Enhanced IGRP is a Cisco-proprietary balanced hybrid routing protocol that combines the best features of distance vector and link state routing. EIGRP:
- Sends the subnet mask in the routing update. It supports route summarization and VLSM.
- Supports automatic classful route summarization at major network boundaries (this is the default in EIGRP). Unlike IGRP and RIP, manual route summarization can also be configured on arbitrary network boundaries to reduce the routing table size.
- Is not susceptible to routing loops. Instead, EIGRP uses built-in loop avoidance techniques. Mechanisms such as holddown timers, split horizon, or poison reverse are not needed.
- Is scalable and does not have the 16 hop limitation of RIP.
- Uses hello packets to discover neighbor routers.
- Exchanges the full routing table at startup, and then partial routing updates thereafter.
- Uses bandwidth and delay for the route metric (similar to IGRP).
- Maintains partial network topology information in addition to routes.
- Keeps multiple paths to a single network.
- Minimizes network bandwidth usage for routing updates. During normal operation EIGRP transmits only hello packets across the network. EIGRP does not send periodic routing updates like RIP and IGRP. When a change occurs, only the routing table changes are propagated, not the entire table.
- Requires less processing and memory than link state protocols.
- Converges more quickly than distance vector protocols. In some cases, convergence can be almost instantaneous because an EIGRP router stores backup routes for destinations. If no appropriate route or backup exists in the routing table, EIGRP will query neighbor routers to discover an alternate route. In this manner, EIGRP can quickly adapt to alternate routes when changes occur.
- Uses the DUAL link-state algorithm for calculating routes.
- Supports multiple protocols. EIGRP can exchange routes for IP, AppleTalk and IPX/SPX networks.

EIGRP Command List
You configure EIGRP just the same as you would configure IGRP. The following table lists the applicable commands.
Command / Function
Router(config)#router eigrp number: Defines an EIGRP process. The number must match between routers for information to be shared.
Router(config-router)#network n.n.n.n: Identifies a network that participates in the routing process.

Example
The following commands enable EIGRP on a router and define three networks that participate in the routing process.

Router(config)#router eigrp 2
Router(config-router)#network 192.168.1.0
Router(config-router)#network 192.168.2.0
Router(config-router)#network 192.168.3.0

Use the following commands to manage and monitor EIGRP.

Command / Features
show ip route: View EIGRP-learned routes.
show ip eigrp neighbors: View neighboring routers from which EIGRP routes can be learned. Lists the IP address of the connected router.
show ip eigrp interfaces: View the interfaces that are running EIGRP and the number of connected routers.

OSPF Facts
The Open Shortest Path First (OSPF) routing protocol is a robust link state routing protocol well-suited for large networks. You should remember the following characteristics of link state protocols that apply to OSPF:
- Is a public (non-proprietary) routing protocol.
- Is considered a classless routing protocol because it does not assume the default subnet masks are used. It sends the subnet mask in the routing update and supports route summarization and VLSM.
- Is not susceptible to routing loops. Instead, OSPF uses built-in loop avoidance techniques. Mechanisms such as holddown timers, split horizon, or poison reverse are not needed.
- Is scalable and does not have the 16 hop limitation of RIP.
- Uses hello packets to discover neighbor routers.
- Shares routing information through Link State Advertisements (LSAs). LSAs contain small bits of information about routes. (Unadvertised links save on IP space, but they cannot be pinged because they won't appear in an OSPF routing table.)
- Under normal conditions, OSPF only sends out updated information rather than exchanging the entire routing table.
- Converges faster than a distance vector protocol.
- Can require additional processing power (and therefore increased system requirements). Good design can minimize this impact.
- Maintains a logical topographical map of the network in addition to maintaining routes to various networks.
- Uses areas to subdivide large networks. Routers within an area share information about the area. Routers on the edge of areas (called Area Border Routers (ABRs)) share summarized information between areas.
  - The backbone is a specialized area connected to all other areas. It contains networks not held within another area, and distributes routing information between areas. You can think of the backbone as the "master" or "root" area. Its address is always 0.0.0.0. All OSPF networks must have a backbone area.
  - A stub area is an area with a single path in to and out of the area.
- Uses link costs as a metric for determining best routes. The Shortest Path First (SPF) algorithm (also called the Dijkstra SPF algorithm) is used to identify and select the optimal route.
- As part of the OSPF process, each router is assigned a router ID (RID). The router ID is:
  - The highest IP address assigned to a loopback (logical) interface.
  - If a loopback interface is not defined, the highest IP address of the router's physical interfaces.
  Because the loopback interface takes precedence over the physical interfaces in determining the router ID, you can force a specific router ID by defining a loopback interface and assigning it an IP address.

OSPF Command List
OSPF is fairly simple, with only a few variations from the RIP and IGRP configuration steps you have previously used. Configuration is as simple as defining the OSPF process using the router ospf command, and then identifying the networks that will participate in OSPF routing. The following table lists the commands and details for configuring OSPF.

Command / Purpose
Router(config)#router ospf process-id: Use to enter configuration mode for OSPF. The process ID identifies a separate routing process on the router. Note: Although similar, the process ID number is not the same thing as the AS number used in IGRP/EIGRP routing. Process IDs do not need to match between routers (in other words, two routers configured with different process IDs might still share OSPF information).
Router(config-router)#network n.n.n.n m.m.m.m area number: Identifies networks that participate in OSPF routing. n.n.n.n is the network address. This can be a subnetted, classless network. m.m.m.m is a wildcard mask (not the normal subnet mask). The wildcard mask identifies the subnet address. number is the area number in the OSPF topology. The area number must match between routers.

Example
The following graphic shows a sample network with two OSPF areas. Use the following commands to configure OSPF on each router:

Router / Configuration
SFO:
router ospf 1
network 10.1.0.0 0.0.15.255 area 0
network 10.1.16.0 0.0.15.255 area 1
network 10.1.32.0 0.0.15.255 area 1
LA:
router ospf 2
network 10.1.16.1 0.0.0.0 area 1
network 10.2.0.1 0.0.0.0 area 1
PH:
router ospf 1
network 10.1.32.0 0.0.15.255 area 1
network 10.3.0.0 0.0.255.255 area 1

Notice the following in the configuration:
- The process ID on each router does not match. OSPF uses areas to identify sharing of routes, not the process ID.
- You can use the subnet address with the appropriate wildcard mask (as in 10.1.16.0 0.0.15.255), or you can use the IP address of the router interface with a mask of 0.0.0.0.
- The network command identifies the subnet, wildcard mask, and the OSPF area of the subnet. A subnet can only be in one area.

Managing OSPF
The following table lists some commands that are useful in monitoring and troubleshooting OSPF.

Command / Function
show ip route: View the routing table and OSPF entries.
show ip ospf neighbor: View neighbor OSPF routers. Shows the neighbor router ID numbers.
show ip ospf interface: View interfaces that are running OSPF.
Includes information such as:
- Area number
- Process ID
- Router ID
- Timer settings
- Adjacent routers

Spanning Tree Facts
To provide for fault tolerance, many networks implement redundant paths between devices using multiple switches. However, providing redundant paths between segments causes packets to be passed between the redundant paths endlessly. This condition is known as a bridging loop.

To prevent bridging loops, the IEEE 802.1d committee defined a standard called the spanning tree algorithm (STA), or spanning tree protocol (STP). With this protocol, one bridge (or switch) for each route is assigned as the designated bridge. Only the designated bridge can forward packets. Redundant bridges (and switches) are assigned as backups.

The spanning tree algorithm provides the following benefits:
- Eliminates bridging loops
- Provides redundant paths between devices
- Enables dynamic role configuration
- Recovers automatically from a topology change or device failure
- Identifies the optimal path between any two network devices

The spanning tree algorithm automatically discovers the network topology, and creates a single, optimum path through a network by assigning one of the following roles to each bridge or switch. The bridge role determines how the device functions in relation to other devices, and whether the device forwards traffic to other segments.

Role / Characteristics
Root Bridge: The root bridge is the master or controlling bridge. The root bridge periodically broadcasts configuration messages. These messages are used to select routes and reconfigure the roles of other bridges if necessary. There is only one root bridge per network. It should be assigned by the network administrator. When selecting the root bridge, select the bridge that is closest to the physical center of the network.
Designated Bridge: A designated bridge is any other device that participates in forwarding packets through the network.
They are selected automatically by exchanging bridge configuration packets. To prevent bridging loops, there is only one designated bridge per segment.
Backup Bridge: All redundant devices are classified as backup bridges. Backup bridges listen to network traffic and build the bridge database. However, they will not forward packets. A backup bridge can take over if the root bridge or a designated bridge fails.

Devices send special packets called Bridge Protocol Data Units (BPDUs) out each port. BPDUs sent and received from other bridges are used to determine the bridge roles, verify that neighbor devices are still functioning, and recover from network topology changes. Devices participating in the spanning tree algorithm use the following process to configure themselves:
1. At startup, switches send BPDUs (Bridge Protocol Data Units) out each port.
2. Switches use information in the BPDUs to elect a root bridge.
3. Switches on redundant paths are configured as either designated (active) or backup (inactive) switches.
4. After configuration, switches periodically send BPDUs to ensure connectivity and discover topology changes.

As the switch participates in the configuration process, and while it operates, each of its ports is placed into one of five states. The port state determines whether the port receives and forwards normal network messages.

Port State / Description
Disabled: A device in the disabled state is powered on but does not participate in listening to network messages or forwarding them. A bridge must be manually placed in the disabled state.
Blocking: When a device is first powered on, it is in the blocking state. In addition, backup bridges are always in a blocking state. The bridge receives packets and BPDUs sent to all bridges, but will not process any other packets.
Listening: The listening state is a transitional state between blocking and learning. The port remains in the listening state for a specific period of time. This time period allows network traffic to settle down after a change has occurred. For example, if a bridge goes down, all other bridges go to the listening state for a period of time. During this time the bridges redefine their roles.
Learning: A port in the learning state is receiving packets and building the bridge database (associating MAC addresses with ports). A timer is also associated with this state. The port goes to the forwarding state after the timer expires.
Forwarding: The root bridge and designated bridges are in the forwarding state when they can receive and forward packets. A port in the forwarding state can both learn and forward.

Note: When you use spanning tree on a switch with multiple VLANs, each VLAN runs a separate instance of the spanning tree protocol.

Spanning Tree Command List
You can configure multiple paths with switches to provide fault tolerance. As you know, having multiple paths means that the network is susceptible to data transmission (bridging) loops. Like bridges, switches can run the spanning tree algorithm to prevent such loops from forming. By default, the spanning tree protocol is enabled on all Cisco switches. Switch port configuration is automatic when the switch is connected to the network and powered on. Use the following commands to customize the spanning tree protocol.

Command / Function
Switch(config)#no spanning-tree vlan number: Disables spanning tree on the selected VLAN.
Switch(config)#spanning-tree vlan number root primary: Forces the switch to be the root of the spanning tree.
Switch#show spanning-tree: Shows spanning tree configuration information. To determine if the VLAN is functioning properly, verify that the first line of the output is: VLAN1 is executing the IEEE compatible spanning tree protocol.

Example
The following commands disable spanning tree for VLAN 12 and force the switch to be the root of the spanning tree for VLAN 1.
Switch(config)#no spanning-tree vlan 12
Switch(config)#spanning-tree vlan 1 root primary

EtherChannel Facts
EtherChannel combines multiple switch ports into a single, logical link between two switches. With EtherChannel:
- You can combine 2-8 ports into a single link.
- All links in the channel group are used for communication between the switches.
- Use EtherChannel to increase the bandwidth between switches.
- Use EtherChannel to establish automatic redundant paths between switches. If one link fails, communication will still occur over the other links in the group.
- Use EtherChannel to reduce spanning tree convergence times.

Use the channel-group command for a port to enable EtherChannel as follows:

Switch(config)#interface fast 0/12
Switch(config-if)#channel-group 1 mode on

Each channel group has its own number. All ports assigned to the same channel group will be viewed as a single logical link.

Note: If you do not use the channel-group command, the spanning tree algorithm will identify each link as a redundant path to the other bridge and will put one of the ports in blocking state.

Port Security Facts
The basic function of a switch is to pass packets from one host to another. Under normal operations, the switch learns the MAC address of the device(s) connected to each of its ports. When a device is connected to the switch port, the MAC address of the frame from the connected device is placed in a forwarding table. Under normal circumstances, there are no restrictions on the devices that can be attached to a switch port.

With switch port security, you configure the switch to allow only specific devices to use a given port. You identify the MAC address of allowed devices. Any devices not explicitly identified will not be allowed to send frames through the switch. To configure port security, take the following general actions on the port:
- Explicitly configure the port as an access port (a port with attached hosts, not with an attached switch).
- Enable switch port security.
- Identify the MAC addresses that can use the port.

The following table lists the switch port configuration commands:

Command / Function
switch(config-if)#switchport mode access: Identifies the port as an access port.
switch(config-if)#switchport port-security: Enables port security.
switch(config-if)#switchport port-security mac-address h.h.h: Identifies the allowed MAC address (h.h.h is a hexadecimal number).
switch(config-if)#switchport port-security maximum number: Configures the maximum number of MAC addresses that can be allowed for a port. The default allows only a single MAC address per port. Use this command to increase the number allowed.
switch(config-if)#switchport port-security mac-address sticky: Configures the switch to dynamically identify the allowed MAC address. The address in the first frame received by the switch port is the allowed MAC address for the port. Note: The Catalyst switch can sticky learn a maximum of 132 MAC addresses.
switch(config-if)#switchport port-security violation action: Identifies the action the switch will take when an unauthorized device attempts to use the port. Action keywords are:
  - protect drops the frames from the unauthorized device
  - restrict does the same as protect and also generates an SNMP trap
  - shutdown disables the port
switch#show port-security interface interfacetype and number: Shows port security information for the specified port.
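The port security behaviour the table above describes, as an added example in Python (not TestOut or Cisco code): one SecurePort models an access port with its allowed-MAC list, maximum, sticky learning and the three violation actions. The err-disabled flag, the counters and the log lines are this demo's own simplifications of what a Catalyst switch does.

```python
"""Simulation of switch port security: allowed MACs, maximum, sticky learning
and the protect / restrict / shutdown violation actions described above.
Added illustration, not TestOut or Cisco code; err_disabled, violations and
the log strings are this demo's own assumptions."""
from dataclasses import dataclass, field

STICKY_LIMIT = 132  # page: a Catalyst can sticky learn at most 132 addresses


@dataclass
class SecurePort:
    name: str
    maximum: int = 1                      # default: one MAC per port
    sticky: bool = False                  # learn the first MAC(s) seen
    violation: str = "shutdown"           # protect | restrict | shutdown
    allowed: set = field(default_factory=set)
    err_disabled: bool = False            # set once the shutdown action fires
    violations: int = 0
    log: list = field(default_factory=list)

    def configure_mac(self, mac: str) -> None:
        """switchport port-security mac-address h.h.h"""
        if len(self.allowed) >= self.maximum:
            raise ValueError(f"{self.name}: maximum of {self.maximum} reached")
        self.allowed.add(mac.lower())

    def receive(self, src_mac: str) -> bool:
        """Return True if a frame from src_mac is forwarded, False if dropped."""
        mac = src_mac.lower()
        if self.err_disabled:
            return False                  # port stays down until an admin recovers it
        if mac in self.allowed:
            return True
        if self.sticky and len(self.allowed) < min(self.maximum, STICKY_LIMIT):
            self.allowed.add(mac)         # first unknown source becomes the allowed MAC
            self.log.append(f"{self.name}: sticky learned {mac}")
            return True
        return self._violate(mac)

    def _violate(self, mac: str) -> bool:
        self.violations += 1
        if self.violation == "protect":
            return False                  # silently drop
        if self.violation == "restrict":
            self.log.append(f"{self.name}: SNMP trap, violation by {mac}")
            return False
        self.err_disabled = True          # shutdown: the whole port goes down
        self.log.append(f"{self.name}: err-disabled after violation by {mac}")
        return False


def page_examples() -> dict:
    """Replay the two configurations from the Examples section that follows."""
    # Fa0/12: only host 5ab9.0012.02af, default violation action (shutdown)
    fa12 = SecurePort("Fa0/12")
    fa12.configure_mac("5ab9.0012.02af")
    good = fa12.receive("5ab9.0012.02af")
    bad = fa12.receive("0000.1111.2222")      # constructed intruder MAC
    after = fa12.receive("5ab9.0012.02af")    # legitimate host is now cut off too

    # Fa0/15: sticky, so the first frame's source becomes the allowed address
    fa15 = SecurePort("Fa0/15", sticky=True, violation="restrict")
    first = fa15.receive("0000.aaaa.0001")    # constructed
    second = fa15.receive("0000.aaaa.0002")   # constructed, violates
    return {
        "fa12_good": good, "fa12_bad": bad, "fa12_after": after,
        "fa12_down": fa12.err_disabled,
        "fa15_first": first, "fa15_second": second,
        "fa15_down": fa15.err_disabled, "fa15_trap": len(fa15.log) == 2,
    }


if __name__ == "__main__":
    for key, value in page_examples().items():
        print(f"{key}: {value}")
```

Note that with the default shutdown action a single stray frame also cuts off the legitimate host, which is why restrict is often preferred on user ports.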
Examples
The following commands configure switch port security to allow only host 5ab9.0012.02af to use Fast Ethernet port 0/12:

switch(config)#interface fast 0/12
switch(config-if)#switchport mode access
switch(config-if)#switchport port-security
switch(config-if)#switchport port-security mac-address 5ab9.0012.02af

The following commands configure Fast Ethernet port 0/15 to accept the first MAC address it receives as the allowed MAC address for the port:

switch(config)#interface fast 0/15
switch(config-if)#switchport mode access
switch(config-if)#switchport port-security
switch(config-if)#switchport port-security mac-address sticky

Inter-VLAN Routing
In a typical configuration with multiple VLANs and a single or multiple switches, workstations in one VLAN will not be able to communicate with workstations in other VLANs. To enable inter-VLAN communication, you will need to use a router (or a Layer 3 switch) as shown in the following graphic.

Be aware of the following conditions with inter-VLAN routing:
- The top example uses two physical interfaces on the router.
- The bottom example uses a single physical interface on the router. In this configuration, the physical interface is divided into two logical interfaces called subinterfaces. This configuration is also called a router on a stick.
- In each case, the router interfaces are connected to switch trunk ports.
- The router interfaces or subinterfaces must be running a trunking protocol (either ISL or 802.1Q).
- Each interface or subinterface requires an IP address.

VLAN Facts
A virtual LAN (VLAN) can be defined as:
- Broadcast domains defined by switch port rather than network address
- A grouping of devices based on service need, protocol, or other criteria rather than physical proximity

Using VLANs lets you assign devices on different switch ports to different logical (or virtual) LANs. Although each switch can be connected to multiple VLANs, each switch port can be assigned to only one VLAN at a time.
The following graphic shows a single-switch VLAN configuration. Be aware of the following facts about VLANs:
- In the graphic above, FastEthernet ports 0/1 and 0/2 are members of VLAN 1. FastEthernet ports 0/3 and 0/4 are members of VLAN 2.
- In the graphic above, workstations in VLAN 1 will not be able to communicate with workstations in VLAN 2, even though they are connected to the same physical switch.
- Defining VLANs creates additional broadcast domains. The above example has two broadcast domains, each of which corresponds to one of the VLANs.
- By default, switches come configured with several default VLANs:
  - VLAN 1
  - VLAN 1002
  - VLAN 1003
  - VLAN 1004
  - VLAN 1005
- By default, all ports are members of VLAN 1.

Creating VLANs with switches offers the following administrative benefits.
- You can create virtual LANs based on criteria other than physical location (such as workgroup, protocol, or service)
- You can simplify device moves (devices are moved to new VLANs by modifying the port assignment)
- You can control broadcast traffic and create collision domains based on logical criteria
- You can control security (isolate traffic within a VLAN)
- You can load-balance network traffic (divide traffic logically rather than physically)

Creating VLANs with switches offers the following benefits over using routers to create distinct networks.
- Switches are easier to administer than routers
- Switches are less expensive than routers
- Switches offer higher performance (introduce less latency)

A disadvantage of using switches to create VLANs is that you might be tied to a specific vendor. Details of how VLANs are created and identified can vary from vendor to vendor. Creating a VLAN might mean you must use only that vendor's switches throughout the network. When using multiple vendors in a switched network, be sure each switch supports the 802.1q standards if you want to implement VLANs.
Despite advances in switch technology, routers are still needed to:
- Filter WAN traffic
- Route traffic between separate networks
- Route packets between VLANs

Frame Tagging Facts
Although you can create VLANs with only one switch, most networks involve connecting multiple switches. The area between switches is called the switch fabric. As a frame moves from switch to switch within the switch fabric, each switch must be able to identify the destination virtual LAN. One way to identify the VLAN is for the switch to use a filtering table that maps VLANs to MAC addresses. However, this solution does not scale well. For large networks, switches append a VLAN ID to each frame. This process, called frame tagging or frame coloring, identifies the VLAN of the destination device. Remember the following facts regarding switch frame tagging (or coloring).
- VLAN IDs identify the VLAN of the destination device.
- Tags are appended by the first switch in the path, and removed by the last.
- Only VLAN-capable devices understand the frame tag. Tags must be removed before a frame is forwarded to a non-VLAN-capable device.
- Tag formats and specifications can vary from vendor to vendor. When designing VLANs, you might need to stick with one switch vendor. Cisco's proprietary protocol is called the Inter-Switch Link (ISL) protocol. Use 802.1q-capable switches to ensure a consistent tagging protocol.

VLAN Command List
To configure a simple VLAN, first create the VLAN, and then assign ports to that VLAN. The following table shows common VLAN configuration commands.
Task / Command(s)
Define a VLAN (You can create VLANs in either vlan database mode or by using the vlan command in global configuration mode.):
  switch#vlan database*
  switch(vlan)#vlan 2 name name**
  switch(vlan)#exit (or apply)
  OR
  switch(config)#vlan 2
  switch(config-vlan)#name name**
Assign ports to the VLAN:
  switch(config-if)#switchport access vlan number***
Show a list of VLANs on the system:
  switch#show vlan
Show information for a specific VLAN:
  switch#show vlan id number

*Notice that the vlan database command is issued in privileged EXEC mode.
**Giving the VLAN a name is optional.
***If you have not yet defined the VLAN, it will be created automatically when you assign the port to the VLAN.

Example
The following commands create VLAN 12 named IS_VLAN, identify port 0/12 as having only workstations attached to it, and assign the port to VLAN 12.

switch#config t
switch(config)#vlan 12
switch(config-vlan)#name IS_VLAN
switch(config-vlan)#interface fast 0/12
switch(config-if)#switchport mode access
switch(config-if)#switchport access vlan 12

SECURITY

Access List Facts
Routers use access lists to control incoming or outgoing traffic. You should know the following characteristics of an access list.
- Access lists describe the traffic type that will be controlled.
- Access list entries describe the traffic characteristics.
- Access list entries identify either permitted or denied traffic.
- Access list entries can describe a specific traffic type, or allow or restrict all traffic.
- When created, an access list contains an implicit "deny all" entry at the end of the access list.
- Each access list applies only to a specific protocol.
- Each router interface can have up to two access lists for each protocol, one for incoming traffic and one for outgoing traffic.
- When an access list is applied to an interface, it identifies whether the list restricts incoming or outgoing traffic.
- Access lists exist globally on the router, but filter traffic only for the interfaces to which they have been applied.
- Each access list can be applied to more than one interface. However, each interface can only have one incoming and one outgoing list.
- Access lists can be used to log traffic that matches the list statements.

When you create an access list, it automatically contains a "deny any" statement, although this statement does not appear in the list itself. For a list to allow any traffic, it must have at least one permit statement, either permitting a specific traffic type or permitting all traffic not specifically restricted.

There are two general types of access lists: standard and extended.

Use a standard list to filter on... / Use an extended list to filter on...
Standard: Source hostname or host IP address
Extended: Source IP protocol (i.e. IP, TCP, UDP, etc.); Source hostname or host IP address; Source or destination socket number; Destination hostname or host IP address; Precedence or TOS values

IP Access List Command List
Configuring access lists involves two general steps:
1. Create the list and list entries with the access-list command
2. Apply the list to a specific interface with the ip access-group command

Use ... / To ...
Router(config)#access-list [number]: Create an access list entry. Use the following number ranges to define the access list:
  1-99 = Standard IP access lists
  100-199 = Extended IP access lists
Router(config-if)#ip access-group [number]: Apply the standard or extended IP access list to a specific interface.

Examples
The following commands create a standard IP access list that permits all outgoing traffic except the traffic from network 10.0.0.0, and applies the list to the Ethernet0 interface.

Router(config)#access-list 1 deny 10.0.0.0 0.255.255.255
Router(config)#access-list 1 permit any
Router(config)#int e0
Router(config-if)#ip access-group 1 out

The following commands create a standard IP access list that rejects all traffic except traffic from host 10.12.12.16, and applies the list to the Serial0 interface.
Router(config)#access-list 2 permit 10.12.12.16
Router(config)#int s0
Router(config-if)#ip access-group 2 in

Note: Remember that each access list contains an implicit deny any entry. When created, the access list denies all traffic except traffic explicitly permitted by permit statements in the list.

The following commands create an extended IP access list that rejects packets from host 10.1.1.1 sent to host 15.1.1.1, and applies the list to the second serial interface.

Router(config)#access-list 101 deny ip 10.1.1.1 0.0.0.0 15.1.1.1 0.0.0.0
Router(config)#access-list 101 permit ip any any
Router(config)#int s1
Router(config-if)#ip access-group 101 in

The following commands create an extended IP access list that does not forward TCP packets from any host on network 10.0.0.0 to network 11.12.0.0, and applies the list to the first serial interface.

Router(config)#access-list 111 deny tcp 10.0.0.0 0.255.255.255 11.12.0.0 0.0.255.255
Router(config)#access-list 111 permit ip any any
Router(config)#int s0
Router(config-if)#ip access-group 111 in

Calculating Wildcard Masks
The wildcard mask is used with access list statements to identify a range of IP addresses (such as all addresses on a specific network). When used to identify network addresses in access list statements, wildcard masks are the exact opposite of a subnet mask. To calculate the wildcard mask:
1. Identify the decimal value of the subnet mask.
2. Subtract each octet in the subnet mask from 255.

For example, suppose you wanted to allow all traffic on network 10.12.16.0/21. To find the wildcard mask:
1. A mask that covers 21 bits converts to 255.255.248.0
2. The wildcard mask would be:
  - First octet: 255 - 255 = 0
  - Second octet: 255 - 255 = 0
  - Third octet: 255 - 248 = 7
  - Fourth octet: 255 - 0 = 255
  This gives you the mask of: 0.0.7.255

Like subnet masks, wildcard masks operate at the bit level. Any bit in the wildcard mask with a 0 value means that the bit must match to match the access list statement.
A bit with a 1 value means that the bit does not have to match. For example, let's examine the subnet address, subnet mask, and wildcard mask in binary form for the preceding example.

Address Type     Decimal Values   Binary Values
Subnet address   10.12.16.0       00001010.00001100.00010000.00000000
Subnet mask      255.255.248.0    11111111.11111111.11111000.00000000
Wildcard mask    0.0.7.255        00000000.00000000.00000111.11111111

Notice how the bits in the wildcard mask are exactly opposite of the bits in the subnet mask. Suppose an access list were created with a statement as follows:

access-list 12 deny 10.12.16.0 0.0.7.255

Suppose that a packet addressed to 10.12.16.15 was received. The router uses the wildcard mask to compare the bits in the address to the bits in the subnet address.

Address Type       Decimal Values   Binary Values
Subnet address     10.12.16.0       00001010.00001100.00010000.00000000
Wildcard mask      0.0.7.255        00000000.00000000.00000111.11111111
Target address #1  10.12.16.15      00001010.00001100.00010000.00001111

Now the router applies the mask to the address (m = match, i = ignored, x = doesn't match):

mmmmmmmm.mmmmmmmm.mmmmmiii.iiiiiiii

In this example, all bits identified with a 0 in the wildcard mask must match between the address and the network address. Any bit identified with a 1 is ignored. In this example, 10.12.16.15 matches the access list statement and the traffic is denied.

Now suppose that a packet addressed to 10.13.17.15 was received. The router uses the wildcard mask to compare the bits in the address to the bits in the subnet address.

Address Type       Decimal Values   Binary Values
Subnet address     10.12.16.0       00001010.00001100.00010000.00000000
Wildcard mask      0.0.7.255        00000000.00000000.00000111.11111111
Target address #1  10.13.17.15      00001010.00001101.00010001.00001111

Now the router applies the mask to the address (m = match, i = ignored, x = doesn't match):

mmmmmmmm.mmmmmmmx.mmmmmiii.iiiiiiii

Notice that this address does not match the access list statement as identified with the wildcard mask.
In this case, traffic would be permitted.

Designing Access Lists
After you have created an access list, you must apply it to an interface. In many cases, this means you will need to decide which router, which port, and which direction to apply the access list to. Keep in mind the following:
- Each interface can only have one inbound and one outbound access list for each protocol. This means that an interface can have either a standard inbound or an extended inbound IP access list, but not both.
- You can have two access lists for the same direction applied to an interface if the lists restrict different networking protocols. For example, you can have one outbound IP access list and one outbound IPX access list.
- When constructing access lists, place the most restrictive statements at the top. Traffic is matched to access list statements in the order they appear in the list. If traffic matches a statement high in the list, subsequent statements will not be applied to the traffic.
- Each access list has an implicit deny any statement at the end of the access list. Your access list must contain at least one allow statement, or no traffic will be allowed.
- Access lists applied to inbound traffic filter packets before the routing decision is made. Access lists applied to outbound traffic filter packets after the routing decision is made.
- As a general rule, apply extended access lists as close to the source router as possible. This keeps the packets from being sent throughout the rest of the network.
- As a general rule, apply standard access lists as close to the destination router as possible. This is because standard access lists can only filter on source address. Placing the list too close to the source will prevent any traffic from the source from getting to any other parts of the network.
- When making placement decisions, carefully read all access list statements and requirements. Identify blocked and allowed traffic, as well as the direction that traffic will be traveling.
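The wildcard arithmetic from Calculating Wildcard Masks and the top-down, first-match, implicit-deny evaluation from Designing Access Lists, as one added Python example (not TestOut or Cisco code). It parses the numbered access-list syntax used in the Examples above; the Packet class and the `permit any` appended to list 12 are this demo's own assumptions.

```python
"""Wildcard-mask arithmetic plus first-match, implicit-deny evaluation of the
numbered IP access lists shown on this page. Added illustration, not TestOut
or Cisco code: standard lists (1-99) match on source only, extended lists
(100-199) on protocol, source and destination. Packet is a minimal header."""
from dataclasses import dataclass
import ipaddress

ALL_ONES = 0xFFFFFFFF

def wildcard_from_prefix(prefix_len: int) -> str:
    """/21 -> 255.255.248.0 -> 0.0.7.255 (each octet subtracted from 255)."""
    netmask = int(ipaddress.IPv4Network(f"0.0.0.0/{prefix_len}").netmask)
    return str(ipaddress.IPv4Address(netmask ^ ALL_ONES))

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """A 0 bit in the wildcard must match the base address; a 1 bit is ignored."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    return ((a ^ b) & (w ^ ALL_ONES)) == 0

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str = "ip"          # ip, tcp, udp, ...

@dataclass(frozen=True)
class Entry:
    action: str                # permit | deny
    protocol: str              # "*" for a standard list (source only)
    src: str
    src_wc: str
    dst: str = "0.0.0.0"
    dst_wc: str = "255.255.255.255"

def _take_address(tokens: list) -> tuple:
    """Consume `any`, `host a.b.c.d` or `a.b.c.d [wildcard]` from tokens."""
    tok = tokens.pop(0)
    if tok == "any":
        return "0.0.0.0", "255.255.255.255"
    if tok == "host":
        return tokens.pop(0), "0.0.0.0"
    wc = "0.0.0.0"                       # a standard list may omit the wildcard
    if tokens and tokens[0][0].isdigit():
        wc = tokens.pop(0)
    return tok, wc

def parse_entry(line: str) -> tuple:
    """'access-list N action ...' -> (N, Entry)."""
    tokens = line.split()
    number, action, rest = int(tokens[1]), tokens[2], tokens[3:]
    if 1 <= number <= 99:                # standard: source address only
        return number, Entry(action, "*", *_take_address(rest))
    if 100 <= number <= 199:             # extended: protocol, source, destination
        proto = rest.pop(0)
        src, src_wc = _take_address(rest)
        dst, dst_wc = _take_address(rest)
        return number, Entry(action, proto, src, src_wc, dst, dst_wc)
    raise ValueError(f"unsupported list number {number}")

def build_lists(config_lines: list) -> dict:
    """Group entries by list number, keeping the order they were typed."""
    lists: dict = {}
    for line in config_lines:
        number, entry = parse_entry(line)
        lists.setdefault(number, []).append(entry)
    return lists

def evaluate(entries: list, pkt: Packet) -> str:
    """First matching entry wins; falling off the end is the implicit deny."""
    for e in entries:
        if e.protocol not in ("*", "ip", pkt.proto):
            continue
        if not wildcard_match(pkt.src, e.src, e.src_wc):
            continue
        if e.protocol != "*" and not wildcard_match(pkt.dst, e.dst, e.dst_wc):
            continue
        return e.action
    return "deny"

# The lists from the Examples and wildcard sections above; list 12 gets the
# `permit any` that the "traffic would be permitted" outcome assumes.
PAGE_CONFIG = [
    "access-list 1 deny 10.0.0.0 0.255.255.255",
    "access-list 1 permit any",
    "access-list 2 permit 10.12.12.16",
    "access-list 12 deny 10.12.16.0 0.0.7.255",
    "access-list 12 permit any",
    "access-list 101 deny ip 10.1.1.1 0.0.0.0 15.1.1.1 0.0.0.0",
    "access-list 101 permit ip any any",
    "access-list 111 deny tcp 10.0.0.0 0.255.255.255 11.12.0.0 0.0.255.255",
    "access-list 111 permit ip any any",
]
LISTS = build_lists(PAGE_CONFIG)

def check(number: int, pkt: Packet) -> str:
    return evaluate(LISTS[number], pkt)
```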
Place the access list on the interface where a single list will block (or allow) all necessary traffic.

Monitoring Access Lists

The following list summarizes the commands to use for viewing specific access list information on the router.

If you want to view...                          Use...
All access lists that exist on the router       show run, show access-lists
All access lists applied to an interface        show ip int, show run
Rejected traffic information                    show log
IP access lists configured on the router        show run, show ip access-lists
A specific access list                          show access-lists [number]

Network Address Translation (NAT)

NAT is similar to Classless Inter-Domain Routing (CIDR) in that the original intention for NAT was to slow the depletion of available IP address space by allowing many private IP addresses to be represented by some smaller number of public IP addresses.

Here's a list of situations in which it's best to have NAT on your side:

1) You need to connect to the Internet and your hosts don't have globally unique IP addresses.
2) You change to a new ISP that requires you to renumber your network.
3) You need to merge two intranets with duplicate addresses.

Types of Network Address Translation

In this section, I'm going to go over the three types of NAT with you:

Static NAT: This type of NAT is designed to allow one-to-one mapping between local and global addresses. Keep in mind that the static version requires you to have one real Internet IP address for every host on your network.

Dynamic NAT: This version gives you the ability to map an unregistered IP address to a registered IP address from out of a pool of registered IP addresses. You don't have to statically configure your router to map each inside address to an individual outside address as you would using static NAT, but you do have to have enough real, bona-fide IP addresses for everyone who's going to be sending packets to and receiving them from the Internet at the same time.
Overloading: This is the most popular type of NAT configuration. Understand that overloading really is a form of dynamic NAT that maps multiple unregistered IP addresses to a single registered IP address (many-to-one) by using different source ports. Now, why is this so special? Well, because it's also known as Port Address Translation (PAT). And by using PAT (NAT Overload), you get to have thousands of users connect to the Internet using only one real global IP address; pretty slick, yeah? Seriously, NAT Overload is the real reason we haven't run out of valid IP addresses on the Internet.

NAT terms

Name             Meaning
Inside local     Name of inside source address before translation
Outside local    Name of destination host after translation
Inside global    Name of inside host after translation
Outside global   Name of outside destination host before translation

Understand the term NAT. This may come as news to you, because I didn't (okay, failed to) mention it earlier, but NAT has a few nicknames. In the industry, it's referred to as network masquerading, IP-masquerading, and for those who are besieged with OCD and compelled to spell everything out, Network Address Translation. Whatever you want to dub it, basically, they all refer to the process of rewriting the source/destination addresses of IP packets when they go through a router or firewall. Just focus on the process that's occurring and your understanding of it (i.e., the important part) and you're on it for sure!

Remember the three methods of NAT. The three methods are static, dynamic, and overloading; the latter is also called Port Address Translation (PAT).

Understand static NAT. This type of NAT is designed to allow one-to-one mapping between local and global addresses.

Understand dynamic NAT. This version gives you the ability to map a range of unregistered IP addresses to a registered IP address from out of a pool of registered IP addresses.

Understand overloading.
Overloading really is a form of dynamic NAT that maps multiple unregistered IP addresses to a single registered IP address (many-to-one) by using different ports. It's also known as Port Address Translation (PAT).

WIRELESS TECHNOLOGY

Wireless Access Points

In the vast majority of wired networks, you'll find a central component such as a switch that's there to connect hosts together and allow them to communicate with each other. It's the same thing with wireless networks; they also have a component that connects all wireless devices together, only that device is known as a wireless access point (AP) instead. Wireless access points have at least one antenna. Usually there's two for better reception (referred to as diversity) and an Ethernet port to connect them to a wired network.

Access point devices have the following characteristics:

1) APs function as a central junction point for the wireless stations much like a switch or hub does within a wired network. Due to the half-duplex nature of wireless networking, the hub comparison is more accurate, even though hubs are rarely found in the wired world anymore.
2) APs have at least one antenna, most likely two or more.
3) APs function as a bridge to the wired network, giving the wireless station access to the wired network and/or the Internet.
4) Small office/home office (SOHO) APs come in two flavors: the stand-alone AP and the wireless router. They can and usually do include functions like NAT and DHCP.

Wireless Network Interface Card (WNIC)

Every host you want to connect to a wireless network needs a wireless network interface card (WNIC) to do so. Basically, a wireless NIC does the same job as a traditional Ethernet NIC, only instead of having a socket/port to plug a cable into, the wireless NIC has a radio antenna. It would be difficult to buy a laptop today without a wireless card already built in.
IPv6

IPv6 is known as "the next-generation Internet protocol," and it was originally created as the answer to IPv4's inevitable, looming address exhaustion crisis. Given that an IP address is 32 bits in length, there are 2^32 actual IP addresses, which is 4.3 billion addresses. Not all of these are usable, however: only 3.7 billion of these are actually usable. Many addresses are reserved, such as the research (239-254), broadcast (255), multicast (224-239), private (10, 172.16, and 192.168), and loopback addresses (127). And, of course, many of the usable addresses are already assigned, leaving about 1.3 billion addresses for new growth. Unlike 32-bit IPv4 addresses, IPv6 uses a 128-bit address. This allows for 3.4 × 10^38 addresses, which is enough for many IP addresses for each person on Earth, and probably multiple planets.

Understand why we need IPv6. Without IPv6, the world would be depleted of IP addresses.

Understand link-local. Link-local is like an IPv4 private IP address, but it can't be routed at all, not even in your organization.

Understand unique local. This, like link-local, is like a private IP address in IPv4 and cannot be routed to the Internet. However, the difference between link-local and unique local is that unique local can be routed within your organization or company.

Remember IPv6 addressing. IPv6 addressing is not like IPv4 addressing. IPv6 addressing has much more address space and is 128 bits long, and represented in hexadecimal, unlike IPv4, which is only 32 bits long and represented in decimal.

IPv6 gives us lots of addresses (3.4 × 10^38 = definitely enough), but there are many other features built into this version that make it well worth the cost, time, and effort required to migrate to it.

Features of IPv6

Very large address space: IPv6's large address space deals with global growth, where route prefixes can be easily aggregated in routing updates. Support for multihoming to ISPs with a single address space is easily accomplished.
Autoconfiguration of addressing information, including the capability of including MAC addresses in the IP address, as well as plug-and-play options, simplifies address management. Renumbering and modification of addresses is easily accommodated, as well as public-to-private readdressing without involving address translation.

Security: IP security (IPsec) is built into IPv6, whereas it is an awkward add-on in IPv4. With IPv6, two devices can dynamically negotiate security parameters and build a secure tunnel between them with no user intervention.

Mobility: With the growth of mobile devices, such as PDAs and smart phones, devices can roam between wireless networks without breaking their connections.

Streamlined encapsulation: The IPv6 encapsulation is simpler than IPv4, providing faster forwarding rates by routers and better routing efficiency. No checksums are included, reducing processing on endpoints. No broadcasts are used, reducing utilization of devices within the same subnet. QoS information is built into the IPv6 header, where a flow label identifies the traffic; this alleviates intermediate network devices from having to examine contents inside the packet, the TCP/UDP headers, and payload information to classify the traffic for QoS correctly.

Transition capabilities: Various solutions exist to allow IPv4 and IPv6 to successfully coexist when migrating between the two. One method, dual stack, allows you to run both protocols simultaneously on an interface of a device. A second method, tunneling, allows you to tunnel IPv6 over IPv4 and vice versa to transmit an IP version of one type across a network using another type. Cisco supports a third method, referred to as Network Address Translation-Protocol Translation (NAT-PT), to translate between IPv4 and IPv6 (sometimes the term Proxy is used instead of Protocol).
IPv6 Address Format

Whereas IPv4 addresses use a dotted-decimal format, where each byte ranges from 0 to 255, IPv6 addresses use eight sets of four hexadecimal addresses (16 bits in each set), separated by a colon (:), like this: xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx (x would be a hexadecimal value). This notation is commonly called string notation. Recall from Chapter 3 that hexadecimal numbers range from 0 to F.

Here are some important items concerning IPv6 addresses:

- Hexadecimal values can be displayed in either lower- or upper-case for the numbers A-F.
- A leading zero in a set of numbers can be omitted; for example, you could either enter 0012 or 12 in one of the eight fields; both are correct.
- If you have successive fields of zeroes in an IPv6 address, you can represent them as two colons (::). For example, 0:0:0:0:0:0:0:5 could be represented as ::5; and ABC:567:0:0:8888:9999:1111:0 could be represented as ABC:567::8888:9999:1111:0. However, you can only do this once in the address: ABC::567::891::00 would be invalid since :: appears more than once in the address. The reason for this limitation is that if you had two or more repetitions, you wouldn't know how many sets of zeroes were being omitted from each part.
- An unspecified address is represented as ::, since it contains all zeroes.

DHCPv6

DHCPv6 is an update of the DHCP protocol in IPv4 and works similarly to the previous version with a few differences. Before the client can begin, it must first detect a router on the link via a neighbor discovery process. If the client detects a router, the client examines the router advertisement messages to determine whether DHCPv6 has been set up. If the router specifies that DHCPv6 is supported, or no router advertisement messages are seen, the client will begin to find a DHCPv6 server by generating a DHCP solicit message.
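The IPv6 shorthand rules from the Address Format section above, worked as code. This is an added example, not from the study guide; the field validation (one to four hex digits) and the choice to compress the longest run of zero fields, leftmost on a tie, are assumptions beyond the text.

```python
"""Expand and compress IPv6 string notation by the rules in the section above.

Added example, not code from the original study guide. Implements the two
shorthand rules (drop leading zeros in a field; replace one run of all-zero
fields with '::'), rejects addresses that use '::' more than once, and does
not rely on the ipaddress module so that the rules stay visible.
"""
import re

# Assumption: a field is one to four hexadecimal digits, either case.
HEX_FIELD = re.compile(r"^[0-9A-Fa-f]{1,4}$")


def expand(address: str) -> str:
    """Return the full eight-field form, e.g. '::5' -> '0000:...:0005'."""
    if address.count("::") > 1:
        raise ValueError(f"'::' may appear only once: {address}")
    if "::" in address:
        head, tail = address.split("::")
        left = head.split(":") if head else []
        right = tail.split(":") if tail else []
        missing = 8 - len(left) - len(right)
        if missing < 1:
            raise ValueError(f"'::' must stand for at least one field: {address}")
        fields = left + ["0"] * missing + right
    else:
        fields = address.split(":")
    if len(fields) != 8:
        raise ValueError(f"expected 8 fields, got {len(fields)}: {address}")
    for f in fields:
        if not HEX_FIELD.match(f):
            raise ValueError(f"bad hexadecimal field {f!r} in {address}")
    return ":".join(f"{int(f, 16):04x}" for f in fields)


def compress(address: str) -> str:
    """Shortest form: leading zeros dropped, longest run (>= 2) of zero fields as '::'."""
    fields = [f"{int(f, 16):x}" for f in expand(address).split(":")]
    best_start, best_len = -1, 0
    i = 0
    while i < 8:
        if fields[i] == "0":
            j = i
            while j < 8 and fields[j] == "0":
                j += 1
            if j - i > best_len:  # leftmost longest run wins on ties
                best_start, best_len = i, j - i
            i = j
        else:
            i += 1
    if best_len < 2:  # a lone zero field is written as 0, not ::
        return ":".join(fields)
    left = ":".join(fields[:best_start])
    right = ":".join(fields[best_start + best_len:])
    return f"{left}::{right}"


def is_valid(address: str) -> bool:
    """True when the address parses under the rules above."""
    try:
        expand(address)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for a in ("0:0:0:0:0:0:0:5", "ABC:567:0:0:8888:9999:1111:0", "::"):
        print(a, "->", compress(a))
    print("ABC::567::891::00 valid?", is_valid("ABC::567::891::00"))
```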
This message is sent to the ALL-DHCP-Agents multicast address, using the link-local scope to ensure the message isn't forwarded, by default, beyond the local link. An agent is either a DHCPv6 server or a relay, such as a router.

Supported Routing Protocols

IPv6 supports both static and dynamic routing protocols. IPv6 supports these routing protocols: static, RIPng, OSPFv3, IS-IS for IPv6, MP-BGP4, and EIGRP for IPv6. This book covers only RIPng; the other dynamic routing protocols are covered in Cisco's CCNP certification.

RIPng

Routing Information Protocol next generation (RIPng) is defined in RFC 2080. It is actually similar to RIP for IPv4, with these characteristics:

- It's a distance vector protocol.
- The hop-count limit is 15.
- Split horizon and poison reverse are used to prevent routing loops.
- It is based on RIPv2.

These are the enhancements in RIPng:

- An IPv6 packet is used to transport the routing update.
- The ALL-RIP routers multicast address (FF02::9) is used as the destination address in routing advertisements and is delivered to UDP port 521.
- Routing updates contain the IPv6 prefix of the router and the next-hop IPv6 address.

Enabling IPv6 and Assigning Addresses

To use IPv6 on your router, you must, at a minimum, enable the protocol and assign IPv6 addresses to your interfaces, like this:

    Router(config)# ipv6 unicast-routing
    Router(config)# interface type [slot_#/]port_#
    Router(config-if)# ipv6 address ipv6_address_prefix/prefix_length [eui-64]

The ipv6 unicast-routing command globally enables IPv6 and must be the first IPv6 command executed on the router. The ipv6 address command assigns the prefix, the length, and the use of EUI-64 to assign the interface ID. Optionally, you can omit the eui-64 parameter and configure the entire IPv6 address. You can use the show ipv6 interface command to verify an interface's configuration.
Here's an example configuration, with its verification:

    Router(config)# ipv6 unicast-routing
    Router(config)# interface fastethernet0/0
    Router(config-if)# ipv6 address 2001:1cc1:dddd:2::/64 eui-64
    Router(config-if)# end
    Router# show ipv6 interface fastethernet0/0

WAN

WAN Structure

A typical WAN structure includes the following components.

Component: Description

Consumer premises equipment (CPE): Devices physically located on the subscriber's premises. CPE includes the telephone wire, telephone, modem, and other equipment, both the devices the subscriber owns and the ones leased from the WAN provider. The wiring typically includes UTP cable with RJ-11 or RJ-45 connectors. CPE is sometimes used synonymously with DTE.

Data terminal equipment (DTE): A device on the network side of a WAN link that sends and receives data. The DTE resides on the subscriber's premises, and marks the point of entry between the LAN and the WAN. DTEs are usually routers, but computers and multiplexers can also act as DTEs. Broadly, DTEs are any equipment at the customer's site, and can include all computers. In a narrow sense, the DTE is the device that communicates with the DCE at the other end.

Local loop: Cable that extends from the demarc to the central telephone office. The demarc media is owned and maintained by the telephone company. Typically, it is UTP, but it can also be one or a combination of UTP, fiber optic, or other media. Fiber optic cable to the demarc is rare.

Demarcation point (demarc): The point where the telephone company's telephone wiring connects to the subscriber's wiring. The demarc can also be called the network interface or point of presence. Typically, the customer is responsible for all equipment on one side of the demarc. The phone company is responsible for all equipment on the other side of the demarc.

Central office (CO): The switching facility closest to the subscriber, and the nearest point of presence for the WAN provider.
It provides WAN-cloud entry and exit points for incoming and outgoing calls, and acts as a switching point to forward data to other central offices. A CO provides services such as switching incoming telephone signals to outgoing trunk lines. It also provides reliable DC power to the local loop to establish an electric circuit. COs use long-distance, or toll, carriers to provide connections to almost anywhere in the world. Long-distance carriers are usually owned and operated by companies such as AT&T or MCI.

Data circuit-terminating equipment (DCE): A device that communicates with both DTEs and the WAN cloud. DCEs are typically routers at the service provider that relay messages between the customer and the WAN cloud. In a strict sense, a DCE is any device that supplies clocking signals to DTEs. Thus, a modem or CSU/DSU at the customer site is often classified as a DCE. DCEs may be devices similar to DTEs (such as routers), except that each device plays a different role.

WAN cloud: The hierarchy of trunks, switches, and central offices that make up the network of telephone lines. It is represented as a cloud because the physical structure varies, and different networks with common connection points may overlap. Few people thoroughly understand where data goes as it is switched through the "cloud." What is important is that data goes in, travels through the line, and arrives at its destination.

Packet-switching exchange (PSE): A switch on a carrier's packet-switched network. PSEs are the intermediary points in the WAN cloud.

WAN Services Facts

Listed below are the most common WAN transmission media.

Line Type: Characteristics

Plain Old Telephone Service (POTS): POTS service has the following characteristics:
- Existing wires use only one twisted pair
- Analog signals are used through the local loop
- A modem is required to convert digital signals to analog
- The line has an effective limit of 56 Kbps

You can also use the same physical wires for digital signaling.
Multiple digital channels are sent over the same physical wires:
- T-1 (a.k.a. DS-1): 24 64-Kbps channels (used in the U.S.)
- T-3 (a.k.a. DS-3): 672 64-Kbps channels
- E-1: 31 64-Kbps channels (used in Europe)

Note: WAN services also use fiber optic, wireless, satellite, and other transmission media. However, the use of these media to the local loop is not common at this time.

If your organization needs WAN connectivity, you can choose from the following service options:

Service | Bandwidth (Max.) | Line Type | Signaling Method | Characteristics
Public Switched Telephone Network (PSTN) | 56 Kbps | POTS | Analog | Dialup over regular telephone lines
Leased lines | 56 Kbps | POTS | Analog | Dedicated line with consistent line quality
X.25 | 64 Kbps | POTS | Analog | Dedicated line; variable packet sizes (frames); ideal for low-quality lines
Frame Relay | 1.54 Mbps | POTS, T-1, T-3 | Digital | Variable packet sizes (frames)
Asynchronous Transfer Mode (ATM) | 1.2 Gbps | Coaxial, twisted pair, fiber-optic | Digital | Fixed-size cells (53-byte); high-quality, high-speed lines
Integrated Services Digital Network (ISDN) | 144 Kbps (BRI), 4 Mbps (PRI) | POTS, T-1 | Digital | Basic rate operates over regular telephone lines and is a dialup service; primary rate operates over T-carriers
DSL | 6.1 Mbps (1.544 or lower is more common) | POTS | Digital | Operates using digital signals over regular telephone lines; DSL comes in many different flavors (such as ADSL and HDSL)

There is no clear distinction between WAN services such as Frame Relay and ISDN. For example, you can use Frame Relay protocol over ISDN lines. Once a device connects to the WAN cloud, internal protocols can convert data traffic into the necessary formats, then convert the data again at the other end.

WAN Encapsulation Facts

WAN Physical layer protocols specify the hardware and bit signaling methods.
Data Link layer protocols control some or all of the following functions:
- Error checking and correction
- Link establishment
- Frame-field composition
- Point-to-point flow control

Data Link layer protocols also describe the encapsulation method or the frame format. WAN encapsulation methods are typically called HDLC (high-level data link control). This term is both a generic name for Data Link protocols and the name of a specific protocol within a WAN protocol suite or service. Depending on the WAN service and connection method, you will select one of the following encapsulation methods.

- Cisco HDLC for synchronous, point-to-point connections with other Cisco routers (Cisco HDLC does not communicate with other vendors' implementations of HDLC). This is the default encapsulation method for synchronous serial links on Cisco routers.
- LAPB for X.25 networks.
- LAPD in combination with another protocol for the B channels in ISDN networks. LAPD is a Layer 2 ISDN protocol that manages flow and signaling.
- PPP for dial-up LAN access, circuit-switched WAN networks, and ISDN networks. PPP is non-proprietary, so it works in implementations that use products from multiple vendors.
- Cisco/IETF for Frame Relay networks.

Note: Routers on each side of a WAN link must use the same encapsulation method to be able to communicate.

PPP Facts

The following list represents some of the key features of the Point-to-Point Protocol (PPP):

- It can be used on a wide variety of physical interfaces including asynchronous serial, synchronous serial (dial up), and ISDN.
- It supports multiple Network layer protocols, including IP, IPX, AppleTalk, and numerous others.
- Optional authentication is provided through PAP (2-way authentication) or CHAP (3-way authentication).
- It supports multilink connections, load-balancing traffic over multiple physical links.
- It includes Link Quality Monitoring (LQM) which can detect link errors and automatically terminate links with excessive errors.
- It includes looped link detection that can identify when messages sent from a router are looped back to that router. This is done through routers sending magic numbers in communications. If a router receives a packet with its own magic number, the link is looped.

PPP uses two main protocols to establish and maintain the link.

Protocol: Description

Link Control Protocol (LCP): The Link Control Protocol (LCP) is responsible for establishing, maintaining, and tearing down the PPP link. LCP packets are exchanged periodically to do the following:
- During link establishment, LCPs are used to agree upon encapsulation, packet size, and compression settings. LCPs also indicate whether authentication should be used.
- Throughout the session, LCPs are exchanged to detect and correct errors or to control the use of multiple links (multilink).
- When the session is terminated, LCPs are responsible for tearing down the link.
A single Link Control Protocol runs for each physical connection.

Network Control Protocol (NCP): The Network Control Protocol (NCP) is used to agree upon and configure Network layer protocols to use (such as IP, IPX, or AppleTalk). Each Network layer protocol has a corresponding control protocol packet. Examples of control protocols include:
- IP Control Protocol (IPCP)
- CDP Control Protocol (CDPCP)
- IPX Control Protocol (IPXCP)
- AppleTalk Control Protocol (ATCP)
A single PPP link can run multiple control protocols, one for each Network-layer protocol supported on the link.

PPP establishes communication in three phases.

1. LCP phase. LCPs are exchanged to open the link and agree upon link settings such as encapsulation, packet size, and whether authentication will be used.
2. Authenticate phase (optional). During this phase, authentication-specific packets are exchanged to configure authentication parameters and authenticate the devices. LCPs might also be exchanged during this phase to maintain the link.
3. NCP phase.
NCPs are exchanged to agree on upper-layer protocols to use. For example, routers might exchange IPCP and CDPCP packets to agree upon using IP and CDP for Network-layer communications. During this phase, LCPs might continue to be exchanged.

PPP Command List

PPP configuration is often done in connection with configuring other services. To configure PPP on the router, you complete the following tasks:

1. Set PPP encapsulation on the interface. You must set the encapsulation method to PPP before you can configure authentication or compression.
2. Select CHAP and/or PAP as the authentication method (optional).
3. If authentication is used, configure username/password combinations.

PPP options are configured in interface mode for a specific interface.

Use ...                                                  To ...
Router(config-if)#encapsulation ppp                      Set the encapsulation type to PPP
Router(config-if)#ppp authentication [chap|pap]          Set the authentication method(s). When multiple methods
Router(config-if)#ppp authentication chap pap            are specified, the first method will be tried first
Router(config-if)#ppp compression                        Set compression options
Router(config-if)#ppp chap|pap password [password]       Set the password used with CHAP or PAP for an unknown host
Router(config)#username [hostname] password [password]   Set the username and password for the local router
Router(config)#bandwidth [value]                         Set a bandwidth value for an interface
Router#show interface                                    View encapsulation and PPP information on an interface

To hide the CHAP password from view in the configuration file, use the service password-encryption command from the global configuration mode.

Example

The following commands configure the SFO router to use PPP and enable it to connect to the LAX router using PAP authentication. (The username command is used here, matching the command list above; the source printed it as hostname.)

    SFO(config)#username LAX password cisco5
    SFO(config)#int s0
    SFO(config-if)#encap ppp
    SFO(config-if)#ppp auth pap

ISDN Facts

Integrated Services Digital Network (ISDN) is a set of standards covering the Physical, Data Link, and Network layers.
It allows fast, digital transmission of both voice and data (including graphics, video, and so on) over existing telephone lines. It supports the majority of upper-level protocols and encapsulation protocols. ISDN uses T-carrier technology to quickly and efficiently send digital data streams. The physical cable of an ISDN connection is divided into logical channels. Channels are classified as one of two types:

- B channels are used to carry data.
- D channels are used to carry control and signaling information.

When you order ISDN service, you have the choice between the following services.

Service | B channels | D channel | Characteristics
Basic Rate ISDN (BRI) | Two 64 Kbps | One 16 Kbps | Uses existing phone lines (but may not be available where existing copper wires don't support it); the connection is "demand-dial" (established only when data needs to be sent)
Primary Rate ISDN (PRI) | Twenty-three 64 Kbps | One 64 Kbps | Uses an entire T-1 line; sometimes called 23B+D; the connection is "always on"

Note: The total bandwidth of an ISDN BRI line is 144 Kbps (two B channels and one D channel). The total data transfer rate is 128 Kbps (data is sent only on the two B channels).

ISDN BRI is a relatively low-cost WAN service that is ideal for the following situations:
- Home office or telecommuters who need a relatively fast connection
- Businesses that need to periodically send data between sites (bursty traffic patterns)

ISDN BRI offers the following benefits over dial-up modems and other WAN connection options.
- Faster data transfer rates (128 Kbps) than dial-up modems (56 Kbps maximum)
- Faster call establishment (dial-up) than modems
- Lower cost than other WAN solutions (users pay a monthly fee plus connection charges)

ISDN Protocol Standards

ISDN standards are grouped according to function. The protocol groupings and descriptions follow a lettering standard.
Protocol Designation   Standard
E                      Standards for ISDN on the existing phone network, such as international addressing
I                      Standards for ISDN concepts, terminology, and services, such as network services
Q                      Standards for switching and signaling, such as call setup, flow control, and error correction

In practice, you will probably not need to know these standards, but you will need to memorize them for the certification exam. Use the following to help remember the classifications.
- E for Existing networks
- I for Identifying concepts
- Q for Quality switching signals

ISDN Addressing

ISDN is a Network layer protocol that operates over a specific hardware interface configuration. For this reason, ISDN has its own Network and Data Link layer addressing. ISDN uses the following addresses:

Address: Characteristics

Terminal Endpoint Identifier (TEI): Data Link layer address (similar to an Ethernet MAC address). TEIs are dynamically assigned to the router by the ISDN switch when the connection is made. Each ISDN device is assigned one TEI.

Service Protocol Identifier (SPID): Network layer address (similar to a telephone number that allows each channel to make and receive calls). Depending on the specific ISDN implementation, each device can have one or more SPIDs. The following are common SPID assignments:
- One SPID is assigned to the entire device
- Each B channel has its own SPID
- Each B channel can have more than one assigned SPID
The WAN service provider assigns the SPIDs for you to configure on the router.

Your ISDN router will be connected to an ISDN switch at the WAN service provider. Your router must be configured to communicate with the switch type used by your WAN service provider. Cisco routers support over 10 switch types. In North America, the most common types are:
- AT&T 5ESS
- Northern DMS-100
- National ISDN-1

ISDN Communication Facts

The following process is used to initialize an ISDN router.

1. The router uses the D channel to perform Data Link (layer 2) initialization.
TEIs are dynamically assigned to identify the router.
2. The router uses the D channel to perform Network (layer 3) initialization. It uses its preconfigured SPIDs (if required) to set up the B channels.

When a router needs to communicate with another ISDN device, the following process is used.

1. The sending device requests a connection through the D channel.
2. The receiving device answers and the link is established.
3. The B channel is used to transmit data. The D channel is used for session maintenance.
4. After the transmission is over, the D channel is used to tear down the link.

Link Access Protocol for the D-Channel (LAPD) is the Data Link encapsulation protocol used on an ISDN network. As its name implies, it operates on the D channel of an ISDN connection and is used for:
- Initializing Layer 2 and Layer 3 communications.
- Assigning TEIs.
- Maintaining the session.
- Terminating the link.