed state to administratively down
%LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0, changed state to down
Administratively turns off an interface
Disabling or Enabling an Interface
Unique addressing allows communication between end stations
Path choice is based on destination address
Configuring IP Addresses
Saving Configurations
Copies the current configuration to NVRAM
RouterX#
RouterX#copy running-config startup-config
Destination filename [startup-config]?
Building configuration…
RourterX#
Interpreting the Interface Status
Catalyst 2960 Switch LED Indicators
Configuration modes:
Global configuration mode
– SwitchX#configure terminal
– SwitchX(config)#
Interface configuration mode
– SwitchX(config)#interface fa0/1
– SwitchX(config-if)#
Configuring the Switch
Sets the local identity for the switch
Configuring Switch Identification
Example:
SwitchX(config)#interface vlan 1
SwitchX(config-if)#ip address 10.5.5.11 255.255.255.0
SwitchX(config-if)#no shutdown
Note: It is necessary to use the no shutdown command to make the
interface operational.
SwitchX(config)#interface vlan 1
SwitchX(config-if)#ip address {ip address} {mask}
Configuring the Switch IP Address
SwitchX(config)#ip default-gateway 172.20.137.1
Example:
SwitchX(config)#ip default-gateway {ip address}
Configuring the Switch Default Gateway
Saving Configurations
Copies the current configuration to NVRAM
SwitchX
SwitchX copy running-config startup-config
Destination filename [startup-config]?
Building configuration…
SwitchX
Laboratory
Routing Operations
A router needs to do the following:
Know the destination address.
Identify the sources from which the router can learn.
Discover possible routes to the intended destination.
Select the best route.
Maintain and verify routing information.
Router Operations
Routers must learn destinations that are not directly connected.
Router Operations (Cont.)
Static route
Uses a route that a network administrator enters into the router manually
Dynamic route
Uses a route that a network routing protocol adjusts automatically for topology or traffic changes
Identifying Static and Dynamic Routes
Static Routing
Static Routes
Configure unidirectional static routes to and from a stub network to allow communications to occur.
Defines a path to an IP destination network or subnet or host
Address = IP address of the next hop router
Interface = outbound interface of the local router
RouterX(config)# ip route network [mask] {address | interface}[distance] [permanent]
Static Route Configuration
Static Route Example
This is a unidirectional route. You must have a route configured in the
opposite direction.
RouterX(config)# ip route 172.16.1.0 255.255.255.0 172.16.2.1
Router(config)#ip route 172.16.1.0 255.255.255.0 s0/0/0
or
Default Routes
This route allows the stub network to reach all known networks beyond
Router A.
Verifying the Static Route Configuration
RouterX# show ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, * - candidate default
U - per-user static route
Gateway of last resort is 0.0.0.0 to network 0.0.0.0
10.0.0.0/8 is subnetted, 1 subnets
C 10.1.1.0 is directly connected, Serial0/0/0
S* 0.0.0.0/0 is directly connected, Serial0
Example
Laboratory 2
Given the topology below, configure static or default routing so that all network are
reachable.
Variable Length Subnetmasking
Variable Length Subnetmasking
25 hosts
Router A
20 hostsRouter B
12 hostsRouter C
9 hostsRouter D
3 hostsRouter E
HQ
Long Method…
N N N SN SN SN VLS
M 1
VLS
M 2
VLS
M 3
192 . 168 . 5 . X X X X X X X X
SN 1 192 . 168 . 5 . 0 0 0
LAN A (192.168.5.32)
SN 2 192 . 168 . 5 . 0 0 1 0 0 0 0 1 .33
1 1 1 1 0 .62
LAN B (192.168.5.64)
SN 3 192 . 168 . 5 . 0 1 0 0 0 0 0 1 .65
1 1 1 1 0 .94
LAN C (192.168.5.96)
SN 4 192 . 168 . 5 . 0 1 1 0 0 0 0 1 .97
1 1 1 0 .126
LAN D (192.168.5.112)
SN 5 192 . 168 . 5 . 0 1 1 1 0 0 0 1 .113
1 1 1 0 .126
LAN E (192.168.5.128)
SN 6 192 . 168 . 5 . 1 0 0 0 0 0 0 1 .129
1 1 0 .134
WAN A (192.168.5.136)
1 0 0 0 1 0 0 1 .137
1 0 .138
WAN B (192.168.5.140)
1 0 0 0 1 1 0 1 .141
1 0 .142
WAN C (192.168.5.144)
1 0 0 1 0 0 0 1 .145
1 0 .146
WAN D (192.168.5.148)
1 0 0 1 0 1 0 1 .149
1 0 .150
WAN E (192.168.5.152)
1 0 0 1 1 0 0 1 .153
1 0 .154
Shortcut ….. 25 hosts
Router A
20 hostsRouter B
12 hostsRouter C
9 hostsRouter D
3 hostsRouter E
HQ
192.168.5.32/27
192.168.5.64/27
192.168.5.96/28
192.168.5.112/28
192.168.5.128/29
192.168.5.136/30
192.168.5.140/30
192.168.5.144/30
192.168.5.148/30
192.168.5.152/30
No. of host bits
(m)
No. of to accommodate
Network
Address Prefix
hosts hosts required 2m (prev NA + 2m) /(32-m)
LAN A 25 5 32 192.168.5.32 /27
LAN B 20 5 32 192.168.5.64 /27
LAN C 12 4 16 192.168.5.96 /28
LAN D 9 4 16 192.168.5.112 /28
LAN E 3 3 8 192.168.5.128 /29
WAN A 2 2 4 192.168.5.136 /30
WAN B 2 2 4 192.168.5.140 /30
WAN C 2 2 4 192.168.5.144 /30
WAN D 2 2 4 192.168.5.148 /30
WAN E 2 2 4 192.168.5.152 /30
seatwork
A Class C network 192.168.100.0/24
is assigned. You need to create an
IP plan for this network using VLSM.
Please fill-out the vlsm table
No. of
Hbits to
accommodate
Network
Address Prefix
hosts hosts required 2m (prev NA + 2m)
/(32-
m)
LAN A 50
LAN B 27
LAN C 12
LAN D 12
WAN E 2
WAN F 2
WAN G 2
WAN H 2
Enabling RIP
Routing protocols are used between routers to determine paths and maintain routing tables.
After the path is determined, a router can route a routed protocol.
What Is a Routing Protocol?
An autonomous system is a collection of networks under a common administrative domain.
IGPs operate within an autonomous system.
EGPs connect different autonomous systems.
Autonomous Systems: Interior or Exterior Routing Protocols
Classes of Routing Protocols
Administrative Distance: Ranking Routes
Classful Routing Protocol
Classful routing protocols do not include the subnet mask with the route advertisement.
Within the same network, consistency of the subnet masks is assumed.
Summary routes are exchanged between foreign networks.
These are examples of classful routing protocols:
– RIPv1
– IGRP
Classless Routing Protocol
Classless routing protocols include the subnet mask with the route advertisement.
Classless routing protocols support a variable-length subnet mask (VLSM).
Summary routes can be manually controlled within the network.
These are examples of classless routing protocols:
– RIPv2
– EIGRP
– OSPF
– IS-IS
Routers pass periodic copies of their routing table to neighboring routers and accumulate distance vectors
Distance Vector Routing Protocols
Routers discover the best path to destinations from each neighbor.
Sources of Information and Discovering Routes
Maximum is 16 equal-cost paths (default = 4)
Hop-count metric selects the path
Routes update every 30 seconds
RIP Overview
RIPv1 and RIPv2 Comparison
RIPv1 RIPv2
Routing protocol Classful Classless
Supports variable-length subnet mask? No Yes
Sends the subnet mask along with the routing update?
No Yes
Addressing type Broadcast Multicast
Defined in … RFC 1058 RFCs 1721,
1722, and 2453
Supports manual route summarization? No Yes
Authentication support? No Yes
Router configuration
– Select routing protocols
– Specify networks or interfaces
IP Routing Configuration Tasks
Starts the RIP routing process
RouterX(config)# router rip
RouterX(config-router)# network network-number
Selects participating attached networks
Requires a major classful network number
RIP Configuration
Enables RIP version 2
RouterX(config-router)# version 2
RIP Configuration Example
Verifying the RIP Configuration
Routing Protocol is "rip"
Sending updates every 30 seconds, next due in 6 seconds
Invalid after 180 seconds, hold down 180, flushed after 240
Outgoing update filter list for all interfaces is not set
Incoming update filter list for all interfaces is not set
Redistributing: rip
Default version control: send version 2, receive version 2
Interface Send Recv Triggered RIP Key-chain
FastEthernet0/0 2 2
Serial0/0/2 2 2
Automatic network summarization is in effect
Maximum path: 4
Routing for Networks:
10.0.0.0
172.16.0.0
Routing Information Sources:
Gateway Distance Last Update
10.1.1.2 120 00:00:25
Distance: (default is 120)
RouterA#
Displaying the IP Routing Table
RouterA# show ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, * - candidate default
U - per-user static route, o - ODR
T - traffic engineered route
Gateway of last resort is not set
172.16.0.0/24 is subnetted, 1 subnets
C 172.16.1.0 is directly connected, fastethernet0/0
10.0.0.0/24 is subnetted, 2 subnets
R 10.2.2.0 [120/1] via 10.1.1.2, 00:00:07, Serial0/0/2
C 10.1.1.0 is directly connected, Serial0/0/2
R 192.168.1.0/24 [120/2] via 10.1.1.2, 00:00:07, Serial0/0/2
debug ip rip Command
RouterA# debug ip rip
RIP protocol debugging is on
RouterA#
00:06:24: RIP: received v1 update from 10.1.1.2 on Serial0/0/2
00:06:24: 10.2.2.0 in 1 hops
00:06:24: 192.168.1.0 in 2 hops
00:06:33: RIP: sending v1 update to 255.255.255.255 via FastEthernet0/0 (172.16.1.1)
00:06:34: network 10.0.0.0, metric 1
00:06:34: network 192.168.1.0, metric 3
00:06:34: RIP: sending v1 update to 255.255.255.255 via Serial0/0/2 (10.1.1.1)
00:06:34: network 172.16.0.0, metric 1
Configuring OSPF
Link-State Routing Protocols
After an initial flood of LSAs, link-state routers pass small, event-triggered link-state updates to all other routers.
OSPF Overview
Creates a neighbor relationship by exchanging hello packets
Propagates LSAs rather than routing table updates
– Link: Router interface
– State: Description of an interface and its relationship to neighboring routers
Floods LSAs to all OSPF routers in the area, not just directly connected routers
Pieces together all the LSAs generated by the OSPF routers to create the OSPF link-state database
Uses the SPF algorithm to calculate the shortest path to each destination and places it in the routing table
Benefits of link-state routing:
– Fast convergence:
Changes are reported immediately by the affected source
– Robustness against routing loops:
Routers know the topology
Link-state packets are sequenced and acknowledged
– Hierarchical network design enables optimization of resources.
Drawbacks of link-state routing:
– Significant demands for resources:
Memory (three tables: adjacency, topology, forwarding)
CPU (Dijkstra’s algorithm can be intensive, especially when there are many instabilities)
– Requires very strict network design
– Configuration can be complex when tuning various parameters and when design is complex
Benefits and Drawbacks of Link-State Routing
OSPF Hierarchical Routing
Consists of areas and autonomous systems
Minimizes routing update traffic
SPF Algorithm
Places each router at the root of a tree and calculates the shortest path to each destination based on the cumulative cost
Cost = Reference Bandwidth / Interface Bandwidth (b/s)
10
1
10
1
1
Configuring Single-Area OSPF
network address wildcard-mask area area-id
Assigns networks to a specific OSPF area
router ospf process-id
Defines OSPF as the IP routing protocol
RouterX(config)#
RouterX(config-router)#
Configuring Loopback Interfaces
Router ID:
Number by which the router is known to OSPF
Default: The highest IP address on an active interface at the moment of OSPF process startup
Can be overridden by a loopback interface: Highest IP address of any active loopback interface
Can be set manually using the router-id command
Verifying the OSPF Configuration
RouterX# show ip protocols
Verifies that OSPF is configured
RouterX# show ip route
Displays all the routes learned by the router
RouterX# show ip route
Codes: I - IGRP derived, R - RIP derived, O - OSPF derived,
C - connected, S - static, E - EGP derived, B - BGP derived,
E2 - OSPF external type 2 route, N1 - OSPF NSSA external type 1 route,
N2 - OSPF NSSA external type 2 route
Gateway of last resort is 10.119.254.240 to network 10.140.0.0
O 10.110.0.0 [110/5] via 10.119.254.6, 0:01:00, Ethernet2
O IA 10.67.10.0 [110/10] via 10.119.254.244, 0:02:22, Ethernet2
O 10.68.132.0 [110/5] via 10.119.254.6, 0:00:59, Ethernet2
O 10.130.0.0 [110/5] via 10.119.254.6, 0:00:59, Ethernet2
O E2 10.128.0.0 [170/10] via 10.119.254.244, 0:02:22, Ethernet2
. . .
Verifying the OSPF Configuration (Cont.)
RouterX# show ip ospf
Routing Process "ospf 50" with ID 10.64.0.2
<output omitted>
Number of areas in this router is 1. 1 normal 0 stub 0 nssa
Number of areas transit capable is 0
External flood list length 0
Area BACKBONE(0)
Area BACKBONE(0)
Area has no authentication
SPF algorithm last executed 00:01:25.028 ago
SPF algorithm executed 7 times
<output omitted>
Displays the OSPF router ID, timers, and statistics
RouterX# show ip ospf
RouterX# show ip ospf interface ethernet 0
Ethernet 0 is up, line protocol is up
Internet Address 192.168.254.202, Mask 255.255.255.0, Area 0.0.0.0
AS 201, Router ID 192.168.99.1, Network Type BROADCAST, Cost: 10
Transmit Delay is 1 sec, State OTHER, Priority 1
Designated Router id 192.168.254.10, Interface address 192.168.254.10
Backup Designated router id 192.168.254.28, Interface addr 192.168.254.28
Timer intervals configured, Hello 10, Dead 60, Wait 40, Retransmit 5
Hello due in 0:00:05
Neighbor Count is 8, Adjacent neighbor count is 2
Adjacent with neighbor 192.168.254.28 (Backup Designated Router)
Adjacent with neighbor 192.168.254.10 (Designated Router)
RouterX# show ip ospf interface
Verifying the OSPF Configuration (Cont.)
Displays the area ID and adjacency information
RouterX# show ip ospf neighbor
ID Pri State Dead Time Address Interface
10.199.199.137 1 FULL/DR 0:00:31 192.168.80.37 FastEthernet0/0
172.16.48.1 1 FULL/DROTHER 0:00:33 172.16.48.1 FastEthernet0/1
172.16.48.200 1 FULL/DROTHER 0:00:33 172.16.48.200 FastEthernet0/1
10.199.199.137 5 FULL/DR 0:00:33 172.16.48.189 FastEthernet0/1
Verifying the OSPF Configuration (Cont.)
RouterX# show ip ospf neighbor
Displays the OSPF neighbor information on a per-interface basis
RouterX# debug ip ospf events
OSPF:hello with invalid timers on interface Ethernet0
hello interval received 10 configured 10
net mask received 255.255.255.0 configured 255.255.255.0
dead interval received 40 configured 30
OSPF: rcv. v:2 t:1 l:48 rid:200.0.0.117
aid:0.0.0.0 chk:6AB2 aut:0 auk:
RouterX# debug ip ospf packet
OSPF: rcv. v:2 t:1 l:48 rid:200.0.0.116
aid:0.0.0.0 chk:0 aut:2 keyid:1 seq:0x0
OSPF debug Commands
Laboratory
OSPF Authentication
OSPF supports two types of authentication:
– Plaintext (or simple) password authentication
– MD5 authentication
The router generates and checks every OSPF packet.
The router authenticates the source of each routing update packet that it receives.
Configure a ―key‖ (password); each participating neighbor must have the same key configured.
Configuring OSPF Plaintext Password Authentication
ip ospf authentication-key password
RouterX(config-if)#
Assigns a password to use with neighboring routers
RouterX(config-if)#
ip ospf authentication [message-digest | null]
Specifies the authentication type for an interface (as of Cisco IOS Release 12.0)
RouterX(config-router)#
area area-id authentication [message-digest]
Specifies the authentication type for an area
OR
Plaintext Password Authentication Configuration Example
© 2007 Cisco Systems, Inc. All rights reserved. ICND1 v1.0—2-119
EIGRP Implementation
Implementing EIGRP
EIGRP Features
Flexible network design
Multicast and unicast instead of broadcast address
Support for VLSM and discontiguous subnets
Manual summarization at any point in the internetwork
Support for multiple network layer protocols
Advanced distance vector
Rapid convergence
100% loop-free classless routing
Easy configuration
Incremental updates
Load balancing across equal- and unequal-cost pathways
EIGRP Tables
EIGRP Path Calculation (Router C)
EIGRP Configuration
RouterX(config)# router eigrp autonomous-system
RouterX(config-router)# network network-number
EIGRP and Discontiguous Networks Default Scenario Configuration
EIGRP, by default, does not advertise subnets and, therefore, cannot support discontiguous subnets.
EIGRP and Discontiguous Networks with no auto-summary
EIGRP with the no auto-summary parameter can advertise subnets and, therefore, can support discontiguous subnets.
RouterX# show ip eigrp interfaces IP EIGRP interfaces for process 109 Xmit Queue Mean Pacing Time Multicast Pending Interface Peers Un/Reliable SRTT Un/Reliable Flow Timer Routes Di0 0 0/0 0 11/434 0 0 Et0 1 0/0 337 0/10 0 0 SE0:1.16 1 0/0 10 1/63 103 0 Tu0 1 0/0 330 0/16 0 0
Verifying the EIGRP Configuration
RouterX# show ip eigrp interfaces Displays information about interfaces configured for EIGRP
RouterX# show ip protocols
RouterX# show ip route eigrp Displays the current EIGRP entries in the routing table
Displays the parameters and current state of the active process
RouterX# show ip eigrp neighbors IP-EIGRP Neighbors for process 77 Address Interface Holdtime Uptime Q Seq SRTT RTO (secs) (h:m:s) Count Num (ms) (ms) 172.16.81.28 Ethernet1 13 0:00:41 0 11 4 20 172.16.80.28 Ethernet0 14 0:02:01 0 10 12 24 172.16.80.31 Ethernet0 12 0:02:02 0 4 5 20
RouterX# show ip eigrp neighbors [detail]
Displays the neighbors discovered by IP EIGRP
Verifying the EIGRP Configuration (Cont.)
RouterX# show ip eigrp topology [all]
Displays the IP EIGRP topology table
Without the [all] parameter, shows successors and feasible successors
RouterX# show ip eigrp topology IP-EIGRP Topology Table for process 77 Codes: P - Passive, A - Active, U - Update, Q - Query, R - Reply, r - Reply status P 172.16.90.0 255.255.255.0, 2 successors, FD is 46251776 via 172.16.80.28 (46251776/46226176), Ethernet0 via 172.16.81.28 (46251776/46226176), Ethernet1 via 172.16.80.31 (46277376/46251776), Serial0 P 172.16.81.0 255.255.255.0, 2 successors, FD is 307200 via Connected, Ethernet1 via 172.16.81.28 (307200/281600), Ethernet1 via 172.16.80.28 (307200/281600), Ethernet0 via 172.16.80.31 (332800/307200), Serial0
Verifying the EIGRP Configuration (Cont.)
EIGRP Load Balancing
By default, EIGRP does equal-metric load balancing:
– By default, up to four routes with a metric equal to the minimum metric are installed in the routing table.
There can be up to 16 entries in the routing table for the same destination:
– The number of entries is configurable with the maximum-paths command.
EIGRP Unequal-Cost Load Balancing
variance multiplier RouterX(config-router)#
Allows the router to load-balance across routes with a metric smaller than the multiplier value times the minimum metric route to that destination.
The default variance is 1, which means equal-cost load balancing.
Variance Example
Router E chooses router C to route to network 172.16.0.0 because it has the lowest feasible distance of 20.
With a variance of 2, router E also chooses router B to route to network 172.16.0.0 (20 + 10 = 30) < [2 * (FD) = 40].
Router D is not considered to route to network 172.16.0.0 (because 25 > 20).
Switching Fundamentals
Signals degrade with transmission distance.
Each Ethernet type has a maximum segment length.
LAN Segment Limitations
Extending LAN Segments
Shares bandwidth
Extends cable distances
Repeats or amplifies signal
Collisions
Multiple Collision Domains
Address learning
Forwarding the filtering decisions
Loop avoidance
Ethernet Switches and Bridges
MAC Address Table
• The initial MAC address table is empty.
Learning Addresses
• Station A sends a frame to station C.
• The switch caches the MAC address of station A to port E0 by learning the source address of data frames.
• The frame from station A to station C is flooded out to all ports except port E0 (unknown unicasts are flooded).
Learning Addresses (Cont.)
• Station D sends a frame to station C.
• The switch caches the MAC address of station D to port E3 by learning the source address of data frames.
• The frame from station D to station C is flooded out to all ports except port E3 (unknown unicasts are flooded).
Filtering Frames
• Station A sends a frame to station C.
• The destination is known; the frame is not flooded.
Filtering Frames (Cont.)
• Station A sends a frame to station B.
• The switch has the address for station B in the MAC address table.
• Station D sends a broadcast or multicast frame.
• Broadcast and multicast frames are flooded to all ports other than the originating port.
Broadcast and Multicast Frames
VLAN Operations
VLAN Overview
VLAN = Broadcast Domain = Logical Network (Subnet)
Segmentation
Flexibility
Security
Designing VLANs for an Organization
VLAN design must take into consideration the implementation of a hierarchical network addressing scheme.
The benefits of hierarchical addressing are:
– Ease of management and troubleshooting
– Minimization of errors
– Reduced number of routing table entries
Guidelines for Applying IP Address Space
Allocate one IP subnet per VLAN.
Allocate IP address spaces in contiguous blocks.
• Each logical VLAN is like a separate physical bridge.
• VLANs can span across multiple switches.
• Trunks carry traffic for multiple VLANs.
• Trunks use special encapsulation to distinguish between
different VLANs.
VLAN Operation
VLAN Membership Modes
802.1Q Trunking
802.1Q Frame
Understanding Native VLANs
VTP Features
Cannot create, change, or delete VLANs
Sends and forwards advertisements
Synchronizes
Create VLANs
Modify VLANs
Delete VLANs
Sends and forwards advertisements
Synchronizes
Create local VLANs only
Modify local VLANs only
Delete local VLANs only
Forwards advertisements
Does not synchronize
VTP Modes
VTP Operation
VTP advertisements are sent as multicast frames.
VTP servers and clients are synchronized to the latest revision number.
VTP advertisements are sent every 5 minutes or when there is a change.
VTP Pruning
Configuring VLANs and Trunks
1. Configure and verify VTP.
2. Configure and verify 802.1Q trunks.
3. Create or modify a VLAN on the VTP server switch.
4. Assign switch ports to a VLAN and verify.
5. Execute adds, moves, and changes.
6. Save the VLAN configuration.
VTP defaults for the Cisco Catalyst switch:
– VTP domain name: None
– VTP mode: Server mode
– VTP pruning: Enabled or disabled (model specific)
– VTP password: Null
– VTP version: Version 1
A new switch can automatically become part of a domain once it receives an advertisement from a server.
A VTP client can overwrite a VTP server database if the client has a higher revision number.
A domain name cannot be removed after it is assigned; it can only be reassigned.
VTP Configuration Guidelines
SwitchX# configure terminal
SwitchX(config)# vtp mode [ server | client | transparent ]
SwitchX(config)# vtp domain domain-name
SwitchX(config)# vtp password password
SwitchX(config)# vtp pruning
SwitchX(config)# end
Creating a VTP Domain
SwitchX(config)# vtp domain ICND
Changing VTP domain name to ICND
SwitchX(config)# vtp mode transparent
Setting device to VTP TRANSPARENT mode.
SwitchX(config)# end
SwitchX# show vtp status
VTP Version : 2
Configuration Revision : 0
Maximum VLANs supported locally : 64
Number of existing VLANs : 17
VTP Operating Mode : Transparent
VTP Domain Name : ICND
VTP Pruning Mode : Disabled
VTP V2 Mode : Disabled
VTP Traps Generation : Disabled
MD5 digest : 0x7D 0x6E 0x5E 0x3D 0xAF 0xA0 0x2F 0xAA
Configuration last modified by 10.1.1.4 at 3-3-93 20:08:05
SwitchX#
VTP Configuration and Verification Example
802.1Q Trunking Issues
Make sure that the native VLAN for an 802.1Q trunk is the same on both ends of the trunk link.
Note that native VLAN frames are untagged.
A trunk port cannot be a secure port.
All 802.1Q trunking ports in an EtherChannel group must have the same configuration.
Configuring 802.1Q Trunking
Configures the port as a VLAN trunk
SwitchX(config-if)#
switchport mode trunk
switchport mode {access | dynamic {auto | desirable} | trunk}
SwitchX(config-if)#
Configures the trunking characteristics of the port
SwitchX# show interfaces fa0/11 trunk
Port Mode Encapsulation Status Native vlan
Fa0/11 desirable 802.1q trunking 1
Port Vlans allowed on trunk
Fa0/11 1-4094
Port Vlans allowed and active in management domain
Fa0/11 1-13
SwitchX# show interfaces fa0/11 switchport
Name: Fa0/11
Switchport: Enabled
Administrative Mode: trunk
Operational Mode: down
Administrative Trunking Encapsulation: dot1q
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
. . .
Verifying a Trunk
SwitchX# show interfaces interface [switchport | trunk]
VLAN Creation Guidelines
The maximum number of VLANs is switch-dependent.
Most Cisco Catalyst desktop switches support 128 separate spanning-tree instances, one per VLAN.
VLAN 1 is the factory default Ethernet VLAN.
Cisco Discovery Protocol and VTP advertisements are sent on VLAN 1.
The Cisco Catalyst switch IP address is in the management VLAN (VLAN 1 by default).
If using VTP, the switch must be in VTP server or transparent mode to add or delete VLANs.
Adding a VLAN
SwitchX# configure terminal
SwitchX(config)# vlan 2
SwitchX(config-vlan)# name switchlab99
SwitchX# show vlan id 2
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
2 switchlab99 active Fa0/2, Fa0/12
VLAN Type SAID MTU Parent RingNo BridgeNo Stp BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
2 enet 100002 1500 - - - - - 0 0
. . .
SwitchX#
Verifying a VLAN
SwitchX# show vlan [brief | id vlan-id || name vlan-name]
Assigning Switch Ports to a VLAN
SwitchX# configure terminal
SwitchX(config)# interface range fastethernet 0/2 - 4
SwitchX(config-if)# switchport access vlan 2
SwitchX# show vlan
VLAN Name Status Ports
---- -------------------------------- --------- ----------------------
1 default active Fa0/1
2 switchlab99 active Fa0/2, Fa0/3, Fa0/4
switchport access [vlan vlan# | dynamic]
SwitchX(config-if)#
SwitchX# show vlan brief
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Fa0/1
2 switchlab99 active Fa0/2, Fa0/3, Fa0/4
3 vlan3 active
4 vlan4 active
1002 fddi-default act/unsup
1003 token-ring-default act/unsup
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1004 fddinet-default act/unsup
1005 trnet-default act/unsup
SwitchX# show vlan brief
Verifying VLAN Membership
Verifying VLAN Membership (Cont.)
SwitchX# show interfaces fa0/2 switchport
Name: Fa0/2
Switchport: Enabled
Administrative Mode: dynamic auto
Operational Mode: static access
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: native
Negotiation of Trunking: On
Access Mode VLAN: 2 (switchlab99)
Trunking Native Mode VLAN: 1 (default)
--- output omitted ----
show interfaces interface switchport
SwitchX(config-if)#
Laboratory
Vlan
1
Vlan
10
Vlan
20
Vlan
30
Vlan
1
Vlan
10
Vlan
20
Vlan
30
Vlan 10 assigned on Ports Fa0/3-5
Vlan 20 assigned on Ports Fa0/6-8
Vlan 30 assigned on Ports Fa0/9-12
Vlan 10 assigned on Ports Fa0/3-5
Vlan 20 assigned on Ports Fa0/6-8
Vlan 30 assigned on Ports Fa0/9-12
Trunk Links assigned on
Fa0/1- 2
Trunk Links assigned on
Fa0/1- 3
Trunk Links assigned on
Fa0/1- 3
Fa0/1
Fa0/2Fa0/1
Fa0/2
Fa0/3Fa0/3
Fa0/3
Fa0/1 Fa0/2
Fa0 – no ip adddess
Fa0.1 – 192.168.1.1/24
Fa0.10 – 192.168.10.1/24
Fa0.20 – 192.168.20.1/24
Fa0.30 – 192.168.30.1/24
Vlan 1 – 192.168.1.0/24
Vlan 10 – 192.168.10.0/24
Vlan 20 – 192.168.20.0/24
Vlan 30 – 192.168.30.0/24
VTP Domain – CITS
VTP Server
STP Primary for Vlan 1, 10
STP Secondary for Vlan 20, 30
VTP Server
STP Primary for Vlan 20, 30
STP Secondary for Vlan 1, 10
Implementing STP
Redundant Topology
Redundant topology eliminates single points of failure.
Redundant topology causes broadcast storms, multiple frame copies, and MAC address table instability problems.
Station D sends a broadcast frame.
Broadcast frames are flooded to all ports except the originating port.
Broadcast Frames
Broadcast Storms
Host X sends a broadcast.
Switches continue to propagate broadcast traffic over and over.
Multiple Frame Copies
Host X sends a unicast frame to router Y.
The MAC address of router Y has not been learned by either switch.
Router Y will receive two copies of the same frame.
Host X sends a unicast frame to router Y.
The MAC address of router Y has not been learned by either switch.
Switches A and B learn the MAC address of host X on port 1.
The frame to router Y is flooded.
Switches A and B incorrectly learn the MAC address of host X on port 2.
MAC Database Instability
Provides a loop-free redundant network topology by placing certain ports in the blocking state
Published in the IEEE 802.1D specification
Enhanced with the Cisco PVST+ implementation
Loop Resolution with STP
Spanning-Tree Operation
One root bridge per broadcast domain.
One root port per nonroot bridge.
One designated port per segment.
Nondesignated ports are unused.
STP Root Bridge Selection
BPDU (default = sent every 2 seconds)
Root bridge = bridge with the lowest bridge ID
Bridge ID = Bridge Priority
MAC Address
Spanning tree transits each port through several different states:
Spanning-Tree Port States
Describing PortFast
PortFast is configured on access ports, not trunk ports.
Configuring and Verifying PortFast
spanning-tree portfast
SwitchX(config-if)#
Configures PortFast on an interface
spanning-tree portfast default
SwitchX(config)#
Enables PortFast on all non-trunking interfaces
show running-config interface interface
SwitchX#
Verifies that PortFast has been configured on an interface
OR
Spanning-Tree Operation Example
Spanning-Tree Path Cost
Link Speed Cost (Revised IEEE
Specification) Cost (Previous IEEE
Specification)
10 Gb/s 2 1
1 Gb/s 4 1
100 Mb/s 19 10
10 Mb/s 100 100
Spanning-Tree Recalculation
Per VLAN Spanning Tree Plus
Default Spanning-Tree Configuration
Cisco Catalyst switches support three types of STPs:
– PVST+
– PVRST+
– MSTP
The default STP for Cisco Catalyst switches is PVST+ :
– A separate STP instance for each VLAN
– One root bridge for all VLANs
– No load sharing
PVRST+ Configuration Guidelines
1. Enable PVRST+.
2. Designate and configure a switch to be the root bridge.
3. Designate and configure a switch to be the secondary root bridge.
4. Verify the configuration.
PVRST+ Implementation Commands
spanning-tree mode rapid-pvst
SwitchX(config)#
Configures PVRST+
show spanning-tree vlan vlan# [detail]
SwitchX#
Verifies the spanning-tree configuration
debug spanning-tree pvst+
SwitchX#
Displays PVST+ event debug messages
Verifying PVRST+
The spanning-tree mode is set to PVRST.
SwitchX# show spanning-tree vlan 30
VLAN0030
Spanning tree enabled protocol rstp
Root ID Priority 24606
Address 00d0.047b.2800
This bridge is the root
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Bridge ID Priority 24606 (priority 24576 sys-id-ext 30)
Address 00d0.047b.2800
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Aging Time 300
Interface Role Sts Cost Prio.Nbr Type
-------- ----- --- --- -------- ----
Gi1/1 Desg FWD 4 128.1 P2p
Gi1/2 Desg FWD 4 128.2 P2p
Gi5/1 Desg FWD 4 128.257 P2p
Configuring the Root and Secondary Bridges
Configuring the Root and Secondary Bridges: SwitchA
spanning-tree vlan 1 root primary
This command forces this switch to be the root for VLAN 1.
spanning-tree vlan 2 root secondary
This command configures this switch to be the secondary root
for VLAN 2.
OR
spanning-tree vlan # priority priority
This command statically configures the priority (increments of 4096).
SwitchA(config)#
SwitchA(config)#
SwitchA(config)#
Configuring the Root and Secondary Bridges: SwitchB
spanning-tree vlan 2 root primary
This command forces the switch to be the root for VLAN 2.
spanning-tree vlan 1 root secondary
This command configures the switch to be the secondary root VLAN 1.
OR
spanning-tree vlan # priority priority
This command statically configures the priority (increments of 4096).
SwitchB(config)#
SwitchB(config)#
SwitchB(config)#
Laboratory
Vlan
1
Vlan
10
Vlan
20
Vlan
30
Vlan
1
Vlan
10
Vlan
20
Vlan
30
Vlan 10 assigned on Ports Fa0/3-5
Vlan 20 assigned on Ports Fa0/6-8
Vlan 30 assigned on Ports Fa0/9-12
Vlan 10 assigned on Ports Fa0/3-5
Vlan 20 assigned on Ports Fa0/6-8
Vlan 30 assigned on Ports Fa0/9-12
Trunk Links assigned on
Fa0/1- 2
Trunk Links assigned on
Fa0/1- 3
Trunk Links assigned on
Fa0/1- 3
Fa0/1
Fa0/2Fa0/1
Fa0/2
Fa0/3Fa0/3
Fa0/3
Fa0/1 Fa0/2
Fa0 – no ip adddess
Fa0.1 – 192.168.1.1/24
Fa0.10 – 192.168.10.1/24
Fa0.20 – 192.168.20.1/24
Fa0.30 – 192.168.30.1/24
Vlan 1 – 192.168.1.0/24
Vlan 10 – 192.168.10.0/24
Vlan 20 – 192.168.20.0/24
Vlan 30 – 192.168.30.0/24
VTP Domain – CITS
VTP Server
STP Primary for Vlan 1, 10
STP Secondary for Vlan 20, 30
VTP Server
STP Primary for Vlan 20, 30
STP Secondary for Vlan 1, 10
Inter-Vlan Routing
VLAN-to-VLAN Overview
Network layer devices combine multiple broadcast domains.
Dividing a Physical Interface into Subinterfaces
Physical interfaces can be divided into multiple subinterfaces.
Routing Between VLANs with 802.1Q Trunks
interface fastethernet 0/0
ip address 10.1.1.1 255.255.255.0
interface fastethernet 0/0.2
ip address 10.2.2.1 255.255.255.0
encapsulation dot1q 2
Laboratory
Vlan
1
Vlan
10
Vlan
20
Vlan
30
Vlan
1
Vlan
10
Vlan
20
Vlan
30
Vlan 10 assigned on Ports Fa0/3-5
Vlan 20 assigned on Ports Fa0/6-8
Vlan 30 assigned on Ports Fa0/9-12
Vlan 10 assigned on Ports Fa0/3-5
Vlan 20 assigned on Ports Fa0/6-8
Vlan 30 assigned on Ports Fa0/9-12
Trunk Links assigned on
Fa0/1- 2
Trunk Links assigned on
Fa0/1- 3
Trunk Links assigned on
Fa0/1- 3
Fa0/1
Fa0/2Fa0/1
Fa0/2
Fa0/3Fa0/3
Fa0/3
Fa0/1 Fa0/2
Fa0 – no ip adddess
Fa0.1 – 192.168.1.1/24
Fa0.10 – 192.168.10.1/24
Fa0.20 – 192.168.20.1/24
Fa0.30 – 192.168.30.1/24
Vlan 1 – 192.168.1.0/24
Vlan 10 – 192.168.10.0/24
Vlan 20 – 192.168.20.0/24
Vlan 30 – 192.168.30.0/24
VTP Domain – CITS
VTP Server
STP Primary for Vlan 1, 10
STP Secondary for Vlan 20, 30
VTP Server
STP Primary for Vlan 20, 30
STP Secondary for Vlan 1, 10
Introducing ACL
Manage IP traffic as network access grows
Filter packets as they pass through the router
Why Use ACLs?
Permit or deny packets moving through the router.
Permit or deny vty access to or from the router.
Without ACLs, all packets could be transmitted onto all parts of your network.
ACL Applications
• Special handling for traffic based on packet tests
Other ACL Uses
• Standard
– Checks source address
– Generally permits or denies entire protocol suite
• Extended
– Checks source and destination address
– Generally permits or denies specific protocols
Types of ACLs
How to Identify ACLs
Standard IP lists (1-99) test conditions of all IP packets from source addresses.
Extended IP lists (100-199) test conditions of source and destination addresses, specific TCP/IP protocols, and destination ports.
Standard IP lists (1300-1999) (expanded range).
Extended IP lists (2000-2699) (expanded range).
Other ACL number ranges test conditions for other networking protocols.
Named ACLs identify IP standard and extended ACLs with an alphanumeric string (name).
Testing Packets with Standard ACLs
Testing Packets with Extended ACLs
Outbound ACL Operation
• If no ACL statement matches, then discard the packet.
A List of Tests: Deny or Permit
0 means check value of corresponding address bit.
1 means ignore value of corresponding address bit.
Wildcard Bits: How to Check the Corresponding Address Bits
172.30.16.29 0.0.0.0 checks all the address bits.
Abbreviate this wildcard mask using the IP address preceded by the keyword host (host 172.30.16.29).
• Check all the address bits (match all).
• Verify an IP host address, for example:
Wildcard Bits to Match a Specific IP Host Address
• Test conditions: Ignore all the address bits (match any).
• An IP host address, for example:
Wildcard Bits to Match Any IP Address
•Accept any address: any
•Abbreviate expression with keyword “any”
• Check for IP subnets 172.30.16.0/24 to 172.30.31.0/24.
Address and wildcard mask:
172.30.16.0 0.0.15.255
Wildcard Bits to Match IP Subnets
Configuring ACL
ACL Configuration Guidelines
ACL numbers indicate which protocol is filtered.
One ACL per interface, per protocol, per direction is allowed.
The order of ACL statements controls testing.
The most restrictive statements go at the top of the list.
The last ACL test is always an implicit deny any statement, so every list needs at least one permit statement.
ACLs must be created before applying them to interfaces.
ACLs filter traffic going through the router. ACLs do not filter traffic originating from the router.
Step 1: Set parameters for this ACL test statement (which can be one of several statements).
Step 2: Enable an interface to use the specified ACL.
Router(config-if)#{protocol} access-group
access-list-number {in | out}
ACL Command Overview
Standard IP lists (1-99)
Extended IP lists (100-199)
Standard IP lists (1300-1999) (expanded range)
Extended IP lists (2000-2699) (expanded range)
Router(config)#access-list access-list-number
{permit | deny} {test conditions}
Activates the list on an interface
Sets inbound or outbound testing
Default = outbound
no ip access-group access-list-number removes ACL from the interface
Router(config-if)#ip access-group
access-list-number {in | out}
• Sets parameters for this list entry
• IP standard ACLs use 1 to 99
• Default wildcard mask = 0.0.0.0
• no access-list access-list-number removes entire ACL
• remark lets you add a description for the ACL
Router(config)#access-list access-list-number
{permit | deny | remark} source [mask]
Standard IP ACL Configuration
• Permit my network only.
Standard IP ACL Example 1
• Deny a specific host.
Standard IP ACL Example 2
• Deny a specific subnet.
Standard IP ACL Example 3
Router(config-if)#ip access-group access-list-number {in | out}
Extended IP ACL Configuration
• Activates the extended list on an interface
• Sets parameters for this list entry
Router(config)#access-list access-list-number
{permit | deny} protocol source source-wildcard [operator
port] destination destination-wildcard [operator port]
[established] [log]
Extended ACL Example 1
Deny FTP from subnet 172.16.4.0 to subnet 172.16.3.0 out E0.
Permit all other traffic.
Extended ACL Example 2
Deny only Telnet from subnet 172.16.4.0 out E0.
Permit all other traffic.
Router(config)#ip access-list {standard | extended} name
Router(config {std- | ext-}nacl)#{permit | deny}
{ip access list test conditions}
{permit | deny} {ip access list test conditions}
no {permit | deny} {ip access list test conditions}
Router(config-if)#ip access-group name {in | out}
Using Named IP ACL
• Alphanumeric name string must be unique.
• Permit or deny statements have no prepended number.
• “no” removes the specific test from the named ACL.
• Activates the named IP ACL on an interface.
Five virtual terminal lines (0 through 4)
Filter addresses that can access into the router vty ports
Filter vty access originating from the router
Filtering vty Access to a Router
How to Control vty Access
• Set up an IP address filter with a standard ACL
statement.
• Use line configuration mode to filter access with the
access-class command.
• Set identical restrictions on every vty.
• Enters configuration mode for a vty or vty range
• Restricts incoming or outgoing vty connections for
address in the ACL
Router(config-line)#access-class access-list-number
{in | out}
Router(config)#line vty {vty# | vty-range}
vty Commands
• Permits only hosts in network 192.168.1.0 0.0.0.255 to
connect to the router vty
access-list 12 permit 192.168.1.0 0.0.0.255
(implicit deny any)
!
line vty 0 4
access-class 12 in
Controlling Inbound Access
vty Access Example
ACL Configuration Guidelines
The order of ACL statements is crucial.
– Recommended: Use a text editor on a PC to create the ACL statements, then cut and paste them into the router.
– Top-down processing is important.
– Place the more specific test statements first.
Statements cannot be rearranged or removed.
– Use the no access-list number command to remove the entire ACL.
– Exception: Named ACLs permit removal of individual statements.
Implicit deny any will be applied to all packets that do not match any ACL statement unless the ACL ends with an explicit permit any statement.
Place extended ACLs close to the source.
Place standard ACLs close to the destination.
Where to Place IP ACLs
wg_ro_a#show ip interfaces e0
Ethernet0 is up, line protocol is up
Internet address is 10.1.1.11/24
Broadcast address is 255.255.255.255
Address determined by setup command
MTU is 1500 bytes
Helper address is not set
Directed broadcast forwarding is disabled
Outgoing access list is not set
Inbound access list is 1
Proxy ARP is enabled
Security level is default
Split horizon is enabled
ICMP redirects are always sent
ICMP unreachables are always sent
ICMP mask replies are never sent
IP fast switching is enabled
IP fast switching on the same interface is disabled
IP Feature Fast switching turbo vector
IP multicast fast switching is enabled
IP multicast distributed fast switching is disabled
<text ommitted>
Verifying ACLs
Monitoring ACL Statements
wg_ro_a#show access-lists
Standard IP access list 1
permit 10.2.2.1
permit 10.3.3.1
permit 10.4.4.1
permit 10.5.5.1
Extended IP access list 101
permit tcp host 10.22.22.1 any eq telnet
permit tcp host 10.33.33.1 any eq ftp
permit tcp host 10.44.44.1 any eq ftp-data
wg_ro_a#show {protocol} access-list {access-list number}
wg_ro_a#show access-lists {access-list number}
Scaling the Network with NAT/PAT
Network Address Translation
• An IP address is either local or global.
• Local IP addresses are seen in the inside network.
Port Address Translation
Translating Inside Source Addresses
Configuring Static Translation
• Establishes static translation between an inside local address and an inside global address
Router(config)#ip nat inside source static local-ip global-ip
• Marks the interface as connected to the inside
Router(config-if)#ip nat inside
• Marks the interface as connected to the outside
Router(config-if)#ip nat outside
Enabling Static NAT Address Mapping Example
Configuring Dynamic Translation
• Establishes dynamic source translation, specifying the ACL that was defined in the prior step.
Router(config)#ip nat inside source list
access-list-number pool name
• Defines a pool of global addresses to be allocated as needed.
Router(config)#ip nat pool name start-ip end-ip
{netmask netmask | prefix-length prefix-length}
• Defines a standard IP ACL permitting those inside local addresses that are to be translated.
Router(config)#access-list access-list-number permit
source [source-wildcard]
Dynamic Address Translation Example
Overloading an Inside Global Address
Configuring Overloading
• Establishes dynamic source translation, specifying the ACL that was defined in the prior step
Router(config)#ip nat inside source list
access-list-number interface interface overload
• Defines a standard IP ACL that will be permit the inside local addresses that are to be translated
Router(config)#access-list access-list-number permit
source source-wildcard
Overloading an Inside Global Address Example
Clearing the NAT Translation Table
• Clears a simple dynamic translation entry that contains an inside translation or both an inside and outside translation
Router#clear ip nat translation inside global-ip
local-ip [outside local-ip global-ip]
• Clears all dynamic address translation entries
Router#clear ip nat translation *
• Clears a simple dynamic translation entry that contains an outside translation
Router#clear ip nat translation outside
local-ip global-ip
• Clears an extended dynamic translation entry
Router#clear ip nat translation protocol inside global-ip
global-port local-ip local-port [outside local-ip
local-port global-ip global-port]
Displaying Information with show Commands
• Displays translation statistics
Router#show ip nat statistics
• Displays active translations
Router#show ip nat translations
Router#show ip nat translation
Pro Inside global Inside local Outside local Outside global
--- 172.16.131.1 10.10.10.1 --- ---
Router#show ip nat statistics
Total active translations: 1 (1 static, 0 dynamic; 0 extended)
Outside interfaces:
Ethernet0, Serial2.7
Inside interfaces:
Ethernet1
Hits: 5 Misses: 0
…
Sample Problem: Cannot Ping Remote Host
Solution: New Configuration
Using the debug ip nat Command
Router#debug ip nat
NAT: s=192.168.1.95->172.31.233.209, d=172.31.2.132 [6825]
NAT: s=172.31.2.132, d=172.31.233.209->192.168.1.95 [21852]
NAT: s=192.168.1.95->172.31.233.209, d=172.31.1.161 [6826]
NAT*: s=172.31.1.161, d=172.31.233.209->192.168.1.95 [23311]
NAT*: s=192.168.1.95->172.31.233.209, d=172.31.1.161 [6827]
NAT*: s=192.168.1.95->172.31.233.209, d=172.31.1.161 [6828]
NAT*: s=172.31.1.161, d=172.31.233.209->192.168.1.95 [23313]
NAT*: s=172.31.1.161, d=172.31.233.209->192.168.1.95 [23325]
Translation Not Installed in the Translation Table?
Verify that:
The configuration is correct
There are not any inbound ACLs denying the packets entry to the NAT router
The ACL referenced by the NAT command is permitting all necessary networks
There are enough addresses in the NAT pool
The router interfaces are appropriately defined as NAT inside or NAT outside
© 2007 Cisco Systems, Inc. All rights reserved. ICND1 v1.0—2-250
Wireless LANs
Exploring Wireless Networking
Market Trends
Differences Between WLAN and LAN
WLANs use radio waves as the physical layer.
– WLANs use CSMA/CA instead of CSMA/CD for media access.
– Two-way radio (half-duplex) communication.
Radio waves have problems that are not found on wires.
– Connectivity issues:
Coverage problems
Interference, noise
– Privacy issues
Access points are shared devices similar to an Ethernet hub for shared bandwidth.
WLANs must meet country-specific RF regulations.
Radio Frequency Transmission
Radio frequencies are radiated into the air via an antenna, creating radio waves.
Objects can affect radio wave propagation resulting in:
– Reflection
– Scattering
– Absorption
Higher frequencies allow higher data rates; however, they have a shorter range.
Organizations That Define WLAN
ITU-R:
International Telecommunication Union-Radiocommunication Sector
Regulates the RF used in wireless
IEEE:
Institute of Electrical and Electronic Engineers
802.11 documents wireless technical standards
Wi-Fi Alliance:
Global nonprofit industry trade association
Promote wireless growth through interoperability certification
ITU-R with FCC Wireless
ISM: industry, scientific, and medical frequency band
No license required
No exclusive use
Best-effort
Interference possible
IEEE 802.11 Standards Comparison
802.11b 802.11a 802.11g
Frequency band
2.4 GHz 5 GHz 2.4 GHz
No. of channels
3 Up to 23 3
Transmission
Direct Sequence
Spread Spectrum (DSSS)
Orthogonal Frequency
Division Multiplexing
(OFDM)
Direct Sequence
Spread Spectrum (DSSS)
Orthogonal Frequency
Division Multiplexing
(OFDM)
Data rates [Mb/s]
1, 2, 5.5, 11 6, 9, 12, 18, 24,
36, 48, 54 1, 2, 5.5, 11
6, 9, 12, 18, 24, 36, 48, 54
Wi-Fi Certification
Wi-Fi Alliance certifies interoperability between products.
Products include 802.11a, 802.11b, 802.11g, dual-band products, and security testing.
Provides assurance to customers of migration and integration options.
Cisco is a founding member of the Wi-Fi Alliance.
Certified products can be found at http://www.wi-fi.com.
© 2007 Cisco Systems, Inc. All rights reserved. ICND1 v1.0—2-258
Wireless LANs
Understanding WLAN Security
Wireless LAN Security Threats
Mitigating the Threats
Control and Integrity Privacy and
Confidentiality Protection and
Availability
Authentication Encryption Intrusion Prevention
System (IPS)
Ensure that legitimate clients associate with trusted access points.
Protect data as it is transmitted and
received.
Track and mitigate unauthorized access and network attacks.
WEP
Basic encryption
No strong authentication
Static, breakable keys
Not scalable
MAC filters and SSID-cloaking also used to complement WEP
Evolution of Wireless LAN Security
1997 2001
802.1x EAP
Dynamic keys
Improved encryption
User authentication
802.1X EAP (LEAP, PEAP)
RADIUS
2003
WPA
Standardized
Improved encryption
Strong, user authentication (such as, LEAP, PEAP, EAP-FAST)
2004 to Present
802.11i / WPA2
AES strong encryption
Authentication
Dynamic key management
Wireless Client Association
Access points send out beacons announcing SSID, data rates, and other information.
Client scans all channels.
Client listens for beacons and responses from access points.
Client associates to access point with strongest signal.
Client will repeat scan if signal becomes low to reassociate to another access point (roaming).
During association, SSID, MAC address, and security settings are sent from the client to the access point and checked by the access point.
How 802.1X Works on the WLAN
WPA and WPA2 Modes
WPA WPA2
Enterprise mode
(Business, education, Government)
Authentication: IEEE 802.1X/EAP
Encryption: TKIP/MIC
Authentication: IEEE 802.1X/EAP
Encryption: AES-CCMP
Personal mode
(SOHO, home and personal)
Authentication: PSK
Encryption: TKIP/MIC
Authentication: PSK
Encryption: AES-CCMP
© 2007 Cisco Systems, Inc. All rights reserved. ICND1 v1.0—2-265
Wireless LANs
Implementing a WLAN
802.11 Topology Building Blocks
Ad hoc mode:
Independent Basic Service Set (IBSS)
– Mobile clients connect directly without an intermediate access point.
Infrastructure mode:
Basic Service Set (BSS)
– Mobile clients use a single access point for connecting to each other or to wired network resources.
Extended Service Set (ESS):
– Two or more BSSs are connected by a common distribution system .
BSA Wireless Topology— Basic Coverage
ESA Wireless Topology— Extended Cover
Wireless Topology Data Rates—802.11b
Common Wireless Network Issues
Most problems are due to incorrect configuration:
Verify that the access point is running the latest revision of firmware.
Verify the channel configuration. Try channels 1, 6, or 11.
Verify that users have the correct encryption type and password.
Other common problems:
RF interference
Not connected
Radio not enabled
Poor antenna location
© 2007 Cisco Systems, Inc. All rights reserved. ICND1 v1.0—2-271
WAN Connections
Understanding WAN Technologies
Wide-Area Network
Need for WANs
WANs vs. LANs
WAN Access and the OSI Reference Model
WAN Devices
Routers
Terminal servers
Modems
DSU/CSU
WAN networking devices
– ATM switches
– Frame Relay switches
– PSTN
Physical Layer: WANs
Serial Point-to-Point Connections
WAN—Multiple LANs
WAN Data-Link Protocols
HDLC
PPP
Frame Relay (LAPF)
ATM
WAN Link Options
Packet Switching
DSL
DSL Service Types Overview
DSL Considerations
Advantages
Speed
Simultaneous voice and data transmission
Incremental additions
Always-on availability
Backward compatibility with analog phones
Disadvantages
Limited availability
Local phone company requirements
Security risks
Cable-Based WANs
© 2007 Cisco Systems, Inc. All rights reserved. ICND1 v1.0—2-287
LAN Extension into a WAN
Introducing VPN Solutions
What Is a VPN?
Virtual: Information within a private network is transported over a public network.
Private: The traffic is encrypted to keep the data confidential.
Benefits of VPN
Cost
Security
Scalability
Site-to-Site VPNs
Site-to-site VPN: extension of classic WAN
Remote-Access VPNs
Remote-access VPN: evolution of dial-in networks and ISDN
Cisco Easy VPN
Cisco IOS IPsec SSL VPN (WebVPN)
Integrated security and routing
Browser-based full network SSL VPN access
VPN-Enabled Cisco IOS Routers
Cisco ASA Adaptive Security Appliances
(legacy)
VPN Clients
What Is IPsec?
IPsec acts at the network layer, protecting and authenticating IP packets.
It is a framework of open standards that is algorithm independent.
It provides data confidentiality, data integrity, and origin authentication.
IPsec Security Services
Confidentiality
Data integrity
Authentication
Antireplay protection
Confidentiality (Encryption)
Encryption Algorithms
Encryption algorithms:
DES
AES
3DES
RSA
DH Key Exchange
Diffie-Hellman algorithms:
DH1
DH2
DH5
Data Integrity
Hashing algorithms:
HMAC-MD5
HMAC-SHA-1
Authentication
Peer authentication methods:
PSKs
RSA signatures
IPsec Security Protocols
IPsec Framework
Typical WAN Encapsulation Protocols
An Overview of PPP
PPP can carry packets from several protocol suites using NCP.
PPP controls the setup of several link options using LCP.
PPP Session Establishment
PPP session establishment:
1. Link establishment phase
2. Authentication phase (optional)
Two PPP authentication protocols: PAP and CHAP
3. Network layer protocol phase
PPP Authentication Protocols: PAP
Passwords sent in plaintext
Peer in control of attempts
PPP Authentication Protocols: CHAP
This is an example of the Santa Cruz router authenticating to the HQ router.
Hash values, not actual passwords, are sent across the link.
The local router or external server is in control of authentication attempts.
Configuring PPP and Authentication Overview
Configuring PPP and Authentication
RouterX(config-if)# encapsulation ppp
Enables PPP encapsulation
RouterX(config)# hostname name
Assigns a hostname to your router
RouterX(config)# username name password password
Identifies the username and password of remote router
RouterX(config-if)# ppp authentication
{chap | chap pap | pap chap | pap}
Enables PAP or CHAP authentication
PPP and CHAP Configuration Example
hostname RouterX username RouterY password sameone ! int serial 0 ip address 10.0.1.1 255.255.255.0 encapsulation ppp ppp authentication chap
hostname RouterY username RouterX password sameone ! int serial 0 ip address 10.0.1.2 255.255.255.0 encapsulation ppp ppp authentication chap
Verifying the PPP Encapsulation Configuration
RouterX# show interface s0
Serial0 is up, line protocol is up
Hardware is HD64570
Internet address is 10.140.1.2/24
MTU 1500 bytes, BW 1544 Kbit, DLY 20000 usec, rely 255/255, load 1/255
Encapsulation PPP, loopback not set, keepalive set (10 sec)
LCP Open
Open: IPCP, CDPCP
Last input 00:00:05, output 00:00:05, output hang never
Last clearing of "show interface" counters never
Queueing strategy: fifo
Output queue 0/40, 0 drops; input queue 0/75, 0 drops
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
38021 packets input, 5656110 bytes, 0 no buffer
Received 23488 broadcasts, 0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
38097 packets output, 2135697 bytes, 0 underruns
0 output errors, 0 collisions, 6045 interface resets
0 output buffer failures, 0 output buffers swapped out
482 carrier transitions
DCD=up DSR=up DTR=up RTS=up CTS=up
Verifying PPP Authentication
RouterX# debug ppp authentication 4d20h: %LINK-3-UPDOWN: Interface Serial0, changed state to up 4d20h: Se0 PPP: Treating connection as a dedicated line 4d20h: Se0 PPP: Phase is AUTHENTICATING, by both 4d20h: Se0 CHAP: O CHALLENGE id 2 len 28 from ”left" 4d20h: Se0 CHAP: I CHALLENGE id 3 len 28 from ”right" 4d20h: Se0 CHAP: O RESPONSE id 3 len 28 from ”left" 4d20h: Se0 CHAP: I RESPONSE id 2 len 28 from ”right" 4d20h: Se0 CHAP: O SUCCESS id 2 len 4 4d20h: Se0 CHAP: I SUCCESS id 3 len 4 4d20h: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0, changed state to up
The debug ppp authentication command shows successful
CHAP output
Verifying PPP Negotiation
RouterX# debug ppp negotiation
PPP protocol negotiation debugging is on
RouterX#
*Mar 1 00:06:36.645: %LINK-3-UPDOWN: Interface BRI0:1, changed state to up
*Mar 1 00:06:36.661: BR0:1 PPP: Treating connection as a callin
*Mar 1 00:06:36.665: BR0:1 PPP: Phase is ESTABLISHING, Passive Open
*Mar 1 00:06:36.669: BR0:1 LCP: State is Listen
*Mar 1 00:06:37.034: BR0:1 LCP: I CONFREQ [Listen] id 7 len 17
*Mar 1 00:06:37.038: BR0:1 LCP: AuthProto PAP (0x0304C023)
*Mar 1 00:06:37.042: BR0:1 LCP: MagicNumber 0x507A214D (0x0506507A214D)
*Mar 1 00:06:37.046: BR0:1 LCP: Callback 0 (0x0D0300)
*Mar 1 00:06:37.054: BR0:1 LCP: O CONFREQ [Listen] id 4 len 15
*Mar 1 00:06:37.058: BR0:1 LCP: AuthProto CHAP (0x0305C22305)
*Mar 1 00:06:37.062: BR0:1 LCP: MagicNumber 0x1081E7E1 (0x05061081E7E1)
*Mar 1 00:06:37.066: BR0:1 LCP: O CONFREJ [Listen] id 7 len 7
*Mar 1 00:06:37.070: BR0:1 LCP: Callback 0 (0x0D0300)
*Mar 1 00:06:37.098: BR0:1 LCP: I CONFACK [REQsent] id 4 len 15
*Mar 1 00:06:37.102: BR0:1 LCP: AuthProto CHAP (0x0305C22305)
*Mar 1 00:06:37.106: BR0:1 LCP: MagicNumber 0x1081E7E1 (0x05061081E7E1)
*Mar 1 00:06:37.114: BR0:1 LCP: I CONFREQ [ACKrcvd] id 8 len 14
*Mar 1 00:06:37.117: BR0:1 LCP: AuthProto PAP (0x0304C023)
*Mar 1 00:06:37.121: BR0:1 LCP: MagicNumber 0x507A214D (0x0506507A214D)
© 2007 Cisco Systems, Inc. All rights reserved. ICND1 v1.0—2-317
LAN Extension into a WAN
Establishing a WAN Connection with Frame Relay
Frame Relay Overview
Connections made by virtual circuits
Connection-oriented service
Frame Relay Terminology
Frame Relay default: NBMA
Selecting a Frame Relay Topology
Resolving NBMA Reachability Issues
Split horizon can cause problems in NBMA environments.
Solution: subinterfaces
A single physical interface simulates multiple logical interfaces.
LMI receives locally significant DLCI from the Frame Relay switch.
Inverse ARP maps the local DLCI to the remote router network layer address.
Frame Relay Address Mapping
Frame Relay Signaling
Cisco supports three LMI standards:
Cisco
ANSI T1.617 Annex D
ITU-T Q.933 Annex A
Stages of Inverse ARP and LMI Operation
Stages of Inverse ARP and LMI Operation (Cont.)
Configuring Basic Frame Relay
Configuring a Static Frame Relay Map
Configure a static Frame Relay map when:
A Frame Relay peer does not support Inverse ARP
You want to control broadcast traffic across a PVC
You want to have different Frame Relay encapsulations across PVCs
Configuring Frame Relay Subinterfaces
Point-to-point
– Subinterfaces act like leased lines.
– Each point-to-point subinterface requires its own subnet.
– Point-to-point is applicable to hub-and-spoke topologies.
Multipoint
– Subinterfaces act like NBMA networks, so they do not resolve the split-horizon issues.
– Multipoint can save address space because it uses a single subnet.
– Multipoint is applicable to partial-mesh and full-mesh topologies.
Configuring Frame Relay Point-to-Point Subinterfaces
Configuring Frame Relay Multipoint Subinterfaces
Verifying Frame Relay Operation
RouterX# show interfaces type number
Displays information about Frame Relay DLCIs and the LMI
RouterX# show interfaces s0
Serial0 is up, line protocol is up
Hardware is HD64570
Internet address is 10.140.1.2/24
MTU 1500 bytes, BW 1544 Kbit, DLY 20000 usec, rely 255/255, load 1/255
Encapsulation FRAME-RELAY, loopback not set, keepalive set (10 sec)
LMI enq sent 19, LMI stat recvd 20, LMI upd recvd 0, DTE LMI up
LMI enq recvd 0, LMI stat sent 0, LMI upd sent 0
LMI DLCI 1023 LMI type is CISCO frame relay DTE
FR SVC disabled, LAPF state down
Broadcast queue 0/64, broadcasts sent/dropped 8/0, interface broadcasts 5
Last input 00:00:02, output 00:00:02, output hang never
Last clearing of "show interface" counters never
Queueing strategy: fifo
Output queue 0/40, 0 drops; input queue 0/75, 0 drops
<Output omitted>
Verifying Frame Relay Operation (Cont.)
RouterX# show frame-relay lmi [type number]
Displays LMI statistics
RouterX# show frame-relay lmi
LMI Statistics for interface Serial0 (Frame Relay DTE) LMI TYPE = CISCO
Invalid Unnumbered info 0 Invalid Prot Disc 0
Invalid dummy Call Ref 0 Invalid Msg Type 0
Invalid Status Message 0 Invalid Lock Shift 0
Invalid Information ID 0 Invalid Report IE Len 0
Invalid Report Request 0 Invalid Keep IE Len 0
Num Status Enq. Sent 113100 Num Status msgs Rcvd 113100
Num Update Status Rcvd 0 Num Status Timeouts 0
Displays LMI debug information
Verifying Frame Relay Operation (Cont.)
RouterX# debug frame-relay lmi
Frame Relay LMI debugging is on
Displaying all Frame Relay LMI data
RouterX#
1w2d: Serial0(out): StEnq, myseq 140, yourseen 139, DTE up
1w2d: datagramstart = 0xE008EC, datagramsize = 13
1w2d: FR encap = 0xFCF10309
1w2d: 00 75 01 01 01 03 02 8C 8B
1w2d:
1w2d: Serial0(in): Status, myseq 140
1w2d: RT IE 1, length 1, type 1
1w2d: KA IE 3, length 2, yourseq 140, myseq 140
1w2d: Serial0(out): StEnq, myseq 141, yourseen 140, DTE up
1w2d: datagramstart = 0xE008EC, datagramsize = 13
1w2d: FR encap = 0xFCF10309
1w2d: 00 75 01 01 01 03 02 8D 8C
1w2d:
1w2d: Serial0(in): Status, myseq 142
1w2d: RT IE 1, length 1, type 0
1w2d: KA IE 3, length 2, yourseq 142, myseq 142
1w2d: PVC IE 0x7 , length 0x6 , dlci 100, status 0x2 , bw 0
Verifying Frame Relay Operation (Cont.)
RouterX# show frame-relay pvc [type number [dlci]]
Displays PVC statistics
RouterX# show frame-relay pvc 100
PVC Statistics for interface Serial0 (Frame Relay DTE)
DLCI = 100, DLCI USAGE = LOCAL, PVC STATUS = ACTIVE, INTERFACE = Serial0
input pkts 28 output pkts 10 in bytes 8398
out bytes 1198 dropped pkts 0 in FECN pkts 0
in BECN pkts 0 out FECN pkts 0 out BECN pkts 0
in DE pkts 0 out DE pkts 0
out bcast pkts 10 out bcast bytes 1198
pvc create time 00:03:46, last time pvc status changed 00:03:47
Verifying Frame Relay Operation (Cont.)
RouterX# clear frame-relay-inarp
RouterX# show frame-relay map
Clears dynamically created Frame Relay maps, created by using Inverse ARP
Displays the current Frame Relay map entries
RouterX# show frame-relay map
Serial0 (up): ip 10.140.1.1 dlci 100(0x64,0x1840), dynamic,
broadcast,, status defined, active
RouterX# clear frame-relay-inarp
RouterX# show frame map
RouterX#
© 2007 Cisco Systems, Inc. All rights reserved. ICND1 v1.0—2-336
Transitioning to IPv6
What is IPv6
Also Known as IPng (next generation)
A new version of the Internet Protocol
– Primarily designed to extend address space
– Enhancement and new feature
History of IPv6
What happened to IPv5
Version 5 in IP header was assigned to ST protocol (Internet Streaming Protocol)
Experimental non-IP real-time streaming protocol
Never widely used
RFC 1819
Challenges in Today’s Internet
IPv4 growth and adoption phenomenal
Exhausting IP address space
Internet Routing table very big
Increasing Need for Security
No uniformity
Multitude of methods for hackers to attack networks
Increasing need for IP mobility
Increasing number of wireless/mobile devices accessing Internet service
Inadequate support for IP mobility in devices (moving seamlessly from one network to another)
Challenges in Today’s Internet
Increased Traffic Flow
New Applications have specific delivery requirements
QOS issues
Multiple methods available
Non-uniformity across network boundaries
Why is IPv6 Here
IPv6 provides a platform for New Internet functionality that will be needed in the immediate future, and provide flexibility for further growth and expansion
IPv4 and IPv6
Currently, there are approximately 1.3 billion usable IPv4 addresses available.
Why Do We Need a Larger Address Space?
Internet population
– Approximately 973 million users in November 2005
– Emerging population and geopolitical address space
Mobile users
– PDA, pen tablet, notepad, and so on
– Approximately 20 million in 2004
Mobile phones
– Already 1 billion mobile phones delivered by the industry
Transportation
– 1 billion automobiles forecast for 2008
– Internet access in planes, for example, Lufthansa
Consumer devices
– Sony mandated that all its products be IPv6-enabled by 2005
– Billions of home and industrial appliances
What IP is Touching
IPv6 Advanced Features
Larger address space:
Global reachability and flexibility
Aggregation
Multihoming
Autoconfiguration
Plug-and-play
End-to-end without NAT
Renumbering
Mobility and security:
Mobile IP RFC-compliant
IPsec mandatory (or native) for IPv6
Simpler header:
Routing efficiency
Performance and forwarding rate scalability
No broadcasts
No checksums
Extension headers
Flow labels
Transition richness:
Dual stack
6to4 and manual tunnels
Translation
IPv6 Terminology
IPv6 Terminology
IPv6 Terminology
IPv6 Terminology
IPv6 Terminology
IPv6 Terminology
IPv6 Terminology
IPv6 Terminology
IPv6 Address Representation
Format:
x:x:x:x:x:x:x:x, where x is a 16-bit hexadecimal field
– Case-insensitive for hexadecimal A, B, C, D, E, and F
Leading zeros in a field are optional
Successive fields of zeros can be represented as :: only once per address
Examples:
2031:0000:130F:0000:0000:09C0:876A:130B
– Can be represented as 2031:0:130f::9c0:876a:130b
– Cannot be represented as 2031::130f::9c0:876a:130b
FF01:0:0:0:0:0:0:1 FF01::1
0:0:0:0:0:0:0:1 ::1
0:0:0:0:0:0:0:0 ::
IPv6 Address Types
Unicast:
– Address is for a single interface
– IPv6 has several types (for example, global, reserved, link-local, and site-local)
Multicast:
– One-to-many
– Enables more efficient use of the network
– Uses a larger address range
Anycast:
– One-to-nearest (allocated from unicast address space)
– Multiple devices share the same address
– All anycast nodes should provide uniform service
– Source devices send packets to anycast address
– Routers decide on closest device to reach that destination
– Suitable for load balancing and content delivery services
IPv6 Unicast Addressing
Types of IPv6 unicast addresses:
– Global: Starts with 2000::/3 and assigned by IANA
– Reserved: Used by the IETF
– Private: Link local (starts with FE80::/10)
– Loopback (::1)
– Unspecified (::)
A single interface may be assigned multiple IPv6 addresses of any type: unicast, anycast, or multicast.
IPv6 addressing rules are covered by multiple RFCs.
– Architecture defined by RFC 4291
IPv6 Global Unicast (and Anycast) Addresses
IPv6 has the same address format for global unicast and for anycast addresses.
Uses a global routing prefix—a structure that enables aggregation upward, eventually to the ISP.
A single interface may be assigned multiple addresses of any type (unicast, anycast, multicast).
Every IPv6-enabled interface contains at least one loopback (::1/128) and one link-local address.
Optionally, every interface can have multiple unique local and global addresses.
Link-Local Addresses
Link-local addresses have a scope limited to the link and are dynamically created on all IPv6 interfaces by using a specific link-local prefix FE80::/10 and a 64-bit interface identifier.
Link-local addresses are used for automatic address configuration, neighbor discovery, and router discovery. Link-local addresses are also used by many routing protocols.
Link-local addresses can serve as a way to connect devices on the same local network without needing global addresses.
When communicating with a link-local address, you must specify the outgoing interface because every interface is connected to FE80::/10.
Larger Address Space Enables Address Aggregation
Address aggregation provides the following benefits:
Aggregation of prefixes announced in the global routing table
Efficient and scalable routing
Improved bandwidth and functionality for user traffic
Assigning IPv6 Global Unicast Addresses
Static assignment
– Manual interface ID assignment
– EUI-64 interface ID assignment
Dynamic assignment
Stateless autoconfiguration
DHCPv6 (stateful)
IPv6 EUI-64 Interface Identifier
Cisco can use the EUI-64 format for interface identifiers.
This format expands the 48-bit MAC address to 64 bits by inserting ―FFFE‖ into the middle 16 bits.
To make sure that the chosen address is from a unique Ethernet MAC address, the U/L bit is set to 1 for global scope (0 for local scope).
Stateless Autoconfiguration
DHCPv6 (Stateful)
DHCPv6 is an updated version of DHCP for IPv4:
Supports new addressing
Enables more control than stateless autoconfiguration
Can be used for renumbering
Can be used for automatic domain name registration of hosts using dynamic DNS
DHCPv6 Operation
DHCPv6 operates in a way that is similar to DHCPv4, except:
Client first detects the presence of routers on the link.
If a router is found, the router advertisement is examined to determine if DHCP can be used.
If no router is found, or if the router says DHCP can be used, then:
– A DHCP solicit message is sent to the all-DHCP-agents multicast address.
– The client uses the link-local address as the source address.
IPv6 Routing Protocols
IPv6 routing types:
– Static
– RIPng (RFC 2080)
– OSPFv3 (RFC 2740)
– IS-IS for IPv6
– MP-BGP4 (RFC 2545/2858)
– EIGRP for IPv6
The ipv6 unicast-routing command is required to enable
IPv6 before any routing protocol is configured.
RIPng (RFC 2080)
Similar IPv4 features:
Distance vector, radius of 15 hops, split horizon, and poison reverse
Based on RIPv2
Updated features for IPv6:
IPv6 prefix, next-hop IPv6 address
Uses the multicast group FF02::9, the all-rip-routers multicast group, as the destination address for RIP updates
Uses IPv6 for transport
Named RIPng
IPv4-to-IPv6 Transition
Transition richness means:
No fixed day to convert; no need to convert all at once
Different transition mechanisms are available:
– Dual stack
– Manual tunnel
– 6to4 tunnel
– ISATAP tunnel
– Teredo tunnel
Different compatibility mechanisms:
– Proxying and translation (NAT-PT)
Dual stack is an integration method in which a node has implementation and connectivity to both an IPv4 and IPv6 network.
Cisco IOS Dual Stack
Cisco IOS Dual Stack (Cont.)
When both IPv4 and IPv6 are configured on an interface, the interface is considered dual-stacked.
Tunneling is an integration method in which an IPv6 packet is encapsulated within another protocol, such as IPv4. This method of encapsulation is IPv4.
Includes a 20-byte IPv4 header with no options and an IPv6 header and payload
Requires dual-stack routers
IPv6 Tunneling
Manually Configured IPv6 Tunnel
Configured tunnels require:
Dual-stack endpoints
IPv4 and IPv6 addresses configured at each end
Enabling IPv6 on Cisco Routers
ipv6 unicast-routing
RouterX(config)#
Enables IPv6 traffic forwarding
ipv6 address ipv6prefix/prefix-length eui-64
Configures the interface IPv6 addresses
RouterX(config-if)#
IPv6 Address Configuration Example
Making IPv6 Real
Summary
IPv6 offers many additional benefits to IPv4 including a larger address space, easier address aggregation, and integrated security.
The IPv6 address is 128 bits long and is made up of a 48-bit global prefix, a 16-bit subnet ID, and a 64-bit interface identifier.
There are several ways to assign IPv6 addresses: statically, stateless autoconfiguration, and DHCPv6.
Cisco supports all of the major IPv6 routing protocols: RIPng, OSPFv3, and EIGRP.
Transitioning from IPv4 to IPv6 requires dual stacks, tunneling, and possibly NAT-PT.
Use the ipv6 unicast-routing command to enable IPv6 and the ipv6 address ipv6-address/prefix-length command to assign interface addresses and enable an IPv6 routing protocol.