CCNA Study Notes-Softech Systems

CCNA Training Notes for ICND 2
www.softechpune.com
Study Notes for CCNA Training ICND 2.0



Layer-2 Switching

Layer-2 switching is hardware based, which means it uses the MAC address from the host’s NIC cards to filter the network. Switches use Application-Specific Integrated Circuits (ASICs) to build and maintain filter tables. Switches are fast because they do not look at the Network layer header information.

Functions of Switch

Address learning: Layer-2 switches and bridges remember the source hardware address of each frame received on an interface and enter this information into a MAC database.

Forward/filter decisions: When a frame is received on an interface, the switch looks at the destination hardware address and finds the exit interface in the MAC database.

Loop avoidance: If multiple connections between switches are created for redundancy, network loops can occur. The Spanning-Tree Protocol (STP) is used to stop network loops and allow redundancy.

Address Learning

When a switch is powered on, the MAC filtering table is empty. When a device transmits and an interface receives a frame, the switch places the source address in the MAC filtering table, remembering which interface the device is located on. The switch has no choice but to flood the network with this frame because it has no idea where the destination device is located. If a device answers and sends a frame back, then the switch will take the source address from that frame and place the MAC address in the database, associating this address with the interface that received the frame. Since the switch now has two MAC addresses in the filtering table, the devices can make a point-to-point connection, and the frames will only be forwarded between the two devices. This is what makes layer-2 switches better than hubs. In a hub network, all frames are forwarded out all ports every time.

Forward/Filter Decisions

When a frame arrives at a switch interface, the destination hardware address is compared to the forward/filter MAC database. If the destination hardware address is known and listed in the database, the frame is only sent out the correct exit interface. The switch does not transmit the frame out any interface except for the destination interface. This preserves bandwidth on the other network segments and is called frame filtering.
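The learning, forward/filter and flooding behaviour described above, as an added example that is not part of the original notes: a small Python switch model (constructed traffic, hypothetical `Switch` class) that also counts how often a source address changes port, which is the MAC-table thrashing symptom the loop-avoidance section below describes.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass
class Frame:
    src: str   # source hardware address
    dst: str   # destination hardware address


@dataclass
class Switch:
    ports: List[int]
    mac_table: Dict[str, int] = field(default_factory=dict)  # MAC -> port it was learned on
    moves: Dict[str, int] = field(default_factory=dict)      # MAC -> times it changed port

    def learn(self, in_port: int, mac: str) -> None:
        """Address learning: remember which port the source address lives on."""
        if mac == BROADCAST:
            return
        old = self.mac_table.get(mac)
        if old is not None and old != in_port:
            # The same source seen on another port: the table is being rewritten,
            # which is the "thrashing" symptom of a loop (or a genuinely moved host).
            self.moves[mac] = self.moves.get(mac, 0) + 1
        self.mac_table[mac] = in_port

    def receive(self, in_port: int, frame: Frame) -> Tuple[str, List[int]]:
        """Forward/filter decision. Returns (action, list of egress ports)."""
        if in_port not in self.ports:
            raise ValueError(f"no such port {in_port}")
        self.learn(in_port, frame.src)
        if frame.dst == BROADCAST or frame.dst not in self.mac_table:
            # Unknown destination: no choice but to flood every port except the ingress one.
            return "flood", [p for p in self.ports if p != in_port]
        out_port = self.mac_table[frame.dst]
        if out_port == in_port:
            # Destination sits on the same segment the frame came from: filter it.
            return "filter", []
        return "forward", [out_port]

    def flapping_macs(self, threshold: int = 2) -> List[str]:
        """Addresses that changed port at least `threshold` times since power-up."""
        return sorted(m for m, n in self.moves.items() if n >= threshold)


def demo() -> dict:
    """Constructed traffic on a four-port switch; returns each decision for inspection."""
    sw = Switch(ports=[1, 2, 3, 4])
    a, b, c = "00:00:00:00:00:0a", "00:00:00:00:00:0b", "00:00:00:00:00:0c"
    results = {
        "a_to_unknown_b": sw.receive(1, Frame(a, b)),        # flood on 2, 3, 4
        "b_replies": sw.receive(2, Frame(b, a)),             # a is already known on port 1
        "a_to_b_again": sw.receive(1, Frame(a, b)),          # now point-to-point
        "c_to_a_same_segment": sw.receive(1, Frame(c, a)),   # both on port 1: filtered
    }
    # b now also appears on port 3 and then back on port 2, as happens when frames loop.
    sw.receive(3, Frame(b, a))
    sw.receive(2, Frame(b, a))
    results["flapping"] = sw.flapping_macs()
    results["table"] = dict(sw.mac_table)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```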


If the destination hardware address is not listed in the MAC database, then the frame is broadcast out all active interfaces except the interface the frame was received on. If a device answers the broadcast, the MAC database is updated with the device location (interface).

Loop Avoidance

Redundant links are a good idea between switches. They are used to help stop complete network failures if one link fails. Even though redundant links are extremely helpful, they can cause more problems than they solve. Because frames can be broadcast down all redundant links simultaneously, network loops can occur, among other problems. Some of the most serious problems are discussed in the following list.

1. If no loop avoidance schemes are put in place, the switches will flood broadcasts endlessly throughout the internetwork. This is sometimes referred to as a broadcast storm.
2. A device can receive multiple copies of the same frame since the frame can arrive from different segments at the same time.
3. The MAC address filter table will be confused about where a device is located since the switch can receive the frame from more than one link. It is possible that the switch can’t forward a frame because it is constantly updating the MAC filter table with source hardware address locations. This is called thrashing the MAC table.
4. One of the biggest problems is multiple loops generating throughout an internetwork. This means that loops can occur within other loops. If a broadcast storm were to then occur, the network would not be able to perform packet switching.

Spanning-Tree Protocol (STP)

This protocol avoids layer 2 loops. Initially, the protocol was introduced by DEC (Digital Equipment Corporation). Later, IEEE introduced its own version of STP (IEEE 802.1d). This version is significant because all Cisco switches use it by default. The two versions are not compatible with each other.

STP’s main task is to stop network loops from occurring on your layer-2 network (bridges or switches). STP is constantly monitoring the network to find all links and make sure that loops do not occur by shutting down redundant links. The way it does this is by electing a root bridge that will decide on the network topology. There can only be one root bridge in any given network. Root-bridge ports are called designated ports, which operate in forwarding state. Forwarding-state ports send and receive traffic.


All other switches in the network are called non-root bridges. The port with the lowest cost (as determined by a link’s bandwidth) to the root bridge is called a root port and sends and receives traffic. The other port or ports on the bridge are considered non-designated and will not send or receive traffic, which is called blocking mode.

Selecting the Root Bridge

Switches or bridges running STP exchange information with what are called Bridge Protocol Data Units (BPDUs). BPDUs send configuration messages using multicast frames. The bridge ID of each device is sent to other devices using BPDUs. The bridge ID is used to determine the root bridge in the network and to determine the root port. The bridge ID is 8 bytes long and includes the priority and the MAC address of the device. The default priority on all devices running the IEEE STP version is 32,768. To determine the root bridge, the priority and the MAC address are combined, and the lowest combined value wins. If two switches or bridges have the same priority value, then the MAC address is used to determine which one has the lowest ID.

Selecting the Designated Port

To determine the port or ports that will be used to communicate with the root bridge, you must first figure out the path cost. The STP cost is an accumulated total path cost based on the bandwidth of the links.

Spanning-Tree Port States

The ports on a bridge or switch running STP can transition through four different states:

Blocking: This mode does not forward frames but listens to BPDUs. All ports are in blocking state by default when the switch is powered up.
Listening: Listens to BPDUs to make sure no loops occur on the network before passing data frames.
Learning: Learns MAC addresses and builds a filter table but does not forward frames.
Forwarding: Sends and receives all data on the bridged port.

Typically, switch ports are in either blocking or forwarding state. A forwarding port has been determined to have the lowest cost to the root bridge. However, if the network has a topology change because of a failed link, or even if the administrator adds a new switch to the network, the ports on a switch will be in listening and learning state. Blocking ports are used to prevent network loops. Once a switch determines the best path to the root bridge, all other ports will be in blocking state. Blocked ports still receive BPDUs. If a switch determines that a blocked port should now be the designated port, it will go to listening state. It will check all BPDUs heard to make sure that it won’t create a loop once the port goes to forwarding state.

Convergence

Convergence occurs when bridges and switches have transitioned to either the forwarding or blocking states. No data is forwarded during this time. Convergence is important to make sure all devices have the same database. Before data can be forwarded, all devices must be updated. The problem with convergence is the time it takes for these devices to update. It usually takes 50 seconds to go from blocking to forwarding state. It is not recommended that you change the default STP timers, but the timers can be adjusted if necessary. Forward delay is the time it takes to transition a port from listening to learning state or from learning to forwarding state.

LAN Switching Modes

The latency for packet switching through the switch depends on the chosen switching mode. There are three switching modes:

Store and Forward

Store-and-forward switching is one of three primary types of LAN switching. With the store-and-forward switching method, the LAN switch copies the entire frame onto its onboard buffers and computes the cyclic redundancy check (CRC). Because it copies the entire frame, latency through the switch varies with frame length. The frame is discarded if it contains a CRC error, if it’s too short (less than 64 bytes including the CRC), or if it’s too long (more than 1518 bytes including the CRC). If the frame doesn’t contain any errors, the LAN switch looks up the destination hardware address in its forwarding or switching table and determines the outgoing interface. It then forwards the frame toward its destination.
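The root-bridge election, root-port selection and convergence timing from the STP section above, as an added Python example that is not from the original notes. Switch names, MACs and the triangle topology are constructed; port costs use the IEEE 802.1D-1998 defaults, and the tie-breaker on the upstream bridge ID is an assumption the notes do not spell out.

```python
import heapq
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# IEEE 802.1D-1998 default port costs, keyed by link bandwidth in Mbps.
PORT_COST = {10: 100, 100: 19, 1000: 4, 10000: 2}

DEFAULT_PRIORITY = 32768   # IEEE default bridge priority


@dataclass(frozen=True)
class Bridge:
    name: str
    mac: str
    priority: int = DEFAULT_PRIORITY

    def bridge_id(self) -> Tuple[int, int]:
        """8-byte bridge ID: 2-byte priority followed by the 6-byte MAC. Lowest value wins."""
        return (self.priority, int(self.mac.replace(":", ""), 16))


@dataclass(frozen=True)
class Link:
    a: str        # bridge name at one end
    a_port: str   # port name on bridge a
    b: str
    b_port: str
    mbps: int


def elect_root(bridges: List[Bridge]) -> Bridge:
    """Priority is compared first; only on a tie does the MAC address decide."""
    return min(bridges, key=lambda br: br.bridge_id())


def root_ports(bridges: List[Bridge], links: List[Link]) -> Dict[str, Tuple[int, Optional[str]]]:
    """For every bridge: accumulated least path cost to the root and the port that reaches it
    (None for the root itself). Equal costs are broken by the lower bridge ID of the upstream
    neighbour (assumption: the 802.1D tie-breaker, not described in the notes)."""
    by_name = {br.name: br for br in bridges}
    neighbours: Dict[str, List[Tuple[str, str, int]]] = {br.name: [] for br in bridges}
    for ln in links:
        cost = PORT_COST[ln.mbps]
        neighbours[ln.a].append((ln.b, ln.b_port, cost))  # the port on b that faces a
        neighbours[ln.b].append((ln.a, ln.a_port, cost))
    root = elect_root(bridges)
    # name -> (root path cost, root port, bridge ID of upstream neighbour)
    best: Dict[str, Tuple[int, Optional[str], Tuple[int, int]]] = {root.name: (0, None, root.bridge_id())}
    heap = [(0, root.bridge_id(), root.name)]
    while heap:
        cost, _, node = heapq.heappop(heap)
        if cost > best[node][0]:
            continue
        for nbr, port_on_nbr, c in neighbours[node]:
            candidate = (cost + c, by_name[node].bridge_id())
            current = best.get(nbr)
            if current is None or candidate < (current[0], current[2]):
                best[nbr] = (cost + c, port_on_nbr, by_name[node].bridge_id())
                heapq.heappush(heap, (cost + c, by_name[nbr].bridge_id(), nbr))
    return {name: (v[0], v[1]) for name, v in best.items()}


def convergence_seconds(max_age: int = 20, forward_delay: int = 15) -> int:
    """Worst case blocking -> listening -> learning -> forwarding with the 802.1D defaults:
    the max-age wait before the old root is given up, then one forward delay per transition."""
    return max_age + 2 * forward_delay


def demo() -> Tuple[str, Dict[str, Tuple[int, Optional[str]]], str]:
    # Constructed triangle of three switches; SW2 has had its priority lowered by the administrator.
    sw1 = Bridge("SW1", "00:00:0c:11:11:11")
    sw2 = Bridge("SW2", "00:00:0c:22:22:22", priority=4096)
    sw3 = Bridge("SW3", "00:00:0c:33:33:33")
    links = [
        Link("SW1", "Fa0/1", "SW2", "Fa0/1", 100),
        Link("SW2", "Gi0/1", "SW3", "Gi0/1", 1000),
        Link("SW1", "Fa0/2", "SW3", "Fa0/2", 100),
    ]
    # Third value: with equal priorities, the lower MAC (SW1) would win the election.
    return elect_root([sw1, sw2, sw3]).name, root_ports([sw1, sw2, sw3], links), elect_root([sw1, sw3]).name


if __name__ == "__main__":
    print(demo(), convergence_seconds())
```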
This is the mode used by the Catalyst 5000 series switches and cannot be modified on the switch.

Cut-Through (Real Time)

Cut-through switching is the other main type of LAN switching. With this method, the LAN switch copies only the destination address (the first six bytes following the preamble) onto its onboard buffers. It then looks up the hardware destination address in the MAC switching table, determines the outgoing interface, and forwards the frame toward its destination. A cut-through switch provides reduced latency because it begins to forward the frame as soon as it reads the destination address and determines the outgoing interface.

FragmentFree (Modified Cut-Through)

FragmentFree is a modified form of cut-through switching, in which the switch waits for the collision window (64 bytes) to pass before forwarding. If a frame has an error, it almost always occurs within the first 64 bytes. FragmentFree mode provides better error checking than cut-through mode with practically no increase in latency. This is the default switching method for the 1900 switches.
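The three switching modes above, as an added Python example that is not from the notes: constructed frames are run through a store-and-forward, a cut-through and a FragmentFree decision function to show which errors each mode can catch before forwarding.

```python
import zlib
from typing import Dict

MIN_FRAME = 64      # anything shorter (FCS included) is a runt / collision fragment
MAX_FRAME = 1518    # anything longer (FCS included) is a giant on untagged Ethernet


def build_frame(dst: bytes, src: bytes, payload: bytes) -> bytes:
    """Constructed Ethernet II frame: dst(6) src(6) type(2) payload FCS(4).
    The FCS is CRC-32 over everything before it; zlib's crc32 uses the same polynomial."""
    body = dst + src + b"\x08\x00" + payload
    return body + zlib.crc32(body).to_bytes(4, "little")


def fcs_ok(frame: bytes) -> bool:
    return zlib.crc32(frame[:-4]).to_bytes(4, "little") == frame[-4:]


def lookup(frame_prefix: bytes, mac_table: Dict[bytes, int]) -> str:
    """Common tail of every mode: find the exit port for the destination, else flood."""
    port = mac_table.get(frame_prefix[:6])
    return f"forward port {port}" if port is not None else "flood"


def store_and_forward(frame: bytes, mac_table: Dict[bytes, int]) -> str:
    # The whole frame is buffered, so length and CRC are checked before any decision.
    if len(frame) < MIN_FRAME:
        return "drop: runt"
    if len(frame) > MAX_FRAME:
        return "drop: giant"
    if not fcs_ok(frame):
        return "drop: crc error"
    return lookup(frame, mac_table)


def cut_through(frame: bytes, mac_table: Dict[bytes, int]) -> str:
    # Only the six destination bytes are read before forwarding starts; nothing else is checked.
    return lookup(frame[:6], mac_table)


def fragment_free(frame: bytes, mac_table: Dict[bytes, int]) -> str:
    # Waits out the 64-byte collision window; a frame that ends inside it is a collision fragment.
    if len(frame) < MIN_FRAME:
        return "drop: collision fragment"
    return lookup(frame[:MIN_FRAME], mac_table)


def demo() -> Dict[str, Dict[str, str]]:
    """Constructed frames through all three modes. Returns {frame name: {mode: decision}}."""
    dst, src = bytes.fromhex("00000000000b"), bytes.fromhex("00000000000a")
    table = {dst: 2}
    good = build_frame(dst, src, b"A" * 100)
    corrupted = bytearray(good)
    corrupted[80] ^= 0xFF                        # bit error well past the first 64 bytes
    runt = build_frame(dst, src, b"B" * 10)      # 28 bytes in total
    giant = build_frame(dst, src, b"C" * 1600)
    modes = {"store_and_forward": store_and_forward, "cut_through": cut_through, "fragment_free": fragment_free}
    frames = {"good": good, "corrupted": bytes(corrupted), "runt": runt, "giant": giant}
    return {name: {m: fn(f, table) for m, fn in modes.items()} for name, f in frames.items()}


if __name__ == "__main__":
    for name, decisions in demo().items():
        print(name, decisions)
```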


VLAN

A Virtual Local Area Network (VLAN) is a logical grouping of network users and resources connected to administratively defined ports on a switch. By creating VLANs, you are able to create smaller broadcast domains within a switch by assigning different ports in the switch to different subnetworks. A VLAN is treated like its own subnet or broadcast domain. This means that frames broadcast onto a network are only switched between ports in the same VLAN. Using virtual LANs, you’re no longer confined to creating workgroups by physical location. VLANs can be organized by location, function, department, or even the application or protocol used, regardless of where the resources or users are located.

In a layer-2 switched network, the network is flat. Every broadcast packet transmitted is seen by every device on the network, regardless of whether the device needs to receive the data. Because layer-2 switching creates individual collision domain segments for each device plugged into the switch, the Ethernet distance constraints are lifted, which means larger networks can be built. The larger the number of users and devices, the more broadcasts and packets each device must handle. Another problem with a flat layer-2 network is security, as all users can see all devices. You cannot stop devices from broadcasting or users from trying to respond to broadcasts. Your security is passwords on the servers and other devices. By creating VLANs, you can solve many of the problems associated with layer-2 switching.

Broadcast Control

Broadcasts occur in every protocol, but how often they occur depends upon the protocol, the application(s) running on the internetwork, and how these services are used. There are multimedia applications that use broadcasts and multicasts extensively. Faulty equipment, inadequate segmentation, and poorly designed firewalls can also add to the problems of broadcast-intensive applications. This has added a new chapter to network design, since broadcasts can propagate through the switched network. Routers, by default, send broadcasts only within the originating network, but switches forward broadcasts to all segments. This is called a flat network because it is one broadcast domain. As an administrator, you must make sure the network is properly segmented to keep one segment’s problems from propagating through the internetwork. The most effective way of doing this is through switching and routing. Since switches have become more cost-effective, many companies are replacing the flat network with a pure switched network and VLANs. All devices in a VLAN are members of the same broadcast domain and receive all broadcasts. The broadcasts, by default, are filtered from all ports on a switch that are not members of the same VLAN.


Routers, or layer-3 switches, must be used in conjunction with switches to provide connections between networks (VLANs), which can stop broadcasts from propagating through the entire internetwork.

Security

One problem with the flat internetwork is that security was implemented by connecting hubs and switches together with routers. Security was maintained at the router, but anyone connecting to the physical network could access the network resources on that physical LAN. Another problem was that users could join a workgroup by just plugging their workstations into the existing hub. By using VLANs and creating multiple broadcast groups, administrators now have control over each port and user. Users can no longer just plug their workstations into any switch port and have access to network resources. The administrator controls each port and whatever resources it is allowed to use. If inter-VLAN communication needs to take place, restrictions can also be implemented on a router. Restrictions can also be placed on hardware addresses, protocols, and applications.

Flexibility and Scalability

Layer-2 switches only read frames for filtering; they do not look at the Network layer protocol. This can cause a switch to forward all broadcasts. However, by creating VLANs, you are essentially creating broadcast domains. Broadcasts sent out from a node in one VLAN will not be forwarded to ports configured in a different VLAN.

VLAN Membership Modes

Ports belonging to a VLAN are configured with a membership mode that determines to which VLAN they belong. Catalyst switch ports can belong to one of these VLAN membership modes:

Static VLAN: An administrator statically configures the assignment of VLANs to ports.
Dynamic VLAN: The Catalyst switches support dynamic VLANs by using a VLAN Management Policy Server (VMPS). The VMPS can be a Catalyst 5000 series switch or an external server. The Catalyst 2950 series cannot operate as the VMPS. The VMPS contains a database that maps MAC addresses to VLAN assignments. When a frame arrives on a dynamic port at the Catalyst access switch, the Catalyst switch queries the VMPS for the VLAN assignment based on the source MAC address of the arriving frame. A dynamic port can belong to only one VLAN at a time. Multiple hosts can be active on a dynamic port only if they all belong to the same VLAN.


Type of Links

There are two different types of links in a switched environment:

Access links: Links that are only part of one VLAN, which is referred to as the native VLAN of the port. Any device attached to an access link is unaware of a VLAN membership. This device just assumes it is part of a broadcast domain, with no understanding of the physical network. Switches remove any VLAN information from the frame before it is sent to an access link device. Access link devices cannot communicate with devices outside their VLAN unless the packet is routed through a router.

Trunk links: Trunks can carry multiple VLANs and are used to connect switches to other switches, to routers, or even to servers. Trunked links are supported on Fast or Gigabit Ethernet only. To identify the VLAN that a frame belongs to with Ethernet technology, Cisco switches support two different identification techniques: ISL and 802.1Q. Trunk links are used to transport VLANs between devices and can be configured to transport all VLANs or just a few. Trunk links still have a native, or default, VLAN that is used if the trunk link fails.

Trunking Protocols

Trunking is a way to carry traffic from several VLANs over a point-to-point link between two devices. You can implement Ethernet trunking in these two ways:

Inter-Switch Link (ISL), a Cisco proprietary protocol used for FastEthernet and Gigabit Ethernet links only. It can be used on a switch port, router interfaces, and server interface cards to trunk a server. The server that is trunked is part of all VLANs (broadcast domains) simultaneously. This tagging information allows VLANs to be multiplexed over a trunk link through an external encapsulation method. By running ISL, you can interconnect multiple switches and still maintain VLAN information as traffic travels between switches on trunk links. ISL provides low-latency, full wire-speed performance over FastEthernet using either half- or full-duplex mode.

ISL is an external tagging process, which means the original frame is not altered but instead encapsulated with a new 26-byte ISL header. It also adds a second 4-byte frame check sequence (FCS) field at the end of the frame. Because the frame is encapsulated with information, only ISL-aware devices can read it. Also, the frame can be up to 1522 bytes long. Devices that receive an ISL frame may record this as a giant frame because it is over the maximum of 1518 bytes allowed on an Ethernet segment.
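The access/trunk link behaviour above, as an added Python example that is not part of the notes; it uses IEEE 802.1Q tags (the standard alternative to ISL described in the next section) rather than ISL encapsulation. Port names and frames are constructed, and the hypothetical `forward` function floods within a VLAN only, with no MAC learning, so the VLAN logic stays visible.

```python
import struct
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Tuple, Union

TPID_8021Q = 0x8100   # tag protocol identifier that marks an 802.1Q tagged frame


@dataclass(frozen=True)
class AccessPort:
    vlan: int


@dataclass(frozen=True)
class TrunkPort:
    native: int
    allowed: FrozenSet[int]


Port = Union[AccessPort, TrunkPort]


def parse_tag(frame: bytes) -> Tuple[Optional[int], bytes]:
    """Return (VLAN ID, or None if untagged) and the frame with the 4-byte tag removed."""
    if len(frame) >= 16 and struct.unpack("!H", frame[12:14])[0] == TPID_8021Q:
        tci = struct.unpack("!H", frame[14:16])[0]
        return tci & 0x0FFF, frame[:12] + frame[16:]   # VID is the low 12 bits of the TCI
    return None, frame


def add_tag(frame: bytes, vid: int, pcp: int = 0) -> bytes:
    """Insert a tag after the two MAC addresses; PCP occupies the top three TCI bits."""
    tci = (pcp << 13) | (vid & 0x0FFF)
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def ingress_vlan(port: Port, frame: bytes) -> Tuple[Optional[int], bytes]:
    """Which VLAN an arriving frame belongs to (None = not accepted), plus the untagged frame."""
    vid, inner = parse_tag(frame)
    if isinstance(port, AccessPort):
        # Access devices are VLAN-unaware; a tagged frame here is rejected (assumption).
        return (None if vid is not None else port.vlan), inner
    if vid is None:
        return port.native, inner          # untagged on a trunk means the native VLAN
    return (vid if vid in port.allowed else None), inner


def egress_frame(port: Port, vid: int, inner: bytes) -> Optional[bytes]:
    """The frame as it leaves `port`, or None if this port must not carry that VLAN."""
    if isinstance(port, AccessPort):
        return inner if port.vlan == vid else None   # tag stripped for the access device
    if vid not in port.allowed:
        return None
    return inner if vid == port.native else add_tag(inner, vid)   # native VLAN goes untagged


def forward(ports: Dict[str, Port], in_name: str, frame: bytes) -> Dict[str, bytes]:
    """Deliver to every other port in the frame's VLAN, in the form that port expects."""
    vid, inner = ingress_vlan(ports[in_name], frame)
    if vid is None:
        return {}
    out: Dict[str, bytes] = {}
    for name, port in ports.items():
        if name == in_name:
            continue
        egress = egress_frame(port, vid, inner)
        if egress is not None:
            out[name] = egress
    return out


def eth(dst_hex: str, src_hex: str, payload: bytes) -> bytes:
    """Constructed untagged Ethernet II frame (IPv4 ethertype)."""
    return bytes.fromhex(dst_hex) + bytes.fromhex(src_hex) + b"\x08\x00" + payload


# Constructed port layout: two VLANs of access ports and one trunk to another switch.
PORTS: Dict[str, Port] = {
    "Fa0/1": AccessPort(10),
    "Fa0/2": AccessPort(20),
    "Fa0/3": AccessPort(10),
    "Gi0/1": TrunkPort(native=1, allowed=frozenset({1, 10, 20})),
}
```

Because an untagged frame arriving on the trunk is placed in the native VLAN, keeping the native VLAN free of access ports (as in the layout above) limits what such frames can reach.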


802.1Q, an IEEE standard

IEEE 802.1Q extends IP routing capabilities to include support for routing IP frame types in VLAN configurations using the IEEE 802.1Q encapsulation. Every 802.1Q port is assigned to a trunk. All ports on a trunk are in a native VLAN. Every 802.1Q port is assigned an identifier value that is based on the port’s native VLAN ID (the default is VLAN 1). All untagged frames are assigned to the VLAN specified by that identifier. An 802.1Q trunk and its associated trunk ports have a native VLAN value. 802.1Q does not tag frames for the native VLAN. Therefore, ordinary stations will be able to read the native untagged frames, but will not be able to read any other frame because those frames are tagged.

VLAN Trunking Protocol (VTP)

VTP is a Layer 2 messaging protocol that maintains VLAN configuration consistency by managing the additions, deletions, and name changes of VLANs across networks. VTP minimizes misconfigurations and configuration inconsistencies that can cause problems, such as duplicate VLAN names or incorrect VLAN-type specifications. A VTP domain is one switch or several interconnected switches sharing the same VTP environment. You can configure a switch to be in only one VTP domain. By default, a Catalyst switch is in the no-management-domain state until it receives an advertisement for a domain over a trunk link or until you configure a management domain. Configurations made to a single VTP server are propagated across links to all connected switches in the network.

VTP Modes

VTP operates in one of three modes: server mode, transparent mode, or client mode. You can complete different tasks depending on the VTP operation mode. The characteristics of the three modes are as follows:

Server mode: The default VTP mode is server mode, but VLANs are not propagated over the network until a management domain name is specified or learned. When you make a change to the VLAN configuration on a VTP server, the change is propagated to all switches in the VTP domain. VTP messages are transmitted out all trunk connections.
Transparent mode: When you make a change to the VLAN configuration in VTP transparent mode, the change affects the local switch only and does not propagate to other switches in the VTP domain. VTP transparent mode does forward VTP advertisements within the domain.
Client mode: You cannot make changes to the VLAN configuration when in VTP client mode. VTP advertisements are forwarded in VTP client mode.


VTP Operations

VTP advertisements are flooded throughout the management domain. VTP advertisements are sent every 5 minutes or whenever there is a change in VLAN configuration. Advertisements are transmitted over the default VLAN (VLAN 1) using a multicast frame. A configuration revision number is included in each VTP advertisement. A higher configuration revision number indicates that the VLAN information being advertised is more current than the stored information.

One of the most critical components of VTP is the configuration revision number. Each time a VTP server modifies its VLAN information, the VTP server increments the configuration revision number by one. The server then sends out a VTP advertisement with the new configuration revision number. If the configuration revision number being advertised is higher than the number stored on the other switches in the VTP domain, the switches will overwrite their VLAN configurations with the new information being advertised. The configuration revision number in VTP transparent mode is always 0.

A device that receives VTP advertisements must check various parameters before incorporating the received VLAN information. First, the management domain name and password in the advertisement must match those configured in the local switch. Next, if the configuration revision number indicates that the message was created after the configuration currently in use, the switch incorporates the advertised VLAN information. To reset the configuration revision number on most Catalyst switches, use the delete vtp privileged EXEC command. On a Catalyst 2950, change the VTP domain to another name and then change it back to reset the configuration revision number.

VTP Pruning

You can preserve bandwidth by configuring VTP to reduce the amount of broadcast, multicast, and other flooded unicast traffic sent over trunk links. This is called pruning. VTP pruning only sends broadcasts to trunk links that must have the information; any trunk link that does not need the broadcasts will not receive them. For example, if a switch does not have any ports configured for VLAN 5, and a broadcast is sent throughout VLAN 5, the broadcast would not traverse the trunk link to this switch. VTP pruning is disabled by default on all switches.
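The VTP advertisement checks above, as an added Python example that is not from the notes: domain, password and revision are compared in that order, and a switch that still carries a higher revision from earlier use is shown overwriting a client's VLAN database, which is why the revision reset the notes describe matters before cabling a switch in. Switch names, domain, password and VLANs are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class VtpSwitch:
    name: str
    mode: str                       # "server", "client" or "transparent"
    domain: Optional[str] = None    # None = no-management-domain state
    password: Optional[str] = None
    revision: int = 0
    vlans: Dict[int, str] = field(default_factory=lambda: {1: "default"})


@dataclass
class Advertisement:
    domain: str
    password: Optional[str]
    revision: int
    vlans: Dict[int, str]


def local_vlan_change(sw: VtpSwitch, vid: int, name: str) -> Optional[Advertisement]:
    """Apply an administrator's VLAN change; a server bumps the revision and advertises it."""
    if sw.mode == "client":
        raise PermissionError(f"{sw.name}: VLAN configuration is not allowed in client mode")
    sw.vlans[vid] = name
    if sw.mode == "transparent" or sw.domain is None:
        return None                  # transparent: local only; no domain yet: nothing propagates
    sw.revision += 1
    return Advertisement(sw.domain, sw.password, sw.revision, dict(sw.vlans))


def receive_advertisement(sw: VtpSwitch, adv: Advertisement) -> str:
    """The checks the notes describe, in order: domain, password, then revision number."""
    if sw.mode == "transparent":
        return "forwarded, not applied"   # revision stays 0, VLAN database untouched
    if sw.domain is None:
        sw.domain = adv.domain            # first advertisement heard over a trunk sets the domain
    if adv.domain != sw.domain:
        return "ignored: domain mismatch"
    if adv.password != sw.password:
        return "ignored: password mismatch"
    if adv.revision <= sw.revision:
        return "ignored: revision not newer"
    sw.vlans = dict(adv.vlans)           # the newer revision wins, whatever it contains
    sw.revision = adv.revision
    return "applied"


def reset_revision(sw: VtpSwitch) -> None:
    """The Catalyst 2950 procedure from the notes: change the domain name and change it back."""
    original = sw.domain
    sw.domain = "reset-tmp"
    sw.domain = original
    sw.revision = 0


def demo() -> dict:
    server = VtpSwitch("Core", "server", domain="softech", password="s3cret", revision=5,
                       vlans={1: "default", 10: "users", 20: "servers"})
    client = VtpSwitch("Access1", "client", domain="softech", password="s3cret", revision=5,
                       vlans=dict(server.vlans))
    results = {}
    adv = local_vlan_change(server, 30, "voice")
    results["client_applies_new"] = receive_advertisement(client, adv)
    results["client_ignores_replay"] = receive_advertisement(
        client, Advertisement("softech", "s3cret", 3, {1: "default"}))
    # A switch that previously lived in the same domain, still carrying revision 50 and an
    # almost empty VLAN database, is cabled in without its revision having been reset.
    stale = VtpSwitch("Lab", "server", domain="softech", password="s3cret", revision=50,
                      vlans={1: "default"})
    results["stale_wipes_client"] = receive_advertisement(
        client, Advertisement(stale.domain, stale.password, stale.revision, dict(stale.vlans)))
    results["client_vlans_after"] = dict(client.vlans)
    reset_revision(stale)                 # what should have been done before cabling it in
    results["stale_revision_after_reset"] = stale.revision
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```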


IP Routing

Routing is used for taking a packet from one device and sending it through the network to another device on a different network. If your network has no routers, then you are not routing. Routers route traffic to all the networks in your internetwork. To be able to route packets, a router must know, at a minimum, the following:

• Destination address
• Neighbor routers from which it can learn about remote networks
• Possible routes to all remote networks
• The best route to each remote network

Routers can only send packets by looking at the routing table and discovering how to get to the remote networks. What happens when a router receives a packet for a network that is not listed in the routing table? It doesn’t send a broadcast looking for the remote network—the router just discards it. Period. There are a few different ways to configure the routing tables to include all the networks.

Static Routing

Static routing is the process of an administrator manually adding routes in each router’s routing table. There are benefits and disadvantages to all routing processes. Static routing has the following benefits:

• No overhead on the router CPU
• No bandwidth usage between routers
• Security (because the administrator only allows routing to certain networks)

Static routing has the following disadvantages:

• The administrator must really understand the internetwork and how each router is connected to configure the routes correctly.
• If one network is added to the internetwork, the administrator must add a route to it on all routers.
• It’s not feasible in large networks because it would be a full-time job.

The command used to add a static route to a routing table is:

ip route [destination_network] [mask] [next_hop_address or exit_interface] [administrative_distance] [permanent]


ip route: The command used to create the static route.
destination_network: The network you are placing in the routing table.
mask: Indicates the subnet mask being used on the network.
next_hop_address: The address of the next hop router that will receive the packet and forward it to the remote network. This is a router interface that is on a directly connected network. You must be able to ping the router interface before you add the route.
exit_interface: Used in place of the next hop address if desired. Must be on a point-to-point link, such as a WAN. This option does not work on a LAN interface such as Ethernet.
administrative_distance: By default, static routes have an administrative distance of 1. You can change the default value by adding an administrative weight at the end of the command.
permanent: If the interface is shut down or the router cannot communicate with the next hop router, the route is automatically discarded from the routing table. Choosing the permanent option keeps the entry in the routing table no matter what happens.

Default Routing

Default routing is used to send packets with a remote destination network not in the routing table to the next hop router. You can only use default routing on stub networks, which means that they have only one exit port out of the network.

Dynamic Routing

Dynamic routing is the process of using protocols to find and update routing tables on routers. This is easier than static or default routing, but you use it at the expense of router CPU processes and bandwidth on the network links. A routing protocol defines the set of rules used by a router when it communicates with neighbor routers.

Administrative Distances

When configuring routing protocols, you need to be aware of administrative distances (ADs). These are used to rate the trustworthiness of routing information received on a router from a neighbor router. An administrative distance is an integer from 0 to 255, where 0 is the most trusted and 255 means no traffic will be passed via this route.

Route Source          Default Distance
Connected Interface   0
Static Route          1
EIGRP                 90
IGRP                  100
OSPF                  110
RIP                   120
External EIGRP        170
Unknown               255

If a network is directly connected, the router will always use the interface connected to the network. If an administrator configures a static route, the router will believe that route over any other learned routes. You can change the administrative distance of static routes, but, by default, they have an AD of 1.

Routing Protocols

There are three classes of routing protocols:

Distance vector: The distance-vector routing protocols use a distance to a remote network to find the best path. Each time a packet goes through a router, it’s called a hop. The route with the least number of hops to the network is determined to be the best route. The vector is the determination of direction to the remote network. Examples of distance-vector routing protocols are RIP and IGRP.
Link state: Typically called shortest path first, the routers each create three separate tables. One of these tables keeps track of directly attached neighbors, one determines the topology of the entire internetwork, and one is used for the routing table. Link-state routers know more about the internetwork than any distance-vector routing protocol. An example of an IP routing protocol that is completely link state is OSPF.
Hybrid: Uses aspects of distance vector and link state, for example, EIGRP.
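The static route command syntax, the permanent option, default routing and the administrative distance rules from this section, as an added Python example that is not from the notes: a hypothetical `RoutingTable` keeps only the lowest-AD source per prefix, looks up by longest prefix and discards (rather than broadcasts) when nothing matches. Addresses and routes are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Default administrative distances from the table above.
AD = {"connected": 0, "static": 1, "eigrp": 90, "igrp": 100, "ospf": 110,
      "rip": 120, "external eigrp": 170, "unknown": 255}


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    next_hop: str          # next-hop address or exit interface
    source: str
    ad: int
    permanent: bool = False


def parse_ip_route(cmd: str) -> Route:
    """Parse 'ip route <dest> <mask> <next-hop|interface> [ad] [permanent]' into a static route."""
    parts = cmd.split()
    if parts[:2] != ["ip", "route"] or len(parts) < 5:
        raise ValueError(f"not an ip route command: {cmd!r}")
    dest, mask, next_hop, *options = parts[2:]
    ad, permanent = AD["static"], False
    for tok in options:
        if tok == "permanent":
            permanent = True
        elif tok.isdigit() and 1 <= int(tok) <= 255:
            ad = int(tok)              # administrative weight overriding the default of 1
        else:
            raise ValueError(f"unexpected option {tok!r} in {cmd!r}")
    return Route(ipaddress.IPv4Network((dest, mask), strict=False), next_hop, "static", ad, permanent)


class RoutingTable:
    def __init__(self) -> None:
        self.routes: List[Route] = []

    def install(self, route: Route) -> bool:
        """Keep only the most trusted (lowest AD) source for each prefix. AD 255 is never used."""
        if route.ad >= AD["unknown"]:
            return False
        for i, cur in enumerate(self.routes):
            if cur.prefix == route.prefix:
                if route.ad < cur.ad:
                    self.routes[i] = route
                    return True
                return False
        self.routes.append(route)
        return True

    def lookup(self, destination: str) -> Optional[Route]:
        """Longest prefix match; None means the router discards the packet (no broadcast is sent)."""
        addr = ipaddress.IPv4Address(destination)
        matches = [r for r in self.routes if addr in r.prefix]
        return max(matches, key=lambda r: r.prefix.prefixlen) if matches else None

    def next_hop_unreachable(self, next_hop: str) -> None:
        """Non-permanent routes through an unreachable next hop are discarded from the table."""
        self.routes = [r for r in self.routes if r.next_hop != next_hop or r.permanent]


def build_demo_table() -> RoutingTable:
    """Constructed table mixing connected, static, RIP and OSPF information for one prefix set."""
    rt = RoutingTable()
    rt.install(Route(ipaddress.IPv4Network("192.168.1.0/24"), "FastEthernet0/0", "connected", AD["connected"]))
    rt.install(parse_ip_route("ip route 10.0.0.0 255.0.0.0 192.168.1.2"))
    rt.install(Route(ipaddress.IPv4Network("10.1.0.0/16"), "192.168.1.3", "rip", AD["rip"]))
    rt.install(Route(ipaddress.IPv4Network("10.1.0.0/16"), "192.168.1.4", "ospf", AD["ospf"]))   # replaces RIP
    rt.install(parse_ip_route("ip route 10.1.0.0 255.255.0.0 192.168.1.5 130"))   # AD 130 loses to OSPF
    rt.install(parse_ip_route("ip route 0.0.0.0 0.0.0.0 192.168.1.2 permanent"))  # default route on a stub
    return rt


if __name__ == "__main__":
    table = build_demo_table()
    for dst in ("10.1.2.3", "10.2.2.3", "172.16.0.1"):
        print(dst, table.lookup(dst))
```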


Routing Information Protocol (RIP)

Routing Information Protocol (RIP) is a true distance-vector routing protocol. It sends the complete routing table out to all active interfaces every 30 seconds. RIP only uses hop count to determine the best way to a remote network, and it has a maximum allowable hop count of 15, meaning that 16 is deemed unreachable. RIP works well in small networks, but it is inefficient on large networks with slow WAN links or on networks with a large number of routers installed.

RIP version 1 uses only classful routing, which means that all devices in the network must use the same subnet mask. This is because RIP version 1 does not send updates with subnet mask information in tow. RIP version 2 provides what is called prefix routing and does send subnet mask information with the route updates. This is called classless routing.

RIP Timers

RIP uses three different kinds of timers to regulate its performance:

Route update timer: Sets the interval (typically 30 seconds) between periodic routing updates, in which the router sends a complete copy of its routing table out to all neighbors.
Route invalid timer: Determines the length of time that must expire (90 seconds) before a router determines that a route has become invalid. It will come to this conclusion if it hasn’t heard any updates about a particular route for that period. When that happens, the router will send out updates to all its neighbors letting them know that the route is invalid.
Route flush timer: Sets the time between a route becoming invalid and its removal from the routing table (240 seconds). Before it is removed from the table, the router notifies its neighbors of that route’s impending doom.

The value of the route invalid timer must be less than that of the route flush timer. This is to provide the router with enough time to tell its neighbors about the invalid route before the routing table is updated.
RIP Configuration

Router(config)# router rip

The router rip command selects RIP as the routing protocol and starts the RIP routing process.

Router(config-router)# network network-number

The network command assigns a major network number that the router is directly connected to. The RIP routing process associates interface addresses with the advertised network number and will begin RIP packet processing on the specified interfaces.

The show ip protocols command displays values about routing protocols and the routing protocol timer information that is associated with the router. The show ip interface brief command displays a summary of the IP information and status of all interfaces. The show ip route command displays the contents of the IP routing table. The debug ip rip command displays information on RIP routing transactions.
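The RIP hop limit and the update, invalid and flush timer behaviour from the RIP section above, as an added Python example that is not from the notes. Neighbours and prefixes are constructed, and time is a simulated clock in seconds rather than the router's real timers.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

UPDATE_TIMER, INVALID_TIMER, FLUSH_TIMER = 30, 90, 240   # RIP defaults, in seconds
INFINITY = 16                                            # 15 hops max; 16 means unreachable


@dataclass
class RipRoute:
    network: str
    next_hop: str
    hops: int
    last_heard: float
    invalid: bool = False


class RipTable:
    def __init__(self, invalid: int = INVALID_TIMER, flush: int = FLUSH_TIMER) -> None:
        # The notes' rule: invalid must expire before flush so neighbours hear about the bad route.
        if invalid >= flush:
            raise ValueError("route invalid timer must be less than route flush timer")
        self.invalid_timer, self.flush_timer = invalid, flush
        self.routes: Dict[str, RipRoute] = {}

    def receive(self, neighbor: str, network: str, advertised_hops: int, now: float) -> str:
        """Process one entry of a neighbour's update; our metric is its metric plus one hop."""
        metric = min(advertised_hops + 1, INFINITY)
        cur = self.routes.get(network)
        if metric >= INFINITY:
            if cur is not None and cur.next_hop == neighbor and not cur.invalid:
                cur.invalid, cur.hops, cur.last_heard = True, INFINITY, now
                return "marked invalid by neighbour"
            return "unreachable, not installed"
        if cur is None or cur.invalid or metric < cur.hops:
            self.routes[network] = RipRoute(network, neighbor, metric, now)
            return "installed"
        if cur.next_hop == neighbor:
            cur.hops, cur.last_heard = metric, now   # same neighbour: refresh the timers
            return "refreshed"
        return "ignored: not better"

    def tick(self, now: float) -> List[str]:
        """Age every route; returns the networks flushed at this instant."""
        flushed = []
        for network, r in list(self.routes.items()):
            age = now - r.last_heard
            if age >= self.flush_timer:
                del self.routes[network]
                flushed.append(network)
            elif age >= self.invalid_timer and not r.invalid:
                r.invalid, r.hops = True, INFINITY   # kept in the table, advertised as unreachable
        return flushed

    def advertise(self) -> List[Tuple[str, int]]:
        """The full table as sent out every update interval; invalid routes carry metric 16."""
        return sorted((r.network, r.hops) for r in self.routes.values())


def demo() -> dict:
    t = RipTable()
    out = {"first": t.receive("10.0.0.2", "172.16.0.0/16", 3, 0)}
    out["refresh"] = t.receive("10.0.0.2", "172.16.0.0/16", 3, UPDATE_TIMER)
    out["worse_path"] = t.receive("10.0.0.3", "172.16.0.0/16", 5, UPDATE_TIMER)
    out["too_far"] = t.receive("10.0.0.3", "192.168.5.0/24", 15, UPDATE_TIMER)
    t.tick(100)                                   # 70 s since the last refresh: still valid
    out["before_invalid"] = t.advertise()
    t.tick(120)                                   # 90 s: invalid, now advertised as 16
    out["after_invalid"] = t.advertise()
    out["flushed"] = t.tick(270)                  # 240 s: removed from the table
    out["final"] = t.advertise()
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```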


Enhanced Interior Gateway Routing Protocol (EIGRP) Overview

Enhanced Interior Gateway Routing Protocol (EIGRP) is an enhanced version of Interior Gateway Routing Protocol (IGRP) developed by Cisco. EIGRP is suited for many different topologies and media. In a well-designed network, EIGRP scales well and provides extremely quick convergence times with minimal overhead. EIGRP is a popular choice for a routing protocol on Cisco devices.

Features of EIGRP

EIGRP has rapid convergence times for changes in the network topology. In some situations, convergence can be almost instantaneous. EIGRP uses the Diffusing Update Algorithm (DUAL) to achieve rapid convergence. A router that is running EIGRP stores backup routes for destinations when they are available so that it can quickly adapt to alternate routes. If no appropriate route or backup route exists in the local routing table, EIGRP queries its neighbors to discover an alternate route. These queries are propagated until an alternate route is found.

EIGRP has very low usage of network resources during normal operation; only hello packets are transmitted on a stable network. Like other link-state routing protocols, EIGRP uses EIGRP hello packets to establish relationships with neighboring EIGRP routers. Each router builds a neighbor table from the hello packets that it receives from adjacent EIGRP routers.

EIGRP does not send periodic routing updates like IGRP does. When a change occurs, only routing table changes are propagated, not the entire routing table. And when only changes are propagated, the bandwidth that is required for EIGRP packets is minimized, which reduces the load that the routing protocol itself places on the network.

EIGRP supports automatic (classful) route summarization at major network boundaries as the default. However, unlike other classful routing protocols, such as IGRP and Routing Information Protocol (RIP), manual route summarization can be configured on arbitrary network boundaries to reduce the size of the routing table.


EIGRP Terminology

Neighbor table (AppleTalk, IPX, IPv6, IPv4): Each EIGRP router maintains a neighbor table that lists adjacent routers. This table is comparable to the adjacencies database used by OSPF, and it serves the same purpose (to ensure bi-directional communication between each of the directly connected neighbors). There is a neighbor table for each protocol that EIGRP supports.

Topology table (AppleTalk, IPX, IPv6, IPv4): Each EIGRP router maintains a topology table for each configured routing protocol. This table includes route entries for all destinations that the router has learned. All learned routes to a destination are maintained in the topology table.

Routing table (AppleTalk, IPX, IPv6, IPv4): EIGRP chooses the best (successor) routes to a destination from the topology table and places these routes in the routing table. The router maintains one routing table for each network protocol.

Successor: A successor is a route selected as the primary route to reach a destination. Successors are the entries kept in the routing table.

Feasible successor: A feasible successor is considered a backup route. Backup routes are selected at the same time that the successors are identified; however, these routes are kept in the topology table. Multiple feasible successors for a destination can be retained.

EIGRP Configuration

Use the router eigrp and network commands to create an EIGRP routing process. Note that EIGRP requires an autonomous system number. The autonomous system number does not have to be registered. However, all routers within an autonomous system must use the same autonomous system number; otherwise, they will not exchange routing information.

Router(config)# router eigrp autonomous-system
Router(config-router)# network network-number


The network command assigns a major network number that the router is directly connected to. The EIGRP routing process associates interface addresses with the advertised network number and will begin EIGRP packet processing on the specified interfaces.

EIGRP Configuration Verification

The show ip route eigrp command displays the current EIGRP entries in the routing table.

The show ip protocols command displays the parameters and current state of the active routing protocol process. This command shows the EIGRP autonomous system number. It also displays filtering and redistribution numbers and neighbors and distance information.

Use the show ip eigrp interfaces command to determine on which interfaces EIGRP is active, and to learn information about EIGRP relating to those interfaces. If you specify an interface, only that interface is displayed. Otherwise, all interfaces on which EIGRP is running are displayed. If you specify an autonomous system, only the routing process for the specified autonomous system is displayed. Otherwise, all EIGRP processes are displayed.

EIGRP Configuration Troubleshooting

The debug ip eigrp privileged EXEC command helps you analyze the packets that are sent and received on an interface. Because the debug ip eigrp command generates a substantial amount of output, use it only when traffic on the network is light.


Open Shortest Path First (OSPF) Overview

Open Shortest Path First (OSPF) is an interior gateway protocol and a classless link-state routing protocol. Because OSPF is widely deployed, knowledge of its configuration and maintenance is essential. This lesson describes the function of OSPF and explains how to configure a single-area OSPF network on a Cisco router.

OSPF Features

OSPF is a routing protocol developed for IP networks by the Interior Gateway Protocol (IGP) working group of the Internet Engineering Task Force (IETF). Similar to Interior Gateway Routing Protocol (IGRP), OSPF was created in the mid-1980s because Routing Information Protocol (RIP) was increasingly incapable of serving large, heterogeneous internetworks. OSPF routes packets within a single autonomous system.

OSPF characteristics: The protocol is an open standard, which means that its specification is in the public domain. The OSPF specification is published as an RFC. The most recent version, known as OSPF version 2, is described in RFC 2328. OSPF is based on the shortest path first (SPF) algorithm.

The ability of OSPF to separate a large internetwork, or autonomous system, into smaller internetworks called areas is referred to as hierarchical routing. With this technique, routing still occurs between the areas (called interarea routing), but many of the minute internal routing operations, such as recalculating the database, are kept within an area. The hierarchical topology possibilities of OSPF have the following important advantages:

• Reduced frequency of SPF calculations
• Smaller routing tables
• Reduced link-state update overhead


Shortest Path First Algorithm

The SPF algorithm places each router at the root of a tree and calculates the shortest path to each node, using Dijkstra’s algorithm, based on the cumulative cost that is required to reach that destination. LSAs are flooded throughout the area using a reliable algorithm, which ensures that all routers in an area have exactly the same topological database. Each router uses the information in its topological database to calculate a shortest path tree, with itself as the root. The router then uses this tree to route network traffic. Each router has its own view of the topology, even though all the routers build a shortest-path tree using the same link-state database.

The cost, or metric, of an interface is an indication of the overhead that is required to send packets across a certain interface. The cost of an interface is inversely proportional to the bandwidth of that interface, so a higher bandwidth indicates a lower cost. There is more overhead, higher cost, and more time delays involved in crossing a 56 kbps serial line than in crossing a 10-Mbps Ethernet line. The default formula used to calculate OSPF cost is:

cost = 100,000,000 / bandwidth in bps

For example, it will cost 10^8 / 10^7 = 10 to cross a 10-Mbps Ethernet line, and it will cost 10^8 / 1,544,000 = 64 to cross a T1 line.

Single-Area OSPF Configuration

Router(config)# router ospf process-id
Router(config-router)# network address wildcard-mask area area-id

The router ospf command takes a process identifier as an argument. The process ID is a unique, arbitrary number that you select to identify the routing process. The process ID does not need to match the OSPF process ID on other OSPF routers. The network command identifies which IP networks on the router are part of the OSPF network. For each network, you must also identify the OSPF area that the networks belong to.


The network command takes the three arguments listed below.

router ospf Command Parameters

address: Can be the network, subnet, or interface address.

wildcard-mask: Wildcard mask. This mask identifies the part of the IP address that is to be matched, where 0 is a match and 1 is “do not care.” For example, a wildcard mask of 0.0.0.0 indicates a match of all 32 bits in the address.

area-id: Area that is to be associated with the OSPF address range. It can be specified either as a decimal value or in dotted-decimal notation.

OSPF Configuration Verification

Router# show ip protocols
The command displays parameters about timers, filters, metrics, networks, and other information for the entire router.

Router# show ip route
The command displays the routes that are known to the router and how they were learned. This command is one of the best ways to determine connectivity between the local router and the rest of the internetwork.

Router# show ip ospf interface
The command verifies that interfaces have been configured in the intended areas. If no loopback address is specified, the interface with the highest address is chosen as the router ID. This command also displays the timer intervals, including the hello interval, and shows the neighbor adjacencies.

Router# show ip ospf neighbor
The show ip ospf neighbor command displays OSPF neighbor information on a per-interface basis.
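The following is an added example, not part of the study notes, that works through the Shortest Path First Algorithm section above: the default OSPF cost formula applied to several interface bandwidths, then Dijkstra's SPF run from one router over a constructed link-state database to build that router's shortest-path tree. Router names, links and bandwidths are constructed for the example.

```python
"""Added example (not from the study notes): OSPF cost and SPF calculation.

Computes interface cost with the default formula (10^8 / bandwidth), then
runs Dijkstra's algorithm from a chosen root over a constructed topology.
"""
import heapq

REFERENCE_BANDWIDTH = 100_000_000   # 10^8 bps, the default in the notes


def ospf_cost(bandwidth_bps: int) -> int:
    """cost = 10^8 / bandwidth in bps, truncated to an integer (minimum 1)."""
    return max(1, REFERENCE_BANDWIDTH // bandwidth_bps)


# Constructed topology: (router, router, link bandwidth in bps).
# Every router floods and receives the same LSAs, so all of them hold this
# identical database; only the root of the SPF tree differs per router.
LINKS = [
    ("R1", "R2", 10_000_000),   # 10-Mbps Ethernet   -> cost 10
    ("R1", "R3", 100_000_000),  # 100-Mbps Ethernet  -> cost 1
    ("R2", "R4", 1_544_000),    # T1                 -> cost 64
    ("R3", "R4", 10_000_000),   # 10-Mbps Ethernet   -> cost 10
    ("R2", "R3", 56_000),       # 56-kbps serial     -> cost 1785
]


def link_state_db(links):
    """Adjacency map: router -> {neighbor: cost of the outgoing interface}."""
    db = {}
    for a, b, bandwidth in links:
        cost = ospf_cost(bandwidth)
        db.setdefault(a, {})[b] = cost
        db.setdefault(b, {})[a] = cost
    return db


def spf(db, root):
    """Dijkstra from `root`: returns {router: (cumulative cost, parent)}.

    The parent pointers are the shortest-path tree with `root` at the top;
    the root's own entry is (0, None).
    """
    tree = {root: (0, None)}
    heap = [(0, root)]
    while heap:
        cost, node = heapq.heappop(heap)
        if cost > tree[node][0]:
            continue                      # stale entry, already improved
        for neighbor, link_cost in db[node].items():
            candidate = cost + link_cost
            if neighbor not in tree or candidate < tree[neighbor][0]:
                tree[neighbor] = (candidate, node)
                heapq.heappush(heap, (candidate, neighbor))
    return tree


def next_hop(tree, root, destination):
    """Walk parents from the destination back to the router adjacent to root.
    This is the forwarding decision the router derives from its tree."""
    node = destination
    while tree[node][1] != root:
        node = tree[node][1]
    return node


if __name__ == "__main__":
    db = link_state_db(LINKS)
    for root in ("R1", "R4"):
        tree = spf(db, root)
        for dest, (cost, _) in sorted(tree.items()):
            if dest != root:
                print(f"{root} -> {dest}: cost {cost} via {next_hop(tree, root, dest)}")
```

Running the block from two different roots shows the point the notes make: the same database yields a different tree, and therefore different next hops, on each router.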


Access control lists (ACLs) Overview

Access control lists (ACLs) provide an important network security feature. With ACLs, you can classify and filter packets on inbound and outbound router interfaces and access ports. Understanding the uses of ACLs enables you to determine how to implement them on your Cisco network. This lesson describes some of the applications for ACLs on Cisco Systems networks and explains how Cisco IOS software processes ACLs.

Access lists are essentially lists of conditions that control access of network traffic, both to and from network segments. They can filter unwanted packets and be used to implement security policies of the organisation. With the right combination of access lists, network managers will be armed with the power to enforce nearly any access policy they can invent.

Access lists are basically the packet filters that packets are compared with, categorized by, and acted upon. Once the lists are built, they can be applied to either inbound or outbound traffic on any interface. Applying an access list will then cause the router to analyze every packet crossing that interface in the specified direction and take action accordingly.

There are a few important rules a packet follows when it’s being compared with an access list:

• Whenever a packet arrives on the interface of the router, it is always compared with each line of the access list in sequential order, i.e., it’ll always start with line 1, then go to line 2, then line 3, and so on.

• It’s compared with lines of the access list only until a match is made. Once the packet matches a line of the access list, it’s acted upon, and no further comparisons take place.

• There is an implicit “deny” at the end of each access list—this means that if a packet doesn’t match up to any lines in the access list, it’ll be discarded.

Types of Access Lists: Two Types

1. Standard access lists: These use only the source IP address in an IP packet to filter the network. This basically permits or denies an entire suite of protocols.

2. Extended access lists:


These check for both source and destination IP address, the protocol field in the Network layer header, and the port number in the Transport layer header.

Once you create an access list, you apply it to an interface with either an inbound or outbound list:

Inbound access lists: Packets are processed through the access list before being routed to the outbound interface.

Outbound access lists: Packets are routed to the outbound interface and then processed through the access list.

Some access list guidelines that should be followed when creating and implementing access lists on a router:

• You can only assign one access list per interface, per protocol, per direction. This means that if you are creating IP access lists, you can only have one inbound access list and one outbound access list per interface.

• Organize your access lists so that the more specific tests are at the top of the access list.

• Anytime a new line is added to the access list, it will be placed at the bottom of the list.

• You cannot remove one line from an access list. If you try to do this, you will remove the entire list. It is best to copy the access list to a text editor before trying to edit the list.

• Unless your access list ends with a permit any command, all packets will be discarded if they do not meet any of the list’s tests. Every list should have at least one permit statement, or you might as well shut the interface down.

• Create access lists and then apply them to an interface. Any access list applied to an interface without an access list present will not filter traffic.

• Access lists are designed to filter traffic going through the router. They will not filter traffic originated from the router.

• Place IP standard access lists as close to the destination as possible.

• Place IP extended access lists as close to the source as possible.


Standard IP Access Lists

Standard IP access lists filter the network by using the source IP address in an IP packet. You create a standard IP access list by using the access list numbers 1-99.

Configuring Standard IP ACLs

To configure standard IP ACLs on a Cisco router, you need to create a standard IP ACL and activate the ACL on an interface.

Router(config)# access-list access-list-number {permit | deny | remark} source [mask]

• Sets parameters for this list entry
• IP standard ACLs use 1 to 99
• Default wildcard mask = 0.0.0.0
• no access-list access-list-number removes the entire ACL
• remark lets you add a description for the ACL

Router(config-if)# ip access-group access-list-number {in | out}

• Activates the list on an interface
• Sets inbound or outbound testing
• Default = outbound
• no ip access-group access-list-number removes the ACL from the interface

Steps required to configure standard ACLs on a router:

1. Create an entry in a standard IP traffic filter list using the access-list global configuration command.
Router(config)# access-list 1 permit 172.16.0.0 0.0.255.255
Enter the global no access-list access-list-number command to remove the entire ACL. The example statement matches any address that starts with 172.16.x.x. Use the remark option to add a description to your ACL.

2. Select an interface to enable the ACL using the interface configuration command.
Router(config)# interface e1
After you enter the interface command, the CLI prompt will change from (config)# to (config-if)#.


3. Activate the existing ACL on an interface using the ip access-group interface configuration command.
Router(config-if)# ip access-group 1 out
To remove an IP ACL from an interface, enter the no ip access-group access-list-number command on the interface.

Configuring Extended IP ACLs

Extended IP access lists allow you to choose your IP source and destination address as well as the protocol and port number, which identify the upper-layer protocol or application. By using extended IP access lists, you can effectively allow users access to a physical LAN and stop them from using certain services.

Syntax: This command sets parameters for this list entry:
Router(config)# access-list access-list-number {permit | deny} protocol source source-wildcard [operator port] destination destination-wildcard [operator port] [established] [log]

This command activates the extended list on an interface:
Router(config-if)# ip access-group access-list-number {in | out}

Steps to configure extended ACLs on a router:

1. Define an extended IP ACL. Use the access-list global configuration command.
Router(config)# access-list 101 deny tcp 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255 eq 21
Use the show access-lists command to display the contents of the ACL. In the example, access-list 101 denies TCP traffic from source 172.16.4.0, using the wildcard 0.0.0.255, to destination 172.16.3.0, using the wildcard 0.0.0.255, on port 21 (FTP control port).

2. Select a desired interface to be configured. Use the interface global config command.
Router(config)# interface e0
After the interface command is entered, the CLI prompt changes from (config)# to (config-if)#.


3. Link the extended IP ACL to an interface. Use the ip access-group interface config command. Router(config-if)# ip access-group 101 in

Use the show ip interfaces command to verify that an IP ACL is applied to the interface.

Controlling VTY (Telnet) Access

You will have a difficult time trying to stop users from telnetting into a router because any active port on a router is fair game for VTY access. However, you can use a standard IP access list to control access by placing the access list on the VTY lines themselves. To perform this function:

1. Create a standard IP access list that permits only the host or hosts you want to be able to telnet into the routers.
2. Apply the access list to the VTY line with the access-class command.

Here is an example of allowing only host 172.16.10.3 to telnet into a router:

RouterA(config)#access-list 50 permit 172.16.10.3
RouterA(config)#line vty 0 4
RouterA(config-line)#access-class 50 in

Because of the implied deny any at the end of the list, the access list stops any host from telnetting into the router except the host 172.16.10.3.
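The following is an added example, not part of the study notes, that models how IOS walks an access list according to the three rules in the ACL overview (sequential comparison, first match wins, implicit deny) and the wildcard-mask semantics (0 = must match, 1 = do not care), then checks the page's own statements (access-list 1, access-list 101 and the VTY access-list 50) against constructed packets. The permit-any line appended to access-list 101 follows the guideline that every list needs a permit; the packets are constructed sample input.

```python
"""Added example (not from the study notes): a model of ACL evaluation.

Implements sequential, first-match evaluation with an implicit deny, and
wildcard-mask matching, then applies it to the statements from the notes.
"""
from __future__ import annotations
from dataclasses import dataclass
import ipaddress


def wildcard_match(address: str, base: str, wildcard: str) -> bool:
    """True when every 0-bit position of the wildcard mask agrees."""
    a = int(ipaddress.IPv4Address(address))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    # forcing the "do not care" bits to 1 on both sides leaves only the
    # bits that must match
    return (a | w) == (b | w)


@dataclass(frozen=True)
class Packet:                       # constructed sample input
    src: str
    dst: str
    protocol: str = "ip"            # "ip", "tcp", "udp", "icmp"
    dst_port: int | None = None


@dataclass(frozen=True)
class Entry:
    """One line of an ACL. Standard entries set only action/src/src_wc."""
    action: str                     # "permit" or "deny"
    src: str
    src_wc: str = "0.0.0.0"         # default wildcard = exact host match
    protocol: str = "ip"            # "ip" matches every IP protocol
    dst: str | None = None
    dst_wc: str = "0.0.0.0"
    dst_port: int | None = None     # models "eq <port>" on the destination

    def matches(self, pkt: Packet) -> bool:
        if self.protocol != "ip" and self.protocol != pkt.protocol:
            return False
        if not wildcard_match(pkt.src, self.src, self.src_wc):
            return False
        if self.dst is not None and not wildcard_match(pkt.dst, self.dst, self.dst_wc):
            return False
        if self.dst_port is not None and pkt.dst_port != self.dst_port:
            return False
        return True


def evaluate(acl: list[Entry], pkt: Packet) -> tuple[str, int | None]:
    """Walk the list top to bottom; return (action, 1-based matching line).

    ("deny", None) means no line matched: the implicit deny at the end.
    """
    for line, entry in enumerate(acl, start=1):
        if entry.matches(pkt):
            return entry.action, line
    return "deny", None


# The statements from the notes, rendered as entries.
# access-list 1 permit 172.16.0.0 0.0.255.255
ACL_1 = [Entry("permit", "172.16.0.0", "0.0.255.255")]

# access-list 101 deny tcp 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255 eq 21
# followed by a "permit ip any any" so the list passes everything else
ACL_101 = [
    Entry("deny", "172.16.4.0", "0.0.0.255", "tcp", "172.16.3.0", "0.0.0.255", 21),
    Entry("permit", "0.0.0.0", "255.255.255.255"),
]

# access-list 50 permit 172.16.10.3 (applied to the VTY lines with access-class)
ACL_50 = [Entry("permit", "172.16.10.3")]
```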


Network Address Translation (NAT) Overview

Two scalability challenges facing the Internet are depletion of registered IP address space and scaling in routing. Cisco IOS Network Address Translation (NAT) and port address translation (PAT) are mechanisms for conserving registered IP addresses in large networks and simplifying IP addressing management tasks. NAT and PAT translate IP addresses within private internal networks to legal IP addresses for transport over public external networks, such as the Internet, without requiring a registered subnet address. Incoming traffic is translated back for delivery within the inside network.

Features of NAT (Network Address Translation) and PAT (Port Address Translation)

NAT operates on a Cisco router and is designed for IP address simplification and conservation. NAT enables private IP internetworks that use nonregistered IP addresses to connect to the Internet. Usually, NAT connects two networks together and translates the private (inside local) addresses in the internal network into public addresses (inside global) before packets are forwarded to another network. As part of this functionality, you can configure NAT to advertise only one address for the entire network to the outside world. Advertising only one address effectively hides the internal network from the world, thus providing additional security. Any device that sits between an internal network and the public network—such as a firewall, a router, or a computer—uses NAT, which is defined in RFC 1631.

In NAT terminology, the “inside network” is the set of networks that are subject to translation. The “outside network” refers to all other addresses. Usually these are valid addresses located on the Internet. Cisco defines the following list of NAT terms:

Inside local address: The IP address assigned to a host on the inside network. The inside local address is likely not an IP address assigned by the Network Information Center (NIC) or service provider.

Inside global address: A legitimate IP address assigned by the NIC or service provider that represents one or more inside local IP addresses to the outside world.

Outside local address: The IP address of an outside host as it appears to the inside network. Not necessarily legitimate, the outside local address is allocated from an address space routable on the inside.


Outside global address: The IP address assigned to a host on the outside network by the host owner. The outside global address is allocated from a globally routable address or network space.

NAT has many forms and can work in the following ways:

Static NAT: Maps an unregistered IP address to a registered IP address (one-to-one). Static NAT is particularly useful when a device needs to be accessible from outside the network.

Dynamic NAT: Maps an unregistered IP address to a registered IP address from a group of registered IP addresses.

Overloading: Maps multiple unregistered IP addresses to a single registered IP address (many-to-one) by using different ports. Overloading is also known as PAT, and is a form of dynamic NAT.

Configuring Static NAT

Router(config-if)# ip nat inside
Marks the interface as connected to the inside

Router(config-if)# ip nat outside
Marks the interface as connected to the outside

Router(config)# ip nat inside source static local-ip global-ip
Establishes static translation between an inside local address and an inside global address

Steps for configuring static inside source address translation:

1. Establish static translation between an inside local address and an inside global address.
Router(config)# ip nat inside source static local-ip global-ip
Enter the no ip nat inside source static local-ip global-ip global configuration command to remove the static source translation.

2. Specify the inside interface.
Router(config)# interface type number
After you enter the interface command, the CLI prompt will change from (config)# to (config-if)#.

3. Mark the interface as connected to the inside.
Router(config-if)# ip nat inside

4. Specify the outside interface.


Router(config-if)# interface type number

5. Mark the interface as connected to the outside.
Router(config-if)# ip nat outside

Configuration of Dynamic NAT

Router(config)# ip nat pool name start-ip end-ip {netmask netmask | prefix-length prefix-length}
Defines a pool of global addresses to be allocated as needed

Router(config)# access-list access-list-number permit source [source-wildcard]
Defines a standard IP ACL permitting those inside local addresses that are to be translated.

Router(config)# ip nat inside source list access-list-number pool name
Establishes dynamic source translation, specifying the ACL that was defined in the prior step.

Steps for configuring dynamic inside source address translation:

1. Define a pool of global addresses to be allocated as needed.
Router(config)# ip nat pool name start-ip end-ip {netmask netmask | prefix-length prefix-length}
Enter the no ip nat pool name global configuration command to remove the pool of global addresses.

2. Define a standard ACL that will permit the addresses that are to be translated.
Router(config)# access-list access-list-number permit source [source-wildcard]
Enter the no access-list access-list-number global configuration command to remove the ACL.

3. Establish dynamic source translation, specifying the ACL that was defined in the prior step.
Router(config)# ip nat inside source list access-list-number pool name
Enter the no ip nat inside source list access-list-number pool name global configuration command to remove the dynamic source translation.

4. Specify the inside interface.
Router(config)# interface type number
After you enter the interface command, the CLI prompt will change from (config)# to (config-if)#.


5. Mark the interface as connected to the inside.
Router(config-if)# ip nat inside

6. Specify the outside interface.
Router(config-if)# interface type number

7. Mark the interface as connected to the outside.
Router(config-if)# ip nat outside

Configuring PAT

One of the main features of NAT is static PAT, which is also referred to as overload in Cisco IOS configuration. Several internal addresses can be translated using NAT into just one or a few external addresses by using PAT. PAT uses unique source port numbers on the inside global IP address to distinguish between translations. Because the port number is encoded in 16 bits, the total number of internal addresses that NAT can translate into one external address is, theoretically, as many as 65,536.

PAT attempts to preserve the original source port. If the source port is already allocated, PAT attempts to find the first available port number. It starts from the beginning of the appropriate port group, 0-511, 512-1023, or 1024-65535. If PAT does not find a port that is available from the appropriate port group and if more than one external IP address is configured, PAT will move to the next IP address and try to allocate the original source port again. PAT continues trying to allocate the original source port until it runs out of available ports and external IP addresses.

You can conserve addresses in the inside global address pool by allowing the router to use one inside global address for many inside local addresses. When this overloading is configured, the router maintains enough information from higher-level protocols—for example, TCP or User Datagram Protocol (UDP) port numbers—to translate the inside global address back into the correct inside local address. When multiple inside local addresses map to one inside global address, the TCP or UDP port numbers of each inside host distinguish between the local addresses.

Configuration

Router(config)# access-list access-list-number permit source [source-wildcard]
Defines a standard IP ACL that will permit the inside local addresses that are to be translated

Router(config)# ip nat inside source list access-list-number interface interface overload


Establishes dynamic source translation, specifying the ACL that was defined in the prior step

To configure overloading of inside global addresses, perform the following steps:

1. Define a standard ACL that will permit the addresses that are to be translated.
Router(config)# access-list access-list-number permit source [source-wildcard]
Enter the no access-list access-list-number global configuration command to remove the ACL.

2. Establish dynamic source translation, specifying the ACL that was defined in the prior step.
Router(config)# ip nat inside source list access-list-number interface interface overload
Enter the no ip nat inside source list access-list-number interface interface overload global configuration command to remove the dynamic source translation. The keyword “overload” enables PAT.

3. Specify the inside interface.
Router(config)# interface type number
Router(config-if)# ip nat inside
After you enter the interface command, the CLI prompt will change from (config)# to (config-if)#.

4. Specify the outside interface.
Router(config-if)# interface type number
Router(config-if)# ip nat outside

Verifying the NAT and PAT Configuration

Router# clear ip nat translation *
Clears all dynamic address translation entries from the NAT translation table.

Router# show ip nat translations
Displays active translations

Router# show ip nat statistics
Displays translation statistics

Use the debug ip nat command to verify the operation of the NAT feature by displaying information about every packet that is translated by the router. The debug ip nat detailed command generates a description of each packet considered for translation. This command also outputs information about certain errors or exception conditions, such as the failure to allocate a global address.
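The following is an added example, not part of the study notes, that simulates the PAT (overload) port-allocation behaviour described in the Configuring PAT section: preserve the original source port when it is free, otherwise take the first free port from the start of the appropriate group (0-511, 512-1023, 1024-65535), and move to the next inside global address only when that group is exhausted. The translation table it keeps is what the router consults to map replies back to the inside host. The addresses and flows are constructed sample input.

```python
"""Added example (not from the study notes): a PAT port-allocation model.

Follows the allocation order the notes describe and keeps a two-way
translation table. All addresses and flows are constructed sample input.
"""
from __future__ import annotations

# The three port groups from the notes; a search for a free port restarts
# at the beginning of the group the original source port belongs to.
PORT_GROUPS = [(0, 511), (512, 1023), (1024, 65535)]


def port_group(port: int) -> tuple[int, int]:
    for low, high in PORT_GROUPS:
        if low <= port <= high:
            return low, high
    raise ValueError(f"invalid port {port}")


class PatTranslator:
    """Translation table for one or more inside global addresses."""

    def __init__(self, inside_globals: list[str]):
        self.inside_globals = list(inside_globals)
        # outbound: (inside_local, proto, local_port) -> (global_ip, global_port)
        self.table: dict[tuple[str, str, int], tuple[str, int]] = {}
        # inbound: (global_ip, proto, global_port) -> (inside_local, local_port)
        self.reverse: dict[tuple[str, str, int], tuple[str, int]] = {}

    def _free(self, global_ip: str, proto: str, port: int) -> bool:
        return (global_ip, proto, port) not in self.reverse

    def _install(self, key, global_ip: str, global_port: int) -> tuple[str, int]:
        inside_local, proto, local_port = key
        self.table[key] = (global_ip, global_port)
        self.reverse[(global_ip, proto, global_port)] = (inside_local, local_port)
        return self.table[key]

    def allocate(self, inside_local: str, proto: str, local_port: int) -> tuple[str, int] | None:
        """Translate an outbound flow; None means ports and addresses ran out."""
        key = (inside_local, proto, local_port)
        if key in self.table:
            return self.table[key]            # existing flow, reuse its entry
        low, high = port_group(local_port)
        for global_ip in self.inside_globals:
            # 1. try to preserve the original source port on this address
            if self._free(global_ip, proto, local_port):
                return self._install(key, global_ip, local_port)
            # 2. otherwise the first free port from the start of the group
            for port in range(low, high + 1):
                if self._free(global_ip, proto, port):
                    return self._install(key, global_ip, port)
            # 3. group exhausted here: try the original port on the next address
        return None

    def translate_inbound(self, global_ip: str, proto: str, global_port: int) -> tuple[str, int] | None:
        """Reply traffic: the port number alone identifies the inside host."""
        return self.reverse.get((global_ip, proto, global_port))

    def clear(self) -> None:
        """Drop every dynamic entry, like 'clear ip nat translation *'."""
        self.table.clear()
        self.reverse.clear()
```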


WAN Protocols

A WAN is different from a LAN. Unlike a LAN, which connects workstations, peripherals, terminals, and other devices that are located within a single building or other small geographic area, a WAN makes data connections across a broad geographic area. Companies use the WAN to connect various company sites so that information can be exchanged between distant offices. Because the cost of building a global network to connect remote sites can be very high, WAN services are generally leased from service providers. You must subscribe to an outside WAN provider to use network resources that your organization does not own. The service provider will transport your information via the portion of its network that you lease.

WAN connection types

Leased line: A leased line, also known as a point-to-point or dedicated connection, provides a single, preestablished WAN communication path from the customer premises through a service provider network to a remote network. The service provider reserves this connection for private use by the client. Leased lines eliminate the issues that arise with a shared connection, but they are costly. Leased lines are typically employed over synchronous serial connections up to T3 speeds, operating at 45 Mbps.

Circuit-switched: Circuit switching is a switching system in which a dedicated circuit path must exist between sender and receiver for the duration of the call. Service provider networks use circuit switching to provide basic telephone service or ISDN. Circuit-switched connections are commonly used in environments that require only sporadic WAN usage. Circuit switching is typically employed over an asynchronous serial connection.

Packet-switched: Packet switching is a WAN switching method in which network devices share a common backbone to transport packets from a source to a destination across a carrier network. Packet-switched networks use virtual circuits (VCs) that provide end-to-end connectivity. Programmed switching devices provide the physical connections. Packet headers generally identify the destination. Packet switching offers services that are similar to those of leased lines; however, the line is shared and the cost of the service is lower. Like leased lines, packet-switched networks are often employed over serial connections with speeds ranging from 56 kbps to T3 speeds (45 Mbps).

Layer 2 Encapsulation Protocols

On each WAN connection, data is encapsulated into frames before crossing the WAN link. To ensure that the correct protocol is used, you will need to configure the appropriate Layer 2 encapsulation type. The choice of protocol depends on the WAN technology and the communicating equipment.


HDLC: The Cisco default encapsulation type on point-to-point connections, dedicated links, and circuit-switched connections. HDLC is typically used when two Cisco devices are communicating. HDLC is a bit-oriented synchronous data link layer protocol.

PPP: Provides router-to-router and host-to-network connections over synchronous and asynchronous circuits. PPP was designed to work with several network layer protocols, including IP. PPP also has built-in security mechanisms, such as Password Authentication Protocol (PAP) and Challenge Handshake Authentication Protocol (CHAP).

Serial Line Internet Protocol (SLIP): A standard protocol for point-to-point serial connections using TCP/IP. SLIP has been largely replaced by PPP.

X.25 and Link Access Procedure, Balanced (LAPB): International Telecommunication Union Telecommunication Standardization Sector (ITU-T) standards that define how connections between DTE and DCE are maintained for remote terminal access and computer communications in public data networks. X.25 specifies LAPB, a data-link layer protocol that manages the communication between DTE and DCE, including packet framing, ordering, and error checking. X.25 is a predecessor to Frame Relay.

Frame Relay: An industry-standard, switched data-link layer protocol that handles multiple VCs. It is a successor to X.25, streamlined to eliminate some of the time-consuming processes (such as error correction and flow control) that X.25 employed to compensate for older, less reliable communication links.

ATM: The international standard for cell relay, in which multiple service types (such as voice, video, and data) are conveyed in fixed-length (53-byte) cells. ATM, a cell-switched technology, uses fixed-length cells, which allow processing to occur in hardware, thereby reducing transit delays. ATM is designed to take advantage of high-speed transmission media such as T3, E3, and SONET.


Configuring Serial Point-to-Point Encapsulation

Overview

You can use serial point-to-point connections to connect your LAN to your service provider WAN. You will most likely have serial point-to-point connections within your network, between your network and a service

HDLC Encapsulation Configuration

HDLC is an ISO standard, bit-oriented, data-link layer protocol that encapsulates data on synchronous serial data links. Standard HDLC does not inherently support multiple protocols on a single link because it has no way to indicate which protocol it is carrying. HDLC specifies a data encapsulation method on synchronous serial links using frame characters and checksums. Cisco offers a proprietary version of HDLC. The Cisco HDLC frame uses a proprietary type field that acts as a protocol field, which makes it possible for multiple network layer protocols to share the same serial link.

Router(config-if)# encapsulation hdlc

This command enables HDLC encapsulation. By default, Cisco devices use the Cisco HDLC serial encapsulation method on synchronous serial lines. However, if the serial interface is configured with another encapsulation protocol and you want to change the encapsulation back to HDLC, enter the interface configuration mode of the interface that you want to change and use the encapsulation hdlc interface configuration command to specify HDLC encapsulation on the interface.

Cisco HDLC is a point-to-point protocol that can be used on leased lines between two Cisco devices. When communicating with a device from another vendor, synchronous PPP is the more viable option.


PPP (Point-to-Point Protocol)

PPP was designed to make the connection for point-to-point links. PPP, described in RFCs 1661 and 1332, encapsulates network layer protocol information over point-to-point links. You can configure PPP on the following types of physical interfaces:

• Asynchronous serial
• Synchronous serial
• High-Speed Serial Interface (HSSI)
• ISDN

PPP uses its Network Control Program (NCP) component to encapsulate and negotiate options for multiple network layer protocols. PPP uses another of its major components, the Link Control Protocol (LCP), to negotiate and set up control options on the WAN data link. PPP uses a layered architecture. With its lower-level functions, PPP can use the following:

• Synchronous physical media
• Asynchronous physical media, such as basic telephone service for modem dial-up connections
• ISDN

PPP offers a rich set of services that control the setup of a data link. These services are options in LCP. They are primarily negotiation and checking of frame options to implement the point-to-point controls that an administrator specifies for the call. With its higher-level functions, PPP carries packets from several network layer protocols using its NCPs. The NCPs include functional fields containing standardized codes to indicate the network layer protocol type that PPP encapsulates.

PPP Configuration

This topic describes the different configuration options for PPP. Cisco routers that use PPP encapsulation may include these LCP configuration options:

Authentication: Requires the calling side of the link to enter information to help ensure that the caller has network administrator permission to make the call. Peer routers exchange authentication messages. Two alternatives are Password Authentication Protocol (PAP) and Challenge Handshake Authentication Protocol (CHAP).


Compression: Increases the effective throughput on PPP connections by reducing the amount of data in the original frame that must travel across the link. The protocol decompresses the frame at its destination. Two compression protocols available in Cisco routers are Stacker and Predictor.

Error detection: Identifies fault conditions on the link. The Quality and Magic Number options help ensure a reliable, loop-free data link.

Multilink PPP (MLP): Provides load balancing over the router interfaces that PPP uses. This feature is sometimes referred to as Multilink Protocol. Cisco IOS Release 11.1 and later releases support MLP. MLP, as specified in RFC 1717, provides packet fragmentation and sequencing that splits the load for PPP and sends fragments over parallel circuits. In some cases, this "bundle" of MLP pipes functions as a single logical link, improving throughput and reducing latency between peer routers. RFC 1990, The PPP Multilink Protocol (MP), renders RFC 1717 obsolete.

PPP Authentication Protocols

This topic describes the two PPP authentication protocols.

PAP is a two-way handshake that provides a simple method for a remote node to establish its identity. PAP is performed only upon initial link establishment. After the PPP link establishment phase is complete, the remote node repeatedly sends a username and password pair to the router until authentication is acknowledged or the connection is terminated. PAP is not a strong authentication protocol. Passwords are sent across the link in clear text, which may be acceptable in environments that use token-type passwords that change with each authentication, but is not secure in most environments. Also, there is no protection from playback or repeated trial-and-error attacks: the remote node controls the frequency and timing of the login attempts.

CHAP uses a three-way handshake. It occurs at the startup of a link and periodically thereafter to verify the identity of the remote node. After the PPP link establishment phase is complete, the local router sends a challenge message to the remote node. The remote node responds with a value calculated using a one-way hash function (typically Message Digest 5 [MD5]) over the password and the challenge message. The local router checks the response against its own calculation of the expected hash value. If the values match, the authentication is acknowledged; otherwise, the connection is terminated immediately. CHAP provides protection against playback attacks through the use of a variable challenge value that is unique and unpredictable. Because the challenge is unique and random, the resulting hash value is also unique and random. The use of repeated challenges is intended to limit exposure to any single attack. The local router or a third-party authentication server controls the frequency and timing of the challenges.

PPP Authentication Configuration

1. To enable PPP encapsulation, enter interface configuration mode. Use the encapsulation ppp interface configuration command to specify PPP encapsulation on the interface.

Router(config-if)# encapsulation ppp

2. Verify that each router has a host name assigned to it. To assign a host name, enter the hostname name command in global configuration mode. This name must match the username expected by the authenticating router at the other end of the link.

Router(config)# hostname name

3. On each router, define the username and password to expect from the remote router with the username name password password global configuration command.

Router(config)# username name password password

4. Configure PPP authentication. If you configure ppp authentication chap on an interface, all incoming calls on that interface that initiate a PPP connection are authenticated using CHAP. Likewise, if you configure ppp authentication pap, all incoming calls that start a PPP connection are authenticated using PAP. If you configure ppp authentication chap pap, the router attempts to authenticate all incoming calls that start a PPP session by using CHAP; if the remote device does not support CHAP, the router tries to authenticate the call by using PAP. If you configure ppp authentication pap chap, the router attempts to authenticate all incoming calls that start a PPP session with PAP; if the remote device does not support PAP, the access server tries to authenticate the call using CHAP.

Router(config-if)# ppp authentication {chap | chap pap | pap chap | pap}
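The PAP and CHAP exchanges above, as an added example that is not part of the original notes and not Cisco code: a small Python model of two PPP endpoints. Each endpoint holds a hostname and a username/password table, so the model also exercises steps 2 and 3 of the configuration procedure (the peer's hostname must appear as a username entry holding the shared secret on the authenticating router). The names RouterA and RouterB, the secret s3cret, and the challenge bytes are constructed values for the example.

```python
"""CHAP three-way handshake versus PAP, modelled in Python.

Added example for these notes (not Cisco code). Hostnames, secrets and the
challenge bytes are constructed values; the "routers" are plain objects.
"""
import hashlib
import hmac
import os


class PPPPeer:
    """A PPP endpoint acting as authenticator and/or as the authenticated peer."""

    def __init__(self, hostname, usernames):
        self.hostname = hostname            # sent as the CHAP/PAP Name field
        self.usernames = dict(usernames)    # peer hostname -> shared secret
        self._next_id = 1                   # CHAP Identifier, one per challenge

    # ---- CHAP (RFC 1994), authenticator side -------------------------------
    def chap_challenge(self, nbytes=16):
        """Packet 1: a fresh Identifier plus a random, unpredictable Challenge
        value. The randomness is what makes a recorded response useless later."""
        ident = self._next_id
        self._next_id = (self._next_id + 1) % 256
        return ident, os.urandom(nbytes)

    # ---- CHAP, peer side ---------------------------------------------------
    def chap_response(self, ident, challenge, authenticator_name):
        """Packet 2: Value = MD5(Identifier || secret || Challenge). The secret
        is the one stored under the authenticator's hostname; only the hash
        crosses the link, never the secret itself."""
        secret = self.usernames[authenticator_name].encode()
        value = hashlib.md5(bytes([ident]) + secret + challenge).digest()
        return value, self.hostname

    # ---- CHAP, authenticator verifies -------------------------------------
    def chap_verify(self, ident, challenge, value, peer_name):
        """Packet 3: Success/Failure. Recompute the hash from our own copy of
        the secret for peer_name and compare in constant time."""
        secret = self.usernames.get(peer_name)
        if secret is None:
            return False    # no 'username <peer_name>' entry on this router
        expected = hashlib.md5(bytes([ident]) + secret.encode() + challenge).digest()
        return hmac.compare_digest(expected, value)

    # ---- PAP: two-way handshake, password sent in clear text ---------------
    def pap_request(self, authenticator_name):
        """Authenticate-Request carries the Peer-ID and the password as-is."""
        return self.hostname, self.usernames[authenticator_name]

    def pap_verify(self, peer_id, password):
        expected = self.usernames.get(peer_id)
        return expected is not None and hmac.compare_digest(expected, password)


def run_chap(authenticator, peer):
    """Full three-way exchange; True when the peer is authenticated."""
    ident, challenge = authenticator.chap_challenge()
    value, name = peer.chap_response(ident, challenge, authenticator.hostname)
    return authenticator.chap_verify(ident, challenge, value, name)


def run_pap(authenticator, peer):
    """Two-way exchange; returns the result and the password that was visible
    on the wire, which is the whole weakness of PAP."""
    peer_id, password = peer.pap_request(authenticator.hostname)
    return authenticator.pap_verify(peer_id, password), password


def chap_replay_rejected(authenticator, peer):
    """A valid response recorded for one challenge does not satisfy the next
    challenge, because the Identifier and Challenge value have changed."""
    ident, challenge = authenticator.chap_challenge()
    value, name = peer.chap_response(ident, challenge, authenticator.hostname)
    ident2, challenge2 = authenticator.chap_challenge()
    return not authenticator.chap_verify(ident2, challenge2, value, name)


if __name__ == "__main__":
    a = PPPPeer("RouterA", {"RouterB": "s3cret"})    # constructed values
    b = PPPPeer("RouterB", {"RouterA": "s3cret"})
    print("CHAP RouterA authenticates RouterB:", run_chap(a, b))
    print("PAP  RouterA authenticates RouterB:", run_pap(a, b))
    print("old CHAP response rejected on new challenge:", chap_replay_rejected(a, b))
```

Running the script with a peer whose hostname is missing from the authenticator's username table, or whose secret differs, makes chap_verify return False, which is the failure mode behind most CHAP misconfigurations in the procedure above.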


Frame Relay Overview

Frame Relay is a connection-oriented data-link technology that is streamlined to provide high performance and efficiency. For error protection, it relies on upper-layer protocols and on dependable fiber and digital networks. Frame Relay defines the interconnection process between the router and the service provider's local access switching equipment. It does not define how the data is transmitted within the Frame Relay service provider cloud.

Devices attached to a Frame Relay WAN fall into two categories:

Data terminal equipment (DTE): Generally considered to be terminating equipment for a specific network. DTE devices are typically located on the premises of a customer and may be owned by the customer. Examples of DTE devices are Frame Relay access devices (FRADs), routers, and bridges.

Data circuit-terminating equipment (DCE): Carrier-owned internetworking devices. The purpose of DCE devices is to provide clocking and switching services in a network and to transmit data through the WAN. In most cases, the switches in a WAN are Frame Relay switches.

Frame Relay provides a means for statistically multiplexing many logical data conversations (referred to as virtual circuits [VCs]) over a single physical transmission link by assigning connection identifiers to each pair of DTE devices. The service provider switching equipment constructs a switching table that maps the connection identifier to outbound ports. When a frame is received, the switching device analyzes the connection identifier and delivers the frame to the associated outbound port. The complete path to the destination is established prior to the transmission of the first frame.

Frame Relay Terminology

The terms described here may be the same as or slightly different from the terms your Frame Relay service provider uses. Some terms used frequently when discussing Frame Relay are as follows:

Local access rate: Clock speed (port speed) of the connection (local loop) to the Frame Relay cloud. It is the rate at which data travels into or out of the network, regardless of other settings.

VC: Logical circuit, uniquely identified by a data-link connection identifier (DLCI), that is created to ensure bidirectional communication from one DTE device to another. A number of VCs can be multiplexed into a single physical circuit for transmission across the network. This capability can often reduce the complexity of the equipment and network required to connect multiple DTE devices. A VC can pass through any number of intermediate DCE devices (Frame Relay switches). A VC can be either a permanent virtual circuit (PVC) or a switched virtual circuit (SVC).

PVC: Provides permanently established connections that are used for frequent and consistent data transfers between DTE devices across the Frame Relay network. Communication across a PVC does not require the call setup and call teardown that is used with an SVC.

SVC: Provides temporary connections that are used in situations requiring only sporadic data transfer between DTE devices across the Frame Relay network. SVCs are dynamically established on demand and are torn down when transmission is complete.

DLCI: A 10-bit number in the address field of the Frame Relay frame header that identifies the VC. DLCIs have local significance because the identifier references the point between the local router and the local Frame Relay switch to which it is connected. Therefore, devices at opposite ends of a connection can use different DLCI values to refer to the same virtual connection.

Committed information rate (CIR): Specifies the maximum average data rate that the network undertakes to deliver under normal conditions. When subscribing to Frame Relay service, you specify the local access rate (for example, 56 kbps or T1). Typically, you are also asked to specify a CIR for each DLCI. If you send faster than the CIR on a given DLCI, the network flags some frames with a discard eligible (DE) bit. The network does its best to deliver all packets, but discards DE packets first if there is congestion. Many inexpensive Frame Relay services are based on a CIR of zero. A CIR of zero means that every frame is a DE frame, and the network throws any frame away when it needs to. The DE bit is within the address field of the Frame Relay frame header.

Inverse Address Resolution Protocol (Inverse ARP): A method of dynamically associating the remote router network layer address with a local DLCI. Inverse ARP allows a router to automatically discover the network address of the remote DTE device associated with a VC.

LMI: A signaling standard between the router (DTE device) and the local Frame Relay switch (DCE device) that is responsible for managing the connection and maintaining status between the router and the Frame Relay switch.

Forward explicit congestion notification (FECN): A bit in the address field of the Frame Relay frame header. The FECN mechanism is initiated when a DTE device sends Frame Relay frames into the network. If the network is congested, DCE devices (Frame Relay switches) set the FECN bit of the frames to one. When these frames reach the destination DTE device, the address field (with the FECN bit set) indicates that these frames experienced congestion in the path from source to destination. The DTE device can relay this information to a higher-layer protocol for processing. Depending on the implementation, flow control may be initiated or the indication may be ignored.

Backward explicit congestion notification (BECN): A bit in the address field of the Frame Relay frame header. DCE devices set the BECN bit to 1 in frames that travel in the opposite direction of frames that have their FECN bit set. Setting BECN bits to 1 informs the receiving DTE device that a particular path through the network is congested. The DTE device can then relay this information to a higher-layer protocol for processing. Depending on the implementation, flow control may be initiated or the indication may be ignored.

Frame Relay Address Mapping

A Frame Relay connection requires that, on a VC, the local DLCI be mapped to a destination network layer address, such as an IP address. Routers can automatically discover their local DLCI from the local Frame Relay switch using the LMI protocol. On Cisco routers, the local DLCI can be mapped to the remote router network layer addresses dynamically with Inverse ARP. Inverse ARP associates a given DLCI with the next-hop protocol address for a specific connection. Inverse ARP is described in RFC 1293.

Frame Relay Signaling

The LMI is a signaling standard between the router and the Frame Relay switch. The LMI is responsible for managing the connection and maintaining the status between the devices. Although the LMI is configurable, beginning in Cisco IOS Release 11.2 the Cisco router tries to autosense which LMI type the Frame Relay switch is using. The router sends one or more full LMI status requests to the Frame Relay switch.
The Frame Relay switch responds with one or more LMI types, and the router configures itself with the last LMI type received. Three types of LMI are supported:

Cisco: LMI type defined jointly by Cisco, StrataCom, Northern Telecom, and Digital Equipment Corporation

ANSI: Annex D, defined by the ANSI standard T1.617

Q.933A: ITU-T Q.933 Annex A

An administrator setting up a connection to a Frame Relay network may choose the appropriate LMI from the three supported types to ensure proper Frame Relay operation. When the router receives LMI information, it updates its VC status to one of the following three states:

Active state: Indicates that the VC connection is active and that routers can exchange data over the Frame Relay network.

Inactive state: Indicates that the local connection to the Frame Relay switch is working, but the remote router connection to the remote Frame Relay switch is not working.

Deleted state: Indicates that either no LMI is being received from the Frame Relay switch or there is no service between the router and the local Frame Relay switch.

Monitoring Frame Relay

Show Frame-Relay Lmi

The show frame-relay lmi command gives you the LMI traffic statistics exchanged between the local router and the Frame Relay switch.

Show Frame-Relay Pvc

The show frame pvc command lists all configured PVCs and DLCI numbers. It provides the status of each PVC connection and traffic statistics. It also gives you the number of BECN and FECN packets received on the router.

Show Interface

We can also use the show interface command to check for LMI traffic. The show interface command displays information about the encapsulation as well as Layer 2 and Layer 3 information.

Show Frame Map

The show frame map command shows the Network layer-to-DLCI mappings.
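The DLCI, FECN, BECN and DE fields described in the terminology section all live in the two-byte address field of the Frame Relay frame header. The following added example (not part of the notes and not vendor code) packs and parses that field, marks DE on traffic beyond a committed burst in the way the CIR discussion describes, and tallies per-DLCI FECN/BECN/DE counts of the kind show frame-relay pvc reports. The frames, DLCI numbers and burst size are constructed for the example, and the policing model is a simplification covering a single measurement interval.

```python
"""Frame Relay (Q.922) two-byte address field: DLCI, C/R, FECN, BECN, DE.

Added example for these notes, not vendor code. All frames below are
constructed in the script; DLCI numbers and sizes are made up.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class FRAddress:
    dlci: int           # 10-bit data-link connection identifier, locally significant
    cr: bool = False    # command/response bit, not used by Frame Relay itself
    fecn: bool = False  # forward explicit congestion notification
    becn: bool = False  # backward explicit congestion notification
    de: bool = False    # discard eligible


def build_address(a):
    """Pack the fields into the two address bytes.
    byte 0: DLCI bits 9..4 | C/R | EA=0 (another address byte follows)
    byte 1: DLCI bits 3..0 | FECN | BECN | DE | EA=1 (last address byte)"""
    if not 0 <= a.dlci <= 1023:
        raise ValueError("DLCI must fit in 10 bits")
    b0 = ((a.dlci >> 4) << 2) | (int(a.cr) << 1)           # EA bit stays 0
    b1 = (((a.dlci & 0x0F) << 4) | (int(a.fecn) << 3)
          | (int(a.becn) << 2) | (int(a.de) << 1) | 1)      # EA bit is 1
    return bytes([b0, b1])


def parse_address(frame):
    """Decode the address field at the start of a frame (flag already removed)."""
    if len(frame) < 2:
        raise ValueError("truncated address field")
    b0, b1 = frame[0], frame[1]
    if (b0 & 1) or not (b1 & 1):
        raise ValueError("only the 2-byte address format is handled (EA bits)")
    dlci = ((b0 >> 2) << 4) | (b1 >> 4)
    return FRAddress(dlci, bool(b0 & 0x02), bool(b1 & 0x08),
                     bool(b1 & 0x04), bool(b1 & 0x02))


def mark_de_over_bc(frames, bc_bytes):
    """Ingress policing model for one interval Tc: per DLCI, bytes up to the
    committed burst Bc (= CIR * Tc) pass unchanged; every frame after that
    point is forwarded with DE=1, so it is discarded first under congestion."""
    sent = {}
    out = []
    for addr, payload in frames:
        a = parse_address(addr)
        sent[a.dlci] = sent.get(a.dlci, 0) + len(payload)
        if sent[a.dlci] > bc_bytes:
            a = replace(a, de=True)
        out.append((build_address(a), payload))
    return out


def pvc_counters(frames):
    """Per-DLCI tallies comparable to the FECN/BECN/DE counts that
    'show frame-relay pvc' reports."""
    stats = {}
    for addr, _payload in frames:
        a = parse_address(addr)
        s = stats.setdefault(a.dlci, {"frames": 0, "fecn": 0, "becn": 0, "de": 0})
        s["frames"] += 1
        s["fecn"] += int(a.fecn)
        s["becn"] += int(a.becn)
        s["de"] += int(a.de)
    return stats


# Constructed sample traffic: five 100-byte frames on DLCI 100, one of them
# carrying FECN set by a congested switch, and one frame on DLCI 200 with BECN.
SAMPLE_FRAMES = [
    (build_address(FRAddress(100)), b"\x00" * 100),
    (build_address(FRAddress(100, fecn=True)), b"\x00" * 100),
    (build_address(FRAddress(100)), b"\x00" * 100),
    (build_address(FRAddress(100)), b"\x00" * 100),
    (build_address(FRAddress(100)), b"\x00" * 100),
    (build_address(FRAddress(200, becn=True)), b"\x00" * 100),
]

if __name__ == "__main__":
    print(parse_address(bytes([0x18, 0x41])))    # DLCI 100, no flags set
    print(pvc_counters(SAMPLE_FRAMES))
    print(pvc_counters(mark_de_over_bc(SAMPLE_FRAMES, bc_bytes=250)))
```

With a 250-byte committed burst the third, fourth and fifth frames on DLCI 100 exceed Bc and come out DE-marked, while DLCI 200 stays within its allowance; a CIR of zero corresponds to bc_bytes=0, where every frame is marked, which is the "every frame is a DE frame" case the notes describe.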