Bellevue University CIS 341A Final Review. The test Monday, August 4, 2008 50 Question multiple...
Posted 19-Dec-2015, category: Documents
Bellevue University CIS 341A
Final Review
The test
• Monday, August 4, 2008
• 50 Question multiple choice, True/False, and fill in the blanks.
• You have the entire period to complete the exam.
• Closed book, closed notes, closed communication between students.
Scoring
• 2 points for each correct answer
• If the entire class gets a question wrong, it will be thrown out and 2 points will be credited to each student
What to study
• The review slides
• Chapters 8-11 and 14 in your text
• The quizzes
• The lab assignments
What the exam will cover
• Layer 2 Switching
• VLANs
• Access lists
• NAT
• Wide Area Network Protocols
Layer 2 Switching
• Purposes for using switching
– Used to break up collision domains
– Cost-effective, resilient internetwork
• Purpose for Spanning-Tree Protocol (STP)
– Stops loops in layer 2 switched networks
A Layer 2 Switch
• Breaks up collision domains
• Doesn’t break up broadcast domains
Before Layer 2 Switching
Switched LANs
Typical Switched Designs
Layer 2 Switching Provides
• Hardware-based bridging using ASICs (Application Specific Integrated Circuits)
• Wire speed
• Low latency
• Low cost
Limitations of Layer 2 Switching
• Layer 2 switches do not break up broadcast domains.
• Layer 2 switches have no internal security.
Layer 2 Switching Functions
• Address Learning: Layer 2 switches remember the source hardware address of each frame received on an interface. The address is saved in the forward/filter table along with the interface number.
• Forward/filter decision: When a frame is received, the switch compares the destination hardware address with the entries in the table. If a match is found, the frame is forwarded out the interface associated with that address. If a match is not found, the frame is repeated to all other interfaces.
• Loop avoidance: Loops can occur if redundant connections are made between switches to improve network reliability. Spanning Tree Protocol turns off alternate paths until they are needed. That way, traffic has a single path from point of origin to destination.
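The three functions above can be seen in a few lines of code. The following Python model is an added example and is not from the course slides; the port numbers and MAC addresses are constructed. It shows the forward/filter table being filled from source addresses, a known destination being forwarded out a single port, and unknown unicast and broadcast frames being repeated to every other port. Note in the comment that the table is built from the unverified source address of each frame, which is the "no internal security" limitation the slides list.

```python
# Added example, not part of the CIS 341A slides: a minimal model of a
# Layer 2 switch's address learning and forward/filter decision.
from dataclasses import dataclass, field

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass(frozen=True)
class Frame:
    src: str  # source hardware (MAC) address
    dst: str  # destination hardware (MAC) address


@dataclass
class Switch:
    ports: list                                  # port numbers on this switch
    table: dict = field(default_factory=dict)    # forward/filter table: MAC -> port

    def receive(self, in_port: int, frame: Frame) -> list:
        """Process one frame arriving on in_port; return the ports it is sent out of."""
        # Address learning: the switch trusts the source address of every frame
        # it receives and records the arrival port for it. Nothing is verified,
        # which is the "no internal security" limitation of Layer 2 switching.
        self.table[frame.src] = in_port

        # Forward/filter decision.
        out_port = self.table.get(frame.dst)
        if frame.dst != BROADCAST and out_port is not None:
            # Known unicast: forward out the learned port only. If that is the
            # arrival port, the destination is on the same segment and the frame
            # is filtered (not repeated anywhere).
            return [] if out_port == in_port else [out_port]

        # Unknown unicast or broadcast: repeat to all other interfaces.
        return [p for p in self.ports if p != in_port]


def demo() -> dict:
    """Walk through learning with constructed MAC addresses; returns the results."""
    sw = Switch(ports=[1, 2, 3, 4])
    host_a = "00:11:22:33:44:01"   # on port 1 (constructed)
    host_b = "00:11:22:33:44:02"   # on port 2 (constructed)
    host_c = "00:11:22:33:44:03"   # on port 3 (constructed)
    return {
        # B is not in the table yet, so the first frame is flooded.
        "a_to_b_first": sw.receive(1, Frame(src=host_a, dst=host_b)),
        # A was learned on port 1, so B's reply goes to port 1 only.
        "b_to_a": sw.receive(2, Frame(src=host_b, dst=host_a)),
        # B is now known on port 2.
        "a_to_b_second": sw.receive(1, Frame(src=host_a, dst=host_b)),
        # Broadcasts are always repeated to every other port.
        "c_broadcast": sw.receive(3, Frame(src=host_c, dst=BROADCAST)),
        "table": dict(sw.table),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running the file prints each step; the first frame from A to B goes out ports 2, 3 and 4, while the second goes out port 2 only because B has been learned in between.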
How Switches Learn Hosts’ Locations
Spanning Tree Protocol
• A layer 2 protocol used to prevent loops in a switched network containing redundant connections between switches.
• Activates alternate paths when primary paths fail.
Spanning-Tree Terms
• STP
• Root Bridge
• BPDU
• Bridge ID
• Nonroot Bridge
• Root port
• Designated port
• Port cost
• Nondesignated port
• Forwarding port
• Block port
Spanning-Tree Port States
• Disabled - Administratively down
• Blocking - Receive BPDUs only
• Listening – Send and receive BPDUs and receive traffic
• Learning – save MAC address information
• Forwarding – send/receive traffic
Root Bridge
• A master bridge that transmits network topology control information to other bridges.
• The bridge having the lowest numbered bridge ID is elected as the root bridge.
• The 64 bit bridge ID consists of the priority number and MAC address value.
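To make the election rule concrete, here is an added Python example (not from the slides) that builds the 64-bit bridge ID from a 16-bit priority and a 48-bit MAC address and picks the lowest one. The switch names and MAC addresses are constructed; the priority value 32768 is the standard default, not a value from the slides. The second half of the demo shows why a root bridge should be chosen deliberately by setting its priority: with all priorities equal, the MAC address alone decides, which is rarely the switch you intended.

```python
# Added example, not from the slides: composing the 64-bit bridge ID and
# electing the root bridge as the switch with the lowest ID.

def bridge_id(priority: int, mac: str) -> int:
    """16-bit priority in the high bits, 48-bit MAC address in the low bits."""
    if not 0 <= priority <= 0xFFFF:
        raise ValueError("priority must fit in 16 bits")
    mac_int = int(mac.replace(":", "").replace("-", "").replace(".", ""), 16)
    if not 0 <= mac_int <= 0xFFFFFFFFFFFF:
        raise ValueError("MAC address must fit in 48 bits")
    return (priority << 48) | mac_int


def elect_root(bridges: dict) -> str:
    """bridges maps a switch name to (priority, mac); the lowest bridge ID wins."""
    return min(bridges, key=lambda name: bridge_id(*bridges[name]))


def demo() -> tuple:
    # Constructed topology: three switches, all at the default priority 32768.
    switches = {
        "SW1": (32768, "00:1a:2b:3c:4d:10"),
        "SW2": (32768, "00:1a:2b:3c:4d:05"),   # lowest MAC among equal priorities
        "SW3": (32768, "00:1a:2b:3c:4d:20"),
    }
    by_default = elect_root(switches)
    # Lowering SW3's priority makes its ID smaller than any default-priority ID,
    # so it becomes root regardless of its MAC address.
    switches["SW3"] = (4096, "00:1a:2b:3c:4d:20")
    by_priority = elect_root(switches)
    return by_default, by_priority


if __name__ == "__main__":
    print("root by MAC tie-break, then by priority:", demo())
```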
Bridge Protocol Data Unit
• Sent out on each port by each switch.
• Used by other switches to elect a root bridge and block or allow traffic on ports that are connected between switches
Spanning-Tree Example
LAN Switch Types
• Cut-through (FastForward)
• FragmentFree (modified cut-through)
• Store-and-forward
Virtual LANs (VLANs)
• Definition: A logical grouping of network users and resources connected to administratively defined ports on a switch.
– Layer 2 switches break up collision domains
– VLANs break up broadcast domains
• Features:
– Provides a level of security over a flat network
– Simplify network management
– Add flexibility and scalability to the network
Broadcast Control
• Broadcasts occur in every protocol
• Bandwidth & Broadcasts
• Flat network
• VLANs & Broadcasts
Security
• Flat network problems
• VLANs
Flexibility & Scalability
• Layer-2 switches only read frames
– Can cause a switch to forward all broadcasts
• VLANs
– Essentially create broadcast domains
• Greatly reduces broadcast traffic
• Ability to add wanted users to a VLAN regardless of their physical location
• Additional VLANs can be created when network growth consumes more bandwidth
Flat Network
VLANs
Components of a VLAN
• One or more VLAN capable switches
• One or more VLAN capable Layer 3 switches or routers
– Provide routing between VLANs
VLAN Memberships
• Static VLANs
– Typical method of creating VLANs
– Most secure
• A switch port assigned to a VLAN always maintains that
assignment until changed
• Dynamic VLANs
– Node assignment to a VLAN is automatic
• MAC addresses, protocols, network addresses, etc
– VLAN Management Policy Server (VMPS)
• MAC address database for dynamic assignments
• MAC-address to VLAN mapping
Types of VLAN Links
• Access link – Carries traffic for only one VLAN
• Trunk link
– Carries traffic for multiple VLANs
Identifying VLANs (cont.)
Frame Tagging
• Definition: A means of keeping track of frames as they travel from VLAN to VLAN
• The tag identifies the destination VLAN for the frame
• The tag is added to the frame by a VLAN capable Layer 3 Switch or Router that serves as a gateway between VLANs
• It is removed before the frame is sent out of the access port that is connected to the destination host
VLAN ID Methods
• Inter-Switch Link (ISL)
– Cisco proprietary
– FastEthernet & Gigabit Ethernet only
• IEEE 802.1q
– Must use if trunking between Cisco & non-Cisco switch
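The two tagging methods differ in where the VLAN ID goes: ISL wraps the whole frame (the "external tagging" the slides mention), while IEEE 802.1Q inserts a 4-byte tag inside the frame between the source MAC and the EtherType. The following Python example is added here and is not from the slides; the tag layout (TPID 0x8100, then 3 bits of priority, 1 DEI bit and a 12-bit VLAN ID) is from the IEEE 802.1Q standard, and the frame contents are constructed. `tag_frame` is what happens when a frame is sent onto a trunk link, and `untag_frame` is what happens before the frame leaves an access port toward the destination host.

```python
# Added example, not from the slides: inserting and stripping an IEEE 802.1Q
# tag. The 4-byte tag sits between the source MAC and the original EtherType.
import struct

TPID_8021Q = 0x8100


def tag_frame(frame: bytes, vid: int, pcp: int = 0, dei: int = 0) -> bytes:
    """Return a copy of an untagged Ethernet frame with an 802.1Q tag for VLAN vid."""
    if not 1 <= vid <= 4094:
        raise ValueError("VLAN ID must be 1..4094")
    if not 0 <= pcp <= 7 or dei not in (0, 1):
        raise ValueError("PCP is 3 bits, DEI is 1 bit")
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    tci = (pcp << 13) | (dei << 12) | vid          # Tag Control Information
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def untag_frame(frame: bytes):
    """Return (vid, frame_without_tag); vid is None when no 802.1Q tag is present."""
    if len(frame) >= 16 and struct.unpack("!H", frame[12:14])[0] == TPID_8021Q:
        tci = struct.unpack("!H", frame[14:16])[0]
        return tci & 0x0FFF, frame[:12] + frame[16:]
    return None, frame


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes) -> bytes:
    """Assemble a minimal untagged Ethernet frame (no FCS)."""
    return dst + src + struct.pack("!H", ethertype) + payload


def demo() -> dict:
    # Constructed frame: IPv4 EtherType (0x0800) with a dummy payload.
    original = build_frame(bytes.fromhex("001122334401"), bytes.fromhex("001122334402"),
                           0x0800, b"payload")
    tagged = tag_frame(original, vid=10)       # what a trunk link carries
    vid, untagged = untag_frame(tagged)        # what an access port hands to the host
    return {
        "tagged_len": len(tagged),             # 4 bytes longer than the original
        "vid": vid,
        "restored": untagged == original,
        "tpid": tagged[12:14].hex(),
        "plain_vid": untag_frame(original)[0], # an untagged frame has no VID
    }


if __name__ == "__main__":
    print(demo())
```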
Inter-Switch Link (ISL) Protocol
• Definition: A means of explicitly tagging VLAN information onto an Ethernet frame
– Allows VLANs to be multiplexed over a trunk line
– Cisco proprietary
– External tagging process
VLAN Trunk Protocol (VTP)
• Purpose: to manage all configured VLANs across a switch internetwork & maintain consistency
– Allows an administrator to add, delete, & rename VLANs
VTP Benefits
• Benefits
– Consistent configuration
– Permits trunking over mixed networks
– Accurate tracking
– Dynamic reporting
– Plug-and-Play
• A VTP server must be created to manage VLANs
VTP Modes
VTP Modes of Operation
• Server
– Default for all Catalyst switches
– Minimum one server for a VTP domain
• Client
– Receives information + sends/receives updates
– Cannot make any changes
• Transparent
– Does not participate in a VTP domain but forwards VTP advertisements
– Can add/delete VLANs
– Locally significant
Routing Between VLANs
Configuring VLANs
• Creating VLANs
• Assigning Switch Ports to VLANs
• Configuring Trunk Ports
• Configuring Inter-VLAN routing
Access Lists
• List of conditions that characterize packets.
• Purpose:
– Used to permit or deny packets moving through the router
– Permit or deny Telnet (VTY) access to or from a router
– Create dial-on demand (DDR) interesting traffic that triggers dialing to a remote location
Important Rules
• Packets are compared to each line of the access list in sequential order
• Packets are compared with lines of the access list only until a match is made
– Once a match is made & acted upon no further comparisons take place
• An implicit “deny” is at the end of each access list
– If no matches have been made, the packet will be discarded
Types of Access Lists
• Standard Access List
– Filter by source IP addresses only
• Extended Access List
– Filter by Source IP, Destination IP, Protocol Field, Port Number
• Named Access List
– Another way to create standard and extended access lists.
– Allows the use of descriptive names to ease network management.
Application of Access Lists
• Inbound Access Lists
– Packets are processed after they are received and before they are routed to the outbound interface
• Outbound Access Lists
– Packets are processed after they are routed to the outbound interface and before they are sent
• Traffic that originates in the router is not processed through an access list.
Wildcard
• A 32 bit binary number used to specify which part of an IP address must match an access list entry precisely and which part can be any value.
– A zero must match (wildcard turned off for that bit)
– A one can be any value (wildcard turned on for that bit)
Using a Wildcard to Specify a Range of Subnets
Network address = 172.16.8.0/16
Wildcard = 0.0.0.255
This wildcard represents the range of IP addresses from 172.16.8.0 – 172.16.8.255
Controlling VTY (Telnet) Access
• Why?
– Without control, any user could Telnet to a router via VTY and try to gain access
• Controlling access
– Create a standard IP access list
• Permitting only the host/hosts authorized to Telnet into the router
– Apply the ACL to the VTY line with the access-class command
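The wildcard and VTY slides describe one evaluation procedure: walk the list in order, stop at the first entry whose wildcard mask matches, and deny anything that matched nothing. The Python below is an added example (not from the slides and not IOS itself) that models a standard IP access list this way. It reproduces the 172.16.8.0 / 0.0.0.255 range from the wildcard slide and then applies a one-line VTY list that permits a single management host; the ACL entries and the management address 10.1.1.5 are constructed. The `reversed` case shows why entry order matters: with the deny line first, the permitted subnet is never reached.

```python
# Added example, not from the slides: a model of how a standard IP access
# list is evaluated (wildcard-mask matching, first match wins, implicit deny).
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class AclEntry:
    action: str      # "permit" or "deny"
    address: str     # e.g. "172.16.8.0"
    wildcard: str    # e.g. "0.0.0.255"; a single host is wildcard 0.0.0.0


def to_int(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))


def to_dotted(value: int) -> str:
    return str(ipaddress.IPv4Address(value))


def wildcard_match(candidate: str, address: str, wildcard: str) -> bool:
    """A 0 bit in the wildcard must match exactly; a 1 bit may be any value."""
    care = ~to_int(wildcard) & 0xFFFFFFFF          # bits that must match
    return (to_int(candidate) & care) == (to_int(address) & care)


def wildcard_range(address: str, wildcard: str) -> tuple:
    """Lowest and highest matching address (meaningful for a contiguous wildcard)."""
    low = to_int(address) & (~to_int(wildcard) & 0xFFFFFFFF)
    return to_dotted(low), to_dotted(low | to_int(wildcard))


def evaluate(acl: list, source: str) -> tuple:
    """Compare the source address to each entry in order and stop at the first match.
    Returns (action, line number); line None means the implicit deny applied."""
    for line, entry in enumerate(acl, start=1):
        if wildcard_match(source, entry.address, entry.wildcard):
            return entry.action, line
    return "deny", None


def demo() -> dict:
    # Constructed ACL: permit 172.16.8.0-172.16.8.255, deny the rest of 172.16.0.0/16.
    acl = [
        AclEntry("permit", "172.16.8.0", "0.0.0.255"),
        AclEntry("deny", "172.16.0.0", "0.0.255.255"),
    ]
    # Constructed VTY list: only one management host may Telnet to the router.
    vty_acl = [AclEntry("permit", "10.1.1.5", "0.0.0.0")]
    return {
        "range": wildcard_range("172.16.8.0", "0.0.0.255"),
        "in_subnet": evaluate(acl, "172.16.8.77"),
        "other_subnet": evaluate(acl, "172.16.9.1"),
        "elsewhere": evaluate(acl, "10.0.0.1"),            # no match: implicit deny
        "reversed": evaluate(list(reversed(acl)), "172.16.8.77"),
        "vty_admin": evaluate(vty_acl, "10.1.1.5"),
        "vty_other": evaluate(vty_acl, "10.1.1.6"),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

In IOS the VTY list would be applied with `access-class` on the `line vty` configuration, as the slide says; this model only covers the matching logic that the router applies once the list is in place.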
Network Address Translation (NAT)
• Allows private IP addresses to be represented by a smaller number of public IP addresses.
• Configured in a router
• Three types:
– Static
– Dynamic
– Overloaded (Port Address Translation)
Benefits of NAT
• You can reduce the visibility of your private network.
• You don’t have to change your internal IP addresses when your ISP changes your public IP address.
• You can use the same private IP addresses for several different networks.
Static NAT
• 1 to 1 correspondence between private and public IP addresses
• You must designate both addresses manually by interface
Configuring Static NAT
ip nat inside source static 10.1.1.1 170.46.2.2
!
interface Ethernet0
ip address 10.1.1.10 255.255.255.0
ip nat inside
!
interface Serial0
ip address 170.46.2.1 255.255.255.0
ip nat outside
!
Dynamic NAT
• Allows outside IP addresses to be dynamically shared by a number of internal addresses.
• Requires that you define a pool of outside addresses to be used
Configuring Dynamic NAT
ip nat pool todd 170.168.2.2 170.168.2.254 netmask 255.255.255.0
ip nat inside source list 1 pool todd
!
interface Ethernet0
ip address 10.1.1.10 255.255.255.0
ip nat inside
!
interface Serial0
ip address 170.168.2.1 255.255.255.0
ip nat outside
!
access-list 1 permit 10.1.1.0 0.0.0.255
!
Overloaded NAT
• Also known as Port Address Translation
• Allows multiple inside IP addresses to access a pool of outside IP address
• Uses ports to differentiate between inside addresses.
• The outside addresses must be defined, along with a range of inside addresses that may have access to them.
Configuring PAT
ip nat pool globalnet 170.168.2.1 170.168.2.1 netmask 255.255.255.0
ip nat inside source list 1 pool globalnet overload
!
interface Ethernet0/0
ip address 10.1.1.10 255.255.255.0
ip nat inside
!
interface Serial0/0
ip address 170.168.2.1 255.255.255.0
ip nat outside
!
access-list 1 permit 10.1.1.0 0.0.0.255
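The three configurations above differ only in how the router fills its translation table. The Python below is an added example, not from the slides, that models that table for all three types: a static 1:1 entry (using the 10.1.1.1 / 170.46.2.2 pair from the static slide), a dynamic pool that hands one outside address to each inside host until the pool runs out, and overload/PAT where every host shares the single address 170.168.2.1 and flows are told apart by port. The inside host addresses, the two-address dynamic pool and the starting translated port 1024 are constructed. The `inbound` side shows the "reduced visibility" benefit from the slides in practice: a packet from outside is only forwarded inward if a translation entry exists for it, so an unsolicited packet to a port nobody has used is dropped.

```python
# Added example, not from the slides: a model of a NAT router's translation
# table for static, dynamic and overloaded (PAT) translation.
from dataclasses import dataclass, field
from itertools import count


@dataclass
class NatRouter:
    pool: list                                        # inside global addresses
    overload: bool = False                            # True = PAT
    static: dict = field(default_factory=dict)        # inside local -> inside global
    dynamic: dict = field(default_factory=dict)       # inside local -> pool address in use
    sessions: dict = field(default_factory=dict)      # (global ip, port) -> (local ip, port)
    next_port: count = field(default_factory=lambda: count(1024))  # constructed start port

    def outbound(self, local_ip: str, local_port: int):
        """Translate an inside-to-outside packet; None means no address available (dropped)."""
        if local_ip in self.static:                        # static NAT: fixed 1:1 mapping
            global_ip, global_port = self.static[local_ip], local_port
        elif self.overload:                                # PAT: everyone shares pool[0]
            for key, value in self.sessions.items():
                if value == (local_ip, local_port):        # an existing flow keeps its port
                    return key
            global_ip, global_port = self.pool[0], next(self.next_port)
        else:                                              # dynamic NAT: one pool address per host
            if local_ip not in self.dynamic:
                free = [a for a in self.pool if a not in self.dynamic.values()]
                if not free:
                    return None                            # pool exhausted
                self.dynamic[local_ip] = free[0]
            global_ip, global_port = self.dynamic[local_ip], local_port
        self.sessions[(global_ip, global_port)] = (local_ip, local_port)
        return global_ip, global_port

    def inbound(self, global_ip: str, global_port: int):
        """Translate an outside-to-inside packet; None means no entry exists (dropped)."""
        if (global_ip, global_port) in self.sessions:
            return self.sessions[(global_ip, global_port)]
        for local_ip, mapped in self.static.items():       # static entries need no prior session
            if mapped == global_ip:
                return local_ip, global_port
        return None


def demo() -> dict:
    pat = NatRouter(pool=["170.168.2.1"], overload=True)            # as in "Configuring PAT"
    a = pat.outbound("10.1.1.11", 40000)
    b = pat.outbound("10.1.1.12", 40000)                            # same inside port, new global port
    a_again = pat.outbound("10.1.1.11", 40000)                      # same flow, same entry
    dyn = NatRouter(pool=["170.168.2.2", "170.168.2.3"])            # constructed two-address pool
    dyn_results = [dyn.outbound(h, 5000) for h in ("10.1.1.21", "10.1.1.22", "10.1.1.23")]
    stat = NatRouter(pool=[], static={"10.1.1.1": "170.46.2.2"})    # as in "Configuring Static NAT"
    return {
        "pat_a": a, "pat_b": b, "pat_a_again": a_again,
        "pat_reply_to_b": pat.inbound("170.168.2.1", b[1]),
        "pat_unsolicited": pat.inbound("170.168.2.1", 2000),         # no entry: dropped
        "dynamic": dyn_results,                                      # third host finds no free address
        "static_in": stat.inbound("170.46.2.2", 80),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```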