Static routes, while manually intensive to keep up, are a very quick and effective way to route data from one subnet to a different subnet. Let's start with the basics.

What is a static route?
- A static route is a hard-coded path in the router that specifies how the router will get to a certain subnet by using a certain path.

What do you mean by "hard coded"?
- You or someone has typed in the network ID and the next hop to get to the network specified.

How do I add a static route into my Cisco router?
- Pretty simple:

router# config t
! get into the configuration mode
router(config)# ip route A.B.C.D (destination network/host) A.B.C.D (mask) A.B.C.D (next hop)
! this is a simple static route

Are there any other ways to name the next hop except by using an IP address?
- Yes, you can use the port name, i.e. ethernet0, E0, S0 and so on.

What is the "distance metric" that I can add at the end of the command?
- All routes have a value that allows the router to give a priority to which type of routing is used first. In static routes, the value is 1, which means no matter what other protocol you may have running, like OSPF or RIP, the static route will always be used first. This can be changed for special needs. For example, if you have a frame link with ISDN backup, you can have static routes for the frame and a second set of the same static routes but with a distance metric of 255. This means while the frame is up, it goes first, but when the frame goes down, the router will try to use the second static, which is normally ignored due to the 255 value.

Why do I want to use static routes when there are neat routing protocols like OSPF?
- Static routes are easy: no overhead either on the link or on the CPU of the router. They also offer good security when coupled with a tight IP mask like 252, which gives only 2 hosts on a given link.

If static routes are so easy, why not use them all the time?
- Static routes, while easy, can be overwhelming in a large or complicated network.
Each time there is a change, someone must manually make changes to reflect the change. If a link goes down, even if there is a second path, the router would ignore it and consider the link down.
One of the most common uses of a static route is the default classless route:

ip classless
ip route 0.0.0.0 0.0.0.0 [next hop]

This static route says that everything is remote and should be forwarded to the next hop (or supernet), which will take care of the routing.

Dial on demand is also a big user of static routes. Many times with dial-up or ISDN, you do not have the bandwidth or you do not want to pay the connection fees for routing updates, so you use static routes.

Static routes allow you to set up load balancing after a fashion. Keep in mind that the IOS load balances across routes first and not interfaces. The easiest way to configure multiple routes on the same interface is to use the secondary IP command:
ip address 192.0.0.2 255.255.255.0 secondary
! second route on same interface
interface serial 1
 ip address 192.1.0.1 255.255.255.0
 ip address 192.1.0.2 255.255.255.0 secondary
ip route 200.2.0.0 255.255.255.0 196.0.0.4
! goes to serial 0
ip route 200.2.0.0 255.255.255.0 196.0.0.5
! goes to serial 0
ip route 200.2.0.0 255.255.255.0 196.1.0.4
! goes to serial 1

Router 2
!
interface ethernet 0
 ip address 200.2.0.1 255.255.255.0
!
interface serial 0
 ip address 196.0.0.4 255.255.255.0
 ip address 196.0.0.5 255.255.255.0 secondary
!
interface serial 1
 ip address 196.1.0.4 255.255.255.0
 ip address 196.1.0.5 255.255.255.0 secondary
The traffic would go out router 1 across the two IPs on serial 0 first, then across one IP on serial 1. This gives you unequal load balancing.
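As an added example (not from the page's author), the route selection described above modelled in Python: longest prefix match first, then lowest administrative distance, equal routes returned together so the router can load-balance across them, and a floating static route that only takes over once the primary next hop is down. The 196.x next hops and the 200.2.0.0/24 destination are from the configuration above; the 10.50.0.0/16 prefix and the 192.0.2.x next hops are constructed.

```python
"""Static-route selection model: longest prefix match, then lowest
administrative distance, with floating (backup) statics and equal routes.
Constructed addresses; this is not Cisco IOS code."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class StaticRoute:
    prefix: str        # destination network, e.g. "200.2.0.0/24"; "0.0.0.0/0" is the default route
    next_hop: str      # the "A.B.C.D (next hop)" part of the ip route command
    distance: int = 1  # administrative distance; static routes default to 1

    @property
    def network(self):
        return ipaddress.ip_network(self.prefix)


class Rib:
    """A minimal routing table that holds only static routes."""

    def __init__(self):
        self.routes = []
        self.link_up = {}  # next hop -> bool; a route whose next hop is down is withdrawn

    def add(self, prefix, next_hop, distance=1):
        self.routes.append(StaticRoute(prefix, next_hop, distance))
        self.link_up.setdefault(next_hop, True)

    def set_link(self, next_hop, up):
        self.link_up[next_hop] = up

    def installed(self):
        """Only routes whose next hop is reachable are installed."""
        return [r for r in self.routes if self.link_up.get(r.next_hop, False)]

    def lookup(self, destination):
        """Return the next hops that would be used for destination (more than
        one means the router can load-balance across them), or [] if unroutable."""
        dst = ipaddress.ip_address(destination)
        matches = [r for r in self.installed() if dst in r.network]
        if not matches:
            return []
        best_len = max(r.network.prefixlen for r in matches)      # longest prefix wins
        longest = [r for r in matches if r.network.prefixlen == best_len]
        best_ad = min(r.distance for r in longest)                 # then lowest distance
        return [r.next_hop for r in longest if r.distance == best_ad]


def build_example_rib():
    rib = Rib()
    # Unequal load balancing from the two-router configuration above: three
    # static routes to 200.2.0.0/24, two via serial 0 addresses, one via serial 1.
    rib.add("200.2.0.0/24", "196.0.0.4")
    rib.add("200.2.0.0/24", "196.0.0.5")
    rib.add("200.2.0.0/24", "196.1.0.4")
    # Frame relay primary (distance 1) with a floating static backup over ISDN.
    # Constructed next hops; the backup carries a higher distance so it is
    # ignored while the primary is installed.
    rib.add("10.50.0.0/16", "192.0.2.1")         # frame link
    rib.add("10.50.0.0/16", "192.0.2.9", 200)    # ISDN backup
    # Default classless route: ip route 0.0.0.0 0.0.0.0 192.0.2.254
    rib.add("0.0.0.0/0", "192.0.2.254")
    return rib


def failover_demo():
    """Show the floating static taking over when the frame link goes down."""
    rib = build_example_rib()
    before = rib.lookup("10.50.3.7")
    rib.set_link("192.0.2.1", up=False)
    after = rib.lookup("10.50.3.7")
    return before, after


if __name__ == "__main__":
    rib = build_example_rib()
    print("200.2.0.9 ->", rib.lookup("200.2.0.9"))
    print("8.8.8.8   ->", rib.lookup("8.8.8.8"))
    print("frame up / frame down ->", failover_demo())
```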
From the global configuration mode, configure the hostname, then configure the console and enable passwords on each router.
To configure static routes, first enter global configuration mode to run the following commands.
First run the command show ip route to view the IP routing table for router A before defining static routes.
RouterA#configure terminal
RouterA(config)#exit
RouterA#
Now run the command show ip route on router A to view the IP routing table (directly connected + static routes) detail. Configure the Static Routes on Router B.
First run the command show ip route to view the IP routing table for router B before defining static routes.
RouterB#configure terminal
RouterB(config)#exit
RouterB#
Now run the command show ip route on router B to view the IP routing table (directly connected + static routes) detail.
First run the command show ip route to view the IP routing table for router C before defining static routes.
RouterC#configure terminal
RouterC(config)#exit
RouterC#
Now run the command show ip route on router C to view the IP routing table (directly connected + static routes) detail.
Spanning-Tree Protocol (STP) prevents loops from being formed when switches or bridges are interconnected via multiple paths. Spanning-Tree Protocol implements the IEEE 802.1D algorithm by exchanging BPDU messages with other switches to detect loops, and then removes the loop by shutting down selected bridge interfaces. This algorithm guarantees that there is one and only one active path between two network devices.

The Spanning Tree Algorithm is used to calculate a loop-free path. All switch ports are in blocking mode to begin with. It takes approximately 30 seconds until packets can be forwarded.

Step 1: Elect Root Bridge - Lowest bridge priority; if there is a tie, then the switch with the lowest bridge ID.
Step 2: Elect Root Ports - Locate redundant paths to the root bridge; block all but one root port. Root Path Cost is the cumulative cost of the path to the root bridge. Ports directly connected to the Root Bridge will be root ports; otherwise the lowest root path cost is used.
Step 3: Elect Designated Ports - Single port that sends and receives traffic from a switch to and from the Root Bridge - lowest cost path to the Root Bridge.

Spanning Tree Overview
- There can only be one Root Bridge.
- Root-Bridge ports are called 'Designated' and are set to send and receive traffic (forwarding state).
- All other redundant links to the root bridge are shut down. Blocked ports still receive BPDUs.
- Convergence occurs when switches have transitioned to either forwarding or blocking states. No other data is forwarded during this time.
- Forward delay - Time taken for a switch to go from Listening to Learning (50 seconds default).
- IEEE default priority = 32,768; this is true for all devices running the IEEE version of STP.
- Port Fast Mode - Immediately brings a port from blocking to forwarding state by eliminating forward delays.
- Bridges can only have one spanning tree instance, compared to switches, which can have many.
- Bridge Protocol Data Units send confirmation messages using multicast frames.
Introduction
Spanning Tree Protocol (STP) is a Layer 2 protocol that runs on bridges and switches. The specification for STP is IEEE 802.1D. The main purpose of STP is to ensure that you do not create loops when you have redundant paths in your network. Loops are deadly to a network.
Prerequisites
Requirements
There are no specific requirements for this document.
Components Used
Although this document uses Cisco Catalyst 5500/5000 Switches, the spanning tree principles that the document presents are applicable to almost all devices that support STP. For the examples, this document used:
- A console cable that is suitable for the Supervisor Engine in the switch
- Six Catalyst 5509 Switches

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.
Conventions
Refer to Cisco Technical Tips Conventions for more information on document conventions.
Background Theory
The configurations in this document apply to Catalyst 2926G, 2948G, 2980G, 4500/4000, 5500/5000, and 6500/6000 Switches that run Catalyst OS (CatOS). Refer to these documents for information on the configuration of STP on other switch platforms:
- Configuring STP and IEEE 802.1s MST (Catalyst 6500/6000 Switches that run Cisco IOS Software)
- Understanding and Configuring STP (Catalyst 4500/4000 Switches that run Cisco IOS Software)
- Configuring STP section of Configuring the System (Catalyst 2900XL/3500XL Switches)
- Configuring STP (Catalyst 3550 Switches)
- Configuring STP (Catalyst 2950 Switches)
Network Diagram
This document uses this network setup:
Concepts
STP runs on bridges and switches that are 802.1D-compliant. There are different flavors of STP, but 802.1D is the most popular and widely implemented. You implement STP on bridges and switches in order to prevent loops in the network. Use STP in situations where you want redundant links, but not loops. Redundant links are as important as backups in the case of a failover in a network. A failure of your primary activates the backup links so that users can continue to use the network. Without STP on the bridges and switches, such a failure can result in a loop. If two connected switches run different flavors of STP, they require different timings to converge. When different flavors are used in the switches, it creates timing issues between Blocking and Forwarding states. Therefore, it is recommended to use the same flavors of STP. Consider this network:
In this network, a redundant link is planned between Switch A and Switch B. However, this setup creates the possibility of a bridging loop. For example, a broadcast or multicast packet that transmits from Station M and is destined for Station N simply continues to circulate between both switches. However, when STP runs on both switches, the network logically looks like this:
This information applies to the scenario in the Network Diagram:
- Switch 15 is the backbone switch.
- Switches 12, 13, 14, 16, and 17 are switches that attach to workstations and PCs.
- The network defines these VLANs: 1, 200, 201, 202, 203, 204.
- The VLAN Trunk Protocol (VTP) domain name is STD-Doc.
In order to provide this desired path redundancy, as well as to avoid a loop condition, STP defines a tree that spans all the switches in an extended network. STP forces certain redundant data paths into a standby (blocked) state and leaves other paths in a forwarding state. If a link in the forwarding state becomes unavailable, STP reconfigures the network and reroutes data paths through the activation of the appropriate standby path.
STP Operation
Task
Prerequisites

Before you configure STP, select a switch to be the root of the spanning tree. This switch does not need to be the most powerful switch, but choose the most centralized switch on the network. All data flow across the network is from the perspective of this switch. Also, choose the least disturbed switch in the network. The backbone switches often serve as the spanning tree root because these switches typically do not connect to end stations. Also, moves and changes within the network are less likely to affect these switches. After you decide on the root switch, set the appropriate variables to designate the switch as the root switch. The only variable that you must set is the bridge priority. If the switch has a bridge priority that is lower than all the other switches, the other switches automatically select the switch as the root switch.

Clients (end stations) on Switch Ports

You can also issue the set spantree portfast command on a per-port basis. When you enable the portfast variable on a port, the port immediately switches from blocking mode to forwarding mode. Enablement of portfast helps to prevent timeouts on clients who use Novell NetWare or use DHCP in order to obtain an IP address. However, do not use this command when you have a switch-to-switch connection. In this case, the command can result in a loop. The 30- to 60-second delay that occurs during the transition from blocking to forwarding mode prevents a temporary loop condition in the network when you connect two switches.
Leave most other STP variables at their default values.

Rules of Operation

This section lists rules for how STP works. When the switches first come up, they start the root switch selection process. Each switch transmits a BPDU to the directly connected switch on a per-VLAN basis. As the BPDU goes out through the network, each switch compares the BPDU that the switch sends to the BPDU that the switch receives from the neighbors. The switches then agree on which switch is the root switch. The switch with the lowest bridge ID in the network wins this election process.

Note: Remember that one root switch is identified per VLAN.

After the root switch identification, the switches adhere to these rules:

STP Rule 1: All ports of the root switch must be in forwarding mode.

Note: In some corner cases, which involve self-looped ports, there is an exception to this rule.

Next, each switch determines the best path to get to the root. The switches determine this path by a comparison of the information in all the BPDUs that the switches receive on all ports. The switch uses the port with the least amount of information in the BPDU in order to get to the root switch; the port with the least amount of information in the BPDU is the root port. After a switch determines the root port, the switch proceeds to rule 2.

STP Rule 2: The root port must be set to forwarding mode.

In addition, the switches on each LAN segment communicate with each other to determine which switch is best to use in order to move data from that segment to the root bridge. This switch is called the designated switch.

STP Rule 3: In a single LAN segment, the port of the designated switch that connects to that LAN segment must be placed in forwarding mode.

STP Rule 4: All the other ports in all the switches (VLAN-specific) must be placed in blocking mode. The rule only applies to ports that connect to other bridges or switches. STP does not affect ports that connect to workstations or PCs. These ports remain forwarding.
Note: The addition or removal of VLANs when STP runs in per-VLAN spanning tree (PVST / PVST+) mode triggers spanning tree recalculation for that VLAN instance, and the traffic is disrupted only for that VLAN. The other VLAN parts of a trunk link can forward traffic normally. The addition or removal of VLANs for a Multiple Spanning Tree (MST) instance that exists triggers spanning tree recalculation for that instance, and traffic is disrupted for all the VLAN parts of that MST instance.

Note: By default, spanning tree runs on every port. The spanning tree feature cannot be turned off in switches on a per-port basis. Although it is not recommended, you can turn off STP on a per-VLAN basis, or globally on the switch. Extreme care should be taken whenever you disable spanning tree, because this creates Layer 2 loops within the network.
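An added example (not part of the Cisco document) that applies Steps 1-3 and STP Rules 1-4 to a constructed topology modelled on the network diagram: Switch 15 is the backbone at priority 8192 and the others keep the 32768 default, the links follow Switch 12's port connections listed on this page, and every MAC address except Switch 15's is made up.

```python
"""Model of the STP election rules on this page: root bridge, root ports,
designated ports and blocked ports.  Constructed topology; not CatOS code."""


def bridge_id(bridges, name):
    """802.1D bridge ID ordering: lower priority wins, then lower MAC address."""
    return (bridges[name]["priority"], bridges[name]["mac"])


def compute_spanning_tree(bridges, links):
    """bridges: name -> {"priority": int, "mac": str}
    links:   list of (bridge_a, port_a, bridge_b, port_b, path_cost)
    Returns (root bridge, root path cost per bridge, role per (bridge, port))."""
    # Step 1: the switch with the lowest bridge ID becomes the root.
    root = min(bridges, key=lambda b: bridge_id(bridges, b))

    adjacency = {b: [] for b in bridges}
    for a, pa, b, pb, cost in links:
        adjacency[a].append((b, pa, cost))
        adjacency[b].append((a, pb, cost))

    # Step 2: root path cost and root port.  Every bridge repeatedly compares the
    # BPDUs offered on its ports until nothing changes.  Ties are broken by the
    # neighbour's bridge ID, then by the local port number, as in 802.1D.
    inf = float("inf")
    cost = {b: (0 if b == root else inf) for b in bridges}
    root_port = {}
    for _ in range(len(bridges)):
        for b in bridges:
            if b == root:
                continue
            offers = [(cost[n] + c, bridge_id(bridges, n), port)
                      for n, port, c in adjacency[b] if cost[n] < inf]
            if offers:
                cost[b], _, root_port[b] = min(offers)

    # Step 3: on each segment the end with the lower (root path cost, bridge ID)
    # is the designated port and forwards (Rules 1 and 3).  The far end is either
    # that bridge's root port (Rule 2) or is blocked (Rule 4).
    roles = {}
    for a, pa, b, pb, _ in links:
        if (cost[a], bridge_id(bridges, a)) <= (cost[b], bridge_id(bridges, b)):
            des, des_port, other, other_port = a, pa, b, pb
        else:
            des, des_port, other, other_port = b, pb, a, pa
        roles[(des, des_port)] = "designated"
        roles[(other, other_port)] = "root" if root_port.get(other) == other_port else "blocked"
    return root, cost, roles


def port_states(roles):
    """Root and designated ports forward; everything else blocks."""
    return {p: ("forwarding" if r in ("root", "designated") else "blocking")
            for p, r in roles.items()}


# Constructed topology: Switch 15 has been made root with 'set spantree root'
# (priority 8192); Switch 12's ports 2/1, 2/2, 2/3 go to Switches 13, 15, 16.
BRIDGES = {
    "Switch-15": {"priority": 8192,  "mac": "00-10-0d-b1-78-00"},
    "Switch-12": {"priority": 32768, "mac": "00-10-0d-c0-12-00"},  # made-up MAC
    "Switch-13": {"priority": 32768, "mac": "00-10-0d-c0-13-00"},  # made-up MAC
    "Switch-16": {"priority": 32768, "mac": "00-10-0d-c0-16-00"},  # made-up MAC
}
LINKS = [
    ("Switch-15", "1/1", "Switch-12", "2/2", 19),
    ("Switch-15", "1/2", "Switch-13", "2/2", 19),
    ("Switch-15", "1/3", "Switch-16", "2/2", 19),
    ("Switch-12", "2/1", "Switch-13", "2/1", 19),  # redundant path: one end must block
    ("Switch-12", "2/3", "Switch-16", "2/1", 19),  # redundant path: one end must block
]

if __name__ == "__main__":
    root, cost, roles = compute_spanning_tree(BRIDGES, LINKS)
    print("root bridge:", root)
    for port, state in sorted(port_states(roles).items()):
        print(port, roles[port], state)
```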
Step-by-Step Instructions
Complete these steps: Issue the show version command in order to display the software version that the switch runs. Note: All switches run the same software version.
Switch-15> (enable) show version
WS-C5505 Software, Version McpSW: 4.2(1) NmpSW: 4.2(1)
Copyright (c) 1995-1998 by Cisco Systems
NMP S/W compiled on Sep 8 1998, 10:30:21
Model: WS-C5505
Serial #: 066509927
Switch-15> (enable) set spantree root 1
VLAN 1 bridge priority set to 8192.
VLAN 1 bridge max aging time set to 20.
VLAN 1 bridge hello time set to 2.
VLAN 1 bridge forward delay set to 15.
Switch is now the root switch for active VLAN 1.
Switch-15> (enable)

Switch-15> (enable) set spantree root 200
VLAN 200 bridge priority set to 8192.
VLAN 200 bridge max aging time set to 20.
VLAN 200 bridge hello time set to 2.
VLAN 200 bridge forward delay set to 15.
Switch is now the root switch for active VLAN 200.
Switch-15> (enable)

Switch-15> (enable) set spantree root 201
VLAN 201 bridge priority set to 8192.
VLAN 201 bridge max aging time set to 20.
VLAN 201 bridge hello time set to 2.
VLAN 201 bridge forward delay set to 15.
Switch is now the root switch for active VLAN 201.
Switch-15> (enable)

Switch-15> (enable) set spantree root 202
VLAN 202 bridge priority set to 8192.
VLAN 202 bridge max aging time set to 20.
VLAN 202 bridge hello time set to 2.
VLAN 202 bridge forward delay set to 15.
Switch is now the root switch for active VLAN 202.
Switch-15> (enable)

Switch-15> (enable) set spantree root 203
VLAN 203 bridge priority set to 8192.
VLAN 203 bridge max aging time set to 20.
VLAN 203 bridge hello time set to 2.
VLAN 203 bridge forward delay set to 15.
Switch is now the root switch for active VLAN 203.
Switch-15> (enable)

Switch-15> (enable) set spantree root 204
VLAN 204 bridge priority set to 8192.
VLAN 204 bridge max aging time set to 20.
VLAN 204 bridge hello time set to 2.
VLAN 204 bridge forward delay set to 15.
Switch is now the root switch for active VLAN 204.
Switch-15> (enable)
The shorter version of the command has the same effect, as this example shows:
Switch-15> (enable) set spantree root 1,200-204
VLANs 1,200-204 bridge priority set to 8189.
VLANs 1,200-204 bridge max aging time set to 20.
VLANs 1,200-204 bridge hello time set to 2.
VLANs 1,200-204 bridge forward delay set to 15.
Switch is now the root switch for active VLANs 1,200-204.
Switch-15> (enable)
The set spantree priority command provides a third method to specify the root switch:
Switch-15> (enable) set spantree priority 8192 1
Spantree 1 bridge priority set to 8192.
Switch-15> (enable)
Note: In this scenario, all the switches started with cleared configurations. Therefore, all the switches started with a bridge priority of 32768. If you are not certain that all the switches in your network have a priority that is greater than 8192, set the priority of your desired root bridge to 1.

Issue the set spantree portfast mod_num/port_num enable command in order to configure the PortFast setting on Switches 12, 13, 14, 16, and 17.

Note: Only configure this setting on ports that connect to workstations or PCs. Do not enable PortFast on any port that connects to another switch.

This example only configures Switch 12. You can configure other switches in the same way. Switch 12 has these port connections:
- Port 2/1 connects to Switch 13.
- Port 2/2 connects to Switch 15.
- Port 2/3 connects to Switch 16.
- Ports 3/1 through 3/24 connect to PCs.
- Ports 4/1 through 4/24 connect to UNIX workstations.

With this information as a basis, issue the set spantree portfast command on ports 3/1 through 3/24 and on ports 4/1 through 4/24:
Warning: Spantree port fast start should only be enabled on ports connected to a single host. Connecting hubs, concentrators, switches, bridges, etc. to Use with caution.
Warning: Spantree port fast start should only be enabled on ports connected to a single host. Connecting hubs, concentrators, switches, bridges, etc. to Use with caution.
Designated Root             00-10-0d-b1-78-00
!--- This is the MAC address of the root switch for VLAN 1.
Designated Root Priority
Designated Root Cost
Designated Root Port
Root Max Age   20 sec   Hello Time 2 sec
Bridge ID MAC ADDR
Bridge ID Priority
Bridge Max Age 20 sec   Hello Time 2 sec
This output shows that Switch 15 is the designated root on the spanning tree for VLAN 1. The MAC address of the designated root switch, 00-10-0d-b1-78-00, is the same as the bridge ID MAC address of Switch 15, 00-10-0d-b1-78-00. Another indicator that this switch is the designated root is that the designated root port is 1/0. In this output from Switch 12, the switch recognizes Switch 15 as the Designated Root for VLAN 1:
Switch-12> (enable) show spantree 1
VLAN 1
spanning-tree enabled
spanning-tree type        IEEE
Designated Root           00-10-0d-b1-78-00
!--- This is the MAC address of the root switch for VLAN 1.
Designated Root Priority
Designated Root Cost
Designated Root Port
Root Max Age   20 sec   Hello Time 2 sec
Bridge ID MAC ADDR
Bridge ID Priority
Bridge Max Age 20 sec   Hello Time 2 sec
Note: The output of the show spantree vlan_id command for the other switches and VLANs can also indicate that Switch 15 is the designated root for all VLANs.
Verify
This section provides information you can use to confirm that your configuration works properly. The Output Interpreter Tool (registered customers only) (OIT) supports certain show commands. Use the OIT to view an analysis of show command output.
- show spantree vlan_id - Shows the current state of the spanning tree for this VLAN ID, from the perspective of the switch on which you issue the command.
- show spantree summary - Provides a summary of connected spanning tree ports by VLAN.
Troubleshoot
This section provides information you can use to troubleshoot your configuration.
Troubleshoot Commands
The Output Interpreter Tool (registered customers only) (OIT) supports certain show commands. Use the OIT to view an analysis of show command output.

Note: Refer to Important Information on Debug Commands before you use debug commands.

- show spantree vlan_id - Shows the current state of the spanning tree for this VLAN ID, from the perspective of the switch on which you issue the command.
- show spantree summary - Provides a summary of connected spanning tree ports by VLAN.
- show spantree statistics - Shows spanning tree statistical information.
- show spantree backbonefast - Displays whether the spanning tree BackboneFast Convergence feature is enabled.
- show spantree blockedports - Displays only the blocked ports.
- show spantree portstate - Determines the current spanning tree state of a Token Ring port within a spanning tree.
- show spantree portvlancost - Shows the path cost for the VLANs on a port.
- show spantree uplinkfast - Shows the UplinkFast settings.
Commands used in this document (syntax, and as used here):
- show version
- set spantree root [vlan_id]: set spantree root 1; set spantree root 1,200-204
- set spantree priority [vlan_id]
- show spantree 1
other routers. Advertisements containing routes are referred to as Link State Advertisements (LSAs) in OSPF. An OSPF router keeps track of the state of all the various network connections (links) between itself and a network it is trying to send data to. This makes it a link-state routing protocol. OSPF supports the use of classless IP address ranges and is very efficient. OSPF uses areas to organize a network into a hierarchical structure; it summarizes route information to reduce the number of advertised routes and thereby reduce network load, and uses a designated router (elected via a process that is part of OSPF) to reduce the quantity and frequency of Link State Advertisements. OSPF does require the router to have a more powerful processor and more memory than other routing protocols. OSPF selects the best routes by finding the lowest cost paths to a destination. All router interfaces (links) are given a cost. The cost of a route is equal to the sum of all the costs configured on all the outbound links between the router and the destination network, plus the cost configured on the interface that OSPF received the Link State Advertisement on. This tutorial will focus on explaining the basic components of OSPF, the operation of OSPF, basic configuration of OSPF, and finally close with troubleshooting techniques used to verify correct OSPF configuration and operation.
The election process which determines the Designated Router will also elect a Backup Designated Router (BDR). The BDR takes over from the DR when the DR fails.
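An added example (not from this tutorial) of the route selection described above: a Shortest Path First run over a constructed link-state database, where each hop adds the cost of the outbound interface and each advertised network is attached at its router's interface cost, so that asymmetric interface costs give different best paths in each direction. Router names, costs and prefixes are all constructed.

```python
"""OSPF-style lowest-cost route selection: Dijkstra (SPF) over a constructed
link-state database, then a routing table built from the advertised networks.
Not Cisco IOS code; every value below is made up for the example."""
import heapq

# Constructed LSDB.  links: (neighbour, cost of the outbound interface towards
# it); networks: (prefix, cost of the interface that sits on that network).
# Note R2's interface towards R1 costs 100 while R1's towards R2 costs 10.
LSDB = {
    "R1": {"links": [("R2", 10), ("R3", 1)],   "networks": [("10.1.0.0/24", 1)]},
    "R2": {"links": [("R1", 100), ("R4", 10)], "networks": [("10.2.0.0/24", 1)]},
    "R3": {"links": [("R1", 1), ("R4", 1)],    "networks": []},
    "R4": {"links": [("R3", 1), ("R2", 10)],   "networks": [("10.4.0.0/24", 1)]},
}


def spf(lsdb, source):
    """Shortest Path First from source: cost to reach every router, and the
    predecessor on each lowest-cost path."""
    dist = {source: 0}
    prev = {}
    heap = [(0, source)]
    while heap:
        d, router = heapq.heappop(heap)
        if d > dist[router]:
            continue  # stale heap entry
        for neighbour, if_cost in lsdb[router]["links"]:
            candidate = d + if_cost  # each hop adds its outbound interface cost
            if candidate < dist.get(neighbour, float("inf")):
                dist[neighbour] = candidate
                prev[neighbour] = router
                heapq.heappush(heap, (candidate, neighbour))
    return dist, prev


def next_hop(prev, source, router):
    """Walk the predecessor chain back towards source; the first hop out is the next hop."""
    if router == source:
        return "connected"
    while prev[router] != source:
        router = prev[router]
    return router


def routing_table(lsdb, source):
    """prefix -> (total cost, next hop) from source's point of view.  The cost
    of a network is the cost to its router plus that router's interface cost."""
    dist, prev = spf(lsdb, source)
    table = {}
    for router, d in dist.items():
        for prefix, if_cost in lsdb[router]["networks"]:
            total = d + if_cost
            if prefix not in table or total < table[prefix][0]:
                table[prefix] = (total, next_hop(prev, source, router))
    return table


if __name__ == "__main__":
    for src in ("R1", "R2"):
        print(src, routing_table(LSDB, src))
```

From R1 the path to 10.4.0.0/24 goes via R3 (cost 3) rather than R2; from R2 the costly interface towards R1 makes the longer R4-R3 path the lowest-cost way back.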
OSPF Areas
OSPF areas are used to impose a hierarchical structure on the flow of data over the network. A network using OSPF will always have at least one area, and if there is more than one area, one of them must be the backbone area. Areas are used to group routers into manageable groups that exchange routing information locally, but summarize that routing information when advertising the routes externally. A standard OSPF network looks something like a big bubble (the backbone area) with a lot of smaller bubbles (stub areas) attached directly to it. Area Border Routers (ABRs) are used to connect the areas. Each area will elect a designated router (DR) and a backup designated router (BDR) to assist in flooding Link State Advertisements (LSAs) throughout the area.
Backbone (Area 0)
The backbone is the first area you should always build in any network using OSPF and the backbone is always Area 0 (zero). All areas are connected directly to the OSPF backbone area. When designing an OSPF backbone area, you should make sure there is little or no possibility of the backbone area being split into two or more parts by a router or link failure. If the OSPF backbone is split due to hardware failures or access lists, sizeable areas of the network will become unreachable.
Stub Area
Stub areas are connected only to the backbone area. Stub areas do not receive routes from outside the autonomous system, but do receive the routes from within the autonomous system, even if the route comes from another area.
Not-So-Stubby (NSSA)
Frequently, it is advisable to use a separate network to connect the internal enterprise network to the Internet. OSPF makes provisions for placing an Autonomous System Boundary Router (ASBR) within a non-backbone area. In this case, the stub area must learn routes from outside the OSPF autonomous system. Thus, a new type of LSA was required: the Type 7 LSA. Type 7 LSAs are created by the Autonomous System Boundary Router and forwarded via the stub area's border router (ABR) to the backbone. This allows the other areas to learn routes that are external to the OSPF routing domain.
Virtual Links
Virtual links are used when you have a network that must be connected to an existing OSPF system, but cannot be physically connected directly to the routers in the OSPF backbone area. You can configure an OSPF virtual link from the area to a backbone router, creating a virtual direct connection to the backbone area. This virtual link acts as a tunnel which forwards LSAs to the backbone via a second intermediate area.
Operation
STILL UNDER DEVELOPMENT
Neighbor Discovery
STILL UNDER DEVELOPMENT

Forming Adjacencies

Link State Advertisements (LSAs)

LSA Types (by type code):
- 1 - Router LSA
- 2 - Network LSA
- 3 - Network Summary LSA
- 4 - ASBR Summary LSA
- 5 - AS External LSA
- 6 - Group Membership LSA
- 7 - NSSA External LSA
- 8 - External Attributes LSA
- 9 - Opaque LSA (link-local scope)
- 10 - Opaque LSA (area-local scope)
- 11 - Opaque LSA (AS scope)

Flooding

Reliable Transport

Shortest Path First Calculations

Configuration

Troubleshooting
OSPF Components
- Areas
- Routers
- Link State Advertisements
- Processes
OSPF Areas
OSPF organizes a network into areas. An area is a set of routers that will share routing information about one or more networks. Routers are used by OSPF to maintain routing information within an area and to send Link State Advertisements to other areas.
When a packet arrives at the router, the router extracts certain information from the packet header and makes decisions according to the filter rules as to whether the packet can pass through or be dropped. Packet filtering process works at the Network layer of the Open Systems Interconnection (OSI) model, or the Internet layer of TCP/IP.
Standard access lists

Standard access lists create filters based on source addresses and are used for server-based filtering. Address-based access lists distinguish routes on a network you want to control by using the network address number (IP). Address-based access lists consist of a list of addresses or address ranges and a statement as to whether access to or from that address is permitted or denied.

Example of the command syntax for configuring a standard numbered IP ACL:

R1(config)# access-list {1-99} {permit | deny} source-addr [source-wildcard]

i. The first value {1-99} specifies the standard ACL number range.
ii. The second value specifies whether to permit or deny the configured source IP address traffic.
iii. The third value is the source IP address that must be matched.
iv. The fourth value is the wildcard mask to be applied to the previously configured IP address to indicate the range.
Extended access lists

Extended access lists create filters based on source addresses, destination addresses, protocol, port number and other features, and are used for packet-based filtering of packets that traverse the network.

Example of the command syntax for configuring an extended numbered IP ACL:

Router(config)# access-list {100-199} {permit | deny} protocol source-addr [source-wildcard] [operator operand] destination-addr [destination-wildcard] [operator operand] [established]

i. Like the standard ACLs, the first value {100-199 or 2000-2699} specifies the ACL number range.
ii. The next value specifies whether to permit or deny according to the criteria that follow.
iii. The third value specifies the protocol type (IP, TCP, UDP, or other specific IP sub-protocols).
iv. The source IP address and wildcard mask determine the traffic source.
v. The destination IP address and its wildcard mask are used to indicate the final destination of the network traffic. When the destination IP address and mask are configured, the port number must be specified to match, either by number or by a well-known port name; otherwise all traffic to that destination will be dropped.
Standard and extended access lists can be applied based on the use of the ip access-list command. Access lists use the deny or permit statement to define which packets are allowed or denied entry into a server or network.
Masks
Masks are used with IP addresses in IP ACLs to specify what should be permitted and denied. Masks used to configure IP addresses on interfaces start with 255 and have the large values on the left side; for example, IP address 172.16.2.14 with a 255.255.255.0 mask. Masks for IP ACLs are the reverse, for example, mask 0.0.0.255. This is sometimes called an inverse mask or a wildcard mask. When the value of the mask is broken down into binary (0s and 1s), the results determine which address bits are to be considered in processing the traffic. A 0 indicates that the address bits must be considered (exact match); a 1 in the mask is a "no" (that bit is ignored).

Note these ACL equivalents:
- The source/source-wildcard of 0.0.0.0/255.255.255.255 means "any".
- The source/wildcard of 10.1.1.2/0.0.0.0 is the same as "host 10.1.1.2".
- If you subtract 255.255.255.0 (normal mask) from 255.255.255.255, it yields 0.0.0.255.

The command below defines an ACL that permits the network 192.168.1.0 0.0.0.255:

access-list acl_permit permit ip 192.168.1.0 0.0.0.255

Inbound traffic to the router is compared to access list entries based on the order in which the entries occur in the router. The router looks through the entries until it has a match. If the router finds no match when it reaches the end of the list, the traffic is denied. For this reason, you should have the frequently hit entries at the top of the list. There is an implied deny for traffic that is not permitted. A single-entry access list with only one deny entry has the effect of denying all traffic. You must have at least one permit statement in an ACL or all traffic is blocked. Access lists implicitly deny all access that is not expressly permitted. The following line is auto-appended to all access lists:

deny ip any any

If it is desirable to override this implicit deny statement, enter a permit ip any any statement as the last entry in the access list.
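An added example (not from the page) that evaluates numbered ACLs exactly as described above: wildcard-mask matching where a 0 bit must match and a 1 bit is ignored, first-match processing in list order, and the implicit deny ip any any at the end. The parser handles standard lists (1-99) and extended lists (100-199, 2000-2699) with any, host, address/wildcard pairs and numeric eq ports; the three-line ACL 101 and the packets are constructed, and the 192.168.1.0 0.0.0.255 network is the one used in the text.

```python
"""First-match evaluation of Cisco-style numbered ACLs with wildcard masks and
the implicit 'deny ip any any'.  Constructed ACL and packets; not IOS code."""
import ipaddress


def to_int(addr):
    return int(ipaddress.IPv4Address(addr))


def wildcard_match(addr, base, wildcard):
    """Cisco wildcard semantics: a 0 bit in the mask must match, a 1 bit is ignored."""
    care = ~to_int(wildcard) & 0xFFFFFFFF
    return (to_int(addr) ^ to_int(base)) & care == 0


def wildcard_from_mask(mask):
    """255.255.255.255 minus the normal mask gives the inverse (wildcard) mask."""
    return str(ipaddress.IPv4Address(0xFFFFFFFF - to_int(mask)))


def _addr(tokens):
    """Consume 'any' | 'host A' | 'A WILDCARD' and return (base, wildcard)."""
    t = tokens.pop(0)
    if t == "any":
        return "0.0.0.0", "255.255.255.255"
    if t == "host":
        return tokens.pop(0), "0.0.0.0"
    return t, tokens.pop(0)


def _port(tokens):
    """Consume an optional 'eq <number>' operator (numeric ports only here)."""
    if tokens and tokens[0] == "eq":
        tokens.pop(0)
        return int(tokens.pop(0))
    return None


def parse_acl(text):
    """Parse 'access-list N permit|deny ...' lines into ordered match entries."""
    entries = []
    for line in text.strip().splitlines():
        tok = line.split()
        if not tok or tok[0] != "access-list":
            raise ValueError("unsupported line: " + line)
        number, action, rest = int(tok[1]), tok[2], tok[3:]
        if 1 <= number <= 99:                       # standard list: source only
            entry = {"proto": "ip", "src": _addr(rest), "sport": None,
                     "dst": ("0.0.0.0", "255.255.255.255"), "dport": None}
        else:                                       # extended list
            entry = {"proto": rest.pop(0)}
            entry["src"] = _addr(rest)
            entry["sport"] = _port(rest)
            entry["dst"] = _addr(rest)
            entry["dport"] = _port(rest)
        if rest:                                    # e.g. 'established' is not modelled
            raise ValueError("unsupported keywords: " + " ".join(rest))
        entry["action"], entry["line"] = action, line
        entries.append(entry)
    return entries


def evaluate(entries, pkt):
    """Return (action, matching line).  Entries are tried in order, the first
    match wins, and a packet matching nothing hits the implicit deny."""
    for e in entries:
        if e["proto"] != "ip" and e["proto"] != pkt["proto"]:
            continue
        if not wildcard_match(pkt["src"], *e["src"]):
            continue
        if not wildcard_match(pkt["dst"], *e["dst"]):
            continue
        if e["sport"] is not None and e["sport"] != pkt.get("sport"):
            continue
        if e["dport"] is not None and e["dport"] != pkt.get("dport"):
            continue
        return e["action"], e["line"]
    return "deny", "implicit deny ip any any"


# Constructed extended ACL: SSH from the LAN to one server is allowed, telnet
# to that server is denied before the broad permit, everything else from the
# LAN is allowed.  Order matters: swapping lines 2 and 3 would let telnet through.
ACL_101 = """
access-list 101 permit tcp 192.168.1.0 0.0.0.255 host 10.1.1.2 eq 22
access-list 101 deny tcp any host 10.1.1.2 eq 23
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
"""


def decide(acl_text, proto, src, dst, dport=None):
    pkt = {"proto": proto, "src": src, "dst": dst, "dport": dport}
    return evaluate(parse_acl(acl_text), pkt)[0]


if __name__ == "__main__":
    print(decide(ACL_101, "tcp", "192.168.1.10", "10.1.1.2", 22))  # permit
    print(decide(ACL_101, "tcp", "192.168.1.10", "10.1.1.2", 23))  # deny
    print(decide(ACL_101, "udp", "192.168.1.10", "10.9.9.9", 53))  # permit
    print(decide(ACL_101, "tcp", "172.16.0.5", "10.1.1.2", 22))    # deny (implicit)
```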
Subnet - A portion of a network sharing a particular subnet address.
Subnet mask - A 32-bit combination used to describe which portion of an address refers to the subnet and which part refers to the host.
Interface - A network connection.

If you have already received your legitimate address(es) from the Internet Network Information Center (InterNIC), you are ready to begin. If you do not plan to connect to the Internet, Cisco strongly suggests that you use reserved addresses from RFC 1918.
Understanding IP Addresses
An IP address is an address used in order to uniquely identify a device on an IP network. The address is made up of 32 binary bits, which can be divided into a network portion and a host portion with the help of a subnet mask. The 32 binary bits are broken into four octets (1 octet = 8 bits). Each octet is converted to decimal and separated by a period (dot). For this reason, an IP address is said to be expressed in dotted decimal format (for example, 172.16.81.100). The value in each octet ranges from 0 to 255 decimal, or 00000000 - 11111111 binary. Here is how binary octets convert to decimal: the right-most bit, or least significant bit, of an octet holds a value of 2^0 (1). The bit just to the left of that holds a value of 2^1 (2). This continues until the left-most bit, or most significant bit, which holds a value of 2^7 (128). So if all binary bits are a one, the decimal equivalent is 128+64+32+16+8+4+2+1 = 255. Here is a sample octet conversion when not all of the bits are set to one:
bits:   0   1  0  0  0  0  0  1
values: 0  64  0  0  0  0  0  1   (0+64+0+0+0+0+0+1 = 65)
And this sample shows an IP address represented in both binary and decimal:
10.1.23.19 (decimal)
00001010.00000001.00010111.00010011 (binary)
These octets are broken down to provide an addressing scheme that can accommodate large and small networks. There are five different classes of networks, A to E. This document focuses on addressing classes A to C, since classes D and E are reserved and discussion of them is beyond the scope of this document. Note: The terms "Class A, Class B" and so on are used in this document to help facilitate the understanding of IP addressing and subnetting. These terms are rarely used in the industry anymore because of the introduction of classless
In a Class A address, the first octet is the network portion, so the Class A example in Figure 1 has a major network address of 1.0.0.0 - 127.255.255.255. Octets 2, 3, and 4 (the next 24 bits) are for the network manager to divide into subnets and hosts as he/she sees fit. Class A addresses are used for networks that have more than 65,536 hosts (actually, up to 16777214 hosts!).
In a Class B address, the first two octets are the network portion, so the Class B example in Figure 1 has a major network address of 128.0.0.0 - 191.255.255.255. Octets 3 and 4 (16 bits) are for local subnets and hosts. Class B addresses are used for networks that have between 256 and 65534 hosts.
In a Class C address, the first three octets are the network portion. The Class C example in Figure 1 has a major network address of 192.0.0.0 - 223.255.255.255. Octet 4 (8 bits) is for local subnets and hosts - perfect for networks with fewer than 254 hosts.
Network Masks
A network mask helps you know which portion of the address identifies the network and which portion of the address identifies the node. Class A, B, and C networks have default masks, also known as natural masks, as shown here:
Class A: 255.0.0.0
Class B: 255.255.0.0
Class C: 255.255.255.0
Understanding Subnetting
Subnetting allows you to create multiple logical networks that exist within a single Class A, B, or C network. If you do not subnet, you are only able to use one network from your Class A, B, or C network, which is unrealistic. Each data link on a network must have a unique network ID, with every node on that link being a member of the same network. If you break a major network (Class A, B, or C) into smaller subnetworks, it allows you to create a network of interconnecting subnetworks. Each data link on this network would then have a unique network/subnetwork ID. Any device, or gateway, connecting n networks/subnetworks has n distinct IP addresses, one for each network / subnetwork that it interconnects. In order to subnet a network, extend the natural mask using some of the bits from the host ID portion of the address to create a subnetwork ID. For example, given a Class C network of 204.17.5.0 which has a natural mask of 255.255.255.0, you can create subnets in this manner:
204.17.5.0      - 11001100.00010001.00000101.00000000
255.255.255.224 - 11111111.11111111.11111111.11100000
                                             |sub|
By extending the mask to be 255.255.255.224, you have taken three bits (indicated by "sub") from the original host portion of the address and used them to make subnets. With these three bits, it is possible to create eight subnets. With the remaining five host ID bits, each subnet can have up to 32 host addresses, 30 of which can actually be assigned to a device since host IDs of all zeros or all ones are not allowed (it is very important to remember this). So, with this in mind, these subnets have been created:
204.17.5.0    255.255.255.224   host address range 1 to 30
204.17.5.32   255.255.255.224   host address range 33 to 62
204.17.5.64   255.255.255.224   host address range 65 to 94
204.17.5.96   255.255.255.224   host address range 97 to 126
204.17.5.128  255.255.255.224   host address range 129 to 158
204.17.5.160  255.255.255.224   host address range 161 to 190
204.17.5.192  255.255.255.224   host address range 193 to 222
204.17.5.224  255.255.255.224   host address range 225 to 254
Note: There are two ways to denote these masks. First, since you are using three bits more than the "natural" Class C mask, you can denote these addresses as having a 3-bit subnet mask. Or, secondly, the mask of 255.255.255.224 can also be denoted as /27 as there are 27 bits that are set in the mask. This second method is used with CIDR. With this method, one of these networks can be described with the notation prefix/length. For example, 204.17.5.32/27 denotes the network 204.17.5.32 255.255.255.224. When appropriate the prefix/length notation is used to denote the mask throughout the rest of this document.
The network subnetting scheme in this section allows for eight subnets, and the network might appear as shown in Figure 2.
Notice that each of the routers in Figure 2 is attached to four subnetworks, and one subnetwork is common to both routers. Also, each router has an IP address for each subnetwork to which it is attached. Each subnetwork could potentially support up to 30 host addresses. This brings up an interesting point. The more host bits you use for a subnet mask, the more subnets you have available. However, the more subnets available, the fewer host addresses available per subnet. For example, a Class C network of 204.17.5.0 and a mask of 255.255.255.224 (/27) allows you to have eight subnets, each with 32 host addresses (30 of which could be assigned to devices). If you use a mask of 255.255.255.240 (/28), the breakdown is:
204.17.5.0      - 11001100.00010001.00000101.00000000
255.255.255.240 - 11111111.11111111.11111111.11110000
                                             |sub |
Since you now have four bits to make subnets with, you only have four bits left for host addresses. So in this case you can have up to 16 subnets, each of which can have up to 16 host addresses (14 of which can be assigned to devices).
Take a look at how a Class B network might be subnetted. If you have network 172.16.0.0, then you know that its natural mask is 255.255.0.0 or 172.16.0.0/16. Extending the mask to anything beyond 255.255.0.0 means you are subnetting. You can quickly see that you have the ability to create a lot more subnets than with the Class C network. If you use a mask of 255.255.248.0 (/21), how many subnets and hosts per subnet does this allow for?
172.16.0.0      - 10101100.00010000.00000000.00000000
255.255.248.0   - 11111111.11111111.11111000.00000000
                                    | sub |
You are using five bits from the original host bits for subnets. This allows you to have 32 subnets (2^5). After using the five bits for subnetting, you are left with 11 bits for host addresses. This allows each subnet to have 2048 host addresses (2^11), 2046 of which could be assigned to devices.
Note: In the past, there were limitations to the use of subnet 0 (all subnet bits are set to zero) and the all-ones subnet (all subnet bits set to one). Some devices would not allow the use of these subnets. Cisco Systems devices allow the use of these subnets when the ip subnet zero command is configured.
Examples
Sample Exercise 1
Now that you have an understanding of subnetting, put this knowledge to use. In this example, you are given two address / mask combinations, written with the prefix/length notation, which have been assigned to two devices. Your task is to determine if these devices are on the same subnet or different subnets. You can do this by using the address and mask of each device to determine to which subnet each address belongs.
DeviceA: 172.16.17.30/20
DeviceB: 172.16.28.15/20
Determining the subnet for DeviceA:
172.16.17.30   - 10101100.00010000.00010001.00011110
255.255.240.0  - 11111111.11111111.11110000.00000000
subnet         = 10101100.00010000.00010000.00000000 = 172.16.16.0
Looking at the address bits that have a corresponding mask bit set to one, and setting all the other address bits to zero (this is equivalent to performing a logical "AND" between the mask and address), shows you to which subnet this address belongs. In this case, DeviceA belongs to subnet 172.16.16.0.
Determining the subnet for DeviceB:
172.16.28.15   - 10101100.00010000.00011100.00001111
255.255.240.0  - 11111111.11111111.11110000.00000000
subnet         = 10101100.00010000.00010000.00000000 = 172.16.16.0
From these determinations, DeviceA and DeviceB have addresses that are part of the same subnet.
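The logical AND the exercise performs, as an added example rather than code from the Cisco document: subnet_of() keeps the address bits under mask bits set to one, same_subnet() compares the result for two devices, and show_work() prints the binary layout the exercise uses so the result can be read off line by line.

```python
"""Which subnet does an address belong to?  AND the address with the mask.

Added example, not from the page.  Reproduces the binary view used in
Sample Exercise 1 and decides whether two devices share a subnet.
"""


def dotted_to_int(dotted: str) -> int:
    o = [int(x) for x in dotted.split(".")]
    return (o[0] << 24) | (o[1] << 16) | (o[2] << 8) | o[3]


def int_to_dotted(value: int) -> str:
    return ".".join(str((value >> s) & 0xFF) for s in (24, 16, 8, 0))


def to_binary(dotted: str) -> str:
    """'10.1.23.19' -> '00001010.00000001.00010111.00010011'."""
    return ".".join(f"{int(o):08b}" for o in dotted.split("."))


def subnet_of(address: str, mask: str) -> str:
    """Keep the address bits under mask bits set to one; zero the rest."""
    return int_to_dotted(dotted_to_int(address) & dotted_to_int(mask))


def same_subnet(addr_a: str, addr_b: str, mask: str) -> bool:
    """Two hosts are on one subnet when the AND with the mask gives the same network."""
    return subnet_of(addr_a, mask) == subnet_of(addr_b, mask)


def show_work(address: str, mask: str) -> str:
    """Lay out address, mask and result in binary, the way the exercise does."""
    net = subnet_of(address, mask)
    return "\n".join([
        f"{address:<14} - {to_binary(address)}",
        f"{mask:<14} - {to_binary(mask)}",
        f"{'subnet':<14} = {to_binary(net)} = {net}",
    ])


if __name__ == "__main__":
    print(show_work("172.16.17.30", "255.255.240.0"))
    print(show_work("172.16.28.15", "255.255.240.0"))
    print(same_subnet("172.16.17.30", "172.16.28.15", "255.255.240.0"))
```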
Sample Exercise 2
Given the Class C network of 204.15.5.0/24, subnet the network in order to create the network shown in Figure 3.
Looking at the network shown in Figure 3, you can see that you are required to create five subnets. The largest subnet must support 28 host addresses. Is this possible with a Class C network, and if so, how? You can start by looking at the subnet requirement. In order to create the five needed subnets you would need to use three bits from the Class C host bits. Two bits would only allow you four subnets (2^2). Since you need three subnet bits, that leaves you with five bits for the host portion of the address. How many hosts does this support? 2^5 = 32 (30 usable). This meets the requirement. Therefore you have determined that it is possible to create this network with a Class C network. An example of how you might assign the subnetworks is:
netA: 204.15.5.0/27    host address range 1 to 30
netB: 204.15.5.32/27   host address range 33 to 62
netC: 204.15.5.64/27   host address range 65 to 94
netD: 204.15.5.96/27   host address range 97 to 126
netE: 204.15.5.128/27  host address range 129 to 158
VLSM Example
In all of the previous examples of subnetting, notice that the same subnet mask was applied for all the subnets. This means that each subnet has the same number of available host addresses. You might need this in some cases, but, in most cases, having the same subnet mask for all subnets ends up wasting address space. For example, in the Sample Exercise 2 section, a class C network was split into eight equal-size subnets; however, each subnet did not utilize all available host addresses, which results in wasted address space (see Figure 4).
Figure 4 illustrates that of the subnets that are being used, NetA, NetC, and NetD have a lot of unused host address space. It is possible that this was a deliberate design accounting for future growth, but in many cases this is just wasted address space due to the fact that the same subnet mask is being used for all the subnets.
Variable Length Subnet Masks (VLSM) allows you to use different masks for each subnet, thereby using address space efficiently.
VLSM Example
Given the same network and requirements as in Sample
netA: must support 14 hosts
netB: must support 28 hosts
netC: must support 2 hosts
netD: must support 7 hosts
netE: must support 28 hosts
Determine what mask allows the required number of hosts.
netA: requires a /28 (255.255.255.240) mask to support 14 hosts
netB: requires a /27 (255.255.255.224) mask to support 28 hosts
netC: requires a /30 (255.255.255.252) mask to support 2 hosts
netD*: requires a /28 (255.255.255.240) mask to support 7 hosts
netE: requires a /27 (255.255.255.224) mask to support 28 hosts
* a /29 (255.255.255.248) would only allow 6 usable host addresses therefore netD requires a /28 mask.
The easiest way to assign the subnets is to assign the largest first. For example, you can assign in this manner:
netB: 204.15.5.0/27   host address range 1 to 30
netE: 204.15.5.32/27  host address range 33 to 62
netA: 204.15.5.64/28  host address range 65 to 78
netD: 204.15.5.80/28  host address range 81 to 94
netC: 204.15.5.96/30  host address range 97 to 98
This can be graphically represented as shown in Figure 5.
Figure 5 illustrates how using VLSM helped save more than half of the address space.
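The VLSM procedure above (pick the smallest mask that fits each subnet, then assign the largest subnets first) as an added example, not code from the Cisco document. prefix_for_hosts() encodes the footnote's reasoning for netD (a /29 gives only 6 usable hosts, so 7 hosts need a /28), allocate_vlsm() carves the subnets out of a block in largest-first order, and addresses_used() makes the "more than half saved" comparison concrete; the requirements dictionary NEEDS is constructed from the list on the page.

```python
"""VLSM: pick the smallest mask that fits each subnet, then carve subnets
out of one block, largest first.

Added example, not from the page.  allocate_vlsm() reproduces the
assignment the text arrives at for 204.15.5.0/24 and works for any block;
addresses_used() makes the "more than half saved" comparison concrete.
"""
from typing import Dict, List, Tuple


def dotted_to_int(dotted: str) -> int:
    o = [int(x) for x in dotted.split(".")]
    return (o[0] << 24) | (o[1] << 16) | (o[2] << 8) | o[3]


def int_to_dotted(value: int) -> str:
    return ".".join(str((value >> s) & 0xFF) for s in (24, 16, 8, 0))


def prefix_for_hosts(hosts: int) -> int:
    """Longest prefix whose usable host count, 2^(32-p) - 2, covers `hosts`
    (so 7 hosts need a /28: a /29 offers only 6)."""
    for prefix in range(30, -1, -1):
        if 2 ** (32 - prefix) - 2 >= hosts:
            return prefix
    raise ValueError("no IPv4 prefix holds that many hosts")


Assignment = Tuple[str, str, int, str, str]  # (name, network, prefix, first host, last host)


def allocate_vlsm(block: str, block_prefix: int, needs: Dict[str, int]) -> List[Assignment]:
    """Assign subnets largest first.  Python's sort is stable, so equal requirements
    keep the order they were given in (netB before netE, netA before netD below)."""
    ordered = sorted(needs.items(), key=lambda kv: kv[1], reverse=True)
    cursor = dotted_to_int(block)
    end = cursor + 2 ** (32 - block_prefix)
    out: List[Assignment] = []
    for name, hosts in ordered:
        prefix = prefix_for_hosts(hosts)
        size = 2 ** (32 - prefix)
        if cursor % size:                       # keep each subnet aligned to its size
            cursor += size - cursor % size
        if cursor + size > end:
            raise ValueError(f"block exhausted while placing {name}")
        out.append((name, int_to_dotted(cursor), prefix,
                    int_to_dotted(cursor + 1), int_to_dotted(cursor + size - 2)))
        cursor += size
    return out


def addresses_used(plan: List[Assignment]) -> int:
    """Total addresses consumed by the plan (network and broadcast included)."""
    return sum(2 ** (32 - prefix) for _, _, prefix, _, _ in plan)


# Requirements from the VLSM example (constructed dict, in the order the page lists them).
NEEDS = {"netA": 14, "netB": 28, "netC": 2, "netD": 7, "netE": 28}

if __name__ == "__main__":
    for name, net, prefix, first, last in allocate_vlsm("204.15.5.0", 24, NEEDS):
        print(f"{name}: {net}/{prefix} host address range {first} to {last}")
```

With the fixed /27 mask of Sample Exercise 2 the five subnets consume 160 addresses; the VLSM plan consumes 100, which is the saving Figure 5 shows.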
CIDR
Classless Interdomain Routing (CIDR) was introduced to improve both address space utilization and routing scalability in the Internet. It was needed because of the rapid growth of the Internet and growth of the IP routing tables held in the Internet routers. CIDR moves away from the traditional IP classes (Class A, Class B, Class C, and so on). In CIDR, an IP network is represented by a prefix, which is an IP address and some indication of the length of the mask. Length means the number of left-most contiguous mask bits that are set to one. So network 172.16.0.0 255.255.0.0 can be represented as 172.16.0.0/16. CIDR also depicts a more hierarchical Internet architecture, where each domain takes its IP addresses from a higher level. This allows for the summarization of the domains to be done at the higher level. For example, if an ISP owns network 172.16.0.0/16, then the ISP can offer 172.16.1.0/24, 172.16.2.0/24, and so on to customers. Yet, when advertising to other providers, the ISP only needs to advertise 172.16.0.0/16. For more information on CIDR, see RFC 1518 and RFC 1519.
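The prefix/length notation and the ISP summarization described in the CIDR section, as an added example (not code from the Cisco document) built on Python's standard ipaddress module: mask_length() gives the /N form of a contiguous mask, summarize() collapses a set of customer prefixes into the aggregates that need advertising, and covered_by() checks that a customer prefix falls inside an aggregate.

```python
"""Prefix/length notation and route summarization with the standard library.

Added example, not from the page.  mask_length() gives the /N form of a
contiguous mask; summarize() collapses customer prefixes into the aggregates
an ISP would advertise; covered_by() checks that a more specific prefix falls
inside an aggregate.
"""
import ipaddress
from typing import Iterable, List


def mask_length(mask: str) -> int:
    """255.255.0.0 -> 16: the number of left-most contiguous one bits.
    A non-contiguous mask such as 255.0.255.0 raises ValueError."""
    return ipaddress.ip_network(f"0.0.0.0/{mask}").prefixlen


def summarize(prefixes: Iterable[str]) -> List[str]:
    """Merge adjacent and overlapping prefixes into the fewest covering prefixes."""
    nets = [ipaddress.ip_network(p) for p in prefixes]  # strict: host bits must be zero
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


def covered_by(aggregate: str, prefix: str) -> bool:
    """True when every address of `prefix` lies inside `aggregate`."""
    return ipaddress.ip_network(prefix).subnet_of(ipaddress.ip_network(aggregate))


# Constructed sample: an ISP that hands out every /24 of 172.16.0.0/16 to customers.
CUSTOMER_PREFIXES = [f"172.16.{third}.0/24" for third in range(256)]

if __name__ == "__main__":
    print(mask_length("255.255.0.0"))
    print(summarize(CUSTOMER_PREFIXES))   # one /16 is enough upstream
    print(covered_by("172.16.0.0/16", "172.16.5.0/24"))
```

Note that two adjacent /24s only collapse when they sit on an even boundary: 172.16.2.0/24 and 172.16.3.0/24 become 172.16.2.0/23, but 172.16.1.0/24 and 172.16.2.0/24 stay separate.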
Appendix
Sample Config
Routers A and B are connected via a serial interface.
Router A
hostname routera
!
ip routing
!
int e 0
 ip address 172.16.50.1 255.255.255.0
 !(subnet 50)
int e 1
 ip address 172.16.55.1 255.255.255.0
 !(subnet 55)
int t 0
 ip address 172.16.60.1 255.255.255.0
 !(subnet 60)
int s 0
 ip address 172.16.65.1 255.255.255.0
 !(subnet 65)
 !S 0 connects to router B
router rip
 network 172.16.0.0
Router B
hostname routerb
!
ip routing
!
int e 0
 ip address 192.1.10.200 255.255.255.240
 !(subnet 192)
int e 1
 ip address 192.1.10.66 255.255.255.240
 !(subnet 64)
int s 0
 ip address 172.16.65.2 255.255.255.0
 !(same subnet as router A's s 0)
 !Int s 0 connects to router A
router rip
 network 192.1.10.0
 network 172.16.0.0
Class B (16 bits available for subnetting)

Number  Subnet Mask      Number of  Number of
of Bits                  Subnets*   Hosts*
------- ---------------- ---------- ---------
1       255.255.128.0    2          32766
2       255.255.192.0    4          16382
3       255.255.224.0    8          8190
4       255.255.240.0    16         4094
5       255.255.248.0    32         2046
6       255.255.252.0    64         1022
7       255.255.254.0    128        510
8       255.255.255.0    256        254
9       255.255.255.128  512        126
10      255.255.255.192  1024       62
11      255.255.255.224  2048       30
12      255.255.255.240  4096       14
13      255.255.255.248  8192       6
14      255.255.255.252  16384      2

Class C (8 bits available for subnetting)

Number  Subnet Mask      Number of  Number of
of Bits                  Subnets*   Hosts*
------- ---------------- ---------- ---------
1       255.255.255.128  2          126
2       255.255.255.192  4          62
3       255.255.255.224  8          30
4       255.255.255.240  16         14
5       255.255.255.248  32         6
6       255.255.255.252  64         2
* Subnets of all zeros and all ones included. These might not be supported on some legacy systems.
* Host IDs of all zeros and all ones excluded.
Classes of IP
Class A networks use a default subnet mask of 255.0.0.0 and have 0-127 as their first octet. The address 10.52.36.11 is a class A address. Its first octet is 10, which is between 1 and 126, inclusive.
Class B networks use a default subnet mask of 255.255.0.0 and have 128-191 as their first octet. The address 172.16.52.63 is a class B address. Its first octet is 172, which is between 128 and 191, inclusive.
Class C networks use a default subnet mask of 255.255.255.0 and have 192-223 as their first octet. The address 192.168.123.132 is a class C address. Its first octet is 192, which is between 192 and 223, inclusive.