Bellevue UniversityCIS 341A

Final Review

The test

• Monday, August 4, 2008

• 50 Question multiple choice, True/False, and fill in the blanks.

• You have the entire period to complete the exam.

• Closed book, closed notes, closed communication between students.

Scoring

• 2 points for each correct answer

• If the entire class gets a question wrong, it will be thrown out and 2 points will be credited to each student

What to study

• The review slides• Chapters 8-11 and 14 in your text

• The quizzes

• The lab assignments

What the exam will cover

• Layer 2 Switching

• VLANs

• Access lists

• NAT

• Wide Area Network Protocols

Layer 2 Switching

• Purposes for using switching– Used to break up collision domains– Cost-effective, resilient internetwork

• Purpose for Spanning-Tree Protocol (STP)– Stops loops in layer 2 switched networks

A Layer 2 Switch

• Breaks up collision domains

• Doesn’t break up broadcast domains

Before Layer 2 Switching

Switched LANs

Typical Switched Designs

Layer 2 Switching Provides

• Hardware-based bridging using ASICs (Application Specific Integrated Circuits)

• Wire speed

• Low latency

• Low cost

Limitations of Layer 2 Switching

• Layer 2 switches do not break up broadcast domains.

• Layer 2 switches have no internal security.

Layer 2 Switching Functions• Address Learning: Layer 2 switches remember the source hardware

address of each frame received on an interface. The address is saved in the forward/filter table along with the interface number.

• Forward/filter decision: When a frame is received, the switch compares the destination hardware address with the entries in the table. If a match is found, the frame is forwarded out the interface associated with that address. If a match is not found, the frame is repeated to all other interfaces.

• Loop avoidance: Loops can occur if redundant connections are made between switches to improve network reliability. Spanning tree protocol turns off alternate paths until they are needed. That way, traffic has a single path from point of origin to destination.

How Switches Learn Hosts’ Locations

Spanning Tree Protocol

• A layer 2 protocol used to prevent loops in a switched network containing redundant connections between switches.

• Activates alternate paths when primary paths fail.

Spanning-Tree Terms

• STP

• Root Bridge

• BPDU

• Bridge ID

• Nonroot Bridge

•Root port

•Designated port

•Port cost

•Nondesignated port

•Forwarding port

•Block port

Spanning-Tree Port States

• Disabled - Administratively down

• Blocking - Receive BPDUs only

• Listening – Send and receive BPDUs and receive traffic

• Learning – save MAC address information

• Forwarding – send/receive traffic

Root Bridge

• A master bridge that transmits network topology control information to other bridges.

• The bridge having the lowest numbered bridge ID is elected as the root bridge.

• The 64 bit bridge ID consists of the priority number and MAC address value.

Bridge Protocol Data Unit

• Sent out on each port by each switch.

• Used by other switches to elect a root bridge and block or allow traffic on ports that are connected between switches

Spanning-Tree Example

LAN Switch Types

• Cut-through (FastForward)

• FragmentFree (modified cut-through)

• Store-and-forward

Virtual LANs (VLANs)

• Definition: A logical grouping of network users and resources connected to administratively defined ports on a switch.

– Layer 2 switches break up collision domains– VLANs break up broadcast domains

• Features:– Provides a level of security over a flat network– Simplify network management– Add flexibility and scalability to the network

Broadcast Control

• Broadcasts occur in every protocol

• Bandwidth & Broadcasts

• Flat network

• VLANs & Broadcasts

Security

• Flat network problems

• VLANs

Flexibility & Scalability

• Layer-2 switches only read frames– Can cause a switch to forward all broadcasts

• VLANs – Essentially create broadcast domains

• Greatly reduces broadcast traffic• Ability to add wanted users to a VLAN regardless

of their physical location• Additional VLANs can be created when network

growth consumes more bandwidth

Flat Network

VLANs

Components of a VLAN

• One or more VLAN capable switches

• One or more VLAN capable Layer 3 switches or routers– Provide routing between VLANs

VLAN Memberships• Static VLANs

– Typical method of creating VLANs

– Most secure

• A switch port assigned to a VLAN always maintains that

assignment until changed

• Dynamic VLANs

– Node assignment to a VLAN is automatic

• MAC addresses, protocols, network addresses, etc

– VLAN Management Policy Server (VMPS)

• MAC address database for dynamic assignments

• MAC-address to VLAN mapping

Types of VLAN Links

• Access link – Carries traffic for only one VLAN

• Trunk link– Carries traffic for multiple VLANs

Identifying VLANs (cont.)

Frame Tagging

• Definition: A means of keeping track of frames as they travel from VLAN to VLAN

• The tag identifies the destination VLAN for the frame

• The tag is added to the frame by a VLAN capable Layer 3 Switch or Router that serves as a gateway between VLANs

• It is removed before the frame is sent out of the access port that is connected to the destination host

VLAN ID Methods• Inter-Switch Link (ISL)

– Cisco proprietary– FastEthernet & Gibabit Ethernet only

• IEEE 802.1q– Must use if trunking between Cisco & non-

Cisco switch

Inter-Switch Link (ISL) Protocol

• Definition: A means of explicitly tagging VLAN information onto an Ethernet frame– Allows VLANs to be multiplexed over a trunk

line– Cisco proprietary– External tagging process

VLAN Trunk Protocol (VTP)

• Purpose: to manage all configured VLANs across a switch internetwork & maintain consistency– Allows an administrator to add, delete, &

rename VLANs

VTP Benefits• Benefits

– Consistent configuration– Permits trunking over mixed networks– Accurate tracking– Dynamic reporting– Plug-and-Play

• A VTP server must be created to manage VLANs

VTP Modes

VTP Modes of Operation• Server

– Default for all Catalyst switches– Minimum one server for a VTP domain

• Client– Receives information + sends/receives updates– Cannot make any changes

• Transparent– Does not participate in a VTP domain but

forwards VTP advertisements– Can add/delete VLANs– Locally significant

Routing Between VLANs

Configuring VLANs

• Creating VLANs

• Assigning Switch Ports to VLANs

• Configuring Trunk Ports

• Configuring Inter-VLAN routing

Access Lists

• List of conditions that Characterize Packets.• Purpose:

– Used to permit or deny packets moving through the router

– Permit or deny Telnet (VTY) access to or from a router

– Create dial-on demand (DDR) interesting traffic that triggers dialing to a remote location

Important Rules

• Packets are compared to each line of the assess list in sequential order

• Packets are compared with lines of the access list only until a match is made

– Once a match is made & acted upon no further comparisons take place

• An implicit “deny” is at the end of each access list

– If no matches have been made, the packet will be discarded

Types of Access Lists

• Standard Access List– Filter by source IP addresses only

• Extended Access List– Filter by Source IP, Destination IP, Protocol Field, Port

Number

• Named Access List– Another way to create standard and extended access

lists.– Allows the use of descriptive names to ease network

management.

Application of Access Lists

• Inbound Access Lists– Packets are processed after they are received and before

they are routed to the outbound interface

• Outbound Access Lists– Packets are processed after they are routed to the

outbound interface and before they are sent

• Traffic that originates in the router is not processed through an access list.

Wildcard

• A 32 bit binary number used to specify what part of an IP address must match precisely an access list entry and what part can be any value. – A zero must match (wild card turned off for

that bit)– A one can be any value (wild card turned on for

that bit)

Using a Wildcard to Specify a Range of Subnets

Network address = 172.16.8.0/16

Wildcard = 0.0.0.255

This wild card represents the range of IP addresses from 172.16.8.0 – 172.16.8.255

Controlling VTY (Telnet) Access

• Why??– Without control, any user could Telnet to a

router via VTY and try to gain access

• Controlling access– Create a standard IP access list

• Permitting only the host/hosts authorized to Telnet into the router

– Apply the ACL to the VTY line with the access-class command

Net Address Translation (NAT)

• Allows private IP addresses to be represented by a smaller number of public IP addresses.

• Configured in a router

• Three types:– Static– Dynamic– Overloaded (Port Address Translation)

Benefits of NAT

• You can keep reduce the visibility of your private network.

• You don’t have to change your internal IP addresses when your ISP changes your public IP address.

• You can use the same private IP addresses for several different networks.

Static NAT

• 1 to 1 correspondence between private and public IP addresses

• You must designate both addresses manually by interface

Configuring Static NAT

ip nat inside source static 10.1.1.1 170.46.2.2

!

interface Ethernet0

ip address 10.1.1.10 255.255.255.0

ip nat inside

!

interface Serial0

ip address 170.46.2.1 255.255.255.0

ip nat outside

!

Dynamic NAT

• Allows outside IP addresses to be dynamically shared by a number of internal addresses.

• Requires that you define a pool of outside addresses to be used

Configuring Dynamic NATip nat pool todd 170.168.2.2 170.168.2.254

netmask 255.255.255.0

ip nat inside source list 1 pool todd

!

interface Ethernet0

ip address 10.1.1.10 255.255.255.0

ip nat inside

!

interface Serial0

ip address 170.168.2.1 255.255.255.0

ip nat outside

!

access-list 1 permit 10.1.1.0 0.0.0.255

!

Overloaded NAT

• Also known as Port Address Translation

• Allows multiple inside IP addresses to access a pool of outside IP address

• Uses ports to differentiate between inside addresses.

• The outside addresses must be defined, along with a range of inside addresses that may have access to them.

Configuring PAT

55

ip nat pool globalnet 170.168.2.1 170.168.2.1 netmask 255.255.255.0ip nat inside source list 1 pool globalnet overload!interface Ethernet0/0 ip address 10.1.1.10 255.255.255.0 ip nat inside!interface Serial0/0 ip address 170.168.2.1 255.255.255.0 ip nat outside!access-list 1 permit 10.1.1.0 0.0.0.255