Introducing Routing
© 2004 Cisco Systems, Inc. All rights reserved.
ICND v2.2—3-2
What Is Routing?
To route, a router needs to do the following:
• Discover the connected networks.
• Select the best paths (routes) to these networks.
• Maintain and verify routing information using a routing table.
Routers additionally provide:
- Network traffic filtering (access lists)
- Quality of Service (QoS)
Routing table
• The routing table contains the best paths discovered by a "routing protocol".
Routing Protocols
• Static route: a route (path) that a network administrator enters into the router manually.
• Dynamic route: a route (path) that a routing protocol discovers automatically and adjusts when the topology changes.
Routing Protocols
- Static: directly connected, static route, default route
- Dynamic:
  - IGP (within an autonomous system):
    - Distance vector (RIPv1, IGRP)
    - Link state (OSPF, IS-IS)
    - Hybrid (EIGRP, RIPv2)
  - EGP (between autonomous systems): EGP, BGP
Autonomous Systems: Interior or Exterior Routing Protocols
An autonomous system (AS) is a network under one administration. An Interior Gateway Protocol (IGP) exchanges routes within an AS; an Exterior Gateway Protocol (EGP) exchanges routes between autonomous systems.
Routing table creation
The routing table contains only the decisions of the best routing source and the best paths to reach each network:
- The best routing source for a prefix is chosen by administrative distance.
- The best paths within that source are chosen by its metric.
Administrative Distance
A value between 0 and 255 that reflects the trustworthiness of a routing source; the most trusted source has the lowest administrative distance, and only its routes are installed when several sources offer the same prefix. Values used in this deck:
  Connected        0
  Static           1
  EIGRP internal  90
  OSPF           110
  RIP (v1, v2)   120
  EIGRP external 170
Selecting the Best Route with Metrics
- The best path has the lowest metric.
- Each routing protocol uses its own metric type (hop count, bandwidth, delay, load, reliability, MTU), so metrics are only comparable within one protocol.
Static routing protocol
1- Directly connected networks:
- Directly connected networks are detected automatically by the router when the interface comes up, without configuration.
- Symbol in the routing table is "C".
- Administrative distance = 0.
(figure: three routers in a row joining 10.0.0.0, 11.0.0.0, 12.0.0.0 and 13.0.0.0; each router's table holds only its own connected networks: C 10.0.0.0 / C 11.0.0.0, then C 11.0.0.0 / C 12.0.0.0, then C 12.0.0.0 / C 13.0.0.0)
Static routing protocol
2- Static route:
- You define manually a path to reach a certain network.
- Symbol in the routing table is "S".
- Administrative distance = 1.
(figure: a router whose Serial0 (12.0.0.1/8) connects to 12.0.0.2/8 toward the Internet, with network 192.168.1.0/24 reachable across that link; the static route to 192.168.1.0 is written either with the next-hop address 12.0.0.2 or with the exit interface S0)
Static routing protocol
3- Default route:
- A route for 0.0.0.0/0 that lets a stub network reach every network beyond router A, including ones not listed explicitly in the routing table (the gateway of last resort).
- Symbol in the routing table is "S*" (a static route flagged as candidate default).
(figure: stub LAN 192.168.1.0/24 behind a router whose S0 link (12.0.0.2/8 to router A's 12.0.0.1/8) leads to the Internet; the default route points at 12.0.0.1 or out S0)
Displaying the routing table
router# show ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, * - candidate default
       U - per-user static route
Gateway of last resort is 0.0.0.0 to network 0.0.0.0
C    12.0.0.0 is directly connected, Serial0
S*   0.0.0.0/0 is directly connected, Serial0
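The two selection rules from the preceding slides (administrative distance first, metric second) and the longest-prefix lookup that a forwarding decision then makes, as an added example that is not part of the original slides. The AD values are the ones the deck lists; the candidate routes, addresses and interface names are constructed sample data.

```python
"""Added example (not part of the original slides): how a router builds its
routing table from candidate routes and then forwards on it. Two steps from
the slides: (1) per prefix keep only the source with the lowest administrative
distance and, within it, the lowest-metric path(s); (2) per packet pick the
longest matching prefix, falling back to 0.0.0.0/0 (gateway of last resort).
AD values are the ones the deck lists; the candidate routes are constructed."""
import ipaddress
from dataclasses import dataclass

AD = {"C": 0, "S": 1, "D": 90, "O": 110, "R": 120, "EX": 170}  # per the deck


@dataclass(frozen=True)
class Candidate:
    code: str       # routing-table symbol: C connected, S static, O OSPF, R RIP, D EIGRP
    prefix: str     # e.g. "10.0.0.0/8"
    metric: int     # protocol-specific; only comparable within one protocol
    next_hop: str   # next-hop address or exit interface


def build_routing_table(candidates):
    """Return {IPv4Network: [Candidate, ...]} keeping, for each prefix, only the
    lowest-AD source and, within that source, all equal-lowest-metric paths."""
    by_prefix = {}
    for c in candidates:
        by_prefix.setdefault(ipaddress.ip_network(c.prefix), []).append(c)
    table = {}
    for net, cands in by_prefix.items():
        best_ad = min(AD[c.code] for c in cands)
        same_source = [c for c in cands if AD[c.code] == best_ad]
        best_metric = min(c.metric for c in same_source)
        table[net] = [c for c in same_source if c.metric == best_metric]
    return table


def lookup(table, dst):
    """Longest-prefix match. Returns the list of equal-cost routes, or None when
    nothing matches (no default route: the packet is dropped)."""
    addr = ipaddress.ip_address(dst)
    matches = [net for net in table if addr in net]
    if not matches:
        return None
    return table[max(matches, key=lambda n: n.prefixlen)]


# Constructed candidates: the same prefix learned from several sources.
SAMPLE = [
    Candidate("C", "12.0.0.0/8", 0, "Serial0"),
    Candidate("R", "12.0.0.0/8", 1, "12.0.0.2"),       # loses: AD 120 > 0
    Candidate("O", "192.168.1.0/24", 20, "12.0.0.2"),
    Candidate("R", "192.168.1.0/24", 1, "12.0.0.2"),   # lower metric is irrelevant across protocols
    Candidate("D", "192.168.1.128/25", 30720, "13.0.0.2"),
    Candidate("O", "10.0.0.0/8", 64, "12.0.0.2"),
    Candidate("O", "10.0.0.0/8", 64, "13.0.0.2"),      # equal cost: both installed
    Candidate("O", "10.0.0.0/8", 128, "14.0.0.2"),     # worse cost: dropped
    Candidate("S", "0.0.0.0/0", 0, "Serial0"),         # candidate default, shows as S*
]


def forward(dst, candidates=SAMPLE):
    """Codes and next hops of the route(s) a packet to `dst` would use."""
    routes = lookup(build_routing_table(candidates), dst)
    return None if routes is None else sorted((r.code, r.next_hop) for r in routes)
```

Note that 192.168.1.200 is sent to the EIGRP /25 even though OSPF's /24 has a lower AD: administrative distance only decides between sources offering the same prefix, while forwarding always prefers the more specific prefix.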
Dynamic routing protocols
Distance Vector Routing Protocols:
- Each router detects its directly connected networks and forms its initial routing table.
- Routers pass periodic copies of their routing table to neighbor routers, learn the best path to every network (the path with the lowest metric) and form the final routing table (convergence).
- After convergence, the periodic updates (full routing table) continue; any change in the topology is carried in them.
(figure: three routers in a row; before the exchange each knows only its connected networks (10.0.0.0, 11.0.0.0 / 11.0.0.0, 12.0.0.0 / 12.0.0.0, 13.0.0.0); after convergence each lists all four networks)
Routing loops
- When network 10.0.0.0 fails, router A marks its metric as 16 (the maximum hop count, used to avoid counting to infinity) and sends its routing table to B after the periodic interval.
- Before B sends its periodic update to C, router C sends its routing table to B still containing a path to 10.0.0.0 with a better metric, so B believes 10.0.0.0 can be reached through C while C depends on B for that route: a loop occurs.
(figure: A's E0 to 10.0.0.0 is down, metric 16; C still advertises 10.0.0.0 with metric 2 over its S0, so B installs it with metric 3 toward C)
Routing loops solutions
- Split horizon:
a route learned on an interface is never advertised back out that same interface.
(figure: C learned 10.0.0.0 from B over S0, so it does not advertise it back to B; B keeps A's metric 16 instead of installing C's metric 2)
Routing loops solutions
- Hold-down timers:
- A router that is informed of a failed route accepts no update about that route for a period equal to the hold-down timer, so by the time the timer ends all routers know the route has failed (useful with flapping links).
- The hold-down ends when:
  – the hold-down timer expires, or
  – another update is received with a better metric.
Routing loops solutions
- Triggered updates:
instead of waiting for the periodic interval, a router sends an update as soon as a route fails or any change occurs, so the other routers modify their routing tables immediately (this is the most widely used solution; RIP combines it with split horizon and hold-down).
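The routing-loop scenario and the split-horizon fix from the slides above, replayed by a small distance-vector simulator. This is an added example, not part of the original slides: the topology (A, B, C in a row with 10.0.0.0 attached to A) is constructed, the update rules are the standard ones (an update from the current next hop is always believed, an update from anyone else only if it is better), and the rounds are synchronous periodic updates.

```python
"""Added example (not part of the original slides): a distance-vector simulator
showing the count-to-infinity loop from the routing-loops slide and how split
horizon stops it. Topology is constructed: A - B - C in a row, with network
10.0.0.0 attached to A. Metric is hop count; 16 means unreachable."""

INFINITY = 16                     # RIP's "unreachable" hop count
NEIGHBORS = {"A": ["B"], "B": ["A", "C"], "C": ["B"]}   # constructed: A - B - C


def converged_tables():
    """Entry for 10.0.0.0 on each router after normal convergence: (metric, next hop)."""
    return {"A": (0, "connected"), "B": (1, "A"), "C": (2, "B")}


def simulate(split_horizon, max_rounds=40):
    """Fail 10.0.0.0 at A, then run synchronous periodic-update rounds until every
    router shows it unreachable. Returns (rounds_needed, history) where history is
    a list of per-round snapshots {router: (metric, next_hop)}; rounds_needed is
    None if max_rounds was not enough."""
    tables = converged_tables()
    tables["A"] = (INFINITY, "connected")     # A's interface to 10.0.0.0 went down
    history = []
    for rnd in range(1, max_rounds + 1):
        adverts = []                          # (receiver, sender, advertised metric)
        for router, nbrs in NEIGHBORS.items():
            metric, next_hop = tables[router]
            for nbr in nbrs:
                if split_horizon and next_hop == nbr:
                    continue                  # never advertise a route back to where it came from
                adverts.append((nbr, router, metric))
        # Deliver the updates; a fixed order (receiver, sender) keeps the run deterministic.
        for receiver, sender, metric in sorted(adverts):
            cur_metric, cur_next_hop = tables[receiver]
            new_metric = min(metric + 1, INFINITY)
            if sender == cur_next_hop:
                tables[receiver] = (new_metric, cur_next_hop)   # current next hop: always believed, even if worse
            elif new_metric < cur_metric:
                tables[receiver] = (new_metric, sender)         # someone else offers a better path
        history.append(dict(tables))
        if all(m == INFINITY for m, _ in tables.values()):
            return rnd, history
    return None, history
```

Without split horizon, B installs C's stale route in the very first round and the three routers then count up in steps until all of them hit 16, which takes 15 update intervals (7.5 minutes at RIP's 30 s). With split horizon the stale advertisement is never sent and the failure is known everywhere after two intervals; triggered updates shrink those intervals to near zero but do not change the number of exchanges.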
Properties of Distance Vector Routing Protocols
- Simple configuration.
- Low processing and memory usage.
- Bandwidth is wasted by the periodic updates.
- Unreliable: no acknowledgement of protocol messages.
- Updates are broadcast on all active interfaces, so hosts on those segments receive them too.
- Classful: the subnet mask is not included with the route advertisement, so routes are summarized at the classful boundary.
- Examples of distance vector protocols:
  • RIP version 1 (RIPv1)
  • IGRP
RIP v1
- Distance vector routing protocol.
- Symbol in the routing table is "R".
- Administrative distance = 120.
- Metric is hop count; a metric of 16 means unreachable.
- Full routing tables are exchanged until convergence occurs (Bellman-Ford algorithm).
- After convergence, periodic updates are sent every 30 seconds.
- On a change, a triggered update is sent.
- Supports load balancing when several paths to the same network exist with an equal metric.
- Classful.
RIP Configuration
Router(config)# router rip
- Starts the RIP routing process.
Router(config-router)# network <directly connected classful network>
- Advertises that connected network and enables RIP on the interfaces belonging to it.
RIP Configuration Example (figure)
Verifying the RIP Configuration (figure)
Displaying the IP Routing Table (figure)
Link-State Routing Protocols
(figure: routers A, B, C and D interconnected by the /8 links 10.0.0.0 through 15.0.0.0)
- Operation:
- Each router discovers its directly connected neighbors using the "hello protocol" (a layer-3 protocol).
- Each router forms a packet called a link-state advertisement (LSA) listing its links (for router C in the figure: 10.0.0.1/8, 11.0.0.1/8, 12.0.0.1/8) with their state and cost.
Link-State Routing Protocols
- Each router floods its LSA to all neighbors on a special multicast address; the neighbors continue flooding the LSAs to each other.
- Each router forms the link-state database (LSDB) from the received LSAs, so all routers hold the same LSDB.
(figure: the four routers A, B, C, D with their interface addresses 10.0.0.1/8 through 15.0.0.1/8 and the identical LSDB on each)
Link-State Routing Protocols
- Every router runs Dijkstra's algorithm on the LSDB to build the shortest-path tree (SPF tree) rooted at itself, which describes the actual network topology, and derives its routing table from that tree.
- After convergence: no periodic updates.
- At change: a partial triggered update describing only the affected link is flooded, and all routers repeat the link-state process.
Link-State Routing Protocols (figure)
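The link-state process from the slides above written out end to end: an LSDB built from LSAs, the flooding rule that uses the LSA sequence number to drop stale copies, and Dijkstra run over the LSDB to produce the routing table, with interface costs computed by the OSPF formula the deck gives later (10^8 / bandwidth). This is an added example, not code from the original slides; the four-router topology, bandwidths and the stub LAN 192.168.1.0/24 are constructed.

```python
"""Added example (not part of the original slides): LSDB construction, the
sequence-number flooding rule, and Dijkstra (SPF) over the LSDB. Costs use the
deck's OSPF formula 10^8 / bandwidth. The topology below is constructed."""
import heapq


def ospf_cost(bandwidth_bps):
    """OSPF interface cost as the deck states it: 10^8 / bandwidth, minimum 1."""
    return max(1, 10**8 // bandwidth_bps)


# Constructed topology: (router, neighbour, link network, bandwidth in bit/s)
LINKS = [
    ("A", "B", "10.0.0.0/8", 100_000_000),   # FastEthernet, cost 1
    ("A", "C", "11.0.0.0/8", 1_544_000),     # T1, cost 64
    ("B", "D", "12.0.0.0/8", 10_000_000),    # Ethernet, cost 10
    ("C", "D", "13.0.0.0/8", 100_000_000),   # FastEthernet, cost 1
    ("B", "C", "14.0.0.0/8", 64_000),        # 64 kbit/s serial, cost 1562
]
STUBS = [("D", "192.168.1.0/24", 100_000_000)]   # a LAN with no other router on it


def build_lsdb(links=LINKS, stubs=STUBS):
    """One LSA per router: its links as (neighbour or None, network, cost).
    'seq' is what flooding uses to tell a newer LSA from a stale copy."""
    lsdb = {}

    def lsa(router):
        return lsdb.setdefault(router, {"router": router, "seq": 1, "links": []})

    for a, b, net, bw in links:
        lsa(a)["links"].append((b, net, ospf_cost(bw)))
        lsa(b)["links"].append((a, net, ospf_cost(bw)))
    for r, net, bw in stubs:
        lsa(r)["links"].append((None, net, ospf_cost(bw)))
    return lsdb


def install_lsa(lsdb, lsa):
    """Flooding rule: accept (and re-flood) an LSA only if it is newer than the
    copy already held. A duplicate or older copy is acknowledged but not
    re-flooded, which is what keeps flooding from circulating forever."""
    have = lsdb.get(lsa["router"])
    if have is not None and have["seq"] >= lsa["seq"]:
        return False
    lsdb[lsa["router"]] = lsa
    return True


def spf(lsdb, root):
    """Dijkstra over the LSDB. Returns {router: (cost, first_hop_router)}."""
    dist = {root: (0, None)}
    heap = [(0, root, None)]
    while heap:
        d, r, first = heapq.heappop(heap)
        if d > dist[r][0]:
            continue                                   # stale heap entry
        for nbr, _net, cost in lsdb[r]["links"]:
            if nbr is None or nbr not in lsdb:
                continue                               # stub link, or LSA not received yet
            nd = d + cost
            if nbr not in dist or nd < dist[nbr][0]:
                dist[nbr] = (nd, first or nbr)         # first hop is inherited along the tree
                heapq.heappush(heap, (nd, nbr, first or nbr))
    return dist


def routing_table(lsdb, root):
    """Cost to each network = cost to an attached router + that router's
    interface cost; lowest wins. The root's own networks show as connected."""
    dist = spf(lsdb, root)
    table = {}
    for r, (d, first) in dist.items():
        for _nbr, net, cost in lsdb[r]["links"]:
            total = d + cost
            via = "connected" if r == root else first
            if net not in table or total < table[net][0]:
                table[net] = (total, via)
    return table
```

From A's point of view the direct T1 to C (cost 64) loses to the two-hop FastEthernet/Ethernet path through B (cost 11 to D, 12 to anything behind D), which is exactly the kind of decision hop-count protocols get wrong.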
Benefits of Link-State Routing
– Fast convergence: changes are reported immediately by the router that detects them (partial triggered updates).
– Robustness against routing loops:
  • routers know the whole topology;
  • link-state packets are sequenced and acknowledged (reliable protocol).
– Lower bandwidth waste: no periodic updates.
– Classless.
Disadvantages of Link-State Routing
– Significant demands on resources:
  • memory (three tables: adjacency, topology, forwarding);
  • CPU (Dijkstra's algorithm can be intensive, especially when many instabilities are present).
– Complex configuration.
– Requires a strict hierarchical network design (multiple areas).
OSPF
• Open standard
• Shortest path first (SPF) algorithm
• Link-state routing protocol
• Uses Dijkstra's algorithm
• Administrative distance = 110
• Metric called cost = 10^8 / bandwidth (in bit/s)
• Hop count is unlimited
• Symbol in the routing table is O
• Loop-free protocol
• Classless routing protocol
OSPF (Cont.)
• Discovers neighbors and maintains neighbor relationships using the hello protocol.
• Sends a hello every 10 seconds on point-to-point and broadcast multi-access networks to multicast address 224.0.0.5; the packets reach directly connected neighbors only.
• Dead interval = 4 × hello interval (40 s).
• Sends LSAs (updates) to multicast address 224.0.0.5 (all OSPF routers) and 224.0.0.6 (DR and BDR routers).
• Every OSPF router that receives an LSA updates its link-state database (LSDB) with a copy, floods it to all OSPF neighbors except the one it came from, then runs Dijkstra's SPF algorithm on the new LSDB to rebuild the topology tree and form the routing table.
OSPF (Cont.)
• After convergence:
no periodic updates are sent, except a refresh of each LSA every 30 minutes.
• At change:
OSPF sends a triggered update for the affected link and the OSPF process is repeated.
• OSPF tables:
1- Neighbor table: neighbor router IDs, maintained by hellos.
2- Topology table: all paths to all networks (the LSDB).
3- Routing table: best paths to all networks.
OSPF Hierarchical Routing
• OSPF supports a hierarchical multiple-area design.
• Multiple areas minimize routing update traffic, limit the frequent SPF calculations to the area where a change occurs, and make the design scalable.
• Area 0 is the backbone area and all other areas must connect to area 0.
Router ID
• Every router in an OSPF domain is identified by a router ID (RID).
• The RID is a 32-bit value, selected as:
1- the highest IP address of a loopback interface, if one exists (a logical interface that is always up). To configure a loopback interface:
   Router(config)# interface loopback <number>
   Router(config-if)# ip address <ip> <mask>   (typically a /32 host mask, 255.255.255.255)
2- if there are no loopback interfaces, the highest IP address of the active physical interfaces when the OSPF process starts.
OSPF operation
1- In a point-to-point topology:
- Neighbor discovery:
  by sending hello messages periodically to multicast 224.0.0.5.
- For OSPF routers to become neighbors they must have:
  - the same area ID,
  - the same hello and dead intervals,
  - the same subnet mask on the link,
  - the same authentication type and password.
- Route discovery:
  exchange LSAs on 224.0.0.5 so that each router has the same LSDB.
- Route selection:
  form the routing table.
OSPF operation
2- Broadcast Multi-Access (BMA) operation:
- Neighbor discovery: as in point-to-point.
- DR & BDR election:
- DR: the Designated Router is the router with
  1- the highest priority (range 0–255, default = 1);
  2- if priorities are equal, the highest RID.
- BDR: the Backup DR is the router with the second highest priority or RID.
- The routers that are neither DR nor BDR are called DROthers.
Note:
- If a new router with a higher priority is added, it does not become DR right away (the election is non-preemptive).
- A router with priority 0 can never be DR or BDR.
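The router-ID choice, the neighbor-compatibility check from the point-to-point slide, and the DR/BDR election with its non-preemptive behaviour, written out as plain functions. This is an added example, not code from the original slides; the routers, addresses and priorities are constructed, and the hello parameters compared are the ones the slides list (area, timers, mask, authentication).

```python
"""Added example (not part of the original slides): OSPF router-ID selection,
the neighbour-compatibility check, and the DR/BDR election on a broadcast
multi-access segment. All routers, addresses and priorities are constructed."""
import ipaddress


def router_id(loopback_addrs, physical_up_addrs):
    """Highest loopback address wins; with no loopback, the highest address of an
    active physical interface. Addresses compare numerically, not as strings."""
    pool = loopback_addrs or physical_up_addrs
    if not pool:
        raise ValueError("no usable interface address for the router ID")
    return str(max(ipaddress.ip_address(a) for a in pool))


NEIGHBOR_PARAMS = ("area", "hello", "dead", "mask", "auth")


def neighbor_mismatches(local, remote):
    """Return the hello parameters that differ; an empty list means the two can
    become neighbours. A dead-interval mismatch is what 'hello with invalid
    timers' in debug ip ospf events reports."""
    return [k for k in NEIGHBOR_PARAMS if local[k] != remote[k]]


def elect_dr_bdr(routers):
    """routers: list of {'rid': str, 'priority': int}. Highest priority wins,
    ties go to the highest RID, priority 0 never takes part. Returns (dr, bdr),
    either None if no eligible router remains. This is the initial election on
    a segment; join_segment() models the non-preemptive behaviour afterwards."""
    ranked = sorted((r for r in routers if r["priority"] > 0),
                    key=lambda r: (r["priority"], int(ipaddress.ip_address(r["rid"]))),
                    reverse=True)
    dr = ranked[0]["rid"] if ranked else None
    bdr = ranked[1]["rid"] if len(ranked) > 1 else None
    return dr, bdr


def join_segment(dr, bdr, newcomer):
    """A router joining a segment that already has a DR/BDR does not displace
    them however high its priority; it only fills a vacant role (if eligible)."""
    if newcomer["priority"] == 0:
        return dr, bdr
    if dr is None:
        return newcomer["rid"], bdr
    if bdr is None:
        return dr, newcomer["rid"]
    return dr, bdr


# Constructed segment: four routers on one broadcast network.
SEGMENT = [
    {"rid": "1.1.1.1", "priority": 1},
    {"rid": "2.2.2.2", "priority": 1},
    {"rid": "3.3.3.3", "priority": 0},     # never DR/BDR
    {"rid": "10.0.0.9", "priority": 1},
]
```

The numeric comparison in router_id() matters: compared as strings, "9.9.9.9" would beat "192.168.10.1". Because the election is non-preemptive, the DR on a segment is whichever eligible router was up first unless priorities are set deliberately; an unmanaged device attached to the segment with OSPF enabled can end up holding the role.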
OSPF operation in BMA (cont.)
- Route discovery:
  form an adjacency with the DR and BDR on 224.0.0.6.
  (figure: a new router sends a Hello to 224.0.0.5; the DR answers with a unicast Hello and the two exchange their routing information with unicast updates, each acknowledged; the DR then floods the update to 224.0.0.5 for the other routers, while DROthers send their updates only to 224.0.0.6)
- Route selection:
  - The router forms a topology table (LSDB) from all the link-state updates it receives.
  - It then applies Dijkstra's algorithm to the tree to extract the routing table.
OSPF operation in BMA (cont.)
- At change:
  (figure: the router that detects the change sends an update to the DR/BDR on 224.0.0.6 and receives an Ack; the DR floods the update to the other routers on 224.0.0.5, and they acknowledge it)
- The other routers repeat the OSPF process (rebuild the SPF tree).
Configuring Single-Area OSPF
Router(config)# router ospf <process-id>
• Defines OSPF as the IP routing protocol (the process ID is local to the router and need not match between routers)
Router(config-router)# network <network> <wildcard-mask> area <area-id>
• Assigns the interfaces whose addresses match network/wildcard to the given OSPF area
OSPF Configuration Example (figure: network statements of the form "network <address> 0.0.0.255 area 0")
Verifying the OSPF Configuration
Router# show ip protocols
• Verifies that OSPF is configured
Router# show ip route
• Displays all the routes learned by the router
Router# show ip ospf interface
• Displays area ID and adjacency information
Router# show ip ospf neighbor
• Displays OSPF neighbor information on a per-interface basis
OSPF debug Commands
Router# debug ip ospf events
OSPF: hello with invalid timers on interface Ethernet0
  hello interval received 10 configured 10
  net mask received 255.255.255.0 configured 255.255.255.0
  dead interval received 40 configured 30
(the neighbor's dead interval of 40 s does not match the local 30 s, so no adjacency forms)
Router# debug ip ospf packet
OSPF: rcv. v:2 t:1 l:48 rid:200.0.0.117
      aid:0.0.0.0 chk:6AB2 aut:0 auk:
(v:2 = OSPFv2, t:1 = Hello, l = length, rid = sender's router ID, aid = area ID, chk = checksum, aut:0 = no authentication)
Router# debug ip ospf packet
OSPF: rcv. v:2 t:1 l:48 rid:200.0.0.116
      aid:0.0.0.0 chk:0 aut:2 keyid:1 seq:0x0
(aut:2 = MD5 authentication with key ID 1 and a cryptographic sequence number; the checksum field is 0 because MD5-authenticated packets carry their integrity check in the trailer instead)
Hybrid Routing Protocols
Determining IP Routes: Enabling EIGRP
EIGRP (Enhanced IGRP)
- Advanced distance vector protocol.
- Cisco proprietary.
- Maintains neighbor relationships using a hello protocol.
- Sends a hello every 5 s on fast links (faster than T1, 1.544 Mbit/s).
- Sends a hello every 60 s on slow links (1.544 Mbit/s and slower).
- Hold (dead) interval = 3 × hello interval.
- Rapid convergence using the DUAL algorithm (it stores a backup route for each best route).
- Supports multiple network-layer protocols (IP, IPX, AppleTalk).
- Supports equal- and unequal-cost load balancing across several paths to the same destination network.
- Differentiates between internal and external routes:
  administrative distance = 90 for internal routes,
  administrative distance = 170 for external routes.
- Symbol "D" in the routing table.
EIGRP (cont.)
- Maximum hop count = 224.
- Classless.
- Reliable protocol (updates are acknowledged).
- Same operation in all topologies.
- Uses a composite metric built from:
  – bandwidth
  – delay
  – reliability
  – load
  – MTU
  (by default only bandwidth and delay are weighted in).
- For EIGRP routers to become neighbors:
  1- they must have the same AS number;
  2- they must have the same K-values (the weights applied to the metric components).
EIGRP terminologies
- Neighbor table: list of all neighbors.
- Topology table: list of all routes to the destination networks.
- Routing table: list of the best routes to all destination networks.
- Successor (S): the best route to a destination network, stored in the routing table and the topology table.
- Feasible successor (FS): a backup route to a destination network, stored in the topology table only.
- Feasible distance (FD): the metric from this router to the destination network.
- Advertised distance (AD): the metric from the neighbor to the destination network, as the neighbor reports it.
- FD = metric to the next hop + AD.
- Feasibility condition: a route qualifies as a feasible successor only if its AD is lower than the FD of the current successor; this is what guarantees the backup path does not loop back through this router.
(figure: the successor S with its FD, and a feasible successor FS with its AD)
EIGRP operation
- At start-up:
  (figure: a new router sends a Hello to 224.0.0.10; its neighbors reply with Hellos; full routing information is then exchanged with unicast updates, each acknowledged; later updates go to 224.0.0.10 and are acknowledged)
  - The router forms a topology table from all the updates it receives.
  - It then applies the DUAL algorithm to the topology table to extract the routing table (successors) and to compute the backup routes (feasible successors).
EIGRP operation (cont.)
- After convergence:
  no periodic updates are sent (hellos keep the neighbor relationship alive).
- At change:
  1- A new network appears:
     an update is sent to 224.0.0.10 and acknowledged.
  2- A network fails:
     - If a backup route (FS) exists, the FS becomes the new successor for this route at once, and an update is sent to 224.0.0.10 and acknowledged.
     - If no backup route (FS) exists, the router sends a query to 224.0.0.10 ("does anyone know another route to the failed network?"); each neighbor acknowledges it and replies yes or no, and the replies are acknowledged in turn.
Configuring EIGRP
Router(config)# router eigrp <autonomous-system>
• Defines EIGRP as the IP routing protocol
Router(config-router)# network <network-number> [wildcard-mask]
• Selects the participating attached networks
EIGRP Configuration Example (figure)
Verifying the EIGRP Configuration
Router# show ip eigrp neighbors
• Displays the neighbors discovered by IP EIGRP
Router# show ip eigrp topology
• Displays the IP EIGRP topology table
Router# show ip route eigrp
• Displays the current EIGRP entries in the routing table
Router# show ip protocols
• Displays the parameters and current state of the active routing protocol process
Router# show ip eigrp traffic
• Displays the number of IP EIGRP packets sent and received
debug ip eigrp Command
Router# debug ip eigrp
IP-EIGRP: Processing incoming UPDATE packet
IP-EIGRP: Ext 192.168.3.0 255.255.255.0 M 386560 - 256000 130560 SM 360960 256000 104960
IP-EIGRP: Ext 192.168.0.0 255.255.255.0 M 386560 - 256000 130560 SM 360960 256000 104960
IP-EIGRP: Ext 192.168.3.0 255.255.255.0 M 386560 - 256000 130560 SM 360960 256000 104960
IP-EIGRP: 172.69.43.0 255.255.255.0, - do advertise out Ethernet0/1
IP-EIGRP: Ext 172.69.43.0 255.255.255.0 metric 371200 - 256000 115200
IP-EIGRP: 192.135.246.0 255.255.255.0, - do advertise out Ethernet0/1
IP-EIGRP: Ext 192.135.246.0 255.255.255.0 metric 46310656 - 45714176 596480
IP-EIGRP: 172.69.40.0 255.255.255.0, - do advertise out Ethernet0/1
IP-EIGRP: Ext 172.69.40.0 255.255.255.0 metric 2272256 - 1657856 614400
IP-EIGRP: 192.135.245.0 255.255.255.0, - do advertise out Ethernet0/1
IP-EIGRP: Ext 192.135.245.0 255.255.255.0 metric 40622080 - 40000000 622080
IP-EIGRP: 192.135.244.0 255.255.255.0, - do advertise out Ethernet0/1
(reading the output: "Ext" marks an external route; "M" is the computed metric followed by its bandwidth and delay components; "SM" is the metric as the neighbor advertised it, i.e. the advertised distance, so M − SM (here 386560 − 360960 = 25600, all of it delay) is the cost of the link to that neighbor)
EIGRP Load Balancing
(figure: three paths to the same destination with metrics 20, 40 and 60)
- A path is used alongside the successor when it is a feasible successor and its metric is ≤ variance × the successor's metric; with variance 2 in the figure, the 20 and 40 paths carry traffic and the 60 path does not.
- Configuration:
Router(config)# router eigrp <autonomous-system>
Router(config-router)# variance <multiplier>
Router(config-router)# traffic-share balanced
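The DUAL bookkeeping from the EIGRP terminology and operation slides (successor, feasible successor, feasibility condition, what happens when the successor fails) together with the variance rule from the load-balancing slide, as an added example that is not code from the original slides. The neighbors and metrics are constructed, and the composite metric is treated as an opaque integer (lower is better) exactly as the slides treat it.

```python
"""Added example (not part of the original slides): the DUAL bookkeeping from
the EIGRP terminology and operation slides, plus the variance rule from the
load-balancing slide. Neighbours and metrics are constructed; the composite
metric is treated as an opaque integer (lower is better), as the slides do."""


def dual_select(entries):
    """entries: list of (neighbor, metric_to_neighbor, advertised_distance).
    FD = metric to the neighbor + its AD; the successor is the lowest FD.
    Feasibility condition: a neighbor is a feasible successor only if its AD is
    strictly less than the successor's FD. That is what guarantees the backup
    route does not pass back through this router (no loop)."""
    scored = sorted(((nbr, cost + ad, ad) for nbr, cost, ad in entries),
                    key=lambda e: e[1])
    if not scored:
        return None, [], []
    succ, fd, _ = scored[0]
    feasible = [nbr for nbr, _fd, ad in scored[1:] if ad < fd]
    infeasible = [nbr for nbr, _fd, ad in scored[1:] if ad >= fd]
    return (succ, fd), feasible, infeasible


def on_successor_failure(entries, failed):
    """If a feasible successor exists DUAL promotes it at once and the route
    stays Passive; otherwise the route goes Active and neighbours are queried."""
    (succ, fd), feasible, _ = dual_select(entries)
    if succ != failed:
        return "passive", (succ, fd)               # a non-successor dropped: nothing to do
    remaining = [e for e in entries if e[0] != failed]
    if feasible:
        return "passive", dual_select(remaining)[0]
    return "active", [e[0] for e in remaining]      # send queries to these neighbours


def load_balance_paths(entries, variance=1):
    """`variance n`: also use feasible successors whose FD <= n * successor FD."""
    (succ, fd), feasible, _ = dual_select(entries)
    fd_of = {nbr: cost + ad for nbr, cost, ad in entries}
    return [succ] + [n for n in feasible if fd_of[n] <= variance * fd]


# Constructed topology table for one destination: (neighbor, cost to it, its AD).
ENTRIES = [
    ("R1", 256, 1024),   # FD 1280 -> successor
    ("R2", 512, 1024),   # FD 1536, AD 1024 < 1280 -> feasible successor
    ("R3", 256, 1536),   # FD 1792, AD 1536 >= 1280 -> not feasible (may loop through us)
]
```

R3 is rejected even though it does reach the destination: its advertised distance is higher than our own feasible distance, so for all DUAL can tell R3's path may run back through this router. That rejection, not the metric comparison, is what makes the local fail-over loop-free.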
RIP v2
• Advanced distance vector protocol (this deck classes it as hybrid).
• Like RIPv1 it still sends its full routing table every 30 seconds, and additionally sends triggered updates when a change occurs.
• Updates are sent to multicast 224.0.0.9 instead of broadcast.
• Classless: the subnet mask is carried with each route.
• Supports authentication of updates (RIPv1 has none).
• Administrative distance = 120.
• Symbol "R" in the routing table.
• Metric = hop count.
- Configuration:
Router(config)# router rip
Router(config-router)# version 2
Router(config-router)# network <directly connected network>
Route Summarization
Route summarization is grouping a block of contiguous subnets and advertising them as a single network address (one prefix represents the whole group).
Route summarization (cont.)
• Advantages of route summarization:
- Reduces the size of the routing table on routers that know only the summary.
- The summary needs less bandwidth to advertise.
- Routers that know only the summary are not affected by instability inside the summarized block (a flapping subnet does not trigger updates beyond the summarizing router).
Classless Inter-Domain Routing (CIDR)
CIDR groups several major (classful) networks into one address block.
Example:
  8.0.0.0/8   = 0000 10 00 . 0 . 0 . 0
  9.0.0.0/8   = 0000 10 01 . 0 . 0 . 0
  10.0.0.0/8  = 0000 10 10 . 0 . 0 . 0
  11.0.0.0/8  = 0000 10 11 . 0 . 0 . 0
  CIDR summary: 8.0.0.0/6 (the first six bits, 000010, are common to all four)
Summarizing Routes in a Discontiguous Network
– RIPv1 and IGRP do not advertise subnet masks and summarize at the classful boundary, and therefore cannot support discontiguous subnets.
– OSPF, EIGRP and RIPv2 advertise subnet masks, and therefore can support discontiguous subnets.
Implementing Variable Length Subnet Masks (VLSM)
Variable Length Subnet Mask (VLSM)
- VLSM means that within a single class A, B or C network more than one subnet mask is used.
- VLSM allows some subnets to be smaller and some larger, which reduces the waste of IP addresses.
- VLSM allows you to apply different subnet masks to the same classful address.
- Steps:
  - begin with the largest subnet;
  - continue assigning addresses to the smaller subnets with the suitable subnet mask.
VLSM example
Divide network 192.168.1.0/24 among s1, s2, s3 (60 hosts each) and s4, s5, s6 (2 hosts each).
- For s1, s2 and s3 to support 60 hosts we need 6 host bits, so the subnet mask is 255.255.255.192 (/26).
- Block size = 256 − 192 = 64.
- s1 address 192.168.1.0/26
  s2 address 192.168.1.64/26
  s3 address 192.168.1.128/26
- Starting from address 192.168.1.192, assign addresses to s4, s5 and s6:
- 2 hosts need 2 host bits, so the new subnet mask is 255.255.255.252 (/30); block size = 256 − 252 = 4.
- s4 address 192.168.1.192/30
  s5 address 192.168.1.196/30
  s6 address 192.168.1.200/30
VLSM is supported only by classless routing protocols, because the mask must travel with each route.
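The prefix arithmetic behind the summarization, CIDR and VLSM slides above, as an added example (not code from the original slides) built on Python's ipaddress module: summarize() finds the single prefix that exactly covers a contiguous block and refuses to emit one that would also claim space outside the block, and vlsm_allocate() carves a network largest-subnet-first the way the VLSM slide's worked example does. Inputs are the slides' own numbers or constructed sample data.

```python
"""Added example (not part of the original slides): the prefix arithmetic
behind the summarization, CIDR and VLSM slides, using Python's ipaddress
module. summarize() finds the one prefix that exactly covers a contiguous
block (and refuses to over-summarize); vlsm_allocate() carves a network
largest-subnet-first as the VLSM slide does. Inputs are the slides' own
numbers or constructed sample data."""
import ipaddress
import math


def summarize(prefixes):
    """Smallest single prefix covering every network in `prefixes`.
    Raises ValueError if that prefix would also cover space not in the list:
    advertising a summary for space you do not hold attracts traffic for it
    (and can black-hole or hijack it), so a router should not emit it blindly."""
    nets = [ipaddress.ip_network(p) for p in prefixes]
    common = nets[0]
    for n in nets[1:]:
        while not common.supernet_of(n):          # shorten until it covers n
            common = common.supernet()
    if list(ipaddress.collapse_addresses(nets)) != [common]:
        raise ValueError(f"{[str(n) for n in nets]} is not one contiguous block; "
                         f"{common} would over-summarize")
    return str(common)


def try_summarize(prefixes):
    """summarize() returning the refusal text instead of raising."""
    try:
        return summarize(prefixes)
    except ValueError as err:
        return f"refused: {err}"


def prefix_for_hosts(hosts):
    """Shortest mask that leaves room for `hosts` plus network and broadcast."""
    return 32 - math.ceil(math.log2(hosts + 2))


def vlsm_allocate(base, demands):
    """demands: {name: host_count}. Allocate the largest subnets first from
    `base`, first-fit by address, keeping leftovers for later subnets.
    Returns {name: 'a.b.c.d/len'}; raises ValueError when space runs out."""
    free = [ipaddress.ip_network(base)]           # free blocks, kept sorted by address
    result = {}
    for name, hosts in sorted(demands.items(), key=lambda kv: -kv[1]):
        need = prefix_for_hosts(hosts)
        for i, block in enumerate(free):
            if block.prefixlen <= need:
                # take the lowest piece of the block that has the required length
                chosen = block if block.prefixlen == need else next(block.subnets(new_prefix=need))
                result[name] = str(chosen)
                free[i:i + 1] = list(block.address_exclude(chosen))   # return the remainder
                free.sort()
                break
        else:
            raise ValueError(f"no room left for {name} ({hosts} hosts) in {base}")
    return result


# The VLSM slide's worked example.
SLIDE_DEMANDS = {"s1": 60, "s2": 60, "s3": 60, "s4": 2, "s5": 2, "s6": 2}
```

Running summarize() on the CIDR slide's four /8s returns 8.0.0.0/6; dropping 11.0.0.0/8 from the list makes it refuse, since the only single prefix that covers the remaining three would also cover 11.0.0.0/8.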
Managing IP Traffic with Access Lists (ACL)
Access control list (ACL)
• Manage IP traffic as network access grows
• Filter packets as they pass through the router
ACL Structure
- An ACL is a set of statements grouped under a name or number to control traffic flow (permit or deny).
- The access list is configured on the router and then activated on interfaces.
• ACL processing:
- Statements are checked from top to bottom.
- Once a match is found, no further statements are checked.
- If no match is found, the packet is dropped by the implicit "deny" statement at the end of every ACL.
- An ACL must therefore contain at least one permit statement, otherwise all packets are dropped.
- In a classic numbered ACL you cannot insert a statement between existing statements; a new statement is appended to the end, so the order in which you enter them is the order in which they are tested.
- You can have one ACL per interface, per protocol, per direction.
ACL types
- Standard ACL: numbered (1–99, expanded range 1300–1999) or named.
- Extended ACL: numbered (100–199, expanded range 2000–2699) or named.
Note:
- In a numbered ACL you cannot delete a single statement; you can only delete the whole ACL.
- In a named ACL you can delete a single statement from the list.
Standard ACLs
- Filters packets based on the source IP address only.
- Configuration:
Router(config)# access-list <ACL-number> {permit|deny} <source-ip> [wildcard-mask]
• IP standard ACLs use numbers 1 to 99.
• The default wildcard mask is 0.0.0.0 (match the address exactly).
• 12.0.0.1 0.0.0.0 = host 12.0.0.1, and 0.0.0.0 255.255.255.255 = any.
• no access-list <ACL-number> removes the entire ACL.
Router(config-if)# ip access-group <ACL-number> {in | out}
• Activates the list on an interface.
• Sets inbound or outbound testing.
• no ip access-group <ACL-number> removes the ACL from the interface.
Standard IP ACL example
- Deny traffic from host 172.16.4.13 to host A and permit all other traffic.
Note: the order of the commands is important; the deny must come before the permit any, or it is never reached.
(figure: network 12.0.0.0 with host A; legend: 172.16.4.13 0.0.0.0 = host 172.16.4.13, 0.0.0.0 255.255.255.255 = any; the list is applied on the interface nearest host A)
Standard ACL (cont.)
• Controlling Telnet access to the router:
we want to block Telnet access from host 10.1.1.1 to the router itself.
(config)# access-list 1 deny host 10.1.1.1
(config)# access-list 1 permit any
(config)# line vty 0 4
(config-line)# access-class 1 in
access-class applies the list to the vty lines, so it protects the router's own management access rather than transit traffic, and one list on the vty lines covers every interface the router could be reached on.
Standard Named IP ACL
Router(config)# ip access-list standard <name>
Router(config-std-nacl)# {permit|deny} <source-ip> [wildcard-mask]
Router(config-std-nacl)# no {permit|deny} <source-ip> [wildcard-mask]
• Permit or deny statements have no prepended number.
• "no" removes the specific test from the named ACL.
Router(config-if)# ip access-group <name> {in | out}
• Activates the named IP ACL on an interface.
Placement of standard ACL
(figure: host X 192.168.5.1/24 behind router A; routers A, B and C in a row; the server 192.168.1.1/24 on router C's interface e0)
- We want to stop user X from reaching the server.
C(config)# access-list 1 deny host 192.168.5.1
C(config)# access-list 1 permit any
C(config)# interface e0
C(config-if)# ip access-group 1 out
- Rule:
• A standard ACL is placed as close as possible to the destination: it can only match the source address, so placed near the source it would also cut X off from everything else.
Extended ACL
- More flexible than a standard ACL.
- An extended ACL can match on:
  1- source IP and destination IP;
  2- TCP/IP protocol (IP, TCP, UDP, ICMP, ...);
  3- protocol information (port numbers).
Extended IP ACL Configuration
Router(config)# access-list <access-list-number> {permit | deny} <protocol> <source-ip> <source-wildcard> [operator port] <destination-ip> <destination-wildcard> [operator port]
• Sets the parameters for this list entry.
Router(config-if)# ip access-group <access-list-number> {in | out}
• Activates the extended list on an interface.
Extended ACL
• Note:
- 0.0.0.0 is called the host mask.
- 12.0.0.1 0.0.0.0 = host 12.0.0.1
- 0.0.0.0 255.255.255.255 = any
- The operator and port values:
  eq          equal to the port
  neq         not equal to the port
  lt          less than the port (the port itself is not included)
  gt          greater than the port (the port itself is not included)
  range 10 80 all ports from 10 to 80 inclusive
- eq 80 = eq www: the port can be given as a number or by its IOS name.
Extended ACL example
(figure: a router connected to the Internet, with the extended list applied inbound on the interface facing subnet 172.16.4.0)
– Deny FTP from subnet 172.16.4.0 to subnet 172.16.3.0
– Permit all other traffic.
Extended ACL example
(figure: same placement)
– Deny only Telnet from subnet 172.16.4.0
– Permit all other traffic.
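An evaluator for the ACL semantics described on the preceding slides (top-down first match, the implicit deny, wildcard masks, the eq/neq/lt/gt/range operators), run against the two example scenarios above and against the ordering mistake the standard-ACL slide warns about. This is an added example, not code from the original slides: the packets are constructed, and the port-name table only covers the names used here.

```python
"""Added example (not part of the original slides): an evaluator for the ACL
rules the slides describe (top-down first match, implicit deny, wildcard
masks, extended operators), exercised on the slides' two scenarios. Packets
and entries are constructed sample data."""
import ipaddress
from dataclasses import dataclass

ANY = ("0.0.0.0", "255.255.255.255")
PORT_NAMES = {"ftp-data": 20, "ftp": 21, "telnet": 23, "www": 80}   # only the IOS names used here


def wildcard_match(addr, base, wildcard):
    """IOS wildcard mask: a 1 bit means 'don't care', the inverse of a subnet mask."""
    a, b, w = (int(ipaddress.ip_address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)


def port_match(port, op):
    """op is None (any port) or a tuple such as ("eq", "ftp") or ("range", 20, 21)."""
    if op is None:
        return True
    name, *args = op
    args = [PORT_NAMES.get(x, x) for x in args]
    return {
        "eq": lambda p: p == args[0],
        "neq": lambda p: p != args[0],
        "lt": lambda p: p < args[0],
        "gt": lambda p: p > args[0],
        "range": lambda p: args[0] <= p <= args[1],
    }[name](port)


@dataclass
class Entry:
    action: str            # "permit" or "deny"
    protocol: str          # "ip" matches every IP protocol; "tcp"/"udp"/"icmp" match exactly
    src: tuple             # (address, wildcard)
    dst: tuple = ANY       # a standard ACL only ever looks at src
    sport: tuple = None    # operator on the source port, or None
    dport: tuple = None    # operator on the destination port, or None


@dataclass
class Packet:
    protocol: str
    src: str
    dst: str
    sport: int = 0
    dport: int = 0


def evaluate(acl, pkt):
    """Top-down, first match wins. Returns (action, index); index -1 is the
    implicit deny that ends every ACL."""
    for i, e in enumerate(acl):
        if e.protocol != "ip" and e.protocol != pkt.protocol:
            continue
        if not (wildcard_match(pkt.src, *e.src) and wildcard_match(pkt.dst, *e.dst)):
            continue
        if e.protocol in ("tcp", "udp") and not (port_match(pkt.sport, e.sport)
                                                and port_match(pkt.dport, e.dport)):
            continue
        return e.action, i
    return "deny", -1


SUBNET_4 = ("172.16.4.0", "0.0.0.255")
SUBNET_3 = ("172.16.3.0", "0.0.0.255")

# Slide 1: deny FTP (control and data ports) from 172.16.4.0 to 172.16.3.0, permit the rest.
NO_FTP = [
    Entry("deny", "tcp", SUBNET_4, SUBNET_3, dport=("eq", "ftp")),
    Entry("deny", "tcp", SUBNET_4, SUBNET_3, dport=("eq", "ftp-data")),
    Entry("permit", "ip", ANY, ANY),
]
# Slide 2: deny only Telnet from 172.16.4.0 (to anywhere), permit the rest.
NO_TELNET = [
    Entry("deny", "tcp", SUBNET_4, ANY, dport=("eq", "telnet")),
    Entry("permit", "ip", ANY, ANY),
]
# The ordering mistake the slides warn about: "permit any" first shadows the deny.
SHADOWED = [NO_TELNET[1], NO_TELNET[0]]
```

Two things worth checking in any real list: a "deny" that only matches one direction of a connection (NO_TELNET lets Telnet from 172.16.3.0 into 172.16.4.0 through, because only the source subnet is tested), and an ACL that is all denies (NO_FTP[:2]), which drops everything through the implicit deny.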
Extended Named ACL
Router(config)# ip access-list extended <name>
• The alphanumeric name string must be unique.
Router(config-ext-nacl)# {permit | deny} {ip access list test conditions}
Router(config-ext-nacl)# no {permit | deny} {ip access list test conditions}
• Permit or deny statements have no prepended number.
• "no" removes the specific test from the named ACL.
Router(config-if)# ip access-group <name> {in | out}
• Activates the named IP ACL on an interface.
Placement of Extended ACL
(figure: host X 192.168.5.1/24 behind router A; routers A, B and C in a row; the server 192.168.1.1/24 behind router C)
- We want to stop user X from reaching the server.
- Rule:
• An extended ACL is placed as close as possible to the source: since it matches source, destination and port, it can drop exactly the unwanted traffic on router A before that traffic crosses the network.
Monitoring ACL Statements
router# show {protocol} access-list {access-list number}
router# show access-lists {access-list number}
wg_ro_a# show access-lists
Standard IP access list 1
    permit 10.2.2.1
    permit 10.3.3.1
    permit 10.4.4.1
    permit 10.5.5.1
Extended IP access list 101
    permit tcp host 10.22.22.1 any eq telnet
    permit tcp host 10.33.33.1 any eq ftp
    permit tcp host 10.44.44.1 any eq ftp-data
Verifying ACLs
router# show ip interface e0
Ethernet0 is up, line protocol is up
  Internet address is 10.1.1.11/24
  Broadcast address is 255.255.255.255
  Address determined by setup command
  MTU is 1500 bytes
  Helper address is not set
  Directed broadcast forwarding is disabled
  Outgoing access list is not set
  Inbound access list is 1
  Proxy ARP is enabled
  Security level is default
  Split horizon is enabled
  ICMP redirects are always sent
  ICMP unreachables are always sent
  ICMP mask replies are never sent
  IP fast switching is enabled
  IP fast switching on the same interface is disabled
  IP Feature Fast switching turbo vector
  IP multicast fast switching is enabled
  IP multicast distributed fast switching is disabled
  <text omitted>
Scaling the Network with NAT and PAT
Network address translation (NAT)
- Address translation lets you translate your internal private addresses to public addresses before the packets leave your local network for the public network.
- NAT terminology:
1- Inside local: the address of an inside host as seen on the inside (usually a private address).
2- Inside global: the address of that inside host as seen from the outside (a public address).
3- Outside local: the address of an outside host as seen on the inside.
4- Outside global: the address of an outside host as seen on the outside (its real public address).
- Types of address translation:
• Static translation.
• Dynamic translation.
Static NAT
(figure: inside host 10.0.0.1 is always translated to 12.0.0.1 and back)
- The NAT table is built manually, mapping private IPs to public IPs one to one.
- Static NAT is used when outside users need to reach your internal resources, since the mapping exists before any inside host sends traffic.
Configuring Static Translation
Router(config)# ip nat inside source static <local-ip> <global-ip>
• Establishes a static translation between an inside local address and an inside global address
Router(config-if)# ip nat inside
• Marks the interface as connected to the inside
Router(config-if)# ip nat outside
• Marks the interface as connected to the outside
Static NAT Example (figure)
Dynamic NAT
- The router is given a pool of global IP addresses; every inside user that tries to reach a public network is given an address from the pool while the translation is active.
- To configure dynamic NAT:
1- Define the pool of IPs.
2- Define which inside addresses are allowed to be translated (with an ACL).
Configuring Dynamic NAT
Router(config)# ip nat pool <name> <start-ip> <end-ip> {netmask <netmask> | prefix-length <prefix-length>}
• Defines a pool of global addresses to be allocated as needed.
Router(config)# access-list <access-list-number> permit <source-ip> [source-wildcard]
• Defines a standard IP ACL permitting the inside local addresses that are to be translated.
Router(config)# ip nat inside source list <access-list-number> pool <pool-name>
• Establishes dynamic source translation, specifying the ACL that was defined in the prior step.
Dynamic NAT Example (figure)
Port address translation (PAT)
- Static or dynamic NAT provide only one-to-one translation, while PAT (NAT overload) supports many-to-one translation by using port numbers.
(figure: 10.0.0.1:2000 → 13.0.0.1:80 leaves as 12.0.0.1:2000 → 13.0.0.1:80, and 10.0.0.2:3000 → 13.0.0.1:80 leaves as 12.0.0.1:3000 → 13.0.0.1:80; both hosts share the single inside global address 12.0.0.1)
PAT table:
  Inside local ip   port   Inside global ip   port
  10.0.0.1          2000   12.0.0.1           2000
  10.0.0.2          3000   12.0.0.1           3000
  10.0.0.2          2000   12.0.0.1           4000   (source port changed because 12.0.0.1:2000 is already in use)
Configuring PAT
Router(config)# access-list <access-list-number> permit <source-ip> <source-wildcard>
• Defines a standard IP ACL that permits the inside local addresses that are to be translated
Router(config)# ip nat inside source list <access-list-number> interface <interface> overload
• Establishes dynamic source translation, specifying the ACL that was defined in the prior step; "overload" enables PAT on the interface's address
PAT Example (figure)
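A translation table that behaves like the ones on the NAT and PAT slides: static one-to-one entries that accept unsolicited inbound traffic, a dynamic pool that runs out, and PAT that keeps the source port when it is free and rewrites it on collision, plus the reverse lookup the router performs for returning packets. This is an added example, not code from the original slides; the addresses are the slides' own (10.0.0.x inside, 12.0.0.1 as the inside global address), and the port-collision policy (step up by 1000) is a constructed stand-in for whatever allocation a real router uses.

```python
"""Added example (not part of the original slides): a NAT/PAT translation
table reproducing the slides' behaviour: static entries, a dynamic pool that
can run out, and PAT (overload) with port rewriting on collision. Addresses
follow the slides; the port-collision policy is a constructed stand-in."""


class NatTable:
    def __init__(self, static=None, pool=None, overload_ip=None):
        self.static = dict(static or {})       # inside local -> inside global (manual entries)
        self.pool = list(pool or [])           # free inside global addresses for dynamic NAT
        self.dynamic = {}                      # inside local -> inside global (allocated from pool)
        self.overload_ip = overload_ip         # the single inside global address PAT uses
        self.pat = {}                          # (local ip, local port) -> global port
        self.pat_rev = {}                      # global port -> (local ip, local port)

    def outbound(self, src_ip, src_port=None):
        """Translate an inside->outside packet's source; returns (global_ip, global_port).
        Precedence: static entry, existing dynamic entry, new dynamic entry, PAT."""
        if src_ip in self.static:
            return self.static[src_ip], src_port
        if src_ip in self.dynamic:
            return self.dynamic[src_ip], src_port
        if self.pool:
            self.dynamic[src_ip] = self.pool.pop(0)
            return self.dynamic[src_ip], src_port
        if self.overload_ip is None or src_port is None:
            raise RuntimeError("no translation available: pool exhausted and no overload configured")
        key = (src_ip, src_port)
        if key not in self.pat:
            port = src_port
            while port in self.pat_rev:        # 12.0.0.1:<port> already used by another inside host
                port += 1000                   # constructed policy; a real router picks any free port
            self.pat[key] = port
            self.pat_rev[port] = key
        return self.overload_ip, self.pat[key]

    def inbound(self, dst_ip, dst_port=None):
        """Map a returning packet's destination back to the inside host, or None
        when no entry exists (an unsolicited packet from outside is dropped)."""
        for local, glob in {**self.static, **self.dynamic}.items():
            if glob == dst_ip:
                return local, dst_port
        if dst_ip == self.overload_ip and dst_port in self.pat_rev:
            return self.pat_rev[dst_port]
        return None


def demo():
    """Replays the slides' PAT table and the dynamic-pool exhaustion case."""
    pat = NatTable(static={"10.0.0.100": "12.0.0.100"}, overload_ip="12.0.0.1")
    rows = [pat.outbound("10.0.0.1", 2000),
            pat.outbound("10.0.0.2", 3000),
            pat.outbound("10.0.0.2", 2000)]      # collides with the first row
    dyn = NatTable(pool=["12.0.0.5"])            # a one-address pool, no overload
    dyn.outbound("10.0.0.1", 40000)
    try:
        dyn.outbound("10.0.0.2", 40001)
        exhausted = False
    except RuntimeError:
        exhausted = True
    return {
        "pat_rows": rows,
        "reverse_4000": pat.inbound("12.0.0.1", 4000),
        "unsolicited": pat.inbound("12.0.0.1", 5000),
        "static_in": pat.inbound("12.0.0.100", 80),
        "pool_exhausted": exhausted,
    }
```

The two inbound() results show the security difference between the translation types: the static entry answers for 12.0.0.100 whether or not the inside host ever spoke, which is what makes a published server reachable and also what exposes it, while PAT only has an entry for a port an inside host opened first.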
Displaying Information with show Commands
Router# show ip nat translations
• Displays active translations
Router# show ip nat translations
Pro  Inside global      Inside local     Outside local    Outside global
---  172.16.131.1       10.10.10.1       ---              ---
Router# show ip nat statistics
• Displays translation statistics
Router# show ip nat statistics
Total active translations: 1 (1 static, 0 dynamic; 0 extended)
Outside interfaces:
  Ethernet0, Serial2.7
Inside interfaces:
  Ethernet1
Hits: 5  Misses: 0
…
Using the debug ip nat Command
Router# debug ip nat
NAT: s=192.168.1.95->172.31.233.209, d=172.31.2.132 [6825]
NAT: s=172.31.2.132, d=172.31.233.209->192.168.1.95 [21852]
NAT: s=192.168.1.95->172.31.233.209, d=172.31.1.161 [6826]
NAT*: s=172.31.1.161, d=172.31.233.209->192.168.1.95 [23311]
NAT*: s=192.168.1.95->172.31.233.209, d=172.31.1.161 [6827]
NAT*: s=192.168.1.95->172.31.233.209, d=172.31.1.161 [6828]
NAT*: s=172.31.1.161, d=172.31.233.209->192.168.1.95 [23313]
NAT*: s=172.31.1.161, d=172.31.233.209->192.168.1.95 [23325]
(reading the output: s= is the source and d= the destination; a->b shows the address before and after translation, so inside local 192.168.1.95 becomes inside global 172.31.233.209 on the way out and is restored on the way back; the number in brackets is the IP identification field; the asterisk in NAT* marks packets translated in the fast-switched path)
Switching
Spanning Tree Protocol (IEEE 802.1D)
Layer 2 loops
(figure: a switch's MAC table learns address A on port 3 and then on port 1 as the same frame keeps circulating)
• Without a loop-prevention mechanism a redundant layer-2 topology causes broadcast storms, duplicate frames and MAC table instability, because Ethernet frames carry no hop count to age them out.
• Solution: use the Spanning Tree Protocol (STP).
Spanning Tree Protocol
- Provides a loop-free topology over a redundant network by placing certain ports in the blocking state (a logical block, not a physical shutdown).
- STP lets switches become aware of each other so they can negotiate a loop-free path.
- When the active path fails, STP unblocks the blocked port and activates the other path.
Spanning Tree Operation
1- BPDU flooding:
- BPDUs (bridge protocol data units) are sent from each switch to the other switches on a well-known multicast MAC address (01:80:C2:00:00:00).
- Every switch takes a copy of each BPDU and resends it to the other switches.
- Every switch forms a database from all the BPDUs.
- A BPDU is sent every two seconds.
- Fields of a BPDU: root bridge ID, accumulated path cost to the root, sender bridge ID (BID), port ID.
Spanning Tree Operation (cont.)
2- Root bridge election:
- The root bridge is the bridge with the lowest bridge ID.
- Bridge ID = priority (2 bytes, default 32768) followed by the bridge MAC address (6 bytes).
- So the root bridge is the one with the lowest priority; if priorities are equal, the one with the lowest MAC address.
- After the election only the root bridge originates BPDUs, every 2 seconds; the other switches relay them.
Spanning Tree Operation (cont.)
3- Root port election (RP):
- Each non-root switch elects the best port to reach the root switch.
- The root port is the port with:
  1- the lowest accumulated path cost to the root switch;
  2- if costs are equal, the port facing the neighbor with the lowest bridge ID;
  3- if still equal, the port with the lowest port ID (port priority, then port number).
Spanning Tree Operation (cont.)
assume BID of
A<B<C<D A
is Root bridge
RP 3
B
5
root bridge
1
A
2
RP
to get RP :
which port is
closer to A ?
(compare 4,6)
4
C
6
(compare 3,5)
(compare 7,8)
RP
7
8
D
111
Spanning Tree Operation (cont.)
4- Designated port election (DP):
- On every LAN segment, the DP is the port with the lowest accumulated path cost from the root switch (every port of the root bridge is designated).
5- Blocked port (BP):
- A port that is neither RP nor DP.
- A BP is logically blocked until a change happens.
Spanning Tree Operation (cont.)
(figure: to find the designated ports, compare the two ends of each segment by distance to A: ports 1 and 3, 2 and 4, 5 and 7, 6 and 8. Ports 1 and 2 on A, 5 on B and 6 on C become DP; ports 3, 4 and 7 are RP; port 8 on D is neither RP nor DP and is blocked.)
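The 802.1D election steps from the preceding slides as code: root bridge by lowest bridge ID, root port by lowest root path cost (ties by neighbor BID, then port ID), one designated port per segment, and everything else blocked. This is an added example, not code from the original slides. The four-switch topology mirrors the slides' figure (A < B < C < D, ports 1 to 8, port 8 ending up blocked); the MAC addresses and the 100 Mbit/s link cost of 19 are constructed.

```python
"""Added example (not part of the original slides): the 802.1D election as
code. Topology mirrors the slides' figure (A < B < C < D, ports 1-8); MAC
addresses and link costs (19, i.e. 100 Mbit/s) are constructed."""
import heapq

SWITCHES = {  # name: (priority, MAC); the bridge ID compares as (priority, MAC)
    "A": (32768, "00:00:00:00:00:0a"),
    "B": (32768, "00:00:00:00:00:0b"),
    "C": (32768, "00:00:00:00:00:0c"),
    "D": (32768, "00:00:00:00:00:0d"),
}
# Each segment: (switch1, port1, switch2, port2, port cost)
SEGMENTS = [
    ("A", 1, "B", 3, 19),
    ("A", 2, "C", 4, 19),
    ("B", 5, "D", 7, 19),
    ("C", 6, "D", 8, 19),
]


def bid(name, switches=SWITCHES):
    """Bridge ID as a comparable tuple: priority first, then the MAC as an integer."""
    prio, mac = switches[name]
    return (prio, int(mac.replace(":", ""), 16))


def root_path_costs(root, segments):
    """Dijkstra over the segments: lowest accumulated cost from each switch to the root."""
    adj = {}
    for s1, p1, s2, p2, cost in segments:
        adj.setdefault(s1, []).append((s2, cost))
        adj.setdefault(s2, []).append((s1, cost))
    dist = {root: 0}
    heap = [(0, root)]
    while heap:
        d, s = heapq.heappop(heap)
        if d > dist[s]:
            continue
        for n, c in adj.get(s, []):
            if n not in dist or d + c < dist[n]:
                dist[n] = d + c
                heapq.heappush(heap, (d + c, n))
    return dist


def spanning_tree(switches=SWITCHES, segments=SEGMENTS):
    """Return (root, {(switch, port): role}) with role in {'RP', 'DP', 'BP'}."""
    b = lambda s: bid(s, switches)
    root = min(switches, key=b)                      # lowest bridge ID wins
    cost_to_root = root_path_costs(root, segments)
    roles = {}
    # Root port: for each non-root switch, the port whose path to the root is cheapest;
    # ties by the neighbour's BID, then by the neighbour's port ID.
    for sw in switches:
        if sw == root:
            continue
        candidates = []
        for s1, p1, s2, p2, cost in segments:
            if sw in (s1, s2):
                my_port, nbr, nbr_port = (p1, s2, p2) if sw == s1 else (p2, s1, p1)
                candidates.append((cost_to_root[nbr] + cost, b(nbr), nbr_port, my_port))
        roles[(sw, min(candidates)[3])] = "RP"
    # Designated port: per segment, the end with the lowest root path cost
    # (ties by BID, then port ID). Every port of the root is designated.
    for s1, p1, s2, p2, cost in segments:
        ends = sorted([(cost_to_root[s1], b(s1), p1, s1), (cost_to_root[s2], b(s2), p2, s2)])
        _, _, dport, dsw = ends[0]
        roles[(dsw, dport)] = "DP"
        for _, _, port, sw in ends[1:]:
            roles.setdefault((sw, port), "BP")     # neither RP nor DP: blocked
    return root, roles
```

Lowering D's priority to 4096 makes D the root regardless of its MAC address, which is the normal way to pin the root; it is also why an attacker's device sending BPDUs with priority 0 can take the root role on an unprotected segment and pull traffic across itself.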
Spanning Tree Operation (cont.)
After convergence:
• Ports are either forwarding (RP, DP) or blocked (BP).
• A blocked port keeps listening to BPDUs; if it receives none for 20 s (max age = 10 missed BPDUs), it assumes the topology has changed and moves to the listening state.
At change:
• The first switch that detects the change sends a BPDU called a TCN (topology change notification) toward the root switch.
• The root switch sends configuration BPDUs with the TC flag set to all switches, and the spanning tree is recalculated.
• If a new switch with a lower bridge ID (lower priority) is added, it becomes the root switch: unlike the OSPF DR election, STP is preemptive.
Spanning Tree Port States
• Spanning tree transits each port through several different states.
• STP convergence time is from 30 sec. to 50 sec.
Rapid STP (IEEE 802.1w)
• RSTP significantly speeds up the recalculation of the spanning tree when the network topology changes.
• to reduce the convergence time, RSTP:
1- elects a backup port for every RP or DP.
2- merges the Blocking state and Listening state into one state called the Discarding state.
the show spanning-tree command
Virtual LANs (VLAN)
Virtual LANs (VLANs)
Before VLANs:
- all switch ports are in a single broadcast domain.
After VLANs:
- each VLAN is a single broadcast domain and one logical subnet.
- VLANs provide:
1- Segmentation
2- Flexibility
3- Security
VLAN Overview
• Segmentation
• Flexibility
• Security
VLAN = Broadcast Domain = Logical Network (Subnet)
VLAN Operation
• Traffic is switched only between ports of the same VLAN, even when those ports are on different switches.
• To transfer traffic between different VLANs, a router must be used.
• Trunks carry traffic for multiple VLANs.
VLAN membership
1- Static VLAN membership:
- assign a certain port to a certain VLAN (port-based VLAN).
- by default, all ports of the switch are assigned to VLAN 1 (native VLAN).
2- Dynamic VLAN membership:
- assign a certain MAC address to a certain VLAN (MAC-based VLAN).
- even if the PC changes its port on the switch, the PC stays connected to its VLAN.
- this is done by using VMPS (VLAN Membership Policy Server).
VLAN connection (Port) types
1- Access port:
- a port that is a member of only one VLAN.
ex: a switch port connected to a PC.
2- Trunk port:
- a switch port that is a member of all VLANs by default.
ex: a switch port connected to another switch.
Trunking problem
[Figure: switches E and F joined by a trunk between E port 3 and F port 4. Host A (VLAN 1) is on E port 1 and host B (VLAN 2) on E port 2; hosts C and D are on F ports 5 and 6, one in VLAN 1 and one in VLAN 2. Each switch's MAC table lists the hosts reachable through the trunk port with VLAN "all".]
- if host B sends a broadcast to VLAN 2, the frames are passed to port 4 on switch F over the trunk link.
- switch F broadcasts the frames to both ports 5 and 6, although port 6 is not a member of VLAN 2, because it doesn't know the source VLAN of the frame.
- Solution:
the trunk adds a field to the frame that identifies the source VLAN ID.
VLAN trunking Methods
- to provide VLAN communication across switches (trunks), frame tagging is used to identify the source VLAN of each frame.
- Tagging methods:
1- ISL (Inter-Switch Link) for Ethernet.
2- IEEE 802.1q (dot1q) for Ethernet.
3- LANE for ATM.
4- IEEE 802.10 for FDDI.
- so for Ethernet we focus on the ISL and dot1q methods.
1- ISL (Inter-Switch Link)
- Cisco proprietary.
- it encapsulates the original Ethernet frame with 30 bytes:
- a 26-byte header (containing a 10-bit VLAN id) and a 4-byte trailer.
- VLAN range: 0 - 1023
- VLANs 1 - 1001 for Ethernet.
- VLANs 1002 - 1023 reserved.
(ex: 1002 - 1005 for Token Ring and FDDI)
- ISL is no longer supported by Cisco.
2- IEEE 802.1q (dot1q)
- adds a 4-byte tag to the Ethernet frame and recalculates a new CRC.
- the VLAN ID is 12 bits inside the Tag field, so the VLAN range is 0 - 4095.
- dot1q adds less overhead per frame than ISL.
- dot1q supports both tagged and untagged frames, where untagged traffic belongs to the Native VLAN.
- by default, the Native VLAN is VLAN 1.
- the Native VLAN is the management VLAN through which all management traffic between switches is sent (BPDU, STP, VTP, ...).
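The 4-byte dot1q tag and the trunking problem it solves, as an added Python example (not code from the course): it builds tagged and untagged frames, parses the 12-bit VLAN ID, and runs a small per-VLAN switch model in which untagged trunk traffic falls into the native VLAN (VLAN 1). MAC addresses, port numbers and the VLAN layout of "switch F" are constructed.

```python
"""802.1Q tagging and the trunking problem (added example, constructed data)."""
from __future__ import annotations
import struct

TPID_8021Q = 0x8100                     # EtherType value that announces a tag
BROADCAST = bytes.fromhex("ffffffffffff")


def mac(dotted: str) -> bytes:
    """'0000.0000.00bb' -> 6 raw bytes."""
    return bytes.fromhex(dotted.replace(".", ""))


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes,
                vlan: int | None = None, pcp: int = 0) -> bytes:
    """Ethernet II frame; when vlan is given, a 4-byte 802.1Q tag follows the source MAC."""
    header = dst + src
    if vlan is not None:
        if not 0 <= vlan <= 4095:
            raise ValueError("VLAN ID is a 12-bit field (0-4095)")
        tci = ((pcp & 0x7) << 13) | vlan          # PCP(3) | DEI(1)=0 | VID(12)
        header += struct.pack("!HH", TPID_8021Q, tci)
    return header + struct.pack("!H", ethertype) + payload


def parse_frame(frame: bytes) -> dict:
    """Split a frame into its fields; 'vlan' is None for an untagged frame."""
    dst, src = frame[:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    vlan, offset = None, 14
    if ethertype == TPID_8021Q:
        vlan = struct.unpack("!H", frame[14:16])[0] & 0x0FFF
        ethertype = struct.unpack("!H", frame[16:18])[0]
        offset = 18
    return {"dst": dst, "src": src, "vlan": vlan, "ethertype": ethertype,
            "payload": frame[offset:]}


class Switch:
    """Per-VLAN learning switch: access ports carry one VLAN, trunks carry all."""

    def __init__(self, access: dict[int, int], trunks: set[int], native_vlan: int = 1):
        self.access = access            # port -> VLAN
        self.trunks = trunks
        self.native = native_vlan       # VLAN assigned to untagged trunk traffic
        self.mac_table: dict[tuple[int, bytes], int] = {}   # (vlan, mac) -> port

    def classify(self, in_port: int, frame: dict) -> int:
        """Which VLAN does an incoming frame belong to?"""
        if in_port in self.trunks:
            return self.native if frame["vlan"] is None else frame["vlan"]
        return self.access[in_port]

    def receive(self, in_port: int, raw: bytes) -> dict[int, bytes]:
        """Switch one frame; returns {out_port: frame_as_sent}."""
        f = parse_frame(raw)
        vlan = self.classify(in_port, f)
        self.mac_table[(vlan, f["src"])] = in_port
        members = [p for p, v in self.access.items() if v == vlan] + sorted(self.trunks)
        known = self.mac_table.get((vlan, f["dst"]))
        outs = [known] if known is not None and f["dst"] != BROADCAST else members
        sent = {}
        for p in outs:
            if p == in_port:
                continue
            # Trunk egress keeps the tag except for the native VLAN; access egress strips it.
            tag = vlan if (p in self.trunks and vlan != self.native) else None
            sent[p] = build_frame(f["dst"], f["src"], f["ethertype"], f["payload"], tag)
        return sent
```

With the tag present, switch F floods B's broadcast only to its VLAN 2 access port; the same frame arriving untagged on the trunk is treated as native VLAN 1 traffic and reaches the VLAN 1 port instead.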
Inter VLAN routing
- We have to use a router to route between different VLANs.
Method 1:
- Inter VLAN routing using access ports.
- Disadvantage:
for each VLAN you need 1 router interface and 1 switch port.
[Figure: three router interfaces, each connected to a switch access port in Vlan1, Vlan2 and Vlan3 respectively]
VLAN configuration:
1- Create VLAN.
2- Name VLAN (optional).
3- Assign ports to VLAN.
VLAN configuration
To create and name a VLAN:
- New method
(config)# vlan <vlan id>
(config-vlan)# name <name>
- Old method
# vlan database
(vlan)# vlan <vlan id> [name <name>]
To assign a port to a VLAN:
(config)# int <int. name>
(config-if)# switchport mode access
(config-if)# switchport access vlan <vlan id>
Inter VLAN routing (cont.)
- Method 2:
- Router on a stick:
[Figure: switch port fa1/1 is a trunk to the router interface e0/0, which carries sub-interfaces e0/0.1, e0/0.2 and e0/0.3 for Vlan1, Vlan2 and Vlan3]
- Switch port fa1/1 configuration:
Switch(config)# int fa1/1
Switch(config-if)# switchport trunk encapsulation {isl | dot1q}
Switch(config-if)# switchport mode trunk
- Router sub-interface e0/0.1 configuration:
Router(config)# int e0/0.1
Router(config-subif)# encapsulation {isl | dot1q} <vlan id>
Router(config-subif)# ip address <ip> <mask>
Verifying a VLAN
switch# show vlan [brief | id vlan-id | name vlan-name]
switch# show vlan brief
VLAN Name                             Status    Ports
---- -------------------------------- --------- ------------------------------
1    default                          active    Fa0/1, Fa0/2, Fa0/3, Fa0/4
2    vlan2                            active
3    vlan3                            active
4    vlan4                            active
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
1004 fddinet-default                  act/unsup
1005 trnet-default                    act/unsup
Verifying STP for a VLAN
switch# show spanning-tree vlan 2
VLAN0002
  Spanning tree enabled protocol ieee
  Root ID    Priority    2
             Address     0008.20fc.a840
             Cost        31
             Port        12 (FastEthernet0/12)
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    32770  (priority 32768 sys-id-ext 2)
             Address     0008.a445.9b40
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time 300

Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- ----------------
Fa0/2            Desg FWD 100       128.2    Shr
Fa0/12           Root FWD 19        128.12   P2p
Verifying a Trunk
switch# show interfaces fa0/11 switchport
Name: Fa0/11
Switchport: Enabled
Administrative Mode: trunk
Operational Mode: down
Administrative Trunking Encapsulation: dot1q
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
switch# show interfaces fa0/11 trunk
Port      Mode         Encapsulation  Status        Native vlan
Fa0/11    desirable    802.1q         trunking      1
Port      Vlans allowed on trunk
Fa0/11    1-4094
Port      Vlans allowed and active in management domain
Fa0/11    1-13
VTP (VLAN Trunking Protocol)
• Cisco introduced an easy administration method to transfer VLAN information between switches connected in the same domain without repeating the commands on all switches.
• VTP manages the addition, deletion, and modification of VLAN information in a certain VTP domain.
• VTP has a messaging system that advertises VLAN configuration information from one switch to all others.
• maintains VLAN configuration consistency throughout a common administrative domain.
• sends advertisements on trunk ports only.
- VTP domain:
an area with common VLAN requirements (all switches have the same function and VLAN policy).
A switch can only be in one VTP domain.
VTP modes
- VTP Modes:
1- server mode: the default mode on a switch
- can add, delete and modify VLANs.
- generates VTP messages to apply this configuration on the other switches.
2- client mode:
- cannot add, delete or modify VLANs.
- accepts VTP messages, applies them on itself, then forwards them.
- cannot generate VTP messages.
3- transparent mode:
- can add, delete and modify VLANs locally (by console configuration) but cannot generate VTP messages.
- forwards VTP messages without applying them on itself.
VTP Operation
• VTP advertisements are sent as multicast frames.
• VTP servers and clients are synchronized to the latest
revision number (highest number overrides lower ones).
• VTP advertisements are sent every 5 minutes or when
there is a change.
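The revision-number rule above (highest revision wins, in both server and client mode) is the one to keep in mind before cabling a previously used switch into a domain, so here is an added Python model (not the course's or Cisco's code) of the three modes, the domain/password check and the overwrite that a higher revision causes; switch names, the domain "ICND" and the passwords are constructed, and the MD5 digest is a stand-in computed over domain, password and VLAN list.

```python
"""VTP revision-number synchronisation (added example, constructed switches)."""
from __future__ import annotations
import hashlib
from dataclasses import dataclass, field


@dataclass
class VtpSwitch:
    name: str
    mode: str                       # server | client | transparent
    domain: str
    password: str = ""
    revision: int = 0
    vlans: dict[int, str] = field(default_factory=lambda: {1: "default"})
    forwarded: list = field(default_factory=list)   # advertisements relayed unchanged

    def digest(self) -> bytes:
        # Stand-in for the 'MD5 digest' of show vtp status: computed over the
        # domain, the password and the VLAN database, so a receiver with a
        # different password never reproduces it.
        body = f"{self.domain}|{self.password}|{sorted(self.vlans.items())}".encode()
        return hashlib.md5(body).digest()

    def advertisement(self) -> dict:
        return {"domain": self.domain, "revision": self.revision,
                "vlans": dict(self.vlans), "digest": self.digest()}

    def configure_vlan(self, vlan_id: int, vlan_name: str) -> dict | None:
        """Local VLAN change: servers bump the revision and advertise, clients refuse."""
        if self.mode == "client":
            raise PermissionError("a VTP client cannot add, delete or modify VLANs")
        self.vlans[vlan_id] = vlan_name
        if self.mode == "transparent":
            return None                 # local only, no advertisement generated
        self.revision += 1
        return self.advertisement()

    def receive(self, adv: dict) -> bool:
        """Process an advertisement from a trunk; True if the VLAN database changed."""
        if self.mode == "transparent":
            self.forwarded.append(adv)  # relayed to other trunks, never applied
            return False
        if adv["domain"] != self.domain or adv["revision"] <= self.revision:
            return False                # other domain, or nothing newer
        # Check the digest with our own password over the advertised database.
        probe = VtpSwitch(self.name, self.mode, self.domain, self.password, 0, dict(adv["vlans"]))
        if probe.digest() != adv["digest"]:
            return False                # password mismatch
        self.vlans = dict(adv["vlans"])
        self.revision = adv["revision"]
        return True
```

The last case in the model is the operational caveat: a server carrying the right domain and password but a higher revision and an empty VLAN list replaces the VLAN database of every server and client in the domain.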
VTP Pruning
• Increases available bandwidth by reducing unnecessary flooded traffic
• Example: Station A sends broadcast, and broadcast is flooded only
toward any switch with ports assigned to the red VLAN
VTP configuration
New Method
switch(config)# vtp mode [ server | client | transparent ]
switch(config)# vtp domain <domain-name>
switch(config)# vtp password <password>
switch(config)# vtp pruning
switch(config)# end
Old Method
switch# vlan database
switch(vlan)# vtp [ server | client | transparent ]
switch(vlan)# vtp domain <domain-name>
VTP Troubleshooting
Switch# show vtp status
VTP Version                     : 2
Configuration Revision          : 0
Maximum VLANs supported locally : 64
Number of existing VLANs        : 17
VTP Operating Mode              : Transparent
VTP Domain Name                 : ICND
VTP Pruning Mode                : Disabled
VTP V2 Mode                     : Disabled
VTP Traps Generation            : Disabled
MD5 digest                      : 0x7D 0x6E 0x5E 0x3D
Configuration last modified by 10.1.1.4 at 3-3-93 20:08:05
Switch#
DTP (Dynamic Trunking Protocol)
• It negotiates a common trunking mode between two switches by sending periodic messages every 30 sec.
• A router never participates in DTP.
• (config-if)# switchport mode { access | trunk | dynamic { desirable | auto } | nonegotiate }
• switch# show dtp
[Figure: two switches negotiating over their link: "Trunk?"]
DTP Mode            Generate DTP frames   Trunking
Access              Yes                   No
Trunk               Yes                   Yes
Dynamic desirable   Yes                   Yes, in case the other side is: Trunk, Desirable or Auto
Dynamic auto        Yes                   Yes, in case the other side is: Trunk or Desirable
Nonegotiate         No                    Yes (static trunk, no negotiation)
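The negotiation table above as an added Python function (not the course's material), so that every mode pairing can be checked, plus a small hardening check a practitioner would want: a port that faces an end host should be in a mode that can never negotiate a trunk. The behaviour of the rows the slide leaves blank (access never trunks, nonegotiate sends no DTP frames and only trunks with a statically trunking neighbour) is standard Cisco behaviour assumed here.

```python
"""DTP negotiation outcome (added example, not the course's material)."""
from __future__ import annotations

MODES = ("access", "trunk", "dynamic desirable", "dynamic auto", "nonegotiate")
# Modes that actively ask the far end to trunk, and modes that agree when asked.
ASKS = {"trunk", "dynamic desirable"}
ACCEPTS = {"trunk", "dynamic desirable", "dynamic auto"}


def sends_dtp(mode: str) -> bool:
    """Only 'nonegotiate' is silent; every other mode sends DTP frames every 30 sec."""
    return mode != "nonegotiate"


def trunk_forms(local: str, remote: str) -> bool:
    """Does a working trunk come up between two switch ports in these modes?"""
    for m in (local, remote):
        if m not in MODES:
            raise ValueError(f"unknown switchport mode: {m}")
    if "access" in (local, remote):
        return False                      # an access port never converts to a trunk
    if "nonegotiate" in (local, remote):
        # The silent side trunks unconditionally, so the far end must be a static
        # trunk too; a dynamic port hears no DTP frames and stays an access port.
        other = remote if local == "nonegotiate" else local
        return other in ("trunk", "nonegotiate")
    return (local in ASKS and remote in ACCEPTS) or (remote in ASKS and local in ACCEPTS)


def negotiation_matrix() -> dict[tuple[str, str], bool]:
    """Every (local, remote) pairing and whether it trunks."""
    return {(a, b): trunk_forms(a, b) for a in MODES for b in MODES}


def host_facing_ok(mode: str) -> bool:
    """Hardening check: a port toward an end host must not trunk with any peer mode."""
    return all(not trunk_forms(mode, peer) for peer in MODES)


if __name__ == "__main__":
    for (a, b), ok in sorted(negotiation_matrix().items()):
        print(f"{a:18} <-> {b:18}: {'trunk' if ok else 'no trunk'}")
```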
Configuring the Switch IP Address
(config)# interface vlan 1
(config-if)# ip address <ip address> <mask>
(config-if)# no shutdown
• Configures an IP address and subnet mask for the switch VLAN 1 interface to allow ping and telnet to the switch.
switch# show interfaces vlan 1
Vlan1 is up, line protocol is up
  Hardware is CPU Interface, address is 0008.a445.9b40 (bia 0008.a445.9b40)
  Internet address is 10.2.2.11/24
Configuring the Switch Default Gateway
switch(config)# ip default-gateway <ip address>
• Configures the switch default gateway for
the 2950 series switches
Setting Duplex Options
switch(config)# interface fa0/1
switch(config-if)# duplex {auto | full | half}
Switch# show interfaces fa0/1
Managing the MAC Address Table
switch# show mac-address-table
          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
 All    0008.a445.9b40    STATIC      CPU
 All    0100.0ccc.cccc    STATIC      CPU
 All    0100.0ccc.cccd    STATIC      CPU
 All    0100.0cdd.dddd    STATIC      CPU
   1    0008.e3e8.0440    DYNAMIC     Fa0/2
Total Mac Addresses for this criterion: 5
Setting a Static MAC Address
switch(config)# mac-address-table static <mac-address> vlan <vlan-id> interface <interface-id>
Configuring Port Security
switch(config-if)# switchport port-security [mac-address <mac-address>] | [maximum <value>] | [violation {protect | restrict | shutdown}]
switch(config)# interface fa0/1
switch(config-if)# switchport mode access
switch(config-if)# switchport port-security
switch(config-if)# switchport port-security maximum 1
switch(config-if)# switchport port-security mac-address 0008.eeee.eeee
switch(config-if)# switchport port-security violation shutdown
Verifying Port Security on the Catalyst 2950 Series
switch# show port-security interface <interface-id>
switch# show port-security interface fastethernet 0/5
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Shutdown
Aging Time                 : 20 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 1
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 0
Last Source Address        : 0000.0000.0000
Security Violation Count   : 0
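What the configuration above (maximum 1, one configured MAC, violation shutdown) does to each arriving frame, and how the three violation modes differ, as an added Python model (not Cisco's or the course's code); the MAC addresses other than the slide's 0008.eeee.eeee are constructed, and the show() fields mirror the show port-security output.

```python
"""Port-security decision model (added example, not Cisco's or the course's code)."""
from __future__ import annotations
from dataclasses import dataclass, field

VIOLATION_MODES = ("protect", "restrict", "shutdown")


@dataclass
class SecurePort:
    maximum: int = 1
    violation: str = "shutdown"
    configured: set[str] = field(default_factory=set)   # static secure MACs
    learned: set[str] = field(default_factory=set)      # dynamically secured MACs
    violation_count: int = 0
    status: str = "Secure-up"
    last_source: str = "0000.0000.0000"

    def __post_init__(self) -> None:
        if self.violation not in VIOLATION_MODES:
            raise ValueError(f"bad violation mode {self.violation}")
        if len(self.configured) > self.maximum:
            raise ValueError("more configured MACs than the maximum allows")

    def total(self) -> int:
        return len(self.configured) + len(self.learned)

    def ingress(self, src_mac: str) -> str:
        """Return 'forward', 'drop' or 'errdisable' for a frame with this source MAC."""
        if self.status != "Secure-up":
            return "errdisable"                 # port already shut down
        self.last_source = src_mac
        if src_mac in self.configured or src_mac in self.learned:
            return "forward"
        if self.total() < self.maximum:
            self.learned.add(src_mac)           # room left: secure it dynamically
            return "forward"
        # Unknown source beyond the maximum: a violation.
        if self.violation == "protect":
            return "drop"                       # silent drop, nothing counted
        self.violation_count += 1
        if self.violation == "restrict":
            return "drop"                       # drop and count (and log/trap)
        self.status = "Secure-shutdown"         # err-disable the port
        return "errdisable"

    def show(self) -> dict[str, str]:
        """Mirror of the fields in 'show port-security interface'."""
        return {
            "Port Status": self.status,
            "Violation Mode": self.violation.capitalize(),
            "Maximum MAC Addresses": str(self.maximum),
            "Total MAC Addresses": str(self.total()),
            "Configured MAC Addresses": str(len(self.configured)),
            "Last Source Address": self.last_source,
            "Security Violation Count": str(self.violation_count),
        }
```

Note the side effect of shutdown mode in the model: once the port is err-disabled, the legitimate host behind it is cut off as well until the port is re-enabled.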
Introducing Wide Area Networks
WAN Overview
- WANs connect remote sites over a large geographical area by using the infrastructure of a service provider.
- WANs are Layer 2 technologies concerned with hop-to-hop delivery.
- Connection requirements vary depending on user requirements, cost, and availability.
Interfacing Between WAN Service Providers
• Provider assigns connection parameters to subscriber
WAN terminologies
- DTE: data terminal equipment; it is the source of data.
- DCE: data communication (circuit) equipment; a device that terminates a connection and provides clocking & synchronization for the connection.
- Demarcation point: where the responsibility of the service provider is passed to you (logical boundary).
- CPE: customer premises equipment; your own network equipment, which includes the DTE & DCE.
- Local loop: the connection from the carrier's switch to the demarcation point.
- CO switch: central office switch (WAN switch).
- Toll network: the carrier's infrastructure.
WAN connection types
WAN connections:
- Dedicated (leased line)
- Circuit switching (analog modem, ISDN)
- Packet switching (X.25, Frame Relay, ATM)
- Broadband (Satellite, Wireless, cable modem, DSL)
Serial Point-to-Point Connections
Configuring Serial Point-To-Point Encapsulation
HDLC Frame Format
• standard HDLC supports only single-protocol environments.
• Cisco HDLC adds a proprietary data field to support multiprotocol environments (so it is Cisco proprietary).
• default encapsulation method on Cisco routers.
Configuring HDLC Encapsulation
Router(config-if)# encapsulation hdlc
• enables HDLC encapsulation
• uses the default encapsulation on synchronous
serial interfaces
Point to point protocol (PPP)
• Overview:
- data link layer protocol used on point-to-point WAN connections.
- used in dedicated and circuit-switching technologies.
- works with synchronous & asynchronous serial connections.
- supports multiple network layer protocols.
- open standard by the IETF (RFC 1332, 1661 & 2153).
- PPP frame format:
| Flag | Address | Control | Protocol | Payload | FCS |
PPP components
1- Link control protocol (LCP):
- responsible for negotiating & maintaining a PPP connection, including its options (establish, configure, negotiate options, test and terminate the PPP connection).
- LCP options are: authentication, compression, multilink, callback, error detection.
2- Network control protocol (NCP):
- negotiates the upper layer protocols that will be used during the PPP connection.
PPP operation
[Figure: PPP session setup. LCP phase: "Open connection" / "OK" / "Negotiate options". NCP phase: "What is my IP?" / "Your IP is ...", "What is my IPX?" / "No IPX".]
PPP options
1- Authentication:
a- PPP authentication protocol (PAP):
- 2-way handshaking
- 1-way authentication
[Figure: client and server exchange]
1- Authentication (cont.)
- PAP configuration:
Client configuration:
(config-if)# encapsulation ppp
(config-if)# ppp authentication pap
(config-if)# ppp pap sent-username <client username> password <password>
Server configuration:
(config)# username <client username> password <password>
(config-if)# encapsulation ppp
(config-if)# ppp authentication pap
1- Authentication (cont.)
b- Challenge handshake authentication protocol (CHAP):
- 3 way handshaking.
- 2 way authentication.
1- Authentication (cont.)
- CHAP configuration:
(config)# hostname <local name>
(config)# username <remote name> password <password>
(config-if)# ppp authentication chap
Router(config-if)# ppp authentication {chap | chap pap | pap chap | pap}
• Enables PAP or CHAP authentication
1- Authentication (cont.)
- CHAP Configuration Example:
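The difference between the PAP 2-way handshake and the CHAP 3-way handshake described above, as an added Python model (not code from the course or from Cisco): PAP sends the username and password in the clear, CHAP answers a random challenge with MD5(id || secret || challenge) as in RFC 1994, so the secret never crosses the link and a captured response cannot be replayed. The username "branch" and its secret are constructed; the model shows one direction of authentication (the same code on both ends gives CHAP's 2-way authentication).

```python
"""PAP and CHAP exchanges side by side (added example, constructed data)."""
from __future__ import annotations
import hashlib
import os

# Server-side 'username ... password ...' database (constructed).
USERS = {"branch": b"s3cret"}


def pap_authenticate(username: str, password: bytes, wire: list) -> bool:
    """PAP: 2-way handshake, the credentials cross the link in the clear."""
    wire.append(("client->server", "Authenticate-Request", username, password))
    ok = USERS.get(username) == password
    wire.append(("server->client", "Authenticate-Ack" if ok else "Authenticate-Nak"))
    return ok


def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """CHAP with MD5 (RFC 1994): Response = MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


class ChapAuthenticator:
    """Server side of the 3-way handshake: Challenge -> Response -> Success/Failure."""

    def __init__(self) -> None:
        self.ident = 0
        self.outstanding: dict[int, bytes] = {}    # ident -> challenge not yet answered

    def challenge(self, wire: list) -> tuple[int, bytes]:
        self.ident = (self.ident + 1) & 0xFF
        chal = os.urandom(16)                      # fresh random value every time
        self.outstanding[self.ident] = chal
        wire.append(("server->client", "Challenge", self.ident, chal))
        return self.ident, chal

    def verify(self, ident: int, username: str, response: bytes, wire: list) -> bool:
        wire.append(("client->server", "Response", ident, username, response))
        chal = self.outstanding.pop(ident, None)   # a challenge can be answered once
        secret = USERS.get(username)
        ok = (chal is not None and secret is not None
              and response == chap_response(ident, secret, chal))
        wire.append(("server->client", "Success" if ok else "Failure", ident))
        return ok


def chap_authenticate(server: ChapAuthenticator, username: str, secret: bytes,
                      wire: list) -> bool:
    """Client side: answer the challenge with the hash, never with the secret itself."""
    ident, chal = server.challenge(wire)
    return server.verify(ident, username, chap_response(ident, secret, chal), wire)


def secret_on_wire(wire: list, secret: bytes) -> bool:
    """Would a sniffer on the serial link have seen the secret verbatim?"""
    return any(item == secret for message in wire for item in message)
```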
1- Authentication (cont.)
- Verifying the HDLC and PPP encapsulation configuration :
Router#show interface s0
Serial0 is up, line protocol is up
Hardware is HD64570
Internet address is 10.140.1.2/24
MTU 1500 bytes, BW 1544 Kbit, DLY 20000 usec, rely 255/255, load 1/255
Encapsulation PPP, loopback not set, keepalive set (10 sec)
LCP Open
Open: IPCP, CDPCP
Last input 00:00:05, output 00:00:05, output hang never
Last clearing of "show interface" counters never
Queueing strategy: fifo
Output queue 0/40, 0 drops; input queue 0/75, 0 drops
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
38021 packets input, 5656110 bytes, 0 no buffer
Received 23488 broadcasts, 0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
38097 packets output, 2135697 bytes, 0 underruns
0 output errors, 0 collisions, 6045 interface resets
0 output buffer failures, 0 output buffers swapped out
482 carrier transitions
DCD=up DSR=up DTR=up RTS=up CTS=up
1- Authentication (cont.)
- Verifying PPP Authentication :
• debug ppp authentication shows successful CHAP output.
PPP options (cont.)
2- Multilink:
- bandwidth aggregation by combining multiple physical interfaces into one (logical) link.
- splits L3 packets & sends the fragments over the parallel links.
- Configuration:
(config-if)# ppp multilink
PPP options (cont.)
3- Callback:
- enables a router to place a call and request a callback.
- once the request is made, the call is disconnected and the other router (server) dials the router (client) back.
4- Compression:
- to improve the throughput on slower links.
- PPP compression supports:
1- Stacker
2- Predictor
3- MPPC (Microsoft Point-to-Point Compression)
4- TCP header compression
PPP options (cont.)
5- Error detection:
- using LQM (Link Quality Monitoring).
- computes the ratio between corrupted frames and the total number of frames sent.
- if this ratio is more than a certain reference number, the link will be dropped.
6- Looped link detection:
- using a magic number.
- every router has a magic number.
- if the router receives a frame carrying its own magic number, then the link is looped & will go down.
Troubleshooting
# show interface s0/0
shows the status of the interface, encapsulation, LCP state and NCP state.
# debug ppp negotiation
# debug ppp authentication
ISDN
Integrated services digital network (ISDN)
ISDN
• Overview:
- ISDN is a digital dial-up circuit-switching WAN technology.
- digital end to end, so higher speeds & faster setup than analog.
- used as a backup for the primary WAN connection (leased line, F.R).
- ISDN uses 2 types of channels:
1- Bearer channel (B-channel)
2- Delta channel (D-channel)
- ISDN service types:
1- BRI (basic rate interface)
2- PRI (primary rate interface)
ISDN layer model
      B-channel              D-channel
L3    IP, IPX, AppleTalk     Q.931
L2    PPP, HDLC              Q.921
L1    I-series (Ex: I-430, I-431)
ISDN layer model (cont.)
1- Physical layer (L1):
- the I-series defines the interfaces of ISDN and its reference points.
- to implement an ISDN connection, the router must be configured with the ISDN switch type to enable physical layer communication.
(config)# isdn switch-type <type>
2- Data link layer (L2):
- for the B-channel, defines the data encapsulation protocol (PPP, HDLC).
- for the D-channel, defines the LAP-D (Q.921) encapsulation that carries the signaling information between the TE & CO switch.
3- Network layer (L3):
- for the B-channel, any routed protocol (IP, IPX, AppleTalk).
- for the D-channel, the control information protocol (Q.931).
ISDN types
1- ISDN BRI:
- BRI = 2 B + 1 D channels.
- B = 64 kbps, D = 16 kbps.
- Basic BW = 2 * 64 + 16 = 144 kbps.
- Effective BW = 2 * 64 = 128 kbps.
- Overall BW = 144 + 48 = 192 kbps; the 48 kbps is for framing & synchronization.
2- ISDN PRI:
- PRI T1: (North America & Japan) = 23 B + 1 D
B = 64 kbps, D = 64 kbps.
Basic BW = 23 * 64 + 64 = 1.54 Mbps
- PRI E1: (Europe & Egypt) = 30 B + 1 D
Basic BW = 30 * 64 + 64 = 2.04 Mbps
ISDN Reference Points
[Figure: TE1 and TE2 attached through the R, S, T and U reference points]
- TE1: terminal equipment with a native ISDN interface
- TE2: terminal equipment with a non-native ISDN interface
- TA: terminal adapter that converts a non-native ISDN interface to a native ISDN interface (used by TE2)
- NT2: network terminal used for grouping multiple ISDN connections
- NT1: network terminal used as the ISDN modem
Cisco ISDN BRI Interfaces
Configuring ISDN BRI
Step 1: Specify the ISDN switch type.
Router(config)# isdn switch-type switch-type
OR
Router(config-if)# isdn switch-type switch-type
• The command specifies the type of ISDN switch that the
router communicates with.
• Other configuration requirements vary by provider.
Configuring ISDN BRI (Cont.)
Step 2: (Optional) Setting SPIDs
Router(config-if)# isdn spid1 spid-number [ldn]
• Sets a B-channel SPID, required by many service
providers
Router(config-if)# isdn spid2 spid-number [ldn]
• Sets a SPID for the second B channel
Verifying the ISDN Configuration
Router# show isdn active
• Displays current call information
Router# show interfaces bri0
• Displays statistics for the BRI interface that is
configured on the router
Router# show isdn status
• Displays the status of an ISDN connection
Monitoring ISDN BRI
Troubleshooting the ISDN Configuration
Router# debug isdn q921
• Shows ISDN Layer 2 messages
Router# debug isdn q931
• Shows ISDN call setup and teardown activity (Layer 3)
Router# debug ppp authentication
• Displays the PPP authentication protocol messages
Router# debug ppp negotiation
• Displays information on PPP link establishment
Dial on demand routing (DDR)
- Legacy DDR:
binds the call configuration to the physical interface, so all dial-out calls use the parameters configured for automatic dialing.
• Connects automatically when needed
• Disconnects when finished
Configuring DDR
1- Define static routes: What route do I use?
2- Specify interesting traffic: What traffic enables the link?
3- Configure the dialer information: What number do I call?
Configuring DDR (cont.)
1- Routing protocol (static route):
(config)# ip route <network> <mask> <next hop address>
2- Define the interesting traffic:
(config)# dialer-list <list no.> protocol <protocol> {permit | deny | list <acl no.>}
3- Assign the dialer list to the interface:
(config-if)# dialer-group <list no.>
4- Define the dialer map:
(config-if)# dialer map <protocol> <next hop address> [name <remote name>] [speed <rate>] <dial number>
Configuring DDR (cont.)
DDR Example:
[Figure: remote network 12.0.0.0/8 reached through next hop 10.1.0.2 over bri0]
(config)# ip route 12.0.0.0 255.0.0.0 10.1.0.2
(config)# dialer-list 1 protocol ip permit
(config)# interface bri0
(config-if)# dialer-group 1
(config-if)# dialer map ip 10.1.0.2 name Central 5552000
Dialer Profiles
- enhanced DDR.
- separates the logical configuration from the physical interface.
- we can configure more than one dialer configuration for a single physical interface.
Frame Relay
Frame Relay topology
• connections are made by virtual circuits
• connection-oriented service
Frame Relay overview
- FR is a data link layer, packet-switching technology.
- performs only error detection and leaves the correction to upper layer protocols.
- defines only the interaction between the CPE and the FR switch.
- FR is a multiple-access technology based on the virtual circuit concept.
- FR is a connection-oriented protocol through the FR feature called LMI.
- the encapsulation protocol is LAPF; LAPF types are:
1- Cisco
2- IETF
- note: the same encapsulation type must be used in the source and destination routers.
Frame Relay Topologies
• Frame Relay default: nonbroadcast multiaccess (NBMA)
Frame Relay addressing
- DLCI number:
- DLCI (data link connection identifier) is the VC ID of the FR (the L2 path address).
- the DLCI number is locally significant.
- using different DLCIs at the two ends of the same path doesn't affect the connection.
[Figure: VC paths labelled DLCI 200, DLCI 100, DLCI 300 and DLCI 400 at their different ends]
Frame Relay management
• LMI (Local Management Interface):
- signaling protocol between the router and the FR switch.
- used for management purposes; it allows directly connected devices to share information about the status of VCs as well as their configuration.
- it is also how a router gets its local DLCIs from the FR switch.
- LMI types:
1- Cisco
2- ANSI (Annex-D)
3- Q.933a (Annex-A) (ITU-T)
- Note:
using a different LMI type at the two ends of the same path doesn't affect the connection.
Frame Relay management (cont.)
- LMI status:
1- Active: the connection using this DLCI is all right.
2- Inactive: there is a problem in the remote site.
3- Deleted: there is a problem in your local site.
Frame Relay Address Mapping
- To map between a destination IP and its DLCI:
1- manual resolution:
mapping between the DLCI number and the next hop IP address using configuration.
(config-if)# frame-relay map <protocol> <next hop address> <dlci no.> [broadcast] [ietf]
2- Dynamic resolution (Inverse ARP):
allows the router to automatically discover the address of the next hop on each VC that is in the active state.
LMI Signaling and Inverse ARP
– Use LMI to get the locally significant DLCI from the Frame Relay switch.
– Use Inverse ARP to map the local DLCI to the remote router's network layer address.
Reachability Issues with Routing Updates
• Problem:
– Broadcast traffic must be replicated for each active connection.
– The split-horizon rule prevents routing updates received on an interface from being forwarded out the same interface.
Resolving Reachability Issues
Use sub-interfaces:
• split horizon can cause problems in NBMA environments.
• solution: sub-interfaces can resolve split-horizon issues.
• a single physical interface simulates multiple logical interfaces.
• each pair of corresponding peers is in a separate subnet.
• don't assign an IP address to the main interface.
Frame Relay configuration
(config)# int s0/0
(config-if)# encapsulation frame-relay [cisco | ietf]
(config-if)# frame-relay lmi-type {cisco | q933a | ansi}
(config-if)# frame-relay map <protocol> <next hop address> <dlci no.> [broadcast] [ietf]
Sub-interface configuration:
(config)# int s0/0.1 {point-to-point | multipoint}
(config-subif)# frame-relay interface-dlci <dlci no.>
Configuring a Static Frame Relay Map
Configuring Subinterfaces
– Point-to-point:
• Subinterfaces act like leased lines.
• Each point-to-point subinterface requires its own subnet.
• Point-to-point is applicable to hub-and-spoke topologies.
– Multipoint:
• Subinterfaces act like NBMA networks, so they do not resolve the split-horizon issues.
• Multipoint can save address space because it uses a single subnet.
• Multipoint is applicable to partial mesh and full mesh topologies.
Configuring Point-to-Point Subinterfaces
Multipoint Subinterfaces Configuration Example
Verifying Frame Relay Operation
Router#show frame-relay traffic
• Displays Frame Relay traffic statistics
Router#show interfaces name
• Displays information about Frame Relay DLCIs and the LMI
Router#show frame-relay lmi [int.name]
• Displays LMI statistics
Router#show frame-relay map
• Displays the current Frame Relay map entries
Router#show frame-relay pvc [int.name [dlci]]
• Displays PVC statistics
show interfaces Example
Router#show interfaces s0
Serial0 is up, line protocol is up
Hardware is HD64570
Internet address is 10.140.1.2/24
MTU 1500 bytes, BW 1544 Kbit, DLY 20000 usec, rely 255/255, load 1/255
Encapsulation FRAME-RELAY, loopback not set, keepalive set (10 sec)
LMI enq sent 19, LMI stat recvd 20, LMI upd recvd 0, DTE LMI up
LMI enq recvd 0, LMI stat sent 0, LMI upd sent 0
LMI DLCI 1023 LMI type is CISCO frame relay DTE
FR SVC disabled, LAPF state down
Broadcast queue 0/64, broadcasts sent/dropped 8/0, interface broadcasts 5
Last input 00:00:02, output 00:00:02, output hang never
Last clearing of "show interface" counters never
Queueing strategy: fifo
Output queue 0/40, 0 drops; input queue 0/75, 0 drops
<Output omitted>
– Displays line, protocol, DLCI, and LMI information
show frame-relay lmi Example
Router#show frame-relay lmi
LMI Statistics for interface Serial0 (Frame Relay DTE) LMI TYPE = CISCO
Invalid Unnumbered info 0 Invalid Prot Disc 0
Invalid dummy Call Ref 0 Invalid Msg Type 0
Invalid Status Message 0 Invalid Lock Shift 0
Invalid Information ID 0 Invalid Report IE Len 0
Invalid Report Request 0 Invalid Keep IE Len 0
Num Status Enq. Sent 113100 Num Status msgs Rcvd 113100
Num Update Status Rcvd 0 Num Status Timeouts 0
– Displays LMI information
show frame-relay pvc Example
Router#show frame-relay pvc 100
PVC Statistics for interface Serial0 (Frame Relay DTE)
DLCI = 100, DLCI USAGE = LOCAL, PVC STATUS = ACTIVE, INTERFACE = Serial0
  input pkts 28             output pkts 10            in bytes 8398
  out bytes 1198            dropped pkts 0            in FECN pkts 0
  in BECN pkts 0            out FECN pkts 0           out BECN pkts 0
  in DE pkts 0              out DE pkts 0
  out bcast pkts 10         out bcast bytes 1198
  pvc create time 00:03:46, last time pvc status changed 00:03:47
– Displays PVC traffic statistics
show frame-relay map Example
Router# show frame-relay map
Serial0 (up): ip 10.140.1.1 dlci 100(0x64,0x1840), dynamic,
broadcast,, status defined, active
– Displays the route maps, either static or dynamic
Troubleshooting Basic Frame Relay
Operations
Router#debug frame-relay lmi
Frame Relay LMI debugging is on
Displaying all Frame Relay LMI data
Router#
1w2d: Serial0(out): StEnq, myseq 140, yourseen 139, DTE up
1w2d: datagramstart = 0xE008EC, datagramsize = 13
1w2d: FR encap = 0xFCF10309
1w2d: 00 75 01 01 01 03 02 8C 8B
1w2d:
1w2d: Serial0(in): Status, myseq 140
1w2d: RT IE 1, length 1, type 1
1w2d: KA IE 3, length 2, yourseq 140, myseq 140
1w2d: Serial0(out): StEnq, myseq 141, yourseen 140, DTE up
1w2d: datagramstart = 0xE008EC, datagramsize = 13
1w2d: FR encap = 0xFCF10309
1w2d: 00 75 01 01 01 03 02 8D 8C
1w2d:
1w2d: Serial0(in): Status, myseq 142
1w2d: RT IE 1, length 1, type 0
1w2d: KA IE 3, length 2, yourseq 142, myseq 142
1w2d: PVC IE 0x7 , length 0x6 , dlci 100, status 0x2 , bw 0
• Displays LMI debug information
Frame Relay Traffic Shaping
• CIR: committed information rate
• EIR: excessive information rate
• Rate < CIR, DE = 0
• CIR < Rate < EIR, DE = 1
• Rate > EIR, the frame will be dropped
[Figure: LAPF frame header showing the DE, FECN and BECN bits]
• DE: discard eligibility
• FECN: forward explicit congestion notification
• BECN: backward explicit congestion notification