
EIGRP Facts

Enhanced IGRP is a Cisco-proprietary balanced hybrid routing protocol that combines the best features of distance vector and link state routing. EIGRP:
- Sends the subnet mask in the routing update. It supports route summarization and VLSM.
- Supports automatic classful route summarization at major network boundaries (this is the default in EIGRP). Unlike IGRP and RIP, manual route summarization can also be configured on arbitrary network boundaries to reduce the routing table size.
- Is not susceptible to routing loops. Instead, EIGRP uses built-in loop avoidance techniques. Mechanisms such as holddown timers, split horizon, or poison reverse are not needed.
- Is scalable and does not have the 16 hop limitation of RIP.
- Uses hello packets to discover neighbor routers.
- Exchanges the full routing table at startup, and then partial routing updates thereafter.
- Uses bandwidth and delay for the route metric (similar to IGRP).
- Maintains partial network topology information in addition to routes.
- Keeps multiple paths to a single network.
- Minimizes network bandwidth usage for routing updates. During normal operation EIGRP transmits only hello packets across the network. EIGRP does not send periodic routing updates like RIP and IGRP. When a change occurs, only routing table changes are propagated in EIGRP, not the entire table.
- Requires less processing and memory than link state protocols.
- Converges more quickly than distance vector protocols. In some cases, convergence can be almost instantaneous because an EIGRP router stores backup routes for destinations. If no appropriate route or backup exists in the routing table, EIGRP will query neighbor routers to discover an alternate route. In this manner, EIGRP can quickly adapt to alternate routes when changes occur.
- Uses the DUAL link-state algorithm for calculating routes.
- Supports multiple protocols. EIGRP can exchange routes for IP, AppleTalk and IPX/SPX networks.
EIGRP Command List
You configure EIGRP just the same as you would configure IGRP. The following table lists the applicable commands.

Command: Router(config)#router eigrp number
Function: Defines an EIGRP process. The number must match between routers for information to be shared.

Command: Router(config-router)#network n.n.n.n
Function: Identifies a network that participates in the routing process.

Example
The following commands enable EIGRP on a router and define three networks that participate in the routing process.
Router(config)#router eigrp 2
Router(config-router)#network 192.168.1.0
Router(config-router)#network 192.168.2.0
Router(config-router)#network 192.168.3.0

Use the following commands to manage and monitor EIGRP.

Command: show ip route
Function: View EIGRP-learned routes.

Command: show eigrp neighbors
Function: View neighboring routers from which EIGRP routes can be learned. Lists the IP address of the connected router.

Command: show eigrp interfaces
Function: View the interfaces that are running EIGRP and the number of connected routers.
OSPF Facts
The Open Shortest Path First (OSPF) routing protocol is a robust link state routing protocol well-suited for large networks. You should remember the following characteristics of link state protocols that apply to OSPF:
- Is a public (non-proprietary) routing protocol.
- Is considered a classless routing protocol because it does not assume the default subnet masks are used. It sends the subnet mask in the routing update and supports route summarization and VLSM.
- Is not susceptible to routing loops. Instead, OSPF uses built-in loop avoidance techniques. Mechanisms such as holddown timers, split horizon, or poison reverse are not needed.
- Is scalable and does not have the 16 hop limitation of RIP.
- Uses hello packets to discover neighbor routers.
- Shares routing information through Link State Advertisements (LSAs). LSAs contain small bits of information about routes. (Unadvertised links save on IP space, but they cannot be pinged because they won't appear in an OSPF routing table.)
- Under normal conditions, OSPF only sends out updated information rather than exchanging the entire routing table.
- Converges faster than a distance vector protocol.
- Can require additional processing power (and therefore increased system requirements). Good design can minimize this impact.
- Maintains a logical topographical map of the network in addition to maintaining routes to various networks.
- Uses areas to subdivide large networks. Routers within an area share information about the area. Routers on the edge of areas (called Area Border Routers (ABR)) share summarized information between areas.
  o The backbone is a specialized area connected to all other areas. It contains networks not held within another area, and distributes routing information between areas. You can think of the backbone as the "master" or "root" area. Its address is always 0.0.0.0. All OSPF networks must have a backbone area.
  o A stub area is an area with a single path in to and out of the area.
- Uses link costs as a metric for determining best routes. The Shortest Path First (SPF) algorithm (also called the Dijkstra SPF algorithm) is used to identify and select the optimal route.
As part of the OSPF process, each router is assigned a router ID (RID). The router ID is:
- The highest IP address assigned to a loopback (logical) interface.
- If a loopback interface is not defined, the highest IP address of the router's physical interfaces.
Because the loopback interface takes precedence over the physical interfaces in determining the router ID, you can force a specific router ID by defining a loopback interface and assigning it an IP address.
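The router ID rule above, as an added Python example (not code from the original notes): the highest loopback address wins, and only when no loopback exists does the highest physical address count. The interface tables, names and the helper functions are this example's own constructed assumptions; the point it adds is that "highest" is a numeric comparison of the 32-bit address, not a text sort.

```python
"""Added example (not from the original notes): pick an OSPF router ID.
Rule from the notes: highest loopback address; if there is no loopback,
the highest address on a physical interface. Interface tables below are
constructed for the demonstration."""
from ipaddress import IPv4Address

# Constructed sample routers: interface name -> configured IPv4 address
SAMPLE_WITH_LOOPBACK = {
    "FastEthernet0/0": "192.168.10.1",
    "Serial0/0": "10.200.0.1",
    "Loopback0": "1.1.1.1",
}
SAMPLE_PHYSICAL_ONLY = {
    "FastEthernet0/0": "192.168.10.1",
    "FastEthernet0/1": "192.168.9.254",
    "Serial0/0": "10.200.0.1",
}


def _is_loopback(name):
    """Loopback interfaces are named Loopback<n> on IOS; compare case-insensitively."""
    return name.lower().startswith("loopback")


def select_router_id(interfaces):
    """Return the router ID as a dotted string.

    Addresses are converted with IPv4Address so that max() compares the
    numeric value: as plain strings "9.0.0.1" would sort above "10.0.0.1"
    even though it is the lower address.
    """
    loopbacks = [IPv4Address(a) for n, a in interfaces.items() if _is_loopback(n)]
    physical = [IPv4Address(a) for n, a in interfaces.items() if not _is_loopback(n)]
    if loopbacks:
        return str(max(loopbacks))
    if physical:
        return str(max(physical))
    raise ValueError("no addressed interfaces; OSPF cannot choose a router ID")


def router_id_source(interfaces):
    """Report which rule applied; handy when comparing with 'show ip ospf' output."""
    return "loopback" if any(_is_loopback(n) for n in interfaces) else "physical"


if __name__ == "__main__":
    for label, table in (("with loopback", SAMPLE_WITH_LOOPBACK),
                         ("physical only", SAMPLE_PHYSICAL_ONLY)):
        print(f"{label}: router ID {select_router_id(table)} "
              f"(from {router_id_source(table)} interface)")
```

Because the loopback wins regardless of its numeric value, adding `Loopback0` with a deliberately chosen address is the predictable way to pin the router ID, exactly as the notes suggest.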
OSPF Command List
OSPF is fairly simple, with only a few variations from the RIP and IGRP configuration steps you have previously used. Configuration is as simple as defining the OSPF process using the router ospf command, and then identifying the networks that will participate in OSPF routing. The following table lists the commands and details for configuring OSPF.

Command: Router(config)#router ospf process-id
Purpose: Use to enter configuration mode for OSPF. The process ID identifies a separate routing process on the router. Note: Although similar, the process ID number is not the same thing as the AS number used in IGRP/EIGRP routing. Process IDs do not need to match between routers (in other words, two routers configured with different process IDs might still share OSPF information).

Command: Router(config-router)#network n.n.n.n m.m.m.m area number
Purpose: Identifies networks that participate in OSPF routing.
  n.n.n.n is the network address. This can be a subnetted, classless network.
  m.m.m.m is a wildcard mask (not the normal subnet mask). The wildcard mask identifies the subnet address.
  number is the area number in the OSPF topology. The area number must match between routers.
Example
The following graphic shows a sample network with two OSPF areas. Use the following commands to configure OSPF on each router:

Router: SFO
  router ospf 1
  network 10.1.0.0 0.0.15.255 area 0
  network 10.1.16.0 0.0.15.255 area 1
  network 10.1.32.0 0.0.15.255 area 1

Router: LA
  router ospf 2
  network 10.1.16.1 0.0.0.0 area 1
  network 10.2.0.1 0.0.0.0 area 1

Router: PHX
  router ospf 1
  network 10.1.32.0 0.0.15.255 area 1
  network 10.3.0.0 0.0.255.255 area 1

Notice the following in the configuration:
- The process ID on each router does not match. OSPF uses areas to identify sharing of routes, not the process ID.
- You can use the subnet address with the appropriate wildcard mask (as in 10.1.16.0 0.0.15.255), or you can use the IP address of the router interface with a mask of 0.0.0.0.
- The network command identifies the subnet, wildcard mask, and the OSPF area of the subnet. A subnet can only be in one area.

Managing OSPF
The following table lists some commands that are useful in monitoring and troubleshooting OSPF.

Command: show ip route
Function: View the routing table and OSPF entries.

Command: show ip ospf neighbor
Function: View neighbor OSPF routers. Shows the neighbor router ID numbers.

Command: show ip ospf interface
Function: View interfaces that are running OSPF. Includes information such as:
  - Area number
  - Process ID
  - Router ID
  - Timer settings
  - Adjacent routers
Spanning Tree Facts
To provide for fault tolerance, many networks implement redundant paths between devices using multiple switches. However, providing redundant paths between segments causes packets to be passed between the redundant paths endlessly. This condition is known as a bridging loop.
To prevent bridging loops, the IEEE 802.1d committee defined a standard called the spanning tree algorithm (STA), or spanning tree protocol (STP). With this protocol, one bridge (or switch) for each route is assigned as the designated bridge. Only the designated bridge can forward packets. Redundant bridges (and switches) are assigned as backups.
The spanning tree algorithm provides the following benefits:
- Eliminates bridging loops
- Provides redundant paths between devices
- Enables dynamic role configuration
- Recovers automatically from a topology change or device failure
- Identifies the optimal path between any two network devices
The spanning tree algorithm automatically discovers the network topology, and creates a single, optimum path through a network by assigning one of the following roles to each bridge or switch. The bridge role determines how the device functions in relation to other devices, and whether the device forwards traffic to other segments.

Role: Root Bridge
  The root bridge is the master or controlling bridge. The root bridge periodically broadcasts configuration messages. These messages are used to select routes and reconfigure the roles of other bridges if necessary. There is only one root bridge per network. It should be assigned by the network administrator. When selecting the root bridge, select the bridge that is closest to the physical center of the network.

Role: Designated Bridge
  A designated bridge is any other device that participates in forwarding packets through the network. They are selected automatically by exchanging bridge configuration packets. To prevent bridging loops, there is only one designated bridge per segment.

Role: Backup Bridge
  All redundant devices are classified as backup bridges. Backup bridges listen to network traffic and build the bridge database. However, they will not forward packets. A backup bridge can take over if the root bridge or a designated bridge fails.

Devices send special packets called Bridge Protocol Data Units (BPDUs) out each port. BPDUs sent and received from other bridges are used to determine the bridge roles, verify that neighbor devices are still functioning, and recover from network topology changes. Devices participating in the spanning tree algorithm use the following process to configure themselves:
1. At startup, switches send BPDUs (Bridge Protocol Data Units) out each port.
2. Switches use information in the BPDUs to elect a root bridge.
3. Switches on redundant paths are configured as either designated (active) or backup (inactive) switches.
4. After configuration, switches periodically send BPDUs to ensure connectivity and discover topology changes.
As the switch participates in the configuration process, and while it operates, each of its ports is placed into one of five states. The port state determines whether the port receives and forwards normal network messages.

Port State: Disabled
  A device in the disabled state is powered on but does not participate in listening to network messages or forwarding them. A bridge must be manually placed in the disabled state.

Port State: Blocking
  When a device is first powered on, it is in the blocking state. In addition, backup bridges are always in a blocking state. The bridge receives packets and BPDUs sent to all bridges, but will not process any other packets.

Port State: Listening
  The listening state is a transitional state between blocking and learning. The port remains in the listening state for a specific period of time. This time period allows network traffic to settle down after a change has occurred. For example, if a bridge goes down, all other bridges go to the listening state for a period of time. During this time the bridges redefine their roles.

Port State: Learning
  A port in the learning state is receiving packets and building the bridge database (associating MAC addresses with ports). A timer is also associated with this state. The port goes to the forwarding state after the timer expires.

Port State: Forwarding
  The root bridge and designated bridges are in the forwarding state when they can receive and forward packets. A port in the forwarding state can both learn and forward.

Note: When you use spanning tree on a switch with multiple VLANs, each VLAN runs a separate instance of the spanning tree protocol.
Spanning Tree Command List
You can configure multiple paths with switches to provide fault-tolerance. As you know, having multiple paths means that the network is susceptible to data transmission (bridging) loops. Like bridges, switches can run the spanning tree algorithm to prevent such loops from forming.
By default, the spanning tree protocol is enabled on all Cisco switches. Switch port configuration is automatic when the switch is connected to the network and powered on. Use the following commands to customize the spanning tree protocol.

Command: Switch(config)#no spanning-tree vlan number
Function: Disables spanning tree on the selected VLAN.

Command: Switch(config)#spanning-tree vlan number root primary
Function: Forces the switch to be the root of the spanning tree.

Command: Switch#show spanning-tree
Function: Shows spanning tree configuration information. To determine if the VLAN is functioning properly, verify that the first line of the output is:
  VLAN1 is executing the IEEE compatible spanning tree protocol.

Example
The following commands disable spanning tree for VLAN 12 and force the switch to be the root of the spanning tree for VLAN 1.
Switch(config)#no spanning-tree vlan 12
Switch(config)#spanning-tree vlan 1 root primary
EtherChannel Facts
EtherChannel combines multiple switch ports into a single, logical link between two switches. With EtherChannel:
- You can combine 2-8 ports into a single link.
- All links in the channel group are used for communication between the switches.
- Use EtherChannel to increase the bandwidth between switches.
- Use EtherChannel to establish automatic-redundant paths between switches. If one link fails, communication will still occur over the other links in the group.
- Use EtherChannel to reduce spanning tree convergence times.
Use the channel-group command for a port to enable EtherChannel as follows:
Switch(config)#interface fast 0/12
Switch(config-if)#channel-group 1 mode on
Each channel group has its own number. All ports assigned to the same channel group will be viewed as a single logical link.
Note: If you do not use the channel-group command, the spanning tree algorithm will identify each link as a redundant path to the other bridge and will put one of the ports in blocking state.
Port Security Facts
The basic function of a switch is to pass packets from one host to another. Under normal operations, the switch learns the MAC address of the device(s) connected to each of its ports. When a device is connected to the switch port, the MAC address of the frame from the connected device is placed in a forwarding table. Under normal circumstances, there are no restrictions on the devices that can be attached to a switch port.
With switch port security, you configure the switch to allow only specific devices to use a given port. You identify the MAC address of allowed devices. Any devices not explicitly identified will not be allowed to send frames through the switch. To configure port security, take the following general actions on the port:
- Explicitly configure the port as an access port (a port with attached hosts, not with an attached switch).
- Enable switch port security.
- Identify the MAC addresses that can use the switch.
The following table lists the switch port configuration commands:

Command: switch(config-if)#switchport mode access
Function: Identifies the port as an access port.

Command: switch(config-if)#switchport port-security
Function: Enables port security.

Command: switch(config-if)#switchport port-security mac-address h.h.h
Function: Identifies the allowed MAC address (h.h.h is a hexadecimal number).

Command: switch(config-if)#switchport port-security maximum number
Function: Configures the maximum number of MAC addresses that can be allowed for a port. The default allows only a single MAC address per port. Use this command to increase the number allowed.

Command: switch(config-if)#switchport port-security mac-address sticky
Function: Configures the switch to dynamically identify the allowed MAC address. The address in the first frame received by the switch port is the allowed MAC address for the port. Note: The Catalyst switch can sticky learn a maximum of 132 MAC addresses.

Command: switch(config-if)#switchport port-security violation action
Function: Identifies the action the switch will take when an unauthorized device attempts to use the port. Action keywords are:
  - protect drops the frames from the unauthorized device
  - restrict does the same as protect and also generates an SNMP trap
  - shutdown disables the port

Command: switch#show port-security interface interface-type number
Function: Shows port security information for the specified port.

Examples
The following commands configure switch port security to allow only host 5ab9.0012.02af to use Fast Ethernet port 0/12:
switch(config)#interface fast 0/12
switch(config-if)#switchport mode access
switch(config-if)#switchport port-security
switch(config-if)#switchport port-security mac-address 5ab9.0012.02af
The following commands configure Fast Ethernet port 0/15 to accept the first MAC address it receives as the allowed MAC address for the port:
switch(config)#interface fast 0/15
switch(config-if)#switchport mode access
switch(config-if)#switchport port-security
switch(config-if)#switchport port-security mac-address sticky
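As an added example (Python, not code from the notes or from Cisco), here is a small model of the port-security rules described above: a static allowed MAC, the maximum count, sticky learning, and what each violation action (protect, restrict, shutdown) does to the next frames. It replays the two configurations from the examples against a constructed frame sequence. The class and function names, the intruder MAC 0000.0c12.3456 and the frame order are this example's own assumptions; the port 0/12 host MAC 5ab9.0012.02af comes from the notes. The model simplifies one thing: it only learns addresses on a sticky port.

```python
"""Added example, not from the original notes: a model of switch port security.
The static MAC and ports are the ones in the notes; the intruder MAC and the
frame sequence are constructed for the demonstration."""
from dataclasses import dataclass, field


def normalize_mac(mac):
    """Accept Cisco h.h.h form (5ab9.0012.02af) or colon/dash form; return 12 lowercase hex digits."""
    digits = mac.replace(".", "").replace(":", "").replace("-", "").lower()
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


@dataclass
class SecuredPort:
    name: str
    maximum: int = 1                 # notes: default allows a single MAC per port
    sticky: bool = False             # learn the first MAC(s) seen, up to maximum
    violation: str = "shutdown"      # protect | restrict | shutdown (IOS default is shutdown)
    allowed: set = field(default_factory=set)
    err_disabled: bool = False
    violations: int = 0
    traps: list = field(default_factory=list)

    def allow(self, mac):
        """Static 'switchport port-security mac-address h.h.h'."""
        self.allowed.add(normalize_mac(mac))

    def receive(self, src_mac):
        """Apply the port-security decision to one frame and report what the switch did."""
        mac = normalize_mac(src_mac)
        if self.err_disabled:                        # a shut-down port passes nothing
            return "dropped (port err-disabled)"
        if mac in self.allowed:
            return "forwarded"
        if self.sticky and len(self.allowed) < self.maximum:
            self.allowed.add(mac)                    # sticky-learned: now part of the allowed set
            return "forwarded (sticky-learned)"
        # Unknown source MAC and no room to learn it: a violation. Action decides what happens.
        self.violations += 1
        if self.violation == "protect":
            return "dropped"
        if self.violation == "restrict":
            self.traps.append(f"{self.name}: port-security violation from {src_mac}")
            return "dropped (SNMP trap sent)"
        self.err_disabled = True
        return "shutdown"


def demo():
    """Replay the two configurations from the notes against constructed frames."""
    fa12 = SecuredPort("Fa0/12", violation="restrict")   # static MAC, trap on violation
    fa12.allow("5ab9.0012.02af")
    fa15 = SecuredPort("Fa0/15", sticky=True)            # sticky, default maximum 1, shutdown
    frames = ["5ab9.0012.02af", "0000.0c12.3456", "5ab9.0012.02af"]   # constructed sources
    return {
        "Fa0/12": [fa12.receive(m) for m in frames],
        "Fa0/15": [fa15.receive(m) for m in frames],
        "Fa0/12 traps": len(fa12.traps),
    }


if __name__ == "__main__":
    for port, result in demo().items():
        print(port, result)
```

The replay shows the operational difference between the actions: with restrict, the legitimate host on Fa0/12 keeps working after the intruder frame and the trap gives the operator something to alert on; with the default shutdown action, the sticky port Fa0/15 goes err-disabled after one unknown frame and even the learned host is then cut off until the port is re-enabled.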
Inter-VLAN Routing
In a typical configuration with multiple VLANs and a single or multiple switches, workstations in one VLAN will not be able to communicate with workstations in other VLANs. To enable inter-VLAN communication, you will need to use a router (or a Layer 3 switch) as shown in the following graphic.
Be aware of the following conditions with inter-VLAN routing:
- The top example uses two physical interfaces on the router.
- The bottom example uses a single physical interface on the router. In this configuration, the physical interface is divided into two logical interfaces called subinterfaces. This configuration is also called a router on a stick.
- In each case, the router interfaces are connected to switch trunk ports. The router interfaces or subinterfaces must be running a trunking protocol (either ISL or 802.1Q).
- Each interface or subinterface requires an IP address.
VLAN Facts
A virtual LAN (VLAN) can be defined as:
- Broadcast domains defined by switch port rather than network address
- A grouping of devices based on service need, protocol, or other criteria rather than physical proximity
Using VLANs lets you assign devices on different switch ports to different logical (or virtual) LANs. Although each switch can be connected to multiple VLANs, each switch port can be assigned to only one VLAN at a time. The following graphic shows a single-switch VLAN configuration.
Be aware of the following facts about VLANs:
- In the graphic above, FastEthernet ports 0/1 and 0/2 are members of VLAN 1. FastEthernet ports 0/3 and 0/4 are members of VLAN 2.
- In the graphic above, workstations in VLAN 1 will not be able to communicate with workstations in VLAN 2, even though they are connected to the same physical switch.
- Defining VLANs creates additional broadcast domains. The above example has two broadcast domains, each of which corresponds to one of the VLANs.
- By default, switches come configured with several default VLANs:
  o VLAN 1
  o VLAN 1002
  o VLAN 1003
  o VLAN 1004
  o VLAN 1005
- By default, all ports are members of VLAN 1.
Creating VLANs with switches offers the following administrative benefits.
- You can create virtual LANs based on criteria other than physical location (such as workgroup, protocol, or service)
- You can simplify device moves (devices are moved to new VLANs by modifying the port assignment)
- You can control broadcast traffic and create collision domains based on logical criteria
- You can control security (isolate traffic within a VLAN)
- You can load-balance network traffic (divide traffic logically rather than physically)
Creating VLANs with switches offers the following benefits over using routers to create distinct networks.
- Switches are easier to administer than routers
- Switches are less expensive than routers
- Switches offer higher performance (introduce less latency)
A disadvantage of using switches to create VLANs is that you might be tied to a specific vendor. Details of how VLANs are created and identified can vary from vendor to vendor. Creating a VLAN might mean you must use only that vendor's switches throughout the network. When using multiple vendors in a switched network, be sure each switch supports the 802.1q standards if you want to implement VLANs.
Despite advances in switch technology, routers are still needed to:
- Filter WAN traffic
- Route traffic between separate networks
- Route packets between VLANs
Frame Tagging Facts
Although you can create VLANs with only one switch, most networks involve connecting multiple switches. The area between switches is called the switch fabric. As a frame moves from switch to switch within the switch fabric, each switch must be able to identify the destination virtual LAN.
One way to identify the VLAN is for the switch to use a filtering table that maps VLANs to MAC addresses. However, this solution does not scale well. For large networks, switches append a VLAN ID to each frame. This process, called frame tagging or frame coloring, identifies the VLAN of the destination device.
Remember the following facts regarding switch frame tagging (or coloring).
- VLAN IDs identify the VLAN of the destination device.
- Tags are appended by the first switch in the path, and removed by the last.
- Only VLAN-capable devices understand the frame tag.
- Tags must be removed before a frame is forwarded to a non-VLAN-capable device.
- Tag formats and specifications can vary from vendor to vendor. When designing VLANs, you might need to stick with one switch vendor. Cisco's proprietary protocol is called the Inter-Switch Link (ISL) protocol. Use 802.1q-capable switches to ensure a consistent tagging protocol.
VLAN Command List
To configure a simple VLAN, first create the VLAN, and then assign ports to that VLAN. The following table shows common VLAN configuration commands.

Task: Define a VLAN (You can create VLANs in either vlan database mode or by using the vlan command in global configuration mode.)
Command(s):
  switch#vlan database*
  switch(vlan)#vlan 2 name name**
  switch(vlan)#exit OR apply
  or
  switch(config)#vlan 2
  switch(config-vlan)#name name**

Task: Assign ports to the VLAN
Command(s): switch(config-if)#switchport access vlan number***

Task: Show a list of VLANs on the system
Command(s): switch#show vlan

Task: Show information for a specific VLAN
Command(s): switch#show vlan id number

*Notice that the vlan database command is issued in privileged EXEC mode.
**Giving the VLAN a name is optional.
***If you have not yet defined the VLAN, it will be created automatically when you assign the port to the VLAN.

Example
The following commands create VLAN 12 named IS_VLAN, identify port 0/12 as having only workstations attached to it, and assign the port to VLAN 12.
switch#config t
switch(config)#vlan 12
switch(config-vlan)#name IS_VLAN
switch(config-vlan)#interface fast 0/12
switch(config-if)#switchport access vlan 12
SECURITY
Access List Facts
Routers use access lists to control incoming or outgoing traffic. You should know the following characteristics of an access list.
- Access lists describe the traffic type that will be controlled.
- Access list entries describe the traffic characteristics.
- Access list entries identify either permitted or denied traffic.
- Access list entries can describe a specific traffic type, or allow or restrict all traffic.
- When created, an access list contains an implicit "deny all" entry at the end of the access list.
- Each access list applies only to a specific protocol.
- Each router interface can have up to two access lists for each protocol, one for incoming traffic and one for outgoing traffic.
- When an access list is applied to an interface, it identifies whether the list restricts incoming or outgoing traffic.
- Access lists exist globally on the router, but filter traffic only for the interfaces to which they have been applied.
- Each access list can be applied to more than one interface. However, each interface can only have one incoming and one outgoing list.
- Access lists can be used to log traffic that matches the list statements.
When you create an access list, it automatically contains a "deny any" statement, although this statement does not appear in the list itself. For a list to allow any traffic, it must have at least one permit statement, either permitting a specific traffic type or permitting all traffic not specifically restricted.
There are two general types of access lists: standard (also called basic) and extended.

Use a standard list to filter on...
- Source hostname or host IP address

Use an extended list to filter on...
- Source IP protocol (i.e. IP, TCP, UDP, etc.)
- Source hostname or host IP address
- Source or destination socket number
- Destination hostname or host IP address
- Precedence or TOS values
IP Access List Command List
Configuring access lists involves two general steps:
1. Create the list and list entries with the access-list command
2. Apply the list to a specific interface with the ip access-group command

Use: Router(config)#access-list [number]
To: Create an access list entry. Use the following number ranges to define the access list:
  1-99 = Standard IP access lists
  100-199 = Extended IP access lists

Use: Router(config-if)#ip access-group [number]
To: Apply the standard or extended IP access list to a specific interface.

Examples
The following commands create a standard IP access list that permits all outgoing traffic except the traffic from network 10.0.0.0, and applies the list to the Ethernet0 interface.
Router(config)#access-list 1 deny 10.0.0.0 0.255.255.255
Router(config)#access-list 1 permit any
Router(config)#int e0
Router(config-if)#ip access-group 1 out
The following commands create a standard IP access list that rejects all traffic except traffic from host 10.12.12.16, and applies the list to the Serial0 interface.
Router(config)#access-list 2 permit 10.12.12.16
Router(config)#int s0
Router(config-if)#ip access-group 2 in
Note: Remember that each access list contains an implicit deny any entry. When created, the access list denies all traffic except traffic explicitly permitted by permit statements in the list.
The following commands create an extended IP access list that rejects packets from host 10.1.1.1 sent to host 15.1.1.1, and applies the list to the second serial interface.
Router(config)#access-list 101 deny ip 10.1.1.1 0.0.0.0 15.1.1.1 0.0.0.0
Router(config)#access-list 101 permit ip any any
Router(config)#int s1
Router(config-if)#ip access-group 101 in
The following commands create an extended IP access list that does not forward TCP packets from any host on network 10.0.0.0 to network 11.12.0.0, and applies the list to the first serial interface.
Router(config)#access-list 111 deny tcp 10.0.0.0 0.255.255.255 11.12.0.0 0.0.255.255
Router(config)#access-list 111 permit ip any any
Router(config)#int s0
Router(config-if)#ip access-group 111 in
Calculating Wildcard Masks
The wildcard mask is used with access list statements to identify a range of IP addresses (such as all addresses on a specific network). When used to identify network addresses in access list statements, wildcard masks are the exact opposite of a subnet mask. To calculate the wildcard mask:
1. Identify the decimal value of the subnet mask.
2. Subtract each octet in the subnet mask from 255.
For example, suppose you wanted to allow all traffic on network 10.12.16.0/21. To find the wildcard mask:
1. A mask that covers 21 bits converts to 255.255.248.0
2. The wildcard mask would be:
  o First octet: 255 - 255 = 0
  o Second octet: 255 - 255 = 0
  o Third octet: 255 - 248 = 7
  o Fourth octet: 255 - 0 = 255
This gives you the mask of: 0.0.7.255
Like subnet masks, wildcard masks operate at the bit level. Any bit in the wildcard mask with a 0 value means that the bit must match to match the access list statement. A bit with a 1 value means that the bit does not have to match. For example, let's examine the subnet address, subnet mask, and wildcard mask in binary form for the preceding example.

Address Type     Decimal Values   Binary Values
Subnet address   10.12.16.0       00001010.00001100.00010000.00000000
Subnet mask      255.255.248.0    11111111.11111111.11111000.00000000
Wildcard mask    0.0.7.255        00000000.00000000.00000111.11111111

Notice how the bits in the wildcard mask are exactly opposite of the bits in the subnet mask. Suppose an access list were created with a statement as follows:
access-list 12 deny 10.12.16.0 0.0.7.255
Suppose that a packet addressed to 10.12.16.15 was received. The router uses the wildcard mask to compare the bits in the address to the bits in the subnet address.

Address Type     Decimal Values   Binary Values
Subnet address   10.12.16.0       00001010.00001100.00010000.00000000
Wildcard mask    0.0.7.255        00000000.00000000.00000111.11111111
Target address   10.12.16.15      00001010.00001100.00010000.00001111
How the router applies the mask to the address
(m = match, i = ignored, x = doesn't match)   mmmmmmmm.mmmmmmmm.mmmmmiii.iiiiiiii

In this example, all bits identified with a 0 in the wildcard mask must match between the address and the network address. Any bit identified with a 1 is ignored. In this example, 10.12.16.15 matches the access list statement and the traffic is denied.
Now suppose that a packet addressed to 10.13.17.15 was received. The router uses the wildcard mask to compare the bits in the address to the bits in the subnet address.

Address Type     Decimal Values   Binary Values
Subnet address   10.12.16.0       00001010.00001100.00010000.00000000
Wildcard mask    0.0.7.255        00000000.00000000.00000111.11111111
Target address   10.13.17.15      00001010.00001101.00010001.00001111
How the router applies the mask to the address
(m = match, i = ignored, x = doesn't match)   mmmmmmmm.mmmmmmmx.mmmmmiii.iiiiiiii

Notice that this address does not match the access list statement as identified with the wildcard mask. In this case, traffic would be permitted.
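The wildcard arithmetic and the bit-level comparison above, together with the access-list examples from the command list (lists 2, 12 and 111), as one added Python example that is not code from the original notes. It derives 0.0.7.255 from /21, reproduces the m/i/x comparison strings for 10.12.16.15 and 10.13.17.15, and then evaluates packets against the lists in order with the implicit deny at the end. The statements and addresses come from the notes; the parser, the packet records and the destination 192.0.2.1 are this example's own constructed assumptions (port keywords such as eq are not parsed, since the notes do not use them).

```python
"""Added example (not code from the original notes): wildcard-mask arithmetic and
first-match, implicit-deny evaluation of numbered IP access lists. List statements
are copied from the notes; the packets fed to them are constructed."""
from ipaddress import IPv4Address

ANY = ("0.0.0.0", "255.255.255.255")   # 'any': every bit ignored


def wildcard_from_prefix(prefix_len):
    """Steps 1-2 from the notes: subnet mask for the prefix, then 255 minus each octet."""
    subnet_mask = (0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF
    wildcard = subnet_mask ^ 0xFFFFFFFF        # bitwise opposite == 255 - octet, per octet
    return str(IPv4Address(subnet_mask)), str(IPv4Address(wildcard))


def wildcard_match(address, network, wildcard):
    """True when every bit that is 0 in the wildcard mask is identical in address and network."""
    a, n, w = (int(IPv4Address(x)) for x in (address, network, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (n & care)


def match_diagram(address, network, wildcard):
    """The m/i/x string from the notes: m = must match and does, i = ignored, x = does not match."""
    a, n, w = (int(IPv4Address(x)) for x in (address, network, wildcard))
    out = []
    for bit in range(31, -1, -1):
        if (w >> bit) & 1:
            out.append("i")
        else:
            out.append("m" if ((a >> bit) & 1) == ((n >> bit) & 1) else "x")
        if bit % 8 == 0 and bit:               # octet separator after bits 24, 16 and 8
            out.append(".")
    return "".join(out)


def _take_addr(tokens):
    """Consume one address spec: 'any', 'host A', 'A WILDCARD', or a bare host address 'A'."""
    if tokens[0] == "any":
        return ANY, tokens[1:]
    if tokens[0] == "host":
        return (tokens[1], "0.0.0.0"), tokens[2:]
    if len(tokens) > 1 and tokens[1].count(".") == 3:
        return (tokens[0], tokens[1]), tokens[2:]
    return (tokens[0], "0.0.0.0"), tokens[1:]


def parse_acl_line(line):
    """Parse 'access-list N permit|deny ...' (1-99 standard, 100-199 extended)."""
    parts = line.split()
    if parts[0] != "access-list" or parts[2] not in ("permit", "deny"):
        raise ValueError(f"not an access-list statement: {line!r}")
    number, action, rest = int(parts[1]), parts[2], parts[3:]
    if 1 <= number <= 99:                      # standard: source address only, protocol is IP
        src, _ = _take_addr(rest)
        return {"line": line, "action": action, "protocol": "ip", "src": src, "dst": ANY}
    if 100 <= number <= 199:                   # extended: protocol, source, destination
        src, rest = _take_addr(rest[1:])
        dst, _ = _take_addr(rest)
        return {"line": line, "action": action, "protocol": parts[3], "src": src, "dst": dst}
    raise ValueError(f"list number {number} is outside the numbered IP ranges")


def evaluate(acl_lines, packet):
    """Walk the list in order; the first matching statement decides, otherwise implicit deny."""
    for entry in map(parse_acl_line, acl_lines):
        if entry["protocol"] != "ip" and entry["protocol"] != packet["protocol"]:
            continue
        if wildcard_match(packet["src"], *entry["src"]) and wildcard_match(packet["dst"], *entry["dst"]):
            return entry["action"], entry["line"]
    return "deny", "implicit deny any"


# Access lists exactly as written in the notes
ACL_12 = ["access-list 12 deny 10.12.16.0 0.0.7.255"]
ACL_2 = ["access-list 2 permit 10.12.12.16"]
ACL_111 = ["access-list 111 deny tcp 10.0.0.0 0.255.255.255 11.12.0.0 0.0.255.255",
           "access-list 111 permit ip any any"]


def packet(src, dst, protocol="ip"):
    """Constructed packet header holding only the fields the lists can test."""
    return {"src": src, "dst": dst, "protocol": protocol}


if __name__ == "__main__":
    print(wildcard_from_prefix(21))
    for addr in ("10.12.16.15", "10.13.17.15"):
        print(addr, match_diagram(addr, "10.12.16.0", "0.0.7.255"),
              evaluate(ACL_12, packet(addr, "192.0.2.1")))
    print(evaluate(ACL_111, packet("10.5.5.5", "11.12.3.4", "tcp")))
    print(evaluate(ACL_111, packet("10.5.5.5", "11.12.3.4", "udp")))
```

Running it shows why order and the implicit deny matter: the address 10.13.17.15 does not match the deny statement in list 12, but with that single statement it falls through to the implicit deny rather than being permitted, so the "would be permitted" outcome in the notes relies on a later permit any statement; and in list 111 a UDP packet skips the tcp statement and is permitted by permit ip any any, while the same TCP packet is denied.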
Designing Access Lists

After you have created an access list, you must apply it to an interface. In many cases, this means you will need to decide which router, which port, and which direction to apply the access list to. Keep in mind the following:

- Each interface can only have one inbound and one outbound access list for each protocol. This means that an interface can have either a standard inbound or an extended inbound IP access list, but not both.
- You can have two access lists for the same direction applied to an interface if the lists restrict different networking protocols. For example, you can have one outbound IP access list and one outbound IPX access list.
- When constructing access lists, place the most restrictive statements at the top. Traffic is matched to access list statements in the order they appear in the list. If traffic matches a statement high in the list, subsequent statements will not be applied to the traffic.
- Each access list has an implicit deny any statement at the end of the access list. Your access list must contain at least one allow statement, or no traffic will be allowed.
- Access lists applied to inbound traffic filter packets before the routing decision is made. Access lists applied to outbound traffic filter packets after the routing decision is made.
- As a general rule, apply extended access lists as close to the source router as possible. This keeps the packets from being sent throughout the rest of the network.
- As a general rule, apply standard access lists as close to the destination router as possible. This is because standard access lists can only filter on source address. Placing the list too close to the source will prevent any traffic from the source from getting to any other parts of the network.
- When making placement decisions, carefully read all access list statements and requirements. Identify blocked and allowed traffic, as well as the direction that traffic will be traveling. Place the access list on the interface where a single list will block (or allow) all necessary traffic.

Monitoring Access Lists

The following list summarizes the commands to use for viewing specific access list information on the router.

If You Want to View... | Use...
All access lists that exist on the router | show run; show access-lists
All access lists applied to an interface | show ip int; show run
Rejected traffic information | show log
IP access lists configured on the router | show run; show ip access-lists
A specific access list | show access-lists [number]
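The wildcard-mask comparison worked above and the top-down, first-match evaluation with the implicit deny at the end can be checked in code. This is an added Python example, not part of the study notes; the sample access list and the addresses it is run against are constructed for illustration.

```python
# Added example (not from the study notes): applies a wildcard mask the way
# the comparison table on this page does, then evaluates an ordered standard
# access list top to bottom with the implicit "deny any" at the end.
from typing import List, Tuple


def to_bits(addr: str) -> List[int]:
    """Dotted-decimal IPv4 string -> list of 32 bits, most significant first."""
    octets = [int(o) for o in addr.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"bad IPv4 address: {addr}")
    return [(o >> shift) & 1 for o in octets for shift in range(7, -1, -1)]


def compare_bits(subnet: str, wildcard: str, target: str) -> str:
    """Return the per-bit result string used on the page:
    m = bit checked and matched, i = bit ignored (wildcard bit is 1),
    x = bit checked and did not match. Octets are separated by dots."""
    out = []
    for n, (s, w, t) in enumerate(
            zip(to_bits(subnet), to_bits(wildcard), to_bits(target))):
        if n and n % 8 == 0:
            out.append(".")
        out.append("i" if w else ("m" if s == t else "x"))
    return "".join(out)


def wildcard_match(subnet: str, wildcard: str, target: str) -> bool:
    """A statement matches when no checked bit differs (no 'x' in the result)."""
    return "x" not in compare_bits(subnet, wildcard, target)


def evaluate_acl(statements: List[Tuple[str, str, str]], source: str) -> str:
    """Statements are (action, subnet, wildcard), tried in list order; the
    first match decides, and a source matching nothing hits the implicit deny."""
    for action, subnet, wildcard in statements:
        if wildcard_match(subnet, wildcard, source):
            return action
    return "deny"  # implicit deny any at the end of every access list


# Constructed sample list: the more specific deny sits above the broad permit,
# as the placement rule on this page recommends.
SAMPLE_ACL = [
    ("deny", "10.12.16.5", "0.0.0.0"),      # one host, every bit checked
    ("permit", "10.12.16.0", "0.0.7.255"),  # 10.12.16.0 through 10.12.23.255
]

if __name__ == "__main__":
    print(compare_bits("10.12.16.0", "0.0.7.255", "10.13.17.15"))
    for src in ("10.13.17.15", "10.12.16.5", "10.12.20.200"):
        print(f"{src:>14} -> {evaluate_acl(SAMPLE_ACL, src)}")
```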
Network Address Translation (NAT)
NAT is similar to Classless Inter-Domain Routing (CIDR) in that the original intention for NAT was to slow the depletion of available IP address space by allowing many private IP addresses to be represented by some smaller number of public IP addresses.

Here's a list of situations in which it's best to have NAT on your side:

1) You need to connect to the Internet and your hosts don't have globally unique IP addresses.
2) You change to a new ISP that requires you to renumber your network.
3) You need to merge two intranets with duplicate addresses.
Types of Network Address Translation

In this section, I'm going to go over the three types of NAT with you:

Static NAT. This type of NAT is designed to allow one-to-one mapping between local and global addresses. Keep in mind that the static version requires you to have one real Internet IP address for every host on your network.

Dynamic NAT. This version gives you the ability to map an unregistered IP address to a registered IP address from out of a pool of registered IP addresses. You don't have to statically configure your router to map each inside address to an individual outside address as you would using static NAT, but you do have to have enough real, bona-fide IP addresses for everyone who's going to be sending packets to and receiving them from the Internet at the same time.

Overloading. This is the most popular type of NAT configuration. Understand that overloading really is a form of dynamic NAT that maps multiple unregistered IP addresses to a single registered IP address (many-to-one) by using different source ports. Now, why is this so special? Well, because it's also known as Port Address Translation (PAT). And by using PAT (NAT Overload), you get to have thousands of users connect to the Internet using only one real global IP address. Pretty slick, yeah? Seriously, NAT Overload is the real reason we haven't run out of valid IP addresses on the Internet.
NAT terms

Name | Meaning
Inside local | Name of inside source address before translation
Outside local | Name of destination host after translation
Inside global | Name of inside host after translation
Outside global | Name of outside destination host before translation
Understand the term NAT. This may come as news to you, because I didn't (okay, failed to) mention it earlier, but NAT has a few nicknames. In the industry, it's referred to as network masquerading, IP-masquerading, and for those who are besieged with OCD and compelled to spell everything out, Network Address Translation. Whatever you want to dub it, basically, they all refer to the process of rewriting the source/destination addresses of IP packets when they go through a router or firewall. Just focus on the process that's occurring and your understanding of it (i.e., the important part) and you're on it for sure!

Remember the three methods of NAT. The three methods are static, dynamic, and overloading; the latter is also called Port Address Translation (PAT).

Understand static NAT. This type of NAT is designed to allow one-to-one mapping between local and global addresses.

Understand dynamic NAT. This version gives you the ability to map a range of unregistered IP addresses to a registered IP address from out of a pool of registered IP addresses.

Understand overloading. Overloading really is a form of dynamic NAT that maps multiple unregistered IP addresses to a single registered IP address (many-to-one) by using different ports. It's also known as Port Address Translation (PAT).
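To make the overloading (PAT) description and the NAT terms table concrete, the following added Python example (not part of the study notes) keeps the translation table a NAT router would hold: many inside local addresses share one inside global address, flows are told apart by the translated source port, and replies from the outside global address are mapped back. All addresses are constructed from the documentation ranges.

```python
# Added example (not from the study notes). NAT Overload / PAT in miniature:
# many inside local addresses share one inside global address; flows are
# distinguished by the translated source port. Addresses are constructed
# from the RFC 5737 documentation ranges.
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    inside_local: str    # private source address before translation
    local_port: int      # source port chosen by the inside host
    outside_global: str  # destination on the Internet, before translation
    remote_port: int     # destination port


class PatTable:
    """Many-to-one translation table kept by the NAT router."""

    def __init__(self, inside_global: str, first_port: int = 1024):
        self.inside_global = inside_global          # the one public address
        self.next_port = first_port                 # next free translated port
        self.outbound: Dict[Flow, int] = {}         # flow -> translated port
        # (translated port, outside addr, outside port) -> flow, for replies
        self.inbound: Dict[Tuple[int, str, int], Flow] = {}

    def translate_outbound(self, flow: Flow) -> Tuple[str, int]:
        """Packet leaving the inside network: return the (inside global
        address, translated port) it is sent with, creating the entry on
        first use so every active flow gets a distinct port."""
        if flow not in self.outbound:
            if self.next_port > 65535:
                raise RuntimeError("translated port space exhausted")
            port = self.next_port
            self.next_port += 1
            self.outbound[flow] = port
            self.inbound[(port, flow.outside_global, flow.remote_port)] = flow
        return self.inside_global, self.outbound[flow]

    def translate_inbound(self, dst_port: int, src_addr: str,
                          src_port: int) -> Optional[Tuple[str, int]]:
        """Reply arriving at the inside global address: map it back to the
        (inside local address, local port). None means no inside host
        opened this flow, so the router has nothing to deliver it to."""
        flow = self.inbound.get((dst_port, src_addr, src_port))
        if flow is None:
            return None
        return flow.inside_local, flow.local_port


if __name__ == "__main__":
    table = PatTable("203.0.113.7")
    a = Flow("192.168.1.10", 51000, "198.51.100.20", 80)
    b = Flow("192.168.1.11", 51000, "198.51.100.20", 80)  # same local port
    for flow in (a, b):
        print(flow.inside_local, "->", table.translate_outbound(flow))
    print("reply to 1024:", table.translate_inbound(1024, "198.51.100.20", 80))
    print("unsolicited:", table.translate_inbound(9999, "198.51.100.20", 80))
```

Two inside hosts using the same local port still get distinct translated ports, which is what lets the router hand each reply back to the right host.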
WIRELESS TECHNOLOGY

Wireless Access Points

In the vast majority of wired networks, you'll find a central component such as a switch that's there to connect hosts together and allow them to communicate with each other. It's the same thing with wireless networks; they also have a component that connects all wireless devices together, only that device is known as a wireless access point (AP) instead. Wireless access points have at least one antenna. Usually there are two for better reception (referred to as diversity) and an Ethernet port to connect them to a wired network.
Access point devices have the following characteristics:

1) APs function as a central junction point for the wireless stations much like a switch or hub does within a wired network. Due to the half-duplex nature of wireless networking, the hub comparison is more accurate, even though hubs are rarely found in the wired world anymore.
2) APs have at least one antenna, most likely two or more.
3) APs function as a bridge to the wired network, giving the wireless station access to the wired network and/or the Internet.
4) Small office/home office (SOHO) APs come in two flavors: the stand-alone AP and the wireless router. They can and usually do include functions like NAT and DHCP.
Wireless Network Interface Card (WNIC)

Every host you want to connect to a wireless network needs a wireless network interface card (WNIC) to do so. Basically, a wireless NIC does the same job as a traditional Ethernet NIC, only instead of having a socket/port to plug a cable into, the wireless NIC has a radio antenna. It would be difficult to buy a laptop today without a wireless card already built in.
IPv6

IPv6 is known as "the next-generation Internet protocol," and it was originally created as the answer to IPv4's inevitable, looming address exhaustion crisis.

Given that an IP address is 32 bits in length, there are 2^32 actual IP addresses, which is 4.3 billion addresses. Not all of these are usable, however: only 3.7 billion of these are actually usable. Many addresses are reserved, such as the research (239-254), broadcast (255), multicast (224-239), private (10, 172.16, and 192.168), and loopback addresses (127). And, of course, many of the usable addresses are already assigned, leaving about 1.3 billion addresses for new growth.

Unlike 32-bit IPv4 addresses, IPv6 uses a 128-bit address. This allows for 3.4 × 10^38 addresses, which is enough for many IP addresses for each person on Earth, and probably multiple planets.
Understand why we need IPv6. Without IPv6, the world would be depleted of IP addresses.

Understand link-local. Link-local is like an IPv4 private IP address, but it can't be routed at all, not even in your organization.

Understand unique local. This, like link-local, is like a private IP address in IPv4 and cannot be routed to the Internet. However, the difference between link-local and unique local is that unique local can be routed within your organization or company.

Remember IPv6 addressing. IPv6 addressing is not like IPv4 addressing. IPv6 addressing has much more address space and is 128 bits long, and represented in hexadecimal, unlike IPv4, which is only 32 bits long and represented in decimal.

IPv6 gives us lots of addresses (3.4 × 10^38 = definitely enough), but there are many other features built into this version that make it well worth the cost, time, and effort required to migrate to it.

Features of IPv6

Very large address space. IPv6's large address space deals with global growth, where route prefixes can be easily aggregated in routing updates. Support for multihoming to ISPs with a single address space is easily accomplished. Autoconfiguration of addressing information, including the capability of including MAC addresses in the IP address, as well as plug-and-play options, simplifies address management. Renumbering and modification of addresses is easily accommodated, as well as public-to-private readdressing without involving address translation.

Security. IP security (IPSec) is built into IPv6, whereas it is an awkward add-on in IPv4. With IPv6, two devices can dynamically negotiate security parameters and build a secure tunnel between them with no user intervention.

Mobility. With the growth of mobile devices, such as PDAs and smart phones, devices can roam between wireless networks without breaking their connections.

Streamlined encapsulation. The IPv6 encapsulation is simpler than IPv4, providing faster forwarding rates by routers and better routing efficiency. No checksums are included, reducing processing on endpoints. No broadcasts are used, reducing utilization of devices within the same subnet. QoS information is built into the IPv6 header, where a flow label identifies the traffic; this alleviates intermediate network devices from having to examine contents inside the packet, the TCP/UDP headers, and payload information to classify the traffic for QoS correctly.

Transition capabilities. Various solutions exist to allow IPv4 and IPv6 to successfully coexist when migrating between the two. One method, dual stack, allows you to run both protocols simultaneously on an interface of a device. A second method, tunneling, allows you to tunnel IPv6 over IPv4 and vice versa to transmit an IP version of one type across a network using another type. Cisco supports a third method, referred to as Network Address Translation-Protocol Translation (NAT-PT), to translate between IPv4 and IPv6 (sometimes the term Proxy is used instead of Protocol).
IPv6 Address Format

Whereas IPv4 addresses use a dotted-decimal format, where each byte ranges from 0 to 255, IPv6 addresses use eight sets of four hexadecimal digits (16 bits in each set), separated by a colon (:), like this: xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx (x would be a hexadecimal value). This notation is commonly called string notation.

Recall from Chapter 3 that hexadecimal numbers range from 0 to F.

Here are some important items concerning IPv6 addresses:

- Hexadecimal values can be displayed in either lower- or upper-case for the numbers A-F.
- A leading zero in a set of numbers can be omitted; for example, you could either enter 0012 or 12 in one of the eight fields; both are correct.
- If you have successive fields of zeroes in an IPv6 address, you can represent them as two colons (::). For example, 0:0:0:0:0:0:0:5 could be represented as ::5; and ABC:567:0:0:8888:9999:1111:0 could be represented as ABC:567::8888:9999:1111:0. However, you can only do this once in the address: ABC::567::891::00 would be invalid since :: appears more than once in the address. The reason for this limitation is that if you had two or more repetitions, you wouldn't know how many sets of zeroes were being omitted from each part.
- An unspecified address is represented as ::, since it contains all zeroes.
DHCPv6

DHCPv6 is an update of the DHCP protocol in IPv4 and works similarly to the previous version with a few differences. Before the client can begin, it must first detect a router on the link via a neighbor discovery process. If the client detects a router, the client examines the router advertisement messages to determine whether DHCPv6 has been set up. If the router specifies that DHCPv6 is supported, or no router advertisement messages are seen, the client will begin to find a DHCPv6 server by generating a DHCP solicit message. This message is sent to the ALL-DHCP-Agents multicast address, using the link-local scope to ensure the message isn't forwarded, by default, beyond the local link. An agent is either a DHCPv6 server or a relay, such as a router.
Supported Routing Protocols

IPv6 supports both static and dynamic routing protocols. IPv6 supports these routing protocols: static, RIPng, OSPFv3, IS-IS for IPv6, MP-BGP4, and EIGRP for IPv6.

This book covers only RIPng; the other dynamic routing protocols are covered in Cisco's CCNP certification.
RIPng

Routing Information Protocol next generation (RIPng) is defined in RFC 2080. It is actually similar to RIP for IPv4, with these characteristics:

- It's a distance vector protocol.
- The hop-count limit is 15.
- Split horizon and poison reverse are used to prevent routing loops.
- It is based on RIPv2.

These are the enhancements in RIPng:

- An IPv6 packet is used to transport the routing update.
- The ALL-RIP routers multicast address (FF02::9) is used as the destination address in routing advertisements and is delivered to UDP port 521.
- Routing updates contain the IPv6 prefix of the router and the next-hop IPv6 address.
Enabling IPv6 and Assigning Addresses

To use IPv6 on your router, you must, at a minimum, enable the protocol and assign IPv6 addresses to your interfaces, like this:

Router(config)# ipv6 unicast-routing
Router(config)# interface type [slot_#/]port_#
Router(config-if)# ipv6 address ipv6_address_prefix/prefix_length [eui-64]

The ipv6 unicast-routing command globally enables IPv6 and must be the first IPv6 command executed on the router. The ipv6 address command assigns the prefix, the length, and the use of EUI-64 to assign the interface ID. Optionally, you can omit the eui-64 parameter and configure the entire IPv6 address. You can use the show ipv6 interface command to verify an interface's configuration.

Here's an example configuration, with its verification:

Router(config)# ipv6 unicast-routing
Router(config)# interface fastethernet0/0
Router(config-if)# ipv6 address 2001:1cc1:dddd:2::/64 eui-64
Router(config-if)# end
Router# show ipv6 interface fastethernet0/0
WAN

WAN Structure

A typical WAN structure includes the following components.

Consumer premises equipment (CPE): Devices physically located on the subscriber's premises. CPE includes the telephone wire, telephone, modem, and other equipment, both the devices the subscriber owns and the ones leased from the WAN provider. The wiring typically includes UTP cable with RJ-11 or RJ-45 connectors. CPE is sometimes used synonymously with DTE.

Data terminal equipment (DTE): A device on the network side of a WAN link that sends and receives data. The DTE resides on the subscriber's premises, and marks the point of entry between the LAN and the WAN. DTEs are usually routers, but computers and multiplexers can also act as DTEs. Broadly, DTEs are any equipment at the customer's site, and can include all computers. In a narrow sense, the DTE is the device that communicates with the DCE at the other end.

Local loop: Cable that extends from the demarc to the central telephone office. The demarc media is owned and maintained by the telephone company. Typically, it is UTP, but it can also be one or a combination of UTP, fiber optic, or other media. Fiber optic cable to the demarc is rare.

Demarcation point (demarc): The point where the telephone company's telephone wiring connects to the subscriber's wiring. The demarc can also be called the network interface or point of presence. Typically, the customer is responsible for all equipment on one side of the demarc. The phone company is responsible for all equipment on the other side of the demarc.

Central office (CO): The switching facility closest to the subscriber, and the nearest point of presence for the WAN provider. It provides WAN-cloud entry and exit points for incoming and outgoing calls, and acts as a switching point to forward data to other central offices. A CO provides services such as switching incoming telephone signals to outgoing trunk lines. It also provides reliable DC power to the local loop to establish an electric circuit. COs use long-distance, or toll, carriers to provide connections to almost anywhere in the world. Long-distance carriers are usually owned and operated by companies such as AT&T or MCI.

Data circuit-terminating equipment (DCE): A device that communicates with both DTEs and the WAN cloud. DCEs are typically routers at the service provider that relay messages between the customer and the WAN cloud. In a strict sense, a DCE is any device that supplies clocking signals to DTEs. Thus, a modem or CSU/DSU at the customer site is often classified as a DCE. DCEs may be devices similar to DTEs (such as routers), except that each device plays a different role.

WAN cloud: The hierarchy of trunks, switches, and central offices that make up the network of telephone lines. It is represented as a cloud because the physical structure varies, and different networks with common connection points may overlap. Few people thoroughly understand where data goes as it is switched through the "cloud." What is important is that data goes in, travels through the line, and arrives at its destination.

Packet-switching exchange (PSE): A switch on a carrier's packet-switched network. PSEs are the intermediary points in the WAN cloud.
WAN Services Facts

Listed below are the most common WAN transmission media.

Line Type | Characteristics
Plain Old Telephone Service (POTS) | POTS service has the following characteristics: existing wires use only one twisted pair; analog signals are used through the local loop; a modem is required to convert digital signals to analog; the line has an effective limit of 56 Kbps. You can also use the same physical wires for digital signaling. Multiple digital channels are sent over the same physical wires.
T-1 (a.k.a. DS-1) | 24 64-Kbps channels (used in the U.S.)
T-3 (a.k.a. DS-3) | 672 64-Kbps channels
E-1 | 31 64-Kbps channels (used in Europe)

Note: WAN services also use fiber optic, wireless, satellite, and other transmission media. However, the use of these media to the local loop is not common at this time.
If your organization needs WAN connectivity, you can choose from the following service options:

Service | Bandwidth (Max.) | Line Type | Signaling Method | Characteristics
Public Switched Telephone Network (PSTN) | 56 Kbps | POTS | Analog | Dialup over regular telephone lines
Leased lines | 56 Kbps | POTS | Analog | Dedicated line with consistent line quality
X.25 | 64 Kbps | POTS | Analog | Dedicated line; variable packet sizes (frames); ideal for low-quality lines
Frame Relay | 1.54 Mbps | POTS, T-1, T-3 | Digital | Variable packet sizes (frames)
Asynchronous Transfer Mode (ATM) | 1.2 Gbps | Coaxial, twisted pair, fiber-optic | Digital | Fixed-size cells (53-byte); high-quality, high-speed lines
Integrated Services Digital Network (ISDN) | 144 Kbps (BRI), 4 Mbps (PRI) | POTS, T-1 | Digital | Basic rate operates over regular telephone lines and is a dialup service; primary rate operates over T-carriers
DSL | 6.1 Mbps (1.544 or lower is more common) | POTS | Digital | Operates using digital signals over regular telephone lines; DSL comes in many different flavors (such as ADSL and HDSL)

There is no clear distinction between WAN services such as Frame Relay and ISDN. For example, you can use Frame Relay protocol over ISDN lines. Once a device connects to the WAN cloud, internal protocols can convert data traffic into the necessary formats, then convert the data again at the other end.
WAN Encapsulation Facts

WAN Physical layer protocols specify the hardware and bit signaling methods. Data Link layer protocols control some or all of the following functions:

- Error checking and correction
- Link establishment
- Frame-field composition
- Point-to-point flow control

Data Link layer protocols also describe the encapsulation method or the frame format. WAN encapsulation methods are typically called HDLC (high-level data link control). This term is both a generic name for Data Link protocols and the name of a specific protocol within a WAN protocol suite or service. Depending on the WAN service and connection method, you will select one of the following encapsulation methods.

- Cisco HDLC for synchronous, point-to-point connections with other Cisco routers (Cisco HDLC does not communicate with other vendors' implementations of HDLC). This is the default encapsulation method for synchronous serial links on Cisco routers.
- LAPB for X.25 networks.
- LAPD in combination with another protocol for the B channels in ISDN networks. LAPD is a Layer 2 ISDN protocol that manages flow and signaling.
- PPP for dial-up LAN access, circuit-switched WAN networks, and ISDN networks. PPP is non-proprietary, so it works in implementations that use products from multiple vendors.
- Cisco/IETF for Frame Relay networks.

Note: Routers on each side of a WAN link must use the same encapsulation method to be able to communicate.
PPP Facts

The following list represents some of the key features of the Point-to-Point Protocol (PPP):

- It can be used on a wide variety of physical interfaces including asynchronous serial, synchronous serial (dial up), and ISDN.
- It supports multiple Network layer protocols, including IP, IPX, AppleTalk, and numerous others.
- Optional authentication is provided through PAP (2-way authentication) or CHAP (3-way authentication).
- It supports multilink connections, load-balancing traffic over multiple physical links.
- It includes Link Quality Monitoring (LQM), which can detect link errors and automatically terminate links with excessive errors.
- It includes looped link detection that can identify when messages sent from a router are looped back to that router. This is done through routers sending magic numbers in communications. If a router receives a packet with its own magic number, the link is looped.

PPP uses two main protocols to establish and maintain the link.

Link Control Protocol (LCP): The Link Control Protocol (LCP) is responsible for establishing, maintaining, and tearing down the PPP link. LCP packets are exchanged periodically to do the following:
- During link establishment, LCPs are used to agree upon encapsulation, packet size, and compression settings. LCPs also indicate whether authentication should be used.
- Throughout the session, LCPs are exchanged to detect and correct errors or to control the use of multiple links (multilink).
- When the session is terminated, LCPs are responsible for tearing down the link.
A single Link Control Protocol runs for each physical connection.

Network Control Protocol (NCP): The Network Control Protocol (NCP) is used to agree upon and configure Network layer protocols to use (such as IP, IPX, or AppleTalk). Each Network layer protocol has a corresponding control protocol packet. Examples of control protocols include:
- IP Control Protocol (IPCP)
- CDP Control Protocol (CDPCP)
- IPX Control Protocol (IPXCP)
- AppleTalk Control Protocol (ATCP)
A single PPP link can run multiple control protocols, one for each Network-layer protocol supported on the link.

PPP establishes communication in three phases.

1. LCP phase. LCPs are exchanged to open the link and agree upon link settings such as encapsulation, packet size, and whether authentication will be used.
2. Authenticate phase (optional). During this phase, authentication-specific packets are exchanged to configure authentication parameters and authenticate the devices. LCPs might also be exchanged during this phase to maintain the link.
3. NCP phase. NCPs are exchanged to agree on upper-layer protocols to use. For example, routers might exchange IPCP and CDPCP packets to agree upon using IP and CDP for Network-layer communications. During this phase, LCPs might continue to be exchanged.
PPP Command List

PPP configuration is often done in connection with configuring other services. To configure PPP on the router, you complete the following tasks:

1. Set PPP encapsulation on the interface. You must set the encapsulation method to PPP before you can configure authentication or compression.
2. Select CHAP and/or PAP as the authentication method (optional).
3. If authentication is used, configure username/password combinations.

PPP options are configured in interface mode for a specific interface.

Use...
  Router(config-if)#encapsulation ppp
To...
  Set the encapsulation type to PPP

Use...
  Router(config-if)#ppp authentication [chap|pap]
  Router(config-if)#ppp authentication chap pap
To...
  Set the authentication method(s). When multiple methods are specified, the first method will be tried first.

Use...
  Router(config-if)#ppp compression
To...
  Set compression options

Use...
  Router(config-if)#ppp chap|pap password [password]
To...
  Set the password used with CHAP or PAP for an unknown host

Use...
  Router(config)#username [hostname] password [password]
To...
  Set the username and password for the local router

Use...
  Router(config)#bandwidth [value]
To...
  Set a bandwidth value for an interface

Use...
  Router#show interface
To...
  View encapsulation and PPP information on an interface

To hide the CHAP password from view in the configuration file, use the service password-encryption command from the global configuration mode.

Example

The following commands configure the SFO router to use PPP and enable it to connect to the LAX router using PAP authentication.

SFO(config)#username LAX password cisco5
SFO(config)#int s0
SFO(config-if)#encap ppp
SFO(config-if)#ppp auth pap
ISDN Facts

Integrated Services Digital Network (ISDN) is a set of standards covering the Physical, Data Link, and Network layers. It allows fast, digital transmission of both voice and data (including graphics, video, and so on) over existing telephone lines. It supports the majority of upper-level protocols and encapsulation protocols.

ISDN uses T-carrier technology to quickly and efficiently send digital data streams. The physical cable of an ISDN connection is divided into logical channels. Channels are classified as one of two types:

- B channels are used to carry data.
- D channels are used to carry control and signaling information.

When you order ISDN service, you have the choice between the following services.

Service | B channels | D channel | Characteristics
Basic Rate ISDN (BRI) | Two 64 Kbps | One 16 Kbps | Uses existing phone lines (but may not be available where existing copper wires don't support it); the connection is "demand-dial" (established only when data needs to be sent)
Primary Rate ISDN (PRI) | Twenty-three 64 Kbps | One 64 Kbps | Uses an entire T-1 line; sometimes called 23B+D; the connection is "always on"

Note: The total bandwidth of an ISDN BRI line is 144 Kbps (two B channels and one D channel). The total data transfer rate is 128 Kbps (data is sent only on the two B channels).

ISDN BRI is a relatively low-cost WAN service that is ideal for the following situations:

- Home office or telecommuters who need a relatively fast connection
- Businesses that need to periodically send data between sites (bursty traffic patterns)

ISDN BRI offers the following benefits over dial-up modems and other WAN connection options.

- Faster data transfer rates (128 Kbps) than dial-up modems (56 Kbps maximum)
- Faster call establishment (dial-up) than modems
- Lower cost than other WAN solutions (users pay a monthly fee plus connection charges)
ISDN Protocol Standards

ISDN standards are grouped according to function. The protocol groupings and descriptions follow a lettering standard.

Protocol Designation | Standard
E | Standards for ISDN on the existing phone network, such as international addressing
I | Standards for ISDN concepts, terminology, and services, such as network services
Q | Standards for switching and signaling, such as call setup, flow control, and error correction

In practice, you will probably not need to know these standards, but you will need to memorize them for the certification exam. Use the following to help remember the classifications.

- E for Existing networks
- I for Identifying concepts
- Q for Quality switching signals
ISDN Addressing

ISDN is a Network layer protocol that operates over a specific hardware interface configuration. For this reason, ISDN has its own Network and Data Link layer addressing. ISDN uses the following addresses:

Terminal Endpoint Identifier (TEI): Data Link layer address (similar to an Ethernet MAC address). TEIs are dynamically assigned to the router by the ISDN switch when the connection is made. Each ISDN device is assigned one TEI.

Service Protocol Identifier (SPID): Network layer address (similar to a telephone number that allows each channel to make and receive calls). Depending on the specific ISDN implementation, each device can have one or more SPIDs. The following are common SPID assignments:
- One SPID is assigned to the entire device
- Each B channel has its own SPID
- Each B channel can have more than one assigned SPID
The WAN service provider assigns the SPIDs for you to configure on the router.

Your ISDN router will be connected to an ISDN switch at the WAN service provider. Your router must be configured to communicate with the switch type used by your WAN service provider. Cisco routers support over 10 switch types. In North America, the most common types are:

- AT&T 5ESS
- Northern DMS-100
- National ISDN-1
ISDN Communication Facts

The following process is used to initialize an ISDN router.

1. The router uses the D channel to perform Data Link (layer 2) initialization. TEIs are dynamically assigned to identify the router.
2. The router uses the D channel to perform Network (layer 3) initialization. It uses its preconfigured SPIDs (if required) to set up the B channels.

When a router needs to communicate with another ISDN device, the following process is used.

1. The sending device requests a connection through the D channel.
2. The receiving device answers and the link is established.
3. The B channel is used to transmit data. The D channel is used for session maintenance.
4. After the transmission is over, the D channel is used to tear down the link.

Link Access Protocol for the D-Channel (LAPD) is the Data Link encapsulation protocol used on an ISDN network. As its name implies, it operates on the D channel of an ISDN connection and is used for:

- Initializing Layer 2 and Layer 3 communications.
- Assigning TEIs.
- Maintaining the session.
- Terminating the link.