Tài liệu Quản trị mạng cơ bản CCNA (CCNA Basic Network Administration Course Notes), 12/2017

1. INTRODUCTION TO NETWORKS

Networking Today: Networks in Our Past and Daily Lives
Networking Today: The Global Community
Interconnecting Our Lives: Networking Impacts in Our Daily Lives
▪ Networks support the way we learn.
▪ Networks support the way we communicate.
▪ Networks support the way we work.
▪ Networks support the way we play.

Providing Resources in a Network: Networks of Many Sizes
Providing Resources in a Network: Clients and Servers
Providing Resources in a Network: Peer-to-Peer

LANs, WANs, and Internets: Components of a Network
There are three categories of network components:
▪ Devices
▪ Media
▪ Services

Components of a Network: End Devices
Some examples of end devices are:
▪ Computers (workstations, laptops, file servers, web servers)
▪ Network printers
▪ VoIP phones
▪ TelePresence endpoints
▪ Security cameras
▪ Mobile handheld devices (such as smartphones, tablets, PDAs, and wireless debit/credit card readers and barcode scanners)

Components of a Network: Network Infrastructure Devices
Examples of intermediary network devices are:
▪ Network access devices (switches and wireless access points)
▪ Internetworking devices (routers)
▪ Security devices (firewalls)

Components of a Network: Network Media
Components of a Network: Network Representations
Components of a Network: Topology Diagrams

2. NETWORKING TYPES

LANs and WANs: Types of Networks
The two most common types of network infrastructures are:
▪ Local Area Network (LAN)
▪ Wide Area Network (WAN)
Other types of networks include:
▪ Metropolitan Area Network (MAN)
▪ Wireless LAN (WLAN)
▪ Storage Area Network (SAN)

LANs and WANs: Local Area Networks (LAN)
LANs and WANs: Wide Area Networks (WAN)
LANs, WANs, and the Internet: The Internet

Connecting to the Internet: Connecting Remote Users to the Internet
Connecting to the Internet: Connecting Businesses to the Internet

Reliable Network: Supporting Network Architecture
As networks evolve, we are discovering that there are four basic characteristics that the underlying architectures need to address in order to meet user expectations:
▪ Fault tolerance
▪ Scalability
▪ Quality of Service (QoS)
▪ Security

Network Trends: Cloud Computing
Cloud computing offers the following potential benefits:
▪ Organizational flexibility
▪ Agility and rapid deployment
▪ Reduced cost of infrastructure
▪ Refocus of IT resources
▪ Creation of new business models

Networking Technologies for the Home: Technology Trends in the Home
Networking Technologies for the Home: Powerline Networking
Networking Technologies for the Home: Wireless Broadband
Future of Networking: Network Security

Network Security: Security Threats
The most common external threats to networks include:
▪ Viruses, worms, and Trojan horses
▪ Spyware and adware
▪ Zero-day attacks, also called zero-hour attacks
▪ Hacker attacks
▪ Denial of service (DoS) attacks
▪ Data interception and theft
▪ Identity theft

Network Security: Security Solutions
Network security components often include:
▪ Antivirus and antispyware
▪ Firewall filtering
▪ Dedicated firewall systems
▪ Access control lists (ACL)
▪ Intrusion prevention systems (IPS)
▪ Virtual Private Networks (VPNs)

3. OSI REFERENCE MODEL

Protocols: Network Protocols
Network protocols define:
▪ How the message is formatted or structured
▪ The process by which networking devices share information about pathways with other networks
▪ How and when error and system messages are passed between devices
▪ The setup and termination of data transfer sessions

Protocols: Interaction of Protocols
▪ Application protocol – Hypertext Transfer Protocol (HTTP)
▪ Transport protocol – Transmission Control Protocol (TCP)
▪ Internet protocol – Internet Protocol (IP)
▪ Network access protocols – data link and physical layers

Protocol Suites: Protocol Suites and Industry Standards
Protocol Suites: TCP/IP Protocol Suite and Communication

Standards Organizations: Open Standards
▪ The Internet Society (ISOC)
▪ The Internet Architecture Board (IAB)
▪ The Internet Engineering Task Force (IETF)
▪ Institute of Electrical and Electronics Engineers (IEEE)
▪ The International Organization for Standards (ISO)

Standards Organizations: ISOC, IAB, and IETF

Standards Organizations: IEEE
▪ 38 societies
▪ 130 journals
▪ 1,300 conferences each year
▪ 1,300 standards and projects
▪ 400,000 members
▪ 160 countries
▪ IEEE 802.3, IEEE 802.11

Standards Organizations: ISO – OSI Model

Standards Organizations: Other Standards Organizations
▪ The Electronic Industries Alliance (EIA)
▪ The Telecommunications Industry Association (TIA)
▪ The International Telecommunications Union – Telecommunications Standardization Sector (ITU-T)
▪ The Internet Corporation for Assigned Names and Numbers (ICANN)
▪ The Internet Assigned Numbers Authority (IANA)

Reference Models: Benefits of Using a Layered Model
Reference Models: The OSI Reference Model

4. TCP/IP LAYERS

Reference Models: The TCP/IP Reference Model
Reference Models: Comparing the OSI and TCP/IP Models

5. ETHERNET TECHNOLOGIES AND CABLING

Ethernet Operation: LLC and MAC Sublayers
Ethernet
▪ One of the most widely used LAN technologies
▪ Operates in the data link layer and the physical layer
▪ Family of networking technologies that are defined in the IEEE 802.2 and 802.3 standards
▪ Supports data bandwidths of 10, 100, 1000, 10,000, 40,000, and 100,000 Mbps (100 Gbps)
Ethernet standards
▪ Define Layer 2 protocols and Layer 1 technologies
▪ Two separate sublayers of the data link layer operate: logical link control (LLC) and the MAC sublayer

Ethernet Operation: MAC Sublayer
MAC
▪ Responsible for the placement of frames on the media and the removal of frames from the media
▪ Communicates directly with the physical layer
▪ If multiple devices on a single medium attempt to forward data simultaneously, the data will collide, resulting in corrupted, unusable data
▪ Ethernet provides a method for controlling how the nodes share access through the use of a Carrier Sense Multiple Access (CSMA) technology

Ethernet Operation: Media Access Control
Carrier Sense Multiple Access (CSMA) process
▪ Used to first detect if the media is carrying a signal
▪ If no carrier signal is detected, the device transmits its data
▪ If two devices transmit at the same time, a data collision occurs
CSMA is usually implemented in conjunction with a method for resolving media contention.
The two commonly used methods are CSMA/Collision Detection (CSMA/CD) and CSMA/Collision Avoidance (CSMA/CA).

CSMA/Collision Detection (CSMA/CD)
• The device monitors the media for the presence of a data signal
• If a data signal is absent, indicating that the media is free, the device transmits the data
• If signals are then detected that show another device was transmitting at the same time, all devices stop sending and try again later
• While Ethernet networks are designed with CSMA/CD technology, with today's intermediate devices collisions do not occur and the processes utilized by CSMA/CD are really unnecessary
• Wireless connections in a LAN environment still have to take collisions into account

Ethernet Operation: Media Access Control (cont.)
CSMA/Collision Avoidance (CSMA/CA) media access method
• The device examines the media for the presence of a data signal; if the media is free, the device sends a notification across the media of its intent to use it
• The device then sends the data
• Used by 802.11 wireless networking technologies

Ethernet Frame Attributes: Ethernet Frame Size
▪ Ethernet II and IEEE 802.3 standards define the minimum frame size as 64 bytes and the maximum as 1518 bytes
▪ A frame less than 64 bytes in length is considered a "collision fragment" or "runt frame"
▪ If the size of a transmitted frame is less than the minimum or greater than the maximum, the receiving device drops the frame
▪ At the physical layer, different versions of Ethernet vary in their method for detecting and placing data on the media

Ethernet MAC: End-to-End Connectivity, MAC, and IP
IP Packet Encapsulated in an Ethernet Frame
ARP: Introduction to ARP
ARP purpose
▪ The sending node needs a way to find the MAC address of the destination for a given Ethernet link
The ARP protocol provides two basic functions:
▪ Resolving IPv4 addresses to MAC addresses
▪ Maintaining a table of mappings

ARP: ARP Functions/Operation
ARP table
▪ Used to find the data link layer address that is mapped to the destination IPv4 address.
▪ As a node receives frames from the media, it records the source IP and MAC address as a mapping in the ARP table.
ARP request
▪ Layer 2 broadcast to all devices on the Ethernet LAN.
▪ The node that matches the IP address in the broadcast will reply.
▪ If no device responds to the ARP request, the packet is dropped because a frame cannot be created.
Note: Static map entries can be entered in an ARP table, but this is rarely done.

ARP: ARP Operation

ARP: ARP Role in Remote Communication
▪ If the destination IPv4 host is on the local network, the frame will use the MAC address of this device as the destination MAC address.
▪ If the destination IPv4 host is not on the local network, the source uses the ARP process to determine a MAC address for the router interface serving as the gateway.
▪ In the event that the gateway entry is not in the table, an ARP request is used to retrieve the MAC address associated with the IP address of the router interface.

ARP: Removing Entries from an ARP Table
▪ The ARP cache timer removes ARP entries that have not been used for a specified period of time.
▪ Commands may also be used to manually remove all or some of the entries in the ARP table.
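The local-versus-gateway decision, the ageing timer, static entries and the drop-when-no-reply rule from the ARP slides above, as an added example in Python that is not part of the course material. The LAN hosts, the MAC addresses (taken from the IANA documentation range 00:00:5e:00:53:xx), the 300-second timer and the simulated broadcast are constructed assumptions.

```python
import ipaddress

# Constructed sample LAN for the example: which MAC answers for which IPv4
# address. The router interface 192.168.10.1 is the default gateway.
LAN_HOSTS = {
    "192.168.10.10": "00:00:5e:00:53:0a",
    "192.168.10.20": "00:00:5e:00:53:14",
    "192.168.10.1": "00:00:5e:00:53:01",
}
LOCAL_NETWORK = ipaddress.ip_network("192.168.10.0/24")
GATEWAY_IP = "192.168.10.1"


class ArpTable:
    """IPv4 -> MAC mappings with a cache timer; static entries never age out."""

    def __init__(self, timeout_s=300):
        self.timeout_s = timeout_s
        self._entries = {}          # ip -> (mac, learned_at, is_static)

    def learn(self, ip, mac, now, static=False):
        """Record a mapping, e.g. from the source IP/MAC of a received frame."""
        self._entries[ip] = (mac, now, static)

    def lookup(self, ip, now):
        """Return the MAC for ip, or None; stale dynamic entries are removed."""
        entry = self._entries.get(ip)
        if entry is None:
            return None
        mac, learned_at, static = entry
        if not static and now - learned_at > self.timeout_s:
            del self._entries[ip]   # the cache timer expired this entry
            return None
        return mac

    def clear(self, ip=None):
        """Manual removal of one entry or of the whole table."""
        if ip is None:
            self._entries.clear()
        else:
            self._entries.pop(ip, None)


def arp_target(dest_ip):
    """Which IPv4 address has to be resolved to frame a packet for dest_ip."""
    if ipaddress.ip_address(dest_ip) in LOCAL_NETWORK:
        return dest_ip              # local destination: resolve the host itself
    return GATEWAY_IP               # remote destination: resolve the gateway


def arp_request(target_ip):
    """Simulated Layer 2 broadcast: only the host owning target_ip replies."""
    return LAN_HOSTS.get(target_ip)


def resolve(table, dest_ip, now):
    """Return (how, target_ip, mac); mac is None when the packet is dropped."""
    target = arp_target(dest_ip)
    mac = table.lookup(target, now)
    if mac is not None:
        return ("cache", target, mac)
    mac = arp_request(target)
    if mac is None:
        return ("dropped", target, None)   # no reply, so no frame can be built
    table.learn(target, mac, now)
    return ("request", target, mac)


if __name__ == "__main__":
    table = ArpTable()
    for dest, t in (("192.168.10.20", 0), ("192.168.10.20", 10), ("10.0.0.5", 20),
                    ("192.168.10.99", 30), ("192.168.10.20", 400)):
        print(dest, "at t =", t, "->", resolve(table, dest, t))
```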
Link Aggregation
• Link Aggregation (LA): the combination of multiple physical links to function as a single logical link.
• Link Aggregation Group (LAG): a group of physical links that make up a single aggregation. Each physical port may be a member of a single LAG.
• Link Aggregation Control Protocol (LACP): the protocol specified by IEEE 802.3ad-2000 to outline standardized link aggregation.

Link Aggregation
• Also known as port bundling or link bundling
• You can use multiple links in parallel as a single, logical link:
  - for increased capacity
  - for redundancy (fault tolerance)
• LACP (Link Aggregation Control Protocol) is a standardized method of negotiating these bundled links between switches

LACP Operation
• Two switches connected via multiple links will send LACPDU packets, identifying themselves and the port capabilities
• They will then automatically build the logical aggregated links, and then pass traffic
• Switch ports can be configured as active or passive

LACP Operation
[Diagram: Switch A and Switch B connected by two 100 Mbps links, exchanging LACPDUs]
• Switches A and B are connected to each other using two sets of Fast Ethernet ports
• LACP is enabled and the ports are turned on
• Switches start sending LACPDUs, then negotiate how to set up the aggregation

LACP Operation
[Diagram: the two 100 Mbps links between Switch A and Switch B form one 200 Mbps logical link]
• The result is an aggregated 200 Mbps logical link
• The link is also fault tolerant: if one of the member links fails, LACP will automatically take that link off the bundle and keep sending traffic over the remaining link

SLAs for IP/MPLS Networks
• Cisco IOS IP SLAs' operations measure per VPN
• Allows measurements from a PE to CE routers
[Diagram: SP converged IP/MPLS network with a P router (CRS-1) between Enterprise Site 1 and Enterprise Site 2; measure either CE–PE, CE–CE or PE–PE links]

Cisco IOS IP SLAs: Understanding IP Service Levels
• Optimize IP business applications and services: Voice over IP, video, and VPN
• Reduce total cost of ownership
• End-to-end service level measurements

Cisco IOS IP SLAs: Benefits
Optimized applications and services
• Performance visibility
• Prove service levels
• Enhance customer satisfaction
• Enhance acceptance of business-critical services
Reduced total cost of ownership and OpEx
• Reduce deployment time
• Lower mean time to restore and downtime
• Proactive identification of issues enforces higher reliability
[Figure labels: Continuous, Predictable, Reliable; Measurements and Metrics; Automated, Intelligence, Proactive]

Cisco IOS IP SLAs: Advantages
VPN
• SLAs are essential to VPN services
• Quality of Service (QoS)-based measurements
• Revenue for differentiated services
• Brings IP service customer confidence
VoIP
• Demonstrate how VoIP is working
• Deploy with confidence
• Enhanced customer satisfaction
• Metrics useful for troubleshooting and reducing downtime
Business applications
• Assure delivery with network performance
• Meet business objectives with guaranteed service levels
• Assure network quality of service
• Reduce downtime
Key services benefit from Cisco IOS IP SLA.

Cisco IOS IP SLAs: Uses and Metrics
Data traffic
  Requirement: minimize delay and packet loss; verify QoS
  IP SLA measurement: jitter, packet loss, latency, per QoS
VoIP
  Requirement: minimize delay, packet loss, and jitter
  IP SLA measurement: jitter, packet loss, latency, MOS voice quality score
Service level agreement
  Requirement: measure delay, packet loss, and jitter; one-way
  IP SLA measurement: jitter, packet loss, latency, one-way, enhanced accuracy (NTP)
Availability
  Requirement: connectivity testing
  IP SLA measurement: connectivity tests to IP devices
Streaming video
  Requirement: minimize delay and packet loss
  IP SLA measurement: jitter, packet loss, latency

Chapter 2: IP Addressing and Subnets
1. IP Addresses – Composition, Types and Classes
2. Private and Public IP Address
3. Subnetting
4. Variable Length Subnet Mask (VLSM)
5. Route Summarization

1. IP ADDRESSES – COMPOSITION, TYPES AND CLASSES

IPv4 Address Structure: Converting a Binary Address to Decimal
IPv4 Address Structure: Converting from Decimal to Binary
Exercise: 168 = ? (binary)

2. PRIVATE AND PUBLIC IP ADDRESS

Types of IPv4 Address: Public and Private IPv4 Addresses
Hosts that do not require access to the Internet can use private addresses. The private address blocks are:
▪ 10.0.0.0 to 10.255.255.255 (10.0.0.0/8)
▪ 172.16.0.0 to 172.31.255.255 (172.16.0.0/12)
▪ 192.168.0.0 to 192.168.255.255 (192.168.0.0/16)
Shared address space addresses:
▪ Not globally routable
▪ Intended only for use in service provider networks
▪ Address block is 100.64.0.0/10

Types of IPv4 Address: Special Use IPv4 Addresses
▪ Network and broadcast addresses – within each network the first and last addresses cannot be assigned to hosts
▪ Loopback address – 127.0.0.1, a special address that hosts use to direct traffic to themselves (addresses 127.0.0.0 to 127.255.255.255 are reserved)
▪ Link-local addresses – 169.254.0.0 to 169.254.255.255 (169.254.0.0/16); addresses can be automatically assigned to the local host
▪ TEST-NET addresses – 192.0.2.0 to 192.0.2.255 (192.0.2.0/24), set aside for teaching and learning purposes, used in documentation and network examples
▪ Experimental addresses – 240.0.0.0 to 255.255.255.254 are listed as reserved

Types of IPv4 Address: Legacy Classful Addressing

3. SUBNETTING

Network Segmentation: Reasons for Subnetting
Subnetting is the process of segmenting a network into multiple smaller network spaces called subnetworks or subnets.
Large networks must be segmented into smaller subnetworks, creating smaller groups of devices and services, to:
• Control traffic by containing broadcast traffic within each subnetwork.
• Reduce overall network traffic and improve network performance.

Network Segmentation: Communication Between Subnets
▪ A router is necessary for devices on different networks and subnets to communicate.
▪ Each router interface must have an IPv4 host address that belongs to the network or subnet to which the router interface is connected.
▪ Devices on a network and subnet use the router interface attached to their LAN as their default gateway.

Subnetting an IPv4 Network: Basic Subnetting
Borrowing bits to create subnets
Borrowing 1 bit: 2^1 = 2 subnets. Borrowing 1 bit from the host portion creates 2 subnets with the same subnet mask:
▪ Subnet 0 – Network 192.168.1.0–127/25, mask 255.255.255.128
▪ Subnet 1 – Network 192.168.1.128–255/25, mask 255.255.255.128

Subnetting an IPv4 Network: Subnets in Use
▪ Subnet 0 – Network 192.168.1.0–127/25
▪ Subnet 1 – Network 192.168.1.128–255/25

Determining the Subnet Mask: Subnetting Based on Host Requirements
Two considerations when planning subnets:
▪ Number of subnets required
▪ Number of host addresses required
Formula to determine the number of usable hosts: 2^n − 2
▪ 2^n (where n is the number of remaining host bits) is used to calculate the number of hosts.
▪ −2 (the subnetwork ID and broadcast address cannot be used on each subnet).

Determining the Subnet Mask: Subnetting Based on Network Requirements
▪ Calculate the number of subnets: 2^n (where n is the number of bits borrowed).
▪ A subnet is needed for each department.

Determining the Subnet Mask: Subnetting To Meet Network Requirements
▪ Balance the required number of subnets and hosts for the largest subnet.
▪ Design the addressing scheme to accommodate the maximum number of hosts for each subnet.
▪ Allow for growth in each subnet.
Benefits of Variable Length Subnet Masking: Traditional Subnetting Wastes Addresses
Traditional subnetting – the same number of addresses is allocated for each subnet. Subnets that require fewer addresses have unused (wasted) addresses; for example, WAN links only need two addresses.

4. VARIABLE LENGTH SUBNET MASKS (VLSM)

Benefits of Variable Length Subnet Masking: Variable Length Subnet Masks (VLSM)
▪ The variable-length subnet mask (VLSM), or subnetting a subnet, provides more efficient use of addresses.
▪ VLSM allows a network space to be divided in unequal parts.
▪ The subnet mask varies, depending on how many bits have been borrowed for a particular subnet.
▪ The network is first subnetted, and then the subnets are re-subnetted.

Benefits of Variable Length Subnet Masking: Basic VLSM

Benefits of Variable Length Subnet Masking: VLSM in Practice
Using VLSM subnets, the LAN and WAN segments in the example can be addressed with minimum waste:
▪ Each LAN will be assigned a subnet with a /27 mask.
▪ Each WAN link will be assigned a subnet with a /30 mask.

Benefits of Variable Length Subnet Masking: VLSM Chart

Structured Design: Planning to Address the Network
Allocation of network addresses should be planned and documented for the purposes of:
▪ Preventing duplication of addresses
▪ Providing and controlling access
▪ Monitoring security and performance
Client addresses – usually dynamically assigned using the Dynamic Host Configuration Protocol (DHCP).
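The 2^n − 2 host formula and the VLSM allocation described above (/27 per LAN, /30 per WAN link), as an added example in Python that is not part of the course material. The 192.168.1.0/24 block, the LAN and WAN requirement list and the names are assumptions; the allocator generalizes the VLSM chart to any requirement list and also reports how many addresses a fixed-length (traditional) scheme would have consumed.

```python
import ipaddress

# Constructed requirements: three LANs needing up to 30 hosts each and three
# point-to-point WAN links needing 2 hosts each, carved from an assumed
# 192.168.1.0/24 block (all of these values are assumptions).
BASE_BLOCK = "192.168.1.0/24"
REQUIREMENTS = [
    ("LAN-A", 30), ("LAN-B", 30), ("LAN-C", 30),
    ("WAN-1", 2), ("WAN-2", 2), ("WAN-3", 2),
]


def usable_hosts(prefixlen):
    """2^n - 2 usable addresses, n being the remaining host bits."""
    n = 32 - prefixlen
    return (2 ** n) - 2


def subnets_from_borrowed_bits(bits):
    """2^n subnets, n being the number of bits borrowed from the host portion."""
    return 2 ** bits


def prefix_for_hosts(hosts):
    """Longest prefix (smallest subnet) whose 2^n - 2 still covers `hosts`."""
    n = 2                       # fewer than 2 host bits leaves no usable address
    while usable_hosts(32 - n) < hosts:
        n += 1
    return 32 - n


def allocate_vlsm(block, requirements):
    """Assign each (name, hosts) requirement a subnet of the right size.

    Largest requirements are placed first so that smaller subnets fill the
    space left behind; each free block is split only as far as needed.
    Returns a list of (name, IPv4Network) in allocation order.
    """
    free = [ipaddress.ip_network(block)]    # unallocated blocks, ascending
    allocated = []
    for name, hosts in sorted(requirements, key=lambda r: r[1], reverse=True):
        plen = prefix_for_hosts(hosts)
        for i, candidate in enumerate(free):
            if candidate.prefixlen > plen:
                continue                     # too small for this subnet
            if candidate.prefixlen == plen:
                subnet, leftover = candidate, []
            else:
                subnet = next(candidate.subnets(new_prefix=plen))
                leftover = sorted(candidate.address_exclude(subnet))
            free[i:i + 1] = leftover         # keep the unused remainder free
            allocated.append((name, subnet))
            break
        else:
            raise ValueError(f"no free space left for {name} (/{plen})")
    return allocated


def addresses_consumed(allocation):
    """Total addresses (usable or not) taken by an allocation."""
    return sum(net.num_addresses for _, net in allocation)


def fixed_length_consumption(requirements):
    """Traditional subnetting: every subnet sized for the largest requirement."""
    plen = prefix_for_hosts(max(hosts for _, hosts in requirements))
    return len(requirements) * (2 ** (32 - plen))


if __name__ == "__main__":
    plan = allocate_vlsm(BASE_BLOCK, REQUIREMENTS)
    for name, net in plan:
        print(f"{name:6} {str(net):18} mask {net.netmask}"
              f"  usable hosts {usable_hosts(net.prefixlen)}")
    print("VLSM addresses used:", addresses_consumed(plan))
    print("fixed-length addresses used:", fixed_length_consumption(REQUIREMENTS))
```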
Structured Design: Sample Network Addressing Plan

Chapter 3 – Introduction to Cisco Routers, Switches and IOS
1. Introduction to Cisco Routers, Switches, IOS and the Boot Process
2. Using the Command-Line Interface (CLI)
3. Basic Configuration of Routers and Switches
4. Configuring Router Interfaces
5. Gathering Information and Verifying Configuration
6. Saving, Erasing, Restoring and Backing up Configuration and IOS File
7. Password Recovery on a Cisco Router
8. Cisco Discovery Protocol (CDP)
9. Using Telnet, SSH on IOS

1. INTRODUCTION TO CISCO ROUTERS, SWITCHES, IOS AND THE BOOT PROCESS

Cisco IOS: Operating Systems
▪ All networking equipment is dependent on operating systems
▪ The operating system on home routers is usually called firmware
▪ Cisco IOS – collection of network operating systems used on Cisco devices

Cisco IOS: Purpose of OS
PC operating systems (Windows 8 and OS X) perform technical functions that enable:
▪ Use of a mouse
▪ Viewing output
▪ Entering text
Switch or router IOS provides options to:
▪ Configure interfaces
▪ Enable routing and switching functions
All networking devices come with a default IOS. It is possible to upgrade the IOS version or feature set. In this course, the primary focus is Cisco IOS Release 15.x.

Cisco IOS: Location of the Cisco IOS
▪ Cisco IOS is stored in flash
▪ Non-volatile storage, not lost when power is lost
▪ Can be changed or overwritten as needed
▪ Can be used to store multiple versions of IOS
▪ IOS is copied from flash to volatile RAM
▪ The quantity of flash and RAM memory determines the IOS that can be used

Cisco IOS: IOS Functions
These are the major functions performed or enabled by Cisco routers and switches.
Accessing a Cisco IOS Device: Console Access Method
Most common methods to access the CLI:
▪ Console
▪ Telnet or SSH
▪ AUX port

Accessing a Cisco IOS Device: Console Access Method
Console port
▪ The device is accessible even if no networking services have been configured (out-of-band)
▪ Needs a special console cable
▪ Allows configuration commands to be entered
▪ Should be configured with passwords to prevent unauthorized access
▪ The device should be located in a secure room so the console port cannot be easily accessed

Accessing a Cisco IOS Device: Telnet, SSH, and AUX Access Methods
Telnet
▪ Method for remotely accessing the CLI over a network
▪ Requires active networking services and one active interface that is configured
Secure Shell (SSH)
▪ Remote login similar to Telnet, but utilizes more security
▪ Stronger password authentication
▪ Uses encryption when transporting data
AUX port
▪ Out-of-band connection
▪ Uses a telephone line
▪ Can be used like the console port

Accessing a Cisco IOS Device: Terminal Emulation Programs
Software available for connecting to a networking device:
▪ PuTTY
▪ Tera Term
▪ SecureCRT
▪ HyperTerminal
▪ OS X Terminal

2. USING THE COMMAND-LINE INTERFACE (CLI)

Navigating the IOS: Cisco IOS Modes of Operation
Navigating the IOS: Primary Modes
Navigating the IOS: Global Configuration Mode and Submodes
Navigating the IOS: Navigating Between IOS Modes
The Command Structure: IOS Command Structure

The Command Structure: Cisco IOS Command Reference
To navigate to Cisco's IOS Command Reference to find a command:
1. Go to http://www.cisco.com.
2. Click Support.
3. Click Networking Software (IOS & NX-OS).
4. Click 15.2M&T (for example).
5. Click Reference Guides.
6. Click Command References.
7. Click the particular technology that encompasses the command you are referencing.
8. Click the link on the left that alphabetically matches the command you are referencing.
9. Click the link for the command.

The Command Structure: Context-Sensitive Help
The Command Structure: Command Syntax Check

The Command Structure: Hot Keys and Shortcuts
▪ Tab – Completes the remainder of a partially typed command or keyword.
▪ Ctrl-R – Redisplays a line.
▪ Ctrl-A – Moves to the beginning of the line.
▪ Ctrl-Z – Exits the configuration mode and returns to user EXEC.
▪ Down Arrow – Allows the user to scroll forward through former commands.
▪ Up Arrow – Allows the user to scroll backward through former commands.
▪ Ctrl-Shift-6 – Allows the user to interrupt an IOS process such as ping or traceroute.
▪ Ctrl-C – Exits the current configuration or aborts the current command.

The Command Structure: IOS Examination Commands
The Command Structure: The show version Command

4. CONFIGURING ROUTER INTERFACES

Hostnames: Why the Switch
Let's focus on:
▪ Creating a two-PC network connected via a switch
▪ Setting a name for the switch
▪ Limiting access to the device configuration
▪ Configuring banner messages
▪ Saving the configuration

Hostnames: Device Names
Some guidelines for naming conventions:
▪ Start with a letter
▪ Contain no spaces
▪ End with a letter or digit
▪ Use only letters, digits, and dashes
▪ Be less than 64 characters in length
Without names, network devices are difficult to identify for configuration purposes.

Hostnames: Configuring Device Names
Hostnames allow devices to be identified by network administrators over a network or the Internet.
Hostnames: Configuring Hostnames

Limiting Access to Device Configurations: Securing Device Access
These are device access passwords:
▪ enable password – Limits access to the privileged EXEC mode
▪ enable secret – Encrypted; limits access to the privileged EXEC mode
▪ console password – Limits device access using the console connection
▪ VTY password – Limits device access over Telnet
Note: In most of the labs in this course, we will be using simple passwords such as cisco or class.

Limiting Access to Device Configurations: Securing Privileged EXEC Access Mode
Use the enable secret command, not the older enable password command. The enable secret command provides greater security because the password is encrypted.

Limiting Access to Device Configurations: Securing User EXEC Access
▪ The console port must be secured; it reduces the chance of unauthorized personnel physically plugging a cable into the device and gaining device access.
▪ VTY lines allow access to a Cisco device via Telnet. The number of VTY lines supported varies with the type of device and the IOS version.
Limiting Access to Device Configurations: Encrypting Password Display
service password-encryption
▪ Prevents passwords from showing up as plain text when viewing the configuration
▪ Keeps unauthorized individuals from viewing passwords in the configuration file
▪ Once applied, removing the encryption service does not reverse the encryption

Limiting Access to Device Configurations: Banner Messages
▪ Important part of the legal process in the event that someone is prosecuted for breaking into a device
▪ Wording that implies that a login is "welcome" or "invited" is not appropriate
▪ Often used for legal notification because it is displayed to all connected terminals

5, 6. GATHERING INFORMATION AND VERIFYING CONFIGURATION

Saving Configurations: Configuration Files
    Switch# reload
    System configuration has been modified. Save? [yes/no]: n
    Proceed with reload? [confirm]
The startup configuration is removed by using the erase startup-config command:
    Switch# erase startup-config
On a switch, you must also issue the delete vlan.dat command:
    Switch# delete vlan.dat
    Delete filename [vlan.dat]?
    Delete flash:vlan.dat? [confirm]

Saving Configurations: Capturing Text

Ports and Addresses: IP Addressing of Devices
▪ Each end device on a network must be configured with an IP address.
▪ The structure of an IPv4 address is called dotted decimal.
▪ An IP address is displayed in decimal notation, with four decimal numbers between 0 and 255.
▪ With the IP address, a subnet mask is also necessary.
▪ IP addresses can be assigned to both physical ports and virtual interfaces.

Ports and Addresses: Interfaces and Ports
▪ Network communications depend on end user device interfaces, networking device interfaces, and the cables that connect them.
▪ Types of network media include twisted-pair copper cables, fiber-optic cables, coaxial cables, or wireless.
▪ Different types of network media have different features and benefits.
▪ Ethernet is the most common local area network (LAN) technology.
▪ Ethernet ports are found on end user devices, switch devices, and other networking devices.
▪ Cisco IOS switches have physical ports for devices to connect to, but also have one or more switch virtual interfaces (SVIs; no physical hardware on the device is associated with them; created in software).
▪ An SVI provides a means to remotely manage a switch over a network.

Addressing Devices: Configuring a Switch Virtual Interface
▪ IP address – Together with the subnet mask, uniquely identifies the end device on the internetwork.
▪ Subnet mask – Determines which part of a larger network is used by an IP address.
▪ interface VLAN 1 – Available in interface configuration mode.
▪ ip address 192.168.10.2 255.255.255.0 – Configures the IP address and subnet mask for the switch.
▪ no shutdown – Administratively enables the interface.
▪ The switch still needs to have physical ports configured and VTY lines to enable remote management.
Addressing Devices: Configuring a Switch Virtual Interface
Addressing Devices: Manual IP Address Configuration for End Devices
Addressing Devices: Automatic IP Address Configuration for End Devices
Addressing Devices: IP Address Conflicts

Verifying Connectivity: Test the Loopback Address on an End Device
Verifying Connectivity: Testing the Interface Assignment
Verifying Connectivity: Testing End-to-End Connectivity

7. PASSWORD RECOVERY ON A CISCO ROUTER
http://www.cisco.com/c/en/us/support/docs/routers/2600-series-multiservice-platforms/22188-pswdrec-2600.html

9. USING TELNET, SSH ON IOS

CHAPTER 4 – INTRODUCTION TO IP ROUTING
Routing & Switching, Chapter 4
1. Understanding IP Routing
2. Static, Default and Dynamic Routing
3. Administrative Distance and Routing Metrics
4. Classes of Routing Protocols
5. Routing Loops
6. Route Redistribution
7. Understanding DHCP and DNS Servers

1. UNDERSTANDING IP ROUTING

Functions of a Router: Why Routing?
The router is responsible for the routing of traffic between networks.

Functions of a Router: Routers are Computers
Routers are specialized computers containing the following required components to operate:
• Central processing unit (CPU)
• Operating system (OS) – routers use Cisco IOS
• Memory and storage (RAM, ROM, NVRAM, flash, hard drive)
Routers use specialized ports and network interface cards to interconnect to other networks.

Functions of a Router: Routers Interconnect Networks
▪ Routers can connect multiple networks.
▪ Routers have multiple interfaces, each on a different IP network.
Functions of a Router: Routers Choose Best Paths
Routers use static routes and dynamic routing protocols to learn about remote networks and build their routing tables. They use the routing table to determine the best path for a packet, then encapsulate the packet and forward it out the interface indicated by the routing table.

Connect Devices: Default Gateways
To enable network access, devices must be configured with the following IP address information:
▪ IP address – identifies a unique host on a local network.
▪ Subnet mask – identifies the host's network subnet.
▪ Default gateway – identifies the router a packet is sent to when the destination is not on the same local subnet.

Basic Settings on a Router: Configure Basic Router Settings
Basic tasks that should be configured first on a Cisco router or switch:
▪ Name the device – distinguishes it from other devices.
▪ Secure management access – secures privileged EXEC, user EXEC and Telnet/SSH access and encrypts passwords. Note that service password-encryption only applies reversible type 7 encoding to line passwords; use enable secret (a hashed secret) for privileged EXEC and prefer SSH to Telnet for remote access.
▪ Configure a banner – provides legal notification of unauthorized access.
▪ Save the configuration.

Basic Settings on a Router: Configure an IPv4 Router Interface
To be available, a router interface must be:
▪ Configured with an address and subnet mask.
▪ Activated using the no shutdown command. By default, LAN and WAN interfaces are not activated.
▪ On a serial link, the cable end labeled DCE must be configured with the clock rate command.
▪ An optional description can be included.

Basic Settings on a Router: Configure a Loopback Interface
A loopback interface is a logical interface that is internal to the router. It is not assigned to a physical port; it is a software interface that is automatically in the UP state as long as the router is running. A loopback interface is useful for testing.
It is also important in the OSPF routing process, where a loopback address is commonly used as a stable router ID.

Verify Connectivity of Directly Connected Networks: Verify Interface Settings
Show commands used to verify the operation and configuration of an interface:
▪ show ip interface brief
▪ show ip route
▪ show running-config
Show commands used to gather more detailed interface information:
▪ show interfaces
▪ show ip interface
Common commands to verify the IPv6 interface configuration:
▪ show ipv6 interface brief – displays a summary for each interface.
▪ show ipv6 interface gigabitethernet 0/0 – displays the interface status and all IPv6 addresses on this interface.
▪ show ipv6 route – verifies that IPv6 networks and specific IPv6 interface addresses have been installed in the IPv6 routing table.

Verify Connectivity of Directly Connected Networks: Filter Show Command Output
▪ Use the terminal length number command to specify the number of lines displayed per screen. A value of 0 (zero) prevents the router from pausing between screens of output.
▪ To filter the output of a show command, use the pipe character (|) after the command. Parameters that can be used after the pipe include section, include, exclude and begin.

Switching Packets between Networks: Router Switching Functions
Switching Packets between Networks: Packet Routing
Switching Packets between Networks: Reach the Destination
Path Determination: Routing Decisions

Statically Learned Routes: Static Routes
Static routes and default static routes can be implemented after directly connected interfaces are added to the routing table:
▪ Static routes are manually configured.
▪ They define an explicit path between two networking devices.
▪ Static routes must be manually updated if the topology changes.
▪ Their benefits include improved security and control of resources.
▪ Configure a static route to a specific network using the ip route network mask {next-hop-ip | exit-intf} command.
▪ A default static route is used when the routing table does not contain a more specific path for a destination network.
▪ Configure a default static route using the ip route 0.0.0.0 0.0.0.0 {exit-intf | next-hop-ip} command.

2 STATIC, DEFAULT AND DYNAMIC ROUTING
Statically Learned Routes: Default Static Routes Example
Statically Learned Routes: Static Routes Example

Dynamic Routing Protocols: Dynamic Routing
Dynamic routing is used by routers to share information about the reachability and status of remote networks. It performs network discovery and maintains routing tables.
Dynamic Routing Protocols: IPv4 Routing Protocols
Cisco ISR routers support a variety of dynamic IPv4 routing protocols, including:
▪ EIGRP – Enhanced Interior Gateway Routing Protocol
▪ OSPF – Open Shortest Path First
▪ IS-IS – Intermediate System-to-Intermediate System
▪ RIP – Routing Information Protocol

Types of Routing Protocols: Classifying Routing Protocols
Types of Routing Protocols: IGP and EGP Routing Protocols
Interior Gateway Protocols (IGP)
▪ Used for routing within an autonomous system (AS)
▪ Include RIP, EIGRP, OSPF and IS-IS
Exterior Gateway Protocols (EGP)
▪ Used for routing between autonomous systems
▪ BGP is the exterior gateway protocol used on the Internet

Types of Routing Protocols: Distance Vector Routing Protocols
Distance vector IPv4 IGPs:
▪ RIPv1 – first-generation legacy protocol
▪ RIPv2 – simple distance vector routing protocol
▪ IGRP – first-generation Cisco proprietary protocol (obsolete)
▪ EIGRP – advanced version of distance vector routing
For R1, 172.16.3.0/24 is one hop away (the distance).
It can be reached through R2 (the vector).

Types of Routing Protocols: Distance Vector or Link-State Routing Protocols
Distance vector protocols use routers as signposts along the path to the final destination. A link-state routing protocol is like having a complete map of the network topology: the signposts along the way from source to destination are not necessary, because all link-state routers are using an identical map of the network. A link-state router uses the link-state information to create a topology map and to select the best path to every destination network in the topology.

Types of Routing Protocols: Link-State Routing Protocols
Link-state IPv4 IGPs:
▪ OSPF – popular standards-based routing protocol
▪ IS-IS – popular in provider networks

Types of Routing Protocols: Classful Routing Protocols
Classful routing protocols do not send subnet mask information in their routing updates:
▪ Only RIPv1 and IGRP are classful.
▪ Created when network addresses were allocated based on classes (class A, B or C).
▪ Cannot support variable-length subnet masks (VLSM) or classless interdomain routing (CIDR).
▪ Create problems in discontiguous networks.

Types of Routing Protocols: Classless Routing Protocols
Classless routing protocols include subnet mask information in their routing updates:
▪ RIPv2, EIGRP, OSPF and IS-IS
▪ Support VLSM and CIDR
▪ All IPv6 routing protocols are classless

Types of Routing Protocols: Routing Protocol Characteristics
Types of Routing Protocols: Routing Protocol Metrics
A metric is a measurable value that the routing protocol assigns to different routes based on the usefulness of that route:
▪ Used to determine the overall "cost" of a path from source to destination.
▪ Routing protocols determine the best path based on the route with the lowest cost.
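The static and default static routes described above only matter through the lookup the router performs on every packet: the most specific (longest prefix) matching entry wins, and the 0.0.0.0/0 default route is used only when nothing more specific matches. The following added example (not from the course material) implements that lookup over a constructed routing table; the networks, next hops and interface names are assumptions for the illustration.

```python
"""Longest-prefix lookup over a routing table built from 'ip route'-style
entries, showing when the default static route (0.0.0.0/0) is used.

Added example: the table, next hops and interface names are constructed."""
import ipaddress

# Constructed table: directly connected networks, one static route and a
# default static route towards the ISP.
ROUTES = [
    ("192.168.10.0/24", "directly connected", "GigabitEthernet0/0"),
    ("192.168.11.0/24", "directly connected", "GigabitEthernet0/1"),
    ("10.1.1.0/30",     "directly connected", "Serial0/0/0"),
    ("172.16.3.0/24",   "10.1.1.2",           "Serial0/0/0"),
    ("0.0.0.0/0",       "10.1.1.2",           "Serial0/0/0"),
]


def build_table(routes):
    return [(ipaddress.ip_network(n), nh, intf) for n, nh, intf in routes]


def lookup(table, destination):
    """Return (network, next_hop, interface) of the most specific match,
    or None when no route (not even a default) covers the destination."""
    dst = ipaddress.ip_address(destination)
    best = None
    for net, nh, intf in table:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh, intf)
    return best


def forward(table, destination):
    """Describe the forwarding decision as a string."""
    match = lookup(table, destination)
    if match is None:
        return f"{destination}: no route, packet dropped"
    net, nh, intf = match
    via = f"out {intf}" if nh == "directly connected" else f"via {nh} out {intf}"
    kind = "default route" if net.prefixlen == 0 else f"route {net}"
    return f"{destination}: {kind} {via}"


if __name__ == "__main__":
    table = build_table(ROUTES)
    for ip in ("192.168.10.25", "172.16.3.7", "8.8.8.8"):
        print(forward(table, ip))
    # Without the default route an Internet destination is simply dropped.
    print(forward(build_table(ROUTES[:-1]), "8.8.8.8"))
```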
Distance Vector Routing Protocol Operation: Distance Vector Technologies
Distance vector routing protocols:
▪ Share updates between neighbors.
▪ Are not aware of the network topology.
▪ Some (RIPv1) send periodic updates to the broadcast address 255.255.255.255 even if the topology has not changed.
▪ Updates consume bandwidth and network device CPU resources.
▪ RIPv2 and EIGRP use multicast addresses (224.0.0.9 and 224.0.0.10 respectively).
▪ EIGRP sends an update only when the topology has changed.

Distance Vector Routing Protocol Operation: Distance Vector Algorithm
RIP uses the Bellman-Ford algorithm as its routing algorithm. IGRP and EIGRP use the Diffusing Update Algorithm (DUAL) developed by Cisco.

Types of Distance Vector Routing Protocols: Routing Information Protocol
▪ Routing updates are sent every 30 seconds (RIPv1 broadcasts them; RIPv2 multicasts them to 224.0.0.9).
▪ Updates use UDP port 520.
▪ RIPng is based on RIPv2, with the same 15-hop limitation and an administrative distance of 120 (RIPng uses UDP port 521).

Configuring the RIP Protocol: Disabling Auto Summarization
▪ Like RIPv1, RIPv2 automatically summarizes networks at major (classful) network boundaries by default.
▪ To modify this default behavior, use the no auto-summary router configuration mode command. This command has no effect on RIPv1.
▪ When automatic summarization has been disabled, RIPv2 no longer summarizes networks to their classful address at boundary routers and includes all subnets with their masks in its routing updates.
▪ show ip protocols then states that automatic network summarization is not in effect.
Configuring the RIP Protocol: Configuring Passive Interfaces
Sending out unneeded updates on a LAN impacts the network in three ways:
▪ Wasted bandwidth
▪ Wasted resources
▪ Security risk – any host on that LAN can read the updates and learn the topology, or inject forged updates

7 UNDERSTANDING DHCP AND DNS SERVER
DHCPv4 Operation: Introducing DHCPv4
DHCPv4 uses three address allocation methods:
▪ Manual allocation – the administrator pre-assigns an IPv4 address to the client, and DHCPv4 only communicates that address to the device.
▪ Automatic allocation – DHCPv4 automatically assigns a permanent IPv4 address to a device, selecting it from a pool of available addresses.
▪ Dynamic allocation – DHCPv4 leases an IPv4 address from a pool for a limited period chosen by the server, or until the client no longer needs it. This is the most commonly used method.

DHCPv4 Operation: DHCPv4 Message Format
DHCPv4 Operation: DHCPv4 Discover and Offer Messages
DHCPv4 Operation: Configuring a DHCPv4 Server
A Cisco router running Cisco IOS can be configured to act as a DHCPv4 server. To set up DHCP:
1. Exclude addresses from the pool (ip dhcp excluded-address).
2. Create the DHCP pool (ip dhcp pool name).
3. Define the range of addresses and subnet mask (network).
Use the default-router command for the default gateway. Optional parameters that can be included in the pool: dns-server, domain-name. To disable the DHCP service, use the no service dhcp command.

DHCPv4 Operation: Verifying a DHCPv4 Server
Commands to verify DHCP:
▪ show running-config | section dhcp
▪ show ip dhcp binding
▪ show ip dhcp server statistics
On a Windows PC, issue the ipconfig /all command.

DHCPv4 Operation: DHCPv4 Relay
Configuring an IP helper address (ip helper-address) on the client-facing interface enables a router to forward DHCPv4 broadcasts as unicasts to the DHCPv4 server, acting as a relay.
Configuring a DHCPv4 Client: Configuring a Router as a DHCPv4 Client
Troubleshoot DHCPv4: Verifying the Router DHCPv4 Configuration
Troubleshoot DHCPv4: Debugging DHCPv4

Providing IP Addressing Services: Domain Name Service
A human-readable name is resolved to its numeric network address by the DNS protocol.
Providing IP Addressing Services: DNS Message Format
▪ A DNS server stores different types of resource records used to resolve names. Each record contains the name, the address (or other data) and the type of record.
▪ Record types include:
  ▪ A – an end device (IPv4) address
  ▪ NS – an authoritative name server
  ▪ CNAME – the canonical name for an alias; used when multiple services share a single network address but each service has its own entry in DNS
  ▪ MX – mail exchange record; maps a domain name to a list of mail exchange servers
▪ A server that cannot resolve the name from its stored records contacts other servers.
▪ The server temporarily stores the numeric address that matches the name in its cache.
▪ On Windows, ipconfig /displaydns displays all cached DNS entries.
Providing IP Addressing Services: DNS Hierarchy
Example top-level domains:
▪ .au – Australia
▪ .co – Colombia
▪ .com – business or industry
▪ .jp – Japan
▪ .org – non-profit organization
Providing IP Addressing Services: nslookup
▪ The operating system utility nslookup allows the user to manually query name servers to resolve a given host name.
▪ It can be used to troubleshoot name resolution issues and to verify the current status of the name servers.

CHAPTER 5 – ROUTING PROTOCOLS WITH EIGRP
Chapter 5
1 Introduce Enhanced Interior Gateway Routing Protocol
2 Configuring EIGRP
3 Verifying and Troubleshooting EIGRP

1 INTRODUCE ENHANCED INTERIOR GATEWAY ROUTING PROTOCOL (EIGRP)
Basic Features of EIGRP: Features of EIGRP
▪ Released in 1992 as a Cisco proprietary protocol; in 2013 Cisco published the basic functionality of EIGRP as an open standard (later RFC 7868).
▪ Advanced distance vector routing protocol.
▪ Uses the Diffusing Update Algorithm (DUAL) to calculate paths and backup paths.
▪ Establishes neighbor adjacencies.
▪ Uses the Reliable Transport Protocol (RTP) for delivery of EIGRP packets to neighbors.
▪ Partial and bounded updates: sends updates only when there is a change, and only to the routers that need the information.
▪ Supports equal- and unequal-cost load balancing.
Basic Features of EIGRP: Protocol Dependent Modules
Basic Features of EIGRP: Reliable Transport Protocol
Basic Features of EIGRP: Authentication
EIGRP can be configured to authenticate routing information, which ensures routers only accept updates from routers configured with the correct authentication key.

Types of EIGRP Packets: EIGRP Packet Types
Types of EIGRP Packets: EIGRP Hello Packets
▪ Used to discover EIGRP neighbors and to form and maintain neighbor adjacencies.
▪ Sent as IPv4 or IPv6 multicasts: IPv4 multicast address 224.0.0.10, IPv6 multicast address FF02::A.
▪ Unreliable delivery (no acknowledgement).
▪ Sent every 5 seconds (every 60 seconds on low-speed NBMA networks).
▪ EIGRP uses a default hold timer of three times the hello interval before declaring a neighbor unreachable.

Types of EIGRP Packets: EIGRP Update and Acknowledgement Packets
▪ Update packets are sent to propagate routing information, only when necessary.
▪ Partial updates – contain only information about route changes.
▪ Bounded updates – sent only to the routers affected by the change.
▪ Updates use reliable delivery and therefore require an acknowledgement.
Types of EIGRP Packets: EIGRP Query and Reply Packets
▪ Used when searching for networks.
▪ Queries use reliable delivery and can be multicast or unicast.
▪ Replies use reliable delivery (unicast).

EIGRP Messages: Encapsulating EIGRP Messages
EIGRP Messages: EIGRP Packet Header and TLV

Metrics: Calculating the EIGRP Metric
Step 1. Determine the link with the slowest bandwidth along the path. Use that value to calculate the bandwidth component: 10,000,000 / bandwidth (bandwidth in kb/s).
Step 2. Determine the delay value for each outgoing interface on the way to the destination. Add the delay values (in microseconds) and divide by 10.
Step 3. Add the computed bandwidth and delay values, and multiply the sum by 256 to obtain the EIGRP metric.

DUAL and the Topology Table: DUAL Concepts
▪ The Diffusing Update Algorithm (DUAL) provides:
  ▪ Loop-free paths and loop-free backup paths
  ▪ Fast convergence
  ▪ Minimum bandwidth usage with bounded updates
▪ The decision process for all route computations is done by the DUAL finite state machine (FSM).
▪ The DUAL FSM tracks all routes, uses EIGRP metrics to select efficient loop-free paths, and identifies the routes with the least-cost path to be inserted into the routing table.
▪ EIGRP maintains a list of backup routes that DUAL has already determined to be loop-free, which can be used immediately if the primary path fails.

DUAL and the Topology Table: Successor and Feasible Distance
▪ The successor is the neighboring router used for the least-cost route to the destination network.
▪ The feasible distance (FD) is the lowest calculated metric to reach the destination network.
DUAL and the Topology Table: Feasible Successors, Feasibility Condition and Reported Distance
▪ A feasible successor (FS) is a neighbor that has a loop-free backup path to the same network as the successor and satisfies the feasibility condition (FC).
▪ The feasibility condition (FC) is met when a neighbor's reported distance (RD) to a network is less than the local router's feasible distance to the same destination network.
▪ The reported distance (RD) is an EIGRP neighbor's own feasible distance to that destination network.
DUAL and the Topology Table: Topology Table – show ip eigrp topology Command
DUAL and the Topology Table: Topology Table – No Feasible Successor
DUAL and Convergence: DUAL Finite State Machine (FSM)
DUAL and Convergence: DUAL – Feasible Successor
DUAL and Convergence: DUAL – No Feasible Successor

2 CONFIGURING EIGRP FOR IPV4
Configuring EIGRP with IPv4: EIGRP Network Topology
This course uses the topology that configures EIGRP with IPv4.
Configuring EIGRP with IPv4: Autonomous System Numbers
The router eigrp autonomous-system command enables the EIGRP process. The autonomous system number is only significant to the EIGRP routing domain; it is not associated with the autonomous system numbers globally assigned by the Internet Assigned Numbers Authority (IANA) and used by exterior routing protocols. Internet service providers (ISPs) require an autonomous system number from IANA.
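The metric steps and the successor / feasible successor rules above are easiest to check with numbers. The following added example (not from the course material) computes the classic EIGRP composite metric with default K values and then applies DUAL's selection to a constructed topology table: R1 reaches a network through three neighbors, and the example shows that the feasibility condition compares the neighbor's reported distance with the local feasible distance, not the total path metrics. The link bandwidths and delays are assumptions for the illustration.

```python
"""EIGRP composite metric (default K values: K1=K3=1, K2=K4=K5=0) and
DUAL successor / feasible-successor selection from a topology table.

Added example; the topology, bandwidths and delays are constructed."""


def eigrp_metric(min_bandwidth_kbps, delays_us):
    """Steps 1-3 above: slowest link, summed delay in tens of us, times 256."""
    bw = 10_000_000 // min_bandwidth_kbps      # slowest link, bandwidth in kb/s
    delay = sum(delays_us) // 10               # sum of delays in tens of microseconds
    return (bw + delay) * 256


# Constructed: R1's view of each neighbor towards one destination network.
# neighbor: (local link bw kb/s, local link delay us,
#            slowest bw on the neighbor's path kb/s, delays on the neighbor's path us)
NEIGHBORS = {
    "R2": (1544, 20000, 1544, [100]),
    "R3": (1024, 20000, 1544, [100]),
    "R4": (1544, 20000, 1544, [20000, 100]),
}


def topology_table(neighbors=NEIGHBORS):
    """Return [(neighbor, reported_distance, feasible_distance_via_neighbor)]."""
    rows = []
    for n, (lbw, ldelay, nbw, ndelays) in neighbors.items():
        rd = eigrp_metric(nbw, ndelays)                       # neighbor's own FD
        fd = eigrp_metric(min(lbw, nbw), [ldelay] + ndelays)  # metric via this neighbor
        rows.append((n, rd, fd))
    return rows


def dual_select(entries):
    """Pick the successor (lowest metric) and the feasible successors:
    neighbors whose reported distance is strictly less than the FD."""
    by_metric = sorted(entries, key=lambda e: e[2])
    successor, _, fd = by_metric[0]
    feasible = [n for n, rd, _metric in by_metric[1:] if rd < fd]  # feasibility condition
    return successor, fd, feasible


if __name__ == "__main__":
    table = topology_table()
    for row in table:
        print("neighbor %s  RD %d  FD via %d" % row)
    s, fd, fs = dual_select(table)
    print("successor", s, "FD", fd, "feasible successors", fs)
```

With these numbers the metric via R2 is 2172416 (the value Cisco's own T1 examples produce), R2 is the successor, R3 passes the feasibility condition even though its total metric is the worst of the three, and R4 fails it because its reported distance equals the FD, so a loss of the R2 path would be routed through R3 immediately while a path through R4 would require a query.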
ISPs often use the Border Gateway Protocol (BGP), which does use the IANA-assigned autonomous system number in its configuration.

Configuring EIGRP with IPv4: Router EIGRP Command
Router(config)# router eigrp autonomous-system
To completely remove the EIGRP routing process from a device, use the no router eigrp autonomous-system command.
Configuring EIGRP with IPv4: EIGRP Router ID
The router ID is used in both EIGRP and OSPF; its role is more significant in OSPF.
Configuring EIGRP with IPv4: Configuring the EIGRP Router ID
Router(config)# router eigrp autonomous-system
Router(config-router)# eigrp router-id ipv4-address
An IPv4 loopback address can be used as the router ID. If eigrp router-id is not configured, the highest loopback address is selected as the router ID; if there is no loopback interface, the highest active physical interface address is used.
Configuring a loopback interface:
Router(config)# interface loopback number
Router(config-if)# ip address ipv4-address subnet-mask
Configuring EIGRP with IPv4: Network Command
The network router configuration mode command enables any interface on this router whose address matches the network address to send and receive EIGRP updates. These networks are included in EIGRP routing updates.
The eigrp log-neighbor-changes router configuration mode command:
• Is on by default
• Displays changes in neighbor adjacencies
• Verifies neighbor adjacencies during configuration
• Indicates when any adjacencies have been removed
Configuring EIGRP with IPv4: The Network Command and Wildcard Mask
To configure EIGRP to advertise specific subnets only, use the wildcard-mask option with the network command:
Router(config-router)# network network-address [wildcard-mask]
The wildcard mask is the inverse of the subnet mask.
To calculate the wildcard mask, subtract the subnet mask from 255.255.255.255:
  255.255.255.255
– 255.255.255.252
= 0.0.0.3 (wildcard mask)
Note: Some IOS versions also let you enter the subnet mask instead of a wildcard mask; IOS converts it to the wildcard form in the running configuration.

Configuring EIGRP with IPv4: Passive Interface
Use the passive-interface command to:
▪ Prevent neighbor adjacencies on that interface
▪ Suppress unnecessary update traffic
▪ Increase security, such as preventing unknown rogue routing devices from receiving EIGRP updates or forming an adjacency
To configure:
Router(config)# router eigrp as-number
Router(config-router)# passive-interface interface-type interface-number
To verify:
Router# show ip protocols
Configuring EIGRP with IPv4: Verifying EIGRP – Examining Neighbors
Configuring EIGRP with IPv4: Verifying EIGRP – show ip protocols Command
Configuring EIGRP with IPv4: Verifying EIGRP – Examine the IPv4 Routing Table

3 VERIFYING AND TROUBLESHOOTING EIGRP

CHAPTER 6 – ROUTING PROTOCOLS WITH IS-IS, OSPF
Chapter 6
1 Open Shortest Path First (OSPF)
2 Configuring OSPF
3 Verifying and Troubleshooting OSPF

1 OPEN SHORTEST PATH FIRST (OSPF)
Open Shortest Path First: Evolution of OSPF
(Timeline figure: interior gateway protocols, 1988, 1989, updated in 2008.)
Open Shortest Path First: Features of OSPF
Open Shortest Path First: Components of OSPF
OSPF routers exchange packets. These packets are used to discover neighboring routers and to exchange routing information to maintain accurate information about the network.
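The wildcard-mask arithmetic above, and the question it answers (which interfaces a network statement actually enables), apply to the EIGRP network command and equally to the OSPF network command covered in the next section. This added example (not from the course material) derives a wildcard mask from a subnet mask or prefix length and evaluates network statements against a constructed set of interface addresses; the interface names and addresses are assumptions for the illustration.

```python
"""Wildcard masks for the EIGRP/OSPF network command: derive the wildcard
from a subnet mask or prefix length, and check which interface addresses
a network statement would enable.

Added example; the interface addresses are constructed."""
import ipaddress


def wildcard_from_mask(mask):
    """255.255.255.252 -> 0.0.0.3 (bitwise inverse, i.e. 255.255.255.255 minus the mask)."""
    m = int(ipaddress.IPv4Address(mask))
    return str(ipaddress.IPv4Address(0xFFFFFFFF ^ m))


def wildcard_from_prefixlen(prefixlen):
    return wildcard_from_mask(str(ipaddress.IPv4Network(f"0.0.0.0/{prefixlen}").netmask))


def network_matches(statement_net, wildcard, address):
    """True if 'network statement_net wildcard' covers address.
    Bits that are 0 in the wildcard must match; bits that are 1 are ignored."""
    net = int(ipaddress.IPv4Address(statement_net))
    wc = int(ipaddress.IPv4Address(wildcard))
    addr = int(ipaddress.IPv4Address(address))
    care = ~wc & 0xFFFFFFFF
    return (net & care) == (addr & care)


def enabled_interfaces(statements, interfaces):
    """Interface names covered by at least one network statement.
    statements: [(network, wildcard)], interfaces: {name: address}."""
    return sorted(name for name, addr in interfaces.items()
                  if any(network_matches(n, w, addr) for n, w in statements))


# Constructed interfaces on R1
INTERFACES = {
    "Gi0/0": "192.168.10.1",
    "Gi0/1": "192.168.11.1",
    "S0/0/0": "10.1.1.1",
    "S0/0/1": "10.1.2.1",
}

if __name__ == "__main__":
    print(wildcard_from_mask("255.255.255.252"))
    # A classful statement with no wildcard: IOS treats 'network 10.0.0.0'
    # as 10.0.0.0 0.255.255.255, which enables both serial links.
    print(enabled_interfaces([("10.0.0.0", "0.255.255.255")], INTERFACES))
    # Specific subnets only: one serial link and one LAN interface.
    print(enabled_interfaces([("10.1.1.0", "0.0.0.3"), ("192.168.10.0", "0.0.0.255")], INTERFACES))
```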
Open Shortest Path First: Link-State Operation
▪ If a neighbor is present, the OSPF-enabled router attempts to establish a neighbor adjacency with that neighbor.
▪ LSAs contain the state and cost of each directly connected link.
▪ Routers flood their LSAs to adjacent neighbors.
▪ Adjacent neighbors receiving the LSA immediately flood it to their other directly connected neighbors, until all routers in the area have all LSAs.
▪ Each router builds the topology table (link-state database) from the received LSAs. This database eventually holds all the information about the topology of the network.
▪ Each router executes the SPF algorithm.
▪ From the SPF tree, the best paths are inserted into the routing table.
Open Shortest Path First: Single-area and Multiarea OSPF

OSPF Messages: Encapsulating OSPF Messages
OSPF Messages: Types of OSPF Packets
OSPF Messages: Hello Packet
OSPF type 1 packet = Hello packet:
▪ Discovers OSPF neighbors and establishes neighbor adjacencies.
▪ Advertises the parameters on which two routers must agree to become neighbors.
▪ Elects the designated router (DR) and backup designated router (BDR) on multiaccess networks such as Ethernet and Frame Relay.
OSPF Messages: Hello Packet Intervals
OSPF Hello packets are transmitted:
▪ To 224.0.0.5 in IPv4 and FF02::5 in IPv6 (all OSPF routers)
▪ Every 10 seconds (default on multiaccess and point-to-point networks)
▪ Every 30 seconds (default on non-broadcast multiaccess [NBMA] networks)
▪ The dead interval is the period the router waits to receive a Hello packet before declaring the neighbor down; Cisco's default is 4 times the hello interval.
▪ When a neighbor is declared down, the router floods the updated link-state information out all OSPF-enabled interfaces.
OSPF Messages: Link-State Updates

OSPF Operation: OSPF Operational States
When an OSPF router is initially connected to a network, it attempts to:
▪ Create adjacencies with neighbors
▪ Exchange routing information
▪ Calculate the best routes
▪ Reach convergence
OSPF progresses through several states while attempting to reach convergence.
OSPF Operation: Establish Neighbor Adjacencies
DR and BDR election only occurs on multiaccess networks such as Ethernet LANs.
OSPF Operation: OSPF DR and BDR
OSPF Operation: Synchronizing the OSPF Database
OSPF Router ID: OSPF Network Topology
OSPF Router ID: Router IDs

2 CONFIGURING OSPF
Configure Single-area OSPFv2: The network Command
Configure Single-area OSPFv2: Passive Interface
By default, OSPF messages are sent out all OSPF-enabled interfaces. However, these messages really only need to be sent out interfaces connecting to other OSPF-enabled routers.
Sending out unneeded messages on a LAN affects the network in three ways:
▪ Inefficient use of bandwidth
▪ Inefficient use of resources
▪ Increased security risk
The passive interface feature helps limit the scope of routing message advertisements.
Configure Single-area OSPFv2: Configuring Passive Interfaces
Use the passive-interface router configuration mode command to prevent the transmission of routing messages through a router interface while still allowing that network to be advertised to other routers.

OSPF Cost: OSPF Metric = Cost
Cost = reference bandwidth / interface bandwidth (the default reference bandwidth is 10^8 bps):
Cost = 100,000,000 bps / interface bandwidth in bps
The result is truncated to an integer with a minimum of 1, so at the default reference bandwidth any interface of 100 Mb/s or faster gets cost 1 and Fast Ethernet, Gigabit Ethernet and 10 Gigabit Ethernet become indistinguishable.
OSPF Cost: OSPF Accumulates Costs
The cost of an OSPF route is the accumulated value of the link costs from the router to the destination network.
OSPF Cost: Adjusting the Reference Bandwidth
▪ Use the auto-cost reference-bandwidth command.
▪ It must be configured on every router in the OSPF domain.
▪ The value is expressed in Mb/s:
  ▪ Gigabit Ethernet – auto-cost reference-bandwidth 1000
  ▪ 10 Gigabit Ethernet – auto-cost reference-bandwidth 10000
OSPF Cost: Default Interface Bandwidths
On Cisco routers, the default bandwidth on most serial interfaces is set to 1.544 Mb/s.
OSPF Cost: Adjusting the Interface Bandwidths
OSPF Cost: Manually Setting the OSPF Cost
Both the bandwidth interface command and the ip ospf cost interface command achieve the same result, which is to provide an accurate value for OSPF to use in determining the best route.

3 VERIFYING AND TROUBLESHOOTING OSPF
Verify OSPF: Verify OSPF Neighbors
Verify that the router has formed an adjacency with its neighboring routers.
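The cost formula and the reference-bandwidth adjustment above are worth computing once to see the effect. This added example (not from the course material) calculates per-interface OSPF costs at the default reference bandwidth and at auto-cost reference-bandwidth 10000, and accumulates the cost of a path; the link speeds are the usual interface rates and the path is a constructed one.

```python
"""OSPF interface cost at the default and an adjusted reference bandwidth,
and the accumulated path cost, showing why the default reference
bandwidth cannot distinguish Fast Ethernet from Gigabit Ethernet.

Added example; the path used at the end is constructed."""


def ospf_cost(interface_bps, reference_mbps=100):
    """Cost = reference bandwidth / interface bandwidth, truncated, minimum 1."""
    cost = (reference_mbps * 1_000_000) // interface_bps
    return max(cost, 1)


def path_cost(link_speeds_bps, reference_mbps=100):
    """Accumulated cost of the outgoing links from the router to the destination."""
    return sum(ospf_cost(s, reference_mbps) for s in link_speeds_bps)


LINKS = {
    "Serial (T1)": 1_544_000,
    "FastEthernet": 100_000_000,
    "GigabitEthernet": 1_000_000_000,
    "TenGigabitEthernet": 10_000_000_000,
}


def cost_table(reference_mbps=100):
    """Interface name -> OSPF cost for the given reference bandwidth (Mb/s)."""
    return {name: ospf_cost(bps, reference_mbps) for name, bps in LINKS.items()}


if __name__ == "__main__":
    print("default reference (100 Mb/s):", cost_table())
    print("auto-cost reference-bandwidth 10000:", cost_table(10000))
    # Constructed path: a Gigabit Ethernet link followed by a T1 serial link.
    print("path cost at default reference:",
          path_cost([LINKS["GigabitEthernet"], LINKS["Serial (T1)"]]))
```

At the default reference bandwidth every Ethernet link costs 1 and only the serial link (64) separates paths; with the reference raised to 10000 Mb/s the Ethernet speeds spread out to 100, 10 and 1 and SPF can prefer the faster link. Because the reference bandwidth must match on every router, an adjustment applied on only some routers produces inconsistent SPF results rather than better ones.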
Verify OSPF: Verify OSPF Protocol Settings
Verify OSPF: Verify OSPF Process Information
Verify OSPF: Verify OSPF Interface Settings

4. IS-IS Protocols
IS-IS Protocols
• Intermediate System to Intermediate System
• ISO 10589 specifies the OSI IS-IS routing protocol for CLNS traffic:
  - A link-state protocol with a 2-level hierarchical architecture
  - Type/Length/Value (TLV) options to extend the protocol
• RFC 1195 added IP support (Integrated IS-IS)
• IS-IS runs directly on top of the data link layer, not over IP
IS-IS Adjacencies
• Once an adjacency is formed, neighbours share their link-state information
• The information goes in a Link State PDU (LSP)
• LSPs are flooded to all neighbours
• New information received from neighbours is used to compute a new view of the network
• On a link failure:
  - New LSPs are flooded
  - The routers recompute the routing table
Designated IS
• There is ONE designated router per multi-access network
• It generates the network link advertisements
• It assists in database synchronization
• This scales IS-IS for multi-access (Ethernet) networks
Adding interfaces to IS-IS
IS-IS Neighbour Authentication
Handling IPv6 in IS-IS

Chapter 7 – VLANs and VTP
Chapter 7
1 Virtual LANs (VLANs)
2 Types of Switch Ports
3 VLAN Trunking: ISL and 802.1Q
4 VLAN Trunking Protocol (VTP)
5 Inter-VLAN Routing
6 VLAN Configuration
7 Inter-VLAN Routing Configuration

1 VIRTUAL LANS (VLANS)
Overview of VLANs: VLAN Definitions
A VLAN is a logical partition of a Layer 2 network. Multiple partitions can be created, allowing multiple VLANs to co-exist.
Each VLAN is a broadcast domain, usually with its own IP network. VLANs are mutually isolated; packets can only pass between them via a router (or another Layer 3 device). The partitioning of the Layer 2 network takes place inside a Layer 2 device, usually a switch. The hosts grouped within a VLAN are unaware of the VLAN's existence.
Overview of VLANs: Benefits of VLANs
▪ Security
▪ Cost reduction
▪ Better performance
▪ Smaller broadcast domains
▪ Improved IT staff efficiency
▪ Simpler project and application management
Overview of VLANs: Types of VLANs
▪ Data VLAN
▪ Default VLAN
▪ Native VLAN
▪ Management VLAN
Overview of VLANs: Voice VLANs
VoIP traffic is time-sensitive and requires:
• Assured bandwidth to ensure voice quality.
• Transmission priority over other types of network traffic.
• The ability to be routed around congested areas on the network.
• Delay of less than 150 ms across the network.
The voice VLAN feature enables access ports to carry IP voice traffic from an IP phone. The switch can connect to a Cisco 7960 IP phone and carry IP voice traffic. The sound quality of an IP phone call can deteriorate if the data is sent unevenly; the switch supports quality of service (QoS) to prioritize it.
The Cisco 7960 IP phone has two RJ-45 ports that each support connections to external devices:
• Network port (10/100 SW) – connects the phone to the network. The phone can also obtain inline power from the Cisco Catalyst switch over this connection.
• Access port (10/100 PC) – connects a network device, such as a computer, to the phone.
2 TYPES OF SWITCH PORTS
3 VLAN TRUNKING: ISL AND 802.1Q
VLANs in a Multi-Switched Environment: VLAN Trunks
▪ A VLAN trunk carries more than one VLAN.
▪ A VLAN trunk is usually established between switches so that same-VLAN devices can communicate even if they are physically connected to different switches.
▪ A VLAN trunk is not associated with any particular VLAN, and neither are the trunk ports used to establish the trunk link.
▪ Cisco IOS supports IEEE 802.1Q, the standard VLAN trunking protocol.
VLANs in a Multi-Switched Environment: Controlling Broadcast Domains with VLANs
▪ VLANs can be used to limit the reach of broadcast frames.
▪ A VLAN is a broadcast domain of its own.
▪ A broadcast frame sent by a device in a specific VLAN is forwarded within that VLAN only.
▪ VLANs help control the reach of broadcast frames and their impact on the network.
▪ Unicast and multicast frames are also forwarded within the originating VLAN.
VLANs in a Multi-Switched Environment: Tagging Ethernet Frames for VLAN Identification
▪ Frame tagging is the process of adding a VLAN identification header to the frame. It is used to properly transmit frames of multiple VLANs through a trunk link.
▪ Switches tag frames to identify the VLAN to which they belong.
▪ Different tagging protocols exist; IEEE 802.1Q is the most widely used. The standard defines the structure of the 4-byte tag header inserted into the frame after the source MAC address.
▪ Switches add VLAN tags to frames before placing them on trunk links and remove the tags before forwarding frames out non-trunk (access) ports.
▪ When properly tagged, frames can traverse any number of switches via trunk links and still be forwarded within the correct VLAN at the destination.
VLANs in a Multi-Switched Environment: Native VLANs and 802.1Q Tagging
Frames that belong to the native VLAN are not tagged. Frames received untagged remain untagged and are placed in the native VLAN when forwarded. If there are no ports associated with the native VLAN and no other trunk links, an untagged frame is dropped. In Cisco switches, the native VLAN is VLAN 1 by default.

VLANs in a Multi-Switched Environment: Voice VLAN Tagging

VLAN Assignment: VLAN Ranges on Catalyst Switches
Cisco Catalyst 2960 and 3560 Series switches support over 4,000 VLANs. VLANs are split into two categories:
• Normal range VLANs
  • VLAN numbers from 1 to 1,005
  • Configurations stored in vlan.dat (in flash memory)
  • VTP can only learn and store normal range VLANs
• Extended range VLANs
  • VLAN numbers from 1,006 to 4,096
  • Configurations stored in the running configuration (NVRAM)
  • VTP does not learn extended range VLANs

Dynamic Trunking Protocol: Introduction to DTP
Switch ports can be manually configured to form trunks. Switch ports can also be configured to negotiate and establish a trunk link with a connected peer. The Dynamic Trunking Protocol (DTP) manages trunk negotiation. DTP is a Cisco proprietary protocol and is enabled by default on Cisco Catalyst 2960 and 3560 switches. If the port on the neighbor switch is configured in a trunk mode that supports DTP, DTP manages the negotiation. The default DTP configuration for Cisco Catalyst 2960 and 3560 switches is dynamic auto.
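The tagging and native-VLAN rules described in the two sections above, worked through in Python as an added example (this is not code from the slides or from Cisco). It builds an 802.1Q tag (TPID 0x8100 followed by the PCP/DEI/VID tag control field) into a constructed Ethernet frame, parses it back, and applies the trunk rules: native-VLAN frames leave a trunk untagged, untagged frames arriving on a trunk are placed in the native VLAN, and the tag is stripped before a frame goes out a non-trunk port. The sample frame, MAC addresses and VLAN numbers are constructed for the example; the native VLAN defaults to 1 as on Cisco switches.

```python
import struct

TPID_8021Q = 0x8100   # EtherType value that announces an 802.1Q tag follows


def tag_frame(frame: bytes, vlan_id: int, pcp: int = 0) -> bytes:
    """Insert the 4-byte 802.1Q tag (TPID + TCI) right after the two MAC addresses.
    TCI = 3-bit PCP | 1-bit DEI (left at 0 here) | 12-bit VID."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN ID out of range")
    if not 0 <= pcp <= 7:
        raise ValueError("PCP must fit in 3 bits")
    tci = (pcp << 13) | vlan_id
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def parse_frame(frame: bytes):
    """Return (vlan_id or None, ethertype, payload) for a tagged or untagged frame."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype == TPID_8021Q:
        tci = struct.unpack("!H", frame[14:16])[0]
        inner_type = struct.unpack("!H", frame[16:18])[0]
        return tci & 0x0FFF, inner_type, frame[18:]
    return None, ethertype, frame[14:]


def untag_frame(frame: bytes) -> bytes:
    """Remove the tag if present: what a switch does before a non-trunk (access) port."""
    vid, _, _ = parse_frame(frame)
    return frame if vid is None else frame[:12] + frame[16:]


def trunk_egress(frame: bytes, vlan_id: int, native_vlan: int = 1) -> bytes:
    """Frames of the native VLAN leave the trunk untagged; every other VLAN is tagged."""
    return frame if vlan_id == native_vlan else tag_frame(frame, vlan_id)


def trunk_ingress(frame: bytes, native_vlan: int = 1):
    """Frame arriving on a trunk: return (vlan it belongs to, frame without tag).
    Untagged frames are placed in the native VLAN."""
    vid, _, _ = parse_frame(frame)
    if vid is None:
        return native_vlan, frame
    return vid, untag_frame(frame)


# Constructed sample: a broadcast frame (EtherType 0x0806, ARP) from a made-up source MAC.
DST = bytes.fromhex("ffffffffffff")
SRC = bytes.fromhex("020000000001")
RAW_FRAME = DST + SRC + struct.pack("!H", 0x0806) + b"arp-body"

if __name__ == "__main__":
    tagged = trunk_egress(RAW_FRAME, 20)
    print("tag bytes:", tagged[12:16].hex())
    print("ingress on far switch:", trunk_ingress(tagged)[0])
```

The round trip `trunk_ingress(trunk_egress(frame, vlan))` shows why a native-VLAN mismatch between two trunk ends is listed first among trunk problems later in this chapter: an untagged frame carries no VLAN number of its own, so each end silently assigns it to whatever it considers native.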
Dynamic Trunking Protocol: Negotiated Interface Modes
Cisco Catalyst 2960 and 3560 switches support the following trunk modes:
• switchport mode dynamic auto
• switchport mode dynamic desirable
• switchport mode trunk
• switchport nonegotiate

Troubleshooting VLANs and Trunks: IP Addressing Issues with VLANs
It is common practice to associate a VLAN with an IP network. Because different IP networks only communicate through a router, all devices within a VLAN must be part of the same IP network in order to communicate. The figure shows that PC1 cannot communicate with the server because PC1 has a wrong IP address configured.

Troubleshooting VLANs and Trunks: Missing VLANs
If all IP address mismatches have been resolved but the device still cannot connect, check whether the VLAN exists on the switch.

Troubleshooting VLANs and Trunks: Introduction to Troubleshooting Trunks

Troubleshooting VLANs and Trunks: Common Problems with Trunks
Trunking issues are usually associated with incorrect configurations. The most common types of trunk configuration errors are:
1. Native VLAN mismatches
2. Trunk mode mismatches
3. Allowed VLANs on trunks
If a trunk problem is detected, best-practice guidelines recommend troubleshooting in the order shown above.

Troubleshooting VLANs and Trunks: Trunk Mode Mismatches
If a port on a trunk link is configured with a trunk mode that is incompatible with the neighboring trunk port, a trunk link fails to form between the two switches. Use the show interfaces trunk command to check the status of the trunk ports on the switches. To fix the problem, configure the interfaces with compatible trunk modes.

Troubleshooting VLANs and Trunks: Incorrect VLAN List
VLANs must be allowed on the trunk before their frames can be transmitted across the link.
Use the switchport trunk allowed vlan command to specify which VLANs are allowed on a trunk link. Use the show interfaces trunk command to verify that the correct VLANs are permitted on the trunk.

5 INTER-VLAN ROUTING

Inter-VLAN Routing Operation: What is Inter-VLAN Routing?
Layer 2 switches cannot forward traffic between VLANs without the assistance of a router. Inter-VLAN routing is the process of forwarding network traffic from one VLAN to another using a router.

Inter-VLAN Routing Operation: Legacy Inter-VLAN Routing
In the past:
• Actual routers were used to route between VLANs.
• Each VLAN was connected to a different physical router interface.
• Packets would arrive at the router through one interface, be routed, and leave through another.
• Because the router interfaces were connected to VLANs and had IP addresses from those specific VLANs, routing between VLANs was achieved.
• Large networks with a large number of VLANs required many router interfaces.

Inter-VLAN Routing Operation: Router-on-a-Stick Inter-VLAN Routing
The router-on-a-stick approach uses a different path to route between VLANs:
• One of the router's physical interfaces is configured as an 802.1Q trunk port so it can understand VLAN tags.
• Logical subinterfaces are created, one subinterface per VLAN.
• Each subinterface is configured with an IP address from the VLAN it represents.
• VLAN members (hosts) are configured to use the subinterface address as their default gateway.
• Only one of the router's physical interfaces is used.

Inter-VLAN Routing Operation: Multilayer Switch Inter-VLAN Routing
Multilayer switches can perform Layer 2 and Layer 3 functions, replacing the need for dedicated routers. Multilayer switches support dynamic routing and inter-VLAN routing. The multilayer switch must have IP routing enabled. A switch virtual interface (SVI) exists for VLAN 1 by default.
On a multilayer switch, a logical (Layer 3) interface can be configured for any VLAN. The switch understands network-layer PDUs and can therefore route between its SVIs, just as a router routes between its interfaces. With a multilayer switch, traffic is routed internally within the switch. This routing process is a suitable and scalable solution.

Configure Legacy Inter-VLAN Routing: Preparation
Legacy inter-VLAN routing requires routers to have multiple physical interfaces. Each of the router's physical interfaces is connected to a unique VLAN. Each interface is also configured with an IP address for the subnet associated with that particular VLAN. Network devices use the router as a gateway to reach devices connected to the other VLANs.

6 VLAN CONFIGURATION

VLAN Assignment: Creating a VLAN
VLAN Assignment: Assigning Ports to VLANs
VLAN Assignment: Changing VLAN Port Membership
VLAN Assignment: Deleting VLANs
VLAN Assignment: Verifying VLAN Information
VLAN Assignment: Configuring IEEE 802.1Q Trunk Links
VLAN Assignment: Resetting the Trunk to Default State
VLAN Assignment: Verifying Trunk Configuration

7 INTER-VLAN ROUTING CONFIGURATION

Configure Legacy Inter-VLAN Routing: Switch Configuration
Configure Legacy Inter-VLAN Routing: Router Interface Configuration

Configure Router-on-a-Stick: Preparation
An alternative to legacy inter-VLAN routing is to use VLAN trunking and subinterfaces. VLAN trunking allows a single physical router interface to route traffic for multiple VLANs. The physical interface of the router must be connected to a trunk link on the adjacent switch. On the router, a subinterface is created for each unique VLAN. Each subinterface is assigned an IP address specific to its subnet or VLAN and is also configured to tag frames for that VLAN.

Configure Router-on-a-Stick: Switch Configuration
Configure Router-on-a-Stick: Router Subinterface Configuration
Configure Router-on-a-Stick: Verifying Subinterfaces

Configure Router-on-a-Stick: Verifying Routing
Access to devices on remote VLANs can be tested using the ping command. The ping command sends an ICMP echo request to the destination address. When a host receives an ICMP echo request, it responds with an ICMP echo reply. Tracert is a useful utility for confirming the routed path taken between two devices.
Chapter 8 – Switching and Spanning Tree Protocol
1 Spanning Tree Protocol (STP)
2 Cisco's additions to STP (PortFast, BPDUGuard, BPDUFilter, UplinkFast, BackboneFast)
3 Per-VLAN Spanning Tree Plus (PVST+)
4 EtherChannel

1 SPANNING TREE PROTOCOL (STP)

Purpose of Spanning Tree: Redundancy at OSI Layers 1 and 2
Multiple cabled paths between switches:
• Provide physical redundancy in a switched network.
• Improve the reliability and availability of the network.
• Enable users to access network resources despite path disruption.

Purpose of Spanning Tree: Issues with Layer 1 Redundancy: MAC Database Instability
Ethernet frames do not have a time to live (TTL) attribute.
• Frames continue to propagate between switches endlessly, or until a link is disrupted and breaks the loop.
• This results in MAC database instability.
• It can occur due to the forwarding of broadcast frames. If there is more than one path out of which the frame can be forwarded, an endless loop can result.
• When a loop occurs, it is possible for the MAC address table on a switch to change constantly with the updates from the broadcast frames, resulting in MAC database instability.

Purpose of Spanning Tree: Issues with Layer 1 Redundancy: Broadcast Storms
A broadcast storm occurs when there are so many broadcast frames caught in a Layer 2 loop that all available bandwidth is consumed. It is also known as a denial of service. A broadcast storm is inevitable on a looped network.
• As more devices send broadcasts over the network, more traffic is caught within the loop, consuming more resources.
• This eventually creates a broadcast storm that causes the network to fail.
Purpose of Spanning Tree: Issues with Layer 1 Redundancy: Duplicate Unicast Frames
Unicast frames sent onto a looped network can result in duplicate frames arriving at the destination device. Most upper-layer protocols are not designed to recognize, or cope with, duplicate transmissions. Layer 2 LAN protocols, such as Ethernet, lack a mechanism to recognize and eliminate endlessly looping frames.

STP Operation: Spanning Tree Algorithm: Introduction
STP ensures that there is only one logical path between all destinations on the network by intentionally blocking redundant paths that could cause a loop. A port is considered blocked when user data is prevented from entering or leaving that port. This does not include bridge protocol data unit (BPDU) frames, which are used by STP to prevent loops. The physical paths still exist to provide redundancy, but these paths are disabled to prevent loops from occurring. If a path is ever needed to compensate for a network cable or switch failure, STP recalculates the paths and unblocks the necessary ports to allow the redundant path to become active.
STP Operation: Spanning Tree Algorithm: Port Roles
STP Operation: Spanning Tree Algorithm: Root Bridge
STP Operation: Spanning Tree Algorithm: Path Cost
STP Operation: 802.1D BPDU Frame Format
STP Operation: BPDU Propagation and Process

STP Operation: Extended System ID
STP was enhanced to include support for VLANs, requiring the VLAN ID to be included in the BPDU frame through the use of the extended system ID. In the example, the priority of all the switches is 32769. The value is based on the 32768 default priority plus the VLAN 1 assignment associated with each switch (32768 + 1).

STP Configuration Issues: Analyzing the STP Topology
STP Configuration Issues: Expected Topology versus Actual Topology
STP Configuration Issues: Overview of Spanning Tree Status

STP Configuration Issues: Spanning-Tree Failure Consequences
▪ STP erroneously moves one or more ports into the forwarding state.
▪ Any frame that is flooded by a switch enters the loop.

STP Configuration Issues: Repairing a Spanning Tree Problem
One way to correct a spanning-tree failure is to manually remove redundant links in the switched network, either physically or through configuration, until all loops are eliminated from the topology. Before restoring the redundant links, determine and correct the cause of the spanning-tree failure. Carefully monitor the network to ensure that the problem is fixed.
Rapid PVST+: Overview of Rapid PVST+

2 CISCO'S ADDITIONS TO STP (PORTFAST, BPDUGUARD, BPDUFILTER, UPLINKFAST, BACKBONEFAST)

Rapid PVST+: RSTP BPDU
Rapid PVST+: Edge Ports

Rapid PVST+: Link Types
The link type can determine whether the port can immediately transition to the forwarding state. Edge port connections and point-to-point connections are candidates for rapid transition to the forwarding state.

PVST+ Configuration: Catalyst 2960 Default Configuration

PVST+ Configuration: PortFast and BPDU Guard
▪ When a switch port is configured with PortFast, that port transitions from the blocking to the forwarding state immediately.
▪ BPDU guard puts the port in an error-disabled state on receipt of a BPDU.

3 PER-VLAN SPANNING TREE PLUS (PVST+)

Overview: List of Spanning Tree Protocols
• STP, or IEEE 802.1D-1998
• PVST+
• IEEE 802.1D-2004
• Rapid Spanning Tree Protocol (RSTP), or IEEE 802.1w
• Rapid PVST+
• Multiple Spanning Tree Protocol (MSTP), or IEEE 802.1s

Overview: Characteristics of the Spanning Tree Protocols

PVST+: Overview of PVST+
Networks running PVST+ have these characteristics:
• A network can run an independent IEEE 802.1D STP instance for each VLAN in the network.
• Optimum load balancing can result.
• Maintaining one spanning-tree instance for each VLAN can mean a considerable waste of CPU cycles for all the switches in the network, in addition to the bandwidth used by each instance to send its own BPDUs.
PVST+: Port States and PVST+ Operation
STP introduces the five port states:

PVST+: Extended System ID and PVST+ Operation
In a PVST+ environment, the extended switch ID ensures that each switch has a unique BID for each VLAN. For example, the VLAN 2 default BID would be 32770: priority 32768 plus the extended system ID of 2.

Rapid PVST+: Overview of Rapid PVST+
RSTP is the preferred protocol for preventing Layer 2 loops in a switched network environment. With Rapid PVST+, an independent instance of RSTP runs for each VLAN. RSTP supports a new port type: an alternate port in the discarding state. There are no blocking ports. RSTP defines the port states as discarding, learning, or forwarding. RSTP (802.1w) supersedes STP (802.1D) while retaining backward compatibility. RSTP keeps the same BPDU format as IEEE 802.1D, except that the version field is set to 2 to indicate RSTP, and the flags field uses all 8 bits.

PVST+ Configuration: PVST+ Load Balancing
Another method to specify the root bridge is to set the spanning tree priority on each switch to the lowest value so that the switch is selected as the primary bridge for its associated VLAN. Display and verify spanning tree configuration details.

Rapid PVST+ Configuration: Spanning Tree Mode
Rapid PVST+ is the Cisco implementation of RSTP. It supports RSTP on a per-VLAN basis.
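The bridge-ID arithmetic from the Extended System ID sections (32768 + 1 = 32769 for VLAN 1, 32768 + 2 = 32770 for VLAN 2) and the per-VLAN root election that PVST+ load balancing relies on, as an added Python example that is not part of the slides. It computes the priority field as the configurable 4-bit priority (a multiple of 4096) plus the 12-bit extended system ID carrying the VLAN number, compares bridge IDs as (priority field, MAC address) with the lowest winning, and elects a root per VLAN. The switch names, MAC addresses and the per-VLAN priorities 24576/28672 are constructed for the example; the page itself only says to set the priority to the lowest value on the intended root.

```python
DEFAULT_PRIORITY = 32768   # 802.1D default bridge priority


def bridge_priority(base_priority: int, vlan_id: int) -> int:
    """Priority field of the BID: the configured priority (upper 4 bits, so a
    multiple of 4096) plus the 12-bit extended system ID, which is the VLAN number."""
    if base_priority % 4096 != 0 or not 0 <= base_priority <= 61440:
        raise ValueError("bridge priority must be a multiple of 4096 between 0 and 61440")
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN ID out of range")
    return base_priority + vlan_id


def mac_to_int(mac: str) -> int:
    """Accept Cisco dotted notation (0200.0000.0011) or colon notation."""
    return int(mac.replace(".", "").replace(":", ""), 16)


def bridge_id(base_priority: int, vlan_id: int, mac: str) -> tuple:
    """A BID compares as (priority field, MAC address); the lowest tuple wins."""
    return (bridge_priority(base_priority, vlan_id), mac_to_int(mac))


def elect_root(switches: dict, vlan_id: int) -> str:
    """switches: name -> {"mac": str, "priority": {vlan_id: base_priority}}.
    A VLAN with no explicit priority on a switch uses DEFAULT_PRIORITY there."""
    def bid(name):
        sw = switches[name]
        prio = sw["priority"].get(vlan_id, DEFAULT_PRIORITY)
        return bridge_id(prio, vlan_id, sw["mac"])
    return min(switches, key=bid)


# Constructed topology (not from the slides): S1 is meant to be root for VLAN 10 and
# S2 for VLAN 20, so traffic of the two VLANs takes different uplinks. VLAN 1 is left
# at defaults on every switch, so the lowest MAC address decides.
SWITCHES = {
    "S1": {"mac": "0200.0000.0011", "priority": {10: 24576, 20: 28672}},
    "S2": {"mac": "0200.0000.0022", "priority": {10: 28672, 20: 24576}},
    "S3": {"mac": "0200.0000.0003", "priority": {}},
}

if __name__ == "__main__":
    for vlan in (1, 10, 20):
        print(f"VLAN {vlan}: root = {elect_root(SWITCHES, vlan)}")
```

The VLAN 1 result is the failure mode worth checking for in a real network: with every switch at the default priority, the root is whichever switch happens to have the lowest MAC address, which is often an old access switch rather than the intended core.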
PVST+ Configuration: Configuring and Verifying the Bridge ID

8 ETHERCHANNEL

Chapter 9: Access Control Lists
1 Introduction to Access Lists
2 Standard Access Lists
3 Extended Access Lists

1 INTRODUCTION TO ACCESS LISTS

Purpose of ACLs: What is an ACL?
Purpose of ACLs: A TCP Conversation

Purpose of ACLs: Packet Filtering
Packet filtering, sometimes called static packet filtering, controls access to a network by analyzing the incoming and outgoing packets and passing or dropping them based on given criteria, such as the source IP address, the destination IP address, and the protocol carried within the packet. A router acts as a packet filter when it forwards or denies packets according to filtering rules. An ACL is a sequential list of permit or deny statements, known as access control entries (ACEs).

Purpose of ACLs: ACL Operation
The last statement of an ACL is always an implicit deny. This statement is automatically inserted at the end of each ACL even though it is not physically present. The implicit deny blocks all traffic. Because of this implicit deny, an ACL that does not have at least one permit statement will block all traffic.

Standard versus Extended IPv4 ACLs: Types of Cisco IPv4 ACLs
• Standard ACLs
• Extended ACLs

Standard versus Extended IPv4 ACLs: Numbering and Naming ACLs

Wildcard Masks in ACLs: Introducing ACL Wildcard Masking
Wildcard masks and subnet masks differ in the way they match binary 1s and 0s.
Wildcard masks use the following rules to match binary 1s and 0s:
• Wildcard mask bit 0 - Match the corresponding bit value in the address.
• Wildcard mask bit 1 - Ignore the corresponding bit value in the address.
Wildcard masks are often referred to as inverse masks. The reason is that, unlike a subnet mask, in which a binary 1 means a match and a binary 0 means no match, in a wildcard mask the reverse is true.

Wildcard Masks in ACLs: Wildcard Mask Examples: Hosts / Subnets
Wildcard Masks in ACLs: Wildcard Mask Examples: Match Ranges

Wildcard Masks in ACLs: Calculating the Wildcard Mask
Calculating wildcard masks can be challenging. One shortcut method is to subtract the subnet mask from 255.255.255.255.

Wildcard Masks in ACLs: Wildcard Mask Keywords
Wildcard Masks in ACLs: Examples of Wildcard Mask Keywords

Guidelines for ACL Creation: General Guidelines for Creating ACLs
• Use ACLs in firewall routers positioned between your internal network and an external network such as the Internet.
• Use ACLs on a router positioned between two parts of your network to control traffic entering or exiting a specific part of your internal network.
• Configure ACLs on border routers, that is, routers situated at the edges of your networks.
• Configure ACLs for each network protocol configured on the border router interfaces.

Guidelines for ACL Creation: The Three Ps
• One ACL per protocol - To control traffic flow on an interface, an ACL must be defined for each protocol enabled on the interface.
• One ACL per direction - ACLs control traffic in one direction at a time on an interface. Two separate ACLs must be created to control inbound and outbound traffic.
• One ACL per interface - ACLs control traffic for an interface, for example, GigabitEthernet 0/0.
Guidelines for ACL Creation: ACL Best Practices

Guidelines for ACL Placement: Where to Place ACLs
Every ACL should be placed where it has the greatest impact on efficiency. The basic rules are:
• Extended ACLs - Locate extended ACLs as close as possible to the source of the traffic to be filtered.
• Standard ACLs - Because standard ACLs do not specify destination addresses, place them as close to the destination as possible.
Placement of the ACL, and therefore the type of ACL used, may also depend on: the extent of the network administrator's control, the bandwidth of the networks involved, and ease of configuration.

Guidelines for ACL Placement: Standard ACL Placement
Guidelines for ACL Placement: Extended ACL Placement

Configure Standard IPv4 ACLs: Entering Criteria Statements

2 STANDARD ACCESS LISTS

Configure Standard IPv4 ACLs: Configuring a Standard ACL
Example ACL:
access-list 2 deny host 192.168.10.10
access-list 2 permit 192.168.10.0 0.0.0.255
access-list 2 deny 192.168.0.0 0.0.255.255
access-list 2 permit 192.0.0.0 0.255.255.255

The full syntax of the standard ACL command is as follows:
Router(config)# access-list access-list-number { deny | permit | remark } source [ source-wildcard ] [ log ]
To remove the ACL, the global configuration command no access-list is used. The remark keyword is used for documentation and makes access lists a great deal easier to understand.

Configure Standard IPv4 ACLs: Internal Logic
Cisco IOS applies an internal logic when accepting and processing standard access list statements. As discussed previously, access list statements are processed sequentially. Therefore, the order in which statements are entered is important.
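The wildcard-mask rules (bit 0 = match, bit 1 = ignore, wildcard = 255.255.255.255 minus the subnet mask) and the sequential first-match evaluation of a standard ACL, worked through in Python as an added example rather than code from the slides or from Cisco IOS. It parses the example ACL 2 shown above exactly as written, matches source addresses against each ACE in order, and applies the implicit deny when nothing matches, reporting which line decided. The test addresses fed to it are constructed; the parser covers only the `host`, `any` and `address wildcard` forms of a standard ACE plus `remark` lines.

```python
import ipaddress


def _int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def _ip(n: int) -> str:
    return str(ipaddress.IPv4Address(n))


def wildcard_from_subnet_mask(mask: str) -> str:
    """The slide's shortcut: subtract the subnet mask from 255.255.255.255."""
    return _ip(0xFFFFFFFF - _int(mask))


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Wildcard bit 0 = the address bit must match the base, bit 1 = ignore that bit."""
    care = 0xFFFFFFFF ^ _int(wildcard)          # invert: 1 where we must compare
    return (_int(addr) & care) == (_int(base) & care)


def parse_standard_ace(line: str):
    """Parse 'access-list N {permit|deny} {host A | any | A [W]} [log]' into
    (action, base, wildcard). Returns None for 'remark' lines."""
    parts = line.split()
    if len(parts) < 4 or parts[0] != "access-list":
        raise ValueError(f"not a standard ACE: {line!r}")
    action, rest = parts[2], parts[3:]
    if action == "remark":
        return None
    if action not in ("permit", "deny"):
        raise ValueError(f"unknown action in {line!r}")
    if rest[0] == "host":
        return action, rest[1], "0.0.0.0"
    if rest[0] == "any":
        return action, "0.0.0.0", "255.255.255.255"
    # An omitted wildcard means a single host, the same as 0.0.0.0.
    wildcard = rest[1] if len(rest) > 1 and rest[1] != "log" else "0.0.0.0"
    return action, rest[0], wildcard


def evaluate_standard_acl(acl_lines, src: str):
    """First matching ACE wins. Returns (action, index of the deciding line);
    the implicit deny at the end is reported as ('deny', None)."""
    for i, line in enumerate(acl_lines):
        ace = parse_standard_ace(line)
        if ace is None:
            continue
        action, base, wildcard = ace
        if wildcard_match(src, base, wildcard):
            return action, i
    return "deny", None


# The example ACL from the slide above, verbatim.
ACL_2 = [
    "access-list 2 deny host 192.168.10.10",
    "access-list 2 permit 192.168.10.0 0.0.0.255",
    "access-list 2 deny 192.168.0.0 0.0.255.255",
    "access-list 2 permit 192.0.0.0 0.255.255.255",
]

if __name__ == "__main__":
    # Constructed test addresses, one for each line plus one for the implicit deny.
    for src in ("192.168.10.10", "192.168.10.55", "192.168.50.1", "192.200.1.1", "10.1.1.1"):
        print(src, "->", evaluate_standard_acl(ACL_2, src))
```

Swapping the first two lines of ACL_2 is a quick way to see why order matters: the host deny would then never be reached, because the /24 permit above it already matches 192.168.10.10.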
Configure Standard IPv4 ACLs: Applying Standard ACLs to Interfaces
After a standard ACL is configured, it is linked to an interface using the ip access-group command in interface configuration mode:
Router(config-if)# ip access-group { access-list-number | access-list-name } { in | out }
To remove an ACL from an interface, first enter the no ip access-group command on the interface, and then enter the global no access-list command to remove the entire ACL.

Configure Standard IPv4 ACLs: Creating Named Standard ACLs
Configure Standard IPv4 ACLs: Commenting ACLs
Modify IPv4 ACLs: Editing Standard Numbered ACLs
Modify IPv4 ACLs: Editing Standard Named ACLs
Modify IPv4 ACLs: Verifying ACLs
Modify IPv4 ACLs: ACL Statistics

Modify IPv4 ACLs: Standard ACL Sequence Numbers
Another part of the IOS internal logic involves the internal sequencing of standard ACL statements. Range statements that deny three networks are configured first, followed by five host statements. The host statements are all valid statements because their host IP addresses are not part of the previously entered range statements. The host statements are listed first by the show command, but not necessarily in the order in which they were entered. The IOS puts host statements in an order using a special hashing function. The resulting order optimizes the search for a host ACL entry.

Securing VTY Ports with a Standard IPv4 ACL: Configuring a Standard ACL to Secure a VTY Port
Filtering Telnet or SSH traffic is typically considered an extended IP ACL function because it filters a higher-level protocol.
However, because the access-class command is used to filter incoming or outgoing Telnet/SSH sessions by source address, a standard ACL can be used.
Router(config-line)# access-class access-list-number { in [ vrf-also ] | out }

Securing VTY Ports with a Standard IPv4 ACL: Verifying a Standard ACL Used to Secure a VTY Port

3 EXTENDED ACCESS LISTS

Structure of an Extended IPv4 ACL: Extended ACLs

Configure Extended IPv4 ACLs: Configuring Extended ACLs
The procedural steps for configuring extended ACLs are the same as for standard ACLs. The extended ACL is first configured, and then it is activated on an interface. However, the command syntax and parameters are more complex in order to support the additional features provided by extended ACLs.

Configure Extended IPv4 ACLs: Applying Extended ACLs to Interfaces
Configure Extended IPv4 ACLs: Filtering Traffic with Extended ACLs
Configure Extended IPv4 ACLs: Creating Named Extended ACLs
Configure Extended IPv4 ACLs: Verifying Extended ACLs

Configure Extended IPv4 ACLs: Editing Extended ACLs
Editing an extended ACL can be accomplished using the same process as editing a standard ACL. An extended ACL can be modified using:
• Method 1 - Text editor
• Method 2 - Sequence numbers

Processing Packets with ACLs: Inbound ACL Logic
Packets are tested against an inbound ACL, if one exists, before being routed. If an inbound packet matches an ACL statement with a permit, it is sent on to be routed. If an inbound packet matches an ACL statement with a deny, it is dropped and not routed. If an inbound packet does not match any ACL statement, it is "implicitly denied" and dropped without being routed.
Processing Packets with ACLs: Outbound ACL Logic
Packets are first checked for a route before being sent to an outbound interface. If there is no route, the packets are dropped. If an outbound interface has no ACL, the packets are sent directly to that interface. If there is an ACL on the outbound interface, the packets are tested against it before being sent to that interface. If an outbound packet matches an ACL statement with a permit, it is sent to the interface. If an outbound packet matches an ACL statement with a deny, it is dropped. If an outbound packet does not match any ACL statement, it is "implicitly denied" and dropped.

Processing Packets with ACLs: ACL Logic Operations
When a packet arrives at a router interface, the router process is the same whether ACLs are used or not. As a frame enters an interface, the router checks whether the destination Layer 2 address matches the interface's Layer 2 address or whether the frame is a broadcast frame. If the frame address is accepted, the frame information is stripped off and the router checks for an ACL on the inbound interface. If an ACL exists, the packet is tested against the statements in the list. If the packet is accepted, it is then checked against routing table entries to determine the destination interface. If a routing table entry exists for the destination, the packet is switched to the outgoing interface; otherwise the packet is dropped. Next, the router checks whether the outgoing interface has an ACL. If an ACL exists, the packet is tested against the statements in the list. If there is no ACL or the packet is permitted, the packet is encapsulated in the new Layer 2 protocol and forwarded out the interface to the next device.
Processing Packets with ACLs: Standard ACL Decision Process
Standard ACLs only examine the source IPv4 address. The destination of the packet and the ports involved are not considered. Cisco IOS software tests addresses against the conditions in the ACL. The first match determines whether the software accepts or rejects the address. Because the software stops testing conditions after the first match, the order of the conditions is critical. If no conditions match, the address is rejected.

Processing Packets with ACLs: Extended ACL Decision Process
The ACL first filters on the source address, then on the port and protocol of the source. It then filters on the destination address, then on the port and protocol of the destination, and makes a final permit or deny decision.

Common ACL Errors: Troubleshooting Common ACL Errors
• Example 1 - Host 192.168.10.10 has no connectivity with 192.168.30.12.
• Example 2 - The 192.168.10.0 /24 network cannot use TFTP to connect to the 192.168.30.0 /24 network.
• Example 3 - The 192.168.11.0 /24 network can use Telnet to connect to 192.168.30.0 /24, but according to company policy, this connection should not be allowed.
• Example 4 - Host 192.168.30.12 is able to use Telnet to connect to 192.168.31.12, but company policy states that this connection should not be allowed.
• Example 5 - Host 192.168.30.12 can use Telnet to connect to 192.168.31.12, but according to the security policy, this connection should not be allowed.
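The inbound ACL, route lookup, outbound ACL pipeline of the ACL Logic Operations section together with the extended ACL decision order (source address, source port/protocol, destination address, destination port/protocol), as one added Python example; it is not code from the slides or a model of IOS internals. A small router applies a per-interface inbound ACL, does a longest-prefix route lookup, then applies the outbound ACL of the exit interface, and reports at which stage a packet was dropped. The sample policy is constructed to enforce what the troubleshooting scenarios above say should be blocked: TFTP (UDP 69) from 192.168.10.0/24 and Telnet (TCP 23) from 192.168.11.0/24 towards 192.168.30.0/24, and Telnet from 192.168.30.12 to 192.168.31.12. The interface names, ACL numbers 110/120 and the route table are assumptions of the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


def _int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Wildcard bit 0 = the address bit must match, bit 1 = don't care."""
    care = 0xFFFFFFFF ^ _int(wildcard)
    return (_int(addr) & care) == (_int(base) & care)


@dataclass
class Packet:
    proto: str          # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0


@dataclass
class ExtendedACE:
    """One extended ACE. proto 'ip' matches any protocol; a port of None means any port."""
    action: str
    proto: str
    src: str
    src_wc: str
    dst: str
    dst_wc: str
    sport: Optional[int] = None
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        # Same order as the slide: source address, source port/protocol,
        # destination address, destination port/protocol.
        if not wildcard_match(p.src, self.src, self.src_wc):
            return False
        if self.proto != "ip" and self.proto != p.proto:
            return False
        if self.sport is not None and p.sport != self.sport:
            return False
        if not wildcard_match(p.dst, self.dst, self.dst_wc):
            return False
        if self.dport is not None and p.dport != self.dport:
            return False
        return True


def evaluate_acl(acl, p: Packet) -> str:
    """First matching ACE decides; the implicit deny applies when nothing matches."""
    for ace in acl:
        if ace.matches(p):
            return ace.action
    return "deny"


ANY = ("0.0.0.0", "255.255.255.255")


class Router:
    def __init__(self, routes, inbound_acls=None, outbound_acls=None):
        # routes: list of (CIDR network, exit interface); ACLs: interface -> list of ACEs
        self.routes = [(ipaddress.ip_network(net), iface) for net, iface in routes]
        self.inbound_acls = inbound_acls or {}
        self.outbound_acls = outbound_acls or {}

    def lookup_route(self, dst: str) -> Optional[str]:
        """Longest-prefix match; None when the routing table has no entry."""
        addr = ipaddress.IPv4Address(dst)
        candidates = [r for r in self.routes if addr in r[0]]
        best = max(candidates, key=lambda r: r[0].prefixlen, default=None)
        return best[1] if best else None

    def forward(self, p: Packet, in_iface: str) -> str:
        acl = self.inbound_acls.get(in_iface)
        if acl is not None and evaluate_acl(acl, p) != "permit":
            return "dropped: inbound ACL"
        out_iface = self.lookup_route(p.dst)
        if out_iface is None:
            return "dropped: no route"
        acl = self.outbound_acls.get(out_iface)
        if acl is not None and evaluate_acl(acl, p) != "permit":
            return "dropped: outbound ACL"
        return f"forwarded via {out_iface}"


# Constructed policy (assumed names and numbers, not from the slides).
ACL_110 = [   # inbound on Gi0/0, which faces 192.168.10.0/24 and 192.168.11.0/24
    ExtendedACE("deny", "udp", "192.168.10.0", "0.0.0.255", "192.168.30.0", "0.0.0.255", dport=69),
    ExtendedACE("deny", "tcp", "192.168.11.0", "0.0.0.255", "192.168.30.0", "0.0.0.255", dport=23),
    ExtendedACE("permit", "ip", *ANY, *ANY),
]
ACL_120 = [   # outbound on Gi0/2, which faces 192.168.31.0/24
    ExtendedACE("deny", "tcp", "192.168.30.12", "0.0.0.0", "192.168.31.12", "0.0.0.0", dport=23),
    ExtendedACE("permit", "ip", *ANY, *ANY),
]
R1 = Router(
    routes=[("192.168.10.0/23", "Gi0/0"), ("192.168.30.0/24", "Gi0/1"), ("192.168.31.0/24", "Gi0/2")],
    inbound_acls={"Gi0/0": ACL_110},
    outbound_acls={"Gi0/2": ACL_120},
)

if __name__ == "__main__":
    print(R1.forward(Packet("udp", "192.168.10.5", "192.168.30.12", 40000, 69), "Gi0/0"))
    print(R1.forward(Packet("tcp", "192.168.10.10", "192.168.30.12", 40000, 80), "Gi0/0"))
```

Note that the outbound ACL on Gi0/2 never sees Telnet from 192.168.30.12 that enters on Gi0/1, because the policy lives on the exit interface; that is the "one ACL per direction, one per interface" rule in practice, and it is why an ACL placed on the wrong interface or direction leaves a scenario like Example 4 unresolved.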
Chapter 10 – Network Address Translation (NAT)
1 Introduction to NAT
2 Static NAT Configuration & Verification
3 Dynamic NAT Configuration
4 NAT Overloading, aka Port Address Translation (PAT)

1 INTRODUCTION TO NAT

NAT Characteristics: IPv4 Private Address Space
The IPv4 address space is not big enough to uniquely address all the devices that must be connected to the Internet. Private network addresses are described in RFC 1918 and are designed to be used within an organization or site only. Private addresses are not routed by Internet routers, while public addresses are. Private addresses can alleviate IPv4 scarcity, but because they are not routed by Internet devices, they first need to be translated. NAT is the process used to perform such translation.

NAT Characteristics: What is NAT?
NAT is a process used to translate network addresses. NAT's primary use is to conserve public IPv4 addresses. NAT is usually implemented at border network devices, such as firewalls or routers. NAT allows networks to use private addresses internally, translating to public addresses only when needed. Devices within the organization can be assigned private addresses and operate with locally unique addresses. When traffic must be sent to or received from other organizations or the Internet, the border router translates the addresses to a public and globally unique address.

NAT Characteristics: NAT Terminology
The inside network is the set of devices using private addresses. The outside network refers to all other networks. NAT includes four types of addresses:
• Inside local address
• Inside global address
• Outside local address
• Outside global address
Types of NAT: Static NAT
Static NAT uses a one-to-one mapping of local and global addresses. These mappings are configured by the network administrator and remain constant. Static NAT is particularly useful when servers hosted in the inside network must be accessible from the outside network. A network administrator can SSH to a server in the inside network by pointing the SSH client to the proper inside global address.

Types of NAT: Static NAT (cont.)

Types of NAT: Dynamic NAT
Dynamic NAT uses a pool of public addresses and assigns them on a first-come, first-served basis. When an inside device requests access to an outside network, dynamic NAT assigns an available public IPv4 address from the pool. Dynamic NAT requires that enough public addresses are available to satisfy the total number of simultaneous user sessions.

Types of NAT: Dynamic NAT (cont.)

Types of NAT: Port Address Translation
Port Address Translation (PAT) maps multiple private IPv4 addresses to a single public IPv4 address or a few addresses. PAT uses the pair of source port and source IP address to keep track of which traffic belongs to which internal client. PAT is also known as NAT overload. By also using the port number, PAT forwards the response packets to the correct internal device. The PAT process also validates that the incoming packets were requested, thus adding a degree of security to the session.

Types of NAT: Comparing NAT and PAT
NAT translates IPv4 addresses on a 1:1 basis between private IPv4 addresses and public IPv4 addresses. PAT modifies both the address and the port number. NAT forwards incoming packets to their inside destination by referring to the incoming source IPv4 address provided by the host on the public network. With PAT, there is generally only one or a very few publicly exposed IPv4 addresses.
PAT is able to translate protocols that do not use port numbers, such as ICMP; each one of these protocols is supported differently by PAT.

Benefits of NAT: Benefits of NAT
▪ Conserves the legally registered addressing scheme
▪ Increases the flexibility of connections to the public network
▪ Provides consistency for internal network addressing schemes
▪ Provides network security

Benefits of NAT: Disadvantages of NAT
▪ Performance is degraded
▪ End-to-end functionality is degraded
▪ End-to-end IP traceability is lost
▪ Tunneling is more complicated
▪ Initiating TCP connections can be disrupted

2 STATIC NAT CONFIGURATION & VERIFICATION

Configuring Static NAT: Configuring Static NAT
There are two basic tasks to perform when configuring static NAT translations:
▪ Create the mapping between the inside local and outside local addresses.
▪ Define which interfaces belong to the inside network and which belong to the outside network.

Configuring Static NAT: Configuring Static NAT
Configuring Static NAT: Analyzing Static NAT
Configuring Static NAT: Verifying Static NAT
Configuring Static NAT: Verifying Static NAT (cont.)

3 DYNAMIC NAT CONFIGURATION

Configuring Dynamic NAT: Dynamic NAT Operation
The pool of public IPv4 addresses (the inside global address pool) is available to any device on the inside network on a first-come, first-served basis. With dynamic NAT, a single inside address is translated to a single outside address. The pool must be large enough to accommodate all inside devices. A device is unable to communicate with any external networks if no addresses are available in the pool.
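The three translation behaviours described in this chapter (fixed one-to-one static mappings, a first-come first-served dynamic pool that can run out, and PAT tracking flows by source port and dropping replies nobody asked for) can be seen side by side in the following simulator. It is an added example written for this page, not Cisco code and not something the slides contain; the inside addresses are RFC 1918 space and the public addresses are constructed from the 203.0.113.0/24 documentation range. Keeping the original source port when it is still free is a choice made for this simulator.

```python
# Added example (not from the slides, not Cisco code): a simulator for static
# NAT, dynamic NAT and PAT. Public addresses below are constructed from the
# 203.0.113.0/24 documentation range.


class StaticNat:
    """One-to-one mappings fixed by the administrator; they never change."""

    def __init__(self, mappings):
        self.local_to_global = dict(mappings)
        self.global_to_local = {g: l for l, g in mappings.items()}

    def outbound(self, inside_local):
        return self.local_to_global.get(inside_local)

    def inbound(self, inside_global):
        # Outside hosts can initiate: this is what makes inside servers reachable.
        return self.global_to_local.get(inside_global)


class DynamicNat:
    """A pool of public addresses handed out first-come, first-served."""

    def __init__(self, pool):
        self.free = list(pool)
        self.table = {}

    def outbound(self, inside_local):
        if inside_local not in self.table:
            if not self.free:
                return None      # pool exhausted: this host cannot reach outside
            self.table[inside_local] = self.free.pop(0)
        return self.table[inside_local]


class Pat:
    """Many inside hosts share one public address; the translated source
    port tells their flows apart. The original port is kept when free."""

    def __init__(self, public_ip, first_port=1024):
        self.public_ip = public_ip
        self.next_port = first_port
        self.table = {}      # (inside_local, inside_port) -> global port
        self.reverse = {}    # global port -> (inside_local, inside_port)

    def _allocate(self):
        while self.next_port in self.reverse:
            self.next_port += 1
        port, self.next_port = self.next_port, self.next_port + 1
        return port

    def outbound(self, inside_local, inside_port):
        key = (inside_local, inside_port)
        if key not in self.table:
            port = inside_port if inside_port not in self.reverse else self._allocate()
            self.table[key] = port
            self.reverse[port] = key
        return self.public_ip, self.table[key]

    def inbound(self, global_port):
        # No entry means nobody inside requested this packet: it is dropped.
        return self.reverse.get(global_port)


def demo():
    static = StaticNat({"192.168.10.254": "203.0.113.5"})
    dynamic = DynamicNat(["203.0.113.10", "203.0.113.11"])   # pool of two
    pat = Pat("203.0.113.1")
    return {
        "static_server_inbound": static.inbound("203.0.113.5"),
        "dynamic_first": dynamic.outbound("192.168.10.10"),
        "dynamic_second": dynamic.outbound("192.168.10.11"),
        "dynamic_first_again": dynamic.outbound("192.168.10.10"),
        "dynamic_third_exhausted": dynamic.outbound("192.168.10.12"),
        "pat_host_a": pat.outbound("192.168.10.10", 40000),
        "pat_host_b_same_port": pat.outbound("192.168.10.11", 40000),
        "pat_reply_for_b": pat.inbound(1024),
        "pat_unsolicited": pat.inbound(5555),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:24} -> {result}")
```

Two results are worth a second look: `dynamic_third_exhausted` is `None`, the "no addresses in the pool" failure the slide describes, and `pat_unsolicited` is `None`, which is the sense in which PAT "validates that incoming packets were requested".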
Configuring Dynamic NAT: Configuring Dynamic NAT
Configuring Dynamic NAT: Analyzing Dynamic NAT
Configuring Dynamic NAT: Analyzing Dynamic NAT
Configuring Dynamic NAT: Verifying Dynamic NAT
Configuring Dynamic NAT: Verifying Dynamic NAT

4 NAT OVERLOADING AKA PORT ADDRESS TRANSLATION (PAT)

Configuring PAT: Configuring PAT: Address Pool
Configuring PAT: Configuring PAT: Single Address
Configuring PAT: Analyzing PAT
Configuring PAT: Analyzing PAT
Configuring PAT: Verifying PAT Translations

Port Forwarding: Port Forwarding
Port forwarding is the act of forwarding a network port from one network node to another. A packet sent to the public IP address and port of a router can be forwarded to a private IP address and port in the inside network. Port forwarding is helpful in situations where servers have private addresses that are not reachable from outside networks.

Port Forwarding: Configuring Port Forwarding with IOS
In IOS, port forwarding is essentially a static NAT translation with a specified TCP or UDP port number.

Configuring NAT and IPv6: NAT for IPv6?
NAT is a workaround for IPv4 address scarcity. IPv6, with a 128-bit address, provides 340 undecillion addresses, so address space is not an issue for IPv6. IPv6 makes IPv4 public-private NAT unnecessary by design; however, IPv6 does implement a form of private addresses, and it is implemented differently than for IPv4.

Chapter 11 – Wide Area Networks

Chapter 2
1 Introduction to Wide-Area Networks
2 PPP Concepts
3 PPP Configuration

1 Introduction to Wide-Area Networks

Purpose of WANs: Why Choose a WAN?
▪ Operates beyond the geographic scope of a LAN
▪ Used to interconnect the enterprise LAN to remote LANs in branch sites and telecommuter sites
▪ Owned by a service provider
▪ The organization must pay a fee to use the provider's services to connect sites

WAN Operations: WANs in the OSI Model
WAN access standards typically describe both physical layer delivery methods and data link layer requirements, including physical addressing, flow control, and encapsulation.

WAN Operations: WAN Devices

WAN Operations: Circuit Switching
The two most common types of circuit-switched WAN technologies are the public switched telephone network (PSTN) and the Integrated Services Digital Network (ISDN).

WAN Operations: Packet Switching
Splits traffic data into packets that are routed over a shared network. Packet switching allows many pairs of nodes to communicate over the same channel.

WAN Services: WAN Link Connection Options
WAN Services: Service Provider Network Infrastructure

Private WAN Infrastructures: Leased Lines
Advantages:
▪ Simplicity
▪ Quality
▪ Availability
Disadvantages:
▪ Cost
▪ Limited flexibility

Private WAN Infrastructures: Dialup
Advantages:
▪ Simplicity
▪ Availability
▪ Low implementation cost
Disadvantages:
▪ Low data rates
▪ Relatively long connection time

Private WAN Infrastructures: ISDN
Sample ISDN Topology: ISDN BRI, ISDN PRI

Private WAN Infrastructures: Frame Relay
▪ PVCs carry both voice and data traffic.
▪ PVCs are uniquely identified by a data-link connection identifier (DLCI).
▪ PVCs and DLCIs ensure bidirectional communication from one DTE device to another.
▪ R1 uses DLCI 102 to reach R2, while R2 uses DLCI 201 to reach R1.
Private WAN Infrastructures: ATM
Built on a cell-based architecture, rather than on a frame-based architecture. ATM cells are always a fixed length of 53 bytes.

Private WAN Infrastructures: Ethernet WAN
Features and benefits of Ethernet WAN include:
▪ Reduced expenses and administration
▪ Easy integration with existing networks
▪ Enhanced business productivity
▪ Service providers now offer Ethernet WAN service using fiber-optic cabling.
▪ Known as Metropolitan Ethernet (MetroE), Ethernet over MPLS (EoMPLS), and Virtual Private LAN Service (VPLS).
Note: Commonly used to replace the traditional Frame Relay and ATM WAN links.

Private WAN Infrastructures: MPLS
Multiprotocol Label Switching (MPLS) is a multiprotocol high-performance WAN technology that directs data from one router to the next based on short path labels rather than IP network addresses.

Private WAN Infrastructures: VSAT
Very small aperture terminal (VSAT): a solution that creates a private WAN using satellite communications.

Private WAN Infrastructures: DSL
▪ Always-on connection technology that uses existing twisted-pair telephone lines to transport high-bandwidth data and provides IP services to subscribers.
▪ A DSL modem converts an Ethernet signal from the user device to a DSL signal, which is transmitted to the central office.

Private WAN Infrastructures: Cable
▪ Network access is available from some cable television networks.
▪ Cable modems provide an always-on connection and a simple installation.

Private WAN Infrastructures: Wireless
New developments in broadband wireless technology:
▪ Municipal Wi-Fi – Many cities have begun setting up municipal wireless
▪ WiMAX – Worldwide Interoperability for Microwave Access (WiMAX) is a new technology that is just beginning to come into use.
▪ Satellite Internet

Private WAN Infrastructures: 3G/4G Cellular
Common cellular industry terms include:
▪ 3G/4G Wireless – Abbreviation for 3rd generation and 4th generation cellular access. These technologies support wireless Internet access.
▪ Long-Term Evolution (LTE) – A newer and faster technology, considered to be part of the 4th generation (4G) technology.

Private WAN Infrastructures: VPN Technology
A VPN is an encrypted connection between private networks over a public network.
Benefits:
▪ Cost savings
▪ Security
▪ Scalability
▪ Compatibility with broadband technology
Two types of VPN:
▪ Site-to-site VPNs
▪ Remote-access VPNs

Selecting WAN Services: Choosing a WAN Link Connection
Answer the following questions when choosing a WAN connection:
▪ What is the purpose of the WAN?
▪ What is the geographic scope?
▪ What are the traffic requirements?

Selecting WAN Services: Choosing a WAN Link Connection

2 PPP CONCEPTS
Connecting Networks

Serial Communications: Point-to-Point Communication Links
Point-to-point links can connect two geographically distant sites. The carrier dedicates specific resources for a line leased by the customer (leased line). Point-to-point links are usually more expensive than shared services.

Serial Communications: DTE-DCE
▪ DTE – Commonly CPE, generally a router, but could also be a terminal, computer, printer, or fax machine if it connects directly to the service provider network.
▪ DCE – Commonly a modem or CSU/DSU; a device used to convert the user data from the DTE into a form acceptable to the WAN service provider transmission link. The signal is received at the remote DCE, which decodes the signal back into a sequence of bits; the remote DCE then signals this sequence to the remote DTE.
Serial Communications: Serial Cables

Serial Communications: Serial Bandwidth
Bandwidth refers to the rate at which data is transferred over the communication link.

HDLC Encapsulation: WAN Encapsulation Protocols
Data is encapsulated into frames before crossing the WAN link; an appropriate Layer 2 encapsulation type must be configured.

HDLC Encapsulation: HDLC Encapsulation
▪ Bit-oriented, synchronous data link layer protocol developed by the International Organization for Standardization (ISO).
▪ Uses synchronous serial transmission to provide error-free communication between two points.
▪ Defines a Layer 2 framing structure that allows for flow control and error control through the use of acknowledgments.
▪ Cisco has developed an extension to the HDLC protocol to solve its inability to provide multiprotocol support (Cisco HDLC, also referred to as cHDLC).

HDLC Encapsulation: HDLC Frame Types
• The Flag field initiates and terminates error checking; the frame always starts and ends with an 8-bit flag field, 01111110.
• I-frames carry upper layer information and some control information; they carry send and receive sequence numbers, and the poll/final (P/F) bit performs flow and error control.
• S-frames provide control information: request and suspend transmission, report on status, and acknowledge receipt of I-frames.
• U-frames support control purposes and are not sequenced.

HDLC Encapsulation: Configuring HDLC Encapsulation
▪ Default encapsulation method used by Cisco devices on synchronous serial lines
▪ Point-to-point protocol on leased lines between two Cisco devices
▪ When connecting to a non-Cisco device, use synchronous PPP

HDLC Encapsulation: Troubleshooting a Serial Interface
HDLC Encapsulation: Troubleshooting a Serial Interface (cont.)
HDLC Encapsulation: Troubleshooting a Serial Interface (cont.)
HDLC Encapsulation: Troubleshooting a Serial Interface (cont.)
HDLC Encapsulation: Troubleshooting a Serial Interface (cont.)
HDLC Encapsulation: Troubleshooting a Serial Interface (cont.)

PPP OPERATION

Benefits of PPP: Introducing PPP
PPP contains three main components:
▪ HDLC protocol for encapsulating datagrams over point-to-point links
▪ Extensible Link Control Protocol (LCP) to establish, configure, and test the data link connection
▪ Family of Network Control Protocols (NCPs) to establish and configure different network layer protocols (IPv4, IPv6, AppleTalk, Novell IPX, and SNA Control Protocol)

Benefits of PPP: Advantages of PPP
▪ PPP is not proprietary
▪ PPP includes many features not available in HDLC
▪ The link quality management feature monitors the quality of the link. If too many errors are detected, PPP takes down the link
▪ Supports PAP and CHAP authentication

LCP and NCP: PPP Layered Architecture
▪ LCP sets up the PPP connection and its parameters
▪ NCPs handle higher layer protocol configurations
▪ LCP terminates the PPP connection

LCP and NCP: PPP Link Control Protocol (LCP)
LCP provides automatic configuration of the interfaces at each end, including:
▪ Handling varying limits on packet size.
▪ Detecting common misconfiguration errors.
▪ Terminating the link.
▪ Determining when a link is functioning properly or when it is failing.

LCP and NCP: PPP Network Control Protocol (NCP)
▪ PPP permits multiple network layer protocols to operate on the same communications link.
▪ For every network layer protocol used, PPP uses a separate NCP.
LCP and NCP: PPP Frame Structure

PPP Sessions: Establishing a PPP Session
Phase 1 – LCP must first open the connection and negotiate configuration options; this phase completes when the receiving router sends a configuration-acknowledgment frame back to the router initiating the connection.

PPP Sessions: Establishing a PPP Session (cont.)
Phase 2 – LCP tests the link to determine whether the link quality is sufficient to bring up network layer protocols.

PPP Sessions: Establishing a PPP Session (cont.)
Phase 3 – After the LCP has finished the link quality determination phase, the appropriate NCP can separately configure the network layer protocols, and bring them up and take them down at any time.

PPP Sessions: LCP Operation
▪ LCP operation includes provisions for link establishment, link maintenance, and link termination.
▪ LCP operation uses three classes of LCP frames to accomplish the work of each of the LCP phases:
  ▪ Link-establishment frames establish and configure a link: Configure-Request, Configure-Ack, Configure-Nak, and Configure-Reject
  ▪ Link-maintenance frames manage and debug a link: Code-Reject, Protocol-Reject, Echo-Request, Echo-Reply, and Discard-Request
  ▪ Link-termination frames terminate a link: Terminate-Request and Terminate-Ack

PPP Sessions: LCP Operation (cont.)
During link maintenance, LCP can use messages to provide feedback and test the link.
▪ Echo-Request, Echo-Reply, and Discard-Request can be used to test the link.
▪ Code-Reject and Protocol-Reject provide feedback when one device receives an invalid frame due to either an unrecognized LCP code (LCP frame type) or a bad protocol identifier.

PPP Sessions: LCP Operation (cont.)
PPP Sessions: LCP Packet
PPP Sessions: LCP Packet
PPP Sessions: LCP Packet (cont.)
PPP Sessions: PPP Configuration Options
Optional functions include:
▪ Authentication using either PAP or CHAP
▪ Compression using either Stacker or Predictor
▪ Multilink, which combines two or more channels to increase the WAN bandwidth

PPP Sessions: NCP Explained

3.3 CONFIGURING PPP

Configure PPP: PPP Configuration Options
▪ Authentication – The two authentication choices are Password Authentication Protocol (PAP) and Challenge Handshake Authentication Protocol (CHAP).
▪ Compression – Increases the effective throughput on PPP connections by reducing the amount of data in the frame that must travel across the link. The protocol decompresses the frame at its destination. Two compression protocols available in Cisco routers are Stacker and Predictor.
▪ Error detection – Identifies fault conditions. The Quality and Magic Number options help ensure a reliable, loop-free data link. The Magic Number field helps in detecting links that are in a looped-back condition. Magic numbers are generated randomly at each end of the connection.

Configure PPP: PPP Configuration Options
▪ PPP Callback – PPP callback is used to enhance security. With this LCP option, a Cisco router can act as a callback client or a callback server. The client makes the initial call, requests that the server call it back, and terminates its initial call. The callback router answers the initial call and makes the return call to the client based on its configuration statements. The command is ppp callback [accept | request].
▪ Multilink – This alternative provides load balancing over the router interfaces that PPP uses. Multilink PPP provides a method for spreading traffic across multiple physical WAN links while providing packet fragmentation and reassembly, proper sequencing, multivendor interoperability, and load balancing on inbound and outbound traffic.
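The difference between the two authentication options listed above is what actually crosses the serial link. The following model is an added example for this page, not slide content and not Cisco code: it follows the message formats of RFC 1334 (PAP) and RFC 1994 (CHAP, whose response is MD5 over the identifier, the shared secret and the challenge) and records every field that goes on the wire so the two can be compared. The router name "R2" and its secret are constructed.

```python
import hashlib
import hmac
import os

# Added example (not from the slides, not Cisco code): PAP and CHAP modelled
# as the fields that cross a PPP link. "R2" and its secret are constructed.

PEER_SECRETS = {"R2": b"constructed-ppp-secret"}   # authenticator's table


def chap_digest(ident, secret, challenge):
    """CHAP response value (RFC 1994): MD5 over Identifier || secret || challenge."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


def chap(peer_name, peer_secret, ident=1):
    """Three-way handshake. Returns (authenticated, wire), where wire lists
    every field that actually crossed the link."""
    challenge = os.urandom(16)                       # fresh random value
    wire = [("Challenge", ident, challenge)]
    response = chap_digest(ident, peer_secret, challenge)
    wire.append(("Response", ident, response, peer_name))
    expected = chap_digest(ident, PEER_SECRETS.get(peer_name, b""), challenge)
    ok = hmac.compare_digest(response, expected)     # constant-time compare
    wire.append(("Success" if ok else "Failure", ident))
    return ok, wire


def pap(peer_name, password):
    """Two-way handshake (RFC 1334): the peer sends its password as is."""
    wire = [("Authenticate-Request", peer_name, password)]
    ok = PEER_SECRETS.get(peer_name) == password
    wire.append(("Authenticate-Ack" if ok else "Authenticate-Nak",))
    return ok, wire


def secret_on_wire(wire, secret):
    """Would a passive observer of the link see the secret itself?"""
    return any(secret in field
               for message in wire
               for field in message if isinstance(field, bytes))


def demo():
    secret = PEER_SECRETS["R2"]
    chap_ok, chap_wire = chap("R2", secret)
    chap_bad, _ = chap("R2", b"wrong-secret")
    pap_ok, pap_wire = pap("R2", secret)
    # A Response computed for one Challenge does not satisfy a later one,
    # which is why an authenticator can re-challenge during the session.
    _, earlier = chap("R2", secret)
    earlier_response = earlier[1][2]
    reused_ok = hmac.compare_digest(earlier_response,
                                    chap_digest(1, secret, os.urandom(16)))
    return {
        "chap_ok": chap_ok,                                   # True
        "chap_wrong_secret": chap_bad,                        # False
        "chap_secret_on_wire": secret_on_wire(chap_wire, secret),  # False
        "pap_ok": pap_ok,                                     # True
        "pap_secret_on_wire": secret_on_wire(pap_wire, secret),    # True
        "earlier_response_reused": reused_ok,                 # False
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:24} {result}")
```

Both protocols authenticate the same peer with the same secret; only PAP exposes the secret to anyone who can observe the serial link, which is why the slides list CHAP alongside it as the stronger choice.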
Configure PPP: PPP Basic Configuration Command
Configure PPP: PPP Compression Commands

Configure PPP: PPP Link Quality Monitoring Command
The ppp quality percentage command ensures that the link meets the quality requirement set; otherwise, the link closes down.

Configure PPP: PPP Multilink Commands
Configure PPP: Verifying PPP Configuration

Configure PPP: Verifying PPP Configuration (cont.)
The output indicates the interface Multilink 1, the hostnames of both the local and remote endpoints, and the serial interfaces assigned to the multilink bundle.

PPP Authentication: PPP Authentication Protocols
PPP Authentication: Password Authentication Protocol (PAP)
Initiating PAP
Completing PAP
PPP Authentication: Challenge Handshake Authentication Protocol
Initiating CHAP
Responding CHAP
PPP Authentication: CHAP (cont.)
Completing CHAP
PPP Authentication: PPP Encapsulation and Authentication Process
PPP Authentication: Configuring PPP Authentication
PPP Authentication: Configuring PPP Authentication (cont.)
PPP Authentication: Configuring PPP Authentication (cont.)

Chapter 12 – Virtual Private Networks

Chapter 7: Securing Site-to-Site Connectivity
1 VPN Concepts
2 Types of VPN
3 Encryption
4 IPsec VPNs
5 SSL VPNs & Tunneling Protocols
6 GRE Tunnels

1 VPN CONCEPTS

Fundamentals of VPNs: Introducing VPNs
VPNs are used to create an end-to-end private network connection over third-party networks, such as the Internet or extranets. To implement VPNs, a VPN gateway is necessary: it could be a router, a firewall, or a Cisco Adaptive Security Appliance (ASA).
Fundamentals of VPNs: Benefits of VPNs
Cost savings
• Enable organizations to use cost-effective, third-party Internet transport to connect remote offices and remote users to the main site.
Scalability
• Enable organizations to use the Internet infrastructure within ISPs and devices, which makes it easy to add new users.

Fundamentals of VPNs: Benefits of VPNs (cont.)
Compatibility with broadband technology
• Allow mobile workers and telecommuters to take advantage of high-speed broadband connectivity, such as DSL and cable, to gain access to the networks of their organization, providing workers flexibility and efficiency.
• Provide a cost-effective solution for connecting remote offices.
Security
• Can include security mechanisms that provide the highest level of security by using advanced encryption and authentication protocols that protect data from unauthorized access.

2 TYPES OF VPN

Types of VPNs: Site-to-Site VPNs
Site-to-site VPNs connect entire networks to each other. In the past, a leased line or Frame Relay connection was required to connect sites, but because most corporations now have Internet access, these connections can be replaced with site-to-site VPNs. Internal hosts have no knowledge that a VPN exists. A site-to-site VPN is created when devices on both sides of the VPN connection are aware of the VPN configuration in advance.

Types of VPNs: Site-to-Site VPNs (cont.)
End hosts send and receive normal TCP/IP traffic through a VPN gateway. The VPN gateway is responsible for encapsulating and encrypting outbound traffic for all traffic from a particular site. The VPN gateway then sends it through a VPN tunnel over the Internet to a peer VPN gateway at the target site. Upon receipt, the peer VPN gateway strips the headers, decrypts the content, and relays the packet toward the target host inside its private network.

Types of VPNs: Site-to-Site VPNs (cont.)
Types of VPNs: Remote Access VPNs
Remote access VPNs support the needs of telecommuters, mobile users, and extranet, consumer-to-business traffic. They support a client/server architecture, where the VPN client (remote host) gains secure access to the enterprise network via a VPN server device at the network edge. They are used to connect individual hosts that must access their company network securely over the Internet. VPN client software may need to be installed on the mobile user's end device (Cisco AnyConnect Secure Mobility Client). When the host tries to send any traffic, the VPN client software encapsulates and encrypts this traffic and sends it over the Internet to the VPN gateway at the edge of the target network.

Types of VPNs: Remote Access VPNs (cont.)

3 Encryption

Encryption Algorithms
▪ As key length increases, it becomes more difficult to break the encryption. However, a longer key requires more processor resources when encrypting and decrypting data.
▪ The two main types of encryption are:
  ▪ Symmetric Encryption
  ▪ Asymmetric Encryption

Symmetric Encryption
▪ Encryption and decryption use the same key.
▪ Each of the two networking devices must know the key to decode the information.
▪ Each device encrypts the information before sending it over the network to the other device.
▪ Typically used to encrypt the content of the message.
▪ Examples: DES and 3DES (no longer considered secure) and AES (256-bit recommended for IPsec encryption).

Asymmetric Encryption
▪ Uses different keys for encryption and decryption.
▪ Knowing one of the keys does not allow a hacker to deduce the second key and decode the information.
▪ One key encrypts the message, while a second key decrypts the message.
▪ Public key encryption is a variant of asymmetric encryption that uses a combination of a private key and a public key.
▪ Typically used in digital certification and key management
▪ Example: RSA

Diffie-Hellman Key Exchange
▪ Diffie-Hellman (DH) is not an encryption mechanism and is not typically used to encrypt data.
▪ DH is a method to securely exchange the keys that encrypt data.
▪ DH algorithms allow two parties to establish a shared secret key used by encryption and hash algorithms.
▪ DH is part of the IPsec standard.
▪ Encryption algorithms, such as DES, 3DES, and AES, as well as the MD5 and SHA-1 hashing algorithms, require a symmetric, shared secret key to perform encryption and decryption.
▪ The DH algorithm specifies a public key exchange method that provides a way for two peers to establish a shared secret key that only they know, although they are communicating over an insecure channel.

Diffie-Hellman Key Exchange

Integrity with Hash Algorithms
▪ The original sender generates a hash of the message and sends it with the message itself.
▪ The recipient parses the message and the hash, produces another hash from the received message, and compares the two hashes.
▪ If they are the same, the recipient can be reasonably sure of the integrity of the original message.

Integrity with Hash Algorithms (cont.)

Integrity with Hash Algorithms (cont.)
Hash-based Message Authentication Code (HMAC) is a mechanism for message authentication using hash functions.
▪ HMAC has two parameters: a message input and a secret key known only to the message originator and intended receivers.
▪ The message sender uses an HMAC function to produce a value (the message authentication code) formed by condensing the secret key and the message input.
▪ The message authentication code is sent along with the message.
▪ The receiver computes the message authentication code on the received message using the same key and HMAC function as the sender used.
▪ The receiver compares the result that is computed with the received message authentication code.
▪ If the two values match, the message has been correctly received and the receiver is assured that the sender is a member of the user community that shares the key.

Integrity with Hash Algorithms (cont.)
There are two common HMAC algorithms:
▪ MD5 – Uses a 128-bit shared secret key. The variable-length message and 128-bit shared secret key are combined and run through the HMAC-MD5 hash algorithm. The output is a 128-bit hash. The hash is appended to the original message and forwarded to the remote end.
▪ SHA – SHA-1 uses a 160-bit secret key. The variable-length message and the 160-bit shared secret key are combined and run through the HMAC-SHA1 hash algorithm. The output is a 160-bit hash. The hash is appended to the original message and forwarded to the remote end.

4 IPSEC VPNS

Internet Protocol Security: IPsec VPNs
▪ Information from a private network is securely transported over a public network.
▪ Forms a virtual network instead of using a dedicated Layer 2 connection.
▪ To remain private, the traffic is encrypted to keep the data confidential.

Internet Protocol Security: IPsec Functions
▪ Defines how a VPN can be configured in a secure manner using IP.
▪ Framework of open standards that spells out the rules for secure communications.
▪ Not bound to any specific encryption, authentication, security algorithms, or keying technology.
▪ Relies on existing algorithms to implement secure communications.
▪ Works at the network layer, protecting and authenticating IP packets between participating IPsec devices.
▪ Secures a path between a pair of gateways, a pair of hosts, or a gateway and a host.
▪ All implementations of IPsec have a plaintext Layer 3 header, so there are no issues with routing.
▪ Functions over all Layer 2 protocols, such as Ethernet, ATM, or Frame Relay.
Internet Protocol Security: IPsec Characteristics
IPsec characteristics can be summarized as follows:
▪ IPsec is a framework of open standards that is algorithm-independent.
▪ IPsec provides data confidentiality, data integrity, and origin authentication.
▪ IPsec acts at the network layer, protecting and authenticating IP packets.

Internet Protocol Security: IPsec Security Services
▪ Confidentiality (encryption) – Encrypts the data before transmitting it across the network.
▪ Data integrity – Verifies that data has not been changed while in transit; if tampering is detected, the packet is dropped.
▪ Authentication – Verifies the identity of the source of the data that is sent and ensures that the connection is made with the desired communication partner. IPsec uses Internet Key Exchange (IKE) to authenticate users and devices that can carry out communication independently.
▪ Anti-replay protection – Detects and rejects replayed packets and helps prevent spoofing.
CIA: confidentiality, integrity, and authentication

IPsec Framework: Confidentiality with Encryption
▪ For encryption to work, both the sender and the receiver must know the rules used to transform the original message into its coded form.
▪ Rules are based on algorithms and associated keys.
▪ Decryption is extremely difficult (or impossible) without the correct key.

IPsec Framework: Encryption Algorithms
▪ As key length increases, it becomes more difficult to break the encryption. However, a longer key requires more processor resources when encrypting and decrypting data.
▪ The two main types of encryption are:
  ▪ Symmetric Encryption
  ▪ Asymmetric Encryption

IPsec Framework: Symmetric Encryption
▪ Encryption and decryption use the same key.
▪ Each of the two networking devices must know the key to decode the information.
▪ Each device encrypts the information before sending it over the network to the other device.
▪ Typically used to encrypt the content of the message.
▪ Examples: DES and 3DES (no longer considered secure) and AES (256-bit recommended for IPsec encryption).

IPsec Framework: Asymmetric Encryption
▪ Uses different keys for encryption and decryption.
▪ Knowing one of the keys does not allow a hacker to deduce the second key and decode the information.
▪ One key encrypts the message, while a second key decrypts the message.
▪ Public key encryption is a variant of asymmetric encryption that uses a combination of a private key and a public key.
▪ Typically used in digital certification and key management
▪ Example: RSA

IPsec Framework: Diffie-Hellman Key Exchange
▪ Diffie-Hellman (DH) is not an encryption mechanism and is not typically used to encrypt data.
▪ DH is a method to securely exchange the keys that encrypt data.
▪ DH algorithms allow two parties to establish a shared secret key used by encryption and hash algorithms.
▪ DH is part of the IPsec standard.
▪ Encryption algorithms, such as DES, 3DES, and AES, as well as the MD5 and SHA-1 hashing algorithms, require a symmetric, shared secret key to perform encryption and decryption.
▪ The DH algorithm specifies a public key exchange method that provides a way for two peers to establish a shared secret key that only they know, although they are communicating over an insecure channel.

IPsec Framework: Diffie-Hellman Key Exchange

IPsec Framework: Integrity with Hash Algorithms
▪ The original sender generates a hash of the message and sends it with the message itself.
▪ The recipient parses the message and the hash, produces another hash from the received message, and compares the two hashes.
▪ If they are the same, the recipient can be reasonably sure of the integrity of the original message.
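The Diffie-Hellman and HMAC slides (both here under IPsec Framework and earlier under Encryption) describe a two-step pattern: agree a secret over an insecure channel, then use it to key a message authentication code. The following is an added example written for this page, not slide content and not Cisco code: it runs DH over the 2048-bit MODP group of RFC 3526 (the group IKE calls "group 14") and keys HMAC-SHA-256 from the result; the message, peer roles and the 256-bit exponent size are constructed, and hashing the raw shared secret with a single SHA-256 stands in for the PRF-based key derivation IKE performs.

```python
import hashlib
import hmac
import secrets

# Added example (not from the slides, not Cisco code): Diffie-Hellman over the
# RFC 3526 2048-bit MODP group (IKE "group 14"), then HMAC-SHA-256 keyed from
# the agreed secret. Message and peer roles are constructed.

P = int("".join("""
FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 29024E08 8A67CC74
020BBEA6 3B139B22 514A0879 8E3404DD EF9519B3 CD3A431B 302B0A6D F25F1437
4FE1356D 6D51C245 E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED
EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE45B3D C2007CB8 A163BF05
98DA4836 1C55D39A 69163FA8 FD24CF5F 83655D23 DCA3AD96 1C62F356 208552BB
9ED52907 7096966D 670C354E 4ABC9804 F1746C08 CA18217C 32905E46 2E36CE3B
E39E772C 180E8603 9B2783A2 EC07A28F B5C55DF0 6F4C52C9 DE2BCBF6 95581718
3995497C EA956AE5 15D22618 98FA0510 15728E5A 8AACAA68 FFFFFFFF FFFFFFFF
""".split()), 16)
G = 2


def dh_keypair():
    """Private exponent x and public value g^x mod p. The 256-bit exponent
    is a constructed choice that exceeds the group's estimated strength."""
    x = secrets.randbits(256) or 1
    return x, pow(G, x, P)


def dh_shared_secret(own_private, peer_public):
    """Reject the degenerate public values 0, 1 and p-1 (they pin the shared
    secret to a value anyone can predict), then compute peer^x mod p."""
    if not 1 < peer_public < P - 1:
        raise ValueError("invalid DH public value")
    return pow(peer_public, own_private, P)


def derive_key(shared):
    """Hash the raw shared secret into a 32-byte key. IKE uses a PRF for this;
    a single SHA-256 is a simplification for the example."""
    return hashlib.sha256(shared.to_bytes(256, "big")).digest()


def exchange():
    """Both peers run the protocol; only the public values cross the channel."""
    a_priv, a_pub = dh_keypair()
    b_priv, b_pub = dh_keypair()
    key_a = derive_key(dh_shared_secret(a_priv, b_pub))
    key_b = derive_key(dh_shared_secret(b_priv, a_pub))
    return key_a, key_b


def mac(key, message):
    return hmac.new(key, message, hashlib.sha256).digest()


def verify(key, message, tag):
    """Constant-time comparison so a mismatch leaks no timing information."""
    return hmac.compare_digest(mac(key, message), tag)


def demo():
    key_a, key_b = exchange()
    msg = b"constructed message: route 10.1.0.0/16 via R2"
    tag = mac(key_a, msg)                        # sender attaches the MAC
    return {
        "keys_agree": key_a == key_b,
        "tag_ok": verify(key_b, msg, tag),       # receiver recomputes, compares
        "tampered_detected": not verify(key_b, msg.replace(b"R2", b"R3"), tag),
        "wrong_key_rejected": not verify(derive_key(12345), msg, tag),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:20} {result}")
```

The two negative cases are the ones the integrity slides care about: a one-character change to the message, or a receiver holding a different key, makes the recomputed code differ from the received one and the message is rejected.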
Integrity with Hash Algorithms (cont.)
Hash-based Message Authentication Code (HMAC) is a mechanism for message authentication using hash functions.
▪ HMAC has two inputs: the message and a secret key known only to the message originator and the intended receivers.
▪ The sender uses the HMAC function to produce a value (the message authentication code, MAC) by combining the secret key and the message.
▪ The message authentication code is sent along with the message.
▪ The receiver computes the MAC over the received message using the same key and HMAC function as the sender.
▪ The receiver compares the value it computed with the received MAC.
▪ If the two values match, the message was received unmodified and the receiver is assured that the sender is one of the parties that share the key.
▪ Compare MACs with a constant-time comparison; a byte-by-byte comparison that stops at the first mismatch leaks timing information.

Two common HMAC algorithms are used in IPsec:
▪ HMAC-MD5 – The variable-length message and the shared secret key are combined and run through the HMAC-MD5 algorithm. The output is a 128-bit MAC (IPsec truncates it to 96 bits in the packet). The MAC is appended to the original message and forwarded to the remote end.
▪ HMAC-SHA-1 – The variable-length message and the shared secret key are run through the HMAC-SHA-1 algorithm. The output is a 160-bit MAC (also truncated to 96 bits on the wire). The MAC is appended to the original message and forwarded to the remote end.
Note: the slide's "128-bit key" and "160-bit key" are the output sizes of MD5 and SHA-1; the HMAC key itself can be any length. MD5 and SHA-1 are deprecated for new deployments; prefer HMAC-SHA-256 (or AES-GCM, which provides integrity together with encryption).

IPsec Authentication
▪ IPsec VPNs support peer authentication.
▪ The device on the other end of the VPN tunnel must be authenticated before the communication path is considered secure.
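The following is an added example, not code from the course notes: it puts the Diffie-Hellman section and the HMAC section above together. Two peers agree on a shared secret with DH, split it into an encryption key and an integrity key, protect packets with HMAC-SHA-256 plus a sequence number (the anti-replay check), and detect a tampered and a replayed packet. It then shows the failure mode noted above: an unauthenticated DH exchange can be hijacked by a man-in-the-middle, and a pre-shared-key authenticator over the exchange transcript catches the substitution. Assumptions: the DH group is a toy (a plain prime field, 2^255-19 with generator 2, not a standardized IKE group), the key derivation is an HKDF-style construction rather than IKE's exact PRF chain, and the PSK is made up.

```python
from __future__ import annotations
import hashlib
import hmac
import secrets

# Toy group for readability only: a prime field, not a standardized DH group.
# Real IKE uses RFC 3526 group 14 (2048-bit MODP) or elliptic-curve groups 19-21.
P = 2**255 - 19
G = 2


def dh_keypair() -> tuple[int, int]:
    """Private exponent a and public value g^a mod p."""
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def dh_shared(priv: int, peer_pub: int) -> bytes:
    """Shared secret g^(ab) mod p as 32 bytes; rejects the trivial values 0, 1, p-1."""
    if not 1 < peer_pub < P - 1:
        raise ValueError("invalid DH public value")
    return pow(peer_pub, priv, P).to_bytes(32, "big")


def derive_keys(shared: bytes, transcript: bytes) -> tuple[bytes, bytes]:
    """HKDF-style extract/expand: one key for encryption, one for the HMAC.
    (Illustrative; IKE's PRF-based derivation differs in detail.)"""
    prk = hmac.new(transcript, shared, hashlib.sha256).digest()      # extract
    enc_key = hmac.new(prk, b"enc\x01", hashlib.sha256).digest()     # expand
    mac_key = hmac.new(prk, b"mac\x01", hashlib.sha256).digest()
    return enc_key, mac_key


def protect(mac_key: bytes, seq: int, payload: bytes) -> bytes:
    """seq || payload || HMAC-SHA256(seq || payload). The sequence number is
    covered by the MAC so a replay cannot be renumbered (as in ESP/AH)."""
    body = seq.to_bytes(4, "big") + payload
    return body + hmac.new(mac_key, body, hashlib.sha256).digest()


def verify(mac_key: bytes, packet: bytes, last_seq: int) -> bytes | None:
    """Return the payload if the MAC matches and the sequence number is new;
    otherwise None, meaning the receiver drops the packet."""
    body, tag = packet[:-32], packet[-32:]
    expected = hmac.new(mac_key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):     # constant-time comparison
        return None
    if int.from_bytes(body[:4], "big") <= last_seq:  # replayed or out of window
        return None
    return body[4:]


def psk_auth(psk: bytes, transcript: bytes) -> bytes:
    """IKE-style authentication of the exchange: a keyed hash of both public
    values with the pre-shared key. Without the PSK it cannot be forged."""
    return hmac.new(psk, transcript, hashlib.sha256).digest()


def honest_exchange() -> tuple[tuple[bytes, bytes], tuple[bytes, bytes]]:
    """Alice's and Bob's derived (enc_key, mac_key); they must be identical."""
    a_priv, a_pub = dh_keypair()
    b_priv, b_pub = dh_keypair()
    transcript = a_pub.to_bytes(32, "big") + b_pub.to_bytes(32, "big")
    alice = derive_keys(dh_shared(a_priv, b_pub), transcript)
    bob = derive_keys(dh_shared(b_priv, a_pub), transcript)
    return alice, bob


def mitm_exchange(psk: bytes) -> tuple[bool, bool]:
    """Mallory replaces both public values with her own. Returns
    (alice_and_bob_share_a_key, alice_accepts_bobs_psk_authenticator)."""
    a_priv, a_pub = dh_keypair()
    b_priv, b_pub = dh_keypair()
    _m_priv, m_pub = dh_keypair()
    alice_view = a_pub.to_bytes(32, "big") + m_pub.to_bytes(32, "big")
    bob_view = m_pub.to_bytes(32, "big") + b_pub.to_bytes(32, "big")
    alice_keys = derive_keys(dh_shared(a_priv, m_pub), alice_view)
    bob_keys = derive_keys(dh_shared(b_priv, m_pub), bob_view)
    # Bob authenticates what he saw; Alice checks it against what she saw.
    bob_auth = psk_auth(psk, bob_view)
    alice_accepts = hmac.compare_digest(bob_auth, psk_auth(psk, alice_view))
    return alice_keys == bob_keys, alice_accepts
```

In the honest run both sides derive the same keys and `verify` accepts a fresh packet, rejects the same packet a second time and rejects a modified payload. In the MITM run the two ends hold different keys and the PSK authenticator fails, which is the check IKE performs before any IPsec SA is installed.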
There are two peer authentication methods, PSK and RSA signatures:
▪ PSK (pre-shared key)
  ▪ A secret shared between the two parties, distributed over a secure channel before it is needed.
  ▪ Uses symmetric-key cryptographic algorithms (the PSK feeds a keyed hash inside IKE; it is never sent on the wire).
  ▪ The PSK is entered into each peer manually and is used to authenticate the peer. Use a long random value: with IKEv1 aggressive mode a weak PSK can be recovered offline from a captured exchange.
▪ RSA signatures
  ▪ Digital certificates are exchanged to authenticate peers.
  ▪ The local device computes a hash and signs it with its private key (the slides describe this as "encrypting the hash"; formally it is an RSA signature operation).
  ▪ The signature is attached to the message and forwarded to the remote end.
  ▪ At the remote end, the signature is verified with the public key of the local end, taken from its certificate.
  ▪ If the recovered hash matches the recomputed hash, the signature is genuine. The certificate itself must also be validated (trusted CA, validity period, revocation); otherwise any key pair would be accepted.

IPsec Protocol Framework
Authentication Header (AH)
▪ The appropriate protocol when confidentiality is not required or not permitted.
▪ Provides data authentication and integrity for IP packets passed between two systems.
▪ Does not provide data confidentiality (encryption) of packets.
▪ Because AH also authenticates fields of the outer IP header, it breaks when the packet crosses a NAT device; ESP is what is used in practice.
Encapsulating Security Payload (ESP)
▪ A security protocol that provides confidentiality and authentication by encrypting the IP packet (the whole inner packet in tunnel mode, only the payload in transport mode).
▪ Authenticates the ESP header and the encrypted payload, but not the outer IP header.
▪ Both encryption and authentication are optional in ESP; at a minimum one of them must be selected. Encryption without an integrity algorithm leaves the packet open to manipulation and should not be used.

Four basic building blocks of the IPsec framework must be selected:
▪ IPsec framework protocol – A combination of ESP and AH; ESP or ESP+AH is almost always selected because AH by itself does not provide encryption.
▪ Confidentiality (if IPsec is implemented with ESP) – DES, 3DES or AES; AES is strongly recommended since it provides the greatest security.
▪ Integrity – Guarantees that the content has not been altered in transit, using keyed hash algorithms (HMAC-MD5 or HMAC-SHA; SHA-2 preferred).
▪ Authentication – Represents how the devices on either end of the VPN tunnel are authenticated (PSK or RSA signatures).
▪ DH algorithm group – Represents how a shared secret key is established between peers. The slide's statement that DH group 24 provides the greatest security reflects older Cisco guidance; current IKE guidance (RFC 8247) makes group 14 (2048-bit) mandatory, prefers the elliptic-curve groups 19, 20 and 21, and recommends against groups 1, 2, 5 and 24.

5 SSL VPNS & TUNNELING PROTOCOLS
Remote Access VPN Solutions
Types of Remote Access VPNs
▪ There are two primary methods for deploying remote access VPNs:
  ▪ Secure Sockets Layer (SSL) – in practice TLS today; "SSL VPN" is the legacy product name
  ▪ IP Security (IPsec)
▪ The VPN method is chosen based on the access requirements of the users and the organization's IT processes.
▪ Both types offer access to virtually any network application or resource.

Cisco SSL VPN
▪ Provides remote access by using a web browser and the web browser's native SSL/TLS encryption.
▪ Can also provide remote access using the Cisco AnyConnect Secure Mobility Client software.

Cisco SSL VPN Solutions
Cisco AnyConnect Secure Mobility Client with SSL
▪ Client-based SSL VPNs provide authenticated users with LAN-like, full network access to corporate resources.
▪ The remote devices require a client application, such as the Cisco VPN Client or the newer AnyConnect client, to be installed on the end-user device.
Cisco Secure Mobility Clientless SSL VPN
▪ Enables corporations to provide access to corporate resources even when the remote device is not corporately managed.
▪ The Cisco ASA acts as a proxy between the remote browser and the network resources.
▪ Provides a web portal interface for remote devices to navigate the network, with port-forwarding capabilities for selected non-web applications.
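Before moving on to IPsec remote access, here is an added example (not code from the course notes) that applies the four IPsec building blocks listed above as a check: it reads Cisco IOS IKEv1 policy and transform-set lines and flags the weak choices (DES/3DES, MD5/SHA-1, DH groups 1/2/5/24, encryption without integrity) next to an acceptable policy. The configuration text is constructed for the example; the command syntax is standard IOS, but the policy numbers and transform-set names are made up.

```python
import re

WEAK_ENC = {"des", "3des"}
WEAK_HASH = {"md5", "sha"}                 # IOS "hash sha" means SHA-1
GOOD_DH = {"14", "15", "16", "19", "20", "21"}   # 2048-bit+ MODP or ECP groups

# Constructed sample: policy 10 and transform-set WEAK use what the notes call
# insecure; policy 20 and STRONG follow the recommendations; NOAUTH encrypts
# without an integrity algorithm.
SAMPLE_CONFIG = """\
crypto isakmp policy 10
 encryption 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp policy 20
 encryption aes 256
 hash sha256
 authentication rsa-sig
 group 14
crypto ipsec transform-set WEAK esp-des esp-md5-hmac
crypto ipsec transform-set STRONG esp-aes 256 esp-sha256-hmac
crypto ipsec transform-set NOAUTH esp-aes 256
"""


def parse_isakmp_policies(text: str) -> dict:
    """{policy_number: {'encryption': ..., 'hash': ..., 'authentication': ..., 'group': ...}}"""
    policies, current = {}, None
    for line in text.splitlines():
        m = re.match(r"crypto isakmp policy (\d+)", line)
        if m:
            current = policies.setdefault(m.group(1), {})
            continue
        if current is not None and line.startswith(" "):
            key, _, value = line.strip().partition(" ")
            current[key] = value
        else:
            current = None                 # left the policy sub-mode
    return policies


def parse_transform_sets(text: str) -> dict:
    """{name: ['esp-aes 256', 'esp-sha256-hmac', ...]}; key sizes stay attached."""
    sets = {}
    for line in text.splitlines():
        m = re.match(r"crypto ipsec transform-set (\S+) (.+)", line)
        if m:
            sets[m.group(1)] = re.findall(r"(?:esp|ah)-\S+(?: \d+)?", m.group(2))
    return sets


def grade_policy(policy: dict) -> list[str]:
    """Findings for one ISAKMP policy; an empty list means acceptable.
    Defaults mirror IOS: encryption des, hash sha, group 1."""
    findings = []
    enc = policy.get("encryption", "des")
    if enc.split()[0] in WEAK_ENC:
        findings.append(f"encryption {enc}: use aes 256")
    hsh = policy.get("hash", "sha")
    if hsh in WEAK_HASH:
        findings.append(f"hash {hsh}: use sha256 or stronger")
    group = policy.get("group", "1")
    if group not in GOOD_DH:
        findings.append(f"group {group}: use 14 or ECP groups 19-21")
    return findings


def grade_transform_set(transforms: list[str]) -> list[str]:
    findings = []
    enc = [t for t in transforms if t.startswith(("esp-des", "esp-3des", "esp-aes", "esp-null"))]
    integ = [t for t in transforms if t.endswith("-hmac") or t.startswith("ah-") or "gcm" in t]
    if any(t.split()[0] in {"esp-des", "esp-3des", "esp-null"} for t in enc):
        findings.append("weak or null encryption: use esp-aes 256 or esp-gcm")
    if enc and not integ:
        findings.append("encryption without integrity: add esp-sha256-hmac")
    if any(t in {"esp-md5-hmac", "esp-sha-hmac", "ah-md5-hmac", "ah-sha-hmac"} for t in integ):
        findings.append("MD5/SHA-1 integrity: use esp-sha256-hmac")
    return findings


def audit(text: str) -> dict:
    """Map each policy / transform-set to its list of findings."""
    report = {}
    for num, pol in parse_isakmp_policies(text).items():
        report[f"isakmp policy {num}"] = grade_policy(pol)
    for name, transforms in parse_transform_sets(text).items():
        report[f"transform-set {name}"] = grade_transform_set(transforms)
    return report
```

Run `audit(SAMPLE_CONFIG)`: policy 10 and transform-set WEAK each collect several findings, NOAUTH is flagged for having no integrity algorithm, and policy 20 and STRONG come back clean. The same parser can be pointed at a `show running-config` dump to review a real device.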
IPsec Remote Access VPNs
IPsec Remote Access
▪ The Cisco Easy VPN solution consists of three components:
  ▪ Cisco Easy VPN Server – A Cisco IOS router or Cisco ASA firewall acting as the VPN head-end device in site-to-site or remote-access VPNs.
  ▪ Cisco Easy VPN Remote – A Cisco IOS router or Cisco ASA firewall acting as a remote VPN client.
  ▪ Cisco VPN Client – An application on a PC used to access a Cisco VPN server.
▪ The Cisco Easy VPN feature offers flexibility, scalability and ease of use for both site-to-site and remote access IPsec VPNs.
Cisco Easy VPN Server and Remote
Comparing IPsec and SSL

6 GRE TUNNELS
Fundamentals of Generic Routing Encapsulation
Introduction to GRE
▪ Basic, non-secure, site-to-site VPN tunneling protocol, originally developed by Cisco and later standardized by the IETF
▪ Encapsulates a wide variety of protocol packet types inside IP tunnels
▪ Creates a virtual point-to-point link to routers at remote points, over an IP internetwork
Characteristics of GRE
GRE has these characteristics:
▪ GRE is defined as an IETF standard (RFC 2784, with the key and sequence-number extensions in RFC 2890).
▪ IP protocol number 47 identifies GRE packets.
▪ GRE uses a protocol type field in the GRE header (the same values as Ethernet EtherTypes, for example 0x0800 for IPv4) to support the encapsulation of any OSI Layer 3 protocol.
▪ GRE itself is stateless; by default it does not include any flow-control mechanisms.
▪ GRE does not include any strong security mechanisms to protect its payload: there is no encryption, no integrity check and no peer authentication, so anyone who can spoof the tunnel source address can inject packets into the tunnel. The optional key field is a demultiplexing tag, not a secret. When confidentiality or authentication is needed, GRE is run inside IPsec (GRE over IPsec).
▪ The GRE header, together with the tunneling IP header, adds at least 24 bytes of overhead (20-byte outer IPv4 header plus the 4-byte basic GRE header) to each tunneled packet, which reduces the effective MTU.
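As an added example (not code from the course notes), the following builds and parses a GRE-in-IPv4 packet with only the standard library, which makes the characteristics above concrete: protocol number 47 in the outer header, the EtherType-style protocol type field, and exactly 24 bytes of overhead for the basic header. The parser also honours the optional checksum, key and sequence-number flags, and validates the IPv4 header checksum. Addresses and the inner packet are constructed for the example. Note what the parser cannot check: nothing in the packet proves it came from the legitimate tunnel peer, only the (spoofable) outer source address.

```python
import socket
import struct

GRE_PROTO = 47
ETHERTYPE_IPV4 = 0x0800


def ip_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement checksum; returns 0 for a header whose
    checksum field is already correct."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with a correct checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]


def gre_encapsulate(outer_src: str, outer_dst: str, inner_packet: bytes,
                    protocol_type: int = ETHERTYPE_IPV4) -> bytes:
    """Outer IPv4 header + 4-byte basic GRE header (no C/K/S flags) + inner packet."""
    gre_hdr = struct.pack("!HH", 0x0000, protocol_type)     # flags/version = 0
    outer = ipv4_header(outer_src, outer_dst, GRE_PROTO, len(gre_hdr) + len(inner_packet))
    return outer + gre_hdr + inner_packet


def gre_decapsulate(packet: bytes) -> dict:
    """Parse outer IPv4 + GRE headers; raise ValueError if not basic GRE-in-IPv4."""
    if len(packet) < 24 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4
    if ip_checksum(packet[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    if packet[9] != GRE_PROTO:
        raise ValueError(f"IP protocol {packet[9]} is not GRE")
    flags, ptype = struct.unpack("!HH", packet[ihl:ihl + 4])
    gre_len = 4
    if flags & 0x8000:        # C: checksum + reserved1 present
        gre_len += 4
    if flags & 0x2000:        # K: key present
        gre_len += 4
    if flags & 0x1000:        # S: sequence number present
        gre_len += 4
    return {
        "outer_src": socket.inet_ntoa(packet[12:16]),
        "outer_dst": socket.inet_ntoa(packet[16:20]),
        "protocol_type": ptype,
        "overhead": ihl + gre_len,
        "inner": packet[ihl + gre_len:],
    }


def is_valid_gre(packet: bytes) -> bool:
    try:
        gre_decapsulate(packet)
        return True
    except ValueError:
        return False


def demo() -> dict:
    """Constructed inner IPv4/UDP packet between private hosts, tunneled
    between two public tunnel endpoints (documentation addresses)."""
    inner = ipv4_header("10.1.1.10", "10.2.2.20", 17, 8) + b"\x00" * 8
    tunneled = gre_encapsulate("203.0.113.1", "203.0.113.2", inner)
    info = gre_decapsulate(tunneled)
    info["added_bytes"] = len(tunneled) - len(inner)
    return info
```

`demo()` reports 24 bytes of overhead, protocol type 0x0800 and an inner packet identical to what was encapsulated; corrupting the outer checksum makes `is_valid_gre` return False.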
Configuring GRE Tunnels
GRE Tunnel Configuration
GRE Tunnel Verification
Verify that the tunnel interface is up, then verify the OSPF adjacency across the tunnel. (The slides' configuration and verification output are figures that are not reproduced here.)

Chapter 13 – IPv6
1 IPv6 Introduction
2 IPv6 Address Configuration
3 Static Route with IPv6
4 OSPF Version 3
5 EIGRP for IPv6

1 IPV6 INTRODUCTION
IPv4 Issues
The Need for IPv6
▪ IPv6 is designed to be the successor to IPv4.
▪ Depletion of the IPv4 address space has been the motivating factor for moving to IPv6.
▪ Projections (as of this 2017 material) showed all five RIRs running out of IPv4 addresses between 2015 and 2020.
▪ With an increasing Internet population, a limited IPv4 address space, the problems introduced by NAT and the Internet of Things, the time has come to begin the transition to IPv6.
▪ IPv4 has a theoretical maximum of 4.3 billion addresses, extended in practice by private addresses combined with NAT.
▪ IPv6's larger 128-bit address space provides for 340 undecillion addresses.
▪ IPv6 fixes the limitations of IPv4 and includes additional enhancements, such as ICMPv6.

IPv4 and IPv6 Coexistence
The migration techniques can be divided into three categories: dual-stack, tunnelling and translation.
▪ Dual-stack: Allows IPv4 and IPv6 to coexist on the same network. Devices run both IPv4 and IPv6 protocol stacks simultaneously. (A dual-stacked host is reachable over both protocols, so firewall and ACL policy must be applied to IPv6 as well, not only to IPv4.)
▪ Tunnelling: A method of transporting an IPv6 packet over an IPv4 network. The IPv6 packet is encapsulated inside an IPv4 packet.
▪ Translation: Network Address Translation 64 (NAT64) allows IPv6-enabled devices to communicate with IPv4-enabled devices using a translation technique similar to NAT for IPv4.
An IPv6 packet is translated to an IPv4 packet, and vice versa.

2 IPV6 ADDRESS CONFIGURATION
IPv6 Addressing
Hexadecimal Number System
Hexadecimal is a base-sixteen system. It uses the digits 0 to 9 and the letters A to F. Four bits (half of a byte) are represented by a single hexadecimal digit. (The slide's table of binary bit patterns against decimal and hexadecimal values is not reproduced here.)

IPv6 Address Representation
▪ 128 bits in length, written as a string of hexadecimal values.
▪ 4 bits represent a single hexadecimal digit, so an IPv6 address is 32 hexadecimal digits:
  2001:0DB8:0000:1111:0000:0000:0000:0200
  FE80:0000:0000:0000:0123:4567:89AB:CDEF
▪ A hextet is a segment of 16 bits, or four hexadecimal digits.
▪ Addresses can be written in either lowercase or uppercase (RFC 5952 recommends lowercase for the canonical text form).

Rule 1 – Omitting Leading 0s
The first rule to help reduce the notation of IPv6 addresses is that any leading 0s (zeros) in any 16-bit section or hextet can be omitted:
  01AB can be represented as 1AB.
  09F0 can be represented as 9F0.
  0A00 can be represented as A00.
  00AB can be represented as AB.
(Trailing zeros cannot be omitted: 0A00 becomes A00, never A.)

Rule 2 – Omitting All-0 Segments
A double colon (::) can replace any single, contiguous string of one or more 16-bit segments (hextets) consisting of all 0s. The double colon can only be used once within an address; otherwise the address would be ambiguous. This is known as the compressed format.
  Incorrect address – 2001:0DB8::ABCD::1234 (a parser cannot tell how many zero hextets each :: stands for).
When an address contains several runs of zero hextets, RFC 5952 compresses the longest run, and the first one if there is a tie; a single zero hextet is written as 0 rather than ::.
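As an added worked example for rules 1 and 2 (not code from the course notes), the following expands a textual IPv6 address into its eight hextets and produces the RFC 5952 canonical compressed form, rejecting the ambiguous double `::`. It cross-checks its output against Python's `ipaddress` module. The inputs are the two addresses from the notes plus a few constructed edge cases (a tie between two zero runs, a single zero hextet, `::` alone).

```python
from __future__ import annotations
import ipaddress


def expand(addr: str) -> list[int]:
    """Undo rules 1 and 2: return the eight 16-bit hextets as integers.
    Raises ValueError for more than one '::' or a wrong hextet count."""
    if addr.count("::") > 1 or ":::" in addr:
        raise ValueError("'::' may appear only once")
    if "::" in addr:
        left, right = addr.split("::")
        head = [h for h in left.split(":") if h] if left else []
        tail = [h for h in right.split(":") if h] if right else []
        missing = 8 - len(head) - len(tail)
        if missing < 1:
            raise ValueError("'::' must stand for at least one hextet")
        parts = head + ["0"] * missing + tail
    else:
        parts = addr.split(":")
    if len(parts) != 8:
        raise ValueError(f"expected 8 hextets, got {len(parts)}")
    hextets = []
    for p in parts:
        if not 1 <= len(p) <= 4:
            raise ValueError(f"bad hextet {p!r}")
        hextets.append(int(p, 16))     # rule 1: leading zeros carry no value
    return hextets


def compress(hextets: list[int]) -> str:
    """RFC 5952 canonical form: leading zeros dropped, the longest run of
    zero hextets (first on a tie, and only if at least two long) replaced
    by '::', lowercase digits."""
    if len(hextets) != 8:
        raise ValueError("need exactly 8 hextets")
    best_start, best_len = -1, 1        # a run of one zero is never compressed
    i = 0
    while i < 8:
        if hextets[i] == 0:
            j = i
            while j < 8 and hextets[j] == 0:
                j += 1
            if j - i > best_len:        # strictly longer, so ties keep the first run
                best_start, best_len = i, j - i
            i = j
        else:
            i += 1
    words = [format(h, "x") for h in hextets]
    if best_start < 0:
        return ":".join(words)
    head = ":".join(words[:best_start])
    tail = ":".join(words[best_start + best_len:])
    return f"{head}::{tail}"


def canonical(addr: str) -> str:
    return compress(expand(addr))


def is_valid(addr: str) -> bool:
    try:
        expand(addr)
        return True
    except ValueError:
        return False


def matches_stdlib(addr: str) -> bool:
    """Cross-check against the standard library's canonical form."""
    return canonical(addr) == ipaddress.IPv6Address(addr).compressed
```

For the two addresses on the slide, `canonical` returns `2001:db8:0:1111::200` and `fe80::123:4567:89ab:cdef`; the invalid `2001:0DB8::ABCD::1234` is rejected by `expand`. Canonicalising before comparing or logging addresses matters in practice: `2001:DB8::1`, `2001:db8:0:0:0:0:0:1` and `2001:0db8::0001` are the same host, and an ACL or allow-list that compares strings will miss two of them.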
(The slide's two worked compression examples are figures that are not reproduced here.)

Types of IPv6 Addresses
IPv6 Prefix Length
IPv6 does not use the dotted-decimal subnet mask notation. The prefix length indicates the network portion of an IPv6 address using the following format:
▪ IPv6 address/prefix length
▪ The prefix length can range from 0 to 128.
▪ The typical prefix length for a LAN is /64.

IPv6 Address Types
There are three types of IPv6 addresses:
▪ Unicast
▪ Multicast
▪ Anycast
Note: IPv6 does not have broadcast addresses; the all-nodes multicast group (FF02::1) serves that role on a link.

IPv6 Unicast Addresses
Unicast
▪ Uniquely identifies an interface on an IPv6-enabled device.
▪ A packet sent to a unicast address is received by the interface that is assigned that address.
Global Unicast
▪ Similar to a public IPv4 address
▪ Globally unique
▪ Internet-routable addresses
▪ Can be configured statically or assigned dynamically
Link-local
▪ Used to communicate with other devices on the same local link
▪ Confined to a single link; not routable beyond the link
Loopback
▪ Used by a host to send a packet to itself; cannot be assigned to a physical interface.
▪ Ping the IPv6 loopback address to test the configuration of TCP/IP on the local host.
▪ All 0s except for the last bit, represented as ::1/128 or just ::1.
Unspecified Address
▪ The all-0s address, represented as ::/128 or just ::
▪ Cannot be assigned to an interface and is only used as a source address.
▪ Used as a source address when the device does not yet have a permanent IPv6 address (for example in the Neighbor Solicitations sent during duplicate address detection) or when the source of the packet is irrelevant to the destination.
Unique Local
▪ Similar to private addresses for IPv4 (RFC 4193).
▪ Used for local addressing within a site or between a limited number of sites.
▪ Allocated from FC00::/7, that is FC00:: through FDFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF. Addresses actually in use come from FD00::/8 (the L bit set, meaning locally assigned, followed by a randomly generated 40-bit global ID); FC00::/8 is reserved.
IPv4-Embedded (not covered in this course)
▪ Used to help with the transition from IPv4 to IPv6.

IPv6 Link-Local Unicast Addresses
▪ Every IPv6-enabled network interface is REQUIRED to have a link-local address.
▪ Enables a device to communicate with other IPv6-enabled devices on the same link, and only on that link (subnet).
▪ FE80::/10 range: the first 10 bits are 1111 1110 10xx xxxx, so the first hextet ranges from 1111 1110 1000 0000 (FE80) to 1111 1110 1011 1111 (FEBF). In practice the remaining 54 prefix bits are zero, so link-local addresses are FE80::/64.
▪ Packets with a link-local source or destination address cannot be routed beyond the link on which the packet originated. Because the same link-local address can exist on every link, an application that uses one must also name the interface (a zone ID such as fe80::1%eth0).

IPv6 Unicast Addresses
Structure of an IPv6 Global Unicast Address
▪ IPv6 global unicast addresses are globally unique and routable on the IPv6 Internet.
▪ Equivalent to public IPv4 addresses.
▪ IANA (operated by ICANN) allocates IPv6 address blocks to the five RIRs.
▪ Currently, only global unicast addresses with the first three bits 001, that is 2000::/3, are being assigned.
▪ A global unicast address has three parts: global routing prefix, subnet ID and interface ID.
  ▪ The global routing prefix is the prefix, or network portion, of the address assigned by the provider, such as an ISP, to a customer or site. Customers are commonly assigned a /48 global routing prefix.
  ▪ 2001:0DB8:ACAD::/48 has a prefix length indicating that the first 48 bits (2001:0DB8:ACAD) are the prefix, or network portion.
  ▪ The subnet ID is used by an organization to identify subnets within its site (16 bits when a /48 is divided into /64 subnets).
  ▪ The interface ID is equivalent to the host portion of an IPv4 address. The term interface ID is used because a single host may have multiple interfaces, each having one or more IPv6 addresses.

Static Configuration of a Global Unicast Address
Windows IPv6 Setup
(The slides' router and Windows configuration screenshots are not reproduced here.)

Dynamic Configuration of a Global Unicast Address using SLAAC
Stateless Address Autoconfiguration (SLAAC)
▪ A method that allows a device to obtain its prefix, prefix length and default gateway from an IPv6 router.
▪ No DHCPv6 server is needed.
▪ Relies on ICMPv6 Router Advertisement (RA) messages.
IPv6 routers
▪ Forward IPv6 packets between networks.
▪ Can be configured with static routes or a dynamic IPv6 routing protocol.
▪ Send ICMPv6 RA messages.
▪ The ipv6 unicast-routing global configuration command enables IPv6 routing (and RA transmission) on a Cisco router.
▪ An RA message can indicate one of the following three options (through its M and O flags):
  ▪ SLAAC only – The host uses only the information contained in the RA message.
  ▪ SLAAC and DHCPv6 – The host uses the information in the RA message and obtains other information (for example DNS servers) from a DHCPv6 server: stateless DHCPv6.
  ▪ DHCPv6 only – The host should not use the address information in the RA but obtain it from a DHCPv6 server: stateful DHCPv6.
▪ Routers send ICMPv6 RA messages with their link-local address as the source IPv6 address.
▪ Security note: RAs are not authenticated. Any host on the link can send an RA and become the default gateway for its neighbours (a rogue RA, whether accidental or malicious), so access switches should enforce IPv6 RA Guard on host-facing ports.

Dynamic Configuration of a Global Unicast Address using DHCPv6
Dynamic Host Configuration Protocol for IPv6 (DHCPv6)
▪ Similar to DHCP for IPv4.
▪ A device automatically receives addressing information, including a global unicast address, the prefix length and the addresses of DNS servers, from a DHCPv6 server. (DHCPv6 has no default-gateway option; the default gateway is always learned from the router's RA.)
▪ A device may receive all or some of its IPv6 addressing information from a DHCPv6 server depending on whether option 2 (SLAAC and DHCPv6) or option 3 (DHCPv6 only) is signalled in the ICMPv6 RA message.
▪ A host may choose to ignore whatever is in the router's RA message and obtain its IPv6 address and other information directly from a DHCPv6 server.

EUI-64 Process or Randomly Generated
EUI-64 Process
▪ Uses the client's 48-bit Ethernet MAC address and inserts another 16 bits in the middle of the 48-bit MAC address to create a 64-bit interface ID.
▪ The advantage is that the interface ID can be traced back to the MAC address of the interface. The same property is a privacy problem: the host is easily tracked across networks, which is why operating systems moved to randomly generated interface IDs (RFC 4941 privacy extensions).
The EUI-64 interface ID, in binary, comprises three parts:
▪ The 24-bit OUI from the client MAC address, with the 7th bit (the Universal/Local bit) flipped (0 becomes 1, 1 becomes 0).
▪ The inserted 16-bit value FFFE.
▪ The 24-bit device identifier from the client MAC address.
Randomly Generated Interface IDs
▪ Depending on the operating system, a device can use a randomly generated interface ID instead of the MAC address and the EUI-64 process.
▪ Beginning with Windows Vista, Windows uses a randomly generated interface ID instead of one created with EUI-64.
▪ Windows XP (and previous Windows operating systems) used EUI-64.

Dynamic Link-local Addresses
Link-Local Address
▪ When IPv6 is enabled on an interface (on Cisco IOS, when a global unicast address is assigned or ipv6 enable is configured), the device automatically generates its link-local address.
▪ A device must have a link-local address; it enables communication with other IPv6-enabled devices on the same subnet.
▪ A host uses the link-local address of the local router as its default gateway IPv6 address.
▪ Routers exchange dynamic routing protocol messages using link-local addresses.
▪ Routers' routing tables use the link-local address to identify the next-hop router when forwarding IPv6 packets.
Dynamically Assigned
▪ The link-local address is dynamically created using the FE80::/10 prefix and the interface ID.
Static Link-local Addresses
Configuring Link-local
(The slide's configuration example is a figure that is not reproduced here.)

IPv6 Global Unicast Addresses
Verifying IPv6 Address Configuration
Each interface has two IPv6 addresses:
1. The global unicast address that was configured.
2. The address beginning with FE80, automatically added as the link-local unicast address.

IPv6 Multicast Addresses
Assigned IPv6 Multicast Addresses
▪ IPv6 multicast addresses have the prefix FF00::/8.
▪ There are two types of IPv6 multicast addresses:
  ▪ Assigned multicast
  ▪ Solicited-node multicast
Two common assigned IPv6 multicast groups are:
▪ FF02::1 – All-nodes multicast group
  ▪ All IPv6-enabled devices join.
  ▪ Same effect as an IPv4 broadcast address on the link.
▪ FF02::2 – All-routers multicast group
  ▪ All IPv6 routers join.
  ▪ A router becomes a member of this group when it is enabled as an IPv6 router with the ipv6 unicast-routing global configuration command.
  ▪ A packet sent to this group is received and processed by all IPv6 routers on the link. (A host's Router Solicitation is sent to FF02::2, and whatever answers it is trusted as a router; this is the rogue-RA problem noted under SLAAC.)

Solicited-Node IPv6 Multicast Addresses
▪ Unlike the all-nodes address, a solicited-node address is listened to only by the devices whose unicast address ends in the same 24 bits. Neighbor Discovery (the IPv6 equivalent of ARP) and duplicate address detection send to it so that address resolution does not interrupt every node on the link.
▪ Automatically created when a global unicast or link-local unicast address is assigned.
▪ Created by combining the special prefix FF02:0:0:0:0:1:FF00::/104 (that is, FF02::1:FF00:0/104) with the right-most 24 bits of the unicast address.
The solicited-node multicast address consists of two parts:
▪ FF02:0:0:0:0:1:FF00::/104 multicast prefix – the first 104 bits of the solicited-node multicast address.
▪ Least-significant 24 bits – copied from the right-most 24 bits of the global unicast or link-local unicast address of the device.
Example: 2001:DB8::ACAD:1234:5678 has the solicited-node multicast address FF02::1:FF34:5678.

3 STATIC ROUTE WITH IPV6
Configure IPv6 Static Routes
The ipv6 route Command
Most of the parameters are identical to the IPv4 version of the command. IPv6 static routes can be implemented as:
▪ Standard IPv6 static route
▪ Default IPv6 static route
▪ Summary IPv6 static route
▪ Floating IPv6 static route
Next-Hop Options
The next hop can be identified by an IPv6 address, an exit interface, or both. How the destination is specified creates one of three route types:
▪ Next-hop IPv6 route – Only the next-hop IPv6 address is specified.
▪ Directly connected static IPv6 route – Only the router exit interface is specified. On a multi-access link such as Ethernet this is a poor choice, because the router must then resolve every destination with Neighbor Discovery.
▪ Fully specified static IPv6 route – Both the next-hop IPv6 address and the exit interface are specified. This form is required when the next hop is a link-local address, since a link-local address is ambiguous without the interface.
Configure a Next-Hop Static IPv6 Route
Configure a Directly Connected Static IPv6 Route
Configure a Fully Specified Static IPv6 Route
(The slides' configuration examples are figures that are not reproduced here.)
Verify IPv6 Static Routes
Along with ping and traceroute, useful commands to verify static routes include:
▪ show ipv6 route
▪ show ipv6 route static
▪ show ipv6 route network
Configure IPv6 Default Routes
Default Static IPv6 Route
Configure a Default Static IPv6 Route

4 OSPF VERSION 3
Configuring OSPFv3
OSPFv3 Network Topology
Link-Local Addresses
▪ Link-local addresses are automatically created when an IPv6 global unicast address is assigned to the interface. A link-local address is required on every IPv6 interface; a global unicast address is not.
▪ Cisco routers create the link-local address using the FE80::/10 prefix and the EUI-64 process unless the router is configured manually. EUI-64 involves taking the 48-bit Ethernet MAC address, inserting FFFE in the middle and flipping the seventh bit.
▪ For serial interfaces, Cisco uses the MAC address of an Ethernet interface.
▪ Notice in the figure that all three interfaces are using the same link-local address. This is legal, because a link-local address only has to be unique on its own link.
Assigning Link-Local Addresses
Manually configuring the link-local address makes it possible to create an address that is recognizable and easier to remember.
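The following is an added example (not code from the course notes) that ties together the EUI-64 section, the solicited-node multicast section and the OSPFv3 link-local discussion above: from a MAC address it derives the EUI-64 interface ID (FFFE inserted, U/L bit flipped), the FE80::/64 link-local address a Cisco router would generate, the SLAAC global address for an advertised /64, and the solicited-node multicast address. It also classifies any IPv6 address into the types the notes list. The MAC addresses and prefixes are constructed for the example.

```python
from __future__ import annotations
import ipaddress


def eui64_interface_id(mac: str) -> int:
    """EUI-64: split the 48-bit MAC, insert FFFE, flip the U/L bit (the
    second-least-significant bit of the first octet, i.e. 0x02)."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", "").replace(".", ""))
    if len(octets) != 6:
        raise ValueError("MAC must be 48 bits")
    first = octets[0] ^ 0x02                       # flip the universal/local bit
    eui = bytes([first]) + octets[1:3] + b"\xff\xfe" + octets[3:6]
    return int.from_bytes(eui, "big")


def link_local_from_mac(mac: str) -> ipaddress.IPv6Address:
    """FE80::/64 + EUI-64 interface ID (what a Cisco router does by default)."""
    return ipaddress.IPv6Address((0xFE80 << 112) | eui64_interface_id(mac))


def global_from_mac(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """SLAAC-style global address: the RA's /64 prefix + EUI-64 interface ID."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 interface IDs require a /64 prefix")
    return ipaddress.IPv6Address(int(net.network_address) | eui64_interface_id(mac))


def solicited_node(addr: str) -> ipaddress.IPv6Address:
    """FF02::1:FF00:0/104 + the low 24 bits of the unicast address."""
    low24 = int(ipaddress.IPv6Address(addr)) & 0xFFFFFF
    return ipaddress.IPv6Address(int(ipaddress.IPv6Address("ff02::1:ff00:0")) | low24)


def classify(addr: str) -> str:
    """Address type as used in the notes. The specific prefixes are tested
    before the broad 2000::/3 global unicast range."""
    a = ipaddress.IPv6Address(addr)
    if a == ipaddress.IPv6Address("::"):
        return "unspecified"
    if a == ipaddress.IPv6Address("::1"):
        return "loopback"
    if a in ipaddress.IPv6Network("ff02::1:ff00:0/104"):
        return "solicited-node multicast"
    if a in ipaddress.IPv6Network("ff00::/8"):
        return "multicast"
    if a in ipaddress.IPv6Network("fe80::/10"):
        return "link-local unicast"
    if a in ipaddress.IPv6Network("fc00::/7"):
        return "unique local unicast"
    if a in ipaddress.IPv6Network("::ffff:0:0/96"):
        return "IPv4-mapped"
    if a in ipaddress.IPv6Network("2000::/3"):
        return "global unicast"
    return "reserved/unassigned"
```

For the constructed MAC `00:1b:21:3c:4d:5e` the link-local address is `fe80::21b:21ff:fe3c:4d5e` and the SLAAC address under `2001:db8:acad:1::/64` is `2001:db8:acad:1:21b:21ff:fe3c:4d5e`; both share the solicited-node address `ff02::1:ff3c:4d5e`, because only the low 24 bits are used. The flipped bit is also why a MAC beginning `02:` produces an interface ID beginning `00`.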
Configuring the OSPFv3 Router ID
Modifying an OSPFv3 Router ID
(The router-ID configuration and the output shown on the slides are figures that are not reproduced here.) The OSPFv3 router ID is still a 32-bit value written in dotted-decimal form; it cannot be derived from an IPv6 address, so on a router with no IPv4 addresses it must be set manually with router-id.
Enabling OSPFv3 on Interfaces
Instead of using the network router configuration mode command to specify matching interface addresses, OSPFv3 is enabled directly on each interface (ipv6 ospf process-id area area-id).
Verify OSPFv3
Verify OSPFv3 neighbors and protocol settings; verify OSPFv3 interfaces; verify the IPv6 routing table.

5 EIGRP FOR IPV6
EIGRP for IPv4 vs. IPv6
Comparing EIGRP for IPv4 and IPv6
IPv6 Link-local Addresses
Configuring EIGRP for IPv6
EIGRP for IPv6 Network Topology
Configuring IPv6 Link-Local Addresses
▪ Manually configuring link-local addresses
▪ Verifying link-local addresses
Configuring EIGRP for the IPv6 Routing Process
▪ The ipv6 unicast-routing global configuration command is required to enable any IPv6 routing protocol.
▪ The EIGRP for IPv6 process is created with ipv6 router eigrp autonomous-system.
▪ The no shutdown command (on older IOS versions the process starts in the shutdown state) and a router ID are required for the router to form neighbor adjacencies. As with OSPFv3, the router ID is a 32-bit dotted-decimal value and must be configured explicitly (eigrp router-id) when no IPv4 address is available.
Enabling EIGRP for IPv6 on an Interface
▪ The ipv6 eigrp autonomous-system interface command enables EIGRP for IPv6 on the interface; there is no network command.
Verifying EIGRP for IPv6
▪ Examining neighbors: show ipv6 eigrp neighbors
▪ Protocol settings: show ipv6 protocols (the IPv6 counterpart of show ip protocols, which the slide names)
▪ Examining the routing table: use the show ipv6 route command to examine the IPv6 routing table.
Chapter 14 – IP Services
1 High Availability – HSRP
2 Cisco IOS NetFlow, SNMP

1 HIGH AVAILABILITY – HSRP
HSRP
HSRP is a Cisco proprietary protocol that can be run on most, but not all, of Cisco's router and multilayer switch models. It defines a standby group, and each standby group that you define includes the following routers:
▪ Active router
▪ Standby router
▪ Virtual router
▪ Any other routers that may be attached to the subnet
HSRP active and standby routers
The drawback of HSRP is that only one router is active, while two or more routers just sit in standby mode and are not used unless a failure occurs, which is not very cost-effective or efficient. (Load sharing is usually obtained by running several HSRP groups with different active routers, or by using GLBP.)
The standby group will always have at least two routers participating in it. The primary players in the group are the one active router and one standby router, which communicate with each other using multicast Hello messages.
Security note: Hellos are sent to every router on the subnet, and the router with the highest priority (up to 255, with preemption) becomes active. Without authentication, any host on the VLAN can send Hellos with priority 255 and take over the virtual IP, that is, become the subnet's default gateway. Configure HSRP MD5 authentication (standby group authentication md5 key-string ...) and restrict which ports may source HSRP traffic.
HSRP Virtual MAC
The HSRP (version 1) MAC address has only one variable piece in it:
▪ The first 24 bits identify the vendor who manufactured the device (the organizationally unique identifier, or OUI).
▪ The next 16 bits indicate that the MAC address is a well-known HSRP MAC address.
▪ The last 8 bits carry the HSRP group number.
Here is an example of what an HSRP MAC address looks like: 0000.0c07.ac0a
The first 24 bits (0000.0c) are the vendor ID of the address; since HSRP is a Cisco protocol, the ID is assigned to Cisco. The next 16 bits (07.ac) are the well-known HSRP ID. This part of the address was assigned by Cisco in the protocol, so it is always easy to recognize that this address is for use with HSRP. The last 8 bits (0a) are the only variable bits and represent the HSRP group number that you assign.
In this case the group number is 10, which becomes 0a when converted to hexadecimal and placed in the MAC address. (HSRP version 2 uses 0000.0c9f.fxxx, where the last 12 bits carry the group number, allowing groups 0 to 4095.)

2 CISCO IOS NETFLOW, SNMP
SNMP
SNMP is an Application layer protocol that provides a message format for agents on a variety of devices to communicate with network management stations (NMSs). The NMS periodically queries, or polls, the SNMP agent on a device to gather and analyze statistics via GET messages. Devices running SNMP agents send an SNMP trap to the NMS when a problem occurs.
SNMP versions
SNMP has three versions, with version 1 rarely, if ever, implemented today. Here is a summary of the three versions:
▪ SNMPv1 – Supports plaintext authentication with community strings and uses only UDP.
▪ SNMPv2c – Also uses plaintext community strings, with no encryption and no cryptographic authentication, so it is no more secure than v1. It adds GET BULK, a way to gather many types of information at once and minimize the number of GET requests, and a more detailed error-reporting method. It uses UDP, though it can be configured to use TCP.
▪ SNMPv3 – Supports strong authentication (HMAC-MD5 or HMAC-SHA; SHA-2 in newer implementations) and provides confidentiality (encryption) and data integrity for messages between agents and managers, using DES, 3DES or AES (128, 192 or 256 bit) for privacy. GET BULK is supported. Like the other versions it normally runs over UDP (ports 161 and 162); TCP transport is optional and rarely used.
Practical caveats: a community string is a password sent in the clear, so v1/v2c traffic must be confined to a management network and the defaults "public" and "private" must never be used; a read-write community gives full control of the device. Prefer SNMPv3 with authPriv, and restrict SNMP access with an ACL on the agent.
NetFlow
Cisco IOS NetFlow provides a key set of services for IP applications, including network traffic accounting for baselining, usage-based network billing for consumers of network services, network design and planning, general network security, DoS and DDoS monitoring, and general network monitoring.
Service providers use NetFlow to:
▪ Efficiently measure who is using network services and for what purpose
▪ Account for, and charge back according to, the level of resource utilization
▪ Use the measured information for more effective network planning, so that resource allocation and deployment are well aligned with customer requirements
▪ Use the information to better structure and customize the set of available applications and services to meet user needs and customer service requirements
NetFlow Uses
▪ Major users of the network, meaning top talkers, top listeners, top protocols, and so on
▪ Websites that are routinely visited, plus what has been downloaded
▪ Who is generating the most traffic and using excessive bandwidth
▪ Descriptions of the bandwidth needs of an application as well as your available bandwidth
NetFlow records flow metadata (addresses, ports, protocol, packet and byte counters), not payload, which is what makes it practical for detection (scans, DoS, exfiltration by volume) without the storage cost of full packet capture. The export itself is unencrypted UDP, so the collector should sit on the management network.
Configuring NetFlow
Enable flow collection on the interface, then export the flow cache to the collector (172.16.20.254, UDP port 9996 here) using NetFlow version 9, sourced from a loopback so that the exporter address stays stable:
SF(config)#int fa0/0
SF(config-if)#ip flow ingress
SF(config-if)#ip flow egress
SF(config-if)#exit
SF(config)#ip flow-export destination 172.16.20.254 9996
SF(config)#ip flow-export version ?
  1
  5
  9
SF(config)#ip flow-export version 9
SF(config)#ip flow-export source loopback 0
show ip cache flow
SF#sh ip cache flow
IP packet size distribution (161 total packets):
[output cut]
IP Flow Switching Cache, 278544 bytes
  1 active, 4095 inactive, 1 added
  215 ager polls, 0 flow alloc failures
  Active flows timeout in 30 minutes
  Inactive flows timeout in 15 seconds
IP Sub Flow Cache, 21640 bytes
  1 active, 1023 inactive, 1 added, 1 added to flow
  0 alloc failures, 0 force free
  1 chunk, 1 chunk added
  last clearing of statistics never
Protocol         Total    Flows   Packets Bytes  Packets Active(Sec) Idle(Sec)
--------         Flows     /Sec     /Flow  /Pkt     /Sec     /Flow     /Flow
TCP-Telnet          14      0.0        19    58      0.1       6.5      11.7
TCP-WWW              8      0.0         9   108      0.1       2.5       1.7
SrcIf   SrcIPaddress    DstIf   DstIPaddress     Pr SrcP DstP  Pkts
Fa0/0   172.16.10.1     gig0/1  255.255.255.255  11 0044 0050  1161
In the flow table Pr and the ports are shown in hexadecimal: Pr 11 is IP protocol 17 (UDP), SrcP 0044 is port 68 and DstP 0050 is port 80.

Chapter 15 – Network Security
1 Network Security
2 Cisco Firewalls
3 Layer 2 Security
4 AAA Security Services
5 Secure Device Management
6 Secure Communications

1 NETWORK SECURITY
Security Threats
The most common external threats to networks include:
▪ Viruses, worms, and Trojan horses
▪ Spyware and adware
▪ Zero-day attacks, also called zero-hour attacks
▪ Hacker attacks
▪ Denial of service (DoS) attacks
▪ Data interception and theft
▪ Identity theft

2 CISCO FIREWALLS
Security Solutions
Network security components often include:
▪ Antivirus and antispyware
▪ Firewall filtering
▪ Dedicated firewall systems
▪ Access control lists (ACL)
▪ Intrusion prevention systems (IPS)
▪ Virtual Private Networks (VPNs)

3 LAYER 2 SECURITY
2950 CISCO SWITCH
The Cisco Catalyst 2950 Series is a family of wire-speed Fast Ethernet desktop
switches that deliver the next generation of performance and functionality for the LAN, with 10/100/1000BaseT uplinks, enhanced IOS services, quality of service (QoS), multicast management, high availability and security features, using a simple web-based interface.

Introduction
Secured ports restrict a port to a user-defined group of stations. When you assign secure addresses to a secure port, the switch does not forward any packets with source addresses outside the defined group of addresses. If you define the address table of a secure port to contain only one address, the workstation or server attached to that port is guaranteed the full bandwidth of the port. As part of securing the port, you can also define the size of the address table for the port.

IMPORTANT NOTE
Port security can only be configured on static access ports.

Secured ports generate address security violations under these conditions:
• The address table of a secured port is full, and the address of an incoming packet is not found in the table.
• An incoming packet has a source address assigned as a secure address on another port.

ADVANTAGES OF PORT SECURITY
Dedicated bandwidth: If the size of the address table is set to 1, the attached device is guaranteed the full bandwidth of the port.
Added security: Unknown devices cannot connect to the port.

COMMANDS TO VALIDATE PORT SECURITY
Interface: Port to secure.
Security: Enable port security on the port.
Trap: Issue a trap when an address-security violation occurs.
Shutdown Port: Disable the port when an address-security violation occurs.

COMMANDS TO VALIDATE PORT SECURITY
Secure Addresses: Number of addresses in the secure address table for this port. Secure ports have at least one address.
Max Addresses: Number of addresses that the secure address table for the port can contain.
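To make the secure address table, the two violation conditions and the trap/shutdown reactions above concrete, here is an added model of a switch with secured ports; it is an illustration written for this page, not Cisco code. Each port learns source addresses until its table is full, both violation conditions trigger the configured shutdown, restrict or protect reaction, and a link loss clears the dynamically learned addresses. Port names and MAC addresses are constructed.

```python
class SecurePort:
    """One secured static access port; added model of the behaviour above, not Cisco code."""

    def __init__(self, name, switch, max_addrs=1, violation="shutdown"):
        if violation not in ("shutdown", "restrict", "protect"):
            raise ValueError("violation mode must be shutdown, restrict or protect")
        self.name = name
        self.switch = switch
        self.max_addrs = max_addrs       # size of the secure address table
        self.violation = violation       # reaction to an address-security violation
        self.static_addrs = set()        # addresses assigned by the administrator
        self.dynamic_addrs = set()       # addresses learned while the table has room
        self.err_disabled = False
        self.link_up = True
        self.security_rejects = 0        # the "Security Rejects" counter
        self.traps = []                  # traps that would go to the NMS

    @property
    def secure_addrs(self):
        return self.static_addrs | self.dynamic_addrs

    def add_secure_address(self, mac):
        if len(self.secure_addrs) >= self.max_addrs:
            raise ValueError("secure address table is full")
        self.static_addrs.add(mac)

    def link_down(self):
        """Losing the link removes every dynamically learned secure address."""
        self.link_up = False
        self.dynamic_addrs.clear()

    def link_restored(self):
        self.link_up = True

    def receive(self, src_mac):
        """Return 'forward' or 'drop' for a frame whose source address is src_mac."""
        if self.err_disabled or not self.link_up:
            return "drop"
        if src_mac in self.secure_addrs:
            return "forward"
        # Violation condition 2: the address is a secure address on another port.
        owner = self.switch.owner_of(src_mac)
        if owner is not None and owner is not self:
            return self._violation(src_mac)
        # Table not full yet: learn the address as a secure address.
        if len(self.secure_addrs) < self.max_addrs:
            self.dynamic_addrs.add(src_mac)
            return "forward"
        # Violation condition 1: table full and the address is not in it.
        return self._violation(src_mac)

    def _violation(self, src_mac):
        if self.violation == "shutdown":
            self.security_rejects += 1
            self.err_disabled = True     # port disabled: even the legitimate host is cut off
            self.traps.append(("shutdown", self.name, src_mac))
        elif self.violation == "restrict":
            self.security_rejects += 1   # frame dropped, trap sent, port keeps working
            self.traps.append(("restrict", self.name, src_mac))
        # protect: the frame is dropped silently, nothing is counted or reported
        return "drop"


class Switch:
    def __init__(self):
        self.ports = {}

    def add_port(self, name, max_addrs=1, violation="shutdown"):
        self.ports[name] = SecurePort(name, self, max_addrs, violation)
        return self.ports[name]

    def owner_of(self, mac):
        """The port on which mac is currently a secure address, if any."""
        for port in self.ports.values():
            if mac in port.secure_addrs:
                return port
        return None


def scenario():
    """Constructed traffic (made-up MACs) exercising the three violation modes."""
    sw = Switch()
    fa1 = sw.add_port("Fa0/1", max_addrs=1, violation="shutdown")
    fa2 = sw.add_port("Fa0/2", max_addrs=2, violation="restrict")
    fa3 = sw.add_port("Fa0/3", max_addrs=1, violation="protect")
    r = {}
    r["fa1_host"] = fa1.receive("aaaa.0001.0001")        # learned and forwarded
    r["fa1_second"] = fa1.receive("aaaa.0001.0002")      # table full: port shut down
    r["fa1_host_again"] = fa1.receive("aaaa.0001.0001")  # err-disabled drops everything
    r["fa2_moved_mac"] = fa2.receive("aaaa.0001.0001")   # secured on Fa0/1: violation
    r["fa2_host"] = fa2.receive("bbbb.0002.0001")        # restrict: others still forward
    r["fa3_host"] = fa3.receive("cccc.0003.0001")
    r["fa3_unknown"] = fa3.receive("cccc.0003.0002")     # protect: silent drop
    fa3.link_down()                                      # dynamic entry removed
    fa3.link_restored()
    r["fa3_new_host"] = fa3.receive("cccc.0003.0002")    # learned as the new host
    return sw, r
```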
COMMANDS TO VALIDATE PORT SECURITY (continued)
Security Rejects: Number of unauthorized addresses seen on the port.

Security Violation Mode
Shutdown: The interface is shut down immediately following a security violation.
Restrict: A security violation sends a trap to the network management station.
Protect: When the port's secure addresses reach the allowed limit on the port, all packets with unknown addresses are dropped.
** The default is shutdown.

Defining the Maximum Secure Address Count
A secure port can have from 1 to 132 associated secure addresses. Setting one address in the MAC address table for the port ensures that the attached device has the full bandwidth of the port. If the secure-port maximum is set to between 1 and 132 addresses and some of the secure addresses have not been added by the user, the remaining addresses are dynamically learned and become secure addresses.

IMPORTANT NOTE
If the port link goes down, all the dynamically learned addresses are removed.

Enabling Port Security on the Switch
Beginning in privileged EXEC mode on the switch, follow these steps to enable port security; these settings guarantee accurate and tight security.

TABLE OF COMMANDS
Step 1  configure terminal
        Enter global configuration mode.
Step 2  interface interface
        Enter interface configuration mode for the port you want to secure.
Step 3  switchport port-security
        Enable basic port security on the interface.
Step 4  switchport port-security maximum max_addrs
        Set the maximum number of MAC addresses that is allowed on this interface.
Step 5  switchport port-security violation {shutdown | restrict | protect}
        Set the security violation mode for the interface. The default is shutdown. For mode, select one of these keywords:
        • shutdown: The interface is shut down immediately following a security violation.
        • restrict: A security violation sends a trap to the network management station.
        • protect: When the port's secure addresses reach the allowed limit on the port, all packets with unknown addresses are dropped.
Step 6  end
        Return to privileged EXEC mode.
Step 7  show port-security [interface interface-id | address]
        Verify the entry.

DISABLING PORT SECURITY
Step 1  configure terminal
        Enter global configuration mode.
Step 2  interface interface
        Enter interface configuration mode for the port that you want to unsecure.
Step 3  no switchport port-security
        Disable port security.
Step 4  end
        Return to privileged EXEC mode.
Step 5  show port-security [interface interface-id | address]
        Verify the entry.

TABLE OF CONFLICTING FEATURES
                        Port   Port      SPAN    SPAN     Connect   Protected  802.1X
                        Group  Security  Source  Dest.    to        Port       Port
                                         Port    Port     Cluster
Port Group              -      No        Yes     No       Yes       Yes        No
Port Security           No     -         Yes     No       Yes       No         No
SPAN Source Port        Yes    Yes       -       No       Yes       Yes1       Yes
SPAN Destination Port   No     No        No      -        Yes       Yes1       No
Connect to Cluster      Yes    Yes       Yes     Yes      -         Yes        -
Protected Port          Yes    No        Yes1    Yes1     Yes       -          -
802.1X Port             No     No        Yes     No       -         -          -

4 AAA SECURITY SERVICES
Major Concepts
• Local Authentication
• Enhancements to Local Authentication
• Describe the purpose of AAA and the various implementation techniques
• Implement AAA using the local database
• Implement AAA using TACACS+ and RADIUS protocols
• Implement AAA Authorization and Accounting

Lesson Objectives
Upon completion of this lesson, the successful participant will be able to:
1. Describe the importance of AAA as it relates to authentication, authorization, and accounting
2. Configure AAA authentication using a local database
3. Configure AAA using a local database in SDM
4. Troubleshoot AAA using a local database
5. Explain server-based AAA
6. Describe and compare the TACACS+ and RADIUS protocols
7.
Describe the Cisco Secure ACS for Windows software
8. Describe how to configure Cisco Secure ACS for Windows as a TACACS+ server
9. Configure server-based AAA authentication on Cisco routers using the CLI
10. Configure server-based AAA authentication on Cisco routers using SDM
11. Troubleshoot server-based AAA authentication using Cisco Secure ACS
12. Configure server-based AAA authorization using Cisco Secure ACS
13. Configure server-based AAA accounting using Cisco Secure ACS

AAA Access Security
Authentication: Who are you?
Authorization: Which resources is the user allowed to access, and which operations is the user allowed to perform?
Accounting: What did you spend it on?

Authentication – Password-Only
Password-Only Method
R1(config)# line vty 0 4
R1(config-line)# password cisco
R1(config-line)# login

User Access Verification
Password: cisco
Password: cisco1
Password: cisco12
% Bad passwords

• Uses a login and password combination on access lines
• Easiest to implement, but the most insecure method
• Vulnerable to brute-force attacks
• Provides no accountability

Authentication – Local Database
• Creates an individual user account/password on each device
• Provides accountability
• User accounts must be configured locally on each device
• Provides no fallback authentication method

Local Database Method
R1(config)# username Admin secret Str0ng5rPa55w0rd
R1(config)# line vty 0 4
R1(config-line)# login local

User Access Verification
Username: Admin
Password: cisco1
% Login invalid
Username: Admin
Password: cisco12
% Login invalid

Local Versus Remote Access
[Figure: local versus remote access. Labels: LAN 1, LAN 2, LAN 3, R1, R2, Firewall, Internet, Console Port, Administrator, Management LAN, Administration Host, Logging Host]
Local Access: Requires a direct connection to a console port using a computer running terminal emulation software.
Remote Access: Uses Telnet, SSH, HTTP or SNMP connections to the router from
a computer.

Password Security
To increase the security of passwords, use additional configuration parameters:
– Minimum password lengths should be enforced
– Unattended connections should be disabled
– All passwords in the configuration file should be encrypted

R1(config)# service password-encryption
R1(config)# exit
R1# show running-config
line con 0
 exec-timeout 3 30
 password 7 094F471A1A0A
 login
line aux 0
 exec-timeout 3 30
 password 7 094F471A1A0A
 login

Passwords
• An acceptable password length is 10 or more characters
• Complex passwords include a mix of upper- and lowercase letters, numbers, symbols and spaces
• Avoid any password based on repetition, dictionary words, letter or number sequences, usernames, relative or pet names, or biographical information
• Deliberately misspell a password (Security = 5ecur1ty)
• Do not write passwords down and leave them in obvious places
• Change passwords often

Access Port Passwords
Command to restrict access to privileged EXEC mode:
R1(config)# enable secret cisco

Commands to establish a login password on incoming Telnet sessions:
R1(config)# line vty 0 4
R1(config-line)# password cisco
R1(config-line)# login

Commands to establish a login password for dial-up modem connections:
R1(config)# line aux 0
R1(config-line)# password cisco
R1(config-line)# login

Commands to establish a login password on the console line:
R1(config)# line con 0
R1(config-line)# password cisco
R1(config-line)# login

Creating Users
username name secret {[0] password | 5 encrypted-secret}
Parameter         Description
name              This parameter specifies the username.
0                 (Optional) This option indicates that the plaintext password is to be hashed by the router using MD5.
password          This parameter is the plaintext password to be hashed using MD5.
5                 This parameter indicates that the encrypted-secret password was hashed using MD5.
encrypted-secret  This parameter is the MD5 encrypted-secret password that is stored as the encrypted user password.

Enhanced Login Features
Login block-for Command
All login enhancement features are disabled by default. The login block-for command enables configuration of the login enhancement features.
– The login block-for feature monitors login device activity and operates in two modes:
  • Normal mode (watch mode): The router keeps count of the number of failed login attempts within an identified amount of time.
  • Quiet mode (quiet period): If the number of failed logins exceeds the configured threshold, all login attempts made using Telnet, SSH, and HTTP are denied.

System Logging Messages
• To generate log messages for successful/failed logins:
  – login on-failure log
  – login on-success log
• To generate a message when the failure rate is exceeded:
  – security authentication failure rate threshold-rate log
• To verify that the login block-for command is configured and which mode the router is currently in:
  – show login
• To display more information regarding the failed attempts:
  – show login failures

Access Methods
Character mode: A user sends a request to establish an EXEC mode process with the router for administrative purposes.
Packet mode: A user sends a request to establish a connection through the router with a device on the network.

Self-Contained AAA Authentication
[Figure: Remote Client – (1) – (2) – (3) – AAA Router]
Self-Contained AAA
1. The client establishes a connection with the router.
2. The AAA router prompts the user for a username and password.
3. The router authenticates the username and password using the local database, and the user is authorized to access the network based on information in the local database.
Self-Contained AAA (continued)
• Used for small networks
• Stores usernames and passwords locally in the Cisco router

Server-Based AAA Authentication
• Uses an external database server
  – Cisco Secure Access Control Server (ACS) for Windows Server
  – Cisco Secure ACS Solution Engine
  – Cisco Secure ACS Express
• More appropriate if there are multiple routers
[Figure: Remote Client – (1) – (2) – AAA Router – (3) – (4) – Cisco Secure ACS Server]
Server-Based AAA
1. The client establishes a connection with the router.
2. The AAA router prompts the user for a username and password.
3. The router authenticates the username and password using a remote AAA server.
4. The user is authorized to access the network based on information on the remote AAA server.

AAA Authorization
• Typically implemented using an AAA server-based solution
• Uses a set of attributes that describes user access to the network
1. When a user has been authenticated, a session is established with an AAA server.
2. The router requests authorization for the requested service from the AAA server.
3. The AAA server returns a PASS/FAIL for authorization.

AAA Accounting
• Implemented using an AAA server-based solution
• Keeps a detailed log of what an authenticated user does on a device
1. When a user has been authenticated, the AAA accounting process generates a start message to begin the accounting process.
2. When the user finishes, a stop message is recorded, ending the accounting process.

Local AAA Authentication Commands
R1# conf t
R1(config)# username JR-ADMIN secret Str0ngPa55w0rd
R1(config)# username ADMIN secret Str0ng5rPa55w0rd
R1(config)# aaa new-model
R1(config)# aaa authentication login default local-case
R1(config)# aaa local authentication attempts max-fail 10

To authenticate administrator access (character mode access):
1. Add usernames and passwords to the local router database
2. Enable AAA globally
3. Configure AAA parameters on the router
4.
Confirm and troubleshoot the AAA configuration

Additional Commands
aaa authentication enable   Enables AAA for EXEC mode access
aaa authentication ppp      Enables AAA for PPP network access

AAA Authentication Command Elements
router(config)# aaa authentication login {default | list-name} method1 … [method4]

Command                Description
default                Uses the listed authentication methods that follow this keyword as the default list of methods when a user logs in
list-name              Character string used to name the list of authentication methods activated when a user logs in
passwd-expiry          Enables password aging on a local authentication list.
method1 [method2...]   Identifies the list of methods that the authentication algorithm tries in the given sequence. You must enter at least one method; you may enter up to four methods.

Method Type Keywords
Keyword             Description
enable              Uses the enable password for authentication. This keyword cannot be used.
krb5                Uses Kerberos 5 for authentication.
krb5-telnet         Uses the Kerberos 5 Telnet authentication protocol when using Telnet to connect to the router.
line                Uses the line password for authentication.
local               Uses the local username database for authentication.
local-case          Uses case-sensitive local username authentication.
none                Uses no authentication.
cache group-name    Uses a cache server group for authentication.
group radius        Uses the list of all RADIUS servers for authentication.
group tacacs+       Uses the list of all TACACS+ servers for authentication.
group group-name    Uses a subset of RADIUS or TACACS+ servers for authentication as defined by the aaa group server radius or aaa group server tacacs+ command.
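How the router walks a method list such as aaa authentication login default group tacacs+ group radius local-case, as an added model written for this page (not IOS code): a later method is consulted only when the earlier one returns an error because no server in the group answered; a reject (FAIL) from a reachable server ends the attempt, so the local database is a fallback for server outages, not for rejected passwords. It also contrasts local with local-case. The usernames and passwords are the ones used in the page's examples; server reachability is simulated.

```python
class ServerGroup:
    """A 'group tacacs+' or 'group radius' method: ERROR when no server answers,
    otherwise PASS or FAIL from the server's (constructed) user table."""

    def __init__(self, name, users, reachable=True):
        self.name = name
        self.users = users          # constructed username -> password table
        self.reachable = reachable

    def authenticate(self, username, password):
        if not self.reachable:
            return "ERROR"
        return "PASS" if self.users.get(username) == password else "FAIL"


class LocalDatabase:
    """The 'local' (case-insensitive username) or 'local-case' (case-sensitive) method."""

    def __init__(self, users, case_sensitive):
        self.name = "local-case" if case_sensitive else "local"
        self.case_sensitive = case_sensitive
        self.users = users

    def authenticate(self, username, password):
        for name, secret in self.users.items():
            same = name == username if self.case_sensitive else name.lower() == username.lower()
            if same:
                return "PASS" if secret == password else "FAIL"
        return "FAIL"


class EnableMethod:
    """The 'enable' method: the password is checked against the enable secret."""
    name = "enable"

    def __init__(self, enable_secret):
        self.enable_secret = enable_secret

    def authenticate(self, username, password):
        return "PASS" if password == self.enable_secret else "FAIL"


def run_method_list(methods, username, password):
    """Try methods in order; move on only when a method returns ERROR (unavailable).
    A FAIL from a reachable method is final: the login is rejected without fallback."""
    for method in methods:
        result = method.authenticate(username, password)
        if result != "ERROR":
            return result, method.name
    return "ERROR", None     # every method was unavailable: the login is rejected


def scenario(tacacs_up, radius_up):
    """'aaa authentication login default group tacacs+ group radius local-case'
    with the page's example credentials; ADMIN exists only in the local database."""
    tacacs = ServerGroup("group tacacs+", {"JR-ADMIN": "Str0ngPa55w0rd"}, tacacs_up)
    radius = ServerGroup("group radius", {"JR-ADMIN": "Str0ngPa55w0rd"}, radius_up)
    local = LocalDatabase({"ADMIN": "Str0ng5rPa55w0rd", "JR-ADMIN": "Str0ngPa55w0rd"}, True)
    methods = [tacacs, radius, local]
    return {
        "jr_good": run_method_list(methods, "JR-ADMIN", "Str0ngPa55w0rd"),
        "jr_bad": run_method_list(methods, "JR-ADMIN", "wrong"),
        "admin": run_method_list(methods, "ADMIN", "Str0ng5rPa55w0rd"),
        "admin_lower": run_method_list(methods, "admin", "Str0ng5rPa55w0rd"),
    }
```

With both servers reachable, ADMIN is rejected by TACACS+ and never reaches the local database; with both servers down, the same credentials pass through local-case, and the lowercase username fails there.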
Additional Security
router(config)# aaa local authentication attempts max-fail [number-of-unsuccessful-attempts]

R1# show aaa local user lockout
Local-user    Lock time
JR-ADMIN      04:28:49 UTC Sat Dec 27 2008

R1# show aaa sessions
Total sessions since last reload: 4
Session Id: 1
  Unique Id: 175
  User Name: ADMIN
  IP Address: 192.168.1.10
  Idle Time: 0
  CT Call Handle: 0

Sample Configuration
R1# conf t
R1(config)# username JR-ADMIN secret Str0ngPa55w0rd
R1(config)# username ADMIN secret Str0ng5rPa55w0rd
R1(config)# aaa new-model
R1(config)# aaa authentication login default local-case enable
R1(config)# aaa authentication login TELNET-LOGIN local-case
R1(config)# line vty 0 4
R1(config-line)# login authentication TELNET-LOGIN

Verifying AAA Authentication
• AAA is enabled by default in SDM
• To verify or enable/disable AAA, choose Configure > Additional Tasks > AAA

Using SDM
1. Select Configure > Additional Tasks > Router Access > User Accounts/View
2. Click Add
3. Enter username and password
4. Choose 15
5. Check the box and select a view
6. Click OK

Configure Login Authentication
1. Select Configure > Additional Tasks > AAA > Authentication Policies > Login and click Add
2. Verify that Default is selected
3. Click Add
4. Choose local
5. Click OK
6. Click OK

The debug aaa Command
R1# debug aaa ?
  accounting           Accounting
  administrative       Administrative
  api                  AAA api events
  attr                 AAA Attr Manager
  authentication       Authentication
  authorization        Authorization
  cache                Cache activities
  coa                  AAA CoA processing
  db                   AAA DB Manager
  dead-criteria        AAA Dead-Criteria Info
  id                   AAA Unique Id
  ipc                  AAA IPC
  mlist-ref-count      Method list reference counts
  mlist-state          Information about AAA method list state change and notification
  per-user             Per-user attributes
  pod                  AAA POD processing
  protocol             AAA protocol processing
  server-ref-count     Server handle reference counts
  sg-ref-count         Server group handle reference counts
  sg-server-selection  Server Group Server Selection
  subsys               AAA Subsystem
  testing              Info. about AAA generated test packets
R1# debug aaa

Sample Output
R1# debug aaa authentication
113123: Feb 4 10:11:19.305 CST: AAA/MEMORY: create_user (0x619C4940) user='' ruser='' port='tty1' rem_addr='async/81560' authen_type=ASCII service=LOGIN priv=1
113124: Feb 4 10:11:19.305 CST: AAA/AUTHEN/START (2784097690): port='tty1' list='' action=LOGIN service=LOGIN
113125: Feb 4 10:11:19.305 CST: AAA/AUTHEN/START (2784097690): using "default" list
113126: Feb 4 10:11:19.305 CST: AAA/AUTHEN/START (2784097690): Method=LOCAL
113127: Feb 4 10:11:19.305 CST: AAA/AUTHEN (2784097690): status = GETUSER
113128: Feb 4 10:11:26.305 CST: AAA/AUTHEN/CONT (2784097690): continue_login (user='(undef)')
113129: Feb 4 10:11:26.305 CST: AAA/AUTHEN (2784097690): status = GETUSER
113130: Feb 4 10:11:26.305 CST: AAA/AUTHEN/CONT (2784097690): Method=LOCAL
113131: Feb 4 10:11:26.305 CST: AAA/AUTHEN (2784097690): status = GETPASS
113132: Feb 4 10:11:28.145 CST: AAA/AUTHEN/CONT (2784097690): continue_login (user='diallocal')
113133: Feb 4 10:11:28.145 CST: AAA/AUTHEN (2784097690): status = GETPASS
113134: Feb 4 10:11:28.145 CST: AAA/AUTHEN/CONT (2784097690): Method=LOCAL
113135: Feb 4 10:11:28.145 CST: AAA/AUTHEN (2784097690): status = PASS

Local Versus Server-Based Authentication
Local
Authentication
1. The user establishes a connection with the router.
2. The router prompts the user for a username and password, authenticating the user using a local database.

[Figure: Remote User – (1) – (2) – Perimeter Router – (3) – (4) – Cisco Secure ACS for Windows Server]
Server-Based Authentication
1. The user establishes a connection with the router.
2. The router prompts the user for a username and password.
3. The router passes the username and password to the Cisco Secure ACS (server or engine).
4. The Cisco Secure ACS authenticates the user. The user is authorized to access the router (administrative access) or the network based on information found in the Cisco Secure ACS database.

Overview of TACACS+ and RADIUS
TACACS+ or RADIUS protocols are used to communicate between the clients and AAA security servers.
[Figure: Remote User – Perimeter Router – Cisco Secure ACS for Windows Server / Cisco Secure ACS Express]

TACACS+/RADIUS Comparison
Functionality
  TACACS+: Separates AAA according to the AAA architecture, allowing modularity of the security server implementation.
  RADIUS: Combines authentication and authorization but separates accounting, allowing less flexibility in implementation than TACACS+.
Standard
  TACACS+: Mostly Cisco supported
  RADIUS: Open/RFC standard
Transport Protocol
  TACACS+: TCP
  RADIUS: UDP
CHAP
  TACACS+: Bidirectional challenge and response as used in Challenge Handshake Authentication Protocol (CHAP)
  RADIUS: Unidirectional challenge and response from the RADIUS security server to the RADIUS client
Protocol Support
  TACACS+: Multiprotocol support
  RADIUS: No ARA, no NetBEUI
Confidentiality
  TACACS+: Entire packet encrypted
  RADIUS: Password encrypted
Customization
  TACACS+: Provides authorization of router commands on a per-user or per-group basis
  RADIUS: Has no option to authorize router commands on a per-user or per-group basis
Accounting
  TACACS+: Limited
  RADIUS: Extensive

TACACS+ Authentication Process
(Remote user – Router – Cisco Secure ACS)
User -> Router: Connect
Router -> ACS: Username prompt?
ACS -> Router: Use "Username"
Router -> User: Username?
User -> Router: JR-ADMIN
Router -> ACS: JR-ADMIN
Router -> ACS: Password prompt?
Router -> User: Password?
ACS -> Router: Use "Password"
User -> Router: "Str0ngPa55w0rd"
Router -> ACS: "Str0ngPa55w0rd"
ACS -> Router: Accept/Reject
• Provides separate AAA services
• Utilizes TCP port 49

RADIUS Authentication Process
(Remote user – Router – Cisco Secure ACS)
Router -> User: Username?
User -> Router: JR-ADMIN
Router -> User: Password?
User -> Router: Str0ngPa55w0rd
Router -> ACS: Access-Request (JR-ADMIN, "Str0ngPa55w0rd")
ACS -> Router: Access-Accept
• Works in both local and roaming situations
• Uses UDP ports 1645 or 1812 for authentication and UDP ports 1646 or 1813 for accounting

Cisco Secure ACS
Benefits
• Extends access security by combining authentication, user access, and administrator access with policy control
• Allows greater flexibility and mobility, increased security, and user-productivity gains
• Enforces a uniform security policy for all users
• Reduces the administrative and management effort
Advanced Features
• Automatic service monitoring
• Database synchronization and importing tools for large-scale deployments
• Lightweight Directory Access Protocol (LDAP) user authentication support
• User and administrative access reporting
• Restrictions to network access based on criteria
• User and device group profiles

Installation Options
Cisco Secure ACS for Windows can be installed on:
- Windows 2000 Server with Service Pack 4
- Windows 2000 Advanced Server with Service Pack 4
- Windows Server 2003 Standard Edition
- Windows Server 2003 Enterprise Edition
Cisco Secure ACS Solution Engine
- A highly scalable dedicated platform that serves as a high-performance ACS
- 1RU, rack-mountable
- Preinstalled with security-hardened Windows software and the Cisco Secure ACS software
- Support for more than 350 users
Cisco Secure ACS Express 5.0
- Entry-level ACS with a simplified feature set
- Support for up to 50 AAA devices and up to 350 unique user ID logins in a 24-hour period

Deploying ACS
Consider Third-Party Software Requirements
Verify Network and Port Prerequisites
• AAA clients must run Cisco IOS Release 11.2 or later.
• Cisco devices that are not Cisco IOS AAA clients must be configured with TACACS+, RADIUS, or both.
• Dial-in, VPN, or wireless clients must be able to connect to AAA clients.
• The computer running ACS must be able to reach all AAA clients using ping.
• Gateway devices must permit communication over the ports that are needed to support the applicable feature or protocol.
• A supported web browser must be installed on the computer running ACS.
• All NICs in the computer running Cisco Secure ACS must be enabled.
Configure Secure ACS via the HTML interface

Cisco Secure ACS Homepage
[Figure: ACS home page; callouts: add, delete and modify settings for AAA clients (routers); set menu display options for TACACS and RADIUS; configure database settings]

Network Configuration
1. Click Network Configuration on the navigation bar
2. Click Add Entry
3. Enter the hostname
4. Enter the IP address
5. Enter the secret key
6. Choose the appropriate protocols
7. Make any other necessary selections and click Submit and Apply

Interface Configuration
The selection made in the Interface Configuration window controls the display of options in the user interface.

External User Database
1. Click the External User Databases button on the navigation bar
2. Click Database Configuration
3. Click Windows Database
Windows User Database Configuration
4. Click Configure
5. Configure options

Configuring the Unknown User Policy
1. Click External User Databases on the navigation bar
2. Click Unknown User Policy
3. Place a check in the box
4. Choose the database from the list and click the right arrow to move it to the Selected list
5. Arrange the databases to reflect the order in which each will be checked
6.
Click Submit

Group Setup
Database group mappings: Control authorizations for users authenticated by the Windows server in one group and those authenticated by the LDAP server in another.
1. Click Group Setup on the navigation bar
2. Choose the group to edit and click Edit Settings
3. Click Permit in the Unmatched Cisco IOS commands option
4. Check the Command check box and select an argument
5. For the Unlisted Arguments option, click Permit

User Setup
1. Click User Setup on the navigation bar
2. Enter a username and click Add/Edit
3. Enter the data to define the user account
4. Click Submit

Configuring Server-Based AAA Authentication
1. Globally enable AAA to allow the use of all AAA elements (a prerequisite)
2. Specify the Cisco Secure ACS that will provide AAA services for the network access server
3. Configure the encryption key that will be used to encrypt the data transfer between the network access server and the Cisco Secure ACS
4. Configure the AAA authentication method list

AAA authentication Command
R1(config)# aaa authentication type {default | list-name} method1 … [method4]

R1(config)# aaa authentication login default ?
  enable         Use enable password for authentication.
  group          Use Server-group
  krb5           Use Kerberos 5 authentication.
  krb5-telnet    Allow logins only if already authenticated via Kerberos V Telnet.
  line           Use line password for authentication.
  local          Use local username authentication.
  local-case     Use case-sensitive local username authentication.
  none           NO authentication.
  passwd-expiry  enable the login list to provide password aging support
R1(config)# aaa authentication login default group ?
  WORD     Server-group name
  radius   Use list of all Radius hosts.
  tacacs+  Use list of all Tacacs+ hosts.
R1(config)# aaa authentication login default group

Sample Configuration
• Multiple RADIUS servers can be identified by entering a radius-server command for each
• For TACACS+, the single-connection keyword maintains a single TCP connection for the life of the session
TACACS+ or RADIUS protocols are used to communicate between the clients and AAA security servers.
[Figure: R1 – Cisco Secure ACS for Windows using RADIUS (192.168.1.100) – Cisco Secure ACS Solution Engine using TACACS+ (192.168.1.101)]
R1(config)# aaa new-model
R1(config)# radius-server host 192.168.1.100
R1(config)# radius-server key RADIUS-Pa55w0rd
R1(config)# tacacs-server host 192.168.1.101 single-connection
R1(config)# tacacs-server key TACACS+Pa55w0rd
R1(config)# aaa authentication login default group tacacs+ group radius local-case

Add TACACS Support
1. Choose Configure > Additional Tasks > AAA > AAA Servers and Groups > AAA Servers
2. Click Add
3. Choose TACACS+
4. Enter the IP address (or hostname) of the AAA server (192.168.1.101)
5. Check the Single Connection check box to maintain a single connection
6. Check Configure Key to encrypt traffic
7. Click OK

Create AAA Login Method
1. Choose Configure > Additional Tasks > AAA > Authentication Policies > Login
2. Click Add
3. Choose User Defined
4. Enter the name
5. Click Add
6. Choose group tacacs+ from the list
7. Click OK
8. Click Add to add a backup method
9. Choose enable from the list
10. Click OK twice

Apply Authentication Policy
1. Choose Configure > Additional Tasks > Router Access > VTY
2. Click Edit
3.
Choose the authentication policy to apply

Sample Commands
R1# debug aaa authentication
AAA Authentication debugging is on
R1#
14:01:17: AAA/AUTHEN (567936829): Method=TACACS+
14:01:17: TAC+: send AUTHEN/CONT packet
14:01:17: TAC+ (567936829): received authen response status = PASS
14:01:17: AAA/AUTHEN (567936829): status = PASS
• The debug aaa authentication command provides a view of login activity
• For successful TACACS+ login attempts, a status message of PASS results

Sample Commands
R1# debug radius ?
  accounting      RADIUS accounting packets only
  authentication  RADIUS authentication packets only
  brief           Only I/O transactions are recorded
  elog            RADIUS event logging
  failover        Packets sent upon fail-over
  local-server    Local RADIUS server
  retransmit      Retransmission of packets
  verbose         Include non essential RADIUS debugs
  <cr>
R1# debug radius
R1# debug tacacs ?
  accounting      TACACS+ protocol accounting
  authentication  TACACS+ protocol authentication
  authorization   TACACS+ protocol authorization
  events          TACACS+ protocol events
  packet          TACACS+ packets
  <cr>

AAA Authorization Overview
(Remote user – Router – Cisco Secure ACS)
User -> Router: show version
Router -> ACS: Command authorization for user JR-ADMIN, command "show version"?
ACS -> Router: Accept
Router -> User: Display "show version" output
User -> Router: configure terminal
Router -> ACS: Command authorization for user JR-ADMIN, command "config terminal"?
ACS -> Router: Reject
Router -> User: Do not permit "configure terminal"
• The TACACS+ protocol allows the separation of authentication from authorization.
• Can be configured to restrict the user to performing only certain functions after successful authentication.
• Authorization can be configured for:
  – character mode (exec authorization)
  – packet mode (network authorization)
• RADIUS does not separate the authentication from the authorization process

AAA Authorization Commands
R1# conf t
R1(config)# username JR-ADMIN secret Str0ngPa55w0rd
R1(config)# username ADMIN secret Str0ng5rPa55w0rd
R1(config)# aaa new-model
R1(config)# aaa authentication login default group tacacs+
R1(config)# aaa authentication login TELNET-LOGIN local-case
R1(config)# aaa authorization exec default group tacacs+
R1(config)# aaa authorization network default group tacacs+
R1(config)# line vty 0 4
R1(config-line)# login authentication TELNET-LOGIN
R1(config-line)# ^Z
• To configure command authorization, use:
  aaa authorization service-type {default | list-name} method1 [method2] [method3] [method4]
• Service types of interest include:
  – commands level   For exec (shell) commands
  – exec             For starting an exec (shell)
  – network          For network services (PPP, SLIP, ARAP)

Using SDM to Configure Authorization
Character Mode
1. Choose Configure > Additional Tasks > AAA > Authorization Policies > Exec
2. Click Add
3. Choose Default
4. Click Add
5. Choose group tacacs+ from the list
6. Click OK
7. Click OK to return to the Exec Authorization window

1. Choose Configure > Additional Tasks > AAA > Authorization Policies > Network
2. Click Add
3. Choose Default
4. Click Add
5. Choose group tacacs+ from the list
7. Click OK to return to the Exec Authorization pane
6.
Click OK

AAA Accounting Overview
Provides the ability to track usage, such as dial-in access; the ability to log the data gathered to a database; and the ability to produce reports on the data gathered.
To configure AAA accounting using named method lists:
aaa accounting {system | network | exec | connection | commands level} {default | list-name} {start-stop | wait-start | stop-only | none} [method1 [method2]]
Supports six different types of accounting: network, connection, exec, system, commands level, and resource.

AAA Accounting Commands
R1# conf t
R1(config)# username JR-ADMIN secret Str0ngPa55w0rd
R1(config)# username ADMIN secret Str0ng5rPa55w0rd
R1(config)# aaa new-model
R1(config)# aaa authentication login default group tacacs+
R1(config)# aaa authentication login TELNET-LOGIN local-case
R1(config)# aaa authorization exec default group tacacs+
R1(config)# aaa authorization network default group tacacs+
R1(config)# aaa accounting exec default start-stop group tacacs+
R1(config)# aaa accounting network default start-stop group tacacs+
R1(config)# line vty 0 4
R1(config-line)# login authentication TELNET-LOGIN
R1(config-line)# ^Z
• aaa accounting exec default start-stop group tacacs+
  Defines an AAA accounting policy that uses TACACS+ for logging both start and stop records for user EXEC terminal sessions.
• aaa accounting network default start-stop group tacacs+
  Defines an AAA accounting policy that uses TACACS+ for logging both start and stop records for all network-related service requests.

CHAPTER 16 BACKUP, RESTORE, UPGRADE
1 BACKUP, RESTORE
Back Up and Restore Configuration Files
Requirements
Before you use the information in this document, make sure that you meet these requirements:
• Access to a Trivial File Transfer Protocol (TFTP) or File Transfer Protocol (FTP) server.
• Connectivity: Routers must be able to access the FTP or TFTP server.
  Use the ping command to verify connectivity.

Make a Backup of the Configuration
• Use a TFTP Server to Back Up and Restore a Configuration
• Use an FTP Server to Back Up and Restore a Configuration
• Use a Terminal Emulation Program to Back Up and Restore a Configuration
• Verify

2 UPGRADING THE CISCO IOS SOFTWARE
Why Would I Upgrade the System Image?
At some point, you may want to load a different image onto the router or the access point. For example, you may want to upgrade your IOS software to the latest release, or you may want to use the same Cisco IOS release for all the routers in a network. Each system image contains a different set of Cisco IOS features; therefore, select an appropriate system image to suit your network requirements.

How to Upgrade the Cisco IOS Image
This section provides information about upgrading the Cisco IOS image on the router.
• Saving Backup Copies of Your Old System Image and Configuration
• Ensuring Adequate DRAM for the New System Image
• Ensuring Adequate Flash Memory for the New System Image
• Copying the System Image into Flash Memory
• Loading the New System Image
• Saving Backup Copies of Your New System Image and Configuration, pag