cisco ccna certification noteshome.wtnet.de/~sbuelow/ccna.pdf · cisco ccna certification notes by...

Cisco CCNA certification notes by Sascha Bülow 2003

Seite 2 von 121

0. Table of Contents

0. Table of Contents _______________________________________2

1. IOS Basics ____________________________________________10

CLI – Command Line Interface__________________________________10 Exec Modes ___________________________________________________ 10

Syslog & Debug _____________________________________________11 Overview______________________________________________________ 11

Configuration processes & configuration files_______________________12

Cisco Discovery Protocol (CDP)_________________________________12

IOS Images_________________________________________________12 Boot system command ___________________________________________ 13 Password recovery ______________________________________________ 14 Memory types & function _________________________________________ 14

2. OSI reference modell ___________________________________15

Osi Layers, roles and examples _________________________________15

Encapsulation _______________________________________________15

PDU – Protocol Data Unit ______________________________________15

TCP/IP, Novell Netware and OSI in comparison ____________________15

Connection-oriented vs. connectionless ___________________________16

Error detection ≠ error recovery _________________________________16

Flow controll ________________________________________________16 Buffering ______________________________________________________ 16 Congestion avoidance ___________________________________________ 16 Windowing ____________________________________________________ 16

OSI Data Link layer functions ___________________________________17

OSI Network layer function _____________________________________17

routing notes________________________________________________17 routed protocol _________________________________________________ 17 routing protocol _________________________________________________ 17 routing table ___________________________________________________ 17

3. Bridges, switches and LAN design ________________________18

LAN types __________________________________________________18 Ethernet ______________________________________________________ 18 Token Ring ____________________________________________________ 18 FDDI _________________________________________________________ 18

LAN Adressing ______________________________________________18


Seite 3 von 121

MAC address __________________________________________________ 18 Most significant bit __________________________________________________ 18 Unicast address ____________________________________________________ 18 Broadcast Address __________________________________________________ 18 Multicast Address ___________________________________________________ 18 Functional MAC Address _____________________________________________ 18 Broadcast bit_______________________________________________________ 18 local/universal bit ___________________________________________________ 19

LAN framing ________________________________________________19

LAN standards ______________________________________________19

Bridging, Switching and Spanning Tree Protocol ____________________20 Transparent Bridging ____________________________________________ 20 Lan Switching __________________________________________________ 20

Broadcast and collision domain _________________________________20

Switching Methods ___________________________________________21 Store and forward switching _______________________________________ 21 Cut Through switching ___________________________________________ 21 Fragment free switching __________________________________________ 21

Comparison of bridging, switching an routing _______________________21

Spanning Tree Protocol (STP) __________________________________22 Explanation: ___________________________________________________ 23 Summary______________________________________________________ 23 How STP works ________________________________________________ 24

Goal _____________________________________________________________ 24 Way _____________________________________________________________ 24

Root bridge election _____________________________________________ 25 Network topology changes ________________________________________ 25

Timers in CBPDUs __________________________________________________ 25 Change type one – no CBPDUs received on any port for MaxAge _____________ 26 Change type two – CBPDUs received on some ports (no CBPDUs on root port) __ 26

STP graphics __________________________________________________ 27 Root bridge election _________________________________________________ 27

VLAN – Virtual Local Area Network ______________________________28 Definition______________________________________________________ 28 Advantages____________________________________________________ 28 VLAN tagging (ISL Inter Switch Link) ________________________________ 28 VLAN summary_________________________________________________ 28

VTP – VLAN Trunking Protocol _________________________________29 Definition______________________________________________________ 29 Graphics ______________________________________________________ 29 VTP notes _____________________________________________________ 29 VTP operation modes ____________________________________________ 30 VTP pruning ___________________________________________________ 30

LAN switch configuration ______________________________________30 Configuration by default (1900 series) _______________________________ 30


Seite 4 von 121

Port numbering _________________________________________________ 30 Basic IP configuration ____________________________________________ 30 MAC address table entry types_____________________________________ 31 Port security ___________________________________________________ 31

Port security commands ______________________________________________ 31 Basic VLAN configuration _________________________________________ 31

Information ________________________________________________________ 31

4. TCP/IP Protocols _______________________________________32

TCP – Transmission Control Protocol_____________________________32 Features ______________________________________________________ 32

- Ordered Data Transfer ___________________________________________ 32 - Multiplexing____________________________________________________ 32 - Error Recovery (reliability) ________________________________________ 32 - Flow control (windowing) _________________________________________ 32 - Connection establishment and termination____________________________ 33

TCP Summary _________________________________________________ 33

UDP – User Datagramm Protocol________________________________33 Features ______________________________________________________ 33

- Data Transfer __________________________________________________ 33 - Multiplexing____________________________________________________ 33

ARP – Adress resolution protocol & Inverse ARP ___________________34 Features __________________________________________________________ 34

ICMP – Internet control message protocol _________________________34

ICMP – Internet control message protocol _________________________35 Features ______________________________________________________ 35 ICMP messages overview ________________________________________ 35 ICMP messages in detail _________________________________________ 36

Destination unreachable messages _____________________________________ 36 Time exceeded messages ____________________________________________ 36 ICMP echo request and reply __________________________________________ 36

ICMP summary _________________________________________________ 37

FTP and TFTP in comparison___________________________________37

IP addressing _______________________________________________37

Network classes _____________________________________________37

Network numbers ____________________________________________37

Network masks ______________________________________________38

Subnetting__________________________________________________38

Address format concepts summary ______________________________38

IP Grouping Concepts and Subnetting ____________________________39 Needs for subnetting_____________________________________________ 39 Graphical comparison of subnetted and not subnetted networks___________ 40 Subnetting overview _____________________________________________ 41

Subnet math algorithms _______________________________________42


Seite 5 von 121

Given an IP Address and Mask, What Is the Network/Subnet Number? _____ 42 Decimal Algorithm for Deriving the Network Number, No Subnetting in Use ______ 42 Binary Algorithm for Deriving the Network Number, No Subnetting in Use _______ 42 Boolean AND Operation ______________________________________________ 42 Decimal Algorithm for Deriving the Subnet Number, Basic Subnetting __________ 43 Binary Algorithm for Deriving the Subnet Number, Basic Subnetting____________ 43 Binary Algorithm for Deriving the Subnet Number, Difficult Subnetting __________ 43 Typical difficult mask values ___________________________________________ 44 Decimal Algorithm for Deriving the Subnet Number, Difficult Subnetting_________ 44

Definition of network/subnet number and broadcast address___________45 Given an IP Address and Mask, What Is the Network/Subnet Broadcast Address?______________________________________________________ 45

Decimal Algorithm for Deriving the Broadcast Address, No Subnetting or Basic Subnetting ________________________________________________________ 45 Binary Algorithm for Deriving the Broadcast Address _______________________ 45 Decimal Algorithm for Deriving the Broadcast Address, Difficult Subnetting ______ 46

Given an IP Address and Mask, What Are the Assignable IP Addresses in That Network/Subnet? _______________________________________________ 46 Given a Network Number and a Static Subnet Mask, What Are the Valid Subnet Numbers? _____________________________________________________ 47

Decimal Algorithm for Deriving the Valid Subnets with Basic Subnetting ________ 47 Binary Algorithm for Deriving the Valid Subnets with Basic and Difficult Subnetting 47 Decimal Algorithm for Deriving the Valid Subnets with Basic and Difficult Subnetting_________________________________________________________________ 48

Given a Network Number and a Static Subnet Mask, How Many Hosts per Subnet, and How Many Subnets? __________________________________ 48 Zero Subnet and Broadcast subnet _________________________________ 49

CIDR, Private Addressing, and NAT______________________________49 Reasons for the usage of registered network numbers __________________ 49 CIDR – Classless Inter Domain Routing______________________________ 49

Graphically ________________________________________________________ 50 Private addressing ______________________________________________ 51

Adress ranges _____________________________________________________ 51 NAT – Network Address Translation_________________________________ 52

NAT functionality graphics ____________________________________________ 52

Using secondary addresses ____________________________________52

MTU ______________________________________________________53

Fragmentation_______________________________________________53

IP naming commands and telnet ________________________________53 Telnet suspend and resume commands______________________________ 53

Default routes and the “ip classless” command _____________________53

IPX addressing and routing ____________________________________54

Some facts about IPX _________________________________________54 Feature table___________________________________________________ 54

IPX routing algorithm _________________________________________55


Seite 6 von 121

Internal networks and encapsulation types_________________________56 Ethernet Encapsulation___________________________________________ 56

Encapsulation names ________________________________________________ 56 Encapsulation structure ______________________________________________ 57

Token Ring & FDDI______________________________________________ 58 Encapsulation names ________________________________________________ 58 Encapsulation structure ______________________________________________ 59

General Encapsulation notes ______________________________________ 59

IPX configuration hints ________________________________________59

5. Routing_______________________________________________60

Generell goals of routing_______________________________________60

Protocol types_______________________________________________60

Assignment of routing algorithms and protocols _____________________61

Distance Vector Routing behaviour ______________________________61 Problems that can occur in multiple path networks _____________________ 62 Split horizon ___________________________________________________ 63 Split horizon with poison reverse ___________________________________ 63 Route poisoning ________________________________________________ 63 Holddown timer_________________________________________________ 63 Triggered Updates ______________________________________________ 63

RIP and IGRP behaviour ______________________________________63 Comparison of RIP and IGRP Features ______________________________ 63 Metric issues___________________________________________________ 64

RIP ______________________________________________________________ 64 IGRP_____________________________________________________________ 64

Distance Vector Routing Protocol Summary___________________________ 64

Configuration of RIP and IGRP__________________________________64 The “network” command__________________________________________ 64 The “passive-interface” Command __________________________________ 64

RIP-1 and IGRP—No Subnet Masks _____________________________65

RIP Version 2 _______________________________________________65 Features ______________________________________________________ 65 RIP Version migration____________________________________________ 66

Auto Summary and Route Aggregation ___________________________66

Multiple routes to the same subnet_______________________________67

Administrative distance________________________________________67

IPX RIP____________________________________________________68 IP RIP and IPX RIP in comparison __________________________________ 68 IPX RIP Metric _________________________________________________ 68

Service Advertisement Protocol – SAP____________________________68 Brief SAP Description ____________________________________________ 68 SAP Process___________________________________________________ 68


Seite 7 von 121

IPX logon procedure __________________________________________69 Graphically ____________________________________________________ 70

IPX configuration ____________________________________________71

Tunneling __________________________________________________71 Description ____________________________________________________ 71 Important terms_________________________________________________ 71 Reasons for tunneling____________________________________________ 72 Tunneling for VPNs______________________________________________ 73 Tunneling configuration___________________________________________ 74

Integrated Multiprotocol Routing_________________________________75 Integrated multiprotocol routing process______________________________ 75

Separate Multiprotocol Routing ↔ Integrated Multiprotocol Routing _____75

Routing Command Summary ___________________________________76

6. Access list security_____________________________________77

Filtering IP Traffic ____________________________________________77 Where Filtering can be done_______________________________________ 77 Graphically ____________________________________________________ 77 IP access list commands _________________________________________ 78 Access list logic_________________________________________________ 78 Standard IP access lists __________________________________________ 79

Functionality _______________________________________________________ 79 Examples _________________________________________________________ 79

Extended IP access lists__________________________________________ 79 Functionality _______________________________________________________ 79 Matching options graphically __________________________________________ 80 Matching options overview ____________________________________________ 80 Examples _________________________________________________________ 80

Named IP access lists____________________________________________ 81 Differences between numbered and named ACL’s _________________________ 81 Comparison of named and numbered ACL’s ______________________________ 81 Notes about deleting parts of named access lists __________________________ 82

IP access list summary ___________________________________________ 83

Filtering IPX Traffic and SAPs __________________________________84 ACL numbers __________________________________________________ 84 IPX ACL commands _____________________________________________ 84 Standard IPX ACL’S _____________________________________________ 84 Extended IPX ACL’s _____________________________________________ 85

Can filter by: _______________________________________________________ 85 Graphically:________________________________________________________ 85

SAP Filters ____________________________________________________ 86 How SAP packets flow _______________________________________________ 86 Filtering without forwarding____________________________________________ 86 Function __________________________________________________________ 86 Graphically ________________________________________________________ 87 Reasons for filtering SAP Packets ______________________________________ 87 SAP filtering matching fields___________________________________________ 88

Named IPX ACL’s_______________________________________________ 88


Seite 8 von 121

Comparison of named and numbered IPX ACL’s / Commands ____________ 88

Overview IPX ACL configuration commands _______________________90

7. WAN Protocols and Design ______________________________91

Point to point leased lines______________________________________91 Terms and Definitions____________________________________________ 91 Protocol used on point to point links _________________________________ 92

Overview__________________________________________________________ 92 Functions _________________________________________________________ 92 Framing __________________________________________________________ 92

How to differentiate the 3 protocols _________________________________ 92 Point-to-Point Data Link Protocol Attributes ___________________________ 93

Note: Architected type field____________________________________________ 93 Configuration commands _________________________________________ 93 Changing encapsulation types _____________________________________ 94 PPP special features_____________________________________________ 94

PPP LCP Features ___________________________________________95 Error Detection _________________________________________________ 95 Looped Link Detection ___________________________________________ 96 Compression___________________________________________________ 96

Compression goal & price ____________________________________________ 96 What happens with compression _______________________________________ 96 Reasons for using compression ________________________________________ 96 Compession algorithms ______________________________________________ 96 Assignment of compression algorithm and protocol_________________________ 97

WAN cabling standards _______________________________________97 Connector examples_____________________________________________ 97 Connector details _______________________________________________ 97 Further Connector notes__________________________________________ 98

Frame Relay Protocols ________________________________________98 Frame Relay Definition ___________________________________________ 98 Frame Relay Features and Terminology _____________________________ 99

Terms and concepts _________________________________________________ 99 LMI and encapsulation types _____________________________________ 101

Definition_________________________________________________________ 101 LMI _____________________________________________________________ 101 Encapsulation_____________________________________________________ 101 Frame View ______________________________________________________ 102

DLCI and Frame Relay Switching__________________________________ 103 DLCI Global Addressing_____________________________________________ 104 Global Addressing Summary _________________________________________ 104 Global Addressing Advantages _______________________________________ 105

Network layers and Frame Relay __________________________________ 106 Layer 3 addressing_________________________________________________ 106

Full Mesh ____________________________________________________________ 106 Partial Mesh __________________________________________________________ 107 Hybrid _______________________________________________________________ 108

Broadcast Handling ________________________________________________ 108 Split Horizon ______________________________________________________ 109


Seite 9 von 121

How Address Mapping Works_____________________________________ 110 Shortcut _________________________________________________________ 110 Definition_________________________________________________________ 110

Review: Frame Relay initialization _________________________________ 111 Graphically _______________________________________________________ 112

Compression__________________________________________________ 112 Shortcut _________________________________________________________ 112 Payload compression _______________________________________________ 112

STAC compression_____________________________________________________ 112 FRF.9 compression_____________________________________________________ 113

TCP header compression____________________________________________ 113 Frame Relay Configuration_______________________________________ 113

Frame Relay Configuration commands _________________________________ 113 Guideline whether to use subinterfaces _________________________________ 114 Correlating DLCIs to subinterfaces_____________________________________ 114

ISDN protocols and design ____________________________________115 ISDN Channels ________________________________________________ 115

B channels _______________________________________________________ 115 D channels _______________________________________________________ 115

ISDN protocol overview _________________________________________ 115 ISDN ↔ OSI comparison ____________________________________________ 115

ISDN Function Groups and Reference Points _____________________116 Inexact Definition (but familiar) ________________________________________ 116 Facts to reminder __________________________________________________ 116

Typical use of ISDN _________________________________________117

PAP & Chap _______________________________________________117 Login description_______________________________________________ 117

Multilink PPP_______________________________________________117 Enabling commands ____________________________________________ 117

Dial-on-Demand Routing and ISDN Configuration __________________118 Some Notes __________________________________________________ 118 Example configuration __________________________________________ 118 Configuring the dialing itself / needed information _____________________ 119

WAN options – strength and weakness __________________________120

Enterprise Networks and their hardware__________________________121


Seite 10 von 121

1. IOS Basics

CLI – Command Line Interface Access from

- console port - auxiliary (e.g. modem connection) - telnet

Last 2 need password to be set before usage

Exec Modes User Exec Mode

- shows only basic information (mainly viewing of settings) Enable or Privileged Exec Mode

- allows full controll of the device


Seite 11 von 121

Syslog & Debug

Overview

Created messages are sent to console and named syslog “debug” command enables monitoring points / parameters and create additional messages describing what the IOS is doing and seeing ! Debug command can crash the machine when messages are too much ! use with caution !

“no debug all” disables debugging syslog is only sent to console by default

“terminal monitor” enables syslog to telnet (vty) or aux “logging host” sents messages to an external server “snmp-server enable trap” messages are sent as SNMP traps (SNMP already has to be configured


Seite 12 von 121

Configuration processes & configuration files

- enter config mode from priv exec mode (conf t) - startup configuration file NVRAM (Non Volatile RAM) - active configuration file RAM / DRAM - copying into RAM does same things like typing them manually - copying into NVRAM or tftp replaces (if same file name) - no startup-config in NVRAM causes the device to enter setup mode after

rebooting for entering basic configuration info

Cisco Discovery Protocol (CDP)

- discovers basic information about neighboring routers & switches - Device Identifier - Address lis (mostly hostname) - Port identifier (Interface) - Capabilities list (what does the discovered device do ?) - Platform (modell and OS Level)

- enabled by default

- disable: “no cdp run”

- can run on specific interface only

int subcmd: “cdp enable”

- “show cdp <params>” shows cdp information

IOS Images Ios files are stored in flash memory Images can only come from or go to tfp server

“copy tftp flash” ROM stores a limited IOS image Several IOS images can be saved in flash

“boot system” command allows to choose which one to boot


Seite 13 von 121

Boot system command


Seite 14 von 121

Password recovery Refer to page 52 following / table 2-7 for detailed process steps Shortcut: ROM Monitor / RomMon ! Password recovery overwrites NVRAM !

Memory types & function Memory Function RAM / DRAM Working memory (running-config) Flash IOS images ROM Limited IOS image NVRAM Startup-config


Seite 15 von 121

2. OSI reference modell Osi Layers, roles and examples Alle Application User interface /

HTTP Priester Presentation How data is

presented ASCII / JPEG

Saufen Session Keeping data seperated from different application

Tee Transport Reliable or unreliable connection TCP / UDP

Nach Network Logical addressing IP / IPX

Der Data Link IEEE 802.3 / 802.5 Predigt Physical

Layer

V.35 / RJ-45

Encapsulation - concept of placing data after headers and/or before trailers - is done in each layer (except physical)

PDU – Protocol Data Unit Layer Unit L1 Bits L2 Frame L3 Packet or datagramm L4 segment

TCP/IP, Novell Netware and OSI in comparison OSI TCP/IP NetWare Application Presentation Session

Application SAP , NCP

Transport Transport IPX SPX Network Internet IPX


Seite 16 von 121

Data Link Physical

Network (Interface) MAC Protocols

Connection-oriented vs. connectionless Connection-oriented Connectionless Establishes connection between 2 endpoints before transfer beginns

Transfer begins immediately

Error detection ≠ error recovery Error detection means that protocol is able to detect an error and discards the PDU Error recovery means that a protocol is able to react on the lost data due to an error and causes the transmission to be repeated

Flow controll Flow control means that a sender can control his sending data rate to decrease the amount of lost data due to slower systems “on the way”

Buffering Receiving device has a receive buffer whi9ch holds the received data until processed Sending data rate isn’t affected

Congestion avoidance Receiving device notices that buffers are filling and notifies the sender to stop or slow down transmission When buffers are free again the sender is noticed to start or speed up transmission

e.g. ICMP “Source Squench” slows the sender down step by step until no Source Quench messages are received by sender anymore

Windowing A window is the maximum amount of data a sender can send without acknowledgement


Seite 17 von 121

OSI Data Link layer functions Function Ethernet Token Ring HDLC Frame Relay Arbitration CSMA/CD Token passing --- --- Addressing Source and

destination MAC address

Source and destination MAC address

Single 1 byte Address Unimportant on point to point links

DLCI to identify virtual circuits

Error Detection FCS (Filed Correction Sum) in trailer Identify data contents

802.2 DSAP, SNAP or Ethertype as needed

802.2 DSAP or SNAP header as needed

Proprietary type field

L2/L3 protocol ID’s or SNAP header

OSI Network layer function

- routing and logical addressing o logical adresses can be grouped

TCP/IP = Subnet IPX = Network Appletalk = Cable Range

- refer to page 108 / table 3-10

routing notes

routed protocol - the one being routed - IP - IPX - OSI - DECnet - …

routing protocol - the information to perform routing process as quickly as possible - RIP - IGRP - OSPF - …

routing table - where the routing information is stored


Seite 18 von 121

3. Bridges, switches and LAN design

LAN types

Ethernet

Token Ring

FDDI

LAN Adressing

MAC address - consists of two 24 bit parts (=48 bit)

o vendor part o card part

Most significant bit - Ethernet: most significant bit is last - FDDI & Token Ring: most significant bit is first

Unicast address An individual LAN interface card

Broadcast Address All devices in a LAN

Multicast Address A subset of devices in Ethernet or FDDI

Functional MAC Address Device with specific funktion on a Token Ring

Broadcast bit The most significant bit in the first byte unicast address when bit is 0


Seite 19 von 121

broadcast, multicast or functional address when bit is 1

local/universal bit The second most significant bit in the first byte =0 when burned in MAC is used =1 when locally administered address is in use

LAN framing Refer to tables 4-2 and 4-5 on page 140

LAN standards Name MAC sublayer

Spec LLC Sublayer Spec

Comments

Ethernet Version 2 (DIX Ethernet)

Ethernet Not applicable Spec owned by Digital, Intel and Xerox

IEEE Ethernet IEEE 802.3 IEEE802.2 Other name: 802.3 Ethernet

Token Ring IEEE 802.5 IEEE 802.2 IBM developed IEEE took over

FDDI ANSI X3T9.5 IEEE 802.2 --- Standard MAC Sublayer

Spec Max. cable length

Cable Type Pairs needed

10Base5 802.3 500m entire

bus 50Ohm thick coaxial

---

10Base2 802.3 185m entire bus

50Ohm thin coaxial

---

10BaseT 802.3 100m entire bus

CAT3,4, or 5 UTP

4

10BaseFL 802.3 2000m from device to hub/switch

Fiber 1

100BaseTx 802.3u 100m from device to hub/switch

CAT5 UTP 2

100BaseT4 802.3u 100m from device to hub/switch

CAT3 UTP 4

Standard MAC Sublayer Spec

Max. cable length

Cable Type Pairs needed


Seite 20 von 121

100BaseT2 802.3u 100m from

device to hub/switch

CAT3,4 or 5 UTP

2

100baseFx 802.3u 400/2000m (half/full duplex)

Multimode fiber 1

100BaseFx 802.3u 10.000m Singlemode fiber

1

1000BaseSx 802.3z 220-550m Multimode fiber 1000BaseLx 802.3z 3000m Single or

multimode fiber 1

1000BaseCx 802.3z 25m Shielded copper

2

1000BaseT 802.3ab 100m CAT5 UTP 2

Bridging, Switching and Spanning Tree Protocol

Transparent Bridging Endpoints do not need to know wheter there is a bridge or not. Key Functions:

- Learning MAC Address by examining source MAC addresses of received frames

- Forward or filter frames based on destination MAC address - Loop free environment created by Spanning tree protocol STP

Lan Switching Switches decide where to forward frames to (which port(s)) based on the destination MAC address (multiport bridge).

Broadcast and collision domain BD is a set of NICs which all receive a broadcast by other NICs in same BD CD is a set of NICs which could cause a collision in same CD. ! All devices in the same BD will be in the same subnet / network !


Seite 21 von 121

Switching Methods

Store and forward switching Receives entirely frame (store) and forwards it after that Allows to check FCS (Filed correction sum) in trailer

Cut Through switching Receiver destination address of the frame and forwards it immediately Disallows FCS checks

Fragment free switching Almost like cut through switching but waits for the first 64 bytes of a frame before forwarding it. A collision has to be detected within the first 64 bytes of a frame so that fragmented packets due to a collision aren’t forwarded.

Comparison of bridging, switching an routing Feature Bridging Switching Routing Forward LAN broadcasts

Yes Yes No

Forward LAN multicasts

Yes Yes; can be optimized by using CGMP

No (if not configured, but not the original frame is forwarded)

OSI layer used to make forward decision

Layer 2 Layer 2 Layer 3

Internal processing variants

Store and forward Store and forward cut through fragment free

Store and forward

Fragmentation allowed ?

No No Yes

Multiple concurrent equal-cost paths to same destination allowed ?

No No Yes


Seite 22 von 121

Feature Bridging Switching Routing Greater cabling distances allowed

Yes Yes Yes

Dcrease in collisions, assuming equal traffic loads

Yes Yes Yes

Decreased adverse impact of broadcasts

Yes No Yes

Decreased adverse impact of multicasts

No Yes (with CGMP) Yes

Increase in bandwidth

Yes Yes Yes

Filtering on Layer 2 header allowed

Yes Yes Yes

Filtering on Layer 3 header allowed

No No Yes

Spanning Tree Protocol (STP) STP creates a network where only one active path exists between any pair of LAN segments. STP enabled Switches and bridges have dynamic blocking or forwarding ports.


Seite 23 von 121

Explanation:

Ethernet

Ethernet

Ethernet

IBM-kompatibelIBM-kompatibel

Bridge

Bridge Bridge

IBM-kompatibel

One broadcast domain Broadcasts will be forwarded infinitely

Summary - physical redundancy is allowed and be used when other paths fail - bridging logic gets confused by multiple ways to the same MAC address. STP

avoids confusion by creating only one active way - Loops in the bridget network are avoided


Seite 24 von 121

How STP works

Goal Creation of a physical redundant network with only one active path to avoid loop and network congestion.

Way • All interfaces are either in forwarding or blocking state • The forwarding interfaces are part of the spanning tree • One bridge is the root bridge and has all interfaces in forwarding mode • Each bridge receives CBPDUs (Configuration Bridge Protocol Data Units)

from the root bridge. • The interface on which CBPDUs are received is called root port and is in

forwarding state • The bridge in evere segment with the lowest cost path to the root bridge is

called designated bridge and has the port on that segment forwarding. • All other interfaces are in blocking state. • Every “HelloTime” seconds the root bridge sends a CBPDU to say that no

network change has occurred. • If a bridge doesn’t receive CBPDUs for a “MaxAge” time it z beginns the

process of spanning tree change. This process varies from topology to topology.

• One or more bridges decide to change blocking into forwarding ports or vice versa.

o In the first case thy first switch the port to listening state for a “ForwardDelayTimer” period of time , then switch to learning state after a second “Forward DelayTimer” time and finally switch the port to forwarding.

• These delays are necessary to prevent temporary loops.


Seite 25 von 121

Root bridge election

1. each bridge beginns claiming to be the root bridge by sending out CBPDUs of following contents

a. root bridges ID (they want to be root thereselves so they say they are root. the ID is normally a MAC adress of an interface on that bridge

b. the cost between these bridge and the root bridge set to 0 because they all want to be root

c. the sending bridges bridge ID (=root bridge ID first) 2. root bridge with the lowest priority value (set by administrator) wins the elction

a. on a tie the bridge with the lowest bridge ID wins 3. if a bridge hears a CBPDU of a better candidate for root bridge (see step 2) it

stops claiming to be root and starts forwarding the CBPDUs of the better candidate on all ports except the one these CBPDU are received

4. before forwarding these CBPDUs the bridge increments the costs of these CBPDUs by the costs of the receiving interface

a. cost values are set by administrator 5. at the end of the process one bridge is elected being root 6. The ports where the CBPDUs with the lowest costs to root are received is

called the root port and placed in forwarding state. a. On root ports no CBPDUs are forwarded

7. For every segment of the LAN there is one bridge sending CBPDUs with the least costs to root. These bridges are called designated bridges and have the interface on that segment placed in forwarding state.

8. All other ports go into blocking state.

Network topology changes

Timers in CBPDUs Every CBPDU contains 3 timers: - HelloTime The time between 2 CBPDUs sent by root bridge to say that nothing

has changed. - MaxAge: The time any bridge should wait before deciding that topology has

changed. - ForwardDelay: The time a bridge waits during a topology change before changing a

blocking port into a listening port and a listening port into a learning port.


Seite 26 von 121

Change type one – no CBPDUs received on any port for MaxAge Result: the bridge starts claiming to be the root bridge

Change type two – CBPDUs received on some ports (no CBPDUs on root port) Result:

- the port with the lowest cost to root gets the new root port - one or more bridges being not a designated bridge before reacts to the lack of

CBPDUs from the bridge with the new root port (no CBPDUs on root ports!) sets its blocked port to listening and cleares its address table

- These bridge sends a message CBPDU out of the root port to indicate that a topology change is being made

- After forward delay timer expired the listening port is changed to learning port and to forwarding port after a second forward delay timer expiration

- Root bridge sends a CBPDU to indicate all bridges the topology change - All bridges clear their address tables and start learning MAC addresses (and

the paths) again


Seite 27 von 121

STP graphics

Root bridge election

B1

B5

B4

B3

B2

E1E0

E0

E0

E0 E0

E1

E1

E1

E1

ID is 0200.1111.1111Priority 1Root is 0200.1111.1111Cost is 0



ID is 0200.4444.4444Priority 1Root is 0200.1111.1111Cost is 110 ID is 0200.5555.5555

Priority 1Root is 0200.1111.1111Cost is 10

root port

root port

root port

root port

highest prioritylow est ID= root bridge

blocking

desi

gnat

ed b

ridge

designated bridge

designated bridge

root bridge electedinterface states set

spanning treecreated

topology change

link to B5 broken

B1

B5

B4

B3

B2

E1E0

E0

E0

E0 E0

E1

E1

E1

E1




ID is 0200.4444.4444Priority 1Root is 0200.1111.1111Cost is 210 ID is 0200.5555.5555

Priority 1Root is 0200.1111.1111Cost is 10

root port

root port root port

highest prioritylow est ID= root bridge

listening ->learning ->forwarding

desi

gnat

ed b

ridge

new root port

B4/E -> B5/E1broken

B3/E1 forwarding


Seite 28 von 121

VLAN – Virtual Local Area Network

Definition A VLAN is a broadcast domain created by one or more switches. The VLAN is created via configuration in the switch or an external server (VLAN membership Policy Server [VMPS])

Advantages VLANs allow easy moves, additions and changes. One switch can offer many different VLANs. Routers are needed to route between the different VLANs.

VLAN tagging (ISL Inter Switch Link) ISL is used to minimize broadcast effects. ISL is not an IEEE thing. IEEE uses 802.1q as Ethernet VLAN protocol. ISL encapsulates the original frame and puts a VLAN-ID in the ISL header.

VLAN summary - VLANs make moves, additions and changes to device connections easier - By forcing a Layer 3 device to route between VLANs greater administrative

control can be used (accounting, access lists…..) - Unnecessary LAN bandwidth consumption is reduced compared to a single

broadcast domain - Unnecessary CPU usage is reduced by resulting reduction in broadcast

forwarding


Seite 29 von 121

VTP – VLAN Trunking Protocol

Definition VTP is a layer 2 messaging protocol that maintains VLAN configuration consistency throughout an administration domain by managing VLAN config changes throughout the network.. Onfigurations made on to a single switch (the so called VTP server) are propagated through the network using trunk links to all switches in the same VTP domain.

Graphics

VTP notes o VTP advertisements are flooded every 5 minutes throughout the management

domain or

o When a VLAN configuration change has been done o In an VTP advertisement is included

o Configuration revision number o VLAN names and numbers o Information about witch switches have ports assigned to each VLAN

VTPserver

VTPclient

VTPclient

1. Add new VLAN2. Rev 3 --> Rev 4

3. Send VTPadvertisement

3. Send VTPadvertisement

4. Rev 3 --> Rev 45. Sync new VLAN info

4. Rev 3 --> Rev 45. Sync new VLAN info


Seite 30 von 121

VTP operation modes o Transparent mode

o Used when a Switch does not need or want to participiate in VTP but willing to pass VTP advertisements to other switches

o VLAN configuration changes affect only the VTP trasparent switch o Server mode

o A VTP server can create, modify or delete VLANs and other configuration parameters for the entire VTP domain

o VTP servers save VLAN configuration in NVRAM o VTP messages are transmitted out of all trunk connection

o Client mode o A VTP client cannot create, modify or change VTP configuration o Clients do not store VLAN configuration in NVRAM

VTP pruning VTP pruning increases available bandwidth by restricting flooded traffic to those trunk links that the traffic must use to access the appropriate network devices. VTP version notes VTP version 1 only supports Ethernet VTP Version 2 supports Ethernet and Token Ring.

LAN switch configuration

Configuration by default (1900 series) - IP address: 0.0.0.0 - CDP: enabled - Switching method: fragment free - 100BaseT Port(s): auto-negotiate duplex mode - 10BaseT port(s): half duplex - Spanning Tree: enabled - Console password: none

Port numbering 10BaseT: e0/1 to e0/12 or e0/1 to e0/24 AUI port: e0/25 100BaseTUplink ports : fa0/26 and fa0/27

Basic IP configuration On switches the IP address is valid for the whole switch due to the fact that the IP address is only used for management purposes but not needed for the normal switching job to run!


Seite 31 von 121

MAC address table entry types There are 3 types of MAC address table entries:

- dynamic addresses which are entered by normal switching activity and deleted when the whole table is cleared (expiration time)

o use for normal hosts - permanent MAC addresses are associated with a specific port and don’t have

an expiration date o use for popular servers

- restricted-static entries are entries where a MAC address is associated with a specific port and frames destined for these MAC address have to come in from a particular set of ports

o use for hosts only specific machines shall communicate with

Port security Port security limits the number of MAC addresses associated with a port. The number of devices with the specified MAC address to these ports is limited.

Port security commands “show mac-address-table” “show mac-address-table security” “port secure-max-mac-count x” “adress-violation {suspend|disable|ignore}”

Basic VLAN configuration

Information - max number of VLANs is switch dependent (1900 series = 64 VLANs) - VLAN1 is factory default - CDP and VTP advertisements are sent on VLAN1 - Switch IP address is in VLAN1 broadcast domain - Switch must be in VTP server mode for creation, adding or deletion of VLANs


Seite 32 von 121

4. TCP/IP Protocols

TCP – Transmission Control Protocol

Features

- Error Recovery (reliability) - Data Transfer - Multiplexing - Flow control (windowing) - Connection establishment and termination

- Ordered Data Transfer TCP provides its functions to the upper layers. The TCP/IP modell only provides the application layer as last upper layer so you can say that TCP provides data transfer from one application to another. Port number, destination IP address and the name of the transport layer protocol (TCP) form a socket. Applications use TCP services by opening a socket and TCP manages the delivery of the data to the toher sides socket.

- Multiplexing TCPs multiplexing task is to decide which application layer process to give the data to after the data is received. So multiplexing enables data delivery to different applications over “one single link”.

- Error Recovery (reliability) To accomplish reliablity data bytes are numbered using the sequence and acknowledgment fields in the TCP header.

- Flow control (windowing) TCP implements flow control by taking advantage of the sequence and acknowledgment fields in the TCP header along with the so-called window field. This window field implies the maximum number of unacknowldged bytes outstanding instant in time.


Seite 33 von 121

The windows starts small and grows until errors occur. The windows then starts varying in size based on the network performance. In other words the window field is used by the receiver to tell the sender how much data can be sent before the next acknowledgment.

- Connection establishment and termination The connection establishment is called three way handshake and takes place before data transfer begins. The connection termination is four way and interesting is that TCP notifies the application that connection is coming down before the third flow in termination sequence takes places (in other words before the connection is really down) and waits for the application to acknowledge the connection closure.

TCP Summary Function Descripition Data Trasfer Continous stream of ordered data Multiplexing Allowing the receiving host to decide the

correct application for which the data is destined, based on the port number

Error recovery (reliability) Process of numbering and acknowledging header fields.

Flow control (windowing) Process of using windows fields to protect buffer space and routing devices

Connection establishment and termination

Process used to initialize port numbers, sequence and acknowledgment fields.

UDP – User Datagramm Protocol

Features

- Data Transfer

- Multiplexing Multiplexing is the same thing TCP does. Data Transfer is just reliable for message delivery but does not order, window or proove data receiving. No recording or recovery is accomplished, discarded frames are discarded! The big advantage of UDP is the much smaller header due to less fields (smaller protocol overhead) and the data rate isn’t artificially slowed by an acknowledgment process.


Seite 34 von 121

If your IP is 1.1.1.1 pleasereply !

OK, my MAC is0200.1234.5678

1. ARP request

2. ARP reply

Hey, who is MAC0200.1234.5678 ?

Here I am. IP is 1.1.1.1

1. inverse ARP request

2. inverse ARP reply

ARP – Adress resolution protocol & Inverse ARP

Features ARP is the method to resolve the Layer 3 (IP, IPX…) address to a known layer 2 (MAC) address. Inverse ARP handles resolution of MAC to IP addresses.


Seite 35 von 121

ICMP – Internet control message protocol

Features ICMP helps control and manage the work of IP and therefore is consideres to be part of TCP/IP’s network layer.

ICMP messages overview Message Purpose Destination unreachable This tells the source that there is problem

delivering a packet Time exceeded The time it takes delivering a packet has

exceeded; packet discarded Source Quench The source is sending date faster than it

can be forwarded; requests the sender to slow down

Redirect The router sending this message has received some packet for qhich another oruter has a better toute; tells the sender to use the better router

Echo Used by ping command to verify connectivity

Parameter problem Used to identify an incorrect paramater Timestamp Measures roundtrip time to particular

hosts Address mask Request/reply Used to inquire about and learn the

correct subnet mask to be used Router advertisement and selection Used to dynamically learn the IP

addresses of the routers on same subnet.• black items most likely on exam


Seite 36 von 121

ICMP messages in detail

Destination unreachable messages There are five separate unreachable functions: Unreachable code When used Typically sent by Network unreachable No routing table match for

the packets destination. Router

Host unreachable Packet routed to a router in destination subnet, but host is not responding

Router

Can’t fragment Packet has “Don’t fragment bit” but a router must fragment to forward the packet

Router

Protocol unreachable Packet was delivered to host but the used transport layer protocol is not available there

Endpoint host

Port unreachable Packet was delivered to host, but the destination port has not been opened by an application.

Endpoint host

Time exceeded messages Every IP header contains a Time to live field (TTL) to make sure that packets aren’t crusing through network infinetly. Every router on the packets way will decrease the TTL field by one. When TTL decreased to 0 the packet will be discarded. The ICMP time exceeded message indicates that the TTL field was decreased to 0.

ICMP echo request and reply The ping command sends an ICMP echo request and the host replys to this message with an ICMP echo reply. Whatever data is sent in the request is sent back in the reply.


Seite 37 von 121

ICMP summary ICMP defines several message types and subtypes (called codes) to indicate that there is a network or host problem.

FTP and TFTP in comparison (Trivial) File Transfer Protocol FTP TFTP Uses TCP Uses UDP Robust control commands Simple control commands Sends data over a separate TCP connection from control commands

No connection, due to UDP

Requires more memory and programming effort

Requires less memory and programming effort

No support as application from IOS Supported by IOS as application

IP addressing

Network classes Any network of this class

Network Bytes (Bits)

Host bytes (bits) Number of addresses per network

A 1 (8) 3 (24) 224 minus 2 special B 2 (16) 2 (16) 216 minus 2 special C 3 (24) 1 (8) 28 minus 2 special

Network numbers Class First Octet

Range Valid Network Numbers

Total number of This class of network

Number of hosts per network

A 1 to 126 1.0.0.0 to

126.0.0.0 27 minus 2 special

224 minus 2 special

B 128 to 191 128.1.0.0 to 191.254.0.0

214 minus 2 special

216 minus 2 special

C 192 to 223 192.0.1.0 to 223.255.254.0

221 minus 2 special

28 minus 2 special

Network numbers represent the group of all IP addresses in the network.


Seite 38 von 121

A network number is build with a nonzero value in te network part but with all 0s in the host part of the network number.

Network masks Network masks key purpose is to define the number of host bits in an address. Computers use the network(subnet) mask to calculate the network or subnet number of which the address is a member.

Subnetting When subnetting, a third part of an IP address appears—namely, the subnet part of the address.This field is created by “stealing” bits from the host part of the address. Three portions of the address now exist: network, subnet, and host. The network part size is determined by the class (A, B, or C). The host part is determined by the subnet mask in use, the number of bits of value 0 in the subnet mask define the number of host bits. The remaining bits define the size of the subnet part of the address.

Address format concepts summary

• Two unique IP addresses in the same network have identical values in the network part of their address and have different values in their host parts.

• Two unique IP addresses in the same subnet have identical values in the

network part of their address, identical values in the subnet part of their address, and different values in their host parts.

• Two unique IP addresses in different subnets of the same Class A, B, or C

network have identical values in the network part of their address and have different values in the subnet part of their address.

• Without subnetting, the network number, the network broadcast address, and

all


Seite 39 von 121

• assignable IP addresses in the network have the same value in the network part of their addresses.

• With subnetting, the subnet number, the subnet broadcast address, and all

assignable IP addresses in the subnet have the same value in the network and subnet parts of their addresses.

• Most people treat the combined network and subnet parts of addresses as one

part of the address and call it the subnet part of the address, or simply the subnet.

IP Grouping Concepts and Subnetting

Needs for subnetting - all organisations connected to the internet (and not using IP address

translation) are required to use IP networks registered with the NIC - IP protocols enforce the following grouping concept: All hosts in the same

group must not be seperated by an IP router - Hosts separated by an IP router must be in separate groups - Without subnetting the smallest group is a single entire Class A , B or C

network number - Without subnetting the NIC would be short of assignable networks - With subnetting the NIC can assign one or a few network numbers to an

organization and the organization can subdivide those network(s) into subnets of more usuable sizes.


Seite 40 von 121

Graphical comparison of subnetted and not subnetted networks

Frame Relay150.5.0.0

150.1.0.0 150.2.0.0

150.3.0.0150.4.0.0

150.6.0.0

Network using 6 entire Class Bnetworks

Network using 1 Class B network &6 subnets

Frame Relay150.150.5.0

150.150.1.0 150.150.2.0

150.150.3.0150.150.4.0

150.150.6.0


Seite 41 von 121

As seen above the left network topology contains 6 different entire Class B networks. Many addresses and network numbers are wasted due to the fact that they aren’t needed. The right network topology contains only one Class B network which is subnetted into 6 different subnets. 5 Class B network and its IP addresses are saved for other usage.

Subnetting overview A review of some basic concepts relating to networks without subnetting can be used as a comparison to networks with subnetting. When not subnetting, the default mask defines the number of host bits. The mask accomplishes this by simply using binary 0 for each bit position in the mask that corresponds to the host part of the address in question. For example, the mask 255.255.0.0 (Class B) has a value of all binary 0s in the last 16 bits. This implies 16 host bits at the end of the address. The following list summarizes basic concepts when not using subnetting:

- The mask defines the number of host bits in the host part of an address. - Class A, B, and C rules define the number of network bits in the network part

of the - address. - Without subnetting, these two fields (network and host) compose the entire

32-bit address. - Each host address in the network has the same value in the network part of

the address. - Each host address in the network has a unique value in the host part of the

address. (For example, 130.1.1.1 and 130.1.1.2 are in the same network but can be assigned to two different network interfaces.)

Subnetting creates a third part of the address, called the subnet field or subnet part. For example, using network 150.150.0.0 again, assume that you want a third field called the subnet field. Several assertions are true in this case:

- The Class A, B, and C network field sizes cannot be changed; they remain as 8, 16, and 24 bits, respectively.

- The IP address must still be 32 bits in length. - Therefore, to create a third field called the subnet part of the address, some of

the bits previously in the host part of the address are used. - The subnet part of an address identifies the different subdivisions of this

network. An address with a different value in the subnet field, as compared with a second address, is considered to be in a different subnet.


Seite 42 von 121

Subnet math algorithms

Given an IP Address and Mask, What Is the Network/Subnet Number? Both people and computers need to think about the question, “Which network is a particular address a member of?” Humans care because it is useful in troubleshooting, planning, and address assignment; computers need to know because the answer is a vital part of routing.

Decimal Algorithm for Deriving the Network Number, No Subnetting in Use When no subnetting is in use, the decimal algorithm is as follows:

1. Write down the IP address in decimal. 2. Copy below the IP address either the first one, two, or three dotted

decimal numbers of the address, based on whether the address is a Class A, B, or C address, respectively.

3. For the remaining dotted decimal numbers, record decimal value 0.

Binary Algorithm for Deriving the Network Number, No Subnetting in Use When a computer needs to answer this same question, it performs a Boolean math operation called AND between the address in question and the mask. The result of the AND operation is that the host bits are masked out—that is, changed to binary 0s. The binary process, with no subnetting, is as follows:

1. Write down the IP address in binary. 2. Write down the default mask appropriate for the class of address,

in binary, beneath the binary IP address from Step 1. 3. Record the results of the Boolean AND below the two numbers. 4. Convert the result of Step 3 back into decimal, 8 bits at a time.

Boolean AND Operation To perform the Boolean AND, each bit is examined in the address and is compared to the corresponding bit in the mask. The AND operation results in a binary 1 if both the address and the mask bits are also 1; otherwise, the result is 0.


Seite 43 von 121

Decimal Algorithm for Deriving the Subnet Number, Basic Subnetting The decimal algorithm, when basic subnetting is in use, is as follows:


decimal numbers of the address, based on whether the subnet mask is 255.0.0.0, 255.255.0.0, or 255.255.255.0, respectively.

3. For the remaining dotted decimal numbers, record decimal value 0. This algorithm is very similar to the algorithm that is used when there is no subnetting. The only difference is in Step 2. In fact, this later version of the algorithm would work fine when there is no subnetting in use.

Binary Algorithm for Deriving the Subnet Number, Basic Subnetting The binary algorithm to determine the subnet number, when using basic subnetting, is practically identical to the algorithm used when there is no subnetting. Again, the key is in knowing what subnet mask is in use. The binary process, with basic subnetting, is as follows:

1. Write down the IP address in binary. 2. Write down the subnet mask used in this network, in binary,

beneath the binary IP address from Step 1. 3. Record the results of the Boolean AND below the two numbers. 4. Convert the result of Step 3 back into decimal, 8 bits at a time.

Binary Algorithm for Deriving the Subnet Number, Difficult Subnetting Difficult subnetting is a term used in this book to denote subnetting when the mask is not all 255s and 0s. The decimal algorithm for calculating the subnet, when basic subnetting is in use, is more challenging. In fact, several math tricks come in handy so that the result can be calculated without thinking about binary math. However, starting with the binary algorithm is helpful.


Seite 44 von 121

Typical difficult mask values Decimal Binary 0 0000 0000 128 1000 0000 192 1100 0000 224 1110 0000 240 1111 0000 248 1111 1000 252 1111 1100 254 1111 1110 255 1111 1111 The binary algorithm to determine the subnet number, when using difficult subnetting, is identical to the algorithm used when there is no subnetting or basic subnetting. Again, the key is in knowing what subnet mask is in use. The binary algorithm is as follows:

1. Write down the IP address in binary. 2. Write down the subnet mask used in this network, in binary,

beneath the binary IP address from Step 1. 3. Record the results of the Boolean AND below the two numbers. 4. Convert the result of Step 3 back into decimal, 8 bits at a time.

Decimal Algorithm for Deriving the Subnet Number, Difficult Subnetting The decimal algorithm that I like best for difficult subnetting works well. However, this algorithm is not very helpful for understanding subnetting. So, if you understand subnetting and are willing to use the more time-consuming binary algorithm on the exam for the difficult cases, you may want to skip this section to avoid getting confused. The algorithm is as follows:

1. Write down the IP address in decimal. 2. Write down the mask in decimal. 3. Examine the mask. One of the four octets will have a value besides

255 or 0; otherwise, this would not be considered to be a difficult case. The octet with the non-255, non-0 value is considered to be the “interesting” octet. The other three are considered “boring.” Write down the number (1, 2, 3, or 4) of the interesting octet. (For example, mask 255.255.240.0 has an interesting third octet.)

4. Subtract the mask’s interesting octet value from 256. Call that value the multiplier. Write it down.

5. For any boring octets to the left of the interesting octet, copy those octets’ values onto your paper, leaving space for the remaining octets. This will be where you record your subnet number.


Seite 45 von 121

6. For any boring octets to the right of the interesting octet, record a value 0 in your subnet number. One of the four octets should still be empty—the interesting octet.

7. Examine the interesting octet of the original IP address. Discover the multiple of the multiplier closest to this number, but less than the number. Write down this interesting multiple of the multiplier into the interesting octet of the subnet number.

Definition of network/subnet number and broadcast address The network/subnet number is the lowest value numerically in that network/subnet. The broadcast address is the largest value numerically in that network/subnet. The valid, assignable addresses in that network are the numbers between the network/subnet number and the broadcast address.

Given an IP Address and Mask, What Is the Network/Subnet Broadcast Address?

Decimal Algorithm for Deriving the Broadcast Address, No Subnetting or Basic Subnetting


decimal numbers of the address, based on whether the subnet mask is 255.0.0.0, 255.255.0.0, or 255.255.255.0, respectively.

3. For the remaining dotted decimal numbers, record decimal value 255.

Binary Algorithm for Deriving the Broadcast Address

1. Write down the IP address in binary. 2. Write down the subnet mask used in this network, in binary, beneath the

binary IP address from Step 1. 3. Record the results of the Boolean AND below the two numbers. (This is the

subnet number.) 4. Copy down the network and subnet bits of the subnet number onto the next

line. This is the beginning of the broadcast address.

5. Fill in the host bit values with all binary 1s. This is the broadcast address. 6. Convert the result of Step 5 back into decimal, 8 bits at a time.


Seite 46 von 121

Decimal Algorithm for Deriving the Broadcast Address, Difficult Subnetting

1. Write down the IP address in decimal. 2. Write down the mask in decimal. 3. Examine the mask. One of the four octets will have a value besides

255 or 0; otherwise, this would not be considered to be a “difficult” case. The octet with the non-255, non-0 value is considered to be the “interesting” octet. The other three are considered “boring.” Write down the number (1, 2, 3, or 4) of the interesting octet. (For example, mask 255.255.240.0 has an interesting third octet.)

4. Subtract the mask’s interesting octet’s value from 256. Call that value the multiplier. Write it down.

5. For any boring octets to the left of the interesting octet, copy those octets from the subnet onto a new line on your paper, leaving space for the remaining octets. This line will be where you record the broadcast address.

6. For any boring octets to the right of the interesting octet, record a value of 255 in the broadcast address (the same number as in Step 5.) One of the four octets should still be empty—the interesting octet.

7. Examine the interesting octet of the original IP address. Discover the multiple of the multiplier closest to this number but greater than the number. Subtract 1 from this multiple. Write down this value (1 less than the integer multiple of the multiplier) in the interesting octet of the broadcast address.

Given an IP Address and Mask, What Are the Assignable IP Addresses in That Network/Subnet? All IP addresses between the network/subnet number and the broadcast address are valid IP addresses for this specific network/subnet. (Also when the IP address would be x.x.x.0 or y.y.y.255 [if these addresses lay between upper mentioned numbers])


Seite 47 von 121

Given a Network Number and a Static Subnet Mask, What Are the Valid Subnet Numbers?

Decimal Algorithm for Deriving the Valid Subnets with Basic Subnetting

1. Write down the 1 or 2 bytes of the network number. 2. Leave a space immediately to the right to add a value in the next octet. 3. Write down two octets (in the case of Class A) or one octet (in the

case of Class B) of 0 after the one-octet space left in Step 2, leaving a number with three octets written and an open space in the subnet part of the number.

4. Write down a 1 in the open octet. 5. Repeat Steps 1 through 4, but in Step 4 add 1 to the number. Continue repeating these steps until you reach 254.

Binary Algorithm for Deriving the Valid Subnets with Basic and Difficult Subnetting

1. Reserve space to record a series of 32-bit numbers, one over the other. Also leave space between each nibble and byte on each line for better readability.

2. Write down the 8, 16, or 24 bits of the network part of the address, in binary, on each line.

3. Write down binary 0s in the host field on each line. This should result in a long list of binary numbers, with the subnet bits unrecorded at this point.

4. Write down all binary 0s in the subnet bit positions of the first number in the list. This is the first subnet number, in binary. This is also the zero subnet.

5. Add binary 1 to the subnet field in the previous line, and record the result in the subnet field of the next line.

6. Repeat Step 5 until the subnet field is all binary 1s. That is the last subnet number, which is also the broadcast subnet.

7. Convert any of these 32-bit numbers back to decimal, 8 bits at a time. IGNORE THE BOUNDARIES BETWEEN THE SUBNET AND HOST FIELDS—do the conversion 8 bits at a time.


Seite 48 von 121

Decimal Algorithm for Deriving the Valid Subnets with Basic and Difficult Subnetting

1. Based on the network number and mask, all subnet bits are in 1 byte. (Having all subnet bits in 1 byte is an assumption used for this algorithm.) This is the “interesting” byte. Write down which byte is the interesting byte. The other 3 octets/bytes are considered “boring.”

2. Find the number of host bits in the interesting octet, and call that number N. 2N is called the increment. Record that number.

3. Create a list, one entry above the other, that contains repeated copies of the decimal network number. However, leave the interesting octet blank. This will become the list of subnet numbers.

4. In the first number in the list, in the interesting octet, write a decimal 0. This is the first (zero) subnet.

5. For each successive entry in your list of subnets, add the increment to the previous entry’s interesting octet value, and record that value in the interesting octet.

6. When 256 is the value to be recorded in Step 5, you have completed the list of subnet numbers.

Given a Network Number and a Static Subnet Mask, How Many Hosts per Subnet, and How Many Subnets? The number of hosts per subnet is defined as: 2number of host bits –2 The number of host bits in an address is equal to the number of binary 0s in the subnet mask. The number of subnets is defined as: 2number of subnet bits

The number of subnet bits is based on the mask and class of address. The number of subnet bits is: 32 – (number of network bits) – (number of host bits)


Seite 49 von 121

Zero Subnet and Broadcast subnet Two previously reserved cases, 150.150.0.0 and 150.150.255.0, were not used in the example. The first of these, which is called the zero subnet because the subnet value is all binary 0s, is usable only if the “ip subnet-zero” global command is configured. The other subnet, called the broadcast subnet because it looks like a typical broadcast address, is usable without any special configuration.

CIDR, Private Addressing, and NAT

Reasons for the usage of registered network numbers With registered numbers no IP address conflicts in the internet will occur. Because there are not much registered but not assigned to a company left so that IPv6 –with larger addresses- is being planned for future use. 3 other functions already available in IPv4 where invented to reduce the need for registered network numbers.

CIDR – Classless Inter Domain Routing CIDR is a convention, defined in RFC 1817 (www.ietf.org/rfc/rfc1817.txt), that calls for aggregating multiple network numbers into a single routing entity. CIDR was actually created to help the scalability of Internet routers—imagine a router in the Internet with a route to every Class A, B, and C network on the planet! By aggregating the routes, fewer routes would need to exist in the routing table.


Seite 50 von 121

Graphically

ISP #1198.0.0.0 -

198.255.255.0

ISP #2

ISP #3

ISP #4

Customer #1198.8.3.0/24

Customer #2198.4.2.0/24198.4.3.0/24

Customer #3198.1.0.0

Class C networks 198.0.0.0 through 198.255.255.0 (they may look funny, but they are valid Class C network numbers) are registered networks for an ISP. All other ISPs’ routing tables would have a separate route to each of the 216

networks without CIDR. However, as seen above, now the other ISPs’ routers will have a single route to 198.0.0.0/8—in other words, a route to all hosts whose IP address begins with 198. More than 2 million Class C networks alone exist, but CIDR has helped Internet routers reduce their routing tables to a more manageable size, in the range of 70,000 routes at the end of 1999. By using a routing protocol that exchanges the mask as well as the subnet/network number, a “classless” view of the number can be attained. In other words, treat the grouping as a math problem, ignoring the bourgeois Class A, B, and C rules. For instance, 198.0.0.0/8 (198.0.0.0, mask 255.0.0.0) defines a set of addresses whose first 8 bits are equal. This route is advertised by ISP #1 to the other ISPs, who need a route only to 198.0.0.0/8. In its routers, ISP #1 knows which Class C networks are at which customer sites. This is how CIDR gives Internet routers a much more scalable routing table, by reducing the number of entries in the tables.


Seite 51 von 121

Historically speaking, ISPs then found ways to use CIDR to allow better use of the IP Version 4 address space. Imagine that Customer #1 and Customer #3 need 10 and 20 IP addresses—ever. Each customer has only a router and a single Ethernet. Each customer could register its own Class C network, but if both did so, it would not be in the range already registered to the ISP. So, to help CIDR work in the Internet, ISP #1 wants its customers to use IP addresses in the 198.x.x.x range. As a service, the ISP suggests to Customer #1 something like this: Use IP subnet 198.8.3.16/28, with assignable addresses 198.8.17 to 198.8.30. To Customer #3, who needs 20 addresses, ISP #1 suggests 198.8.3.32/27, with 30 assignable addresses (198.8.3.33 to 198.8.3.62). The need for registered IP network numbers is reduced through CIDR. Instead of the two customers consuming two whole Class C networks, each consumes a small portion of a single network. The ISP gets customers to use its IP addresses in a convenient range of values, so CIDR works well and enables the Internet to grow.

Private addressing When designing a network that is not and will be routed to the internet you can use every IP address you’d like. But remember that you to switch to registered IP addresses, if you ever should decide to connect the network to the internet. For such cases there are 3 ranges of IP addresses reserved for private use. These address ranges will not be routed by internet routers (but can be routed by Inhouse LAN routers).

Adress ranges Range of IP addresses Network class Number of networks 10.0.0.0 to 10.255.255.255 A 1 172.16.0.0 to 172.31.255.255 B 16 192.168.0.0 to 192.168.255.255

C 256


Seite 52 von 121

NAT – Network Address Translation The problem that private addresses (or registered IP addresses assigned to another organisation) can’t communicate through the internet (due to conflicts or the character of private addresses) can be bypassed by using NAT. NAT achieves the goal of routing these addresses through the internet by using a correctly assigned and registered IP address to represent the invalid ones mentioned above.

NAT functionality graphics

NAT

Private Internet

Client192.168.0.1

www.sascha-b.de81.88.35.42

Source 192.168.0.1 Dest 81.88.35.52 Source 164.168.0.1 Dest 81.88.35.52

Source 81.88.35.52 Dest 192.168.0.1 Source 192.168.0.1 Dest 164.168.0.1

1 2

34

1. The client sends the request with its source and the servers destination. 2. The NAT router replaces the clients source with a valid registered IP

address 3. The server replies to the valid registered IP address 4. The NAT router replaces the valid registered IP address destination

with the clients private IP address Because of the amount of processing power needed to perform NAT (for example for marking the packets origin so the replies can be sent to the right origin) it is not recommended to use NAT for a larger amount of hosts.

Using secondary addresses If you run out of IP addresses in a specific subnet you can use a secondary subnet on the same data link. For routing both subnets you have to set the secondary address on the used routers interface.


Seite 53 von 121

MTU The maximum transmission unit labels the largest layer 3 packet that can be forwarded out an interface. The MTUs values is based on the used data link layer protocol. Default value is 1500 bytes.

Fragmentation If an interface MTU is smaller than a packet that has to be forwarded the packet will be fragmented (as long as the “Don’t fragment” bit isn’t set). Fragmentation simply means the breaking up of a packet into smaller packets with a smaller or equal size of the interfaces MTU.

IP naming commands and telnet Names are not important for routing of IP packets, but most human users prefer using names instead of IP addresses. Names can be set statically or be acquired through DNS (Domain Name Service). The telnet server is run by IOS automatically. The IOSs telnet client can suspend conection, so that you can hold more than connection.

Telnet suspend and resume commands

- Suspend a telnet session CTRL+Shift+6 followed by an x

- “show sessions” shows all active and supended telnet sessions - “resume ‘x’ ” resumes telnet session ‘x’ (number can be found with show

sessions command)

Default routes and the “ip classless” command The default out is the route a packet is routed to when the router has no match of the packets destination address and ist routing table. Without any default routes the packet would have been discarded without a default route. The default route is defined as a static ip route with destination and mask 0.0.0.0

“ip route 0.0.0.0 0.0.0.0 192.168.0.10” (with 192.168.0.10 being the router where the packets should go by default route) If there is more than one default route available to the router (configured by admin or learned by a routing protocol) the active default route is called “gateway of last resort”.


Seite 54 von 121

When “ip classless” is added to a router the router changes ist routing strategy from “best match in the same network as the destination of the packet” to “best match in the entire routing table”, which means that the router ignores class rules when routing.

!It is recommended to use “ip classless” if using any default routes!

IPX addressing and routing

Some facts about IPX - Internetwork Packet Exchange - Network Layer equivalent protocol - 80 bit address structure

o 32 bit network part o 48 bit node part

Feature table Feature Description Size of a group IPX addresses use a 48-bit node part of

the address, giving 248 possible addresses per network (minus a few reserved values), which should be big enough.

Unique Addresses IPX calls for the LAN MAC address to be used as the node part of the IPX address. This allows for easy assignment and little chance of duplication. Ensuring that no duplicates of the network numbers are made is the biggest concern because the network numbers are configured.

Grouping The grouping concept is identical to IP, with all interfaces attached to the same medium using the same network number. There is no equivalent of IP subnetting.

Dynamic address assignment Client IPX addresses are dynamically assigned as part of the protocol specifications. Servers and routers are configured with the network number(s) on their physical interfaces. Servers can choose to automatically generate an internal network number at installation time.


Seite 55 von 121

IPX routing algorithm

Packetarrives

Am I configured toroute IPX packets ?

Branch to bridginglogic

No

Compare the destinationnetwork number in the

destination address of thepacket with the IPX

routing table

Yes

The destinationnetwork

is NOT found inthe IPX

routing table. Isthere a

default route?

Discard packet

No

The destinationnetwork

IS found in theIPX

routing table

Build the data linkheader

appropriate for theoutgoing interface

Yes

Forward the frameout

that interface


Seite 56 von 121

Internal networks and encapsulation types

- Netware Servers use internal network numbers - Clients, servers and routers have to use correct encapsulation - Routers have to keep the internal network numbers in their routing tables

because the internal addresses are used as destination address of the packets

- Encapsulation is the Cisco term for describing which data link header is used o “Data link encapsulation defines the details of data link headers and

trailers created by arouter and placed around a packet, before completing the routing process by forwardingthe frame out an interface.”

- There are four different styles of Ethernet headers that can be used: o ARPA o Novell-ether o SAP o SNAP

Ethernet Encapsulation

Encapsulation names Novell’s Name Cisco IOS’s Name Hints for remembering

names and meanings Ethernet_II ARPA One way to help correlate

the two names is to remember that ARPA was the original agency that created TCP/IP and that Ethernet_II is the older version of Ethernet; remember that the “old” names go together.

Ethernet_802.3 Novell-ether Novell’s name refers to the final header before the IPX header, in this case. There are no suggestions on easier ways to recall the IOS name Novell-ether. This setting is Novell’s default on NetWare 3.11 and prior releases.


Seite 57 von 121

Novell’s Name Cisco IOS’s Name Hints for remembering

names and meanings Ethernet_802.2 SAP Novell’s name refers to the

final header before the IPX header, in this case. Novell’s name refers to the committee and complete header that defines the SAP field; Cisco’s name refers to the SAP part of the 802.2 header. (The SAP field denotes that an IPX packet follows the 802.2 header.) This setting is Novell’s default on NetWare 3.12 and later releases.

Ethernet_SNAP SNAP Novell’s name refers to the final header before the IPX header, in this case. Cisco’s name refers to this same header.

Encapsulation structure

Ethernet IPX Data

802.3 IPX Data

802.3 802.2 IPX Data

802.3 802.2 SNAP IPX Data

ARPA

Novell-ether

SAP

SNAP


Seite 58 von 121

Token Ring & FDDI

Encapsulation names Novell’s Name Cisco IOS’s Name Hints for remembering FDDI_Raw Novell-fddi The IPX packet follow

directly after the FDDI header. No type field is used.

FDDI_802.2 SAP The IPX packet follows the 802.2 header. Novell’s name refers to the committee and complete header that defines the SAP field; Cisco’s name refers to the SAP part of the 802.2 header.

FDDI_SNAP SNAP Novell’s name refers to the final header before the IPX header, in this case. Cisco’s name refers to this same header.

Token-Ring SAP The IPX packet follows the 802.2 header. Novell’s name refers to the committee and complete header that defines the SAP field; Cisco’s name refers to the SAP part of the 802.2 header.

Token-RING_SNAP SNAP Novell’s name refers to the final header before the IPX header. Cisco’s name refers to this same header.


Seite 59 von 121

Encapsulation structure

FDDI IPX Data

802.2 IPX Data

FDDI SNAP IPX Data

802.2 SAP IPX Data

FDDI_RAW

FDDI_802.2

FDDI_SNAP

Token-Ring

802.2 SNAP IPX DataToken -Ring_SNAP

General Encapsulation notes

- on or more encapsulations needed per Ethernet interface - if more than one encapsulation is used on same interface, more than one

encapsulation is possible and allowed on one interface - for each encapsulation type another network number has to be used - two configuration methods:

o IPX secondary addresses o Subinterfaces (allow NLSP as routing protocol)

IPX configuration hints Enabling IPX routing globally as well as on each interface is all that is required to route IPX in a Cisco router. The ipx routing command enables IPX in this router and initializes the RIP and SAP processes. The individual ipx network commands on each interface enable IPX routing into and out of each interface and enable RIP and SAP on each interface, respectively. The IPX addresses are not completely defined, however. Only the network number is configured. The full IPX network number is created by adding the MAC address of each interface to the configured IPX network number. For non-LAN interfaces, the MAC address of a LAN interface is used by default. However, for easier troubleshooting, a MAC address to be used as the node part of the IPX address on non-LAN interfaces can be configured. Several nuances are involved in how the node parts of the addresses are assigned. The first is that if the node part of the IPX address on WAN interfaces is derived from the MAC of a LAN interface, and if there is more than one LAN interface, then the IOS must choose one MAC address to use. The algorithm uses the MAC address of the “first” Ethernet interface—or the first Token Ring interface, if no Ethernet exists, or the first FDDI interface, if no Ethernet or Token Ring exists. The lowest numbered interface number is considered to be “first.” The next nuance is that if no LAN interfaces exist, the node parameter on the ipx routing command must


Seite 60 von 121

be configured, or IPX routing will not work on a WAN interface. The final nuance is that the node part of IPX addresses on router LAN interfaces ignores the node parameter of the ipx routing command, and uses its specific MAC address as the node part of the address.

5. Routing

Generell goals of routing

- To dynamically learn and fill the routing table with a route to all subnets in the network.

- If more than one route to a subnet is available, to place the best route in the routing table.

- To notice when routes in the table are no longer valid, and to remove those routes from the routing table.

- If a route is removed from the routing table and another route through another neighboring router is available, to add the route to the routing table. (Many people view this goal and the previous one as a single goal.)

- To add new routes, or to replace lost routes with the best currently available route, as

- quickly as possible. The time between losing the route and finding a working replacement route is called convergence time.

- To prevent routing loops.

Protocol types

- interior routing protocols for routing inside one organization o RIP Version 1 and 2 o (E)IGRP o OSPF

- CCNA exam focusses on interior routing protocols - Exterior routing protocols for routing between organizations

o BGP – Border Gateway Protocol o EGP – Exterior Gateway Protocol

- Routing protocol ↔ routing algorithms ↔ type of routing protocol o Link-state

Topological database on each router describing • Each router • Each routers attached links • Each routers neighboring routers

Complete Map of the network Dijkstra shortest path first(SPF) algorithm for choosing the best

routes to add to the routing table. This detailed topology information along with the Dijkstra algorithm helps link-state protocols avoid loops and converge quickly.


Seite 61 von 121

o Balanced hybrid mixture of link state and distance vector topological database Diffusing Update Algorithm (DUAL) Less intensive math operations

o Distance Vector Refer to next passage

Assignment of routing algorithms and protocols Routing protocol Protocol type Loop prevention by Mask sent in

Updates? RIP-1 Distance Vector Holddown timer,

split horizon No

RIP-2 Distance Vector Holddown timer, split horizon

Yes

IGRP Distance Vector Holddown timer, split horizon

No

EIGRP Balanced Hybrid DUAL and feasible successors

Yes

OSPF Link-State Dijkstra SPF algorithm and full topology knowledge

Yes

Distance Vector Routing behaviour

Directly connected subnets are already known by the router; these routes are advertised to neighboring routers.

Routing updates are broadcast (or multicast, in many cases). This is so that all neighboring routers can learn routes via the single broadcast or multicast update.

Routing updates are listened for so that this router can learn new routes. A metric describes each route in the update. The metric describes how good

the route is; if multiple routes to the same subnet are learned, the lower metric route is used.

Topology information in routing updates includes, at a minimum, the subnet and metric information.

Periodic updates are expected to be received from neighboring routers at a specified

interval. Failure to receive updates from a neighbor in a timely manner results in the

removal of the routes previously learned from that neighbor. A route learned from a neighboring router is assumed to be through that

router. A failed route is advertised for a time, with a metric that implies that the

network is


Seite 62 von 121

“infinite” distance. This route is considered unusable. Infinity is defined by each routing protocol to be some very large metric value. For instance, RIP’s infinite metric is 16 because RIP’s maximum valid hop count is 15.

Problems that can occur in multiple path networks (with distance vector routing protocols) Possible Problem Possible Solution(s) Multiple routes to same subnet with equal metric

Implementation options involve either using the first route learned or putting multiple routes to the same subnet in the routing table.

Routing loops occurring due to updates passing each other over a single link

Split horizon—The routing protocol advertises routes out an interface only if they were not learned from updates entering that interface. Split horizon with poison reverse—The routing protocol advertises all routes out an interface, but those learned from earlier updates coming in that interface are marked with infinite distance metrics.

Routing loops occurring due to updates passing each other over alternate paths

Route poisoning—When a route to a subnet fails, the subnet is advertised with an infinite distance metric.

Counting to infinity Holddown timer—After knowing that a route to a subnet has failed, a router waits a certain period of time before believing any other routing information about that subnet. Triggered updates—An update is sent immediately rather than waiting on the update timer to expire when a route has failed. Used in conjunction with route poisoning, this ensures that all routers know of failed routes before any holddown timers can expire.


Seite 63 von 121

Split horizon The routing protocol advertises routes out an interface only if they were not learned from updates entering that interface

Split horizon with poison reverse The routing protocol advertises all routes out an interface, but those learned from earlier updates coming in that interface are marked with infinite distance metrics

Route poisoning When a route to a subnet fails, the subnet is advertised with an infinite distance metric.

Holddown timer After knowing that a route to a subnet has failed, a router waits a certain period of time before believing any other routing information about that subnet

Triggered Updates An update is sent immediately rather than waiting on the update timer to expire when a route has failed. Used in conjunction with route poisoning, this ensures that all routers know of failed routes before any holddown timers can expire.

RIP and IGRP behaviour

Comparison of RIP and IGRP Features Feature RIP IGRP Update Timer 30 seconds 90 seconds Metric Hop Count Function of bandwith and

delay(default); can include reliability, load and MTU

Holddown timer 180 280 Flash / triggered updates Yes Yes Mask sent in update RIP Version 1: No

RIP Version 2: Yes No


Seite 64 von 121

Infinite Metric Value 16 4.294.967.295

Metric issues

RIP RIP’s hop count metric signifies the number of routers between the router receiving an update and the updated subnet. Before sending an update the router increments the metric of each route by 1.

IGRP The IGRP metric considering bandwith and delay on the update receiving interface is more robust than the RIP metric. The metric gets more meaningful, because longer hop routes on faster links can be considered better routes. ( better 30 hops in 2 seconds than 1 hop in 4 seconds ☺) IGRP uses a composite metric. This metric is calculated as a function of bandwidth, delay, load, and reliability. By default, only the bandwidth and delay are considered; the other parameters are considered only if enabled via configuration. Delay and bandwidth are not measured values but are set via the delay and bandwidth interface subcommands. (The same formula is used for calculating the metric for EIGRP, but with a scaling factor so that the actual metric values are larger, allowing more granularity in the metric.)

Distance Vector Routing Protocol Summary Distance vector routing protocols learn and advertise routes. The routes placed in the routing table should be loop-free and should be the best known working route. Metrics are used to choose the best route. Mechanisms such as split horizon and holddown timers are used to prevent routing loops.

Configuration of RIP and IGRP

The “network” command The network command causes implementation of the following three functions:

Routing updates are broadcast or multicast out an interface. Routing updates are processed if they enter that same interface. The subnet directly connected to that interface is advertised.

The “passive-interface” Command The passive-interface command can be used to cause the router to listen for RIP/IGRP and advertise about the connected subnet, but not to send RIP/IGRP updates on the interface.


Seite 65 von 121

RIP-1 and IGRP—No Subnet Masks Several subtle actions are taken in light of the lack of mask information in the update:

Updates sent out an interface in network X, when containing routes about subnets of

network X, contain the subnet numbers of the subnets of network X but not the corresponding masks. Updates sent out an interface in network X, when containing routes about

subnets of network Y, are summarized into one route about the entire network Y. When receiving a routing update containing routes referencing subnets of

network X, the receiving router assumes that the mask in use is the same mask it uses on an interface with an address in network X.

When receiving an update about network X, if the receiving router has no interfaces in network X, it treats the route as a route to the entire Class A, B, or C network X.

RIP Version 2

Features Feature Description Transmits subnet masks with route This feature allows VLSM by passing the

mask along with each route so that the subnet is exactly defined.

Provides authentication Both clear text (RFC-defined) and MD5 encryption (Ciscoadded feature) can be used to authenticate the source of a routing update.

Includes a next-hop router IP address in its routing update

A router can advertise a route but direct any listeners to a different router on that same subnet. This is done only when the other router has a better route.

Uses external route tags RIP can pass information about routes learned from an external source and redistributed into RIP.

Provides multicast routing updates Instead of sending updates to 255.255.255.255, the destination IP address is 224.0.0.9, an IP multicast address. This reduces the amount of processing required on non-RIP-speaking hosts on a common subnet.


Seite 66 von 121

RIP Version migration Migration from RIP-1 to RIP-2 requires some planning. RIP-1 sends updates to the broadcast address, whereas RIP-2 uses a multicast. A RIP-1 only router and a RIP-2 only router will not succeed in exchanging routing information. To migrate to RIP-2, one option is to migrate all routers at the same time. This might not be a reasonable political or administrative option, however. If not, then some coexistence between RIP-1 and RIP-2 is required. The ip rip send version command can be used to overcome the problem. Essentially, the configuration tells the router whether to send RIP-1 style updates, RIP-2 style updates, or both for each interface.

Auto Summary and Route Aggregation It is typically true that any algorithm that searches a list will run more quickly if the list is short, compared to searching a similar list that is long. Auto summary and route aggregation (also known as route summarization) are two IOS features that reduce the size of the IP routing table. Auto summarization is a routing protocol feature that operates by this rule:

When advertised on an interface whose IP address is not in network X, routes about subnets in network X will be summarized and advertised as one route. That route will be for the entire Class A, B, or C network X.

Auto summary is a feature of RIP-1 and IGRP that cannot be disabled. For RIP-2 and EIGRP, auto summary can be enabled or disabled. IP subnet design traditionally has not allowed discontiguous networks. A contiguous network is a single Class A, B, or C network for which all routes to subnets of that network pass through only other subnets of that same single network. Discontiguous networks refer to the concept that, in a single Class A, B, or C network, there is at least one case in which the only routes to one subnet pass through subnets of a different network. Route summarization (also called route aggregation) works like auto summarization, except that there is no requirement to summarize into a Class A, B, or C network. Route aggregation is simply a tool used to tell a routing protocol to advertise a single, larger subnet rather than the individual smaller subnets. EIGRP and OSPF are the only interior IP routing protocols to support route aggregation.


Seite 67 von 121

Routing Protocol Auto summary

enabled Auto summary disabled

Route aggregation

RIP-1 Yes, by default Not allowed No IGRP Yes, by default Not allowed No RIP-2 Yes, by default Allowed via

configuration No

EIGRP Yes, by default Allowed via configuration

Yes

OSPF No, but can do equivalent with aggregation

Yes Yes

Multiple routes to the same subnet

- 4 equal cost paths to same IP subnet allowed by default - “ip maximum-paths x” changes from 1 to 6 - (E)IGRP metrics are most lokely not 100 per cent equal

o “variance multiplier” command defines when not 100 per cent equal routes are threated as equal

o route metric < lowest metric * multiplier = equal route - “traffic share min” all traffic over llowest metric route - “traffic share balanced” traffic proportionally splitted to all routes based on

theire metric (default)

Administrative distance Administrative distance is important only if multiple IP routing protocols are in use in a single router. When this is true, both routing protocols can learn routes to the same subnets. Because their metric values are different (for example, hop count or a function of bandwidth and delay), there is no way to know which routing protocol’s routes are better. So, Cisco supplies a method of defining which routing protocol’s routes are better. The IOS implements this concept using something called administrative distance. Administrative distance is an integer value; a value is assigned to each source of routing information. The lower the administrative distance, the better the source of routing information. IGRP’s default is 100, OSPF’s is 110, RIP’s is 120, and Enhanced IGRP’s is 90. The value 100 in brackets in the show ip route output signifies that the administrative distance used for IGRP routes is 100—in other words, the default value is in use. So, if RIP and IGRP are both used, and if both learn routes to the same subnets, only IGRP’s routing information for those subnets will be added to the routing table. If RIP learns about a subnet that IGRP does not know about, that route will be added to the routing table.


Seite 68 von 121

IPX RIP

IP RIP and IPX RIP in comparison Novell RIP / IPX RIP IP RIP Uses Distance Vector Uses Distance Vector Is based on XNS RIP Is based on XNS RIP 60 seconds update timer (by default) 30 seconds update timer (by default) Uses timer ticks as primary metric, hop count as secondary metric

Uses hop count as only metric

IPX RIP Metric IPX RIP uses two metrics: ticks and hops. Ticks are 1/18 of 1 second; the metric is an integer counter of the number of ticks delay for this route. By default, a Cisco router treats a link as having a certain number of ticks delay. LAN interfaces default to one tick and WAN interfaces default to six ticks. The number of hops is considered only when the number of ticks is a tie. By using ticks as the primary metric, better routes can be chosen instead of just using hop count. For example, a three-hop, three-tick route that uses three Ethernets will be chosen over a twohop, eight-tick route that uses two Ethernets and a serial link.

Service Advertisement Protocol – SAP

Brief SAP Description SAP is used by servers to propagate information that describes their services.

SAP Process - SAP uses a concept similar to split horizon to stop a node from advertising

SAP information it learned on an interface with updates sent out that same interface.

- Each server sends SAP updates by default every 60 seconds that include the IPX address, server name, and service type.

- Every other server and router listens for these updates but does not forward the SAP packet(s). Instead, the SAP information is added to a SAP table in the server or router; then the packets are discarded.

- When that router or server’s SAP timer expires, new SAP broadcasts are sent. As with IPX RIP for routing information, IPX SAP propagates service information until all servers and routers have learned about all servers.


Seite 69 von 121

IPX logon procedure - The overall goal of Client 1 is to log in to its preferred server, Server 2. - The first step is to connect to some server that has a full SAP table so that the

client can learn the IPX address of its preferred server. (The preferred server name is configured on the client, not the IPX address of the preferred server.)

- The router might know the preferred server’s name and IPX address in its SAP table, but no IPX message defined allows the client to query the router for name resolution. However, an IPX broadcast message asking for any nearby server is defined by IPX: the GNS request.

- The router can supply the IPX address of some nearby server because the router has a SAP table.

- Next, the client needs to learn which router to use to forward packets to the server discovered by its GNS request.

- RIP requests and replies are used by the client to learn the route from any router (or server) on the same LAN.

- As a result, Client 1 knows which router to use to deliver packets to network 1001.

- After connecting to Server 1, the client learns the IPX address of Server 2, its preferred server.

- The client needs to know the best route to the preferred server’s - network; therefore, a RIP request and reply to learn the best next-hop router to

network 1002. - Finally, packets are sent between the client and Server 2 so that the client can

log in; the intervening routers are simply routing the packets. - IPX clients create their own IPX address using the network number in the

source address field of the GNS reply. The GNS reply is always sent by a router or server on the same network as the client. The client examines the source IPX address of the GNS reply to learn its own IPX network number. The complete client IPX address is formed by putting that network number with the MAC address of the client’s LAN interface.


Seite 70 von 121

Graphically


Seite 71 von 121

IPX configuration - “ipx routing” command enables IPX RIP and SAP - “ipx network” command implies that RIP and SAP updates should be sent and

listened for on those interfaces. Only one route to each network is allowed in the routing table, by default. If the ipx maximum-paths 2 global command had been configured on Yosemite, both routes would be included. Unlike with IP, when two routes are in the IPX routing table, per-packet load balancing across these paths occurs, even if fast switching is enabled. The default per-packet load balancing used for IPX when multiple routes to the same network are in the routing table may not be desired because packets can arrive out of order. By having the router send all packets to an individual IPX address over the same route every time, those packets should be received in order. The ipx per-host-load-share configuration command disables per-packet balancing and enables balancing based on the destination address. Of course, the penalty is that the traffic will not be completely balanced, based on the numbers of packets to each destination.

Tunneling

Description Tunneling is the process whereby a router encapsulates one Layer 3 protocol inside another protocol (typically IP) for transport across a network to another router. The receiving router de-encapsulates the packet, leaving the original protocol. Each intermediate router that is used between the endpoints of the tunnel is unaware of the protocol being encapsulated.

Important terms Three important terms are used to describe the three parts of the entity that is sent between the two tunneling routers:

- Passenger protocol—This is the protocol being encapsulated. In Figure 6-16, IPX is the passenger protocol.

- Encapsulation protocol—To identify the passenger protocol, an additional header is used. You can think of this additional header as another place to include a field such as the data link layer’s type, DSAP, or protocol field. The IP header defines that one of these encapsulating protocol headers follows IP, and the encapsulation protocol identifies the type of Layer 3 passenger protocol that follows it.

- Transport protocol—The transport protocol delivers the passenger protocol across the network. IP is the only choice in the IOS.


Seite 72 von 121

Reasons for tunneling - To allow multiple protocols to flow over a single-protocol backbone - To overcome discontiguous network problems - To allow virtual private networks (VPNs) - To overcome the shortcoming of some routing protocols with low maximum

metric limitations - To reduce the amount of overhead of routing protocols

The reduction of overhead and the capability to have an IP-only backbone are the two most compelling reasons to use tunneling.


Seite 73 von 121

Tunneling for VPNs

Token-Ring

Token-Ring

VPN Provider

Ethernet

Ethernet

B1 B2

A2A1

Routers A1 and A2 are owned by Company A, and Routers B1 and B2 are owned by Company B. The two companies do not want their traffic intermingled. If the service provider simply set up routing protocols to each company’s sites and advertised all the routes into the service provider network, a couple of undesirable situations will occur. First, route filtering would be required to keep Company A from learning routes to Company B, and vice versa. Also, if either company wanted to use private IP addresses, then the intermingling of IP routes would be disastrous. For instance, if both Company A and Company B decided to use network 10.0.0.0, subnets would overlap and only some of the traffic would be delivered correctly. The benefit of tunneling for VPNs is that the service provider network does not learn routes about Company A or Company B. The tunnels use addresses in the service provider network. The routing protocol on Routers A1 and A2 send updates to each other over the tunnel, so these two routers think they are logically adjacent. Likewise, Routers B1 and B2 send updates to each other; these updates do not need to be processed by the service provider routers. Also, because the customer routes are not learned by the service provider, there is no need for route redistribution or route filtering.


Seite 74 von 121

Tunneling configuration Tunneling configuration is not very complicated if you remember the framing with the transport, encapsulation, and passenger protocols. A tunnel interface is created on each router at the ends of the tunnel. To accommodate the transport protocol, an IP address is used at the endpoints of the tunnel; these IP addresses are used as the source and destination IP addresses of the encapsulated packets. The type of encapsulation protocol is configured; there are six alternatives. Finally, the tunnel interface is configured just like any other interface to enable the desired passenger protocols. The configuration is simplified if you concentrate on the transport, encapsulation, and passenger protocols. First IP is enabled on all interfaces except the tunnel interface. However, the tunnel source command implies the IP address to be used on the interface; this IP address is used as the source for all packets sent out the tunnel interface. Likewise, the tunnel destination IP address is used as the destination address for packets sent out each tunnel interface. IP is enabled by default. The encapsulation protocol in this case has defaulted to generic route encapsulation (GRE). If another protocol were desired, the tunnel mode interface subcommand would be used to set the protocol. The passenger protocol is enabled on the tunnel interface, just as it would be for any other interface. IPX routing is enabled globally, and the ipx network command is used on both the Ethernet interface and the tunnel interface.


Seite 75 von 121

Integrated Multiprotocol Routing So far only separate Multiprotocol Routing was discussed. That means, that for every possible Layer 3 Protocol an own routing protocol is defined. Integrated multiprotocol routing means that a routing protocol is able to decide the best route for every Layer 3 protocol.

Integrated multiprotocol routing process IP Packet

IPX PacketAppleTalk Packet

Type of packet ?

IP routing table IPX routing table AppleTalk routingtable

route it route it route it

compare

com

pare

compare

Separate Multiprotocol Routing ↔ Integrated Multiprotocol Routing Separate Multiprotocol Routing Integrated Multiprotocol Routing Multiple routing tables, one each for IP, IPX, and AppleTalk

Multiple routing tables, one each for IP, IPX, and AppleTalk

Multiple routing updates, one per routing protocol.

One routing update combined for all three routed protocols.


Seite 76 von 121

Routing Command Summary Command Information supplied Show ip protocol Provides information on IP routing

protocols running, IP addresses of neighboring routers using the routing protocol, and timers.

Show ip route Lists IP routes, including subnet, next-hop router, and outgoing interface. Also identifies the source of routing information.

Show ipx route Lists IPX routes, including subnet, next-hop router, and outgoing interface. Also identifies the source of routing information.

Show ipx servers Lists contents of the SAP table, including server name, address, and SAP type.

Debug ip rip Lists detailed contents of both sent and received IP RIP updates.

Debug ip igrp transactions Lists detailed contents of both sent and received IGRP updates.

Debug ip igrp event Lists summary of contents of both sent and received IGRP updates.

Debug ip rip activity Lists detailed contents of both sent and received IPX RIP updates.

Debug ipx sap activity Lists detailed contents of both sent and received SAP updates.

Router rip Enables RIP as routing protocol Router igrp process-id Enables IGRP with process-id Network net-number Includes net-number in Routing Protocol

updates Passive-interface type number Excludes subnets on this interface from

routing protocol advertisements Maximum-paths x Sets the maximum number of equal cost

paths kept in routing table Variance multiplier Determines when 2 nearly equal cost

IGRP paths are threated as really equal Traffic-share balanced/min Determines wheter only lowest cost IGRP

path (min) or all paths are used proportionally to theire costs (balanced)

Show ip route subnet Shows entire routing table or just subnet entry

Show ip protocol Routing protocol parameters and timers


Seite 77 von 121

6. Access list security Filtering IP Traffic

Where Filtering can be done Packets can be filtered as they enter an interface, before the routing decision.

- Packets can be filtered before they exit an interface, after the routing decision. - “Deny” is the term used in the IOS to imply that the packet will be filtered. - “Permit” is the term used in the IOS to imply that the packet will not be filtered. - The filtering logic is configured in the access list. - At the end of every access list is an implied “deny all traffic” statement.

Therefore, if a - packet does not match any of your access list statements, the packet will be

blocked.

Graphically

IP packet

inboundaccess list

trash

can routing logic

outboundaccess list

Forward

permit

permit

deny

deny


Seite 78 von 121

IP access list commands Command Function / Purpose access-list {1-99} {permit/deny} source-addr [source-mask] Global command for

standard numbered access lists.

access-list{100-199} {permit/deny}protocolsource-addr[source-mask] [operator operand]destination-addr[destination-mask] [operatoroperand] [established]

Global command for extended numbered access lists.

ip access-group{number/name[in/out] } Interface subcommand to enable access lists

ip access-list{standard/extended}name

Global command for standard and extended named access lists.

deny{source[source-wildcard] /any}[log] Standard named access list subcommand

{Permit/deny}protocol source-addr[sourcemask] [operator operand] destination-addr[destination-mask] [operator operand][established]

Extended named access list subcommand

access-class number/name [in/out] Line subcommand for standard or extended access lists.

show ip interface Includes reference to the access lists enabled on the interface.

show access-list Shows details of configured access lists for all protocols.

show ip access-list[number] Shows IP access lists.

Access list logic - The matching parameters of the first access list statement are compared to

the packet. - If a match is made, the action defined in this access list statement(permit or

deny) is performed. - If a match is not made in Step 2, then Steps 1 and 2 are repeated using the

next sequential access list statement. - If no match is made with an entry in the access list, the deny action is

performed.


Seite 79 von 121

Standard IP access lists

Functionality - Standard access lists can match only by examining the source IP

address field in the packet’s IP header. - Any bit positions in the 32-bit source IP address can be compared to

the access list - Statements. - A wildcard mask defines the subset of the 32 bits in the IP address that

must be matched. - Matching is performed by comparing an access-list command address

parameter and the packet’s source IP address. - Mask bits of value binary 0 imply that the same bit positions must be

compared in the two IP addresses. - Mask bits of value binary 1 are wildcards; the corresponding bit

positions in the addresses are considered to match, regardless of values.

- In other words, binary 1s mean that these bit positions already match—hence the name wildcard.

Examples - Access List entry 0.0.0.0 All bits have to match - Access List entry 255.255.255.255 All bits automatically match regardless

of the address in the packet - Access List entry 0.0.255.255 The first 16 bits of the address have to match - Access List entry 32.48.0.255 All bits except the 3rd, 11th, 12th, and last 8

must match (refer to binary representation of the access list mask).

Extended IP access lists

Functionality Extended IP access lists are almost identical to standard IP access lists in their use. The key difference between the two types is the variety of fields in the packet that can be compared for matching by extended access lists.


Seite 80 von 121

Matching options graphically

Matching options overview

- Source IP address (like a standard access list) - Portions of the source IP address, using a wildcard mask (like a standard

access list) - Destination IP address - Portions of the destination IP address, using a wildcard mask - Protocol type (TCP, UDP, ICMP, IGRP, IGMP, and others) - Source port - Destination port - Established matches all TCP flows except first flow - IP TOS - IP precedence

An access list statement matches when all options in the statement match!

Examples Access list statement What matches ? access-list 101 deny tcp any host 10.1.1.1 eq 23 Packet with any source address;

destination must be 10.1.1.1, with a TCP header, with destination port 23.

access-list 101 deny tcp any host 10.1.1.1 eq telnet Same function as last example; telnet keyword is used instead of port 23.

access-list 101 deny udp 1.0.0.0 0.255.255.255 lt 1023 any Packet with source in network 1.0.0.0 to any destination, using UDP with source port less than 1023..


Seite 81 von 121

Access list statement What matches ? access-list 101 deny udp 1.0.0.0 0.255.255.255 lt 1023 44.1.2.3 0.0.255.255

Packet with source in network 1.0.0.0 to destinations beginning 44.1, using UDP with source port less than 1023.

access-list 101 deny ip 33.1.2.0 0.0.0.255 44.1.2.3 0.0.255.255

Packet with source in 33.1.2.0/24 to destinations beginning 44.1.

access-list 101 deny icmp 33.1.2.0 0.0.0.255 44.1.2.3 0.0.255.255 echo

Packet with source in 33.1.2.0/24 to destinations beginning 44.1, which are ICMP Echo Requests and Replies.

The keyword any implies that any value is matched. The keyword host, followed by an IP address, implies that exactly that IP address is matched. In other words, the any keyword implies logic like a wildcard mask of 255.255.255.255, and the host keyword implies logic like a wildcard mask of 0.0.0.0.

Named IP access lists

Differences between numbered and named ACL’s - Names are more intuitive reminders of the function of the list. - Names allow for more access lists than 99 standard and 100 extended, which

is the restriction using numbered access lists. - Named access lists allow individual statements to be deleted. Numbered lists

allow for deletion only of the entire list. Insertion of the new statement into a named list requires deletion and re-addition of all statements that should be later in the list than the newly added statement.

- The actual names used must be unique across all named access lists of all protocols and types on an individual router. Names can be duplicated on different routers.

Comparison of named and numbered ACL’s Numbered Named Commands for matching packets: standard IP ACLs

access-list 1-99 permit | deny . . .

ip access-list standard name

Commands for matching packets: extended IP ACLs


ip access-list extended name

Commands for enabling ACLs

ip access-group 1-99 in | out ip

access-group name in | out

Commands for enabling ACLs

ip access-group 100-199 in | out

ip access-group name in | out


Seite 82 von 121

Notes about deleting parts of named access lists You can delete parts of named access lists. So for example just one statement in it. Check the following config log to see how this can be done: First we build us an access list:

conf t Enter configuration commands, one per line. End with Ctrl-Z. Router(config)#ip access-list extended barney Router(config-ext-nacl)#permit tcp host 10.1.1.2 eq www any Router(config-ext-nacl)#deny udp host 10.1.1.1 0.0.0.128 255.255.255.127 Router(config-ext-nacl)#deny ip 10.1.3.0 0.0.0.255 10.1.2.0 0.0.0.255 ! The next statement is purposefully wrong so that the process of changing the list can be seen. Router(config-ext-nacl)#deny ip 10.1.2.0 0.0.0.255 10.2.3.0 0.0.0.255 Router(config-ext-nacl)#deny ip host 10.1.1.130 host 10.1.3.2 Router(config-ext-nacl)#deny ip host 10.1.1.28 host 10.1.3.2 Router(config-ext-nacl)#permit ip any any Router(config-ext-nacl)#^Z Router#sh run Building configuration... Current configuration: . . (unimportant statements omitted) . ! ip access-list extended barney permit tcp host 10.1.1.2 eq www any deny udp host 10.1.1.1 0.0.0.128 255.255.255.127 deny ip 10.1.3.0 0.0.0.255 10.1.2.0 0.0.0.255 deny ip 10.1.2.0 0.0.0.255 10.2.3.0 0.0.0.255 deny ip host 10.1.1.130 host 10.1.3.2 deny ip host 10.1.1.28 host 10.1.3.2 permit ip any any


Seite 83 von 121

Then we want to delete an entry:

IP access list summary

- The order of the list is important. - All matching parameters must be true before a statement is “matched.” - An implied “deny all” is at the end of the list.

The philosophy of choosing the location for access lists is covered in more depth in the CCNP exam than in the CCNA exam. However, filtering packets closer to the source of the packet generally is better because the soon-to-be discarded packets will waste less bandwidth than if the packets were allowed to flow over additional links before being denied.Be particularly careful of questions relating to existing lists. In particular, if the question suggests that one more access-list command should be added, simply adding that command will place the statement at the end of the list, but the statement might need to be earlier in the list to accomplish the goal described in the question. Also focus on the differences between named and numbered IP access lists.

Router#conf t Enter configuration commands, one per line. End with Ctrl-Z. Router(config)#ip access-list extended barney Router(config-ext-nacl)#no deny ip 10.1.2.0 0.0.0.255 10.2.3.0 0.0.0.255 Router(config-ext-nacl)#^Z Router#show access-list Extended IP access list barney permit tcp host 10.1.1.2 eq www any deny udp host 10.1.1.1 0.0.0.128 255.255.255.127 deny ip 10.1.3.0 0.0.0.255 10.1.2.0 0.0.0.255 deny ip host 10.1.1.130 host 10.1.3.2 deny ip host 10.1.1.28 host 10.1.3.2 permit ip any any Router#conf t Enter configuration commands, one per line. End with Ctrl-Z. Router(config)#ip access-list extended barney Router(config-ext-nacl)#no permit ip any any Router(config-ext-nacl)#no deny ip host 10.1.1.130 host 10.1.3.2 Router(config-ext-nacl)#no deny ip host 10.1.1.28 host 10.1.3.2 Router(config-ext-nacl)#deny ip 10.1.2.0 0.0.0.255 10.1.3.0 0.0.0.255 Router(config-ext-nacl)#deny ip host 10.1.1.130 host 10.1.3.2 Router(config-ext-nacl)#deny ip host 10.1.1.28 host 10.1.3.2 Router(config-ext-nacl)#permit ip any any Router(config-ext-nacl)#^Z Router#sh ip access-list Extended IP access list barney permit tcp host 10.1.1.2 eq www any deny udp host 10.1.1.1 0.0.0.128 255.255.255.127 deny ip 10.1.3.0 0.0.0.255 10.1.2.0 0.0.0.255 deny ip 10.1.2.0 0.0.0.255 10.1.3.0 0.0.0.255 deny ip host 10.1.1.130 host 10.1.3.2 deny ip host 10.1.1.28 host 10.1.3.2 permit ip any any


Seite 84 von 121

Filtering IPX Traffic and SAPs

ACL numbers 800 – 899 Standard IPX ACL 900 – 999 Extended IPX ACL 1000 – 1099 SAP ACL

IPX ACL commands The commands are nearly the same. Additionally the following commands are available:

- ipx access-group {number | name [in | out] } Interface subcommand to enable a named or numbered, standard or extended IPX access list

- ipx output-sap-filter list-number Interface subcommand to enable SAP access lists used for outbound SAP packets

- ipx input-sap-filter list-number Interface subcommand to enable SAP access lists used for inbound SAP packets

- show ipx interface Includes reference to the access lists enabled on the interface

- show access-list number Shows details of all configured access lists for all protocols

- show ipx access-list Shows details of all IPX access lists

Standard IPX ACL’S Can filter by::

- Source network - Source IPX address (network and node) - Source network and portions of the node address, using a node mask - Destination network - Destination IPX address (network and node) - Destination network and portions of the node address, using a node mask


Seite 85 von 121

Extended IPX ACL’s

Can filter by:

- Source network - Source IPX address (network and node) - Source network and portions of the node address,

using a node mask - Destination network - Destination IPX address (network and node) - Destination network and portions of the node address,

using a node mask

- Portions of entire source IPX address, using a wildcard mask - Portions of entire destination IPX address, using a wildcard mask - Protocol type (NetBios, SPX, SPX+NCP,RIP,SAP) - Source socket - Destination socket

(Socket is the same as an TCP/UDP port)

Graphically: Matching fields can be:

Like

sta

ndar

d IP

X A

CL


Seite 86 von 121

SAP Filters

How SAP packets flow

1. A router or server decides it is time to send a SAP broadcast on its attached network, based on the expiration of its SAP timer.

2. That router or server creates enough SAP packets to advertise all its SAP information (up to seven services per packet, by default).

3. That router or server sends the SAP packets out into the attached network. 4. Other routers and servers are attached to the same medium; these routers

and servers receive all the SAP packets. 5. The receiving routers and servers examine the information inside the SAP

packets and update their SAP tables as necessary. 6. The receiving routers and servers discard the SAP packets. Every server and

router uses a SAP timer, which is not synchronized with the other servers and routers.

7. When the timer expires, each server and router performs Steps 1 through 3, and their neighboring servers and routers react and perform Steps 4 through 6.

In other words: SAP packets are never forwarded by a router or server!

Filtering without forwarding Due to the fact that packets are only filtered by packet filters when they go through a router SAP packets can’t be filtered, because they don’t go through a router.

distribute lists are used instead

Function SAP filtering provides two functions:

- filtering the services listed in outgoing SAP updates o reduces the information sent to the router’s neighboring IPX servers

and routers. - filtering services listed in received SAP updates.

o limits what a router adds to its SAP table when an update is received. - Unlike packet filters, SAP filters examine the data inside the packet as well.


Seite 87 von 121

Graphically

SAPUpdatePacket

Check SAPInfo Update Sap Table

Sap Table

Check SAPtable

Do not add totable

Do not put entryinto packet Build SAP packets

permitdeny

permitdeny

send SAPUpdates

SAP timerexpires

Reasons for filtering SAP Packets - SAP updates can consume a large amount of bandwidth, particularly in

nonbroadcast multiaccess (NBMA) networks. If clients in one division never need services from servers in another division, there is no need to waste bandwidth advertising the services.

- Sap Filters can accomplish the same task as most IPX packet filters, but with less overhead.

- SAP filtering to disallow certain clients from using certain servers is more efficient than IPX packet filters. SAPs are sent once every 60 seconds, whereas packet filters cause the IOS to examine every IPX packet, a much more frequent task.


Seite 88 von 121

SAP filtering matching fields - Source network - Source IPX address (network and node) - Portions of the source address, using a wildcard mask - Destination network - Destination IPX address (network and node) - Portions of the destination address, using a wildcard mask - Service type - Server name

Named IPX ACL’s - use same configuration logic like standard and extendes IPX ACL’s and SAP

filtering - Some advantages:

o Names are more intuitive reminders of the function of the list. o Names allow more access lists than 100 standard, extended, and SAP

access lists, which is the restriction using numbered access lists. o Named access lists allow individual statements to be deleted.

Numbered lists allow for deletion only of the entire list. Insertion of the new statement into a named list requires deletion and re-addition of all statements that should follow the newly added statement.

o The actual names used must be unique across all named access lists of all protocols and types on an individual router. Names can be duplicated on different routers.

- Matching fields of numbered and named IPX ACL’s and SAP filtering are identical

Comparison of named and numbered IPX ACL’s / Commands Numbered Named Standard Matchin command


*ipx access-list standard namepermit | deny . . .

Extended Matching command


*ipx access-list extended name permit | deny . . .

SAP matching command access-list 1000-1099 permit | deny . . .

*ipx access-list sap name permit | deny . . .

Standard ACL enabling ipx access-group 800-899 in | out

ipx access-group name in | out

Extended ACL enabling ipx access-group 900-999 in | out

ipx access-group name in | out

SAP filter enabling ipx output-sap-filter 1000- 1099 ipx input-sap-filter 1000-1099

ipx output-sap-filter name ipx input-sap-filter name

*Permit and deny are subcommands of the ipx access-list command name is created by administrator


Seite 89 von 121

Notes about deleting parts of named access lists You can delete parts of named access lists. So for example just one statement in it. Check the following config log to see how this can be done: First we build us an access list: Then we want to delete an entry:

configure terminal Enter configuration commands, one per line. End with CNTL/Z. R1(config)#ipx access-list sap fred R1(config-ipx-sap-nacl)#deny 2 7 R1(config-ipx-sap-nacl)#deny 3 R1(config-ipx-sap-nacl)#deny 4 7 R1(config-ipx-sap-nacl)#permit -1 R1(config-ipx-sap-nacl)#^Z R1#show ipx access-lists IPX sap access list fred deny 2 7 deny 3 deny 4 7 permit FFFFFFFF

R1#config t Enter configuration commands, one per line. End with CNTL/Z. R1(config)#ipx access-list sap fred R1(config-ipx-sap-nacl)#no deny 4 7 R1(config-ipx-sap-nacl)#^Z R1#show ipx access-lists IPX sap access list fred deny 2 7 deny 3 permit FFFFFFFF


Seite 90 von 121

Overview IPX ACL configuration commands Command Configuration mode and

purpose access-list {800-899} {permit | deny} sourcenetwork [.source-node [source-node-mask]] [destination-network [.destination-node [destination-node-mask]]]

Global command to create numbered standard IPX access lists

access-list {900-999} {permit | deny} protocol [source-network] [[[.source-node [source-nodemask]] | [.source-node source-networkmask. source-node-mask]] [source-socket] [destination-network] [[[.destination-node [destination-node-mask] | [.destination-node destination-network-mask. Destination-nodemask]] [destination-socket] log

Global command to create numbered extended IPX access lists

access-list {1000-1099} {permit | deny} network [.node] [network-mask.node-mask] [service-type [server-name]]

Global command to create numbered SAP access lists

ipx access-list {standard | extended | sap } name

Global command to begin creation of a named standard, extended, or SAP access list

{permit | deny} source-network [.source-node [source-node-mask]] [destination-network [.destination-node [destination-node-mask]]]

Named access list subcommand for standard access lists

{permit | deny} protocol [source-network] [[[.source-node [source-node-mask]] | [.sourcenode source-network-mask.source-node-mask]] [source-socket] [destination-network] [[[.destination-node [destination-node-mask] | [.destination-node destination-network-mask. Destination-node-mask]] [destination-socket] log

Named access list subcommand for extended access lists

{permit | deny} network [.node] [networkmask. node-mask] [service-type [server-name]]

Named access list subcommand for SAP access lists

ipx access-group {number | name [in | out] } Interface subcommand to enable a named or numbered, standard or extended IPX access list

ipx output-sap-filter list-number Interface subcommand to enable SAP access lists used for outbound SAP packets

ipx input-sap-filter list-number Interface subcommand to enable SAP access lists used for inbound SAP packets

show ipx interface Includes reference to the access lists enabled on the interface

show access-list number Shows details of all configured access lists for all protocols

show ipx access-list Shows details of all IPX access lists


Seite 91 von 121

7. WAN Protocols and Design Point to point leased lines

Terms and Definitions Term Definition Synchronous The imposition of time ordering on a bit stream. More practically

speaking, a device will try to use the same speed as another on the other end of a serial link. However, by examining transitions between voltage states on the link, the device can notice slight variations in the speed on each end so that it can adjust its speed

Asynchronous The lack of an imposed time ordering on a bit stream. More practically speaking, both sides agree to the same speed, but there is no check or adjustment of the rates if they are slightly different. However, because only 1 byte per transfer is sent, slight differences in clock speed are not an issue. A start bit is used to signal the beginning of a byte.

Clock source The device to which the other devices on the link adjust their speed when using synchronous links.

DSU/CSU Data Services Unit and Channel Services Unit. This is used on digital links as an interface to the telephone company in the United States. Routers typically use a short cable from a serial interface to a DSU/CSU, which is attached to the line from the telco with a similar configuration at the other router on the other end of the link. The routers use their attached DSU/CSU as the clock source.

Telco Telephone company. 4-wire circuit A line from the telco with four wires, comprised of two twisted-pair

wires. Each pair is used to send in one direction, so a 4-wire circuit allows full-duplex communication.

2-wire circuit A line from the telco with two wires, comprised of one twisted-pair wire. The pair is used to send in only one direction at a time, so a 2-wire circuit allows only half-duplex communication.

T/1 A line from the telco that allows transmission of data at 1.544Mbps. This can be used with a T/1 multiplexor.

T/1 mux. A multiplexor that separates the T/1 into 24 different 64kbps channels. In the United States, one of every 8 bits in each channel can be used by the telco so that the channels are effectively 56kbps channels

E/1 Like a T/1, but in Europe. It uses a rate of 2.048Mbps and 32 64kbps channels.


Seite 92 von 121

Protocol used on point to point links

Overview - Link Access Procedure Balanced (LAPB) - High-Level Data Link Control (HDLC) - Point-to-Point Protocol (PPP)

Functions - LAPB, HDLC, and PPP provide for delivery of data across a single point-to-

point serial link. - LAPB, HDLC, and PPP deliver data on synchronous serial links. (PPP

supports asynchronous functions as well.)

Framing Each of these protocols defines framing so that receiving stations know where the beginning of the frame is, what address is in the header, and the point at which the packet begins. By doing so, the router receiving data can distinguish between idle frames and data frames. Synchronous links, rather than asynchronous links, are typically used between routers.

How to differentiate the 3 protocols - Whether the protocol supports synchronous communications, asynchronous

communications, or both. - Whether the protocol provides error recovery. (The LAPB, HDLC, and PPP

protocols all provide error detection.) - Whether an architected Protocol Type field exists. In other words, the protocol

specifications define a field in the header that identifies the type of packet contained in the data portion of the frame.


Seite 93 von 121

Point-to-Point Data Link Protocol Attributes Protocol Error Correction ? Architected

Type Field Other Attributes

Synchronous Data Link Control (SDLC)

Yes None SDLC supports multipoint links; it assumes that the SNA header occurs after the SDLC header.

Link Access Procedure Balanced (LAPB)

Yes None Spec assumes a single configurable protocol after LAPB. LAPB is used mainly with X.25. Cisco uses a proprietary type field to support multiprotocol traffic.

Link Access Procedure on the D channel (LAPD)

No No LAPD is not used between routers, but is used on the D channel from router to ISDN switch for signaling.

High-Level Data Link Control (HDLC)

No No HDLC serves as Cisco’s default on serial links. Cisco uses a proprietary type field to support multiprotocol traffic.

Point-to-Point Protocol (PPP)

Enables the user to choose whether error correction is performed; correction uses LAPB

Yes PPP was meant for multiprotocol interoperability from its inception, unlike all the others. PPP also supports asynchronous communication.

Note: Architected type field A field defined in the protocol itself which defines the type of encapsulated packet inside the WAN data link frame (if more than one type is possible)is called architected (“build in”) HDLC and PPP Configuration

Configuration commands Command Configration mode and purpose encapsulation{hdlc|ppp|lapb} Interface subcommand; defines which protocol to

use compress[Predictor|stac|mppc[ignore-pfc]] Interface subcommand; defines whether and

which compression should be used on the link. show interface Lists statistics and details of interface

configuration, including the encapsulation type.

show compress Lists compression ratios. show process Lists processor and task utilization. Is useful in

watching for increased utilization due to compression.


Seite 94 von 121

Changing encapsulation types Converting back to HDLC (the default) is done with the encapsulation hdlc command, not by using a command such as no encapsulation ppp! Additionally, any other interface subcommands that are pertinent only to PPP are also removed when the encapsulation hdlc command is used..

PPP special features • PPP provides several other features in addition to synchronization and

framing. • Two categories:

o those needed regardless of the Layer 3 protocol sent across the link o those particular to each Layer 3 protocol.

PPP Link Control Protocol (LCP) provides the base features needed regardless of the Layer 3 protocol sent across the link. A series of PPP control protocols, such as IP Control Protocol (IPCP), provide features for a particular Layer 3 protocol to function well across the link. For example, IPCP provides for IP address assignment; this feature is used extensively with Internet dialup connections today. Only one LCP is needed per link, but multiple control protocols are needed. If a router is configured for IPX, AppleTalk, and IP on a PPP serial link, the router configured for PPP encapsulation automatically tries to bring up the appropriate control protocols for each Layer 3 protocol.


Seite 95 von 121

PPP LCP Features Function Name of LCP Feature Description Looped link detection

Magic number Using a magic number, routers send messages to each other with a different magic number. If you ever receive your own magic number, the link is looped. A configuration setting determines whether the link should be taken down when looped.

Error detection Link Quality Monitoring (LQM)

PPP can take down a link based on the percentage of errors on the link. LQM exchanges statistics about lost packets versus sent packets in each direction; when compared to packets and bytes sent, this yields a percentage of errored traffic. The percentage of loss that causes a link to be taken down is enabled and defined by a configuration setting.

Authentication PAP and CHAP Mostly used on dial links, PAP and CHAP can be used to authenticate the device on the other end of the link.

Compression STAC and Predictor This is software compression. Multilink support Multilink PPP Fragments of packets are load-

balanced across multiple links. This feature is more often used with dial.

Error Detection

Looped link detection allows for faster convergence when a link fails because it is looped. (Links are typically looped for testing purposes.) When this occurs, a router continues to receive the looped Cisco proprietary keepalive messages, so the router might not think that the link has failed. For instance, the absence of routing updates from a neighbor for a certain length of time is used to drive convergence. Waiting on such an event when the link is looped increases convergence time. Looped link detection defeats this problem using a PPP feature called magic numbers. The router sends PPP messages instead of keepalives; these messages include a magic number, which is different on each router. If a line is looped, the router receives a message with its own magic number instead of getting a message with the magic number identifying the router on the other end of the link. A router receiving its own magic number knows that the frame it sent has been looped back. If configured to do so, the router can take down the interface, which speeds convergence.


Seite 96 von 121

Looped Link Detection

Error detection (not error recovery) is accomplished by a PPP feature called Link QualityMonitoring (LQM). PPP at each end of the link sends messages describing the number of correctly received packets and bytes. This is compared to the number of packets and bytes sent to calculate a percentage loss. The router can be configured to take down the link after a configured error rate has been exceeded so that future packets are sent over a longer—but hopefully better—path.

Compression Compression can be performed on LAPB, HDLC, and PPP point-to-point serial links.

Compression goal & price The goal of compression is to reduce the number of bytes sent across the link. However, there is a price to pay for compression—CPU cycles and possibly increased latency for the packets.

What happens with compression • More processing is required on the router to compress each frame, as

compared with no compression. • Latency per frame will increase because of the processing required. • Latency per frame will decrease in cases when the uncompressed packets

have waited in the output queue due to link congestion. With the compressed frames, however, the queue is shorter.

• Link utilization will decrease. • Cisco recommends avoiding sustained CPU utilization exceeding between 40

and 65 percent, depending on the platform.

Reasons for using compression

• leased lines and the traffic are expensive • faster line is not available but more data needs to travel across the line

Compession algorithms Compression can be performed in software or in hardware. Any IOS router can perform LAPB,HDLC, and PPP link compression in software; when software compression is used, CPU utilization is impacted. For hardware compression, either a VIP2 card or a Compression Service Adapter (CSA) on a 72xx or 75xx series router is required. When hardware compression is performed, the CPU is not affected. Several compression algorithms are available in the IOS to perform PPP compression: the STAC, Predictor, and Microsoft Point-to-Point Compression algorithm (MPPC).


Seite 97 von 121

Assignment of compression algorithm and protocol

Encapsulation Possible compression algorithm(s) PPP STAC, Predictor, MPPC LAPB STAC, Predictor HDLC STAC

WAN cabling standards For any of the point-to-point serial links or Frame Relay links mentioned further on, all that is needed on the router is a synchronous serial interface. Traditionally, this interface is a 60-pin D-shell connector. This interface must then be cabled to a DSU/CSU, which in turn is connected to the cable supplied by the service provider.

Connector examples

Connector details

Standard Standards Body Number of Pins EIA/TIA 232 Telecommunications Industry Association 25EIA/TIA 449 Telecommunications Industry Association 37EIA/TIA 530 Telecommunications Industry Association 25V.35 International Telecommunications Union 34X.21 International Telecommunications Union 15


Seite 98 von 121

Further Connector notes The interface to the service provider is dependent on the type of connection; the connector could be RJ-11, RJ-48, RJ-45, or possibly coax. Some serial interfaces have an integrated DSU/CSU and do not require a cable of the types shown in the figure. Depending on the expected type of line, a variety of physical interfaces are used. These interfaces are the same as those used for external CSU/DSU devices.

Frame Relay Protocols

Frame Relay Definition - delivers variable-sized data frames to multiple WAN-connected sites - relates most closely to OSI layer 2 - Layer 2 protocol - Does not use logical addressing


Seite 99 von 121

Frame Relay Features and Terminology

- multiaccess network o more than tweo devices can connect to the medium o leases lines are used as the access link component of frame relay

networks

DCE DCE

FrameRelay

Access Link

LMIMessages

LMIMessages

Frame RelayHeader

Layer 3Packet

The Access Link between router and Frame Relay Network is a leased line.

Terms and concepts Virtual circuit (VC) A VC is a logical concept that represents the path

that frames travel between DTEs. VCs are particularly useful when comparing Frame Relay to leased physical circuits.

Permanent virtual circuit (PVC) A PVC is a VC that is predefined. A PVC can be equated to a leased line in concept.

Switched virtual circuit (SVC) An SVC is a VC that is set up dynamically. An SVC can be equated to a dial connection in concept.

Data terminal equipment (DTE) DTEs are also known as data-circuit termination equipment. For example, routers are DTEs when connected to a Frame Relay service from a telecommunication company.

Data communications equipment (DCE) Frame Relay switches are DCE devices. Access link The access link is the leased line between DTE

and DCE.


Seite 100 von 121

Access rate (AR) The access rate is the speed at which the access link is clocked. This choice affects the price of the connection

Committed information rate (CIR) The CIR is the rate at which the DTE can send data for an individual VC, for which the provider commits to deliver that amount of data. The provider will send any data in excess of this rate for this VC if its network has capacity at the time. This choice typically affects the price of each VC.

Burst rate The burst rate is the rate and length of time for which, for a particular VC, the DTE can send faster than the CIR, and the provider agrees to forward the data. This choice typically affects the price of each VC.

Data link connection identifier (DLCI) A DLCI is a Frame Relay address and is used in Frame Relay headers to identify the virtual circuit.

Forward explicit congestion notification (FECN) The FECN is the bit in the Frame Relay header that signals to anyone receiving the frame (switches and DTEs) that congestion is occurring in the same direction as the frame. Switches and DTEs can react by slowing the rate by which data is sent in that direction.

Backward explicit congestion notification (BECN) The BECN is the bit in the Frame Relay header that signals to anyone receiving the frame (switches and DTEs) that congestion is occurring in the opposite (backward) direction as the frame. Switches and DTEs can react by slowing the rate by which data is sent in that direction.

Discard eligibility (DE) The DE is the bit in the Frame Relay header that signals to a switch to, if frames must be discarded, please choose this frame to discard instead of another frame without the DE bit set.

Nonbroadcast multiaccess (NBMA) NBMA refers to a network in which broadcasts are not supported, but more than two devices can be connected

Local Management Interface (LMI) LMI is the protocol used between a DCE and DTE to manage the connection. Signaling messages for SVCs, PVC status messages, and keepalives are all LMI messages.

Link access procedure—frame mode bearer services (LAPF)

LAPF is the basic Frame Relay header and trailer; it includes DLCI, FECN, BECN, and DE bits.


Seite 101 von 121

LMI and encapsulation types

Definition LMI – Local Management Interface:

- definition of messages between DTE (e.g. a router) and DCE (e.g. Frame Relay Switch of Service Provider)

Encapsulation:

- defines the headers used in addition to basic frame relay headers DTE and DCE care about same LMI. DCE does not care about encapsulation.

LMI - 3 LMI protocols available in IOS:

Name Document IOS LMI-type parameter Cisco Propietary Cisco ANSI TI.617 Annex D Ansi ITU Q.933 Annex A q933a

- LMI autosense supported with IOS version greater 11.2 - Configured LMI type diables autosensing feature - One LMI type per serial interface

o Each LMI controlls single physical link connected to single Frame Relay Switch

- Most important LMI message: o LMI status enquiry

Signals whether a PVC is up or down E.g. when PVC is down a routing protocol can react to signal

that routes over that PVC are down

Encapsulation - Frame Relay defines header/trailer with fields to allow switches and DTEs to

deliver the frame across the network


Seite 102 von 121

Frame View

LAPFheader

Information LAPFtrailer

DLCI (usually 10 bits)

FECN,BECN,DE (1 bit each)

FCS

There is no protocol field defined. If Frame Relay only uses LAPF header then DTEs cannot support multiprotocol traffic because there is no way to identify the type of protocol in the information field. Two solutions to that problem were created:

- Cisco and three other companies created an andditional header o Comes first in information field o 2 byte protocol type field

values matching the same field used for HDLC by Cisco

Ciscos protocol type field

LAPFheader Cisco Packet LAPF

trailer

- Defined in RFC1490 “Multiprotocol Interconnect over Frame Relay” o Written for multivendor interoperability o Includes a protocol type field o And many other options

E.g. bridged frames o ITU and ANSI intercorporated RFC1490 headers into Q.933 Annex E

and T.617 Annex F RFC1490 protocol type field

LAPFheader

RFC1490 Packet LAPF

trailer

Includes DLCI

Later added toQ.933-E andT.617-Fincludes protocoltype field


Seite 103 von 121

- Because the frames flow from DTE to DTE both of them have to agree to encapsulation used.

- Each VC can use a different encapsulation.

DLCI and Frame Relay Switching - Data Link connection Identifier (DLCI) is the Frame Relay Address - DLCIs are used to address virtual circuits (not DTEs!) - There is just a single DLCI field in the header – not a source and destination

DLCI - Each VC has to use a different DLCI - Frame Relay Switches will swap the DLCI in transit - DLCIs need to be unique only on the local access link - DLCI values are choosen by the service provider

o DLCIs must be unique on each access link. The DLCI used to identify an individual VC on one access link has no bearing on the value that is chosen to identify the VC on the access link at the other end of the VC.

Frame Relay

DLCI 40 DLCI 41

DLCI 40

DLCI 42

VC

VC

As you can see the DLCI just has to be different on each end of the VC.


Seite 104 von 121

DLCI Global Addressing

GlobalDLCI 42

GlobalDLCI 41

GlobalDLCI 40

Frame Relay

DLCI 40

DLCI 41

DLCI 40

DLCI 42

A

B

C The concept of global addressing is the reason that typical Frame Relay networks use a different DLCI value on each end of the VC. Global addressing allows you to think of the Frame Relay network like a LAN in terms of addressing concepts. In the graphic above, think of the DLCI values as an address for the DTE, which is similar to how a unicast MAC address represents a LAN card. On a LAN, if Host B wants to send a frame to Host A, Host B sends a frame with Host A’s MAC address as the destination. Similarly, if Router B wants to send a frame to Router A, then Router B (by the convention of global addressing) sends a frame with Router A’s global DLCI value in the header. Likewise, Router C sends frames with DLCI 40 to reach Router A, by convention. Router A sends frames with DLCI 41 to reach Router B, and with DLCI 42 to reach Router C, again, by the convention of global addressing. Figure 8-9 shows the DLCIs used for global addressing and the actual values placed into the Frame Relay headers for correct delivery across the network.

Global Addressing Summary • Local addressing is how Frame Relay addressing works. However, by

following the convention of global addressing, planning is easier because the addressing appears similar to LAN addressing.

• A global address for one DTE simply means that all other DTEs with a VC to this one DTE use its global address on their local access links.


Seite 105 von 121

Global Addressing Advantages The biggest advantage is that is easier to add new sites.

DLCI 40

DLCI 41 DLCI 42

DLCI 40

DLCI 41 DLCI 42 DLCI 43 DLCI 44


Seite 106 von 121

Network layers and Frame Relay There are 3 issues relating to layer 3 flows over frame relay:

- Choices for Layer 3 addressing over Frame Relay interfaces - Broadcast handling - Split horizon

Layer 3 addressing There are three possible Frame Relay meshes

- Full mesh - Partial mesh - Hybrid

Full Mesh Full mesh means that every router has a direct connection to every other router as seen in following graphic:

The IPX and IP addresses would be configured as subcommands on the serial interface.


Seite 107 von 121

Partial Mesh Because all four routers do not have VCs to each other, each VC uses a different set of Layer 3 groups.

The addresses would be configured as subcommands on the serial interface. Subinterfaces allow the Atlanta router to have three IP addresses and three IPX addresses associated with its serial 0 interface. Subinterfaces can treat each VC as though it were a pointto- point serial link. Each of the three subinterfaces of serial 0 on Atlanta would be assigned a different IP address and IPX address.


Seite 108 von 121

Hybrid Hybrid means a mixture of full and partial meshes so that the following topology can occur:

Two options exist for Layer 3 addressing in this case. The first is to treat each VC as a separate Layer 3 group; five subnets and five IPX networks would be needed for the Frame Relay network. However, if Routers A, B, and C are considered alone, they meet the criteria that each can send packets directly to each other, like a full mesh. This would allow Routers A, B, and C to use one subnet and IPX network. The other two VCs—between A and D, and between A and E—are treated as two separate Layer 3 groups. The result is a total of three subnets and three IPX network numbers. To accomplish either style of Layer 3 addressing in this third and final case, subinterfaces are used. Point-to-point subinterfaces are used when a single VC is considered to be all that is in the group. Multipoint subinterfaces are used among Routers A, B, and C.

Broadcast Handling Broadcasts are not supported over a Frame Relay network. In other words, no capability exists for a DTE to send a frame that is replicated and delivered across more than one VC. However, routers need to send broadcasts for several features to work. In particular, routing protocol updates and SAP updates are broadcasts. The solution to the broadcast dilemma for Frame Relay has two parts. First, the IOS sends copies of the broadcasts across each VC that you instruct it to. Of course, if there are only a few VCs, this is not a big problem. However, if hundreds of VCs terminate in one router, then for each broadcast, hundreds of copies could be sent. The IOS can be configured to limit the amount of bandwidth that is used for these replicated broadcasts.


Seite 109 von 121

As the second part of the solution, the router tries to minimize the impact of the first part of the solution. The router places these broadcasts into a different queue than user traffic so that the user does not experience a large spike in delay each time some broadcast is replicated and sent over each VC.

Split Horizon Split horizon is useful for preventing routing loops by preventing a router from advertising a route onto the same interface in which the route was learned. With Split horizon problems occur when multipoint interfaces are used, because if one VC of a Serial interface fails split horizon does not advertise all VCs on that serial interface in routing updates so that either network loops or network unavailabilities occur. For a deeper view on the topic read the whole Cisco CCNA 640-507 certification guide ☺ The solution to the problem is to disable split horizon when not using subinterfaces or when using multipoint subinterfaces. The IOS defaults to disable split horizon on Frame Relay interfaces in all cases except for point-to-point subinterfaces. If the default value for split horizon is not desired, then the ip split horizon interface configuration command can be used to enable split horizon. Similarly, the no ip split horizon interface configuration command disables split horizon on that interface.


Seite 110 von 121

How Address Mapping Works

Shortcut Mapping is required when using some other data links, but not all. For example, with IP, the ARP process dynamically builds a mapping between an IP address and a LAN address.

Definition The information that correlates to the next-hop router’s Layer 3 address, and the Layer 2 address used to reach it, is called mapping. Mapping is needed on multiaccess networks.

Consider the core routing logic. Router A receives an Ethernet frame from some host and strips the Ethernet header (and trailer). It decides to route the packet out serial 0 to the next router, 10.1.2.2 (Router B’s S0 IP address). Router A builds the Frame Relay header/trailer and sends the frame. Although Router A knows the serial interfaces out which to forward the frame, Router A does not know the correct DLCI yet. A mapping is needed in Router A to correlate 10.1.2.2 (Router B) and the DLCI Router A used to reach Router B.


Seite 111 von 121

However, the same IP ARP used on LANs will not work on Frame Relay because there is no support for broadcasts. Therefore, ARP cannot be used to discover that DLCI. Two solutions exist by which Router A can learn the mapping between Router B’s IP address and DLCI. One uses a statically configured mapping, and the other uses a dynamic process called Inverse ARP. Inverse ARP acquires mapping information in a manner opposite of IP ARP, but the information that maps the Layer 3 and Layer 2 addresses is still found. Inverse ARP is basic; after the VC is up, each DTE announces its network layer address to the DTE on the other end of the VC. Inverse ARP is enabled by default if no subinterfaces are in use. Inverse ARP is also on by default for multipoint subinterfaces. However, Inverse ARP is not enabled on point-to-point subinterfaces because point-to-point subinterfaces behave like a true point-to-point line in regard to routing; if the packet needs to be sent out a point-to-point subinterface, then there is only one possible next router and only one DLCI in use. So, Inverse ARP is not needed with point-to-point subinterfaces.

Review: Frame Relay initialization 1. The LMI sends a status enquiry notifying the DTE when the VC is up. 2. Inverse ARP frames are sent by the routers in each direction for each Layer 3

protocol configured for the VC. Packets can be forwarded at this point. 3. Routing protocols will send their initial updates, routes will be learned 4. End user traffic will be able to flow

LMI status messages inform the routers when the PVC first comes up. Because Inverse ARP frames could not be delivered until the VC was up but can be delivered now, the Inverse ARP announcements declare the Layer 3 addresses. Unless keepalives have been turned off, both the switch and the router expect to send and receive periodic status and status enquiry messages, respectively.


Seite 112 von 121

Graphically

B

DLCI 40 DLCI 41

A

Status: DLCI 41 Up Status: DLCI 40 Up

Inverse-ARP: I am 10.1.1.1 (IP)

Inverse-ARP: I am 10.1.1.2 (IP)

Inverse-ARP: I am 10.AAAA.AAAA.AAAA (IPX)

Inverse-ARP: I am 10.BBBB.BBBB.BBBB (IPX)

Status enquiryStatus enquiry

Status Status

Compression

Shortcut Compression can be performed on Frame relay interfaces. Two general compression types exist:

- payload compresion - TCP header compression

Payload compression Payload compression leaves the Frame relay header intact and only compresses the packet (payload) before transmission. Two algorithm are available:

- STAC - FRF.9

STAC compression - historically used - The algorithm did not follow any standard. - Process works fine, but it can run only in software—no support for this

algorithm exists for Frame Relay on the Versatile Interface Processor (VIP) or the Compression Service Adapter (CSA).


Seite 113 von 121

FRF.9 compression - Frame Relay Forum standard compression - Also uses STAC algorithm but differs in some details from Ciscos original - FRF.9 compression support is added in hardware into Compression Service

Adapter (CSA) and Versatile Interface Processor 2 (VIP2) - use recommended from Cisco

TCP header compression - compression algorithm can be optimized if the data to be compressed is

known o TCP header is known

- 40 byte TCP header can be reduced to an average of 10 bytes - takes little processing works fast with low CPU amount - TCP header compression can rise to impressing 2 to 1 if IP packets are small

(e.g. during a Telnet session) - For larger packets TCP header compression rates decreases

Frame Relay Configuration

Frame Relay Configuration commands Command Configuration Mode Purpose / Function frame-relay map protocol protocol-address dlci [payloadcompress{packet-by-packet | frf9 stac}] [broadcast] [ietf | cisco]

Interface Statically defines a mapping between a network layer address and a DLCI.

keepalive sec Interface Defines whether and how often LMI status enquiry messages are sent and expected.

interface serial num.sub [pointto-point | multipoint]

Global Creates a subinterface, or references a previously created subinterface.

frame-relay interface-dlci dlc[ietf | cisco] Interface Defines a DLCI used for a VC to another DTE.

frame-relay payload-compress {packet-by-packet | frf9 stac}

Interface subcommand Defines payload compression onpoint-to-point subinterfaces.

show interface. Shows physical interface status show frame-relay {pvc | map | lmi } Shows PVC status, mapping

(dynamic and static), and LMI status.

debug frame-relay {lmi | events} Lists messages describing LMI flows (LMI option). The events option lists inverse ARP information. Other options include lapf, informationelements, ppp, and packet.


Seite 114 von 121

Guideline whether to use subinterfaces Use subinterfaces:

- When the network is partially meshed, using point-to-point subinterfaces overcomes split horizon issues by treating each subinterface as a separate interface.

- When the network is partially meshed, using a multipoint subinterface will work.

- When the network is truly fully meshed, a multipoint subinterface can be used to reduce the number of network-layer groups (for example, IP subnets) that are used.

- When the network is truly fully meshed, point-to-point subinterfaces can be used. This is typically chosen to maintain consistency with other Frame Relay networks elsewhere in the network that are not fully meshed. This choice requires a larger number of IP subnets to be used.

- When the network contains some fully meshed portions (for example, when 3 sites have VCs between each other but the other 10 do not), a multipoint subinterface can be used for the fully meshed portion and point-to-point subinterfaces can be used for the rest.

- When the network contains some fully meshed portions (for example, when 3 sites have VCs between each other but the other 10 do not), using only point-to-point subinterfaces is another option. This requires more IP subnets and IPX networks than when using a multipoint subinterface for the fully meshed portion of the network.

- Many sites avoid confusion by always using point-to-point subinterfaces to maintain consistency.

Correlating DLCIs to subinterfaces Correlating the DLCI(s) to their subinterfaces is required when using either type of subinterface. LMI enquiry messages notify the router that PVCs are active; the router then needs to know which subinterface uses the DLCI. An individual DLCI is used by only one subinterface. For a point-to-point subinterface, only one DLCI is used; for multipoint, many DLCIs are used.


Seite 115 von 121

ISDN protocols and design

ISDN Channels Two types of ISDN interfaces are focussed in IOS documentation:

- Basic Rate Interface (BRI) o 2 Bearer (B) Channels (up to 64kbit) o 1 signaling (D) channel (16kbit)

- Primary Rate Interface (PRI) o T/1 (1,544mbit)

23 B Channels (up to 64kbit) 1 D channel (64 kbit)

o E/1 (2,014 mbit) 30 B channels (up to 64kbit) 1 D channel (64 kbit)

B channels - transport data - speed depends on service provider

D channels - used for signaling

ISDN protocol overview Issue Protocol Key examples Telephone network and ISDN E-series E.163: international telephone numbering plan

E.164: international ISDN addressing ISDN concepts, aspects and interfaces

I-series I.100 series: concepts, structures, terminology I.400 series: User-Network Interfaces (UNI)

Switching and signaling Q-series Q.921: LAPD Q.931: ISDN network layer

ISDN ↔ OSI comparison Osi compared Layer

I-Series Equivalent Q-series specification

General purpose

1 ITU-T I.430

ITU-T I.431 Defines connectors, encoding, framing and

reference points 2 ITU-T I.440

ITU-T I.4411 ITU-T Q.920 ITU-T Q.921

Defines the LAPD protocol used on the D channel to encapsulate signaling requests

3 ITU-T I.450 ITU-T I.451

ITU-T Q.930 ITU-T Q.931

Defines signaling messages—for example, call setup and takedown messages


Seite 116 von 121

ISDN Function Groups and Reference Points

Inexact Definition (but familiar) - Function groups—A set of functions implemented by a device and software. - Reference points—The interface between two function groups; this includes

cabling details.

Facts to reminder - Not all reference points are used in any one topology; in fact, one or two might

never be used in a particular part of the world. - After the equipment is ordered and working, there is no need to think about

function groups and reference points. - The router configuration does not refer to reference points and function

groups, so many people ignore these details. Function Group Akronym Stands for Description TE1 Terminal Equipment 1 ISDN-capable four-wire cable.

Understands signaling, 2B+D. Uses S reference point.

TE2 Terminal Equipment 1 Equipment that does not understand ISDN protocols and specifications (no ISDN awareness). Uses R reference point, typically an RS-232 or V.35 cable, to connect to a TA.

TA Terminal Adapter Equipment that uses R and S reference points. Can be thought of as the TE1 function group on behalf of a TE2.

NT1 Network Termination Type 1 CPE equipment in North America. Connects with U reference point (two-wire) to telco. Connects with T or S reference points to other customer premise equipment.

NT2 Network Termination Type 2 Equipment that uses a T reference point to the telco outside North America, or to an NT1 inside North America. Uses an S reference point to connect to other customer premise equipment.

NT1/NT2 A combined NT1 and NT2 in the same device. This is relatively common in North America.

Reference Group Connection between R TE and TA2 S TE1 or TA and NT2. T NT2 and NT1. U NT1 and telco. S/T TE1 or TA, connected to an NT1, when no NT2 is used.

Alternately, the connection from a TE1 or TA to a combined NT1/NT2.


Seite 117 von 121

Typical use of ISDN - temporary dial connections

o backup o occasional (DDR dial on demand routing)

- permanently dialed lines (cause of nice prices)

PAP & Chap PAP - Password Authentication Protocol CHAP - Challenge Handshake Authentication Protocol

- used to verify that the endpoints of a dial connections are allowed to connect - PAP uses cleartext passwords and is less often used - CHAP MD5 - encodes the passwords and is mostly used today

Login description Both PAP and CHAP require the exchange of messages between devices. The dialed-to router expects to receive a user name and password from the dialing router with both PAP and CHAP. With PAP, the user name and password are sent by the dialing router. With CHAP, the dialed to router sends a message (called a challenge) that asks the dialing router to send its user name and password. The challenge includes a random number, which is part of the input into the MD5 hash algorithm. The dialing router replies with the MD5 hash value, which is a function of its ID (host name), its password, and the random number supplied in the challenge.

Multilink PPP - function that allows multiple links between a router and another device on

which the traffic is balanced - breaks a packet into fragments, sends them over each of the links and puts

them together again on the other end

Enabling commands The two key commands are the PPP multilink and the dialer load-threshold commands. PPP multilink enables multilink PPP; dialer load-threshold xx either tells the router to dial another B channel if the utilization average on the currently used links is more than xx percent for either inbound or outbound utilization.


Seite 118 von 121

Dial-on-Demand Routing and ISDN Configuration

Some Notes DDR can be used to cause the router to dial or to receive a dial on asynchronous serial interfaces, synchronous serial interfaces, and ISDN BRI and PRI interfaces. All examples in this chapter use ISDN BRI. Two ways exist by which to configure DDR. The two styles of DDR configuration are called DDR legacy and DDR dialer profiles. The main difference between the two is that DDR legacy associates dial details with a physical interface, but DDR dialer profiles-style configuration disassociates the dial configuration from a physical interface, allowing a great deal of flexibility.

- DDR will not dial until some traffic is directed (routed) out the dial interface.

o All routable protocols can be configured to trigger the dial. o Of course, routes are not learned over a dial link while the dial link is

down. o Therefore, static routes are configured

- “Is this packet, which is being routed out this dial interface, worthy of causing the dial to occur?” The packets that are worthy of causing the device to dial are called interesting packets by Cisco.

o Interesting can be defined as all packets of one or more Layer 3 protocols (for example, all IP packets).

o The second method is that interesting can be defined as packets permitted by an access list. In this case, if the access list permits the packet, it is considered interesting.

Example configuration

ip route 172.16.3.0 255.255.255.0 172.16.2.1 access-list 101 permit tcp any host 172.16.3.1 eq 80 dialer-list 1 protocol ip permit dialer-list 2 protocol ip list 101 interface bri 0 encapsulation ppp ip address 172.16.2.2 255.255.255.0 !Use this one if all IP is considered interesting ... dialer-group 1 ! OR Use next statement to trigger for Web to Server Lois dialer-group 2


Seite 119 von 121

Configuring the dialing itself / needed information

1. For non-ISDN interfaces, it is necessary to communicate the dial string to the external dialing device. In-band signaling (dialing) must be enabled on these interfaces using the command dialer in-band. This is not necessary on a BRI interface because it uses the out-of-band D channel for signaling.

2. The phone number to dial The command is dialer string string, where string is the phone number.

If there is more than one number to dial (e.g. if different sites shall be dialed for different routes) then we got a problem. The dilemma now be how to determine which ISDN telephone number to signal. The key is in the ip route commands and the new dialer map command. Of course, there are unique ISDN telephone numbers for both LosAngeles and GothamCity. Because the static routes will direct the router to send the packet to either 172.16.2.1 or 172.16.2.3, all that is needed is a mapping between these next-hop addresses and their respective ISDN telephone numbers. The dialer map command does exactly that. The dialer map commands imply that if the interesting packet were routed to 172.16.2.1, the dial to LosAngeles would occur. Conversely, if the interesting packet were routed to 172.16.2.3, the dial to GothamCity would occur. Broadcast handling is the final configuration element that must be addressed. Just as with any other point-to-point serial link, there is no true data link broadcast. If a broadcast must be sent on the interface, however, it is necessary to issue the broadcast command to tell the interface to forward the packet across the link.

ip route 172.16.3.0 255.255.255.0 172.16.2.1 ip route 172.16.4.0 255.255.255.0 172.16.2.3 ! Added usernames for CHAP support! username LosAngeles password Clark username GothamCity password Bruce access-list 101 permit tcp any host 172.16.3.1 eq 80 ! Added next statement to make The Client’s FTP connection interesting! access-list 101 permit tcp any host 172.16.4.1 eq 21 ! dialer-list 2 protocol ip list 101 ! interface bri 0 ip address 172.16.2.2 255.255.255.0 encapsulation ppp ppp authentication chap dialer map ip 172.16.2.1 broadcast name LosAngeles 14045551234 dialer map ip 172.16.2.3 broadcast name GothamCity 1999999999901 dialer-group 2 !


Seite 120 von 121

The decision to take the link down is the most intriguing part about what happens while the link is up. Although any type of packets can be routed across the link, only interesting packets are considered worthy of keeping the link up. An idle timer counts the time since the last interesting packet went across the link. If that time expires, the link is brought down. Two idle timers can be set. With the dialer idle-timeout seconds command, the idle time as previously described is set. If interesting traffic that needs to flow to another dial site is occurring, however, another shorter idle timer can be used. The dialer fast-idle seconds command enables you to configure a typically lower number than the idle timer so that when other sites need to be dialed, the link that is currently up but can be brought down earlier in the process of idling out as per the dialer idle-timeout command.

WAN options – strength and weakness Type of WAN service Data Link Protocols Strengths and weaknesses Leased Delivers pervasive availability. Can be expensive for

long circuits. Is more expensive for providers to engineer than are packet services.

PPP Can improve speed of routing protocol convergence. Allows multivendor interoperability. Has available error recovery option.

HDLC Is the IOS default. Requires Cisco router on each end.

LAPD Provides error recovery, but this also can result in throttling (slowing) the data rate.

Packet-switched Allows addition of new sites to be made quickly. Typically involves a lower cost.

Frame Relay Allows bursting past CIR, giving perception of “free” capacity. Is pervasive in the United States.

ATM As a WAN technology, is not as pervasively available as Frame Relay. Has an attractive built-in Quality of Service feature.

X.25 Is available pervasively in some parts of the world. Offers beneficial error-recovery features when links have higher error rates. Typically is the third choice of these three if all are available to all connected sites.


Seite 121 von 121

Enterprise Networks and their hardware CoreLayer

DistributionLayer

AccessLayer

Switches Traffic to theappropriate Service

Routing, filteringand WAN access

End station,entry point to the network

Layer Features Desired device

characteristics Core Fast transport, often at the

topological center of the network. Packet manipulation is not performed here.

Highest forwarding speed

Distribution Aggregation of access points. Any media translation or security (for instance, access lists) is performed here.

High interface density, high processing capacity per interface for packet manipulation

Access Entry point for end-user devices, both LAN and dial.

High variety of interface types, less processing capacity required (versus distribution).

cisco ccna certification noteshome.wtnet.de/~sbuelow/ccna.pdf · cisco ccna certification notes by...

Documents